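sagan-1.2.0/0000755000175000017500000000000013310533453011545 5ustar champchampsagan-1.2.0/Makefile.am0000644000175000017500000000233013310531444013575 0ustar champchamp# Top-level Automake input for Sagan.  The program itself is built in src/;
# this file only adds the post-build installation of the default config,
# man page, binary and runtime directories (install-data-local below).
# "AUTOMAKE_OPTIONS" was previously misspelled, which made automake treat
# the line as an ordinary variable and silently ignore the options.
AUTOMAKE_OPTIONS = foreign no-dependencies subdir-objects
ACLOCAL_AMFLAGS = -I m4
SUBDIRS = src

# Install hook run by "make install" after the regular data targets.
# $(DESTDIR) is honoured on every path so staged/packaged installs work.
# $(MKDIR_P) comes from configure; it replaces the hard-coded /bin/mkdir -p.
install-data-local:
	test -z "$(DESTDIR)$(sysconfdir)" || $(MKDIR_P) "$(DESTDIR)$(sysconfdir)"
# Never clobber an existing configuration on upgrade: only install the
# shipped sagan.yaml when none is present.
	test -f "$(DESTDIR)$(sysconfdir)/sagan.yaml" || $(INSTALL_DATA) etc/sagan.yaml "$(DESTDIR)$(sysconfdir)/sagan.yaml"
	test -z "$(DESTDIR)$(sbindir)" || $(MKDIR_P) "$(DESTDIR)$(sbindir)"
	$(INSTALL) -d "$(DESTDIR)$(mandir)/man8"
	$(INSTALL) -m 644 etc/sagan.8 "$(DESTDIR)$(mandir)/man8"
	$(INSTALL) -m 755 src/sagan "$(DESTDIR)$(sbindir)/sagan"
# NOTE(review): the log and pid directories are hard-coded instead of being
# derived from $(localstatedir); the shipped sagan.yaml presumably expects
# these exact paths -- confirm before changing them.
	$(INSTALL) -d "$(DESTDIR)/var/log/sagan"
	$(INSTALL) -d "$(DESTDIR)/var/run/sagan"
	@echo ""
	@echo "------------------------------------------------------------------------------"
	@echo "Sagan has been installed! You still need to do a few more things before you're"
	@echo "up and running. For more information, see:"
	@echo "https://wiki.quadrantsec.com/twiki/bin/view/Main/SaganInstall"
	@echo "------------------------------------------------------------------------------"
	@echo ""
sagan-1.2.0/TODO0000644000175000017500000000012713310531444012233 0ustar champchamp For the latest TODO list, see: https://wiki.quadrantsec.com/bin/view/Main/SaganTODO sagan-1.2.0/install-sh0000755000175000017500000003413713310533436013562 0ustar champchamp#!/bin/sh # install - install a program, script, or datafile scriptversion=2011-11-20.07; # UTC # This originates from X11R5 (mit/util/scripts/install.sh), which was # later released in X11R6 (xc/config/util/install.sh) with the # following copyright and license. 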
# # Copyright (C) 1994 X Consortium # # Permission is hereby granted, free of charge, to any person obtaining a copy # of this software and associated documentation files (the "Software"), to # deal in the Software without restriction, including without limitation the # rights to use, copy, modify, merge, publish, distribute, sublicense, and/or # sell copies of the Software, and to permit persons to whom the Software is # furnished to do so, subject to the following conditions: # # The above copyright notice and this permission notice shall be included in # all copies or substantial portions of the Software. # # THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR # IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, # FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE # X CONSORTIUM BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN # AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNEC- # TION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. # # Except as contained in this notice, the name of the X Consortium shall not # be used in advertising or otherwise to promote the sale, use or other deal- # ings in this Software without prior written authorization from the X Consor- # tium. # # # FSF changes to this file are in the public domain. # # Calling this script install-sh is preferred over install.sh, to prevent # 'make' implicit rules from creating a file called install from it # when there is no Makefile. # # This script is compatible with the BSD install script, but was written # from scratch. nl=' ' IFS=" "" $nl" # set DOITPROG to echo to test this script # Don't use :- since 4.3BSD and earlier shells don't like it. doit=${DOITPROG-} if test -z "$doit"; then doit_exec=exec else doit_exec=$doit fi # Put in absolute file names if you don't have them in your path; # or use environment vars. 
chgrpprog=${CHGRPPROG-chgrp} chmodprog=${CHMODPROG-chmod} chownprog=${CHOWNPROG-chown} cmpprog=${CMPPROG-cmp} cpprog=${CPPROG-cp} mkdirprog=${MKDIRPROG-mkdir} mvprog=${MVPROG-mv} rmprog=${RMPROG-rm} stripprog=${STRIPPROG-strip} posix_glob='?' initialize_posix_glob=' test "$posix_glob" != "?" || { if (set -f) 2>/dev/null; then posix_glob= else posix_glob=: fi } ' posix_mkdir= # Desired mode of installed file. mode=0755 chgrpcmd= chmodcmd=$chmodprog chowncmd= mvcmd=$mvprog rmcmd="$rmprog -f" stripcmd= src= dst= dir_arg= dst_arg= copy_on_change=false no_target_directory= usage="\ Usage: $0 [OPTION]... [-T] SRCFILE DSTFILE or: $0 [OPTION]... SRCFILES... DIRECTORY or: $0 [OPTION]... -t DIRECTORY SRCFILES... or: $0 [OPTION]... -d DIRECTORIES... In the 1st form, copy SRCFILE to DSTFILE. In the 2nd and 3rd, copy all SRCFILES to DIRECTORY. In the 4th, create DIRECTORIES. Options: --help display this help and exit. --version display version info and exit. -c (ignored) -C install only if different (preserve the last data modification time) -d create directories instead of installing files. -g GROUP $chgrpprog installed files to GROUP. -m MODE $chmodprog installed files to MODE. -o USER $chownprog installed files to USER. -s $stripprog installed files. -t DIRECTORY install into DIRECTORY. -T report an error if DSTFILE is a directory. Environment variables override the default commands: CHGRPPROG CHMODPROG CHOWNPROG CMPPROG CPPROG MKDIRPROG MVPROG RMPROG STRIPPROG " while test $# -ne 0; do case $1 in -c) ;; -C) copy_on_change=true;; -d) dir_arg=true;; -g) chgrpcmd="$chgrpprog $2" shift;; --help) echo "$usage"; exit $?;; -m) mode=$2 case $mode in *' '* | *' '* | *' '* | *'*'* | *'?'* | *'['*) echo "$0: invalid mode: $mode" >&2 exit 1;; esac shift;; -o) chowncmd="$chownprog $2" shift;; -s) stripcmd=$stripprog;; -t) dst_arg=$2 # Protect names problematic for 'test' and other utilities. 
case $dst_arg in -* | [=\(\)!]) dst_arg=./$dst_arg;; esac shift;; -T) no_target_directory=true;; --version) echo "$0 $scriptversion"; exit $?;; --) shift break;; -*) echo "$0: invalid option: $1" >&2 exit 1;; *) break;; esac shift done if test $# -ne 0 && test -z "$dir_arg$dst_arg"; then # When -d is used, all remaining arguments are directories to create. # When -t is used, the destination is already specified. # Otherwise, the last argument is the destination. Remove it from $@. for arg do if test -n "$dst_arg"; then # $@ is not empty: it contains at least $arg. set fnord "$@" "$dst_arg" shift # fnord fi shift # arg dst_arg=$arg # Protect names problematic for 'test' and other utilities. case $dst_arg in -* | [=\(\)!]) dst_arg=./$dst_arg;; esac done fi if test $# -eq 0; then if test -z "$dir_arg"; then echo "$0: no input file specified." >&2 exit 1 fi # It's OK to call 'install-sh -d' without argument. # This can happen when creating conditional directories. exit 0 fi if test -z "$dir_arg"; then do_exit='(exit $ret); exit $ret' trap "ret=129; $do_exit" 1 trap "ret=130; $do_exit" 2 trap "ret=141; $do_exit" 13 trap "ret=143; $do_exit" 15 # Set umask so as not to create temps with too-generous modes. # However, 'strip' requires both read and write access to temps. case $mode in # Optimize common cases. *644) cp_umask=133;; *755) cp_umask=22;; *[0-7]) if test -z "$stripcmd"; then u_plus_rw= else u_plus_rw='% 200' fi cp_umask=`expr '(' 777 - $mode % 1000 ')' $u_plus_rw`;; *) if test -z "$stripcmd"; then u_plus_rw= else u_plus_rw=,u+rw fi cp_umask=$mode$u_plus_rw;; esac fi for src do # Protect names problematic for 'test' and other utilities. case $src in -* | [=\(\)!]) src=./$src;; esac if test -n "$dir_arg"; then dst=$src dstdir=$dst test -d "$dstdir" dstdir_status=$? else # Waiting for this to be detected by the "$cpprog $src $dsttmp" command # might cause directories to be created, which would be especially bad # if $src (and thus $dsttmp) contains '*'. if test ! 
-f "$src" && test ! -d "$src"; then echo "$0: $src does not exist." >&2 exit 1 fi if test -z "$dst_arg"; then echo "$0: no destination specified." >&2 exit 1 fi dst=$dst_arg # If destination is a directory, append the input filename; won't work # if double slashes aren't ignored. if test -d "$dst"; then if test -n "$no_target_directory"; then echo "$0: $dst_arg: Is a directory" >&2 exit 1 fi dstdir=$dst dst=$dstdir/`basename "$src"` dstdir_status=0 else # Prefer dirname, but fall back on a substitute if dirname fails. dstdir=` (dirname "$dst") 2>/dev/null || expr X"$dst" : 'X\(.*[^/]\)//*[^/][^/]*/*$' \| \ X"$dst" : 'X\(//\)[^/]' \| \ X"$dst" : 'X\(//\)$' \| \ X"$dst" : 'X\(/\)' \| . 2>/dev/null || echo X"$dst" | sed '/^X\(.*[^/]\)\/\/*[^/][^/]*\/*$/{ s//\1/ q } /^X\(\/\/\)[^/].*/{ s//\1/ q } /^X\(\/\/\)$/{ s//\1/ q } /^X\(\/\).*/{ s//\1/ q } s/.*/./; q' ` test -d "$dstdir" dstdir_status=$? fi fi obsolete_mkdir_used=false if test $dstdir_status != 0; then case $posix_mkdir in '') # Create intermediate dirs using mode 755 as modified by the umask. # This is like FreeBSD 'install' as of 1997-10-28. umask=`umask` case $stripcmd.$umask in # Optimize common cases. *[2367][2367]) mkdir_umask=$umask;; .*0[02][02] | .[02][02] | .[02]) mkdir_umask=22;; *[0-7]) mkdir_umask=`expr $umask + 22 \ - $umask % 100 % 40 + $umask % 20 \ - $umask % 10 % 4 + $umask % 2 `;; *) mkdir_umask=$umask,go-w;; esac # With -d, create the new directory with the user-specified mode. # Otherwise, rely on $mkdir_umask. if test -n "$dir_arg"; then mkdir_mode=-m$mode else mkdir_mode= fi posix_mkdir=false case $umask in *[123567][0-7][0-7]) # POSIX mkdir -p sets u+wx bits regardless of umask, which # is incompatible with FreeBSD 'install' when (umask & 300) != 0. ;; *) # $RANDOM is not portable (e.g. 
dash); use it when possible to # lower collision chance tmpdir=${TMPDIR-/tmp}/ins$RANDOM-$$ trap 'ret=$?; rmdir "$tmpdir/a/b" "$tmpdir/a" "$tmpdir" 2>/dev/null; exit $ret' 0 # As "mkdir -p" follows symlinks and we work in /tmp possibly; so # create the $tmpdir first (and fail if unsuccessful) to make sure # that nobody tries to guess the $tmpdir name. if (umask $mkdir_umask && $mkdirprog $mkdir_mode "$tmpdir" && exec $mkdirprog $mkdir_mode -p -- "$tmpdir/a/b") >/dev/null 2>&1 then if test -z "$dir_arg" || { # Check for POSIX incompatibilities with -m. # HP-UX 11.23 and IRIX 6.5 mkdir -m -p sets group- or # other-writable bit of parent directory when it shouldn't. # FreeBSD 6.1 mkdir -m -p sets mode of existing directory. test_tmpdir="$tmpdir/a" ls_ld_tmpdir=`ls -ld "$test_tmpdir"` case $ls_ld_tmpdir in d????-?r-*) different_mode=700;; d????-?--*) different_mode=755;; *) false;; esac && $mkdirprog -m$different_mode -p -- "$test_tmpdir" && { ls_ld_tmpdir_1=`ls -ld "$test_tmpdir"` test "$ls_ld_tmpdir" = "$ls_ld_tmpdir_1" } } then posix_mkdir=: fi rmdir "$tmpdir/a/b" "$tmpdir/a" "$tmpdir" else # Remove any dirs left behind by ancient mkdir implementations. rmdir ./$mkdir_mode ./-p ./-- "$tmpdir" 2>/dev/null fi trap '' 0;; esac;; esac if $posix_mkdir && ( umask $mkdir_umask && $doit_exec $mkdirprog $mkdir_mode -p -- "$dstdir" ) then : else # The umask is ridiculous, or mkdir does not conform to POSIX, # or it failed possibly due to a race condition. Create the # directory the slow way, step by step, checking for races as we go. 
case $dstdir in /*) prefix='/';; [-=\(\)!]*) prefix='./';; *) prefix='';; esac eval "$initialize_posix_glob" oIFS=$IFS IFS=/ $posix_glob set -f set fnord $dstdir shift $posix_glob set +f IFS=$oIFS prefixes= for d do test X"$d" = X && continue prefix=$prefix$d if test -d "$prefix"; then prefixes= else if $posix_mkdir; then (umask=$mkdir_umask && $doit_exec $mkdirprog $mkdir_mode -p -- "$dstdir") && break # Don't fail if two instances are running concurrently. test -d "$prefix" || exit 1 else case $prefix in *\'*) qprefix=`echo "$prefix" | sed "s/'/'\\\\\\\\''/g"`;; *) qprefix=$prefix;; esac prefixes="$prefixes '$qprefix'" fi fi prefix=$prefix/ done if test -n "$prefixes"; then # Don't fail if two instances are running concurrently. (umask $mkdir_umask && eval "\$doit_exec \$mkdirprog $prefixes") || test -d "$dstdir" || exit 1 obsolete_mkdir_used=true fi fi fi if test -n "$dir_arg"; then { test -z "$chowncmd" || $doit $chowncmd "$dst"; } && { test -z "$chgrpcmd" || $doit $chgrpcmd "$dst"; } && { test "$obsolete_mkdir_used$chowncmd$chgrpcmd" = false || test -z "$chmodcmd" || $doit $chmodcmd $mode "$dst"; } || exit 1 else # Make a couple of temp file names in the proper directory. dsttmp=$dstdir/_inst.$$_ rmtmp=$dstdir/_rm.$$_ # Trap to clean up those temp files at exit. trap 'ret=$?; rm -f "$dsttmp" "$rmtmp" && exit $ret' 0 # Copy the file name to the temp name. (umask $cp_umask && $doit_exec $cpprog "$src" "$dsttmp") && # and set any options; do chmod last to preserve setuid bits. # # If any of these fail, we abort the whole thing. If we want to # ignore errors from any of these, just make sure not to ignore # errors from the above "$doit $cpprog $src $dsttmp" command. # { test -z "$chowncmd" || $doit $chowncmd "$dsttmp"; } && { test -z "$chgrpcmd" || $doit $chgrpcmd "$dsttmp"; } && { test -z "$stripcmd" || $doit $stripcmd "$dsttmp"; } && { test -z "$chmodcmd" || $doit $chmodcmd $mode "$dsttmp"; } && # If -C, don't bother to copy if it wouldn't change the file. 
if $copy_on_change && old=`LC_ALL=C ls -dlL "$dst" 2>/dev/null` && new=`LC_ALL=C ls -dlL "$dsttmp" 2>/dev/null` && eval "$initialize_posix_glob" && $posix_glob set -f && set X $old && old=:$2:$4:$5:$6 && set X $new && new=:$2:$4:$5:$6 && $posix_glob set +f && test "$old" = "$new" && $cmpprog "$dst" "$dsttmp" >/dev/null 2>&1 then rm -f "$dsttmp" else # Rename the file to the real destination. $doit $mvcmd -f "$dsttmp" "$dst" 2>/dev/null || # The rename failed, perhaps because mv can't rename something else # to itself, or perhaps because mv is so ancient that it does not # support -f. { # Now remove or move aside any old file at destination location. # We try this two ways since rm can't unlink itself on some # systems and the destination file might be busy for other # reasons. In this case, the final cleanup might fail but the new # file should still install successfully. { test ! -f "$dst" || $doit $rmcmd -f "$dst" 2>/dev/null || { $doit $mvcmd -f "$dst" "$rmtmp" 2>/dev/null && { $doit $rmcmd -f "$rmtmp" 2>/dev/null; :; } } || { echo "$0: cannot unlink or rename $dst" >&2 (exit 1); exit 1 } } && # Now rename the file to the real destination. $doit $mvcmd "$dsttmp" "$dst" } fi || exit 1 trap '' 0 fi done # Local variables: # eval: (add-hook 'write-file-hooks 'time-stamp) # time-stamp-start: "scriptversion=" # time-stamp-format: "%:y-%02m-%02d.%02H" # time-stamp-time-zone: "UTC" # time-stamp-end: "; # UTC" # End: sagan-1.2.0/README0000644000175000017500000000240713310531444012426 0ustar champchamp Welcome to the README file. --------------------------- What is Sagan? Sagan is an open source (GNU/GPLv2) high performance, real-time log analysis & correlation engine. It is written in C and uses a multi-threaded architecture to deliver high performance log & event analysis. The Sagan structure and Sagan rules work similarly to the Sourcefire "Snort" IDS engine. 
This was intentionally done to maintain compatibility with rule management software (oinkmaster/pulledpork/etc) and allows Sagan to correlate log events with your Snort IDS/IPS system. Since Sagan can write to Snort IDS/IPS databases via unified2/barnyard2, it is compatible with all Snort "consoles". For example, Sagan is compatible with Snorby [http://www.snorby.org], Sguil [http://sguil.sourceforge.net], BASE, and the Prelude IDS framework! (to name a few). Sagan supports many different output formats, log normalization (via liblognorm), GeoIP detection, script execution on event and automatic firewall support via "Snortsam" (see http://www.snortsam.net). Sagan uses the GNU "artistic style". For more information, please visit the Sagan web site: http://sagan.quadrantsec.com. If you're looking for Sagan rules on Github, they are located at: https://github.com/beave/sagan-rules sagan-1.2.0/FAQ0000644000175000017500000000004213310531444012071 0ustar champchampSee http://sagan.quadrantsec.com sagan-1.2.0/Makefile.in0000644000175000017500000006346113310533436013625 0ustar champchamp# Makefile.in generated by automake 1.14.1 from Makefile.am. # @configure_input@ # Copyright (C) 1994-2013 Free Software Foundation, Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, # with or without modifications, as long as this notice is preserved. # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY, to the extent permitted by law; without # even the implied warranty of MERCHANTABILITY or FITNESS FOR A # PARTICULAR PURPOSE. @SET_MAKE@ VPATH = @srcdir@ am__is_gnu_make = test -n '$(MAKEFILE_LIST)' && test -n '$(MAKELEVEL)' am__make_running_with_option = \ case $${target_option-} in \ ?) 
;; \ *) echo "am__make_running_with_option: internal error: invalid" \ "target option '$${target_option-}' specified" >&2; \ exit 1;; \ esac; \ has_opt=no; \ sane_makeflags=$$MAKEFLAGS; \ if $(am__is_gnu_make); then \ sane_makeflags=$$MFLAGS; \ else \ case $$MAKEFLAGS in \ *\\[\ \ ]*) \ bs=\\; \ sane_makeflags=`printf '%s\n' "$$MAKEFLAGS" \ | sed "s/$$bs$$bs[$$bs $$bs ]*//g"`;; \ esac; \ fi; \ skip_next=no; \ strip_trailopt () \ { \ flg=`printf '%s\n' "$$flg" | sed "s/$$1.*$$//"`; \ }; \ for flg in $$sane_makeflags; do \ test $$skip_next = yes && { skip_next=no; continue; }; \ case $$flg in \ *=*|--*) continue;; \ -*I) strip_trailopt 'I'; skip_next=yes;; \ -*I?*) strip_trailopt 'I';; \ -*O) strip_trailopt 'O'; skip_next=yes;; \ -*O?*) strip_trailopt 'O';; \ -*l) strip_trailopt 'l'; skip_next=yes;; \ -*l?*) strip_trailopt 'l';; \ -[dEDm]) skip_next=yes;; \ -[JT]) skip_next=yes;; \ esac; \ case $$flg in \ *$$target_option*) has_opt=yes; break;; \ esac; \ done; \ test $$has_opt = yes am__make_dryrun = (target_option=n; $(am__make_running_with_option)) am__make_keepgoing = (target_option=k; $(am__make_running_with_option)) pkgdatadir = $(datadir)/@PACKAGE@ pkgincludedir = $(includedir)/@PACKAGE@ pkglibdir = $(libdir)/@PACKAGE@ pkglibexecdir = $(libexecdir)/@PACKAGE@ am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd install_sh_DATA = $(install_sh) -c -m 644 install_sh_PROGRAM = $(install_sh) -c install_sh_SCRIPT = $(install_sh) -c INSTALL_HEADER = $(INSTALL_DATA) transform = $(program_transform_name) NORMAL_INSTALL = : PRE_INSTALL = : POST_INSTALL = : NORMAL_UNINSTALL = : PRE_UNINSTALL = : POST_UNINSTALL = : build_triplet = @build@ host_triplet = @host@ target_triplet = @target@ subdir = . 
DIST_COMMON = INSTALL NEWS README AUTHORS ChangeLog \ $(srcdir)/Makefile.in $(srcdir)/Makefile.am \ $(top_srcdir)/configure $(am__configure_deps) \ $(srcdir)/config.h.in COPYING TODO compile config.guess \ config.sub install-sh missing ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 am__aclocal_m4_deps = $(top_srcdir)/m4/ax_check_compile_flag.m4 \ $(top_srcdir)/m4/ax_ext.m4 \ $(top_srcdir)/m4/ax_gcc_x86_avx_xgetbv.m4 \ $(top_srcdir)/m4/ax_gcc_x86_cpuid.m4 \ $(top_srcdir)/configure.ac am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) am__CONFIG_DISTCLEAN_FILES = config.status config.cache config.log \ configure.lineno config.status.lineno mkinstalldirs = $(install_sh) -d CONFIG_HEADER = config.h CONFIG_CLEAN_FILES = CONFIG_CLEAN_VPATH_FILES = AM_V_P = $(am__v_P_@AM_V@) am__v_P_ = $(am__v_P_@AM_DEFAULT_V@) am__v_P_0 = false am__v_P_1 = : AM_V_GEN = $(am__v_GEN_@AM_V@) am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@) am__v_GEN_0 = @echo " GEN " $@; am__v_GEN_1 = AM_V_at = $(am__v_at_@AM_V@) am__v_at_ = $(am__v_at_@AM_DEFAULT_V@) am__v_at_0 = @ am__v_at_1 = SOURCES = DIST_SOURCES = RECURSIVE_TARGETS = all-recursive check-recursive cscopelist-recursive \ ctags-recursive dvi-recursive html-recursive info-recursive \ install-data-recursive install-dvi-recursive \ install-exec-recursive install-html-recursive \ install-info-recursive install-pdf-recursive \ install-ps-recursive install-recursive installcheck-recursive \ installdirs-recursive pdf-recursive ps-recursive \ tags-recursive uninstall-recursive am__can_run_installinfo = \ case $$AM_UPDATE_INFO_DIR in \ n|no|NO) false;; \ *) (install-info --version) >/dev/null 2>&1;; \ esac RECURSIVE_CLEAN_TARGETS = mostlyclean-recursive clean-recursive \ distclean-recursive maintainer-clean-recursive am__recursive_targets = \ $(RECURSIVE_TARGETS) \ $(RECURSIVE_CLEAN_TARGETS) \ $(am__extra_recursive_targets) AM_RECURSIVE_TARGETS = $(am__recursive_targets:-recursive=) TAGS CTAGS \ cscope distdir dist dist-all 
distcheck am__tagged_files = $(HEADERS) $(SOURCES) $(TAGS_FILES) \ $(LISP)config.h.in # Read a list of newline-separated strings from the standard input, # and print each of them once, without duplicates. Input order is # *not* preserved. am__uniquify_input = $(AWK) '\ BEGIN { nonempty = 0; } \ { items[$$0] = 1; nonempty = 1; } \ END { if (nonempty) { for (i in items) print i; }; } \ ' # Make sure the list of sources is unique. This is necessary because, # e.g., the same source file might be shared among _SOURCES variables # for different programs/libraries. am__define_uniq_tagged_files = \ list='$(am__tagged_files)'; \ unique=`for i in $$list; do \ if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ done | $(am__uniquify_input)` ETAGS = etags CTAGS = ctags CSCOPE = cscope DIST_SUBDIRS = $(SUBDIRS) DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) distdir = $(PACKAGE)-$(VERSION) top_distdir = $(distdir) am__remove_distdir = \ if test -d "$(distdir)"; then \ find "$(distdir)" -type d ! 
-perm -200 -exec chmod u+w {} ';' \ && rm -rf "$(distdir)" \ || { sleep 5 && rm -rf "$(distdir)"; }; \ else :; fi am__post_remove_distdir = $(am__remove_distdir) am__relativize = \ dir0=`pwd`; \ sed_first='s,^\([^/]*\)/.*$$,\1,'; \ sed_rest='s,^[^/]*/*,,'; \ sed_last='s,^.*/\([^/]*\)$$,\1,'; \ sed_butlast='s,/*[^/]*$$,,'; \ while test -n "$$dir1"; do \ first=`echo "$$dir1" | sed -e "$$sed_first"`; \ if test "$$first" != "."; then \ if test "$$first" = ".."; then \ dir2=`echo "$$dir0" | sed -e "$$sed_last"`/"$$dir2"; \ dir0=`echo "$$dir0" | sed -e "$$sed_butlast"`; \ else \ first2=`echo "$$dir2" | sed -e "$$sed_first"`; \ if test "$$first2" = "$$first"; then \ dir2=`echo "$$dir2" | sed -e "$$sed_rest"`; \ else \ dir2="../$$dir2"; \ fi; \ dir0="$$dir0"/"$$first"; \ fi; \ fi; \ dir1=`echo "$$dir1" | sed -e "$$sed_rest"`; \ done; \ reldir="$$dir2" DIST_ARCHIVES = $(distdir).tar.gz GZIP_ENV = --best DIST_TARGETS = dist-gzip distuninstallcheck_listfiles = find . -type f -print am__distuninstallcheck_listfiles = $(distuninstallcheck_listfiles) \ | sed 's|^\./|$(prefix)/|' | grep -v '$(infodir)/dir$$' distcleancheck_listfiles = find . 
-type f -print ACLOCAL = @ACLOCAL@ AMTAR = @AMTAR@ AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@ AUTOCONF = @AUTOCONF@ AUTOHEADER = @AUTOHEADER@ AUTOMAKE = @AUTOMAKE@ AWK = @AWK@ CC = @CC@ CCAS = @CCAS@ CCASDEPMODE = @CCASDEPMODE@ CCASFLAGS = @CCASFLAGS@ CCDEPMODE = @CCDEPMODE@ CFLAGS = @CFLAGS@ CPP = @CPP@ CPPFLAGS = @CPPFLAGS@ CYGPATH_W = @CYGPATH_W@ DEFS = @DEFS@ DEPDIR = @DEPDIR@ ECHO_C = @ECHO_C@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ ENDIAN = @ENDIAN@ EXEEXT = @EXEEXT@ GREP = @GREP@ INSTALL = @INSTALL@ INSTALL_DATA = @INSTALL_DATA@ INSTALL_PROGRAM = @INSTALL_PROGRAM@ INSTALL_SCRIPT = @INSTALL_SCRIPT@ INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@ LDFLAGS = @LDFLAGS@ LIBESTR_CFLAGS = @LIBESTR_CFLAGS@ LIBESTR_LIBS = @LIBESTR_LIBS@ LIBFASTJSON_CFLAGS = @LIBFASTJSON_CFLAGS@ LIBFASTJSON_LIBS = @LIBFASTJSON_LIBS@ LIBLOGNORM_CFLAGS = @LIBLOGNORM_CFLAGS@ LIBLOGNORM_LIBS = @LIBLOGNORM_LIBS@ LIBOBJS = @LIBOBJS@ LIBPCREVERSION_CFLAGS = @LIBPCREVERSION_CFLAGS@ LIBPCREVERSION_LIBS = @LIBPCREVERSION_LIBS@ LIBS = @LIBS@ LTLIBOBJS = @LTLIBOBJS@ MAINT = @MAINT@ MAKEINFO = @MAKEINFO@ MKDIR_P = @MKDIR_P@ OBJEXT = @OBJEXT@ PACKAGE = @PACKAGE@ PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@ PACKAGE_NAME = @PACKAGE_NAME@ PACKAGE_STRING = @PACKAGE_STRING@ PACKAGE_TARNAME = @PACKAGE_TARNAME@ PACKAGE_URL = @PACKAGE_URL@ PACKAGE_VERSION = @PACKAGE_VERSION@ PATH_SEPARATOR = @PATH_SEPARATOR@ PKG_CONFIG = @PKG_CONFIG@ PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ SIMD_FLAGS = @SIMD_FLAGS@ STRIP = @STRIP@ VERSION = @VERSION@ abs_builddir = @abs_builddir@ abs_srcdir = @abs_srcdir@ abs_top_builddir = @abs_top_builddir@ abs_top_srcdir = @abs_top_srcdir@ ac_ct_CC = @ac_ct_CC@ am__include = @am__include@ am__leading_dot = @am__leading_dot@ am__quote = @am__quote@ am__tar = @am__tar@ am__untar = @am__untar@ bindir = @bindir@ build = @build@ build_alias = @build_alias@ build_cpu = @build_cpu@ build_os = @build_os@ 
build_vendor = @build_vendor@ builddir = @builddir@ datadir = @datadir@ datarootdir = @datarootdir@ docdir = @docdir@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ host = @host@ host_alias = @host_alias@ host_cpu = @host_cpu@ host_os = @host_os@ host_vendor = @host_vendor@ htmldir = @htmldir@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ libdir = @libdir@ libexecdir = @libexecdir@ localedir = @localedir@ localstatedir = @localstatedir@ mandir = @mandir@ mkdir_p = @mkdir_p@ oldincludedir = @oldincludedir@ pdfdir = @pdfdir@ prefix = @prefix@ program_transform_name = @program_transform_name@ psdir = @psdir@ sbindir = @sbindir@ sharedstatedir = @sharedstatedir@ srcdir = @srcdir@ sysconfdir = @sysconfdir@ target = @target@ target_alias = @target_alias@ target_cpu = @target_cpu@ target_os = @target_os@ target_vendor = @target_vendor@ top_build_prefix = @top_build_prefix@ top_builddir = @top_builddir@ top_srcdir = @top_srcdir@ AUTOMAKE_OPIONS = foreign no-dependencies subdir-objects ACLOCAL_AMFLAGS = -I m4 SUBDIRS = src all: config.h $(MAKE) $(AM_MAKEFLAGS) all-recursive .SUFFIXES: am--refresh: Makefile @: $(srcdir)/Makefile.in: @MAINTAINER_MODE_TRUE@ $(srcdir)/Makefile.am $(am__configure_deps) @for dep in $?; do \ case '$(am__configure_deps)' in \ *$$dep*) \ echo ' cd $(srcdir) && $(AUTOMAKE) --gnu'; \ $(am__cd) $(srcdir) && $(AUTOMAKE) --gnu \ && exit 0; \ exit 1;; \ esac; \ done; \ echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu Makefile'; \ $(am__cd) $(top_srcdir) && \ $(AUTOMAKE) --gnu Makefile .PRECIOUS: Makefile Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status @case '$?' 
in \ *config.status*) \ echo ' $(SHELL) ./config.status'; \ $(SHELL) ./config.status;; \ *) \ echo ' cd $(top_builddir) && $(SHELL) ./config.status $@ $(am__depfiles_maybe)'; \ cd $(top_builddir) && $(SHELL) ./config.status $@ $(am__depfiles_maybe);; \ esac; $(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES) $(SHELL) ./config.status --recheck $(top_srcdir)/configure: @MAINTAINER_MODE_TRUE@ $(am__configure_deps) $(am__cd) $(srcdir) && $(AUTOCONF) $(ACLOCAL_M4): @MAINTAINER_MODE_TRUE@ $(am__aclocal_m4_deps) $(am__cd) $(srcdir) && $(ACLOCAL) $(ACLOCAL_AMFLAGS) $(am__aclocal_m4_deps): config.h: stamp-h1 @test -f $@ || rm -f stamp-h1 @test -f $@ || $(MAKE) $(AM_MAKEFLAGS) stamp-h1 stamp-h1: $(srcdir)/config.h.in $(top_builddir)/config.status @rm -f stamp-h1 cd $(top_builddir) && $(SHELL) ./config.status config.h $(srcdir)/config.h.in: @MAINTAINER_MODE_TRUE@ $(am__configure_deps) ($(am__cd) $(top_srcdir) && $(AUTOHEADER)) rm -f stamp-h1 touch $@ distclean-hdr: -rm -f config.h stamp-h1 # This directory's subdirectories are mostly independent; you can cd # into them and run 'make' without going through this Makefile. # To change the values of 'make' variables: instead of editing Makefiles, # (1) if the variable is set in 'config.status', edit 'config.status' # (which will cause the Makefiles to be regenerated when you run 'make'); # (2) otherwise, pass the desired values on the 'make' command line. 
$(am__recursive_targets): @fail=; \ if $(am__make_keepgoing); then \ failcom='fail=yes'; \ else \ failcom='exit 1'; \ fi; \ dot_seen=no; \ target=`echo $@ | sed s/-recursive//`; \ case "$@" in \ distclean-* | maintainer-clean-*) list='$(DIST_SUBDIRS)' ;; \ *) list='$(SUBDIRS)' ;; \ esac; \ for subdir in $$list; do \ echo "Making $$target in $$subdir"; \ if test "$$subdir" = "."; then \ dot_seen=yes; \ local_target="$$target-am"; \ else \ local_target="$$target"; \ fi; \ ($(am__cd) $$subdir && $(MAKE) $(AM_MAKEFLAGS) $$local_target) \ || eval $$failcom; \ done; \ if test "$$dot_seen" = "no"; then \ $(MAKE) $(AM_MAKEFLAGS) "$$target-am" || exit 1; \ fi; test -z "$$fail" ID: $(am__tagged_files) $(am__define_uniq_tagged_files); mkid -fID $$unique tags: tags-recursive TAGS: tags tags-am: $(TAGS_DEPENDENCIES) $(am__tagged_files) set x; \ here=`pwd`; \ if ($(ETAGS) --etags-include --version) >/dev/null 2>&1; then \ include_option=--etags-include; \ empty_fix=.; \ else \ include_option=--include; \ empty_fix=; \ fi; \ list='$(SUBDIRS)'; for subdir in $$list; do \ if test "$$subdir" = .; then :; else \ test ! -f $$subdir/TAGS || \ set "$$@" "$$include_option=$$here/$$subdir/TAGS"; \ fi; \ done; \ $(am__define_uniq_tagged_files); \ shift; \ if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \ test -n "$$unique" || unique=$$empty_fix; \ if test $$# -gt 0; then \ $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ "$$@" $$unique; \ else \ $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ $$unique; \ fi; \ fi ctags: ctags-recursive CTAGS: ctags ctags-am: $(TAGS_DEPENDENCIES) $(am__tagged_files) $(am__define_uniq_tagged_files); \ test -z "$(CTAGS_ARGS)$$unique" \ || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \ $$unique GTAGS: here=`$(am__cd) $(top_builddir) && pwd` \ && $(am__cd) $(top_srcdir) \ && gtags -i $(GTAGS_ARGS) "$$here" cscope: cscope.files test ! 
-s cscope.files \ || $(CSCOPE) -b -q $(AM_CSCOPEFLAGS) $(CSCOPEFLAGS) -i cscope.files $(CSCOPE_ARGS) clean-cscope: -rm -f cscope.files cscope.files: clean-cscope cscopelist cscopelist: cscopelist-recursive cscopelist-am: $(am__tagged_files) list='$(am__tagged_files)'; \ case "$(srcdir)" in \ [\\/]* | ?:[\\/]*) sdir="$(srcdir)" ;; \ *) sdir=$(subdir)/$(srcdir) ;; \ esac; \ for i in $$list; do \ if test -f "$$i"; then \ echo "$(subdir)/$$i"; \ else \ echo "$$sdir/$$i"; \ fi; \ done >> $(top_builddir)/cscope.files distclean-tags: -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags -rm -f cscope.out cscope.in.out cscope.po.out cscope.files distdir: $(DISTFILES) $(am__remove_distdir) test -d "$(distdir)" || mkdir "$(distdir)" @srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ list='$(DISTFILES)'; \ dist_files=`for file in $$list; do echo $$file; done | \ sed -e "s|^$$srcdirstrip/||;t" \ -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \ case $$dist_files in \ */*) $(MKDIR_P) `echo "$$dist_files" | \ sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \ sort -u` ;; \ esac; \ for file in $$dist_files; do \ if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ if test -d $$d/$$file; then \ dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \ if test -d "$(distdir)/$$file"; then \ find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ fi; \ if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \ find "$(distdir)/$$file" -type d ! 
-perm -700 -exec chmod u+rwx {} \;; \ fi; \ cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \ else \ test -f "$(distdir)/$$file" \ || cp -p $$d/$$file "$(distdir)/$$file" \ || exit 1; \ fi; \ done @list='$(DIST_SUBDIRS)'; for subdir in $$list; do \ if test "$$subdir" = .; then :; else \ $(am__make_dryrun) \ || test -d "$(distdir)/$$subdir" \ || $(MKDIR_P) "$(distdir)/$$subdir" \ || exit 1; \ dir1=$$subdir; dir2="$(distdir)/$$subdir"; \ $(am__relativize); \ new_distdir=$$reldir; \ dir1=$$subdir; dir2="$(top_distdir)"; \ $(am__relativize); \ new_top_distdir=$$reldir; \ echo " (cd $$subdir && $(MAKE) $(AM_MAKEFLAGS) top_distdir="$$new_top_distdir" distdir="$$new_distdir" \\"; \ echo " am__remove_distdir=: am__skip_length_check=: am__skip_mode_fix=: distdir)"; \ ($(am__cd) $$subdir && \ $(MAKE) $(AM_MAKEFLAGS) \ top_distdir="$$new_top_distdir" \ distdir="$$new_distdir" \ am__remove_distdir=: \ am__skip_length_check=: \ am__skip_mode_fix=: \ distdir) \ || exit 1; \ fi; \ done -test -n "$(am__skip_mode_fix)" \ || find "$(distdir)" -type d ! -perm -755 \ -exec chmod u+rwx,go+rx {} \; -o \ ! -type d ! -perm -444 -links 1 -exec chmod a+r {} \; -o \ ! -type d ! -perm -400 -exec chmod a+r {} \; -o \ ! -type d ! -perm -444 -exec $(install_sh) -c -m a+r {} {} \; \ || chmod -R a+r "$(distdir)" dist-gzip: distdir tardir=$(distdir) && $(am__tar) | GZIP=$(GZIP_ENV) gzip -c >$(distdir).tar.gz $(am__post_remove_distdir) dist-bzip2: distdir tardir=$(distdir) && $(am__tar) | BZIP2=$${BZIP2--9} bzip2 -c >$(distdir).tar.bz2 $(am__post_remove_distdir) dist-lzip: distdir tardir=$(distdir) && $(am__tar) | lzip -c $${LZIP_OPT--9} >$(distdir).tar.lz $(am__post_remove_distdir) dist-xz: distdir tardir=$(distdir) && $(am__tar) | XZ_OPT=$${XZ_OPT--e} xz -c >$(distdir).tar.xz $(am__post_remove_distdir) dist-tarZ: distdir @echo WARNING: "Support for shar distribution archives is" \ "deprecated." 
>&2 @echo WARNING: "It will be removed altogether in Automake 2.0" >&2 tardir=$(distdir) && $(am__tar) | compress -c >$(distdir).tar.Z $(am__post_remove_distdir) dist-shar: distdir @echo WARNING: "Support for distribution archives compressed with" \ "legacy program 'compress' is deprecated." >&2 @echo WARNING: "It will be removed altogether in Automake 2.0" >&2 shar $(distdir) | GZIP=$(GZIP_ENV) gzip -c >$(distdir).shar.gz $(am__post_remove_distdir) dist-zip: distdir -rm -f $(distdir).zip zip -rq $(distdir).zip $(distdir) $(am__post_remove_distdir) dist dist-all: $(MAKE) $(AM_MAKEFLAGS) $(DIST_TARGETS) am__post_remove_distdir='@:' $(am__post_remove_distdir) # This target untars the dist file and tries a VPATH configuration. Then # it guarantees that the distribution is self-contained by making another # tarfile. distcheck: dist case '$(DIST_ARCHIVES)' in \ *.tar.gz*) \ GZIP=$(GZIP_ENV) gzip -dc $(distdir).tar.gz | $(am__untar) ;;\ *.tar.bz2*) \ bzip2 -dc $(distdir).tar.bz2 | $(am__untar) ;;\ *.tar.lz*) \ lzip -dc $(distdir).tar.lz | $(am__untar) ;;\ *.tar.xz*) \ xz -dc $(distdir).tar.xz | $(am__untar) ;;\ *.tar.Z*) \ uncompress -c $(distdir).tar.Z | $(am__untar) ;;\ *.shar.gz*) \ GZIP=$(GZIP_ENV) gzip -dc $(distdir).shar.gz | unshar ;;\ *.zip*) \ unzip $(distdir).zip ;;\ esac chmod -R a-w $(distdir) chmod u+w $(distdir) mkdir $(distdir)/_build $(distdir)/_inst chmod a-w $(distdir) test -d $(distdir)/_build || exit 0; \ dc_install_base=`$(am__cd) $(distdir)/_inst && pwd | sed -e 's,^[^:\\/]:[\\/],/,'` \ && dc_destdir="$${TMPDIR-/tmp}/am-dc-$$$$/" \ && am__cwd=`pwd` \ && $(am__cd) $(distdir)/_build \ && ../configure \ $(AM_DISTCHECK_CONFIGURE_FLAGS) \ $(DISTCHECK_CONFIGURE_FLAGS) \ --srcdir=.. 
--prefix="$$dc_install_base" \ && $(MAKE) $(AM_MAKEFLAGS) \ && $(MAKE) $(AM_MAKEFLAGS) dvi \ && $(MAKE) $(AM_MAKEFLAGS) check \ && $(MAKE) $(AM_MAKEFLAGS) install \ && $(MAKE) $(AM_MAKEFLAGS) installcheck \ && $(MAKE) $(AM_MAKEFLAGS) uninstall \ && $(MAKE) $(AM_MAKEFLAGS) distuninstallcheck_dir="$$dc_install_base" \ distuninstallcheck \ && chmod -R a-w "$$dc_install_base" \ && ({ \ (cd ../.. && umask 077 && mkdir "$$dc_destdir") \ && $(MAKE) $(AM_MAKEFLAGS) DESTDIR="$$dc_destdir" install \ && $(MAKE) $(AM_MAKEFLAGS) DESTDIR="$$dc_destdir" uninstall \ && $(MAKE) $(AM_MAKEFLAGS) DESTDIR="$$dc_destdir" \ distuninstallcheck_dir="$$dc_destdir" distuninstallcheck; \ } || { rm -rf "$$dc_destdir"; exit 1; }) \ && rm -rf "$$dc_destdir" \ && $(MAKE) $(AM_MAKEFLAGS) dist \ && rm -rf $(DIST_ARCHIVES) \ && $(MAKE) $(AM_MAKEFLAGS) distcleancheck \ && cd "$$am__cwd" \ || exit 1 $(am__post_remove_distdir) @(echo "$(distdir) archives ready for distribution: "; \ list='$(DIST_ARCHIVES)'; for i in $$list; do echo $$i; done) | \ sed -e 1h -e 1s/./=/g -e 1p -e 1x -e '$$p' -e '$$x' distuninstallcheck: @test -n '$(distuninstallcheck_dir)' || { \ echo 'ERROR: trying to run $@ with an empty' \ '$$(distuninstallcheck_dir)' >&2; \ exit 1; \ }; \ $(am__cd) '$(distuninstallcheck_dir)' || { \ echo 'ERROR: cannot chdir into $(distuninstallcheck_dir)' >&2; \ exit 1; \ }; \ test `$(am__distuninstallcheck_listfiles) | wc -l` -eq 0 \ || { echo "ERROR: files left after uninstall:" ; \ if test -n "$(DESTDIR)"; then \ echo " (check DESTDIR support)"; \ fi ; \ $(distuninstallcheck_listfiles) ; \ exit 1; } >&2 distcleancheck: distclean @if test '$(srcdir)' = . 
; then \ echo "ERROR: distcleancheck can only run from a VPATH build" ; \ exit 1 ; \ fi @test `$(distcleancheck_listfiles) | wc -l` -eq 0 \ || { echo "ERROR: files left in build directory after distclean:" ; \ $(distcleancheck_listfiles) ; \ exit 1; } >&2 check-am: all-am check: check-recursive all-am: Makefile config.h installdirs: installdirs-recursive installdirs-am: install: install-recursive install-exec: install-exec-recursive install-data: install-data-recursive uninstall: uninstall-recursive install-am: all-am @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am installcheck: installcheck-recursive install-strip: if test -z '$(STRIP)'; then \ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ install; \ else \ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \ fi mostlyclean-generic: clean-generic: distclean-generic: -test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES) -test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES) maintainer-clean-generic: @echo "This command is intended for maintainers to use" @echo "it deletes files that may require special tools to rebuild." 
clean: clean-recursive clean-am: clean-generic mostlyclean-am distclean: distclean-recursive -rm -f $(am__CONFIG_DISTCLEAN_FILES) -rm -f Makefile distclean-am: clean-am distclean-generic distclean-hdr distclean-tags dvi: dvi-recursive dvi-am: html: html-recursive html-am: info: info-recursive info-am: install-data-am: install-data-local install-dvi: install-dvi-recursive install-dvi-am: install-exec-am: install-html: install-html-recursive install-html-am: install-info: install-info-recursive install-info-am: install-man: install-pdf: install-pdf-recursive install-pdf-am: install-ps: install-ps-recursive install-ps-am: installcheck-am: maintainer-clean: maintainer-clean-recursive -rm -f $(am__CONFIG_DISTCLEAN_FILES) -rm -rf $(top_srcdir)/autom4te.cache -rm -f Makefile maintainer-clean-am: distclean-am maintainer-clean-generic mostlyclean: mostlyclean-recursive mostlyclean-am: mostlyclean-generic pdf: pdf-recursive pdf-am: ps: ps-recursive ps-am: uninstall-am: .MAKE: $(am__recursive_targets) all install-am install-strip .PHONY: $(am__recursive_targets) CTAGS GTAGS TAGS all all-am \ am--refresh check check-am clean clean-cscope clean-generic \ cscope cscopelist-am ctags ctags-am dist dist-all dist-bzip2 \ dist-gzip dist-lzip dist-shar dist-tarZ dist-xz dist-zip \ distcheck distclean distclean-generic distclean-hdr \ distclean-tags distcleancheck distdir distuninstallcheck dvi \ dvi-am html html-am info info-am install install-am \ install-data install-data-am install-data-local install-dvi \ install-dvi-am install-exec install-exec-am install-html \ install-html-am install-info install-info-am install-man \ install-pdf install-pdf-am install-ps install-ps-am \ install-strip installcheck installcheck-am installdirs \ installdirs-am maintainer-clean maintainer-clean-generic \ mostlyclean mostlyclean-generic pdf pdf-am ps ps-am tags \ tags-am uninstall uninstall-am #INCLUDES = @INCLUDES@ # Install BFD include file, and others that it needs. 
#install-data-local: # @$(NORMAL_INSTALL) # $(mkinstalldirs) $(sysconfdir) # $(INSTALL_DATA)sagan.conf $(sysconfdir)/sagan.yaml install-data-local: test -z "$(DESTDIR)$(sysconfdir)" || /bin/mkdir -p "$(DESTDIR)$(sysconfdir)" test -f "$(DESTDIR)$(sysconfdir)/sagan.yaml" || $(INSTALL_DATA) etc/sagan.yaml "$(DESTDIR)$(sysconfdir)/sagan.yaml" test -z "$(DESTDIR)$(sbindir)" || /bin/mkdir -p "$(DESTDIR)$(sbindir)" $(INSTALL) -d "$(DESTDIR)$(mandir)/man8" $(INSTALL) -m 644 etc/sagan.8 "$(DESTDIR)$(mandir)/man8" $(INSTALL) -m 755 src/sagan "$(DESTDIR)$(sbindir)/sagan" $(INSTALL) -d "$(DESTDIR)/var/log/sagan" $(INSTALL) -d "$(DESTDIR)/var/run/sagan" @echo "" @echo "------------------------------------------------------------------------------" @echo "Sagan has been installed! You still need to do a few more things before your" @echo "up and running. For more information, see:" @echo "https://wiki.quadrantsec.com/twiki/bin/view/Main/SaganInstall" @echo "------------------------------------------------------------------------------" @echo "" # Tell versions [3.59,3.63) of GNU make to not export all variables. # Otherwise a system limit (for SysV at least) may be exceeded. .NOEXPORT: sagan-1.2.0/rules/0000755000175000017500000000000013310533422012673 5ustar champchampsagan-1.2.0/rules/nexpose.rules0000644000175000017500000000501213310533411015424 0ustar champchamp# Sagan nexpose.rules # Copyright (c) 2009-2017, Quadrant Information Security # All rights reserved. # # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list # #************************************************************* # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. 
# * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
# #************************************************************* # Brian Echeverry - NeXpose rules (security scanning software) alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[NeXpose] Scan paused"; content: "SCAN PAUSED|3a|"; classtype: not-suspicious; program: NeXpose; reference: url,wiki.quadrantsec.com/bin/view/Main/5002276; sid:5002276; rev:3;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[NeXpose] Scan failed"; content: "SCAN FAILED|3a|"; classtype: not-suspicious; program: NeXpose; reference: url,wiki.quadrantsec.com/bin/view/Main/5002277; sid:5002277; rev:3;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[NeXpose] Scan stopped"; content: "SCAN STOPPED|3a|"; classtype: not-suspicious; program: NeXpose; reference: url,wiki.quadrantsec.com/bin/view/Main/5002289; sid:5002289; rev:2;) sagan-1.2.0/rules/digitalpersona.rules0000644000175000017500000002744013310533411016761 0ustar champchamp# Sagan digitalpersona.rules # Copyright (c) 2009-2017, Quadrant Information Security # All rights reserved. # # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list # #************************************************************* # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. 
# # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. # #************************************************************* # Digitalpersona two factor (finger print) authentication systems. # Champ Clark III - 07/30/2012 # DigitalPersona_Pro: 1025: NT AUTHORITY\SYSTEM: User name: bob Domain: MASTER Credentials verified for logon: Password: No Fingerprint: Yes Smartcard: No Fingerprint PIN: No # ^^ Logins need normalization #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[DIGITALPERSONA] User login"; content: " 1024: "; classtype: successful-user; program: DigitalPersona* reference: url,wiki.quadrantsec.com/bin/view/Main/5001435; sid: 5001435; rev:3;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[DIGITALPERSONA] OTS Started"; content: " 1281: "; classtype: system-event; program: DigitalPersona* reference: url,wiki.quadrantsec.com/bin/view/Main/5001436; sid: 5001436; rev:3;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[DIGITALPERSONA] Fingerprint reader connected"; content: " 1793: "; classtype: system-event; program: DigitalPersona* reference: url,wiki.quadrantsec.com/bin/view/Main/5001437; sid: 5001437; rev:3;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[DIGITALPERSONA] Fingerprint reader disconnected"; content: " 1794: "; classtype: 
system-event; program: DigitalPersona* reference: url,wiki.quadrantsec.com/bin/view/Main/5001438; sid: 5001438; rev:3;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[DIGITALPERSONA] One-to-one fingerprint match failed [5/5]"; content: " 2049: "; classtype: unsuccessful-user; program: DigitalPersona* after: track by_src, count 5, seconds 300; threshold: type limit, track by_src, count 5, seconds 300; fwsam: src, 1 day; reference: url,wiki.quadrantsec.com/bin/view/Main/5001439; sid: 5001439; rev:3;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[DIGITALPERSONA] System unlocked"; content: " 1031: "; classtype: successful-user; program: DigitalPersona* reference: url,wiki.quadrantsec.com/bin/view/Main/5001440; sid: 5001440; rev:3;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[DIGITALPERSONA] Kiosk Login"; content: " 1026: "; classtype: successful-user; program: DigitalPersona* reference: url,wiki.quadrantsec.com/bin/view/Main/5001441; sid: 5001441; rev:3;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[DIGITALPERSONA] Logoff"; content: " 1027: "; classtype: successful-user; program: DigitalPersona* reference: url,wiki.quadrantsec.com/bin/view/Main/5001442; sid: 5001442; rev:3;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[DIGITALPERSONA] Kiosk Logoff"; content: " 1028: "; classtype: successful-user; program: DigitalPersona* reference: url,wiki.quadrantsec.com/bin/view/Main/5001443; sid: 5001443; rev:3;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[DIGITALPERSONA] System locked"; content: " 1029: "; classtype: successful-user; program: DigitalPersona* reference: url,wiki.quadrantsec.com/bin/view/Main/5001444; sid: 5001444; rev:3;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[DIGITALPERSONA] Kiosk locked"; content: " 1030: "; classtype: successful-user; program: DigitalPersona* reference: url,wiki.quadrantsec.com/bin/view/Main/5001445; sid: 5001445; rev:3;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: 
"[DIGITALPERSONA] System unlocked"; content: " 1031: "; classtype: successful-user; program: DigitalPersona* reference: url,wiki.quadrantsec.com/bin/view/Main/5001446; sid: 5001446; rev:3;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[DIGITALPERSONA] Kiosk unlocked"; content: " 1032: "; classtype: successful-user; program: DigitalPersona* reference: url,wiki.quadrantsec.com/bin/view/Main/5001447; sid: 5001447; rev:3;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[DIGITALPERSONA] Registered PIN"; content: " 1033: "; classtype: system-event; program: DigitalPersona* reference: url,wiki.quadrantsec.com/bin/view/Main/5001448; sid: 5001448; rev:3;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[DIGITALPERSONA] Changed PIN"; content: " 1034: "; classtype: system-event; program: DigitalPersona* reference: url,wiki.quadrantsec.com/bin/view/Main/5001449; sid: 5001449; rev:3;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[DIGITALPERSONA] FP used to unlocked smart card"; content: " 1035: "; classtype: system-event; program: DigitalPersona* reference: url,wiki.quadrantsec.com/bin/view/Main/5001450; sid: 5001450; rev:3;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[DIGITALPERSONA] Shared account problem"; content: " 1036: "; classtype: system-event; program: DigitalPersona* reference: url,wiki.quadrantsec.com/bin/view/Main/5001451; sid: 5001451; rev:3;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[DIGITALPERSONA] Shared account missing"; content: " 1037: "; classtype: system-event; program: DigitalPersona* reference: url,wiki.quadrantsec.com/bin/view/Main/5001452; sid: 5001452; rev:3;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[DIGITALPERSONA] OTS Stopped"; content: " 1281: "; classtype: system-event; program: DigitalPersona* reference: url,wiki.quadrantsec.com/bin/view/Main/5001453; sid: 5001453; rev:3;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[DIGITALPERSONA] Agent cannot start"; content: " 1283: "; 
classtype: system-event; program: DigitalPersona* reference: url,wiki.quadrantsec.com/bin/view/Main/5001454; sid: 5001454; rev:3;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[DIGITALPERSONA] Password changed canceled by user"; content: " 1285: "; classtype: system-event; program: DigitalPersona* reference: url,wiki.quadrantsec.com/bin/view/Main/5001455; sid: 5001455; rev:3;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[DIGITALPERSONA] Inital fillin was preformed"; content: " 1288: "; classtype: system-event; program: DigitalPersona* reference: url,wiki.quadrantsec.com/bin/view/Main/5001456; sid: 5001456; rev:3;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[DIGITALPERSONA] Fillin was preformed"; content: " 1289: "; classtype: system-event; program: DigitalPersona* reference: url,wiki.quadrantsec.com/bin/view/Main/5001457; sid: 5001457; rev:3;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[DIGITALPERSONA] Account data could not be modified"; content: " 1290: "; classtype: system-event; program: DigitalPersona* reference: url,wiki.quadrantsec.com/bin/view/Main/5001458; sid: 5001458; rev:3;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[DIGITALPERSONA] Account data successfully modified"; content: " 1291: "; classtype: system-event; program: DigitalPersona* reference: url,wiki.quadrantsec.com/bin/view/Main/5001459; sid: 5001459; rev:3;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[DIGITALPERSONA] CRC check failure"; content: " 1292: "; classtype: system-event; program: DigitalPersona* reference: url,wiki.quadrantsec.com/bin/view/Main/5001460; sid: 5001460; rev:3;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[DIGITALPERSONA] User added to Kiosk ID list"; content: " 1537: "; classtype: system-event; program: DigitalPersona* reference: url,wiki.quadrantsec.com/bin/view/Main/5001461; sid: 5001461; rev:3;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[DIGITALPERSONA] User deleted to Kiosk ID list"; content: " 
1538: "; classtype: system-event; program: DigitalPersona* reference: url,wiki.quadrantsec.com/bin/view/Main/5001462; sid: 5001462; rev:3;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[DIGITALPERSONA] User pushed out of the User ID list"; content: " 1539: "; classtype: system-event; program: DigitalPersona* reference: url,wiki.quadrantsec.com/bin/view/Main/5001463; sid: 5001463; rev:3;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[DIGITALPERSONA] Kiosk ID list created"; content: " 1540: "; classtype: system-event; program: DigitalPersona* reference: url,wiki.quadrantsec.com/bin/view/Main/5001464; sid: 5001464; rev:3;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[DIGITALPERSONA] Kiosk ID list deleted"; content: " 1541: "; classtype: system-event; program: DigitalPersona* reference: url,wiki.quadrantsec.com/bin/view/Main/5001465; sid: 5001465; rev:3;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[DIGITALPERSONA] DPHost started"; content: " 1795: "; classtype: system-event; program: DigitalPersona* reference: url,wiki.quadrantsec.com/bin/view/Main/5001466; sid: 5001466; rev:3;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[DIGITALPERSONA] DPHost cannot started"; content: " 1797: "; classtype: system-event; program: DigitalPersona* reference: url,wiki.quadrantsec.com/bin/view/Main/5001467; sid: 5001467; rev:3;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[DIGITALPERSONA] Connection to server succeeded"; content: " 1798: "; classtype: system-event; program: DigitalPersona* reference: url,wiki.quadrantsec.com/bin/view/Main/5001468; sid: 5001468; rev:3;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[DIGITALPERSONA] Connection to server failed"; content: " 1799: "; classtype: system-event; program: DigitalPersona* reference: url,wiki.quadrantsec.com/bin/view/Main/5001469; sid: 5001469; rev:3;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[DIGITALPERSONA] Server busy"; content: " 1800: "; classtype: 
system-event; program: DigitalPersona* reference: url,wiki.quadrantsec.com/bin/view/Main/5001470; sid: 5001470; rev:3;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[DIGITALPERSONA] One-to-many matched failed"; content: " 2050: "; classtype: system-event; program: DigitalPersona* reference: url,wiki.quadrantsec.com/bin/view/Main/5001471; sid: 5001471; rev:3;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[DIGITALPERSONA] Account locked out"; content: " 2051: "; classtype: system-event; program: DigitalPersona* reference: url,wiki.quadrantsec.com/bin/view/Main/5001472; sid: 5001472; rev:3;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[DIGITALPERSONA] License quota exceeded"; content: " 4097: "; classtype: system-event; program: DigitalPersona* reference: url,wiki.quadrantsec.com/bin/view/Main/5001473; sid: 5001473; rev:3;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[DIGITALPERSONA] License quota near limit"; content: " 4098: "; classtype: system-event; program: DigitalPersona* reference: url,wiki.quadrantsec.com/bin/view/Main/5001474; sid: 5001474; rev:3;) sagan-1.2.0/rules/cisco-sdee.rules0000644000175000017500000254601513310533411016000 0ustar champchamp# Sagan cisco-sdee.rules # Copyright (c) 2009-2017, Quadrant Information Security # All rights reserved. # # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list # #************************************************************* # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. 
# * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. # # Note: You will need a program to convert Cisco IPS events (from the SDEE protocol) to syslog. At Quadrant, # we have developed a program called "qdee" ("Q - Dee"). You'll need something similar. "qdee" is _not_ # a open source project at this time. # # Update Notes [2017/05/09] : The Cisco IPS modules are pretty old. By default, all these rules have been disabled # and you probably shouldn't use them. The software "qdee" is now shipped with Sagan in the "extra" directory. # You can also check out https://github.com/beave/sagan/tree/master/extra/qdee # # Contact Champ Clark III for more information (cclark@quadrantsec.com) # # Since these are not "standard" rules, we start the ID's at "6100000". 
# # See: https://supportforums.cisco.com/discussion/10008061/problems-ips-#alert-reporting # http://www.cisco.com/en/US/docs/ios/12_3t/12_3t8/feature/guide/gt_fwids.html # http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_data_ios_ips/configuration/12-4t/sec-data-ios-ips-12-4t-book.pdf #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] IPS/IDS License Expiration"; content: "Health Warning"; content: "licenseExpiration"; classtype: system-event; reference: url,wiki.quadrantsec.com/bin/view/Main/6100000; sid: 6100000; rev:1;) # Based off http://tools.cisco.com/security/center/viewIpsSignature.x?signatureId={Sigature ID} #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] IP options-Bad Option List"; content: "SID: 1000 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101000; sid: 6101000; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] IP options-Record Packet Route"; content: "SID: 1001 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101001; sid: 6101001; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] IP options-Timestamp"; content: "SID: 1002 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101002; sid: 6101002; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] IP options-Provide s,c,h,tcc"; content: "SID: 1003 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101003; sid: 6101003; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] IP options-Loose Source Route"; content: "SID: 1004 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; 
classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101004; sid: 6101004; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] IP options-SATNET ID"; content: "SID: 1005 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101005; sid: 6101005; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] IP options-Strict Source Route"; content: "SID: 1006 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101006; sid: 6101006; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] IPv6 over IPv4 or IPv6"; content: "SID: 1007 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101007; sid: 6101007; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Lurk Malware Communication"; content: "SID: 1018 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101018; sid: 6101018; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] XShellC601 Malware Communication"; content: "SID: 1019 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101019; sid: 6101019; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] BB Malware Communication"; content: "SID: 1020 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101020; sid: 6101020; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Murcy Malware Communication"; content: "SID: 1021 ,"; 
parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101021; sid: 6101021; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] QDigit Malware Communication"; content: "SID: 1022 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101022; sid: 6101022; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Cisco IOS Software Smart Install Denial of Service"; content: "SID: 1027 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101027; sid: 6101027; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] BitDefender Internet Security 2009 XSS"; content: "SID: 1028 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101028; sid: 6101028; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Novell iManager Off By One Buffer Overflow"; content: "SID: 1029 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101029; sid: 6101029; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Symantic IM Manager Administrator Console Code Injection"; content: "SID: 1030 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101030; sid: 6101030; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft Windows MPEG Layer-3 Audio Decoder Stack Buffer Overflow"; content: "SID: 1032 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: 
url,wiki.quadrantsec.com/bin/view/Main/6101032; sid: 6101032; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Slowloris Exploit"; content: "SID: 1034 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; default_proto: tcp; default_dst_port: $HTTP_PORT; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101034; sid: 6101034; rev: 6;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft DNS server Denial of Service Vulnerability"; content: "SID: 1038 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; default_proto: udp; default_dst_port: $DNS_PORT; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101038; sid: 6101038; rev: 5;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft Windows Remote Desktop Protocol Vulnerability"; content: "SID: 1039 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101039; sid: 6101039; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] DNSChanger Malware"; content: "SID: 1040 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; default_proto: udp; default_dst_port: $DNS_PORT; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101040; sid: 6101040; rev: 5;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Metasploit Shellcode Encoder"; content: "SID: 1044 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101044; sid: 6101044; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Novell GroupWise Internet Agent HTTP Request Remote Code Execution"; content: "SID: 1051 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; default_proto: tcp; default_dst_port: $HTTP_PORT; 
classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101051; sid: 6101051; rev: 5;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Adobe PDF Remote Code Execution"; content: "SID: 1052 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101052; sid: 6101052; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Cisco WebEx WRF File Buffer Overflow"; content: "SID: 1055 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; default_proto: tcp; default_dst_port: $HTTP_PORT; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101055; sid: 6101055; rev: 5;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Corehttp Httpd Buffer Overflow"; content: "SID: 1056 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; default_proto: tcp; default_dst_port: $HTTP_PORT; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101056; sid: 6101056; rev: 5;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Cisco WebEx Player WRF File Buffer Overflow"; content: "SID: 1057 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; default_proto: tcp; default_dst_port: $HTTP_PORT; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101057; sid: 6101057; rev: 5;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Cisco Webex WRF File Buffer Overflow"; content: "SID: 1058 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; default_proto: tcp; default_dst_port: $HTTP_PORT; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101058; sid: 6101058; rev: 5;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] IIS Hit-Highlighting Authentication Bypass"; content: "SID: 1059 ,"; parse_src_ip: 1; parse_dst_ip: 2; 
parse_port; program: qdee; default_proto: tcp; default_dst_port: $HTTP_PORT; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101059; sid: 6101059; rev: 5;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Apache auth_ldap Format String"; content: "SID: 1060 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; default_proto: tcp; default_dst_port: $HTTP_PORT; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101060; sid: 6101060; rev: 5;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Windows Active Directory LDAP Remote Code Execution"; content: "SID: 1062 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; default_proto: tcp; default_dst_port: 389; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101062; sid: 6101062; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] BIND 8 TSIG Remote Code Execution"; content: "SID: 1063 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; default_proto: udp; default_dst_port: $DNS_PORT; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101063; sid: 6101063; rev: 5;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] CA BrightStor Backup Products Tape Engine Service RPC Request Arbitrary Code Execution Vulnerability"; content: "SID: 1067 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101067; sid: 6101067; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft Windows PPTP Denial of Service"; content: "SID: 1069 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; default_proto: tcp; default_dst_port: $PPTP_PORT; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101069; sid: 6101069; rev: 5;) #alert any $EXTERNAL_NET any 
-> $HOME_NET any (msg: "[CISCO-SDEE] IBM Tivoli Directory Server 6.0 Denial Of Service"; content: "SID: 1076 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; default_proto: tcp; default_dst_port: $HTTP_PORT; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101076; sid: 6101076; rev: 5;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] PHP File Upload GLOBAL Variable Overwrite"; content: "SID: 1077 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; default_proto: tcp; default_dst_port: $HTTP_PORT; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101077; sid: 6101077; rev: 5;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Helix RTSP SETUP Request Denial Of Service"; content: "SID: 1079 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101079; sid: 6101079; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] IBM Informix Long Username Buffer Overflow"; content: "SID: 1080 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101080; sid: 6101080; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Libevent DNS Parsing Denial Of Service"; content: "SID: 1081 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; default_proto: udp; default_dst_port: $DNS_PORT; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101081; sid: 6101081; rev: 5;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Libevent DNS Parsing Denial Of Service"; content: "SID: 1082 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; default_proto: udp; default_dst_port: $DNS_PORT; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101082; 
sid: 6101082; rev: 5;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft Plug and Play Overflow"; content: "SID: 1083 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101083; sid: 6101083; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Cisco IOS HTTP Server Vulnerability"; content: "SID: 1085 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; default_proto: tcp; default_dst_port: $HTTP_PORT; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101085; sid: 6101085; rev: 5;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Oracle OPMN daemon Format String Denial Of Service"; content: "SID: 1086 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101086; sid: 6101086; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Oracle XDB FTP Buffer Overflow"; content: "SID: 1088 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; default_proto: tcp; default_dst_port: $FTP_PORT; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101088; sid: 6101088; rev: 5;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] SAP Message Server Group Parameter Remote Buffer Overflow"; content: "SID: 1089 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101089; sid: 6101089; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] NTP MODE_PRIVATE Denial of Service"; content: "SID: 1090 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; default_proto: udp; default_dst_port: $NTP_PORT; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101090; sid: 
6101090; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] OpenSwan and StrongSwan DPD Packet Remote DoS"; content: "SID: 1091 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101091; sid: 6101091; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Measuresoft ScadaPro Command Injection"; content: "SID: 1096 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101096; sid: 6101096; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Siemens FactoryLink Buffer Overflow"; content: "SID: 1097 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101097; sid: 6101097; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Siemens FactoryLink Denial of Service"; content: "SID: 1099 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101099; sid: 6101099; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Unknown IP Protocol"; content: "SID: 1101 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101101; sid: 6101101; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Impossible IP Packet"; content: "SID: 1102 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101102; sid: 6101102; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] IP Localhost Source Spoof"; content: "SID: 1104 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; 
classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101104; sid: 6101104; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Siemens FactoryLink Denial of Service"; content: "SID: 1105 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101105; sid: 6101105; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsys PROMOTIC ActiveX SaveCfg AddTrend Buffer Overflow"; content: "SID: 1106 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101106; sid: 6101106; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] RFC 1918 Addresses Seen"; content: "SID: 1107 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101107; sid: 6101107; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] IP Packet with Proto 11"; content: "SID: 1108 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101108; sid: 6101108; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Cisco IOS Interface DoS"; content: "SID: 1109 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101109; sid: 6101109; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Siemens FactoryLink Arbitrary Files Access and Denial of Service"; content: "SID: 1121 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101121; sid: 6101121; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: 
"[CISCO-SDEE] OpenOffice Remote Code Execution"; content: "SID: 1122 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101122; sid: 6101122; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft RPC DCOM ISystemActivator Buffer Overflow"; content: "SID: 1124 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101124; sid: 6101124; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] WellinTech Kingview Buffer Overflow"; content: "SID: 1126 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101126; sid: 6101126; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Cisco IOS ISAKMP Vulnerability"; content: "SID: 1127 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101127; sid: 6101127; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft RRAS Service Overflow"; content: "SID: 1128 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101128; sid: 6101128; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft Internet Explorer VML Remote Code Execution"; content: "SID: 1129 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101129; sid: 6101129; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft Windows Malicous Signed Portable Executable File"; content: "SID: 1130 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; 
classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101130; sid: 6101130; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft MSCOMCTL ActiveX Control Remote Code Execution Vulnerability"; content: "SID: 1131 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101131; sid: 6101131; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft IE OnReadyStateChange Remote Code Execution"; content: "SID: 1132 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101132; sid: 6101132; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft IE SelectAll Remote Code Execution"; content: "SID: 1134 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101134; sid: 6101134; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft .NET Framework Parameter Validation Vulnerability"; content: "SID: 1135 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101135; sid: 6101135; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft Works Remote Code Execution"; content: "SID: 1136 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101136; sid: 6101136; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft Livemesh Application"; content: "SID: 1137 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101137; sid: 6101137; 
rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft Internet Explorer VML Use After Free"; content: "SID: 1138 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101138; sid: 6101138; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Samba Marshalling Code Remote Code Execution Vulnerability"; content: "SID: 1140 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101140; sid: 6101140; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Javascript Obfuscation Code Fragment"; content: "SID: 1142 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101142; sid: 6101142; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] DirectX NULL Byte Overwrite Vulnerability"; content: "SID: 1143 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101143; sid: 6101143; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft Office Publisher 2007 Remote Code Execution"; content: "SID: 1144 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101144; sid: 6101144; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft Office PowerPoint Remote Code Execution Vulnerability"; content: "SID: 1152 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101152; sid: 6101152; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft Excel 2003 
Denial of Service Vulnerability"; content: "SID: 1155 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101155; sid: 6101155; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft Outlook Remote Code Execution"; content: "SID: 1157 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101157; sid: 6101157; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Apache 2.0 Encoded Backslash Directory Traversal Vulnerability"; content: "SID: 1166 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; default_proto: tcp; default_dst_port: $HTTP_PORT; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101166; sid: 6101166; rev: 5;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Generic Alphanumeric Generated Email Address"; content: "SID: 1169 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101169; sid: 6101169; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Metasploit Shellcode Encoder"; content: "SID: 1173 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101173; sid: 6101173; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Visio Viewer Remote Code Execution"; content: "SID: 1182 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101182; sid: 6101182; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft Word RTF Heap Overrun"; content: "SID: 1183 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; 
program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101183; sid: 6101183; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Adobe Acrobat Reader Buffer Overflow"; content: "SID: 1184 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101184; sid: 6101184; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft .NET Framework Serialization Vulnerability"; content: "SID: 1185 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101185; sid: 6101185; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft Excel Memory Corruption"; content: "SID: 1186 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101186; sid: 6101186; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft GDI Plus Heap Overflow Vulnerability"; content: "SID: 1187 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101187; sid: 6101187; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft .NET Framework Vulnerability"; content: "SID: 1188 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101188; sid: 6101188; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft Excel MergeCells Record Heap Overflow"; content: "SID: 1189 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101189; sid: 6101189; rev: 4;) #alert any 
$EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Flash Player newfunction Buffer Overflow"; content: "SID: 1190 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101190; sid: 6101190; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Excel Memory Corruption Vulnerability"; content: "SID: 1191 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101191; sid: 6101191; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft Excel Remote Code Execution"; content: "SID: 1192 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101192; sid: 6101192; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft .NET Remote Code Execution"; content: "SID: 1193 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101193; sid: 6101193; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft GDI Remote Code Execution Vulnerability"; content: "SID: 1194 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101194; sid: 6101194; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft TrueType Font Parsing Vulnerability"; content: "SID: 1195 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101195; sid: 6101195; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft Excel File Format Memory Corruption Vulnerability"; content: "SID: 1196 ,"; 
parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101196; sid: 6101196; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft Excel File Format Memory Corruption Vulnerability"; content: "SID: 1197 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101197; sid: 6101197; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] IP Fragmentation Buffer Full"; content: "SID: 1200 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101200; sid: 6101200; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] IP Fragment Overlap"; content: "SID: 1201 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101201; sid: 6101201; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] IP Fragment Overrun - Datagram Too Long"; content: "SID: 1202 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101202; sid: 6101202; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] IP Fragment Overwrite - Data is Overwritten"; content: "SID: 1203 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101203; sid: 6101203; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] IP Fragment Missing Initial Fragment"; content: "SID: 1204 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101204; sid: 6101204; rev: 4;) 
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] IP Fragment Too Many Datagrams"; content: "SID: 1205 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101205; sid: 6101205; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] IP Fragment Too Small"; content: "SID: 1206 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101206; sid: 6101206; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] IP Fragment Too Many Fragments in a Datagram"; content: "SID: 1207 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101207; sid: 6101207; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] IP Fragment Incomplete Datagram"; content: "SID: 1208 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101208; sid: 6101208; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft Windows Object Packager Remote Code Execution Vulnerability"; content: "SID: 1210 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101210; sid: 6101210; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Spyeye Trojan Toolkit"; content: "SID: 1212 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101212; sid: 6101212; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft Internet Explorer Deflate Encoding Memory Corruption"; content: "SID: 1213 ,"; parse_src_ip: 1; 
parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101213; sid: 6101213; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Adobe Flash Player MP4 File Memory Corruption"; content: "SID: 1218 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101218; sid: 6101218; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Jolt2 Fragment Reassembly DoS attack"; content: "SID: 1220 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101220; sid: 6101220; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Oracle Database Server DBMS_CDC_PUBLISH SQL Injection"; content: "SID: 1221 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101221; sid: 6101221; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Fragment Flags Invalid"; content: "SID: 1225 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101225; sid: 6101225; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Packet Bad Length"; content: "SID: 1250 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101250; sid: 6101250; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Flame Malware"; content: "SID: 1256 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101256; sid: 6101256; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: 
"[CISCO-SDEE] Microsoft Internet Explorer Remote Code Execution Vulnerability"; content: "SID: 1258 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101258; sid: 6101258; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] MS Internet Explorer 9 Use After Free"; content: "SID: 1261 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101261; sid: 6101261; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft Unauthorized Digital Certificates"; content: "SID: 1263 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101263; sid: 6101263; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft Internet Explorer Memory Leak"; content: "SID: 1265 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101265; sid: 6101265; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft Internet Explorer Remote Code Execution"; content: "SID: 1268 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101268; sid: 6101268; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft Internet Explorer Title Element Change Remote Code Execution"; content: "SID: 1270 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101270; sid: 6101270; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft insertAdjacentText Remote Code Execution"; content: "SID: 1271 ,"; 
parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101271; sid: 6101271; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft Internet Explorer Developer Toolbar Vulnerability"; content: "SID: 1272 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101272; sid: 6101272; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft Internet Explorer 8 Memory Corruption Vulnerability"; content: "SID: 1273 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101273; sid: 6101273; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft .NET Framework Memory Access Vulnerability"; content: "SID: 1274 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101274; sid: 6101274; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft Dynamics AX Enterprise Portal Elevation of Privilege"; content: "SID: 1275 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101275; sid: 6101275; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft Internet Explorer OnBeforeDeactivate Event Remote Code Execution"; content: "SID: 1276 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101276; sid: 6101276; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft Internet Explorer Remote Code Execution Vulnerability"; content: "SID: 1277 ,"; parse_src_ip: 1; 
parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101277; sid: 6101277; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft Internet Explorer and Lync HTML Sanitization Cross-Site Scripting"; content: "SID: 1279 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101279; sid: 6101279; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft XML Core Services Remote Code Execution"; content: "SID: 1281 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101281; sid: 6101281; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Cisco WebEx Player WRF File Heap Overflow"; content: "SID: 1283 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101283; sid: 6101283; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Cisco WebEx Player WRF File Buffer Overflow"; content: "SID: 1284 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101284; sid: 6101284; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Rockwell ControlLogix Stop Service Code"; content: "SID: 1285 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101285; sid: 6101285; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Rockwell ControlLogix Reset Service Code"; content: "SID: 1287 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: 
url,wiki.quadrantsec.com/bin/view/Main/6101287; sid: 6101287; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Cisco TelePresence Recording Server Media Import Command Injection"; content: "SID: 1288 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101288; sid: 6101288; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Rockwell ControlLogix boot code dump"; content: "SID: 1289 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101289; sid: 6101289; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Rockwell ControlLogix Denial of Service"; content: "SID: 1290 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101290; sid: 6101290; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Rockwell ControlLogix Firmware Update"; content: "SID: 1291 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101291; sid: 6101291; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Rockwell ControlLogix Denial of Service"; content: "SID: 1292 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101292; sid: 6101292; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Rockwell ControlLogix Denial of Service"; content: "SID: 1293 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101293; sid: 6101293; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] 
Novell Groupwise Messenger Server Information Leakage"; content: "SID: 1295 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101295; sid: 6101295; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Cisco Webex WRF JPEG DHT Chunk Stack Buffer Overflow"; content: "SID: 1296 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101296; sid: 6101296; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] SNMP Enumeration Information Disclosure"; content: "SID: 1298 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; default_proto: udp; default_dst_port: $SNMP_PORT; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101298; sid: 6101298; rev: 5;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] TCP Segment Overwrite"; content: "SID: 1300 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; default_proto: tcp; default_dst_port: $FTP_PORT; default_proto: tcp; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101300; sid: 6101300; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] TCP Session Inactivity Timeout"; content: "SID: 1301 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; default_proto: tcp; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101301; sid: 6101301; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] TCP Session Embryonic Timeout"; content: "SID: 1302 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; default_proto: tcp; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101302; sid: 6101302; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] TCP Session 
Closing Timeout"; content: "SID: 1303 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; default_proto: tcp; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101303; sid: 6101303; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] TCP Session Packet Queue Overflow"; content: "SID: 1304 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; default_proto: tcp; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101304; sid: 6101304; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] TCP URG flag set"; content: "SID: 1305 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; default_proto: tcp; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101305; sid: 6101305; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] TCP Option Other"; content: "SID: 1306 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; default_proto: tcp; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101306; sid: 6101306; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] TCP Window Variation"; content: "SID: 1307 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; default_proto: tcp; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101307; sid: 6101307; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] TTL evasion"; content: "SID: 1308 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101308; sid: 6101308; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] TCP Reserved flags set"; content: "SID: 1309 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; default_proto: tcp; classtype: suspicious-traffic; reference: 
url,wiki.quadrantsec.com/bin/view/Main/6101309; sid: 6101309; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] TCP Retransmit Data Different"; content: "SID: 1310 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; default_proto: tcp; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101310; sid: 6101310; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] TCP Packet Exceeds MSS"; content: "SID: 1311 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; default_proto: tcp; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101311; sid: 6101311; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] TCP MSS below minimum"; content: "SID: 1312 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; default_proto: tcp; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101312; sid: 6101312; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] TCP MSS exceeds maximum"; content: "SID: 1313 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; default_proto: tcp; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101313; sid: 6101313; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] TCP SYN Packet With Data"; content: "SID: 1314 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; default_proto: tcp; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101314; sid: 6101314; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] ACK w/o TCP Stream"; content: "SID: 1315 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; default_proto: tcp; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101315; sid: 6101315; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] FIN 
or RST w/o TCP Stream"; content: "SID: 1316 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; default_proto: tcp; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101316; sid: 6101316; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Zero Window Probe"; content: "SID: 1317 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101317; sid: 6101317; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft SharePoint Reflected List Parameter Vulnerability"; content: "SID: 1326 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101326; sid: 6101326; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft IIS Stack Exhaustion DoS"; content: "SID: 1328 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; default_proto: tcp; default_dst_port: $HTTP_PORT; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101328; sid: 6101328; rev: 5;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft Internet Explorer 9 Cached Object Remote Code Execution"; content: "SID: 1329 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101329; sid: 6101329; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] TCP Drop - Bad Checksum"; content: "SID: 1330 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; default_proto: tcp; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101330; sid: 6101330; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft Internet Explorer Remote Code Execution"; content: "SID: 1331 ,"; 
parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; default_proto: tcp; default_dst_port: $HTTP_PORT; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101331; sid: 6101331; rev: 5;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft Windows Registered Application Handler Vulnerability"; content: "SID: 1333 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101333; sid: 6101333; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft Windows ADO Heap Overflow"; content: "SID: 1334 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101334; sid: 6101334; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft Sharepoint Cross Site Scripting Attack"; content: "SID: 1335 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101335; sid: 6101335; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Cisco Telepresence Command Injection Vulnerability"; content: "SID: 1338 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101338; sid: 6101338; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Joomla 1.5.12 TinyBrowser File Upload Code Execution"; content: "SID: 1341 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101341; sid: 6101341; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Cisco Common Services Framework Help Servlet XSS Vulnerability"; content: "SID: 1343 ,"; parse_src_ip: 1; parse_dst_ip: 2; 
parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101343; sid: 6101343; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Cisco IOS BGP Malformed Attribute Denial of Service"; content: "SID: 1346 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101346; sid: 6101346; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Skype Call Activity"; content: "SID: 1347 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101347; sid: 6101347; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Javascript Trojan Iframe.F"; content: "SID: 1349 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101349; sid: 6101349; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft Visio Viewer Code Execution Vulnerability"; content: "SID: 1350 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101350; sid: 6101350; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Symantec Web Gateway Remote Command Execution"; content: "SID: 1353 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101353; sid: 6101353; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Adobe Flash Player URL Security Domain Checking Vulnerability"; content: "SID: 1356 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101356; sid: 6101356; rev: 4;) 
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Adobe Shockwave Buffer Overflow"; content: "SID: 1358 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101358; sid: 6101358; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] IBM Lotus Domino Server Controller Authentication Bypass"; content: "SID: 1360 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101360; sid: 6101360; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft Remote Administration Protocol Read Access Violation Vulnerability"; content: "SID: 1364 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101364; sid: 6101364; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Oracle WebCenter ActiveX Control File Creation Vulnerability"; content: "SID: 1366 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101366; sid: 6101366; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft Internet Explorer Remote Code Execution"; content: "SID: 1367 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101367; sid: 6101367; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Apple Quicktime JPEG2000 Integer Overflow"; content: "SID: 1369 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101369; sid: 6101369; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] FFmpeg 4xm Null 
Pointer Memory Corruption"; content: "SID: 1370 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101370; sid: 6101370; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft Internet Explorer Integer Overflow Remote Code Execution"; content: "SID: 1371 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101371; sid: 6101371; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft Internet Explorer Asynchronous NULL Object Access Remote Code Execution"; content: "SID: 1372 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101372; sid: 6101372; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Adobe Flash Player MP4 File Memory Corruption Vulnerability"; content: "SID: 1373 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101373; sid: 6101373; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Trend Micro ServerProtect EarthAgent RPC Buffer Overflow Vulnerability"; content: "SID: 1374 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101374; sid: 6101374; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Apple Safari WebKit Memory Corruption Vulnerability"; content: "SID: 1376 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101376; sid: 6101376; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Google Chrome and Apple Safari Use After Free 
Vulnerability"; content: "SID: 1377 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101377; sid: 6101377; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft Visio Memory Corruption"; content: "SID: 1378 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101378; sid: 6101378; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft Windows Remote Desktop Protocol Vulnerability"; content: "SID: 1379 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101379; sid: 6101379; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] MSCOMCTL ActiveX Control Remote Code Execution Vulnerability"; content: "SID: 1380 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101380; sid: 6101380; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft Networking Vulnerability"; content: "SID: 1381 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101381; sid: 6101381; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft Windows Print Spooler Service Format String Vulnerability"; content: "SID: 1382 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101382; sid: 6101382; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft Remote Administration Protocol Heap Overflow"; content: "SID: 1384 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: 
qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101384; sid: 6101384; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft Windows IE Layout Memory Corruption"; content: "SID: 1385 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101385; sid: 6101385; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Adobe Acrobat Reader Stack Buffer Overflow Vulnerability"; content: "SID: 1386 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101386; sid: 6101386; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Adobe Flash Player Arbitrary Code Execution"; content: "SID: 1387 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101387; sid: 6101387; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] OpenSSL CMS Structure OriginatorInfo Memory Corruption"; content: "SID: 1388 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101388; sid: 6101388; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] HP Database Archiving Software GIOP Parsing Buffer Overflow"; content: "SID: 1389 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101389; sid: 6101389; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Adobe Acrobat Denial of Service"; content: "SID: 1393 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101393; sid: 6101393; 
rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Cisco Linksys PlayerPT ActiveX Control Stack Overflow"; content: "SID: 1394 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101394; sid: 6101394; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Adobe Flash Player MP4 Sequence Parameter Set Parsing Buffer Overflow"; content: "SID: 1395 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101395; sid: 6101395; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft Visual Studio Cross Site Scripting (XSS) Vulnerability"; content: "SID: 1396 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101396; sid: 6101396; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Mozilla Firefox Array.reduceRight Integer Overflow Vulnerability"; content: "SID: 1397 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101397; sid: 6101397; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft Outlook Web Access Cross Site Request Forgery Vulnerability"; content: "SID: 1398 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101398; sid: 6101398; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] CA Total Defense Suite Information Disclosure Vulnerability"; content: "SID: 1399 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101399; sid: 6101399; rev: 4;) #alert any 
$EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] GRE Over IPv6 Encapsulation"; content: "SID: 1400 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101400; sid: 6101400; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] IPIP Encapsulation"; content: "SID: 1401 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101401; sid: 6101401; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] MPLS Over IPv6 Encapsulation"; content: "SID: 1402 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101402; sid: 6101402; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] IPv4 Over IPv6 Encapsulation"; content: "SID: 1403 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101403; sid: 6101403; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Adobe Shockwave PAMI Chunk Remote Code Execution"; content: "SID: 1404 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101404; sid: 6101404; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Teredo Destination IP Address"; content: "SID: 1405 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101405; sid: 6101405; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Teredo Source Port"; content: "SID: 1406 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: 
url,wiki.quadrantsec.com/bin/view/Main/6101406; sid: 6101406; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Teredo Destination Port"; content: "SID: 1407 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101407; sid: 6101407; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Teredo Data Packet"; content: "SID: 1408 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101408; sid: 6101408; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] GRE Tunnel Detected"; content: "SID: 1409 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101409; sid: 6101409; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] IPv6 Over MPLS Tunnel"; content: "SID: 1410 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101410; sid: 6101410; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Advanced DNP3 - Unsolicited Response Storm"; content: "SID: 1414 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101414; sid: 6101414; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Advanced DNP3 - Non-DNP3 Communication on a DNP3 Port"; content: "SID: 1415 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101415; sid: 6101415; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Advanced DNP3 - Last Received Was A Broadcast Message"; content: "SID: 1417 ,"; 
parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101417; sid: 6101417; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Java 7 Applet Remote Code Execution Vulnerability"; content: "SID: 1421 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101421; sid: 6101421; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Advanced DNP3 - Time Synchronization Required"; content: "SID: 1422 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101422; sid: 6101422; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Advanced DNP3 - Device Under Local Control"; content: "SID: 1423 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101423; sid: 6101423; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Advanced DNP3 - Device In Trouble"; content: "SID: 1424 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101424; sid: 6101424; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Advanced DNP3 - Attempt To Use Unsupported Function Code"; content: "SID: 1425 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101425; sid: 6101425; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Advanced DNP3 - Request Object Unknown Or Errors In Application Data"; content: "SID: 1426 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: 
url,wiki.quadrantsec.com/bin/view/Main/6101426; sid: 6101426; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Advanced DNP3 - Parameters Out Of Range"; content: "SID: 1427 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101427; sid: 6101427; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Advanced DNP3 - Event Buffer Overflow"; content: "SID: 1428 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101428; sid: 6101428; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Advanced DNP3 - Already Executing Request"; content: "SID: 1429 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101429; sid: 6101429; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Advanced DNP3 - Corrupt Configuration Error"; content: "SID: 1430 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101430; sid: 6101430; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Advanced DNP3 - Invalid Reserved IIN Flags Set"; content: "SID: 1431 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101431; sid: 6101431; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Advanced DNP3 - Active Configuration"; content: "SID: 1432 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101432; sid: 6101432; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Advanced DNP3 - 
Authentication Request"; content: "SID: 1433 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101433; sid: 6101433; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Advanced DNP3 - Authentication Reply"; content: "SID: 1434 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101434; sid: 6101434; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Advanced DNP3 - Authentication Error"; content: "SID: 1435 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101435; sid: 6101435; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Advanced DNP3 - Authentication Response Or Authentication Challenge"; content: "SID: 1436 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101436; sid: 6101436; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Advanced DNP3 - Unsolicited Authentication Challenge"; content: "SID: 1437 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101437; sid: 6101437; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Advanced DNP3 - Unsolicited Authentication Response Storm"; content: "SID: 1438 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101438; sid: 6101438; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Advanced DNP3 - Device Restarted"; content: "SID: 1439 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; 
classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101439; sid: 6101439; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Shamoon Malware Activity"; content: "SID: 1441 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101441; sid: 6101441; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft Visual Studio Team Web Access XSS Vulnerability"; content: "SID: 1442 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101442; sid: 6101442; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft System Center Configuration Manager Reflected XSS"; content: "SID: 1444 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101444; sid: 6101444; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Adobe Reader Memory Corruption"; content: "SID: 1445 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101445; sid: 6101445; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] BaoFeng Storm ActiveX Control Buffer Overflow Vulnerability"; content: "SID: 1446 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101446; sid: 6101446; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Ganglia Stack Buffer Overflow Vulnerability"; content: "SID: 1447 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101447; sid: 6101447; rev: 4;) #alert any 
$EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Cisco WebEx Player Player Heap Buffer Overflow Vulnerability"; content: "SID: 1451 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101451; sid: 6101451; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Adobe Reader Memory Corruption Vulnerability"; content: "SID: 1455 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101455; sid: 6101455; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Oracle Fusion Middleware Outside In Excel File Parsing Integer Overflow"; content: "SID: 1459 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101459; sid: 6101459; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] OpenLDAP Modrdn Memory Corruption Vulnerability"; content: "SID: 1460 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101460; sid: 6101460; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] DATAC Control RealWin SCADA Server Buffer Overflow Vulnerability"; content: "SID: 1461 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101461; sid: 6101461; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] RealNetworks Helix Universal Server Buffer Overflow"; content: "SID: 1462 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101462; sid: 6101462; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] 
DD-WRT Arbitrary Shell Command Execution Vulnerability"; content: "SID: 1464 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101464; sid: 6101464; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft Internet Explorer execCommand Vulnerability"; content: "SID: 1466 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101466; sid: 6101466; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] EMC NetWorker Format String Vulnerability"; content: "SID: 1468 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101468; sid: 6101468; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft Office Visio Object Processing Vulnerability"; content: "SID: 1469 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101469; sid: 6101469; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Mozilla Firefox and SeaMonkey Remote Cross-Site Scripting Vulnerability"; content: "SID: 1470 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101470; sid: 6101470; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Oracle GlassFish Server Administration Console Remote Authentication Bypass Vulnerability"; content: "SID: 1471 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101471; sid: 6101471; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft Windows Embedded OpenType 
Font Processing Heap Overflow Vulnerability"; content: "SID: 1472 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101472; sid: 6101472; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] XDP Encoded PDF File Transfer"; content: "SID: 1474 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101474; sid: 6101474; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Webex Player Heap Overflow"; content: "SID: 1475 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101475; sid: 6101475; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Cisco ASA and FWSM DCERPC Inspection DoS"; content: "SID: 1476 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101476; sid: 6101476; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Cisco ASA PIX Denial of Service"; content: "SID: 1478 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101478; sid: 6101478; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft Internet Explorer Use After Free Vulnerability"; content: "SID: 1480 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101480; sid: 6101480; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft Internet Explorer cloneNode Remote Code Execution"; content: "SID: 1481 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: 
suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101481; sid: 6101481; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft Internet Explorer Document Layout Processing Use-After-Free Vulnerability"; content: "SID: 1482 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101482; sid: 6101482; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft Internet Explorer 9 Event Listener Remote Code Execution"; content: "SID: 1483 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101483; sid: 6101483; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Cisco WebEx Recording Format Player Buffer Overflow"; content: "SID: 1487 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101487; sid: 6101487; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] CISCO ASA DCERPC Inspection Denial Of Service"; content: "SID: 1492 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101492; sid: 6101492; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Distributed Denial of Service on Financial Institutions"; content: "SID: 1493 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101493; sid: 6101493; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Cisco WebEx Recording Format Player Overflow"; content: "SID: 1494 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: 
url,wiki.quadrantsec.com/bin/view/Main/6101494; sid: 6101494; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft Word Remote Code Execution"; content: "SID: 1495 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101495; sid: 6101495; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft Works 9 Remote Code Execution Vulnerability"; content: "SID: 1496 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101496; sid: 6101496; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Cisco WebEx WRF Player Memory Corruption"; content: "SID: 1497 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101497; sid: 6101497; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft SQL Server Report Manager Reflected Cross Site Scripting Vulnerability"; content: "SID: 1498 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101498; sid: 6101498; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft Word PAPX Section Processing Arbitrary Code Execution Vulnerability"; content: "SID: 1501 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101501; sid: 6101501; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] PHP Response-Splitting Protection Bypass"; content: "SID: 1503 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101503; sid: 6101503; rev: 4;) 
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Cisco WebEx WRF Player Memory Corruption"; content: "SID: 1504 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101504; sid: 6101504; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] RealNetworks Helix Server RTSP SETUP Stack Buffer Overflow"; content: "SID: 1507 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101507; sid: 6101507; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] ImageMagick ResolutionUnit Tag Invalid Validation Denial of Service Vulnerability"; content: "SID: 1508 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101508; sid: 6101508; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft Office TIFF Image Converter Memory Corruption"; content: "SID: 1511 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101511; sid: 6101511; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] HP Easy Printer Care HPTicketMgr.dll ActiveX Remote Code Execution"; content: "SID: 1512 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101512; sid: 6101512; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Adobe SWF Remote Code Execution"; content: "SID: 1513 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101513; sid: 6101513; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] 
Adobe SWF Remote Code Execution"; content: "SID: 1514 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101514; sid: 6101514; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Modbus TCP - Invalid Function Code Is Used"; content: "SID: 1520 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; default_proto: tcp; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101520; sid: 6101520; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Modbus TCP - Reserved Function Code Used"; content: "SID: 1524 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; default_proto: tcp; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101524; sid: 6101524; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Adobe SWF Remote Code Execution"; content: "SID: 1528 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101528; sid: 6101528; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Google Chrome and Apple Safari Use-After-Free Code Execution"; content: "SID: 1532 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101532; sid: 6101532; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] EMC NetWorker Buffer Overflow"; content: "SID: 1534 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101534; sid: 6101534; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Exim Mail Transfer Agent Arbitrary Code Execution Vulnerability"; content: "SID: 1535 ,"; parse_src_ip: 1; parse_dst_ip: 2; 
parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101535; sid: 6101535; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Adobe Acrobat PDF Font Processing Memory Corruption"; content: "SID: 1536 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101536; sid: 6101536; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Oracle Outside In JPEG 2000 Heap Buffer Overflow"; content: "SID: 1537 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101537; sid: 6101537; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Cisco Unified MeetingPlace Web Conferencing Buffer Overflow"; content: "SID: 1538 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101538; sid: 6101538; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Oracle Hyperion Strategic Finance Client Heap Buffer Overflow"; content: "SID: 1540 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101540; sid: 6101540; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Adobe Reader Code Execution"; content: "SID: 1545 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101545; sid: 6101545; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] H3C and Huawei SNMP Access Control Vulnerability"; content: "SID: 1546 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; default_proto: udp; default_dst_port: $SNMP_PORT; classtype: 
suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101546; sid: 6101546; rev: 5;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft Office Word 2010 Stack Overflow"; content: "SID: 1547 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101547; sid: 6101547; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft Office Picture Manager Memory Corruption"; content: "SID: 1548 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101548; sid: 6101548; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Novell Netware XNFS.NLM xdrDecodeString Heap Buffer Overflow"; content: "SID: 1550 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101550; sid: 6101550; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Firefox SVGTextElement.getCharNumAtPositio Use-After-Free"; content: "SID: 1555 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101555; sid: 6101555; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] HP Intelligent Management Center Multiple Remote Code Execution"; content: "SID: 1556 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101556; sid: 6101556; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] IBM Lotus Notes URL Handler Vulnerability"; content: "SID: 1563 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101563; sid: 
6101563; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft Internet Explorer Cross Domain Bypass"; content: "SID: 1564 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101564; sid: 6101564; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Novell ZENworks Asset Management Web Console Information Disclosure"; content: "SID: 1565 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101565; sid: 6101565; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft Vista Speech Recognition ActiveX Vulnerabilities"; content: "SID: 1566 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101566; sid: 6101566; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] HP StorageWorks P4000 Virtual SAN Appliance Command Execution Vulnerability"; content: "SID: 1569 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101569; sid: 6101569; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Apple iCloud Traffic"; content: "SID: 1570 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101570; sid: 6101570; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Novell File Reporter Buffer Overflow"; content: "SID: 1571 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101571; sid: 6101571; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] HP 
Operations Agent for NonStop Server HEALTH Packet Parsing Stack Buffer"; content: "SID: 1572 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101572; sid: 6101572; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Macromedia Shockwave ActiveX SwDir.dll Stack Buffer Overflow"; content: "SID: 1573 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101573; sid: 6101573; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] VMWare ActiveX Remote Code Execution"; content: "SID: 1574 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101574; sid: 6101574; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Novell iPrint Client ActiveX Remote Code Execution"; content: "SID: 1575 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101575; sid: 6101575; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Asterisk SIP Channel Driver Denial of Service"; content: "SID: 1577 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101577; sid: 6101577; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] TFTPD32 Format String Vulnerability"; content: "SID: 1578 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101578; sid: 6101578; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Asterisk SIP INVITE Denial of Service"; content: "SID: 1579 ,"; parse_src_ip: 1; parse_dst_ip: 2; 
parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101579; sid: 6101579; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Adobe Shockwave Player Director Record Parsing Remote Code Execution"; content: "SID: 1580 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101580; sid: 6101580; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft Windows Explorer Code Execution"; content: "SID: 1584 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101584; sid: 6101584; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft Windows Explorer Code Execution"; content: "SID: 1585 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101585; sid: 6101585; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] VLC Media Player Code Execution"; content: "SID: 1586 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101586; sid: 6101586; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft Windows File Enumeration Memory Corruption Vulnerability"; content: "SID: 1587 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101587; sid: 6101587; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft Excel Stack Overflow Code Execution"; content: "SID: 1588 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: 
url,wiki.quadrantsec.com/bin/view/Main/6101588; sid: 6101588; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft Excel Invalid Length Use After Free"; content: "SID: 1589 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101589; sid: 6101589; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft Excel Remote Code Execution Vulnerability"; content: "SID: 1591 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101591; sid: 6101591; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft Excel Remote Code Execution Vulnerability"; content: "SID: 1593 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101593; sid: 6101593; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Asterisk Skinny Channel Driver Capabilities_Res_Message Denial of Service"; content: "SID: 1595 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101595; sid: 6101595; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft Internet Explorer CFormElement Use After Free Vulnerability"; content: "SID: 1596 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101596; sid: 6101596; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft .NET Framework Web Proxy Auto-Discovery Arbitrary Code Execution"; content: "SID: 1597 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: 
url,wiki.quadrantsec.com/bin/view/Main/6101597; sid: 6101597; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Oracle Business Intelligence Enterprise Edition Cross Site Scripting"; content: "SID: 1598 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101598; sid: 6101598; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] ICMPv6 zero length option"; content: "SID: 1600 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; default_proto: icmp; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101600; sid: 6101600; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] ICMPv6 option type 1 violation"; content: "SID: 1601 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; default_proto: icmp; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101601; sid: 6101601; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] ICMPv6 option type 2 violation"; content: "SID: 1602 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; default_proto: icmp; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101602; sid: 6101602; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] ICMPv6 option type 3 violation"; content: "SID: 1603 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; default_proto: icmp; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101603; sid: 6101603; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] ICMPv6 option type 4 violation"; content: "SID: 1604 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; default_proto: icmp; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101604; sid: 6101604; rev: 4;) #alert 
any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] ICMPv6 option type 5 violation"; content: "SID: 1605 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; default_proto: icmp; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101605; sid: 6101605; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] ICMPv6 short option data"; content: "SID: 1606 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; default_proto: icmp; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101606; sid: 6101606; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] IPv6 multi-crafted fragments"; content: "SID: 1607 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101607; sid: 6101607; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft Internet Explorer CTreePos Element Use After Free Vulnerability"; content: "SID: 1608 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101608; sid: 6101608; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft .NET Framework Code Access Information Disclosure"; content: "SID: 1609 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101609; sid: 6101609; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] ICMPv6 Echo Request"; content: "SID: 1610 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; default_proto: icmp; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101610; sid: 6101610; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] ICMPv6 Echo Reply"; content: "SID: 1611 
,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; default_proto: icmp; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101611; sid: 6101611; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] ICMPv6 Destination Unreachable"; content: "SID: 1612 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; default_proto: icmp; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101612; sid: 6101612; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] ICMPv6 Packet Too Big Message"; content: "SID: 1613 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; default_proto: icmp; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101613; sid: 6101613; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] ICMPv6 Time Exceeded Message"; content: "SID: 1614 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; default_proto: icmp; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101614; sid: 6101614; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] ICMPv6 Parameter Problem Message"; content: "SID: 1615 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; default_proto: icmp; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101615; sid: 6101615; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] ICMPv6 Group Membership Query"; content: "SID: 1616 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; default_proto: icmp; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101616; sid: 6101616; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] ICMPv6 Group Membership Report"; content: "SID: 1617 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; default_proto: icmp; 
classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101617; sid: 6101617; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] ICMPv6 Membership Reduction"; content: "SID: 1618 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; default_proto: icmp; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101618; sid: 6101618; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] ICMPv6 Router Solicitation"; content: "SID: 1619 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; default_proto: icmp; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101619; sid: 6101619; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] ICMPv6 Router Advertisement"; content: "SID: 1620 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; default_proto: icmp; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101620; sid: 6101620; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] ICMPv6 Neighbor Solicitation"; content: "SID: 1621 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; default_proto: icmp; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101621; sid: 6101621; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] ICMPv6 Neighbor Advertisement"; content: "SID: 1622 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; default_proto: icmp; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101622; sid: 6101622; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] ICMPv6 Redirect"; content: "SID: 1623 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; default_proto: icmp; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101623; sid: 6101623; rev: 4;) #alert 
any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] ICMPv6 Router Renumbering"; content: "SID: 1624 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; default_proto: icmp; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101624; sid: 6101624; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] ICMPv6 Membership Report V2"; content: "SID: 1625 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; default_proto: icmp; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101625; sid: 6101625; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Large ICMPV6 Traffic"; content: "SID: 1626 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; default_proto: icmp; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101626; sid: 6101626; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Fragmented ICMPv6 Traffic"; content: "SID: 1627 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; default_proto: icmp; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101627; sid: 6101627; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] ICMPv6 Traffic over IPv4"; content: "SID: 1628 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; default_proto: icmp; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101628; sid: 6101628; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] ICMP Traffic over IPv6"; content: "SID: 1629 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; default_proto: icmp; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101629; sid: 6101629; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] ICMPv6 Packet Too Big"; content: "SID: 1630 ,"; parse_src_ip: 1; 
parse_dst_ip: 2; parse_port; program: qdee; default_proto: icmp; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101630; sid: 6101630; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft .NET Framework Reflection Bypass Vulnerability"; content: "SID: 1631 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101631; sid: 6101631; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Unix CUPS HTTP GET Denial Of Service"; content: "SID: 1632 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; default_proto: tcp; default_dst_port: $HTTP_PORT; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101632; sid: 6101632; rev: 5;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Bootpd 2.4.3 Buffer Overflow"; content: "SID: 1635 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101635; sid: 6101635; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Mozilla Firefox 1.0.7 InstallTrigger.Install Remote Code Execution"; content: "SID: 1636 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101636; sid: 6101636; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Mozilla Firefox Javascript Engine Overflow"; content: "SID: 1637 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101637; sid: 6101637; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Mozilla Firefox CSS Layout Memory Corruption"; content: "SID: 1638 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: 
suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101638; sid: 6101638; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft Internet Explorer Use After Free Vulnerability"; content: "SID: 1641 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101641; sid: 6101641; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Windows Kernel-Mode Driver Remote Code Execution"; content: "SID: 1642 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101642; sid: 6101642; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Apple Safari Out of Bounds Access Denial of Service"; content: "SID: 1643 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101643; sid: 6101643; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Metasploit Java Applet Payload Creation"; content: "SID: 1646 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101646; sid: 6101646; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Novell GroupWise Internet Agent RRULE Weekday Parsing Buffer Overflow"; content: "SID: 1653 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101653; sid: 6101653; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] PNG Embedded File Type"; content: "SID: 1654 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101654; sid: 6101654; rev: 4;) #alert any 
$EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Adobe Flash Player ActionScript callMethod Code Execution"; content: "SID: 1664 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101664; sid: 6101664; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Oracle Secure Backup Server Command Execution Vulnerability"; content: "SID: 1671 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101671; sid: 6101671; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft Windows Open Type Font Parsing Vulnerability"; content: "SID: 1681 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101681; sid: 6101681; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft IE Improper Ref Counting Use After Free Vulnerability"; content: "SID: 1683 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101683; sid: 6101683; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] GXV-3000 SIP Phone Eavesdropping Exploit"; content: "SID: 1693 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101693; sid: 6101693; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Xitami Web Server Buffer Overflow"; content: "SID: 1694 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101694; sid: 6101694; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Rlogin Root Access"; content: "SID: 
1695 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101695; sid: 6101695; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Rlogin Guest Access"; content: "SID: 1696 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101696; sid: 6101696; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Rlogin Nobody Access"; content: "SID: 1697 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101697; sid: 6101697; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] IPv6 Hop-by-Hop Options Present"; content: "SID: 1700 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101700; sid: 6101700; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] IPv6 Routing Header Present"; content: "SID: 1702 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101702; sid: 6101702; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] IPv6 Fragmented Traffic"; content: "SID: 1703 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101703; sid: 6101703; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] IPv6 Authentication Header Present"; content: "SID: 1704 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101704; sid: 6101704; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: 
"[CISCO-SDEE] IPv6 ESP Header Present"; content: "SID: 1705 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101705; sid: 6101705; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Invalid IPv6 Header Traffic Class Field"; content: "SID: 1706 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101706; sid: 6101706; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Invalid IPv6 Header Flow Label Field"; content: "SID: 1707 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101707; sid: 6101707; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] IPv6 Header Contains An Invalid Address"; content: "SID: 1708 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101708; sid: 6101708; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft Office Word RTF Document Processing Arbitrary Code Execution Vulnerability"; content: "SID: 1709 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101709; sid: 6101709; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] IPv6 Extensions Headers Out Of Order"; content: "SID: 1710 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101710; sid: 6101710; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Duplicate IPv6 Extension Headers"; content: "SID: 1711 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; 
classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101711; sid: 6101711; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] IPv6 Packet Contains Duplicate Src And Dst Address"; content: "SID: 1712 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101712; sid: 6101712; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] IPv6 Header Contains Multicast Source Address"; content: "SID: 1713 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101713; sid: 6101713; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] IPv6 Address Set To localhost"; content: "SID: 1714 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101714; sid: 6101714; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] IPv6 Options Padding Too Long"; content: "SID: 1716 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101716; sid: 6101716; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Back To Back Padding Options"; content: "SID: 1717 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101717; sid: 6101717; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] IPv6 Option Data Too Short"; content: "SID: 1718 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101718; sid: 6101718; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] IPv6 
Endpoint Identification Option Set"; content: "SID: 1719 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101719; sid: 6101719; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] IPv6 Jumbo Payload Option Set"; content: "SID: 1720 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101720; sid: 6101720; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] IPv6 Router Alert Option Set"; content: "SID: 1721 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101721; sid: 6101721; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] IPv6 Tunnel Encapsulation Limit Option Set"; content: "SID: 1722 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101722; sid: 6101722; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] IPv6 Packet Contains Unassigned Options"; content: "SID: 1723 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101723; sid: 6101723; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] IPv6 Endpoint Identification Option Set"; content: "SID: 1724 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101724; sid: 6101724; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] IPv6 Tunnel Encapsulation Limit Option Set"; content: "SID: 1725 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: 
url,wiki.quadrantsec.com/bin/view/Main/6101725; sid: 6101725; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] IPv6 Invalid Option Set"; content: "SID: 1726 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101726; sid: 6101726; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] IPv6 Router Alert Option Set"; content: "SID: 1727 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101727; sid: 6101727; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] IPv6 Routing Header Type 0"; content: "SID: 1728 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101728; sid: 6101728; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Telnet Failure Log XSS"; content: "SID: 1729 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; default_proto: tcp; default_dst_port: $TELNET_PORT; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101729; sid: 6101729; rev: 5;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] IPv6 Type 1 Routing Header"; content: "SID: 1730 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101730; sid: 6101730; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] IPv6 Type 2 Routing Header"; content: "SID: 1731 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101731; sid: 6101731; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] IPv6 Routing Header Type Unknown Type"; content: "SID: 
1732 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101732; sid: 6101732; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Invalid IPv6 Routing Header Length"; content: "SID: 1733 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101733; sid: 6101733; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] IPv6 Routing Header Incomplete"; content: "SID: 1734 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101734; sid: 6101734; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] IPv6 Routing Header Contains Invalid IP Address"; content: "SID: 1735 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101735; sid: 6101735; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] IPv6 Routing Header Contains A Loop"; content: "SID: 1736 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101736; sid: 6101736; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] IPv6 Routing Header Reserved Bits Set"; content: "SID: 1737 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101737; sid: 6101737; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] IPv6 Unnecessary Fragment Header"; content: "SID: 1738 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101738; sid: 6101738; rev: 4;) 
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] IPv6 Illegal Fragmentation"; content: "SID: 1739 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101739; sid: 6101739; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Small IPv6 Fragments"; content: "SID: 1740 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101740; sid: 6101740; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] IPv6 Fragment Header Reserved Bits Set"; content: "SID: 1741 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101741; sid: 6101741; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] IPv6 No Next Header Option Present"; content: "SID: 1742 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101742; sid: 6101742; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] PHP phpinfo() Cross-Site Scripting Vulnerability"; content: "SID: 1743 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101743; sid: 6101743; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] MySQL Database Privilege Escalation"; content: "SID: 1747 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101747; sid: 6101747; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Peercast Basic Authentication Overflow"; content: "SID: 1749 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; 
classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101749; sid: 6101749; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] PHP zip URL Wrapper Buffer Overflow (HTTP)"; content: "SID: 1755 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; default_proto: tcp; default_dst_port: $HTTP_PORT; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101755; sid: 6101755; rev: 5;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Axigen POP3 Server Remote Format String Attack"; content: "SID: 1756 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101756; sid: 6101756; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] VLC HTTPD Format String Bug"; content: "SID: 1758 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; default_proto: tcp; default_dst_port: $HTTP_PORT; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101758; sid: 6101758; rev: 5;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Sun Solaris RWall Daemon Syslog Format String Vulnerability"; content: "SID: 1760 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101760; sid: 6101760; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] PHP Post File Upload Buffer Overflow"; content: "SID: 1761 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101761; sid: 6101761; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Modbus TCP - Value Scan"; content: "SID: 1762 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; default_proto: tcp; classtype: suspicious-traffic; reference: 
url,wiki.quadrantsec.com/bin/view/Main/6101762; sid: 6101762; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Synergy Clipboard Integer Overflow"; content: "SID: 1773 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101773; sid: 6101773; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] iPlanet Web Admin Server Command Injection"; content: "SID: 1774 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101774; sid: 6101774; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Netware Client Service Buffer Overflow"; content: "SID: 1775 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101775; sid: 6101775; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft IIS 4.0 Information Leaking Vulnerability"; content: "SID: 1777 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101777; sid: 6101777; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft IIS 4.0 Cross Site Scripting Vulnerability"; content: "SID: 1778 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101778; sid: 6101778; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] CVS Server Memory Corruption Vulnerability"; content: "SID: 1780 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101780; sid: 6101780; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] 
Nimda Worm TFTP Request"; content: "SID: 1781 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101781; sid: 6101781; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Computer Associates Total Defense Suite UNCWS SQL Injection"; content: "SID: 1786 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101786; sid: 6101786; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Oracle Java Remote Compiler Option Loading"; content: "SID: 1787 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101787; sid: 6101787; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Tom Sawyer GET Extension Factory ActiveX Remote Code Execution"; content: "SID: 1789 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101789; sid: 6101789; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft System Center Operations Manager Privilege Escalation"; content: "SID: 1790 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101790; sid: 6101790; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] HeapLib Instantiation"; content: "SID: 1791 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101791; sid: 6101791; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Internet Explorer CButton User After Free"; content: "SID: 1792 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: 
qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101792; sid: 6101792; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft .NET Framework OData Services Denial of Service"; content: "SID: 1793 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101793; sid: 6101793; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft XML Core Services Vulnerability"; content: "SID: 1794 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101794; sid: 6101794; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Citrix Streamprocess Buffer Overflow"; content: "SID: 1799 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101799; sid: 6101799; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] RealNetworks RealPlayer URL Parsing Stack Buffer Overflow"; content: "SID: 1801 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101801; sid: 6101801; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Ruby on Rails Remote Code Execution Vulnerability"; content: "SID: 1802 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101802; sid: 6101802; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft Exchange iCal DoS"; content: "SID: 1803 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101803; sid: 6101803; rev: 4;) #alert any 
$EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Java 1.7 Update 10 Remote Code Execution"; content: "SID: 1804 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101804; sid: 6101804; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Cisco ASA 1000v Cloud Firewall H.323 Inspection Denial of Service"; content: "SID: 1807 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101807; sid: 6101807; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Oracle Java Applet Rhino Script Engine Policy Bypass"; content: "SID: 1813 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101813; sid: 6101813; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] x.509 Certificate NULL Byte Name Insertion"; content: "SID: 1814 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101814; sid: 6101814; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] x.509 Certificate Integer Overflow"; content: "SID: 1815 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101815; sid: 6101815; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] IOS IPSLA DoS"; content: "SID: 1819 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101819; sid: 6101819; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Quest Software Big Brother Arbitrary File Deletion and Overwriting"; content: "SID: 1820 ,"; 
parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101820; sid: 6101820; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Squid Gopher Parsing Overflow"; content: "SID: 1822 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101822; sid: 6101822; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] CUPS GIF Parsing Heap Overflow"; content: "SID: 1823 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101823; sid: 6101823; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft .NET XML Signature Syntax and Processing Vulnerability"; content: "SID: 1831 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101831; sid: 6101831; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Citrix XenApp And XenDesktop XML Buffer Overflow"; content: "SID: 1833 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101833; sid: 6101833; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Sunway ForceControl SNMP NetDBServer Buffer Overflow"; content: "SID: 1835 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; default_proto: udp; default_dst_port: $SNMP_PORT; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101835; sid: 6101835; rev: 5;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] HP JetDirect PJL Interface Universal Path Traversal"; content: "SID: 1836 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: 
suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101836; sid: 6101836; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] HTML5 Heap Spray"; content: "SID: 1837 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101837; sid: 6101837; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Wibu-Systems WibuKey Runtime for Windows ActiveX Control Buffer Overflow"; content: "SID: 1838 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101838; sid: 6101838; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Novell eDirectory LDAP Null Search Parameter Overflow"; content: "SID: 1850 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101850; sid: 6101850; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Portable SDK for UPnP Devices Buffer Overflow Vulnerabilities"; content: "SID: 1851 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101851; sid: 6101851; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Ruby On Rails Remote Code Execution"; content: "SID: 1853 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101853; sid: 6101853; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Novell Netware XNFS.NLM Remote Code Execution"; content: "SID: 1855 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101855; sid: 6101855; rev: 4;) #alert any 
$EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft Internet Explorer Remote Code Execution Vulnerability"; content: "SID: 1857 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101857; sid: 6101857; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] HP OmniInet.exe Buffer Overflow Vulnerability"; content: "SID: 1858 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101858; sid: 6101858; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft Internet Explorer Remote Code Execution Vulnerability"; content: "SID: 1862 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101862; sid: 6101862; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Mozilla Firefox nsTreeRange Dangling Pointer Vulnerability"; content: "SID: 1863 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101863; sid: 6101863; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft Internet Explorer Remote Code Execution"; content: "SID: 1864 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101864; sid: 6101864; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Novell GroupWise Internet Agent Buffer Overflow Vulnerability"; content: "SID: 1865 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101865; sid: 6101865; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] 
Mozilla Firefox DOM Insertions Memory Corruption"; content: "SID: 1866 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101866; sid: 6101866; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft Internet Explorer Memory Corruption"; content: "SID: 1867 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101867; sid: 6101867; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft Vector Markup Language Remote Code Execution"; content: "SID: 1868 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101868; sid: 6101868; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Cisco ATA 187 Remote Access Vulnerability"; content: "SID: 1873 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101873; sid: 6101873; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] VoipNow Professional Nsextt Parameter XSS Vulnerability"; content: "SID: 1874 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101874; sid: 6101874; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] WebERP Local File Include Vulnerability"; content: "SID: 1877 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101877; sid: 6101877; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Sun Java Web Console Format String Vulnerability"; content: "SID: 1878 ,"; parse_src_ip: 1; parse_dst_ip: 2; 
parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101878; sid: 6101878; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Elefant CMS ID Parameter Cross Site Scripting Vulnerability"; content: "SID: 1880 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101880; sid: 6101880; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] D-Link DSL-2640B Redpass.Cgi Cross Site Request Forgery Vulnerability"; content: "SID: 1881 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101881; sid: 6101881; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Mozilla Firefox Cross Site Scripting Vulnerability"; content: "SID: 1882 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101882; sid: 6101882; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] JW Player Logo.Link Parameter Cross Site Scripting Vulnerability"; content: "SID: 1883 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101883; sid: 6101883; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] WordPress Count Per Day Plugin Datemin Parameter XSS Vulnerability"; content: "SID: 1885 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101885; sid: 6101885; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] WordPress Wp-ImageZoom File Parameter Remote File Disclosure Vulnerability"; content: "SID: 1886 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; 
program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101886; sid: 6101886; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] InduSoft Web Studio Unauthenticated Insecure Remote Operations"; content: "SID: 1892 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101892; sid: 6101892; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Bitweaver Highlight Parameter Cross Site Scripting Vulnerability"; content: "SID: 1894 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101894; sid: 6101894; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft Internet Explorer Memory Corruption"; content: "SID: 1895 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101895; sid: 6101895; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] XAMPP Cds.Php Cross Site Scripting Vulnerability"; content: "SID: 1896 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101896; sid: 6101896; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Nagios XI VisApi.Php Div Parameter XSS Vulnerability"; content: "SID: 1898 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101898; sid: 6101898; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] MGB Guestbook Index.Php Cross Site Scripting Vulnerability"; content: "SID: 1899 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: 
url,wiki.quadrantsec.com/bin/view/Main/6101899; sid: 6101899; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] WordPress Church_Admin Id Parameter XSS Vulnerability"; content: "SID: 1900 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101900; sid: 6101900; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] JW Player Playerready Cross Site Scripting Vulnerability"; content: "SID: 1904 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101904; sid: 6101904; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Sophos E-Mail Security Virtual Appliance Remote Code Execution Vulnerability"; content: "SID: 1908 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101908; sid: 6101908; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] KindEditor Name Parameter Cross Site Scripting Vulnerability"; content: "SID: 1909 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101909; sid: 6101909; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] WordPress Rich Widget Plugin Arbitrary File Upload Vulnerability"; content: "SID: 1911 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101911; sid: 6101911; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Zenoss ViewDaemonLog Daemon Arbitrary Log File Access Vulnerability"; content: "SID: 1914 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: 
url,wiki.quadrantsec.com/bin/view/Main/6101914; sid: 6101914; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] HP Application Lifecycle Management XGO.ocx Remote Code Execution"; content: "SID: 1920 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101920; sid: 6101920; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] ManageEngine Support Center Plus Cross Site Scripting Vulnerability"; content: "SID: 1922 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101922; sid: 6101922; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] SilverStripe BackURL Parameter URI Redirection Vulnerability"; content: "SID: 1924 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101924; sid: 6101924; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Symphony CMS BluePRINTs URI SQL Injection"; content: "SID: 1925 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101925; sid: 6101925; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] WordPress ABC Test Plugin Id Parameter XSS Vulnerability"; content: "SID: 1926 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101926; sid: 6101926; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] WordPress Crayon Syntax Highlighter Wp_load Remote File Include"; content: "SID: 1927 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: 
url,wiki.quadrantsec.com/bin/view/Main/6101927; sid: 6101927; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Lattice Semiconductor Diamond Programmer Buffer Overflow"; content: "SID: 1928 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101928; sid: 6101928; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Mcrypt Check File Head Stack Based Buffer Overflow"; content: "SID: 1929 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101929; sid: 6101929; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] WordPress Cross Site Request Forgery Vulnerability"; content: "SID: 1930 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101930; sid: 6101930; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] WordPress Newsletter Preview.php File Disclosure Vulnerability"; content: "SID: 1931 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101931; sid: 6101931; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] DocXP Fid Parameter Directory Traversal Vulnerability"; content: "SID: 1933 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101933; sid: 6101933; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft Internet Explorer Memory Corruption"; content: "SID: 1937 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101937; sid: 6101937; rev: 4;) #alert any 
$EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft Internet Explorer Memory Corruption"; content: "SID: 1938 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101938; sid: 6101938; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft Internet Explorer Memory Corruption"; content: "SID: 1939 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101939; sid: 6101939; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft Internet Explore Remote Code Execution"; content: "SID: 1940 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101940; sid: 6101940; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft Internet Explorer Remote Code Execution"; content: "SID: 1941 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101941; sid: 6101941; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft Internet Explorer Cross Site Scripting"; content: "SID: 1942 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101942; sid: 6101942; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Oracle Outside In CorelDRAW File Parser Heap Buffer Overflow"; content: "SID: 1944 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101944; sid: 6101944; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Trend Micro Control Manager Cross Site Request 
Forgery"; content: "SID: 1945 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101945; sid: 6101945; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Apple Safari WebKit SVG Memory Corruption"; content: "SID: 1946 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101946; sid: 6101946; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Adobe Flash Player Buffer Overflow Vulnerability"; content: "SID: 1947 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101947; sid: 6101947; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Internet Explorer Cloned DOM Object Code Execution"; content: "SID: 1949 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101949; sid: 6101949; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Adobe Flash Player Remote Code Execution"; content: "SID: 1950 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101950; sid: 6101950; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Apache DoS"; content: "SID: 1958 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101958; sid: 6101958; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Apple Safari WebKit innerHTML Double Free Memory Corruption"; content: "SID: 1959 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: 
url,wiki.quadrantsec.com/bin/view/Main/6101959; sid: 6101959; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] WINS Service Failed Response Vulnerability"; content: "SID: 1969 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101969; sid: 6101969; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Hewlett-Packard OpenView Network Node Manager Remote Code Execution"; content: "SID: 1972 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101972; sid: 6101972; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft Internet Explorer Remote Code Execution"; content: "SID: 1973 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101973; sid: 6101973; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Novell GroupWise HTTP Interfaces Arbitrary File Retrieval"; content: "SID: 1974 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; default_proto: tcp; default_dst_port: $HTTP_PORT; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101974; sid: 6101974; rev: 5;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] APT1 SSL Certificate"; content: "SID: 1975 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101975; sid: 6101975; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Cisco IOS Zone-based Firewall SIP Denial of Service"; content: "SID: 1976 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101976; sid: 6101976; 
rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Adobe Flash Player Memory Corruption"; content: "SID: 1977 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101977; sid: 6101977; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft Internet Explorer Memory Corruption Vulnerability"; content: "SID: 1978 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101978; sid: 6101978; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft Office Visio Viewer VSD File Type Confusion"; content: "SID: 1981 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101981; sid: 6101981; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft Sharepoint XSS"; content: "SID: 1984 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101984; sid: 6101984; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft Sharepoint XSS"; content: "SID: 1990 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101990; sid: 6101990; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft Internet Explorer Remote Code Execution Vulnerability"; content: "SID: 1993 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101993; sid: 6101993; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft WKSSVC NetpManageIPCConnect Remote Code Execution"; 
content: "SID: 1997 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101997; sid: 6101997; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft Internet Explorer Remote Code Execution"; content: "SID: 1998 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101998; sid: 6101998; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] ICMP Echo Reply"; content: "SID: 2000 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; default_proto: icmp; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6102000; sid: 6102000; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] ICMP Host Unreachable"; content: "SID: 2001 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; default_proto: icmp; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6102001; sid: 6102001; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] ICMP Source Quench"; content: "SID: 2002 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; default_proto: icmp; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6102002; sid: 6102002; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] ICMP Redirect"; content: "SID: 2003 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; default_proto: icmp; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6102003; sid: 6102003; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] ICMP Echo Request"; content: "SID: 2004 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; default_proto: icmp; classtype: suspicious-traffic; reference: 
url,wiki.quadrantsec.com/bin/view/Main/6102004; sid: 6102004; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] ICMP Time Exceeded for a Datagram"; content: "SID: 2005 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; default_proto: icmp; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6102005; sid: 6102005; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] ICMP Parameter Problem on Datagram"; content: "SID: 2006 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; default_proto: icmp; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6102006; sid: 6102006; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] ICMP Timestamp Request"; content: "SID: 2007 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; default_proto: icmp; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6102007; sid: 6102007; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] ICMP Timestamp Reply"; content: "SID: 2008 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; default_proto: icmp; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6102008; sid: 6102008; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] ICMP Information Request"; content: "SID: 2009 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; default_proto: icmp; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6102009; sid: 6102009; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] ICMP Information Reply"; content: "SID: 2010 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; default_proto: icmp; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6102010; sid: 6102010; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any 
(msg: "[CISCO-SDEE] ICMP Address Mask Reply"; content: "SID: 2012 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; default_proto: icmp; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6102012; sid: 6102012; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] 7T IGSS Buffer Overflow"; content: "SID: 2019 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6102019; sid: 6102019; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft Windows SMB PIPE Remote Denial of Service Vulnerability"; content: "SID: 2021 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6102021; sid: 6102021; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Schneider Electric Accutech Manager HTTP Request Processing Buffer Overflow"; content: "SID: 2023 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; default_proto: tcp; default_dst_port: $HTTP_PORT; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6102023; sid: 6102023; rev: 5;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft Internet Explorer Memory Corruption Vulnerability"; content: "SID: 2024 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6102024; sid: 6102024; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft Internet Explorer CCaret Use-After-Free Vulnerability"; content: "SID: 2030 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6102030; sid: 6102030; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: 
"[CISCO-SDEE] Microsoft OneNote Information Disclosure"; content: "SID: 2034 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6102034; sid: 6102034; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft SharePoint Elevation of Privilege"; content: "SID: 2036 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6102036; sid: 6102036; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft Internet Explorer Memory Corruption"; content: "SID: 2038 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6102038; sid: 6102038; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Internet Explorer 8 Memory Corruption Vulnerability"; content: "SID: 2039 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6102039; sid: 6102039; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] ICMP Network Sweep With Echo"; content: "SID: 2100 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; default_proto: icmp; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6102100; sid: 6102100; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] ICMP Network Sweep w/Timestamp"; content: "SID: 2101 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; default_proto: icmp; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6102101; sid: 6102101; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] ICMP Network Sweep w/Address Mask"; content: "SID: 2102 ,"; parse_src_ip: 1; parse_dst_ip: 2; 
parse_port; program: qdee; default_proto: icmp; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6102102; sid: 6102102; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Fragmented ICMP Traffic"; content: "SID: 2150 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; default_proto: icmp; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6102150; sid: 6102150; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Large ICMP Traffic"; content: "SID: 2151 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; default_proto: icmp; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6102151; sid: 6102151; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] ICMP Flood"; content: "SID: 2152 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; default_proto: icmp; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6102152; sid: 6102152; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] ICMP Smurf Attack"; content: "SID: 2153 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; default_proto: icmp; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6102153; sid: 6102153; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Ping of Death Attack"; content: "SID: 2154 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; default_proto: icmp; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6102154; sid: 6102154; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Modem DoS"; content: "SID: 2155 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6102155; sid: 6102155; rev: 4;) #alert any $EXTERNAL_NET any -> 
$HOME_NET any (msg: "[CISCO-SDEE] Nachi Worm ICMP Echo Request"; content: "SID: 2156 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; default_proto: icmp; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6102156; sid: 6102156; rev: 4;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] ICMP Hard Error DoS"; content: "SID: 2157 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; default_proto: icmp; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6102157; sid: 6102157; rev: 4;)
# NOTE(review): sid 6102158 below carries the same msg text as sid 6102156 above ("Nachi Worm ICMP
# Echo Request") while matching a different source signature ("SID: 2158 ," vs "SID: 2156 ,").
# Presumably a copy/paste slip in one of the two msg strings — confirm the intended Cisco signature
# name before enabling; with identical msg text the two alerts are only distinguishable by sid downstream.
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Nachi Worm ICMP Echo Request"; content: "SID: 2158 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; default_proto: icmp; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6102158; sid: 6102158; rev: 4;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] ICMP Destination Unreachable Protocol Unreachable"; content: "SID: 2159 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; default_proto: icmp; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6102159; sid: 6102159; rev: 4;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Invalid IGMP Header DoS"; content: "SID: 2200 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6102200; sid: 6102200; rev: 4;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] IGMP over fragmented IP"; content: "SID: 2201 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6102201; sid: 6102201; rev: 4;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] IGMP Invalid Packet DoS"; content: "SID: 2202 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: 
qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6102202; sid: 6102202; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] TCP Port Sweep"; content: "SID: 3001 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; default_proto: tcp; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103001; sid: 6103001; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] TCP SYN Port Sweep"; content: "SID: 3002 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; default_proto: tcp; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103002; sid: 6103002; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] TCP Frag SYN Port Sweep"; content: "SID: 3003 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; default_proto: tcp; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103003; sid: 6103003; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] TCP FIN Port Sweep"; content: "SID: 3005 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; default_proto: tcp; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103005; sid: 6103005; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] TCP Frag FIN Port Sweep"; content: "SID: 3006 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; default_proto: tcp; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103006; sid: 6103006; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] TCP High Port Sweep"; content: "SID: 3010 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; default_proto: tcp; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103010; sid: 6103010; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET 
any (msg: "[CISCO-SDEE] TCP FIN High Port Sweep"; content: "SID: 3011 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; default_proto: tcp; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103011; sid: 6103011; rev: 4;)
# NOTE(review): sid 6103012 is the only rule in this section with no classtype; every sibling carries
# "classtype: suspicious-traffic;". Presumably an omission — confirm, and add the classtype (bumping
# rev) before the rule is enabled, since alert priority downstream is normally derived from it.
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] TCP Frag FIN High Port Sweep"; content: "SID: 3012 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; default_proto: tcp; reference: url,wiki.quadrantsec.com/bin/view/Main/6103012; sid: 6103012; rev: 4;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] TCP Null Port Sweep"; content: "SID: 3015 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; default_proto: tcp; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103015; sid: 6103015; rev: 4;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] TCP Frag Null Port Sweep"; content: "SID: 3016 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; default_proto: tcp; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103016; sid: 6103016; rev: 4;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] TCP SYN FIN Port Sweep"; content: "SID: 3020 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; default_proto: tcp; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103020; sid: 6103020; rev: 4;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] TCP Frag SYN FIN Port Sweep"; content: "SID: 3021 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; default_proto: tcp; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103021; sid: 6103021; rev: 4;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] TCP SYN Host Sweep"; content: "SID: 3030 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; default_proto: tcp; classtype: 
suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103030; sid: 6103030; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] TCP FRAG SYN Host Sweep"; content: "SID: 3031 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; default_proto: tcp; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103031; sid: 6103031; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] TCP FIN Host Sweep"; content: "SID: 3032 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; default_proto: tcp; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103032; sid: 6103032; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] TCP FRAG FIN Host Sweep"; content: "SID: 3033 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; default_proto: tcp; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103033; sid: 6103033; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] TCP NULL Host Sweep"; content: "SID: 3034 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; default_proto: tcp; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103034; sid: 6103034; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] TCP FRAG NULL Host Sweep"; content: "SID: 3035 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; default_proto: tcp; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103035; sid: 6103035; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] TCP SYN FIN Host Sweep"; content: "SID: 3036 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; default_proto: tcp; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103036; sid: 6103036; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any 
(msg: "[CISCO-SDEE] TCP FRAG SYN FIN Host Sweep"; content: "SID: 3037 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; default_proto: tcp; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103037; sid: 6103037; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Fragmented NULL TCP Packet"; content: "SID: 3038 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; default_proto: tcp; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103038; sid: 6103038; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Fragmented Orphaned FIN packet"; content: "SID: 3039 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103039; sid: 6103039; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] TCP NULL Packet"; content: "SID: 3040 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; default_proto: tcp; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103040; sid: 6103040; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] TCP SYN/FIN Packet"; content: "SID: 3041 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; default_proto: tcp; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103041; sid: 6103041; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Orphaned Fin Packet"; content: "SID: 3042 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103042; sid: 6103042; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Fragmented SYN/FIN Packet"; content: "SID: 3043 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: 
url,wiki.quadrantsec.com/bin/view/Main/6103043; sid: 6103043; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Queso Sweep"; content: "SID: 3045 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103045; sid: 6103045; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] NMAP OS Fingerprint"; content: "SID: 3046 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103046; sid: 6103046; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Half-open SYN Attack"; content: "SID: 3050 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103050; sid: 6103050; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] TCP Connection Window Size RST DoS"; content: "SID: 3051 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; default_proto: tcp; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103051; sid: 6103051; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] UPNP Service Host Sweep"; content: "SID: 3052 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103052; sid: 6103052; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] SMTP RCPT TO: Bounce"; content: "SID: 3100 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103100; sid: 6103100; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Sendmail Invalid Recipient"; content: "SID: 3101 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; 
classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103101; sid: 6103101; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Sendmail Invalid Sender"; content: "SID: 3102 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103102; sid: 6103102; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Sendmail Reconnaissance"; content: "SID: 3103 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103103; sid: 6103103; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Archaic Sendmail Attacks"; content: "SID: 3104 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103104; sid: 6103104; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Sendmail Decode Alias"; content: "SID: 3105 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103105; sid: 6103105; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Mail Spam"; content: "SID: 3106 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103106; sid: 6103106; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Majordomo Execute Attack"; content: "SID: 3107 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103107; sid: 6103107; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] SMTP MIME Content Overflow"; content: "SID: 3108 ,"; parse_src_ip: 1; parse_dst_ip: 2; 
parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103108; sid: 6103108; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Long SMTP Command"; content: "SID: 3109 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103109; sid: 6103109; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Suspicious Mail Attachment"; content: "SID: 3110 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103110; sid: 6103110; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] W32 Sircam Malicious Code"; content: "SID: 3111 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103111; sid: 6103111; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Lotus Domino Mail Loop DoS"; content: "SID: 3112 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103112; sid: 6103112; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Email Attachment with Malicious Payload"; content: "SID: 3113 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103113; sid: 6103113; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] FetchMail Arbitrary Code Execution"; content: "SID: 3114 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103114; sid: 6103114; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Sendmail Data Header 
Overflow"; content: "SID: 3115 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103115; sid: 6103115; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Netbus"; content: "SID: 3116 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103116; sid: 6103116; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] KLEZ Worm"; content: "SID: 3117 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103117; sid: 6103117; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] rwhoisd format string"; content: "SID: 3118 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103118; sid: 6103118; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] WS_FTP STAT Overflow"; content: "SID: 3119 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103119; sid: 6103119; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] ANTS Virus"; content: "SID: 3120 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103120; sid: 6103120; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Vintra MailServer EXPN DoS"; content: "SID: 3121 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103121; sid: 6103121; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] SMTP EXPN root Recon"; 
content: "SID: 3122 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103122; sid: 6103122; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] NetBus Pro Traffic"; content: "SID: 3123 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103123; sid: 6103123; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Sendmail prescan Memory Corruption"; content: "SID: 3124 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103124; sid: 6103124; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Postfix 1.1.12 envelope address DoS"; content: "SID: 3125 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103125; sid: 6103125; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Postfix bounce scan"; content: "SID: 3126 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103126; sid: 6103126; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] SMTP AUTH Brute Force Attempt"; content: "SID: 3127 ,"; xbits: set,brute_force,21600; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103127; sid: 6103127; rev: 5;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Exchange xexch50 overflow"; content: "SID: 3128 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103128; sid: 6103128; rev: 4;) #alert 
any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Mimail Virus C Variant File Attachment"; content: "SID: 3129 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103129; sid: 6103129; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Mimail Virus I Variant File Attachment"; content: "SID: 3130 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103130; sid: 6103130; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Mimail Virus L Variant File Attachment"; content: "SID: 3131 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103131; sid: 6103131; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Novarg / Mydoom Virus Mail Attachment"; content: "SID: 3132 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103132; sid: 6103132; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Novarg / Mydoom Virus Mail Attachment Variant B"; content: "SID: 3133 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103133; sid: 6103133; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] DoomJuice Worm network probe"; content: "SID: 3134 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103134; sid: 6103134; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] MyDoom Virus Activity"; content: "SID: 3135 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; 
classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103135; sid: 6103135; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Netsky Virus Activity"; content: "SID: 3136 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103136; sid: 6103136; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Sober Virus Activity"; content: "SID: 3137 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103137; sid: 6103137; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Bagle.C Virus Email Attachment"; content: "SID: 3138 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103138; sid: 6103138; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Bagle.E Virus Email Attachment"; content: "SID: 3139 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103139; sid: 6103139; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Bagle Virus Activity"; content: "SID: 3140 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103140; sid: 6103140; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Lovgate Worm Activity"; content: "SID: 3141 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103141; sid: 6103141; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Sasser Worm Activity"; content: "SID: 3142 ,"; parse_src_ip: 1; 
parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103142; sid: 6103142; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] BERBEW Trojan Activity"; content: "SID: 3143 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103143; sid: 6103143; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Ratos Worm Activity"; content: "SID: 3144 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103144; sid: 6103144; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] ZAFI Worm Activity"; content: "SID: 3145 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103145; sid: 6103145; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Bropia Worm Activity"; content: "SID: 3146 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103146; sid: 6103146; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] FTP Remote Command Execution"; content: "SID: 3150 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103150; sid: 6103150; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] FTP SYST Command Attempt"; content: "SID: 3151 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103151; sid: 6103151; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] FTP CWD ~root"; content: "SID: 3152 ,"; 
parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103152; sid: 6103152; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] FTP Improper Address Specified"; content: "SID: 3153 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103153; sid: 6103153; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] FTP Improper Port Specified"; content: "SID: 3154 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103154; sid: 6103154; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] FTP RETR Pipe Filename Command Execution"; content: "SID: 3155 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103155; sid: 6103155; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] FTP STOR Pipe Filename Command Execution"; content: "SID: 3156 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103156; sid: 6103156; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] FTP PASV Port Spoof"; content: "SID: 3157 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103157; sid: 6103157; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] FTP SITE EXEC Format String"; content: "SID: 3158 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103158; sid: 6103158; rev: 4;) #alert any $EXTERNAL_NET any -> 
$HOME_NET any (msg: "[CISCO-SDEE] FTP PASS Suspicious Length"; content: "SID: 3159 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103159; sid: 6103159; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Cesar FTP Buffer Overflow"; content: "SID: 3160 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103160; sid: 6103160; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] FTP realpath Buffer Overflow"; content: "SID: 3161 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103161; sid: 6103161; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] glFtpD LIST DoS"; content: "SID: 3162 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103162; sid: 6103162; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] WU-FTPD Heap Corruption"; content: "SID: 3163 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103163; sid: 6103163; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Instant Server Mini Portal Directory Traversal"; content: "SID: 3164 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103164; sid: 6103164; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] FTP SITE EXEC"; content: "SID: 3165 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103165; sid: 
6103165; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] FTP USER Suspicious Length"; content: "SID: 3166 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103166; sid: 6103166; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Format String in FTP username"; content: "SID: 3167 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103167; sid: 6103167; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] FTP SITE EXEC Directory Traversal"; content: "SID: 3168 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103168; sid: 6103168; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] FTP SITE EXEC tar"; content: "SID: 3169 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103169; sid: 6103169; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] WS_FTP SITE CPWD Buffer Overflow"; content: "SID: 3170 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103170; sid: 6103170; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] FTP Priviledged Login"; content: "SID: 3171 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103171; sid: 6103171; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Ftp Cwd Overflow"; content: "SID: 3172 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: 
url,wiki.quadrantsec.com/bin/view/Main/6103172; sid: 6103172; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Long FTP Command"; content: "SID: 3173 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103173; sid: 6103173; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] ProFTPD STAT DoS"; content: "SID: 3175 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103175; sid: 6103175; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Long MDTM Command"; content: "SID: 3177 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103177; sid: 6103177; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Denial Of Service in Microsoft SMS Client"; content: "SID: 3178 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103178; sid: 6103178; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] ftpdchk DOS"; content: "SID: 3179 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103179; sid: 6103179; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] BakBone NetVault Remote Heap Overflow"; content: "SID: 3180 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103180; sid: 6103180; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] dSMTP Mail Server Format String Overflow"; content: "SID: 3181 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: 
qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103181; sid: 6103181; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] WWW Phf Attack"; content: "SID: 3200 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103200; sid: 6103200; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] WWW .url File Requested"; content: "SID: 3202 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103202; sid: 6103202; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] WWW .lnk File Requested"; content: "SID: 3203 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103203; sid: 6103203; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] WWW .bat File Requested"; content: "SID: 3204 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103204; sid: 6103204; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] HTML File Has .url Link"; content: "SID: 3205 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103205; sid: 6103205; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] HTML File Has .lnk Link"; content: "SID: 3206 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103206; sid: 6103206; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] HTML File Has .bat Link"; content: "SID: 3207 ,"; parse_src_ip: 1; parse_dst_ip: 2; 
parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103207; sid: 6103207; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] WWW Campas Attack"; content: "SID: 3208 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103208; sid: 6103208; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] WWW Glimpse Server Attack"; content: "SID: 3209 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103209; sid: 6103209; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] WWW IIS View Source Attack"; content: "SID: 3210 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103210; sid: 6103210; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] WWW IIS Hex View Source Attack"; content: "SID: 3211 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103211; sid: 6103211; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] WWW NPH-TEST-CGI Attack"; content: "SID: 3212 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103212; sid: 6103212; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] WWW TEST-CGI Attack"; content: "SID: 3213 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103213; sid: 6103213; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] IIS DOT DOT VIEW Attack"; content: "SID: 3214 ,"; 
parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103214; sid: 6103214; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] IIS DOT DOT EXECUTE Attack"; content: "SID: 3215 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103215; sid: 6103215; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] WWW Directory Traversal ../.."; content: "SID: 3216 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103216; sid: 6103216; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] WWW php View File Attack"; content: "SID: 3217 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103217; sid: 6103217; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] WWW SGI Wrap Attack"; content: "SID: 3218 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103218; sid: 6103218; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] WWW PHP Buffer Overflow"; content: "SID: 3219 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103219; sid: 6103219; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] IIS Long URL Attack"; content: "SID: 3220 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103220; sid: 6103220; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] WWW 
CGI-Viewsource Attack"; content: "SID: 3221 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103221; sid: 6103221; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] WWW PHP Log Scripts Read Attack"; content: "SID: 3222 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103222; sid: 6103222; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] WWW IRIX cgi-handler Attack"; content: "SID: 3223 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103223; sid: 6103223; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] HTTP WebGais"; content: "SID: 3224 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; default_proto: tcp; default_dst_port: $HTTP_PORT; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103224; sid: 6103224; rev: 5;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] WWW websendmail File Access"; content: "SID: 3225 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103225; sid: 6103225; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] WWW Webdist Bug"; content: "SID: 3226 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103226; sid: 6103226; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] WWW Htmlscript Bug"; content: "SID: 3227 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103227; sid: 6103227; rev: 
4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] WWW Performer Attack"; content: "SID: 3228 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103228; sid: 6103228; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Website Win-C-Sample Buffer Overflow"; content: "SID: 3229 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103229; sid: 6103229; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Website Uploader"; content: "SID: 3230 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103230; sid: 6103230; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Novell Convert Attack"; content: "SID: 3231 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103231; sid: 6103231; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] WWW finger attempt"; content: "SID: 3232 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103232; sid: 6103232; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] WWW count-cgi Overflow"; content: "SID: 3233 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103233; sid: 6103233; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] IE Local Trusted Resource Execution"; content: "SID: 3234 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: 
url,wiki.quadrantsec.com/bin/view/Main/6103234; sid: 6103234; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] showHelp CHM File Execution Weakness"; content: "SID: 3235 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103235; sid: 6103235; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] IIS Path Disclosure"; content: "SID: 3236 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103236; sid: 6103236; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] TCP Hijack"; content: "SID: 3250 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; default_proto: tcp; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103250; sid: 6103250; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] TCP Hijack Simplex Mode"; content: "SID: 3251 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; default_proto: tcp; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103251; sid: 6103251; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft Agent ActiveX Control"; content: "SID: 3252 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103252; sid: 6103252; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] HTTP Request Smuggling"; content: "SID: 3253 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; default_proto: tcp; default_dst_port: $HTTP_PORT; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103253; sid: 6103253; rev: 5;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] XML-RPC PHP Command 
Execution"; content: "SID: 3254 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103254; sid: 6103254; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Apache Long HTTP Header DoS"; content: "SID: 3255 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; default_proto: tcp; default_dst_port: $HTTP_PORT; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103255; sid: 6103255; rev: 5;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] NetBIOS OOB Data"; content: "SID: 3300 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103300; sid: 6103300; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] NETBIOS Stat"; content: "SID: 3301 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103301; sid: 6103301; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] NBT NetBios Session Service Failed Login"; content: "SID: 3302 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103302; sid: 6103302; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] SMB Login successful with Guest Privileges"; content: "SID: 3303 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103303; sid: 6103303; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] SMB NULL login attempt"; content: "SID: 3304 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103304; 
sid: 6103304; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] SMB 95 98 Password File Access"; content: "SID: 3305 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103305; sid: 6103305; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] SMB Remote Registry Access Attempt"; content: "SID: 3306 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103306; sid: 6103306; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Red Button"; content: "SID: 3307 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103307; sid: 6103307; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] SMB Remote Lsarpc Service Access Attempt"; content: "SID: 3308 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103308; sid: 6103308; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] SMB Remote Srvsvc Service Access Attempt"; content: "SID: 3309 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103309; sid: 6103309; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Netbios Enum Share DoS"; content: "SID: 3310 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103310; sid: 6103310; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] SMB Remote SAM Service Access Attempt"; content: "SID: 3311 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; 
classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103311; sid: 6103311; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] SMB .eml email file remote access"; content: "SID: 3312 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103312; sid: 6103312; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] SMB Suspicious Password Usage"; content: "SID: 3313 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103313; sid: 6103313; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Windows Locator Service Overflow"; content: "SID: 3314 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103314; sid: 6103314; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft Windows 9x NetBIOS NULL Name Vulnerability"; content: "SID: 3315 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103315; sid: 6103315; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Project1 DOS"; content: "SID: 3316 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103316; sid: 6103316; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] LSASS DCE RPC Request"; content: "SID: 3317 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103317; sid: 6103317; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] DsRolerUpgradeDownlevelServer Request"; 
content: "SID: 3318 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103318; sid: 6103318; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] DCE RPC Request"; content: "SID: 3319 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103319; sid: 6103319; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] SMB ADMIN Hidden Share Access Attempt"; content: "SID: 3320 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103320; sid: 6103320; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] SMB User Enumeration"; content: "SID: 3321 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103321; sid: 6103321; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] SMB Windows Share Enumeration"; content: "SID: 3322 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103322; sid: 6103322; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] SMB: RFPoison Attack"; content: "SID: 3323 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103323; sid: 6103323; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] SMB NIMDA Infected File Transfer"; content: "SID: 3324 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103324; sid: 6103324; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any 
(msg: "[CISCO-SDEE] Samba call_trans2open Overflow"; content: "SID: 3325 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103325; sid: 6103325; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Windows Startup Folder Remote Access"; content: "SID: 3326 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103326; sid: 6103326; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Windows RPC DCOM Overflow"; content: "SID: 3327 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103327; sid: 6103327; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Windows SMB RPC NoOp Sled"; content: "SID: 3328 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103328; sid: 6103328; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Windows RPCSS Overflow"; content: "SID: 3329 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103329; sid: 6103329; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Windows RPCSS Overflow 2"; content: "SID: 3330 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103330; sid: 6103330; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] UDP MSRPC Messenger Overflow"; content: "SID: 3331 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; default_proto: udp; classtype: suspicious-traffic; reference: 
url,wiki.quadrantsec.com/bin/view/Main/6103331; sid: 6103331; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] TCP MSRPC Messenger Overflow"; content: "SID: 3332 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; default_proto: tcp; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103332; sid: 6103332; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] SMB MSRPC Messenger Overflow"; content: "SID: 3333 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103333; sid: 6103333; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Windows Workstation Service Overflow"; content: "SID: 3334 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103334; sid: 6103334; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Anig Worm File Transfer"; content: "SID: 3335 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103335; sid: 6103335; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Windows ASN.1 Bit String NTLMv2 Integer Overflow"; content: "SID: 3336 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103336; sid: 6103336; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Windows RPC Race Condition Exploitation"; content: "SID: 3337 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103337; sid: 6103337; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Windows LSASS RPC Overflow"; content: 
"SID: 3338 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103338; sid: 6103338; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Windows System32 Directory File Creation"; content: "SID: 3339 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103339; sid: 6103339; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Windows Shell External Handler"; content: "SID: 3340 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103340; sid: 6103340; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Metasploit Activity"; content: "SID: 3341 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103341; sid: 6103341; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Windows NetDDE Overflow"; content: "SID: 3342 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103342; sid: 6103342; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Windows Account Locked"; content: "SID: 3343 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103343; sid: 6103343; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Windows 2000 TCP RPC DoS"; content: "SID: 3344 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; default_proto: tcp; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103344; sid: 6103344; rev: 4;) #alert any $EXTERNAL_NET any 
-> $HOME_NET any (msg: "[CISCO-SDEE] RPC WinNuke"; content: "SID: 3345 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103345; sid: 6103345; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Windows TSShutdn.exe Attempt"; content: "SID: 3346 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103346; sid: 6103346; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Windows ASN.1 Library Bit String Heap Corruption"; content: "SID: 3347 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103347; sid: 6103347; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] NetBIOS Disk Enumerations"; content: "SID: 3348 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103348; sid: 6103348; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] NetBIOS Date And Time Enumerations"; content: "SID: 3349 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103349; sid: 6103349; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] NetBIOS Transport Enumerations"; content: "SID: 3350 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103350; sid: 6103350; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] NetBIOS User Session Enumerations"; content: "SID: 3351 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: 
url,wiki.quadrantsec.com/bin/view/Main/6103351; sid: 6103351; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Samba Fragment Reassembly Overflow"; content: "SID: 3352 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103352; sid: 6103352; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] SMB Request Overflow"; content: "SID: 3353 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103353; sid: 6103353; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Remote Registry Request DoS"; content: "SID: 3356 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103356; sid: 6103356; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Invalid Netbios Name"; content: "SID: 3357 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103357; sid: 6103357; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Sun Kill Telnet DoS"; content: "SID: 3400 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; default_proto: tcp; default_dst_port: $TELNET_PORT; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103400; sid: 6103400; rev: 5;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Telnet-IFS Match"; content: "SID: 3401 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; default_proto: tcp; default_dst_port: $TELNET_PORT; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103401; sid: 6103401; rev: 5;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] BSD Telnet Daemon 
Buffer Overflow"; content: "SID: 3402 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; default_proto: tcp; default_dst_port: $TELNET_PORT; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103402; sid: 6103402; rev: 5;) #alert any $EXTERNAL_NET any -> $HOME_NET $TELNET_PORT (msg: "[CISCO-SDEE] Telnet Excessive Environment Options"; content: "SID: 3403 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; default_proto: tcp; default_dst_port: $TELNET_PORT; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103403; sid: 6103403; rev: 5;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] SysV /bin/login Overflow"; content: "SID: 3404 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103404; sid: 6103404; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Avirt Gateway Proxy Buffer Overflow"; content: "SID: 3405 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103405; sid: 6103405; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Solaris TTYPROMPT Overflow"; content: "SID: 3406 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103406; sid: 6103406; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Telnet Client NEW ENVIRON Option Overflow"; content: "SID: 3407 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; default_proto: tcp; default_dst_port: $TELNET_PORT; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103407; sid: 6103407; rev: 5;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Telnet Client LINEMODE SLC Option Overflow"; content: 
"SID: 3408 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; default_proto: tcp; default_dst_port: $TELNET_PORT; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103408; sid: 6103408; rev: 5;) #alert any $EXTERNAL_NET any -> $HOME_NET $TELNET_PORT (msg: "[CISCO-SDEE] Telnet Over Non-standard Ports"; content: "SID: 3409 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; default_proto: tcp; default_dst_port: $TELNET_PORT: classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103409; sid: 6103409; rev: 5;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Finger Bomb"; content: "SID: 3450 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; default_proto: tcp; default_dst_port: 79; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103450; sid: 6103450; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] BearShare Directory Traversal"; content: "SID: 3451 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103451; sid: 6103451; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Gopherd Halidate Overflow"; content: "SID: 3452 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103452; sid: 6103452; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] MS NetMeeting RDS DoS"; content: "SID: 3453 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103453; sid: 6103453; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Check Point Firewall Information Leak"; content: "SID: 3454 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: 
suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103454; sid: 6103454; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Java Web Server Cmd Exec"; content: "SID: 3455 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103455; sid: 6103455; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Solaris in.fingerd Information Leak"; content: "SID: 3456 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103456; sid: 6103456; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Finger root shell"; content: "SID: 3457 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103457; sid: 6103457; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] AIM game invite overflow"; content: "SID: 3458 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103458; sid: 6103458; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] ValiCert Forms.exe Overflow"; content: "SID: 3459 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103459; sid: 6103459; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Finger probe"; content: "SID: 3461 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103461; sid: 6103461; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Finger Redirect"; content: "SID: 3462 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; 
program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103462; sid: 6103462; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Finger root"; content: "SID: 3463 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103463; sid: 6103463; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] File access in finger"; content: "SID: 3464 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103464; sid: 6103464; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Finger Activity"; content: "SID: 3465 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103465; sid: 6103465; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] RAS/PPTP Malformed Control Packet DOS"; content: "SID: 3466 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103466; sid: 6103466; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Rlogin -froot Attack"; content: "SID: 3500 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103500; sid: 6103500; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Rlogin Long TERM Variable"; content: "SID: 3501 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103501; sid: 6103501; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] rlogin Activity"; content: "SID: 3502 ,"; parse_src_ip: 1; parse_dst_ip: 
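2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103502; sid: 6103502; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] IMAP Authenticate Buffer Overflow"; content: "SID: 3525 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103525; sid: 6103525; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Imap Login Buffer Overflow"; content: "SID: 3526 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103526; sid: 6103526; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] UW imapd Overflows"; content: "SID: 3527 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103527; sid: 6103527; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] IPSwitch IMail DELETE Command Overflow"; content: "SID: 3528 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103528; sid: 6103528; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] IMAP Long EXAMINE Command"; content: "SID: 3529 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103529; sid: 6103529; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Cisco Secure ACS Oversized TACACS+ Attack"; content: "SID: 3530 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103530; sid: 6103530; rev: 4;)
# sid 6103531: "default_dst_port: $TELNET_PORT:" ended the option with a colon instead of the
# semicolon used by every other default_dst_port in this file. Options are ';'-terminated, so the
# following "classtype: suspicious-traffic" would have become part of the default_dst_port value
# and the rule would load without a classtype if re-enabled. Fixed to ';' and rev bumped 5 -> 6.
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Cisco IOS Telnet DoS"; content: "SID: 3531 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; default_proto: tcp; default_dst_port: $TELNET_PORT; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103531; sid: 6103531; rev: 6;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Malformed BGP Open Message"; content: "SID: 3532 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103532; sid: 6103532; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Cisco IOS Misformed BGP Packet DoS"; content: "SID: 3533 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103533; sid: 6103533; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] IMAP Long AUTHENTICATE Command"; content: "SID: 3534 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103534; sid: 6103534; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] MailEnable HTTP Authorization Buffer Overflow"; content: "SID: 3537 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; default_proto: tcp; default_dst_port: $HTTP_PORT; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103537; sid: 6103537; rev: 5;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Cisco Secure ACS CSAdmin Attack"; content: "SID: 3540 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103540; sid: 6103540; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] POP Buffer Overflow"; content: "SID: 3550 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; 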
classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103550; sid: 6103550; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] POP User Root"; content: "SID: 3551 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103551; sid: 6103551; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] INN Buffer Overflow"; content: "SID: 3575 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103575; sid: 6103575; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] INN Control Message Exploit"; content: "SID: 3576 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103576; sid: 6103576; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] IMAP LOGIN Command Invalid Username"; content: "SID: 3577 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103577; sid: 6103577; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] IMAP Format String"; content: "SID: 3578 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103578; sid: 6103578; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] IOS Telnet Buffer Overflow"; content: "SID: 3600 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; default_proto: tcp; default_dst_port: $TELNET_PORT; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103600; sid: 6103600; rev: 5;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] IOS Command History 
Exploit"; content: "SID: 3601 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103601; sid: 6103601; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] IOS Cisco Identification"; content: "SID: 3602 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103602; sid: 6103602; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] IOS Enable Bypass"; content: "SID: 3603 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103603; sid: 6103603; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Cisco Catalyst CR DoS"; content: "SID: 3604 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103604; sid: 6103604; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] SSH RSAREF2 Buffer Overflow"; content: "SID: 3650 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103650; sid: 6103650; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] SSH CRC32 Overflow"; content: "SID: 3651 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103651; sid: 6103651; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] SSH Gobbles"; content: "SID: 3652 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103652; sid: 6103652; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] 
Multiple Rapid SSH Connections"; content: "SID: 3653 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103653; sid: 6103653; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] SSH Gobbles Exploit"; content: "SID: 3654 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103654; sid: 6103654; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] CDE dtspcd Overflow"; content: "SID: 3700 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103700; sid: 6103700; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Oracle 9iAS Web Cache Buffer Overflow"; content: "SID: 3701 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103701; sid: 6103701; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Default sa account access"; content: "SID: 3702 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103702; sid: 6103702; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Squid FTP URL Buffer Overflow"; content: "SID: 3703 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103703; sid: 6103703; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] IIS FTP STAT Denial of Service"; content: "SID: 3704 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103704; sid: 6103704; rev: 4;) #alert 
any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Tivoli Storage Manager Client Acceptor Overflow"; content: "SID: 3705 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103705; sid: 6103705; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] MIT PGP Public Key Server Overflow"; content: "SID: 3706 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103706; sid: 6103706; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Perl fingerd Command Exec"; content: "SID: 3707 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103707; sid: 6103707; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] AnalogX Proxy Socks4a DNS Overflow"; content: "SID: 3708 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; default_proto: udp; default_dst_port: $DNS_PORT; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103708; sid: 6103708; rev: 5;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] AnalogX Proxy Web Proxy Overflow"; content: "SID: 3709 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103709; sid: 6103709; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Cisco Secure ACS Directory Traversal"; content: "SID: 3710 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103710; sid: 6103710; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Informer FW1 Auth Replay DoS"; content: "SID: 3711 ,"; parse_src_ip: 1; 
parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103711; sid: 6103711; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Oracle TNS 'Service_Name' Overflow"; content: "SID: 3714 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103714; sid: 6103714; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] GDI+ JPEG Buffer Overflow"; content: "SID: 3716 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103716; sid: 6103716; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Windows .ANI File DoS"; content: "SID: 3718 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103718; sid: 6103718; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] MSN Messenger PNG Overflow"; content: "SID: 3719 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103719; sid: 6103719; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] MSSQL sa Account Brute Force"; content: "SID: 3720 ,"; xbits: set,brute_force,21600; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103720; sid: 6103720; rev: 5;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] TNS Brute Force"; content: "SID: 3721 ,"; xbits: set,brute_force,21600; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103721; sid: 6103721; rev: 5;) #alert any $EXTERNAL_NET any -> 
$HOME_NET any (msg: "[CISCO-SDEE] Long pop username"; content: "SID: 3728 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103728; sid: 6103728; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Long pop password"; content: "SID: 3729 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103729; sid: 6103729; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Trinoo (TCP)"; content: "SID: 3730 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; default_proto: tcp; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103730; sid: 6103730; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] IMail HTTP Get Buffer Overflow"; content: "SID: 3731 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; default_proto: tcp; default_dst_port: $HTTP_PORT; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103731; sid: 6103731; rev: 5;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] MSSQL xp_cmdshell Usage"; content: "SID: 3732 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103732; sid: 6103732; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Real Server Format Overflow"; content: "SID: 3733 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103733; sid: 6103733; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Cfengine Overflow"; content: "SID: 3734 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: 
url,wiki.quadrantsec.com/bin/view/Main/6103734; sid: 6103734; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] CVS Flag Insertion Overflow"; content: "SID: 3735 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103735; sid: 6103735; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Subversion get-dated-rev overflow"; content: "SID: 3736 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103736; sid: 6103736; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Squid Proxy NTLM Authenticate Overflow"; content: "SID: 3737 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103737; sid: 6103737; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] CVS Argumentx Vulnerability"; content: "SID: 3738 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103738; sid: 6103738; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Nullsoft SHOUTcast Format String Attack"; content: "SID: 3739 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103739; sid: 6103739; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] IMail LDAP Service Buffer Overflow"; content: "SID: 3740 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103740; sid: 6103740; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] mIRC DCC Send Buffer Overflow"; content: "SID: 3782 ,"; 
parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103782; sid: 6103782; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] BrightStor Backup Discovery UDP Probe Overflow"; content: "SID: 3783 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; default_proto: udp; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103783; sid: 6103783; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] BrightStor Discovery Service SERVICEPC Overflow"; content: "SID: 3784 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103784; sid: 6103784; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Oracle 9i XDB FTP UNLOCK Buffer Overflow"; content: "SID: 3785 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103785; sid: 6103785; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Oracle 9i XDB FTP PASS Buffer Overflow"; content: "SID: 3786 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103786; sid: 6103786; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] IRIX Printing System Remote Command Execution"; content: "SID: 3787 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103787; sid: 6103787; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Solaris LPD Remote Command Execution"; content: "SID: 3788 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: 
url,wiki.quadrantsec.com/bin/view/Main/6103788; sid: 6103788; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] DistCC Daemon Command Execution"; content: "SID: 3789 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103789; sid: 6103789; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] HP Openview Omniback II Command Execution"; content: "SID: 3790 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103790; sid: 6103790; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Solaris Printd Unlink File Deletion"; content: "SID: 3791 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103791; sid: 6103791; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Long Telnet Username"; content: "SID: 3792 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; default_proto: tcp; default_dst_port: $TELNET_PORT; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103792; sid: 6103792; rev: 5;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] ZENworks 6.5 Authentication Overflow"; content: "SID: 3793 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103793; sid: 6103793; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Oracle iSQL*PLus Overflow"; content: "SID: 3802 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103802; sid: 6103802; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Apache mod_proxy 
Buffer Overflow"; content: "SID: 3883 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103883; sid: 6103883; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Cfengine Authentication Heap Based Buffer Overflow"; content: "SID: 3884 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103884; sid: 6103884; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] BackOrifice BO2K TCP Stealth 1"; content: "SID: 3991 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; default_proto: tcp; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103991; sid: 6103991; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] UDP Port Sweep"; content: "SID: 4001 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; default_proto: udp; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6104001; sid: 6104001; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] UDP Host Flood"; content: "SID: 4002 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; default_proto: udp; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6104002; sid: 6104002; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Nmap UDP Port Sweep"; content: "SID: 4003 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; default_proto: udp; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6104003; sid: 6104003; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] DNS Flood Attack"; content: "SID: 4004 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; default_proto: udp; default_dst_port: $DNS_PORT; classtype: 
suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6104004; sid: 6104004; rev: 5;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] UDP Bomb"; content: "SID: 4050 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; default_proto: udp; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6104050; sid: 6104050; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] BackOrifice-Original-UDP"; content: "SID: 4053 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; default_proto: udp; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6104053; sid: 6104053; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] RIP Trace"; content: "SID: 4054 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6104054; sid: 6104054; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] NTPd readvar overflow"; content: "SID: 4056 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6104056; sid: 6104056; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] UPnP LOCATION Overflow"; content: "SID: 4058 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6104058; sid: 6104058; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Back Orifice Ping"; content: "SID: 4060 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6104060; sid: 6104060; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Chargen Echo DoS"; content: "SID: 4061 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; 
program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6104061; sid: 6104061; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Cisco CSS 11000 Malformed UDP DoS"; content: "SID: 4062 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; default_proto: udp; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6104062; sid: 6104062; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Unreal Engine secure Overflow"; content: "SID: 4063 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6104063; sid: 6104063; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Malformed IKE Packet DoS"; content: "SID: 4067 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6104067; sid: 6104067; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] DoS NBT Stream"; content: "SID: 4068 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6104068; sid: 6104068; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Tftp Passwd File"; content: "SID: 4100 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6104100; sid: 6104100; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Cisco TFTPD Directory Traversal"; content: "SID: 4101 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6104101; sid: 6104101; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Ascend Denial of Service"; content: 
"SID: 4150 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6104150; sid: 6104150; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] BOBAX Virus Activity"; content: "SID: 4151 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6104151; sid: 6104151; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Generic File Transfer Signatures"; content: "SID: 4322 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6104322; sid: 6104322; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Cisco IOS Embedded SNMP Community Names"; content: "SID: 4500 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; default_proto: udp; default_dst_port: $SNMP_PORT; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6104500; sid: 6104500; rev: 5;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] CVCO/4K Remote Username / Password Retrieve"; content: "SID: 4501 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6104501; sid: 6104501; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] SNMP Community Name Brute Force Attempt"; content: "SID: 4502 ,"; xbits: set,brute_force,21600; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; default_proto: udp; default_dst_port: $SNMP_PORT; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6104502; sid: 6104502; rev: 6;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Windows NT SNMP System Info Retrieve"; content: "SID: 4503 ,"; parse_src_ip: 1; parse_dst_ip: 2; 
parse_port; program: qdee; default_proto: udp; default_dst_port: $SNMP_PORT; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6104503; sid: 6104503; rev: 5;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] SNMP IOS Configuration Retrieval"; content: "SID: 4504 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; default_proto: udp; default_dst_port: $SNMP_PORT; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6104504; sid: 6104504; rev: 5;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] SNMP IOS VACM MIB Access"; content: "SID: 4505 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; default_proto: udp; default_dst_port: $SNMP_PORT; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6104505; sid: 6104505; rev: 5;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] D-Link Wireless SNMP Plain Text Password"; content: "SID: 4506 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; default_proto: udp; default_dst_port: $SNMP_PORT; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6104506; sid: 6104506; rev: 5;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] SNMP Protocol Violation"; content: "SID: 4507 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; default_proto: udp; default_dst_port: $SNMP_PORT; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6104507; sid: 6104507; rev: 5;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Non SNMP Traffic"; content: "SID: 4508 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; default_proto: udp; default_dst_port: $SNMP_PORT; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6104508; sid: 6104508; rev: 5;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] HP Openview SNMP Hidden 
Community Name"; content: "SID: 4509 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; default_proto: udp; default_dst_port: $SNMP_PORT; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6104509; sid: 6104509; rev: 5;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Solaris SNMP Hidden Community Name"; content: "SID: 4510 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; default_proto: udp; default_dst_port: $SNMP_PORT; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6104510; sid: 6104510; rev: 5;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Avaya SNMP Hidden Community Name"; content: "SID: 4511 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; default_proto: udp; default_dst_port: $SNMP_PORT; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6104511; sid: 6104511; rev: 5;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] SNMP Community String Public"; content: "SID: 4512 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; default_proto: udp; default_dst_port: $SNMP_PORT; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6104512; sid: 6104512; rev: 5;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Cisco SNMP Message Processing DoS"; content: "SID: 4513 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; default_proto: udp; default_dst_port: $SNMP_PORT; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6104513; sid: 6104513; rev: 5;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] SNMP Community String Public"; content: "SID: 4514 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; default_proto: udp; default_dst_port: $SNMP_PORT; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6104514; sid: 6104514; 
rev: 5;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Cisco IP/VC Embedded Community Names"; content: "SID: 4515 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6104515; sid: 6104515; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] SNMP Printer Query DoS"; content: "SID: 4516 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; default_proto: udp; default_dst_port: $SNMP_PORT; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6104516; sid: 6104516; rev: 5;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] IOS UDP Bomb"; content: "SID: 4600 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; default_proto: udp; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6104600; sid: 6104600; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] CheckPoint Firewall RDP ByPass"; content: "SID: 4601 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6104601; sid: 6104601; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Beagle (Bagle) Virus DNS Lookup"; content: "SID: 4602 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; default_proto: udp; default_dst_port: $DNS_PORT; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6104602; sid: 6104602; rev: 5;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] DHCP Discover"; content: "SID: 4603 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6104603; sid: 6104603; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] DHCP Request"; content: "SID: 4604 ,"; parse_src_ip: 1; 
parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6104604; sid: 6104604; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] DHCP Offer"; content: "SID: 4605 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6104605; sid: 6104605; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Cisco TFTP Long Filename Buffer Overflow"; content: "SID: 4606 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6104606; sid: 6104606; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Deep Throat Response"; content: "SID: 4607 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6104607; sid: 6104607; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Trinoo (UDP)"; content: "SID: 4608 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; default_proto: udp; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6104608; sid: 6104608; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Orinoco SNMP Info Leak"; content: "SID: 4609 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; default_proto: udp; default_dst_port: $SNMP_PORT; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6104609; sid: 6104609; rev: 5;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Kerberos 4 User Recon"; content: "SID: 4610 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6104610; sid: 6104610; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any 
(msg: "[CISCO-SDEE] D-Link DWL-900AP+ TFTP Config Retrieve"; content: "SID: 4611 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6104611; sid: 6104611; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Cisco IP Phone TFTP Config Retrieve"; content: "SID: 4612 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6104612; sid: 6104612; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] TFTP Filename Buffer Overflow"; content: "SID: 4613 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6104613; sid: 6104613; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] TFTP Overflow"; content: "SID: 4614 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6104614; sid: 6104614; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Beagle.B (Bagle.B) Virus DNS Lookup"; content: "SID: 4615 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; default_proto: udp; default_dst_port: $DNS_PORT; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6104615; sid: 6104615; rev: 5;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] PoPToP PPtP Short Length Overflow"; content: "SID: 4617 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6104617; sid: 6104617; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Invalid DHCP Packet"; content: "SID: 4619 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; 
reference: url,wiki.quadrantsec.com/bin/view/Main/6104619; sid: 6104619; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] DNS Limited Broadcast Query"; content: "SID: 4620 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; default_proto: udp; default_dst_port: $DNS_PORT; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6104620; sid: 6104620; rev: 5;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] MSSQL Resolution Service Stack Overflow"; content: "SID: 4701 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6104701; sid: 6104701; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] MSSQL Resolution Service Heap Overflow"; content: "SID: 4702 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6104702; sid: 6104702; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] MSSQL Resolution Service Stack Overflow"; content: "SID: 4703 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6104703; sid: 6104703; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] MSSQL Resolution Service Heap Overflow"; content: "SID: 4704 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6104704; sid: 6104704; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] WWW IIS newdsn attack"; content: "SID: 5034 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105034; sid: 6105034; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: 
"[CISCO-SDEE] HTTP cgi HylaFAX Faxsurvey"; content: "SID: 5035 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; default_proto: tcp; default_dst_port: $HTTP_PORT: classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105035; sid: 6105035; rev: 5;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] WWW SGI MachineInfo Attack"; content: "SID: 5037 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105037; sid: 6105037; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] WWW wwwsql file read Bug"; content: "SID: 5038 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105038; sid: 6105038; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] WWW finger attempt"; content: "SID: 5039 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105039; sid: 6105039; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] WWW anyform attack"; content: "SID: 5041 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105041; sid: 6105041; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] WWW Webcom.se Guestbook attack"; content: "SID: 5044 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105044; sid: 6105044; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] WWW xterm display attack"; content: "SID: 5045 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: 
url,wiki.quadrantsec.com/bin/view/Main/6105045; sid: 6105045; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] WWW dumpenv.pl recon"; content: "SID: 5046 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105046; sid: 6105046; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] WWW Server Side Include POST attack"; content: "SID: 5047 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105047; sid: 6105047; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] WWW IIS BAT EXE attack"; content: "SID: 5048 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105048; sid: 6105048; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] WWW IIS showcode.asp access"; content: "SID: 5049 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105049; sid: 6105049; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] WWW IIS .htr Overflow Attack"; content: "SID: 5050 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105050; sid: 6105050; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] IIS Double Byte Code Page"; content: "SID: 5051 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105051; sid: 6105051; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] FrontPage Extensions PWD Open Attempt"; content: "SID: 5052 ,"; parse_src_ip: 1; parse_dst_ip: 2; 
parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105052; sid: 6105052; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] FrontPage _vti_bin Directory List Attempt"; content: "SID: 5053 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105053; sid: 6105053; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] WWWBoard Password"; content: "SID: 5054 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105054; sid: 6105054; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] HTTP Basic Authentication Overflow"; content: "SID: 5055 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; default_proto: tcp; default_dst_port: $HTTP_PORT; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105055; sid: 6105055; rev: 5;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] WWW Cisco IOS %% DoS"; content: "SID: 5056 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105056; sid: 6105056; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] WWW Sambar Samples"; content: "SID: 5057 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105057; sid: 6105057; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] WWW info2www Attack"; content: "SID: 5058 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105058; sid: 6105058; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: 
"[CISCO-SDEE] WWW Alibaba Attack"; content: "SID: 5059 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105059; sid: 6105059; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] WWW Excite AT-generate.cgi Access"; content: "SID: 5060 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105060; sid: 6105060; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] WWW catalog_type.asp Access"; content: "SID: 5061 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105061; sid: 6105061; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] WWW classifieds.cgi Attack"; content: "SID: 5062 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105062; sid: 6105062; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] WWW imagemap.cgi Attack"; content: "SID: 5064 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105064; sid: 6105064; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] WWW IRIX infosrch.cgi Attack"; content: "SID: 5065 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105065; sid: 6105065; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] WWW man.sh Access"; content: "SID: 5066 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105066; sid: 6105066; rev: 4;) #alert any 
$EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] WWW plusmail Attack"; content: "SID: 5067 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105067; sid: 6105067; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] WWW formmail.pl Access"; content: "SID: 5068 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105068; sid: 6105068; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] WWW whois_raw.cgi Attack"; content: "SID: 5069 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105069; sid: 6105069; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] WWW msadcs.dll Access"; content: "SID: 5070 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105070; sid: 6105070; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] WWW msacds.dll Attack"; content: "SID: 5071 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105071; sid: 6105071; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] WWW bizdb1-search.cgi Attack"; content: "SID: 5072 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105072; sid: 6105072; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] WWW EZshopper loadpage.cgi Attack"; content: "SID: 5073 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: 
url,wiki.quadrantsec.com/bin/view/Main/6105073; sid: 6105073; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] WWW EZshopper search.cgi Attack"; content: "SID: 5074 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105074; sid: 6105074; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] WWW IIS Virtualized UNC Bug"; content: "SID: 5075 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105075; sid: 6105075; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] WWW webplus bug"; content: "SID: 5076 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105076; sid: 6105076; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] WWW Excite AT-admin.cgi Access"; content: "SID: 5077 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105077; sid: 6105077; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] WWW Piranha passwd attack"; content: "SID: 5078 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105078; sid: 6105078; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] WWW PCCS MySQL Admin Access"; content: "SID: 5079 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105079; sid: 6105079; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] WWW IBM WebSphere Access"; content: "SID: 5080 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: 
qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105080; sid: 6105080; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] WWW WinNT cmd.exe Access"; content: "SID: 5081 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105081; sid: 6105081; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] IE HTML Objects Memory Corruption"; content: "SID: 5082 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105082; sid: 6105082; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] WWW Virtual Vision FTP Browser Access"; content: "SID: 5083 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105083; sid: 6105083; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] WWW Alibaba Attack 2"; content: "SID: 5084 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105084; sid: 6105084; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] WWW IIS Source Fragment Access"; content: "SID: 5085 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105085; sid: 6105085; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] WWW WEBactive Logfile Access"; content: "SID: 5086 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105086; sid: 6105086; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] WWW Sun Java Server Access"; content: 
"SID: 5087 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105087; sid: 6105087; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] WWW Akopia MiniVend Access"; content: "SID: 5088 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105088; sid: 6105088; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] WWW Big Brother Directory Access"; content: "SID: 5089 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105089; sid: 6105089; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] WWW FrontPage htimage.exe Access"; content: "SID: 5090 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105090; sid: 6105090; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] WWW Cart32 Remote Admin Access"; content: "SID: 5091 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105091; sid: 6105091; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] WWW CGI-World Poll It Access"; content: "SID: 5092 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105092; sid: 6105092; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] WWW PHP-Nuke admin.php3 Access"; content: "SID: 5093 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105093; sid: 6105093; rev: 4;) #alert any $EXTERNAL_NET any 
-> $HOME_NET any (msg: "[CISCO-SDEE] WWW CGI Script Center Account Manager Attack"; content: "SID: 5095 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105095; sid: 6105095; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] WWW CGI Script Center Subscribe Me Attack"; content: "SID: 5096 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105096; sid: 6105096; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] WWW FrontPage MS-DOS Device Attack"; content: "SID: 5097 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105097; sid: 6105097; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] WWW GWScripts News Publisher Access"; content: "SID: 5099 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105099; sid: 6105099; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] WWW CGI Center Auction Weaver File Access"; content: "SID: 5100 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105100; sid: 6105100; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] WWW CGI Center Auction Weaver Attack"; content: "SID: 5101 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105101; sid: 6105101; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] WWW phpPhotoAlbum explorer.php Access"; content: "SID: 5102 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; 
classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105102; sid: 6105102; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] WWW SuSE Apache CGI Source Access"; content: "SID: 5103 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105103; sid: 6105103; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] WWW YaBB File Access"; content: "SID: 5104 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105104; sid: 6105104; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] WWW Ranson Johnson mailto.cgi Attack"; content: "SID: 5105 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105105; sid: 6105105; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] WWW Ranson Johnson mailform.pl Access"; content: "SID: 5106 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105106; sid: 6105106; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] WWW Mandrake Linux /perl Access"; content: "SID: 5107 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105107; sid: 6105107; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] WWW Netegrity Site Minder Access"; content: "SID: 5108 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105108; sid: 6105108; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] WWW Sambar Beta search.dll 
Access"; content: "SID: 5109 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105109; sid: 6105109; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] WWW SuSE Installed Packages Access"; content: "SID: 5110 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105110; sid: 6105110; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] WWW Solaris Answerbook 2 Access"; content: "SID: 5111 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105111; sid: 6105111; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] WWW Solaris Answerbook 2 Attack"; content: "SID: 5112 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105112; sid: 6105112; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] WWW CommuniGate Pro Access"; content: "SID: 5113 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105113; sid: 6105113; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] WWW IIS Unicode Attack"; content: "SID: 5114 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105114; sid: 6105114; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Netscape Enterprise Server with ?wp Tags"; content: "SID: 5115 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105115; sid: 6105115; rev: 4;) #alert 
any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Endymion MailMan Remote Command Execution"; content: "SID: 5116 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105116; sid: 6105116; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] phpGroupWare Remote Command Exec"; content: "SID: 5117 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105117; sid: 6105117; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] eWave ServletExec 3.0C File Upload"; content: "SID: 5118 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105118; sid: 6105118; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] CGI Script Center News Update Admin Passwd Change"; content: "SID: 5119 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105119; sid: 6105119; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Netscape Server Suite Buffer Overflow"; content: "SID: 5120 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105120; sid: 6105120; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] iPlanet .shtml Buffer Overflow"; content: "SID: 5121 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105121; sid: 6105121; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Nokia IP440 Denial of Service"; content: "SID: 5122 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: 
qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105122; sid: 6105122; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] WWW IIS Internet Printing Overflow"; content: "SID: 5123 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105123; sid: 6105123; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] IIS CGI Double Decode"; content: "SID: 5124 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105124; sid: 6105124; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] PerlCal Directory Traversal"; content: "SID: 5125 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105125; sid: 6105125; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] WWW IIS .ida Indexing Service Overflow"; content: "SID: 5126 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105126; sid: 6105126; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] WWW viewsrc.cgi Directory Traversal"; content: "SID: 5127 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105127; sid: 6105127; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] WWW nph-maillist.pl Cmd Exec"; content: "SID: 5128 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105128; sid: 6105128; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] IOS HTTP Unauth Command 
Execution"; content: "SID: 5129 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; default_proto: tcp; default_dst_port: $HTTP_PORT; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105129; sid: 6105129; rev: 5;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Bugzilla Privileged Information Disclosure"; content: "SID: 5130 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105130; sid: 6105130; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] talkback.cgi Directory Traversal"; content: "SID: 5131 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105131; sid: 6105131; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] VirusWall catinfo Buffer Overflow"; content: "SID: 5132 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105132; sid: 6105132; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Net.Commerce Macro Path Disclosure"; content: "SID: 5133 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105133; sid: 6105133; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] MacOS PWS DoS"; content: "SID: 5134 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105134; sid: 6105134; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Oracle Application Server Shared Library Overflow"; content: "SID: 5138 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: 
url,wiki.quadrantsec.com/bin/view/Main/6105138; sid: 6105138; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Net.Commerce Macro Denial of Service"; content: "SID: 5140 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105140; sid: 6105140; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] NCM Content.pl SQL Query Vulnerability"; content: "SID: 5141 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105141; sid: 6105141; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] DCShop File Disclosure"; content: "SID: 5142 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105142; sid: 6105142; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] MS-DOS Device Name DoS"; content: "SID: 5146 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105146; sid: 6105146; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Arcadia Internet Store Directory Traversal Attempt"; content: "SID: 5147 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105147; sid: 6105147; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Perception LiteServe Web Server CGI Source Code Disclosure"; content: "SID: 5148 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105148; sid: 6105148; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Trend Micro Interscan Viruswall 
Configuration Modification"; content: "SID: 5149 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105149; sid: 6105149; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] InterScan VirusWall RegGo.dll Buffer Overflow"; content: "SID: 5150 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105150; sid: 6105150; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] WebStore Admin Bypass"; content: "SID: 5151 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105151; sid: 6105151; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] WebStore Command Exec"; content: "SID: 5152 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105152; sid: 6105152; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] WWW uDirectory Directory Traversal"; content: "SID: 5154 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105154; sid: 6105154; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] WWW SiteWare Editor Directory Traversal"; content: "SID: 5155 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105155; sid: 6105155; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] WWW Microsoft fp30reg.dll Overflow"; content: "SID: 5156 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105156; 
sid: 6105156; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Tarantella TTAWebTop.CGI Directory Traversal Bug"; content: "SID: 5157 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105157; sid: 6105157; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] iPlanet Proprietary Method Overflow"; content: "SID: 5158 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105158; sid: 6105158; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] phpMyAdmin Cmd Exec"; content: "SID: 5159 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105159; sid: 6105159; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Apache ? indexing file disclosure bug"; content: "SID: 5160 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105160; sid: 6105160; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] SquirrelMail Command Exec"; content: "SID: 5161 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105161; sid: 6105161; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Active Classifieds Command Exec"; content: "SID: 5162 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105162; sid: 6105162; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Mambo Site Server Administrative Password ByPass"; content: "SID: 5163 ,"; parse_src_ip: 1; parse_dst_ip: 2; 
parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105163; sid: 6105163; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] PHPBB Remote SQL Query Manipulation"; content: "SID: 5164 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105164; sid: 6105164; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] php-nuke article.php sql query"; content: "SID: 5165 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105165; sid: 6105165; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] php-nuke modules.php DoS"; content: "SID: 5166 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105166; sid: 6105166; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] phpMyAdmin Cmd Exec 2"; content: "SID: 5167 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105167; sid: 6105167; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Snapstream PVS Directory Traversal Vulnerability"; content: "SID: 5168 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105168; sid: 6105168; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] SnapStream PVS Plaintext Password Vulnerability"; content: "SID: 5169 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105169; sid: 6105169; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: 
"[CISCO-SDEE] Null Byte In HTTP Request"; content: "SID: 5170 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; default_proto: tcp; default_dst_port: $HTTP_PORT; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105170; sid: 6105170; rev: 5;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] NC-Book book.cgi Cmd Exec"; content: "SID: 5171 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105171; sid: 6105171; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] WinWrapper Admin Server Directory Traversal"; content: "SID: 5172 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105172; sid: 6105172; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Directory Manager Cmd Exec"; content: "SID: 5173 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105173; sid: 6105173; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] phpmyexplorer directory traversal"; content: "SID: 5174 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105174; sid: 6105174; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Hassan Shopping Cart Command Exec"; content: "SID: 5175 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105175; sid: 6105175; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Exchange Address List Disclosure"; content: "SID: 5176 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: 
suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105176; sid: 6105176; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] DoS Arnudp"; content: "SID: 5177 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105177; sid: 6105177; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] MS Index Server File/Path Recon"; content: "SID: 5178 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105178; sid: 6105178; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] PHP-Nuke File Upload"; content: "SID: 5179 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105179; sid: 6105179; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] sgiMerchant Directory Traversal"; content: "SID: 5180 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105180; sid: 6105180; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] MacOS Apache File Disclosure"; content: "SID: 5181 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105181; sid: 6105181; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] WebDiscount's eShop Arbitrary Command Exec"; content: "SID: 5182 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105182; sid: 6105182; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] PHP File Inclusion Remote Exec"; content: "SID: 5183 ,"; 
parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105183; sid: 6105183; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Apache Authentication Module ByPass"; content: "SID: 5184 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105184; sid: 6105184; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] HTTP Tunneling"; content: "SID: 5188 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; default_proto: tcp; default_dst_port: $HTTP_PORT; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105188; sid: 6105188; rev: 5;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Active Perl PerlIS.dll Buffer Overflow"; content: "SID: 5191 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105191; sid: 6105191; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Apache Server .ht File Access"; content: "SID: 5194 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105194; sid: 6105194; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] AS/400 '/' attack"; content: "SID: 5195 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105195; sid: 6105195; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Red Hat Stronghold Recon attack"; content: "SID: 5196 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105196; sid: 6105196; rev: 4;) #alert 
any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Network Query Tool command Exec"; content: "SID: 5197 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105197; sid: 6105197; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] W3Mail Command Exec"; content: "SID: 5199 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105199; sid: 6105199; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] IIS Data Stream Source Disclosure"; content: "SID: 5200 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105200; sid: 6105200; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] PHP-Nuke Cross Site Scripting"; content: "SID: 5201 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105201; sid: 6105201; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] PHP-Nuke File Copy / Delete"; content: "SID: 5202 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105202; sid: 6105202; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Hosting Controller File Access and Upload"; content: "SID: 5203 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105203; sid: 6105203; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] AspUpload Sample Scripts"; content: "SID: 5204 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: 
url,wiki.quadrantsec.com/bin/view/Main/6105204; sid: 6105204; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Apache php.exe File Disclosure"; content: "SID: 5205 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105205; sid: 6105205; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Horde IMP Session Hijack"; content: "SID: 5206 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105206; sid: 6105206; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Entrust GetAccess directory traversal"; content: "SID: 5207 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105207; sid: 6105207; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Network Tools shell metacharacters"; content: "SID: 5208 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105208; sid: 6105208; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Agora.cgi Cross Site Scripting"; content: "SID: 5209 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105209; sid: 6105209; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] FAQManager.cgi directory traversal"; content: "SID: 5210 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105210; sid: 6105210; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] zml.cgi File Disclosure"; content: "SID: 5211 ,"; parse_src_ip: 1; 
parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105211; sid: 6105211; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Bugzilla Admin Authorization Bypass"; content: "SID: 5212 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105212; sid: 6105212; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Bugzilla Command Exec"; content: "SID: 5213 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105213; sid: 6105213; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] FAQManager.cgi null bytes"; content: "SID: 5214 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105214; sid: 6105214; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] lastlines.cgi cmd exec/traversal"; content: "SID: 5215 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105215; sid: 6105215; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] PHP Rocket Directory Traversal"; content: "SID: 5216 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105216; sid: 6105216; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Webmin Directory Traversal"; content: "SID: 5217 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105217; sid: 6105217; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Boozt 
Buffer Overflow"; content: "SID: 5218 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105218; sid: 6105218; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Lotus Domino database DoS"; content: "SID: 5219 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105219; sid: 6105219; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] CSVForm Remote Command Exec"; content: "SID: 5220 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105220; sid: 6105220; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Hosting Controller Directory Traversal"; content: "SID: 5221 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105221; sid: 6105221; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] DoS Beer"; content: "SID: 5222 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105222; sid: 6105222; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Pi3Web Buffer Overflow"; content: "SID: 5223 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105223; sid: 6105223; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] SquirrelMail SquirrelSpell Command Exec"; content: "SID: 5224 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105224; sid: 6105224; rev: 4;) #alert any 
$EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] DCP Portal Root Path Disclosure"; content: "SID: 5229 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105229; sid: 6105229; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Lotus Domino Authentication Bypass"; content: "SID: 5230 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105230; sid: 6105230; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] MRTG Directory Traversal"; content: "SID: 5231 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105231; sid: 6105231; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] URL with XSS"; content: "SID: 5232 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105232; sid: 6105232; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] PHP fileupload Buffer Overflow"; content: "SID: 5233 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105233; sid: 6105233; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] pforum sql-injection"; content: "SID: 5234 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105234; sid: 6105234; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Mac OS X URI Handler Arbitrary Code Execution"; content: "SID: 5235 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: 
url,wiki.quadrantsec.com/bin/view/Main/6105235; sid: 6105235; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Xoops sql-injection"; content: "SID: 5236 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105236; sid: 6105236; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] HTTP CONNECT Tunnel"; content: "SID: 5237 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; default_proto: tcp; default_dst_port: $HTTP_PORT; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105237; sid: 6105237; rev: 5;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] EZNET Ezboard Buffer Overflow"; content: "SID: 5238 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105238; sid: 6105238; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Sambar cgitest.exe Buffer Overflow"; content: "SID: 5239 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105239; sid: 6105239; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Marcus Xenakis Shell Command Exec"; content: "SID: 5240 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105240; sid: 6105240; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Avenger System Command Exec"; content: "SID: 5241 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105241; sid: 6105241; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] CS .cgi Script Cmd Exec"; content: "SID: 5243 ,"; 
parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105243; sid: 6105243; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] PhpSmsSend Command Exec"; content: "SID: 5244 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105244; sid: 6105244; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] HTTP 1.1 Chunked Encoding Transfer"; content: "SID: 5245 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; default_proto: tcp; default_dst_port: $HTTP_PORT; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105245; sid: 6105245; rev: 5;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] IIS ISAPI Filter Buffer Overflow"; content: "SID: 5246 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105246; sid: 6105246; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] IIS ASP SSI Buffer Overflow"; content: "SID: 5247 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105247; sid: 6105247; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] IIS HTR ISAPI Buffer Overflow"; content: "SID: 5248 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105248; sid: 6105248; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Allaire JRun // Directory Disclosure"; content: "SID: 5251 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105251; sid: 6105251; 
rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Allaire JRun Session ID Recon"; content: "SID: 5252 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105252; sid: 6105252; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Axis StorPoint CD Authentication Bypass"; content: "SID: 5253 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105253; sid: 6105253; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Linux Directory traceroute / nslookup Command Exec"; content: "SID: 5255 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105255; sid: 6105255; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Dot Dot Slash in URI"; content: "SID: 5256 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105256; sid: 6105256; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] PHPNetToolpack traceroute Command Exec"; content: "SID: 5257 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105257; sid: 6105257; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Script source disclosure with CodeBrws.asp"; content: "SID: 5258 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105258; sid: 6105258; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Snitz Forums SQL injection"; content: "SID: 5259 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; 
program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105259; sid: 6105259; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Xpede sprc.asp SQL Injection"; content: "SID: 5260 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105260; sid: 6105260; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] BackOffice Server Web Administration Access"; content: "SID: 5261 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105261; sid: 6105261; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Large number of Slashes URL"; content: "SID: 5262 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105262; sid: 6105262; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] ecware.exe Access"; content: "SID: 5263 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105263; sid: 6105263; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] RedHat cachemgr.cgi Access"; content: "SID: 5265 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105265; sid: 6105265; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] iCat Carbo Server File Disclosure"; content: "SID: 5266 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105266; sid: 6105266; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Cisco Catalyst Remote Command 
Execution"; content: "SID: 5268 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105268; sid: 6105268; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] ColdFusion CFDOCS Directory Access"; content: "SID: 5269 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105269; sid: 6105269; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] EZ-Mall order.log File Access"; content: "SID: 5270 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105270; sid: 6105270; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] search.cgi Directory Traversal"; content: "SID: 5271 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105271; sid: 6105271; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] count.cgi GIF File Disclosure"; content: "SID: 5272 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105272; sid: 6105272; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Bannermatic Sensitive File Access"; content: "SID: 5273 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105273; sid: 6105273; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Netpad.cgi Directory Traversal/Cmd Exec"; content: "SID: 5274 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105274; sid: 6105274; 
rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Phorum Remote Cmd Exec"; content: "SID: 5275 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105275; sid: 6105275; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Dansie cart.cgi Vulnerability"; content: "SID: 5276 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105276; sid: 6105276; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] dfire.cgi Command Exec"; content: "SID: 5277 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105277; sid: 6105277; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] VP-ASP shoptest.asp access"; content: "SID: 5278 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105278; sid: 6105278; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] JJ Cgi Cmd Exec"; content: "SID: 5279 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105279; sid: 6105279; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] IIS idq.dll Directory Traversal"; content: "SID: 5280 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105280; sid: 6105280; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Carello add.exe Access"; content: "SID: 5281 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: 
url,wiki.quadrantsec.com/bin/view/Main/6105281; sid: 6105281; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] IIS ExAir advsearch.asp Access"; content: "SID: 5282 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105282; sid: 6105282; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] info2www CGI Directory Traversal"; content: "SID: 5283 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105283; sid: 6105283; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] IIS webhits.dll Directory Traversal"; content: "SID: 5284 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105284; sid: 6105284; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] PHPEventCalendar Cmd Exec"; content: "SID: 5285 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105285; sid: 6105285; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] WebScripts WebBBS Cmd Exec"; content: "SID: 5286 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105286; sid: 6105286; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] SiteServer AdSamples SITE.CSC File Access"; content: "SID: 5287 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105287; sid: 6105287; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Verity search97 Directory Traversal"; content: "SID: 5288 ,"; 
parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105288; sid: 6105288; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] SQLXML ISAPI Buffer Overflow"; content: "SID: 5289 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105289; sid: 6105289; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Apache Tomcat DefaultServlet File Disclosure"; content: "SID: 5290 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105290; sid: 6105290; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] WEB-INF Dot File Disclosure"; content: "SID: 5291 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105291; sid: 6105291; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] SalesCart shop.mdb File Access"; content: "SID: 5292 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105292; sid: 6105292; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] robots.txt File Access"; content: "SID: 5293 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105293; sid: 6105293; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] BearShare File Disclosure"; content: "SID: 5294 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105294; sid: 6105294; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any 
(msg: "[CISCO-SDEE] finger CGI Recon"; content: "SID: 5295 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105295; sid: 6105295; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Netscape Server PageServices Directory Access"; content: "SID: 5296 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105296; sid: 6105296; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] order_log.dat File Access"; content: "SID: 5297 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105297; sid: 6105297; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] shopper.conf File Access"; content: "SID: 5298 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105298; sid: 6105298; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] quikstore.cfg File Access"; content: "SID: 5299 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105299; sid: 6105299; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] reg_echo.cgi Recon"; content: "SID: 5300 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105300; sid: 6105300; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] /consolehelp/ CGI File Access"; content: "SID: 5301 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105301; sid: 6105301; 
rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] /file/ WebLogic File Access"; content: "SID: 5302 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105302; sid: 6105302; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] pfdispaly.cgi Command Execution"; content: "SID: 5303 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105303; sid: 6105303; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] files.pl File Access"; content: "SID: 5304 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105304; sid: 6105304; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] .bash_history File Access"; content: "SID: 5305 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105305; sid: 6105305; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] SoftCart storemgr.pw File Access"; content: "SID: 5306 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105306; sid: 6105306; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Mercantec Softcart Overflow"; content: "SID: 5307 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105307; sid: 6105307; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] rpc-nlog.pl Command Execution"; content: "SID: 5308 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: 
url,wiki.quadrantsec.com/bin/view/Main/6105308; sid: 6105308; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Handler CGI Command Execution"; content: "SID: 5309 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105309; sid: 6105309; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] INDEX / directory access"; content: "SID: 5310 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105310; sid: 6105310; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] 8.3 file name access"; content: "SID: 5311 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105311; sid: 6105311; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] *.jsp/*.jhtml Java Execution"; content: "SID: 5312 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105312; sid: 6105312; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] order.log File Access"; content: "SID: 5313 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105313; sid: 6105313; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] windmail.exe Command Execution"; content: "SID: 5314 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105314; sid: 6105314; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] changedisplay.pl WWWthreads Privilege Elevation"; content: "SID: 5315 ,"; parse_src_ip: 1; parse_dst_ip: 2; 
parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105315; sid: 6105315; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] BadBlue Admin Command Exec"; content: "SID: 5316 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105316; sid: 6105316; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Tivoli Endpoint Buffer Overflow"; content: "SID: 5317 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105317; sid: 6105317; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Tivoli ManagedNode Buffer Overflow"; content: "SID: 5318 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105318; sid: 6105318; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] SoftCart orders Directory Access"; content: "SID: 5319 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105319; sid: 6105319; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] ColdFusion administrator Directory Access"; content: "SID: 5320 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105320; sid: 6105320; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Guest Book CGI access"; content: "SID: 5321 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105321; sid: 6105321; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Long 
HTTP Request"; content: "SID: 5322 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; default_proto: tcp; default_dst_port: $HTTP_PORT; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105322; sid: 6105322; rev: 5;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] midicart.mdb File Access"; content: "SID: 5323 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105323; sid: 6105323; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Cisco IOS Query (?/)"; content: "SID: 5324 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105324; sid: 6105324; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Contivity cgiproc DoS"; content: "SID: 5325 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105325; sid: 6105325; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Root.exe access"; content: "SID: 5326 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105326; sid: 6105326; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Tilde in URI"; content: "SID: 5327 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105327; sid: 6105327; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Cisco IP phone DoS"; content: "SID: 5328 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105328; sid: 6105328; rev: 4;) #alert any $EXTERNAL_NET 
any -> $HOME_NET any (msg: "[CISCO-SDEE] Apache/mod_ssl Worm Probe"; content: "SID: 5329 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105329; sid: 6105329; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Apache/mod_ssl Worm Buffer Overflow"; content: "SID: 5330 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105330; sid: 6105330; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Image Javascript insertion"; content: "SID: 5331 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105331; sid: 6105331; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Wordtrans-web Command Exec"; content: "SID: 5332 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105332; sid: 6105332; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] FUDForum File Disclosure"; content: "SID: 5333 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105333; sid: 6105333; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] DB4Web File Disclosure"; content: "SID: 5334 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105334; sid: 6105334; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] DB4WEB Proxy Scan"; content: "SID: 5335 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105335; 
sid: 6105335; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Abyss Web Server File Disclosure"; content: "SID: 5336 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105336; sid: 6105336; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Dot Dot Slash in HTTP Arguments"; content: "SID: 5337 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; default_proto: tcp; default_dst_port: $HTTP_PORT; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105337; sid: 6105337; rev: 5;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Front Page Admin password retrival"; content: "SID: 5338 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105338; sid: 6105338; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] SunONE Directory Traversal"; content: "SID: 5339 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105339; sid: 6105339; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Killer Protection Credential File Access"; content: "SID: 5340 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105340; sid: 6105340; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] HP Procurve 4000M Switch DoS"; content: "SID: 5341 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105341; sid: 6105341; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Invision Board phpinfo.php Recon"; content: "SID: 5342 ,"; 
parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105342; sid: 6105342; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Apache Host Header Cross Site Scripting"; content: "SID: 5343 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105343; sid: 6105343; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] IIS MDAC RDS Buffer Overflow"; content: "SID: 5344 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105344; sid: 6105344; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] HTTPBench Information Disclosure"; content: "SID: 5345 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; default_proto: tcp; default_dst_port: $HTTP_PORT; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105345; sid: 6105345; rev: 5;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] BadBlue Information Disclosure"; content: "SID: 5346 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105346; sid: 6105346; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Xoops WebChat SQL Injection"; content: "SID: 5347 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105347; sid: 6105347; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Cobalt RaQ Server overflow.cgi Cmd Exec"; content: "SID: 5348 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105348; 
sid: 6105348; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Polycom ViewStation Admin Password"; content: "SID: 5349 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105349; sid: 6105349; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] PHPnuke email attachment access"; content: "SID: 5350 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105350; sid: 6105350; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] MS IE Help Overflow"; content: "SID: 5351 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105351; sid: 6105351; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] H-Sphere Webshell Buffer Overflow"; content: "SID: 5352 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105352; sid: 6105352; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] H-Sphere Webshell 'mode' URI exec"; content: "SID: 5353 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105353; sid: 6105353; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] H-Sphere Webshell 'zipfile' URI exec"; content: "SID: 5354 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105354; sid: 6105354; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] DotBr exec.php3 exec"; content: "SID: 5355 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: 
suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105355; sid: 6105355; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] DotBr system.php3 exec"; content: "SID: 5356 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105356; sid: 6105356; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] IMP SQL Injection"; content: "SID: 5357 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105357; sid: 6105357; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Psunami.CGI Remote Command Execution"; content: "SID: 5358 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105358; sid: 6105358; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Office Scan CGI Scripts Access"; content: "SID: 5359 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105359; sid: 6105359; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] FrontPage htimage.exe Buffer Overflow"; content: "SID: 5360 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105360; sid: 6105360; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] FrontPage dvwssr.dll Buffer Overflow"; content: "SID: 5362 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105362; sid: 6105362; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] FrontPage imagemap.exe Buffer Overflow"; content: 
"SID: 5363 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105363; sid: 6105363; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] IIS WebDAV Overflow"; content: "SID: 5364 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105364; sid: 6105364; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Long WebDAV Request"; content: "SID: 5365 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105365; sid: 6105365; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Shell Code in HTTP URL / Args"; content: "SID: 5366 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; default_proto: tcp; default_dst_port: $HTTP_PORT; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105366; sid: 6105366; rev: 5;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Apache CR LF DoS"; content: "SID: 5367 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105367; sid: 6105367; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Cisco ACS Windows CSAdmin Overflow"; content: "SID: 5368 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105368; sid: 6105368; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Win32 Apache Batch File CmdExec"; content: "SID: 5369 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105369; sid: 6105369; rev: 4;) #alert any 
$EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] HTDig File Disclosure"; content: "SID: 5370 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105370; sid: 6105370; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] bdir.htr Access"; content: "SID: 5371 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105371; sid: 6105371; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] ASP %20 source disclosure"; content: "SID: 5372 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105372; sid: 6105372; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] IIS 5 Translate: f Source Disclosure"; content: "SID: 5373 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105373; sid: 6105373; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] IIS Executable File Command Exec"; content: "SID: 5374 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105374; sid: 6105374; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Apache mod_dav Overflow"; content: "SID: 5375 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105375; sid: 6105375; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] iisPROTECT Admin SQL Injection"; content: "SID: 5376 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: 
url,wiki.quadrantsec.com/bin/view/Main/6105376; sid: 6105376; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] HTTP args to xp_cmdshell in HTTP Request"; content: "SID: 5377 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; default_proto: tcp; default_dst_port: $HTTP_PORT; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105377; sid: 6105377; rev: 5;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Vignette TCL Injection Command Exec"; content: "SID: 5378 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105378; sid: 6105378; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Windows Media Services Logging ISAPI Overflow"; content: "SID: 5379 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105379; sid: 6105379; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] phpBB SQL injection"; content: "SID: 5380 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105380; sid: 6105380; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] VPASP SQL injection"; content: "SID: 5381 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105381; sid: 6105381; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Xpressions SQL Admin Bypass"; content: "SID: 5382 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105382; sid: 6105382; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Cyberstrong eShop SQL 
Injection"; content: "SID: 5383 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105383; sid: 6105383; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] CiscoWorks User Priviledge Modification"; content: "SID: 5385 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105385; sid: 6105385; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] CiscoWorks Command Exec"; content: "SID: 5386 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105386; sid: 6105386; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Kerio MailServer Webmail multiple overflows"; content: "SID: 5388 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105388; sid: 6105388; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] WebAdmin Long User Name Logon Buffer Overflow"; content: "SID: 5389 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105389; sid: 6105389; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Swen Worm HTTP Counter Update Attempt"; content: "SID: 5390 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; default_proto: tcp; default_dst_port: $HTTP_PORT; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105390; sid: 6105390; rev: 5;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] FrontPage Server Extensions Buffer Overflow"; content: "SID: 5391 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: 
suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105391; sid: 6105391; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Internet Explorer XML Object Overflow Type 1"; content: "SID: 5392 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105392; sid: 6105392; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Internet Explorer XML Object Overflow Type 2"; content: "SID: 5393 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105393; sid: 6105393; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Apache mod_gzip Overflow"; content: "SID: 5394 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105394; sid: 6105394; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Cisco ACNS Authentication Library Buffer Overflow"; content: "SID: 5395 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105395; sid: 6105395; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] SiteInteractive Subscribe Me setup.pl Command Exec"; content: "SID: 5397 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105397; sid: 6105397; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] ALT-N MDaemon form2raw.cgi Buffer Overflow"; content: "SID: 5399 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105399; sid: 6105399; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET 
any (msg: "[CISCO-SDEE] Beagle.B (Bagle.B) Web Beacon"; content: "SID: 5400 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105400; sid: 6105400; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Outlook mailto Quote Malformed URI"; content: "SID: 5401 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105401; sid: 6105401; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Internet Explorer URL Spoofing"; content: "SID: 5402 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105402; sid: 6105402; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] OpenSSL SSL OR TLS Malformed Handshake DoS"; content: "SID: 5403 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105403; sid: 6105403; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Internet Explorer Uninitialized Memory Corruption"; content: "SID: 5404 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105404; sid: 6105404; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] IIS nsiislog.dll long argument overflow"; content: "SID: 5405 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105405; sid: 6105405; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Illegal MHTML URL"; content: "SID: 5406 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: 
url,wiki.quadrantsec.com/bin/view/Main/6105406; sid: 6105406; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] IIS PCT Overflow"; content: "SID: 5407 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105407; sid: 6105407; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Windows HCP URI Parsing Script Exec"; content: "SID: 5408 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105408; sid: 6105408; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft HCP Remote Code Execution"; content: "SID: 5409 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105409; sid: 6105409; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] APSIS Pound Remote Format String Overflow"; content: "SID: 5410 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105410; sid: 6105410; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Linksys Http DoS"; content: "SID: 5411 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105411; sid: 6105411; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] AIM Goaway Message Overflow"; content: "SID: 5412 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105412; sid: 6105412; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] WhatsUp Gold Buffer Overflow Vulnerability"; content: "SID: 5413 ,"; parse_src_ip: 1; 
parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105413; sid: 6105413; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft NNTP Heap Overflow Vulnerability"; content: "SID: 5414 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105414; sid: 6105414; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] IE object data remote execution"; content: "SID: 5416 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105416; sid: 6105416; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] IE Object Tag Overflow"; content: "SID: 5417 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105417; sid: 6105417; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] IIS Cross Site Scripting .htw"; content: "SID: 5418 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105418; sid: 6105418; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] IIS Frontpage Path Disclosure"; content: "SID: 5419 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105419; sid: 6105419; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] IIS TRACK Requests"; content: "SID: 5420 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105420; sid: 6105420; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] IIS 
UNC Disclosure"; content: "SID: 5421 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105421; sid: 6105421; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] IIS ISAPI Extension Enumeration"; content: "SID: 5422 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105422; sid: 6105422; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] IIS ism.dll Access"; content: "SID: 5423 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105423; sid: 6105423; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] IE HRAlign Buffer Overflow"; content: "SID: 5424 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105424; sid: 6105424; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Internet Explorer IFRAME Tag Overflow"; content: "SID: 5425 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105425; sid: 6105425; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Netscape NSS SSLv2 Hello Message Overflow"; content: "SID: 5426 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105426; sid: 6105426; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Apache Space Character DoS"; content: "SID: 5427 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105427; sid: 6105427; rev: 4;) 
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Cisco CNS Registrar DoS"; content: "SID: 5428 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105428; sid: 6105428; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] WINS Replication Protocol Buffer Overflow"; content: "SID: 5429 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105429; sid: 6105429; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Darwin Streaming Server DoS"; content: "SID: 5430 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105430; sid: 6105430; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] IIS W3Who Vulnerabilties"; content: "SID: 5431 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105431; sid: 6105431; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Script Embedded in HTTP Header"; content: "SID: 5432 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; default_proto: tcp; default_dst_port: $HTTP_PORT; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105432; sid: 6105432; rev: 5;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Jabberd Username Overflow"; content: "SID: 5433 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105433; sid: 6105433; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Veritas Backup Exec Registration Request Overflow"; content: "SID: 5434 ,"; parse_src_ip: 1; parse_dst_ip: 2; 
parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105434; sid: 6105434; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Crystal Reports Remote Code Execution"; content: "SID: 5435 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105435; sid: 6105435; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] RXBot Activity"; content: "SID: 5436 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105436; sid: 6105436; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] phpBB highlight parameter"; content: "SID: 5437 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105437; sid: 6105437; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Cisco IOS Call Processing Solutions DoS"; content: "SID: 5438 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105438; sid: 6105438; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft Loadimage API Overflow"; content: "SID: 5439 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105439; sid: 6105439; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] IRC Bot Activity"; content: "SID: 5440 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105440; sid: 6105440; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Windows Help File Overflow 
Vulnerability"; content: "SID: 5441 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105441; sid: 6105441; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Cursor/Icon File Format Buffer Overflow"; content: "SID: 5442 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105442; sid: 6105442; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft ActiveX Help Control"; content: "SID: 5443 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105443; sid: 6105443; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] MySQL MaxDB WebAgent logon Buffer Overflow"; content: "SID: 5444 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105444; sid: 6105444; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] AWStats configdir Command Exec"; content: "SID: 5445 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105445; sid: 6105445; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Internet Explorer Install Engine Overflow"; content: "SID: 5446 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105446; sid: 6105446; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] VB.aw Trojan/Back Door"; content: "SID: 5447 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105447; 
sid: 6105447; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Blaster Worm"; content: "SID: 5448 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105448; sid: 6105448; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Massacre Virus Attachment"; content: "SID: 5449 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105449; sid: 6105449; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Love Letter Worm Attachment"; content: "SID: 5450 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105450; sid: 6105450; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] IIS WebDAV DoS"; content: "SID: 5451 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105451; sid: 6105451; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Office XP URL Processing Buffer Overflow"; content: "SID: 5452 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105452; sid: 6105452; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] AWStats Plugin Command Exec"; content: "SID: 5453 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105453; sid: 6105453; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Exim SPA Authentication Buffer Overflow"; content: "SID: 5454 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; 
reference: url,wiki.quadrantsec.com/bin/view/Main/6105454; sid: 6105454; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Arkeia Type 77 Request Buffer Overflow"; content: "SID: 5455 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105455; sid: 6105455; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Internet Explorer 5 ie5filex Exploit"; content: "SID: 5456 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105456; sid: 6105456; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] WU-FTPD DoS"; content: "SID: 5457 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105457; sid: 6105457; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] WebConnect MS-DOS Device Name DoS"; content: "SID: 5458 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105458; sid: 6105458; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] WebConnect Directory Traversal Vulnerability"; content: "SID: 5459 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105459; sid: 6105459; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] phpMyAdmin phpmyadmin.css.php File Disclosure"; content: "SID: 5460 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105460; sid: 6105460; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] BadBlue MFCISAPICommand Buffer Overflow"; 
content: "SID: 5461 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105461; sid: 6105461; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] phpBB Authentication Bypass"; content: "SID: 5462 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105462; sid: 6105462; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Computer Associates License Software GETCONFIG Buffer Overflow"; content: "SID: 5463 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105463; sid: 6105463; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Computer Associates License Suite Network Buffer Overflow"; content: "SID: 5464 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105464; sid: 6105464; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Computer Associates License Suite Checksum Buffer Overflow"; content: "SID: 5465 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105465; sid: 6105465; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Computer Associates License Suite PUTOLF Buffer Overflow"; content: "SID: 5466 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105466; sid: 6105466; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Computer Associates License Suite PUTOLF Directory Traversal"; content: "SID: 5467 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; 
program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105467; sid: 6105467; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Computer Associates License Suite Invalid Command Overflow"; content: "SID: 5468 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105468; sid: 6105468; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] TrackerCam PHP Argument Overflow"; content: "SID: 5469 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105469; sid: 6105469; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] SafeNet Sentinel Buffer Overflow"; content: "SID: 5471 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105471; sid: 6105471; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] IE Sysimage Handler Local Executable Reference"; content: "SID: 5472 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105472; sid: 6105472; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Java JNLP File Command Injection"; content: "SID: 5473 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105473; sid: 6105473; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] SQL Query in HTTP Request"; content: "SID: 5474 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; default_proto: tcp; default_dst_port: $HTTP_PORT; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105474; sid: 6105474; 
rev: 5;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] BrightStor ARCserve Backup Universal Agent Overflow"; content: "SID: 5475 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105475; sid: 6105475; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] HTML Application Execution"; content: "SID: 5476 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105476; sid: 6105476; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Possible Heap Payload Construction"; content: "SID: 5477 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105477; sid: 6105477; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft Exchange SMTP Overflow"; content: "SID: 5478 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105478; sid: 6105478; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] MySQL MaxDB WebDAV Lock-Token Overflow"; content: "SID: 5479 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105479; sid: 6105479; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] MySQL MaxDB WebDAV If Header Overflow"; content: "SID: 5480 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105480; sid: 6105480; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] MySQL MaxDB WebDBM Overflow"; content: "SID: 5481 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; 
program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105481; sid: 6105481; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft SQL Server Login Overflow"; content: "SID: 5482 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105482; sid: 6105482; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] IE Content Advisor Buffer Overflow"; content: "SID: 5483 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105483; sid: 6105483; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Sambar Server Search Overflow"; content: "SID: 5484 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105484; sid: 6105484; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] ISS PAM.dll ICQ Parser Buffer Overflow"; content: "SID: 5485 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105485; sid: 6105485; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Apple File Service LoginExt Overflow"; content: "SID: 5486 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105486; sid: 6105486; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] IA WebMail Buffer Overflow"; content: "SID: 5487 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105487; sid: 6105487; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] 
Icecast Server HTTP Header Buffer Overflow"; content: "SID: 5488 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; default_proto: tcp; default_dst_port: $HTTP_PORT; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105488; sid: 6105488; rev: 5;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] MyTOB Virus Activity"; content: "SID: 5489 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105489; sid: 6105489; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Firefox JavaScript IFRAME Exploitation"; content: "SID: 5490 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105490; sid: 6105490; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Firefox JavaScript Install Trigger Function"; content: "SID: 5491 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105491; sid: 6105491; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Wurmark Virus Activity"; content: "SID: 5492 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105492; sid: 6105492; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Llsrpc Bind"; content: "SID: 5493 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105493; sid: 6105493; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Webview Script Injection"; content: "SID: 5494 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: 
url,wiki.quadrantsec.com/bin/view/Main/6105494; sid: 6105494; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] LDAP Active Directory Stack Overflow"; content: "SID: 5495 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105495; sid: 6105495; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] License Logging Service Overflow"; content: "SID: 5496 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105496; sid: 6105496; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] SMTP BDAT Vulnerability"; content: "SID: 5497 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105497; sid: 6105497; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Media Player IE Zone Bypass"; content: "SID: 5498 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105498; sid: 6105498; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] HTML Link in Object Tag in IE"; content: "SID: 5499 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105499; sid: 6105499; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] IE .asp File Execution"; content: "SID: 5500 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105500; sid: 6105500; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] IE ActiveX ADODB Stream"; content: "SID: 5501 ,"; parse_src_ip: 1; parse_dst_ip: 2; 
parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105501; sid: 6105501; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Llssrv RPC Activity"; content: "SID: 5502 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105502; sid: 6105502; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Object Creation In IE Local Zone"; content: "SID: 5503 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105503; sid: 6105503; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] BrightStor Backup Discovery UDP Probe Overflow"; content: "SID: 5504 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; default_proto: udp; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105504; sid: 6105504; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] RIP Trace"; content: "SID: 5505 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105505; sid: 6105505; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Back Orifice Ping"; content: "SID: 5506 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105506; sid: 6105506; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Unreal Engine /secure/ Overflow"; content: "SID: 5507 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105507; sid: 6105507; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Malformed IKE 
Packet DoS"; content: "SID: 5508 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105508; sid: 6105508; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Tftp Passwd File"; content: "SID: 5509 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105509; sid: 6105509; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Cisco TFTPD Directory Traversal"; content: "SID: 5510 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105510; sid: 6105510; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Ascend Denial of Service"; content: "SID: 5511 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105511; sid: 6105511; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Cisco SNMP Message Processing DoS"; content: "SID: 5512 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; default_proto: udp; default_dst_port: $SNMP_PORT; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105512; sid: 6105512; rev: 5;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] SNMP Community String Public"; content: "SID: 5513 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; default_proto: udp; default_dst_port: $SNMP_PORT; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105513; sid: 6105513; rev: 5;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Cisco IP VC Embedded Community Names"; content: "SID: 5514 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; 
reference: url,wiki.quadrantsec.com/bin/view/Main/6105514; sid: 6105514; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] IE DHTML Edit Control"; content: "SID: 5515 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105515; sid: 6105515; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] FTP Wildcard DoS"; content: "SID: 5516 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105516; sid: 6105516; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] AnswerBook2 Format String"; content: "SID: 5517 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105517; sid: 6105517; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Quake Server Connect DoS"; content: "SID: 5518 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105518; sid: 6105518; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] IE Popup Blocker Bypass"; content: "SID: 5519 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105519; sid: 6105519; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] XEXCH50 Command Usage"; content: "SID: 5520 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105520; sid: 6105520; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Nested Array Sort Loop DoS"; content: "SID: 5521 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; 
classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105521; sid: 6105521; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Jet Database Engine Shell Command Injection"; content: "SID: 5523 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105523; sid: 6105523; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Font Tag Split"; content: "SID: 5524 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105524; sid: 6105524; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Outlook Express Overflow"; content: "SID: 5525 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105525; sid: 6105525; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Telnet Environment Option Information Disclosure"; content: "SID: 5526 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; default_proto: tcp; default_dst_port: $TELNET_PORT; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105526; sid: 6105526; rev: 5;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] IIS Index HTW Cross Site Scripting"; content: "SID: 5527 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105527; sid: 6105527; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] IIS5 SEARCH overflow"; content: "SID: 5528 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105528; sid: 6105528; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any 
(msg: "[CISCO-SDEE] CheckPoint Firewall RDP ByPass"; content: "SID: 5529 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105529; sid: 6105529; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] DHCP Discover"; content: "SID: 5530 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105530; sid: 6105530; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] IE Status Bar Spoof"; content: "SID: 5531 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105531; sid: 6105531; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Back Door Deltasource"; content: "SID: 5532 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105532; sid: 6105532; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Back Door Remote Boot Tool"; content: "SID: 5533 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105533; sid: 6105533; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] KaZaA UDP Client Probe"; content: "SID: 5534 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; default_proto: udp; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105534; sid: 6105534; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Overnet Client Scan"; content: "SID: 5535 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105535; sid: 6105535; rev: 4;) #alert 
any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Gnutella File Search"; content: "SID: 5536 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105536; sid: 6105536; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] ICQ Client DNS Request"; content: "SID: 5537 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; default_proto: udp; default_dst_port: $DNS_PORT; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105537; sid: 6105537; rev: 5;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] AIM Client DNS request"; content: "SID: 5538 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; default_proto: udp; default_dst_port: $DNS_PORT; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105538; sid: 6105538; rev: 5;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Yahoo Messenger Client DNS Request"; content: "SID: 5539 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; default_proto: udp; default_dst_port: $DNS_PORT; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105539; sid: 6105539; rev: 5;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] MSN Messenger Client DNS Request"; content: "SID: 5540 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; default_proto: udp; default_dst_port: $DNS_PORT; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105540; sid: 6105540; rev: 5;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Modem DoS"; content: "SID: 5541 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105541; sid: 6105541; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] 
PingTunnel ICMP Tunneling"; content: "SID: 5543 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; default_proto: icmp; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105543; sid: 6105543; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Back Door Blaaaaa"; content: "SID: 5544 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105544; sid: 6105544; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] HTTP Request Smuggling Attempt"; content: "SID: 5545 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; default_proto: tcp; default_dst_port: $HTTP_PORT; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105545; sid: 6105545; rev: 5;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Internet Key Exchange DoS"; content: "SID: 5546 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105546; sid: 6105546; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] SMB File Name Overflow"; content: "SID: 5547 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105547; sid: 6105547; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Veritas Backup Exec Windows Remote Agent Password Overflow"; content: "SID: 5548 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105548; sid: 6105548; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Evolution Message Size Overflow"; content: "SID: 5549 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; 
reference: url,wiki.quadrantsec.com/bin/view/Main/6105549; sid: 6105549; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Outlook Web Access Cross Site Scripting Vulnerability"; content: "SID: 5551 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105551; sid: 6105551; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Windows Media Player Skin File Code Execution Vulnerability"; content: "SID: 5552 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105552; sid: 6105552; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Finger and cFinger Double Star User List Search"; content: "SID: 5553 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105553; sid: 6105553; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] IE Object Tag Overflow Runtime Script Exploit"; content: "SID: 5554 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105554; sid: 6105554; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Cisco ONS Telnet DOS"; content: "SID: 5555 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; default_proto: tcp; default_dst_port: $TELNET_PORT; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105555; sid: 6105555; rev: 5;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Javaprxy.dll Heap Overflow"; content: "SID: 5556 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105556; sid: 6105556; rev: 4;) #alert any 
$EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Windows ICC Color Management Module Vulnerability"; content: "SID: 5557 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105557; sid: 6105557; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Webcart Command Injection"; content: "SID: 5558 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105558; sid: 6105558; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] FTP Format String"; content: "SID: 5559 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105559; sid: 6105559; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] MailEnable IMAP Overflow"; content: "SID: 5560 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105560; sid: 6105560; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Windows SMTP Overflow"; content: "SID: 5561 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105561; sid: 6105561; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Qpopper Overflow"; content: "SID: 5562 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105562; sid: 6105562; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] ARCserve Backup MS-SQL Overflow"; content: "SID: 5564 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: 
url,wiki.quadrantsec.com/bin/view/Main/6105564; sid: 6105564; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Print Spooler Service Overflow"; content: "SID: 5565 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105565; sid: 6105565; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Potential IE Cross Frame Scripting"; content: "SID: 5566 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105566; sid: 6105566; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Veritas Backup Exec Remote Registry Access"; content: "SID: 5567 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105567; sid: 6105567; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Veritas Backup Exec Agent Remote File Access"; content: "SID: 5568 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105568; sid: 6105568; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] MDaemon Imap Authentication Overflow"; content: "SID: 5569 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105569; sid: 6105569; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] ZOTOB Worm Activity"; content: "SID: 5570 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105570; sid: 6105570; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] RBOT.CBQ Worm Activity"; content: "SID: 5571 ,"; 
parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105571; sid: 6105571; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Design Tools Diagram Surface ActiveX Control"; content: "SID: 5572 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105572; sid: 6105572; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Novell eDirectory Server iMonitor Buffer Overflow"; content: "SID: 5573 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105573; sid: 6105573; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] OpenView Network Node Manager Command Injection"; content: "SID: 5574 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105574; sid: 6105574; rev: 4;) ##alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] NBT NetBIOS Session Service Failed Login"; content: "SID: 5575 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105575; sid: 6105575; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] NBT NetBIOS Session Failed Login - Brute Force [5/3]"; content: "SID: 5575 ,"; xbits: set,brute_force,21600; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; after: track by_src, count 5, seconds 300; threshold: type limit, track by_src, count 3, seconds 300; fwsam: src, 1 day; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6107002; sid: 6107002; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] SMB Login successful with Guest 
Privileges"; content: "SID: 5576 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105576; sid: 6105576; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] SMB NULL login attempt"; content: "SID: 5577 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105577; sid: 6105577; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] SMB 95 98 Password File Access"; content: "SID: 5578 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105578; sid: 6105578; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] SMB Remote Registry Access Attempt"; content: "SID: 5579 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105579; sid: 6105579; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] SMB Remote Lsarpc Service Access Attempt"; content: "SID: 5580 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105580; sid: 6105580; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] SMB Remote Srvsvc Service Access Attempt"; content: "SID: 5581 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105581; sid: 6105581; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] NetBIOS Enum Share DoS"; content: "SID: 5582 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105582; sid: 6105582; rev: 
6;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] SMB Remote SAM Service Access Attempt"; content: "SID: 5583 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105583; sid: 6105583; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] SMB .eml email file remote access"; content: "SID: 5584 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105584; sid: 6105584; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] SMB Suspicious Password Usage"; content: "SID: 5585 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105585; sid: 6105585; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Windows Locator Service Overflow"; content: "SID: 5586 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105586; sid: 6105586; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft Windows 9x NetBIOS NULL Name Vulnerability"; content: "SID: 5587 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105587; sid: 6105587; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Windows DCOM Overflow"; content: "SID: 5588 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105588; sid: 6105588; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] SMB ADMIN Hidden Share Access Attempt"; content: "SID: 5589 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: 
qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105589; sid: 6105589; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] SMB User Enumeration"; content: "SID: 5590 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105590; sid: 6105590; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] SMB Windows Share Enumeration"; content: "SID: 5591 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105591; sid: 6105591; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] SMB RFPoison Attack"; content: "SID: 5592 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105592; sid: 6105592; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] SMB NIMDA Infected File Transfer"; content: "SID: 5593 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105593; sid: 6105593; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Samba call_trans2open Overflow"; content: "SID: 5594 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105594; sid: 6105594; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Windows Startup Folder Remote Access"; content: "SID: 5595 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105595; sid: 6105595; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Windows SMB/RPC NoOp Sled"; content: "SID: 
5596 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105596; sid: 6105596; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] SMB MSRPC Messenger Overflow"; content: "SID: 5597 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105597; sid: 6105597; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Windows Workstation Service Overflow"; content: "SID: 5598 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105598; sid: 6105598; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Anig Worm File Transfer"; content: "SID: 5599 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105599; sid: 6105599; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Windows ASN.1 Bit String NTLMv2 Integer Overflow"; content: "SID: 5600 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105600; sid: 6105600; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Windows LSASS RPC Overflow"; content: "SID: 5601 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105601; sid: 6105601; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Windows System32 Directory File Access"; content: "SID: 5602 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105602; sid: 6105602; rev: 4;) #alert any 
$EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] MSRPC Protocol violation"; content: "SID: 5603 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105603; sid: 6105603; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Windows Account Locked"; content: "SID: 5605 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105605; sid: 6105605; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] SMB Authorization Failure"; content: "SID: 5606 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105606; sid: 6105606; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Network Supervisor Directory Traversal Vulnerability"; content: "SID: 5608 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105608; sid: 6105608; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] IE COM Object Memory Corruption Vulnerability"; content: "SID: 5609 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105609; sid: 6105609; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Cacti Graph_Image.PHP Remote Command Execution Vulnerability"; content: "SID: 5610 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105610; sid: 6105610; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] WordPress Cookie cache_lastpostdate Overflow"; content: "SID: 5611 ,"; parse_src_ip: 1; parse_dst_ip: 2; 
parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105611; sid: 6105611; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] DNP3 - Unsolicited Response Storm"; content: "SID: 5612 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105612; sid: 6105612; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] DNP3 - Cold Restart Request"; content: "SID: 5613 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105613; sid: 6105613; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] DNP3 - Disable Unsolicited Responses"; content: "SID: 5614 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105614; sid: 6105614; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] DNP3 - Read Request to a PLC"; content: "SID: 5615 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105615; sid: 6105615; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] DNP3 - Stop Application"; content: "SID: 5616 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105616; sid: 6105616; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] DNP3 - Warm Restart"; content: "SID: 5617 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105617; sid: 6105617; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] DNP3 - Broadcast 
Request"; content: "SID: 5618 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105618; sid: 6105618; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Non-DNP3 Communication on a DNP3 Port"; content: "SID: 5619 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105619; sid: 6105619; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] DNP3 - Write Request to a PLC"; content: "SID: 5620 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105620; sid: 6105620; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] DNP3 - Miscellaneous Request to a PLC"; content: "SID: 5621 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105621; sid: 6105621; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Modbus TCP - Force Listen Only Mode"; content: "SID: 5622 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; default_proto: tcp; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105622; sid: 6105622; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Modbus TCP - Restart Communications Option"; content: "SID: 5623 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; default_proto: tcp; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105623; sid: 6105623; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Modbus TCP - Clear Counters and Diagnostic Registers"; content: "SID: 5624 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; default_proto: tcp; classtype: 
suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105624; sid: 6105624; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Modbus TCP - Read Device Identification"; content: "SID: 5625 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; default_proto: tcp; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105625; sid: 6105625; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Modbus TCP - Report Server Information"; content: "SID: 5626 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; default_proto: tcp; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105626; sid: 6105626; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Modbus TCP - Illegal Packet Size"; content: "SID: 5627 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; default_proto: tcp; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105627; sid: 6105627; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Modbus Slave Device Busy Exception Code Delay"; content: "SID: 5628 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105628; sid: 6105628; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Modbus Acknowledge Exception Code Delay"; content: "SID: 5629 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105629; sid: 6105629; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Modbus TCP - Read Request to a PLC"; content: "SID: 5630 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; default_proto: tcp; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105630; sid: 
6105630; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Modbus TCP - Write Request to a PLC"; content: "SID: 5631 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; default_proto: tcp; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105631; sid: 6105631; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Modbus TCP - Non-Modbus Communication"; content: "SID: 5632 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; default_proto: tcp; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105632; sid: 6105632; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] .HTR Source View"; content: "SID: 5633 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105633; sid: 6105633; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Barracuda Spam Firewall Command Execution"; content: "SID: 5634 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105634; sid: 6105634; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Plug and Play Overflow"; content: "SID: 5635 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105635; sid: 6105635; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] vBulletin Template PHP Code Injection Vulnerability"; content: "SID: 5636 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105636; sid: 6105636; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Internet Explorer FTP Download Path Traversal"; content: "SID: 5637 ,"; 
parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105637; sid: 6105637; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] PHP Command Injection"; content: "SID: 5638 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105638; sid: 6105638; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Web View Script Injection Vulnerability"; content: "SID: 5639 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105639; sid: 6105639; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] XML Race Condition in Internet Explorer"; content: "SID: 5640 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105640; sid: 6105640; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] MS DTC DoS"; content: "SID: 5641 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105641; sid: 6105641; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] DirectShow Overflow"; content: "SID: 5642 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105642; sid: 6105642; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Sox WAV File Overflow"; content: "SID: 5643 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105643; sid: 6105643; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Client 
Service for NetWare Overflow"; content: "SID: 5644 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105644; sid: 6105644; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] SSH URI Handler"; content: "SID: 5645 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105645; sid: 6105645; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Gatekeeper Overflow"; content: "SID: 5646 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105646; sid: 6105646; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Savant Webserver Request Overflow"; content: "SID: 5647 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105647; sid: 6105647; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Tomcat Denial of Service Attack"; content: "SID: 5648 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105648; sid: 6105648; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] ESignal Remote Buffer Overflow"; content: "SID: 5649 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105649; sid: 6105649; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Finjan SurfinGate FHTTP Restart Command Execution"; content: "SID: 5650 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; default_proto: tcp; default_dst_port: $HTTP_PORT; classtype: suspicious-traffic; reference: 
url,wiki.quadrantsec.com/bin/view/Main/6105650; sid: 6105650; rev: 5;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Helix Server DoS"; content: "SID: 5651 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105651; sid: 6105651; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] FTP Directory Traversal"; content: "SID: 5652 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105652; sid: 6105652; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Cisco WLSE/HSE Default Username"; content: "SID: 5653 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105653; sid: 6105653; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] FTP Root Drive Access Attempt"; content: "SID: 5654 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105654; sid: 6105654; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Cobalt RaQ Cross Site Scripting Vulnerability"; content: "SID: 5655 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105655; sid: 6105655; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Oracle TNS Listener DoS"; content: "SID: 5656 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105656; sid: 6105656; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] AMLServer Local Path Disclosure"; content: "SID: 5657 ,"; parse_src_ip: 1; parse_dst_ip: 2; 
parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105657; sid: 6105657; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Apache Tomcat JSP Engine DoS"; content: "SID: 5658 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105658; sid: 6105658; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] VMWare GSX Server Authentication Server Overflow"; content: "SID: 5659 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105659; sid: 6105659; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] SquirrelMail Email Header Script Injection"; content: "SID: 5660 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105660; sid: 6105660; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Long HTTP Request"; content: "SID: 5661 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; default_proto: tcp; default_dst_port: $HTTP_PORT; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105661; sid: 6105661; rev: 5;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] HTTP POST Content-Type Overflow"; content: "SID: 5662 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; default_proto: tcp; default_dst_port: $HTTP_PORT; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105662; sid: 6105662; rev: 5;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] NoOp Sled On HTTPS Port"; content: "SID: 5663 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; default_proto: tcp; default_dst_port: $HTTPS_PORT; classtype: suspicious-traffic; 
reference: url,wiki.quadrantsec.com/bin/view/Main/6105663; sid: 6105663; rev: 5;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Apache Tomcat Null Byte File Disclosure"; content: "SID: 5664 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105664; sid: 6105664; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Ultimate PHP Board Code Execution "; content: "SID: 5665 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105665; sid: 6105665; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Unix chetcpasswd.cgi File Disclosure Vulnerability"; content: "SID: 5666 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105666; sid: 6105666; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Site Searcher Arbitrary Code Execution"; content: "SID: 5667 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105667; sid: 6105667; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Unauthenticated FTP Connection"; content: "SID: 5668 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105668; sid: 6105668; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Arkeia Type 74 Request Overflow"; content: "SID: 5669 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105669; sid: 6105669; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] IMAP Select Excessive 
Length"; content: "SID: 5671 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105671; sid: 6105671; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Computer Associates Message Queuing Buffer Overflow"; content: "SID: 5672 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105672; sid: 6105672; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] NetBackup Format String"; content: "SID: 5673 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105673; sid: 6105673; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Snort Back Orifice Preprocessor Overflow"; content: "SID: 5674 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105674; sid: 6105674; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] HP-UX LPD Command Execution"; content: "SID: 5675 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105675; sid: 6105675; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] News Manager Lite Authentication Bypass"; content: "SID: 5676 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105676; sid: 6105676; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Helix Universal Server Overflow"; content: "SID: 5677 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105677; 
sid: 6105677; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] AWStats Plugin Log Access"; content: "SID: 5678 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105678; sid: 6105678; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Oracle TNS Listener Denial Of Service"; content: "SID: 5679 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105679; sid: 6105679; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Apache Line Feed DoS"; content: "SID: 5680 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105680; sid: 6105680; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] ISC DHCP Daemon Buffer Overflow"; content: "SID: 5681 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105681; sid: 6105681; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Vista Feed Headlines Gadget Remote Code Execution"; content: "SID: 5683 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105683; sid: 6105683; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Malformed SIP Packet"; content: "SID: 5684 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105684; sid: 6105684; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] WebBBS Command Execution Vulnerability"; content: "SID: 5685 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; 
classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105685; sid: 6105685; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Long POPPASSWD String Overflow"; content: "SID: 5686 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105686; sid: 6105686; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] IE Frame Cross Zone Scripting"; content: "SID: 5687 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105687; sid: 6105687; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] RSA WebAgent Redirect Overflow"; content: "SID: 5688 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105688; sid: 6105688; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] MSSQL Resolution Service Keep-Alive DoS"; content: "SID: 5689 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105689; sid: 6105689; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Macromedia Flash Overflow"; content: "SID: 5692 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105692; sid: 6105692; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Metafile Buffer Overflow"; content: "SID: 5693 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105693; sid: 6105693; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Enhanced Metafile Buffer Overflow"; 
content: "SID: 5694 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105694; sid: 6105694; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Enhanced Metafile DoS"; content: "SID: 5695 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105695; sid: 6105695; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Midi Decoder Overflow"; content: "SID: 5696 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105696; sid: 6105696; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Script in Email Body"; content: "SID: 5697 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105697; sid: 6105697; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] LanMan DoS"; content: "SID: 5698 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105698; sid: 6105698; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] SalesLogix File Upload Vulnerability"; content: "SID: 5699 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105699; sid: 6105699; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] PHP cURL Arbitrary File Access"; content: "SID: 5700 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105700; sid: 6105700; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: 
"[CISCO-SDEE] Oracle Soap Request"; content: "SID: 5701 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105701; sid: 6105701; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Video Surveillance IP Gateway Encoder/Decoder Telnet Authentication Vulnerability"; content: "SID: 5703 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; default_proto: tcp; default_dst_port: $TELNET_PORT; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105703; sid: 6105703; rev: 5;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] iPlanet Web Server Remote Root Command Execution"; content: "SID: 5705 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105705; sid: 6105705; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Persistent Content in a Dynamic Webpage"; content: "SID: 5706 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105706; sid: 6105706; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] SWAT Pre-Authentication Buffer Overflow"; content: "SID: 5708 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105708; sid: 6105708; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Eicar Standard Anti-Virus Test File"; content: "SID: 5710 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105710; sid: 6105710; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Malformed URL"; content: "SID: 5711 ,"; parse_src_ip: 1; parse_dst_ip: 
2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105711; sid: 6105711; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Zip File Name Overflow"; content: "SID: 5713 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105713; sid: 6105713; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] GKrellM Buffer Overflow"; content: "SID: 5714 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105714; sid: 6105714; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] SAP Internet Transaction Server Information Disclosure"; content: "SID: 5715 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105715; sid: 6105715; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] IOS Stack Group Bidding Protocol DoS"; content: "SID: 5716 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105716; sid: 6105716; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Ipswitch SMTP Format String"; content: "SID: 5717 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105717; sid: 6105717; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] VERITAS NetBackup Volume Manager Daemon Buffer Overflow"; content: "SID: 5718 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105718; sid: 6105718; rev: 4;) #alert any $EXTERNAL_NET any -> 
$HOME_NET any (msg: "[CISCO-SDEE] Lyris ListManager SQL Command Injection"; content: "SID: 5720 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105720; sid: 6105720; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Google Appliance ProxyStyleSheet Command Execution"; content: "SID: 5722 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105722; sid: 6105722; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft IIS .dll DoS"; content: "SID: 5723 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105723; sid: 6105723; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Nikto Scan"; content: "SID: 5724 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105724; sid: 6105724; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Novell NMAP Agent Buffer Overflow"; content: "SID: 5725 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105725; sid: 6105725; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Active Directory Failed Login"; content: "SID: 5726 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105726; sid: 6105726; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Cisco VPN 3000 Concentrator HTTP Attack Vulnerability"; content: "SID: 5727 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; default_proto: tcp; default_dst_port: 
$HTTP_PORT; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105727; sid: 6105727; rev: 5;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Windows IGMP DoS"; content: "SID: 5728 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105728; sid: 6105728; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Windows Media Player Browser Plug-in Overflow"; content: "SID: 5729 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105729; sid: 6105729; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Winamp Playlist File Handling Buffer Overflow"; content: "SID: 5730 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105730; sid: 6105730; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Windows Media Player BMP Processing Vulnerability"; content: "SID: 5731 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105731; sid: 6105731; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Web Client Remote Code Execution Vulnerability"; content: "SID: 5732 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105732; sid: 6105732; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Long HTTP Header Hostname"; content: "SID: 5733 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; default_proto: tcp; default_dst_port: $HTTP_PORT; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105733; sid: 6105733; rev: 
5;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] IE isComponentInstalled() Overflow"; content: "SID: 5734 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105734; sid: 6105734; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Macromedia Flash Player ActionDefineFunction Code Execution"; content: "SID: 5735 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105735; sid: 6105735; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] WinVNC Client Buffer Overflow"; content: "SID: 5736 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105736; sid: 6105736; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Internet Explorer Action Handlers Overflow"; content: "SID: 5737 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105737; sid: 6105737; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Windows ACS Registry Access"; content: "SID: 5738 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105738; sid: 6105738; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Active Directory Failed Login"; content: "SID: 5739 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105739; sid: 6105739; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Kerio Personal Firewall Remote Authentication Buffer Overflow"; content: "SID: 5740 ,"; parse_src_ip: 1; 
parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105740; sid: 6105740; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] PeerCast Buffer Overflow"; content: "SID: 5743 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105743; sid: 6105743; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] IMAP Login DoS"; content: "SID: 5744 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105744; sid: 6105744; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] FTP REST command"; content: "SID: 5745 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105745; sid: 6105745; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] FTP ALLO command"; content: "SID: 5746 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105746; sid: 6105746; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] MDAC Function Remote Code Execution"; content: "SID: 5747 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105747; sid: 6105747; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Non-SMTP Session Start"; content: "SID: 5748 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105748; sid: 6105748; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Internet Explorer Double Byte Character 
Parsing"; content: "SID: 5749 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105749; sid: 6105749; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] WLSE Cross Site Scripting"; content: "SID: 5750 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105750; sid: 6105750; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Ultr@VNC Client Overflow"; content: "SID: 5751 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105751; sid: 6105751; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Sybase EAServer Overflow"; content: "SID: 5752 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105752; sid: 6105752; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Office Mailto Handler Vulnerability"; content: "SID: 5753 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105753; sid: 6105753; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] PAJAX Remote Code Execution Vulnerability"; content: "SID: 5754 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105754; sid: 6105754; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Embedded TCP Connection Relay"; content: "SID: 5756 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; default_proto: tcp; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105756; sid: 6105756; 
rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft Exchange Server Cross-Site Scripting"; content: "SID: 5757 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105757; sid: 6105757; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Bomberclone Buffer Overflow"; content: "SID: 5758 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105758; sid: 6105758; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] VNC Authentication Bypass"; content: "SID: 5759 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105759; sid: 6105759; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Novell GroupWise Messenger Accept-Language Value Overflow"; content: "SID: 5760 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105760; sid: 6105760; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Ultr@VNC Server Overflow"; content: "SID: 5761 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105761; sid: 6105761; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Wireless Control System Cross Server Site Scripting"; content: "SID: 5763 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105763; sid: 6105763; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] ShixxNOTE Font Buffer Overflow"; content: "SID: 5764 ,"; parse_src_ip: 1; parse_dst_ip: 2; 
parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105764; sid: 6105764; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Horde Help Viewer Remote Code Execution"; content: "SID: 5765 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105765; sid: 6105765; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] DNS Resolution Response Code Execution"; content: "SID: 5766 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; default_proto: udp; default_dst_port: $DNS_PORT; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105766; sid: 6105766; rev: 5;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] FreeSSHd Key Exchange Overflow"; content: "SID: 5767 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105767; sid: 6105767; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Warez Activity"; content: "SID: 5768 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105768; sid: 6105768; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Malformed HTTP Request"; content: "SID: 5769 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; default_proto: tcp; default_dst_port: $HTTP_PORT; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105769; sid: 6105769; rev: 5;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Cisco Secure ACS XSS"; content: "SID: 5770 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105770; sid: 6105770; rev: 
4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Winny Activity"; content: "SID: 5771 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105771; sid: 6105771; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] ASP.NET Information Disclosure Vulnerability"; content: "SID: 5772 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105772; sid: 6105772; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Simple PHP Blog Unauthorized File Access"; content: "SID: 5773 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105773; sid: 6105773; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Windows Media Player PNG Processing Remote Code Execution"; content: "SID: 5774 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105774; sid: 6105774; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] MHTML Redirection"; content: "SID: 5775 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105775; sid: 6105775; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Routing and Remote Access Service Code Execution"; content: "SID: 5776 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105776; sid: 6105776; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Mozilla Favicon Code Execution"; content: "SID: 5777 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; 
program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105777; sid: 6105777; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Windows Uplddrvinfo.htm File Deletion Vulnerability"; content: "SID: 5778 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105778; sid: 6105778; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] ICCP COTP Connection Request"; content: "SID: 5779 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105779; sid: 6105779; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] ICCP COTP Connection Established"; content: "SID: 5780 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105780; sid: 6105780; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] ICCP Client Association"; content: "SID: 5781 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105781; sid: 6105781; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] ICCP MMS Write Request Attempt"; content: "SID: 5782 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105782; sid: 6105782; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] ICCP MMS Write Request Succeeded"; content: "SID: 5783 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105783; sid: 6105783; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] ICCP 
COTP Address Unknown Disconnect"; content: "SID: 5784 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105784; sid: 6105784; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] ICCP COTP Protocol Error Disconnect"; content: "SID: 5785 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105785; sid: 6105785; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] ICCP Invalid OSI SSEL"; content: "SID: 5786 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105786; sid: 6105786; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] ICCP Invalid OSI PSEL"; content: "SID: 5787 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105787; sid: 6105787; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] ICCP Invalid TPKT Protocol"; content: "SID: 5788 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105788; sid: 6105788; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] HTTP Tunnel Client Activity"; content: "SID: 5789 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; default_proto: tcp; default_dst_port: $HTTP_PORT; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105789; sid: 6105789; rev: 5;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] CS-MARS JBoss Vulnerability"; content: "SID: 5790 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: 
url,wiki.quadrantsec.com/bin/view/Main/6105790; sid: 6105790; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Excel Hyperlink Object Library Buffer Overflow"; content: "SID: 5792 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105792; sid: 6105792; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] SMB Server Driver Remote Execution"; content: "SID: 5793 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105793; sid: 6105793; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Routing and Remote Access Service RASMAN Registry Stack Overflow"; content: "SID: 5794 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105794; sid: 6105794; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] DHCP Option Overflow Code Execution"; content: "SID: 5795 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105795; sid: 6105795; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Cisco IOS HTTP Unauthorized Command Execution"; content: "SID: 5796 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; default_proto: tcp; default_dst_port: $HTTP_PORT; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105796; sid: 6105796; rev: 5;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Exchange Calendar DoS"; content: "SID: 5797 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105797; sid: 6105797; rev: 4;) #alert any $EXTERNAL_NET any -> 
$HOME_NET any (msg: "[CISCO-SDEE] Mambo PHP sbp File Inclusion Vulnerability"; content: "SID: 5798 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105798; sid: 6105798; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Server Service Code Execution"; content: "SID: 5799 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105799; sid: 6105799; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] HTTP Large Content-Type"; content: "SID: 5800 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; default_proto: tcp; default_dst_port: $HTTP_PORT; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105800; sid: 6105800; rev: 5;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Quicktime JPEG Code Execution Overflow"; content: "SID: 5801 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105801; sid: 6105801; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] MHTML URI Buffer Overflow"; content: "SID: 5802 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105802; sid: 6105802; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Sygate Login Servlet SQL Injection"; content: "SID: 5803 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105803; sid: 6105803; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] VPN3000 Concentrator Unauthenticated FTP Access"; content: "SID: 5804 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; 
program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105804; sid: 6105804; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] VPN3000 Concentrator FTP RMD Execution"; content: "SID: 5805 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105805; sid: 6105805; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Winny P2P Connection Activity"; content: "SID: 5806 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105806; sid: 6105806; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Indexing Service Cross Site Scripting Vulnerability"; content: "SID: 5807 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105807; sid: 6105807; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] DCERPC Authentication DoS"; content: "SID: 5809 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105809; sid: 6105809; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] SecureCRT SSH1 Buffer Overflow"; content: "SID: 5810 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105810; sid: 6105810; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Cisco IPS SSL DOS Vulnerability"; content: "SID: 5812 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105812; sid: 6105812; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] 
Microsoft Internet Explorer Vector Markup Language Vulnerability"; content: "SID: 5813 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105813; sid: 6105813; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Step-by-Step Interactive Training Remote Code Execution"; content: "SID: 5814 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105814; sid: 6105814; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] WebViewFolderIcon setSlice() Overflow"; content: "SID: 5815 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105815; sid: 6105815; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] TOR Client Activity"; content: "SID: 5816 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105816; sid: 6105816; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] ASP .NET Cross Site Scripting"; content: "SID: 5817 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105817; sid: 6105817; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Metasploit Shellcode Encoder"; content: "SID: 5818 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105818; sid: 6105818; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Long FTP XCRC XSHA1 XMD5 Command"; content: "SID: 5819 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: 
url,wiki.quadrantsec.com/bin/view/Main/6105819; sid: 6105819; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Symantec AntiVirus and Client Security Buffer Overflow"; content: "SID: 5820 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105820; sid: 6105820; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] DirectAnimation ActiveX Memory Corruption"; content: "SID: 5821 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105821; sid: 6105821; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Workstation Service Memory Corruption Vulnerability"; content: "SID: 5822 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105822; sid: 6105822; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] McAfee Epolicy Overflow"; content: "SID: 5823 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105823; sid: 6105823; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] HTTP Header DoS"; content: "SID: 5824 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; default_proto: tcp; default_dst_port: $HTTP_PORT; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105824; sid: 6105824; rev: 5;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] SIP Malformed Invite Packet"; content: "SID: 5825 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105825; sid: 6105825; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] 
EIQ ESA Topology Delete Device Overflow"; content: "SID: 5826 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105826; sid: 6105826; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Internet Explorer ActiveX Control Arbitrary Code Execution"; content: "SID: 5827 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105827; sid: 6105827; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Apache Server Side Cross Site Scripting"; content: "SID: 5828 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105828; sid: 6105828; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Invalid SSL Packet"; content: "SID: 5829 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105829; sid: 6105829; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Cisco Secure Access Control Server HTTP Request Overflow"; content: "SID: 5830 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; default_proto: tcp; default_dst_port: $HTTP_PORT; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105830; sid: 6105830; rev: 5;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Cisco Secure Access Control Server RADIUS Accounting Request Vulnerability"; content: "SID: 5831 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105831; sid: 6105831; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] IOS Crafted IP Option Vulnerability"; content: "SID: 5832 ,"; 
parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105832; sid: 6105832; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Quicktime RTSP URL Vulnerability"; content: "SID: 5833 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105833; sid: 6105833; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Cisco IOS SIP DoS Vulnerability"; content: "SID: 5835 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105835; sid: 6105835; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Malformed TCP packet"; content: "SID: 5837 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; default_proto: tcp; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105837; sid: 6105837; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] IOS NAM SNMP Traffic"; content: "SID: 5838 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; default_proto: udp; default_dst_port: $SNMP_PORT; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105838; sid: 6105838; rev: 5;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Internet Explorer FTP Server Response Code Execution"; content: "SID: 5839 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105839; sid: 6105839; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Internet Explorer CLSID Code Execution"; content: "SID: 5840 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: 
url,wiki.quadrantsec.com/bin/view/Main/6105840; sid: 6105840; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] CatOS NAM SNMP Traffic"; content: "SID: 5841 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; default_proto: udp; default_dst_port: $SNMP_PORT; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105841; sid: 6105841; rev: 5;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Solaris Telnet Authentication Bypass"; content: "SID: 5842 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; default_proto: tcp; default_dst_port: $TELNET_PORT; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105842; sid: 6105842; rev: 5;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] CA BrightStor Tape Engine Overflow"; content: "SID: 5843 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105843; sid: 6105843; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Word Memory Corruption Exploit"; content: "SID: 5845 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105845; sid: 6105845; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] FTP 230 Reply Code"; content: "SID: 5846 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105846; sid: 6105846; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] FTP Successful Privileged Login"; content: "SID: 5847 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105847; sid: 6105847; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: 
"[CISCO-SDEE] Content Management Service Cross-site Scripting"; content: "SID: 5848 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105848; sid: 6105848; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft Content Management Server Vulnerability"; content: "SID: 5849 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105849; sid: 6105849; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Snort DCE/RPC Preprocessor Vulnerability"; content: "SID: 5850 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105850; sid: 6105850; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] WCS Administrative Directory Access"; content: "SID: 5851 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105851; sid: 6105851; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Word Malformed String Vulnerability"; content: "SID: 5852 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105852; sid: 6105852; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] SIP Invite DoS"; content: "SID: 5853 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105853; sid: 6105853; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Cisco CUCM/CUPS Denial of Service Vulnerability"; content: "SID: 5854 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: 
suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105854; sid: 6105854; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Helix Remote Code Execution"; content: "SID: 5855 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105855; sid: 6105855; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Agent URL Parsing Remote Code Execution"; content: "SID: 5856 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105856; sid: 6105856; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] UPnP Memory Corruption Vulnerability"; content: "SID: 5857 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105857; sid: 6105857; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] DNS Server RPC Interface Buffer Overflow"; content: "SID: 5858 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; default_proto: udp; default_dst_port: $DNS_PORT; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105858; sid: 6105858; rev: 5;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] uTorrent File Handling Buffer Overflow"; content: "SID: 5859 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105859; sid: 6105859; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] IOS FTPd Successful Login"; content: "SID: 5860 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105860; sid: 6105860; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET 
any (msg: "[CISCO-SDEE] Cisco CNS Netflow Collection Engine Default Password"; content: "SID: 5861 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105861; sid: 6105861; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Outlook Web Access UTF Character Script Execution"; content: "SID: 5862 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105862; sid: 6105862; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Internet Explorer CAPICOM.Certificates Remote Code Execution"; content: "SID: 5863 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105863; sid: 6105863; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Exchange Server IMAP Literal Processing Vulnerability"; content: "SID: 5864 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105864; sid: 6105864; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft WMS Arbitrary File Rewrite Vulnerability"; content: "SID: 5865 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105865; sid: 6105865; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] IBM Lotus Domino IMAP CRAM-MD5 Overflow"; content: "SID: 5866 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105866; sid: 6105866; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] IE Navigation Cancel Page Spoofing Vulnerability"; content: "SID: 5868 
,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105868; sid: 6105868; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Internet Explorer CSS Tag Memory Corruption"; content: "SID: 5869 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105869; sid: 6105869; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Win32 API Vulnerability"; content: "SID: 5870 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105870; sid: 6105870; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Urlmon.dll COM Object Instantiation"; content: "SID: 5871 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105871; sid: 6105871; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft Speech API 4 ActiveX Overflow"; content: "SID: 5873 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105873; sid: 6105873; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft Speech API 4 ActiveX Overflow"; content: "SID: 5874 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105874; sid: 6105874; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] WinZip ActiveX Control Instantiation"; content: "SID: 5876 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105876; sid: 6105876; rev: 4;) 
# ---------------------------------------------------------------------------
# Cisco SDEE sensor events (Cisco signature IDs 5877-5943), forwarded through
# the "qdee" program.  Every rule in this block is shipped DISABLED (leading
# '#'); enable a rule by removing the '#' from that single "alert" line.
#
# What each rule actually keys on (all of it visible in the rule text):
#   program: qdee            only log lines whose program field is "qdee" are
#                            examined, so the same text from another daemon
#                            does not fire the rule.
#   content: "SID: NNNN ,"   the Cisco signature ID as a substring, INCLUDING
#                            the trailing space and comma, so that e.g.
#                            "SID: 593" cannot match "SID: 5930" by prefix.
#   parse_src_ip: 1 / parse_dst_ip: 2 / parse_port
#                            presumably the 1st and 2nd IP address (and the
#                            port) found in the message body, i.e. the
#                            attacker/victim as reported by the sensor rather
#                            than the syslog sender -- confirm against the
#                            Sagan rule reference.
#   default_proto / default_dst_port
#                            present only on 6105898 (tcp/$HTTP_PORT) and
#                            6105912 (udp) in this block; 6105898 therefore
#                            needs $HTTP_PORT defined in the variable section.
#   classtype: suspicious-traffic on every rule; sid = 6100000 + Cisco SID;
#   reference: url points at the Quadrant wiki page for that sid.
#
# NOTE(review): the header is $EXTERNAL_NET -> $HOME_NET.  If the header is
# applied to the parsed addresses, internal-to-internal (lateral) sensor
# events will not match unless $EXTERNAL_NET is defined to include them --
# verify before relying on these for east-west visibility.
# NOTE(review): no rule here carries a cve/bugtraq reference; the wiki URL is
# the only pointer to the underlying vulnerability.  These re-raise an alert
# the Cisco sensor has already generated, so treat them as event forwarding
# rather than as independent detection.
# ---------------------------------------------------------------------------
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] IE Protocol Handler Command Execution"; content: "SID: 5877 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105877; sid: 6105877; rev: 4;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] VBE Object ID Buffer Overflow"; content: "SID: 5878 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105878; sid: 6105878; rev: 4;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Apple QuickTime Java QTPointer Vulnerability"; content: "SID: 5879 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105879; sid: 6105879; rev: 4;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Sun Java Web Start JNLP File Stack Overflow"; content: "SID: 5880 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105880; sid: 6105880; rev: 4;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] IOS NHRP Buffer Overflow"; content: "SID: 5884 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105884; sid: 6105884; rev: 4;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] EnjoySAP kweditcontrol.kwedit Stack Overflow"; content: "SID: 5885 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105885; sid: 6105885; rev: 4;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Sun Java Socks Proxy Overflow"; content: "SID: 5886 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105886; sid: 6105886; rev: 4;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft PDWizard ActiveX Overflow"; content: "SID: 5887 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105887; sid: 6105887; rev: 4;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] TLBINF32.DLL COM Object Instantiation"; content: "SID: 5888 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105888; sid: 6105888; rev: 4;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] NeoTrace ActiveX Buffer Overflow"; content: "SID: 5889 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105889; sid: 6105889; rev: 4;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Long IMAP SUBSCRIBE Command"; content: "SID: 5890 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105890; sid: 6105890; rev: 4;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Motive Communications ActiveUtils Buffer Overflow"; content: "SID: 5892 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105892; sid: 6105892; rev: 4;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Cisco IP Phone Remote Denial of Service"; content: "SID: 5893 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105893; sid: 6105893; rev: 4;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Storm Worm"; content: "SID: 5894 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105894; sid: 6105894; rev: 4;)
# rev 5: carries default_proto/default_dst_port, so an event without a
# parseable port is recorded against tcp/$HTTP_PORT rather than left empty.
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft Agent HTTP Code Execution"; content: "SID: 5898 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; default_proto: tcp; default_dst_port: $HTTP_PORT; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105898; sid: 6105898; rev: 5;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] MSN Messenger Webcam Buffer Overflow"; content: "SID: 5899 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105899; sid: 6105899; rev: 4;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] AIM Message HTML Injection"; content: "SID: 5902 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105902; sid: 6105902; rev: 4;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] MS SharePoint XSS"; content: "SID: 5903 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105903; sid: 6105903; rev: 4;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft Internet Explorer Address Bar Spoof"; content: "SID: 5905 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105905; sid: 6105905; rev: 4;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft Malformed Word Document Code Execution"; content: "SID: 5906 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105906; sid: 6105906; rev: 4;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] NNTP Overflow"; content: "SID: 5908 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105908; sid: 6105908; rev: 4;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Browser Address Bar Spoofing Attack"; content: "SID: 5909 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105909; sid: 6105909; rev: 4;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] CUCM Centralized TFTP File Locator Service Buffer Overflow"; content: "SID: 5910 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105910; sid: 6105910; rev: 4;)
# default_proto: udp only -- no default_dst_port, so the port stays whatever
# parse_port found (possibly nothing) when the sensor event omits it.
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] CUCM SIP INVITE UDP Denial of Service"; content: "SID: 5912 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; default_proto: udp; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105912; sid: 6105912; rev: 4;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] PIX/ASA/FWSM MGCP DoS"; content: "SID: 5913 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105913; sid: 6105913; rev: 4;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft FoxPro ActiveX Vulnerability"; content: "SID: 5915 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105915; sid: 6105915; rev: 4;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] URL Handler Vulnerability"; content: "SID: 5916 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105916; sid: 6105916; rev: 4;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] AskJeeves Toolbar ActiveX Buffer Overflow"; content: "SID: 5918 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105918; sid: 6105918; rev: 4;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft Kodak Image Viewer Overflow"; content: "SID: 5919 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105919; sid: 6105919; rev: 4;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Apple Quicktime VRPanoSampleAtom Heap Overflow"; content: "SID: 5920 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105920; sid: 6105920; rev: 4;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Apple Quicktime Color Table Overflow"; content: "SID: 5921 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105921; sid: 6105921; rev: 4;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] BEA WebLogic Admin Console Cross Site Scripting"; content: "SID: 5922 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105922; sid: 6105922; rev: 4;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft Internet Explorer FTP Client Directory Traversal issue"; content: "SID: 5923 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105923; sid: 6105923; rev: 4;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Mozilla Browsers JavaScript Argument Passing Code Execution Vulnerability"; content: "SID: 5924 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105924; sid: 6105924; rev: 4;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Internet Explorer HTML Object Memory Corruption"; content: "SID: 5925 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105925; sid: 6105925; rev: 4;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Oracle ctxsys.driload Access Violation Vulnerability"; content: "SID: 5926 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105926; sid: 6105926; rev: 4;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Novell GroupWise WebAccess Overflow"; content: "SID: 5927 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105927; sid: 6105927; rev: 4;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] CSA for Windows System Driver Remote Buffer Overflow Vulnerability"; content: "SID: 5928 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105928; sid: 6105928; rev: 4;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] McAfee VirusScan File Name Overflow"; content: "SID: 5929 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105929; sid: 6105929; rev: 4;)
# NOTE(review): 5930 ("Generic SQL Injection") and 5931 ("Google Ratproxy")
# are broad sensor signatures; if enabled, expect volume and consider a
# threshold or a narrower $HOME_NET -- unverified here, based on the names only.
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Generic SQL Injection"; content: "SID: 5930 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105930; sid: 6105930; rev: 4;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Google Ratproxy"; content: "SID: 5931 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105931; sid: 6105931; rev: 4;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Oracle Database DBMS_Scheduler Privilege Escalation"; content: "SID: 5933 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105933; sid: 6105933; rev: 4;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Winamp MP4 Memory Corruption"; content: "SID: 5934 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105934; sid: 6105934; rev: 4;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Quicktime FlipFileTypeAtom_BtoN Underflow"; content: "SID: 5935 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105935; sid: 6105935; rev: 4;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] QuickTime MOV Heap Overflow"; content: "SID: 5936 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105936; sid: 6105936; rev: 4;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Oracle Database SUBSCRIPTION_NAME Parameter SQL Injection"; content: "SID: 5937 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105937; sid: 6105937; rev: 4;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Oracle Database sys.pbsde.init Procedure Buffer Overflow"; content: "SID: 5938 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105938; sid: 6105938; rev: 4;)
# NOTE(review): the msg below reads "Curruption" (sic) -- a typo in the alert
# name that will show up verbatim in every downstream alert/SIEM record.  Left
# byte-identical here; correct the spelling and bump rev when the rule is
# next edited.
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Word Text Box Memory Curruption"; content: "SID: 5939 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105939; sid: 6105939; rev: 4;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] HTML Objects Memory Corruption Vulnerability"; content: "SID: 5940 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105940; sid: 6105940; rev: 4;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Windows CSRSS Message Box Memory Corruption"; content: "SID: 5941 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105941; sid: 6105941; rev: 4;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Yahoo Messenger AudioConf ActiveX Overflow"; content: "SID: 5942 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105942; sid: 6105942; rev: 4;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Oracle Database Server SQL Query Directory Traversal"; content: "SID: 5943 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105943; sid: 6105943; rev: 4;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] eTrust IDS Encryption Key DoS"; content: "SID: 5944 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105944; sid: 6105944; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] MS IE Cross Frame Scripting Restriction Bypass"; content: "SID: 5945 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105945; sid: 6105945; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Ingres Database uuid_from_char() Stack Overflow"; content: "SID: 5948 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105948; sid: 6105948; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Multiple HP Web Jetadmin Vulnerabilities"; content: "SID: 5949 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105949; sid: 6105949; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Excel Malformed String Code Execution"; content: "SID: 5950 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105950; sid: 6105950; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] BrightStor ARCserve Backup MSRPC Memory Corruption"; content: "SID: 5951 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105951; sid: 6105951; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] WordPerfect Importer/Exporter Heap Overflow"; content: "SID: 5952 ,"; 
parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105952; sid: 6105952; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Apache Tomcat Directory Traversal"; content: "SID: 5953 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105953; sid: 6105953; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] ePolicy Orchestrator SiteManager ActiveX Buffer Overflow"; content: "SID: 5954 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105954; sid: 6105954; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] QuickTime udta Buffer Overflow"; content: "SID: 5955 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105955; sid: 6105955; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Multiple Vendor SOAP DoS"; content: "SID: 5956 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105956; sid: 6105956; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] QuickTime Heap Corruption"; content: "SID: 5957 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105957; sid: 6105957; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Citrix ICA Client ActiveX Control Buffer Overflow Vulnerability"; content: "SID: 5959 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105959; sid: 6105959; 
rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Mozilla Regular Expressions Heap Corruption"; content: "SID: 5960 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105960; sid: 6105960; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Oracle Database Server MD2 package SDO_CODE_SIZE procedure Buffer Overflow"; content: "SID: 5961 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105961; sid: 6105961; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Kerberos V5 Principal Name Buffer Overflow"; content: "SID: 5963 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105963; sid: 6105963; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Symantec Veritas NetBackup Server bpcd Long Request Buffer Overflow"; content: "SID: 5966 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105966; sid: 6105966; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Symantec Veritas NetBackup CONNECT_OPTIONS Request Buffer Overflow"; content: "SID: 5967 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105967; sid: 6105967; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] IE daxctle.ocx KeyFrame Memory Corruption"; content: "SID: 5971 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105971; sid: 6105971; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: 
"[CISCO-SDEE] QuickTime Movie Buffer Overflow"; content: "SID: 5972 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105972; sid: 6105972; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Publisher Font Overflow"; content: "SID: 5973 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105973; sid: 6105973; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Oracle Database Server SDO_CS.TRANSFORM_LAYER Buffer Overflow"; content: "SID: 5974 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105974; sid: 6105974; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft Windows Media Player ASX Playlist Parsing Buffer Overflow"; content: "SID: 5975 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105975; sid: 6105975; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Avast! 
Remote LHA Buffer Overflow"; content: "SID: 5976 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105976; sid: 6105976; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] DB2 Handshake DoS"; content: "SID: 5977 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105977; sid: 6105977; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] MailEnable SMTP Service SPF Lookup Buffer Overflow"; content: "SID: 5978 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105978; sid: 6105978; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft Internet Explorer COM Object Instantiation Memory Corruption"; content: "SID: 5979 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105979; sid: 6105979; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft Speech API Buffer Overflow"; content: "SID: 5980 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105980; sid: 6105980; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Visual Basic for Applications SDK Overflow"; content: "SID: 5982 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105982; sid: 6105982; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft Internet Explorer VML Buffer Overrun"; content: "SID: 5983 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: 
suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105983; sid: 6105983; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] IE COM Object Code Execution"; content: "SID: 5984 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105984; sid: 6105984; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Quicktime RTSP Content-Type Excessive Length"; content: "SID: 5985 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105985; sid: 6105985; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft GDI GIF Parsing Vulnerability"; content: "SID: 5986 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105986; sid: 6105986; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Mozilla Products SVG layout vulnerability"; content: "SID: 5987 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105987; sid: 6105987; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] MaxDB WebDBM Buffer Overflow"; content: "SID: 5991 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105991; sid: 6105991; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] IE COM Object Instantiation Memory Corruption"; content: "SID: 5993 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105993; sid: 6105993; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] 
ImageMagick SGI Buffer Overflow"; content: "SID: 5994 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105994; sid: 6105994; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] eGatherer RunEgatherer Buffer Overflow"; content: "SID: 5997 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105997; sid: 6105997; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] SYS.KUPW-WORKER Package MAIN Procedure SQL Injection Attempt"; content: "SID: 5998 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105998; sid: 6105998; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Oracle Server Reports Command Execution"; content: "SID: 6000 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106000; sid: 6106000; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] SNMP Community String Private"; content: "SID: 6003 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; default_proto: udp; default_dst_port: $SNMP_PORT; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106003; sid: 6106003; rev: 5;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] IOS HTTP Server Iframe Command Injection"; content: "SID: 6004 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; default_proto: tcp; default_dst_port: $HTTP_PORT; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106004; sid: 6106004; rev: 5;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Unencrypted SSL Traffic"; content: "SID: 6005 ,"; 
parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106005; sid: 6106005; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Management Console Cross-Site Scripting"; content: "SID: 6007 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106007; sid: 6106007; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] First 4 Internet XCP Uninstallation ActiveX Control"; content: "SID: 6008 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106008; sid: 6106008; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] SYN Flood DOS"; content: "SID: 6009 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106009; sid: 6106009; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Internet Explorer FTP Command Injection"; content: "SID: 6011 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106011; sid: 6106011; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] EIQ License Buffer Overflow"; content: "SID: 6012 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106012; sid: 6106012; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] IRCBOT_JK DNS Lookup"; content: "SID: 6013 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; default_proto: udp; default_dst_port: $DNS_PORT; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106013; sid: 
6106013; rev: 5;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Flash Player Improper Memory Access"; content: "SID: 6014 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106014; sid: 6106014; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Flash ActionDefineFunction Improper Memory Access"; content: "SID: 6015 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106015; sid: 6106015; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] RIM BlackBerry Enterprise Router DoS"; content: "SID: 6016 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106016; sid: 6106016; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] DirectShow SAMI Parsing Remote Code Execution"; content: "SID: 6017 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106017; sid: 6106017; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] QuickTime PictureViewer Buffer Overflow"; content: "SID: 6020 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106020; sid: 6106020; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] WebSphere J_Username Buffer Overflow"; content: "SID: 6022 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106022; sid: 6106022; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] IE JavaScript window() DoS"; content: "SID: 6023 ,"; parse_src_ip: 1; 
parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106023; sid: 6106023; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Firefox JavaScript Information Disclosure"; content: "SID: 6024 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106024; sid: 6106024; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Jet DB Engine Buffer Overflow"; content: "SID: 6025 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106025; sid: 6106025; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Squid Gopher Protocol Handling Buffer Overflow"; content: "SID: 6026 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106026; sid: 6106026; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Outlook Word Malformed Object Tag"; content: "SID: 6027 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106027; sid: 6106027; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft Windows Message Queuing Service Code Execution"; content: "SID: 6030 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106030; sid: 6106030; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Mcafee FreeScan Information Disclosure"; content: "SID: 6031 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106031; sid: 6106031; rev: 
4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] DOMNodeRemoved Mutation Memory Corruption"; content: "SID: 6039 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106039; sid: 6106039; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Symantec Scan Engine Authentication Bypass"; content: "SID: 6040 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106040; sid: 6106040; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Mozilla Firefox CSS Letter-Spacing Heap Overflow"; content: "SID: 6041 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106041; sid: 6106041; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] MHTTP Response Splitting"; content: "SID: 6045 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; default_proto: tcp; default_dst_port: $HTTP_PORT; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106045; sid: 6106045; rev: 5;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] InterNetNews NULL Path Denial of Service"; content: "SID: 6046 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106046; sid: 6106046; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] TrendMicro InterScan Viruswall Directory Traversal"; content: "SID: 6047 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106047; sid: 6106047; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Oracle Database Server SQL 
SYS.KUPV Injection"; content: "SID: 6048 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106048; sid: 6106048; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Oracle Database Server Login Access Control Bypass Exploit"; content: "SID: 6049 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106049; sid: 6106049; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] DNS HINFO Request"; content: "SID: 6050 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; default_proto: udp; default_dst_port: $DNS_PORT; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106050; sid: 6106050; rev: 5;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] DNS Zone Transfer"; content: "SID: 6051 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; default_proto: udp; default_dst_port: $DNS_PORT; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106051; sid: 6106051; rev: 5;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] DNS Zone Transfer from High Port"; content: "SID: 6052 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; default_proto: udp; default_dst_port: $DNS_PORT; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106052; sid: 6106052; rev: 5;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] DNS Request for All Records"; content: "SID: 6053 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; default_proto: udp; default_dst_port: $DNS_PORT; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106053; sid: 6106053; rev: 5;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] DNS Version Request"; content: 
"SID: 6054 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; default_proto: udp; default_dst_port: $DNS_PORT; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106054; sid: 6106054; rev: 5;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] DNS Inverse Query Buffer Overflow"; content: "SID: 6055 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; default_proto: udp; default_dst_port: $DNS_PORT; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106055; sid: 6106055; rev: 5;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] DNS NXT Buffer Overflow"; content: "SID: 6056 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; default_proto: udp; default_dst_port: $DNS_PORT; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106056; sid: 6106056; rev: 5;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] DNS SIG Buffer Overflow"; content: "SID: 6057 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; default_proto: udp; default_dst_port: $DNS_PORT; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106057; sid: 6106057; rev: 5;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] DNS SRV DoS"; content: "SID: 6058 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; default_proto: udp; default_dst_port: $DNS_PORT; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106058; sid: 6106058; rev: 5;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] DNS TSIG Overflow"; content: "SID: 6059 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; default_proto: udp; default_dst_port: $DNS_PORT; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106059; sid: 6106059; rev: 5;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] DNS 
Complain Overflow"; content: "SID: 6060 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; default_proto: udp; default_dst_port: $DNS_PORT; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106060; sid: 6106060; rev: 5;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] DNS Infoleak"; content: "SID: 6061 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; default_proto: udp; default_dst_port: $DNS_PORT; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106061; sid: 6106061; rev: 5;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] DNS Authors Request"; content: "SID: 6062 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; default_proto: udp; default_dst_port: $DNS_PORT; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106062; sid: 6106062; rev: 5;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] DNS Incremental Zone Transfer"; content: "SID: 6063 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; default_proto: udp; default_dst_port: $DNS_PORT; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106063; sid: 6106063; rev: 5;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] BIND Large OPT Record DoS"; content: "SID: 6064 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106064; sid: 6106064; rev: 5;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] DNS Query Name Loop DoS"; content: "SID: 6065 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; default_proto: udp; default_dst_port: $DNS_PORT; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106065; sid: 6106065; rev: 5;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] DNS Tunneling"; content: 
"SID: 6066 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; default_proto: udp; default_dst_port: $DNS_PORT; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106066; sid: 6106066; rev: 5;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] DNS TSIG Bugtraq Overflow"; content: "SID: 6067 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; default_proto: udp; default_dst_port: $DNS_PORT; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106067; sid: 6106067; rev: 5;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Cisco Wireless Control System Administrative Default Password"; content: "SID: 6068 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106068; sid: 6106068; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Windows Media Format Remote Code Execution"; content: "SID: 6069 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106069; sid: 6106069; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Windows Media Format Remote Code Execution"; content: "SID: 6070 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106070; sid: 6106070; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Oracle Database Server XDB.DBMS_XMLSCHEMA Buffer Overflow"; content: "SID: 6071 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106071; sid: 6106071; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Visual Basic VBP Buffer Overflow"; content: "SID: 6072 ,"; parse_src_ip: 1; 
parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106072; sid: 6106072; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Visual Studio Crystal Reports RPT File Code Execution"; content: "SID: 6073 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106073; sid: 6106073; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] DirectX RLE Compressed TGA Overflow"; content: "SID: 6074 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106074; sid: 6106074; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Mozilla SOAPParameter Integer Overflow"; content: "SID: 6075 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106075; sid: 6106075; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] ISC BIND DNS resolver buffer overflow"; content: "SID: 6076 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; default_proto: udp; default_dst_port: $DNS_PORT; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106076; sid: 6106076; rev: 5;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] IE Malformed GIF File"; content: "SID: 6077 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106077; sid: 6106077; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Outlook Web Access XSS"; content: "SID: 6078 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106078; sid: 
6106078; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] ACDSee Products XPM Vulnerability"; content: "SID: 6079 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106079; sid: 6106079; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Adobe Products PNG Parsing"; content: "SID: 6080 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106080; sid: 6106080; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft Excel BIFF Parsing"; content: "SID: 6081 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106081; sid: 6106081; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft Excel Column Record Handling"; content: "SID: 6082 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106082; sid: 6106082; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft Excel SetFont"; content: "SID: 6083 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106083; sid: 6106083; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] IE 7 HTML Object Memory Corruption"; content: "SID: 6084 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106084; sid: 6106084; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] IE Table Column Record Handling"; content: "SID: 6085 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: 
suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106085; sid: 6106085; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Windows Graphics Rendering Engine Buffer Overflow"; content: "SID: 6086 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106086; sid: 6106086; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Symantec ISAKMP DoS"; content: "SID: 6087 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106087; sid: 6106087; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Windows Compressed Folders Buffer Overflow"; content: "SID: 6088 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106088; sid: 6106088; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] PHP memory_limit Vulnerability"; content: "SID: 6089 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106089; sid: 6106089; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Libpng Chunk Length Buffer Overflow"; content: "SID: 6090 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106090; sid: 6106090; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Acrobat Reader File Extension Buffer Overflow"; content: "SID: 6091 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106091; sid: 6106091; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Qt BMP 
Buffer Overflow"; content: "SID: 6092 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106092; sid: 6106092; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Nullsoft Winamp M3U Remote Buffer Overflow"; content: "SID: 6094 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106094; sid: 6106094; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Apache apr-util IPv6 URI Parsing Vulnerability"; content: "SID: 6095 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106095; sid: 6106095; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] RPC Port Registration"; content: "SID: 6100 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106100; sid: 6106100; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] RPC Port Unregistration"; content: "SID: 6101 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106101; sid: 6106101; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] RPC Dump"; content: "SID: 6102 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106102; sid: 6106102; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Proxied RPC Request"; content: "SID: 6103 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106103; sid: 6106103; rev: 4;) #alert any 
$EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] RPC Port Reg Spoof"; content: "SID: 6104 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106104; sid: 6106104; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] RPC Port UnReg Spoof"; content: "SID: 6105 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106105; sid: 6106105; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Cisco Secure ACS EAP-TLS Authentication Bypass"; content: "SID: 6106 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106106; sid: 6106106; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] CVS File Existence Information Disclosure"; content: "SID: 6107 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106107; sid: 6106107; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] FreeRADIUS Denial of Service"; content: "SID: 6108 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106108; sid: 6106108; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] RPC RSTATD Sweep"; content: "SID: 6110 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106110; sid: 6106110; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] RPC RUSESRD Sweep"; content: "SID: 6111 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: 
url,wiki.quadrantsec.com/bin/view/Main/6106111; sid: 6106111; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] RPC NFS Sweep"; content: "SID: 6112 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106112; sid: 6106112; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] RPC MOUNTD Sweep"; content: "SID: 6113 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106113; sid: 6106113; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] RPC YPASSWDD Sweep"; content: "SID: 6114 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106114; sid: 6106114; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] RPC SELECTION SVC Sweep"; content: "SID: 6115 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106115; sid: 6106115; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] RPC REXD Sweep"; content: "SID: 6116 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106116; sid: 6106116; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] RPC STATUS Sweep"; content: "SID: 6117 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106117; sid: 6106117; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] RPC TTDB Sweep"; content: "SID: 6118 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: 
url,wiki.quadrantsec.com/bin/view/Main/6106118; sid: 6106118; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] MySQL Authentication Vulnerability"; content: "SID: 6119 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106119; sid: 6106119; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] RPC RSTATD Request"; content: "SID: 6120 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106120; sid: 6106120; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] RPC RUSESRD Request"; content: "SID: 6121 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106121; sid: 6106121; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] RPC NFS Request"; content: "SID: 6122 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106122; sid: 6106122; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] RPC MOUNTD Request"; content: "SID: 6123 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106123; sid: 6106123; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] RPC YPASSWDD Request"; content: "SID: 6124 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106124; sid: 6106124; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] RPC SELECTION SVC Request"; content: "SID: 6125 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: 
suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106125; sid: 6106125; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] RPC REXD Request"; content: "SID: 6126 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106126; sid: 6106126; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] RPC STATUS Request"; content: "SID: 6127 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106127; sid: 6106127; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] RPC TTDB Request"; content: "SID: 6128 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106128; sid: 6106128; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft Message Queuing Overflow"; content: "SID: 6130 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106130; sid: 6106130; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft Plug and Play Overflow"; content: "SID: 6131 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106131; sid: 6106131; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Mod SSL- Mod Proxy Hook Format String"; content: "SID: 6132 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106132; sid: 6106132; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft Excel Cell Length Buffer Overflow CVE-2004-0846"; content: "SID: 
6133 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106133; sid: 6106133; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft ASP.NET Canonicalization"; content: "SID: 6134 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106134; sid: 6106134; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Sun Solaris in.rwhod Buffer Overflow"; content: "SID: 6135 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106135; sid: 6106135; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Wordpad Default Font Overflow"; content: "SID: 6137 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106137; sid: 6106137; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Non-ASCII Hostname"; content: "SID: 6138 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106138; sid: 6106138; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Malicious BMP File"; content: "SID: 6139 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106139; sid: 6106139; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Squid ASN.1 Header Parsing Denial of Service"; content: "SID: 6140 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106140; sid: 6106140; rev: 4;) #alert any $EXTERNAL_NET any -> 
$HOME_NET any (msg: "[CISCO-SDEE] Macromedia JRun 4.x Server File Disclosure"; content: "SID: 6141 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106141; sid: 6106141; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Apache HTTP Server Mod_Cache Module DoS"; content: "SID: 6142 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; default_proto: tcp; default_dst_port: $HTTP_PORT; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106142; sid: 6106142; rev: 5;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Borland Interbase Database Service Create-Request Buffer Overflow"; content: "SID: 6143 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106143; sid: 6106143; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] X.Org X Font Server Buffer Overflow"; content: "SID: 6144 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106144; sid: 6106144; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Trend Micro ServerProtect TMregChange Buffer Overflow"; content: "SID: 6145 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106145; sid: 6106145; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Squid WCCP Message Receive Buffer Overflow"; content: "SID: 6146 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106146; sid: 6106146; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] RealPlayer RealMedia Security 
Bypass"; content: "SID: 6147 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106147; sid: 6106147; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] OpenSSL SSL_get_shared_ciphers Off-by-one"; content: "SID: 6148 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106148; sid: 6106148; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] MySQL Arbitrary Library Injection"; content: "SID: 6149 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106149; sid: 6106149; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] ypserv Portmap Request"; content: "SID: 6150 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106150; sid: 6106150; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] ypbind Portmap Request"; content: "SID: 6151 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106151; sid: 6106151; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] yppasswdd Portmap Request"; content: "SID: 6152 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106152; sid: 6106152; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] ypupdated Portmap Request"; content: "SID: 6153 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106153; sid: 6106153; rev: 4;) #alert any 
$EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] ypxfrd Portmap Request"; content: "SID: 6154 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106154; sid: 6106154; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] mountd Portmap Request"; content: "SID: 6155 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106155; sid: 6106155; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] MIT Kerberos kadmind RPC Library Unix Authentication"; content: "SID: 6156 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106156; sid: 6106156; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] MIT Kerberos Kadmind Remote Code Injection"; content: "SID: 6157 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106157; sid: 6106157; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] MIT Kerberos Kadmind Rename Buffer Overflow"; content: "SID: 6158 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106158; sid: 6106158; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft Windows Active Directory Crafted LDAP Request DoS"; content: "SID: 6159 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106159; sid: 6106159; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft Windows Active Directory Crafted LDAP Buffer Overflow"; content: "SID: 6160 ,"; 
parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106160; sid: 6106160; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Ingres Database Communications Server Component Buffer Overflow"; content: "SID: 6161 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106161; sid: 6106161; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Ipswitch IMail Server Date String Overflow"; content: "SID: 6162 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106162; sid: 6106162; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft Word Document Parsing Buffer Overflow"; content: "SID: 6164 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106164; sid: 6106164; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] nfs-utils TCP Connection Termination Denial of Service"; content: "SID: 6165 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; default_proto: tcp; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106165; sid: 6106165; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Novell eDirectory HTTP Server Redirection Buffer Overflow"; content: "SID: 6166 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; default_proto: tcp; default_dst_port: $HTTP_PORT; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106166; sid: 6106166; rev: 5;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Computer Associates Products Message Engine RPC Server Buffer Overflow"; content: "SID: 
6168 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106168; sid: 6106168; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] mod_tcl Module Format String Vulnerability"; content: "SID: 6169 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106169; sid: 6106169; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Novell eDirectory evtFilteredMonitorEventsRequest Function Overflow"; content: "SID: 6170 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106170; sid: 6106170; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] HP Info Center HPInfoDLL.dll ActiveX Control Remote Code Execution"; content: "SID: 6171 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106171; sid: 6106171; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Novell eDirectory evtFilteredMonitorEventsRequest Function"; content: "SID: 6172 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106172; sid: 6106172; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Empty DNS Query"; content: "SID: 6173 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; default_proto: udp; default_dst_port: $DNS_PORT; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106173; sid: 6106173; rev: 5;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] OpenLDAP Server BIND Request Denial of Service"; content: "SID: 6174 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; 
program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106174; sid: 6106174; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] rexd Portmap Request"; content: "SID: 6175 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106175; sid: 6106175; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Malformed SIP Invite Packet"; content: "SID: 6177 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106177; sid: 6106177; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] SIP Message DoS"; content: "SID: 6178 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106178; sid: 6106178; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Malformed MGCP Packet"; content: "SID: 6179 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106179; sid: 6106179; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] rexd Attempt"; content: "SID: 6180 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106180; sid: 6106180; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] SIP DoS"; content: "SID: 6181 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106181; sid: 6106181; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Large SIP Message"; content: "SID: 6184 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: 
qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106184; sid: 6106184; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] RIS Data Collector Heap Overflow"; content: "SID: 6186 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106186; sid: 6106186; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] CallManager TCP Connection DoS"; content: "SID: 6187 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; default_proto: tcp; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106187; sid: 6106187; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] statd dot dot"; content: "SID: 6188 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106188; sid: 6106188; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] statd automount attack"; content: "SID: 6189 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106189; sid: 6106189; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] statd Buffer Overflow"; content: "SID: 6190 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106190; sid: 6106190; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] RPC.tooltalk Buffer Overflow"; content: "SID: 6191 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106191; sid: 6106191; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] RPC mountd Buffer Overflow"; content: "SID: 
6192 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106192; sid: 6106192; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] RPC CMSD Buffer Overflow"; content: "SID: 6193 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106193; sid: 6106193; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] sadmind Buffer Overflow"; content: "SID: 6194 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106194; sid: 6106194; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Sadmind RPC Buffer Overflow"; content: "SID: 6195 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106195; sid: 6106195; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] snmpXdmid Buffer Overflow"; content: "SID: 6196 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106196; sid: 6106196; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] rpc yppaswdd overflow"; content: "SID: 6197 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106197; sid: 6106197; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Long rwalld Message"; content: "SID: 6198 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106198; sid: 6106198; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Cachefsd 
Overflow"; content: "SID: 6199 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106199; sid: 6106199; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Ident Buffer Overflow"; content: "SID: 6200 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106200; sid: 6106200; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Ident Newline"; content: "SID: 6201 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106201; sid: 6106201; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] sadmind directory traversal command exec"; content: "SID: 6203 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106203; sid: 6106203; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] IIS Source Code Disclosure"; content: "SID: 6204 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106204; sid: 6106204; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] NetBackup Vmd Buffer Overflow"; content: "SID: 6205 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106205; sid: 6106205; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] WorldMail IMAP Directory Traversal"; content: "SID: 6206 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106206; sid: 6106206; rev: 4;) #alert any $EXTERNAL_NET 
any -> $HOME_NET any (msg: "[CISCO-SDEE] FreeBSD nfsd Request Denial of Service"; content: "SID: 6207 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106207; sid: 6106207; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] NetBackup Volume Manager Buffer Overflow"; content: "SID: 6208 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106208; sid: 6106208; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] NetBackup Vnetd Buffer Overflow"; content: "SID: 6209 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106209; sid: 6106209; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] LPR Format String Overflow"; content: "SID: 6210 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106210; sid: 6106210; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] LPD NoOp Sled"; content: "SID: 6211 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106211; sid: 6106211; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] IE HTML Tag Memory Corruption"; content: "SID: 6212 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106212; sid: 6106212; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Firefox JavaScript Focus Buffer Overflow"; content: "SID: 6213 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: 
url,wiki.quadrantsec.com/bin/view/Main/6106213; sid: 6106213; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] LibTIFF TIFFFetchData Integer Overflow"; content: "SID: 6214 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106214; sid: 6106214; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Novell Print Services Integer Overflow"; content: "SID: 6215 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106215; sid: 6106215; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] EMC Retrospect Client Buffer Overflow"; content: "SID: 6216 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106216; sid: 6106216; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] eDirectory iMonitor NDS Server Buffer Overflow"; content: "SID: 6217 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106217; sid: 6106217; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] MediaWiki Script Insertion"; content: "SID: 6218 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106218; sid: 6106218; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] CommuniGate Pro LDAP Server Buffer Overflow"; content: "SID: 6219 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106219; sid: 6106219; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Retrospect Backup Agent Denial 
of Service"; content: "SID: 6220 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106220; sid: 6106220; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] IBM Director Agent DoS"; content: "SID: 6221 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106221; sid: 6106221; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] HP OpenView Client Configuration Manager Radia Notify Daemon Code Execution"; content: "SID: 6222 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106222; sid: 6106222; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Citrix MetaFrame IMA Authentication Processing Buffer Overflow"; content: "SID: 6223 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106223; sid: 6106223; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Windows IGMP Overflow"; content: "SID: 6224 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106224; sid: 6106224; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] KAME IKE raccoon HASH"; content: "SID: 6225 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106225; sid: 6106225; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Trojan.Srizbi Bot"; content: "SID: 6226 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: 
url,wiki.quadrantsec.com/bin/view/Main/6106226; sid: 6106226; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Visual Basic Charts Control Memory Corruption"; content: "SID: 6227 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106227; sid: 6106227; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Mac OSX Software Update Remote Code Execution"; content: "SID: 6228 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106228; sid: 6106228; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] MS SQL Server sqldmo.dll Overflow"; content: "SID: 6229 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106229; sid: 6106229; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] F-Secure Products Web Console Buffer Overflow"; content: "SID: 6230 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106230; sid: 6106230; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Citrix Presentation Server IMA"; content: "SID: 6231 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106231; sid: 6106231; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Distributed Transaction Coordinator Overflow"; content: "SID: 6232 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106232; sid: 6106232; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Computer 
Associates BrightStor ARCserve Backup Tape Engine Service"; content: "SID: 6233 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106233; sid: 6106233; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] VideoLAN VLC Subtitle Overflow"; content: "SID: 6234 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106234; sid: 6106234; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Apple Quicktime SMIL Overflow"; content: "SID: 6235 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106235; sid: 6106235; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] AMI Pro File Buffer Overflow"; content: "SID: 6236 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106236; sid: 6106236; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] MailEnable IMAP Service Login Overflow"; content: "SID: 6237 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106237; sid: 6106237; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] GNU RADIUS SQL Accounting Format String Vulnerability"; content: "SID: 6238 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106238; sid: 6106238; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Apple QuickTime RTSP Long URL"; content: "SID: 6239 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: 
url,wiki.quadrantsec.com/bin/view/Main/6106239; sid: 6106239; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] IMAP LOGIN Negative Value"; content: "SID: 6240 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106240; sid: 6106240; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Trend Micro ServerProtect eng50.dll Stack Overflow"; content: "SID: 6242 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106242; sid: 6106242; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Sun JRE Abstract Windowing Toolkit Module Memory Corruption"; content: "SID: 6243 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106243; sid: 6106243; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft Windows SNMP Service Memory Corruption"; content: "SID: 6244 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; default_proto: udp; default_dst_port: $SNMP_PORT; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106244; sid: 6106244; rev: 5;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] IBM Tivoli Storage Manager Initial Sign-on Request Buffer Overflow"; content: "SID: 6245 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106245; sid: 6106245; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Gateway Weblaunch Activex Control"; content: "SID: 6246 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106246; sid: 6106246; rev: 
4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Sun Microsystems Java GIF File Handling Memory Corruption"; content: "SID: 6247 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106247; sid: 6106247; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] HP Mercury Loadrunner Agent Command Processing Buffer Overflow"; content: "SID: 6248 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106248; sid: 6106248; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Visual Studio 6 ActiveX Exploit"; content: "SID: 6249 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106249; sid: 6106249; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] FTP Authorization Failure"; content: "SID: 6250 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106250; sid: 6106250; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Telnet Authorization Failure"; content: "SID: 6251 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; default_proto: tcp; default_dst_port: $TELNET_PORT; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106251; sid: 6106251; rev: 5;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Rlogin Authorization Failure"; content: "SID: 6252 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106252; sid: 6106252; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] POP3 Authorization Failure"; content: "SID: 
6253 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106253; sid: 6106253; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] SMB Authorization Failure"; content: "SID: 6255 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106255; sid: 6106255; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] HTTP Authorization Failure"; content: "SID: 6256 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; default_proto: tcp; default_dst_port: $HTTP_PORT; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106256; sid: 6106256; rev: 5;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] DHCP Client DoS"; content: "SID: 6257 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106257; sid: 6106257; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft IE HTML Rendering Memory Corruption"; content: "SID: 6258 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106258; sid: 6106258; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] HP Linux Printing And Imaging hpssd Command Injection"; content: "SID: 6259 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106259; sid: 6106259; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] VERITAS Storage Foundation Administrator Buffer Overflow"; content: "SID: 6260 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: 
url,wiki.quadrantsec.com/bin/view/Main/6106260; sid: 6106260; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] ISC DHCP Remote DoS"; content: "SID: 6261 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106261; sid: 6106261; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Cisco Secure Access Control Server CGI Buffer Overflow"; content: "SID: 6262 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106262; sid: 6106262; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] XSS in Cisco ACS Server"; content: "SID: 6263 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106263; sid: 6106263; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Excel Malformed Header"; content: "SID: 6264 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106264; sid: 6106264; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft Jet Database Engine Buffer Overflow"; content: "SID: 6265 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106265; sid: 6106265; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Excel Malformed Header"; content: "SID: 6266 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106266; sid: 6106266; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] IMAP Long FETCH Command"; content: "SID: 6267 ,"; parse_src_ip: 1; 
parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106267; sid: 6106267; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] HP Openview Network Node Manager Buffer Overflow"; content: "SID: 6268 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106268; sid: 6106268; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] HP Openview Operations Buffer Overflow"; content: "SID: 6269 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106269; sid: 6106269; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] HP OpenView Network Node Manager Integer Overflow"; content: "SID: 6270 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106270; sid: 6106270; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] VMWare ActiveX Arbitrary File Access"; content: "SID: 6271 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106271; sid: 6106271; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Novell iPrint Client ActiveX Buffer Overflow"; content: "SID: 6272 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106272; sid: 6106272; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft Works ActiveX WkImgSrv.dll Insecure Function"; content: "SID: 6273 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: 
url,wiki.quadrantsec.com/bin/view/Main/6106273; sid: 6106273; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] McAfee ePolicy Orchestrator Format String"; content: "SID: 6274 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106274; sid: 6106274; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] SGI fam Attempt"; content: "SID: 6275 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106275; sid: 6106275; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] TooltalkDB overflow"; content: "SID: 6276 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106276; sid: 6106276; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Show Mount Recon"; content: "SID: 6277 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106277; sid: 6106277; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Office Web Components DataSource Vulnerability"; content: "SID: 6278 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106278; sid: 6106278; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Citrix Presentation Server Client ActiveX Overflow"; content: "SID: 6279 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106279; sid: 6106279; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Messenger Information Disclosure Vulnerability"; content: "SID: 6280 ,"; 
parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106280; sid: 6106280; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Malformed EPS Filter Vulnerability"; content: "SID: 6281 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106281; sid: 6106281; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Malformed PICT Filter Vulnerability"; content: "SID: 6282 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106282; sid: 6106282; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Malformed BMP Filter Vulnerability"; content: "SID: 6283 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106283; sid: 6106283; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Openwsman HTTP Basic Authentication Buffer Overflow"; content: "SID: 6284 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; default_proto: tcp; default_dst_port: $HTTP_PORT; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106284; sid: 6106284; rev: 5;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] LANDesk Intel QIP Service Heal Packet Buffer Overflow"; content: "SID: 6295 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106295; sid: 6106295; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] IBM Lotus Sametime Server Multiplexer Stack Buffer Overflow"; content: "SID: 6296 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: 
suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106296; sid: 6106296; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] RealPlayer ActiveX Import Method Buffer Overflow"; content: "SID: 6297 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106297; sid: 6106297; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Creative Software AutoUpdate Engine ActiveX Stack-Overflow"; content: "SID: 6298 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106298; sid: 6106298; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Namo ActiveSquare6 ActiveX Vulnerability"; content: "SID: 6299 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106299; sid: 6106299; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Loki ICMP Tunneling"; content: "SID: 6300 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; default_proto: icmp; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106300; sid: 6106300; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] General Loki ICMP Tunneling"; content: "SID: 6302 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; default_proto: icmp; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106302; sid: 6106302; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] PingTunnel ICMP Tunneling"; content: "SID: 6303 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; default_proto: icmp; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106303; sid: 6106303; rev: 4;) #alert any 
$EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] MS-SQL Query Abuse"; content: "SID: 6350 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106350; sid: 6106350; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Samba SPOOLSS Notify Options Heap overflow"; content: "SID: 6402 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106402; sid: 6106402; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] IE Uninitialized Memory Corruption"; content: "SID: 6403 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106403; sid: 6106403; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] DirectShow WAV Parsing Remote Code Execution"; content: "SID: 6406 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106406; sid: 6106406; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] IE DHTML Memory Corruption"; content: "SID: 6408 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106408; sid: 6106408; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] IE Invalid Object Memory Corruption"; content: "SID: 6409 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106409; sid: 6106409; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] IE Unsafe Memory Operation"; content: "SID: 6410 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: 
suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106410; sid: 6106410; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Malformed BGP Message"; content: "SID: 6412 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106412; sid: 6106412; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] McAfee Subscription Manager ActiveX Stack Buffer Overflow"; content: "SID: 6413 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106413; sid: 6106413; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] ClamAV UPX File Handling Heap Overflow"; content: "SID: 6414 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106414; sid: 6106414; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft Windows Help HLP File Processing Memory Corruption"; content: "SID: 6416 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106416; sid: 6106416; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] JavaScript Navigator Object Memory Corruption"; content: "SID: 6417 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106417; sid: 6106417; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Apache HTTP Server mod_rewrite Module LDAP Scheme Handling Buffer Overflow"; content: "SID: 6418 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; default_proto: tcp; default_dst_port: $HTTP_PORT; classtype: suspicious-traffic; reference: 
url,wiki.quadrantsec.com/bin/view/Main/6106418; sid: 6106418; rev: 5;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Oracle Database dbms_assert Filter Bypass Vulnerability"; content: "SID: 6419 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106419; sid: 6106419; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft Office Malformed GIF File Processing Code Execution"; content: "SID: 6420 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106420; sid: 6106420; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft Excel Malformed SELECTION Record Code Execution"; content: "SID: 6421 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106421; sid: 6106421; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft ASP.NET Application Folder Information Disclosure"; content: "SID: 6422 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106422; sid: 6106422; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft XML Core Services Integer Overflow"; content: "SID: 6423 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106423; sid: 6106423; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft PowerPoint PPT File Parsing Memory Corruption"; content: "SID: 6424 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106424; sid: 6106424; rev: 
4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft Excel Malformed OBJECT Record Code Execution"; content: "SID: 6425 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106425; sid: 6106425; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft Word mso.dll LsCreateLine Memory Corruption"; content: "SID: 6426 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106426; sid: 6106426; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] zlib Denial of Service"; content: "SID: 6427 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106427; sid: 6106427; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft Internet Explorer CSS Memory Corruption"; content: "SID: 6430 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106430; sid: 6106430; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Oracle Web Cache Heap Overflow"; content: "SID: 6431 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106431; sid: 6106431; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Subversion svn Protocol String Parsing Vulnerability"; content: "SID: 6432 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106432; sid: 6106432; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Norton Internet Security NBNS Stack Overflow"; content: "SID: 6433 
,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106433; sid: 6106433; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Citrix Program Neighborhood Agent Buffer Overflow"; content: "SID: 6436 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106436; sid: 6106436; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] RealNetworks RealPlayer Compressed Skin Buffer Overflow"; content: "SID: 6437 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106437; sid: 6106437; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] IMail IMAP Fetch Buffer Overflow"; content: "SID: 6443 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106443; sid: 6106443; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] iGateway Content-Length Buffer Overflow"; content: "SID: 6444 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106444; sid: 6106444; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] SUSE Remote Manager Heap Overflow"; content: "SID: 6445 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106445; sid: 6106445; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Adobe Acrobat Reader eBook plug-in Format String Vulnerability"; content: "SID: 6446 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: 
url,wiki.quadrantsec.com/bin/view/Main/6106446; sid: 6106446; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Apache Tomcat Mod_jk Stack Overflow"; content: "SID: 6449 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106449; sid: 6106449; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] pcAnywhere Buffer Overflow"; content: "SID: 6450 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106450; sid: 6106450; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] MediaWiki Language Option PHP Code Execution"; content: "SID: 6451 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106451; sid: 6106451; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft Winhlp32 Compressed Phrase Buffer Overflow"; content: "SID: 6454 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106454; sid: 6106454; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Flash Media Server DoS"; content: "SID: 6456 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106456; sid: 6106456; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Lotus Notes URI Handler Argument Injection"; content: "SID: 6457 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106457; sid: 6106457; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft Windows Media Player File 
Information Disclosure"; content: "SID: 6458 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106458; sid: 6106458; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft Winhlp32 Compressed Phrase Integer Overflow"; content: "SID: 6459 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106459; sid: 6106459; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft Internet Explorer CDF Cross Domain Scripting"; content: "SID: 6462 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106462; sid: 6106462; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Squid WCCP Message Parsing Denial of Service"; content: "SID: 6466 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106466; sid: 6106466; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Mozilla Firefox Click Event Classification Vulnerability"; content: "SID: 6467 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106467; sid: 6106467; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Multiple Vendor AV Gateway Virus Detection Bypass"; content: "SID: 6468 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106468; sid: 6106468; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Multiple Web Browsers Window Injection."; content: "SID: 6477 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; 
program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106477; sid: 6106477; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Novell iManager Tomcat HTTP POST Request Handling Denial of Service"; content: "SID: 6486 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; default_proto: tcp; default_dst_port: $HTTP_PORT; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106486; sid: 6106486; rev: 5;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] TikiWiki jhot.php Script File Upload Security Bypass"; content: "SID: 6487 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106487; sid: 6106487; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Symantec Veritas NetBackup Command Chaining"; content: "SID: 6488 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106488; sid: 6106488; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Symantec Veritas NetBackup CONNECT_OPTIONS Buffer Overflow"; content: "SID: 6489 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106489; sid: 6106489; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Alt-N MDAEMON IMAP Server Heap Overflow"; content: "SID: 6491 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106491; sid: 6106491; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft Windows Graphics Rendering Engine Buffer Overflow Vulnerability"; content: "SID: 6493 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; 
classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106493; sid: 6106493; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] IMAP APPEND Date Buffer Overflow"; content: "SID: 6494 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106494; sid: 6106494; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft Internet Explorer URL Spoofing Vulnerability Details"; content: "SID: 6496 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106496; sid: 6106496; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] RingZero Trojan"; content: "SID: 6500 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106500; sid: 6106500; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Tribe Flood Net Client Request"; content: "SID: 6501 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106501; sid: 6106501; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Tribe Flood Net Server Reply"; content: "SID: 6502 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106502; sid: 6106502; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Stacheldraht Client Request"; content: "SID: 6503 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106503; sid: 6106503; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Stacheldraht Server 
Reply"; content: "SID: 6504 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106504; sid: 6106504; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Trinoo Client Request"; content: "SID: 6505 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106505; sid: 6106505; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Trinoo Server Reply"; content: "SID: 6506 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106506; sid: 6106506; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] TFN2K Control Traffic"; content: "SID: 6507 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106507; sid: 6106507; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Mstream Control Traffic"; content: "SID: 6508 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106508; sid: 6106508; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft DXmedia SDK6 ActiveX Control"; content: "SID: 6509 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106509; sid: 6106509; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] GOM Player ActiveX Control Buffer Overflow"; content: "SID: 6510 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106510; sid: 6106510; rev: 4;) #alert any $EXTERNAL_NET 
any -> $HOME_NET any (msg: "[CISCO-SDEE] Macrovision FlexNet isusweb.dll DownloadAndExecute Method"; content: "SID: 6512 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106512; sid: 6106512; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Macrovision FlexNet DownloadManager Insecure Methods"; content: "SID: 6513 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106513; sid: 6106513; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Invalid SIP Response Code"; content: "SID: 6515 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106515; sid: 6106515; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Malformed Via Header"; content: "SID: 6517 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106517; sid: 6106517; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] SIP Long Header Field"; content: "SID: 6518 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106518; sid: 6106518; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Long SIP Message"; content: "SID: 6520 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106520; sid: 6106520; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Call Manager Overflow"; content: "SID: 6521 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: 
url,wiki.quadrantsec.com/bin/view/Main/6106521; sid: 6106521; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Failed HTTP Login HTTP 401"; content: "SID: 6522 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; default_proto: tcp; default_dst_port: $HTTP_PORT; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106522; sid: 6106522; rev: 5;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Non-Printable in SIP Header"; content: "SID: 6523 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106523; sid: 6106523; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Yahoo! Assistant yNotifier.dll ActiveX Control Code Execution"; content: "SID: 6524 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106524; sid: 6106524; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Lighttpd FastCGI Header Overrun"; content: "SID: 6526 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106526; sid: 6106526; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft Publisher Invalid Memory Reference RCE"; content: "SID: 6527 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106527; sid: 6106527; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Oracle Application Server 10G EmChartBeam Remote Directory Traversal"; content: "SID: 6528 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106528; sid: 6106528; rev: 4;) #alert any 
$EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] SynCE Command Injection"; content: "SID: 6530 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106530; sid: 6106530; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Perdition IMAP Proxy str_vwrite Format String"; content: "SID: 6532 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106532; sid: 6106532; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Computer Associates BrightStor ARCserve Backup Discovery Service"; content: "SID: 6533 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106533; sid: 6106533; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Symantec Backup Exec ActiveX Control"; content: "SID: 6534 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106534; sid: 6106534; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Facebook Photo Uploader ActiveX Control"; content: "SID: 6535 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106535; sid: 6106535; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Aurigma ImageUploader ActiveX Control"; content: "SID: 6536 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106536; sid: 6106536; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Kraken Botnet Traffic"; content: "SID: 6537 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; 
program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106537; sid: 6106537; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft Malware Protection Engine DoS"; content: "SID: 6539 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106539; sid: 6106539; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] CUCM Certificate Trust List Memory Consumption DOS"; content: "SID: 6540 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106540; sid: 6106540; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft Project Malformed File Exploit"; content: "SID: 6541 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106541; sid: 6106541; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] TFTPServer Error Overflow"; content: "SID: 6542 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106542; sid: 6106542; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] CiscoWorks Common Services Arbitrary Code Injection"; content: "SID: 6543 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106543; sid: 6106543; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] ActiveX Object Memory Corruption Vulnerability"; content: "SID: 6544 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106544; sid: 6106544; rev: 4;) #alert any 
$EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] WINS Local Privilege Escalation"; content: "SID: 6545 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106545; sid: 6106545; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] SNMPv3 Malformed Authentication Attempt"; content: "SID: 6546 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; default_proto: udp; default_dst_port: $SNMP_PORT; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106546; sid: 6106546; rev: 5;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft SQL Server 7 TDS Denial Of Service"; content: "SID: 6702 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106702; sid: 6106702; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Snort SACK TCP Option Handling Denial of Service Details"; content: "SID: 6703 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; default_proto: tcp; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106703; sid: 6106703; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft Internet Explorer Address Bar Spoofing Vulnerability"; content: "SID: 6704 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106704; sid: 6106704; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Internet Explorer Drag And Drop Vulnerability"; content: "SID: 6705 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106705; sid: 6106705; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: 
"[CISCO-SDEE] Microsoft Windows Remote Desktop Protocol DoS"; content: "SID: 6707 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106707; sid: 6106707; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Macromedia Flash Player LoadMovie DoS"; content: "SID: 6710 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106710; sid: 6106710; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft Internet Explorer Image Download Spoofing"; content: "SID: 6711 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106711; sid: 6106711; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft Internet Explorer Script Engine Stack Exhaustion"; content: "SID: 6712 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106712; sid: 6106712; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft Internet Explorer Status Bar URL Spoofing"; content: "SID: 6717 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106717; sid: 6106717; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Multiple AV Vendor Invalid Archive Checksum"; content: "SID: 6718 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106718; sid: 6106718; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] MySQL COM_TABLE_DUMP Function Stack Overflow"; content: "SID: 6719 ,"; parse_src_ip: 1; 
parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106719; sid: 6106719; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] MySQL Login Handshake Information Disclosure"; content: "SID: 6720 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106720; sid: 6106720; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] OpenBSD ISAKMP Message Handling Denial Of Service"; content: "SID: 6721 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106721; sid: 6106721; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Oracle Application Server 10g emagent.exe Stack Buffer Overflow"; content: "SID: 6722 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106722; sid: 6106722; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Sun Directory Server LDAP Denial of Service Details"; content: "SID: 6723 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106723; sid: 6106723; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Nullsoft Winamp Midi File Header Handling Buffer Overflow"; content: "SID: 6727 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106727; sid: 6106727; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft Windows GUID Folder Code Execution"; content: "SID: 6728 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: 
url,wiki.quadrantsec.com/bin/view/Main/6106728; sid: 6106728; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] IBM Tivoli Storage Manager Express Buffer Overflow"; content: "SID: 6730 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106730; sid: 6106730; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] CA BrightStor ARCServe Backup LGServer Username Buffer Overflow"; content: "SID: 6731 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106731; sid: 6106731; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] CA BrightStor ARCServe Backup LGServer Password Buffer Overflow"; content: "SID: 6732 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106732; sid: 6106732; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] CA BrightStor ARCServe Backup LGServer Arbitrary File Upload"; content: "SID: 6733 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106733; sid: 6106733; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] CA ARCserve Backup LGServer Multiple Buffer Overflows"; content: "SID: 6734 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106734; sid: 6106734; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft Internet Explorer HHCtrl.ocx Image Property Heap Corruption"; content: "SID: 6735 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: 
url,wiki.quadrantsec.com/bin/view/Main/6106735; sid: 6106735; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Apple QuickTime FLIC Animation File Buffer Overflow Details"; content: "SID: 6736 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106736; sid: 6106736; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] OpenSSL SSL_get_shared_ciphers Function Buffer Overflow"; content: "SID: 6737 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106737; sid: 6106737; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Novell GroupWise Messenger HTTP POST Request Invalid Memory Access"; content: "SID: 6739 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; default_proto: tcp; default_dst_port: $HTTP_PORT; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106739; sid: 6106739; rev: 5;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Trend Micro OfficeScan Atxconsole ActiveX Control Format String"; content: "SID: 6740 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106740; sid: 6106740; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Symantec Discovery XFERWAN Buffer overflow"; content: "SID: 6741 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106741; sid: 6106741; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft PowerPoint Malformed Record Code Execution"; content: "SID: 6742 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: 
url,wiki.quadrantsec.com/bin/view/Main/6106742; sid: 6106742; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Novell ZENworks Asset Mangement Overflow"; content: "SID: 6743 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106743; sid: 6106743; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Mozilla FireFox DomNodeRemoved Memory Corruption"; content: "SID: 6744 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106744; sid: 6106744; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Windows Remote Kernel TCPIP ICMP Vulnerability"; content: "SID: 6755 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; default_proto: icmp; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106755; sid: 6106755; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft Internet Explorer Page Update Race Condition"; content: "SID: 6757 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106757; sid: 6106757; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft Visio Version Number Code Execution Vulnerability"; content: "SID: 6758 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106758; sid: 6106758; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Apple Safari Regular Expression Overflow"; content: "SID: 6759 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106759; sid: 6106759; rev: 4;) #alert any 
$EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] RealPlayer ActiveX Buffer overflow"; content: "SID: 6760 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106760; sid: 6106760; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Cisco Unified Communications Manager CTL Provider Heap Overflow"; content: "SID: 6761 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106761; sid: 6106761; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Cisco PIX and ASA Time-to-Live DoS"; content: "SID: 6764 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106764; sid: 6106764; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Cisco Application Velocity System Default Passwords"; content: "SID: 6765 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106765; sid: 6106765; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] IE Security Zone Bypass and Address Spoofing"; content: "SID: 6766 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106766; sid: 6106766; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft Windows RSH Daemon Stack Overflow"; content: "SID: 6767 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106767; sid: 6106767; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Samba WINS Remote Code Execution Vulnerability"; content: "SID: 6768 ,"; 
parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106768; sid: 6106768; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Netware LSASS CIFS.NLM Driver Overflow"; content: "SID: 6769 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106769; sid: 6106769; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] OpenOffice PRTDATA Heap Overflow"; content: "SID: 6770 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106770; sid: 6106770; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft Windows WebDAV Mini Redirector"; content: "SID: 6771 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106771; sid: 6106771; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] WordPerfect X3 Printer Selection Vulnerability"; content: "SID: 6773 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106773; sid: 6106773; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft Office Works Converter Remote Code Execution"; content: "SID: 6775 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106775; sid: 6106775; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft Works Converter Input Validation Remote Code Execution"; content: "SID: 6776 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: 
url,wiki.quadrantsec.com/bin/view/Main/6106776; sid: 6106776; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Windows OLE Automation Remote Code Execution"; content: "SID: 6777 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106777; sid: 6106777; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft Works Converter Index Table Vulnerability"; content: "SID: 6778 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106778; sid: 6106778; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] IE Argument Handling Memory Corruption Vulnerability"; content: "SID: 6780 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106780; sid: 6106780; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] SIP Proxy Response Overflow"; content: "SID: 6781 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106781; sid: 6106781; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] SIP MIME Request Boundary Overflow"; content: "SID: 6782 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106782; sid: 6106782; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Adobe PDF Code Execution"; content: "SID: 6784 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106784; sid: 6106784; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft Visual Basic VBP 
File Processing Buffer Overflow"; content: "SID: 6785 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106785; sid: 6106785; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft PowerPoint Memory Corruption Vulnerability"; content: "SID: 6786 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106786; sid: 6106786; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft Office Cell Parsing Memory Corruption Vulnerability"; content: "SID: 6787 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106787; sid: 6106787; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] SonicWALL SSL VPN Client Remote ActiveX Vulnerability"; content: "SID: 6788 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106788; sid: 6106788; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Winamp Ultravox Stream Title Stack Overflow"; content: "SID: 6789 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106789; sid: 6106789; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Outlook Web Access Privilege Escalation"; content: "SID: 6790 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106790; sid: 6106790; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] SQL Memory Corruption Vulnerability"; content: "SID: 6792 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: 
qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106792; sid: 6106792; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft Windows GDI Image Handling"; content: "SID: 6793 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106793; sid: 6106793; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] CA BrightStor ARCserve Backup Listservcntrl ActiveX Overflow"; content: "SID: 6794 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106794; sid: 6106794; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Panda ActiveScan ActiveX Overflow"; content: "SID: 6795 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106795; sid: 6106795; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] HP StorageWorks Buffer Overflow"; content: "SID: 6798 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106798; sid: 6106798; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] CUCM CTI DoS"; content: "SID: 6799 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106799; sid: 6106799; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Net Flood ICMP Reply"; content: "SID: 6901 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; default_proto: icmp; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106901; sid: 6106901; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] 
Net Flood ICMP Request"; content: "SID: 6902 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; default_proto: icmp; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106902; sid: 6106902; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Net Flood ICMP Any"; content: "SID: 6903 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; default_proto: icmp; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106903; sid: 6106903; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Net Flood UDP"; content: "SID: 6910 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; default_proto: udp; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106910; sid: 6106910; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Net Flood TCP"; content: "SID: 6920 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; default_proto: tcp; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106920; sid: 6106920; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft Word Code Execution"; content: "SID: 6921 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106921; sid: 6106921; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] VBScript JScript Remote Code Execution"; content: "SID: 6922 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106922; sid: 6106922; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Word Memory Corruption Vulnerability"; content: "SID: 6923 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: 
url,wiki.quadrantsec.com/bin/view/Main/6106923; sid: 6106923; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] MS Publisher Remote Code Execution"; content: "SID: 6924 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106924; sid: 6106924; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] IE Property Memory Corruption"; content: "SID: 6925 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106925; sid: 6106925; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Cisco IOS DLSw DoS"; content: "SID: 6926 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106926; sid: 6106926; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft Outlook mailto URI Remote Code Execution"; content: "SID: 6928 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106928; sid: 6106928; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft Excel Memory Corruption"; content: "SID: 6929 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106929; sid: 6106929; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Office Web Components URL Parsing Vulnerability"; content: "SID: 6930 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106930; sid: 6106930; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Virtual-Access Interface Exhaustion DoS"; 
content: "SID: 6931 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106931; sid: 6106931; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] HTML Objects Uninitialized Memory Corruption Vulnerability"; content: "SID: 6932 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106932; sid: 6106932; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] GDI Buffer Overflow"; content: "SID: 6934 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106934; sid: 6106934; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] CVE-2008-1086 ActiveX Killbit Update"; content: "SID: 6935 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106935; sid: 6106935; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] UCM Disaster Recovery Framework Command Execution"; content: "SID: 6936 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106936; sid: 6106936; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] IE File Handling Memory Corruption"; content: "SID: 6937 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106937; sid: 6106937; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft IE Argument Handling Memory Corruption Exploit"; content: "SID: 6938 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: 
url,wiki.quadrantsec.com/bin/view/Main/6106938; sid: 6106938; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft Project Remote Code Execution"; content: "SID: 6939 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106939; sid: 6106939; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] RealPlayer ActiveX Remote Code Execution"; content: "SID: 6940 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106940; sid: 6106940; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Yahoo ActiveX Buffer Overflow"; content: "SID: 6942 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106942; sid: 6106942; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] CUPS CGI Compile Search Overflow"; content: "SID: 6944 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106944; sid: 6106944; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] HP OpenView OVAS.EXE Stack Overflow"; content: "SID: 6945 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106945; sid: 6106945; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Web Client Remote Code Execution Vulnerability"; content: "SID: 6946 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106946; sid: 6106946; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Word Drawing Object Vulnerability"; 
content: "SID: 6951 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106951; sid: 6106951; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Word Cascading Style Sheet (CSS) Vulnerability"; content: "SID: 6952 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106952; sid: 6106952; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] CUCM SIP Stack DoS"; content: "SID: 6954 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106954; sid: 6106954; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Adobe Flash Null Pointer Dereference"; content: "SID: 6959 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106959; sid: 6106959; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] IE Response Cross-Domain Info Disclosure"; content: "SID: 6960 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106960; sid: 6106960; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] IE HTML Objects Memory Corruption"; content: "SID: 6961 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106961; sid: 6106961; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Cisco Unity DOS"; content: "SID: 6962 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106962; sid: 6106962; rev: 4;) #alert any 
$EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] MJPEG Decoder Vulnerability"; content: "SID: 6963 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106963; sid: 6106963; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Asprox Injection Attempt"; content: "SID: 6964 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106964; sid: 6106964; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Malformed Search File Code Execution"; content: "SID: 6966 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106966; sid: 6106966; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft SQL Server Privilege Elevation"; content: "SID: 6967 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106967; sid: 6106967; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft Access Snapshot Viewer ActiveX Remote Code Execution"; content: "SID: 6968 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106968; sid: 6106968; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft Word Smart Tag Corruption Exploit"; content: "SID: 6969 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106969; sid: 6106969; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] DirectShow SAMI Parsing Remote Code Execution"; content: "SID: 6970 ,"; parse_src_ip: 1; parse_dst_ip: 2; 
parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106970; sid: 6106970; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Generic Exploit Component"; content: "SID: 6971 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106971; sid: 6106971; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Rosoft Media Player Overflow"; content: "SID: 6972 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106972; sid: 6106972; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] IOS FTPd MKD Command Buffer Overflow"; content: "SID: 6973 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106973; sid: 6106973; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Motorola Timbuktu Pro Arbitrary File Deletion/Creation"; content: "SID: 6974 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106974; sid: 6106974; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Arbitrary File Upload In CA ARCserve"; content: "SID: 6975 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106975; sid: 6106975; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft Powerpoint 2003 Viewer Buffer Overflow"; content: "SID: 6976 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106976; sid: 6106976; rev: 4;) #alert any $EXTERNAL_NET any 
-> $HOME_NET any (msg: "[CISCO-SDEE] Wonderware Suitlink Denial Of Service"; content: "SID: 6977 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106977; sid: 6106977; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] PowerPoint Parsing Overflow"; content: "SID: 6978 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106978; sid: 6106978; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] BEA WebLogic Server Apache Connector HTTP Version String BO"; content: "SID: 6979 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; default_proto: tcp; default_dst_port: $HTTP_PORT; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106979; sid: 6106979; rev: 5;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft PowerPoint Memory Allocation Exploit"; content: "SID: 6981 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106981; sid: 6106981; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft PICT Filter Parsing Exploit"; content: "SID: 6983 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106983; sid: 6106983; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Windows Image Color Management System RCE"; content: "SID: 6984 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106984; sid: 6106984; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft Office WPG Image File Heap Corruption Exploit"; 
content: "SID: 6985 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106985; sid: 6106985; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft IE HTML Objects Memory Corruption Exploit"; content: "SID: 6986 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106986; sid: 6106986; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] WebEx Meeting Manager ActiveX Overflow"; content: "SID: 6988 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106988; sid: 6106988; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] IOSFW HTTP Inspection Vulnerability"; content: "SID: 6989 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; default_proto: tcp; default_dst_port: $HTTP_PORT; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106989; sid: 6106989; rev: 5;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Visual Studio Msmask32.ocx ActiveX Buffer Overflow"; content: "SID: 6990 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106990; sid: 6106990; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Symantec Veritas Storage Foundation Null Session"; content: "SID: 6991 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106991; sid: 6106991; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Cisco Secure ACS EAP Overflow"; content: "SID: 6994 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: 
suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106994; sid: 6106994; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] GDI EMF Memory Corruption Vulnerability"; content: "SID: 6995 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106995; sid: 6106995; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] GDI+ BMP Integer Overflow"; content: "SID: 6996 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106996; sid: 6106996; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] OneNote Uniform Resource Locator Validation Error Vulnerability"; content: "SID: 6997 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106997; sid: 6106997; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft GDI-Plus WMF Buffer Overrun Exploit"; content: "SID: 6998 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106998; sid: 6106998; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Cisco PIM Multicast Denial of Service Attack"; content: "SID: 6999 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106999; sid: 6106999; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Data Base TNS Connection"; content: "SID: 7000 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6107000; sid: 6107000; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: 
"[CISCO-SDEE] TNS Redirect Request"; content: "SID: 7001 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6107001; sid: 6107001; rev: 4;) sagan-1.2.0/rules/classification.config0000644000175000017500000001335113310533411017056 0ustar champchamp# Sagan classification.config # Copyright (c) 2009-2017, Quadrant Information Security # All rights reserved. # # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list # #************************************************************* # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. 
IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. # #************************************************************* #************************************************************* # Sagan specific classifications! #************************************************************* config classification: correlated-attack,Correlated Attack,1 config classification: unsuccessful-admin,Unsuccessful Admin Privilege Gain,1 config classification: exploit-attempt,Exploit Attempt,1 config classification: program-error,Program Error,2 config classification: suspicious-command,Suspicious Command Execution,1 config classification: network-event,Network event,2 config classification: system-event,System event,2 config classification: configuration-change,Configuration Change,2 config classification: spam,Spam,3 config classification: permissions-violation,Attempted Access To File or Directory,3 config classification: suspicious-traffic,Suspicious Traffic,2 config classification: configuration-error,Configuration Error,2 config classification: hardware-event,Hardware Event,1 #************************************************************* # Snort's classifications #************************************************************* config classification: not-suspicious,Not Suspicious Traffic,3 config classification: unknown,Unknown Traffic,3 config classification: bad-unknown,Potentially Bad Traffic, 2 config classification: attempted-recon,Attempted Information Leak,2 config classification: successful-recon-limited,Information 
Leak,2 config classification: successful-recon-largescale,Large Scale Information Leak,2 config classification: attempted-dos,Attempted Denial of Service,2 config classification: successful-dos,Denial of Service,2 config classification: attempted-user,Attempted User Privilege Gain,1 config classification: unsuccessful-user,Unsuccessful User Privilege Gain,1 config classification: successful-user,Successful User Privilege Gain,1 config classification: attempted-admin,Attempted Administrator Privilege Gain,1 config classification: successful-admin,Successful Administrator Privilege Gain,1 #************************************************************* # NEW Snort's classifications #************************************************************* config classification: rpc-portmap-decode,Decode of an RPC Query,2 config classification: shellcode-detect,Executable code was detected,1 config classification: string-detect,A suspicious string was detected,3 config classification: suspicious-filename-detect,A suspicious filename was detected,2 config classification: suspicious-login,An attempted login using a suspicious username was detected,2 config classification: system-call-detect,A system call was detected,2 config classification: tcp-connection,A TCP connection was detected,4 config classification: trojan-activity,A Network Trojan was detected, 1 config classification: unusual-client-port-connection,A client was using an unusual port,2 config classification: network-scan,Detection of a Network Scan,3 config classification: denial-of-service,Detection of a Denial of Service Attack,2 config classification: non-standard-protocol,Detection of a non-standard protocol or event,2 config classification: protocol-command-decode,Generic Protocol Command Decode,3 config classification: web-application-activity,access to a potentially vulnerable web application,2 config classification: web-application-attack,Web Application Attack,1 config classification: misc-activity,Misc 
activity,3 config classification: misc-attack,Misc Attack,2 config classification: icmp-event,Generic ICMP event,3 config classification: kickass-porn,SCORE! Get the lotion!,1 config classification: policy-violation,Potential Corporate Privacy Violation,1 config classification: default-login-attempt,Attempt to login by a default username and password,2 #************************************************************* # New class types go below here: #************************************************************* config classification: dynamic-rules,Dynamic loaded rules,2 config classification: system-error,System Error,2 sagan-1.2.0/rules/knockd.rules0000644000175000017500000000436413310533411015225 0ustar champchamp# Sagan knockd.rules # Copyright (c) 2009-2017, Quadrant Information Security # All rights reserved. # # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list # #************************************************************* # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. 
IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. # #************************************************************* alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[KNOCKD] Open Sesame"; content: "OPEN SESAME"; classtype: successful-user; program: knockd; parse_src_ip: 1; reference:url,wiki.quadrantsec.com/bin/view/Main/5000383; sid:5000383; rev:3;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[KNOCKD] Sequence timeout"; content: "sequence timeout"; classtype: unsuccessful-user; program: knockd; reference: url,wiki.quadrantsec.com/bin/view/Main/5000384; sid:5000384; rev:2;) sagan-1.2.0/rules/cisco-ios.rules0000644000175000017500000006336513310533411015652 0ustar champchamp# Sagan cisco-ios.rules # Copyright (c) 2009-2017, Quadrant Information Security # All rights reserved. # # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list # #************************************************************* # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. 
# * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. # #************************************************************* alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] SNMP Authentication Failure [0/5]"; content: "SNMP-3-AUTHFAIL"; default_proto: udp; default_dst_port: $SNMP_PORT; classtype: attempted-recon; xbits: set, recon, 86400; parse_src_ip: 1; threshold: type limit, track by_src, count 5, seconds 300; reference: url,wiki.quadrantsec.com/bin/view/Main/5000051; sid: 5000051; rev:8;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] Attempted RSHELL connection"; content: "RCMD-4-RSHPORTATTEMPT"; default_proto: tcp; default_dst_port: 514; classtype: unsuccessful-user; reference: url,wiki.quadrantsec.com/bin/view/Main/5000052; sid: 5000052; rev:4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] Line protocol changed state up/down"; content: "LINK-3-UPDOWN"; classtype: network-event; reference: url,wiki.quadrantsec.com/bin/view/Main/5000053; sid: 5000053; rev:3;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] Line protocol 
changed state up/down"; content: "LINEPROTO-5-UPDOWN"; classtype: network-event; reference: url,wiki.quadrantsec.com/bin/view/Main/5000054; sid: 5000054; rev:3;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] Configuration from console"; content: "SYS-5-CONFIG_I"; parse_src_ip: 1; classtype: configuration-change; reference: url,wiki.quadrantsec.com/bin/view/Main/5000055; sid: 5000055; rev:5;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] IOS configuration changed"; content: "SYS-5-CONFIG"; classtype: configuration-change; reference: url,wiki.quadrantsec.com/bin/view/Main/5000111; sid:5000111; rev:5;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] Successful login"; content: "SEC_LOGIN-5-LOGIN_SUCCESS"; classtype: successful-admin; reference: url,wiki.quadrantsec.com/bin/view/Main/5000112; sid:5000112; rev:3;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] Failed login"; content: "SEC_LOGIN-4-LOGIN_FAILED"; classtype: unsuccessful-admin; normalize; reference: url,wiki.quadrantsec.com/bin/view/Main/5001520; sid:5001520; rev:2;) drop any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] Failed login - Brute Force [10/1]"; content: "SEC_LOGIN-4-LOGIN_FAILED"; classtype: unsuccessful-admin; xbits: set,brute_force,21600; after: track by_src, count 10, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; fwsam: src, 1 day; normalize; reference: url,wiki.quadrantsec.com/bin/view/Main/5000113; sid:5000113; rev:11;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] Fan failure - Fan not rotating [0/2]"; content: "ENVMON-3-FAN_FAILED"; classtype: hardware-event; threshold: type limit, track by_src, count 2, seconds 300; reference: url,wiki.quadrantsec.com/bin/view/Main/5000388; sid:5000388; rev:5;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] Fans had a rotation error reported [0/2]"; content: "%FAN-3-FAN_FAILED"; classtype: hardware-event; 
threshold: type limit, track by_src, count 5, seconds 300; reference: url,wiki.quadrantsec.com/bin/view/Main/5001198; sid:5001198; rev:4;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] Power Controller reports power Imax error detected"; content: "%ILPOWER-3-CONTROLLER_PORT_ERR"; threshold: type limit, track by_src, count 1, seconds 3600; classtype: hardware-event; reference: url,wiki.quadrantsec.com/bin/view/Main/5001190; sid:5001199; rev:3;) # Rules submitted by Sniffty Dugen (July 31, 2012) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] Unsupported Hardware Module"; content: "C6KPWR-SP-4-UNSUPPORTED"; classtype: hardware-event; reference: url,www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a00801b42bf.shtml#prob1ab; sid: 5001476; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] IP Packet recieved to short"; content: "EARL_L3_ASIC-SP-4-INTR_THROTTLE: Throttling"; classtype: network-event; reference: url,www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a00801b42bf.shtml#prob1abb; sid: 5001477; rev:3;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] IP Packet with probable bad checksum Dropped"; content: "EARL_L3_ASIC-SP-3-INTR_WARN"; classtype: network-event; reference: url,www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a00801b42bf.shtml#EARL; sid: 5001478; rev:2;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] NetFlow addressable memory almost full"; content: "EARL_NETFLOW-SP-4-TCAM_THRLD"; classtype: hardware-event; reference: url,www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a00801b42bf.shtml#prob1a; sid: 5001479; rev:2;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] IOS Keepalive Loop Detected"; content: "ETHCNTR-3-LOOP_BACK_DETECTED"; classtype: hardware-event; reference: 
url,www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a00801b42bf.shtml#prob1b; sid: 5001480; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] Possible IOS System Crash"; content: "loadprog: error"; classtype: hardware-event; reference: url,www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a00801b42bf.shtml#prob1bc; sid: 5001481; rev:2;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] Error in Layer 3 Forwarding ASIC [0/2]"; content: "L3_ASIC-DFC3-4-ERR_INTRPT"; threshold: type limit, track by_src, count 2, seconds 300; classtype: hardware-event; reference: url,www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a00801b42bf.shtml#ASIC; sid: 5001482; rev:3;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] MAC/IP length inconsistencies"; content: "MLS_STAT-SP-4-IP_LEN_ERR"; classtype: network-event; reference: url,www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a00801b42bf.shtml#prob1; sid: 5001483; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] Invalid IP Checksum detected"; content: "MLS_STAT-SP-4-IP_CSUM_ERR"; classtype: network-event; reference: url,www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a00801b42bf.shtml#prob2; sid: 5001484; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] Excessive Multicast Traffic to IGMP reserved address"; content: "MCAST-SP-6-ADDRESS_ALIASING_FALLBACK"; classtype: network-event; reference: url,www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a00801b42bf.shtml#prob3; sid: 5001485; rev:2;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] PIM Hold Time Out of range"; content: "MROUTE-3-TWHEEL_DELAY_ERR"; classtype: network-event; reference: url,www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a00801b42bf.shtml#prob5; sid: 5001486; rev:2;) #alert any $EXTERNAL_NET any -> 
$HOME_NET any (msg: "[CISCO-IOS] Maximum Number of L2 Multicast Group Entries Created"; content: "MCAST-SP-6-GC_LIMIT_EXCEEDED"; classtype: system-event; reference: url,www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a00801b42bf.shtml#prob6; sid: 5001487; rev:2;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] Internal Table Manager Parity Error"; content: "MISTRAL-SP-3-ERROR"; classtype: hardware-event; reference: url,www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a00801b42bf.shtml#prob7; sid: 5001488; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] Short IP Packets Detected"; content: "MLS_STAT-4-IP_TOO_SHRT"; classtype: network-event; reference: url,www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a00801b42bf.shtml#prob8; sid: 5001489; rev:2;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] Creating Session to module/slot failed"; content: "Processor"; content: "cannot service session requests"; classtype: hardware-event; reference: url,www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a00801b42bf.shtml#Processor; sid: 5001490; rev:2;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] Module Firmware error detected"; content: "PM_SCP-1-LCP_FW_ERR"; classtype: hardware-event; reference: url,www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a00801b42bf.shtml#prob9; sid: 5001491; rev:2;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] Module Error Condition"; content: "PM_SCP-2-LCP_FW_ERR_INFORM"; classtype: hardware-event; reference: url,www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a00801b42bf.shtml#prob-error; sid: 5001492; rev:2;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] Switch Port Error Detected [0/3]"; content: "PM_SCP-SP-2-LCP_FW_ERR_INFORM"; threshold: type limit, track by_src, count 3, seconds 300; classtype: 
hardware-event; reference: url,www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a00801b42bf.shtml#mod-issue; sid: 5001493; rev:3;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] Unsupported SFP GBIC Detected"; content: "PM_SCP-SP-3-TRANSCEIVER_BAD_EEPROM"; classtype: hardware-event; reference: url,www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a00801b42bf.shtml#badkey; sid: 5001494; rev:2;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] TCAM Resource Exhaustion Detected"; content: "QM-4-TCAM_ENTRY"; classtype: hardware-event; reference: url,www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a00801b42bf.shtml#TCAM; sid: 5001495; rev:2;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] Supervisor Engine Parity Errors [0/3]"; content: "SYSTEM_CONTROLLER-SP-3-ERROR"; threshold: type limit, track by_src, count 3, seconds 300; classtype: hardware-event; reference: url,www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a00801b42bf.shtml#tmparity; sid: 5001496; rev:3;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] Memory Parity Error [0/3]"; content: "SYSTEM_CONTROLLER-SW2_SPSTBY-3-ERROR"; threshold: type limit, track by_src, count 3, seconds 300; classtype: hardware-event; reference: url,www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a00801b42bf.shtml#prob-controller; sid: 5001497; rev:3;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] Linecard Endpoint Lost Sync"; content: "SP: Linecard endpoint of Channel 14 lost Sync"; classtype: hardware-event; reference: url,www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a00801b42bf.shtml#sp141; sid: 5001498; rev:2;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] Misconfigured Boot Variables"; content: "SYSTEM-1-INITFAIL: Network boot is not supported"; classtype: hardware-event; reference: 
url,www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a00801b42bf.shtml#nwboot; sid: 5001499; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] CPU Monitor Message Time Outs [0/3]"; content: "CPU_MONITOR-3-TIMED_OUT"; threshold: type limit, track by_src, count 3, seconds 300; classtype: hardware-event; reference: url,www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a00801b42bf.shtml#monitor; sid: 5001500; rev:3;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] CPU Monitor Message Not Heard [0/3]"; content: "CPU_MONITOR-6-NOT_HEARD"; threshold: type limit, track by_src, count 3, seconds 300; classtype: hardware-event; reference: url,www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a00801b42bf.shtml#monitor; sid: 5001501; rev:3;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] Invalid IDPROM Image"; content: "Invalid IDPROM image for"; classtype: hardware-event; reference: url,www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a00801b42bf.shtml#idprom; sid: 5001502; rev:2;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] Switch Module Powered Off"; content: "C6KPWR-4-DISABLED"; classtype: hardware-event; reference: url,www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a00801b42bf.shtml#pwrdis; sid: 5001503; rev:2;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] ASIC Failed to Synchronize"; content: "ONLINE-SP-6-INITFAIL"; classtype: hardware-event; reference: url,www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a00801b42bf.shtml#onlinefail; sid: 5001504; rev:2;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] Flow Mask Request Failed"; content: "FM_EARL7-4-FLOW_FEAT_FLOWMASK_REQ_FAIL"; classtype: hardware-event; reference: url,www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a00801b42bf.shtml#flowmask; sid: 5001505; 
rev:2;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] IGMP join packet Flood"; content: "MCAST-2-IGMP_SNOOP_DISABLE"; classtype: network-event; reference: url,www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a00801b42bf.shtml#igmpsnoop; sid: 5001506; rev:2;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] ASIC/Pinnacle Unrecoverable resources"; content: "C6KERRDETECT-2-FIFOCRITLEVEL"; classtype: hardware-event; reference: url,www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a00801b42bf.shtml#dr; sid: 5001507; rev:2;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] Switching Bus Stalled"; content: "C6KERRDETECT-SP-4-SWBUSSTALL"; classtype: hardware-event; reference: url,www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a00801b42bf.shtml#prob-3sec; sid: 5001508; rev:2;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] Switching Bus Recovered"; content: "C6KERRDETECT-SP-4-SWBUSSTALL_RECOVERED"; classtype: hardware-event; reference: url,www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a00801b42bf.shtml#prob-3sec; sid: 5001509; rev:2;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] SP-RP ping test failed, High Traffic"; content: "SP-RP Ping Test[7]"; classtype: system-event; reference: url,www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a00801b42bf.shtml#srp; sid: 5001510; rev:2;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] Sub-interface Limit Reached"; content: "SW_VLAN-4-MAX_SUB_INT"; classtype: hardware-event; reference: url,www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a00801b42bf.shtml#subint; sid: 5001511; rev:2;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] Hash Bucket Collision"; content: "MCAST-6-L2_HASH_BUCKET_COLLISION"; classtype: hardware-event; reference: 
url,www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a00801b42bf.shtml#l2hash; sid: 5001512; rev:2;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] QoS Hardware Resources Exceeded"; content: "QM-4-AGG_POL_EXCEEDED"; classtype: hardware-event; reference: url,www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a00801b42bf.shtml#qm_agg; sid: 5001513; rev:2;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] Port Channel MTU Mismatch"; content: "EC-SP-5-CANNOT_BUNDLE2"; content: "MTU"; classtype: hardware-event; reference: url,www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a00801b42bf.shtml#prob-bundle; sid: 5001514; rev:2;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] Port Channel Flow Control Mismatch"; content: "EC-SP-5-CANNOT_BUNDLE2"; content: "flow control"; classtype: hardware-event; reference: url,www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a00801b42bf.shtml#port; sid: 5001515; rev:2;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] Route entries about to reach FIB capacity"; content: "CFIB-7-CFIB_EXCEPTION"; classtype: hardware-event; reference: url,www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a00801b42bf.shtml#tcamexception; sid: 5001516; rev:2;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] Switch Port Data Path Error"; content: "CONST_DIAG-SP-3-HM_PORT_ERR"; classtype: hardware-event; reference: url,www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a00801b42bf.shtml#disablingport; sid: 5001517; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] Bad CRC on ASIC Line Card"; content: "CONST_DIAG-SP-4-ERROR_COUNTER_WARNING"; classtype: hardware-event; reference: url,www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a00801b42bf.shtml#module; sid: 5001518; rev:3;) alert any $EXTERNAL_NET any -> $HOME_NET 
any (msg: "[CISCO-IOS] Switch Detected Unknown Protocol"; content: "SYS-3-PORT_RX_BADCODE"; classtype: network-event; reference: url,www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a00801b42bf.shtml#badcode; sid: 5001519; rev:2;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] Login Failed"; content: "SEC_LOGIN-4-LOGIN_FAILED"; classtype: unsuccessful-user; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001625; sid: 5001625; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] Login Failed - Brute Force [10/1]"; content: "SEC_LOGIN-4-LOGIN_FAILED"; xbits: set,brute_force,21600; after: track by_src, count 10, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; fwsam: src, 1 day; classtype: unsuccessful-user; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001686; sid: 5001686; rev:8;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] High CPU usage detected"; content: "HIGH CPU DETECTED"; threshold: type limit, track by_src, count 1, seconds 3600; classtype: system-event; reference: url,wiki.quadrantsec.com/bin/view/Main/5001626; sid: 5001626; rev:3;) # %AUTHPRIV-3-SYSTEM_MSG: pam_aaa:Authentication failed for user cisco from 10.10.10.10 - sshd[27924] #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] Authentication Failure SSH"; content: "%AUTHPRIV-3-SYSTEM_MSG|3a|"; content: "sshd["; default_proto: tcp; default_dst_port: $SSH_PORT; classtype: unsuccessful-admin; reference: url,wiki.quadrantsec.com/bin/view/Main/5001668; sid: 5001668; rev:4;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] Authentication Failure SSH - Brute force [5/5]"; content: "%AUTHPRIV-3-SYSTEM_MSG|3a|"; content: "sshd["; xbits: set,brute_force,21600; default_proto: tcp; default_dst_port: $SSH_PORT; classtype: unsuccessful-admin; after: track by_src, count 5, seconds 300; threshold: type limit, track by_src, count 5, seconds 300; 
fwsam: src, 1 day; reference: url,wiki.quadrantsec.com/bin/view/Main/5001670; sid: 5001670; rev:7;) # %DAEMON-3-SYSTEM_MSG: error: PAM: Authentication failure for illegal user cisco from 10.10.10.10 - sshd[27926] alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] Illegal User SSH"; content: "%DAEMON-3-SYSTEM_MSG|3a|"; content: "sshd["; parse_src_ip: 1; default_proto: tcp; default_dst_port: $SSH_PORT; classtype: unsuccessful-admin; reference: url,wiki.quadrantsec.com/bin/view/Main/5001669; sid: 5001669; rev:6;) # %USER-3-SYSTEM_MSG: FATAL: bad tty - login (no program) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] FATAL - bad tty - login (no program)"; content: "%USER-3-SYSTEM_MSG|3a|"; content: "FATAL: bad tty"; content: "no program"; classtype: system-event; reference: url,wiki.quadrantsec.com/bin/view/Main/5001671; sid: 5001671; rev:5;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] Auth to privilege 15 failed"; content: "%SYS-5-PRIV_AUTH_FAIL"; parse_src_ip: 1; classtype: unsuccessful-admin; reference: url,wiki.quadrantsec.com/bin/view/Main/5001672; sid: 5001672; rev:3;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] Multicast storm detected"; content: "%STORM_CONTROL-3-FILTERED"; classtype: network-event; reference: url,wiki.quadrantsec.com/bin/view/Main/5001673; sid: 5001673; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] Invalid ARP"; content: "%SW_DAI-4-INVALID_ARP"; classtype: network-event; reference: url,wiki.quadrantsec.com/bin/view/Main/5001674; sid: 5001674; rev:2;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] Low FAN RPM - Service recommended"; content: "%ENVMON-4-FAN_LOW_RPM"; classtype: hardware-event; threshold: type limit, track by_src, count 1, seconds 3600; reference: url,wiki.quadrantsec.com/bin/view/Main/5001688; sid: 5001688; rev:4;) # Submitted by Robert Nunley (rnunley@quadrantsec.com) - 08/14/2013 alert any $EXTERNAL_NET any -> 
$HOME_NET any (msg: "[CISCO-IOS] EIGRP Adjacency Change - Neighbor Up"; content: "%DUAL-5-NBRCHANGE"; content: "EIGRP"; content: "is up"; classtype: system-event; parse_src_ip: 1; threshold: type limit, track by_src, count 5, seconds 300; reference: url,wiki.quadrantsec.com/bin/view/Main/5001707; sid: 5001707; rev:5;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] EIGRP Adjacency Change - Neighbor Down"; content: "%DUAL-5-NBRCHANGE"; content: "EIGRP"; content: "is down"; classtype: system-event; parse_src_ip: 1; threshold: type limit, track by_src, count 5, seconds 300; reference: url,wiki.quadrantsec.com/bin/view/Main/5001708; sid: 5001708; rev:6;) # Submitted by Robert Nunley (rnunley@quadrantsec.com) - 11/18/2013 alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] BGP Adjacency Change - Neighbor Up"; content: "%BGP-5-ADJCHANGE"; content: "neighbor"; content: "Up"; classtype: system-event; threshold: type limit, track by_src, count 5, seconds 300; reference: url,wiki.quadrantsec.com/bin/view/Main/5001718; sid: 5001718; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] BGP Adjacency Change - Neighbor Down"; content: "%BGP-5-ADJCHANGE"; content: "neighbor"; content: "Down"; classtype: system-event; threshold: type limit, track by_src, count 5, seconds 300; reference: url,wiki.quadrantsec.com/bin/view/Main/5001719; sid: 5001719; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] BGP Neighbor Removed From Topology"; content: "%BGP_SESSION-5-ADJCHANGE"; content: "neighbor"; content: "topology"; classtype: system-event; threshold: type limit, track by_src, count 5, seconds 300; reference: url,wiki.quadrantsec.com/bin/view/Main/5001720; sid: 5001720; rev:2;) # Submitted by Adam Hall (ahall@quadrantsec.com) - 11/18/2013 alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] HSRP Requesting Active State"; content: "Grp"; content: "Coup"; classtype: system-event; threshold: type limit, track 
by_src, count 5, seconds 300; reference: url,wiki.quadrantsec.com/bin/view/Main/5001721; sid: 5001721; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] HSRP State Change"; content: "%STANDBY-6-STATECHANGE"; content: "state"; classtype: system-event; threshold: type limit, track by_src, count 5, seconds 300; reference: url,wiki.quadrantsec.com/bin/view/Main/5001722; sid: 5001722; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] HSRP State Change"; content: "%HSRP-5-STATECHANGE"; content: "state"; classtype: system-event; threshold: type limit, track by_src, count 5, seconds 300; reference: url,wiki.quadrantsec.com/bin/view/Main/5001723; sid: 5001723; rev:2;) # %PARSER-5-CFGLOG_LOGGEDCMD: User:bob logged command:!exec: enable #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] Command logged"; content: "%PARSER-5-CFGLOG_LOGGEDCMD"; classtype: misc-activity; reference: url,wiki.quadrantsec.com/bin/view/Main/5001871; sid: 5001871; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] Enable command executed"; content: "%PARSER-5-CFGLOG_LOGGEDCMD"; content: "exec"; nocase; content: "enable"; nocase; classtype: successful-admin; reference: url,wiki.quadrantsec.com/bin/view/Main/5001872; sid: 5001872; rev:2;) # Jan 22 16:03:51: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: bob] [Source: 10.10.0.1] [localport: 22] at 16:03:51 UTC Wed Jan 22 2014 alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] Login Success"; content: "%PARSER-5-CFGLOG_LOGGEDCMD"; default_proto: tcp; classtype: successful-admin; parse_src_ip: 1; parse_port; reference: url,wiki.quadrantsec.com/bin/view/Main/5001952; sid: 5001952; rev:2;) sagan-1.2.0/rules/fortinet-geoip.rules0000644000175000017500000000631113310533411016701 0ustar champchamp# Sagan fortinet-geoip.rules # Copyright (c) 2009-2017, Quadrant Information Security # All rights reserved. 
# # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list # #************************************************************* # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
# #************************************************************* alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET-GEOIP] Login accepted from outside HOME_COUNTRY"; content: "32006 type="; content: "login"; pcre: "/accepted|successfully/"; parse_src_ip: 1; country_code: track by_src, isnot $HOME_COUNTRY; classtype: successful-admin; reference: url,wiki.quadrantsec.com/bin/view/Main/5001947; sid: 5001947; rev:4;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET-GEOIP] Administrator Login from outside HOME_COUNTRY"; content: "32001 type="; content: "logged in"; parse_src_ip: 1; classtype: successful-admin; country_code: track by_src, isnot $HOME_COUNTRY; reference: url,wiki.quadrantsec.com/bin/view/Main/5001948; sid: 5001948; rev:4;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET-GEOIP] Admin authentication success outside HOME_COUNTRY"; content: "38001 type="; content: "succeeded in authentication"; parse_src_ip: 1; country_code: track by_src, isnot $HOME_COUNTRY; classtype: successful-admin; reference: url,wiki.quadrantsec.com/bin/view/Main/5001949; sid: 5001949; rev:4;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET-GEOIP] SSH traffic detected from outside HOME_COUNTRY"; content: " service=SSH "; content:!"duration=0 sentbyte=0 rcvdbyte=0"; classtype: suspicious-traffic; parse_src_ip: 1; parse_dst_ip: 2; country_code: track by_src, isnot $HOME_COUNTRY; reference: url,wiki.quadrantsec.com/bin/view/Main/5001971; sid: 5001971; rev:5;) sagan-1.2.0/rules/citrix-geoip.rules0000644000175000017500000000650113310533411016352 0ustar champchamp# Sagan citrix-geoip.rules # Copyright (c) 2009-2017, Quadrant Information Security # All rights reserved. 
# # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list # #************************************************************* # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
# #************************************************************* # Citrix appliances/devices/software # Login from outside home country (Champ Clark / 04/01/2015) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX-GEOIP] Login from outside HOME_COUNTRY"; content: "SSLVPN LOGIN"; content:!"User anonymous"; default_proto: tcp; default_dst_port: $HTTPS_PORT; classtype: successful-user; parse_src_ip: 1; parse_dst_ip: 2; country_code: track by_src, isnot $HOME_COUNTRY; fwsam: src, 1 day; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5002260; sid:5002260; rev:4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX-GEOIP] AAA LOGIN_FAILED from outside HOME_COUNTRY"; content: "AAA LOGIN_FAILED"; default_proto: tcp; default_dst_port: $HTTPS_PORT; classtype: unsuccessful-user; parse_src_ip: 1; normalize; country_code: track by_src, isnot $HOME_COUNTRY; fwsam: src, 1 day; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5002280; sid:5002280; rev:3;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX-GEOIP] SSLVPN HTTPREQUEST from outside HOME_COUNTRY [0/5]"; content: "SSLVPN HTTPREQUEST"; content:!"Context anonymous"; default_proto: tcp; default_dst_port: $HTTPS_PORT; classtype: successful-user; parse_src_ip: 1; normalize; country_code: track by_src, isnot $HOME_COUNTRY; fwsam: src, 1 day; threshold: type limit, track by_src, count 5, seconds 300; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5002284; sid:5002284; rev:5;) sagan-1.2.0/rules/fortinet-bluedot.rules0000644000175000017500000000647413310533411017246 0ustar champchamp# Sagan fortinet-bluedot.rules # Copyright (c) 2009-2017, Quadrant Information Security # All rights reserved. 
# # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list # #************************************************************* # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
# #************************************************************* alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET-BLUEDOT] Login accepted from suspicious source"; content: "32006 type="; content: "login"; pcre: "/accepted|successfully/"; parse_src_ip: 1; bluedot: type ip_reputation, track by_src, none, Malicious,Tor,Honeypot,Proxy; classtype: successful-admin; reference: url,wiki.quadrantsec.com/bin/view/Main/5002881; sid:5002881; rev:4;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET-BLUEDOT] Administrator Login from suspicious source"; content: "32001 type="; content: "logged in"; parse_src_ip: 1; classtype: successful-admin; bluedot: type ip_reputation, track by_src, none, Malicious,Tor,Honeypot,Proxy; reference: url,wiki.quadrantsec.com/bin/view/Main/5002882; sid:5002882; rev:4;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET-BLUEDOT] Admin authentication success suspicious source"; content: "38001 type="; content: "succeeded in authentication"; parse_src_ip: 1; bluedot: type ip_reputation, track by_src, none, Malicious,Tor,Honeypot,Proxy; classtype: successful-admin; reference: url,wiki.quadrantsec.com/bin/view/Main/5002883; sid:5002883; rev:4;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET-BLUEDOT] SSH traffic detected from suspicious source"; content: " service=SSH "; content:!"duration=0 sentbyte=0 rcvdbyte=0"; classtype: suspicious-traffic; parse_src_ip: 1; parse_dst_ip: 2; bluedot: type ip_reputation, track by_src, none, Malicious,Tor,Honeypot,Proxy; reference: url,wiki.quadrantsec.com/bin/view/Main/5002884; sid:5002884; rev:4;) sagan-1.2.0/rules/f5-big-ip-geoip.rules0000644000175000017500000001130213310533411016522 0ustar champchamp# Sagan F5-BIG-IP-GEOIP.rules # Copyright (c) 2009-2017, Quadrant Information Security # All rights reserved. 
# # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list # #************************************************************* # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
# #************************************************************* # F5 Big-IP GEOIP rules submitted by Corey Fisher alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[F5-BIG-IP-GEOIP] Command-line Login from outside HOME_COUNTRY"; content: "start="; content: !"end="; content: "sshd"; default_proto: tcp; default_dst_port: $SSH_PORT; classtype: successful-user; parse_src_ip: 1; country_code: track by_src, isnot $HOME_COUNTRY; reference: url,support.f5.com/kb/en-us/solutions/public/13000/400/sol13426.html; reference: url,wiki.quadrantsec.com/bin/view/Main/5002776; sid:5002776; rev:3;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[F5-BIG-IP-GEOIP] Command-line Logout from outside HOME_COUNTRY"; content: "start="; content: "end="; content: "sshd"; default_proto: tcp; default_dst_port: $SSH_PORT; classtype: successful-user; parse_src_ip: 1; country_code: track by_src, isnot $HOME_COUNTRY; reference: url,support.f5.com/kb/en-us/solutions/public/13000/400/sol13426.html; reference: url,wiki.quadrantsec.com/bin/view/Main/5002777; sid:5002777; rev:3;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[F5-BIG-IP-GEOIP] Unsuccessful Command-line Login from outside HOME_COUNTRY"; content: "failed to login after"; content: "sshd"; default_proto: tcp; default_dst_port: $SSH_PORT; classtype: unsuccessful-user; parse_src_ip: 1; country_code: track by_src, isnot $HOME_COUNTRY; reference: url,support.f5.com/kb/en-us/solutions/public/13000/400/sol13426.html; reference: url,wiki.quadrantsec.com/bin/view/Main/5002778; sid:5002778; rev:3;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[F5-BIG-IP-GEOIP] Unsuccessful Command-line Login from outside HOME_COUNTRY"; content: "Authentication failure for root"; content: "sshd"; default_proto: tcp; default_dst_port: $SSH_PORT; classtype: unsuccessful-user; parse_src_ip: 1; country_code: track by_src, isnot $HOME_COUNTRY; reference: url,support.f5.com/kb/en-us/solutions/public/13000/400/sol13426.html; reference: 
url,wiki.quadrantsec.com/bin/view/Main/5002779; sid:5002779; rev:3;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[F5-BIG-IP-GEOIP] Successful Configuration Utility Login from outside HOME_COUNTRY"; content: "mod_auth_pam"; content: "httpd"; default_proto: tcp; default_dst_port: $HTTPS_PORT; classtype: successful-user; parse_src_ip: 1; country_code: track by_src, isnot $HOME_COUNTRY; reference: url,support.f5.com/kb/en-us/solutions/public/13000/400/sol13426.html; reference: url,wiki.quadrantsec.com/bin/view/Main/5002780; sid:5002780; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[F5-BIG-IP-GEOIP] Unsuccessful Configuration Utility Login from outside HOME_COUNTRY"; content: "failed to login after"; content: "httpd"; default_proto: tcp; default_dst_port: $HTTPS_PORT; classtype: unsuccessful-user; parse_src_ip: 1; country_code: track by_src, isnot $HOME_COUNTRY; reference: url,support.f5.com/kb/en-us/solutions/public/13000/400/sol13426.html; reference: url,wiki.quadrantsec.com/bin/view/Main/5002781; sid:5002781; rev:3;) sagan-1.2.0/rules/windows-emet.rules0000644000175000017500000000656713310533411016405 0ustar champchamp# Sagan windows-applocker.rules # Copyright (c) 2009-2017, Quadrant Information Security # All rights reserved. # # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list # #************************************************************* # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. 
# * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. # #************************************************************* # Windows EMET rules # # See http://support.microsoft.com/kb/2458544 for more information on EMET # # Eventlog to syslog service. This is what we primarily use. 
# http://code.google.com/p/eventlog-to-syslog/ # # Champ Clark (08/20/2014) # 10.5.1.1|daemon|err|err|1b|2014-08-19|23:03:56|EMET| 2: EMET detected Caller mitigation and will close the application: chrome.exe Caller check failed: Application : C:\Program Files\Google\Chrome\Application\chrome.exe User Name : Champ-BOX\champ Session ID : 1 PID : 0xBFC (3068) TID : 0xBE8 (3048) API Name : kernel32.LoadLibraryW ReturnAddress : 0x5BE777AC CalledAddress : 0x769FEFF2 StackPtr : 0x0031E51C alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-EMET] Detected Caller mitigation/will close application"; content: " 2|3a| "; classtype: suspicious-command; program: EMET; reference: url,wiki.quadrantsec.com/bin/view/Main/5002101; sid:5002101; rev:2;) # 10.5.1.1|daemon|notice|notice|1d|2014-08-20|12:03:23|Security-Auditing| 4689: A process has exited. Subject: Security ID: S-1-5-21-148272361-2449339356-1462517947-1000 Account Name: champ Account Domain: Champ-BOX Logon ID: 0x1a285 Process Information: Process ID: 0x120 Process Name: C:\Program Files\EMET 4.1\EMET_Agent.exe Exit Status: 0x40010004 alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[WINDOWS-EMET] EMET process stopped, but not due to reboot"; pcre: "/ 4689: | 593: /" ; content: "EMET_Agent.exe"; nocase; xbits: isnotset, by_src,reboot.windows; program: *Security*; classtype: trojan-activity; reference: url,wiki.quadrantsec.com/bin/view/Main/5002102; sid:5002102; rev:4;) sagan-1.2.0/rules/openssh.rules0000644000175000017500000004332313310533411015431 0ustar champchamp# Sagan openssh.rules # Copyright (c) 2009-2017, Quadrant Information Security # All rights reserved. 
# # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list # #************************************************************* # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. # #************************************************************* # # Not getting the source IP addresses that you'd expect? Then you probably # have OpenSSH's "UseDNS" set to "Yes" in your sshd_config file. You'll # need to set that to "No" so Sagan can "find" the source IP addresses and # port information. 
# Failed password for root from 109.70.148.243 port 17298 ssh2 # error: PAM: Authentication failure for champ from 192.168.1.1 drop any $EXTERNAL_NET any -> $HOME_NET any (msg:"[OPENSSH] PAM Authentication failure - Brute force [10/1]"; content: "Authentication failure"; xbits: set,brute_force,21600; default_proto: tcp; default_dst_port: $SSH_PORT; classtype: unsuccessful-user; reference: url,wiki.quadrantsec.com/bin/view/Main/5000015; normalize; parse_src_ip: 1; program: sshd; after: track by_src, count 10, seconds 300; threshold: type limit, track by_src, count 1, seconds 300; fwsam: src, 1 day; sid: 5000015; rev:13;) #drop any $EXTERNAL_NET any -> $HOME_NET any (msg:"[OPENSSH] PAM Authentication failure - Brute force [10/5]"; content: "Authentication failure"; xbits: set,brute_force,21600; default_proto: tcp; default_dst_port: $SSH_PORT; classtype: unsuccessful-user; normalize; program: sshd; after: track by_src, count 10, seconds 300; threshold: type limit, track by_src, count 1, seconds 300; fwsam: src, 1 day; reference: url,wiki.quadrantsec.com/bin/view/Main/5001634; sid: 5001634; rev:8;) #drop any $EXTERNAL_NET any -> $HOME_NET any (msg:"[OPENSSH] PAM Authentication failure - Brute force [20/5]"; content: "Authentication failure"; xbits: set,brute_force,21600; default_proto: tcp; default_dst_port: $SSH_PORT; classtype: unsuccessful-user; normalize; program: sshd; after: track by_src, count 20, seconds 300; threshold: type limit, track by_src, count 1, seconds 300; fwsam: src, 1 day; reference: url,wiki.quadrantsec.com/bin/view/Main/5001635; sid: 5001635; rev:8;) #drop any $EXTERNAL_NET any -> $HOME_NET any (msg:"[OPENSSH] PAM Authentication failure - Brute force [30/5]"; content: "Authentication failure"; xbits: set,brute_force,21600; default_proto: tcp; default_dst_port: $SSH_PORT; classtype: unsuccessful-user; normalize; program: sshd; after: track by_src, count 30, seconds 300; threshold: type limit, track by_src, count 1, seconds 300; fwsam: src, 1 day; 
reference: url,wiki.quadrantsec.com/bin/view/Main/5001636; sid: 5001636; rev:8;) #drop any $EXTERNAL_NET any -> $HOME_NET any (msg:"[OPENSSH] PAM Authentication failure - Brute force [40/5]"; content: "Authentication failure"; xbits: set,brute_force,21600; default_proto: tcp; default_dst_port: $SSH_PORT; classtype: unsuccessful-user; normalize; program: sshd; after: track by_src, count 40, seconds 300; threshold: type limit, track by_src, count 1, seconds 300; fwsam: src, 1 day; reference: url,wiki.quadrantsec.com/bin/view/Main/5001637; sid: 5001637; rev:8;) #drop any $EXTERNAL_NET any -> $HOME_NET any (msg:"[OPENSSH] PAM Authentication failure - Brute force [50/5]"; content: "Authentication failure"; xbits: set,brute_force,21600; default_proto: tcp; default_dst_port: $SSH_PORT; classtype: unsuccessful-user; normalize; program: sshd; after: track by_src, count 50, seconds 300; threshold: type limit, track by_src, count 1, seconds 300; fwsam: src, 1 day; reference: url,wiki.quadrantsec.com/bin/view/Main/5001638; sid: 5001638; rev:8;) #drop any $EXTERNAL_NET any -> $HOME_NET any (msg:"[OPENSSH] PAM Authentication failure - Brute force [100/5]"; content: "Authentication failure"; xbits: set,brute_force,21600; default_proto: tcp; default_dst_port: $SSH_PORT; classtype: unsuccessful-user; normalize; program: sshd; after: track by_src, count 100, seconds 300; threshold: type limit, track by_src, count 1, seconds 300; fwsam: src, 1 day; reference: url,wiki.quadrantsec.com/bin/view/Main/5001639; sid: 5001639; rev:8;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[OPENSSH] PAM Authentication failure"; content: "Authentication failure"; default_proto: tcp; default_dst_port: $SSH_PORT; classtype: unsuccessful-user; reference: url,wiki.quadrantsec.com/bin/view/Main/5001523; normalize; program: sshd; sid: 5001523; rev:3;) drop any $EXTERNAL_NET any -> $HOME_NET any (msg:"[OPENSSH] Authentication failure - Brute force [10/1]"; content: "authentication failure"; xbits: set, 
brute_force,21600; default_proto: tcp; default_dst_port: $SSH_PORT; classtype: unsuccessful-user;program: sshd; after: track by_src, count 10, seconds 300; threshold: type limit, track by_src, count 1, seconds 300; fwsam: src, 1 day; normalize; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5000016; sid: 5000016; rev:14;) #drop any $EXTERNAL_NET any -> $HOME_NET any (msg:"[OPENSSH] Authentication failure - Brute force [10/5]"; content: "authentication failure"; xbits: set,brute_force,21600; default_proto: tcp; default_dst_port: $SSH_PORT; classtype: unsuccessful-user;program: sshd; after: track by_src, count 10, seconds 300; threshold: type limit, track by_src, count 1, seconds 300; fwsam: src, 1 day; normalize; reference: url,wiki.quadrantsec.com/bin/view/Main/5001628; sid: 5001628; rev:8;) #drop any $EXTERNAL_NET any -> $HOME_NET any (msg:"[OPENSSH] Authentication failure - Brute force [20/5]"; content: "authentication failure"; xbits: set,brute_force,21600; default_proto: tcp; default_dst_port: $SSH_PORT; classtype: unsuccessful-user;program: sshd; after: track by_src, count 20, seconds 300; threshold: type limit, track by_src, count 1, seconds 300; fwsam: src, 1 day; normalize; reference: url,wiki.quadrantsec.com/bin/view/Main/5001629; sid: 5001629; rev:8;) #drop any $EXTERNAL_NET any -> $HOME_NET any (msg:"[OPENSSH] Authentication failure - Brute force [30/5]"; content: "authentication failure"; xbits: set,brute_force,21600; default_proto: tcp; default_dst_port: $SSH_PORT; classtype: unsuccessful-user;program: sshd; after: track by_src, count 30, seconds 300; threshold: type limit, track by_src, count 1, seconds 300; fwsam: src, 1 day; normalize; reference: url,wiki.quadrantsec.com/bin/view/Main/5001630; sid: 5001630; rev:8;) #drop any $EXTERNAL_NET any -> $HOME_NET any (msg:"[OPENSSH] Authentication failure - Brute force [40/5]"; content: "authentication failure"; default_proto: tcp; default_dst_port: $SSH_PORT; classtype: 
unsuccessful-user;program: sshd; after: track by_src, count 40, seconds 300; threshold: type limit, track by_src, count 5, seconds 300; fwsam: src, 1 day; normalize; reference: url,wiki.quadrantsec.com/bin/view/Main/5001631; sid: 5001631; rev:4;) #drop any $EXTERNAL_NET any -> $HOME_NET any (msg:"[OPENSSH] Authentication failure - Brute force [50/5]"; content: "authentication failure"; xbits: set,brute_force,21600; default_proto: tcp; default_dst_port: $SSH_PORT; classtype: unsuccessful-user;program: sshd; after: track by_src, count 50, seconds 300; threshold: type limit, track by_src, count 1, seconds 300; fwsam: src, 1 day; normalize; reference: url,wiki.quadrantsec.com/bin/view/Main/5001632; sid: 5001632; rev:8;) #drop any $EXTERNAL_NET any -> $HOME_NET any (msg:"[OPENSSH] Authentication failure - Brute force [100/5]"; content: "authentication failure"; xbits: set,brute_force,21600; default_proto: tcp; default_dst_port: $SSH_PORT; classtype: unsuccessful-user;program: sshd; after: track by_src, count 100, seconds 300; threshold: type limit, track by_src, count 1, seconds 300; fwsam: src, 1 day; normalize; reference: url,wiki.quadrantsec.com/bin/view/Main/5001633; sid: 5001633; rev:8;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[OPENSSH] Authentication failure"; content: "authentication failure"; default_proto: tcp; default_dst_port: $SSH_PORT; classtype: unsuccessful-user;program: sshd; normalize; reference: url,wiki.quadrantsec.com/bin/view/Main/5001524; sid: 5001524; rev:4;) drop any $EXTERNAL_NET any -> $HOME_NET any (msg:"[OPENSSH] Authentication failure for root - Brute force [5/5]"; content: "Authentication failure for root"; xbits: set,brute_force,21600; default_proto: tcp; default_dst_port: $SSH_PORT; classtype: unsuccessful-admin;program: sshd; after: track by_src, count 5, seconds 300; threshold: type limit, track by_src, count 1, seconds 300; fwsam: src, 1 day; normalize; reference: url,wiki.quadrantsec.com/bin/view/Main/5000017; sid: 
5000017; rev:13;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[OPENSSH] Authentication failure for root"; content: "Authentication failure for root"; xbits: set,brute_force,21600; default_proto: tcp; default_dst_port: $SSH_PORT; classtype: unsuccessful-admin;program: sshd; normalize; reference: url,wiki.quadrantsec.com/bin/view/Main/5001525; sid: 5001525; rev:8;) drop any $EXTERNAL_NET any -> $HOME_NET any (msg:"[OPENSSH] Possible break-in attempt"; content: "POSSIBLE BREAK-IN ATTEMPT"; default_proto: tcp; default_dst_port: $SSH_PORT; classtype: unsuccessful-user; program: sshd; parse_src_ip: 1; threshold: type limit, track by_src, count 1, seconds 300; fwsam: src, 1 day; reference: url,wiki.quadrantsec.com/bin/view/Main/5000018; sid: 5000018; rev:8;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[OPENSSH] Not executable shell - login attempt"; content: "is not executable"; default_proto: tcp; default_dst_port: $SSH_PORT; classtype: unsuccessful-user; program: sshd; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5000020; sid: 5000020; rev:4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[OPENSSH] Message send write error"; content: "ssh_msg_send";default_proto: tcp; default_dst_port: $SSH_PORT; classtype: network-event; program: sshd; reference: url,wiki.quadrantsec.com/bin/view/Main/5000021; sid:5000021; rev:4;) # General "illegal user" alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[OPENSSH] Invalid or illegal user [Brute Force] [10/1]"; pcre: "/invalid user|illegal user/i"; content:!"input_userauth_request"; xbits: set,brute_force,21600; default_proto: tcp; default_dst_port: $SSH_PORT; classtype: attempted-user; program: sshd; normalize; parse_src_ip: 1; parse_port; after: track by_src, count 10, seconds 300; threshold:type limit, track by_src, count 1, seconds 300; reference: url,wiki.quadrantsec.com/bin/view/Main/5000022; sid: 5000022; rev:17;) # Champ Clark (Quadrant Information Security) - Jan 27th 2010 - Out of 
band challenge - for more info see: http://sourceforge.net/projects/pamobc/ alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[OPENSSH] Out-of-Band challenge failure"; content: "Failed auth"; content: "out-of-band challenge"; content: "pam_obc"; default_proto: tcp; default_dst_port: $SSH_PORT; classtype: unsuccessful-user;program: sshd; reference: url,wiki.quadrantsec.com/bin/view/Main/5000023; sid: 5000023; rev:4;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[OPENSSH] Bad protocol version - network scan or possible attack [0/3]"; content: "Bad protocol version identification"; parse_src_ip: 1; parse_port; default_proto: tcp; default_dst_port: $SSH_PORT; parse_port; threshold: type limit, track by_src, count 3, seconds 300; classtype: non-standard-protocol; program: sshd; reference: url,wiki.quadrantsec.com/bin/view/Main/5000068; sid: 5000068; rev:7;) #alert any $EXTERNAL_NET any -> $HOME_NET any ( msg: "[OPENSSH] Timeout while logging in"; content:"Timeout before authentication" ;default_proto: tcp; default_dst_port: $SSH_PORT; classtype: unsuccessful-user; program: sshd; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5000069; sid: 5000069; rev:4;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[OPENSSH] No identification string - possible scan"; content:"Did not receive identification string"; threshold: type limit, track by_src, count 5, seconds 300; fwsam: src, 1 day; default_proto: tcp; default_dst_port: $SSH_PORT; classtype: network-scan; program: sshd; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5000070; sid: 5000070; rev:6;) drop any $EXTERNAL_NET any -> $HOME_NET any (msg: "[OPENSSH] OpenSSH challenge-response exploit"; content: "buffer_get_string: bad string"; xbits: set,brute_force,86400; default_proto: tcp; default_dst_port: $SSH_PORT; classtype: exploit-attempt; program: sshd; parse_src_ip: 1; fwsam: src, 1 week; reference: url,wiki.quadrantsec.com/bin/view/Main/5000071; sid: 5000071; rev:6;) 
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[OPENSSH] Message without user-IP and context"; content: "Could not get shadow information for NOUSER"; default_proto: tcp; default_dst_port: $SSH_PORT; classtype: misc-attack; program: sshd; reference: url,wiki.quadrantsec.com/bin/view/Main/5000072; sid: 5000072; rev:3;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[OPENSSH] Corrupted traffic"; content: "Corrupted check bytes on"; default_proto: tcp; default_dst_port: $SSH_PORT; classtype: network-event; program: sshd; reference: url,wiki.quadrantsec.com/bin/view/Main/5000073; sid: 5000073; rev:3;) drop any $EXTERNAL_NET any -> $HOME_NET any (msg:"[OPENSSH] CRC32 compensation attack"; content: "crc32 compensation attack"; nocase; xbits: set,brute_force,86400; default_proto: tcp; default_dst_port: $SSH_PORT; classtype: shellcode-detect; program: sshd; fwsam: src, 1 week; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5000074; reference: url, http://www.securityfocus.com/bid/2347/info/; sid: 5000074; rev:4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[OPENSSH] configuration error [moduli]"; content: "Bad prime description in line"; default_proto: tcp; default_dst_port: $SSH_PORT; classtype: program-error; program: sshd; reference: url,wiki.quadrantsec.com/bin/view/Main/5000076; sid: 5000076; rev:3;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[OPENSSH] Attempt to login using a denied user"; content: "not allowed because"; default_proto: tcp; default_dst_port: $SSH_PORT; classtype: unsuccessful-user; program: sshd; reference: url,wiki.quadrantsec.com/bin/view/Main/5000077; sid:5000077; rev:3;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[OPENSSH] User logged into a disabled account"; pcre: "/accepted|authenticated/i"; pcre: 
"/^apache$|^mysql$|^www$|^nobody$|^nogroup$|^portmap$|^named$|^rpc$|^mail$|^ftp$|^shutdown$|^halt$|^daemon$|^bin$|^postfix$|^shell$|^info$|^guest$|^psql$|^user$|^users$|^console$|^uucp$|^lp$|^sync$|^sshd$|^cdrom$|^ossec$|^sagan$/"; parse_src_ip: 1; parse_port; default_proto: tcp; default_dst_port: $SSH_PORT; classtype: successful-user; reference: url,wiki.quadrantsec.com/bin/view/Main/5000411; program: sshd; sid: 5000411; rev:4;) # Failed password for root from 10.10.0.1 port 17298 ssh2 alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[OPENSSH] Failed password - Brute force [10/1]"; content: "Failed password"; program: sshd; normalize; parse_port; parse_src_ip: 1; xbits: set,brute_force,21600; default_proto: tcp; default_dst_port: $SSH_PORT; classtype: unsuccessful-user; sid: 5001646; after: track by_src, count 10, seconds 300; threshold: type limit, track by_src, count 1, seconds 300; fwsam: src, 1 day; reference: url,wiki.quadrantsec.com/bin/view/Main/5001646; rev:9;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[OPENSSH] Failed password"; content: "Failed password"; program: sshd; normalize; default_proto: tcp; default_dst_port: $SSH_PORT; classtype: unsuccessful-user; sid: 5001647; reference: url,wiki.quadrantsec.com/bin/view/Main/5001647; rev:4;) # AIX 5 has a tendency to log ssh connections via program: syslog :( # syslog ssh: failed login attempt for UNKNOWN_USER from 10.1.1.4 drop any $EXTERNAL_NET any -> $HOME_NET any (msg:"[OPENSSH] SYSLOG Authentication failure - Brute force [5/1]"; content: "ssh|3a| failed login attempt"; xbits: set,brute_force,21600; default_proto: tcp; default_dst_port: $SSH_PORT; classtype: unsuccessful-user; reference: url,wiki.quadrantsec.com/bin/view/Main/5001954; program: syslog; after: track by_src, count 5, seconds 300; parse_ip_src: 1; threshold: type limit, track by_src, count 1, seconds 300; fwsam: src, 1 day; sid: 5001954; rev:10;) # Added by Robert Nunley - 02/20/2014 (rnunley@quadrantsec.com) alert any 
$EXTERNAL_NET any -> $HOME_NET any (msg:"[OPENSSH] Fail2Ban SSH Suspicious Activity"; content: "Fail2Ban"; default_proto: tcp; default_dst_port: $SSH_PORT; classtype: attempted-admin; reference: url,wiki.quadrantsec.com/bin/view/Main/5001974; parse_src_ip: 1; sid: 5001974; rev:2;) sagan-1.2.0/rules/README0000644000175000017500000000264713310533411013562 0ustar champchampWelcome to the "Sagan Rules" README file ---------------------------------------- This is the Git repository for the Sagan engine rule sets. You probably won't find these useful unless you're actually using Sagan! For more information, check out the Sagan main web site at: http://sagan.quadrantsec.com Github related site: http://github.com/beave/sagan What is Sagan? -------------- Sagan is an open source (GNU/GPLv2) high performance, real-time log analysis & correlation engine. It is written in C and uses a multi-threaded architecture to deliver high performance log & event analysis. The Sagan structure and Sagan rules work similarly to the Sourcefire "Snort" IDS engine. This was intentionally done to maintain compatibility with rule management software (oinkmaster/pulledpork/etc) and allows Sagan to correlate log events with your Snort IDS/IPS system. Since Sagan can write to Snort IDS/IPS databases via unified2/barnyard2, it is compatible with all Snort "consoles". For example, Sagan is compatible with Snorby [http://www.snorby.org], Sguil [http://sguil.sourceforge.net], BASE, and the Prelude IDS framework! (to name a few). Sagan supports many different output formats, log normalization (via liblognorm), script execution on event and automatic firewall support via "Snortsam" (see http://www.snortsam.net). For more information, please visit the Sagan web site: http://sagan.quadrantsec.com. sagan-1.2.0/rules/procurve.rules0000644000175000017500000000756413310533411015626 0ustar champchamp# Sagan procurve.rules # Copyright (c) 2009-2017, Quadrant Information Security # All rights reserved. 
# # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list # #************************************************************* # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. # #************************************************************* # # The rules below are based on SWITCH and L3-SWITCH. The L3 switches are # the 5300/8200 model chassis switches. The plain E-series are the L2 # access/edge switches. 
- John Babio / ESU alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[HP-E-SERIES-SWITCH] Invalid username/password"; program: auth; content:"Invalid user name/password"; classtype: unsuccessful-user; sid:5001120; reference: url,wiki.quadrantsec.com/bin/view/Main/5001120; rev:4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[HP-E-SERIES-SWITCH] port is off-line"; program: ports; content:"is now off-line; classtype: hardware-event; sid: 5001121; reference: url,wiki.quadrantsec.com/bin/view/Main/5001121; rev:3;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[HP-E-SERIES-SWITCH] System went down:"; program: system; content:"System went down:"; classtype: hardware-event; sid: 5001122; reference: url,wiki.quadrantsec.com/bin/view/Main/5001122; rev:3;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[HP-E-SERIES-SWITCH] Port Security Violation"; program: FFI; pcre: "/Security Violation/i"; normalize; classtype: policy-violation; sid: 5001123; reference: url,wiki.quadrantsec.com/bin/view/Main/5001123; rev:3;) # The "program" becomes the alert ID. 
So no "content:" is needed: the L3 switches log the numeric event ID (e.g. 00077, 00419) as the syslog program name, so the rules below match on program: alone. - Champ Clark III 06/25/2012
# # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. # #************************************************************* # These rules are for the Cisco Unified Call Manager (VoIP) systems. #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] Call Manager Telephony Subsystem Shutdown"; content: "SS_SHUTDOWN"; content: "CMT subsystem"; classtype: system-event; reference: url,wiki.quadrantsec.com/bin/view/Main/5001709; sid: 5001709; rev:2;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] Call Manager Telephony Subsystem ModuleStop"; content: "ModuleStop"; content: "CMT Subsystem"; classtype: system-event; reference: url,wiki.quadrantsec.com/bin/view/Main/5001710; sid: 5001710; rev:2;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] Grammar Manager Telephony Subsystem ModuleStop"; content: "ModuleStop"; content: "Grammar Manager"; classtype: system-event; reference: url,wiki.quadrantsec.com/bin/view/Main/5001711; sid: 5001711; rev:2;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] Cisco Unified CCX MGR Shutdown"; content: "MGR_SHUTDOWN"; content: "Cisco Unified CCX"; classtype: system-event; reference: url,wiki.quadrantsec.com/bin/view/Main/5001712; sid: 5001712; rev:2;) #alert any $EXTERNAL_NET any -> 
$HOME_NET any (msg: "[CISCO-IOS] Socket Manager Telephony Subsystem ModuleStart"; content: "ModuleStart"; content: "Socket Manager"; classtype: system-event; reference: url,wiki.quadrantsec.com/bin/view/Main/5001713; sid: 5001713; rev:2;) sagan-1.2.0/rules/fatpipe-aetas.rules0000644000175000017500000000532513310533411016475 0ustar champchamp# Sagan fatpipe-aetas.rules # Copyright (c) 2009-2017, Quadrant Information Security # All rights reserved. # # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list # #************************************************************* # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. 
IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. # #************************************************************* # 10.10.10.5|authpriv|info|info|56|2014-02-12|18:53:52|xtremed| UI Login: Success, User Name: bob, Remote IP: 10.10.10.1, Privilege: ADMINISTRATOR alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[FATPIPE-AETAS] Login Success at suspicious time"; content: "Login|3a| Success"; default_proto: tcp; default_dst_port: $HTTPS_PORT; classtype: successful-admin; program: xtremed; parse_src_ip: 1; alert_time: days $SAGAN_DAYS, hours $SAGAN_HOURS; reference: url,wiki.quadrantsec.com/bin/view/Main/5002041; sid: 5002041; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[FATPIPE-AETAS] Login Success - ADMINISTRATOR - at supicious time"; content: "Login|3a| Success"; content: "ADMINISTRATOR"; default_proto: tcp; default_dst_port: $HTTPS_PORT; classtype: successful-admin; program: xtremed; parse_src_ip: 1; alert_time: days $SAGAN_DAYS, hours $SAGAN_HOURS; reference: url,wiki.quadrantsec.com/bin/view/Main/5002042; sid: 5002042; rev:2;) sagan-1.2.0/rules/windows-geoip.rules0000644000175000017500000001123013310533411016535 0ustar champchamp# Sagan windows-geoip.rules # Copyright (c) 2009-2017, Quadrant Information Security # All rights reserved. 
# # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list # #************************************************************* # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
# NOTE(review): sid 5001873 below is written $EXTERNAL_NET -> $HOME_NET, while the remaining rules in this file (5002016 onward) use $HOME_NET -> $EXTERNAL_NET for the same class of inbound logon event; pick one direction (or confirm the engine ignores the header addresses for log events) so the rules do not silently diverge. # alert any
successful-user; reference: url,wiki.quadrantsec.com/bin/view/Main/5002338; sid: 5002338; rev:2;) alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[WINDOWS-GEOIP] Windows RDP Session Disconnected from outside HOME_COUNTRY "; pcre: "/ 683: | 4779: /"; content: "Session"; content: "RDP"; country_code: track by_src, isnot $HOME_COUNTRY; program: *Security*; parse_src_ip: 1; default_proto: tcp; classtype: successful-user; reference: url,wiki.quadrantsec.com/bin/view/Main/5002339; sid: 5002339; rev:2;) alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[WINDOWS-GEOIP] Attempted explicit windows logon "; pcre: "/ 552: | 4648: /"; content: "Target"; content: "Process"; country_code: track by_src, isnot $HOME_COUNTRY; program: *Security*; parse_src_ip: 1; xbits: set, recon, 86400; threshold: type limit, track by_src, count 2, seconds 300; content:!"0.0 Port|3a| 0"; default_proto: tcp; classtype: successful-user; reference: url,wiki.quadrantsec.com/bin/view/Main/5002340; sid: 5002340; rev:5;) sagan-1.2.0/rules/proftpd-aetas.rules0000644000175000017500000000414513310533411016522 0ustar champchamp# Sagan proftpd-aetas.rules # Copyright (c) 2009-2017, Quadrant Information Security # All rights reserved. # # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list # #************************************************************* # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. 
# * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. # # alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[PROFTPD-AETAS] Authentication success at suspicious time"; content: "Login successful"; alert_time: days $SAGAN_DAYS, hours $SAGAN_HOURS; parse_src_ip: 3; default_proto: tcp; default_dst_port: $FTP_PORT; classtype: successful-user; program: proftpd; reference: url,wiki.quadrantsec.com/bin/view/Main/5002052; sid: 5002052; rev:4;) sagan-1.2.0/rules/fortinet.rules0000644000175000017500000005440113310533411015603 0ustar champchamp# Sagan fortinet.rules # Copyright (c) 2009-2017, Quadrant Information Security # All rights reserved. # # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list # #************************************************************* # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. 
# * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. # #************************************************************* # These are mostly taken from Fortigate 4.0 Message reference manual. 
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET] Protect profile changed"; content: "32151 type="; content: "changed protection profile"; classtype: configuration-change; reference: url,wiki.quadrantsec.com/bin/view/Main/5000898; sid: 5000898; rev:2;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET] ICMP traffic disallowed"; content: "16003 type="; parse_src_ip: 1; classtype: not-suspicious; reference: url,wiki.quadrantsec.com/bin/view/Main/5000899; sid: 5000899; rev:3;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET] Login from LCD"; content: "32001 type="; content: "from LCD"; classtype: successful-admin; reference: url,wiki.quadrantsec.com/bin/view/Main/5000900; sid: 5000900; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET] Administrator Login"; content: "32001 type="; content: "logged in"; parse_src_ip: 1; classtype: successful-admin; reference: url,wiki.quadrantsec.com/bin/view/Main/5000901; sid: 5000901; rev:3;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET] Admin login from LCD failed"; content: "32002 type="; content: "LCD failed"; classtype: attempted-admin; reference: url,wiki.quadrantsec.com/bin/view/Main/5000902; sid: 5000902; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET] Admin login failed"; content: "32002 type="; content: "login failed"; parse_src_ip: 1; classtype: attempted-admin; reference: url,wiki.quadrantsec.com/bin/view/Main/5000903; sid: 5000903; rev:3;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET] To many bad admin login attempts"; content: "32002 type="; content: "bad attempts"; parse_src_ip: 1; classtype: attempted-admin; reference: url,wiki.quadrantsec.com/bin/view/Main/5000904; sid: 5000904; rev:3;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET] Administrator logout"; content: "32003 type="; content: "action=logout"; classtype: not-suspicious; reference: 
url,wiki.quadrantsec.com/bin/view/Main/5000905; sid: 5000905; rev:2;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET] IPS error mode"; content: "32004 type="; content: "error mode"; classtype: hardware-event; reference: url,wiki.quadrantsec.com/bin/view/Main/5000906; sid: 5000906; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET] Login failed [Brute Force] [5/5]"; content: "32005 type="; content: "login failed"; parse_src_ip: 1; classtype: attempted-admin; xbits: set,brute_force,21600; after: track by_src, count 5, seconds 300; parse_ip_src: 1; threshold: type limit, track by_src, count 5, seconds 300; fwsam: src, 1 day; reference: url,wiki.quadrantsec.com/bin/view/Main/5000907; sid: 5000907; rev:6;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET] Login accepted"; content: "32006 type="; content: "login"; pcre: "/accepted|successfully/"; parse_src_ip: 1; classtype: successful-admin; reference: url,wiki.quadrantsec.com/bin/view/Main/5000908; sid: 5000908; rev:3;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET] Disk full or almost full"; content: "32006 type="; content: "disk"; nocase; content: "log "; nocase; pcre: "/exceeds|full/"; classtype: hardware-event; reference: url,wiki.quadrantsec.com/bin/view/Main/5000909; sid: 5000909; rev:3;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET] Fortigate has started"; content: "32006 type="; content: "Fortigate started"; classtype: hardware-event; reference: url,wiki.quadrantsec.com/bin/view/Main/5000910; sid: 5000910; rev:2;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET] Fortigate has entered error mode"; content: "32006 type="; content: "entered error mode"; classtype: configuration-error; reference: url,wiki.quadrantsec.com/bin/view/Main/5000911; sid: 5000911; rev:2;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET] Fortigate has left error mode"; content: "32006 type="; content: "out of error mode"; 
classtype: configuration-error; reference: url,wiki.quadrantsec.com/bin/view/Main/5000912; sid: 5000912; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET] Administrator session timeout"; content: "32007 type="; content: "session timed out"; parse_src_ip: 1; classtype: not-suspicious; reference: url,wiki.quadrantsec.com/bin/view/Main/5000913; sid: 5000913; rev:3;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET] Abnormal Admin session drop"; content: "32007 type="; content: "terminates the sessions"; parse_src_ip: 1; classtype: not-suspicious; reference: url,wiki.quadrantsec.com/bin/view/Main/5000914; sid: 5000914; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET] Normal administrator logout"; content: "32007 type="; pcre: "/logs out from|is diconnected by/"; parse_src_ip: 1; classtype: not-suspicious; reference: url,wiki.quadrantsec.com/bin/view/Main/5000915; sid: 5000915; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET] Administrator is clearing/deleting logs"; content: "32007 type="; pcre: "/has removed|has deleted|has cleared/"; classtype: configuration-change; reference: url,wiki.quadrantsec.com/bin/view/Main/5000916; sid: 5000916; rev:3;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET] Cannot store config. 
Low flash space"; content: "32007 type="; content: "Cannot store config"; content: "flash space"; classtype: hardware-event; reference: url,wiki.quadrantsec.com/bin/view/Main/5000917; sid: 5000917; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET] Admin has left current VDOM"; content: "32007 type="; content: "has left the virtual domain"; classtype: not-suspicious; reference: url,wiki.quadrantsec.com/bin/view/Main/5000918; sid: 5000918; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET] Admin login failure"; content: "32009 type="; content: "login failed from"; classtype: attempted-admin; reference: url,wiki.quadrantsec.com/bin/view/Main/5000919; sid: 5000919; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET] Disk logs usage have exceeded"; content: "32010 type="; pcre: "/Disk logs|error mode|Log disk|reason=disk-log-full/"; classtype: hardware-event; reference: url,wiki.quadrantsec.com/bin/view/Main/5000920; sid: 5000920; rev:3;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET] Memory usage has exceeded"; content: "32010 type="; content: "reason=memory-log-full"; classtype: hardware-event; reference: url,wiki.quadrantsec.com/bin/view/Main/5000921; sid: 5000921; rev:2;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET] Reason unknown error"; content: "32010 type="; content: "reason=unknown"; classtype: hardware-event; reference: url,wiki.quadrantsec.com/bin/view/Main/5000922; sid: 5000922; rev:2;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET] Out of error mode"; content: "32012 type="; content: "out of error mode"; classtype: hardware-event; reference: url,wiki.quadrantsec.com/bin/view/Main/5000923; sid: 5000923; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET] Administrator removed logs"; content: "32013 type="; pcre: "/cleared|deleted|removed/"; classtype: configuration-change; reference: 
url,wiki.quadrantsec.com/bin/view/Main/5000924; sid: 5000924; rev:3;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET] License about to expired"; content: "32014 type="; content: "license will expire"; classtype: program-error; reference: url,wiki.quadrantsec.com/bin/view/Main/5000925; sid: 5000925; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET] Log disk is full"; content: "32015 type="; content: "Log disk is"; content: "full"; classtype: hardware-event; reference: url,wiki.quadrantsec.com/bin/view/Main/5000926; sid: 5000926; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET] Corrupted MAC packet detected"; content: "32020 type="; content: "Corrupted MAC packet detected"; classtype: network-event; reference: url,wiki.quadrantsec.com/bin/view/Main/5000927; sid: 5000927; rev:2;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET] Action reboot or shutdown"; content: "32095 type="; pcre: "/action=reboot|action=shutdown/i"; classtype: hardware-event; reference: url,wiki.quadrantsec.com/bin/view/Main/5000928; sid: 5000928; rev:3;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET] Action reload"; content: "32095 type="; content: "action=reload"; classtype: system-event; reference: url,wiki.quadrantsec.com/bin/view/Main/5000929; sid: 5000929; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET] Action factory_reset"; content: "32095 type="; content: "action=factory_reset"; classtype: configuration-change; reference: url,wiki.quadrantsec.com/bin/view/Main/5000930; sid: 5000930; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET] New access profile added"; content: "32101 type="; content: "added new access profile"; classtype: configuration-change; reference: url,wiki.quadrantsec.com/bin/view/Main/5000931; sid: 5000931; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET] Configuration change"; content: "32102 type="; content: "made a 
change"; classtype: configuration-change; reference: url,wiki.quadrantsec.com/bin/view/Main/5000932; sid: 5000932; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET] Access profile changed"; content: "32102 type="; content: "setting of access profile"; classtype: configuration-change; reference: url,wiki.quadrantsec.com/bin/view/Main/5000933; sid: 5000933; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET] Access profile deleted"; content: "32103 type="; content: "deleted an access profile"; classtype: configuration-change; reference: url,wiki.quadrantsec.com/bin/view/Main/5000934; sid: 5000934; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET] New admin user added"; content: "32120 type="; content: "added an admin user"; classtype: configuration-change; reference: url,wiki.quadrantsec.com/bin/view/Main/5000935; sid: 5000935; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET] New user group added"; content: "32120 type="; content: "added an user group"; classtype: configuration-change; reference: url,wiki.quadrantsec.com/bin/view/Main/5000936; sid: 5000936; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET] Admin changed another admin's password"; content: "32150 type="; content: "changed password of admin"; classtype: configuration-change; reference: url,wiki.quadrantsec.com/bin/view/Main/5000971; sid: 5000971; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET] Flash memory is full!"; content: "20031 type="; content: "flash memory is full"; classtype: hardware-event; reference: url,wiki.quadrantsec.com/bin/view/Main/5000937; sid: 5000937; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET] Admin authentication success"; content: "38001 type="; content: "succeeded in authentication"; classtype: successful-admin; reference: url,wiki.quadrantsec.com/bin/view/Main/5000938; sid: 5000938; rev:2;) alert any $EXTERNAL_NET any -> 
$HOME_NET any (msg: "[FORTINET] Admin authentication failure"; content: "38001 type="; content: "failed in authentication"; classtype: attempted-admin; reference: url,wiki.quadrantsec.com/bin/view/Main/5000939; sid: 5000939; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET] Admin authentication failure"; content: "38002 type="; pcre: "/failed to authenticate|failed in authentication/i"; parse_src_ip: 1; classtype: attempted-admin; reference: url,wiki.quadrantsec.com/bin/view/Main/5000940; sid: 5000940; rev:3;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET] Failed authentication to many times"; content: "38003 type="; content: "failed authentication to many times"; classtype: attempted-admin; reference: url,wiki.quadrantsec.com/bin/view/Main/5000941; sid: 5000941; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET] Chassis fan anomaly"; content: "99503 type="; content: "Chassis fan anomaly"; classtype: hardware-event; reference: url,wiki.quadrantsec.com/bin/view/Main/5000942; sid: 5000942; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET] Chassis temperature anomaly"; content: "99504 type="; content: "Chassis temperature anomaly"; classtype: hardware-event; reference: url,wiki.quadrantsec.com/bin/view/Main/5000943; sid: 5000943; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET] Chassis voltage anomaly"; content: "99505 type="; content: "Chassis voltage anomaly"; classtype: hardware-event; reference: url,wiki.quadrantsec.com/bin/view/Main/5000944; sid: 5000944; rev:2;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET] Blade fan anomaly"; content: "99506 type="; content: "Blade fan anomaly"; classtype: hardware-event; reference: url,wiki.quadrantsec.com/bin/view/Main/5000945; sid: 5000945; rev:2;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET] Blade temperature anomaly"; content: "99507 type="; content: "Blade temperature anomaly"; 
classtype: hardware-event; reference: url,wiki.quadrantsec.com/bin/view/Main/5000946; sid: 5000946; rev:2;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET] Blade voltage anomaly"; content: "99508 type="; content: "Blade voltage anomaly"; classtype: hardware-event; reference: url,wiki.quadrantsec.com/bin/view/Main/5000947; sid: 5000947; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET] L2TP/PPTP/PPPoE Authentication success"; content: "29002 type="; content: "action=auth_success"; classtype: successful-user; reference: url,wiki.quadrantsec.com/bin/view/Main/5000948; sid: 5000948; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET] L2TP/PPTP/PPPoE Authentication failed"; content: "29003 type="; content: "action=auth_failed"; classtype: unsuccessful-user; reference: url,wiki.quadrantsec.com/bin/view/Main/5000949; sid: 5000949; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET] L2TP/PPTP/PPPoE Max connection reached"; content: "29004 type="; content: "No more clients can connect"; classtype: system-event; reference: url,wiki.quadrantsec.com/bin/view/Main/5000950; sid: 5000950; rev:2;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET] L2TP/PPTP/PPPoE Not enough memory"; content: "29024 type="; content: "not enough memory"; classtype: hardware-event; reference: url,wiki.quadrantsec.com/bin/view/Main/5000951; sid: 5000951; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET] Data Leak Prevention Rule Matched"; content: "11000 type="; content: "Data Leak Prevention Rule matched"; classtype: policy-violation; reference: url,wiki.quadrantsec.com/bin/view/Main/5000952; sid: 5000952; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET] Application control instant messaging message"; content: "11600 type="; content: "kind="; classtype: policy-violation; reference: url,wiki.quadrantsec.com/bin/view/Main/5000953; sid: 5000953; rev:2;) alert any 
$EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET] Application control instant message file tranfer message"; content: "116001 type="; content: "kind="; classtype: policy-violation; reference: url,wiki.quadrantsec.com/bin/view/Main/5000954; sid: 5000954; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET] Application control instant message chat message"; content: "116002 type="; content: "kind="; classtype: policy-violation; reference: url,wiki.quadrantsec.com/bin/view/Main/5000955; sid: 5000955; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET] Control instant message SIP session blocked message"; content: "116003 type="; content: "kind="; classtype: policy-violation; reference: url,wiki.quadrantsec.com/bin/view/Main/5000956; sid: 5000956; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET] Application control instant message message"; content: "116010 type="; content: "kind="; classtype: policy-violation; reference: url,wiki.quadrantsec.com/bin/view/Main/5000957; sid: 5000957; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET] An application control VoIP-SIP session blocked message"; content: "116011 type="; content: "kind="; classtype: policy-violation; reference: url,wiki.quadrantsec.com/bin/view/Main/5000958; sid: 5000958; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET] E-mail of an infected file"; content: "60000 type="; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/5000959; sid: 5000959; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET] File blocked via e-mail"; content: "63000 type="; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/5000960; sid: 5000960; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET] File intercepted via e-mail"; content: "63002 type="; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/5000961; 
sid: 5000961; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET] Attack signature matched [see content] [1]"; content: "70000 type="; classtype: misc-attack; reference: url,wiki.quadrantsec.com/bin/view/Main/5000962; sid: 5000962; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET] Attack signature matched [see content] [2]"; content: "73001 type="; classtype: misc-attack; reference: url,wiki.quadrantsec.com/bin/view/Main/5000963; sid: 5000963; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET] Banned word was found"; content: "90000 type="; classtype: policy-violation; reference: url,wiki.quadrantsec.com/bin/view/Main/5000964; sid: 5000964; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET] Cookie was removed"; content: "91000 type="; classtype: web-application-activity; reference: url,wiki.quadrantsec.com/bin/view/Main/5000965; sid: 5000965; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET] Java applet was removed"; content: "91005 type="; classtype: web-application-activity; reference: url,wiki.quadrantsec.com/bin/view/Main/5000966; sid: 5000966; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET] ActiveX script was removed"; content: "91010 type="; classtype: web-application-activity; reference: url,wiki.quadrantsec.com/bin/view/Main/5000967; sid: 5000967; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET] URL was in blacklist"; content: "93002 type="; classtype: policy-violation; reference: url,wiki.quadrantsec.com/bin/view/Main/5000968; sid: 5000968; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET] URL belongs to a denied category"; content: "99501 type="; classtype: policy-violation; reference: url,wiki.quadrantsec.com/bin/view/Main/5000969; sid: 5000969; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET] calloc failed"; content: "93007 type="; content: "calloc"; content: 
"failed"; classtype: hardware-event; reference: url,wiki.quadrantsec.com/bin/view/Main/5000970; sid: 5000970; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET] FTP attempt"; content: "80000 type="; content: "user="; content: "group="; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/5000972; sid: 5000972; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET] Entered system conserve mode!"; content: "22802 type="; content: "entered system conserve mode"; classtype: hardware-event; reference: url,wiki.quadrantsec.com/bin/view/Main/5000973; sid: 5000973; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET] Leaving system conserve mode"; content: "22803 type="; content: "exited system conserve mode"; classtype: hardware-event; reference: url,wiki.quadrantsec.com/bin/view/Main/5000974; sid: 5000974; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET] General CRITICAL event"; content: "devname="; content: "pri=critical"; classtype: hardware-event; reference: url,wiki.quadrantsec.com/bin/view/Main/5000975; sid: 5000975; rev:2;) # 01/04/2013 alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET] Botnet traffic detected"; content: "app_list=|22|BotnetOnly|22| app_type=|22|Botnet|22|"; classtype: trojan-activity; parse_src_ip: 1; parse_dst_ip: 2; reference: url,wiki.quadrantsec.com/bin/view/Main/5001627; sid: 5001627; rev:3;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET] SSH traffic detected"; content: " service=SSH "; classtype: trojan-activity; parse_src_ip: 1; parse_dst_ip: 2; reference: url,wiki.quadrantsec.com/bin/view/Main/5001970; sid: 5001970; rev:2;) sagan-1.2.0/rules/wordpress.rules0000644000175000017500000000722013310533411015776 0ustar champchamp# Sagan wordpress.rules # Copyright (c) 2009-2017, Quadrant Information Security # All rights reserved. 
# # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list # #************************************************************* # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
# #************************************************************* alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[WORDPRESS] - Wordpress authentication failed"; content: "User authentication failed"; default_proto: tcp; default_dst_port: $HTTPS_PORT; classtype: unsuccessful-user; program: WPsyslog; reference: url,wiki.quadrantsec.com/bin/view/Main/5000198; sid: 5000198; rev:3;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[WORDPRESS] - Wordpress authentication succeeded"; content: "User logged in"; default_proto: tcp; default_dst_port: $HTTPS_PORT; classtype: successful-user; program: WPsyslog; reference: url,wiki.quadrantsec.com/bin/view/Main/5000199; sid: 5000199; rev:3;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[WORDPRESS] - Wordpress WPsyslog was successfully initialized"; content: "WPsyslog was successfully init"; default_proto: tcp; default_dst_port: $HTTPS_PORT; classtype: system-event; program: WPsyslog; reference: url,wiki.quadrantsec.com/bin/view/Main/5000200; sid: 5000200; rev:3;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[WORDPRESS] - Wordpress WPsyslog Plugin deactivated"; content: "Plugin deactivated"; default_proto: tcp; default_dst_port: $HTTPS_PORT; classtype: system-event; program: WPsyslog; reference: url,wiki.quadrantsec.com/bin/view/Main/5000201; sid: 5000201; rev:3;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[WORDPRESS] - Wordpress Wordpress Comment Flood Attempt"; content: "Comment flood attempt"; default_proto: tcp; default_dst_port: $HTTPS_PORT; classtype: attempted-dos; program: WPsyslog; reference: url,wiki.quadrantsec.com/bin/view/Main/5000202; sid: 5000202; rev:3;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[WORDPRESS] - Attack against Wordpress detected"; content: "Warning"; content: "IDS"; default_proto: tcp; default_dst_port: $HTTPS_PORT; classtype: misc-attack; program: WPsyslog; reference: url,wiki.quadrantsec.com/bin/view/Main/5000203; sid: 5000203; rev:3;) 
sagan-1.2.0/rules/grsec.rules0000644000175000017500000000534013310533411015052 0ustar champchamp# Sagan grsec.rules # Copyright (c) 2009-2017, Quadrant Information Security # All rights reserved. # # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list # #************************************************************* # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. # #************************************************************* # # These rule sets are for systems with hardened kernels (PaX/GRSec). 
If you don't run a hardened kernel, you won't # see these alerts. For more information, see: http://www.grsecurity.net/ alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[GRSEC] Time set"; content:"time set by";classtype: not-suspicious; program: grsec; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5000029; sid: 5000029; rev:6;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[GRSEC] Signal 11 sent"; content:"signal 11 sent";classtype: program-error; parse_src_ip: 1; program: grsec; reference: url,wiki.quadrantsec.com/bin/view/Main/5000030; sid: 5000030; rev:6;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[GRSEC] Denied resource overstep"; content:"denied resource overstep"; xbits: set,brute_force,86400; classtype: exploit-attempt; program: grsec; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5000042; sid: 5000042; rev:6;) sagan-1.2.0/rules/cisco-pixasa.rules0000644000175000017500000037361613310533411016350 0ustar champchamp# Sagan cisco-pixasa.rules # Copyright (c) 2009-2017, Quadrant Information Security # All rights reserved. # # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list # #************************************************************* # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. 
# # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. # # # Iman Khosravi updated many of these rules to support the Cisco FWSM (firewall service modules). # 06/25/2012. #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Failed to initialize 4GE SSM I/O card"; program: %ASA*-1-114001; classtype: hardware-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000416; sid: 5000416; rev: 3;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Failed to initialize SFP in 4GE SSM I/O card"; program: %ASA*-1-114002; classtype: hardware-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000417; sid: 5000417; rev: 3;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Failed to run cached commands in 4GE SSM I/O card"; program: %ASA*-1-114003; classtype: hardware-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000418; sid: 5000418; rev: 3;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Internal error in function"; program: %ASA*-1-216001; classtype: system-error; reference: url, wiki.quadrantsec.com/bin/view/Main/5000419; sid: 5000419; rev: 3;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] AAA Marking protocol server ip-addr in server group tag as FAILED"; 
program: %ASA*-2-113022|%FWSM-2-113022; parse_src_ip: 1; classtype: system-error; reference: url, wiki.quadrantsec.com/bin/view/Main/5000420; sid: 5000420; rev: 5;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Internal error in - function message"; program: %ASA*-2-216001|%FWSM-2-216001; classtype: system-error; reference: url, wiki.quadrantsec.com/bin/view/Main/5000421; sid: 5000421; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Internal error in function Fiber library cannot locate AK47 instance"; program: %ASA*-2-716500; classtype: system-error; reference: url, wiki.quadrantsec.com/bin/view/Main/5000422; sid: 5000422; rev: 3;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Internal error in function Fiber library cannot attach AK47 instance"; program: %ASA*-2-716501; classtype: system-error; reference: url, wiki.quadrantsec.com/bin/view/Main/5000423; sid: 5000423; rev: 3;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Internal error in function Fiber library cannot allocate default arena"; program: %ASA*-2-716502|%FWSM-2-716502; classtype: system-error; reference: url, wiki.quadrantsec.com/bin/view/Main/5000424; sid: 5000424; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Internal error in function Fiber library cannot allocate fiber descriptors pool"; program: %ASA*-2-716503; classtype: system-error; reference: url, wiki.quadrantsec.com/bin/view/Main/5000425; sid: 5000425; rev: 3;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Internal error in function Fiber library cannot allocate fiber stacks pool"; program: %ASA*-2-716504; classtype: system-error; reference: url, wiki.quadrantsec.com/bin/view/Main/5000426; sid: 5000426; rev: 3;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Internal error in function Fiber has joined fiber in unfinished state"; program: %ASA*-2-716505; classtype: 
system-error; reference: url, wiki.quadrantsec.com/bin/view/Main/5000427; sid: 5000427; rev: 3;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Internal error in function Fiber scheduler has reached unreachable code. Cannot continue terminating"; program: %ASA*-2-716507; classtype: system-error; reference: url, wiki.quadrantsec.com/bin/view/Main/5000428; sid: 5000428; rev: 3;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Internal error in function Fiber scheduler is scheduling rotten fiber. Cannot continuing terminating"; program: %ASA*-2-716508; classtype: system-error; reference: url, wiki.quadrantsec.com/bin/view/Main/5000429; sid: 5000429; rev: 3;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Internal error in function Fiber scheduler is scheduling alien fiber. Cannot continue terminating"; program: %ASA*-2-716509; classtype: system-error; reference: url, wiki.quadrantsec.com/bin/view/Main/5000430; sid: 5000430; rev: 3;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Internal error in function Fiber scheduler is scheduling finished fiber. 
Cannot continue terminating"; program: %ASA*-2-716510; classtype: system-error; reference: url, wiki.quadrantsec.com/bin/view/Main/5000431; sid: 5000431; rev: 3;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Internal error in function Fiber has joined fiber waited upon by someone else"; program: %ASA*-2-716512; classtype: system-error; reference: url, wiki.quadrantsec.com/bin/view/Main/5000432; sid: 5000432; rev: 3;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Internal error in function Fiber in callback blocked on other channel"; program: %ASA*-2-716513; classtype: system-error; reference: url, wiki.quadrantsec.com/bin/view/Main/5000433; sid: 5000433; rev: 3;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Internal error in function OCCAM failed to allocate memory for AK47 instance"; program: %ASA*-2-716515; classtype: system-error; reference: url, wiki.quadrantsec.com/bin/view/Main/5000434; sid: 5000434; rev: 3;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Internal error in function OCCAM has corrupted ROL array. Cannot continue terminating"; program: %ASA*-2-716516|%FWSM-2-716516; classtype: system-error; reference: url, wiki.quadrantsec.com/bin/view/Main/5000435; sid: 5000435; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Internal error in function OCCAM cached block has no associated arena"; program: %ASA*-2-716517|%FWSM-2-716517; classtype: system-error; reference: url, wiki.quadrantsec.com/bin/view/Main/5000436; sid: 5000436; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Internal error in function OCCAM pool has no associated arena"; program: %ASA*-2-716518|%FWSM-2-716518; classtype: system-error; reference: url, wiki.quadrantsec.com/bin/view/Main/5000437; sid: 5000437; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Internal error in function OCCAM has corrupted pool list. 
Cannot continue terminating"; program: %ASA*-2-716519|%FWSM-2-716519; classtype: system-error; reference: url, wiki.quadrantsec.com/bin/view/Main/5000438; sid: 5000438; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Internal error in function OCCAM pool has no block list"; program: %ASA*-2-716520|%FWSM-2-716520; classtype: system-error; reference: url, wiki.quadrantsec.com/bin/view/Main/5000439; sid: 5000439; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Internal error in function OCCAM no realloc allowed in named pool"; program: %ASA*-2-716521|%FWSM-2-716521; classtype: system-error; reference: url, wiki.quadrantsec.com/bin/view/Main/5000440; sid: 5000440; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Internal error in function OCCAM corrupted standalone block"; program: %ASA*-2-716522|%FWSM-2-716522; classtype: system-error; reference: url, wiki.quadrantsec.com/bin/view/Main/5000441; sid: 5000441; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] UNICORN_SYSLOGID_PERM_STORAGE_SERVER_LOAD_FAIL"; program: %ASA*-2-716526|%FWSM-2-716526; classtype: system-error; reference: url, wiki.quadrantsec.com/bin/view/Main/5000442; sid: 5000442; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] UNICORN_SYSLOGID_PERM_STORAGE_SERVER_STORE_FAIL"; program: %ASA*-2-716527|%FWSM-2-716527; classtype: system-error; reference: url, wiki.quadrantsec.com/bin/view/Main/5000443; sid: 5000443; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Unexpected fiber scheduler error - possible out-of-memory condition"; program: %ASA*-2-716528|%FWSM-2-716528; classtype: hardware-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000444; sid: 5000444; rev: 5;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Failed to get port statistics in 4GE SSM I/O card"; program: %ASA*-3-114006; classtype: 
hardware-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000445; sid: 5000445; rev: 3;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Failed to get current msr in 4GE SSM I/O card"; program: %ASA*-3-114007; classtype: hardware-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000446; sid: 5000446; rev: 3;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Failed to enable port after link is up in 4GE SSM I/O card"; program: %ASA*-3-114008; classtype: hardware-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000447; sid: 5000447; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Failed to set multicast address in 4GE SSM I/O card"; program: %ASA*-3-114009; classtype: system-error; reference: url, wiki.quadrantsec.com/bin/view/Main/5000448; sid: 5000448; rev: 3;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Failed to set multicast hardware address in 4GE SSM I/O card"; program: %ASA*-3-114010; classtype: system-error; reference: url, wiki.quadrantsec.com/bin/view/Main/5000449; sid: 5000449; rev: 3;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Failed to delete multicast address in 4GE SSM I/O card"; program: %ASA*-3-114011; classtype: system-error; reference: url, wiki.quadrantsec.com/bin/view/Main/5000450; sid: 5000450; rev: 3;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Failed to delete multicast hardware address in 4GE SSM I/O card"; program: %ASA*-3-114012; classtype: system-error; reference: url, wiki.quadrantsec.com/bin/view/Main/5000451; sid: 5000451; rev: 3;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Failed to set mac address table in 4GE SSM I/O card"; program: %ASA*-3-114013; classtype: system-error; reference: url, wiki.quadrantsec.com/bin/view/Main/5000452; sid: 5000452; rev: 3;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Failed to set mac 
address in 4GE SSM I/O card"; program: %ASA*-3-114014; classtype: system-error; reference: url, wiki.quadrantsec.com/bin/view/Main/5000453; sid: 5000453; rev: 3;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Failed to set mode in 4GE SSM I/O card"; program: %ASA*-3-114015; classtype: system-error; reference: url, wiki.quadrantsec.com/bin/view/Main/5000454; sid: 5000454; rev: 3;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Failed to set multicast mode in 4GE SSM I/O card"; program: %ASA*-3-114016; classtype: system-error; reference: url, wiki.quadrantsec.com/bin/view/Main/5000455; sid: 5000455; rev: 3;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Failed to get link status in 4GE SSM I/O card"; program: %ASA*-3-114017; classtype: system-error; reference: url, wiki.quadrantsec.com/bin/view/Main/5000456; sid: 5000456; rev: 3;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Failed to set port speed in 4GE SSM I/O card"; program: %ASA*-3-114018; classtype: system-error; reference: url, wiki.quadrantsec.com/bin/view/Main/5000457; sid: 5000457; rev: 3;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Failed to set media type in 4GE SSM I/O card"; program: %ASA*-3-114019; classtype: system-error; reference: url, wiki.quadrantsec.com/bin/view/Main/5000458; sid: 5000458; rev: 3;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Internal error in function message"; program: %ASA*-3-216001|%FWSM-3-216001; classtype: system-error; reference: url, wiki.quadrantsec.com/bin/view/Main/5000459; sid: 5000459; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] I2C_API_name error"; program: %ASA*-3-219002|%FWSM-3-219002; classtype: hardware-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000460; sid: 5000460; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] VPN Handle error protocol"; program: 
%ASA*-3-316002; classtype: system-error; reference: url, wiki.quadrantsec.com/bin/view/Main/5000461; sid: 5000461; rev: 3;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Module in slot experienced a control channel communications failure"; program: %ASA*-3-323001; classtype: hardware-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000462; sid: 5000462; rev: 3;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Module in slot failed to write software. Hw-module reset is required before further use"; program: %ASA*-3-323004; classtype: hardware-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000463; sid: 5000463; rev: 3;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Module in slot can not be powered on completely"; program: %ASA*-3-323005; classtype: hardware-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000464; sid: 5000464; rev: 3;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Type Module in slot experienced a data channel communication failure, data channel is DOWN"; program: %ASA*-3-323006; classtype: hardware-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000465; sid: 5000465; rev: 3;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] IPS card not up and fail-close mode used, dropping ICMP packet [1]"; program: %ASA*-3-420001; classtype: system-error; reference: url, wiki.quadrantsec.com/bin/view/Main/5000466; sid: 5000466; rev: 3;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] IPS card not up and fail-close mode used, dropping ICMP packet [2]"; program: %ASA*-3-420001; classtype: system-error; reference: url, wiki.quadrantsec.com/bin/view/Main/5000467; sid: 5000467; rev: 3;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] TCP|UDP flow from interface is dropped because application has failed"; program: %ASA*-3-421001|%FWSM-3-421001; classtype: system-error; reference: url, 
wiki.quadrantsec.com/bin/view/Main/5000468; sid: 5000468; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] TCP|UDP flow from interface is skipped because application has failed"; program: %ASA*-3-421007|%FWSM-3-421007; classtype: system-error; reference: url, wiki.quadrantsec.com/bin/view/Main/5000469; sid: 5000469; rev: 4;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Authentication to SSO server failed"; program: %ASA*-3-716056|%FWSM-3-716056; classtype: unsuccessful-user; reference: url, wiki.quadrantsec.com/bin/view/Main/5000470; sid: 5000470; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Email Proxy session pointer has terminated due to reason error"; program: %ASA*-3-719002; classtype: system-error; reference: url, wiki.quadrantsec.com/bin/view/Main/5000471; sid: 5000471; rev: 3;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] SVC Message ERROR message [1]"; program: %ASA*-3-722007|%FWSM-3-722007; classtype: system-error; reference: url, wiki.quadrantsec.com/bin/view/Main/5000472; sid: 5000472; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] SVC Message ERROR message [2]"; program: %ASA*-3-722008|%FWSM-3-722008; classtype: system-error; reference: url, wiki.quadrantsec.com/bin/view/Main/5000473; sid: 5000473; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] SVC Message ERROR message [3]"; program: %ASA*-3-722009|%FWSM-3-722009; classtype: system-error; reference: url, wiki.quadrantsec.com/bin/view/Main/5000474; sid: 5000474; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Module in slot is not able to shut down. Module Error"; program: %ASA*-4-413001; classtype: system-error; reference: url, wiki.quadrantsec.com/bin/view/Main/5000475; sid: 5000475; rev: 3;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Module in slot is not able to reload. 
Module Error"; program: %ASA*-4-413002; classtype: system-error; reference: url, wiki.quadrantsec.com/bin/view/Main/5000476; sid: 5000476; rev: 3;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Module in slot failed to write software. Trying again"; program: %ASA*-4-413004; classtype: system-error; reference: url, wiki.quadrantsec.com/bin/view/Main/5000477; sid: 5000477; rev: 3;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] IPS requested to drop ICMP packets"; program: %ASA*-4-420002; default_proto: icmp; classtype: system-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000478; sid: 5000478; rev: 3;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] {Allowed | Dropped} invalid NBNS pkt"; program: %ASA*-4-423001|%FWSM-4-423001; classtype: system-error; reference: url, wiki.quadrantsec.com/bin/view/Main/5000479; sid: 5000479; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] {Allowed | Dropped} mismatched NBNS pkt"; program: %ASA*-4-423002|%FWSM-4-423002; classtype: system-error; reference: url, wiki.quadrantsec.com/bin/view/Main/5000480; sid: 5000480; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] {Allowed | Dropped} invalid NBDGM pkt"; program: %ASA*-4-423003|%FWSM-4-423003; classtype: system-error; reference: url, wiki.quadrantsec.com/bin/view/Main/5000481; sid: 5000481; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] {Allowed | Dropped} mismatched NBDGM pkt"; program: %ASA*-4-423004|%FWSM-4-423004; classtype: system-error; reference: url, wiki.quadrantsec.com/bin/view/Main/5000482; sid: 5000482; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] {Allowed | Dropped} NBDGM pkt"; program: %ASA*-4-423005|%FWSM-4-423005; classtype: system-error; reference: url, wiki.quadrantsec.com/bin/view/Main/5000483; sid: 5000483; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: 
"[CISCO-PIXASA] Packet denied. [Ingress|Egress] interface is in a backup state"; program: %ASA*-4-424001|%FWSM-4-424001; classtype: system-error; reference: url, wiki.quadrantsec.com/bin/view/Main/5000484; sid: 5000484; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Connection to the backup interface is denied"; program: %ASA*-4-424002|%FWSM-4-424002; classtype: system-error; reference: url, wiki.quadrantsec.com/bin/view/Main/5000485; sid: 5000485; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Deny traffic, licensed host limit exceeded."; program: %ASA*-4-450001|%FWSM-4-450001; classtype: system-error; reference: url, wiki.quadrantsec.com/bin/view/Main/5000486; sid: 5000486; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Received DH key with bad length"; program: %ASA*-4-713240|%FWSM-4-713240; classtype: system-error; reference: url, wiki.quadrantsec.com/bin/view/Main/5000487; sid: 5000487; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] META-DATA Unexpected error in Next Card Code mode while not doing SDI"; program: %ASA*-4-713247; classtype: system-error; reference: url, wiki.quadrantsec.com/bin/view/Main/5000488; sid: 5000488; rev: 3;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] META-DATA Received authentication failure message"; program: %ASA*-4-713251|%FWSM-4-713251; classtype: unsuccessful-user; reference: url, wiki.quadrantsec.com/bin/view/Main/5000489; sid: 5000489; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] [VPN-unit] Failed to initialize with Chunk Manager"; program: %ASA*-4-720001|%FWSM-4-720001; classtype: system-error; reference: url, wiki.quadrantsec.com/bin/view/Main/5000490; sid: 5000490; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] [VPN-unit] Failed to allocate chunk from Chunk Manager"; program: %ASA*-4-720007|%FWSM-4-720007; classtype: 
system-error; reference: url, wiki.quadrantsec.com/bin/view/Main/5000491; sid: 5000491; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] [VPN-unit] Failed to register to High Availability Framework"; program: %ASA*-4-720008; classtype: system-error; reference: url, wiki.quadrantsec.com/bin/view/Main/5000492; sid: 5000492; rev: 3;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] [VPN-unit] Failed to create version control block"; program: %ASA*-4-720009|%FWSM-4-720009; classtype: system-error; reference: url, wiki.quadrantsec.com/bin/view/Main/5000493; sid: 5000493; rev: 4;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] [VPN-unit] Failed to allocate memory"; program: %ASA*-4-720011|%FWSM-4-720011; classtype: hardware-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000494; sid: 5000494; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] [VPN-unit] Failed to insert certificate in trust point"; program: %ASA*-4-720013|%FWSM-4-720013; classtype: system-error; reference: url, wiki.quadrantsec.com/bin/view/Main/5000495; sid: 5000495; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] [VPN-unit] Failed to queue add to message queue"; program: %ASA*-4-720033|%FWSM-4-720033; classtype: system-error; reference: url, wiki.quadrantsec.com/bin/view/Main/5000496; sid: 5000496; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] [VPN-unit] Failed to send type message id to standby unit"; program: %ASA*-4-720043|%FWSM-4-720043; classtype: system-error; reference: url, wiki.quadrantsec.com/bin/view/Main/5000497; sid: 5000497; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] [VPN-unit] Failed to receive message from active unit"; program: %ASA*-4-720044|%FWSM-4-720044; classtype: system-error; reference: url, wiki.quadrantsec.com/bin/view/Main/5000498; sid: 5000498; rev: 4;) #alert any $EXTERNAL_NET 
any -> $HOME_NET any (msg: "[CISCO-PIXASA] [VPN-unit] Failed to sync SDI node secret file for server on the standby unit"; program: %ASA*-4-720047|%FWSM-4-720047; classtype: system-error; reference: url, wiki.quadrantsec.com/bin/view/Main/5000499; sid: 5000499; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] [VPN-unit] Failed to add new SDI node secret file for server id on the standby unit"; program: %ASA*-4-720051|%FWSM-4-720051; classtype: system-error; reference: url, wiki.quadrantsec.com/bin/view/Main/5000500; sid: 5000500; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] [VPN-unit] Failed to delete SDI node secret file for server id on the standby unit"; program: %ASA*-4-720052|%FWSM-4-720052; classtype: system-error; reference: url, wiki.quadrantsec.com/bin/view/Main/5000501; sid: 5000501; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] [VPN-unit] Failed to add cTCP IKE rule during bulk sync"; program: %ASA*-4-720053|%FWSM-4-720053; classtype: system-error; reference: url, wiki.quadrantsec.com/bin/view/Main/5000502; sid: 5000502; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] [VPN-unit] Failed to add new cTCP record"; program: %ASA*-4-720054|%FWSM-4-720054; classtype: system-error; reference: url, wiki.quadrantsec.com/bin/view/Main/5000503; sid: 5000503; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] [VPN-unit] VPN Stateful failover can only be run in single/non-transparent mode"; program: %ASA*-4-720055; classtype: system-error; reference: url, wiki.quadrantsec.com/bin/view/Main/5000504; sid: 5000504; rev: 3;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] [VPN-unit] Failed to update cTCP database"; program: %ASA*-4-720064|%FWSM-4-720064; classtype: system-error; reference: url, wiki.quadrantsec.com/bin/view/Main/5000505; sid: 5000505; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any 
(msg: "[CISCO-PIXASA] [VPN-unit] Failed to add new cTCP IKE rule"; program: %ASA*-4-720065|%FWSM-4-720065; classtype: system-error; reference: url, wiki.quadrantsec.com/bin/view/Main/5000506; sid: 5000506; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] [VPN-unit] Failed to activate IKE database"; program: %ASA*-4-720066|%FWSM-4-720066; classtype: system-error; reference: url, wiki.quadrantsec.com/bin/view/Main/5000507; sid: 5000507; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] [VPN-unit] Failed to deactivate IKE database"; program: %ASA*-4-720067|%FWSM-4-720067; classtype: system-error; reference: url, wiki.quadrantsec.com/bin/view/Main/5000508; sid: 5000508; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] [VPN-unit] Failed to parse peer message"; program: %ASA*-4-720068|%FWSM-4-720068; classtype: system-error; reference: url, wiki.quadrantsec.com/bin/view/Main/5000509; sid: 5000509; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] [VPN-unit] Failed to activate cTCP database"; program: %ASA*-4-720069|%FWSM-4-720069; classtype: system-error; reference: url, wiki.quadrantsec.com/bin/view/Main/5000510; sid: 5000510; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] [VPN-unit] Failed to deactivate cTCP database"; program: %ASA*-4-720070|%FWSM-4-720070; classtype: system-error; reference: url, wiki.quadrantsec.com/bin/view/Main/5000511; sid: 5000511; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] [VPN-unit] Fail to insert certificate in trust point on the standby unit"; program: %ASA*-4-720073|%FWSM-4-720073; classtype: system-error; reference: url, wiki.quadrantsec.com/bin/view/Main/5000512; sid: 5000512; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Error parsing SVC connect request"; program: %ASA*-4-722001|%FWSM-4-722001; parse_src_ip: 1; classtype: system-error; 
reference: url, wiki.quadrantsec.com/bin/view/Main/5000513; sid: 5000513; rev: 6;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Error consolidating SVC connect request."; program: %ASA*-4-722002|%FWSM-4-722002; classtype: system-error; reference: url, wiki.quadrantsec.com/bin/view/Main/5000514; sid: 5000514; rev: 4;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Error authenticating SVC connect request"; program: %ASA*-4-722003|%FWSM-4-722003; parse_src_ip: 1; classtype: unsuccessful-admin; reference: url, wiki.quadrantsec.com/bin/view/Main/5000515; sid: 5000515; rev: 5;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Error responding to SVC connect request"; program: %ASA*-4-722004|%FWSM-4-722004; classtype: system-error; reference: url, wiki.quadrantsec.com/bin/view/Main/5000516; sid: 5000516; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Bad SVC frame length length expected"; program: %ASA*-4-722016|%FWSM-4-722016; classtype: system-error; reference: url, wiki.quadrantsec.com/bin/view/Main/5000517; sid: 5000517; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Bad SVC framing 525446, reserved 0"; program: %ASA*-4-722017|%FWSM-4-722017; classtype: system-error; reference: url, wiki.quadrantsec.com/bin/view/Main/5000518; sid: 5000518; rev: 4;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Bad SVC protocol version"; program: %ASA*-4-722018|%FWSM-4-722018; classtype: system-error; reference: url, wiki.quadrantsec.com/bin/view/Main/5000519; sid: 5000519; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] CRYPTO An attempt to allocate a large memory block failed"; program: %ASA*-5-402128|%FWSM-5-402128; classtype: system-error; reference: url, wiki.quadrantsec.com/bin/view/Main/5000520; sid: 5000520; rev: 4;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] META-DATA Rekey 
initiation is being disabled during CRACK authentication"; program: %ASA*-5-713248|%FWSM-5-713248; classtype: system-error; reference: url, wiki.quadrantsec.com/bin/view/Main/5000521; sid: 5000521; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Integrity Firewall Server is not available. VPN Tunnel creation rejected for client"; program: %ASA*-5-713252; classtype: unsuccessful-user; reference: url, wiki.quadrantsec.com/bin/view/Main/5000522; sid: 5000522; rev: 3;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Integrity Firewall Server is not available. Entering ALLOW mode. VPN Tunnel created for client"; program: %ASA*-5-713253; classtype: successful-user; reference: url, wiki.quadrantsec.com/bin/view/Main/5000523; sid: 5000523; rev: 3;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] [VPN-unit] Failed to initialize default timer"; program: %ASA*-5-720016; classtype: system-error; reference: url, wiki.quadrantsec.com/bin/view/Main/5000525; sid: 5000525; rev: 3;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] [VPN-unit] Failed to update LB runtime data"; program: %ASA*-5-720017; classtype: system-error; reference: url, wiki.quadrantsec.com/bin/view/Main/5000526; sid: 5000526; rev: 3;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] [VPN-unit] Failed to get a buffer from the underlying core high availability subsystem"; program: %ASA*-5-720018; classtype: hardware-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000527; sid: 5000527; rev: 3;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] [VPN-unit] Failed to update cTCP statistics"; program: %ASA*-5-720019; classtype: system-error; reference: url, wiki.quadrantsec.com/bin/view/Main/5000528; sid: 5000528; rev: 3;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] [VPN-unit] Failed to send type timer message"; program: %ASA*-5-720020; classtype: system-error; 
reference: url, wiki.quadrantsec.com/bin/view/Main/5000529; sid: 5000529; rev: 3;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] [VPN-unit] HA non-block send failed for peer msg. HA error code."; program: %ASA*-5-720021; classtype: hardware-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000530; sid: 5000530; rev: 3;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] [VPN-unit] Fail to look up CTCP flow handle"; program: %ASA*-5-720035; classtype: system-error; reference: url, wiki.quadrantsec.com/bin/view/Main/5000531; sid: 5000531; rev: 3;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] [VPN-unit] Failed to process state update message from the active peer"; program: %ASA*-5-720036; classtype: system-error; reference: url, wiki.quadrantsec.com/bin/view/Main/5000532; sid: 5000532; rev: 3;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] [VPN-unit] Failed to update cTCP dynamic data"; program: %ASA*-5-720071; classtype: system-error; reference: url, wiki.quadrantsec.com/bin/view/Main/5000533; sid: 5000533; rev: 3;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Timeout waiting for Integrity Firewall Server to become available"; program: %ASA*-5-720072|%FWSM-5-720072; classtype: hardware-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000534; sid: 5000534; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] CRYPTO An attempt to release a DMA memory block failed, location address"; program: %ASA*-6-402129|%FWSM-6-402129; classtype: hardware-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000535; sid: 5000535; rev: 4;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] WebVPN access DENIED to specified location url"; program: %ASA*-6-716004; classtype: policy-violation; reference: url, wiki.quadrantsec.com/bin/view/Main/5000536; sid: 5000536; rev: 3;) #alert any $EXTERNAL_NET any -> $HOME_NET 
any (msg: "[CISCO-PIXASA] WebVPN ACL Parse Error"; program: %ASA*-6-716005; classtype: configuration-error; reference: url, wiki.quadrantsec.com/bin/view/Main/5000537; sid: 5000537; rev: 3;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] WebVPN session not allowed. WebVPN ACL parse error"; program: %ASA*-6-716009; classtype: configuration-error; reference: url, wiki.quadrantsec.com/bin/view/Main/5000538; sid: 5000538; rev: 3;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Reboot pending, new sessions disabled. Denied user login"; program: %ASA*-6-716040|%FWSM-6-716040; classtype: hardware-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000539; sid: 5000539; rev: 4;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Error adding to ACL"; program: %ASA*-6-716050|%FWSM-6-716050; classtype: configuration-error; reference: url, wiki.quadrantsec.com/bin/view/Main/5000540; sid: 5000540; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Error adding dynamic ACL for user"; program: %ASA*-6-716051|%FWSM-6-716051; classtype: unsuccessful-user; reference: url, wiki.quadrantsec.com/bin/view/Main/5000541; sid: 5000541; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Email Proxy feature is disabled on interface"; program: %ASA*-6-719010|%FWSM-6-719010; classtype: system-error; reference: url, wiki.quadrantsec.com/bin/view/Main/5000542; sid: 5000542; rev: 4;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] WebVPN authorization failed"; program: %ASA*-6-719019; classtype: unsuccessful-user; reference: url, wiki.quadrantsec.com/bin/view/Main/5000543; sid: 5000543; rev: 3;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] WebVPN authorization completed successfully"; program: %ASA*-6-719020; classtype: successful-user; reference: url, wiki.quadrantsec.com/bin/view/Main/5000544; sid: 5000544; rev: 3;) alert any 
$EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] WebVPN has not been successfully authenticated. Access denied"; program: %ASA*-6-719023; classtype: unsuccessful-user; reference: url, wiki.quadrantsec.com/bin/view/Main/5000545; sid: 5000545; rev: 3;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Email Proxy piggyback auth fail session"; program: %ASA*-6-719024; classtype: unsuccessful-user; reference: url, wiki.quadrantsec.com/bin/view/Main/5000546; sid: 5000546; rev: 3;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Email Proxy DNS name resolution failed for hostname"; program: %ASA*-6-719025; classtype: configuration-error; reference: url, wiki.quadrantsec.com/bin/view/Main/5000547; sid: 5000547; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] [VPN-unit] Starting VPN Stateful Failover Subsystem"; program: %ASA*-6-720002; classtype: hardware-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000548; sid: 5000548; rev: 3;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] [VPN-unit] Initialization of VPN Stateful Failover Component completed successfully"; program: %ASA*-6-720003; classtype: hardware-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000549; sid: 5000549; rev: 3;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] [VPN-unit] VPN failover main thread started"; program: %ASA*-6-720004; classtype: hardware-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000550; sid: 5000550; rev: 3;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] [VPN-unit] VPN failover timer thread started"; program: %ASA*-6-720005; classtype: hardware-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000551; sid: 5000551; rev: 3;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] [VPN-unit] VPN failover sync thread started"; program: %ASA*-6-720006; classtype: hardware-event; reference: url, 
wiki.quadrantsec.com/bin/view/Main/5000552; sid: 5000552; rev: 3;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] [VPN-unit] VPN failover client is being disabled"; program: %ASA*-6-720010; classtype: hardware-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000553; sid: 5000553; rev: 3;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] [VPN-unit] Failed to update IPSec failover runtime data on the standby unit"; program: %ASA*-6-720012; classtype: hardware-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000554; sid: 5000554; rev: 3;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] [VPN-unit] VPN failover client is transitioning to active state"; program: %ASA*-6-720039; classtype: hardware-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000555; sid: 5000555; rev: 3;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] [VPN-unit] VPN failover client is transitioning to standby state"; program: %ASA*-6-720040; classtype: hardware-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000556; sid: 5000556; rev: 3;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] [VPN-unit] VPN Stateful failover Message Thread is being disabled"; program: %ASA*-6-720056; classtype: hardware-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000557; sid: 5000557; rev: 3;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] [VPN-unit] VPN Stateful failover Timer Thread is disabled"; program: %ASA*-6-720058; classtype: hardware-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000559; sid: 5000559; rev: 3;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] [VPN-unit] VPN Stateful failover Sync Thread is disabled."; program: %ASA*-6-720060; classtype: system-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000561; sid: 5000561; rev: 3;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: 
"[CISCO-PIXASA] SVC Global Compression Disabled"; program: %ASA*-6-722025|%FWSM-6-722025; classtype: hardware-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000563; sid: 5000563; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Device failed SSL handshake"; program: %ASA*-6-725006|%FWSM-6-725006; classtype: network-event; parse_src_ip: 1; reference: url, wiki.quadrantsec.com/bin/view/Main/5000564; sid: 5000564; rev: 5;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Failed to inject {TCP|UDP} packet"; program: %ASA*-7-421004|%FWSM-7-421004; classtype: system-error; reference: url, wiki.quadrantsec.com/bin/view/Main/5000565; sid: 5000565; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] File access DENIED, filename"; program: %ASA*-7-716021|%FWSM-7-716021; classtype: policy-violation; reference: url, wiki.quadrantsec.com/bin/view/Main/5000566; sid: 5000566; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Unable to browse the network"; program: %ASA*-7-716024|%FWSM-7-716024; classtype: policy-violation; reference: url, wiki.quadrantsec.com/bin/view/Main/5000567; sid: 5000567; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Unable to browse domain domain"; program: %ASA*-7-716025|%FWSM-7-716025; classtype: policy-violation; reference: url, wiki.quadrantsec.com/bin/view/Main/5000568; sid: 5000568; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Unable to browse directory"; program: %ASA*-7-716026|%FWSM-7-716026; classtype: policy-violation; reference: url, wiki.quadrantsec.com/bin/view/Main/5000569; sid: 5000569; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Unable to view file"; program: %ASA*-7-716027|%FWSM-7-716027; classtype: policy-violation; reference: url, wiki.quadrantsec.com/bin/view/Main/5000570; sid: 5000570; rev: 4;) #alert any $EXTERNAL_NET any -> 
$HOME_NET any (msg: "[CISCO-PIXASA] Unable to remove file"; program: %ASA*-7-716028|%FWSM-7-716028; classtype: policy-violation; reference: url, wiki.quadrantsec.com/bin/view/Main/5000571; sid: 5000571; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Unable to rename file"; program: %ASA*-7-716029|%FWSM-7-716029; classtype: policy-violation; reference: url, wiki.quadrantsec.com/bin/view/Main/5000572; sid: 5000572; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Unable to modify file"; program: %ASA*-7-716030|%FWSM-7-716030; classtype: policy-violation; reference: url, wiki.quadrantsec.com/bin/view/Main/5000573; sid: 5000573; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Unable to create file"; program: %ASA*-7-716031|%FWSM-7-716031; classtype: policy-violation; reference: url, wiki.quadrantsec.com/bin/view/Main/5000574; sid: 5000574; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Unable to create folder"; program: %ASA*-7-716032|%FWSM-7-716032; classtype: policy-violation; reference: url, wiki.quadrantsec.com/bin/view/Main/5000575; sid: 5000575; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Unable to remove folder"; program: %ASA*-7-716033|%FWSM-7-716033; classtype: policy-violation; reference: url, wiki.quadrantsec.com/bin/view/Main/5000576; sid: 5000576; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] File Access User failed to login into the server"; program: %ASA*-7-716037|%FWSM-7-716037; classtype: unsuccessful-user; reference: url, wiki.quadrantsec.com/bin/view/Main/5000577; sid: 5000577; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] SVC Session Termination"; program: %ASA*-7-722030|%FWSM-7-722030; classtype: not-suspicious; reference: url, wiki.quadrantsec.com/bin/view/Main/5000579; sid: 5000579; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any 
(msg: "[CISCO-PIXASA] SVC Session Termination Out"; program: %ASA*-7-722031|%FWSM-7-722031; parse_src_ip: 1; classtype: not-suspicious; reference: url, wiki.quadrantsec.com/bin/view/Main/5000580; sid: 5000580; rev: 5;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] WebVPN Citrix encountered bad flow control flow"; program: %ASA*-7-723004; classtype: network-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000581; sid: 5000581; rev: 3;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] WebVPN Citrix SOCKS errors"; program: %ASA*-7-723006; classtype: network-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000582; sid: 5000582; rev: 3;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] WebVPN Citrix receives bad SOCKS socks message length"; program: %ASA*-7-723011; classtype: network-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000583; sid: 5000583; rev: 3;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] WebVPN Citrix received bad SOCKS socks message format"; program: %ASA*-7-723012; classtype: network-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000584; sid: 5000584; rev: 3;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] SSL lib error"; program: %ASA*-7-725014|%FWSM-7-725014 ; classtype: system-error; reference: url, wiki.quadrantsec.com/bin/view/Main/5000585; sid: 5000585; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Dynamic DNS Update failed"; program: %ASA*-3-331001|%PIX-3-331001|%FWSM-3-331001 ; classtype: system-error; reference: url, wiki.quadrantsec.com/bin/view/Main/5000586; sid: 5000586; rev: 4;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Switching to ACTIVE";program: %ASA*-1-104001|%FWSM-1-104001; classtype: hardware-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000587; sid: 5000587; rev: 4;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: 
"[CISCO-PIXASA]%PIX|ASA-1-104002 [Primary] Switching to STNDBY [cause string]."; program: %ASA*-1-104002|%FWSM-1-104002; classtype: hardware-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000588; sid: 5000588; rev: 4;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA]%PIX|ASA-1-104003 [Primary] Switching to FAILED"; program: %ASA*-1-104003|%FWSM-1-104003; classtype: hardware-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000589; sid: 5000589; rev: 4;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA]%PIX|ASA-1-104004 [Primary] Switching to OK."; program: %ASA*-1-104004|%FWSM-1-104004; classtype: hardware-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000590; sid: 5000590; rev: 4;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA]%PIX|ASA-1-105037 The primary and standby units are switching back and forth as the active unit"; program: %ASA*-1-105037|%FWSM-1-105037; classtype: hardware-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000591; sid: 5000591; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Failed Identification Test"; program: %ASA*-2-218004|%PIX-2-218004|%FWSM-2-218004; classtype: hardware-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000592; sid: 5000592; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] [Primary] Failover cable OK"; program: %ASA*-1-101001|%PIX-1-101001; classtype: hardware-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000595; sid: 5000595; rev: 3;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] [Primary] Bad failover cable"; program: %ASA*-1-101002|%PIX-1-101002; classtype: hardware-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000596; sid: 5000596; rev: 3;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] [Primary] Failover cable not connected [this unit]"; program: %ASA*-1-101003|%PIX-1-101003; 
classtype: hardware-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000597; sid: 5000597; rev: 3;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] [Primary] Failover cable not connected [other unit]"; program: %ASA*-1-101004|%PIX-1-101004; classtype: hardware-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000598; sid: 5000598; rev: 3;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] [Primary] Error reading failover cable status"; program: %ASA*-1-101005|%PIX-1-101005; classtype: hardware-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000599; sid: 5000599; rev: 3;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] [Primary] Power failure/System reload other side"; program: %ASA*-1-102001|%PIX-1-102001|%FWSM-1-102001; classtype: hardware-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000600; sid: 5000600; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] [Primary] No response from other firewall"; program: %ASA*-1-103001|%PIX-1-103001|%FWSM-1-103001; classtype: hardware-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000601; sid: 5000601; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] [Primary] Other firewall network interface OK"; program: %ASA*-1-103002|%PIX-1-103002|%FWSM-1-103002; classtype: hardware-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000602; sid: 5000602; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] [Primary] Other firewall network interface failed"; program: %ASA*-1-103003|%PIX-1-103003|%FWSM-1-103003; classtype: hardware-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000603; sid: 5000603; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] [Primary] Other firewall reports this firewall failed"; program: %ASA*-1-103004|%PIX-1-103004|%FWSM-1-103004; classtype: hardware-event; reference: url, 
wiki.quadrantsec.com/bin/view/Main/5000604; sid: 5000604; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] [Primary] Other firewall reporting failure"; program: %ASA*-1-103005|%PIX-1-103005|%FWSM-1-103005; classtype: hardware-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000605; sid: 5000605; rev: 4;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] [Primary] Switching to ACTIVE"; program: %ASA*-1-104001|%PIX-1-104001|%FWSM-1-104001; classtype: hardware-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000606; sid: 5000606; rev: 4;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] [Primary] Switching to STNDBY"; program: %ASA*-1-104002|%PIX-1-104002|%FWSM-1-104002; classtype: hardware-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000607; sid: 5000607; rev: 4;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] [Primary] Switching to FAILED"; program: %ASA*-1-104003|%PIX-1-104003|%FWSM-1-104003; classtype: hardware-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000608; sid: 5000608; rev: 4;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] [Primary] Switching to OK"; program: %ASA*-1-104004|%PIX-1-104004|%FWSM-1-104004; classtype: hardware-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000609; sid: 5000609; rev: 4;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] [Primary] Disabling failover"; program: %ASA*-1-105001|%PIX-1-105001|%FWSM-1-105001; classtype: hardware-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000610; sid: 5000610; rev: 4;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] [Primary] Enabling failover"; program: %ASA*-1-105002|%PIX-1-105002|%FWSM-1-105002; classtype: hardware-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000611; sid: 5000611; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] [Primary] Lost 
Failover communications with mate on interface"; program: %ASA*-1-105005|%PIX-1-105005|%FWSM-1-105005; classtype: hardware-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000612; sid: 5000612; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] [Primary] Failover cable communication failure"; program: %ASA*-1-105011|%PIX-1-105011; pcre: "/%PIX-|%ASA*-/"; classtype: hardware-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000614; sid: 5000614; rev: 3;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] [failover_unit] Standby unit failed to sync due to a locked config"; program: %ASA*-1-105021|%PIX-1-105021|%FWSM-1-105021; classtype: system-error; reference: url, wiki.quadrantsec.com/bin/view/Main/5000615; sid: 5000615; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Failover LAN interface is up"; program: %ASA*-1-105031|%PIX-1-105031; classtype: hardware-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000616; sid: 5000616; rev: 3;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] LAN Failover interface is down"; program: %ASA*-1-105032|%PIX-1-105032; classtype: hardware-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000617; sid: 5000617; rev: 3;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Receive a LAN_FAILOVER_UP message from peer"; program: %ASA*-1-105034|%PIX-1-105034; classtype: hardware-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000618; sid: 5000618; rev: 3;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Receive a LAN failover interface down msg from peer"; program: %ASA*-1-105035|%PIX-1-105035; classtype: hardware-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000619; sid: 5000619; rev: 3;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] dropped a LAN Failover command message"; program: %ASA*-1-105036|%PIX-1-105036; classtype: 
hardware-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000620; sid: 5000620; rev: 3;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] [Primary] Unable to verify the Interface count with mate. Failover may be disabled in mate"; program: %ASA*-1-105039|%PIX-1-105039; classtype: hardware-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000621; sid: 5000621; rev: 3;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] [Primary] Mate failover version is not compatible"; program: %ASA*-1-105040|%PIX-1-105040; classtype: hardware-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000622; sid: 5000622; rev: 3;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] [Primary] Failover interface OK"; program: %ASA*-1-105042|%PIX-1-105042; classtype: hardware-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000623; sid: 5000623; rev: 3;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] [Primary] Failover interface failed"; program: %ASA*-1-105043|%PIX-1-105043; classtype: hardware-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000624; sid: 5000624; rev: 3;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Deny protocol reverse path check"; program: %ASA*-1-106021|%PIX-1-106021|%FWSM-1-106021; classtype: network-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000625; sid: 5000625; rev: 4;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Deny protocol connection spoof"; program: %ASA*-1-106022|%PIX-1-106022|%FWSM-1-106022; classtype: suspicious-traffic; reference: url, wiki.quadrantsec.com/bin/view/Main/5000626; sid: 5000626; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] The number of ACL log deny-flows has reached limit"; program: %ASA*-1-106101|%PIX-1-106101|%FWSM-1-106101; classtype: system-error; reference: url, wiki.quadrantsec.com/bin/view/Main/5000627; sid: 5000627; rev: 
3;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] RIP auth failed"; program: %ASA*-1-107001|%PIX-1-107001|%FWSM-1-107001; classtype: unsuccessful-admin; reference: url, wiki.quadrantsec.com/bin/view/Main/5000628; sid: 5000628; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] RIP pkt failed"; program: %ASA*-1-107002|%PIX-1-107002|%FWSM-1-107002; classtype: system-error; reference: url, wiki.quadrantsec.com/bin/view/Main/5000629; sid: 5000629; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Inbound TCP connection denied"; program: %ASA*-2-106001|%PIX-2-106001|%FWSM-2-106001; default_proto: tcp; classtype: suspicious-traffic; reference: url, wiki.quadrantsec.com/bin/view/Main/5000631; sid: 5000631; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Connection denied by outbound ACL"; program: %ASA*-2-106002|%PIX-2-106002|%FWSM-2-106002; classtype: suspicious-traffic; reference: url, wiki.quadrantsec.com/bin/view/Main/5000632; sid: 5000632; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Deny inbound UDP"; program: %ASA*-2-106006|%PIX-2-106006|%FWSM-2-106006; default_proto: udp; classtype: suspicious-traffic; normalize; reference: url, wiki.quadrantsec.com/bin/view/Main/5000633; sid: 5000633; rev: 5;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Deny inbound UDP from outside due to DNS {Response|Query}"; program: %ASA*-2-106007|%PIX-2-106007|%FWSM-2-106007; default_proto: udp; default_dst_port: $DNS_PORT; classtype: suspicious-traffic; reference: url, wiki.quadrantsec.com/bin/view/Main/5000634; sid: 5000634; rev: 5;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Dropping echo request"; program: %ASA*-2-106013|%PIX-2-106013|%FWSM-2-106013; default_proto: icmp; classtype: suspicious-traffic; reference: url, wiki.quadrantsec.com/bin/view/Main/5000635; sid: 5000635; rev: 4;) alert any $EXTERNAL_NET 
any -> $HOME_NET any (msg: "[CISCO-PIXASA] Deny IP spoof [0/1]"; program: %ASA*-2-106016|%PIX-2-106016|%FWSM-2-106016; classtype: suspicious-traffic; threshold: type limit, track by_src, count 1, seconds 300; reference: url, wiki.quadrantsec.com/bin/view/Main/5000636; sid: 5000636; rev: 8;) # Land attacks (1997) are typically caused by configurations and are noisy. This rule has been disabled by default. # Champ Clark - 2017/05/25 #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Deny IP due to Land Attack [0/1]"; program: %ASA*-2-106017|%PIX-2-106017|%FWSM-2-106017; default_proto: tcp; classtype: suspicious-traffic; threshold: type limit, track by_src, count 1, seconds 300; reference: url, wiki.quadrantsec.com/bin/view/Main/5000637; sid: 5000637; rev: 6;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] ICMP denied by outbound ACL"; program: %ASA*-2-106018|%PIX-2-106018|%FWSM-2-106018; default_proto: icmp; classtype: network-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000638; sid: 5000638; rev: 4;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Deny IP teardrop fragment [0/1]"; program: %ASA*-2-106020|%PIX-2-106020|%FWSM-2-106020; classtype: network-event; threshold: type limit, track by_src, count 1, seconds 300; reference: url, wiki.quadrantsec.com/bin/view/Main/5000639; parse_src_ip: 1; sid: 5000639; rev: 7;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Bad route_compress"; program: %ASA*-2-215001|%PIX-2-215001|%FWSM-2-215001; classtype: system-error; reference: url, wiki.quadrantsec.com/bin/view/Main/5000640; sid: 5000640; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Failed Identification Test in slot"; program: %ASA*-2-218001|%PIX-2-218001|%FWSM-2-218001; classtype: hardware-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000641; sid: 5000641; rev: 4;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Dropped 
DNS responses with mis-matched id"; program: %ASA*-2-410002|%PIX-2-410002|%FWSM-2-410002; default_proto: udp; default_dst_port: $DNS_PORT; classtype: suspicious-traffic; reference: url, wiki.quadrantsec.com/bin/view/Main/5000642; sid: 5000642; rev: 5;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Configuration replication failed for command"; program: %ASA*-2-709007|%PIX-2-709007|%FWSM-2-709007; classtype: configuration-error ; reference: url, wiki.quadrantsec.com/bin/view/Main/5000643; sid: 5000643; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Unexpected event"; program: %ASA*-2-717011|%PIX-2-717011|%FWSM-2-717011; classtype: system-error; reference: url, wiki.quadrantsec.com/bin/view/Main/5000644; sid: 5000644; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] [Primary] Failover message block alloc failed"; program: %ASA*-3-105010|%PIX-3-105010|%FWSM-3-105010; classtype: hardware-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000645; sid: 5000645; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Deny inbound protocol"; program: %ASA*-3-106010|%PIX-3-106010|%FWSM-3-106010; classtype: network-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000646; sid: 5000646; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Deny inbound [No xlate]"; program: %ASA*-3-106011|%PIX-3-106011|%FWSM-3-106011; classtype: network-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000647; sid: 5000647; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Deny inbound ICMP"; program: %ASA*-3-106014|%PIX-3-106014|%FWSM-3-106014; default_proto: icmp; classtype: network-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000648; sid: 5000648; rev: 4;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Auth from inside to outside failed [too many pending auths]"; program: 
%ASA*-3-109010|%PIX-3-109010|%FWSM-3-109010; classtype: unsuccessful-user; reference: url, wiki.quadrantsec.com/bin/view/Main/5000649; sid: 5000649; rev: 4;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Can't find authorization ACL for user"; program: %ASA*-3-109016|%PIX-3-109016|%FWSM-3-109016; classtype: unsuccessful-user; reference: url, wiki.quadrantsec.com/bin/view/Main/5000650; sid: 5000650; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Downloaded ACL has parsing error"; program: %ASA*-3-109019|%PIX-3-109019|%FWSM-3-109019; classtype: configuration-error; reference: url, wiki.quadrantsec.com/bin/view/Main/5000651; sid: 5000651; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Downloaded ACL has config error"; program: %ASA*-3-109020|%PIX-3-109020|%FWSM-3-109020; classtype: configuration-error; reference: url, wiki.quadrantsec.com/bin/view/Main/5000652; sid: 5000652; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Unable to install ACL, downloaded for user"; program: %ASA*-3-109032|%PIX-3-109032|%FWSM-3-109032; classtype: configuration-error; reference: url, wiki.quadrantsec.com/bin/view/Main/5000653; sid: 5000653; rev: 4;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Kerberos error. 
Clock skew with server greater than 300 seconds"; program: %ASA*-3-113020|%PIX-3-113020|%FWSM-3-109020; classtype: configuration-error; reference: url, wiki.quadrantsec.com/bin/view/Main/5000654; sid: 5000654; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] FTP data connection failed"; program: %ASA*-3-201005|%PIX-3-201005|%FWSM-3-201005; default_proto: tcp; default_dst_port: $FTP_PORT; classtype: network-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000655; sid: 5000655; rev: 5;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] RCMD backconnection failed "; program: %ASA*-3-201006|%PIX-3-201006|%FWSM-3-201006; default_proto: tcp; default_dst_port: 514; classtype: suspicious-traffic; reference: url, wiki.quadrantsec.com/bin/view/Main/5000656; sid: 5000656; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] LU sw_module_name error"; program: %ASA*-3-210001|%PIX-3-210001|%FWSM-3-210001; classtype: hardware-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000657; sid: 5000657; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] LU allocate block [bytes] failed"; program: %ASA*-3-210002|%PIX-3-210002|%FWSM-3-210002; classtype: system-error; reference: url, wiki.quadrantsec.com/bin/view/Main/5000658; sid: 5000658; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] LU allocate connection failed"; program: %ASA*-3-210005|%PIX-3-210005|%FWSM-3-210005; classtype: network-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000659; sid: 5000659; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] LU look NAT failed"; program: %ASA*-3-210006|%PIX-3-210006|%FWSM-3-210006; classtype: system-error; reference: url, wiki.quadrantsec.com/bin/view/Main/5000660; sid: 5000660; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] LU allocate xlate failed"; program: 
%ASA*-3-210007|%PIX-3-210007|%FWSM-3-210007; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000661; sid: 5000661; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] LU make UDP connection for outside to inside failed"; program: %ASA*-3-210010|%PIX-3-210010|%FWSM-3-210010; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000662; sid: 5000662; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] LU PAT port reserve failed"; program: %ASA*-3-210020|%PIX-3-210020|%FWSM-3-210020; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000663; sid: 5000663; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] LU create static xlate interface failed"; program: %ASA*-3-210021|%PIX-3-210021|%FWSM-3-210021; classtype: system-error; reference: url, wiki.quadrantsec.com/bin/view/Main/5000664; sid: 5000664; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Memory allocation Error"; program: %ASA*-3-211001|%PIX-3-211001|%FWSM-3-211001; classtype: hardware-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000665; sid: 5000665; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Unable to open SNMP channel"; program: %ASA*-3-212001|%PIX-3-212001|%FWSM-3-212001; classtype: system-error; reference: url, wiki.quadrantsec.com/bin/view/Main/5000666; sid: 5000666; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Unable to open SNMP trap channel"; program: %ASA*-3-212002|%PIX-3-212002|%FWSM-3-212002; classtype: system-error; reference: url, wiki.quadrantsec.com/bin/view/Main/5000667; sid: 5000667; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Unable to receive an SNMP request on interface"; program: %ASA*-3-212003|%PIX-3-212003|%FWSM-3-212003; default_proto: udp; default_dst_port: $SNMP_PORT; classtype: network-event; 
reference: url, wiki.quadrantsec.com/bin/view/Main/5000668; sid: 5000668; rev: 5;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Unable to send an SNMP response"; program: %ASA*-3-212004|%PIX-3-212004|%FWSM-3-212004; default_proto: udp; default_dst_port: $SNMP_PORT; classtype: system-error; reference: url, wiki.quadrantsec.com/bin/view/Main/5000669; sid: 5000669; rev: 5;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Dropping SNMP request"; program: %ASA*-3-212006|%PIX-3-212006|%FWSM-3-212006; default_proto: udp; default_dst_port: $SNMP_PORT; classtype: network-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000670; sid: 5000670; rev: 5;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] PPTP tunnel hashtable insert failed"; program: %ASA*-3-213002|%PIX-3-213002|%FWSM-3-213002; classtype: network-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000671; sid: 5000671; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] PPP virtual interface client ip allocation failed"; program: %ASA*-3-213004|%PIX-3-213004|%FWSM-3-213004; classtype: system-error; reference: url, wiki.quadrantsec.com/bin/view/Main/5000672; sid: 5000672; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] H.323 library_name ASN Library failed to initialize"; program: %ASA*-3-302019|%PIX-3-302019|%FWSM-3-302019; classtype: system-error; reference: url, wiki.quadrantsec.com/bin/view/Main/5000673; sid: 5000673; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] ACL = deny no sa created"; program: %ASA*-3-302302|%PIX-3-302302|%FWSM-3-302302; classtype: system-error; reference: url, wiki.quadrantsec.com/bin/view/Main/5000674; sid: 5000674; rev: 5;) # Disabled on 04/12/2014 - Considered too noisy & of little value (Champ Clark III) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] {outbound static|identity|portmap|regular] translation 
creation failed"; program: %ASA*-3-305006|%PIX-3-305006|%FWSM-3-305006; classtype: system-error; reference: url, wiki.quadrantsec.com/bin/view/Main/5000675; sid: 5000675; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Denied ICMP"; program: %ASA*-3-313001|%PIX-3-313001|%FWSM-3-313001; default_proto: icmp; classtype: network-event; normalize; reference: url, wiki.quadrantsec.com/bin/view/Main/5000676; sid: 5000676; rev: 6;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Denied ICMPv6"; program: %ASA*-3-313008|%PIX-3-313008|%FWSM-3-313008; default_proto: icmp; classtype: network-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000677; sid: 5000677; rev: 4;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Fail to establish SSH session because RSA host key retrieval failed"; program: %ASA*-3-315004|%PIX-3-315004|%FWSM-3-315004; default_proto: tcp; default_dst_port: $SSH_PORT; classtype: unsuccessful-user; reference: url, wiki.quadrantsec.com/bin/view/Main/5000678; sid: 5000678; rev: 5;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Denied new tunnel limit exceeded"; program: %ASA*-3-316001|%PIX-3-316001|%FWSM-3-316001; classtype: unsuccessful-user; reference: url, wiki.quadrantsec.com/bin/view/Main/5000679; sid: 5000679; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] IP routing table creation failure"; program: %ASA*-3-317003|%PIX-3-317003|%FWSM-3-317003; classtype: network-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000681; sid: 5000681; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Internal error"; program: %ASA*-3-318001|%PIX-3-318001|%FWSM-3-318001; classtype: system-error; reference: url, wiki.quadrantsec.com/bin/view/Main/5000682; sid: 5000682; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Arp update for IP address address to NPn failed"; program: 
%ASA*-3-319003|%PIX-3-319003|%FWSM-3-319003; classtype: system-error; reference: url, wiki.quadrantsec.com/bin/view/Main/5000683; sid: 5000683; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Route update for IP address failed"; program: %ASA*-3-319004|%PIX-3-319004|%FWSM-3-319004; classtype: system-error; reference: url, wiki.quadrantsec.com/bin/view/Main/5000684; sid: 5000684; rev: 4;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Deny MAC address possible spoof attempt"; program: %ASA*-3-322001|%PIX-3-322001|%FWSM-3-322001; classtype: suspicious-traffic; reference: url, wiki.quadrantsec.com/bin/view/Main/5000685; sid: 5000685; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] ARP inspection check failed [1]"; program: %ASA*-3-322002|%PIX-3-322002|%FWSM-3-322002; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000686; sid: 5000686; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] ARP inspection check failed [2]"; program: %ASA*-3-322003|%PIX-3-322003|%FWSM-3-322003; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000687; sid: 5000687; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] GSN tunnel limit exceeded"; program: %ASA*-3-324006|%PIX-3-324006|%FWSM-3-324006; classtype: system-error; reference: url, wiki.quadrantsec.com/bin/view/Main/5000690; sid: 5000690; rev: 4;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Radius Accounting Request has a bad header length"; program: %ASA*-3-324301|%PIX-3-324301|%FWSM-3-324301; classtype: system-error; reference: url, wiki.quadrantsec.com/bin/view/Main/5000691; sid: 5000691; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Unexpected error in the timer library"; program: %ASA*-3-326001|%PIX-3-326001|%FWSM-3-326001; classtype: system-error; reference: url, 
wiki.quadrantsec.com/bin/view/Main/5000692; sid: 5000692; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Error"; program: %ASA*-3-326002|%PIX-3-326002|%FWSM-3-326002; classtype: system-error; reference: url, wiki.quadrantsec.com/bin/view/Main/5000693; sid: 5000693; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] An internal error occurred while processing a packet queue"; program: %ASA*-3-326004|%PIX-3-326004|%FWSM-3-326004; classtype: system-error; reference: url, wiki.quadrantsec.com/bin/view/Main/5000694; sid: 5000694; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Mrib notification failed"; program: %ASA*-3-326005|%PIX-3-326005|%FWSM-3-326005; classtype: system-error; reference: url, wiki.quadrantsec.com/bin/view/Main/5000695; sid: 5000695; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Entry-creation failed"; program: %ASA*-3-326006|%PIX-3-326006|%FWSM-3-326006; classtype: system-error; reference: url, wiki.quadrantsec.com/bin/view/Main/5000696; sid: 5000696; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Entry-update failed"; program: %ASA*-3-326007|%PIX-3-326007|%FWSM-3-326007; classtype: system-error; reference: url, wiki.quadrantsec.com/bin/view/Main/5000697; sid: 5000697; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] MRIB registration failed"; program: %ASA*-3-326008|%PIX-3-326008|%FWSM-3-326008; classtype: system-error; reference: url, wiki.quadrantsec.com/bin/view/Main/5000698; sid: 5000698; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] MRIB connection-open failed"; program: %ASA*-3-326009|%PIX-3-326009|%FWSM-3-326009; classtype: system-error; reference: url, wiki.quadrantsec.com/bin/view/Main/5000699; sid: 5000699; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] MRIB unbind failed"; program: 
%ASA*-3-326010|%PIX-3-326010|%FWSM-3-326010; classtype: system-error; reference: url, wiki.quadrantsec.com/bin/view/Main/5000700; sid: 5000700; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] MRIB table deletion failed"; program: %ASA*-3-326011|%PIX-3-326011|%FWSM-3-326011; classtype: system-error; reference: url, wiki.quadrantsec.com/bin/view/Main/5000701; sid: 5000701; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Initialization of string functionality failed"; program: %ASA*-3-326012|%PIX-3-326012|%FWSM-3-326012; classtype: system-error; reference: url, wiki.quadrantsec.com/bin/view/Main/5000702; sid: 5000702; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Internal error"; program: %ASA*-3-326013|%PIX-3-326013|%FWSM-3-326013; classtype: system-error; reference: url, wiki.quadrantsec.com/bin/view/Main/5000703; sid: 5000703; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Initialization failed"; program: %ASA*-3-326014|%PIX-3-326014|%FWSM-3-326014; classtype: system-error; reference: url, wiki.quadrantsec.com/bin/view/Main/5000704; sid: 5000704; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Communication error"; program: %ASA*-3-326015|%PIX-3-326015|%FWSM-3-326015; classtype: hardware-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000705; sid: 5000705; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Failed to set un-numbered interface"; program: %ASA*-3-326016|%PIX-3-326016|%FWSM-3-326016; classtype: system-error; reference: url, wiki.quadrantsec.com/bin/view/Main/5000706; sid: 5000706; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Interface Manager error"; program: %ASA*-3-326017|%PIX-3-326017|%FWSM-3-326017; classtype: system-error; reference: url, wiki.quadrantsec.com/bin/view/Main/5000707; sid: 5000707; rev: 4;) #alert any $EXTERNAL_NET any 
-> $HOME_NET any (msg: "[CISCO-PIXASA] List error"; program: %ASA*-3-326020|%PIX-3-326020|%FWSM-3-326020; classtype: system-error; reference: url, wiki.quadrantsec.com/bin/view/Main/5000708; sid: 5000708; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Error"; program: %ASA*-3-326021|%PIX-3-326021|%FWSM-3-326021; classtype: system-error; reference: url, wiki.quadrantsec.com/bin/view/Main/5000709; sid: 5000709; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Error"; program: %ASA*-3-326022|%PIX-3-326022|%FWSM-3-326022; classtype: system-error; reference: url, wiki.quadrantsec.com/bin/view/Main/5000710; sid: 5000710; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] An internal error occurred while processing a packet queue"; program: %ASA*-3-326024|%PIX-3-326024|%FWSM-3-326024; classtype: system-error; reference: url, wiki.quadrantsec.com/bin/view/Main/5000711; sid: 5000711; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Server unexpected error"; program: %ASA*-3-326026|%PIX-3-326026|%FWSM-3-326026; classtype: system-error; reference: url, wiki.quadrantsec.com/bin/view/Main/5000712; sid: 5000712; rev: 4;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Corrupted update"; program: %ASA*-3-326027|%PIX-3-326027|%FWSM-3-326027; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000713; sid: 5000713; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Asynchronous error"; program: %ASA*-3-326028|%PIX-3-326028|%FWSM-3-326028; classtype: system-error; reference: url, wiki.quadrantsec.com/bin/view/Main/5000714; sid: 5000714; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] IP SLA Monitor Failed to initialize, will not work"; program: %ASA*-3-327002|%PIX-3-327002|%FWSM-3-327002; classtype: system-error; reference: url, wiki.quadrantsec.com/bin/view/Main/5000715; sid: 
5000715; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] IP SLA Monitor Generic Timer wheel timer functionality failed to initialize"; program: %ASA*-3-327003|%PIX-3-327003|%FWSM-3-327003; classtype: system-error; reference: url, wiki.quadrantsec.com/bin/view/Main/5000716; sid: 5000716; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] PPPoE - Bad host-unique in PADO - packet dropped"; program: %ASA*-3-403501|%PIX-3-403501|%FWSM-3-403501; classtype: network-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000717; sid: 5000717; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] PPPoE - Bad host-unique in PADS - dropping packet"; program: %ASA*-3-403502|%PIX-3-403502|%FWSM-3-403502; classtype: network-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000718; sid: 5000718; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] PPPoEPPPoE client on interface failed to locate PPPoE vpdn group"; program: %ASA*-3-403507|%PIX-3-403507|%FWSM-3-403507; classtype: system-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000719; sid: 5000719; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Failed to save logging buffer using filename to FTP server"; program: %ASA*-3-414001|%PIX-3-414001|%FWSM-3-414001; default_proto: tcp; default_dst_port: $FTP_PORT; classtype: system-error; reference: url, wiki.quadrantsec.com/bin/view/Main/5000720; sid: 5000720; rev: 5;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Failed to save logging buffer to flash or syslog directory using file name filename"; program: %ASA*-3-414002|%PIX-3-414002|%FWSM-3-414002; classtype: system-error; reference: url, wiki.quadrantsec.com/bin/view/Main/5000721; sid: 5000721; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] NTP daemon Packet denied"; program: %ASA*-3-610001|%PIX-3-610001; classtype: 
network-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000722; sid: 5000722; rev: 3;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] NTP daemon Authentication failed"; program: %ASA*-3-610002|%PIX-3-610002|%FWSM-3-610002; classtype: unsuccessful-user; reference: url, wiki.quadrantsec.com/bin/view/Main/5000723; sid: 5000723; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] VPNClient Backup Server List Error"; program: %ASA*-3-611313|%PIX-3-611313; classtype: system-error; reference: url, wiki.quadrantsec.com/bin/view/Main/5000724; sid: 5000724; rev: 3;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Error processing payload"; program: %ASA*-3-713048|%PIX-3-713048|%FWSM-3-713048; parse_src_ip: 1; parse_dst_ip: 2; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000725; sid: 5000725; rev: 6;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Tunnel Rejected User matched with group name, check failed"; program: %ASA*-3-713059|%PIX-3-713059; classtype: unsuccessful-user; reference: url, wiki.quadrantsec.com/bin/view/Main/5000726; sid: 5000726; rev: 3;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Tunnel Rejected User not member of group, check failed"; program: %ASA*-3-713060|%PIX-3-713060; classtype: unsuccessful-user; reference: url, wiki.quadrantsec.com/bin/view/Main/5000727; sid: 5000727; rev: 3;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Failed to retrieve identity certificate"; program: %ASA*-3-713082|%PIX-3-713082; classtype: network-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000728; sid: 5000728; rev: 3;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Set Cert filehandle failure no IPSec SA in group"; program: %ASA*-3-713088|%PIX-3-713088; classtype: system-error; reference: url, wiki.quadrantsec.com/bin/view/Main/5000729; sid: 5000729; rev: 3;) #alert any 
$EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Request attempt failed!"; program: %ASA*-3-713107|%PIX-3-713107; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000730; sid: 5000730; rev: 3;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Failed to process CONNECTED notify!"; program: %ASA*-3-713112|%PIX-3-713112; classtype: system-error; reference: url, wiki.quadrantsec.com/bin/view/Main/5000731; sid: 5000731; rev: 3;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Client-reported firewall does not match configured firewall action tunnel"; program: %ASA*-3-713141|%PIX-3-713141; classtype: policy-violation; reference: url, wiki.quadrantsec.com/bin/view/Main/5000732; sid: 5000732; rev: 3;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Client did not report firewall in use, but there is a configured firewall action tunnel"; program: %ASA*-3-713142|%PIX-3-713142; classtype: policy-violation; reference: url, wiki.quadrantsec.com/bin/view/Main/5000733; sid: 5000733; rev: 3;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] TCP Connection to Firewall Server has been lost, restricted tunnels are now allowed full network access"; program: %ASA*-3-713159|%PIX-3-713159; default_proto: tcp; classtype: policy-violation; reference: url, wiki.quadrantsec.com/bin/view/Main/5000734; sid: 5000734; rev: 3;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Remote user network access has been restricted by the Firewall Server"; program: %ASA*-3-713161|%PIX-3-713161; classtype: network-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000735; sid: 5000735; rev: 3;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Remote user has been rejected by the Firewall Server"; program: %ASA*-3-713162|%PIX-3-713162; classtype: network-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000736; sid: 5000736; rev: 3;) alert any 
$EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Remote user has been terminated by the Firewall Server"; program: %ASA*-3-713163|%PIX-3-713163; classtype: network-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000737; sid: 5000737; rev: 3;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Headend security gateway has failed our user authentication attempt - check configured username and password"; program: %ASA*-3-713166|%PIX-3-713166; classtype: unsuccessful-user; reference: url, wiki.quadrantsec.com/bin/view/Main/5000738; sid: 5000738; rev: 3;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Remote peer has failed user authentication - check configured username and password [10/5]"; program: %ASA*-3-713167|%PIX-3-713167; after: track by_src, count 10, seconds 300; threshold: type limit, track by_src, count 5, seconds 300; parse_src_ip: 1; classtype: unsuccessful-user; reference: url, wiki.quadrantsec.com/bin/view/Main/5000739; sid: 5000739; rev: 6;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Error Username too long - connection aborted"; program: %ASA*-3-713185|%PIX-3-713185; classtype: attempted-user; reference: url, wiki.quadrantsec.com/bin/view/Main/5000740; sid: 5000740; rev: 3;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] User Authorization failed"; program: %ASA*-3-713198|%PIX-3-713198|%FWSM-3-713198; classtype: unsuccessful-user; reference: url, wiki.quadrantsec.com/bin/view/Main/5000741; sid: 5000741; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] IKE Receiver Error reading from socket"; program: %ASA*-3-713203|%PIX-3-713203; classtype: system-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000742; sid: 5000742; rev: 3;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Connection failed with peer, no trust-point defined"; program: %ASA*-3-713226|%PIX-3-713226; classtype: system-event; 
reference: url, wiki.quadrantsec.com/bin/view/Main/5000743; sid: 5000743; rev: 3;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Internal Error, ike_lock trying to lock bit that is already locked"; program: %ASA*-3-713230|%PIX-3-713230|%FWSM-3-713230; parse_src_ip: 1; parse_dst_ip: 2; classtype: system-error; reference: url, wiki.quadrantsec.com/bin/view/Main/5000744; sid: 5000744; rev: 5;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Internal Error, ike_lock trying to unlock bit that is not locked"; program: %ASA*-3-713231|%PIX-3-713231|%FWSM-3-713231; parse_src_ip: 1; parse_dst_ip: 2; classtype: system-error; reference: url, wiki.quadrantsec.com/bin/view/Main/5000745; sid: 5000745; rev: 5;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Querying keypair failed"; program: %ASA*-3-717001|%PIX-3-717001; classtype: system-error; reference: url, wiki.quadrantsec.com/bin/view/Main/5000746; sid: 5000746; rev: 3;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Certificate enrollment failed for trustpoint"; program: %ASA*-3-717002|%PIX-3-717002; classtype: network-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000747; sid: 5000747; rev: 3;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Certificate validation failed"; program: %ASA*-3-717009|%PIX-3-717009; classtype: system-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000748; sid: 5000748; rev: 3;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] CRL polling failed for trustpoint"; program: %ASA*-3-717010|%PIX-3-717010; classtype: system-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000749; sid: 5000749; rev: 3;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Failed to refresh CRL cache entry from the server for trustpoint"; program: %ASA*-3-717012|%PIX-3-717012; classtype: system-event; reference: url, 
wiki.quadrantsec.com/bin/view/Main/5000750; sid: 5000750; rev: 3;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Failed to query CA certificate for trustpoint"; program: %ASA*-3-717017|%PIX-3-717017; classtype: system-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000751; sid: 5000751; rev: 3;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Failed to insert CRL for trustpoint"; program: %ASA*-3-717019|%PIX-3-717019; classtype: system-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000752; sid: 5000752; rev: 3;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] SSL failed to set device certificate for trustpoint"; program: %ASA*-3-717023|%PIX-3-717023; classtype: system-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000753; sid: 5000753; rev: 3;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Certificate chain failed validation"; program: %ASA*-3-717027|%PIX-3-717027; classtype: system-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000754; sid: 5000754; rev: 3;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Deny protocol"; program: %ASA*-4-106023|%PIX-4-106023|%FWSM-4-106023; classtype: network-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000755; sid: 5000755; rev: 4;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Failed to determine the security context for the packetvlansource Vlan"; program: %ASA*-4-106027|%PIX-4-106027|%FWSM-4-106027; classtype: network-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000756; sid: 5000756; rev: 4;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] NT Domain Authentication Failed rejecting guest login for username."; program: %ASA*-4-109031|%PIX-4-109031|%FWSM-4-109031; classtype: misc-attack; reference: url, wiki.quadrantsec.com/bin/view/Main/5000757; sid: 5000757; rev: 4;)
alert any $EXTERNAL_NET any -> $HOME_NET any
(msg: "[CISCO-PIXASA] Authentication failed for admin user"; program: %ASA*-4-109033|%PIX-4-109033|%FWSM-4-109033; classtype: unsuccessful-admin; reference: url, wiki.quadrantsec.com/bin/view/Main/5000758; sid: 5000758; rev: 4;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Authentication failed for network user"; program: %ASA*-4-109034|%PIX-4-109034|%FWSM-4-109034; classtype: unsuccessful-user; reference: url, wiki.quadrantsec.com/bin/view/Main/5000759; sid: 5000759; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Denied ICMP"; program: %ASA*-4-313004|%PIX-4-313004|%FWSM-4-313004; default_proto: icmp; classtype: network-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000760; sid: 5000760; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] No matching connection for ICMP error"; program: %ASA*-4-313005|%PIX-4-313005|%FWSM-4-313005; default_proto: icmp; classtype: network-event; parse_src_ip: 1; reference: url, wiki.quadrantsec.com/bin/view/Main/5000761; sid: 5000761; rev: 5;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] NAC Downloaded ACL parse failure"; program: %ASA*-4-335005|%PIX-4-335005|%FWSM-4-335005; classtype: configuration-error; reference: url, wiki.quadrantsec.com/bin/view/Main/5000762; sid: 5000762; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Shun add failed unable to allocate resources"; program: %ASA*-4-401005|%PIX-4-401005|%FWSM-4-401005; classtype: system-error; reference: url, wiki.quadrantsec.com/bin/view/Main/5000763; sid: 5000763; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] IPSEC Received an protocol packet from remote IP to local IP that failed anti-replay checking [0/5]"; program: %ASA*-4-402119|%PIX-4-402119|%FWSM-4-402119; threshold: type limit, track by_src, count 5, seconds 300; parse_src_ip: 1; parse_dst_ip: 2; classtype: network-event; reference: url, 
wiki.quadrantsec.com/bin/view/Main/5000764; sid: 5000764; rev: 6;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] IPSEC Received an ESP packet from remote IP to local IP that failed authentication [0/5]"; program: %ASA*-4-402120|%PIX-4-402120; classtype: unsuccessful-user; threshold: type limit, track by_src, count 5, seconds 300; parse_src_ip: 1; parse_dst_ip: 3; reference: url, wiki.quadrantsec.com/bin/view/Main/5000765; sid: 5000765; rev: 8;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] CRYPTO The hardware accelerator encountered an error while executing crypto command"; program: %ASA*-4-402123|%PIX-4-402123|%FWSM-4-402123; classtype: hardware-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000766; sid: 5000766; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] PPPoE failed to assign PPP IP address"; program: %ASA*-4-403506|%PIX-4-403506|%FWSM-4-403506; classtype: system-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000767; sid: 5000767; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] ISAKMP Failed to allocate address for client from pool string"; program: %ASA*-4-404101|%PIX-4-404101|%FWSM-4-404101; default_proto: udp; default_dst_port: 500; classtype: system-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000768; sid: 5000768; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] H225 message contains bad protocol discriminator hex"; program: %ASA*-4-405103|%PIX-4-405103|%FWSM-4-405103; classtype: network-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000769; sid: 5000769; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Deny traffic for local-host, license limit of number exceeded"; program: %ASA*-4-407001|%PIX-4-407001|%FWSM-4-407001; classtype: system-error; reference: url, wiki.quadrantsec.com/bin/view/Main/5000770; sid: 5000770; rev: 4;) #alert any $EXTERNAL_NET 
any -> $HOME_NET any (msg: "[CISCO-PIXASA] Dropped UDP SNMP packet"; program: %ASA*-4-416001|%PIX-4-416001|%FWSM-4-416001; default_proto: udp; default_dst_port: $SNMP_PORT; classtype: network-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000771; sid: 5000771; rev: 6;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Filter violation error conn number"; program: %ASA*-4-417004|%PIX-4-417004|%FWSM-4-417004; classtype: system-error; reference: url, wiki.quadrantsec.com/bin/view/Main/5000772; sid: 5000772; rev: 4;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Through-the-device packet to/from management-only network is denied"; program: %ASA*-4-418001|%PIX-4-418001|%FWSM-4-418001; classtype: network-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000773; sid: 5000773; rev: 4;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Dropping TCP packet, MSS exceeded/size - possible network scan."; program: %ASA*-4-419001|%PIX-4-419001|%FWSM-4-419001; parse_src_ip: 1; parse_dst_ip: 2; default_proto: tcp; classtype: network-scan; reference: url, wiki.quadrantsec.com/bin/view/Main/5000774; sid: 5000774; rev: 6;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] RTP conformance Dropping RTP packet"; program: %ASA*-4-431001|%PIX-4-431001|%FWSM-4-431001; classtype: network-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000775; sid: 5000775; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] RTCP conformance Dropping RTCP packet"; program: %ASA*-4-431002|%PIX-4-431002|%FWSM-4-431002; classtype: network-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000776; sid: 5000776; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Dropping Skinny message length value too small"; program: %ASA*-4-608002|%PIX-4-608002|%FWSM-4-608002; classtype: network-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000777; sid: 
5000777; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Dropping Skinny message length value too large"; program: %ASA*-4-608003|%PIX-4-608003|%FWSM-4-608003; classtype: network-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000778; sid: 5000778; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Dropping Skinny message id value not allowed"; program: %ASA*-4-608004|%PIX-4-608004|%FWSM-4-608004; classtype: network-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000779; sid: 5000779; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Dropping Skinny message id value registration not complete"; program: %ASA*-4-608005|%PIX-4-608005|%FWSM-4-608005; classtype: network-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000780; sid: 5000780; rev: 4;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Auto Update failed"; program: %ASA*-4-612002|%PIX-4-612002|%FWSM-4-612002; classtype: system-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000781; sid: 5000781; rev: 4;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Auto Update failed"; program: %ASA*-4-612003|%PIX-4-612003|%FWSM-4-612003; classtype: system-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000782; sid: 5000782; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] DNS lookup for Server failed!"; program: %ASA*-4-713154|%PIX-4-713154|%FWSM-4-713154; default_proto: udp; default_dst_port: $DNS_PORT; classtype: system-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000783; sid: 5000783; rev: 5;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Name lookup failed for hostname during PKI operation"; program: %ASA*-4-717026|%PIX-4-717026|%FWSM-4-717026; classtype: system-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000784; sid: 5000784; rev: 4;) #alert any $EXTERNAL_NET any -> 
$HOME_NET any (msg: "[CISCO-PIXASA] Failed to find a suitable trustpoint for issuer"; program: %ASA*-4-717031|%PIX-4-717031|%FWSM-4-717031; classtype: system-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000785; sid: 5000785; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Tunnel group search using certificate maps failed"; program: %ASA*-4-717037|%PIX-4-717037; classtype: system-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000786; sid: 5000786; rev: 3;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] IP address end configuration {FAILED|OK}"; program: %ASA*-5-111004|%PIX-5-111004|%FWSM-5-111004; classtype: system-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000787; sid: 5000787; rev: 4;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] FTP cmd_string command unsupported - failed strict inspection"; program: %ASA*-5-303004|%PIX-5-303004|%FWSM-5-303004; default_proto: tcp; default_dst_port: $FTP_PORT; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000788; sid: 5000788; rev: 5;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Access denied URL chars"; program: %ASA*-5-304002|%PIX-5-304002|%FWSM-5-304002; content: "http://"; default_proto: tcp; default_dst_port: $HTTP_PORT; classtype: policy-violation; reference: url, wiki.quadrantsec.com/bin/view/Main/5000789; sid: 5000789; rev: 5;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Asymmetric NAT rules matched for forward and reverse flows [0/1]"; program: %ASA*-5-305013|%PIX-5-305013|%FWSM-5-305013; threshold: type limit, track by_src, count 1, seconds 900; classtype: network-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000790; sid: 5000790; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] EAPoUDP association failed to establish"; program: %ASA*-5-334003|%PIX-5-334003|%FWSM-5-334003; classtype: 
network-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000791; sid: 5000791; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] EAPoUDP failed to get a response from host"; program: %ASA*-5-334006|%PIX-5-334006|%FWSM-5-334006; classtype: system-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000792; sid: 5000792; rev: 4;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] HTTP - matched string in policy-map verification failed"; program: %ASA*-5-415004|%PIX-5-415004|%FWSM-5-415004; classtype: network-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000793; sid: 5000793; rev: 4;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Bad TCP hdr length - Possible network scan"; program: %ASA*-5-500003|%PIX-5-500003|%FWSM-5-500003; parse_src_ip: 1; parse_dst_ip: 2; default_proto: tcp; classtype: network-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000794; sid: 5000794; rev: 6;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] IKE area failed to find centry for message"; program: %ASA*-5-713010|%PIX-5-713010; classtype: system-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000796; sid: 5000796; rev: 3;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Failure during phase 1 rekeying attempt due to collision"; program: %ASA*-5-713092|%PIX-5-713092; parse_src_ip: 1; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000797; sid: 5000797; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Ignoring received malformed firewall record"; program: %ASA*-5-713144|%PIX-5-713144|%FWSM-5-713144; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000798; sid: 5000798; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Create peer failure, already at maximum of number of peers"; program: %ASA*-5-718002|%PIX-5-718002; classtype: 
system-error; reference: url, wiki.quadrantsec.com/bin/view/Main/5000800; sid: 5000800; rev: 3;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Fail to send to IP"; program: %ASA*-5-718005|%PIX-5-718005|%FWSM-5-718005; classtype: system-error; reference: url, wiki.quadrantsec.com/bin/view/Main/5000801; sid: 5000801; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Socket open failure"; program: %ASA*-5-718007|%PIX-5-718007|%FWSM-5-718007; classtype: system-error; reference: url, wiki.quadrantsec.com/bin/view/Main/5000802; sid: 5000802; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Socket bind failure"; program: %ASA*-5-718008|%PIX-5-718008|%FWSM-5-718008; classtype: system-error; reference: url, wiki.quadrantsec.com/bin/view/Main/5000803; sid: 5000803; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Send HELLO response failure"; program: %ASA*-5-718009|%PIX-5-718008|%FWSM-5-718008; classtype: network-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000804; sid: 5000804; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Send HELLO request failure"; program: %ASA*-5-718011|%PIX-5-718011|%FWSM-5-718011; classtype: network-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000805; sid: 5000805; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Send CFG UPDATE failure"; program: %ASA*-5-718024|%PIX-5-718024|%FWSM-5-718024; classtype: configuration-error; reference: url, wiki.quadrantsec.com/bin/view/Main/5000806; sid: 5000806; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Send OOS indicator failure"; program: %ASA*-5-718028|%PIX-5-718028|%FWSM-5-718028; classtype: system-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000807; sid: 5000807; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Send TOPOLOGY indicator failure"; 
program: %ASA*-5-718033|%PIX-5-718033|%FWSM-5-718033; classtype: configuration-error; reference: url, wiki.quadrantsec.com/bin/view/Main/5000808; sid: 5000808; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Create of secure tunnel failure"; program: %ASA*-5-718048|%PIX-5-718048; classtype: system-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000809; sid: 5000809; rev: 3;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Delete of secure tunnel failure"; program: %ASA*-5-718050|%PIX-5-718050; classtype: system-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000810; sid: 5000810; rev: 3;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Queue send failure from ISR"; program: %ASA*-5-718057|%PIX-5-718057; classtype: system-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000811; sid: 5000811; rev: 3;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Inbound socket select fail"; program: %ASA*-5-718060|%PIX-5-718060|%FWSM-5-718060; classtype: system-error; reference: url, wiki.quadrantsec.com/bin/view/Main/5000812; sid: 5000812; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Inbound socket read fail"; program: %ASA*-5-718061|%PIX-5-718061|%FWSM-5-718061; classtype: system-error; reference: url, wiki.quadrantsec.com/bin/view/Main/5000813; sid: 5000813; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Cannot continue to run"; program: %ASA*-5-718065|%PIX-5-718065|%FWSM-5-718065; classtype: hardware-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000814; sid: 5000814; rev: 5;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Fail to create access list for peer"; program: %ASA*-5-718074|%PIX-5-718074|%FWSM-5-718074; classtype: system-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000815; sid: 5000815; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any 
(msg: "[CISCO-PIXASA] Fail to create tunnel group for peer"; program: %ASA*-5-718076|%PIX-5-718076; classtype: system-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000816; sid: 5000816; rev: 3;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Fail to delete tunnel group for peer"; program: %ASA*-5-718077|%PIX-5-718077; classtype: system-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000817; sid: 5000817; rev: 3;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Fail to create crypto map for peer"; program: %ASA*-5-718078|%PIX-5-718078; classtype: system-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000818; sid: 5000818; rev: 3;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Fail to delete crypto map for peer"; program: %ASA*-5-718079|%PIX-5-718079; classtype: system-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000819; sid: 5000819; rev: 3;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Fail to create crypto policy for peer"; program: %ASA*-5-718080|%PIX-5-718080; classtype: system-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000820; sid: 5000820; rev: 3;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Fail to delete crypto policy for peer"; program: %ASA*-5-718081|%PIX-5-718081; classtype: system-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000821; sid: 5000821; rev: 3;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Fail to install LB NP rules"; program: %ASA*-5-718086|%PIX-5-718086; classtype: system-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000822; sid: 5000822; rev: 3;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Fail to delete LB NP rules"; program: %ASA*-5-718087|%PIX-5-718087; classtype: system-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000823; sid: 5000823; rev: 3;) #alert any $EXTERNAL_NET any -> 
$HOME_NET any (msg: "[CISCO-PIXASA] Deny IP [0/5]"; program: %ASA*-6-106012|%PIX-6-106012|%FWSM-6-106012; classtype: network-event; threshold: type limit, track by_src, count 5, seconds 300; reference: url, wiki.quadrantsec.com/bin/view/Main/5000824; sid: 5000824; rev: 6;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Deny TCP [no connection]"; program: %ASA*-6-106015|%PIX-6-106015|%FWSM-6-106015; normalize; default_proto: tcp; classtype: network-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000825; sid: 5000825; rev: 6;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Failed to determine the security context"; program: %ASA*-6-106025|%PIX-6-106025|%FWSM-6-106025; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000826; sid: 5000826; rev: 6;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Failed to determine the security context"; program: %ASA*-6-106026|%PIX-6-106026|%FWSM-6-106026; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000827; sid: 5000827; rev: 4;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] access-list ACL {permitted | denied | est-allowed} protocol"; program: %ASA*-6-106100|%PIX-6-106100|%FWSM-6-106100; classtype: network-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000828; sid: 5000828; rev: 4;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Auth from inside to outside failed [server failed] on interface"; program: %ASA*-6-109002|%PIX-6-109002|%FWSM-6-109002; parse_src_ip: 1; parse_dst_ip: 2; classtype: unsuccessful-user; reference: url, wiki.quadrantsec.com/bin/view/Main/5000829; sid: 5000829; rev: 5;)
# NOTE(review): sid 5000830 below matches %FWSM-6-109002 while its ASA/PIX patterns use 109003; 109002 is the "server failed" ID that sid 5000829 already covers, so on FWSM this rule presumably double-fires on 109002 and never sees 109003 - confirm against the Cisco syslog reference and, if so, change the FWSM pattern to 109003 and bump rev.
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Auth from inside to outside failed [all servers failed] on interface"; program: %ASA*-6-109003|%PIX-6-109003|%FWSM-6-109002; classtype: unsuccessful-user; reference: url,
wiki.quadrantsec.com/bin/view/Main/5000830; sid: 5000830; rev: 4;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Authentication failed for user [0/5]"; program: %ASA*-6-109006|%PIX-6-109006|%FWSM-6-109006; classtype: unsuccessful-user; reference: url, wiki.quadrantsec.com/bin/view/Main/5000831; threshold: type limit, track by_src, count 5, seconds 300; sid: 5000831; rev: 6;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Authorization permitted for user"; program: %ASA*-6-109007|%PIX-6-109007|%FWSM-6-109007; classtype: successful-user; reference: url, wiki.quadrantsec.com/bin/view/Main/5000832; sid: 5000832; rev: 4;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Authorization denied for user from outside to inside on interface"; program: %ASA*-6-109008|%PIX-6-109008|%FWSM-6-109008; classtype: unsuccessful-user; reference: url, wiki.quadrantsec.com/bin/view/Main/5000833; sid: 5000833; rev: 4;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Authorization denied [not authenticated]"; program: %ASA*-6-109024|%PIX-6-109024|%FWSM-6-109024; classtype: unsuccessful-user; reference: url, wiki.quadrantsec.com/bin/view/Main/5000834; sid: 5000834; rev: 4;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Authorization denied for user"; program: %ASA*-6-109025|%PIX-6-109025|%FWSM-6-109025; classtype: unsuccessful-user; reference: url, wiki.quadrantsec.com/bin/view/Main/5000835; sid: 5000835; rev: 4;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] User user locked out on exceeding number successive failed authentication attempts"; program: %ASA*-6-113006|%PIX-6-113006|%FWSM-6-113006; classtype: unsuccessful-user; reference: url, wiki.quadrantsec.com/bin/view/Main/5000836; sid: 5000836; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] AAA unable to complete the request"; program: %ASA*-6-113013|%PIX-6-113013|%FWSM-6-113013; classtype: 
system-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000837; sid: 5000837; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] URL Server request failed URL"; program: %ASA*-6-304004|%PIX-6-304004|%FWSM-6-304004; classtype: system-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000838; sid: 5000838; rev: 4;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] RIP hdr failed"; program: %ASA*-6-312001|%PIX-6-312001|%FWSM-6-312001; classtype: network-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000839; sid: 5000839; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] No management IP address configured for transparent firewall"; program: %ASA*-6-322004|%PIX-6-322004|%FWSM-6-322004; classtype: network-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000840; sid: 5000840; rev: 4;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] NAC is disabled for host"; program: %ASA*-6-335004|%PIX-6-335004|%FWSM-6-335004; classtype: network-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000841; sid: 5000841; rev: 4;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Login denied [Brute Force] [10/1]"; program: %ASA*-6-605004|%PIX-6-605004|%FWSM-6-605004; parse_src_ip: 1; parse_port; after: track by_src, count 10, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; classtype: unsuccessful-user; reference: url, wiki.quadrantsec.com/bin/view/Main/5000842; xbits: set,brute_force,21600; sid: 5000842; rev: 10;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Authorization failed"; program: %ASA*-6-610101|%PIX-6-610101|%FWSM-6-610101; classtype: unsuccessful-user; reference: url, wiki.quadrantsec.com/bin/view/Main/5000843; sid: 5000843; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] User authentication failed [0/5]"; program: 
%ASA*-6-611102|%PIX-6-611102|%FWSM-6-610102; classtype: unsuccessful-user; reference: url, wiki.quadrantsec.com/bin/view/Main/5000844; threshold: type limit, track by_src, count 5, seconds 300; sid: 5000844; rev: 6;)
# NOTE(review): sid 5000844 above pairs %FWSM-6-610102 with ASA/PIX 611102 - likely a transposed ID; confirm before enabling the rule. sid 5000845 below says "VNPClient" in its msg; left unchanged because downstream consumers may key on the alert text - correct it together with a rev bump.
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] VNPClient XAUTH Failed"; program: %ASA*-6-611311|%PIX-6-611311; classtype: unsuccessful-user; reference: url, wiki.quadrantsec.com/bin/view/Main/5000845; sid: 5000845; rev: 3;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] VPNClient Secure Unit Authentication Disabled"; program: %ASA*-6-611317|%PIX-6-611317; classtype: system-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000846; sid: 5000846; rev: 3;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] VPNClient User Authentication Disabled"; program: %ASA*-6-611319|%PIX-6-611319; classtype: system-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000847; sid: 5000847; rev: 3;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] VPNClient Device Pass Thru Disabled"; program: %ASA*-6-611321|%PIX-6-611321; classtype: system-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000848; sid: 5000848; rev: 3;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] VPNClient Extended XAUTH conversation initiated when SUA disabled"; program: %ASA*-6-611322|%PIX-6-611322; classtype: system-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000849; sid: 5000849; rev: 3;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Checksum Failure in database"; program: %ASA*-6-613001|%PIX-6-613001|%FWSM-6-613001; classtype: system-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000850; sid: 5000850; rev: 4;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] vlan number not available for firewall interface"; program: %ASA*-6-615001|%PIX-6-615001|%FWSM-6-615001; classtype: network-event; reference: url,
wiki.quadrantsec.com/bin/view/Main/5000851; sid: 5000851; rev: 4;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] vlan number available for firewall interface"; program: %ASA*-6-615002|%PIX-6-615002|%FWSM-6-615002; classtype: system-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000852; sid: 5000852; rev: 4;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Bad register"; program: %ASA*-6-621007|%PIX-6-621007|%FWSM-6-621007; classtype: system-error; reference: url, wiki.quadrantsec.com/bin/view/Main/5000853; sid: 5000853; rev: 4;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Attempt to send an IKE packet from standby unit. Dropping the packet! [0/1]"; program: %ASA*-6-713235|%PIX-6-713235|%FWSM-6-713235; threshold: type limit, track by_src, count 1, seconds 900; classtype: network-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000854; sid: 5000854; rev: 6;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Certificate received from Certificate Authority for trustpoint"; program: %ASA*-6-717003|%PIX-6-717003|%FWSM-6-717003; classtype: system-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000855; sid: 5000855; rev: 4;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] PKCS 12 export failed"; program: %ASA*-6-717004|%PIX-6-717004|%FWSM-6-717004; classtype: system-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000856; sid: 5000856; rev: 4;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] PKCS 12 import failed"; program: %ASA*-6-717006|%PIX-6-717006|%FWSM-6-717006; classtype: system-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000857; sid: 5000857; rev: 4;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] uauth_lookup_net fail for uauth_in"; program: %ASA*-7-109014|%PIX-7-109014|%FWSM-7-109014; classtype: system-error; reference: url, wiki.quadrantsec.com/bin/view/Main/5000858; sid:
5000858; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Uauth null proxy error"; program: %ASA*-7-109021|%PIX-7-109021|%FWSM-7-109021; classtype: system-error; reference: url, wiki.quadrantsec.com/bin/view/Main/5000859; sid: 5000859; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Send failure"; program: %ASA*-7-713039|%PIX-7-713039|%FWSM-7-713039; classtype: system-error; reference: url, wiki.quadrantsec.com/bin/view/Main/5000861; sid: 5000861; rev: 4;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Cert validation failure handle invalid for Main/Aggressive Mode Initiator/Responder!"; program: %ASA*-7-713094|%PIX-7-713094|%FWSM-7-713094; classtype: system-error; reference: url, wiki.quadrantsec.com/bin/view/Main/5000862; sid: 5000862; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Attempt to get Phase 1 ID data failed while hash computation"; program: %ASA*-7-713104|%PIX-7-713104; classtype: system-error; reference: url, wiki.quadrantsec.com/bin/view/Main/5000863; sid: 5000863; rev: 3;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Processing firewall record"; program: %ASA*-7-713143|%PIX-7-713143|%FWSM-7-713143; classtype: system-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000864; sid: 5000864; rev: 4;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Remote user has been granted access by the Firewall Server [Brute Force] [10/1]"; after: track by_src, count 10, seconds 300; threshold: type limit, track by_src, count 5, seconds 300; program: %ASA*-7-713160|%PIX-7-713160|%FWSM-7-713160; classtype: successful-user; reference: url, wiki.quadrantsec.com/bin/view/Main/5000865; xbits: set,brute_force,21600; sid: 5000865; rev: 7;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] The Firewall Server has requested a list of active user sessions"; program: 
%ASA*-7-713164|%PIX-7-713164|%FWSM-7-713164; classtype: system-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000866; sid: 5000866; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Got bad refCnt assigning"; program: %ASA*-7-713190|%PIX-7-713190|%FWSM-7-713190; classtype: system-error; reference: url, wiki.quadrantsec.com/bin/view/Main/5000867; sid: 5000867; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] subroutine Q Send failure RetCode"; program: %ASA*-7-715004|%PIX-7-715004|%FWSM-7-715004; classtype: system-error; reference: url, wiki.quadrantsec.com/bin/view/Main/5000868; sid: 5000868; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] subroutine name Bad message code Cod"; program: %ASA*-7-715005|%PIX-7-715005|%FWSM-7-715005; classtype: system-error; reference: url, wiki.quadrantsec.com/bin/view/Main/5000869; sid: 5000869; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] IKE received response to a request from the utility"; program: %ASA*-7-715042|%PIX-7-715042; classtype: system-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000870; sid: 5000870; rev: 3;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] ERROR malformed Keepalive payload"; program: %ASA*-7-715045|%PIX-7-715045|%FWSM-7-715045; classtype: system-error; reference: url, wiki.quadrantsec.com/bin/view/Main/5000871; sid: 5000871; rev: 4;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Claims to be IOS but failed authentication"; program: %ASA*-7-715050|%PIX-7-715050|%FWSM-7-715050; classtype: misc-attack; reference: url, wiki.quadrantsec.com/bin/view/Main/5000872; sid: 5000872; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Dropped received IKE fragment"; program: %ASA*-7-715060|%PIX-7-715060|%FWSM-7-715060; classtype: network-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000873; sid: 
5000873; rev: 4;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Error assembling fragments! Fragment numbers are non-continuous"; program: %ASA*-7-715062|%PIX-7-715062|%FWSM-7-715062; classtype: network-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000874; sid: 5000874; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] IKE state_machine subtype FSM error history"; program: %ASA*-7-715065|%PIX-7-715065|%FWSM-7-715065; classtype: system-error; reference: url, wiki.quadrantsec.com/bin/view/Main/5000875; sid: 5000875; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Internal interprocess communication queue send failure"; program: %ASA*-7-718001|%PIX-7-718001|%FWSM-7-718001; classtype: system-error; reference: url, wiki.quadrantsec.com/bin/view/Main/5000876; sid: 5000876; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Send KEEPALIVE request failure"; program: %ASA*-7-718018|%PIX-7-718018|%FWSM-7-718018; classtype: system-error; reference: url, wiki.quadrantsec.com/bin/view/Main/5000877; sid: 5000877; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Send KEEPALIVE response failure"; program: %ASA*-7-718020|%PIX-7-718020|%FWSM-7-718020; classtype: system-error; reference: url, wiki.quadrantsec.com/bin/view/Main/5000878; sid: 5000878; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Fail to create group"; program: %ASA*-7-718047|%PIX-7-718047|%FWSM-7-718047; classtype: system-error; reference: url, wiki.quadrantsec.com/bin/view/Main/5000879; sid: 5000879; rev: 4;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Creation of group policy"; program: %ASA*-7-718046|%PIX-7-718046|%FWSM-7-718046; classtype: system-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000880; sid: 5000880; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Access denied 
URL"; program: %ASA*-5-304002|%PIX-5-304002|%FWSM-7-304002; content: "http://"; default_proto: tcp; default_dst_port: $HTTP_PORT; classtype: policy-violation; normalize; reference: url, wiki.quadrantsec.com/bin/view/Main/5001086; sid: 5001086; rev: 6;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] AAA user authentication successful [0/5]"; program: %ASA*-6-113004|%PIX-6-113004|%FWSM-6-113004; default_proto: tcp; classtype: successful-user; reference: url, wiki.quadrantsec.com/bin/view/Main/5001087; threshold: type limit, track by_src, count 5, seconds 300; parse_src_ip: 1; sid: 5001087; rev: 7;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] AAA user authentication Reject [0/5]"; program: %ASA*-6-113005|%PIX-6-113005|%FWSM-6-113005; default_proto: tcp; classtype: unsuccessful-user; reference: url, wiki.quadrantsec.com/bin/view/Main/5001092; threshold: type limit, track by_src, count 5, seconds 300; parse_src_ip: 1; sid: 5001092; rev: 6;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] AAA user authentication Reject - Brute force [10/1]"; program: %ASA*-6-113005|%PIX-6-113005|%FWSM-6-113005; default_proto: tcp; classtype: unsuccessful-user; normalize; reference: url, wiki.quadrantsec.com/bin/view/Main/5001593; after: track by_src, count 10, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; fwsam: src, 1 day; xbits: set,brute_force,21600; sid: 5001593; rev: 9;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Disconnect by SSH server"; program: %ASA*-6-315011|%PIX-6-315011|%FWSM-6-315011; default_proto: tcp; classtype: not-suspicious; normalize; reference: url, wiki.quadrantsec.com/bin/view/Main/5001088; sid: 5001088; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Access denied URL chars - HTTPS"; program: %ASA*-5-304002|%PIX-5-304002|%FWSM-5-304002; content: "https://"; default_proto: tcp; default_dst_port: $HTTPS_PORT; classtype: 
policy-violation; reference: url, wiki.quadrantsec.com/bin/view/Main/5001089; sid: 5001089; rev: 4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Access denied URL - HTTPS"; program: %ASA*-5-304002|%PIX-5-304002|%FWSM-5-304002; content: "https://"; default_proto: tcp; default_dst_port: $HTTPS_PORT; classtype: policy-violation; normalize; reference: url, wiki.quadrantsec.com/bin/view/Main/5001091; sid: 5001091; rev: 5;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] User authentication failed - Brute force [5/1]"; program: %ASA*-6-611102|%PIX-6-611102|%FWSM-6-610102; classtype: unsuccessful-user; reference: url, wiki.quadrantsec.com/bin/view/Main/5001654; threshold: type limit, track by_src, count 1, seconds 86400; after: track by_src, count 5, seconds 300; xbits: set,brute_force,21600; sid: 5001654; rev: 6;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] TCP access denied by ACL - Brute force [25/1]"; program: %ASA*-3-710003; default_proto: tcp; classtype: unsuccessful-user; reference: url, wiki.quadrantsec.com/bin/view/Main/5001714; normalize; parse_src_ip: 1; parse_dst_ip: 2; parse_port; threshold: type limit, track by_src, count 1, seconds 86400; after: track by_src, count 25, seconds 300; xbits: set,brute_force,21600; sid: 5001714; rev: 8;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] TCP access denied by ACL"; program: %ASA*-3-710003; default_proto: tcp; classtype: unsuccessful-user; reference: url, wiki.quadrantsec.com/bin/view/Main/5001715; parse_src_ip: 1; parse_dst_ip: 2; parse_port; sid: 5001715; rev: 2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] WebVPN console/admin failed"; program: %ASA*-3-113021; default_proto: tcp; default_dst_port: $HTTPS_PORT; classtype: unsuccessful-admin; reference: url, wiki.quadrantsec.com/bin/view/Main/5001963; sid: 5001963; rev: 2;) sagan-1.2.0/rules/bluedot.rules0000644000175000017500000000632213310533411015406 
0ustar champchamp# Sagan bluedot.rules # Copyright (c) 2009-2017, Quadrant Information Security # All rights reserved. # # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list # #************************************************************* # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. # # These are CATCH ALL rules. This means it will parse _all_ logs. 
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[BLUEDOT] Suspicious IP detected via Bluedot"; bluedot: type ip_reputation, track all, mdate_effective_period 1 months, Malicious,Tor,Proxy; content:!"drop"; nocase; content:!"denied"; nocase; content:!"deny"; nocase; content:!"qipapikey"; classtype: suspicious-traffic; after: track by_src, count 10, seconds 30; threshold: type limit, track by_src, count 2, seconds 3600; parse_src_ip: 1; parse_dst_ip: 2; parse_proto_program; reference: url,wiki.quadrantsec.com/bin/view/Main/5002288; sid:5002288; rev:8;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[BLUEDOT] Malicious MD5 hash detected via Bluedot"; bluedot: type file_hash,Malicious; parse_hash: md5; classtype: suspicious-traffic; parse_src_ip: 1; normalize; reference: url,wiki.quadrantsec.com/bin/view/Main/5002288; sid:5003118; rev:1;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[BLUEDOT] Malicious SHA1 hash detected via Bluedot"; bluedot: type file_hash,Malicious; parse_hash: sha1; classtype: suspicious-traffic; parse_src_ip: 1; normalize; reference: url,wiki.quadrantsec.com/bin/view/Main/5002288; sid:5003119; rev:1;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[BLUEDOT] Malicious SHA256 hash detected via Bluedot"; bluedot: type file_hash,Malicious; parse_hash: sha256; classtype: suspicious-traffic; parse_src_ip: 1; normalize; reference: url,wiki.quadrantsec.com/bin/view/Main/5002288; sid:5003120; rev:1;) sagan-1.2.0/rules/ssh-tectia-server-bluedot.rules0000644000175000017500000000446413310533411020761 0ustar champchamp# Sagan ssh-tectia-server-bluedot.rules # Copyright (c) 2009-2017, Quadrant Information Security # All rights reserved. 
# # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list # #************************************************************* # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. # #************************************************************* # # These rules are for the SSH Tectia Server for Windows systems. 
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[SSH-TECTIA-SERVER-BLUEDOT] Authentication success from a suspicious source"; content: "Login_success"; default_proto: tcp; default_dst_port: $SSH_PORT; classtype: successful-user; reference: url,wiki.quadrantsec.com/bin/view/Main/5002915; parse_src_ip: 1; parse_dst_ip: 2; program: SSH_Tectia_Server; bluedot: type ip_reputation, track by_src, none, Malicious,Tor,Honeypot,Proxy; sid:5002915; rev:4;) sagan-1.2.0/rules/cisco-ise.rules0000644000175000017500000000720613310533411015630 0ustar champchamp# Sagan cisco-ise.rules # Copyright (c) 2009-2017, Quadrant Information Security # All rights reserved. # # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list # #************************************************************* # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. 
IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. # #************************************************************* # cisco-ise.rules (Formally cisco-acs.rules - Access Countrol System) # 10.0.0.1|local6|notice|notice|b5|2018-05-23|20:28:37|CISE_Failed_Attempts| 0000111111 3 0 2018-05-23 20:28:37.108 -04:00 006708111r 5434 NOTICE RADIUS: Endpoint conducted several failed authentications of the same scenario, ConfigVersionId=139, Device IP Address=10.10.250.1, Device Port=1645, DestinationIPAddress=10.10.2.53, DestinationPort=1812, RadiusPacketType=AccessRequest, UserName=00-41-D2-A8-8F-22, Protocol=Radius, RequestLatency=9, NetworkDeviceName=DEMO, User-Name=001111111111, NAS-IP-Address=10.10.250.1, NAS-Port=60000, Service-Type=Call Check, Framed-MTU=9216, Called-Station-ID=00-11-11-22-33-44, Calling-Station-ID=00-11-22-33-88-22, NAS-Port-Type=Ethernet, NAS-Port-Id=GigabitEthernet101/2/0/31, EAP-Key-Name=, cisco-av-pair=service-type=Call Check, cisco-av-pair=audit-session-id=AC1111111100011111111111, cisco-av-pair=method=mab, OriginalUserName=001111111111, IsEndpointInRejectMode=true, NetworkDeviceProfileName=Cisco, NetworkDeviceProfileId=11111111-8c11-4b11-119c-1bbfe1111111, IsThirdPartyDeviceFlow=false, # alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[CISCO-ISE] Failed Login Attempt"; program: CISE_Failed_Attempts|CSCOacs_Failed_Attempts; parse_src_ip: 1; parse_dst_ip: 2; classtype: unsuccessful-user; reference: url,wiki.quadrantsec.com/bin/view/Main/5001655; sid: 5001655; rev:4;) alert any 
$EXTERNAL_NET any -> $HOME_NET any (msg:"[CISCO-ISE] Failed Login Attempt - Brute force [5/5]"; program: CISE_Failed_Attempts|CSCOacs_Failed_Attempts; xbits: set,brute_force,21600; content: "UserName="; content:!"session timed out"; parse_src_ip: 1; parse_dst_ip: 2; after: track by_src, count 5, seconds 300; threshold: type limit, track by_src, count 5, seconds 300; xbits: set,brute_force,21600; classtype: unsuccessful-user; reference: url,wiki.quadrantsec.com/bin/view/Main/5001656; sid: 5001656; rev:8;) sagan-1.2.0/rules/proftpd.rules0000644000175000017500000002117313310533411015427 0ustar champchamp# Sagan proftpd.rules # Copyright (c) 2009-2017, Quadrant Information Security # All rights reserved. # # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list # #************************************************************* # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. 
IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. # #************************************************************* #alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[PROFTPD] Session opened"; content: "FTP session opened"; default_proto: tcp; default_dst_port: $FTP_PORT; classtype: not-suspicious; program: proftpd; reference: url,wiki.quadrantsec.com/bin/view/Main/5000078; sid: 5000078; rev:3;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[PROFTPD] Session closed"; content: "FTP session closed"; default_proto: tcp; default_dst_port: $FTP_PORT; classtype: not-suspicious; program: proftpd; reference: url,wiki.quadrantsec.com/bin/view/Main/5000079; sid: 5000079; rev:3;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[PROFTPD] Attempt to login as a non-existent user [Brute Force] [5/5]"; content: "no such user"; default_proto: tcp; default_dst_port: $FTP_PORT; classtype: unsuccessful-user; parse_src_ip: 3; program: proftpd; after: track by_src, count 5, seconds 300; parse_ip_src: 1; threshold: type limit, track by_src, count 5, seconds 300; fwsam: src, 1 day; xbits: set,brute_force,21600; reference: url,wiki.quadrantsec.com/bin/view/Main/5000080; sid: 5000080; rev:7;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[PROFTPD] Login failed accessing the FTP server [Brute Force] [5/5]"; pcre: "/Incorrect password|Login failed/i"; default_proto: tcp; default_dst_port: $FTP_PORT; classtype: unsuccessful-user; parse_src_ip: 3; program: proftpd; after: track by_src, count 5, seconds 300; 
parse_ip_src: 1; threshold: type limit, track by_src, count 5, seconds 300; fwsam: src, 1 day; xbits: set,brute_force,21600; reference: url,wiki.quadrantsec.com/bin/view/Main/5000081; sid: 5000081; rev:8;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[PROFTPD] Authentication success"; content: "Login successful"; default_proto: tcp; default_dst_port: $FTP_PORT; classtype: successful-user; program: proftpd; reference: url,wiki.quadrantsec.com/bin/view/Main/5000082; sid: 5000082; rev:3;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[PROFTPD] Connection refused by TCP Wrappers"; content: "refused connect from"; default_proto: tcp; default_dst_port: $FTP_PORT; classtype: tcp-connection; program: proftpd; reference: url,wiki.quadrantsec.com/bin/view/Main/5000083; sid: 5000083; rev:3;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[PROFTPD] Small PassivePorts range in config file"; content: "unable to find open port in PassivePorts range"; default_proto: tcp; default_dst_port: $FTP_PORT; classtype: program-error; program: proftpd; reference: url,wiki.quadrantsec.com/bin/view/Main/5000084; sid: 5000084; rev:3;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[PROFTPD] Attempt to bypass firewall - cannot keep state of FTP traffic"; content: "Refused PORT"; default_proto: tcp; default_dst_port: $FTP_PORT; classtype: suspicious-traffic; program: proftpd; reference: url,wiki.quadrantsec.com/bin/view/Main/5000085; sid: 5000085; rev:3;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[PROFTPD] Maximum login attempts reached [DoS?]"; content: "Maximum login attempts"; default_proto: tcp; default_dst_port: $FTP_PORT; classtype: successful-dos; program: proftpd; reference: url,wiki.quadrantsec.com/bin/view/Main/5000086; sid: 5000086; rev:3;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[PROFTPD] Host name or host address mismatch"; pcre: "/name mismatch|address mismatch/i"; default_proto: tcp; default_dst_port: $FTP_PORT; classtype: 
suspicious-traffic; program: proftpd; reference: url,wiki.quadrantsec.com/bin/view/Main/5000087; sid: 5000087; rev:3;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[PROFTPD] Reverse lookup failure"; content: "can't verify hostname"; default_proto: tcp; default_dst_port: $FTP_PORT; classtype: suspicious-traffic; program: proftpd; reference: url,wiki.quadrantsec.com/bin/view/Main/5000088; sid: 5000088; rev:4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[PROFTPD] Remote host connected to FTP server"; content: "connect from"; default_proto: tcp; default_dst_port: $FTP_PORT; classtype: not-suspicious; program: proftpd; reference: url,wiki.quadrantsec.com/bin/view/Main/5000089; sid: 5000089; rev:3;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[PROFTPD] Remote host disconnected due to inactivity"; content: "FTP no transfer timeout, disconnected"; default_proto: tcp; default_dst_port: $FTP_PORT; classtype: not-suspicious; program: proftpd; reference: url,wiki.quadrantsec.com/bin/view/Main/5000090; sid: 5000090; rev:3;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[PROFTPD] Remote host disconnected due to login time out" ;content: "FTP login timed out"; default_proto: tcp; default_dst_port: $FTP_PORT; classtype: not-suspicious; program: proftpd; reference: url,wiki.quadrantsec.com/bin/view/Main/5000091; sid: 5000091; rev:3;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[PROFTPD] Remote host disconnected due to time out" ;content: "FTP session idle timeout"; default_proto: tcp; default_dst_port: $FTP_PORT; classtype: not-suspicious; program: proftpd; reference: url,wiki.quadrantsec.com/bin/view/Main/5000374; sid: 5000374; rev:3;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[PROFTPD] Data transfer stall timeout" ;content: "Data transfer stall timeout"; default_proto: tcp; default_dst_port: $FTP_PORT; classtype: not-suspicious; program: proftpd; reference: url,wiki.quadrantsec.com/bin/view/Main/5000092; sid: 5000092; rev:3;) #alert 
any $EXTERNAL_NET any -> $HOME_NET any (msg:"[PROFTPD] terminated [crash]" ; content: "ProFTPD terminating"; content: "signal 11"; default_proto: tcp; default_dst_port: $FTP_PORT; classtype: program-error; program: proftpd; reference: url,wiki.quadrantsec.com/bin/view/Main/5000093; sid: 5000093; rev:3;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[PROFTPD] Unable to bind to address" ; content: "listen"; content: "failed in"; default_proto: tcp; default_dst_port: $FTP_PORT; classtype: program-error; program: proftpd; reference: url,wiki.quadrantsec.com/bin/view/Main/5000094; sid:5000094; rev:3;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[PROFTPD] User logged into an disabled account"; content: "Login successful"; pcre: "/^apache$|^mysql$|^www$|^nobody$|^nogroup$|^portmap$|^named$|^rpc$|^mail$|^ftp$|^shutdown$|^halt$|^daemon$|^bin$|^postfix$|^shell$|^info$|^guest$|^psql$|^user$|^users$|^console$|^uucp$|^lp$|^sync$|^sshd$|^cdrom$|^ossec$|^sagan$/"; default_proto: tcp; default_dst_port: $FTP_PORT; classtype: successful-user; reference: url,wiki.quadrantsec.com/bin/view/Main/5000413; program: sshd; sid: 5000413; rev:3;) # Rule by W. E Restrepo (werestrepo@quadrantsec.com) - 08/30/2016 alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[PROFTP] FTPCHK3 file accessed by user"; content: "ftpchk3"; pcre: "/CHMOD|DELE|STOR/i"; parse_src_ip: 3; program: proftpd; default_proto: tcp; default_dst_port: $FTP_PORT; classtype: suspicious-traffic; reference: url,blog.ftptoday.com/ftp-password-stealing-malware; reference: url,wiki.quadrantsec.com/bin/view/Main/5002951; sid:5002951; rev: 3;) sagan-1.2.0/rules/cylance.rules0000644000175000017500000001567413310533411015400 0ustar champchamp# Sagan cylance.rules # Copyright (c) 2009-2017, Quadrant Information Security # All rights reserved. 
# # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list # #************************************************************* # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
# # # Robert Nunley - 10142015 #successful-user #Event Type: AuditLog, Event Name: DeviceEdit, #Event Type: AuditLog, Event Name: LoginSuccess, alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[CYLANCE] AuditLog - Device Edit"; content: "Event Name|3a| DeviceEdit"; content: "AuditLog"; content: "CylancePROTECT"; threshold: type limit, count 1, seconds 300, track by_src; classtype: successful-user; reference: url,wiki.quadrantsec.com/bin/view/Main/5002567; parse_src_ip: 1; sid:5002567; rev:4;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[CYLANCE] AuditLog - Login Success"; content: "Event Name|3a| LoginSuccess"; content: "AuditLog"; content: "CylancePROTECT"; threshold: type limit, count 1, seconds 300, track by_src; classtype: successful-user; reference: url,wiki.quadrantsec.com/bin/view/Main/5002568; parse_src_ip: 1; sid:5002568; rev:4;) #configuration-change #Event Type: AuditLog, Event Name: SyslogSettingsSave, #Event Type: AuditLog, Event Name: ZoneAddDevice, alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[CYLANCE] AuditLog - Syslog Settings Saved"; content: "Event Name|3a| SyslogSettingsSave"; content: "AuditLog"; content: "CylancePROTECT"; threshold: type limit, count 1, seconds 300, track by_src; classtype: configuration-change; reference: url,wiki.quadrantsec.com/bin/view/Main/5002569; parse_src_ip: 1; sid:5002569; rev:4;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[CYLANCE] AuditLog - Zone Add Device"; content: "Event Name|3a| ZoneAddDevice"; content: "AuditLog"; content: "CylancePROTECT"; threshold: type limit, count 1, seconds 300, track by_src; classtype: configuration-change; reference: url,wiki.quadrantsec.com/bin/view/Main/5002570; parse_src_ip: 1; sid:5002570; rev:4;) #system-event #Event Type: Device, Event Name: Devices #Event Type: Device, Event Name: Registration, ##Event Type: Device, Event Name: SystemSecurity, alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[CYLANCE] Device - Action Taken"; content: "Event Name|3a| 
Device"; content: "Device"; content: "CylancePROTECT"; threshold: type limit, count 1, seconds 300, track by_src; classtype: system-event; reference: url,wiki.quadrantsec.com/bin/view/Main/5002571; parse_src_ip: 1; sid:5002571; rev:4;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[CYLANCE] Device - Registration"; content: "Event Name|3a| Registration"; content: "Device"; content: "CylancePROTECT"; threshold: type limit, count 1, seconds 300, track by_src; classtype: system-event; reference: url,wiki.quadrantsec.com/bin/view/Main/5002572; parse_src_ip: 1; sid:5002572; rev:4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[CYLANCE] Device - System Security"; content: "Event Name|3a| SystemSecurity"; content: "Device"; content: "CylancePROTECT"; threshold: type limit, count 1, seconds 300, track by_src; classtype: system-event; reference: url,wiki.quadrantsec.com/bin/view/Main/5002573; parse_src_ip: 1; sid:5002573; rev:4;) #exploit-attempt #Event Type: ExploitAttempt, Event Name: blocked, #Event Type: ExploitAttempt, Event Name: none, alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[CYLANCE] ExploitAttempt - Blocked"; content: "Event Name|3a| blocked"; content: "ExploitAttempt"; content: "CylancePROTECT"; threshold: type limit, count 1, seconds 300, track by_src; classtype: exploit-attempt; reference: url,wiki.quadrantsec.com/bin/view/Main/5002574; parse_src_ip: 1; sid:5002574; rev:4;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[CYLANCE] ExploitAttempt - No Action Taken"; content: "Event Name|3a| none"; content: "ExploitAttempt"; content: "CylancePROTECT"; threshold: type limit, count 1, seconds 300, track by_src; classtype: exploit-attempt; reference: url,wiki.quadrantsec.com/bin/view/Main/5002575; parse_src_ip: 1; sid:5002575; rev:4;) #misc-attack #Event Type: Threat, Event Name: threat_changed, #Event Type: Threat, Event Name: threat_found, #Event Type: Threat, Event Name: threat_quarantined, #Event Type: Threat, Event Name: threat_removed, 
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[CYLANCE] Threat - Changed"; content: "threat_changed"; content: "Threat"; content: "CylancePROTECT"; threshold: type limit, count 1, seconds 300, track by_src; classtype: misc-attack; reference: url,wiki.quadrantsec.com/bin/view/Main/5002576; parse_src_ip: 1; sid:5002576; rev:4;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[CYLANCE] Threat - Found"; content: "threat_found"; content: "Threat"; content: "CylancePROTECT"; threshold: type limit, count 1, seconds 300, track by_src; classtype: misc-attack; reference: url,wiki.quadrantsec.com/bin/view/Main/5002577; parse_src_ip: 1; sid:5002577; rev:4;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[CYLANCE] Threat - Quarantined"; content: "threat_quarantined"; content: "Threat"; content: "CylancePROTECT"; threshold: type limit, count 1, seconds 300, track by_src; classtype: misc-attack; reference: url,wiki.quadrantsec.com/bin/view/Main/5002578; parse_src_ip: 1; sid:5002578; rev:4;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[CYLANCE] Threat - Removed"; content: "threat_removed"; content: "Threat"; content: "CylancePROTECT"; threshold: type limit, count 1, seconds 300, track by_src; classtype: misc-attack; reference: url,wiki.quadrantsec.com/bin/view/Main/5002579; parse_src_ip: 1; sid:5002579; rev:4;) sagan-1.2.0/rules/linux-kernel.rules0000644000175000017500000001126213310533411016364 0ustar champchamp# linux-kernel.rules # Copyright (c) 2009-2017, Quadrant Information Security # All rights reserved. # # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list # #************************************************************* # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. 
# * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. # #************************************************************* # # These detect "generic" netfilter/iptables messages. Normalization will _not_ work if you are using a user-defined iptables LOG "prefix" option! 
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[LINUX-KERNEL] IPTABLES TCP"; content: "IN="; content: "OUT="; content: "PROTO=TCP"; default_proto: tcp; classtype: bad-unknown; reference: url,wiki.quadrantsec.com/bin/view/Main/5001104; normalize; program: kernel; sid: 5001104; rev:3;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[LINUX-KERNEL] IPTABLES UDP"; content: "IN="; content: "OUT="; content: "PROTO=UDP"; default_proto: udp; classtype: bad-unknown; reference: url,wiki.quadrantsec.com/bin/view/Main/5001105; normalize; program: kernel; sid: 5001105; rev:3;) # General file system errors (Champ Clark - 01/09/2014) alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[LINUX-KERNEL] ReiserFS error"; content: "REISERFS error"; classtype: hardware-event; reference: url,wiki.quadrantsec.com/bin/view/Main/5001943; program: kernel; threshold: type limit, track by_src, count 5, seconds 300; sid: 5001943; rev:2;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[LINUX-KERNEL] Unhandled error code"; content: "Unhandled error code"; classtype: hardware-event; reference: url,wiki.quadrantsec.com/bin/view/Main/5001944; program: kernel; threshold: type limit, track by_src, count 5, seconds 300; sid: 5001944; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[LINUX-KERNEL] I/O error"; content: "I/O error, dev"; content:!"dev fd"; classtype: hardware-event; reference: url,wiki.quadrantsec.com/bin/view/Main/5001945; program: kernel; threshold: type limit, track by_src, count 5, seconds 300; sid: 5001945; rev:3;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[LINUX-KERNEL] hostbyte=DID_ERROR"; content: "hostbyte=DID_ERROR"; classtype: hardware-event; reference: url,wiki.quadrantsec.com/bin/view/Main/5001946; program: kernel; threshold: type limit, track by_src, count 5, seconds 300; sid: 5001946; rev:2;) # HPSA (HP Raid controllers) - (Champ Clark - 05/07/2015) alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[LINUX-KERNEL] Hard drive/RAID - FAILED 
abort on device"; content: "hpsa "; content: "FAILED abort on device"; classtype: hardware-event; reference: url,wiki.quadrantsec.com/bin/view/Main/5002278; program: kernel; sid:5002278; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[LINUX-KERNEL] Hard drive/RAID - probably means device no longer present"; content: "hpsa "; content: "probably means device no longer present"; classtype: hardware-event; reference: url,wiki.quadrantsec.com/bin/view/Main/5002279; program: kernel; sid:5002279; rev:2;) # UDP: bad checksum. From 10.XX.X.XXX:137 to 10.XX.X.XXX:137 ulen 76 #alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[LINUX-KERNEL] Bad UDP checksum"; program: UDP; content: "bad checksum."; classtype: network-event; reference: url,wiki.quadrantsec.com/bin/view/Main/5003115; sid:5003115; rev:1;) sagan-1.2.0/rules/cacti-thold.rules0000644000175000017500000000443113310533411016142 0ustar champchamp# Sagan cacti-thold.rules # Copyright (c) 2009-2017, Quadrant Information Security # All rights reserved. # # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list # #************************************************************* # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. 
# # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. # #************************************************************* # #alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[CACTI] CPU went above threshold"; content: "CPU went above threshold"; classtype: system-event; program: CactiTholdLog; reference: url,wiki.quadrantsec.com/bin/view/Main/5001076; sid: 5001076; rev:2;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[CACTI] CPU restored to normal"; content: "CPU restored to normal"; classtype: system-event; program: CactiTholdLog; reference: url,wiki.quadrantsec.com/bin/view/Main/5001077; sid: 5001077; rev:2;) sagan-1.2.0/rules/hordeimp.rules0000644000175000017500000000662613310533411015566 0ustar champchamp# Sagan hordeimp.rules # Copyright (c) 2009-2017, Quadrant Information Security # All rights reserved. # # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list # #************************************************************* # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. 
# * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
# #************************************************************* alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[HORDEIMP] Informational message"; content: "[info]"; default_proto: tcp; default_dst_port: $HTTP_PORT; classtype: unknown; program: HORDE; reference: url,wiki.quadrantsec.com/bin/view/Main/5000371; sid:5000371; rev:3;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[HORDEIMP] Notice message"; content: "[notice]"; default_proto: tcp; default_dst_port: $HTTP_PORT; classtype: unknown; program: HORDE; reference: url,wiki.quadrantsec.com/bin/view/Main/5000263; sid:5000263; rev:3;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[HORDEIMP] Error message"; content: "[error]"; default_proto: tcp; default_dst_port: $HTTP_PORT; classtype: network-event; program: HORDE; reference: url,wiki.quadrantsec.com/bin/view/Main/5000372; sid:5000372; rev:3;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[HORDEIMP] Emergency message"; content: "[emergency]"; default_proto: tcp; default_dst_port: $HTTP_PORT; classtype: network-event; program: HORDE; reference: url,wiki.quadrantsec.com/bin/view/Main/5000369; sid:5000369; rev:3;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[HORDEIMP] IMP successful login"; content: "Login success for"; default_proto: tcp; default_dst_port: $HTTP_PORT; classtype: successful-user; program: HORDE; reference: url,wiki.quadrantsec.com/bin/view/Main/5000370; sid:5000370; rev:3;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[HORDEIMP] Failed login"; content: "FAILED LOGIN"; default_proto: tcp; default_dst_port: $HTTP_PORT; classtype: unsuccessful-user; program: HORDE; reference: url,wiki.quadrantsec.com/bin/view/Main/5000368; sid:5000368; rev:3;) sagan-1.2.0/rules/ossec.rules0000644000175000017500000001326513310533411015070 0ustar champchamp# Sagan ossec.rules # Copyright (c) 2009-2017, Quadrant Information Security # All rights reserved. 
# # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list # #************************************************************* # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
# #************************************************************* alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Agent started"; content: "Agent started"; classtype: system-event; program: ossec; reference: url,wiki.quadrantsec.com/bin/view/Main/5000285; sid: 5000285; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Ossec started"; content: "Ossec started"; classtype: system-event; program: ossec; reference: url,wiki.quadrantsec.com/bin/view/Main/5000287; sid: 5000287; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Agent disconnect"; content: "Agent disconnected"; classtype: system-event; program: ossec; reference: url,wiki.quadrantsec.com/bin/view/Main/5000288; sid: 5000288; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Ignored common NTFS ADS entries"; pcre: "/Zone.Identifier|Exchsrvrr/Mailroot|vsi|encryptable/i"; classtype: system-event; program: ossec; reference: url,wiki.quadrantsec.com/bin/view/Main/5000289; sid: 5000289; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Windows Audit"; content: "Windows Audit"; classtype: system-event; program: ossec; reference: url,wiki.quadrantsec.com/bin/view/Main/5000290; sid: 5000290; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Windows Malware"; content: "Windows Malware"; classtype: system-event; program: ossec; reference: url,wiki.quadrantsec.com/bin/view/Main/5000291; sid: 5000291; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Windows application monitor event"; content: "Application Found"; classtype: system-event; program: ossec; reference: url,wiki.quadrantsec.com/bin/view/Main/5000292; sid: 5000292; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Ignoring rootcheck/syscheck scan messages"; pcre: "/^Starting rootcheck scan|^Ending rootcheck scan|^Starting syscheck scan|^Ending syscheck scan/i"; classtype: system-event; program: ossec; 
reference: url,wiki.quadrantsec.com/bin/view/Main/5000293; sid: 5000293; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] System Audit"; content: "System Audit"; classtype: system-event; program: ossec; reference: url,wiki.quadrantsec.com/bin/view/Main/5000294; sid: 5000294; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Windows Adware/Spyware application found"; pcre: "/Adware|Spyware/i"; classtype: system-event; program: ossec; reference: url,wiki.quadrantsec.com/bin/view/Main/5000295; sid: 5000295; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Partition usage reached 100% [disk space monitor]"; content: "output"; content: "df -h"; classtype: system-event; program: ossec; reference: url,wiki.quadrantsec.com/bin/view/Main/5000296; sid: 5000296; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Ignoring external medias"; pcre: "/\/cdrom|\/media|usb|\/mount|floppy|dvd/"; classtype: system-event; program: ossec; reference: url,wiki.quadrantsec.com/bin/view/Main/5000297; sid: 5000297; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Integrity checksum for agentless device changed"; content: "agentless"; classtype: system-event; program: ossec; reference: url,wiki.quadrantsec.com/bin/view/Main/5000298; sid: 5000298; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Log file rotated"; content: "File rotated"; classtype: system-event; program: ossec; reference: url,wiki.quadrantsec.com/bin/view/Main/5000299; sid: 5000299; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] File size reduced"; content: "File size reduced"; classtype: system-event; program: ossec; reference: url,wiki.quadrantsec.com/bin/view/Main/5000300; sid: 5000300; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Microsoft event log cleared"; content: "Event log cleared"; classtype: system-event; program: ossec; reference: 
url,wiki.quadrantsec.com/bin/view/Main/5000301; sid: 5000301; rev:1;) sagan-1.2.0/rules/fortinet-aetas.rules0000644000175000017500000000621013310533411016671 0ustar champchamp# Sagan fortinet-aetas.rules # Copyright (c) 2009-2017, Quadrant Information Security # All rights reserved. # # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list # #************************************************************* # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
# #************************************************************* alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET-AETAS] Login accepted at suspicious time"; content: "32006 type="; content: "login"; pcre: "/accepted|successfully/"; parse_src_ip: 1; alert_time: days $SAGAN_DAYS, hours $SAGAN_HOURS; classtype: successful-admin; reference: url,wiki.quadrantsec.com/bin/view/Main/5002043; sid: 5002043; rev:3;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET-AETAS] Administrator Login at suspicious time"; content: "32001 type="; content: "logged in"; parse_src_ip: 1; classtype: successful-admin; alert_time: days $SAGAN_DAYS, hours $SAGAN_HOURS; reference: url,wiki.quadrantsec.com/bin/view/Main/5002044; sid: 5002044; rev:3;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET-AETAS] Admin authentication access at suspicious time"; content: "38001 type="; content: "succeeded in authentication"; parse_src_ip: 1; alert_time: days $SAGAN_DAYS, hours $SAGAN_HOURS; classtype: successful-admin; reference: url,wiki.quadrantsec.com/bin/view/Main/5002045; sid: 5002045; rev:3;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET-AETAS] SSH traffic detected at suspicious time"; content: " service=SSH "; classtype: suspicious-traffic; parse_src_ip: 1; parse_dst_ip: 2; alert_time: days $SAGAN_DAYS, hours $SAGAN_HOURS; reference: url,wiki.quadrantsec.com/bin/view/Main/5002046; sid: 5002046; rev:4;) sagan-1.2.0/rules/ssh-tectia-server-correlated.rules0000644000175000017500000000673013310533411021445 0ustar champchamp# Sagan ssh-tectia-server-correlated.rules # Copyright (c) 2009-2017, Quadrant Information Security # All rights reserved. 
# # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list # #************************************************************* # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. # #************************************************************* # # These rules are for the SSH Tectia Server for Windows systems. 
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[SSH-TECTIA-SERVER-CORRELATED] Authentication success after recon activity"; content: "Login_success"; xbits: isset,by_src,recon; default_proto: tcp; default_dst_port: $SSH_PORT; classtype: correlated-attack; reference: url,wiki.quadrantsec.com/bin/view/Main/5003313; parse_src_ip: 1; parse_dst_ip: 2; program: SSH_Tectia_Server; sid:5003313; rev:1;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[SSH-TECTIA-SERVER-CORRELATED] Authentication success after honeypot activity"; content: "Login_success"; xbits: isset,by_src,honeypot; default_proto: tcp; default_dst_port: $SSH_PORT; classtype: correlated-attack; reference: url,wiki.quadrantsec.com/bin/view/Main/5003314; parse_src_ip: 1; parse_dst_ip: 2; program: SSH_Tectia_Server; sid:5003314; rev:1;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[SSH-TECTIA-SERVER-CORRELATED] Authentication success after exploit attempt"; content: "Login_success"; xbits: isset,by_src,exploit_attempt; default_proto: tcp; default_dst_port: $SSH_PORT; classtype: correlated-attack; reference: url,wiki.quadrantsec.com/bin/view/Main/5003315; parse_src_ip: 1; parse_dst_ip: 2; program: SSH_Tectia_Server; sid:5003315; rev:1;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[SSH-TECTIA-SERVER-CORRELATED] Authentication success after brute force activity"; content: "Login_success"; xbits: isset,by_src,brute_force; default_proto: tcp; default_dst_port: $SSH_PORT; classtype: correlated-attack; reference: url,wiki.quadrantsec.com/bin/view/Main/5003316; parse_src_ip: 1; parse_dst_ip: 2; program: SSH_Tectia_Server; sid:5003316; rev:1;) sagan-1.2.0/rules/fipaypin.rules0000644000175000017500000001411013310533411015561 0ustar champchamp# Sagan fipaypin.rules # Copyright (c) 2009-2017, Quadrant Information Security # All rights reserved. 
# # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list # #************************************************************* # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. # #************************************************************* # # Rules to be used with PoS (Point of Sale) FiPay PIN (Flexible Integrated Payment System) credit card # processing devices. 
For information about AJB Software's web site: # # http://www.ajbsoftware.com/ # http://support.ajbsoftware.com/index.aspx?menuId=10305 # 10.11.11.11|daemon|warning|warning|1c|2015-11-28|16:31:49|xxx_RTS_FIPEMV2| 8: 2015/11/28 16:31:49.423 C-400008 FIPAYPIN FIPEMV2 : Call Remote: A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond 10.11.11.11:26008 # 10.11.11.11|daemon|warning|warning|1c|2015-12-07|02:06:24|xxx_RTS_FIPAYPIN| 8: 2015/12/07 02:06:24.537 C-400008 FIPAYPIN FIPAYPIN : Unable to connect Fipay Node 'whatever' #alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[FIPAYPIN] Connection failed to Fipay [5/2]"; content: "C-400008"; default_proto: tcp; classtype: misc-activity; program: *FIPAYPIN*; parse_src_ip: 1; parse_port; after: track by_src, count 5, seconds 300; threshold: type limit, track by_src, count 2, seconds 3600; reference: url,wiki.quadrantsec.com/bin/view/Main/sid:5002764; sid:5002764; rev:2;) # 10.11.11.11|daemon|warning|warning|1c|2015-11-07|16:55:15|xxx_RTS_FIPEMV1| 2046: 2015/11/07 16:55:15.154 S-302046 FIPAYPIN FIPEMV1 : Slow send (from 16:55:14.622 --> 531ms).Thread ID:9 #alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[FIPAYPIN] Slow send!"; content: "S-302046"; default_proto: tcp; classtype: misc-activity; program: *FIPEMV*; after: track by_src, count 5, seconds 300; threshold: type limit, track by_src, count 2, seconds 3600; reference: url,wiki.quadrantsec.com/bin/view/Main/sid:5002765; sid:5002765; rev:2;) # See sagan.conf for $CREDIT_CARD_PREFIXES. 
# 10.11.11.11|daemon|warning|warning|1c|2015-11-03|10:27:43|xxx_RTS_FIPAYPIN| 0: 2015/11/03 10:27:43.379 S-300000 FIPAYPIN FIPAYPIN : Swpe: Response Success track2=666666******6666 svc=6666 alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[FIPAYPIN] Invalid credit card detected"; content: "S-300000"; content: "Swpe: Response"; meta_content:!"track2=%sagan%", $CREDIT_CARD_PREFIXES; default_proto: tcp; classtype: misc-activity; program: *FIPAYPIN*; reference: url,wiki.quadrantsec.com/bin/view/Main/sid:5002766; sid:5002766; rev:3;) # 10.11.11.11|daemon|warning|warning|1c|2015-11-27|10:46:42|xxx_RTS_FIPAYPIN| 0: 2015/11/27 10:46:41.999 S-300000 FIPAYPIN FIPAYPIN : Bad/No Pin Block and KSN returned - Check to ensure your pinpad had DUKPT keys loaded. alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[FIPAYPIN] Bad/No Pin Block and KSN returned"; content: "S-300000"; content: "Bad/No Pin Block and KSN returned"; default_proto: tcp; classtype: misc-activity; program: *FIPAYPIN*; reference: url,wiki.quadrantsec.com/bin/view/Main/sid:5002767; sid:5002767; rev:2;) # 10.11.11.11|daemon|warning|warning|1c|2015-11-15|15:38:02|xxx_RTS_FIPAYPIN| 0: 2015/11/15 15:38:02.220 S-300000 FIPAYPIN FIPAYPIN : Blocked the response to POS. alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[FIPAYPIN] Blocked the response to POS"; content: "S-300000"; content: "Blocked the response to POS"; default_proto: tcp; classtype: misc-activity; program: *FIPAYPIN*; reference: url,wiki.quadrantsec.com/bin/view/Main/sid:5002768; sid:5002768; rev:2;) # 10.30.1.131|daemon|warning|warning|1c|2015-11-19|11:33:13|xxx_RTS_FIPAYPIN| 0: 2015/11/19 11:33:13.015 S-300000 FIPAYPIN FIPAYPIN : Failed to open pinpad COM9. 
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[FIPAYPIN] Failed to open pinpad [0/2]"; content: "S-300000"; content: "Failed to open pinpad"; default_proto: tcp; classtype: misc-activity; program: *FIPAYPIN*; threshold: type limit, track by_src, count 2, seconds 3600; reference: url,wiki.quadrantsec.com/bin/view/Main/sid:5002769; sid:5002769; rev:2;)

# 10.11.11.11|daemon|warning|warning|1c|2015-11-04|13:57:27|xxx_RTS_FIPAYPIN| 0: 2015/11/04 13:57:27.037 S-300000 FIPAYPIN FIPAYPIN : Replace macro [RTS1_IP] with value '10.11.11.11'

# See sagan.conf for the $RFC1918 var. The negated meta_content is a substring
# check for "value '" followed by each $RFC1918 entry, so check that the var
# covers every private prefix (10., 192.168., and all of 172.16. - 172.31.) or
# hosts in a missing range will be reported as "outside RFC1918".
# NOTE(review): the log quotes the value with ONE single quote (see sample
# above). The previous revision matched on a doubled quote ("value ''"), which
# never occurs in the log, so the negated check fired on every RTS1_IP macro
# replacement regardless of address.
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[FIPAYPIN] Replace macro from outside RFC1918"; content: "S-300000"; content: "RTS1_IP"; meta_content:!"value '%sagan%", $RFC1918; default_proto: tcp; classtype: misc-activity; program: *FIPAYPIN*; reference: url,wiki.quadrantsec.com/bin/view/Main/sid:5002770; sid:5002770; rev:3;)
sagan-1.2.0/rules/citrix-blacklist.rules0000644000175000017500000000620313310533411017216 0ustar champchamp# Sagan citrix-blacklist.rules
# Copyright (c) 2009-2017, Quadrant Information Security
# All rights reserved.
#
# Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list
#
#*************************************************************
# Redistribution and use in source and binary forms, with or without modification, are permitted provided that the
# following conditions are met:
#
# * Redistributions of source code must retain the above copyright notice, this list of conditions and the following
# disclaimer.
# * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the
# following disclaimer in the documentation and/or other materials provided with the distribution.
# * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES,
# INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
# USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#
#*************************************************************

# Citrix appliances/devices/software

# Login from blacklisted IP (Champ Clark / 04/01/2015)
# NOTE(review): "blacklist: by_src" together with "fwsam: src, 1 day" turns a match
# into an automated one-day firewall block of the parsed source address, and
# "parse_src_ip: 1" takes the FIRST IPv4 literal in the log line. Confirm that the
# Citrix "SSLVPN LOGIN" format places the client address first; if a NetScaler VIP
# or internal address comes first, the block lands on the wrong host. Also note
# this is a completed login from a blacklisted source, so the "unsuccessful-user"
# classtype likely under-states its severity relative to the failed-login rules.
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX-BLACKLIST] Login from outside blacklisted IP"; content: "SSLVPN LOGIN"; default_proto: tcp; default_dst_port: $HTTPS_PORT; classtype: unsuccessful-user; parse_src_ip: 1; parse_dst_ip: 2; blacklist: by_src; fwsam: src, 1 day; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5002261; sid: 5002261; rev:2;)

#alert any $EXTERNAL_NET any -> $HOME_NET $HTTPS_PORT (msg: "[CITRIX-BLACKLIST] AAA LOGIN_FAILED from blacklisted IP"; content: "AAA LOGIN_FAILED"; default_proto: tcp; default_dst_port: $HTTPS_PORT; classtype: unsuccessful-user; parse_src_ip: 1; normalize; blacklist: by_src; fwsam: src, 1 day; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5002281; sid:5002281; rev:2;)

alert any $EXTERNAL_NET any -> $HOME_NET $HTTPS_PORT (msg: "[CITRIX-BLACKLIST] SSLVPN HTTPREQUEST from blacklisted IP"; content: "SSLVPN HTTPREQUEST"; default_proto: tcp; default_dst_port: $HTTPS_PORT; classtype: 
unsuccessful-user; parse_src_ip: 1; normalize; blacklist: by_src; fwsam: src, 1 day; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5002285; sid:5002285; rev:3;)
sagan-1.2.0/rules/normalization.rulebase0000644000175000017500000013410613310533411017310 0ustar champchamp#version=2
# Sagan normalization.rulebase
# Copyright (c) 2009-2017, Quadrant Information Security
# All rights reserved.
#
# This file is used in conjunction with liblognorm (rulebase format version 2, per the
# "#version=2" line above). Sagan rules that carry the "normalize" keyword run the log
# message through these rules to extract fields such as src-ip, dst-ip, src-port,
# dst-port and username.
#
# Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list
#
#*************************************************************
# Redistribution and use in source and binary forms, with or without modification, are permitted provided that the
# following conditions are met:
#
# * Redistributions of source code must retain the above copyright notice, this list of conditions and the following
# disclaimer.
# * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the
# following disclaimer in the documentation and/or other materials provided with the distribution.
# * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES,
# INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
# DISCLAIMED.
IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. # #************************************************************* prefix= #***************************************************************************** # arpalert #***************************************************************************** # arpalert # seq=277, mac=00:01:d7:35:55:06, ip=172.22.1.53, reference=172.22.2.69, type=ip_change, dev=eth0, vendor="F5 Networks, Inc." rule=: seq=%-:word%, mac=%-:word%, ip=%src-ip:ipv4%, reference=%dst-ip:ipv4%, %-:rest% #***************************************************************************** # Bro #***************************************************************************** # This is a "custom" bro output Sagan uses for file hashes from Bro. 
rule=: files: %-:word% %-:word% %src-ip:ipv4% %dst-ip:ipv4% %-:word% %-:word% %-:number% %-:word% %mime-type:word% %-:word% %-:word% %-:word% %-:word% %-:number% %-:number% %-:number% %-:number% %-:word% %-:word% %filehash-md5:word% %filehash-sha1:word% %filehash-sha256:word% %-:rest%

#*****************************************************************************
# Cisco
#*****************************************************************************

# 1w3d: %SNMP-3-AUTHFAIL: Authentication failure for SNMP req from host 192.168.0.1
rule=: %uptime:word% %authfail:word% Authentication failure for SNMP req from host %src-ip:ipv4%

# Dec 26 19:59:26: %SNMP-3-AUTHFAIL: Authentication failure for SNMP req from host 10.1.128.27
rule=: %month:word% %day:word% %hour:word% %%SNMP-3-AUTHFAIL: Authentication failure for SNMP req from host %src-ip:ipv4%

# Access denied URL http://www.example.com/somethings.txt SRC 192.168.0.1 DEST 10.10.10.10 on interface inside
rule=: Access denied URL %url:word% SRC %src-ip:ipv4% DEST %dst-ip:ipv4% %-:rest%

# Caused by WebVPN or IPSec
# AAA user authentication Successful : server = 10.10.10.10 : user = domain\bob
# NOTE(review): the server address was previously tagged "ip-src". Every other rule in
# this file, including the Rejected variant directly below, tags it "src-ip", which is
# presumably the field name Sagan reads after normalization, so the mistyped tag most
# likely meant the address was silently dropped for successful AAA logins.
rule=: AAA user authentication Successful : server = %src-ip:ipv4% : user = %username:word%
rule=: AAA user authentication Rejected : reason = AAA failure : server = %src-ip:ipv4% : user = %username:word%

# User authentication failed: Uname: timothy
rule=: User authentication failed: Uname: %username:word%

# Space at the end of this line!
# %ASA-6-315011: SSH session from 192.168.0.1 on interface Outside2 for user "test" disconnected by SSH server, reason: "Internal error" (0x00) # SSH session from 10.20.10.200 on interface Outside2 for user "root" disconnected by SSH server, reason: "Internal error" (0x00) rule=: SSH session from %src-ip:ipv4% on interface %-:word% for user %username:quoted-string% disconnected by SSH server, %-:rest% rule=: SSH session from %src-ip:ipv4% on interface %-:word% for user %username:quoted-string% disconnected by SSH server, %-:rest% rule=: Configured from console by %-:word% (%src-ip:ipv4%) rule=: Authentication failure for %proto:word% req from host %src-ip:ipv4% rule=: Attempted to connect to %username:word% from %src-ip:ipv4% # 02:19:47.007 UTC: %SNMP-3-AUTHFAIL: Authentication failure for SNMP req from host 10.10.10.10 # rule=: %-:word% %-:word% %-:word% %-:word% %%SNMP-3-AUTHFAIL: Authentication failure for SNMP req from host %src-ip:ipv4% # Deny TCP (no connection) from perforce/139 to 192.168.73.1/2048 flags RST ACK on interface INSIDE # rule=: Deny %proto:word% (no connection) from %src-ip:ipv4%/%src-port:number% to %dst-ip:ipv4%/%dst-port:number% flags %-:rest% # Mar 31 02:30:42.815 UTC: %SYS-5-CONFIG_I: Configured from console by sachen on vty0 (10.32.23.63) # rule=: %-:word% %-:word% %-:word% %-:word% %%SYS-5-CONFIG_I: Configured from console by %username:word% on %-:word% (%src-ip:ipv4%) # Deny inbound UDP from 46.161.166.49/63905 to 214.20.10.211/65257 on interface OUTSIDE # rule=: Deny inbound UDP from %src-ip:ipv4%/%src-port:number% to %dst-ip:ipv4%/%dst-port:number% %-:rest% # Denied ICMP type=8, code=0 from 159.101.118.111 on interface INSIDE # rule=: Denied ICMP type=%-:number%, code=%-:number% from %src-ip:ipv4% %-:rest% # These cover a lot of WebVPN, etc rules. # # Group User IP <10.10.10.10> WebVPN session terminated: User Requested. # Group User IP <10.10.10.10> WebVPN session terminated: Idle Timeout. 
# Group User IP <10.10.10.10> SVC closing connection: Transport closing.
# Group User IP <10.10.10.10> SVC Message: 17/ERROR: Reconnecting to recover from error..
# rule=: Group <%-:char-to:\x3e%> User <%username:char-to:\x3e%> IP <%src-ip:char-to:\x3e%> %-:rest%

# Teardown UDP connection 31929471 for inside:10.10.10.10/1111 to dmz:239.254.0.4/12224 duration 0:00:00 bytes 0
# Teardown TCP connection 1829067148 for outside:10.10.10.10/443 to inside:192.168.1.1/10830 duration 0:03:04 bytes 8699 TCP FINs"
rule=: Teardown %proto:word% connection %connection:number% for %-:char-to:\x3a%:%src-ip:ipv4%/%src-port:number% to %-:char-to:\x3a%:%dst-ip:ipv4%/%dst-port:number% %-:rest%

# Teardown ICMP connection for faddr 10.10.10.10/0 gaddr 192.168.1.1/10000 laddr 192.168.1.1/100001
# NOTE(review): the gaddr port used to be the literal "28694" copied from a sample
# log, so this rule only matched when the global port happened to be 28694. It is
# now parsed as dst-port like the other Teardown rule.
rule=: Teardown %proto:word% connection for %-:word% %src-ip:ipv4%/%src-port:number% %-:word% %dst-ip:ipv4%/%dst-port:number% %-:rest%

# access-list inside_egress permitted tcp inside/10.10.10.1(10000) -> outside/192.186.1.1(80) hit-cnt 1 first hit [0xf83f456b, 0x0]
rule=: access-list %-:word% permitted %proto:word% %-:char-to:\x2f%/%src-ip:ipv4%(%src-port:number%) -> %-:char-to:\x2f%/%dst-ip:ipv4%(%dst-port:number%) %-:rest%

# Built inbound TCP connection 3171137 for outside:10.10.10.10/10000 (10.10.10.10/10000)(DOMAIN\Bob) to inside:192.168.1.10/80 (192.168.1.1/80) (Bob)
# NOTE(review): the mapped port inside the parentheses used to be the literal
# "58521" (same copy-paste problem as the ICMP Teardown rule above); it is now
# consumed as an anonymous number so the rule matches any mapped port.
rule=: Built %-:word% %proto:word% connection %-:number% for %-:char-to:\x3a%:%src-ip:ipv4%/%src-port:number% (%-:ipv4%/%-:number%)(%domain:char-to:\x5c%\%username:char-to:\x29%) to %-:char-to:\x3a%:%dst-ip:ipv4%/%dst-port:number% %-:rest%

# Built inbound TCP connection 1834111354 for outside:10.10.10.10/28490 (10.10.10.10/28490) to dmz:192.168.1.1/80 (192.168.1.1/80)
rule=: Built %-:word% %proto:word% connection %-:number% for %-:char-to:\x3a%:%src-ip:ipv4%/%src-port:number% %-:word% to %-:char-to:\x3a%:%dst-ip:ipv4%/%dst-port:number% %-:rest%

# Group = Employee, Username = bob, IP = 10.10.10.10, Error processing payload: Payload ID: 14
rule=: 
Group = %-:word%, Username = %username:word%, IP = %src-ip:ipv4%, %-:rest%
rule=: Group = %-:char-to:\x2c%, Username = %username:char-to:\x2c%, IP = %src-ip:ipv4%, %-:rest%

# FTP connection from inside:10.10.1.1/3789 to outside:12.12.12.12/21, user bob Retrieved file somefile.txt
rule=: FTP connection from %-:char-to:\x3a%:%src-ip:ipv4%/%src-port:number% to %-:char-to:\x3a%:%dst-ip:ipv4%/%dst-port:number%, user %username:word% %-:rest%

# TCP access denied by ACL from 10.10.10.10/28490 to inside:192.168.1.1/80
# NOTE(review): this line previously read "rule =:" with a space before "=". Every
# other rule in this file uses "rule=:", and liblognorm is not expected to recognise
# the spaced form as a rule directive, so the ACL-deny pattern was presumably never
# loaded.
rule=: TCP access denied by ACL from %src-ip:ipv4%/%src-port:number% to %-:char-to:\x3a%:%dst-ip:ipv4%/%dst-port:number%

# Teardown TCP connection 361112504 for outside:10.10.1.100/61160(LOCAL\Bob) to inside:12.159.2.124/443 duration 0:00:13 bytes 3216 TCP FINs (Bob)
rule=: Teardown %proto:word% connection %-:number% for outside:%src-ip:ipv4%/%src-port:number%%-:word% to inside:%dst-ip:ipv4%/%dst-port:number% %-:rest%

# Cisco ACS normalization
rule=: %-:word% %-:number% %-:number% %-:word% %-:word% %-:word% %-:word% %-:word% NOTICE Failed-Attempt: Authentication failed, ACSVersion=%-:word% ConfigVersionId=%-:word% Device IP Address=%src-ip:char-to:\x2c%, Device Port=%src-port:char-to:\x2c%, UserName=%username:char-to:\x2c%, Protocol=%-:word% RequestLatency=%-:word% NetworkDeviceName=%-:word% Type=Authentication, Action=Login, Privilege-Level=%-:word% Authen-Type=%-:word% Service=Login, User=%-:word% Port=%-:word% Remote-Address=%dst-ip:char-to:\x2c%, %-:rest%

#*****************************************************************************
# DNS (bind, etc)
#*****************************************************************************

rule=: client %src-ip:ipv4%#%src-port:number%: update '%-:char-to:\x27%' denied
rule=: client %src-ip:ipv4%#%src-port:number%: query (cache) '%-:char-to:\x27%' denied
rule=: unexpected RCODE %-:word% resolving '%-:char-to:\x27%': %src-ip:ipv4%#%src-port:number%
rule=: error (unexpected RCODE %-:word% resolving '%-:char-to:\x27%': 
%src-ip:ipv4%#%src-port:number%

#*****************************************************************************
# Fortinet/Fortigate
#*****************************************************************************

rule=: time=%-:word% devname=%-:word% devid=%-:word% logid=%-:word% type=%-:word% subtype=%-:word% level=%-:word% vd=%-:word% srcip=%src-ip:ipv4% srcport=%src-port:number% srcintf=%-:word% dstip=%dst-ip:ipv4% dstport=%dst-port:number% dstintf=%-:word% %-:rest%

#*****************************************************************************
# IMAP
#*****************************************************************************

rule=: Logout user=%username:word% host=%-:word% [%src-ip:ipv4%]
rule=: Login excessive login failures user=%username:word% auth=%-:word% host=%-:word% [%src-ip:ipv4%]
rule=: Login failed user=%username:word% auth=%-:word% host=%-:word% [%src-ip:ipv4%]
rule=: authentication failure; logname= uid=%-:word% euid=%-:word% tty=%-:word% ruser=%-:word% rhost=%src-ip:ipv4% user=%username:word%

#*****************************************************************************
# Imperva
#*****************************************************************************

# NOTE(review): dpt= (the port paired with dst=) was previously tagged src-port,
# colliding with spt= which is also src-port; it is now tagged dst-port so the
# destination and source ports of a blocked request stay distinct, matching the
# Fortinet rule above.
rule=: act=Block dst=%dst-ip:ipv4% dpt=%dst-port:number% duser=%username:word% src=%src-ip:ipv4% spt=%src-port:number% proto=%proto:word% %all:rest%

#*****************************************************************************
# Linux kernel
#*****************************************************************************

# Rulebase notes:
#
# iptables TCP : iptables flags "--state NEW,INVALID -j LOG" (NOTE: no --prefix!)
# # # [6251572.861709] IN=fire OUT=fire PHYSIN=eth0 PHYSOUT=eth1 SRC=X.X.X.X DST=X.X.X.X LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=9133 DF PROTO=TCP SPT=50661 DPT=113 WINDOW=5840 RES=0x00 SYN URGP=0 rule=: %-:word% IN=%-:word% OUT=%-:word% PHYSIN=%-:word% PHYSOUT=%-:word% SRC=%src-ip:ipv4% DST=%dst-ip:ipv4% LEN=%-:number% TOS=%-:word% PREC=%-:word% TTL=%-:number% ID=%-:number% %-:word% PROTO=%proto:word% SPT=%src-port:number% DPT=%dst-port:number% %-:rest% # iptables UDP : iptables flags "--state NEW,INVALID -j LOG" (NOTE: no --prefix!) # # [6252395.294134] IN=fire OUT=fire PHYSIN=eth1 PHYSOUT=eth0 SRC=X.X.X.X DST=X.X.X.X LEN=78 TOS=0x00 PREC=0x00 TTL=50 ID=8658 DF PROTO=UDP SPT=137 DPT=137 LEN=52 # [6255730.106539] IN=fire OUT=fire PHYSIN=eth0 SRC=X.X.X.X DST=X.X.X.X LEN=76 TOS=0x00 PREC=0xC0 TTL=63 ID=34162 PROTO=UDP SPT=123 DPT=123 LEN=56 # [6256275.991117] IN=fire OUT=fire PHYSIN=eth0 PHYSOUT=eth1 SRC=X.X.X.X DST=X.X.X.X LEN=241 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=138 DPT=138 LEN=221 rule=: %-:word% IN=%-:word% OUT=%-:word% PHYSIN=%-:word% PHYSOUT=%-:word% SRC=%src-ip:ipv4% DST=%dst-ip:ipv4% LEN=%-:number% TOS=%-:word% PREC=%-:word% TTL=%-:word% ID=%-:number% PROTO=%-:word% SPT=%src-port:number% DPT=%dst-port:number% %-:rest% rule=: %-:word% IN=%-:word% OUT=%-:word% PHYSIN=%-:word% SRC=%src-ip:ipv4% DST=%dst-ip:ipv4% LEN=%-:number% TOS=%-:word% PREC=%-:word% TTL=%-:number% ID=%-:number% PROTO=%proto:word% SPT=%src-port:number% DPT=%dst-port:number% %-:rest% #***************************************************************************** # nfcap / nfdump #***************************************************************************** # source_ip: 10.1.1.1/54630, destination_ip: 12.159.2.100/13620, protocol: TCP, duration: 0.204, flags: |.A..S.|, tos: 0, packets: 2, bytes: 92, last_time: 2015-06-04 18:29:58, reported by 10.5.1.1 rule=: source_ip: %src-ip:ipv4%/%src-port:number%, destination_ip: %dst-ip:ipv4%/%dst-port:number%, protocol: %proto:char-to:\x2c%, 
%-:rest% #***************************************************************************** # OpenSSH #***************************************************************************** rule=: Failed %-:word% for invalid user %username:word% from %src-ip:ipv4% port %src-port:number% ssh2 rule=: Accepted %-:word% for %username:word% from %src-ip:ipv4% port %src-port:number% ssh2 rule=: Accepted keyboard-interactive/pam for %username:word% from %src-ip:ipv4% port %src-port:number% ssh2 rule=: Accepted password for %username:word% from %src-ip:ipv4% port %src-port:number% ssh2 rule=: error: PAM: Authentication failure for %username:word% from %src-ip:ipv4% rule=: error: PAM: Authentication failure for %username:word% from %src-host:word% rule=: pam_unix(sshd:auth): authentication failure; logname= uid=%uid:number% euid=%-:number% tty=ssh ruser= rhost=%src-ip:ipv4% user=%username:word% rule=: pam_unix(sshd:auth): authentication failure; logname= uid=%uid:number% euid=%-:number% tty=ssh ruser= rhost=%src-ip:ipv4% rule=: PAM %number:number% more authentication failure; logname= uid=%uid:number% euid=%-:number% tty=ssh ruser= rhost=%src-ip:ipv4% rule=: Accepted publickey for %username:word% from %src-ip:ipv4% port %src-port:number% ssh2 rule=: error: PAM: Authentication failure for illegal user %username:word% from %src-ip:ipv4% rule=: Failed password for %username:word% from %src-ip:ipv4% port %src-port:number% ssh2 rule=: Accepted gssapi-with-mic for %username:word% from %src-ip:ipv4% port %src-port:number% ssh2 rule=: Postponed keyboard-interactive for invalid user %username:word% from %src-ip:ipv4% port %src-port:number% ssh2 [preauth] rule=: Failed keyboard-interactive/pam for invalid user %username:word% from %src-ip:ipv4% port %src-port:number% ssh2 rule=: input_userauth_request: invalid user %username:word% [preauth] rule=: Invalid user %username:word% from %src-ip:ipv4% rule=: Disconnecting: Too many authentication failures for %username:word% from %src-ip:ipv4% port 
%src-port:number% ssh2 [preauth] #***************************************************************************** # Palo-Alto # # Tested 04/10/17 by Cyber.Tao.Flow # These logs lack a program in the syslog header causing (at least on syslog-ng) the date field from the log message to become the program like so: # # 10.10.10.1|user|notice|notice|0d|2017-04-11|08:39:21|1,2017/04/11| 08:39:21,123456790,THREAT,url,0,2017/04/11 # #Therefore the two prefix's are included below. IF YOUR LOGGER LEAVES THE DATE AS PART OF THE MSG THEN USE THE OTHER PREFIX STARTING WITH %-:number # #Everything between rule= and : is an event tag to assist with troubleshooting lognorm parser issues. #***************************************************************************** #prefix= %-:number,%date:date-iso% %time:time-24hr%,%devserial:char-sep:\x2C%, prefix= %time:time-24hr%,%devserial:char-sep:\x2C%, rule=url-log,pattern4:THREAT,url,%dtm:char-sep:\x2C%,%genyear:number%/%genmonth:number%/%genday:number% %gentime:time-24hr%,%src-ip:ipv4%,%dst-ip:ipv4%,%natsrcip:ipv4%,%natdstip:ipv4%,%policy:char-sep:\x2C%,%-:char-sep:\x2C%,%-:char-sep:\x2C%,%app:char-sep:\x2C%,%vsys:char-sep:\x2C%,%srczone:char-sep:\x2C%,%dstzone:char-sep:\x2C%,%srcintf:char-sep:\x2C%,%dstintf:char-sep:\x2C%,%logprofile:char-sep:\x2C%,%year:number%/%month:number%/%day:number% %time:time-24hr%,%session:number%,%count:number%,%src-port:number%,%dst-port:number%,%nat-src-port:number%,%nat-dst-port:number%,%flags:char-sep:\x2C%,tcp,%action:char-sep:\x2C%,%http_uri:char-sep:\x2C%,(9999),%url-catagory:char-sep:\x2C%,%severity:char-sep:\x2C%,%direction:char-sep:\x2C%,%sequence_number:number%,%actionflags:char-sep:\x2C%,%geo_source:char-sep:\x2C%,%geo_dest:char-sep:\x2C%,%therest:rest%, rule=url-log,pattern1:THREAT,url,%dtm:char-sep:\x2C%,%genyear:number%/%genmonth:number%/%genday:number% 
%gentime:time-24hr%,%src-ip:ipv4%,%dst-ip:ipv4%,%natsrcip:char-sep:\x2C%,%natdstip:char-sep:\x2C%,%policy:char-sep:\x2C%,%source_user:char-sep:\x2C%,%destination_user:char-sep:\x2C%,%app:char-sep:\x2C%,%vsys:char-sep:\x2C%,%srczone:char-sep:\x2C%,%dstzone:char-sep:\x2C%,%srcintf:char-sep:\x2C%,%dstintf:char-sep:\x2C%,%logprofile:char-sep:\x2C%,%year:number%/%month:number%/%day:number% %time:time-24hr%,%session_id:number%,%count:number%,%src-port:number%,%dst-port:number%,%nat-src-port:char-sep:\x2C%,%nat-dst-port:char-sep:\x2C%,%flags:char-sep:\x2C%,tcp,%action:char-sep:\x2C%,%url:quoted-string%,(%threatid:char-sep:\x2C%),%url-catagory:char-sep:\x2C%,%severity:char-sep:\x2C%,%direction:char-sep:\x2C%,%sequence_number:number%,%actionflags:char-sep:\x2C%,%geo_source:char-sep:\x2C%,%geo_dest:char-sep:\x2C%,%therest:rest% rule=url-log,pattern2:THREAT,url,%dtm:char-sep:\x2C%,%genyear:number%/%genmonth:number%/%genday:number% %gentime:time-24hr%,%src-ip:ipv4%,%dst-ip:ipv4%,%natsrcip:ipv4%,%natdstip:ipv4%,%policy:char-sep:\x2C%,%-:char-sep:\x2C%,%-:char-sep:\x2C%,%app:char-sep:\x2C%,%vsys:char-sep:\x2C%,%srczone:char-sep:\x2C%,%dstzone:char-sep:\x2C%,%srcintf:char-sep:\x2C%,%dstintf:char-sep:\x2C%,%logprofile:char-sep:\x2C%,%year:number%/%month:number%/%day:number% %time:time-24hr%,%session:number%,%count:number%,%src-port:number%,%dst-port:number%,%nat-src-port:number%,%nat-dst-port:number%,%flags:char-sep:\x2C%,tcp,%action:char-sep:\x2C%,%url:char-sep:\x28%,%ips-threat-id:char-sep:\x2C%,%url-catagory:char-sep:\x2C%,%severity:char-sep:\x2C%,%direction:char-sep:\x2C%,%sequence_number:number%,%actionflags:char-sep:\x2C%,%geo_source:char-sep:\x2C%,%geo_dest:char-sep:\x2C%,%therest:rest% rule=url-log,pattern3:THREAT,url,%-:char-sep:\x2C%,%genyear:number%/%genmonth:number%/%genday:number% 
%gentime:time-24hr%,%src-ip:ipv4%,%dst-ip:ipv4%,%natsrcip:ipv4%,%natdstip:ipv4%,%policy:char-sep:\x2C%,%-:char-sep:\x2C%,%-:char-sep:\x2C%,%app:char-sep:\x2C%,%vsys:char-sep:\x2C%,%srczone:char-sep:\x2C%,%dstzone:char-sep:\x2C%,%srcintf:char-sep:\x2C%,%dstintf:char-sep:\x2C%,%logprofile:char-sep:\x2C%,%year:number%/%month:number%/%day:number% %time:time-24hr%,%session:number%,%count:number%,%src-port:number%,%dst-port:number%,%nat-src-port:number%,%nat-dst-port:number%,%flags:char-sep:\x2C%,tcp,%action:char-sep:\x2C%,%url:char-sep:\x22\x2C\x28%,(%ips-threat-id:char-sep:\x28%,%url-catagory:char-sep:\x2C%,%severity:char-sep:\x2C%,%direction:char-sep:\x2C%,%sequence_number:number%,%actionflags:char-sep:\x2C%,%geo_source:char-sep:\x2C%,%geo_dest:char-sep:\x2C%,%unusedfield:char-sep:\x2C%,%content-type:char-sep:\x2C%,%-:char-sep:\x2C%,%-:char-sep:\x2C%,%therest:rest% rule=url-log,pattern5:THREAT,url,%dtm:char-sep:\x2C%,%genyear:number%/%genmonth:number%/%genday:number% %gentime:time-24hr%,%src-ip:ipv4%,%dst-ip:ipv4%,%natsrcip:ipv4%,%natdstip:ipv4%,%policy:char-sep:\x2C%,%-:char-sep:\x2C%,%-:char-sep:\x2C%,%app:char-sep:\x2C%,%vsys:char-sep:\x2C%,%srczone:char-sep:\x2C%,%dstzone:char-sep:\x2C%,%srcintf:char-sep:\x2C%,%dstintf:char-sep:\x2C%,%logprofile:char-sep:\x2C%,%year:number%/%month:number%/%day:number% %time:time-24hr%,%session:number%,%count:number%,%src-port:number%,%dst-port:number%,%nat-src-port:number%,%nat-dst-port:number%,%flags:char-sep:\x2C%,tcp,%action:char-sep:\x2C%,%url:quoted-string%,(9999),%url-catagory:char-sep:\x2C%,%severity:char-sep:\x2C%,%direction:char-sep:\x2C%,%sequence_number:number%,%actionflags:char-sep:\x2C%,%geo_source:char-sep:\x2C%,%geo_dest:char-sep:\x2C%,%therest:rest% rule=url-log,pattern6:THREAT,url,%dtm:char-sep:\x2C%,%genyear:number%/%genmonth:number%/%genday:number% 
%gentime:time-24hr%,%src-ip:ipv4%,%dst-ip:ipv4%,%natsrcip:ipv4%,%natdstip:ipv4%,%policy:char-sep:\x2C%,%-:char-sep:\x2C%,%-:char-sep:\x2C%,%app:char-sep:\x2C%,%vsys:char-sep:\x2C%,%srczone:char-sep:\x2C%,%dstzone:char-sep:\x2C%,%srcintf:char-sep:\x2C%,%dstintf:char-sep:\x2C%,%logprofile:char-sep:\x2C%,%year:number%/%month:number%/%day:number% %time:time-24hr%,%session:number%,%count:number%,%src-port:number%,%dst-port:number%,%nat-src-port:number%,%nat-dst-port:number%,%flags:char-sep:\x2C%,tcp,%action:char-sep:\x2C%,%url:quoted-string%,%ips-threat-id:char-sep:\x2C%,%url-catagory:char-sep:\x2C%,%severity:char-sep:\x2C%,%direction:char-sep:\x2C%,%sequence_number:number%,%actionflags:char-sep:\x2C%,%geo_source:char-sep:\x2C%,%geo_dest:char-sep:\x2C%,%therest:rest% rule=url-log,pattern7:THREAT,url,%-:char-sep:\x2C%,%genyear:number%/%genmonth:number%/%genday:number% %gentime:time-24hr%,%src-ip:ipv4%,%dst-ip:ipv4%,%natsrcip:ipv4%,%natdstip:ipv4%,%policy:char-sep:\x2C%,%-:char-sep:\x2C%,%-:char-sep:\x2C%,%app:char-sep:\x2C%,%vsys:char-sep:\x2C%,%srczone:char-sep:\x2C%,%dstzone:char-sep:\x2C%,%srcintf:char-sep:\x2C%,%dstintf:char-sep:\x2C%,%logprofile:char-sep:\x2C%,%year:number%/%month:number%/%day:number% %time:time-24hr%,%session:number%,%count:number%,%src-port:number%,%dst-port:number%,%nat-src-port:number%,%nat-dst-port:number%,%flags:char-sep:\x2C%,tcp,%action:char-sep:\x2C%,\"%url:char-sep:\x22\x2C%\",(%ips-threat-id:char-sep:\x28%,%url-catagory:char-sep:\x2C%,%severity:char-sep:\x2C%,%direction:char-sep:\x2C%,%sequence_number:number%,%actionflags:char-sep:\x2C%,%geo_source:char-sep:\x2C%,%geo_dest:char-sep:\x2C%,%unusedfield:char-sep:\x2C%,%content-type:char-sep:\x2C%,%-:char-sep:\x2C%,%-:char-sep:\x2C%,%therest:rest% rule=virus,pattern1:THREAT,virus,%dtm:char-sep:\x2C%,%genyear:number%/%genmonth:number%/%genday:number% 
%gentime:time-24hr%,%src-ip:ipv4%,%dst-ip:ipv4%,%natsrcip:ipv4%,%natdstip:ipv4%,%policy:char-sep:\x2C%,%-:char-sep:\x2C%,%-:char-sep:\x2C%,%app:char-sep:\x2C%,%vsys:char-sep:\x2C%,%srczone:char-sep:\x2C%,%dstzone:char-sep:\x2C%,%srcintf:char-sep:\x2C%,%dstintf:char-sep:\x2C%,%logprofile:char-sep:\x2C%,%year:number%/%month:number%/%day:number% %time:time-24hr%,%session:number%,%count:number%,%src-port:number%,%dst-port:number%,%nat-src-port:number%,%nat-dst-port:number%,0x%flags:char-sep:\x2C%,%proto:char-sep:\x2C%,%action:char-sep:\x2C%,%virusinfo:quoted-string%,%virusname:char-sep:(%(%threat:number%),%url-catagory:char-sep:\x2C%,%severity:char-sep:\x2C%,%direction:char-sep:\x2C%,%-:char-sep:\x2C%,%-:char-sep:\x2C%,%geo_source:char-sep:\x2C%,%geo_dest:char-sep:\x2C%,%therest:rest% rule=vulnerability,pattern1:THREAT,vulnerability,%dtm:char-sep:\x2C%,%genyear:number%/%genmonth:number%/%genday:number% %gentime:time-24hr%,%src-ip:ipv4%,%dst-ip:ipv4%,%natsrcip:ipv4%,%natdstip:ipv4%,%policy:char-sep:\x2C%,%-:char-sep:\x2C%,%-:char-sep:\x2C%,%app:char-sep:\x2C%,%vsys:char-sep:\x2C%,%srczone:char-sep:\x2C%,%dstzone:char-sep:\x2C%,%srcintf:char-sep:\x2C%,%dstintf:char-sep:\x2C%,%logprofile:char-sep:\x2C%,%year:number%/%month:number%/%day:number% %time:time-24hr%,%session:number%,%count:number%,%src-port:number%,%dst-port:number%,%nat-src-port:number%,%nat-dst-port:number%,%flags:char-sep:\x2C%,%proto:char-sep:\x2C%,%action:char-sep:\x2C%,%vulname:quoted-string%,%vulnmsg:char-sep:(%(%threat:number%),%url-catagory:char-sep:\x2C%,%severity:char-sep:\x2C%,%direction:char-sep:\x2C%,%-:char-sep:\x2C%,%-:char-sep:\x2C%,%geo_source:char-sep:\x2C%,%geo_dest:char-sep:\x2C%,%therest:rest% rule=vulnerability,pattern2:THREAT,vulnerability,%dtm:char-sep:\x2C%,%genyear:number%/%genmonth:number%/%genday:number% 
%gentime:time-24hr%,%src-ip:ipv4%,%dst-ip:ipv4%,%-:char-sep:\x2C%,%-:char-sep:\x2C%,%policy:char-sep:\x2C%,%-:char-sep:\x2C%,%-:char-sep:\x2C%,%app:char-sep:\x2C%,%vsys:char-sep:\x2C%,%srczone:char-sep:\x2C%,%dstzone:char-sep:\x2C%,%srcintf:char-sep:\x2C%,%dstintf:char-sep:\x2C%,%logprofile:char-sep:\x2C%,%year:number%/%month:number%/%day:number% %time:time-24hr%,%session:number%,%count:number%,%src-port:number%,%dst-port:number%,%nat-src-port:number%,%nat-dst-port:number%,%flags:char-sep:\x2C%,%proto:char-sep:\x2C%,%action:char-sep:\x2C%,%vulname:quoted-string%,%vulnmsg:char-sep:(%(%threat:number%),%url-catagory:char-sep:\x2C%,%severity:char-sep:\x2C%,%direction:char-sep:\x2C%,%-:char-sep:\x2C%,%-:char-sep:\x2C%,%geo_source:char-sep:\x2C%,%geo_dest:char-sep:\x2C%,%therest:rest% rule=file-detection,pattern1:THREAT,file,%dtm:char-sep:\x2C%,%genyear:number%/%genmonth:number%/%genday:number% %gentime:time-24hr%,%src-ip:ipv4%,%dst-ip:ipv4%,%natsrcip:ipv4%,%natdstip:ipv4%,%policy:char-sep:\x2C%,%-:char-sep:\x2C%,%-:char-sep:\x2C%,%app:char-sep:\x2C%,%vsys:char-sep:\x2C%,%srczone:char-sep:\x2C%,%dstzone:char-sep:\x2C%,%srcintf:char-sep:\x2C%,%dstintf:char-sep:\x2C%,%logprofile:char-sep:\x2C%,%year:number%/%month:number%/%day:number% %time:time-24hr%,%session:number%,%count:number%,%src-port:number%,%dst-port:number%,%nat-src-port:number%,%nat-dst-port:number%,%flags:char-sep:\x2C%,%proto:char-sep:\x2C%,%action:char-sep:\x2C%,%filename:quoted-string%,%filetype:char-sep:\x2C%,%url-catagory:char-sep:\x2C%,%severity:char-sep:\x2C%,%direction:char-sep:\x2C%,%-:char-sep:\x2C%,%-:char-sep:\x2C%,%geo_source:char-sep:\x2C%,%geo_dest:char-sep:\x2C%,%therest:rest% rule=spyware,pattern1:THREAT,spyware,%-:char-sep:\x2C%,%genyear:number%/%genmonth:number%/%genday:number% 
%gentime:time-24hr%,%src-ip:ipv4%,%dst-ip:ipv4%,%natsrcip:ipv4%,%natdstip:ipv4%,%policy:char-sep:\x2C%,%-:char-sep:\x2C%,%-:char-sep:\x2C%,%app:char-sep:\x2C%,%vsys:char-sep:\x2C%,%srczone:char-sep:\x2C%,%dstzone:char-sep:\x2C%,%srcintf:char-sep:\x2C%,%dstintf:char-sep:\x2C%,%logprofile:char-sep:\x2C%,%year:number%/%month:number%/%day:number% %time:time-24hr%,%session:number%,%count:number%,%src-port:number%,%dst-port:number%,%nat-src-port:number%,%nat-dst-port:number%,%flags:char-sep:\x2C%,%proto:char-sep:\x2C%,%action:char-sep:\x2C%,%vulname:char-sep:\x2C%,%vulnmsg:char-sep:\x2C%,%url-catagory:char-sep:\x2C%,%severity:char-sep:\x2C%,%direction:char-sep:\x2C%,%-:char-sep:\x2C%,%-:char-sep:\x2C%,%geo_source:char-sep:\x2C%,%geo_dest:char-sep:\x2C%,%therest:rest% rule=spyware-dns,pattern1:THREAT,spyware,%-:char-sep:\x2C%,%genyear:number%/%genmonth:number%/%genday:number% %gentime:time-24hr%,%src-ip:ipv4%,%dst-ip:ipv4%,%natsrcip:ipv4%,%natdstip:ipv4%,%policy:char-sep:\x2C%,%-:char-sep:\x2C%,%-:char-sep:\x2C%,%app:char-sep:\x2C%,%vsys:char-sep:\x2C%,%srczone:char-sep:\x2C%,%dstzone:char-sep:\x2C%,%srcintf:char-sep:\x2C%,%dstintf:char-sep:\x2C%,%logprofile:char-sep:\x2C%,%year:number%/%month:number%/%day:number% %time:time-24hr%,%session:number%,%count:number%,%src-port:number%,%dst-port:number%,%nat-src-port:number%,%nat-dst-port:number%,%flags:char-sep:\x2C%,%proto:char-sep:\x2C%,%action:char-sep:\x2C%,%vulname:quoted-string%,%vulnmsg:char-sep:\x2C%,%url-catagory:char-sep:\x2C%,%severity:char-sep:\x2C%,%direction:char-sep:\x2C%,%-:char-sep:\x2C%,%-:char-sep:\x2C%,%geo_source:char-sep:\x2C%,%geo_dest:char-sep:\x2C%,%therest:rest% rule=traffic,pattern1:TRAFFIC,%subtype:char-sep:\x2C%,%dtm:char-sep:\x2C%,%genyear:number%/%genmonth:number%/%genday:number% 
%gentime:time-24hr%,%src-ip:ipv4%,%dst-ip:ipv4%,%natsrcip:ipv4%,%natdstip:ipv4%,%policy:char-sep:\x2C%,%-:char-sep:\x2C%,%-:char-sep:\x2C%,%app:char-sep:\x2C%,%vsys:char-sep:\x2C%,%srczone:char-sep:\x2C%,%dstzone:char-sep:\x2C%,%srcintf:char-sep:\x2C%,%dstintf:char-sep:\x2C%,%logprofile:char-sep:\x2C%,%year:number%/%month:number%/%day:number% %time:time-24hr%,%session:number%,%count:number%,%src-port:number%,%dst-port:number%,%nat-src-port:number%,%nat-dst-port:number%,%flags:char-sep:\x2C%,%proto:char-sep:\x2C%,%action:char-sep:\x2C%,%bytes:number%,%bytes_sent:number%,%bytes_received:number%,%packets:number%,%start_time:char-sep:\x2C%,%elapsed_time:number%,%url_category:char-sep:\x2C%,%-:char-sep:\x2C%,%sequence_number:number%,%panorama_flags:char-sep:\x2C%,%geo_source:char-sep:\x2C%,%geo_dest:char-sep:\x2C%,%-:char-sep:\x2C%,%packets_sent:number%,%packets_received:number%,%therest:rest% rule=traffic,pattern2:TRAFFIC,%subtype:char-sep:\x2C%,%dtm:char-sep:\x2C%,%genyear:number%/%genmonth:number%/%genday:number% %gentime:time-24hr%,%src-ip:ipv4%,%dst-ip:ipv4%,%natsrcip:ipv4%,%natdstip:ipv4%,%policy:char-sep:\x2C%,%-:char-sep:\x2C%,%-:char-sep:\x2C%,%app:char-sep:\x2C%,%vsys:char-sep:\x2C%,%srczone:char-sep:\x2C%,%dstzone:char-sep:\x2C%,%srcintf:char-sep:\x2C%,%dstintf:char-sep:\x2C%,%logprofile:char-sep:\x2C%,%year:number%/%month:number%/%day:number% %time:time-24hr%,%session:number%,%count:number%,%src-port:number%,%dst-port:number%,%nat-src-port:number%,%nat-dst-port:number%,%flags:char-sep:\x2C%,%proto:char-sep:\x2C%,%action:char-sep:\x2C%,%bytes:number%,%bytes_sent:number%,%bytes_received:number%,%packets:number%,%start_time:char-sep:\x2C%,%elapsed_time:number%,%url_category:char-sep:\x2C%,%-:char-sep:\x2C%,%sequence_number:number%,%panorama_flags:char-sep:\x2C%,%geo_source:char-sep:\x2C%,%geo_dest:char-sep:\x2C%,%-:char-sep:\x2C%,%packets_sent:number%,%packets_received:number% 
rule=traffic,pattern33:TRAFFIC,%subtype:char-sep:\x2C%,%dtm:char-sep:\x2C%,%genyear:number%/%genmonth:number%/%genday:number% %gentime:time-24hr%,%src-ip:ipv4%,%dst-ip:ipv4%,%-:char-sep:\x2C%,%-:char-sep:\x2C%,%policy:char-sep:\x2C%,%-:char-sep:\x2C%,%-:char-sep:\x2C%,%app:char-sep:\x2C%,%vsys:char-sep:\x2C%,%srczone:char-sep:\x2C%,%dstzone:char-sep:\x2C%,%srcintf:char-sep:\x2C%,%dstintf:char-sep:\x2C%,%logprofile:char-sep:\x2C%,%year:number%/%month:number%/%day:number% %time:time-24hr%,%session:number%,%count:number%,%src-port:number%,%dst-port:number%,%-:char-sep:\x2C%,%-:char-sep:\x2C%,%flags:char-sep:\x2C%,%proto:char-sep:\x2C%,%action:char-sep:\x2C%,%bytes:number%,%bytes_sent:number%,%bytes_received:number%,%packets:number%,%start_time:char-sep:\x2C%,%elapsed_time:number%,%url_category:char-sep:\x2C%,%-:char-sep:\x2C%,%sequence_number:number%,%panorama_flags:char-sep:\x2C%,%geo_source:char-sep:\x2C%,%geo_dest:char-sep:\x2C%,%-:char-sep:\x2C%,%packets_sent:number%,%packets_received:number%,%therest:rest% rule=traffic,pattern44:TRAFFIC,%subtype:char-sep:\x2C%,%dtm:char-sep:\x2C%,%genyear:number%/%genmonth:number%/%genday:number% %gentime:time-24hr%,%src-ip:ipv4%,%dst-ip:ipv4%,%-:char-sep:\x2C%,%-:char-sep:\x2C%,%policy:char-sep:\x2C%,%-:char-sep:\x2C%,%-:char-sep:\x2C%,%app:char-sep:\x2C%,%vsys:char-sep:\x2C%,%srczone:char-sep:\x2C%,%dstzone:char-sep:\x2C%,%srcintf:char-sep:\x2C%,%dstintf:char-sep:\x2C%,%logprofile:char-sep:\x2C%,%year:number%/%month:number%/%day:number% 
%time:time-24hr%,%session:number%,%count:number%,%src-port:number%,%dst-port:number%,%-:char-sep:\x2C%,%-:char-sep:\x2C%,%flags:char-sep:\x2C%,%proto:char-sep:\x2C%,%action:char-sep:\x2C%,%bytes:number%,%bytes_sent:number%,%bytes_received:number%,%packets:number%,%start_time:char-sep:\x2C%,%elapsed_time:number%,%url_category:char-sep:\x2C%,%-:char-sep:\x2C%,%sequence_number:number%,%panorama_flags:char-sep:\x2C%,%geo_source:char-sep:\x2C%,%geo_dest:char-sep:\x2C%,%-:char-sep:\x2C%,%packets_sent:number%,%packets_received:number% rule=: %time:time-24hr%,%devserial:char-sep:\x2C%,url-log,pattern4:THREAT,url,%dtm:char-sep:\x2C%,%genyear:number%/%genmonth:number%/%genday:number% %gentime:time-24hr%,%src-ip:ipv4%,%dst-ip:ipv4%,%natsrcip:ipv4%,%natdstip:ipv4%,%policy:char-sep:\x2C%,%-:char-sep:\x2C%,%-:char-sep:\x2C%,%app:char-sep:\x2C%,%vsys:char-sep:\x2C%,%srczone:char-sep:\x2C%,%dstzone:char-sep:\x2C%,%srcintf:char-sep:\x2C%,%dstintf:char-sep:\x2C%,%logprofile:char-sep:\x2C%,%year:number%/%month:number%/%day:number% %time:time-24hr%,%session:number%,%count:number%,%src-port:number%,%dst-port:number%,%nat-src-port:number%,%nat-dst-port:number%,%flags:char-sep:\x2C%,tcp,%action:char-sep:\x2C%,%url:char-sep:\x2C%,(9999),%url-catagory:char-sep:\x2C%,%severity:char-sep:\x2C%,%direction:char-sep:\x2C%,%sequence_number:number%,%actionflags:char-sep:\x2C%,%geo_source:char-sep:\x2C%,%geo_dest:char-sep:\x2C%,%therest:rest% #****************** #SET EMPTY PREFIX #***************** prefix= #***************************************************************************** # HP Procurve #***************************************************************************** #FFI: port 14 - Security Violation rule=: port %-:number% - Security Violation #***************************************************************************** # SMTP #***************************************************************************** rule=: %-:word% %-:word% [%src-ip:ipv4%]: expn %username:word% # p0IGs29E022795: 
ruleset=check_rcpt, arg1=, relay=mailhost.example.com [192.168.0.1], reject=553 5.1.8 ... Domain of sender address bogus@example.com does not exist rule=: %-:word% ruleset=check_rcpt, %-:word% relay=%y:word% [%src-ip:ipv4%] (may be forged), reject=%-:number% %-:rest% # p0I3FCpA013475: [192.168.0.1]: Possible SMTP RCPT flood, throttling. rule=: %-:word%: [%src-ip:ipv4%]: Possible SMTP RCPT flood, throttling. #***************************************************************************** # Snort #***************************************************************************** # Jun 2 00:41:47 demo snort: [1:19559:5] INDICATOR-SCAN SSH brute force login attempt [Classification: Misc activity] [Priority: 3] {TCP} 43.255.188.148:35236 -> 10.5.1.3:22 rule=: [%generator_id:number%:%sig_id:number%:%rev:number%] %sig_name:char-to:\x5b%[Classification: %classtype:char-to:\x5d%] [Priority: %pri:number%] {%proto:char-to:\x7d%} %src-ip:ipv4%:%src-port:number% -> %dst-ip:ipv4%:%dst-port:number% # Later versions of Snort add a ':' after the "Priority" field; this variant of the rule matches that format. rule=: [%generator_id:number%:%sig_id:number%:%rev:number%] %sig_name:char-to:\x5b%[Classification: %classtype:char-to:\x5d%] [Priority: %pri:number%]: {%proto:char-to:\x7d%} %src-ip:ipv4%:%src-port:number% -> %dst-ip:ipv4%:%dst-port:number% #***************************************************************************** # Sonicwall #***************************************************************************** # Remember the space at the end of the rule.. 
Also, a " counts as part of a %thing:word% field. rule=: id=%firewall:word% sn=%serial:word% time="%date:date-iso% %time:time-24hr%" fw=%fire-ip:ipv4% pri=%pri:number% c=%c:number% m=%m:number% msg="Possible port scan detected" n=%n:number% src=%src-ip:ipv4%:%src-port:number%:%interface:word% dst=%dst-ip:ipv4%:%dst-port:number%:%interface:word% note=%ports-scanned:quoted-string% #rule=: msg="%alert:char-to:\x22%" sid=%sid:number% ipscat=%proto:word% ipspri=%ipspri:number% n=%n:number% src=%src-ip:ipv4%:%src-port:number%:%interface:word% dst=%dst-ip:ipv4%:%dst-port:number%:%interface:word% rule=: id=%firewall:word% sn=%serial:word% time="%date:date-iso% %time:time-24hr%" fw=%fire-ip:ipv4% pri=%pri:number% c=%c:number% m=%m:number% msg=%alert:quoted-string% sid=%sid:number% ipscat=%proto:word% ipspri=%ipspri:number% n=%n:number% src=%src-ip:ipv4%:%src-port:number%:%interface:word% dst=%dst-ip:ipv4%:%dst-port:number%:%interface:word% #***************************************************************************** # su/sudo #***************************************************************************** rule=: Successful su for %-:word% by %username:word% rule=: pam_unix(sudo:auth): authentication failure; logname= uid=%uid:number% euid=%-:number% %-:word% ruser= rhost= user=%username:word% #***************************************************************************** # VMWare (ESXi, etc) #***************************************************************************** rule=: Accepted password for %username:word% from %src-ip:ipv4% #***************************************************************************** # Microsoft Windows (via Evt2sys or NXLog) #***************************************************************************** # Note the space at the end! 
# #rule=: 529: NT AUTHORITY\\SYSTEM: Logon Failure: Reason: Unknown user name or bad password User Name: %username:word% Domain: %-:word% Logon Type: 3 Logon Process: NtLmSsp Authentication Package: NTLM Workstation Name: %-:word% Caller User Name: - Caller Domain: - Caller Logon ID: - Caller Process ID: - Transited Services: - Source Network Address: %src-ip:ipv4% Source Port: %src-port:number% #rule=: 529: S-1-5-18: Logon Failure: Reason: Unknown user name or bad password User Name: %username:word% Domain: %-:word% Logon Type: 3 Logon Process: NtLmSsp Authentication Package: NTLM Workstation Name: %-:word% Caller User Name: - Caller Domain: - Caller Logon ID: - Caller Process ID: - Transited Services: - Source Network Address: %src-ip:ipv4% Source Port: %src-port:number% #***************************************************************************** # Citrix #***************************************************************************** # 16:04:31 GMT server1 PPE-1 : AAA LOGIN_FAILED 71011157 : User bob - Client_ip 12.12.12.12 - Failure_reason "External authentication server denied access" rule=: %-:word% %-:word% %-:word% %-:word% : AAA LOGIN_FAILED %-:word% : User %username:word% - Client_ip %src-ip:ipv4% - Failure_reason %-:rest% # 16:23:29 GMT server1 PPE-0 : SSLVPN LOGIN 75181906 : Context bob@12.12.12.12 - SessionId: 11147- User bob - Client_ip 12.12.12.12 - Nat_ip "Mapped Ip" - Vserver 192.168.1.1:443 - Browser_type "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)" - SSLVPN_client_type Clientless - Group(s) "N/A" rule=: %-:word% %-:word% %-:word% %-:word% : SSLVPN LOGIN %-:number% : Context %-:word% - SessionId: %-:word% User %username:word% - Client_ip %src-ip:ipv4% %-:rest% rule=: %-:word% %-:word% %-:word% %-:word% : SSLVPN LOGOUT %-:number% : Context %-:word% - SessionId: %-:word% User %username:word% - Client_ip %src-ip:ipv4% %-:rest% # New normalization rules from Sam Castellango (2017/11/07) # This is for Microsoft Windows event 4624: 
rule=: %-:string-to:Account Name:%Account Name: %-:string-to:Account Name:%Account Name: %Username:word% %-:string-to:Network Address:%Network Address: %Src-IP:ipv4% %-:rest% # Palo Alto Firewall # 10.11.11.11|user|info|info|0e|2017-01-11|11:50:31|1,2017/01/28| 13:20:31,1009A101774,SYSTEM,general,0,2017/08/28 13:20:31,,general,,0,0,general,informational,User frank logged in via CLI from \ 10.1.9.3,891392,0x0,0,0,0,0,,XXXXXXXX-1 rule=: %-:string-to:User%User %username:word% %-:char-to:\\%\ %src-ip:char-to:\x2c%%-:rest% # HP switches # 10.1.11.1|syslog|info|info|2e|2017-01-28|01:19:00|01342| auth: User 'frank' logged in from 10.1.1.1 to SSH session rule=: %-:string-to:User%User %username:word% logged in from %src-ip:ipv4% %-:rest% # This is for Microsoft Windows event 4769: rule=: %-:string-to:Account Name:%Account Name: %username:char-to:\x40%%-:string-to:Client Address:%Client Address: ::ffff:%src-ip:ipv4% %-:rest% # Added 2017/02/06 # These for Microsoft Windows events 6272: and 6273: #6273: Network Policy Server denied access to a user. 
rule=: %-:string-to:Account Name:%Account Name: %username:word% %-:string-to:Called Station Identifier:%Called Station Identifier: %nasMAC:char-to :\ x3a%:%-:string-to:Calling Station Identifier:%Calling Station Identifier: %userMAC:char-to :\ x20% %-:string-to:NAS IPv4 Address:%NAS IPv4 Address: %nasIP:ipv4% %-:string-to:NAS Identifier:%NAS Identifier: %nasHost:word% %-:string-to:Reason Code:%Reason Code: %reasonCode:word% %-:rest% #6272: Network Policy Server granted access to a user rule=: %-:string-to:Account Name:%Account Name: %username:word% %-:string-to:Called Station Identifier:%Called Station Identifier: %nasMAC:char-to :\ x3a%:%-:string-to:Calling Station Identifier:%Calling Station Identifier: %userMAC:char-to :\ x20% %-:string-to:NAS IPv4 Address:%NAS IPv4 Address: %nasIP:ipv4% %-:string-to:NAS Identifier:%NAS Identifier: %nasHost:word% %-:string-to:Result:%Result: %reasonCode:word% %-:rest% # -- HERE # Zscaler rule update rule=: act=Blocked%-:string-to:dst=%dst=%dst-ip:ipv4% src=%src-ip:ipv4%%-:string-to:suser=%suser=%username:char-to:\x40%%-:rest% #Cylance rule update rule=: %-:string-to:Event Type:%Event Type: Threat%-:string-to:Device Name:%Device Name: %username:char-to:\x2D%%-:char-to:\x28%(%src-ip:char-to:\x29%%-:rest% #NPS IAS rule rule=: %-:string-to:IAS%%-:string-to:User-Name%%-:char-to:\x3E%>%username:char-to:\x3C%%src-ip:char-to:\x3C%%-:string-to:Calling-Station-Id%%-:char-to:\x3E%>%filename:char-to:\x3C%<%-:rest% # Windows Account Lockout: There are 2 rules for the first log. The idea is if there is a caller computer both rules will fire off and the 2nd rule will just not have a caller computer name. If there is not a caller computer, only rule 2 will fire and rule 1 will not work... in theory #4740: A user account was locked out. 
Subject: Security ID: S-1-5-18 Account Name: XXXXX$ Account Domain: XXXXXX Logon ID: 0x3E7 Account That Was Locked Out: Security ID: S-1-5-21-2455855555-3858555555-3953555555-55555 Account Name: XXXXX Additional Information: Caller Computer Name: XXXXXX #Rule 1 rule=: 4740: A user account was locked out. %-:string-to:Locked Out%%-:string-to:Account Name:%Account Name: %username:word% %-:string-to:Computer Name:%Computer Name: %filename:word% #Rule 2 rule=: 4740: A user account was locked out. %-:string-to:Locked Out%%-:string-to:Account Name:%Account Name: %usernameser:word% %-:rest% #Kerberos ticket request #10.21.8.10.log:10.21.8.10|user|info|info|0e|2017-08-30|10:16:31|Security| 4769: A Kerberos service ticket was requested. Account Information: Account Name: XXX@XXXXX Account Domain: XXXXXX Logon GUID: {B7666966-6666-6666-6666-666666666666} Service Information: Service Name: XXXXXX$ Service ID: S-1-5-21-1716666666-1105666666-319566666-1166666 Network Information: Client Address: ::ffff:172.27.1.1 Client Port: 49350 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 
rule=: %-:string-to:Account Name:%Account Name: %username:char-to:\x40%%-:string-to:Client Address:%Client Address: ::ffff:%src-ip:ipv4% %-:rest% # SSH login #10.144.11.8|syslog|info|info|2e|2017-08-28|09:49:19|03362| auth: User 'XXXXXX' logged in from 10.10.10.10 to SSH session rule=: %-:string-to:User%User %username:word% logged in from %src-ip:ipv4% %-:rest% #10.78.11.51|user|info|info|0e|2017-08-28|13:20:31|1,2017/08/28| 13:20:31,0008C101111,SYSTEM,general,0,2017/08/28 13:20:31,,general,,0,0,general,informational,User XXXXXX logged in via CLI from \ j10.10.10.10,809792,0x0,0,0,0,0,,XXXXXX rule=: %-:string-to:User%User %username:word% %-:char-to:\\%\ %src-ip:char-to:\x2c%%-:rest% # Account logged on - Windows event id 4624 #10.41.43.253|user|info|info|0e|2017-08-28|13:02:55|Security| 4624: An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Type: 3 Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2466666666-3858666666-3953666666-130966 Account Name: xxxx Account Domain: XXXXXX Logon ID: 0x5A31095D Logon GUID: {55555555-5555-5553-6666-966666666666} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.10.10.10 Source Port: 52526 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. 
the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. rule=: %-:string-to:Account Name:%Account Name: %-:string-to:Account Name:%Account Name: %username:word% %-:string-to:Network Address:%Network Address: %src-ip:ipv4% %-:rest% # AS/400 rules (as400.rules) rule=: iSecurity/Audit: %-:word% %-:word% *AUTFAIL An incorrect password was entered. User %username:word% %-:rest% rule=: iSecurity/Audit: %-:word% %-:word% *AUTFAIL User %username:word% %-:rest% rule=: iSecurity/Audit: %-:word% %-:word% *SECURITY User %username:word% %-:rest% sagan-1.2.0/rules/windows-applocker.rules0000644000175000017500000001155613310533411017425 0ustar champchamp# Sagan windows-applocker.rules # Copyright (c) 2009-2017, Quadrant Information Security # All rights reserved. # # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list # #************************************************************* # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. 
# * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. # #************************************************************* # Windows Applocker rules. # # Eventlog to syslog service. This is what we primarily use. 
# http://code.google.com/p/eventlog-to-syslog/ # # Rules converted from https://github.com/tcw3bb/ISC_Posts/blob/master/OSSEC_AppLocker_Local_Rule.xml # Champ Clark (08/19/2014) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-APPLOCKER] Allowed program to execute"; content: " 8003|3a| "; classtype: suspicious-command; program: AppLocker; reference: url,wiki.quadrantsec.com/bin/view/Main/5002090; sid:5002090; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-APPLOCKER] Application blocked"; content: " 8004|3a| "; classtype: suspicious-command; program: AppLocker; reference: url,wiki.quadrantsec.com/bin/view/Main/5002091; sid:5002091; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-APPLOCKER] Allowed an MSI or script to execute"; content: " 8005|3a| "; classtype: suspicious-command; program: AppLocker; reference: url,wiki.quadrantsec.com/bin/view/Main/5002092; sid:5002092; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-APPLOCKER] Allowed MSI/Script, but would have blocked"; content: " 8006|3a| "; classtype: suspicious-command; program: AppLocker; reference: url,wiki.quadrantsec.com/bin/view/Main/5002093; sid:5002093; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-APPLOCKER] Prevent MSI/Script to execute"; content: " 8007|3a| "; classtype: suspicious-command; program: AppLocker; reference: url,wiki.quadrantsec.com/bin/view/Main/5002094; sid:5002094; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-APPLOCKER] Package application allowed"; content: " 8020|3a| "; classtype: suspicious-command; program: AppLocker; reference: url,wiki.quadrantsec.com/bin/view/Main/5002095; sid:5002095; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-APPLOCKER] Package application audited"; content: " 8021|3a| "; classtype: suspicious-command; program: AppLocker; reference: url,wiki.quadrantsec.com/bin/view/Main/5002096; sid:5002096; rev:2;) alert any 
$EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-APPLOCKER] Package application disabled"; content: " 8022|3a| "; classtype: suspicious-command; program: AppLocker; reference: url,wiki.quadrantsec.com/bin/view/Main/5002097; sid:5002097; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-APPLOCKER] Package application installation allowed"; content: " 8023|3a| "; classtype: suspicious-command; program: AppLocker; reference: url,wiki.quadrantsec.com/bin/view/Main/5002098; sid:5002098; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-APPLOCKER] Package application installation audited"; content: " 8024|3a| "; classtype: suspicious-command; program: AppLocker; reference: url,wiki.quadrantsec.com/bin/view/Main/5002099; sid:5002099; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-APPLOCKER] Package application installation disabled"; content: " 8025|3a| "; classtype: suspicious-command; program: AppLocker; reference: url,wiki.quadrantsec.com/bin/view/Main/5002100; sid:5002100; rev:2;) sagan-1.2.0/rules/postgresql.rules0000644000175000017500000001007113310533411016147 0ustar champchamp# Sagan postgresql.rules # Copyright (c) 2009-2017, Quadrant Information Security # All rights reserved. # # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list # #************************************************************* # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. 
# * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. # #************************************************************* #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[POSTGRESQL] Log message"; content: "LOG"; default_proto: tcp; default_dst_port: 5432; classtype: program-error; program: postgres; reference: url,wiki.quadrantsec.com/bin/view/Main/5000229; sid: 5000229; rev:2;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[POSTGRESQL] Informational message"; pcre: "/NOTICE|INFO/"; default_proto: tcp; default_dst_port: 5432; classtype: program-error; program: postgres; reference: url,wiki.quadrantsec.com/bin/view/Main/5000373; sid: 5000373; rev:2;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[POSTGRESQL] Error message"; content: "ERROR"; default_proto: tcp; default_dst_port: 5432; classtype: program-error; program: postgres; reference: url,wiki.quadrantsec.com/bin/view/Main/5000230; sid: 5000230; rev:2;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[POSTGRESQL] Fatal error message"; content: "FATAL"; default_proto: tcp; default_dst_port: 5432; classtype: 
program-error; program: postgres; reference: url,wiki.quadrantsec.com/bin/view/Main/5000231; sid: 5000231; rev:2;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[POSTGRESQL] Debug message"; content: "DEBUG"; default_proto: tcp; default_dst_port: 5432; classtype: program-error; program: postgres; reference: url,wiki.quadrantsec.com/bin/view/Main/5000232; sid: 5000232; rev:2;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[POSTGRESQL] Database authentication success"; content: "connection authorized"; default_proto: tcp; default_dst_port: 5432; classtype: successful-user; program: postgres; reference: url,wiki.quadrantsec.com/bin/view/Main/5000233; sid: 5000233; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[POSTGRESQL] Database authentication failure"; content: "authentication failed"; default_proto: tcp; default_dst_port: 5432; classtype: unsuccessful-user; program: postgres; reference: url,wiki.quadrantsec.com/bin/view/Main/5000234; sid: 5000234; rev:2;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[POSTGRESQL] Database shutdown message"; pcre: "/terminating connection due|aborting any active transactions|shutting down/i"; default_proto: tcp; default_dst_port: 5432; classtype: not-suspicious; program: postgres; reference: url,wiki.quadrantsec.com/bin/view/Main/5000235; sid: 5000235; rev:2;) sagan-1.2.0/rules/snort-geoip.rules0000644000175000017500000000752113310533411016220 0ustar champchamp# Sagan snort-geoip.rules # Copyright (c) 2009-2017, Quadrant Information Security # All rights reserved. 
# # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list # #************************************************************* # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. # # # These rules detect when certain types of files are downloaded from outside your HOME_COUNTRY. # They require that: # # 1. Snort logs to syslog: # output alert_syslog: LOG_AUTH LOG_ALERT # Example SNORT config # 2. Snort "file-identify.rules" rules are enabled # # Concept by Robert Nunley (rnunley@quadrantsec.com) - 02/21/2014 # THESE RULES ARE HIGHLY EXPERIMENTAL! 
alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[FILE-GEOIP] Executable Downloaded from outside HOME_COUNTRY"; program: snort; country_code: track by_src, isnot $HOME_COUNTRY; content: "FILE-IDENTIFY"; content: "Exe"; classtype: bad-unknown; parse_src_ip: 1; parse_dst_ip: 2; reference: url, wiki.quadrantsec.com/bin/view/Main/5001979; sid: 5001979; rev:3;) alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[FILE-GEOIP] Java Downloaded from outside HOME_COUNTRY"; program: snort; country_code: track by_src, isnot $HOME_COUNTRY; content: "FILE-IDENTIFY"; content: "Java"; classtype: bad-unknown; parse_src_ip: 1; parse_dst_ip: 2; reference: url, wiki.quadrantsec.com/bin/view/Main/5001980; sid: 5001980; rev:3;) alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[FILE-GEOIP] Jar/Zip Downloaded from outside HOME_COUNTRY"; program: snort; country_code: track by_src, isnot $HOME_COUNTRY; content: "FILE-IDENTIFY"; content: "Jar"; classtype: bad-unknown; parse_src_ip: 1; parse_dst_ip: 2; reference: url, wiki.quadrantsec.com/bin/view/Main/5001981; sid: 5001981; rev:3;) alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[FILE-GEOIP] PDF Downloaded from outside HOME_COUNTRY"; program: snort; country_code: track by_src, isnot $HOME_COUNTRY; content: "FILE-IDENTIFY"; content: "PDF"; classtype: bad-unknown; parse_src_ip: 1; parse_dst_ip: 2; reference: url, wiki.quadrantsec.com/bin/view/Main/5001982; sid: 5001982; rev:3;) alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[FILE-GEOIP] Flash Downloaded from outside HOME_COUNTRY"; program: snort; country_code: track by_src, isnot $HOME_COUNTRY; content: "FILE-IDENTIFY"; content: "Flash"; classtype: bad-unknown; parse_src_ip: 1; parse_dst_ip: 2; reference: url, wiki.quadrantsec.com/bin/view/Main/5001983; sid: 5001983; rev:3;) sagan-1.2.0/rules/proftpd-geoip.rules0000644000175000017500000000415113310533411016525 0ustar champchamp# Sagan proftpd-geoip.rules # Copyright (c) 2009-2017, Quadrant Information Security # All rights 
reserved. # # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list # #************************************************************* # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
# # alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[PROFTPD-GEOIP] Authentication success from outside HOME_COUNTRY"; content: "Login successful"; country_code: track by_src, isnot $HOME_COUNTRY; parse_src_ip: 3; default_proto: tcp; default_dst_port: $FTP_PORT; classtype: successful-user; program: proftpd; reference: url,wiki.quadrantsec.com/bin/view/Main/5001870; sid: 5001870; rev:5;) sagan-1.2.0/rules/courier-correlated.rules0000644000175000017500000001363113310533411017543 0ustar champchamp# Sagan courier-correlated.rules # Copyright (c) 2009-2017, Quadrant Information Security # All rights reserved. # # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list # #************************************************************* # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. 
IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. # #************************************************************* alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[COURIER-CORRELATED] Logout/disconnect after recon activity"; pcre: "/LOGOUT|DISCONNECTED/"; default_proto: tcp; classtype: not-suspicious; parse_src_ip: 1; program: imapd|imapd-ssl|courierlogger; xbits: isset,by_src,recon; reference: url,wiki.quadrantsec.com/bin/view/Main/5003245; sid:5003245; rev:1;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[COURIER-CORRELATED] Logout/disconnect after honeypot activity"; pcre: "/LOGOUT|DISCONNECTED/"; default_proto: tcp; classtype: not-suspicious; parse_src_ip: 1; program: imapd|imapd-ssl|courierlogger; xbits: isset,by_src,honeypot; reference: url,wiki.quadrantsec.com/bin/view/Main/5003246; sid:5003246; rev:1;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[COURIER-CORRELATED] Logout/disconnect after exploit attempt"; pcre: "/LOGOUT|DISCONNECTED/"; default_proto: tcp; classtype: not-suspicious; parse_src_ip: 1; program: imapd|imapd-ssl|courierlogger; xbits: isset,by_src,exploit_attempt; reference: url,wiki.quadrantsec.com/bin/view/Main/5003247; sid:5003247; rev:1;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[COURIER-CORRELATED] Logout/disconnect after brute force activity"; pcre: "/LOGOUT|DISCONNECTED/"; default_proto: tcp; classtype: not-suspicious; parse_src_ip: 1; program: imapd|imapd-ssl|courierlogger; xbits: isset,by_src,brute_force; reference: 
url,wiki.quadrantsec.com/bin/view/Main/5003248; sid:5003248; rev:1;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[COURIER-CORRELATED] User login after recon activity"; content: "LOGIN,"; parse_src_ip: 1; default_proto: tcp; classtype: successful-user; program: imapd|imapd-ssl|courierlogger; xbits: isset,by_src,recon; reference: url,wiki.quadrantsec.com/bin/view/Main/5003249; sid:5003249; rev:1;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[COURIER-CORRELATED] User login after honeypot activity"; content: "LOGIN,"; parse_src_ip: 1; default_proto: tcp; classtype: successful-user; program: imapd|imapd-ssl|courierlogger; xbits: isset,by_src,honeypot; reference: url,wiki.quadrantsec.com/bin/view/Main/5003250; sid:5003250; rev:1;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[COURIER-CORRELATED] User login after exploit attempt"; content: "LOGIN,"; parse_src_ip: 1; default_proto: tcp; classtype: successful-user; program: imapd|imapd-ssl|courierlogger; xbits: isset,by_src,exploit_attempt; reference: url,wiki.quadrantsec.com/bin/view/Main/5003251; sid:5003251; rev:1;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[COURIER-CORRELATED] User login after brute force activity"; content: "LOGIN,"; parse_src_ip: 1; default_proto: tcp; classtype: successful-user; program: imapd|imapd-ssl|courierlogger; xbits: isset,by_src,brute_force; reference: url,wiki.quadrantsec.com/bin/view/Main/5003252; sid:5003252; rev:1;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[COURIER-CORRELATED] Timeout after recon activity"; content: "TIMEOUT"; parse_src_ip: 1; default_proto: tcp; classtype: successful-user; program: imapd|imapd-ssl|courierlogger; xbits: isset,by_src,recon; reference: url,wiki.quadrantsec.com/bin/view/Main/5003253; sid:5003253; rev:1;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[COURIER-CORRELATED] Timeout after honeypot activity"; content: "TIMEOUT"; parse_src_ip: 1; default_proto: tcp; classtype: successful-user; program: 
imapd|imapd-ssl|courierlogger; xbits: isset,by_src,honeypot; reference: url,wiki.quadrantsec.com/bin/view/Main/5003254; sid:5003254; rev:1;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[COURIER-CORRELATED] Timeout after exploit attempt"; content: "TIMEOUT"; parse_src_ip: 1; default_proto: tcp; classtype: successful-user; program: imapd|imapd-ssl|courierlogger; xbits: isset,by_src,exploit_attempt; reference: url,wiki.quadrantsec.com/bin/view/Main/5003255; sid:5003255; rev:1;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[COURIER-CORRELATED] Timeout after brute force activity"; content: "TIMEOUT"; parse_src_ip: 1; default_proto: tcp; classtype: successful-user; program: imapd|imapd-ssl|courierlogger; xbits: isset,by_src,brute_force; reference: url,wiki.quadrantsec.com/bin/view/Main/5003256; sid:5003256; rev:1;) sagan-1.2.0/rules/dovecot.rules0000644000175000017500000000604613310533411015416 0ustar champchamp# Sagan dovecot.rules # Copyright (c) 2009-2017, Quadrant Information Security # All rights reserved. # # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list # #************************************************************* # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. 
# # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. # #************************************************************* #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[DOVECOT] Authentication success"; content: "login"; content: "Login"; default_proto: tcp; classtype: successful-user; program: dovecot; reference: url,wiki.quadrantsec.com/bin/view/Main/5000264; sid:5000264; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[DOVECOT] Failed login"; content: "Password mismatch"; default_proto: tcp; classtype: unsuccessful-user; program: dovecot; reference: url,wiki.quadrantsec.com/bin/view/Main/5000265; sid:5000265; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[DOVECOT] Starting up"; content: "starting up"; default_proto: tcp; classtype: system-event; program: dovecot; reference: url,wiki.quadrantsec.com/bin/view/Main/5000266; sid:5000266; rev:2;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[DOVECOT] Fatal error"; content: "Fatal"; default_proto: tcp; classtype: program-error; program: dovecot; reference: url,wiki.quadrantsec.com/bin/view/Main/5000267; sid:5000267; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[DOVECOT] Invalid username"; pcre: "/user not found|User not known|unknown user/i"; default_proto: tcp; 
classtype: unsuccessful-user; program: dovecot; reference: url,wiki.quadrantsec.com/bin/view/Main/5000268; sid:5000268; rev:2;) sagan-1.2.0/rules/kismet.rules0000644000175000017500000002267613310533411015256 0ustar champchamp# Sagan kismet.rules # Copyright (c) 2009-2017, Quadrant Information Security # All rights reserved. # # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list # #************************************************************* # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
# #************************************************************* # # This rule set requires a modified version of Kismet. To get the patch # to modify Kismet for syslog output, please see: # # http://sagan.quadrantsec.com/patches # alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[KISMET] Detected new managed network"; program: kismet_server; content: "Detected new managed"; classtype: suspicious-traffic; reference: url, wiki.quadrantsec.com/bin/view/Main/5001014; sid: 5001014; rev:3;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[KISMET] Detected new ad-hoc network"; program: kismet_server; content: "Detected new ad-hoc"; classtype: suspicious-traffic; reference: url, wiki.quadrantsec.com/bin/view/Main/5001015; sid: 5001015; rev:3;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[KISMET] Detected new probe network"; program: kismet_server; content: "Detected new probe"; classtype: suspicious-traffic; reference: url, wiki.quadrantsec.com/bin/view/Main/5001016; sid: 5001016; rev:3;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[KISMET] Detected new turbocell network"; program: kismet_server; content: "Detected new turbocell"; classtype: suspicious-traffic; reference: url, wiki.quadrantsec.com/bin/view/Main/5001017; sid: 5001017; rev:3;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[KISMET] Detected new data network"; program: kismet_server; content: "Detected new data"; classtype: suspicious-traffic; reference: url, wiki.quadrantsec.com/bin/view/Main/5001018; sid: 5001018; rev:3;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[KISMET] Found IP address range"; program: kismet_server; content: "Found IP range"; classtype: suspicious-traffic; reference: url, wiki.quadrantsec.com/bin/view/Main/5001019; sid: 5001019; rev:3;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[KISMET] Kismet starting to gather packets [Startup]"; program: kismet_server; content: "Found IP range"; classtype: suspicious-traffic; reference: url, 
wiki.quadrantsec.com/bin/view/Main/5001020; sid: 5001020; rev:3;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[KISMET] Kismet shutting down"; program: kismet_server; content: "Stopped source"; classtype: suspicious-traffic; reference: url, wiki.quadrantsec.com/bin/view/Main/5001040; sid: 5001040; rev:3;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[KISMET] Older AirJack tool in use"; program: kismet_server; content: "AIRJACKSSID"; classtype: suspicious-traffic; reference: url, wiki.quadrantsec.com/bin/view/Main/5001021; sid: 5001021; rev:3;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[KISMET] Possible spoof/broken AP"; program: kismet_server; content: "APSPOOF"; classtype: suspicious-traffic; reference: url, wiki.quadrantsec.com/bin/view/Main/5001022; sid: 5001022; rev:3;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[KISMET] Out-of-sequence BSS timestamp. Possible AP spoof"; program: kismet_server; content: "BSSTIMESTAMP"; classtype: suspicious-traffic; reference: url, wiki.quadrantsec.com/bin/view/Main/5001023; reference: url, http://www.wve.org/entries/show/WVE-2005-0019; sid: 5001023; rev:3;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[KISMET] AP change channels. 
Possibel AP spoof"; program: kismet_server; content: "CHANCHANGE"; classtype: suspicious-traffic; reference: url, wiki.quadrantsec.com/bin/view/Main/5001024; reference: url, http://www.wve.org/entries/show/WVE-2005-0019; sid: 5001024; rev:3;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[KISMET] AP spoof with less-secure encryption"; program: kismet_server; content: "CRYPTODROP"; classtype: suspicious-traffic; reference: url, wiki.quadrantsec.com/bin/view/Main/5001025; sid: 5001025; rev:3;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[KISMET] Spoofed disassociated/deauthenitcate packets"; program: kismet_server; pcre: "/DEAUTHFLOOD|BCASTDISCON/"; classtype: suspicious-traffic; reference: url, wiki.quadrantsec.com/bin/view/Main/5001026; reference: url, http://www.wve.org/entries/show/WVE-2005-0019; reference: url, http://www.wve.org/entries/show/WVE-2005-0045; reference: url, http://www.wve.org/entries/show/WVE-2005-046; reference: url, http://www.wve.org/entries/show/WVE-2005-0061; sid: 5001026; rev:3;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[KISMET] DHCP DISCOVER send with Client-ID not matching MAC"; program: kismet_server; content: "DHCPCLIENTID"; classtype: suspicious-traffic; reference: url, wiki.quadrantsec.com/bin/view/Main/5001027; sid: 5001027; rev:3;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[KISMET] Misconfigured or spoofed client [ignoring DHCP]"; program: kismet_server; content: "DHCPCONFLICT"; classtype: suspicious-traffic; reference: url, wiki.quadrantsec.com/bin/view/Main/5001028; sid: 5001028; rev:3;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[KISMET] Spoofed client [incorrectly] injecting data"; program: kismet_server; content: "DISASSOCTRAFFIC"; classtype: suspicious-traffic; reference: url, wiki.quadrantsec.com/bin/view/Main/5001029; sid: 5001029; rev:3;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[KISMET] Invalid disconnect/deauthenticate"; program: kismet_server; pcre: 
"/DISCONCODEINVALID|DEAUTHCODEINVALID/"; classtype: suspicious-traffic; reference: url, wiki.quadrantsec.com/bin/view/Main/5001030; sid: 5001030; rev:3;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[KISMET] Possible client spoof/MAC cloning attack"; program: kismet_server; pcre: "/DHCPNAMECHANGE|DHCPOSCHANGE/"; classtype: suspicious-traffic; reference: url, wiki.quadrantsec.com/bin/view/Main/5001031; sid: 5001031; rev:3;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[KISMET] Over-size SSID. Possible exploit attempt"; program: kismet_server; content: "LONGSSID"; classtype: exploit-attempt; reference: url, wiki.quadrantsec.com/bin/view/Main/5001032; sid: 5001032; rev:3;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[KISMET] Older Lucent/Orinico card scanning the network"; program: kismet_server; content: "LUCENTTEST"; classtype: network-scan; reference: url, wiki.quadrantsec.com/bin/view/Main/5001033; sid: 5001033; rev:3;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[KISMET] Broadcom wireless improper SSID handling"; program: kismet_server; content: "MSFBCOMSSID"; classtype: exploit-attempt; reference: url, wiki.quadrantsec.com/bin/view/Main/5001034; reference: url, http://www.wve.org/entries/show/WVE-2006-0071; sid: 5001034; rev:3;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[KISMET] Windows D-Link improper SSID handling "; program: kismet_server; content: "MSFDLINKRATE"; classtype: exploit-attempt; reference: url, wiki.quadrantsec.com/bin/view/Main/5001035; reference: url, http://www.wve.org/entries/show/WVE-2006-0072; sid: 5001035; rev:3;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[KISMET] Windows Netgear over-size beacon frame"; program: kismet_server; content: "MSFNETGEARBEACON"; classtype: exploit-attempt; reference: url, wiki.quadrantsec.com/bin/view/Main/5001036; sid: 5001036; rev:3;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[KISMET] Older version of Netsumbler detected"; program: kismet_server; 
content: "NETSTUMBLER"; classtype: exploit-attempt; reference: url, wiki.quadrantsec.com/bin/view/Main/5001037; sid: 5001037; rev:3;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[KISMET] Zero length probe/response packet"; program: kismet_server; content: "NULLPROBERESP"; classtype: attempted-dos; reference: url, wiki.quadrantsec.com/bin/view/Main/5001038; reference: url, http://www.wve.org/entries/show/WVE-2005-0019; sid: 5001038; rev:3;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[KISMET] Active scanning tool deteceted [probe]"; program: kismet_server; content: "PROBENOJOIN"; classtype: network-scan; reference: url, wiki.quadrantsec.com/bin/view/Main/5001039; sid: 5001039; rev:3;) sagan-1.2.0/rules/sendmail.rules0000644000175000017500000002051713310533411015546 0ustar champchamp# Sagan sendmail.rules # Copyright (c) 2009-2017, Quadrant Information Security # All rights reserved. # # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list # #************************************************************* # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. 
IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. # #************************************************************* drop any $EXTERNAL_NET any -> $HOME_NET any (msg:"[SENDMAIL] VRFY or EXPN root attempt"; content: " root"; nocase; pcre: "/vrfy|expn/i"; default_proto: tcp; default_dst_port: $SMTP_PORT; classtype: attempted-recon; xbits: set, recon, 86400; program: sm-mta|sendmail; reference: url,wiki.quadrantsec.com/bin/view/Main/5000034; fwsam: src, 1 day; parse_src_ip: 1; reference:arachnids,31; reference:cve,1999-0531; reference:nessus,10249; sid: 5000034; rev:8;) drop any $EXTERNAL_NET any -> $HOME_NET any (msg:"[SENDMAIL] EXPN command - rejected"; content:"expn "; nocase; content:"[rejected]"; default_proto: tcp; default_dst_port: $SMTP_PORT; classtype: attempted-recon; xbits: set, recon, 86400; program: sm-mta|sendmail; reference: url,wiki.quadrantsec.com/bin/view/Main/5000035; parse_src_ip: 1; fwsam: src, 1 day; reference:arachnids,31; reference:cve,1999-0531; reference:nessus,10249; sid: 5000035; rev:8;) drop any $EXTERNAL_NET any -> $HOME_NET any (msg:"[SENDMAIL] VRFY command - rejected"; content:"vrfy "; nocase; content:"[rejected]"; default_proto: tcp; default_dst_port: $SMTP_PORT; classtype: attempted-recon; xbits: set, recon, 86400; program: sm-mta|sendmail; reference: url,wiki.quadrantsec.com/bin/view/Main/5000036; parse_src_ip: 1; fwsam: src, 1 day; reference:arachnids,31; reference:cve,1999-0531; reference:nessus,10249; sid: 5000036; rev:8;) drop any $EXTERNAL_NET any -> $HOME_NET any 
(msg:"[SENDMAIL] EXPN command - [not rejected]"; content:"expn "; content:!"rejected"; nocase; fwsam: src, 1 day; default_proto: tcp; default_dst_port: $SMTP_PORT; classtype: attempted-recon; xbits: set, recon, 86400; program: sm-mta|sendmail; reference: url,wiki.quadrantsec.com/bin/view/Main/5000035; parse_src_ip: 1; reference:arachnids,31; reference:cve,1999-0531; reference:nessus,10249; sid: 5000223; rev:9;) drop any $EXTERNAL_NET any -> $HOME_NET any (msg:"[SENDMAIL] VRFY command - [not rejected]"; content:"vrfy "; content:!"rejected"; nocase; default_proto: tcp; default_dst_port: $SMTP_PORT; classtype: attempted-recon; xbits: set, recon, 86400; program: sm-mta|sendmail; reference: url,wiki.quadrantsec.com/bin/view/Main/5000036; parse_src_ip:1; fwsam: src, 1 day; reference:arachnids,31; reference:cve,1999-0531; reference:nessus,10249; sid: 5000224; rev:9;) #drop any $EXTERNAL_NET any -> $HOME_NET any (msg:"[SENDMAIL] Relaying denied"; pcre: "/Relaying denied|reject=550 5.7.1/"; default_proto: tcp; default_dst_port: $SMTP_PORT; classtype: suspicious-traffic;program: sm-mta|sendmail; parse_src_ip: 1; fwsam: src, 1 day; reference: url,wiki.quadrantsec.com/bin/view/Main/5000037; sid: 5000037; rev:9;) #drop any $EXTERNAL_NET any -> $HOME_NET any (msg:"[SENDMAIL] Relaying denied [reject=550 5.7.1]"; content: "reject=550 5.7.1"; default_proto: tcp; default_dst_port: $SMTP_PORT; classtype: suspicious-traffic;program: sm-mta|sendmail; parse_src_ip: 1; fwsam: src, 1 day; reference: url,wiki.quadrantsec.com/bin/view/Main/5000144; sid: 5000144; rev:6;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[SENDMAIL] Domain of sender does not resolve"; content:"reject=451 4.1.8"; default_proto: tcp; default_dst_port: $SMTP_PORT; classtype: suspicious-traffic; program: sm-mta|sendmail; normalize; reference: url,wiki.quadrantsec.com/bin/view/Main/5000136; sid: 5000136; rev:5;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[SENDMAIL] Rejected by access list"; pcre: 
"/reject=550 5.0.0|reject=553 5.3.0/"; default_proto: tcp; default_dst_port: $SMTP_PORT; classtype: suspicious-traffic; program: sm-mta|sendmail; reference: url,wiki.quadrantsec.com/bin/view/Main/5000137; sid: 5000137; rev:3;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[SENDMAIL] Sender address does not have domain"; content:"reject=553 5.5.4 "; default_proto: tcp; default_dst_port: $SMTP_PORT; classtype: suspicious-traffic; program: sm-mta|sendmail; reference: url,wiki.quadrantsec.com/bin/view/Main/5000138; sid: 5000138; rev:2;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[SENDMAIL] Rejecting due to pre-greet"; content: "rejecting commands from"; default_proto: tcp; default_dst_port: $SMTP_PORT; classtype: spam; program: sm-mta|sendmail; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5000139; sid: 5000139; rev:4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[SENDMAIL] Save mail panic"; content: "savemail panic"; default_proto: tcp; default_dst_port: $SMTP_PORT; classtype: program-error; program: sm-mta|sendmail; reference: url,wiki.quadrantsec.com/bin/view/Main/5000140; sid: 5000140; rev:3;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[SENDMAIL] Sendmail Spamassassin X-Spam-Score"; content: "X-Spam-Score"; default_proto: tcp; default_dst_port: $SMTP_PORT; classtype: spam; program: sm-mta|sendmail; reference: url,wiki.quadrantsec.com/bin/view/Main/5000141; sid: 5000141; rev:3;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[SENDMAIL] Possible SMTP RCPT flood, throttling"; content: "Possible SMTP RCPT flood, throttling"; default_proto: tcp; default_dst_port: $SMTP_PORT; classtype: spam; program: sm-mta|sendmail; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5000142; sid: 5000142; rev:4;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[SENDMAIL] Username with pipe symbol"; content: "|7c|"; content: "to=<"; default_proto: tcp; default_dst_port: $SMTP_PORT; classtype: exploit-attempt; 
program: sm-mta|sendmail; reference: url,wiki.quadrantsec.com/bin/view/Main/5000357; sid: 5000357; rev:4;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[SENDMAIL] SpamAssassin Milter Plugin Remote Arbitrary Command Injection Attempt"; parse_src_ip: 1; program: sm-mta|sendmail; content: "/bin/"; content: "sh "; content: "|7c|"; content: "+"; default_proto: tcp; default_dst_port: $SMTP_PORT; classtype: exploit-attempt; reference: url, wiki.quadrantsec.com/bin/view/Main/5000881; reference: url,http://www.securityfocus.com/bid/38578; sid: 5000881; rev:7;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[SENDMAIL] Possible open proxy"; program: sm-mta|sendmail; content: "probable open proxy:"; parse_src_ip: 1; default_proto: tcp; default_dst_port: $SMTP_PORT; classtype: suspicious-traffic; xbits: set,recon, 86400; reference: url, wiki.quadrantsec.com/bin/view/Main/5001013; sid: 5001013; rev:7;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[SENDMAIL] Insufficient system resources [Remote] [0/5]"; program: sm-mta|sendmail; content: "Insufficient system resources"; default_proto: tcp; default_dst_port: $SMTP_PORT; classtype: program-error; threshold: type limit, track by_src, count 5, seconds 300; reference: url, wiki.quadrantsec.com/bin/view/Main/5001094; sid: 5001094; rev:5;) sagan-1.2.0/rules/ChangeLog0000644000175000017500000002674713310533411014463 0ustar champchamp2017/07/25 - Sagan rule release. * New Proxy/Zscaler rules https://github.com/beave/sagan-rules/commit/fb0b90e23479a791adfa0cf685464aaec2776375 * Changed "file system full" windows event to "system-error". https://github.com/beave/sagan-rules/commit/6eeaccc37f38115919176ac3258da7419591cdd3 * New & modifications to nxlog rules. 
To better detect failures with nxlog https://github.com/beave/sagan-rules/commit/15b8c63d025d543195496916ff85bf7dd75d5605 * Removed port number from 5001695 (Windows domain administrator rule) https://github.com/beave/sagan-rules/commit/989bb56e280c10c4b6f144b1c994edc6caca9d8e * Removed redundant IOC from Petya rule https://github.com/beave/sagan-rules/commit/492bb3d8a726d9c53faef23fcb8915dfc9af31ca * Modifications and new hashes added to Petya rules https://github.com/beave/sagan-rules/commit/18c6a8cebcafc1ba88da9608b19da44e39c7f213 * Set xbit windows.reboot / 900 seconds https://github.com/beave/sagan-rules/commit/37b1eef4977af3fa991b402f981fe9937c81f1a5 * New Bluedot md5/sha1/sha256 generic rule lookup. https://github.com/beave/sagan-rules/commit/5425e268fd7e491af9c85dafbfa0db76c098d0d6 2017/05/31 - Sagan rule release * Threshold of sid 5000096 and 5000100 (attack.rules - "possible biffer overflow attempt") https://github.com/beave/sagan-rules/commit/b39ce84bbafc365c07fb9212bcc4dbb0164ad427 * Modification of 5003052 (cisco-meraki) to prevent false positives. https://github.com/beave/sagan-rules/commit/b647b31e3c3cf2761260cf536b3e9fc052675d40 * New 5003101 & 5003102 "broken domain trust" rules added to "windows-auth.rules". Modified 5001763 to only identify brute force attacks. https://github.com/beave/sagan-rules/commit/bf9286858a7cb880906726d277f91b4480233fc3 * New sid 5003104 "User added to schema group" (windows-auth.rules). https://github.com/beave/sagan-rules/commit/3923d1d2184acda8d5e4cc68ed03db0dd358215f * Fixed incorrect normalization for Snort (normalization.rulebase) https://github.com/beave/sagan-rules/commit/bdd1e83664138a81121df0011a50650127f5f3b0 * Changed to a more traditional rule format. Sagan now mimics Snort/Suricata. "bit9.rules" are now "carbonblack.rules". https://github.com/beave/sagan-rules/commit/6b3130d9bb9ea19b2e81ae1e43a22a91e06e60ee * Disabled many program-error and hardware-event classtype rules. 
For example, errors from older EOL Cisco hardware are no longer enabled. https://github.com/beave/sagan-rules/commit/5bf0638d0d2a57b32941c6b7bfa81edf4977e492 * Added a clearer description of sid 5002955 (windows-misc.rules) - "Logging has been stopped on this device" rather than "subscription callback error recieved". https://github.com/beave/sagan-rules/commit/55b3cdfc16da0f36b3052054f826a260f00a5f4e * Threshold of sid 5000068 (openssh.rules - bad protocol - network scan). https://github.com/beave/sagan-rules/commit/d68d69766cbc07a18de8f2c8afbfa47f2362504a * New linux-kernel.rules 5003115 (disabled by default) - "Bad UDP checksum". https://github.com/beave/sagan-rules/commit/c8e0d6bd573766c665e439dcf49c0151f9ae9389 * New Adylkuzz rules (windows-malware.rules) - 5003116, 5003117. https://github.com/beave/sagan-rules/commit/1c17149f17654c13a3e8368cb8e7f685da41ef32 * Disable Cisco "LAND" attack rules. Because, well, it's not 1998 anymore. https://github.com/beave/sagan-rules/commit/552ab5295427c12437f99210a555162e3bbf2fd9 * Various other minor fixes..... 2017/03/16 - Sagan rule release * Excluded NTP traffic on cisco-bluedot.rules sid 5002869. https://github.com/beave/sagan-rules/commit/123600f5060b7741a9755d4af10a7b064b755052 * New watchguard.rules and watchguard-geoip.rules added! https://github.com/beave/sagan-rules/commit/32e7d4493c6be69648692d82e24611b120198e5b * New "cisco-meraki.rules" added! https://github.com/beave/sagan-rules/commit/51df9273d9972d0175afdd51dd429b2fb0cab678 * Added program "System" to sid 5002015 (System shutdown with xbit set). 
https://github.com/beave/sagan-rules/commit/603748ee69c311b84bc7c19bcf075dc9dd76a0a3 * New Windows "Fan failure" rule added to windows-misc.rules https://github.com/beave/sagan-rules/commit/d67ad74096528018c6870c35fb2318f334923a83 2016/12/30 - Sagan rule release * New rule to detect MS Windows "administrator" logins (disabled by default): https://github.com/beave/sagan-rules/commit/6f7f610504b4cc6fc4f9054c75be68dc4d9ac866 * New Bluedot "Proxy" category added to "categories.conf" https://github.com/beave/sagan-rules/commit/e9cc591f3578afb21dad53013b4e419a0b2b6b31 * Modification to "fortinet-malware.rules", quote: "Remove ip-reputation detection type (too many false positives)" - waysidekt @ Github. Merged. https://github.com/beave/sagan-rules/commit/faa146e76f0cd681d78d9402b8e520af01ca05cc https://github.com/beave/sagan-rules/commit/60d67e3ef9241984e97cd63ddafd9603acf1d557 * New "zimbra.rules" & "zimbra-geoip.rules.rules" https://github.com/beave/sagan-rules/commit/4cbe174e239620d217a69acf7cd072b169e61e84 * Removed unneeded "dynamic" classification. https://github.com/beave/sagan-rules/commit/21e351a2aa2649e48fc9ccec5b184e9bd5c457ff * Fixed typo in "dynamic.rules" https://github.com/beave/sagan-rules/commit/4142ff22b0c7d2bce147a3720a89bbbea5a0dcde * New "cisco-meraki.rules" rules, thanks to waysidekt @ Github. https://github.com/beave/sagan-rules/commit/ccd78559dc18ded5a677f88b19d5907352daacd2 2016/11/07 - Sagan rule release * Fixed "[WINDOWS-MALWARE] Lower case drive letter used in process" with meta_content. https://github.com/beave/sagan-rules/commit/bf830056ab68aa090d680e2540926e4bb0fa3e18 * Disabled two noisy iptables rules by default (sid 5001104 & 5001105) https://github.com/beave/sagan-rules/commit/889c5cc894e3cdca9545d5771e0c3a97ab800f47 * Fixed PCRE error in sid 5002011 ("[WINDOWS-MALWARE] System protection disabled"). 
https://github.com/beave/sagan-rules/commit/af62f8d6b2163934160c8499fcebcac9f65ca31d * Disabled Snort "not suspicious" rules sid 5000976 & 5000386. https://github.com/beave/sagan-rules/commit/f033c7b856d1a861c4d96310193cbe047a5107a0 * Disabled generic rsync connection rules 5001052 & 5001053. https://github.com/beave/sagan-rules/commit/a4050c989a678d1db55af49d2eb333acfb56ff9d * Added content:!"access denied by ACL" to generic/catchall sid 5000119. https://github.com/beave/sagan-rules/commit/e6a6da892bc4b8ef7ace13aeb05ef4ee185b2221 * Fixed bad PCRE in sid 5002956 ("Suspicious Service Control Manager Call") https://github.com/beave/sagan-rules/commit/7ce9197c811ed0203e73195910db0501daec75c9 * Added sid 5003024 "Alcatraz ransomware" detection. https://github.com/beave/sagan-rules/commit/c879a1900dda19ad1cfd96e92e6d0dc33fa1eb5b * Removed program "(squid)" for various "squid.rules". * New rule set "dynamic.rules". These rules detect "new" logs and automatically load other rulesets. * Added program "Application" to windows-mssql.rules https://github.com/beave/sagan-rules/commit/39233a9841fe1e572dafc54b6d5db08eea2e8459 * Disabled noisy sid 5000677 ("ICMPv6 Denied"). https://github.com/beave/sagan-rules/commit/a0637cb189b2f86a43de0a3742ab89ea8b7ffa7c * Added "exploit_attempt" flowbit for correlated rules. https://github.com/beave/sagan-rules/commit/89a19da7c803be97ee7e83929fd406138c8a20db * New "Suspicious Service Control Manager Call" signatures as @jackcr Derbycon talk. https://github.com/beave/sagan-rules/commit/8b3655c41499404972649cbf2f7614655cc12d90 2016/09/23 - Sagan rule release * Disabled many nfcapd.rules. These are low value rules https://github.com/beave/sagan-rules/commit/00df337cefc41f84d53ab1e17a9a05c7c2f2e433 * Rules 500295[0123] fixed "any -> any" typo https://github.com/beave/sagan-rules/commit/2aad0351efaf92b09a222f8afca7ea4a49c1ded2 * Removed "Tor" nfcapd-malware.rules. 
These are low value rules (better ways to catch Tor traffic) https://github.com/beave/sagan-rules/commit/2a41f85b7b58b7c85c85fdfcb6dcee31dd1eb668 * Flowbit fix in sid 5002941 ([WINDOWS-MISC] Suspicious event logging service shut down) https://github.com/beave/sagan-rules/commit/a6042fccbf8e74c13f36ae6ddcd0640399da69c1 * Modification of web-attack.rules sid 5001843 to ignore the word "Vegas" https://github.com/beave/sagan-rules/commit/056d588034c4d029abdc825cece4cb9b46773c0b * Two new rules targeting Evtsys errors. Sid 5001185 changed to address evtsys issue. https://github.com/beave/sagan-rules/commit/079e19f9f9dc300a879de51b1e2991b846f79e19 2016/08/30 - Sagan rule release * vsftp, proftp, pureftp and generic ftp rules for "ftpchk3". See https://blog.ftptoday.com/ftp-password-stealing-malware https://github.com/beave/sagan-rules/commit/9f04bf22570801f4fa4f4f96ef561d95010d717e https://github.com/beave/sagan-rules/commit/2a227378143ed10fb4db3696092ead39841a54d2 * Added "FTP|FTPD" to program field in ftpd.rules https://github.com/beave/sagan-rules/commit/27e2d99ccdc69a99ce7b6b1899ce4e01ef27ab39 * Updated all Cisco ASA rules to take into account when Cisco "Emblem" is enabled https://github.com/beave/sagan-rules/commit/83d4c122a25114fc716cac8dc9d2ed81ce2b61cb https://github.com/beave/sagan-rules/commit/7e12112fa1abfffaffb94d45a17a068e5c1da128 * bit9.rules update to take into account "customer" program field. 
https://github.com/beave/sagan-rules/commit/83d4c122a25114fc716cac8dc9d2ed81ce2b61cb * cisco-prime "recon" flowbit added to sid 5002175 https://github.com/beave/sagan-rules/commit/ead9c3399fed3ba920f7760abe0bc7c009b59081 * nginx.rules new brute force rule & "brute_force" flowbit added - 5002948 https://github.com/beave/sagan-rules/commit/ead9c3399fed3ba920f7760abe0bc7c009b59081 * oracle.rules new brute force rule & "brute_force" flowbit added - sid 5002949 https://github.com/beave/sagan-rules/commit/ead9c3399fed3ba920f7760abe0bc7c009b59081 * cisco-prime.rules clean up of invalid references. https://github.com/beave/sagan-rules/commit/ead9c3399fed3ba920f7760abe0bc7c009b59081 * ipop3d.rules new "brute_force" flowbit added - sid 5000032 https://github.com/beave/sagan-rules/commit/8058562a727e9fa4dcad8639b062ae5555ec95c8 * New Big IP F5 rules (f5-big-ip.rules) https://github.com/beave/sagan-rules/commit/6aa0e58eb1249cae31c2ea60a61bedd00e1cc390 * bash.rules changes to better detect certain command line options https://github.com/beave/sagan-rules/commit/7e12112fa1abfffaffb94d45a17a068e5c1da128 * apache.rules new "brute_force" & "recon" flowbits added. https://github.com/beave/sagan-rules/commit/32373afab6cc557c95f7c2f18fdf61336fc54b72 * artillery.rules new "honeypot" & "flowbits" added. https://github.com/beave/sagan-rules/commit/32373afab6cc557c95f7c2f18fdf61336fc54b72 * barracuda.rules new brute force rules and flowbits https://github.com/beave/sagan-rules/commit/32373afab6cc557c95f7c2f18fdf61336fc54b72 * asterisk.rules new brute force & "brute_force" flowbits https://github.com/beave/sagan-rules/commit/32373afab6cc557c95f7c2f18fdf61336fc54b72 * Correction in su.rules of a rule that could lead to false positives. https://github.com/beave/sagan-rules/commit/22173a81ede60f166403b124a62cef4a82fb9616 * bro-ids.rules "brute_force" flowbit added. 
https://github.com/beave/sagan-rules/commit/32373afab6cc557c95f7c2f18fdf61336fc54b72 * Changes to windows-geoip.rules to work around https://support.microsoft.com/en-us/kb/3097467 https://github.com/beave/sagan-rules/commit/22173a81ede60f166403b124a62cef4a82fb9616 * windows-misc.rules added event 1100 detection. https://github.com/beave/sagan-rules/commit/1458068d33082fe937c934130ef9d730199fe834 sagan-1.2.0/rules/cisco-brointel.rules0000644000175000017500000001143113310533411016661 0ustar champchamp# Sagan cisco-blacklist.rules # Copyright (c) 2009-2017, Quadrant Information Security # All rights reserved. # # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list # #************************************************************* # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. 
IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. # # # For log examples, see cisco-geoip.rules. alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[CISCO-BROINTEL] VPN Login from Bro Intel IP"; program: %ASA*-6-716038; bro-intel: by_src; default_proto: tcp; default_dst_port: $HTTPS_PORT; classtype: successful-user; parse_src_ip: 1; reference: url, wiki.quadrantsec.com/bin/view/Main/5002250; sid: 5002250; rev: 2;) alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[CISCO-BROINTEL] Console login from Bro Intel IP"; program: %SEC_LOGIN-5-LOGIN_SUCCESS; bro-intel: by_src; classtype: successful-user; parse_src_ip: 1; reference: url, wiki.quadrantsec.com/bin/view/Main/5002251; sid: 5002251; rev:3;) alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[CISCO-BROINTEL] Login permitted from Bro Intel IP"; program: %ASA*-6-605005; bro-intel: by_src; default_proto: tcp; classtype: successful-user; parse_src_ip: 1; parse_dst_ip: 2; reference: url, wiki.quadrantsec.com/bin/view/Main/5002252; sid: 5002252; rev: 2;) alert any $HOME_NET any -> any (msg: "[CISCO-BROINTEL] WebVPN login from Bro Intel IP"; program: %ASA*-6-716001; bro-intel: by_src; default_proto: tcp; default_dst_port: $HTTPS_PORT; classtype: successful-user; parse_src_ip: 1; reference: url, wiki.quadrantsec.com/bin/view/Main/5002253; sid: 5002253; rev: 2;) alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[CISCO-BROINTEL] VPN disconnect from Bro Intel IP"; program: %ASA*-4-113019; bro-intel: by_src; default_proto: tcp; default_dst_port: 
$HTTPS_PORT; classtype: successful-user; parse_src_ip: 1; reference: url, wiki.quadrantsec.com/bin/view/Main/5002254; sid: 5002254; rev: 2;) alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[CISCO-BROINTEL] VPN login from Bro Intel IP"; program: %ASA*-6-734001; bro-intel: by_src; default_proto: tcp; default_dst_port: $HTTPS_PORT; classtype: successful-user; parse_src_ip: 1; reference: url, wiki.quadrantsec.com/bin/view/Main/5002255; sid: 5002255; rev: 2;) alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[CISCO-BROINTEL] ACS Login success from Bro Intel IP"; program: CisACS_01_PassedAuth; bro-intel: by_src; classtype: successful-user; parse_src_ip: 2; reference: url, wiki.quadrantsec.com/bin/view/Main/5002256; sid: 5002256; rev: 2;) alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[CISCO-BROINTEL] VPN login from Bro Intel IP [2]"; program: %ASA*-6-722022|%ASA*-6-722023; bro-intel: by_src; classtype: successful-user; parse_src_ip: 1; reference: url, wiki.quadrantsec.com/bin/view/Main/5002257; sid: 5002257; rev: 2;) alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[CISCO-BROINTEL] FTP file transfer from Bro Intel IP"; program: %ASA*-6-303002; bro-intel: by_src; default_proto: tcp; default_dst_port: $FTP_PORT; classtype: successful-user; normalize; reference: url, wiki.quadrantsec.com/bin/view/Main/5002258; sid: 5002258; rev: 2;) alert syslog $HOME_NET any -> $EXTERNAL_NET any (msg: "[CISCO-BROINTEL] FTP file transfer from Bro Intel IP"; program: %ASA*-6-303002; bro-intel: by_dst; classtype: successful-user; parse_src_ip: 1; parse_dst_ip: 2; reference: url, wiki.quadrantsec.com/bin/view/Main/5002259; sid: 5002259; rev: 2;) sagan-1.2.0/rules/weblabrinth.rules0000644000175000017500000000512613310533411016252 0ustar champchamp# Sagan weblabrinth.rules # Copyright (c) 2009-2017, Quadrant Information Security # All rights reserved. 
# # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list # #************************************************************* # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. # #************************************************************* # Detect Weblabrinth traffic. 
See Ben Jackson's https://code.google.com/p/weblabyrinth/ # alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[WEBLABYRINTH] New host logged!"; default_proto:tcp; default_dst_port: $HTTP_PORT; xbits: set, recon, 86400; classtype: misc-activity; program: weblabyrinth; content: "New host logged!"; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001093; sid: 5001093; rev:7;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[WEBLABYRINTH] Weblabyrinth - Crawler Ensnared!"; default_proto:tcp; default_dst_port: $HTTP_PORT; xbits: set, recon, 86400; classtype: misc-activity; program: weblabyrinth; content: "Crawler Ensnared!"; threshold: type limit, track by_src, count 5, seconds 300; reference: url,wiki.quadrantsec.com/bin/view/Main/5001095; sid: 5001095; rev:4;) sagan-1.2.0/rules/mysql.rules0000644000175000017500000000720613310533411015117 0ustar champchamp# Sagan mysql.rules # Copyright (c) 2009-2017, Quadrant Information Security # All rights reserved. # # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list # #************************************************************* # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. 
# # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. # #************************************************************* # # see: http://dev.mysql.com/doc/refman/5.1/en/error-log.html # # program: mysqld|MySQL handles *nix and Windows MySQL systems alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[MYSQL] Access denied for user"; content: "Access denied for user"; default_proto: tcp; default_dst_port: $MYSQL_PORT; classtype: unsuccessful-user; program: mysqld|MySQL; reference: url,wiki.quadrantsec.com/bin/view/Main/5000149; sid: 5000149; rev:4;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[MYSQL] Access denied for user"; pcre: "/\d+ \S+ \d+ Connect/i"; default_proto: tcp; default_dst_port: $MYSQL_PORT; classtype: unsuccessful-user; program: mysqld|MySQL; reference: url,wiki.quadrantsec.com/bin/view/Main/5000150; sid: 5000150; rev:4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[MYSQL] User disconnected from database"; pcre: "/\d+ \S+ \d+ Quit/i"; default_proto: tcp; default_dst_port: $MYSQL_PORT; classtype: not-suspicious; program: mysqld|MySQL; reference: url,wiki.quadrantsec.com/bin/view/Main/5000151; sid: 5000151; rev:4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[MYSQL] Database startup or restart"; pcre: "/mysqld started|mysqld 
restarted/i"; default_proto: tcp; default_dst_port: $MYSQL_PORT; classtype: system-event; program: mysqld|MySQL; reference:quadrantsec,5000152; sid:5000152; rev:4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[MYSQL] Database error"; pcre: "/\d+ \S+ \d+ [ERROR]/"; default_proto: tcp; default_dst_port: $MYSQL_PORT; classtype: program-error; program: mysqld|MySQL; reference: url,wiki.quadrantsec.com/bin/view/Main/5000153; sid: 5000153; rev:4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[MYSQL] Database fatal error"; content: "Fatal error"; default_proto: tcp; default_dst_port: $MYSQL_PORT; classtype: program-error; program: mysqld|MySQL; reference: url,wiki.quadrantsec.com/bin/view/Main/5000154; sid: 5000154; rev:4;) sagan-1.2.0/rules/vsftpd-bluedot.rules0000644000175000017500000000504613310533411016714 0ustar champchamp# Sagan vsftpd-bluedot.rules # Copyright (c) 2009-2017, Quadrant Information Security # All rights reserved. # # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list # #************************************************************* # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. 
# # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. # #************************************************************* alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[VSFTPD-BLUEDOT] Authentication successful from a suspicious IP"; content: "OK LOGIN"; default_proto:tcp; default_dst_port: $FTP_PORT; classtype: successful-user; program: vsftpd; bluedot: type ip_reputation, track by_src, none, Malicious,Tor,Honeypot,Proxy; reference: url,wiki.quadrantsec.com/bin/view/Main/5002919; sid:5002919; rev:4;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[VSFTPD-BLUEDOT] File uploaded from a suspicious IP"; content: "OK UPLOAD"; default_proto:tcp; default_dst_port: $FTP_PORT; classtype: suspicious-traffic; bluedot: type ip_reputation, track by_src, none, Malicious,Tor,Honeypot,Proxy; program: vsftpd; reference: url,wiki.quadrantsec.com/bin/view/Main/5002920; sid:5002920; rev:4;) sagan-1.2.0/rules/windows-owa-blacklist.rules0000644000175000017500000000415513310533411020176 0ustar champchamp# Sagan windows-owa-blacklist.rules # Copyright (c) 2009-2017, Quadrant Information Security # All rights reserved. 
# # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list # #************************************************************* # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
# alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-OWA-BLACKLIST] Login failure - Brute force [5/5]"; content: "/ews/exchange.asmx"; nocase; blacklist: by_src; default_proto: tcp; default_dst_port: $HTTPS_PORT; classtype: suspicious-traffic; fwsam: src, 1 day; parse_src_ip: 1; parse_dst_ip: 2; reference: url,wiki.quadrantsec.com/bin/view/Main/5002267; sid: 5002267; rev:2;) sagan-1.2.0/rules/windows-sysmon.rules0000644000175000017500000004221613310533411016772 0ustar champchamp# Sagan windows-sysmon.rules # Copyright (c) 2009-2017, Quadrant Information Security # All rights reserved. # # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list # #************************************************************* # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. 
IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. # #************************************************************* # Sysmon| 1: Process Create: UtcTime: 2016-04-08 03:54:58.330 ProcessGuid: {E67F94C7-2B92-5707-0000-001050880400} ProcessId: 2004 Image: C:\Windows\System32\audiodg.exe CommandLine: C:\Windows\system32\AUDIODG.EXE 0x74c CurrentDirectory: C:\Windows User: NT AUTHORITY\LOCAL SERVICE LogonGuid: {E67F94C7-2A7B-5707-0000-0020E5030000} LogonId: 0x3e5 TerminalSessionId: 0 IntegrityLevel: System Hashes: SHA1=F033FD30AACD0183BFC30861891A92B56AC2468B,MD5=D5CCA1453B98A5801E6D5FF0FF89DC6C,SHA256=85F2C2480AAC31B6092187B431A562D79D4CFB1324F925C85055ABAB2483264B ParentProcessGuid: {E67F94C7-2A7B-5707-0000-00102A9E0000} ParentProcessId: 772 ParentImage: C:\Windows\System32\svchost.exe ParentCommandLine: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted # Created by Champ Clark 04/08/2016. You'll need PSEXEC_MD5 defined in your sagan.conf! The rule matches on the MD5 of one specific PsExec build, so the hash in PSEXEC_MD5 must be refreshed whenever the PsExec binary in use changes, or the rule will silently stop firing. 
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] PSExec execution detected"; content: " 1: "; meta_content: "MD5=%sagan%,",$PSEXEC_MD5; classtype: suspicious-command; program: *Sysmon*; reference: url,wiki.quadrantsec.com/bin/view/Main/sid:5002799; sid:5002799; rev:3;) # Locky Ransomware # Champ Clark 04/08/2016 # Sysmon| 1: Process Create: UtcTime: 2016-04-08 05:29:03.829 ProcessGuid: {E67F94C7-419F-5707-0000-00103FB11D00} ProcessId: 2920 Image: C:\Windows\System32\notepad.exe CommandLine: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\frankw\Desktop\_HELP_instructions.txt CurrentDirectory: C:\Users\frankw\AppData\Local\Temp\ User: frankw-PC\frankw LogonGuid: {E67F94C7-32CC-5707-0000-0020F4440100} LogonId: 0x144f4 TerminalSessionId: 1 IntegrityLevel: High Hashes: SHA1=7EB0139D2175739B3CCB0D1110067820BE6ABD29,MD5=F2C7BB8ACC97F92E987A2D4087D021B1,SHA256=142E1D688EF0568370C37187FD9F2351D7DDEDA574F8BFA9B0FA4EF42DB85AA2 ParentProcessGuid: {E67F94C7-414A-5707-0000-001049CA1900} ParentProcessId: 1704 ParentImage: C:\Users\frankw\AppData\Local\Temp\30e22374e00af038d06063db14cb3797.exe ParentCommandLine: "C:\Users\frankw\AppData\Local\Temp\30e22374e00af038d06063db14cb3797.exe" alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Locky/CrypoMix ransomware instructions detected!"; content: " 1: "; content: "notepad.exe"; nocase; content: "_HELP_instructions.txt "; classtype: trojan-activity; program: *Sysmon*; reference: url,wiki.quadrantsec.com/bin/view/Main/sid:5002802; sid:5002802; rev:4;) # vssadmin.exe is sometimes used by malware to delete shadow volume copied. 
Below is Locky: # Champ Clark 04/08/2016 # 1: Process Create: UtcTime: 2016-04-08 05:28:44.314 ProcessGuid: {E67F94C7-418C-5707-0000-00103EB31C00} ProcessId: 2404 Image: C:\Windows\System32\vssadmin.exe CommandLine: vssadmin.exe Delete Shadows /All /Quiet CurrentDirectory: C:\Users\frankw\AppData\Local\Temp\ User: frankw-PC\frankw LogonGuid: {E67F94C7-32CC-5707-0000-0020F4440100} LogonId: 0x144f4 TerminalSessionId: 1 IntegrityLevel: High Hashes: SHA1=09FAFEB1B8404124B33C44440BE7E3FDB6105F8A,MD5=E23DD973E1444684EB36365DEFF1FC74,SHA256=4DE7FA20E3224382D8C4A81017E5BDD4673AFBEF9C0F017E203D7B78977FBF8C ParentProcessGuid: {E67F94C7-414A-5707-0000-001049CA1900} ParentProcessId: 1704 ParentImage: C:\Users\frankw\AppData\Local\Temp\30e22374e00af038d06063db14cb3797.exe ParentCommandLine: "C:\Users\frankw\AppData\Local\Temp\30e22374e00af038d06063db14cb3797.exe" alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] vssadmin.exe execution. Possible ransomware"; content: " 1: "; content: "vssadmin.exe"; nocase; content: "Delete Shadows"; nocase; classtype: trojan-activity; program: *Sysmon*; reference: url,wiki.quadrantsec.com/bin/view/Main/sid:5002803; sid:5002803; rev:3;) # daemon|notice|notice|1d|2016-04-08|05:52:28|Sysmon| 1: Process Create: UtcTime: 2016-04-08 05:52:28.315 ProcessGuid: {E67F94C7-471C-5707-0000-0010FB0B1A00} ProcessId: 688 Image: C:\Windows\System32\wbem\WMIC.exe CommandLine: "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive CurrentDirectory: C:\Users\frankw\AppData\Local\Temp\ User: frankw-PC\frankw LogonGuid: {E67F94C7-32CC-5707-0000-0020F4440100} LogonId: 0x144f4 TerminalSessionId: 1 IntegrityLevel: High Hashes: SHA1=071A645A88E4236281E58B90A5D50A2AC80E26E5,MD5=FD902835DEAEF4091799287736F3A028,SHA256=DA3AD32583644BD20116F0479C178F7C7C0B730728F4C02A438C0D19378C83D9 ParentProcessGuid: {E67F94C7-471A-5707-0000-0010DAF41900} ParentProcessId: 2796 ParentImage: C:\Windows\jacjfunqpvji.exe ParentCommandLine: 
C:\Windows\jacjfunqpvji.exe alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Suspicious WMIC call - shadowcopy delete"; content: " 1: "; content: "wmic"; nocase; content: "shadowcopy delete"; nocase; classtype: suspicious-command; program: *Sysmon*; reference: url,wiki.quadrantsec.com/bin/view/Main/sid:5002810; sid:5002810; rev:3;) # daemon|notice|notice|1d|2016-04-09|03:56:50|Sysmon| 1: Process Create: UtcTime: 2016-04-09 03:56:50.199 ProcessGuid: {E67F94C7-7D82-5708-0000-001042E21B00} ProcessId: 2628 Image: C:\Windows\SysWOW64\wbem\WMIC.exe CommandLine: WMIC csproduct Get UUID /FORMAT:textvaluelist.xsl CurrentDirectory: C:\Users\frankw\AppData\Local\Temp\nshD809.tmp\ User: frankw-PC\frankw LogonGuid: {E67F94C7-32CC-5707-0000-0020F4440100} LogonId: 0x144f4 TerminalSessionId: 1 IntegrityLevel: High Hashes: SHA1=4368DBD172224EC9461364BE1AC9DFFC5D9224A8,MD5=A03CF3838775E0801A0894C8BACD2E56,SHA256=132AA270790F56A7524CAB968927ED5E1D91B9A26D4BADCB24E450E7DECC5F81 ParentProcessGuid: {E67F94C7-7D80-5708-0000-00101DF4 1A00} ParentProcessId: 3004 ParentImage: C:\Users\frankw\AppData\Local\Temp\b0fdb231b2d3740553c13c7762a9304e.exe ParentCommandLine: "C:\Users\frankw\AppData\Local\Temp\b0fdb231b2d3740553c13c7762a9304e.exe" alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Suspicious WMIC call - csproduct GET UUID"; content: " 1: "; content: "wmic"; nocase; content: "csproduct Get UUID"; nocase; classtype: suspicious-command; program: *Sysmon*; reference: url,wiki.quadrantsec.com/bin/view/Main/sid:5002811; sid:5002811; rev:3;) # daemon|notice|notice|1d|2016-04-09|03:56:50|Sysmon| 1: Process Create: UtcTime: 2016-04-09 03:56:50.870 ProcessGuid: {E67F94C7-7D82-5708-0000-0010C8731C00} ProcessId: 768 Image: C:\Windows\SysWOW64\wbem\WMIC.exe CommandLine: WMIC bios Get SerialNumber /FORMAT:textvaluelist.xsl CurrentDirectory: C:\Users\frankw\AppData\Local\Temp\nshD809.tmp\ User: frankw-PC\frankw LogonGuid: {E67F94C7-32CC-5707-0000-0020F4440100} 
LogonId: 0x144f4 TerminalSessionId: 1 IntegrityLevel: High Hashes: SHA1=4368DBD172224EC9461364BE1AC9DFFC5D9224A8,MD5=A03CF3838775E0801A0894C8BACD2E56,SHA256=132AA270790F56A7524CAB968927ED5E1D91B9A26D4BADCB24E450E7DECC5F81 ParentProcessGuid: {E67F94C7-7D80-5708-0000-00101DF41A00} ParentProcessId: 3004 ParentImage: C:\Users\frankw\AppData\Local\Temp\b0fdb231b2d3740553c13c7762a9304e.exe ParentCommandLine: "C:\Users\frankw\AppData\Local\Temp\b0fdb231b2d3740553c13c7762a9304e.exe" alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Suspicious WMIC call - bios Get SerialNumber"; content: " 1: "; content: "wmic"; nocase; content: "bios Get SerialNumber"; nocase; classtype: suspicious-command; program: *Sysmon*; reference: url,wiki.quadrantsec.com/bin/view/Main/sid:5002812; sid:5002812; rev:3;) # daemon|notice|notice|1d|2016-04-09|03:56:51|Sysmon| 1: Process Create: UtcTime: 2016-04-09 03:56:51.432 ProcessGuid: {E67F94C7-7D83-5708-0000-001007D91C00} ProcessId: 2256 Image: C:\Windows\SysWOW64\wbem\WMIC.exe CommandLine: WMIC bios Get Version /FORMAT:textvaluelist.xsl CurrentDirectory: C:\Users\frankw\AppData\Local\Temp\nshD809.tmp\ User: frankw-PC\frankw LogonGuid: {E67F94C7-32CC-5707-0000-0020F4440100} LogonId: 0x144f4 TerminalSessionId: 1 IntegrityLevel: High Hashes: SHA1=4368DBD172224EC9461364BE1AC9DFFC5D9224A8,MD5=A03CF3838775E0801A0894C8BACD2E56,SHA256=132AA270790F56A7524CAB968927ED5E1D91B9A26D4BADCB24E450E7DECC5F81 ParentProcessGuid: {E67F94C7-7D80-5708-0000-00101DF41A00} ParentProcessId: 3004 ParentImage: C:\Users\frankw\AppData\Local\Temp\b0fdb231b2d3740553c13c7762a9304e.exe ParentCommandLine: "C:\Users\frankw\AppData\Local\Temp\b0fdb231b2d3740553c13c7762a9304e.exe" alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Suspicious WMIC call - bios Get Version"; content: " 1: "; content: "wmic"; nocase; content: "bios Get Version"; nocase; classtype: suspicious-command; program: *Sysmon*; reference: 
url,wiki.quadrantsec.com/bin/view/Main/sid:5002813; sid:5002813; rev:3;) # daemon|notice|notice|1d|2016-04-09|03:57:49|Sysmon| 1: Process Create: UtcTime: 2016-04-09 03:57:49.213 ProcessGuid: {E67F94C7-7DBD-5708-0000-001099CD0600} ProcessId: 1420 Image: C:\Windows\SysWOW64\wbem\WMIC.exe CommandLine: WMIC bios Get SerialNumber /FORMAT:textvaluelist.xsl CurrentDirectory: C:\Users\frankw\AppData\Local\Temp\nsh1DDF.tmp\ User: frankw-PC\frankw LogonGuid: {E67F94C7-333C-5707-0000-0020CFB40100} LogonId: 0x1b4cf TerminalSessionId: 1 IntegrityLevel: High Hashes: SHA1=4368DBD172224EC9461364BE1AC9DFFC5D9224A8,MD5=A03CF3838775E0801A0894C8BACD2E56,SHA256=132AA270790F56A7524CAB968927ED5E1D91B9A26D4BADCB24E450E7DECC5F81 ParentProcessGuid: {E67F94C7-7DB4-5708-0000-00100B100600} ParentProcessId: 2628 ParentImage: C:\Users\frankw\AppData\Local\Temp\39e67671f65fae38e065f5db614f679c.exe ParentCommandLine: "C:\Users\frankw\AppData\Local\Temp\39e67671f65fae38e065f5db614f679c.exe" alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Suspicious WMIC call - bios Get SerialNumber"; content: " 1: "; content: "wmic"; nocase; content: "bios Get SerialNumber"; nocase; classtype: suspicious-command; program: *Sysmon*; reference: url,wiki.quadrantsec.com/bin/view/Main/sid:5002814; sid:5002814; rev:3;) # daemon|notice|notice|1d|2016-04-09|03:57:49|Sysmon| 1: Process Create: UtcTime: 2016-04-09 03:57:49.068 ProcessGuid: {E67F94C7-7DBD-5708-0000-0010AF1D0700} ProcessId: 668 Image: C:\Windows\SysWOW64\wbem\WMIC.exe CommandLine: WMIC csproduct Get Name /FORMAT:textvaluelist.xsl CurrentDirectory: C:\Users\frankw\AppData\Local\Temp\nsj3A92.tmp\ User: frankw-PC\frankw LogonGuid: {E67F94C7-333C-5707-0000-0020DCBC0100} LogonId: 0x1bcdc TerminalSessionId: 1 IntegrityLevel: High Hashes: SHA1=4368DBD172224EC9461364BE1AC9DFFC5D9224A8,MD5=A03CF3838775E0801A0894C8BACD2E56,SHA256=132AA270790F56A7524CAB968927ED5E1D91B9A26D4BADCB24E450E7DECC5F81 ParentProcessGuid: 
{E67F94C7-7DB3-5708-0000-0010143A0600} ParentProcessId: 592 ParentImage: C:\Users\frankw\AppData\Local\Temp\3f6811d8687a30b68fa02d6eb5536493.exe ParentCommandLine: "C:\Users\frankw\AppData\Local\Temp\3f6811d8687a30b68fa02d6eb5536493.exe" alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Suspicious WMIC call - csproduct Get Name"; content: " 1: "; content: "wmic"; nocase; content: "csproduct Get Name"; nocase; classtype: suspicious-command; program: *Sysmon*; reference: url,wiki.quadrantsec.com/bin/view/Main/sid:5002815; sid:5002815; rev:3;) # daemon|notice|notice|1d|2016-04-09|03:55:09|Sysmon| 1: Process Create: UtcTime: 2016-04-09 03:55:09.240 ProcessGuid: {E67F94C7-7D1D-5708-0000-001041E40700} ProcessId: 1556 Image: C:\Windows\SysWOW64\wbem\WMIC.exe CommandLine: wmic computersystem get model /format:list CurrentDirectory: C:\Users\frankw\AppData\Local\Temp\ User: frankw-PC\frankw LogonGuid: {E67F94C7-32FD-5707-0000-00203DB30100} LogonId: 0x1b33d TerminalSessionId: 1 IntegrityLevel: High Hashes: SHA1=4368DBD172224EC9461364BE1AC9DFFC5D9224A8,MD5=A03CF3838775E0801A0894C8BACD2E56,SHA256=132AA270790F56A7524CAB968927ED5E1D91B9A26D4BADCB24E450E7DECC5F81 ParentProcessGuid: {E67F94C7-7D1C-5708-0000-0010CDC80700} ParentProcessId: 2936 ParentImage: C:\Windows\SysWOW64\cmd.exe ParentCommandLine: "C:\Windows\system32\cmd.exe" /C wmic computersystem get model /format:list alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Suspicious WMIC call - computersystem get model"; content: " 1: "; content: "wmic"; nocase; content: "computersystem get model"; nocase; classtype: suspicious-command; program: *Sysmon*; reference: url,wiki.quadrantsec.com/bin/view/Main/sid:5002816; sid:5002816; rev:3;) # 2017-02-22 - Rule create by Champ Clark III based off Jack Crook's work. 
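See:
# From Jack Crook via https://www.quadrantsec.com/about/blog/using_jack_crooks_log_analysis_concepts_with_sagan/
#
# All rules in this group anchor on Sysmon Event ID 1 (content " 1|3a| " == " 1: ", the "Process Create" record
# format shown in the samples above) and then inspect individual fields with pcre.
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] IP detect in command line"; content: " 1|3a| "; pcre: "/CommandLine: (.*)([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})/"; classtype: suspicious-command; program: *Sysmon*; reference: url,findingbad.blogspot.cz/2017/12/a-few-of-my-favorite-things-continued.html; reference: url,wiki.quadrantsec.com/bin/view/Main/5003378; reference: url,www.quadrantsec.com/about/blog/using_jack_crooks_log_analysis_concepts_with_sagan; sid:5003378; rev:1;)
# rev 2: the last "reference:" option was missing its terminating ";" before "sid:", leaving the option list
# malformed (the reference URL and the sid ran together as one option value).
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Command line $\\ type request"; content: " 1|3a| "; pcre: "/CommandLine: (.*)\$\\\\(.*)/"; classtype: suspicious-command; program: *Sysmon*; reference: url,findingbad.blogspot.cz/2017/12/a-few-of-my-favorite-things-continued.html; reference: url,wiki.quadrantsec.com/bin/view/Main/5003379; reference: url,www.quadrantsec.com/about/blog/using_jack_crooks_log_analysis_concepts_with_sagan; sid:5003379; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Powershell execution"; content: " 1|3a| "; pcre: "/CommandLine: (.*):\/\/(.*)/"; pcre: "/Image: (.*)powershell\.exe(.*)/i"; classtype: suspicious-command; program: *Sysmon*; reference: url,findingbad.blogspot.cz/2017/12/a-few-of-my-favorite-things-continued.html; reference: url,wiki.quadrantsec.com/bin/view/Main/5003380; reference: url,www.quadrantsec.com/about/blog/using_jack_crooks_log_analysis_concepts_with_sagan; sid:5003380; rev:1;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] SYSMON Possible CMD detected"; content: " 1|3a| "; pcre: "/CommandLine: (.*)cmd(.*)/i"; classtype: suspicious-command; program: *Sysmon*; reference: url,findingbad.blogspot.cz/2017/12/a-few-of-my-favorite-things-continued.html; reference: url,wiki.quadrantsec.com/bin/view/Main/5003388; reference: url,www.quadrantsec.com/about/blog/using_jack_crooks_log_analysis_concepts_with_sagan; sid:5003388; rev:1;)
#
# Credential-dumper pair: 5003391 silently sets the "creddump" xbit on the first matching load, 5003390 alerts
# once the bit is already set for the same source. Both rules share one pcre.
#
# rev bump: "cypt32\.dll" corrected to "crypt32\.dll" (there is no Windows DLL named cypt32.dll, so that
# alternative could never match). "netapi\.dll" is left as published but looks like it may be intended as
# netapi32.dll - confirm against the original list.
#
# NOTE(review): these two rules anchor on Event ID 1 (" 1|3a| ") and then look for an "ImageLoad: " field.
# Sysmon reports DLL loads as a separate event type whose field name is "ImageLoaded:", which this pcre
# would not match. Confirm these rules fire on real Sysmon image-load records before relying on them.
# NOTE(review): 5003391 mixes "xbit: nounified2" with "xbits:noeve" - confirm the parser accepts the
# singular "xbit:" spelling, or normalise it to "xbits:".
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible credential dumper execution"; content: " 1|3a| "; pcre: "/ImageLoad: (.*)(wdigest\.dll|kerberos\.dll|tspkg\.dll|sspicli\.dll|samsrv\.dll|secur32\.dll|samlib\.dll|wlanapi\.dll|vaultcli\.dll|crypt32\.dll|cryptdll\.dll|netapi\.dll|netlogon\.dll|msv1_0\.dll)(.*)/i"; program: *Sysmon*; xbits: isset,by_src,creddump; reference: url,findingbad.blogspot.cz/2017/12/a-few-of-my-favorite-things-continued.html; reference: url,wiki.quadrantsec.com/bin/view/Main/5003390; reference: url,www.quadrantsec.com/about/blog/using_jack_crooks_log_analysis_concepts_with_sagan; classtype: suspicious-command; sid:5003390; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] Possible credential dumper execution"; content: " 1|3a| "; pcre: "/ImageLoad: (.*)(wdigest\.dll|kerberos\.dll|tspkg\.dll|sspicli\.dll|samsrv\.dll|secur32\.dll|samlib\.dll|wlanapi\.dll|vaultcli\.dll|crypt32\.dll|cryptdll\.dll|netapi\.dll|netlogon\.dll|msv1_0\.dll)(.*)/i"; program: *Sysmon*; xbits: set,creddump,1; xbit: nounified2; xbits:noeve; reference: url,findingbad.blogspot.cz/2017/12/a-few-of-my-favorite-things-continued.html; reference: url,wiki.quadrantsec.com/bin/view/Main/5003391; reference: url,www.quadrantsec.com/about/blog/using_jack_crooks_log_analysis_concepts_with_sagan; classtype: suspicious-command; sid:5003391; rev:3;)
sagan-1.2.0/rules/telnet.rules0000644000175000017500000000645413310533411015251 0ustar champchamp# Sagan telnet.rules
# Copyright (c) 2009-2017, Quadrant Information Security
# All rights reserved.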
# # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list # #************************************************************* # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
# #************************************************************* alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[TELNET] Connection refused by TCP Wrappers"; content: "refused connect from"; default_proto: tcp; default_dst_port: $TELNET_PORT; classtype: tcp-connection; program: telnetd; reference: url,wiki.quadrantsec.com/bin/view/Main/5000243; sid: 5000243; rev:3;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[TELNET] Remote host established a telnet connection"; content: "connection from"; default_proto: tcp; default_dst_port: $TELNET_PORT; classtype: not-suspicious; program: telnetd; reference: url,wiki.quadrantsec.com/bin/view/Main/5000244; sid: 5000244; rev:3;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[TELNET] Remote host invalid connection"; content: "ttloop"; pcre: "/peer died|read/i"; default_proto: tcp; default_dst_port: $TELNET_PORT; classtype: network-event; program: telnetd; reference: url,wiki.quadrantsec.com/bin/view/Main/5000245; sid: 5000245; rev:2;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[TELNET] Reverse lookup error"; content: "can't verify hostname"; default_proto: tcp; default_dst_port: $TELNET_PORT; classtype: network-event; program: telnetd; reference: url,wiki.quadrantsec.com/bin/view/Main/5000246; sid: 5000246; rev:3;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[TELNET] Attempt to login with an option"; content: "Attempt to login with an option"; default_proto: tcp; default_dst_port: $TELNET_PORT; classtype: exploit-attempt; program: telnetd; reference: url,wiki.quadrantsec.com/bin/view/Main/5000392; sid: 5000392; rev:3;) sagan-1.2.0/rules/zscaler-bluedot.rules0000644000175000017500000000440213310533411017044 0ustar champchamp# Sagan zscaler-bluedot.rules # Copyright (c) 2009-2017, Quadrant Information Security # All rights reserved. 
# # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list # #************************************************************* # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
# #************************************************************* alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[ZSCALER] Suspicious IP detected via Bluedo "; threshold: type limit, track by_dst, count 2, seconds 3600; parse_src_ip: 2; parse_dst_ip: 1; program: CEF; content: "Zscaler"; content:"act=Allowed"; bluedot: type ip_reputation, track all, mdate_effective_period 1 months, Malicious,Tor,Proxy; default_dst_port: $HTTP_PORT; default_proto: tcp; classtype:trojan-activity; sid:5003199; rev:2;) sagan-1.2.0/rules/syslog.rules0000644000175000017500000003223113310533411015266 0ustar champchamp# Sagan syslog.rules # Copyright (c) 2009-2017, Quadrant Information Security # All rights reserved. # # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list # #************************************************************* # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. 
IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. # #************************************************************* # # Rules outside the scope of application specific rules. alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[SYSLOG] Kernel TCP/IP redirect attempt"; content: "Redirect from"; classtype: bad-unknown; program: Redirect;facility: kern;reference: url,wiki.quadrantsec.com/bin/view/Main/5000056; sid: 5000056; rev:1;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[SYSLOG] Kernel TCP/IP redirect attempt"; content: "Advised path"; classtype: bad-unknown; program: Advised; facility: kern; reference: url,wiki.quadrantsec.com/bin/view/Main/5000057; sid: 5000057; rev:1;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[SYSLOG] init respawning to fast"; content: "respawning too fast"; classtype: program-error; program: init; threshold: type limit, track by_src, count 5, seconds 60; reference: url,wiki.quadrantsec.com/bin/view/Main/5000058; sid: 5000058; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[SYSLOG] Martian source packet"; content: "martian source"; parse_src_ip: 2; parse_dst_ip: 1; classtype: bad-unknown; program: martian; facility: kern; reference: url,wiki.quadrantsec.com/bin/view/Main/5000059; sid: 5000059; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[SYSLOG] Possible unknown problem on a system"; pcre: "/core_dump|core dump| fatal |segmentation fault| corrupt /i"; threshold: type limit, track by_src, count 1, seconds 300; classtype: program-error; 
reference: url,wiki.quadrantsec.com/bin/view/Main/5000114; meta_content:!"%sagan%",abcnews,cnn,cbsnews,foxnews,msnbc; meta_nocase; sid: 5000114; rev:5;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[SYSLOG] /etc/securetty missing, root access unrestricted"; content: "couldn't open /etc/securetty"; nocase; classtype: program-error; reference: url,wiki.quadrantsec.com/bin/view/Main/5000115; sid: 5000115; rev:1;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[SYSLOG] System out of disk space"; pcre: "/file system full|No space left on device/i"; classtype: hardware-event; threshold: type limit, track by_src, count 1, seconds 300; reference: url,wiki.quadrantsec.com/bin/view/Main/5000116; sid:5000116; rev:2;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[SYSLOG] Unable to mount NFS share"; content: "mount failure"; classtype: program-error; program: nfs; threshold: type limit, track by_src, count 1, seconds 86400; reference: url,wiki.quadrantsec.com/bin/view/Main/5000117; sid: 5000117; rev:2;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[SYSLOG] Unable to mount the NFS directory"; content: "refused mount request from"; classtype: program-error; program: rpc.mountd; threshold: type limit, track by_src, count 1, seconds 86400; reference: url,wiki.quadrantsec.com/bin/view/Main/5000118; sid: 5000118; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[SYSLOG] Authentication failure - Brute force [25/1]"; pcre: "/failed to authorize|wrong password given|repeated login failures|authentication failed|authentication failures|access denied|access not allowed|failed to authenticate/i"; content: !"|24| Session ID|3a|"; content:!"access denied by ACL"; parse_src_ip: 1; parse_port; parse_proto; classtype: unsuccessful-user; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; xbits: set,brute_force,21600; reference: url,wiki.quadrantsec.com/bin/view/Main/5000119; sid: 5000119; rev:14;) 
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[SYSLOG] Authentication failure - Brute force [10 attempts in 5 minutes]"; pcre: "/failed to authorize|wrong password given|repeated login failures|authentication failed|more authentication failures/i"; parse_src_ip: 1; classtype: unsuccessful-user; after: track by_src, count 10, seconds 300; threshold: type limit, track by_src, count 5, seconds 300; xbits: set,brute_force,21600; reference: url,wiki.quadrantsec.com/bin/view/Main/5001621; sid: 5001621; rev:3;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[SYSLOG] Authentication failure - Brute force [20 attempts in 5 minutes]"; pcre: "/failed to authorize|wrong password given|repeated login failures|authentication failed|more authentication failures/i"; parse_src_ip: 1; classtype: unsuccessful-user; after: track by_src, count 20, seconds 300; threshold: type limit, track by_src, count 5, seconds 300; xbits: set,brute_force,21600; reference: url,wiki.quadrantsec.com/bin/view/Main/5001622; sid: 5001622; rev:3;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[SYSLOG] Authentication failure - Brute force [50 attempts in 5 minutes]"; pcre: "/failed to authorize|wrong password given|repeated login failures|authentication failed|more authentication failures/i"; parse_src_ip: 1; classtype: unsuccessful-user; after: track by_src, count 50, seconds 300; threshold: type limit, track by_src, count 5, seconds 300; xbits: set,brute_force,21600; reference: url,wiki.quadrantsec.com/bin/view/Main/5001623; sid: 5001623; rev:3;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[SYSLOG] Authentication failure - Brute force [100 attempts in 5 minutes]"; pcre: "/failed to authorize|wrong password given|repeated login failures|authentication failed|more authentication failures/i"; parse_src_ip: 1; classtype: unsuccessful-user; after: track by_src, count 100, seconds 300; threshold: type limit, track by_src, count 5, seconds 300; xbits: set,brute_force,21600; reference: 
url,wiki.quadrantsec.com/bin/view/Main/5001624; sid: 5001624; rev:3;) # # Catch all for all Authentication failures. # #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[SYSLOG] Authentication failure"; pcre: "/failed to authorize|wrong password given|repeated login failures|authentication failed|more authentication failures/i"; classtype: unsuccessful-user; reference: url,wiki.quadrantsec.com/bin/view/Main/5001528; sid: 5001528; rev:1;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[SYSLOG] Illegal root login"; pcre: "/ILLEGAL ROOT LOGIN|ROOT LOGIN REFUSED/"; classtype: unsuccessful-admin; reference: url,wiki.quadrantsec.com/bin/view/Main/5000120; sid: 5000120; rev:1;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[SYSLOG] Connection blocked by TCP Wrappers"; pcre: "/refused connect from|libwrap refused connection|connection from \S+ denied/i"; parse_src_ip: 1; classtype: tcp-connection; reference: url,wiki.quadrantsec.com/bin/view/Main/5000121; sid: 5000121; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[SYSLOG] Physical root login"; content: "ROOT LOGIN on"; nocase; classtype: successful-admin; reference: url,wiki.quadrantsec.com/bin/view/Main/5000122; sid: 5000122; rev:1;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[SYSLOG] Oversized packet - ping of death?"; content: "Oversized packet received from"; classtype: attempted-dos; reference: url,wiki.quadrantsec.com/bin/view/Main/5000123; sid: 5000123; facility: kern; rev:1;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[SYSLOG] Interface entered promiscuous mode"; pcre: "/Promiscuous mode enabled|device \S+ entered promiscuous mode/i"; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/5000124; sid: 5000124; facility: kern; rev:1;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[SYSLOG] System out of memory!"; content: "out of memory"; nocase; classtype: hardware-event; reference: url,wiki.quadrantsec.com/bin/view/Main/5000125; sid: 
5000125; facility: kern; rev:1;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[SYSLOG] Kernel log daemon terminating"; content: "kernel log daemon terminating"; nocase; classtype: system-event; reference: url,wiki.quadrantsec.com/bin/view/Main/5000126; sid: 5000126; facility: kern; rev:1;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[SYSLOG] ADSL line is up"; content: "ADSL line is up"; classtype: hardware-event; reference: url,wiki.quadrantsec.com/bin/view/Main/5000127; sid: 5000127; rev:1;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[SYSLOG] ADSL line is down"; content: "ADSL line is down"; classtype: hardware-event; reference: url,wiki.quadrantsec.com/bin/view/Main/5000128; sid: 5000128; rev:1;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[SYSLOG] New group added to the system"; content: "new group"; nocase; program: useradd|adduser; classtype: system-event; reference: url,wiki.quadrantsec.com/bin/view/Main/5000130; sid: 5000130; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[SYSLOG] New user added to the system"; pcre: "/new user|new account added/i"; program: useradd|adduser; classtype: system-event; reference: url,wiki.quadrantsec.com/bin/view/Main/5000131; sid: 5000131; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[SYSLOG] User or group was deleted from the system"; pcre: "/delete user|account deleted|remove group/i"; nocase; classtype: system-event; reference: url,wiki.quadrantsec.com/bin/view/Main/5000376; sid: 5000376; rev:1;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[SYSLOG] Information for a user was changed"; content: "changed user"; nocase; classtype: system-event; reference: url,wiki.quadrantsec.com/bin/view/Main/5000377; sid: 5000377; rev:1;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[SYSLOG] automount - Couldn't stat filesystem"; program: automount; content: "could not stat fs of"; classtype: system-event; reference: url,wiki.quadrantsec.com/bin/view/Main/5000395; 
sid: 5000395; rev:1;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[SYSLOG] Nagios npre - Host not allowed"; program: npre; content: "is not allowed to talk to us"; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/5000410; sid: 5000410; rev:1;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[SYSLOG] syslog-ng I/O error"; program: syslog-ng; content: "I/O error occurred while writing"; classtype: system-event; reference: url,wiki.quadrantsec.com/bin/view/Main/5001011; sid: 5001011; rev:1;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[SYSLOG] syslog-ng suspend write"; program: syslog-ng; content: "Suspending write operation"; classtype: system-event; reference: url,wiki.quadrantsec.com/bin/view/Main/5001012; sid: 5001012; rev:1;) # Linux system "password changed" rules. Created by Brian Echeverry (becheverry@quadrantsec.com) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[SYSLOG] password changed for user"; content: "passwd"; content: "changed"; classtype: successful-user; program: passwd; reference: url,wiki.quadrantsec.com/bin/view/Main/5001704; sid:5001704; rev:1;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[SYSLOG] password changed for user root"; content: "passwd"; content: "changed"; content: "root"; classtype: successful-admin; program: passwd; reference: url,wiki.quadrantsec.com/bin/view/Main/5001705; sid:5001705; rev:1;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[SYSLOG] Redhat Linux not updating"; content: "your system is up-to-date"; classtype: program-error; program: rhsmd; reference: url,wiki.quadrantsec.com/bin/view/Main/5001961; sid:5001961; rev:1;) # Added by Robert Nunley 02/20/2014 (rnunley@quadantsec.com) alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[SYSLOG] SCSI task abort"; content: "scsi"; content: "task abort"; classtype: hardware-event; reference: url,wiki.quadrantsec.com/bin/view/Main/5001972; program: kernel; sid: 5001972; rev:1;) alert any $EXTERNAL_NET 
any -> $HOME_NET any (msg:"[SYSLOG] Remounting filesystem read-only"; content: "Remounting filesystem read-only"; classtype: hardware-event; reference: url,wiki.quadrantsec.com/bin/view/Main/5001973; program: kernel; sid: 5001973; rev:1;) sagan-1.2.0/rules/arp.rules0000644000175000017500000001400313310533411014525 0ustar champchamp# Sagan arp.rules # Copyright (c) 2009-2017, Quadrant Information Security # All rights reserved. # # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list # #************************************************************* # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. 
IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. # #************************************************************* # "arpalert" rules - http://www.arpalert.org alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[ARP] arpalert - Detected new machine on the network"; content: "type=new"; classtype: suspicious-traffic; program: arpalert; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5000060; sid: 5000060; rev:4;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[ARP] arpalert - Detected ip change"; content: "type=ip_change"; classtype: suspicious-traffic; program: arpalert; normalize; reference: url,wiki.quadrantsec.com/bin/view/Main/5000061; sid: 5000061; rev: 4;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[ARP] arpalert - Detected new machine on the network [mac-new]"; content: "type=new_mac"; classtype: suspicious-traffic; program: arpalert; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001079; sid: 5001079; rev:3;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[ARP] arpalert - MAC address flood"; content: "type=flood"; classtype: suspicious-traffic; program: arpalert; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001080; sid: 5001080; rev:3;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[ARP] arpalert - MAC address blacklisted"; content: "type=black_listed"; classtype: suspicious-traffic; program: arpalert; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001081; sid: 5001081; rev:3;) alert any 
$EXTERNAL_NET any -> $HOME_NET any (msg:"[ARP] arpalert - MAC address changed"; content: "type=mac_changed"; classtype: suspicious-traffic; program: arpalert; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001082; sid: 5001082; rev:3;) # "arpwatch" rules - http://en.wikipedia.org/wiki/Arpwatch # rev 5 of 5000062: the rule option was misspelled "peference:", which is not a Sagan keyword. alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[ARP] arpwatch - Detected new machine on the network"; content: "new station"; classtype: suspicious-traffic; program: arpwatch; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5000062; sid: 5000062; rev:5;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[ARP] arpwatch - 'flip flop' message."; content: "flip flop "; classtype: suspicious-traffic; program: arpwatch; reference: url,wiki.quadrantsec.com/bin/view/Main/5000063; sid: 5000063; rev:2;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[ARP] arpwatch - Exiting"; content: "reaper|3a| pid"; classtype: program-error; program: arpwatch; reference: url,wiki.quadrantsec.com/bin/view/Main/5000064; sid: 5000064; rev:3;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[ARP] arpwatch - Changed network interface for IP address"; content: "changed ethernet address"; classtype: suspicious-traffic; program: arpwatch; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5000065; sid: 5000065; rev:5; ) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[ARP] arpwatch - Startup/Exiting message"; pcre: "/exiting|Running as/"; classtype: not-suspicious; program: arpwatch; reference: url,wiki.quadrantsec.com/bin/view/Main/5000066; sid: 5000066; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[ARP] arpwatch - Detected bad address len - ignored"; content: "sent bad addr len"; classtype: network-event; program: arpwatch; reference: url,wiki.quadrantsec.com/bin/view/Main/5000067; sid: 5000067; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[ARP] arpwatch - New activity [new machine]"; content: "new 
activity"; classtype: network-event; program: arpwatch; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001061; sid: 5001061; rev:4;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[ARP] arpwatch - Broadcast address detected"; content: "ethernet broadcast"; classtype: network-event; program: arpwatch; reference: url,wiki.quadrantsec.com/bin/view/Main/5001062; sid: 5001062; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[ARP] arpwatch - Bogus IP address detected"; content: " bogon "; classtype: network-event; program: arpwatch; reference: url,wiki.quadrantsec.com/bin/view/Main/5001063; sid: 5001063; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[ARP] arpwatch - Ethernet mismatch [MAC != ARP]"; content: " ethernet mismatch "; classtype: network-event; program: arpwatch; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001064; sid: 5001064; rev:3;) sagan-1.2.0/rules/ossec-mi.rules0000644000175000017500000060256013310533411015475 0ustar champchamp## ## OSSEC SAGAN RULES (autogenerated) ## ## Sagan is: ## Copyright (c) 2009-2017, Quadrant Information Security ## All rights reserved. ## ## Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list ## ##************************************************************* ## Redistribution and use in source and binary forms, with or without modification, are permitted provided that the ## following conditions are met: ## ## * Redistributions of source code must retain the above copyright notice, this list of conditions and the following ## disclaimer. ## * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the ## following disclaimer in the documentation and/or other materials provided with the distribution. 
## * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived ## from this software without specific prior written permission. ## ## THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, ## INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE ## DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, ## SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR ## SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, ## WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE ## USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. ## ##************************************************************* ## These rules were autogenerated from ossec rules using the ossec-sagan.pl script. ## OSSEC and its supplied rules are: ## ## Copyright (C) 2009 Trend Micro Inc. ## All rights reserved. ## ## This program is a free software; you can redistribute it ## and/or modify it under the terms of the GNU General Public ## License (version 2) as published by the FSF - Free Software ## Foundation. ## ## License details: http://www.ossec.net/en/licensing.html ## ## Rule group: attack_rules.xml:syslog,attacks ## alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 10 - Multiple authentication failures. 
(attack_rules.xml:syslog,attacks)"; content: "Rule: 40111 "; classtype: exploit-attempt; program: ossec; sid: 6040111; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 14 - Buffer overflow attack on rpc.statd (attack_rules.xml:syslog,attacks)"; content: "Rule: 40102 "; classtype: exploit-attempt; program: ossec; sid: 6040102; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 12 - System user successfully logged to the system. (attack_rules.xml:syslog,attacks)"; content: "Rule: 40101 "; classtype: exploit-attempt; program: ossec; sid: 6040101; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 12 - Multiple viruses detected - Possible outbreak. (attack_rules.xml:syslog,attacks)"; content: "Rule: 40113 "; classtype: exploit-attempt; program: ossec; sid: 6040113; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 12 - Stack overflow attempt or program exiting with SEGV (Solaris). (attack_rules.xml:syslog,attacks)"; content: "Rule: 40109 "; classtype: exploit-attempt; program: ossec; sid: 6040109; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 13 - Possible buffer overflow attempt. (attack_rules.xml:syslog,attacks)"; content: "Rule: 40104 "; classtype: exploit-attempt; program: ossec; sid: 6040104; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 12 - Multiple authentication failures followed by a success. (attack_rules.xml:syslog,attacks)"; content: "Rule: 40112 "; classtype: exploit-attempt; program: ossec; sid: 6040112; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 12 - "Null" user changed some information. 
(attack_rules.xml:syslog,attacks)"; content: "Rule: 40105 "; classtype: exploit-attempt; program: ossec; sid: 6040105; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 14 - Buffer overflow on WU-FTPD versions prior to 2.6 (attack_rules.xml:syslog,attacks)"; content: "Rule: 40103 "; classtype: exploit-attempt; program: ossec; sid: 6040103; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 12 - Buffer overflow attempt (probably on yppasswd). (attack_rules.xml:syslog,attacks)"; content: "Rule: 40106 "; classtype: exploit-attempt; program: ossec; sid: 6040106; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 14 - Heap overflow in the Solaris cachefsd service. (attack_rules.xml:syslog,attacks)"; content: "Rule: 40107 "; classtype: exploit-attempt; program: ossec; sid: 6040107; rev:1;) ## Rule group: apache_rules.xml:apache ## alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - User authentication failed. (apache_rules.xml:apache)"; content: "Rule: 30110 "; classtype: system-event; program: ossec; sid: 6030110; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 6 - Modsecurity alert. (apache_rules.xml:apache)"; content: "Rule: 30200 "; classtype: system-event; program: ossec; sid: 6030200; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 9 - Attempt to login using a non-existent user. (apache_rules.xml:apache)"; content: "Rule: 30109 "; classtype: system-event; program: ossec; sid: 6030109; rev:1;) #(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Apache messages grouped. (apache_rules.xml:apache)"; content: "Rule: 30100 "; classtype: tcp-connection; program: ossec; sid: 6030100; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 10 - Multiple attempts blocked by Mod Security. 
(apache_rules.xml:apache)"; content: "Rule: 30202 "; classtype: exploit-attempt; program: ossec; sid: 6030202; rev:1;) #(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Apache warn messages grouped. (apache_rules.xml:apache)"; content: "Rule: 30102 "; classtype: tcp-connection; program: ossec; sid: 6030102; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - Invalid URI (bad client request). (apache_rules.xml:apache)"; content: "Rule: 30115 "; classtype: system-event; program: ossec; sid: 6030115; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 12 - Apache without resources to run. (apache_rules.xml:apache)"; content: "Rule: 30120 "; classtype: exploit-attempt; program: ossec; sid: 6030120; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 6 - Access attempt blocked by Mod Security. (apache_rules.xml:apache)"; content: "Rule: 30118 "; classtype: system-event; program: ossec; sid: 6030118; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 12 - Apache segmentation fault. (apache_rules.xml:apache)"; content: "Rule: 30104 "; classtype: exploit-attempt; program: ossec; sid: 6030104; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - User authentication failed. (apache_rules.xml:apache)"; content: "Rule: 30108 "; classtype: system-event; program: ossec; sid: 6030108; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 12 - Multiple attempts blocked by Mod Security. (apache_rules.xml:apache)"; content: "Rule: 30119 "; classtype: exploit-attempt; program: ossec; sid: 6030119; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - Attempt to access forbidden file or directory. 
(apache_rules.xml:apache)"; content: "Rule: 30105 "; classtype: system-event; program: ossec; sid: 6030105; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - Attempt to access forbidden directory index. (apache_rules.xml:apache)"; content: "Rule: 30106 "; classtype: system-event; program: ossec; sid: 6030106; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 6 - Modsecurity access denied. (apache_rules.xml:apache)"; content: "Rule: 30201 "; classtype: system-event; program: ossec; sid: 6030201; rev:1;) #(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Apache notice messages grouped. (apache_rules.xml:apache)"; content: "Rule: 30103 "; classtype: tcp-connection; program: ossec; sid: 6030103; rev:1;) #(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Attempt to access an non-existent file (those are reported on the access.log). (apache_rules.xml:apache)"; content: "Rule: 30112 "; classtype: tcp-connection; program: ossec; sid: 6030112; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 10 - Multiple Invalid URI requests from same source. (apache_rules.xml:apache)"; content: "Rule: 30116 "; classtype: exploit-attempt; program: ossec; sid: 6030116; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 6 - Code Red attack. (apache_rules.xml:apache)"; content: "Rule: 30107 "; classtype: system-event; program: ossec; sid: 6030107; rev:1;) #(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Apache error messages grouped. (apache_rules.xml:apache)"; content: "Rule: 30101 "; classtype: tcp-connection; program: ossec; sid: 6030101; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 10 - Invalid URI, file name too long. 
(apache_rules.xml:apache)"; content: "Rule: 30117 "; classtype: exploit-attempt; program: ossec; sid: 6030117; rev:1;) ## Rule group: rules_config.xml:squid ## #(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Generic template for all web proxy rules. (rules_config.xml:squid)"; content: "Rule: 05 "; classtype: tcp-connection; program: ossec; sid: 6000005; rev:1;) ## Rule group: web_rules.xml:web,accesslog ## alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 10 - Multiple SQL injection attempts from same souce ip. (web_rules.xml:web,accesslog)"; content: "Rule: 31152 "; classtype: exploit-attempt; program: ossec; sid: 6031152; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 10 - Multiple web server 501 error code (Not Implemented). (web_rules.xml:web,accesslog)"; content: "Rule: 31161 "; classtype: exploit-attempt; program: ossec; sid: 6031161; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 6 - SQL injection attempt. (web_rules.xml:web,accesslog)"; content: "Rule: 31103 "; classtype: system-event; program: ossec; sid: 6031103; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - Web server 500 error code (server error). (web_rules.xml:web,accesslog)"; content: "Rule: 31120 "; classtype: system-event; program: ossec; sid: 6031120; rev:1;) #(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Ignored URLs for the web attacks (web_rules.xml:web,accesslog)"; content: "Rule: 31107 "; classtype: tcp-connection; program: ossec; sid: 6031107; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 6 - A web attack returned code 200 (success). 
(web_rules.xml:web,accesslog)"; content: "Rule: 31106 "; classtype: system-event; program: ossec; sid: 6031106; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 10 - Mutiple web server 400 error codes from same source ip. (web_rules.xml:web,accesslog)"; content: "Rule: 31151 "; classtype: exploit-attempt; program: ossec; sid: 6031151; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - Web server 500 error code (Internal Error). (web_rules.xml:web,accesslog)"; content: "Rule: 31122 "; classtype: system-event; program: ossec; sid: 6031122; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 13 - URL too long. Higher than allowed on most browsers. Possible attack. (web_rules.xml:web,accesslog)"; content: "Rule: 31115 "; classtype: exploit-attempt; program: ossec; sid: 6031115; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 10 - Multiple web server 500 error code (Internal Error). (web_rules.xml:web,accesslog)"; content: "Rule: 31162 "; classtype: exploit-attempt; program: ossec; sid: 6031162; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - Web server 400 error code. (web_rules.xml:web,accesslog)"; content: "Rule: 31101 "; classtype: system-event; program: ossec; sid: 6031101; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 10 - Multiple common web attacks from same souce ip. (web_rules.xml:web,accesslog)"; content: "Rule: 31153 "; classtype: exploit-attempt; program: ossec; sid: 6031153; rev:1;) #(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Ignored URLs (simple queries). (web_rules.xml:web,accesslog)"; content: "Rule: 31108 "; classtype: tcp-connection; program: ossec; sid: 6031108; rev:1;) #(Level 4) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 4 - Web server 503 error code (Service unavailable). 
(web_rules.xml:web,accesslog)"; content: "Rule: 31123 "; classtype: not-suspicious; program: ossec; sid: 6031123; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 6 - XSS (Cross Site Scripting) attempt. (web_rules.xml:web,accesslog)"; content: "Rule: 31105 "; classtype: system-event; program: ossec; sid: 6031105; rev:1;) #(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Access log messages grouped. (web_rules.xml:web,accesslog)"; content: "Rule: 31100 "; classtype: tcp-connection; program: ossec; sid: 6031100; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 10 - Multiple XSS (Cross Site Scripting) attempts from same souce ip. (web_rules.xml:web,accesslog)"; content: "Rule: 31154 "; classtype: exploit-attempt; program: ossec; sid: 6031154; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 6 - Common web attack. (web_rules.xml:web,accesslog)"; content: "Rule: 31104 "; classtype: system-event; program: ossec; sid: 6031104; rev:1;) #(Level 4) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 4 - Web server 501 error code (Not Implemented). (web_rules.xml:web,accesslog)"; content: "Rule: 31121 "; classtype: not-suspicious; program: ossec; sid: 6031121; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 10 - Multiple web server 503 error code (Service unavailable). (web_rules.xml:web,accesslog)"; content: "Rule: 31163 "; classtype: exploit-attempt; program: ossec; sid: 6031163; rev:1;) #(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Ignoring google/msn/yahoo bots. (web_rules.xml:web,accesslog)"; content: "Rule: 31140 "; classtype: tcp-connection; program: ossec; sid: 6031140; rev:1;) #(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Ignored extensions on 400 error codes. 
(web_rules.xml:web,accesslog)"; content: "Rule: 31102 "; classtype: tcp-connection; program: ossec; sid: 6031102; rev:1;) ## Rule group: named_rules.xml:syslog,named ## alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 8 - Serial number from master is lower than stored. (named_rules.xml:syslog,named)"; content: "Rule: 12110 "; classtype: system-event; program: ossec; sid: 6012110; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 12 - Invalid DNS packet. Possibility of attack. (named_rules.xml:syslog,named)"; content: "Rule: 12101 "; classtype: exploit-attempt; program: ossec; sid: 6012101; rev:1;) #(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Grouping of the named rules (named_rules.xml:syslog,named)"; content: "Rule: 12100 "; classtype: tcp-connection; program: ossec; sid: 6012100; rev:1;) #(Level 4) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 4 - DNS update denied. Generally mis-configuration. (named_rules.xml:syslog,named)"; content: "Rule: 12103 "; classtype: not-suspicious; program: ossec; sid: 6012103; rev:1;) #(Level 4) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 4 - Log permission misconfiguration in Named. (named_rules.xml:syslog,named)"; content: "Rule: 12104 "; classtype: not-suspicious; program: ossec; sid: 6012104; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 8 - Unable to perform zone transfer. (named_rules.xml:syslog,named)"; content: "Rule: 12111 "; classtype: system-event; program: ossec; sid: 6012111; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 12 - Named fatal error. DNS service going down. (named_rules.xml:syslog,named)"; content: "Rule: 12109 "; classtype: exploit-attempt; program: ossec; sid: 6012109; rev:1;) #(Level 4) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 4 - Query cache denied (maybe config error). 
(named_rules.xml:syslog,named)"; content: "Rule: 12108 "; classtype: not-suspicious; program: ossec; sid: 6012108; rev:1;) #(Level 4) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 4 - Unexpected error while resolving domain. (named_rules.xml:syslog,named)"; content: "Rule: 12105 "; classtype: not-suspicious; program: ossec; sid: 6012105; rev:1;) #(Level 4) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 4 - Zone transfer error. (named_rules.xml:syslog,named)"; content: "Rule: 12112 "; classtype: not-suspicious; program: ossec; sid: 6012112; rev:1;) #(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - DNS update using RFC2136 Dynamic protocol. (named_rules.xml:syslog,named)"; content: "Rule: 12107 "; classtype: tcp-connection; program: ossec; sid: 6012107; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 9 - Failed attempt to perform a zone transfer. (named_rules.xml:syslog,named)"; content: "Rule: 12102 "; classtype: system-event; program: ossec; sid: 6012102; rev:1;) #(Level 4) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 4 - DNS configuration error. (named_rules.xml:syslog,named)"; content: "Rule: 12106 "; classtype: not-suspicious; program: ossec; sid: 6012106; rev:1;) ## Rule group: mailscanner_rules.xml:syslog,mailscanner ## #(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Grouping of mailscanner rules. (mailscanner_rules.xml:syslog,mailscanner)"; content: "Rule: 3700 "; classtype: tcp-connection; program: ossec; sid: 6003700; rev:1;) #(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Non spam message. Ignored. (mailscanner_rules.xml:syslog,mailscanner)"; content: "Rule: 3701 "; classtype: tcp-connection; program: ossec; sid: 6003701; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 6 - Multiple attempts of spam. 
(mailscanner_rules.xml:syslog,mailscanner)"; content: "Rule: 3751 "; classtype: system-event; program: ossec; sid: 6003751; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - Mail Scanner spam detected. (mailscanner_rules.xml:syslog,mailscanner)"; content: "Rule: 3702 "; classtype: system-event; program: ossec; sid: 6003702; rev:1;) ## Rule group: syslog_rules.xml:syslog,squid ## #(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Squid debug message (syslog_rules.xml:syslog,squid)"; content: "Rule: 9201 "; classtype: tcp-connection; program: ossec; sid: 6009201; rev:1;) #(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Squid syslog messages grouped (syslog_rules.xml:syslog,squid)"; content: "Rule: 9200 "; classtype: tcp-connection; program: ossec; sid: 6009200; rev:1;) ## Rule group: solaris_bsm_rules.xml:syslog,solaris_bsm ## alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - Login session failed. (solaris_bsm_rules.xml:syslog,solaris_bsm)"; content: "Rule: 6104 "; classtype: system-event; program: ossec; sid: 6006104; rev:1;) #(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Auditing session succeeded. (solaris_bsm_rules.xml:syslog,solaris_bsm)"; content: "Rule: 6102 "; classtype: tcp-connection; program: ossec; sid: 6006102; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - Auditing session failed. (solaris_bsm_rules.xml:syslog,solaris_bsm)"; content: "Rule: 6101 "; classtype: system-event; program: ossec; sid: 6006101; rev:1;) #(Level 3) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 3 - User successfully changed UID. (solaris_bsm_rules.xml:syslog,solaris_bsm)"; content: "Rule: 6105 "; classtype: not-suspicious; program: ossec; sid: 6006105; rev:1;) #(Level 3) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 3 - Login session succeeded. 
(solaris_bsm_rules.xml:syslog,solaris_bsm)"; content: "Rule: 6103 "; classtype: not-suspicious; program: ossec; sid: 6006103; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - User failed to change UID (user id). (solaris_bsm_rules.xml:syslog,solaris_bsm)"; content: "Rule: 6106 "; classtype: system-event; program: ossec; sid: 6006106; rev:1;) #(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Solaris BSM Auditing messages grouped. (solaris_bsm_rules.xml:syslog,solaris_bsm)"; content: "Rule: 6100 "; classtype: tcp-connection; program: ossec; sid: 6006100; rev:1;) ## Rule group: syslog_rules.xml:syslog,adduser ## #(Level 2) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 2 - Group (or user) deleted from the system (syslog_rules.xml:syslog,adduser)"; content: "Rule: 5903 "; classtype: not-suspicious; program: ossec; sid: 6005903; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 8 - New group added to the system (syslog_rules.xml:syslog,adduser)"; content: "Rule: 5901 "; classtype: system-event; program: ossec; sid: 6005901; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 8 - Information from the user was changed (syslog_rules.xml:syslog,adduser)"; content: "Rule: 5904 "; classtype: system-event; program: ossec; sid: 6005904; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 8 - New user added to the system (syslog_rules.xml:syslog,adduser)"; content: "Rule: 5902 "; classtype: system-event; program: ossec; sid: 6005902; rev:1;) ## Rule group: nginx_rules.xml:apache ## alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 10 - Invalid URI, file name too long. 
(nginx_rules.xml:apache)"; content: "Rule: 31320 "; classtype: exploit-attempt; program: ossec; sid: 6031320; rev:1;) #(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Initial 401 authentication request. (nginx_rules.xml:apache)"; content: "Rule: 31312 "; classtype: tcp-connection; program: ossec; sid: 6031312; rev:1;) #(Level 3) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 3 - Nginx error message. (nginx_rules.xml:apache)"; content: "Rule: 31301 "; classtype: not-suspicious; program: ossec; sid: 6031301; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 10 - Multiple web authentication failures. (nginx_rules.xml:apache)"; content: "Rule: 31316 "; classtype: exploit-attempt; program: ossec; sid: 6031316; rev:1;) #(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Nginx messages grouped. (nginx_rules.xml:apache)"; content: "Rule: 31300 "; classtype: tcp-connection; program: ossec; sid: 6031300; rev:1;) #(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Incomplete client request. (nginx_rules.xml:apache)"; content: "Rule: 31311 "; classtype: tcp-connection; program: ossec; sid: 6031311; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - Nginx critical message. (nginx_rules.xml:apache)"; content: "Rule: 31303 "; classtype: system-event; program: ossec; sid: 6031303; rev:1;) #(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Server returned 404 (reported in the access.log). (nginx_rules.xml:apache)"; content: "Rule: 31310 "; classtype: tcp-connection; program: ossec; sid: 6031310; rev:1;) #(Level 3) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 3 - Nginx warning message. 
(nginx_rules.xml:apache)"; content: "Rule: 31302 "; classtype: not-suspicious; program: ossec; sid: 6031302; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - Web authentication failed. (nginx_rules.xml:apache)"; content: "Rule: 31315 "; classtype: system-event; program: ossec; sid: 6031315; rev:1;) ## Rule group: postgresql_rules.xml:postgresql_log ## alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 12 - Database shutdown messge. (postgresql_rules.xml:postgresql_log)"; content: "Rule: 50521 "; classtype: exploit-attempt; program: ossec; sid: 6050521; rev:1;) #(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - PostgreSQL informational message. (postgresql_rules.xml:postgresql_log)"; content: "Rule: 50502 "; classtype: tcp-connection; program: ossec; sid: 6050502; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 9 - Database authentication failure. (postgresql_rules.xml:postgresql_log)"; content: "Rule: 50512 "; classtype: system-event; program: ossec; sid: 6050512; rev:1;) #(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - PostgreSQL debug message. (postgresql_rules.xml:postgresql_log)"; content: "Rule: 50505 "; classtype: tcp-connection; program: ossec; sid: 6050505; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 12 - Database shutdown messge. (postgresql_rules.xml:postgresql_log)"; content: "Rule: 50520 "; classtype: exploit-attempt; program: ossec; sid: 6050520; rev:1;) #(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - PostgreSQL log message. (postgresql_rules.xml:postgresql_log)"; content: "Rule: 50501 "; classtype: tcp-connection; program: ossec; sid: 6050501; rev:1;) #(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - PostgreSQL messages grouped. 
(postgresql_rules.xml:postgresql_log)"; content: "Rule: 50500 "; classtype: tcp-connection; program: ossec; sid: 6050500; rev:1;) #(Level 4) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 4 - PostgreSQL error message. (postgresql_rules.xml:postgresql_log)"; content: "Rule: 50503 "; classtype: not-suspicious; program: ossec; sid: 6050503; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 10 - Multiple database errors. (postgresql_rules.xml:postgresql_log)"; content: "Rule: 50581 "; classtype: exploit-attempt; program: ossec; sid: 6050581; rev:1;) #(Level 3) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 3 - Database authentication success. (postgresql_rules.xml:postgresql_log)"; content: "Rule: 50511 "; classtype: not-suspicious; program: ossec; sid: 6050511; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - PostgreSQL error message. (postgresql_rules.xml:postgresql_log)"; content: "Rule: 50504 "; classtype: system-event; program: ossec; sid: 6050504; rev:1;) #(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Database query. (postgresql_rules.xml:postgresql_log)"; content: "Rule: 50510 "; classtype: tcp-connection; program: ossec; sid: 6050510; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 10 - Multiple database errors. (postgresql_rules.xml:postgresql_log)"; content: "Rule: 50580 "; classtype: exploit-attempt; program: ossec; sid: 6050580; rev:1;) ## Rule group: rules_config.xml:windows ## #(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Generic template for all windows rules. (rules_config.xml:windows)"; content: "Rule: 06 "; classtype: tcp-connection; program: ossec; sid: 6000006; rev:1;) ## Rule group: symantec-av_rules.xml:symantec ## #(Level 3) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 3 - Virus scan updated,started or stopped. 
(symantec-av_rules.xml:symantec)"; content: "Rule: 7320 "; classtype: not-suspicious; program: ossec; sid: 6007320; rev:1;) #(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Grouping of Symantec AV rules from eventlog. (symantec-av_rules.xml:symantec)"; content: "Rule: 7301 "; classtype: tcp-connection; program: ossec; sid: 6007301; rev:1;) #(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Grouping of Symantec AV rules. (symantec-av_rules.xml:symantec)"; content: "Rule: 7300 "; classtype: tcp-connection; program: ossec; sid: 6007300; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 9 - Virus detected. (symantec-av_rules.xml:symantec)"; content: "Rule: 7310 "; classtype: system-event; program: ossec; sid: 6007310; rev:1;) ## Rule group: syslog_rules.xml:syslog, su ## alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 9 - User missed the password to change UID to root. (syslog_rules.xml:syslog, su)"; content: "Rule: 5302 "; classtype: system-event; program: ossec; sid: 6005302; rev:1;) #(Level 3) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 3 - User successfully changed UID to root. (syslog_rules.xml:syslog, su)"; content: "Rule: 5303 "; classtype: not-suspicious; program: ossec; sid: 6005303; rev:1;) #(Level 4) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 4 - First time (su) is executed by user. (syslog_rules.xml:syslog, su)"; content: "Rule: 5305 "; classtype: not-suspicious; program: ossec; sid: 6005305; rev:1;) #(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Initial grouping for su messages. (syslog_rules.xml:syslog, su)"; content: "Rule: 5300 "; classtype: tcp-connection; program: ossec; sid: 6005300; rev:1;) #(Level 3) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 3 - User successfully changed UID. 
(syslog_rules.xml:syslog, su)"; content: "Rule: 5304 "; classtype: not-suspicious; program: ossec; sid: 6005304; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - User missed the password to change UID (user id). (syslog_rules.xml:syslog, su)"; content: "Rule: 5301 "; classtype: system-event; program: ossec; sid: 6005301; rev:1;) ## Rule group: syslog_rules.xml:syslog,smartd ## #(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Device configured but not available to Smartd (syslog_rules.xml:syslog,smartd)"; content: "Rule: 2803 "; classtype: tcp-connection; program: ossec; sid: 6002803; rev:1;) #(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Smartd Started but not configured (syslog_rules.xml:syslog,smartd)"; content: "Rule: 2801 "; classtype: tcp-connection; program: ossec; sid: 6002801; rev:1;) #(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Pre-match rule for smartd. 
(syslog_rules.xml:syslog,smartd)"; content: "Rule: 2800 "; classtype: tcp-connection; program: ossec; sid: 6002800; rev:1;) #(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Smartd configuration problem (syslog_rules.xml:syslog,smartd)"; content: "Rule: 2802 "; classtype: tcp-connection; program: ossec; sid: 6002802; rev:1;) ## Rule group: msauth_rules.xml:windows ## alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - Group Account Changed (msauth_rules.xml:windows)"; content: "Rule: 18114 "; classtype: system-event; program: ossec; sid: 6018114; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 8 - Print Operators Group Changed (msauth_rules.xml:windows)"; content: "Rule: 18238 "; classtype: system-event; program: ossec; sid: 6018238; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 10 - Event Log Readers Group Changed (msauth_rules.xml:windows)"; content: "Rule: 18255 "; classtype: exploit-attempt; program: ossec; sid: 6018255; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - Windows Logon Failure. 
(msauth_rules.xml:windows)"; content: "Rule: 18106 "; classtype: system-event; program: ossec; sid: 6018106; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 12 - Enterprise Read-only Domain Controllers Group Changed (msauth_rules.xml:windows)"; content: "Rule: 18250 "; classtype: exploit-attempt; program: ossec; sid: 6018250; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 8 - Windows Authorization Access Group Changed (msauth_rules.xml:windows)"; content: "Rule: 18247 "; classtype: system-event; program: ossec; sid: 6018247; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - Users Group Changed (msauth_rules.xml:windows)"; content: "Rule: 18233 "; classtype: system-event; program: ossec; sid: 6018233; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 8 - Group account added/changed/deleted. (msauth_rules.xml:windows)"; content: "Rule: 18128 "; classtype: system-event; program: ossec; sid: 6018128; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 10 - Denied RODC Password Replication Group Changed (msauth_rules.xml:windows)"; content: "Rule: 18254 "; classtype: exploit-attempt; program: ossec; sid: 6018254; rev:1;) #(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Group of windows rules. (msauth_rules.xml:windows)"; content: "Rule: 18100 "; classtype: tcp-connection; program: ossec; sid: 6018100; rev:1;) #(Level 3) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 3 - Windows User Logoff. 
(msauth_rules.xml:windows)"; content: "Rule: 18149 "; classtype: not-suspicious; program: ossec; sid: 6018149; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 12 - Enterprise Domain Controllers Group Changed (msauth_rules.xml:windows)"; content: "Rule: 18219 "; classtype: exploit-attempt; program: ossec; sid: 6018219; rev:1;) #(Level 3) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 3 - MS SQL Server Logon Success. (msauth_rules.xml:windows)"; content: "Rule: 18181 "; classtype: not-suspicious; program: ossec; sid: 6018181; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 12 - Domain Guests Group Changed (msauth_rules.xml:windows)"; content: "Rule: 18225 "; classtype: exploit-attempt; program: ossec; sid: 6018225; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - Domain Users Group Changed (msauth_rules.xml:windows)"; content: "Rule: 18223 "; classtype: system-event; program: ossec; sid: 6018223; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - Security Enabled Global Group Member Removed (msauth_rules.xml:windows)"; content: "Rule: 18204 "; classtype: system-event; program: ossec; sid: 6018204; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 10 - RAS and IAS Servers Group Changed (msauth_rules.xml:windows)"; content: "Rule: 18232 "; classtype: exploit-attempt; program: ossec; sid: 6018232; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 10 - Incoming Forest Trust Builders Group Changed (msauth_rules.xml:windows)"; content: "Rule: 18244 "; classtype: exploit-attempt; program: ossec; sid: 6018244; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - Windows error event. 
(msauth_rules.xml:windows)"; content: "Rule: 18103 "; classtype: system-event; program: ossec; sid: 6018103; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - Logon Failure - Account's password expired. (msauth_rules.xml:windows)"; content: "Rule: 18136 "; classtype: system-event; program: ossec; sid: 6018136; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 10 - Group Policy Creator Owners Group Changed (msauth_rules.xml:windows)"; content: "Rule: 18231 "; classtype: exploit-attempt; program: ossec; sid: 6018231; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - Security Enabled Global Group Member Added (msauth_rules.xml:windows)"; content: "Rule: 18203 "; classtype: system-event; program: ossec; sid: 6018203; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 7 - Windows DC - Clock skew too great. (msauth_rules.xml:windows)"; content: "Rule: 18172 "; classtype: system-event; program: ossec; sid: 6018172; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 8 - Computer account changed/deleted. (msauth_rules.xml:windows)"; content: "Rule: 18127 "; classtype: system-event; program: ossec; sid: 6018127; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 12 - Administrators Group Changed (msauth_rules.xml:windows)"; content: "Rule: 18217 "; classtype: exploit-attempt; program: ossec; sid: 6018217; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - Security Enabled Local Group Changed (msauth_rules.xml:windows)"; content: "Rule: 18210 "; classtype: system-event; program: ossec; sid: 6018210; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - Application Uninstalled. 
(msauth_rules.xml:windows)"; content: "Rule: 18146 "; classtype: system-event; program: ossec; sid: 6018146; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 8 - General account database changed. (msauth_rules.xml:windows)"; content: "Rule: 18115 "; classtype: system-event; program: ossec; sid: 6018115; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 8 - Distributed COM Users Group Changed (msauth_rules.xml:windows)"; content: "Rule: 18249 "; classtype: system-event; program: ossec; sid: 6018249; rev:1;) #(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Windows audit success event. (msauth_rules.xml:windows)"; content: "Rule: 18104 "; classtype: tcp-connection; program: ossec; sid: 6018104; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - Logon Failure - User not granted logon type. (msauth_rules.xml:windows)"; content: "Rule: 18135 "; classtype: system-event; program: ossec; sid: 6018135; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 8 - User account enabled or created. (msauth_rules.xml:windows)"; content: "Rule: 18110 "; classtype: system-event; program: ossec; sid: 6018110; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 12 - Read-only Domain Controllers Group Changed (msauth_rules.xml:windows)"; content: "Rule: 18251 "; classtype: exploit-attempt; program: ossec; sid: 6018251; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 9 - User account locked out (multiple login errors). 
(msauth_rules.xml:windows)"; content: "Rule: 18116 "; classtype: system-event; program: ossec; sid: 6018116; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 8 - Performance Monitor Users Group Changed (msauth_rules.xml:windows)"; content: "Rule: 18245 "; classtype: system-event; program: ossec; sid: 6018245; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - Remote access login failure. (msauth_rules.xml:windows)"; content: "Rule: 18125 "; classtype: system-event; program: ossec; sid: 6018125; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 10 - Remote Desktop Users Group Changed (msauth_rules.xml:windows)"; content: "Rule: 18242 "; classtype: exploit-attempt; program: ossec; sid: 6018242; rev:1;) #(Level 4) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 4 - Windows audit failure event. (msauth_rules.xml:windows)"; content: "Rule: 18105 "; classtype: not-suspicious; program: ossec; sid: 6018105; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - Windows DC Logon Failure. (msauth_rules.xml:windows)"; content: "Rule: 18139 "; classtype: system-event; program: ossec; sid: 6018139; rev:1;) #(Level 3) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 3 - Windows Logon Success. (msauth_rules.xml:windows)"; content: "Rule: 18107 "; classtype: not-suspicious; program: ossec; sid: 6018107; rev:1;) #(Level 3) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 3 - Service startup type was changed. 
(msauth_rules.xml:windows)"; content: "Rule: 18145 "; classtype: not-suspicious; program: ossec; sid: 6018145; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - Domain Computers Group Changed (msauth_rules.xml:windows)"; content: "Rule: 18226 "; classtype: system-event; program: ossec; sid: 6018226; rev:1;) #(Level 3) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 3 - Remote access login success. (msauth_rules.xml:windows)"; content: "Rule: 18126 "; classtype: not-suspicious; program: ossec; sid: 6018126; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 8 - Pre-Windows 2000 Compatible Access Group Changed (msauth_rules.xml:windows)"; content: "Rule: 18241 "; classtype: system-event; program: ossec; sid: 6018241; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 7 - Logon Failure - Account locked out. (msauth_rules.xml:windows)"; content: "Rule: 18138 "; classtype: system-event; program: ossec; sid: 6018138; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 10 - Network Configuration Operators Group Changed (msauth_rules.xml:windows)"; content: "Rule: 18243 "; classtype: exploit-attempt; program: ossec; sid: 6018243; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 10 - Replicators Group Changed (msauth_rules.xml:windows)"; content: "Rule: 18240 "; classtype: exploit-attempt; program: ossec; sid: 6018240; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 7 - Logon Failure - User not allowed to login at this computer. 
(msauth_rules.xml:windows)"; content: "Rule: 18134 "; classtype: system-event; program: ossec; sid: 6018134; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 10 - Power Users Group Changed (msauth_rules.xml:windows)"; content: "Rule: 18235 "; classtype: exploit-attempt; program: ossec; sid: 6018235; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 12 - Domain Admins Group Changed (msauth_rules.xml:windows)"; content: "Rule: 18222 "; classtype: exploit-attempt; program: ossec; sid: 6018222; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 8 - Windows file system full. (msauth_rules.xml:windows)"; content: "Rule: 18129 "; classtype: system-event; program: ossec; sid: 6018129; rev:1;) #(Level 3) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 3 - First time this user logged in this system. (msauth_rules.xml:windows)"; content: "Rule: 18119 "; classtype: not-suspicious; program: ossec; sid: 6018119; rev:1;) #(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Windows warning event. (msauth_rules.xml:windows)"; content: "Rule: 18102 "; classtype: tcp-connection; program: ossec; sid: 6018102; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 12 - Backup Operators Group Changed (msauth_rules.xml:windows)"; content: "Rule: 18239 "; classtype: exploit-attempt; program: ossec; sid: 6018239; rev:1;) #(Level 3) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 3 - Windows is starting up. (msauth_rules.xml:windows)"; content: "Rule: 18148 "; classtype: not-suspicious; program: ossec; sid: 6018148; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 7 - Windows is shutting down. 
(msauth_rules.xml:windows)"; content: "Rule: 18117 "; classtype: system-event; program: ossec; sid: 6018117; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 10 - Windows DC - Possible replay attack. (msauth_rules.xml:windows)"; content: "Rule: 18171 "; classtype: exploit-attempt; program: ossec; sid: 6018171; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - Terminal Server Users Group Changed (msauth_rules.xml:windows)"; content: "Rule: 18221 "; classtype: system-event; program: ossec; sid: 6018221; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - Security Enabled Local Group Created (msauth_rules.xml:windows)"; content: "Rule: 18206 "; classtype: system-event; program: ossec; sid: 6018206; rev:1;) #(Level 4) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 4 - Failed attempt to perform a privileged operation. (msauth_rules.xml:windows)"; content: "Rule: 18108 "; classtype: not-suspicious; program: ossec; sid: 6018108; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 10 - Multiple Windows audit failure events. (msauth_rules.xml:windows)"; content: "Rule: 18153 "; classtype: exploit-attempt; program: ossec; sid: 6018153; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 8 - Security enabled group deleted. 
(msauth_rules.xml:windows)"; content: "Rule: 18144 "; classtype: system-event; program: ossec; sid: 6018144; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 12 - Cryptographic Operators Group Changed (msauth_rules.xml:windows)"; content: "Rule: 18252 "; classtype: exploit-attempt; program: ossec; sid: 6018252; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 8 - Terminal Server License Servers Group Changed (msauth_rules.xml:windows)"; content: "Rule: 18248 "; classtype: system-event; program: ossec; sid: 6018248; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - User account unlocked. (msauth_rules.xml:windows)"; content: "Rule: 18142 "; classtype: system-event; program: ossec; sid: 6018142; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 12 - Schema Admins Group Changed (msauth_rules.xml:windows)"; content: "Rule: 18229 "; classtype: exploit-attempt; program: ossec; sid: 6018229; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 8 - Windows Audit Policy changed. (msauth_rules.xml:windows)"; content: "Rule: 18113 "; classtype: system-event; program: ossec; sid: 6018113; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - Security Enabled Universal Group Deleted (msauth_rules.xml:windows)"; content: "Rule: 18216 "; classtype: system-event; program: ossec; sid: 6018216; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - MS SQL Server Logon Failure. 
(msauth_rules.xml:windows)"; content: "Rule: 18180 "; classtype: system-event; program: ossec; sid: 6018180; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - Group Account Deleted (msauth_rules.xml:windows)"; content: "Rule: 18201 "; classtype: system-event; program: ossec; sid: 6018201; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 10 - Multiple Windows Logon Failures. (msauth_rules.xml:windows)"; content: "Rule: 18152 "; classtype: exploit-attempt; program: ossec; sid: 6018152; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 9 - Windows audit log was cleared. (msauth_rules.xml:windows)"; content: "Rule: 18118 "; classtype: system-event; program: ossec; sid: 6018118; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 12 - Guests Group Changed (msauth_rules.xml:windows)"; content: "Rule: 18234 "; classtype: exploit-attempt; program: ossec; sid: 6018234; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - Logon Failure - Specified account expired. (msauth_rules.xml:windows)"; content: "Rule: 18133 "; classtype: system-event; program: ossec; sid: 6018133; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - Security Enabled Global Group Changed (msauth_rules.xml:windows)"; content: "Rule: 18211 "; classtype: system-event; program: ossec; sid: 6018211; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 8 - User account disabled or deleted. 
(msauth_rules.xml:windows)"; content: "Rule: 18112 "; classtype: system-event; program: ossec; sid: 6018112; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - Authenticated Users Group Changed (msauth_rules.xml:windows)"; content: "Rule: 18220 "; classtype: system-event; program: ossec; sid: 6018220; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 10 - Certificate Service DCOM Access Group Changed (msauth_rules.xml:windows)"; content: "Rule: 18256 "; classtype: exploit-attempt; program: ossec; sid: 6018256; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 10 - Allowed RODC Password Replication Group Changed (msauth_rules.xml:windows)"; content: "Rule: 18253 "; classtype: exploit-attempt; program: ossec; sid: 6018253; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 8 - User account changed. (msauth_rules.xml:windows)"; content: "Rule: 18111 "; classtype: system-event; program: ossec; sid: 6018111; rev:1;) #(Level 3) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 3 - Session reconnected/disconnected to winstation. (msauth_rules.xml:windows)"; content: "Rule: 18109 "; classtype: not-suspicious; program: ossec; sid: 6018109; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - Security Enabled Local Group Member Removed (msauth_rules.xml:windows)"; content: "Rule: 18208 "; classtype: system-event; program: ossec; sid: 6018208; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 10 - Multiple failed attempts to perform a privileged operation by the same user. (msauth_rules.xml:windows)"; content: "Rule: 18151 "; classtype: exploit-attempt; program: ossec; sid: 6018151; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 7 - System time changed. 
(msauth_rules.xml:windows)"; content: "Rule: 18140 "; classtype: system-event; program: ossec; sid: 6018140; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - Security Enabled Universal Group Member Removed (msauth_rules.xml:windows)"; content: "Rule: 18215 "; classtype: system-event; program: ossec; sid: 6018215; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 10 - Multiple Windows error events. (msauth_rules.xml:windows)"; content: "Rule: 18154 "; classtype: exploit-attempt; program: ossec; sid: 6018154; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 12 - Domain Controllers Group Changed (msauth_rules.xml:windows)"; content: "Rule: 18227 "; classtype: exploit-attempt; program: ossec; sid: 6018227; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - Security Enabled Universal Group Created (msauth_rules.xml:windows)"; content: "Rule: 18212 "; classtype: system-event; program: ossec; sid: 6018212; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - Security Enabled Local Group Member Added (msauth_rules.xml:windows)"; content: "Rule: 18207 "; classtype: system-event; program: ossec; sid: 6018207; rev:1;) #(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Windows informational event. (msauth_rules.xml:windows)"; content: "Rule: 18101 "; classtype: tcp-connection; program: ossec; sid: 6018101; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - Logon Failure - Internal error. 
(msauth_rules.xml:windows)"; content: "Rule: 18137 "; classtype: system-event; program: ossec; sid: 6018137; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 8 - Performance Log Users Group Changed (msauth_rules.xml:windows)"; content: "Rule: 18246 "; classtype: system-event; program: ossec; sid: 6018246; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 10 - Multiple Windows warning events. (msauth_rules.xml:windows)"; content: "Rule: 18155 "; classtype: exploit-attempt; program: ossec; sid: 6018155; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - Group Account Created (msauth_rules.xml:windows)"; content: "Rule: 18200 "; classtype: system-event; program: ossec; sid: 6018200; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - Security Enabled Local Group Deleted (msauth_rules.xml:windows)"; content: "Rule: 18209 "; classtype: system-event; program: ossec; sid: 6018209; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 10 - Windows DC integrity check on decrypted field failed. (msauth_rules.xml:windows)"; content: "Rule: 18170 "; classtype: exploit-attempt; program: ossec; sid: 6018170; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - Logon Failure - Account currently disabled. 
(msauth_rules.xml:windows)"; content: "Rule: 18132 "; classtype: system-event; program: ossec; sid: 6018132; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 12 - Enterprise Admins Group Changed (msauth_rules.xml:windows)"; content: "Rule: 18230 "; classtype: exploit-attempt; program: ossec; sid: 6018230; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 10 - Account Operators Group Changed (msauth_rules.xml:windows)"; content: "Rule: 18236 "; classtype: exploit-attempt; program: ossec; sid: 6018236; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 8 - Security enabled group created. (msauth_rules.xml:windows)"; content: "Rule: 18143 "; classtype: system-event; program: ossec; sid: 6018143; rev:1;) #(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Windows login attempt (ignored). Duplicated. (msauth_rules.xml:windows)"; content: "Rule: 18120 "; classtype: tcp-connection; program: ossec; sid: 6018120; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - Everyone Group Changed (msauth_rules.xml:windows)"; content: "Rule: 18218 "; classtype: system-event; program: ossec; sid: 6018218; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - Application Installed. (msauth_rules.xml:windows)"; content: "Rule: 18147 "; classtype: system-event; program: ossec; sid: 6018147; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - Logon Failure - Account logon time restriction violation. 
(msauth_rules.xml:windows)"; content: "Rule: 18131 "; classtype: system-event; program: ossec; sid: 6018131; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - Security Enabled Global Group Created (msauth_rules.xml:windows)"; content: "Rule: 18202 "; classtype: system-event; program: ossec; sid: 6018202; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - Security Enabled Global Group Deleted (msauth_rules.xml:windows)"; content: "Rule: 18205 "; classtype: system-event; program: ossec; sid: 6018205; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - Security Enabled Universal Group Member Added (msauth_rules.xml:windows)"; content: "Rule: 18214 "; classtype: system-event; program: ossec; sid: 6018214; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 10 - Multiple remote access login failures. (msauth_rules.xml:windows)"; content: "Rule: 18156 "; classtype: exploit-attempt; program: ossec; sid: 6018156; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 10 - Cert Publishers Group Changed (msauth_rules.xml:windows)"; content: "Rule: 18228 "; classtype: exploit-attempt; program: ossec; sid: 6018228; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 7 - Unexpected Windows shutdown. (msauth_rules.xml:windows)"; content: "Rule: 18141 "; classtype: system-event; program: ossec; sid: 6018141; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 10 - Server Operators Group Changed (msauth_rules.xml:windows)"; content: "Rule: 18237 "; classtype: exploit-attempt; program: ossec; sid: 6018237; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - Logon Failure - Unknown user or bad password. 
(msauth_rules.xml:windows)"; content: "Rule: 18130 "; classtype: system-event; program: ossec; sid: 6018130; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - Security Enabled Universal Group Changed (msauth_rules.xml:windows)"; content: "Rule: 18213 "; classtype: system-event; program: ossec; sid: 6018213; rev:1;) #(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Local User Group NONE (msauth_rules.xml:windows)"; content: "Rule: 18224 "; classtype: tcp-connection; program: ossec; sid: 6018224; rev:1;) #(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Windows Logon Success (ignored). (msauth_rules.xml:windows)"; content: "Rule: 18121 "; classtype: tcp-connection; program: ossec; sid: 6018121; rev:1;) ## Rule group: rules_config.xml:ids ## #(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Generic template for all ids rules. (rules_config.xml:ids)"; content: "Rule: 03 "; classtype: tcp-connection; program: ossec; sid: 6000003; rev:1;) ## Rule group: vpn_concentrator_rules.xml:syslog,cisco_vpn ## #(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Grouping of Cisco VPN concentrator rules (vpn_concentrator_rules.xml:syslog,cisco_vpn)"; content: "Rule: 14200 "; classtype: tcp-connection; program: ossec; sid: 6014200; rev:1;) #(Level 4) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 4 - VPN Admin authentication successful. (vpn_concentrator_rules.xml:syslog,cisco_vpn)"; content: "Rule: 14203 "; classtype: not-suspicious; program: ossec; sid: 6014203; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 10 - Multiple VPN authentication failures. 
(vpn_concentrator_rules.xml:syslog,cisco_vpn)"; content: "Rule: 14251 "; classtype: exploit-attempt; program: ossec; sid: 6014251; rev:1;) #(Level 3) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 3 - VPN authentication successful. (vpn_concentrator_rules.xml:syslog,cisco_vpn)"; content: "Rule: 14201 "; classtype: not-suspicious; program: ossec; sid: 6014201; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - VPN authentication failed. (vpn_concentrator_rules.xml:syslog,cisco_vpn)"; content: "Rule: 14202 "; classtype: system-event; program: ossec; sid: 6014202; rev:1;) ## Rule group: spamd_rules.xml:syslog,spamd ## #(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Spamd debug event (reading message). (spamd_rules.xml:syslog,spamd)"; content: "Rule: 3502 "; classtype: tcp-connection; program: ossec; sid: 6003502; rev:1;) #(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - SPAMD result message (not very useful here). (spamd_rules.xml:syslog,spamd)"; content: "Rule: 3501 "; classtype: tcp-connection; program: ossec; sid: 6003501; rev:1;) #(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Grouping for the spamd rules (spamd_rules.xml:syslog,spamd)"; content: "Rule: 3500 "; classtype: tcp-connection; program: ossec; sid: 6003500; rev:1;) ## Rule group: proftpd_rules.xml:syslog,proftpd ## alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - Connection refused by TCP Wrappers. (proftpd_rules.xml:syslog,proftpd)"; content: "Rule: 11207 "; classtype: system-event; program: ossec; sid: 6011207; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 10 - Multiple connection attempts from same source. 
(proftpd_rules.xml:syslog,proftpd)"; content: "Rule: 11252 "; classtype: exploit-attempt; program: ossec; sid: 6011252; rev:1;) #(Level 4) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 4 - Unable to bind to address. (proftpd_rules.xml:syslog,proftpd)"; content: "Rule: 11220 "; classtype: not-suspicious; program: ossec; sid: 6011220; rev:1;) #(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - FTP session closed. (proftpd_rules.xml:syslog,proftpd)"; content: "Rule: 11202 "; classtype: tcp-connection; program: ossec; sid: 6011202; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 10 - Multiple timed out logins from same source. (proftpd_rules.xml:syslog,proftpd)"; content: "Rule: 11253 "; classtype: exploit-attempt; program: ossec; sid: 6011253; rev:1;) #(Level 3) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 3 - Remote host connected to FTP server. (proftpd_rules.xml:syslog,proftpd)"; content: "Rule: 11213 "; classtype: not-suspicious; program: ossec; sid: 6011213; rev:1;) #(Level 4) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 4 - Mismatch in server's hostname. (proftpd_rules.xml:syslog,proftpd)"; content: "Rule: 11211 "; classtype: not-suspicious; program: ossec; sid: 6011211; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 12 - FTP process crashed. (proftpd_rules.xml:syslog,proftpd)"; content: "Rule: 11218 "; classtype: exploit-attempt; program: ossec; sid: 6011218; rev:1;) #(Level 3) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 3 - Data transfer stalled. (proftpd_rules.xml:syslog,proftpd)"; content: "Rule: 11217 "; classtype: not-suspicious; program: ossec; sid: 6011217; rev:1;) #(Level 3) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 3 - Remote host disconnected due to inactivity. 
(proftpd_rules.xml:syslog,proftpd)"; content: "Rule: 11214 "; classtype: not-suspicious; program: ossec; sid: 6011214; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 14 - Attempt to bypass firewall that can't adequately keep state of FTP traffic. (proftpd_rules.xml:syslog,proftpd)"; content: "Rule: 11209 "; classtype: exploit-attempt; program: ossec; sid: 6011209; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - Reverse lookup error (bad ISP config). (proftpd_rules.xml:syslog,proftpd)"; content: "Rule: 11212 "; classtype: system-event; program: ossec; sid: 6011212; rev:1;) #(Level 4) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 4 - Small PassivePorts range in config file. Server misconfiguration. (proftpd_rules.xml:syslog,proftpd)"; content: "Rule: 11208 "; classtype: not-suspicious; program: ossec; sid: 6011208; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 10 - Multiple failed login attempts. (proftpd_rules.xml:syslog,proftpd)"; content: "Rule: 11210 "; classtype: exploit-attempt; program: ossec; sid: 6011210; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 12 - FTP server Buffer overflow attempt. (proftpd_rules.xml:syslog,proftpd)"; content: "Rule: 11219 "; classtype: exploit-attempt; program: ossec; sid: 6011219; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - Connection denied by ProFTPD configuration. (proftpd_rules.xml:syslog,proftpd)"; content: "Rule: 11206 "; classtype: system-event; program: ossec; sid: 6011206; rev:1;) #(Level 3) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 3 - FTP session opened. (proftpd_rules.xml:syslog,proftpd)"; content: "Rule: 11201 "; classtype: not-suspicious; program: ossec; sid: 6011201; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - Attempt to login using a non-existent user. 
(proftpd_rules.xml:syslog,proftpd)"; content: "Rule: 11203 "; classtype: system-event; program: ossec; sid: 6011203; rev:1;) #(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - IPv6 error and mod-delay info (ignored). (proftpd_rules.xml:syslog,proftpd)"; content: "Rule: 11221 "; classtype: tcp-connection; program: ossec; sid: 6011221; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 10 - FTP brute force (multiple failed logins). (proftpd_rules.xml:syslog,proftpd)"; content: "Rule: 11251 "; classtype: exploit-attempt; program: ossec; sid: 6011251; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - Login failed accessing the FTP server (proftpd_rules.xml:syslog,proftpd)"; content: "Rule: 11204 "; classtype: system-event; program: ossec; sid: 6011204; rev:1;) #(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Grouping for the proftpd rules. (proftpd_rules.xml:syslog,proftpd)"; content: "Rule: 11200 "; classtype: tcp-connection; program: ossec; sid: 6011200; rev:1;) #(Level 3) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 3 - FTP Authentication success. (proftpd_rules.xml:syslog,proftpd)"; content: "Rule: 11205 "; classtype: not-suspicious; program: ossec; sid: 6011205; rev:1;) #(Level 3) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 3 - Remote host disconnected due to login time out. (proftpd_rules.xml:syslog,proftpd)"; content: "Rule: 11215 "; classtype: not-suspicious; program: ossec; sid: 6011215; rev:1;) #(Level 3) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 3 - Remote host disconnected due to time out. 
(proftpd_rules.xml:syslog,proftpd)"; content: "Rule: 11216 "; classtype: not-suspicious; program: ossec; sid: 6011216; rev:1;) ## Rule group: courier_rules.xml:syslog,courier ## alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 10 - Courier brute force (multiple failed logins). (courier_rules.xml:syslog,courier)"; content: "Rule: 3910 "; classtype: exploit-attempt; program: ossec; sid: 6003910; rev:1;) #(Level 3) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 3 - Courier (imap/pop3) authentication success. (courier_rules.xml:syslog,courier)"; content: "Rule: 3904 "; classtype: not-suspicious; program: ossec; sid: 6003904; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - Courier (imap/pop3) authentication failed. (courier_rules.xml:syslog,courier)"; content: "Rule: 3902 "; classtype: system-event; program: ossec; sid: 6003902; rev:1;) #(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Courier logout/timeout. (courier_rules.xml:syslog,courier)"; content: "Rule: 3903 "; classtype: tcp-connection; program: ossec; sid: 6003903; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 10 - Multiple connection attempts from same source. (courier_rules.xml:syslog,courier)"; content: "Rule: 3911 "; classtype: exploit-attempt; program: ossec; sid: 6003911; rev:1;) #(Level 3) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 3 - New courier (imap/pop3) connection. (courier_rules.xml:syslog,courier)"; content: "Rule: 3901 "; classtype: not-suspicious; program: ossec; sid: 6003901; rev:1;) #(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Grouping for the courier rules. 
(courier_rules.xml:syslog,courier)"; content: "Rule: 3900 "; classtype: tcp-connection; program: ossec; sid: 6003900; rev:1;) ## Rule group: mysql_rules.xml:mysql_log ## alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 9 - Database authentication failure. (mysql_rules.xml:mysql_log)"; content: "Rule: 50106 "; classtype: system-event; program: ossec; sid: 6050106; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - Database error. (mysql_rules.xml:mysql_log)"; content: "Rule: 50125 "; classtype: system-event; program: ossec; sid: 6050125; rev:1;) #(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Database query. (mysql_rules.xml:mysql_log)"; content: "Rule: 50107 "; classtype: tcp-connection; program: ossec; sid: 6050107; rev:1;) #(Level 3) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 3 - Database startup message. (mysql_rules.xml:mysql_log)"; content: "Rule: 50121 "; classtype: not-suspicious; program: ossec; sid: 6050121; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 10 - Multiple database errors. (mysql_rules.xml:mysql_log)"; content: "Rule: 50180 "; classtype: exploit-attempt; program: ossec; sid: 6050180; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 12 - Database fatal error. (mysql_rules.xml:mysql_log)"; content: "Rule: 50126 "; classtype: exploit-attempt; program: ossec; sid: 6050126; rev:1;) #(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - MySQL messages grouped. (mysql_rules.xml:mysql_log)"; content: "Rule: 50100 "; classtype: tcp-connection; program: ossec; sid: 6050100; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 12 - Database shutdown message. 
(mysql_rules.xml:mysql_log)"; content: "Rule: 50120 "; classtype: exploit-attempt; program: ossec; sid: 6050120; rev:1;) #(Level 3) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 3 - Database authentication success. (mysql_rules.xml:mysql_log)"; content: "Rule: 50105 "; classtype: not-suspicious; program: ossec; sid: 6050105; rev:1;) #(Level 3) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 3 - User disconnected from database. (mysql_rules.xml:mysql_log)"; content: "Rule: 50108 "; classtype: not-suspicious; program: ossec; sid: 6050108; rev:1;) ## Rule group: ossec_rules.xml:ossec ## #(Level 3) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 3 - System Audit event. (ossec_rules.xml:ossec)"; content: "Rule: 516 "; classtype: not-suspicious; program: ossec; sid: 6000516; rev:1;) #(Level 3) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 3 - Ossec agent started. (ossec_rules.xml:ossec)"; content: "Rule: 503 "; classtype: not-suspicious; program: ossec; sid: 6000503; rev:1;) #(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - File added to the system. (ossec_rules.xml:ossec)"; content: "Rule: 554 "; classtype: tcp-connection; program: ossec; sid: 6000554; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 9 - Microsoft Event log cleared. (ossec_rules.xml:ossec)"; content: "Rule: 593 "; classtype: system-event; program: ossec; sid: 6000593; rev:1;) #(Level 3) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 3 - Ossec server started. (ossec_rules.xml:ossec)"; content: "Rule: 502 "; classtype: not-suspicious; program: ossec; sid: 6000502; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 7 - Integrity checksum changed again (3rd time). 
(ossec_rules.xml:ossec)"; content: "Rule: 552 "; classtype: system-event; program: ossec; sid: 6000552; rev:1;) #(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Ignored common NTFS ADS entries. (ossec_rules.xml:ossec)"; content: "Rule: 511 "; classtype: tcp-connection; program: ossec; sid: 6000511; rev:1;) #(Level 2) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 2 - Windows application monitor event. (ossec_rules.xml:ossec)"; content: "Rule: 514 "; classtype: not-suspicious; program: ossec; sid: 6000514; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 8 - Host information changed. (ossec_rules.xml:ossec)"; content: "Rule: 580 "; classtype: system-event; program: ossec; sid: 6000580; rev:1;) #(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Ignoring external medias. (ossec_rules.xml:ossec)"; content: "Rule: 532 "; classtype: tcp-connection; program: ossec; sid: 6000532; rev:1;) #(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Grouping of ossec rules. (ossec_rules.xml:ossec)"; content: "Rule: 500 "; classtype: tcp-connection; program: ossec; sid: 6000500; rev:1;) #(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Ignoring rootcheck/syscheck scan messages. (ossec_rules.xml:ossec)"; content: "Rule: 515 "; classtype: tcp-connection; program: ossec; sid: 6000515; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 9 - Windows malware detected. (ossec_rules.xml:ossec)"; content: "Rule: 513 "; classtype: system-event; program: ossec; sid: 6000513; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 8 - Log file size reduced. (ossec_rules.xml:ossec)"; content: "Rule: 592 "; classtype: system-event; program: ossec; sid: 6000592; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 7 - File deleted. 
Unable to retrieve checksum. (ossec_rules.xml:ossec)"; content: "Rule: 553 "; classtype: system-event; program: ossec; sid: 6000553; rev:1;) #(Level 3) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 3 - Windows Audit event. (ossec_rules.xml:ossec)"; content: "Rule: 512 "; classtype: not-suspicious; program: ossec; sid: 6000512; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 9 - Windows Adware/Spyware application found. (ossec_rules.xml:ossec)"; content: "Rule: 518 "; classtype: system-event; program: ossec; sid: 6000518; rev:1;) #(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Rootcheck event. (ossec_rules.xml:ossec)"; content: "Rule: 509 "; classtype: tcp-connection; program: ossec; sid: 6000509; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 7 - Integrity checksum for agentless device changed. (ossec_rules.xml:ossec)"; content: "Rule: 555 "; classtype: system-event; program: ossec; sid: 6000555; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 7 - Partition usage reached 100% (disk space monitor). (ossec_rules.xml:ossec)"; content: "Rule: 531 "; classtype: system-event; program: ossec; sid: 6000531; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 8 - Host information added. (ossec_rules.xml:ossec)"; content: "Rule: 581 "; classtype: system-event; program: ossec; sid: 6000581; rev:1;) #(Level 3) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 3 - Log file rotated. (ossec_rules.xml:ossec)"; content: "Rule: 591 "; classtype: not-suspicious; program: ossec; sid: 6000591; rev:1;) #(Level 3) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 3 - New ossec agent connected. 
(ossec_rules.xml:ossec)"; content: "Rule: 501 "; classtype: not-suspicious; program: ossec; sid: 6000501; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 7 - Host-based anomaly detection event (rootcheck). (ossec_rules.xml:ossec)"; content: "Rule: 510 "; classtype: system-event; program: ossec; sid: 6000510; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 7 - Integrity checksum changed again (2nd time). (ossec_rules.xml:ossec)"; content: "Rule: 551 "; classtype: system-event; program: ossec; sid: 6000551; rev:1;) #(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - OSSEC process monitoring rules. (ossec_rules.xml:ossec)"; content: "Rule: 530 "; classtype: tcp-connection; program: ossec; sid: 6000530; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 7 - Integrity checksum changed. (ossec_rules.xml:ossec)"; content: "Rule: 550 "; classtype: system-event; program: ossec; sid: 6000550; rev:1;) #(Level 3) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 3 - Ossec agent disconnected. (ossec_rules.xml:ossec)"; content: "Rule: 504 "; classtype: not-suspicious; program: ossec; sid: 6000504; rev:1;) ## Rule group: racoon_rules.xml:syslog,racoon ## #(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Roadwarrior configuration (ignored error). (racoon_rules.xml:syslog,racoon)"; content: "Rule: 14121 "; classtype: tcp-connection; program: ossec; sid: 6014121; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - VPN authentication failed. (racoon_rules.xml:syslog,racoon)"; content: "Rule: 14101 "; classtype: system-event; program: ossec; sid: 6014101; rev:1;) #(Level 4) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 4 - Racoon error message. 
(racoon_rules.xml:syslog,racoon)"; content: "Rule: 14111 "; classtype: not-suspicious; program: ossec; sid: 6014111; rev:1;) #(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Racoon informational message. (racoon_rules.xml:syslog,racoon)"; content: "Rule: 14110 "; classtype: tcp-connection; program: ossec; sid: 6014110; rev:1;) #(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Grouping of racoon rules. (racoon_rules.xml:syslog,racoon)"; content: "Rule: 14100 "; classtype: tcp-connection; program: ossec; sid: 6014100; rev:1;) #(Level 4) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 4 - Racoon warning message. (racoon_rules.xml:syslog,racoon)"; content: "Rule: 14112 "; classtype: not-suspicious; program: ossec; sid: 6014112; rev:1;) #(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Invalid configuration settings (ignored error). (racoon_rules.xml:syslog,racoon)"; content: "Rule: 14123 "; classtype: tcp-connection; program: ossec; sid: 6014123; rev:1;) #(Level 3) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 3 - VPN established. (racoon_rules.xml:syslog,racoon)"; content: "Rule: 14120 "; classtype: not-suspicious; program: ossec; sid: 6014120; rev:1;) #(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Roadwarrior configuration (ignored warning). (racoon_rules.xml:syslog,racoon)"; content: "Rule: 14122 "; classtype: tcp-connection; program: ossec; sid: 6014122; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 9 - Multiple failed VPN logins. (racoon_rules.xml:syslog,racoon)"; content: "Rule: 14151 "; classtype: system-event; program: ossec; sid: 6014151; rev:1;) ## Rule group: arpwatch_rules.xml:syslog,arpwatch ## #(Level 3) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 3 - Arpwatch exiting. 
(arpwatch_rules.xml:syslog,arpwatch)"; content: "Rule: 7203 "; classtype: not-suspicious; program: ossec; sid: 6007203; rev:1;) #(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Grouping of the arpwatch rules. (arpwatch_rules.xml:syslog,arpwatch)"; content: "Rule: 7200 "; classtype: tcp-connection; program: ossec; sid: 6007200; rev:1;) #(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Arpwatch detected bad address len (ignored). (arpwatch_rules.xml:syslog,arpwatch)"; content: "Rule: 7206 "; classtype: tcp-connection; program: ossec; sid: 6007206; rev:1;) #(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Arpwatch startup/exiting messages. (arpwatch_rules.xml:syslog,arpwatch)"; content: "Rule: 7205 "; classtype: tcp-connection; program: ossec; sid: 6007205; rev:1;) #(Level 4) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 4 - Arpwatch new host detected. (arpwatch_rules.xml:syslog,arpwatch)"; content: "Rule: 7201 "; classtype: not-suspicious; program: ossec; sid: 6007201; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 9 - Changed network interface for ip address. (arpwatch_rules.xml:syslog,arpwatch)"; content: "Rule: 7204 "; classtype: system-event; program: ossec; sid: 6007204; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 9 - Arpwatch "flip flop" message. IP address/MAC relation changing too often. 
(arpwatch_rules.xml:syslog,arpwatch)"; content: "Rule: 7202 "; classtype: system-event; program: ossec; sid: 6007202; rev:1;) ## Rule group: ftpd_rules.xml:syslog,ftpd ## #(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - File created via FTP (ftpd_rules.xml:syslog,ftpd)"; content: "Rule: 11102 "; classtype: tcp-connection; program: ossec; sid: 6011102; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 9 - Attempt to login with disabled account. (ftpd_rules.xml:syslog,ftpd)"; content: "Rule: 11111 "; classtype: system-event; program: ossec; sid: 6011111; rev:1;) #(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - User uploaded a file to server. (ftpd_rules.xml:syslog,ftpd)"; content: "Rule: 11104 "; classtype: tcp-connection; program: ossec; sid: 6011104; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - FTP authentication failure. (ftpd_rules.xml:syslog,ftpd)"; content: "Rule: 11113 "; classtype: system-event; program: ossec; sid: 6011113; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - Reverse lookup error (bad ISP config). (ftpd_rules.xml:syslog,ftpd)"; content: "Rule: 11108 "; classtype: system-event; program: ossec; sid: 6011108; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - Connection blocked by Tcp Wrappers. (ftpd_rules.xml:syslog,ftpd)"; content: "Rule: 11107 "; classtype: system-event; program: ossec; sid: 6011107; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - FTP connection refused. (ftpd_rules.xml:syslog,ftpd)"; content: "Rule: 11101 "; classtype: system-event; program: ossec; sid: 6011101; rev:1;) #(Level 3) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 3 - Remote host connected to FTP server. 
(ftpd_rules.xml:syslog,ftpd)"; content: "Rule: 11106 "; classtype: not-suspicious; program: ossec; sid: 6011106; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 10 - Multiple FTP failed login attempts. (ftpd_rules.xml:syslog,ftpd)"; content: "Rule: 11109 "; classtype: exploit-attempt; program: ossec; sid: 6011109; rev:1;) #(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Grouping for the ftpd rules. (ftpd_rules.xml:syslog,ftpd)"; content: "Rule: 11100 "; classtype: tcp-connection; program: ossec; sid: 6011100; rev:1;) #(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - User downloaded a file to server. (ftpd_rules.xml:syslog,ftpd)"; content: "Rule: 11105 "; classtype: tcp-connection; program: ossec; sid: 6011105; rev:1;) #(Level 3) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 3 - User disconnected due to time out. (ftpd_rules.xml:syslog,ftpd)"; content: "Rule: 11110 "; classtype: not-suspicious; program: ossec; sid: 6011110; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - FTP authentication failure. (ftpd_rules.xml:syslog,ftpd)"; content: "Rule: 11112 "; classtype: system-event; program: ossec; sid: 6011112; rev:1;) #(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - File deleted via FTP (ftpd_rules.xml:syslog,ftpd)"; content: "Rule: 11103 "; classtype: tcp-connection; program: ossec; sid: 6011103; rev:1;) ## Rule group: cisco-ios_rules.xml:syslog,cisco_ios ## #(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Cisco IOS debug message. (cisco-ios_rules.xml:syslog,cisco_ios)"; content: "Rule: 4717 "; classtype: tcp-connection; program: ossec; sid: 6004717; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - Cisco IOS critical message. 
(cisco-ios_rules.xml:syslog,cisco_ios)"; content: "Rule: 4712 "; classtype: system-event; program: ossec; sid: 6004712; rev:1;) #(Level 3) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 3 - Cisco IOS router configuration changed. (cisco-ios_rules.xml:syslog,cisco_ios)"; content: "Rule: 4721 "; classtype: not-suspicious; program: ossec; sid: 6004721; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 9 - Cisco IOS emergency message. (cisco-ios_rules.xml:syslog,cisco_ios)"; content: "Rule: 4710 "; classtype: system-event; program: ossec; sid: 6004710; rev:1;) #(Level 4) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 4 - Cisco IOS warning message. (cisco-ios_rules.xml:syslog,cisco_ios)"; content: "Rule: 4714 "; classtype: not-suspicious; program: ossec; sid: 6004714; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - Cisco IOS alert message. (cisco-ios_rules.xml:syslog,cisco_ios)"; content: "Rule: 4711 "; classtype: system-event; program: ossec; sid: 6004711; rev:1;) #(Level 3) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 3 - Successful login to the router. (cisco-ios_rules.xml:syslog,cisco_ios)"; content: "Rule: 4722 "; classtype: not-suspicious; program: ossec; sid: 6004722; rev:1;) #(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Cisco IOS notification message. (cisco-ios_rules.xml:syslog,cisco_ios)"; content: "Rule: 4715 "; classtype: tcp-connection; program: ossec; sid: 6004715; rev:1;) #(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Grouping of Cisco IOS rules. (cisco-ios_rules.xml:syslog,cisco_ios)"; content: "Rule: 4700 "; classtype: tcp-connection; program: ossec; sid: 6004700; rev:1;) #(Level 4) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 4 - Cisco IOS error message. 
(cisco-ios_rules.xml:syslog,cisco_ios)"; content: "Rule: 4713 "; classtype: not-suspicious; program: ossec; sid: 6004713; rev:1;) #(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Cisco IOS informational message. (cisco-ios_rules.xml:syslog,cisco_ios)"; content: "Rule: 4716 "; classtype: tcp-connection; program: ossec; sid: 6004716; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 9 - Failed login to the router. (cisco-ios_rules.xml:syslog,cisco_ios)"; content: "Rule: 4724 "; classtype: system-event; program: ossec; sid: 6004724; rev:1;) ## Rule group: asterisk_rules.xml:syslog,asterisk ## alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 10 - Extension enumeration. (asterisk_rules.xml:syslog,asterisk)"; content: "Rule: 6252 "; classtype: exploit-attempt; program: ossec; sid: 6006252; rev:1;) #(Level 3) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 3 - Asterisk warning message. (asterisk_rules.xml:syslog,asterisk)"; content: "Rule: 6202 "; classtype: not-suspicious; program: ossec; sid: 6006202; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - Login session failed. (asterisk_rules.xml:syslog,asterisk)"; content: "Rule: 6210 "; classtype: system-event; program: ossec; sid: 6006210; rev:1;) #(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Asterisk notice messages grouped. (asterisk_rules.xml:syslog,asterisk)"; content: "Rule: 6201 "; classtype: tcp-connection; program: ossec; sid: 6006201; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - Login session failed (invalid extension). (asterisk_rules.xml:syslog,asterisk)"; content: "Rule: 6212 "; classtype: system-event; program: ossec; sid: 6006212; rev:1;) #(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Asterisk messages grouped. 
(asterisk_rules.xml:syslog,asterisk)"; content: "Rule: 6200 "; classtype: tcp-connection; program: ossec; sid: 6006200; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 10 - Multiple failed logins. (asterisk_rules.xml:syslog,asterisk)"; content: "Rule: 6251 "; classtype: exploit-attempt; program: ossec; sid: 6006251; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - Login session failed (invalid user). (asterisk_rules.xml:syslog,asterisk)"; content: "Rule: 6211 "; classtype: system-event; program: ossec; sid: 6006211; rev:1;) #(Level 3) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 3 - Asterisk error message. (asterisk_rules.xml:syslog,asterisk)"; content: "Rule: 6203 "; classtype: not-suspicious; program: ossec; sid: 6006203; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 10 - Multiple failed logins (user enumeration in process). (asterisk_rules.xml:syslog,asterisk)"; content: "Rule: 6250 "; classtype: exploit-attempt; program: ossec; sid: 6006250; rev:1;) ## Rule group: syslog_rules.xml:syslog,yum ## alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 7 - New Yum package installed. (syslog_rules.xml:syslog,yum)"; content: "Rule: 2932 "; classtype: system-event; program: ossec; sid: 6002932; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 7 - Yum package deleted. (syslog_rules.xml:syslog,yum)"; content: "Rule: 2934 "; classtype: system-event; program: ossec; sid: 6002934; rev:1;) #(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Yum logs. (syslog_rules.xml:syslog,yum)"; content: "Rule: 2931 "; classtype: tcp-connection; program: ossec; sid: 6002931; rev:1;) #(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Yum logs. 
(syslog_rules.xml:syslog,yum)"; content: "Rule: 2930 "; classtype: tcp-connection; program: ossec; sid: 6002930; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 7 - Yum package updated. (syslog_rules.xml:syslog,yum)"; content: "Rule: 2933 "; classtype: system-event; program: ossec; sid: 6002933; rev:1;) ## Rule group: local_rules.xml:local,syslog ## #(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Example of rule that will ignore sshd failed logins for user XYZABC. (local_rules.xml:local,syslog)"; content: "Rule: 100020 "; classtype: tcp-connection; program: ossec; sid: 6100020; rev:1;) #(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Example of rule that will ignore sshd failed logins from IP 1.1.1.1. (local_rules.xml:local,syslog)"; content: "Rule: 100001 "; classtype: tcp-connection; program: ossec; sid: 6100001; rev:1;) #(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - List of rules to be ignored. (local_rules.xml:local,syslog)"; content: "Rule: 100030 "; classtype: tcp-connection; program: ossec; sid: 6100030; rev:1;) ## Rule group: trend-osce_rules.xml:trend_micro,ocse ## alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - Virus detected and cleaned/quarantined/removed (trend-osce_rules.xml:trend_micro,ocse)"; content: "Rule: 7610 "; classtype: system-event; program: ossec; sid: 6007610; rev:1;) #(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Grouping of Trend OSCE rules. (trend-osce_rules.xml:trend_micro,ocse)"; content: "Rule: 7600 "; classtype: tcp-connection; program: ossec; sid: 6007600; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 9 - Virus detected and unable to clean up. 
(trend-osce_rules.xml:trend_micro,ocse)"; content: "Rule: 7611 "; classtype: system-event; program: ossec; sid: 6007611; rev:1;) #(Level 3) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 3 - Virus scan completed with no errors detected. (trend-osce_rules.xml:trend_micro,ocse)"; content: "Rule: 7612 "; classtype: not-suspicious; program: ossec; sid: 6007612; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - Virus scan passed by found potential security risk. (trend-osce_rules.xml:trend_micro,ocse)"; content: "Rule: 7613 "; classtype: system-event; program: ossec; sid: 6007613; rev:1;) ## Rule group: telnetd_rules.xml:syslog,telnetd ## alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - Remote host invalid connection. (telnetd_rules.xml:syslog,telnetd)"; content: "Rule: 5603 "; classtype: system-event; program: ossec; sid: 6005603; rev:1;) #(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Grouping for the telnetd rules (telnetd_rules.xml:syslog,telnetd)"; content: "Rule: 5600 "; classtype: tcp-connection; program: ossec; sid: 6005600; rev:1;) #(Level 3) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 3 - Remote host established a telnet connection. (telnetd_rules.xml:syslog,telnetd)"; content: "Rule: 5602 "; classtype: not-suspicious; program: ossec; sid: 6005602; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 10 - Multiple connection attempts from same source (possible scan). (telnetd_rules.xml:syslog,telnetd)"; content: "Rule: 5631 "; classtype: exploit-attempt; program: ossec; sid: 6005631; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - Connection refused by TCP Wrappers. 
(telnetd_rules.xml:syslog,telnetd)"; content: "Rule: 5601 "; classtype: system-event; program: ossec; sid: 6005601; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - Reverse lookup error (bad hostname config). (telnetd_rules.xml:syslog,telnetd)"; content: "Rule: 5604 "; classtype: system-event; program: ossec; sid: 6005604; rev:1;) ## Rule group: syslog_rules.xml:syslog,nfs ## #(Level 4) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 4 - Unable to mount the NFS directory. (syslog_rules.xml:syslog,nfs)"; content: "Rule: 2103 "; classtype: not-suspicious; program: ossec; sid: 6002103; rev:1;) #(Level 4) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 4 - Unable to mount the NFS share. (syslog_rules.xml:syslog,nfs)"; content: "Rule: 2101 "; classtype: not-suspicious; program: ossec; sid: 6002101; rev:1;) #(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - NFS rules grouped. (syslog_rules.xml:syslog,nfs)"; content: "Rule: 2100 "; classtype: tcp-connection; program: ossec; sid: 6002100; rev:1;) #(Level 2) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 2 - Automount informative message (syslog_rules.xml:syslog,nfs)"; content: "Rule: 2104 "; classtype: not-suspicious; program: ossec; sid: 6002104; rev:1;) #(Level 4) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 4 - Unable to mount the NFS directory. 
(syslog_rules.xml:syslog,nfs)"; content: "Rule: 2102 "; classtype: not-suspicious; program: ossec; sid: 6002102; rev:1;) ## Rule group: syslog_rules.xml:syslog,pptp ## #(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - PPTPD messages grouped (syslog_rules.xml:syslog,pptp)"; content: "Rule: 9100 "; classtype: tcp-connection; program: ossec; sid: 6009100; rev:1;) #(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - PPTPD communication error (syslog_rules.xml:syslog,pptp)"; content: "Rule: 9102 "; classtype: tcp-connection; program: ossec; sid: 6009102; rev:1;) #(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - PPTPD failed message (communication error) (syslog_rules.xml:syslog,pptp)"; content: "Rule: 9101 "; classtype: tcp-connection; program: ossec; sid: 6009101; rev:1;) ## Rule group: attack_rules.xml:syslog,elevation_of_privilege ## alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 15 - Attacks followed by the addition of an user. (attack_rules.xml:syslog,elevation_of_privilege)"; content: "Rule: 40501 "; classtype: exploit-attempt; program: ossec; sid: 6040501; rev:1;) ## Rule group: ms-exchange_rules.xml:ms,exchange ## #(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Grouping of Exchange rules. (ms-exchange_rules.xml:ms,exchange)"; content: "Rule: 3800 "; classtype: tcp-connection; program: ossec; sid: 6003800; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 9 - Multiple e-mail 500 error code (spam). (ms-exchange_rules.xml:ms,exchange)"; content: "Rule: 3852 "; classtype: system-event; program: ossec; sid: 6003852; rev:1;) #(Level 4) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 4 - E-mail rcpt is not valid (invalid account). 
(ms-exchange_rules.xml:ms,exchange)"; content: "Rule: 3801 "; classtype: not-suspicious; program: ossec; sid: 6003801; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 9 - Multiple e-mail attempts to an invalid account. (ms-exchange_rules.xml:ms,exchange)"; content: "Rule: 3851 "; classtype: system-event; program: ossec; sid: 6003851; rev:1;) #(Level 4) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 4 - E-mail 500 error code. (ms-exchange_rules.xml:ms,exchange)"; content: "Rule: 3802 "; classtype: not-suspicious; program: ossec; sid: 6003802; rev:1;) ## Rule group: attack_rules.xml:syslog,recon ## alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 10 - Network scan from same source ip. (attack_rules.xml:syslog,recon)"; content: "Rule: 40601 "; classtype: exploit-attempt; program: ossec; sid: 6040601; rev:1;) ## Rule group: rules_config.xml:ossec ## #(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Generic template for all ossec rules. (rules_config.xml:ossec)"; content: "Rule: 07 "; classtype: tcp-connection; program: ossec; sid: 6000007; rev:1;) ## Rule group: syslog_rules.xml:syslog,linuxkernel ## #(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Kernel usbhid probe error (ignored). (syslog_rules.xml:syslog,linuxkernel)"; content: "Rule: 5112 "; classtype: tcp-connection; program: ossec; sid: 6005112; rev:1;) #(Level 3) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 3 - Monitor ADSL line is up. 
(syslog_rules.xml:syslog,linuxkernel)"; content: "Rule: 5131 "; classtype: not-suspicious; program: ossec; sid: 6005131; rev:1;) #(Level 4) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 4 - Kernel Input/Output error (syslog_rules.xml:syslog,linuxkernel)"; content: "Rule: 5109 "; classtype: not-suspicious; program: ossec; sid: 6005109; rev:1;) #(Level 4) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 4 - IRC misconfiguration (syslog_rules.xml:syslog,linuxkernel)"; content: "Rule: 5110 "; classtype: not-suspicious; program: ossec; sid: 6005110; rev:1;) #(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Ignoring hpiod for producing useless logs. (syslog_rules.xml:syslog,linuxkernel)"; content: "Rule: 5200 "; classtype: tcp-connection; program: ossec; sid: 6005200; rev:1;) #(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Informative message from the kernel (syslog_rules.xml:syslog,linuxkernel)"; content: "Rule: 5102 "; classtype: tcp-connection; program: ossec; sid: 6005102; rev:1;) #(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - NFS incompability between Linux and Solaris. (syslog_rules.xml:syslog,linuxkernel)"; content: "Rule: 5107 "; classtype: tcp-connection; program: ossec; sid: 6005107; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 8 - Interface entered in promiscuous(sniffing) mode. (syslog_rules.xml:syslog,linuxkernel)"; content: "Rule: 5104 "; classtype: system-event; program: ossec; sid: 6005104; rev:1;) #(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Pre-match rule for kernel messages (syslog_rules.xml:syslog,linuxkernel)"; content: "Rule: 5100 "; classtype: tcp-connection; program: ossec; sid: 6005100; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 12 - System running out of memory. 
Availability of the system is in risk. (syslog_rules.xml:syslog,linuxkernel)"; content: "Rule: 5108 "; classtype: exploit-attempt; program: ossec; sid: 6005108; rev:1;) #(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Kernel device error. (syslog_rules.xml:syslog,linuxkernel)"; content: "Rule: 5111 "; classtype: tcp-connection; program: ossec; sid: 6005111; rev:1;) #(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Invalid request to /dev/fd0 (bug on the kernel). (syslog_rules.xml:syslog,linuxkernel)"; content: "Rule: 5105 "; classtype: tcp-connection; program: ossec; sid: 6005105; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 9 - Error message from the kernel. Ping of death attack. (syslog_rules.xml:syslog,linuxkernel)"; content: "Rule: 5103 "; classtype: system-event; program: ossec; sid: 6005103; rev:1;) #(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - NFS incompability between Linux and Solaris. (syslog_rules.xml:syslog,linuxkernel)"; content: "Rule: 5106 "; classtype: tcp-connection; program: ossec; sid: 6005106; rev:1;) #(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Informative message from the kernel. (syslog_rules.xml:syslog,linuxkernel)"; content: "Rule: 5101 "; classtype: tcp-connection; program: ossec; sid: 6005101; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 7 - Monitor ADSL line is down. (syslog_rules.xml:syslog,linuxkernel)"; content: "Rule: 5130 "; classtype: system-event; program: ossec; sid: 6005130; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 7 - System is shutting down. 
(syslog_rules.xml:syslog,linuxkernel)"; content: "Rule: 5113 "; classtype: system-event; program: ossec; sid: 6005113; rev:1;) ## Rule group: dovecot_rules.xml:dovecot ## alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - Dovecot Authentication Failed. (dovecot_rules.xml:dovecot)"; content: "Rule: 9702 "; classtype: system-event; program: ossec; sid: 6009702; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 10 - Dovecot Multiple Authentication Failures. (dovecot_rules.xml:dovecot)"; content: "Rule: 9750 "; classtype: exploit-attempt; program: ossec; sid: 6009750; rev:1;) #(Level 3) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 3 - Dovecot is Starting Up. (dovecot_rules.xml:dovecot)"; content: "Rule: 9703 "; classtype: not-suspicious; program: ossec; sid: 6009703; rev:1;) #(Level 2) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 2 - Dovecot Fatal Failure. (dovecot_rules.xml:dovecot)"; content: "Rule: 9704 "; classtype: not-suspicious; program: ossec; sid: 6009704; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - Dovecot Invalid User Login Attempt. (dovecot_rules.xml:dovecot)"; content: "Rule: 9705 "; classtype: system-event; program: ossec; sid: 6009705; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - Dovecot Aborted Login. (dovecot_rules.xml:dovecot)"; content: "Rule: 9707 "; classtype: system-event; program: ossec; sid: 6009707; rev:1;) #(Level 3) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 3 - Dovecot Authentication Success. (dovecot_rules.xml:dovecot)"; content: "Rule: 9701 "; classtype: not-suspicious; program: ossec; sid: 6009701; rev:1;) #(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Dovecot Messages Grouped. 
(dovecot_rules.xml:dovecot)"; content: "Rule: 9700 "; classtype: tcp-connection; program: ossec; sid: 6009700; rev:1;) #(Level 3) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 3 - Dovecot Session Disconnected. (dovecot_rules.xml:dovecot)"; content: "Rule: 9706 "; classtype: not-suspicious; program: ossec; sid: 6009706; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 10 - Dovecot brute force attack (multiple auth failures). (dovecot_rules.xml:dovecot)"; content: "Rule: 9751 "; classtype: exploit-attempt; program: ossec; sid: 6009751; rev:1;) ## Rule group: symantec-ws_rules.xml:symantec ## #(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Grouping of Symantec Web Security rules. (symantec-ws_rules.xml:symantec)"; content: "Rule: 7400 "; classtype: tcp-connection; program: ossec; sid: 6007400; rev:1;) #(Level 3) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 3 - Web access message. (symantec-ws_rules.xml:symantec)"; content: "Rule: 7425 "; classtype: not-suspicious; program: ossec; sid: 6007425; rev:1;) #(Level 3) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 3 - Admin Login success to the web proxy. (symantec-ws_rules.xml:symantec)"; content: "Rule: 7420 "; classtype: not-suspicious; program: ossec; sid: 6007420; rev:1;) #(Level 3) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 3 - Login success accessing the web proxy. (symantec-ws_rules.xml:symantec)"; content: "Rule: 7415 "; classtype: not-suspicious; program: ossec; sid: 6007415; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - Login failed accessing the web proxy. (symantec-ws_rules.xml:symantec)"; content: "Rule: 7410 "; classtype: system-event; program: ossec; sid: 6007410; rev:1;) ## Rule group: php_rules.xml:apache ## alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - PHP Parse error. 
(php_rules.xml:apache)"; content: "Rule: 31430 "; classtype: system-event; program: ossec; sid: 6031430; rev:1;) #(Level 3) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 3 - PHP Warning message. (php_rules.xml:apache)"; content: "Rule: 31410 "; classtype: not-suspicious; program: ossec; sid: 6031410; rev:1;) #(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - PHP Warning message. (php_rules.xml:apache)"; content: "Rule: 31404 "; classtype: tcp-connection; program: ossec; sid: 6031404; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - PHP internal error (missing file or function). (php_rules.xml:apache)"; content: "Rule: 31421 "; classtype: system-event; program: ossec; sid: 6031421; rev:1;) #(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - PHP Parse error. (php_rules.xml:apache)"; content: "Rule: 31403 "; classtype: tcp-connection; program: ossec; sid: 6031403; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 6 - PHP web attack. (php_rules.xml:apache)"; content: "Rule: 31411 "; classtype: system-event; program: ossec; sid: 6031411; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - PHP internal error (missing file). (php_rules.xml:apache)"; content: "Rule: 31412 "; classtype: system-event; program: ossec; sid: 6031412; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - PHP Fatal error. (php_rules.xml:apache)"; content: "Rule: 31420 "; classtype: system-event; program: ossec; sid: 6031420; rev:1;) #(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - PHP Fatal error. (php_rules.xml:apache)"; content: "Rule: 31405 "; classtype: tcp-connection; program: ossec; sid: 6031405; rev:1;) #(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - PHP Parse error. 
(php_rules.xml:apache)"; content: "Rule: 31406 "; classtype: tcp-connection; program: ossec; sid: 6031406; rev:1;) #(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - PHP Warning message. (php_rules.xml:apache)"; content: "Rule: 31401 "; classtype: tcp-connection; program: ossec; sid: 6031401; rev:1;) #(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - PHP Fatal error. (php_rules.xml:apache)"; content: "Rule: 31402 "; classtype: tcp-connection; program: ossec; sid: 6031402; rev:1;) ## Rule group: postfix_rules.xml:syslog,postfix ## alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 6 - Multiple relaying attempts of spam. (postfix_rules.xml:syslog,postfix)"; content: "Rule: 3351 "; classtype: system-event; program: ossec; sid: 6003351; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 12 - Multiple misuse of SMTP service (bad sequence of commands). (postfix_rules.xml:syslog,postfix)"; content: "Rule: 3354 "; classtype: exploit-attempt; program: ossec; sid: 6003354; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - Postfix SASL authentication failure. (postfix_rules.xml:syslog,postfix)"; content: "Rule: 3332 "; classtype: system-event; program: ossec; sid: 6003332; rev:1;) #(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Grouping of the postfix reject rules. (postfix_rules.xml:syslog,postfix)"; content: "Rule: 3300 "; classtype: tcp-connection; program: ossec; sid: 6003300; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 10 - Multiple attempts to send e-mail from invalid/unknown sender domain. (postfix_rules.xml:syslog,postfix)"; content: "Rule: 3353 "; classtype: exploit-attempt; program: ossec; sid: 6003353; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 6 - Attempt to use mail server as relay (client host rejected). 
(postfix_rules.xml:syslog,postfix)"; content: "Rule: 3301 "; classtype: system-event; program: ossec; sid: 6003301; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 10 - Multiple attempts to send e-mail to invalid recipient or from unknown sender domain. (postfix_rules.xml:syslog,postfix)"; content: "Rule: 3355 "; classtype: exploit-attempt; program: ossec; sid: 6003355; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - Sender domain is not found (450: Requested mail action not taken). (postfix_rules.xml:syslog,postfix)"; content: "Rule: 3303 "; classtype: system-event; program: ossec; sid: 6003303; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 7 - Postfix stopped. (postfix_rules.xml:syslog,postfix)"; content: "Rule: 3333 "; classtype: system-event; program: ossec; sid: 6003333; rev:1;) #(Level 3) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 3 - Postfix started. (postfix_rules.xml:syslog,postfix)"; content: "Rule: 3334 "; classtype: not-suspicious; program: ossec; sid: 6003334; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 6 - Rejected by access list (Requested action not taken). (postfix_rules.xml:syslog,postfix)"; content: "Rule: 3302 "; classtype: system-event; program: ossec; sid: 6003302; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 6 - Multiple attempts to send e-mail from a rejected sender IP (access). (postfix_rules.xml:syslog,postfix)"; content: "Rule: 3352 "; classtype: system-event; program: ossec; sid: 6003352; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 10 - Postfix insufficient disk space error. 
(postfix_rules.xml:syslog,postfix)"; content: "Rule: 3331 "; classtype: exploit-attempt; program: ossec; sid: 6003331; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - Improper use of SMTP command pipelining (503: Bad sequence of commands). (postfix_rules.xml:syslog,postfix)"; content: "Rule: 3304 "; classtype: system-event; program: ossec; sid: 6003304; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - Receipent address must contain FQDN (504: Command parameter not implemented). (postfix_rules.xml:syslog,postfix)"; content: "Rule: 3305 "; classtype: system-event; program: ossec; sid: 6003305; rev:1;) #(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Grouping of the clamsmtpd rules. (postfix_rules.xml:syslog,postfix)"; content: "Rule: 3390 "; classtype: tcp-connection; program: ossec; sid: 6003390; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 10 - Multiple SASL authentication failures. (postfix_rules.xml:syslog,postfix)"; content: "Rule: 3357 "; classtype: exploit-attempt; program: ossec; sid: 6003357; rev:1;) #(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Grouping of the postfix rules. (postfix_rules.xml:syslog,postfix)"; content: "Rule: 3320 "; classtype: tcp-connection; program: ossec; sid: 6003320; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 10 - Multiple attempts to send e-mail from black-listed IP address (blocked). (postfix_rules.xml:syslog,postfix)"; content: "Rule: 3356 "; classtype: exploit-attempt; program: ossec; sid: 6003356; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 6 - IP Address black-listed by anti-spam (blocked). 
(postfix_rules.xml:syslog,postfix)"; content: "Rule: 3306 "; classtype: system-event; program: ossec; sid: 6003306; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 10 - Postfix process error. (postfix_rules.xml:syslog,postfix)"; content: "Rule: 3330 "; classtype: exploit-attempt; program: ossec; sid: 6003330; rev:1;) ## Rule group: ms_ftpd_rules.xml:syslog,msftp ## alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 10 - Multiple FTP errors from same source. (ms_ftpd_rules.xml:syslog,msftp)"; content: "Rule: 11512 "; classtype: exploit-attempt; program: ossec; sid: 6011512; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 10 - FTP brute force (multiple failed logins). (ms_ftpd_rules.xml:syslog,msftp)"; content: "Rule: 11510 "; classtype: exploit-attempt; program: ossec; sid: 6011510; rev:1;) #(Level 3) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 3 - New FTP connection. (ms_ftpd_rules.xml:syslog,msftp)"; content: "Rule: 11501 "; classtype: not-suspicious; program: ossec; sid: 6011501; rev:1;) #(Level 3) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 3 - FTP Authentication success. (ms_ftpd_rules.xml:syslog,msftp)"; content: "Rule: 11503 "; classtype: not-suspicious; program: ossec; sid: 6011503; rev:1;) #(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Grouping for the Microsoft ftp rules. (ms_ftpd_rules.xml:syslog,msftp)"; content: "Rule: 11500 "; classtype: tcp-connection; program: ossec; sid: 6011500; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 10 - Multiple connection attempts from same source. (ms_ftpd_rules.xml:syslog,msftp)"; content: "Rule: 11511 "; classtype: exploit-attempt; program: ossec; sid: 6011511; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - FTP Authentication failed. 
(ms_ftpd_rules.xml:syslog,msftp)"; content: "Rule: 11502 "; classtype: system-event; program: ossec; sid: 6011502; rev:1;) #(Level 4) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 4 - FTP client request failed. (ms_ftpd_rules.xml:syslog,msftp)"; content: "Rule: 11504 "; classtype: not-suspicious; program: ossec; sid: 6011504; rev:1;) ## Rule group: imapd_rules.xml:syslog,imapd ## #(Level 3) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 3 - Imapd user login. (imapd_rules.xml:syslog,imapd)"; content: "Rule: 3602 "; classtype: not-suspicious; program: ossec; sid: 6003602; rev:1;) #(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Imapd user logout. (imapd_rules.xml:syslog,imapd)"; content: "Rule: 3603 "; classtype: tcp-connection; program: ossec; sid: 6003603; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 10 - Multiple failed logins from same source ip. (imapd_rules.xml:syslog,imapd)"; content: "Rule: 3651 "; classtype: exploit-attempt; program: ossec; sid: 6003651; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - Imapd user login failed. (imapd_rules.xml:syslog,imapd)"; content: "Rule: 3601 "; classtype: system-event; program: ossec; sid: 6003601; rev:1;) #(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Grouping of the imapd rules. (imapd_rules.xml:syslog,imapd)"; content: "Rule: 3600 "; classtype: tcp-connection; program: ossec; sid: 6003600; rev:1;) ## Rule group: ids_rules.xml:ids ## #(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Ignored snort ids. (ids_rules.xml:ids)"; content: "Rule: 20103 "; classtype: tcp-connection; program: ossec; sid: 6020103; rev:1;) #(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Ignored snort ids. 
(ids_rules.xml:ids)"; content: "Rule: 20102 "; classtype: tcp-connection; program: ossec; sid: 6020102; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 10 - Multiple IDS events from same source ip. (ids_rules.xml:ids)"; content: "Rule: 20151 "; classtype: exploit-attempt; program: ossec; sid: 6020151; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 8 - First time this IDS alert is generated. (ids_rules.xml:ids)"; content: "Rule: 20100 "; classtype: system-event; program: ossec; sid: 6020100; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 11 - Multiple IDS alerts for same id (ignoring now this id). (ids_rules.xml:ids)"; content: "Rule: 20162 "; classtype: exploit-attempt; program: ossec; sid: 6020162; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 10 - Multiple IDS alerts for same id. (ids_rules.xml:ids)"; content: "Rule: 20152 "; classtype: exploit-attempt; program: ossec; sid: 6020152; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 11 - Multiple IDS events from same source ip (ignoring now this srcip and id). (ids_rules.xml:ids)"; content: "Rule: 20161 "; classtype: exploit-attempt; program: ossec; sid: 6020161; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 6 - IDS event. (ids_rules.xml:ids)"; content: "Rule: 20101 "; classtype: system-event; program: ossec; sid: 6020101; rev:1;) ## Rule group: policy_rules.xml:policy_violation ## alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 9 - Successful login during weekend. (policy_rules.xml:policy_violation)"; content: "Rule: 17102 "; classtype: system-event; program: ossec; sid: 6017102; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 9 - Successful login during non-business hours. 
(policy_rules.xml:policy_violation)"; content: "Rule: 17101 "; classtype: system-event; program: ossec; sid: 6017101; rev:1;) ## Rule group: ms_dhcp_rules.xml:windows,dhcp ## alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 12 - Packet dropped due to NAP policy. (ms_dhcp_rules.xml:windows,dhcp)"; content: "Rule: 6323 "; classtype: exploit-attempt; program: ossec; sid: 6006323; rev:1;) #(Level 2) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 2 - The log was started. (ms_dhcp_rules.xml:windows,dhcp)"; content: "Rule: 6301 "; classtype: not-suspicious; program: ossec; sid: 6006301; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 12 - Scope Full. (ms_dhcp_rules.xml:windows,dhcp)"; content: "Rule: 6360 "; classtype: exploit-attempt; program: ossec; sid: 6006360; rev:1;) #(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - DNS record not deleted. (ms_dhcp_rules.xml:windows,dhcp)"; content: "Rule: 6368 "; classtype: tcp-connection; program: ossec; sid: 6006368; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 10 - Audit log paused. (ms_dhcp_rules.xml:windows,dhcp)"; content: "Rule: 6363 "; classtype: exploit-attempt; program: ossec; sid: 6006363; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 12 - Service has not determined if it is authorized in AD. (ms_dhcp_rules.xml:windows,dhcp)"; content: "Rule: 6376 "; classtype: exploit-attempt; program: ossec; sid: 6006376; rev:1;) #(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - A BOOTP IP address was deleted after checking to see it was not in use. (ms_dhcp_rules.xml:windows,dhcp)"; content: "Rule: 6315 "; classtype: tcp-connection; program: ossec; sid: 6006315; rev:1;) #(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - A BOOTP address was leased to a client. 
(ms_dhcp_rules.xml:windows,dhcp)"; content: "Rule: 6312 "; classtype: tcp-connection; program: ossec; sid: 6006312; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 7 - DNS update failed. (ms_dhcp_rules.xml:windows,dhcp)"; content: "Rule: 6319 "; classtype: system-event; program: ossec; sid: 6006319; rev:1;) #(Level 3) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 3 - Started. (ms_dhcp_rules.xml:windows,dhcp)"; content: "Rule: 6361 "; classtype: not-suspicious; program: ossec; sid: 6006361; rev:1;) #(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Grouping for the MS-DHCP rules. (ms_dhcp_rules.xml:windows,dhcp)"; content: "Rule: 6350 "; classtype: tcp-connection; program: ossec; sid: 6006350; rev:1;) #(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Advertise. (ms_dhcp_rules.xml:windows,dhcp)"; content: "Rule: 6352 "; classtype: tcp-connection; program: ossec; sid: 6006352; rev:1;) #(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - A lease was renewed by a client. (ms_dhcp_rules.xml:windows,dhcp)"; content: "Rule: 6305 "; classtype: tcp-connection; program: ossec; sid: 6006305; rev:1;) #(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - A new IP address was leased to a client. (ms_dhcp_rules.xml:windows,dhcp)"; content: "Rule: 6304 "; classtype: tcp-connection; program: ossec; sid: 6006304; rev:1;) #(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - A lease was expired and DNS records were deleted. (ms_dhcp_rules.xml:windows,dhcp)"; content: "Rule: 6322 "; classtype: tcp-connection; program: ossec; sid: 6006322; rev:1;) #(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Expired. 
(ms_dhcp_rules.xml:windows,dhcp)"; content: "Rule: 6369 "; classtype: tcp-connection; program: ossec; sid: 6006369; rev:1;) #(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - An IP address was found to be in use on the network. (ms_dhcp_rules.xml:windows,dhcp)"; content: "Rule: 6307 "; classtype: tcp-connection; program: ossec; sid: 6006307; rev:1;) #(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Renew. (ms_dhcp_rules.xml:windows,dhcp)"; content: "Rule: 6355 "; classtype: tcp-connection; program: ossec; sid: 6006355; rev:1;) #(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - A lease was expired and DNS records for an expired leases have not been deleted. (ms_dhcp_rules.xml:windows,dhcp)"; content: "Rule: 6311 "; classtype: tcp-connection; program: ossec; sid: 6006311; rev:1;) #(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Solicit. (ms_dhcp_rules.xml:windows,dhcp)"; content: "Rule: 6351 "; classtype: tcp-connection; program: ossec; sid: 6006351; rev:1;) #(Level 3) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 3 - IP address cleanup operation has began. (ms_dhcp_rules.xml:windows,dhcp)"; content: "Rule: 6316 "; classtype: not-suspicious; program: ossec; sid: 6006316; rev:1;) #(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Client deleted. (ms_dhcp_rules.xml:windows,dhcp)"; content: "Rule: 6367 "; classtype: tcp-connection; program: ossec; sid: 6006367; rev:1;) #(Level 4) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 4 - Address is already in use. (ms_dhcp_rules.xml:windows,dhcp)"; content: "Rule: 6366 "; classtype: not-suspicious; program: ossec; sid: 6006366; rev:1;) #(Level 2) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 2 - Database cleanup begin. 
(ms_dhcp_rules.xml:windows,dhcp)"; content: "Rule: 6371 "; classtype: not-suspicious; program: ossec; sid: 6006371; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 12 - A lease request could not be satisfied because the scope's address pool was exhausted. (ms_dhcp_rules.xml:windows,dhcp)"; content: "Rule: 6308 "; classtype: exploit-attempt; program: ossec; sid: 6006308; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 7 - A lease was denied. (ms_dhcp_rules.xml:windows,dhcp)"; content: "Rule: 6309 "; classtype: system-event; program: ossec; sid: 6006309; rev:1;) #(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Confirm. (ms_dhcp_rules.xml:windows,dhcp)"; content: "Rule: 6354 "; classtype: tcp-connection; program: ossec; sid: 6006354; rev:1;) #(Level 2) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 2 - IP address cleanup statistics. (ms_dhcp_rules.xml:windows,dhcp)"; content: "Rule: 6317 "; classtype: not-suspicious; program: ossec; sid: 6006317; rev:1;) #(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - DNS update successful. (ms_dhcp_rules.xml:windows,dhcp)"; content: "Rule: 6320 "; classtype: tcp-connection; program: ossec; sid: 6006320; rev:1;) #(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Information Request. (ms_dhcp_rules.xml:windows,dhcp)"; content: "Rule: 6359 "; classtype: tcp-connection; program: ossec; sid: 6006359; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 7 - DHCP Log File. (ms_dhcp_rules.xml:windows,dhcp)"; content: "Rule: 6364 "; classtype: system-event; program: ossec; sid: 6006364; rev:1;) #(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - A lease was released by a client. 
(ms_dhcp_rules.xml:windows,dhcp)"; content: "Rule: 6306 "; classtype: tcp-connection; program: ossec; sid: 6006306; rev:1;) #(Level 3) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 3 - The log was stopped. (ms_dhcp_rules.xml:windows,dhcp)"; content: "Rule: 6302 "; classtype: not-suspicious; program: ossec; sid: 6006302; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 10 - The log was temporarily paused due to low disk space. (ms_dhcp_rules.xml:windows,dhcp)"; content: "Rule: 6303 "; classtype: exploit-attempt; program: ossec; sid: 6006303; rev:1;) #(Level 2) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 2 - Database cleanup end. (ms_dhcp_rules.xml:windows,dhcp)"; content: "Rule: 6372 "; classtype: not-suspicious; program: ossec; sid: 6006372; rev:1;) #(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - A lease was deleted. (ms_dhcp_rules.xml:windows,dhcp)"; content: "Rule: 6310 "; classtype: tcp-connection; program: ossec; sid: 6006310; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 12 - Codes above 50 are used for Rogue Server Detection information. (ms_dhcp_rules.xml:windows,dhcp)"; content: "Rule: 6321 "; classtype: exploit-attempt; program: ossec; sid: 6006321; rev:1;) #(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - DNS update request to the named DNS server. (ms_dhcp_rules.xml:windows,dhcp)"; content: "Rule: 6318 "; classtype: tcp-connection; program: ossec; sid: 6006318; rev:1;) #(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - A dynamic BOOTP address was leased to a client. (ms_dhcp_rules.xml:windows,dhcp)"; content: "Rule: 6313 "; classtype: tcp-connection; program: ossec; sid: 6006313; rev:1;) #(Level 3) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 3 - Service authorized in AD. 
(ms_dhcp_rules.xml:windows,dhcp)"; content: "Rule: 6374 "; classtype: not-suspicious; program: ossec; sid: 6006374; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 10 - A BOOTP request could not be satisfied because the scope's address pool for BOOTP was exhausted. (ms_dhcp_rules.xml:windows,dhcp)"; content: "Rule: 6314 "; classtype: exploit-attempt; program: ossec; sid: 6006314; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 12 - Service not authorized in AD. (ms_dhcp_rules.xml:windows,dhcp)"; content: "Rule: 6373 "; classtype: exploit-attempt; program: ossec; sid: 6006373; rev:1;) #(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Release. (ms_dhcp_rules.xml:windows,dhcp)"; content: "Rule: 6358 "; classtype: tcp-connection; program: ossec; sid: 6006358; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 7 - DHCP Decline. (ms_dhcp_rules.xml:windows,dhcp)"; content: "Rule: 6357 "; classtype: system-event; program: ossec; sid: 6006357; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 7 - Bad Address. (ms_dhcp_rules.xml:windows,dhcp)"; content: "Rule: 6365 "; classtype: system-event; program: ossec; sid: 6006365; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 7 - Stopped. (ms_dhcp_rules.xml:windows,dhcp)"; content: "Rule: 6362 "; classtype: system-event; program: ossec; sid: 6006362; rev:1;) #(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Rebind. (ms_dhcp_rules.xml:windows,dhcp)"; content: "Rule: 6356 "; classtype: tcp-connection; program: ossec; sid: 6006356; rev:1;) #(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Expired and Deleted count. 
(ms_dhcp_rules.xml:windows,dhcp)"; content: "Rule: 6370 "; classtype: tcp-connection; program: ossec; sid: 6006370; rev:1;) #(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Grouping for the MS-DHCP rules. (ms_dhcp_rules.xml:windows,dhcp)"; content: "Rule: 6300 "; classtype: tcp-connection; program: ossec; sid: 6006300; rev:1;) ## Rule group: syslog_rules.xml:syslog,tripwire ## alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 8 - Problems with the tripwire checking (syslog_rules.xml:syslog,tripwire)"; content: "Rule: 7101 "; classtype: system-event; program: ossec; sid: 6007101; rev:1;) ## Rule group: roundcube_rules.xml:syslog,roundcube ## alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - Roundcube authentication failed. (roundcube_rules.xml:syslog,roundcube)"; content: "Rule: 9401 "; classtype: system-event; program: ossec; sid: 6009401; rev:1;) #(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Roundcube messages groupe.d (roundcube_rules.xml:syslog,roundcube)"; content: "Rule: 9400 "; classtype: tcp-connection; program: ossec; sid: 6009400; rev:1;) #(Level 3) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 3 - Roundcube authentication succeeded. (roundcube_rules.xml:syslog,roundcube)"; content: "Rule: 9402 "; classtype: not-suspicious; program: ossec; sid: 6009402; rev:1;) ## Rule group: vmware_rules.xml:vmware ## alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 10 - Multiple VMWare ESX authentication failures. (vmware_rules.xml:vmware)"; content: "Rule: 19152 "; classtype: exploit-attempt; program: ossec; sid: 6019152; rev:1;) #(Level 4) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 4 - VMware ESX error message. 
(vmware_rules.xml:vmware)"; content: "Rule: 19103 "; classtype: not-suspicious; program: ossec; sid: 6019103; rev:1;) #(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - VMware ESX verbose message. (vmware_rules.xml:vmware)"; content: "Rule: 19107 "; classtype: tcp-connection; program: ossec; sid: 6019107; rev:1;) #(Level 3) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 3 - Virtual machine being turned ON. (vmware_rules.xml:vmware)"; content: "Rule: 19121 "; classtype: not-suspicious; program: ossec; sid: 6019121; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 8 - VMware ESX critical message. (vmware_rules.xml:vmware)"; content: "Rule: 19102 "; classtype: system-event; program: ossec; sid: 6019102; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 10 - Multiple VMWare ESX warning messages. (vmware_rules.xml:vmware)"; content: "Rule: 19150 "; classtype: exploit-attempt; program: ossec; sid: 6019150; rev:1;) #(Level 3) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 3 - VMware ESX warning message. (vmware_rules.xml:vmware)"; content: "Rule: 19104 "; classtype: not-suspicious; program: ossec; sid: 6019104; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - VMWare ESX authentication failure. (vmware_rules.xml:vmware)"; content: "Rule: 19111 "; classtype: system-event; program: ossec; sid: 6019111; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - Virtual machine being reconfigured. (vmware_rules.xml:vmware)"; content: "Rule: 19123 "; classtype: system-event; program: ossec; sid: 6019123; rev:1;) #(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - VMware ESX notice message. 
(vmware_rules.xml:vmware)"; content: "Rule: 19105 "; classtype: tcp-connection; program: ossec; sid: 6019105; rev:1;) #(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - VMWare messages grouped. (vmware_rules.xml:vmware)"; content: "Rule: 19100 "; classtype: tcp-connection; program: ossec; sid: 6019100; rev:1;) #(Level 3) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 3 - VMWare ESX authentication success. (vmware_rules.xml:vmware)"; content: "Rule: 19110 "; classtype: not-suspicious; program: ossec; sid: 6019110; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 10 - Multiple VMWare ESX error messages. (vmware_rules.xml:vmware)"; content: "Rule: 19151 "; classtype: exploit-attempt; program: ossec; sid: 6019151; rev:1;) #(Level 3) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 3 - VMWare ESX user authentication failure. (vmware_rules.xml:vmware)"; content: "Rule: 19113 "; classtype: not-suspicious; program: ossec; sid: 6019113; rev:1;) #(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - VMware ESX informational message. (vmware_rules.xml:vmware)"; content: "Rule: 19106 "; classtype: tcp-connection; program: ossec; sid: 6019106; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 10 - Multiple VMWare ESX user authentication failures. (vmware_rules.xml:vmware)"; content: "Rule: 19153 "; classtype: exploit-attempt; program: ossec; sid: 6019153; rev:1;) #(Level 3) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 3 - VMWare ESX user login. (vmware_rules.xml:vmware)"; content: "Rule: 19112 "; classtype: not-suspicious; program: ossec; sid: 6019112; rev:1;) #(Level 3) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 3 - Virtual machine state changed to ON. 
(vmware_rules.xml:vmware)"; content: "Rule: 19122 "; classtype: not-suspicious; program: ossec; sid: 6019122; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 8 - Virtual machine state changed to OFF. (vmware_rules.xml:vmware)"; content: "Rule: 19120 "; classtype: system-event; program: ossec; sid: 6019120; rev:1;) #(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - VMWare ESX syslog messages grouped. (vmware_rules.xml:vmware)"; content: "Rule: 19101 "; classtype: tcp-connection; program: ossec; sid: 6019101; rev:1;) ## Rule group: rules_config.xml:web-log ## #(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Generic template for all web rules. (rules_config.xml:web-log)"; content: "Rule: 04 "; classtype: tcp-connection; program: ossec; sid: 6000004; rev:1;) ## Rule group: syslog_rules.xml:syslog,fts ## #(Level 4) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 4 - First time user logged in. (syslog_rules.xml:syslog,fts)"; content: "Rule: 10100 "; classtype: not-suspicious; program: ossec; sid: 6010100; rev:1;) ## Rule group: rules_config.xml:firewall ## #(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Generic template for all firewall rules. (rules_config.xml:firewall)"; content: "Rule: 02 "; classtype: tcp-connection; program: ossec; sid: 6000002; rev:1;) ## Rule group: sshd_rules.xml:syslog,sshd ## alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 10 - SSHD brute force trying to get access to the system. (sshd_rules.xml:syslog,sshd)"; content: "Rule: 5712 "; classtype: exploit-attempt; program: ossec; sid: 6005712; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 10 - Possible breakin attempt (high number of reverse lookup errors). 
(sshd_rules.xml:syslog,sshd)"; content: "Rule: 5703 "; classtype: exploit-attempt; program: ossec; sid: 6005703; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - Reverse lookup error (bad ISP or attack). (sshd_rules.xml:syslog,sshd)"; content: "Rule: 5702 "; classtype: system-event; program: ossec; sid: 6005702; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 6 - Corrupted bytes on SSHD. (sshd_rules.xml:syslog,sshd)"; content: "Rule: 5713 "; classtype: system-event; program: ossec; sid: 6005713; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - SSHD authentication failed. (sshd_rules.xml:syslog,sshd)"; content: "Rule: 5716 "; classtype: system-event; program: ossec; sid: 6005716; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 10 - Multiple SSHD authentication failures. (sshd_rules.xml:syslog,sshd)"; content: "Rule: 5720 "; classtype: exploit-attempt; program: ossec; sid: 6005720; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - Attempt to login using a non-existent user (sshd_rules.xml:syslog,sshd)"; content: "Rule: 5710 "; classtype: system-event; program: ossec; sid: 6005710; rev:1;) #(Level 3) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 3 - SSHD authentication success. (sshd_rules.xml:syslog,sshd)"; content: "Rule: 5715 "; classtype: not-suspicious; program: ossec; sid: 6005715; rev:1;) #(Level 4) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 4 - Timeout while logging in (sshd). (sshd_rules.xml:syslog,sshd)"; content: "Rule: 5704 "; classtype: not-suspicious; program: ossec; sid: 6005704; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 14 - OpenSSH challenge-response exploit. 
(sshd_rules.xml:syslog,sshd)"; content: "Rule: 5707 "; classtype: exploit-attempt; program: ossec; sid: 6005707; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 10 - Multiple access attempts using a denied user. (sshd_rules.xml:syslog,sshd)"; content: "Rule: 5719 "; classtype: exploit-attempt; program: ossec; sid: 6005719; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 6 - SSH insecure connection attempt (scan). (sshd_rules.xml:syslog,sshd)"; content: "Rule: 5706 "; classtype: system-event; program: ossec; sid: 6005706; rev:1;) #(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Useless SSHD message without an user/ip and context. (sshd_rules.xml:syslog,sshd)"; content: "Rule: 5709 "; classtype: tcp-connection; program: ossec; sid: 6005709; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 14 - SSH CRC-32 Compensation attack (sshd_rules.xml:syslog,sshd)"; content: "Rule: 5714 "; classtype: exploit-attempt; program: ossec; sid: 6005714; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 8 - Possible attack on the ssh server (or version gathering). (sshd_rules.xml:syslog,sshd)"; content: "Rule: 5701 "; classtype: system-event; program: ossec; sid: 6005701; rev:1;) #(Level 4) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 4 - SSHD configuration error (moduli). (sshd_rules.xml:syslog,sshd)"; content: "Rule: 5717 "; classtype: not-suspicious; program: ossec; sid: 6005717; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 10 - Possible scan or breakin attempt (high number of login timeouts). (sshd_rules.xml:syslog,sshd)"; content: "Rule: 5705 "; classtype: exploit-attempt; program: ossec; sid: 6005705; rev:1;) #(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - SSHD messages grouped. 
(sshd_rules.xml:syslog,sshd)"; content: "Rule: 5700 "; classtype: tcp-connection; program: ossec; sid: 6005700; rev:1;) #(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Useless/Duplicated SSHD message without a user/ip. (sshd_rules.xml:syslog,sshd)"; content: "Rule: 5711 "; classtype: tcp-connection; program: ossec; sid: 6005711; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - Attempt to login using a denied user. (sshd_rules.xml:syslog,sshd)"; content: "Rule: 5718 "; classtype: system-event; program: ossec; sid: 6005718; rev:1;) ## Rule group: netscreenfw_rules.xml:netscreenfw ## alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 8 - Firewall policy changed. (netscreenfw_rules.xml:netscreenfw)"; content: "Rule: 4508 "; classtype: system-event; program: ossec; sid: 6004508; rev:1;) #(Level 4) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 4 - Netscreen warning message. (netscreenfw_rules.xml:netscreenfw)"; content: "Rule: 4502 "; classtype: not-suspicious; program: ossec; sid: 6004502; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - Netscreen critical/alert message. (netscreenfw_rules.xml:netscreenfw)"; content: "Rule: 4513 "; classtype: system-event; program: ossec; sid: 6004513; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 11 - Netscreen Erase sequence started. (netscreenfw_rules.xml:netscreenfw)"; content: "Rule: 4505 "; classtype: exploit-attempt; program: ossec; sid: 6004505; rev:1;) #(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Grouping for the Netscreen Firewall rules (netscreenfw_rules.xml:netscreenfw)"; content: "Rule: 4500 "; classtype: tcp-connection; program: ossec; sid: 6004500; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 8 - Firewall configuration changed. 
(netscreenfw_rules.xml:netscreenfw)"; content: "Rule: 4509 "; classtype: system-event; program: ossec; sid: 6004509; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 10 - Multiple Netscreen critical messages from same source IP. (netscreenfw_rules.xml:netscreenfw)"; content: "Rule: 4550 "; classtype: exploit-attempt; program: ossec; sid: 6004550; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - Netscreen critical/alert message. (netscreenfw_rules.xml:netscreenfw)"; content: "Rule: 4503 "; classtype: system-event; program: ossec; sid: 6004503; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 10 - Multiple Netscreen alert messages. (netscreenfw_rules.xml:netscreenfw)"; content: "Rule: 4553 "; classtype: exploit-attempt; program: ossec; sid: 6004553; rev:1;) #(Level 3) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 3 - Netscreen notification message. (netscreenfw_rules.xml:netscreenfw)"; content: "Rule: 4501 "; classtype: not-suspicious; program: ossec; sid: 6004501; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - Netscreen informational message. (netscreenfw_rules.xml:netscreenfw)"; content: "Rule: 4504 "; classtype: system-event; program: ossec; sid: 6004504; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 10 - Multiple Netscreen critical messages. 
(netscreenfw_rules.xml:netscreenfw)"; content: "Rule: 4551 "; classtype: exploit-attempt; program: ossec; sid: 6004551; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 8 - Successfull admin login to the Netscreen firewall (netscreenfw_rules.xml:netscreenfw)"; content: "Rule: 4506 "; classtype: system-event; program: ossec; sid: 6004506; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 8 - Successfull admin login to the Netscreen firewall (netscreenfw_rules.xml:netscreenfw)"; content: "Rule: 4507 "; classtype: system-event; program: ossec; sid: 6004507; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 10 - Multiple Netscreen alert messages from same source IP. (netscreenfw_rules.xml:netscreenfw)"; content: "Rule: 4552 "; classtype: exploit-attempt; program: ossec; sid: 6004552; rev:1;) ## Rule group: pix_rules.xml:syslog,pix ## alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 8 - Attack in progress detected by the PIX. (pix_rules.xml:syslog,pix)"; content: "Rule: 4330 "; classtype: system-event; program: ossec; sid: 6004330; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 9 - Failed login attempt at the PIX firewall. (pix_rules.xml:syslog,pix)"; content: "Rule: 4321 "; classtype: system-event; program: ossec; sid: 6004321; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 8 - User created or modified on the Firewall. (pix_rules.xml:syslog,pix)"; content: "Rule: 4342 "; classtype: system-event; program: ossec; sid: 6004342; rev:1;) #(Level 3) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 3 - AAA (VPN) authentication successful. (pix_rules.xml:syslog,pix)"; content: "Rule: 4335 "; classtype: not-suspicious; program: ossec; sid: 6004335; rev:1;) #(Level 3) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 3 - Firewall command executed (for accounting only). 
(pix_rules.xml:syslog,pix)"; content: "Rule: 4341 "; classtype: not-suspicious; program: ossec; sid: 6004341; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 10 - Multiple PIX critical messages. (pix_rules.xml:syslog,pix)"; content: "Rule: 4381 "; classtype: exploit-attempt; program: ossec; sid: 6004381; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - PIX alert message. (pix_rules.xml:syslog,pix)"; content: "Rule: 4310 "; classtype: system-event; program: ossec; sid: 6004310; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 8 - Firewall configuration changed. (pix_rules.xml:syslog,pix)"; content: "Rule: 4340 "; classtype: system-event; program: ossec; sid: 6004340; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 10 - Multiple PIX alert messages. (pix_rules.xml:syslog,pix)"; content: "Rule: 4380 "; classtype: exploit-attempt; program: ossec; sid: 6004380; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 8 - Connection limit exceeded. (pix_rules.xml:syslog,pix)"; content: "Rule: 4327 "; classtype: system-event; program: ossec; sid: 6004327; rev:1;) #(Level 4) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 4 - PIX error message. (pix_rules.xml:syslog,pix)"; content: "Rule: 4312 "; classtype: not-suspicious; program: ossec; sid: 6004312; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 10 - Multiple attack in progress messages. (pix_rules.xml:syslog,pix)"; content: "Rule: 4385 "; classtype: exploit-attempt; program: ossec; sid: 6004385; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 10 - Multiple PIX warning messages. (pix_rules.xml:syslog,pix)"; content: "Rule: 4383 "; classtype: exploit-attempt; program: ossec; sid: 6004383; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 8 - Firewall configuration deleted. 
(pix_rules.xml:syslog,pix)"; content: "Rule: 4339 "; classtype: system-event; program: ossec; sid: 6004339; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 8 - Firewall failover pair communication problem. (pix_rules.xml:syslog,pix)"; content: "Rule: 4338 "; classtype: system-event; program: ossec; sid: 6004338; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 8 - The PIX is disallowing new connections. (pix_rules.xml:syslog,pix)"; content: "Rule: 4337 "; classtype: system-event; program: ossec; sid: 6004337; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 8 - Attack in progress detected by the PIX. (pix_rules.xml:syslog,pix)"; content: "Rule: 4332 "; classtype: system-event; program: ossec; sid: 6004332; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 10 - Multiple PIX error messages. (pix_rules.xml:syslog,pix)"; content: "Rule: 4382 "; classtype: exploit-attempt; program: ossec; sid: 6004382; rev:1;) #(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - PIX debug message. (pix_rules.xml:syslog,pix)"; content: "Rule: 4315 "; classtype: tcp-connection; program: ossec; sid: 6004315; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 9 - Password mismatch while running 'enable' on the PIX. (pix_rules.xml:syslog,pix)"; content: "Rule: 4324 "; classtype: system-event; program: ossec; sid: 6004324; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 8 - Attack in progress detected by the PIX. (pix_rules.xml:syslog,pix)"; content: "Rule: 4331 "; classtype: system-event; program: ossec; sid: 6004331; rev:1;) #(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - PIX notification/informational message. 
(pix_rules.xml:syslog,pix)"; content: "Rule: 4314 "; classtype: tcp-connection; program: ossec; sid: 6004314; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 8 - Attempt to connect from a blocked (shunned) IP. (pix_rules.xml:syslog,pix)"; content: "Rule: 4326 "; classtype: system-event; program: ossec; sid: 6004326; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 8 - AAA (VPN) user locked out. (pix_rules.xml:syslog,pix)"; content: "Rule: 4336 "; classtype: system-event; program: ossec; sid: 6004336; rev:1;) #(Level 4) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 4 - PIX warning message. (pix_rules.xml:syslog,pix)"; content: "Rule: 4313 "; classtype: not-suspicious; program: ossec; sid: 6004313; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 8 - Attack in progress detected by the PIX. (pix_rules.xml:syslog,pix)"; content: "Rule: 4333 "; classtype: system-event; program: ossec; sid: 6004333; rev:1;) #(Level 3) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 3 - Successful login to the PIX firewall. (pix_rules.xml:syslog,pix)"; content: "Rule: 4323 "; classtype: not-suspicious; program: ossec; sid: 6004323; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 10 - Nultiple AAA (VPN) authentication failures. (pix_rules.xml:syslog,pix)"; content: "Rule: 4386 "; classtype: exploit-attempt; program: ossec; sid: 6004386; rev:1;) #(Level 3) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 3 - Privilege changed in the PIX firewall. (pix_rules.xml:syslog,pix)"; content: "Rule: 4322 "; classtype: not-suspicious; program: ossec; sid: 6004322; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - AAA (VPN) authentication failed. 
(pix_rules.xml:syslog,pix)"; content: "Rule: 4334 "; classtype: system-event; program: ossec; sid: 6004334; rev:1;) #(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Grouping of PIX rules (pix_rules.xml:syslog,pix)"; content: "Rule: 4300 "; classtype: tcp-connection; program: ossec; sid: 6004300; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 8 - ARP collision detected by the PIX. (pix_rules.xml:syslog,pix)"; content: "Rule: 4325 "; classtype: system-event; program: ossec; sid: 6004325; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - PIX critical message. (pix_rules.xml:syslog,pix)"; content: "Rule: 4311 "; classtype: system-event; program: ossec; sid: 6004311; rev:1;) ## Rule group: syslog_rules.xml:syslog,mail ## #(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Ignoring procmail messages. (syslog_rules.xml:syslog,mail)"; content: "Rule: 2701 "; classtype: tcp-connection; program: ossec; sid: 6002701; rev:1;) ## Rule group: syslog_rules.xml:syslog,xinetd ## alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 10 - Excessive number connections to a service. (syslog_rules.xml:syslog,xinetd)"; content: "Rule: 2301 "; classtype: exploit-attempt; program: ossec; sid: 6002301; rev:1;) ## Rule group: syslog_rules.xml:syslog,access_control ## alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 10 - Connection to rshd from unprivileged port. Possible network scan. (syslog_rules.xml:syslog,access_control)"; content: "Rule: 2551 "; classtype: exploit-attempt; program: ossec; sid: 6002551; rev:1;) #(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - rshd messages grouped. 
(syslog_rules.xml:syslog,access_control)"; content: "Rule: 2550 "; classtype: tcp-connection; program: ossec; sid: 6002550; rev:1;) ## Rule group: syslog_rules.xml:syslog,dpkg ## #(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Dpkg (Debian Package) log. (syslog_rules.xml:syslog,dpkg)"; content: "Rule: 2900 "; classtype: tcp-connection; program: ossec; sid: 6002900; rev:1;) #(Level 3) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 3 - New dpkg (Debian Package) requested to install. (syslog_rules.xml:syslog,dpkg)"; content: "Rule: 2901 "; classtype: not-suspicious; program: ossec; sid: 6002901; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 7 - Dpkg (Debian Package) removed. (syslog_rules.xml:syslog,dpkg)"; content: "Rule: 2903 "; classtype: system-event; program: ossec; sid: 6002903; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 7 - New dpkg (Debian Package) installed. (syslog_rules.xml:syslog,dpkg)"; content: "Rule: 2902 "; classtype: system-event; program: ossec; sid: 6002902; rev:1;) ## Rule group: sonicwall_rules.xml:syslog,sonicwall ## alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 10 - Multiple firewall error messages. (sonicwall_rules.xml:syslog,sonicwall)"; content: "Rule: 4851 "; classtype: exploit-attempt; program: ossec; sid: 6004851; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 9 - Firewall authentication failure. (sonicwall_rules.xml:syslog,sonicwall)"; content: "Rule: 4811 "; classtype: system-event; program: ossec; sid: 6004811; rev:1;) #(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - SonicWall messages grouped. (sonicwall_rules.xml:syslog,sonicwall)"; content: "Rule: 4800 "; classtype: tcp-connection; program: ossec; sid: 6004800; rev:1;) #(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - SonicWall notice message. 
(sonicwall_rules.xml:syslog,sonicwall)"; content: "Rule: 4805 "; classtype: tcp-connection; program: ossec; sid: 6004805; rev:1;) #(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - SonicWall informational message. (sonicwall_rules.xml:syslog,sonicwall)"; content: "Rule: 4806 "; classtype: tcp-connection; program: ossec; sid: 6004806; rev:1;) #(Level 3) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 3 - Firewall administrator login. (sonicwall_rules.xml:syslog,sonicwall)"; content: "Rule: 4810 "; classtype: not-suspicious; program: ossec; sid: 6004810; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 8 - SonicWall critical message. (sonicwall_rules.xml:syslog,sonicwall)"; content: "Rule: 4802 "; classtype: system-event; program: ossec; sid: 6004802; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 10 - Multiple firewall warning messages. (sonicwall_rules.xml:syslog,sonicwall)"; content: "Rule: 4850 "; classtype: exploit-attempt; program: ossec; sid: 6004850; rev:1;) #(Level 4) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 4 - SonicWall error message. (sonicwall_rules.xml:syslog,sonicwall)"; content: "Rule: 4803 "; classtype: not-suspicious; program: ossec; sid: 6004803; rev:1;) #(Level 3) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 3 - SonicWall warning message. (sonicwall_rules.xml:syslog,sonicwall)"; content: "Rule: 4804 "; classtype: not-suspicious; program: ossec; sid: 6004804; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 8 - SonicWall critical message. (sonicwall_rules.xml:syslog,sonicwall)"; content: "Rule: 4801 "; classtype: system-event; program: ossec; sid: 6004801; rev:1;) #(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - SonicWall debug message. 
(sonicwall_rules.xml:syslog,sonicwall)"; content: "Rule: 4807 "; classtype: tcp-connection; program: ossec; sid: 6004807; rev:1;) ## Rule group: syslog_rules.xml:syslog,cron ## alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - Crontab entry changed. (syslog_rules.xml:syslog,cron)"; content: "Rule: 2832 "; classtype: system-event; program: ossec; sid: 6002832; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 8 - Root's crontab entry changed. (syslog_rules.xml:syslog,cron)"; content: "Rule: 2833 "; classtype: system-event; program: ossec; sid: 6002833; rev:1;) #(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Crontab rule group. (syslog_rules.xml:syslog,cron)"; content: "Rule: 2830 "; classtype: tcp-connection; program: ossec; sid: 6002830; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - Crontab opened for editing. (syslog_rules.xml:syslog,cron)"; content: "Rule: 2834 "; classtype: system-event; program: ossec; sid: 6002834; rev:1;) #(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Wrong crond configuration (syslog_rules.xml:syslog,cron)"; content: "Rule: 2831 "; classtype: tcp-connection; program: ossec; sid: 6002831; rev:1;) ## Rule group: squid_rules.xml:squid ## #(Level 4) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 4 - Squid generic error codes. (squid_rules.xml:squid)"; content: "Rule: 35002 "; classtype: not-suspicious; program: ossec; sid: 6035002; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 6 - Attempt to access a worm/trojan related site. (squid_rules.xml:squid)"; content: "Rule: 35022 "; classtype: system-event; program: ossec; sid: 6035022; rev:1;) #(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Ignoring multiple attempts from same source ip (alert only once). 
(squid_rules.xml:squid)"; content: "Rule: 35095 "; classtype: tcp-connection; program: ossec; sid: 6035095; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 10 - Multiple unauthorized attempts to use proxy. (squid_rules.xml:squid)"; content: "Rule: 35052 "; classtype: exploit-attempt; program: ossec; sid: 6035052; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 6 - Attempt to access a Beagle worm (or variant) file. (squid_rules.xml:squid)"; content: "Rule: 35021 "; classtype: system-event; program: ossec; sid: 6035021; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - Bad request/Invalid syntax. (squid_rules.xml:squid)"; content: "Rule: 35003 "; classtype: system-event; program: ossec; sid: 6035003; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - Forbidden: Attempt to access forbidden file or directory. (squid_rules.xml:squid)"; content: "Rule: 35005 "; classtype: system-event; program: ossec; sid: 6035005; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - Not Found: Attempt to access non-existent file or directory. (squid_rules.xml:squid)"; content: "Rule: 35006 "; classtype: system-event; program: ossec; sid: 6035006; rev:1;) #(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Ignored files on a 40x error. (squid_rules.xml:squid)"; content: "Rule: 35023 "; classtype: tcp-connection; program: ossec; sid: 6035023; rev:1;) #(Level 4) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 4 - Squid 503 error code (server unavailable). (squid_rules.xml:squid)"; content: "Rule: 35010 "; classtype: not-suspicious; program: ossec; sid: 6035010; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 10 - Multiple attempts to access forbidden file or directory from same source ip. 
(squid_rules.xml:squid)"; content: "Rule: 35051 "; classtype: exploit-attempt; program: ossec; sid: 6035051; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - Squid 500/600 error code (server error). (squid_rules.xml:squid)"; content: "Rule: 35009 "; classtype: system-event; program: ossec; sid: 6035009; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 10 - Multiple 500/600 error codes (server error). (squid_rules.xml:squid)"; content: "Rule: 35058 "; classtype: exploit-attempt; program: ossec; sid: 6035058; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - Squid 400 error code (request failed). (squid_rules.xml:squid)"; content: "Rule: 35008 "; classtype: system-event; program: ossec; sid: 6035008; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 10 - Multiple Bad requests/Invalid syntax. (squid_rules.xml:squid)"; content: "Rule: 35053 "; classtype: exploit-attempt; program: ossec; sid: 6035053; rev:1;) #(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Squid messages grouped. (squid_rules.xml:squid)"; content: "Rule: 35000 "; classtype: tcp-connection; program: ossec; sid: 6035000; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - Proxy Authentication Required: User is not authorized to use proxy. (squid_rules.xml:squid)"; content: "Rule: 35007 "; classtype: system-event; program: ossec; sid: 6035007; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 12 - Multiple attempts to access a worm/trojan/virus related web site. System probably infected. (squid_rules.xml:squid)"; content: "Rule: 35056 "; classtype: exploit-attempt; program: ossec; sid: 6035056; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 10 - Multiple 400 error codes (requests failed). 
(squid_rules.xml:squid)"; content: "Rule: 35057 "; classtype: exploit-attempt; program: ossec; sid: 6035057; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - Unauthorized: Failed attempt to access authorization-required file or directory. (squid_rules.xml:squid)"; content: "Rule: 35004 "; classtype: system-event; program: ossec; sid: 6035004; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 12 - Infected machine with W32.Beagle.DP. (squid_rules.xml:squid)"; content: "Rule: 35054 "; classtype: exploit-attempt; program: ossec; sid: 6035054; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 10 - Multiple attempts to access a non-existent file. (squid_rules.xml:squid)"; content: "Rule: 35055 "; classtype: exploit-attempt; program: ossec; sid: 6035055; rev:1;) ## Rule group: vsftpd_rules.xml:syslog,vsftpd ## alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 10 - FTP brute force (multiple failed logins). (vsftpd_rules.xml:syslog,vsftpd)"; content: "Rule: 11451 "; classtype: exploit-attempt; program: ossec; sid: 6011451; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 10 - Multiple FTP connection attempts from same source IP. (vsftpd_rules.xml:syslog,vsftpd)"; content: "Rule: 11452 "; classtype: exploit-attempt; program: ossec; sid: 6011452; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - Login failed accessing the FTP server. (vsftpd_rules.xml:syslog,vsftpd)"; content: "Rule: 11403 "; classtype: system-event; program: ossec; sid: 6011403; rev:1;) #(Level 3) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 3 - FTP session opened. (vsftpd_rules.xml:syslog,vsftpd)"; content: "Rule: 11401 "; classtype: not-suspicious; program: ossec; sid: 6011401; rev:1;) #(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - FTP server file upload. 
(vsftpd_rules.xml:syslog,vsftpd)"; content: "Rule: 11404 "; classtype: tcp-connection; program: ossec; sid: 6011404; rev:1;) #(Level 3) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 3 - FTP Authentication success. (vsftpd_rules.xml:syslog,vsftpd)"; content: "Rule: 11402 "; classtype: not-suspicious; program: ossec; sid: 6011402; rev:1;) #(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Grouping for the vsftpd rules. (vsftpd_rules.xml:syslog,vsftpd)"; content: "Rule: 11400 "; classtype: tcp-connection; program: ossec; sid: 6011400; rev:1;) ## Rule group: vmpop3d_rules.xml:syslog,vm-pop3d ## alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 10 - POP3 brute force (multiple failed logins). (vmpop3d_rules.xml:syslog,vm-pop3d)"; content: "Rule: 9820 "; classtype: exploit-attempt; program: ossec; sid: 6009820; rev:1;) #(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Grouping for the vm-pop3d rules. (vmpop3d_rules.xml:syslog,vm-pop3d)"; content: "Rule: 9800 "; classtype: tcp-connection; program: ossec; sid: 6009800; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - Login failed accessing the pop3 server. (vmpop3d_rules.xml:syslog,vm-pop3d)"; content: "Rule: 9801 "; classtype: system-event; program: ossec; sid: 6009801; rev:1;) ## Rule group: zeus_rules.xml:zeus ## alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 12 - Zeus fatal log. (zeus_rules.xml:zeus)"; content: "Rule: 31204 "; classtype: exploit-attempt; program: ossec; sid: 6031204; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 9 - Zeus serious log. (zeus_rules.xml:zeus)"; content: "Rule: 31203 "; classtype: system-event; program: ossec; sid: 6031203; rev:1;) #(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Grouping of Zeus rules. 
(zeus_rules.xml:zeus)"; content: "Rule: 31200 "; classtype: tcp-connection; program: ossec; sid: 6031200; rev:1;) #(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Grouping of Zeus informational logs. (zeus_rules.xml:zeus)"; content: "Rule: 31201 "; classtype: tcp-connection; program: ossec; sid: 6031201; rev:1;) #(Level 4) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 4 - Zeus warning log. (zeus_rules.xml:zeus)"; content: "Rule: 31202 "; classtype: not-suspicious; program: ossec; sid: 6031202; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 10 - Multiple Zeus warnings. (zeus_rules.xml:zeus)"; content: "Rule: 31251 "; classtype: exploit-attempt; program: ossec; sid: 6031251; rev:1;) #(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Configuration warning (ignored). (zeus_rules.xml:zeus)"; content: "Rule: 31206 "; classtype: tcp-connection; program: ossec; sid: 6031206; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 8 - Admin authentication failed. (zeus_rules.xml:zeus)"; content: "Rule: 31205 "; classtype: system-event; program: ossec; sid: 6031205; rev:1;) ## Rule group: pure-ftpd_rules.xml:syslog,pure-ftpd ## #(Level 3) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 3 - FTP Authentication success. (pure-ftpd_rules.xml:syslog,pure-ftpd)"; content: "Rule: 11309 "; classtype: not-suspicious; program: ossec; sid: 6011309; rev:1;) #(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - FTP user logout/timeout (pure-ftpd_rules.xml:syslog,pure-ftpd)"; content: "Rule: 11303 "; classtype: tcp-connection; program: ossec; sid: 6011303; rev:1;) #(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Grouping for the pure-ftpd rules. 
(pure-ftpd_rules.xml:syslog,pure-ftpd)"; content: "Rule: 11300 "; classtype: tcp-connection; program: ossec; sid: 6011300; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - Attempt to access invalid directory (pure-ftpd_rules.xml:syslog,pure-ftpd)"; content: "Rule: 11305 "; classtype: system-event; program: ossec; sid: 6011305; rev:1;) #(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - FTP notice messages (pure-ftpd_rules.xml:syslog,pure-ftpd)"; content: "Rule: 11304 "; classtype: tcp-connection; program: ossec; sid: 6011304; rev:1;) #(Level 3) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 3 - New FTP connection. (pure-ftpd_rules.xml:syslog,pure-ftpd)"; content: "Rule: 11301 "; classtype: not-suspicious; program: ossec; sid: 6011301; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - FTP Authentication failed. (pure-ftpd_rules.xml:syslog,pure-ftpd)"; content: "Rule: 11302 "; classtype: system-event; program: ossec; sid: 6011302; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 10 - FTP brute force (multiple failed logins). (pure-ftpd_rules.xml:syslog,pure-ftpd)"; content: "Rule: 11306 "; classtype: exploit-attempt; program: ossec; sid: 6011306; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 10 - Multiple connection attempts from same source. (pure-ftpd_rules.xml:syslog,pure-ftpd)"; content: "Rule: 11307 "; classtype: exploit-attempt; program: ossec; sid: 6011307; rev:1;) ## Rule group: smbd_rules.xml:syslog,smbd ## #(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Samba network problems. (smbd_rules.xml:syslog,smbd)"; content: "Rule: 13101 "; classtype: tcp-connection; program: ossec; sid: 6013101; rev:1;) #(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Samba network problems. 
(smbd_rules.xml:syslog,smbd)"; content: "Rule: 13103 "; classtype: tcp-connection; program: ossec; sid: 6013103; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - User action denied by configuration. (smbd_rules.xml:syslog,smbd)"; content: "Rule: 13104 "; classtype: system-event; program: ossec; sid: 6013104; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - Samba connection denied. (smbd_rules.xml:syslog,smbd)"; content: "Rule: 13102 "; classtype: system-event; program: ossec; sid: 6013102; rev:1;) #(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Grouping for the smbd rules. (smbd_rules.xml:syslog,smbd)"; content: "Rule: 13100 "; classtype: tcp-connection; program: ossec; sid: 6013100; rev:1;) #(Level 3) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 3 - Samba network problems (unable to connect). (smbd_rules.xml:syslog,smbd)"; content: "Rule: 13105 "; classtype: not-suspicious; program: ossec; sid: 6013105; rev:1;) ## Rule group: syslog_rules.xml:syslog,errors ## alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 7 - File system full. (syslog_rules.xml:syslog,errors)"; content: "Rule: 1007 "; classtype: system-event; program: ossec; sid: 6001007; rev:1;) #(Level 2) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 2 - Unknown problem somewhere in the system. (syslog_rules.xml:syslog,errors)"; content: "Rule: 1002 "; classtype: not-suspicious; program: ossec; sid: 6001002; rev:1;) #(Level 2) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 2 - File missing. Root access unrestricted. (syslog_rules.xml:syslog,errors)"; content: "Rule: 1001 "; classtype: not-suspicious; program: ossec; sid: 6001001; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - Syslogd restarted. 
(syslog_rules.xml:syslog,errors)"; content: "Rule: 1005 "; classtype: system-event; program: ossec; sid: 6001005; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - Syslogd exiting (logging stopped). (syslog_rules.xml:syslog,errors)"; content: "Rule: 1004 "; classtype: system-event; program: ossec; sid: 6001004; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - Syslogd restarted. (syslog_rules.xml:syslog,errors)"; content: "Rule: 1006 "; classtype: system-event; program: ossec; sid: 6001006; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 13 - Non standard syslog message (size too large). (syslog_rules.xml:syslog,errors)"; content: "Rule: 1003 "; classtype: exploit-attempt; program: ossec; sid: 6001003; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - Process exiting (killed). (syslog_rules.xml:syslog,errors)"; content: "Rule: 1008 "; classtype: system-event; program: ossec; sid: 6001008; rev:1;) ## Rule group: syslog_rules.xml:syslog,sudo ## #(Level 4) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 4 - First time user executed sudo. 
(syslog_rules.xml:syslog,sudo)"; content: "Rule: 5403 "; classtype: not-suspicious; program: ossec; sid: 6005403; rev:1;) #(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Initial group for sudo messages (syslog_rules.xml:syslog,sudo)"; content: "Rule: 5400 "; classtype: tcp-connection; program: ossec; sid: 6005400; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 10 - Three failed attempts to run sudo (syslog_rules.xml:syslog,sudo)"; content: "Rule: 5401 "; classtype: exploit-attempt; program: ossec; sid: 6005401; rev:1;) #(Level 3) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 3 - Successful sudo to ROOT executed (syslog_rules.xml:syslog,sudo)"; content: "Rule: 5402 "; classtype: not-suspicious; program: ossec; sid: 6005402; rev:1;) ## Rule group: vpopmail_rules.xml:syslog,vpopmail ## alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 10 - Vpopmail brute force (multiple failed logins). (vpopmail_rules.xml:syslog,vpopmail)"; content: "Rule: 9951 "; classtype: exploit-attempt; program: ossec; sid: 6009951; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - Attempt to login to vpopmail with invalid username. (vpopmail_rules.xml:syslog,vpopmail)"; content: "Rule: 9902 "; classtype: system-event; program: ossec; sid: 6009902; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - Attempt to login to vpopmail with empty password. (vpopmail_rules.xml:syslog,vpopmail)"; content: "Rule: 9903 "; classtype: system-event; program: ossec; sid: 6009903; rev:1;) #(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Grouping for the vpopmail rules. (vpopmail_rules.xml:syslog,vpopmail)"; content: "Rule: 9900 "; classtype: tcp-connection; program: ossec; sid: 6009900; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 10 - VPOPMAIL brute force (empty password). 
(vpopmail_rules.xml:syslog,vpopmail)"; content: "Rule: 9953 "; classtype: exploit-attempt; program: ossec; sid: 6009953; rev:1;) #(Level 1) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 1 - Vpopmail successful login. (vpopmail_rules.xml:syslog,vpopmail)"; content: "Rule: 9904 "; classtype: not-suspicious; program: ossec; sid: 6009904; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - Login failed for vpopmail. (vpopmail_rules.xml:syslog,vpopmail)"; content: "Rule: 9901 "; classtype: system-event; program: ossec; sid: 6009901; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 10 - Vpopmail brute force (email harvesting). (vpopmail_rules.xml:syslog,vpopmail)"; content: "Rule: 9952 "; classtype: exploit-attempt; program: ossec; sid: 6009952; rev:1;) ## Rule group: mcafee_av_rules.xml:mcafee ## alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 7 - McAfee Windows AV - Virus program or DAT update failed. (mcafee_av_rules.xml:mcafee)"; content: "Rule: 07512 "; classtype: system-event; program: ossec; sid: 6007512; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 7 - McAfee Windows AV - Virus detected and file will be deleted. (mcafee_av_rules.xml:mcafee)"; content: "Rule: 7506 "; classtype: system-event; program: ossec; sid: 6007506; rev:1;) #(Level 3) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 3 - McAfee Windows AV - Scan completed with no viruses found. (mcafee_av_rules.xml:mcafee)"; content: "Rule: 7508 "; classtype: not-suspicious; program: ossec; sid: 6007508; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 10 - Multiple McAfee AV warning events. 
(mcafee_av_rules.xml:mcafee)"; content: "Rule: 7550 "; classtype: exploit-attempt; program: ossec; sid: 6007550; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 7 - McAfee Windows AV - Virus program or DAT update cancelled. (mcafee_av_rules.xml:mcafee)"; content: "Rule: 7513 "; classtype: system-event; program: ossec; sid: 6007513; rev:1;) #(Level 2) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 2 - McAfee Windows AV informational event. (mcafee_av_rules.xml:mcafee)"; content: "Rule: 7501 "; classtype: not-suspicious; program: ossec; sid: 6007501; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 12 - McAfee Windows AV - Virus detected and not removed. (mcafee_av_rules.xml:mcafee)"; content: "Rule: 7504 "; classtype: exploit-attempt; program: ossec; sid: 6007504; rev:1;) #(Level 3) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 3 - McAfee Windows AV warning event. (mcafee_av_rules.xml:mcafee)"; content: "Rule: 7502 "; classtype: not-suspicious; program: ossec; sid: 6007502; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 7 - McAfee Windows AV - Virus scan cancelled. (mcafee_av_rules.xml:mcafee)"; content: "Rule: 7509 "; classtype: system-event; program: ossec; sid: 6007509; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - McAfee Windows AV - EICAR test file detected. (mcafee_av_rules.xml:mcafee)"; content: "Rule: 7514 "; classtype: system-event; program: ossec; sid: 6007514; rev:1;) #(Level 4) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 4 - McAfee Windows AV error event. (mcafee_av_rules.xml:mcafee)"; content: "Rule: 7503 "; classtype: not-suspicious; program: ossec; sid: 6007503; rev:1;) #(Level 3) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 3 - McAfee Windows AV - Scan started or stopped. 
(mcafee_av_rules.xml:mcafee)"; content: "Rule: 7507 "; classtype: not-suspicious; program: ossec; sid: 6007507; rev:1;) #(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Grouping of McAfee Windows AV rules. (mcafee_av_rules.xml:mcafee)"; content: "Rule: 7500 "; classtype: tcp-connection; program: ossec; sid: 6007500; rev:1;) #(Level 3) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 3 - McAfee Windows AV - Virus program or DAT update succeeded. (mcafee_av_rules.xml:mcafee)"; content: "Rule: 7511 "; classtype: not-suspicious; program: ossec; sid: 6007511; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 7 - McAfee Windows AV - Virus detected and properly removed. (mcafee_av_rules.xml:mcafee)"; content: "Rule: 7505 "; classtype: system-event; program: ossec; sid: 6007505; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - McAfee Windows AV - Virus scan cancelled due to shutdown. (mcafee_av_rules.xml:mcafee)"; content: "Rule: 7510 "; classtype: system-event; program: ossec; sid: 6007510; rev:1;) ## Rule group: firewall_rules.xml:firewall ## alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 10 - Multiple Firewall drop events from same source. (firewall_rules.xml:firewall)"; content: "Rule: 4151 "; classtype: exploit-attempt; program: ossec; sid: 6004151; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - Firewall drop event. (firewall_rules.xml:firewall)"; content: "Rule: 4101 "; classtype: system-event; program: ossec; sid: 6004101; rev:1;) #(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Firewall rules grouped. 
(firewall_rules.xml:firewall)"; content: "Rule: 4100 "; classtype: tcp-connection; program: ossec; sid: 6004100; rev:1;) ## Rule group: hordeimp_rules.xml:syslog,hordeimp ## alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 10 - Multiple Horde emergency messages. (hordeimp_rules.xml:syslog,hordeimp)"; content: "Rule: 9352 "; classtype: exploit-attempt; program: ossec; sid: 6009352; rev:1;) #(Level 3) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 3 - Horde IMP successful login. (hordeimp_rules.xml:syslog,hordeimp)"; content: "Rule: 9305 "; classtype: not-suspicious; program: ossec; sid: 6009305; rev:1;) #(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Grouping for the Horde imp rules. (hordeimp_rules.xml:syslog,hordeimp)"; content: "Rule: 9300 "; classtype: tcp-connection; program: ossec; sid: 6009300; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 9 - Horde IMP emergency message. (hordeimp_rules.xml:syslog,hordeimp)"; content: "Rule: 9304 "; classtype: system-event; program: ossec; sid: 6009304; rev:1;) #(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Horde IMP informational message. (hordeimp_rules.xml:syslog,hordeimp)"; content: "Rule: 9301 "; classtype: tcp-connection; program: ossec; sid: 6009301; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - Horde IMP Failed login. (hordeimp_rules.xml:syslog,hordeimp)"; content: "Rule: 9306 "; classtype: system-event; program: ossec; sid: 6009306; rev:1;) #(Level 3) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 3 - Horde IMP notice message. (hordeimp_rules.xml:syslog,hordeimp)"; content: "Rule: 9302 "; classtype: not-suspicious; program: ossec; sid: 6009302; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - Horde IMP error message. 
(hordeimp_rules.xml:syslog,hordeimp)"; content: "Rule: 9303 "; classtype: system-event; program: ossec; sid: 6009303; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 10 - Horde brute force (multiple failed logins). (hordeimp_rules.xml:syslog,hordeimp)"; content: "Rule: 9351 "; classtype: exploit-attempt; program: ossec; sid: 6009351; rev:1;) ## Rule group: rules_config.xml:syslog ## #(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Generic template for all syslog rules. (rules_config.xml:syslog)"; content: "Rule: 01 "; classtype: tcp-connection; program: ossec; sid: 6000001; rev:1;) ## Rule group: pam_rules.xml:pam,syslog ## #(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Grouping of the pam_unix rules. (pam_rules.xml:pam,syslog)"; content: "Rule: 5500 "; classtype: tcp-connection; program: ossec; sid: 6005500; rev:1;) #(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Ignoring Annoying Ubuntu/debian cron login events. (pam_rules.xml:pam,syslog)"; content: "Rule: 5521 "; classtype: tcp-connection; program: ossec; sid: 6005521; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - User login failed. (pam_rules.xml:pam,syslog)"; content: "Rule: 5503 "; classtype: system-event; program: ossec; sid: 6005503; rev:1;) #(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Ignoring Annoying Ubuntu/debian cron login events. (pam_rules.xml:pam,syslog)"; content: "Rule: 5522 "; classtype: tcp-connection; program: ossec; sid: 6005522; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - Attempt to login with an invalid user. (pam_rules.xml:pam,syslog)"; content: "Rule: 5504 "; classtype: system-event; program: ossec; sid: 6005504; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 10 - Multiple failed logins in a small period of time. 
(pam_rules.xml:pam,syslog)"; content: "Rule: 5551 "; classtype: exploit-attempt; program: ossec; sid: 6005551; rev:1;) #(Level 3) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 3 - Login session opened. (pam_rules.xml:pam,syslog)"; content: "Rule: 5501 "; classtype: not-suspicious; program: ossec; sid: 6005501; rev:1;) #(Level 3) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 3 - Login session closed. (pam_rules.xml:pam,syslog)"; content: "Rule: 5502 "; classtype: not-suspicious; program: ossec; sid: 6005502; rev:1;) ## Rule group: ms-se_rules.xml:windows,mse ## alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 7 - Microsoft Security Essentials - Virus detected. (ms-se_rules.xml:windows,mse)"; content: "Rule: 7712 "; classtype: system-event; program: ossec; sid: 6007712; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 7 - Microsoft Security Essentials - Virus detected and properly removed. (ms-se_rules.xml:windows,mse)"; content: "Rule: 7711 "; classtype: system-event; program: ossec; sid: 6007711; rev:1;) #(Level 3) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 3 - Microsoft Security Essentials - Configuration changed. (ms-se_rules.xml:windows,mse)"; content: "Rule: 7720 "; classtype: not-suspicious; program: ossec; sid: 6007720; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 12 - Microsoft Security Essentials - Virus detected, but unable to remove. (ms-se_rules.xml:windows,mse)"; content: "Rule: 7710 "; classtype: exploit-attempt; program: ossec; sid: 6007710; rev:1;) #(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Grouping of Microsoft Security Essentials rules. 
(ms-se_rules.xml:windows,mse)"; content: "Rule: 7701 "; classtype: tcp-connection; program: ossec; sid: 6007701; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - Microsoft Security Essentials - EICAR test file detected. (ms-se_rules.xml:windows,mse)"; content: "Rule: 7731 "; classtype: system-event; program: ossec; sid: 6007731; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 10 - Multiple Microsoft Security Essentials AV warnings detected. (ms-se_rules.xml:windows,mse)"; content: "Rule: 7750 "; classtype: exploit-attempt; program: ossec; sid: 6007750; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 10 - Multiple Microsoft Security Essentials AV warnings detected. (ms-se_rules.xml:windows,mse)"; content: "Rule: 7751 "; classtype: exploit-attempt; program: ossec; sid: 6007751; rev:1;) ## Rule group: cimserver_rules.xml:syslog,cimserver ## alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 12 - Compaq Insight Manager stopped. (cimserver_rules.xml:syslog,cimserver)"; content: "Rule: 9611 "; classtype: exploit-attempt; program: ossec; sid: 6009611; rev:1;) #(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - cimserver messages grouped. (cimserver_rules.xml:syslog,cimserver)"; content: "Rule: 9600 "; classtype: tcp-connection; program: ossec; sid: 6009600; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - Compaq Insight Manager authentication failure. (cimserver_rules.xml:syslog,cimserver)"; content: "Rule: 9610 "; classtype: system-event; program: ossec; sid: 6009610; rev:1;) ## Rule group: sendmail_rules.xml:syslog,sendmail ## alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 6 - Attepmt to use mail server as relay (550: Requested action not taken). 
(sendmail_rules.xml:syslog,sendmail)"; content: "Rule: 3104 "; classtype: system-event; program: ossec; sid: 6003104; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 6 - Multiple relaying attempts of spam. (sendmail_rules.xml:syslog,sendmail)"; content: "Rule: 3153 "; classtype: system-event; program: ossec; sid: 6003153; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 6 - Rejected by access list (55x: Requested action not taken). (sendmail_rules.xml:syslog,sendmail)"; content: "Rule: 3103 "; classtype: system-event; program: ossec; sid: 6003103; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - Sender domain does not have any valid MX record (Requested action aborted). (sendmail_rules.xml:syslog,sendmail)"; content: "Rule: 3102 "; classtype: system-event; program: ossec; sid: 6003102; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 10 - Multiple pre-greetings rejects. (sendmail_rules.xml:syslog,sendmail)"; content: "Rule: 3158 "; classtype: exploit-attempt; program: ossec; sid: 6003158; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 8 - Sendmail save mail panic. (sendmail_rules.xml:syslog,sendmail)"; content: "Rule: 3109 "; classtype: system-event; program: ossec; sid: 6003109; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 6 - Multiple attempts to send e-mail from a previously rejected sender (access). (sendmail_rules.xml:syslog,sendmail)"; content: "Rule: 3152 "; classtype: system-event; program: ossec; sid: 6003152; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - Sender domain is not found (553: Requested action not taken). (sendmail_rules.xml:syslog,sendmail)"; content: "Rule: 3105 "; classtype: system-event; program: ossec; sid: 6003105; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 10 - Sender domain has bogus MX record. 
It should not be sending e-mail. (sendmail_rules.xml:syslog,sendmail)"; content: "Rule: 3151 "; classtype: exploit-attempt; program: ossec; sid: 6003151; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 6 - Sendmail rejected due to pre-greeting. (sendmail_rules.xml:syslog,sendmail)"; content: "Rule: 3108 "; classtype: system-event; program: ossec; sid: 6003108; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - Sender address does not have domain (553: Requested action not taken). (sendmail_rules.xml:syslog,sendmail)"; content: "Rule: 3106 "; classtype: system-event; program: ossec; sid: 6003106; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 10 - Multiple attempts to send e-mail from invalid/unknown sender domain. (sendmail_rules.xml:syslog,sendmail)"; content: "Rule: 3154 "; classtype: exploit-attempt; program: ossec; sid: 6003154; rev:1;) #(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Grouping of the smf-sav sendmail milter rules. (sendmail_rules.xml:syslog,sendmail)"; content: "Rule: 3190 "; classtype: tcp-connection; program: ossec; sid: 6003190; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 6 - SMF-SAV sendmail milter unable to verify address (REJECTED). (sendmail_rules.xml:syslog,sendmail)"; content: "Rule: 3191 "; classtype: system-event; program: ossec; sid: 6003191; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 10 - Multiple attempts to send e-mail from invalid/unknown sender. (sendmail_rules.xml:syslog,sendmail)"; content: "Rule: 3155 "; classtype: exploit-attempt; program: ossec; sid: 6003155; rev:1;) #(Level 4) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 4 - Sendmail rejected message. 
(sendmail_rules.xml:syslog,sendmail)"; content: "Rule: 3107 "; classtype: not-suspicious; program: ossec; sid: 6003107; rev:1;) #(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Grouping of the sendmail reject rules. (sendmail_rules.xml:syslog,sendmail)"; content: "Rule: 3101 "; classtype: tcp-connection; program: ossec; sid: 6003101; rev:1;) #(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Grouping of the sendmail rules. (sendmail_rules.xml:syslog,sendmail)"; content: "Rule: 3100 "; classtype: tcp-connection; program: ossec; sid: 6003100; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 10 - Multiple rejected e-mails from same source ip. (sendmail_rules.xml:syslog,sendmail)"; content: "Rule: 3156 "; classtype: exploit-attempt; program: ossec; sid: 6003156; rev:1;) ## Rule group: wordpress_rules.xml:syslog,wordpress ## alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 7 - Wordpress Comment Flood Attempt. (wordpress_rules.xml:syslog,wordpress)"; content: "Rule: 9505 "; classtype: system-event; program: ossec; sid: 6009505; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - Wordpress authentication failed. (wordpress_rules.xml:syslog,wordpress)"; content: "Rule: 9501 "; classtype: system-event; program: ossec; sid: 6009501; rev:1;) #(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Wordpress messages grouped. (wordpress_rules.xml:syslog,wordpress)"; content: "Rule: 9500 "; classtype: tcp-connection; program: ossec; sid: 6009500; rev:1;) #(Level 3) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 3 - Wordpress authentication succeeded. (wordpress_rules.xml:syslog,wordpress)"; content: "Rule: 9502 "; classtype: not-suspicious; program: ossec; sid: 6009502; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 7 - Attack against Wordpress detected. 
(wordpress_rules.xml:syslog,wordpress)"; content: "Rule: 9510 "; classtype: system-event; program: ossec; sid: 6009510; rev:1;) #(Level 3) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 3 - WPsyslog was successfully initialized. (wordpress_rules.xml:syslog,wordpress)"; content: "Rule: 9503 "; classtype: not-suspicious; program: ossec; sid: 6009503; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 10 - Multiple wordpress authentication failures. (wordpress_rules.xml:syslog,wordpress)"; content: "Rule: 9551 "; classtype: exploit-attempt; program: ossec; sid: 6009551; rev:1;) #(Level 3) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 3 - Wordpress plugin deactivated. (wordpress_rules.xml:syslog,wordpress)"; content: "Rule: 9504 "; classtype: not-suspicious; program: ossec; sid: 6009504; rev:1;) sagan-1.2.0/rules/openssh-bluedot.rules0000644000175000017500000000661513310533411017070 0ustar champchamp# Sagan openssh-bluedot.rules # Copyright (c) 2009-2017, Quadrant Information Security # All rights reserved. # # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list # #************************************************************* # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. 
# # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. # #************************************************************* # # Not getting the source IP addresses that you'd expect? Then you probably # have OpenSSH's "UseDNS" set to "Yes" in your sshd_config file. You'll # need to set that to "No" so Sagan can "find" the source IP addresses and # port information. 
# 10.1.7.2|authpriv|info|info|56|2013-12-02|14:21:19|sshd| Accepted password for bob from 10.1.16.1 port 51860 ssh2 alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[OPENSSH-BLUEDOT] Authentication success via password from suspicious source"; content: "Accepted password"; default_proto: tcp; default_dst_port: $SSH_PORT; classtype: successful-user; reference: url,wiki.quadrantsec.com/bin/view/Main/5002905; normalize; program: sshd; bluedot: type ip_reputation, track by_src, none, Malicious,Tor,Honeypot,Proxy; sid:5002905; rev:4;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[OPENSSH-BLUEDOT] Authentication success via publickey from suspicious source"; content: "Accepted publickey"; default_proto: tcp; default_dst_port: $SSH_PORT; classtype: successful-user; reference: url,wiki.quadrantsec.com/bin/view/Main/5002906; normalize; program: sshd; bluedot: type ip_reputation, track by_src, none, Malicious,Tor,Honeypot,Proxy; sid:5002906; rev:4;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[OPENSSH-BLUEDOT] Authentication success via keyboard from suspicious source"; content: "Accepted keyboard-interactive"; default_proto: tcp; default_dst_port: $SSH_PORT; classtype: successful-user; reference: url,wiki.quadrantsec.com/bin/view/Main/5002907; normalize; program: sshd; bluedot: type ip_reputation, track by_src, none, Malicious,Tor,Honeypot,Proxy; sid:5002907; rev:4;) sagan-1.2.0/rules/openssh-aetas.rules0000644000175000017500000000645313310533411016527 0ustar champchamp# Sagan openssh-aetas.rules # Copyright (c) 2009-2017, Quadrant Information Security # All rights reserved. 
# # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list # #************************************************************* # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. # #************************************************************* # # Not getting the source IP addresses that you'd expect? Then you probably # have OpenSSH's "UseDNS" set to "Yes" in your sshd_config file. You'll # need to set that to "No" so Sagan can "find" the source IP addresses and # port information. 
# 10.1.7.2|authpriv|info|info|56|2013-12-02|14:21:19|sshd| Accepted password for bob from 10.1.16.1 port 51860 ssh2 alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[OPENSSH-AETAS] Authentication success via password at suspicious time"; content: "Accepted password"; default_proto: tcp; default_dst_port: $SSH_PORT; classtype: successful-user; reference: url,wiki.quadrantsec.com/bin/view/Main/5002049; normalize; program: sshd; alert_time: days $SAGAN_DAYS, hours $SAGAN_HOURS; sid: 5002049; rev:4;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[OPENSSH-AETAS] Authentication success via publickey at suspicious time"; content: "Accepted publickey"; default_proto: tcp; default_dst_port: $SSH_PORT; classtype: successful-user; reference: url,wiki.quadrantsec.com/bin/view/Main/5002050; normalize; program: sshd; alert_time: days $SAGAN_DAYS, hours $SAGAN_HOURS; sid: 5002050; rev:4;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[OPENSSH-AETAS] Authentication success via keyboard at suspicious time"; content: "Accepted keyboard-interactive"; default_proto: tcp; default_dst_port: $SSH_PORT; classtype: successful-user; reference: url,wiki.quadrantsec.com/bin/view/Main/5002051; normalize; program: sshd; alert_time: days $SAGAN_DAYS, hours $SAGAN_HOURS; sid: 5002051; rev:4;) sagan-1.2.0/rules/fortinet-correlated.rules0000644000175000017500000001710213310533411017722 0ustar champchamp# Sagan fortinet-correlated.rules # Copyright (c) 2009-2017, Quadrant Information Security # All rights reserved. # # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list # #************************************************************* # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. 
# * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
# #************************************************************* alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET-CORRELATED] Login accepted after recon activity"; content: "32006 type="; content: "login"; pcre: "/accepted|successfully/"; parse_src_ip: 1; xbits: isset,by_src,recon; classtype: correlated-attack; reference: url,wiki.quadrantsec.com/bin/view/Main/5003265; sid:5003265; rev:1;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET-CORRELATED] Login accepted after honeypot activity"; content: "32006 type="; content: "login"; pcre: "/accepted|successfully/"; parse_src_ip: 1; xbits: isset,by_src,honeypot; classtype: correlated-attack; reference: url,wiki.quadrantsec.com/bin/view/Main/5003266; sid:5003266; rev:1;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET-CORRELATED] Login accepted after exploit attempt"; content: "32006 type="; content: "login"; pcre: "/accepted|successfully/"; parse_src_ip: 1; xbits: isset,by_src,exploit_attempt; classtype: correlated-attack; reference: url,wiki.quadrantsec.com/bin/view/Main/5003267; sid:5003267; rev:1;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET-CORRELATED] Login accepted brute force activity"; content: "32006 type="; content: "login"; pcre: "/accepted|successfully/"; parse_src_ip: 1; xbits: isset,by_src,brute_force; classtype: correlated-attack; reference: url,wiki.quadrantsec.com/bin/view/Main/5003268; sid:5003268; rev:1;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET-CORRELATED] Administrator Login after suspicious activity"; content: "32001 type="; content: "logged in"; parse_src_ip: 1; xbits: isset,by_src,recon|honeypot|exploit_attempt|brute_force; classtype: correlated-attack; reference: url,wiki.quadrantsec.com/bin/view/Main/5002372; sid:5002372; rev:5;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET-CORRELATED] Administrator Login after recon activity"; content: "32001 type="; content: "logged in"; parse_src_ip: 1; xbits: 
isset,by_src,recon; classtype: correlated-attack; reference: url,wiki.quadrantsec.com/bin/view/Main/5003269; sid:5003269; rev:1;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET-CORRELATED] Administrator Login after honeypot activity"; content: "32001 type="; content: "logged in"; parse_src_ip: 1; xbits: isset,by_src,honeypot; classtype: correlated-attack; reference: url,wiki.quadrantsec.com/bin/view/Main/5003270; sid:5003270; rev:1;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET-CORRELATED] Administrator Login after exploit attempt"; content: "32001 type="; content: "logged in"; parse_src_ip: 1; xbits: isset,by_src,exploit_attempt; classtype: correlated-attack; reference: url,wiki.quadrantsec.com/bin/view/Main/5003271; sid:5003271; rev:1;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET-CORRELATED] Administrator Login after brute force activity"; content: "32001 type="; content: "logged in"; parse_src_ip: 1; xbits: isset,by_src,brute_force; classtype: correlated-attack; reference: url,wiki.quadrantsec.com/bin/view/Main/5003272; sid:5003272; rev:1;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET-CORRELATED] Admin authentication success after recon activity"; content: "38001 type="; content: "succeeded in authentication"; parse_src_ip: 1; xbits: isset,by_src,recon; classtype: correlated-attack; reference: url,wiki.quadrantsec.com/bin/view/Main/5003273; sid:5003273; rev:1;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET-CORRELATED] Admin authentication success after honeypot activity"; content: "38001 type="; content: "succeeded in authentication"; parse_src_ip: 1; xbits: isset,by_src,honeypot; classtype: correlated-attack; reference: url,wiki.quadrantsec.com/bin/view/Main/5003274; sid:5003274; rev:1;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET-CORRELATED] Admin authentication success after exploit attempt"; content: "38001 type="; content: "succeeded in authentication"; 
parse_src_ip: 1; xbits: isset,by_src,exploit_attempt; classtype: correlated-attack; reference: url,wiki.quadrantsec.com/bin/view/Main/5003275; sid:5003275; rev:1;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET-CORRELATED] Admin authentication success after brute force"; content: "38001 type="; content: "succeeded in authentication"; parse_src_ip: 1; xbits: isset,by_src,brute_force; classtype: correlated-attack; reference: url,wiki.quadrantsec.com/bin/view/Main/5003276; sid:5003276; rev:1;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET-CORRELATED] SSH traffic detected after recon activity"; content: " service=SSH "; content:!"duration=0 sentbyte=0 rcvdbyte=0"; xbits: isset,by_src,recon; classtype: correlated-attack; parse_src_ip: 1; parse_dst_ip: 2; reference: url,wiki.quadrantsec.com/bin/view/Main/5003277; sid:5003277; rev:1;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET-CORRELATED] SSH traffic detected after honeypot activity"; content: " service=SSH "; content:!"duration=0 sentbyte=0 rcvdbyte=0"; xbits: isset,by_src,honeypot; classtype: correlated-attack; parse_src_ip: 1; parse_dst_ip: 2; reference: url,wiki.quadrantsec.com/bin/view/Main/5003278; sid:5003278; rev:1;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET-CORRELATED] SSH traffic detected after exploit attempt"; content: " service=SSH "; content:!"duration=0 sentbyte=0 rcvdbyte=0"; xbits: isset,by_src,exploit_attempt; classtype: correlated-attack; parse_src_ip: 1; parse_dst_ip: 2; reference: url,wiki.quadrantsec.com/bin/view/Main/5003279; sid:5003279; rev:1;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET-CORRELATED] SSH traffic detected after brute force activity"; content: " service=SSH "; content:!"duration=0 sentbyte=0 rcvdbyte=0"; xbits: isset,by_src,brute_force; classtype: correlated-attack; parse_src_ip: 1; parse_dst_ip: 2; reference: url,wiki.quadrantsec.com/bin/view/Main/5003280; sid:5003280; rev:1;) 
sagan-1.2.0/rules/windows-security.rules0000644000175000017500000045501213310533411017313 0ustar champchamp# Sagan windows-security.rules # Copyright (c) 2009-2017, Quadrant Information Security # All rights reserved. # # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list # #************************************************************* # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
# #************************************************************* # These rules are to monitor event based on Microsoft "Events to monitor" guide at # github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md # # Steve Rawls (srawls@quadrantsec.com) - 2018/05/22 alert any any any -> any any (msg: "[WINDOWS-SECURITY] A monitored security event pattern has occurred"; content: " 4618|3a| "; classtype: suspicious-traffic; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003766; sid: 5003766; rev: 1;) alert any any any -> any any (msg: "[WINDOWS-SECURITY] A replay attack was detected"; content: " 4649|3a| "; classtype: suspicious-traffic; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003767; sid: 5003767; rev: 1;) alert any any any -> any any (msg: "[WINDOWS-SECURITY] System audit policy was changed"; pcre: "/ 4719: | 612: /"; classtype: suspicious-traffic; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003768; sid: 5003768; rev: 1;) alert any any any -> any any (msg: "[WINDOWS-SECURITY] SID History was added to an account"; content: " 4765|3a| "; classtype: suspicious-traffic; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003769; sid: 5003769; rev: 1;) alert any any any -> any any (msg: "[WINDOWS-SECURITY] An attempt to add SID History to an 
account failed"; content: " 4766|3a| "; classtype: suspicious-traffic; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003770; sid: 5003770; rev: 1;) alert any any any -> any any (msg: "[WINDOWS-SECURITY] An attempt was made to set the Directory Services Restore Mode Administrator Password"; content: " 4794|3a| "; classtype: suspicious-traffic; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003764; sid: 5003764; rev: 1;) alert any any any -> any any (msg: "[WINDOWS-SECURITY] Role separation enabled:"; pcre: "/ 4897: | 801: /"; classtype: suspicious-traffic; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003761; sid: 5003761; rev: 1;) alert any any any -> any any (msg: "[WINDOWS-SECURITY] Special groups have been assigned to a new logon"; content: " 4964|3a| "; classtype: suspicious-traffic; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003765; sid: 5003765; rev: 1;) alert any any any -> any any (msg: "[WINDOWS-SECURITY] A security setting was updated on the OCSP Responder Service"; content: " 5124|3a| "; classtype: suspicious-traffic; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003762; sid: 5003762; rev: 1;) alert any any any -> any any (msg: 
"[WINDOWS-SECURITY] Possible denial-of-service (DoS) attack"; content: " 550|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003763; sid: 5003763; rev: 1;) alert any any any -> any any (msg: "[WINDOWS-SECURITY] The audit log was cleared"; pcre: "/ 1102: | 517: /"; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003392; sid: 5003392; rev: 1;) alert any any any -> any any (msg: "[WINDOWS-SECURITY] Administrator recovered system from CrashOnAuditFail"; content: " 4621|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003393; sid: 5003393; rev: 1;) alert any any any -> any any (msg: "[WINDOWS-SECURITY] SIDs were filtered"; content: " 4675|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003394; sid: 5003394; rev: 1;) alert any any any -> any any (msg: "[WINDOWS-SECURITY] Backup of data protection master key was attempted"; content: " 4692|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003395; sid: 5003395; rev: 1;) alert any any any -> any any (msg: "[WINDOWS-SECURITY] Recovery of data protection master key 
was attempted"; content: " 4693|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003396; sid: 5003396; rev: 1;) alert any any any -> any any (msg: "[WINDOWS-SECURITY] A new trust was created to a domain"; pcre: "/ 4706: | 610: /"; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003397; sid: 5003397; rev: 1;) alert any any any -> any any (msg: "[WINDOWS-SECURITY] Kerberos policy was changed"; pcre: "/ 4713: | 617: /"; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003398; sid: 5003398; rev: 1;) alert any any any -> any any (msg: "[WINDOWS-SECURITY] Encrypted data recovery policy was changed"; pcre: "/ 4714: | 618: /"; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003399; sid: 5003399; rev: 1;) alert any any any -> any any (msg: "[WINDOWS-SECURITY] The audit policy (SACL) on an object was changed"; content: " 4715|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003400; sid: 5003400; rev: 1;) alert any any any -> any any (msg: "[WINDOWS-SECURITY] Trusted domain information was modified"; pcre: "/ 4716: | 620: /"; 
classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003401; sid: 5003401; rev: 1;) alert any any any -> any any (msg: "[WINDOWS-SECURITY] An attempt was made to reset an account's password"; pcre: "/ 4724: | 628: /"; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003402; sid: 5003402; rev: 1;) alert any any any -> any any (msg: "[WINDOWS-SECURITY] A security-enabled global group was created"; pcre: "/ 4727: | 631: /"; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003403; sid: 5003403; rev: 1;) alert any any any -> any any (msg: "[WINDOWS-SECURITY] A security-enabled local group was changed"; pcre: "/ 4735: | 639: /"; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003404; sid: 5003404; rev: 1;) alert any any any -> any any (msg: "[WINDOWS-SECURITY] A security-enabled global group was changed"; pcre: "/ 4737: | 641: /"; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003405; sid: 5003405; rev: 1;) alert any any any -> any any (msg: "[WINDOWS-SECURITY] Domain Policy was changed"; pcre: "/ 4739: | 643: /"; classtype: system-event; 
program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003406; sid: 5003406; rev: 1;) alert any any any -> any any (msg: "[WINDOWS-SECURITY] A security-enabled universal group was created"; pcre: "/ 4754: | 658: /"; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003407; sid: 5003407; rev: 1;) alert any any any -> any any (msg: "[WINDOWS-SECURITY] A security-enabled universal group was changed"; pcre: "/ 4755: | 659: /"; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003408; sid: 5003408; rev: 1;) alert any any any -> any any (msg: "[WINDOWS-SECURITY] A security-disabled group was deleted"; pcre: "/ 4764: | 667: /"; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003409; sid: 5003409; rev: 1;) alert any any any -> any any (msg: "[WINDOWS-SECURITY] A group's type was changed"; pcre: "/ 4764: | 668: /"; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003410; sid: 5003410; rev: 1;) alert any any any -> any any (msg: "[WINDOWS-SECURITY] The ACL was set on accounts which are members of administrators groups"; pcre: "/ 4780: | 684: /"; classtype: system-event; 
program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003411; sid: 5003411; rev: 1;) alert any any any -> any any (msg: "[WINDOWS-SECURITY] RPC detected an integrity violation while decrypting an incoming message"; content: " 4816|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003412; sid: 5003412; rev: 1;) alert any any any -> any any (msg: "[WINDOWS-SECURITY] A trusted forest information entry was added"; content: " 4865|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003413; sid: 5003413; rev: 1;) alert any any any -> any any (msg: "[WINDOWS-SECURITY] A trusted forest information entry was removed"; content: " 4866|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003414; sid: 5003414; rev: 1;) alert any any any -> any any (msg: "[WINDOWS-SECURITY] A trusted forest information entry was modified"; content: " 4867|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003415; sid: 5003415; rev: 1;) alert any any any -> any any (msg: "[WINDOWS-SECURITY] The certificate manager denied a pending certificate request"; pcre: "/ 4868: | 772: 
/"; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003416; sid: 5003416; rev: 1;) alert any any any -> any any (msg: "[WINDOWS-SECURITY] Certificate Services revoked a certificate"; pcre: "/ 4870: | 774: /"; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003417; sid: 5003417; rev: 1;) alert any any any -> any any (msg: "[WINDOWS-SECURITY] The security permissions for Certificate Services changed"; pcre: "/ 4882: | 786: /"; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003418; sid: 5003418; rev: 1;) alert any any any -> any any (msg: "[WINDOWS-SECURITY] The audit filter for Certificate Services changed"; pcre: "/ 4885: | 789: /"; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003419; sid: 5003419; rev: 1;) alert any any any -> any any (msg: "[WINDOWS-SECURITY] The certificate manager settings for Certificate Services changed"; pcre: "/ 4890: | 794: /"; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003420; sid: 5003420; rev: 1;) alert any any any -> any any (msg: "[WINDOWS-SECURITY] A property of Certificate Services 
changed"; pcre: "/ 4892: | 796: /"; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003421; sid: 5003421; rev: 1;) alert any any any -> any any (msg: "[WINDOWS-SECURITY] One or more rows have been deleted from the certificate database"; pcre: "/ 4896: | 800: /"; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003422; sid: 5003422; rev: 1;) alert any any any -> any any (msg: "[WINDOWS-SECURITY] The CrashOnAuditFail value has changed"; content: " 4906|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003423; sid: 5003423; rev: 1;) alert any any any -> any any (msg: "[WINDOWS-SECURITY] Auditing settings on object were changed"; content: " 4907|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003424; sid: 5003424; rev: 1;) alert any any any -> any any (msg: "[WINDOWS-SECURITY] Special Groups Logon table modified"; content: " 4908|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003425; sid: 5003425; rev: 1;) alert any any any -> any any (msg: "[WINDOWS-SECURITY] Per User Audit Policy was changed"; pcre: "/ 4912: | 
807: /"; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003426; sid: 5003426; rev: 1;) alert any any any -> any any (msg: "[WINDOWS-SECURITY] IPsec dropped an inbound packet that failed an integrity check"; content: " 4960|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003427; sid: 5003427; rev: 1;) alert any any any -> any any (msg: "[WINDOWS-SECURITY] IPsec dropped an inbound packet that failed a replay check"; content: " 4961|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003428; sid: 5003428; rev: 1;) alert any any any -> any any (msg: "[WINDOWS-SECURITY] IPsec dropped an inbound packet that failed a replay check"; content: " 4962|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003429; sid: 5003429; rev: 1;) alert any any any -> any any (msg: "[WINDOWS-SECURITY] IPsec dropped an inbound clear text packet that should have been secured"; content: " 4963|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003430; sid: 5003430; rev: 1;) alert any any any -> any any (msg: "[WINDOWS-SECURITY] IPsec 
received a packet from a remote computer with an incorrect Security Parameter Index (SPI)"; content: " 4965|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003431; sid: 5003431; rev: 1;) alert any any any -> any any (msg: "[WINDOWS-SECURITY] During Main Mode negotiation"; content: " 4976|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003432; sid: 5003432; rev: 1;) alert any any any -> any any (msg: "[WINDOWS-SECURITY] During Quick Mode negotiation"; content: " 4977|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003433; sid: 5003433; rev: 1;) alert any any any -> any any (msg: "[WINDOWS-SECURITY] During Extended Mode negotiation"; content: " 4978|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003434; sid: 5003434; rev: 1;) alert any any any -> any any (msg: "[WINDOWS-SECURITY] An IPsec Extended Mode negotiation failed"; content: " 4983|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003435; sid: 5003435; rev: 1;) alert any any any -> any any (msg: "[WINDOWS-SECURITY] An IPsec Extended Mode 
negotiation failed"; content: " 4984|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003436; sid: 5003436; rev: 1;) alert any any any -> any any (msg: "[WINDOWS-SECURITY] The Windows Firewall Service was unable to retrieve the security policy from the local storage"; content: " 5027|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003437; sid: 5003437; rev: 1;) alert any any any -> any any (msg: "[WINDOWS-SECURITY] The Windows Firewall Service was unable to parse the new security policy"; content: " 5028|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003438; sid: 5003438; rev: 1;) alert any any any -> any any (msg: "[WINDOWS-SECURITY] The Windows Firewall Service failed to initialize the driver"; content: " 5029|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003439; sid: 5003439; rev: 1;) alert any any any -> any any (msg: "[WINDOWS-SECURITY] The Windows Firewall Service failed to start"; content: " 5030|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003440; sid: 5003440; rev: 1;) alert any 
any any -> any any (msg: "[WINDOWS-SECURITY] The Windows Firewall Driver failed to start"; content: " 5035|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003441; sid: 5003441; rev: 1;) alert any any any -> any any (msg: "[WINDOWS-SECURITY] The Windows Firewall Driver detected critical runtime error"; content: " 5037|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003442; sid: 5003442; rev: 1;) alert any any any -> any any (msg: "[WINDOWS-SECURITY] Code integrity determined that the image hash of a file is not valid"; content: " 5038|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003443; sid: 5003443; rev: 1;) alert any any any -> any any (msg: "[WINDOWS-SECURITY] OCSP Responder Service Started"; content: " 5120|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003444; sid: 5003444; rev: 1;) alert any any any -> any any (msg: "[WINDOWS-SECURITY] OCSP Responder Service Stopped"; content: " 5121|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003445; sid: 5003445; rev: 1;) alert any any any -> any 
any (msg: "[WINDOWS-SECURITY] A configuration entry changed in OCSP Responder Service"; content: " 5122|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003446; sid: 5003446; rev: 1;) alert any any any -> any any (msg: "[WINDOWS-SECURITY] A configuration entry changed in OCSP Responder Service"; content: " 5123|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003447; sid: 5003447; rev: 1;) alert any any any -> any any (msg: "[WINDOWS-SECURITY] Credential Manager credentials were backed up"; content: " 5376|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003448; sid: 5003448; rev: 1;) alert any any any -> any any (msg: "[WINDOWS-SECURITY] Credential Manager credentials were restored from a backup"; content: " 5377|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003449; sid: 5003449; rev: 1;) alert any any any -> any any (msg: "[WINDOWS-SECURITY] An IPsec negotiation with a remote computer failed because the IKE and AuthIP IPsec Keying Modules (IKEEXT) service is not started"; content: " 5453|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; 
reference: url,wiki.quadrantsec.com/bin/view/Main/5003450; sid: 5003450; rev: 1;) alert any any any -> any any (msg: "[WINDOWS-SECURITY] IPsec Services failed to get the complete list of network interfaces on the computer"; content: " 5480|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003451; sid: 5003451; rev: 1;) alert any any any -> any any (msg: "[WINDOWS-SECURITY] IPsec Services failed to initialize RPC server"; content: " 5483|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003452; sid: 5003452; rev: 1;) alert any any any -> any any (msg: "[WINDOWS-SECURITY] IPsec Services has experienced a critical failure and has been shut down"; content: " 5484|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003453; sid: 5003453; rev: 1;) alert any any any -> any any (msg: "[WINDOWS-SECURITY] IPsec Services failed to process some IPsec filters on a plug-and-play event for network interfaces"; content: " 5485|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003454; sid: 5003454; rev: 1;) alert any any any -> any any (msg: "[WINDOWS-SECURITY] One or more errors occurred while processing security policy in the Group Policy objects"; content: " 6145|3a| "; classtype: system-event; program: 
*Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003455; sid: 5003455; rev: 1;) alert any any any -> any any (msg: "[WINDOWS-SECURITY] Network Policy Server denied access to a user"; content: " 6273|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003456; sid: 5003456; rev: 1;) alert any any any -> any any (msg: "[WINDOWS-SECURITY] Network Policy Server discarded the request for a user"; content: " 6274|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003457; sid: 5003457; rev: 1;) alert any any any -> any any (msg: "[WINDOWS-SECURITY] Network Policy Server discarded the accounting request for a user"; content: " 6275|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003458; sid: 5003458; rev: 1;) alert any any any -> any any (msg: "[WINDOWS-SECURITY] Network Policy Server quarantined a user"; content: " 6276|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003459; sid: 5003459; rev: 1;) alert any any any -> any any (msg: "[WINDOWS-SECURITY] Network Policy Server granted access to a user but put it on probation because the host did not meet 
the defined health policy"; content: " 6277|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003460; sid: 5003460; rev: 1;) alert any any any -> any any (msg: "[WINDOWS-SECURITY] Network Policy Server granted full access to a user because the host met the defined health policy"; content: " 6278|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003461; sid: 5003461; rev: 1;) alert any any any -> any any (msg: "[WINDOWS-SECURITY] Network Policy Server locked the user account due to repeated failed authentication attempts"; content: " 6279|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003462; sid: 5003462; rev: 1;) alert any any any -> any any (msg: "[WINDOWS-SECURITY] Network Policy Server unlocked the user account"; content: " 6280|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003463; sid: 5003463; rev: 1;) alert any any any -> any any (msg: "[WINDOWS-SECURITY] General account database changed"; content: " 640|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003464; sid: 5003464; rev: 1;) alert 
any any any -> any any (msg: "[WINDOWS-SECURITY] Quality of Service Policy changed"; content: " 619|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003465; sid: 5003465; rev: 1;) alert any any any -> any any (msg: "[WINDOWS-SECURITY] An error was encountered converting volume"; content: " 24586|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003466; sid: 5003466; rev: 1;) alert any any any -> any any (msg: "[WINDOWS-SECURITY] An attempt to automatically restart conversion on volume failed"; content: " 24592|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003467; sid: 5003467; rev: 1;) alert any any any -> any any (msg: "[WINDOWS-SECURITY] Metadata write: Volume returning errors while trying to modify metadata"; content: " 24593|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003468; sid: 5003468; rev: 1;) alert any any any -> any any (msg: "[WINDOWS-SECURITY] Metadata rebuild: An attempt to write a copy of metadata on volume failed and may appear as disk corruption"; content: " 24594|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: 
url,wiki.quadrantsec.com/bin/view/Main/5003469; sid: 5003469; rev: 1;) #alert any any any -> any any (msg: "[WINDOWS-SECURITY] Windows is starting up"; pcre: "/ 4608: | 512: /"; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003470; sid: 5003470; rev: 1;) #alert any any any -> any any (msg: "[WINDOWS-SECURITY] Windows is shutting down"; pcre: "/ 4609: | 513: /"; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003471; sid: 5003471; rev: 1;) #alert any any any -> any any (msg: "[WINDOWS-SECURITY] An authentication package has been loaded by the Local Security Authority"; pcre: "/ 4610: | 514: /"; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003472; sid: 5003472; rev: 1;) #alert any any any -> any any (msg: "[WINDOWS-SECURITY] A trusted logon process has been registered with the Local Security Authority"; pcre: "/ 4611: | 515: /"; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003473; sid: 5003473; rev: 1;) #alert any any any -> any any (msg: "[WINDOWS-SECURITY] Internal resources allocated for the queuing of audit messages have been exhausted"; pcre: "/ 4612: | 516: /"; classtype: system-event; program: *Security*; reference: 
url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003474; sid: 5003474; rev: 1;) #alert any any any -> any any (msg: "[WINDOWS-SECURITY] A notification package has been loaded by the Security Account Manager"; pcre: "/ 4614: | 518: /"; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003475; sid: 5003475; rev: 1;) #alert any any any -> any any (msg: "[WINDOWS-SECURITY] Invalid use of LPC port"; pcre: "/ 4615: | 519: /"; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003476; sid: 5003476; rev: 1;) #alert any any any -> any any (msg: "[WINDOWS-SECURITY] The system time was changed"; pcre: "/ 4616: | 520: /"; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003477; sid: 5003477; rev: 1;) #alert any any any -> any any (msg: "[WINDOWS-SECURITY] A security package has been loaded by the Local Security Authority"; content: " 4622|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003478; sid: 5003478; rev: 1;) #alert any any any -> any any (msg: "[WINDOWS-SECURITY] Low"; pcre: "/ 4624: | 528: /"; classtype: system-event; program: *Security*; reference: 
url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003479; sid: 5003479; rev: 1;) #alert any any any -> any any (msg: "[WINDOWS-SECURITY] Low"; pcre: "/ 4625: | 529-537: /"; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003480; sid: 5003480; rev: 1;) #alert any any any -> any any (msg: "[WINDOWS-SECURITY] An account was logged off"; pcre: "/ 4634: | 538: /"; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003481; sid: 5003481; rev: 1;) #alert any any any -> any any (msg: "[WINDOWS-SECURITY] IKE DoS-prevention mode started"; content: " 4646|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003482; sid: 5003482; rev: 1;) #alert any any any -> any any (msg: "[WINDOWS-SECURITY] User initiated logoff"; pcre: "/ 4647: | 551: /"; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003483; sid: 5003483; rev: 1;) #alert any any any -> any any (msg: "[WINDOWS-SECURITY] A logon was attempted using explicit credentials"; pcre: "/ 4648: | 552: /"; classtype: system-event; program: *Security*; reference: 
url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003484; sid: 5003484; rev: 1;) #alert any any any -> any any (msg: "[WINDOWS-SECURITY] An IPsec Main Mode security association was established"; content: " 4650|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003485; sid: 5003485; rev: 1;) #alert any any any -> any any (msg: "[WINDOWS-SECURITY] An IPsec Main Mode security association was established"; content: " 4651|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003486; sid: 5003486; rev: 1;) #alert any any any -> any any (msg: "[WINDOWS-SECURITY] An IPsec Main Mode negotiation failed"; content: " 4652|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003487; sid: 5003487; rev: 1;) #alert any any any -> any any (msg: "[WINDOWS-SECURITY] An IPsec Main Mode negotiation failed"; content: " 4653|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003488; sid: 5003488; rev: 1;) #alert any any any -> any any (msg: "[WINDOWS-SECURITY] An IPsec Quick Mode negotiation failed"; content: " 4654|3a| "; classtype: system-event; program: *Security*; reference: 
url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003489; sid: 5003489; rev: 1;) #alert any any any -> any any (msg: "[WINDOWS-SECURITY] An IPsec Main Mode security association ended"; content: " 4655|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003490; sid: 5003490; rev: 1;) #alert any any any -> any any (msg: "[WINDOWS-SECURITY] A handle to an object was requested"; pcre: "/ 4656: | 560: /"; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003491; sid: 5003491; rev: 1;) #alert any any any -> any any (msg: "[WINDOWS-SECURITY] A registry value was modified"; pcre: "/ 4657: | 567: /"; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003492; sid: 5003492; rev: 1;) #alert any any any -> any any (msg: "[WINDOWS-SECURITY] The handle to an object was closed"; pcre: "/ 4658: | 562: /"; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003493; sid: 5003493; rev: 1;) #alert any any any -> any any (msg: "[WINDOWS-SECURITY] A handle to an object was requested with intent to delete"; content: " 4659|3a| "; classtype: system-event; program: *Security*; reference: 
url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003494; sid: 5003494; rev: 1;) #alert any any any -> any any (msg: "[WINDOWS-SECURITY] An object was deleted"; pcre: "/ 4660: | 564: /"; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003495; sid: 5003495; rev: 1;) #alert any any any -> any any (msg: "[WINDOWS-SECURITY] A handle to an object was requested"; pcre: "/ 4661: | 565: /"; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003496; sid: 5003496; rev: 1;) #alert any any any -> any any (msg: "[WINDOWS-SECURITY] An operation was performed on an object"; pcre: "/ 4662: | 566: /"; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003497; sid: 5003497; rev: 1;) #alert any any any -> any any (msg: "[WINDOWS-SECURITY] An attempt was made to access an object"; pcre: "/ 4663: | 567: /"; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003498; sid: 5003498; rev: 1;) #alert any any any -> any any (msg: "[WINDOWS-SECURITY] An attempt was made to create a hard link"; content: " 4664|3a| "; classtype: system-event; program: *Security*; reference: 
url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003499; sid: 5003499; rev: 1;) #alert any any any -> any any (msg: "[WINDOWS-SECURITY] An attempt was made to create an application client context"; content: " 4665|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003500; sid: 5003500; rev: 1;) #alert any any any -> any any (msg: "[WINDOWS-SECURITY] An application attempted an operation:"; content: " 4666|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003501; sid: 5003501; rev: 1;) #alert any any any -> any any (msg: "[WINDOWS-SECURITY] An application client context was deleted"; content: " 4667|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003502; sid: 5003502; rev: 1;) #alert any any any -> any any (msg: "[WINDOWS-SECURITY] An application was initialized"; content: " 4668|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003503; sid: 5003503; rev: 1;) #alert any any any -> any any (msg: "[WINDOWS-SECURITY] Permissions on an object were changed"; content: " 4670|3a| "; classtype: system-event; program: *Security*; reference: 
url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003504; sid: 5003504; rev: 1;) #alert any any any -> any any (msg: "[WINDOWS-SECURITY] An application attempted to access a blocked ordinal through the TBS"; content: " 4671|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003505; sid: 5003505; rev: 1;) #alert any any any -> any any (msg: "[WINDOWS-SECURITY] Special privileges assigned to new logon"; pcre: "/ 4672: | 576: /"; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003506; sid: 5003506; rev: 1;) #alert any any any -> any any (msg: "[WINDOWS-SECURITY] A privileged service was called"; pcre: "/ 4673: | 577: /"; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003507; sid: 5003507; rev: 1;) #alert any any any -> any any (msg: "[WINDOWS-SECURITY] An operation was attempted on a privileged object"; pcre: "/ 4674: | 578: /"; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003508; sid: 5003508; rev: 1;) #alert any any any -> any any (msg: "[WINDOWS-SECURITY] A new process has been created"; pcre: "/ 4688: | 592: /"; classtype: system-event; program: *Security*; reference: 
url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003509; sid: 5003509; rev: 1;) #alert any any any -> any any (msg: "[WINDOWS-SECURITY] A process has exited"; pcre: "/ 4689: | 593: /"; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003510; sid: 5003510; rev: 1;) #alert any any any -> any any (msg: "[WINDOWS-SECURITY] An attempt was made to duplicate a handle to an object"; pcre: "/ 4690: | 594: /"; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003511; sid: 5003511; rev: 1;) #alert any any any -> any any (msg: "[WINDOWS-SECURITY] Indirect access to an object was requested"; pcre: "/ 4691: | 595: /"; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003512; sid: 5003512; rev: 1;) #alert any any any -> any any (msg: "[WINDOWS-SECURITY] Protection of auditable protected data was attempted"; content: " 4694|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003513; sid: 5003513; rev: 1;) #alert any any any -> any any (msg: "[WINDOWS-SECURITY] Unprotection of auditable protected data was attempted"; content: " 4695|3a| "; classtype: system-event; program: *Security*; reference: 
url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003514; sid: 5003514; rev: 1;) #alert any any any -> any any (msg: "[WINDOWS-SECURITY] A primary token was assigned to process"; pcre: "/ 4696: | 600: /"; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003515; sid: 5003515; rev: 1;) #alert any any any -> any any (msg: "[WINDOWS-SECURITY] Attempt to install a service"; pcre: "/ 4697: | 601: /"; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003516; sid: 5003516; rev: 1;) #alert any any any -> any any (msg: "[WINDOWS-SECURITY] A scheduled task was created"; pcre: "/ 4698: | 602: /"; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003517; sid: 5003517; rev: 1;) #alert any any any -> any any (msg: "[WINDOWS-SECURITY] A scheduled task was deleted"; pcre: "/ 4699: | 602: /"; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003518; sid: 5003518; rev: 1;) #alert any any any -> any any (msg: "[WINDOWS-SECURITY] A scheduled task was enabled"; pcre: "/ 4700: | 602: /"; classtype: system-event; program: *Security*; reference: 
url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003519; sid: 5003519; rev: 1;) #alert any any any -> any any (msg: "[WINDOWS-SECURITY] A scheduled task was disabled"; pcre: "/ 4701: | 602: /"; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003520; sid: 5003520; rev: 1;) #alert any any any -> any any (msg: "[WINDOWS-SECURITY] A scheduled task was updated"; pcre: "/ 4702: | 602: /"; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003521; sid: 5003521; rev: 1;) #alert any any any -> any any (msg: "[WINDOWS-SECURITY] A user right was assigned"; pcre: "/ 4704: | 608: /"; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003522; sid: 5003522; rev: 1;) #alert any any any -> any any (msg: "[WINDOWS-SECURITY] A user right was removed"; pcre: "/ 4705: | 609: /"; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003523; sid: 5003523; rev: 1;) #alert any any any -> any any (msg: "[WINDOWS-SECURITY] A trust to a domain was removed"; pcre: "/ 4707: | 611: /"; classtype: system-event; program: *Security*; reference: 
url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003524; sid: 5003524; rev: 1;) #alert any any any -> any any (msg: "[WINDOWS-SECURITY] IPsec Services was started"; content: " 4709|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003525; sid: 5003525; rev: 1;) #alert any any any -> any any (msg: "[WINDOWS-SECURITY] IPsec Services was disabled"; content: " 4710|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003526; sid: 5003526; rev: 1;) #alert any any any -> any any (msg: "[WINDOWS-SECURITY] PAStore Engine Activity Detected"; content: " 4711|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003527; sid: 5003527; rev: 1;) #alert any any any -> any any (msg: "[WINDOWS-SECURITY] IPsec Services encountered a potentially serious failure"; content: " 4712|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003528; sid: 5003528; rev: 1;) #alert any any any -> any any (msg: "[WINDOWS-SECURITY] System security access was granted to an account"; pcre: "/ 4717: | 621: /"; classtype: system-event; program: *Security*; reference: 
url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003529; sid: 5003529; rev: 1;) #alert any any any -> any any (msg: "[WINDOWS-SECURITY] System security access was removed from an account"; pcre: "/ 4718: | 622: /"; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003530; sid: 5003530; rev: 1;) #alert any any any -> any any (msg: "[WINDOWS-SECURITY] A user account was created"; pcre: "/ 4720: | 624: /"; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003531; sid: 5003531; rev: 1;) #alert any any any -> any any (msg: "[WINDOWS-SECURITY] A user account was enabled"; pcre: "/ 4722: | 626: /"; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003532; sid: 5003532; rev: 1;) #alert any any any -> any any (msg: "[WINDOWS-SECURITY] An attempt was made to change an account's password"; pcre: "/ 4723: | 627: /"; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003533; sid: 5003533; rev: 1;) #alert any any any -> any any (msg: "[WINDOWS-SECURITY] A user account was disabled"; pcre: "/ 4725: | 629: /"; classtype: system-event; program: *Security*; reference: 
url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003534; sid: 5003534; rev: 1;) #alert any any any -> any any (msg: "[WINDOWS-SECURITY] A user account was deleted"; pcre: "/ 4726: | 630: /"; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003535; sid: 5003535; rev: 1;) #alert any any any -> any any (msg: "[WINDOWS-SECURITY] A member was added to a security-enabled global group"; pcre: "/ 4728: | 632: /"; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003536; sid: 5003536; rev: 1;) #alert any any any -> any any (msg: "[WINDOWS-SECURITY] A member was removed from a security-enabled global group"; pcre: "/ 4729: | 633: /"; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003537; sid: 5003537; rev: 1;) #alert any any any -> any any (msg: "[WINDOWS-SECURITY] A security-enabled global group was deleted"; pcre: "/ 4730: | 634: /"; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003538; sid: 5003538; rev: 1;) #alert any any any -> any any (msg: "[WINDOWS-SECURITY] A security-enabled local group was created"; pcre: "/ 4731: | 635: /"; classtype: system-event; program: *Security*; reference: 
url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003539; sid: 5003539; rev: 1;) #alert any any any -> any any (msg: "[WINDOWS-SECURITY] A member was added to a security-enabled local group"; pcre: "/ 4732: | 636: /"; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003540; sid: 5003540; rev: 1;) #alert any any any -> any any (msg: "[WINDOWS-SECURITY] A member was removed from a security-enabled local group"; pcre: "/ 4733: | 637: /"; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003541; sid: 5003541; rev: 1;) #alert any any any -> any any (msg: "[WINDOWS-SECURITY] A security-enabled local group was deleted"; pcre: "/ 4734: | 638: /"; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003542; sid: 5003542; rev: 1;) #alert any any any -> any any (msg: "[WINDOWS-SECURITY] A user account was changed"; pcre: "/ 4738: | 642: /"; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003543; sid: 5003543; rev: 1;) #alert any any any -> any any (msg: "[WINDOWS-SECURITY] A user account was locked out"; pcre: "/ 4740: | 644: /"; classtype: system-event; program: *Security*; reference: 
url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003544; sid: 5003544; rev: 1;) #alert any any any -> any any (msg: "[WINDOWS-SECURITY] A computer account was changed"; pcre: "/ 4741: | 645: /"; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003545; sid: 5003545; rev: 1;) #alert any any any -> any any (msg: "[WINDOWS-SECURITY] A computer account was changed"; pcre: "/ 4742: | 646: /"; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003546; sid: 5003546; rev: 1;) #alert any any any -> any any (msg: "[WINDOWS-SECURITY] A computer account was deleted"; pcre: "/ 4743: | 647: /"; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003547; sid: 5003547; rev: 1;) #alert any any any -> any any (msg: "[WINDOWS-SECURITY] A security-disabled local group was created"; pcre: "/ 4744: | 648: /"; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003548; sid: 5003548; rev: 1;) #alert any any any -> any any (msg: "[WINDOWS-SECURITY] A security-disabled local group was changed"; pcre: "/ 4745: | 649: /"; classtype: system-event; program: *Security*; reference: 
url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003549; sid: 5003549; rev: 1;) #alert any any any -> any any (msg: "[WINDOWS-SECURITY] A member was added to a security-disabled local group"; pcre: "/ 4746: | 650: /"; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003550; sid: 5003550; rev: 1;) #alert any any any -> any any (msg: "[WINDOWS-SECURITY] A member was removed from a security-disabled local group"; pcre: "/ 4747: | 651: /"; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003551; sid: 5003551; rev: 1;) #alert any any any -> any any (msg: "[WINDOWS-SECURITY] A security-disabled local group was deleted"; pcre: "/ 4748: | 652: /"; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003552; sid: 5003552; rev: 1;) #alert any any any -> any any (msg: "[WINDOWS-SECURITY] A security-disabled global group was created"; pcre: "/ 4749: | 653: /"; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003553; sid: 5003553; rev: 1;) #alert any any any -> any any (msg: "[WINDOWS-SECURITY] A security-disabled global group was changed"; pcre: "/ 4750: | 654: /"; classtype: system-event; program: 
*Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003554; sid: 5003554; rev: 1;) #alert any any any -> any any (msg: "[WINDOWS-SECURITY] A member was added to a security-disabled global group"; pcre: "/ 4751: | 655: /"; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003555; sid: 5003555; rev: 1;) #alert any any any -> any any (msg: "[WINDOWS-SECURITY] A member was removed from a security-disabled global group"; pcre: "/ 4752: | 656: /"; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003556; sid: 5003556; rev: 1;) #alert any any any -> any any (msg: "[WINDOWS-SECURITY] A security-disabled global group was deleted"; pcre: "/ 4753: | 657: /"; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003557; sid: 5003557; rev: 1;) #alert any any any -> any any (msg: "[WINDOWS-SECURITY] A member was added to a security-enabled universal group"; pcre: "/ 4756: | 660: /"; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003558; sid: 5003558; rev: 1;) #alert any any any -> any any (msg: "[WINDOWS-SECURITY] A member was removed from a security-enabled universal group"; pcre: "/ 
4757: | 661: /"; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003559; sid: 5003559; rev: 1;) #alert any any any -> any any (msg: "[WINDOWS-SECURITY] A security-enabled universal group was deleted"; pcre: "/ 4758: | 662: /"; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003560; sid: 5003560; rev: 1;) #alert any any any -> any any (msg: "[WINDOWS-SECURITY] A security-disabled universal group was created"; pcre: "/ 4759: | 663: /"; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003561; sid: 5003561; rev: 1;) #alert any any any -> any any (msg: "[WINDOWS-SECURITY] A security-disabled universal group was changed"; pcre: "/ 4760: | 664: /"; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003562; sid: 5003562; rev: 1;) #alert any any any -> any any (msg: "[WINDOWS-SECURITY] A member was added to a security-disabled universal group"; pcre: "/ 4761: | 665: /"; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003563; sid: 5003563; rev: 1;) #alert any any any -> any any (msg: "[WINDOWS-SECURITY] A member was removed from a 
security-disabled universal group"; pcre: "/ 4762: | 666: /"; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003564; sid: 5003564; rev: 1;) #alert any any any -> any any (msg: "[WINDOWS-SECURITY] A user account was unlocked"; pcre: "/ 4767: | 671: /"; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003565; sid: 5003565; rev: 1;) #alert any any any -> any any (msg: "[WINDOWS-SECURITY] A Kerberos service ticket was requested"; pcre: "/ 4769: | 673: /"; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003567; sid: 5003567; rev: 1;) #alert any any any -> any any (msg: "[WINDOWS-SECURITY] A Kerberos service ticket was renewed"; pcre: "/ 4770: | 674: /"; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003568; sid: 5003568; rev: 1;) #alert any any any -> any any (msg: "[WINDOWS-SECURITY] Kerberos pre-authentication failed"; pcre: "/ 4771: | 675: /"; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003569; sid: 5003569; rev: 1;) #alert any any any -> any any (msg: "[WINDOWS-SECURITY] A Kerberos authentication ticket request failed"; 
pcre: "/ 4772: | 672: /"; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003570; sid: 5003570; rev: 1;) #alert any any any -> any any (msg: "[WINDOWS-SECURITY] An account was mapped for logon"; pcre: "/ 4774: | 678: /"; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003571; sid: 5003571; rev: 1;) #alert any any any -> any any (msg: "[WINDOWS-SECURITY] An account could not be mapped for logon"; pcre: "/ 4775: | 679: /"; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003572; sid: 5003572; rev: 1;) #alert any any any -> any any (msg: "[WINDOWS-SECURITY] The domain controller failed to validate the credentials for an account"; content: " 4777|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003574; sid: 5003574; rev: 1;) #alert any any any -> any any (msg: "[WINDOWS-SECURITY] A session was reconnected to a Window Station"; pcre: "/ 4778: | 682: /"; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003575; sid: 5003575; rev: 1;) #alert any any any -> any any (msg: "[WINDOWS-SECURITY] A session was disconnected from a Window 
Station"; pcre: "/ 4779: | 683: /"; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003576; sid: 5003576; rev: 1;) #alert any any any -> any any (msg: "[WINDOWS-SECURITY] The name of an account was changed:"; pcre: "/ 4781: | 685: /"; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003577; sid: 5003577; rev: 1;) #alert any any any -> any any (msg: "[WINDOWS-SECURITY] The password hash an account was accessed"; content: " 4782|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003578; sid: 5003578; rev: 1;) #alert any any any -> any any (msg: "[WINDOWS-SECURITY] A basic application group was created"; pcre: "/ 4783: | 667: /"; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003579; sid: 5003579; rev: 1;) #alert any any any -> any any (msg: "[WINDOWS-SECURITY] A basic application group was changed"; content: " 4784|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003580; sid: 5003580; rev: 1;) #alert any any any -> any any (msg: "[WINDOWS-SECURITY] A member was added to a basic application group"; pcre: "/ 4785: | 689: 
/"; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003581; sid: 5003581; rev: 1;) #alert any any any -> any any (msg: "[WINDOWS-SECURITY] A member was removed from a basic application group"; pcre: "/ 4786: | 690: /"; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003582; sid: 5003582; rev: 1;) #alert any any any -> any any (msg: "[WINDOWS-SECURITY] A nonmember was added to a basic application group"; pcre: "/ 4787: | 691: /"; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003583; sid: 5003583; rev: 1;) #alert any any any -> any any (msg: "[WINDOWS-SECURITY] A nonmember was removed from a basic application group"; pcre: "/ 4788: | 692: /"; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003584; sid: 5003584; rev: 1;) #alert any any any -> any any (msg: "[WINDOWS-SECURITY] A basic application group was deleted"; pcre: "/ 4789: | 693: /"; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003585; sid: 5003585; rev: 1;) #alert any any any -> any any (msg: "[WINDOWS-SECURITY] An LDAP query group was created"; pcre: "/ 4790: | 694: 
/"; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003586; sid: 5003586; rev: 1;) #alert any any any -> any any (msg: "[WINDOWS-SECURITY] The Password Policy Checking API was called"; content: " 4793|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003587; sid: 5003587; rev: 1;) #alert any any any -> any any (msg: "[WINDOWS-SECURITY] The workstation was locked"; content: " 4800|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003588; sid: 5003588; rev: 1;) #alert any any any -> any any (msg: "[WINDOWS-SECURITY] The workstation was unlocked"; content: " 4801|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003589; sid: 5003589; rev: 1;) #alert any any any -> any any (msg: "[WINDOWS-SECURITY] The screen saver was invoked"; content: " 4802|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003590; sid: 5003590; rev: 1;) #alert any any any -> any any (msg: "[WINDOWS-SECURITY] The screen saver was dismissed"; content: " 4803|3a| "; classtype: system-event; program: *Security*; reference: 
url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003591; sid: 5003591; rev: 1;) #alert any any any -> any any (msg: "[WINDOWS-SECURITY] A namespace collision was detected"; content: " 4864|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003592; sid: 5003592; rev: 1;) #alert any any any -> any any (msg: "[WINDOWS-SECURITY] Certificate Services received a resubmitted certificate request"; pcre: "/ 4869: | 773: /"; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003593; sid: 5003593; rev: 1;) #alert any any any -> any any (msg: "[WINDOWS-SECURITY] Certificate Services received a request to publish the certificate revocation list (CRL)"; pcre: "/ 4871: | 775: /"; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003594; sid: 5003594; rev: 1;) #alert any any any -> any any (msg: "[WINDOWS-SECURITY] Certificate Services published the certificate revocation list (CRL)"; pcre: "/ 4872: | 776: /"; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003595; sid: 5003595; rev: 1;) #alert any any any -> any any (msg: "[WINDOWS-SECURITY] A certificate request extension changed"; pcre: "/ 4873: | 
777: /"; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003596; sid: 5003596; rev: 1;) #alert any any any -> any any (msg: "[WINDOWS-SECURITY] One or more certificate request attributes changed"; pcre: "/ 4874: | 778: /"; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003597; sid: 5003597; rev: 1;) #alert any any any -> any any (msg: "[WINDOWS-SECURITY] Certificate Services received a request to shut down"; pcre: "/ 4875: | 779: /"; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003598; sid: 5003598; rev: 1;) #alert any any any -> any any (msg: "[WINDOWS-SECURITY] Certificate Services backup started"; pcre: "/ 4876: | 780: /"; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003599; sid: 5003599; rev: 1;) #alert any any any -> any any (msg: "[WINDOWS-SECURITY] Certificate Services backup completed"; pcre: "/ 4877: | 781: /"; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003600; sid: 5003600; rev: 1;) #alert any any any -> any any (msg: "[WINDOWS-SECURITY] Certificate Services restore started"; pcre: "/ 4878: | 782: /"; 
classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003601; sid: 5003601; rev: 1;) #alert any any any -> any any (msg: "[WINDOWS-SECURITY] Certificate Services restore completed"; pcre: "/ 4879: | 783: /"; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003602; sid: 5003602; rev: 1;) #alert any any any -> any any (msg: "[WINDOWS-SECURITY] Certificate Services started"; pcre: "/ 4880: | 784: /"; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003603; sid: 5003603; rev: 1;) #alert any any any -> any any (msg: "[WINDOWS-SECURITY] Certificate Services stopped"; pcre: "/ 4881: | 785: /"; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003604; sid: 5003604; rev: 1;) #alert any any any -> any any (msg: "[WINDOWS-SECURITY] Certificate Services retrieved an archived key"; pcre: "/ 4883: | 787: /"; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003605; sid: 5003605; rev: 1;) #alert any any any -> any any (msg: "[WINDOWS-SECURITY] Certificate Services imported a certificate into its database"; pcre: "/ 4884: | 788: /"; classtype: 
system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003606; sid: 5003606; rev: 1;) #alert any any any -> any any (msg: "[WINDOWS-SECURITY] Certificate Services received a certificate request"; pcre: "/ 4886: | 790: /"; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003607; sid: 5003607; rev: 1;) #alert any any any -> any any (msg: "[WINDOWS-SECURITY] Certificate Services approved a certificate request and issued a certificate"; pcre: "/ 4887: | 791: /"; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003608; sid: 5003608; rev: 1;) #alert any any any -> any any (msg: "[WINDOWS-SECURITY] Certificate Services denied a certificate request"; pcre: "/ 4888: | 792: /"; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003609; sid: 5003609; rev: 1;) #alert any any any -> any any (msg: "[WINDOWS-SECURITY] Certificate Services set the status of a certificate request to pending"; pcre: "/ 4889: | 793: /"; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003610; sid: 5003610; rev: 1;) #alert any any any -> any any (msg: "[WINDOWS-SECURITY] A configuration 
entry changed in Certificate Services"; pcre: "/ 4891: | 795: /"; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003611; sid: 5003611; rev: 1;) #alert any any any -> any any (msg: "[WINDOWS-SECURITY] Certificate Services archived a key"; pcre: "/ 4893: | 797: /"; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003612; sid: 5003612; rev: 1;) #alert any any any -> any any (msg: "[WINDOWS-SECURITY] Certificate Services imported and archived a key"; pcre: "/ 4894: | 798: /"; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003613; sid: 5003613; rev: 1;) #alert any any any -> any any (msg: "[WINDOWS-SECURITY] Certificate Services published the CA certificate to Active Directory Domain Services"; pcre: "/ 4895: | 799: /"; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003614; sid: 5003614; rev: 1;) #alert any any any -> any any (msg: "[WINDOWS-SECURITY] Certificate Services loaded a template"; pcre: "/ 4898: | 802: /"; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003615; sid: 5003615; rev: 1;) #alert any any any -> any any (msg: 
"[WINDOWS-SECURITY] The Per-user audit policy table was created"; content: " 4902|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003616; sid: 5003616; rev: 1;) #alert any any any -> any any (msg: "[WINDOWS-SECURITY] An attempt was made to register a security event source"; content: " 4904|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003617; sid: 5003617; rev: 1;) #alert any any any -> any any (msg: "[WINDOWS-SECURITY] An attempt was made to unregister a security event source"; content: " 4905|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003618; sid: 5003618; rev: 1;) #alert any any any -> any any (msg: "[WINDOWS-SECURITY] The local policy settings for the TBS were changed"; content: " 4909|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003619; sid: 5003619; rev: 1;) #alert any any any -> any any (msg: "[WINDOWS-SECURITY] The Group Policy settings for the TBS were changed"; content: " 4910|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003620; sid: 5003620; rev: 1;) #alert any any any 
-> any any (msg: "[WINDOWS-SECURITY] An Active Directory replica source naming context was established"; content: " 4928|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003621; sid: 5003621; rev: 1;) #alert any any any -> any any (msg: "[WINDOWS-SECURITY] An Active Directory replica source naming context was removed"; content: " 4929|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003622; sid: 5003622; rev: 1;) #alert any any any -> any any (msg: "[WINDOWS-SECURITY] An Active Directory replica source naming context was modified"; content: " 4930|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003623; sid: 5003623; rev: 1;) #alert any any any -> any any (msg: "[WINDOWS-SECURITY] An Active Directory replica destination naming context was modified"; content: " 4931|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003624; sid: 5003624; rev: 1;) #alert any any any -> any any (msg: "[WINDOWS-SECURITY] Synchronization of a replica of an Active Directory naming context has begun"; content: " 4932|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; 
reference: url,wiki.quadrantsec.com/bin/view/Main/5003625; sid: 5003625; rev: 1;) #alert any any any -> any any (msg: "[WINDOWS-SECURITY] Synchronization of a replica of an Active Directory naming context has ended"; content: " 4933|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003626; sid: 5003626; rev: 1;) #alert any any any -> any any (msg: "[WINDOWS-SECURITY] Attributes of an Active Directory object were replicated"; content: " 4934|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003627; sid: 5003627; rev: 1;) #alert any any any -> any any (msg: "[WINDOWS-SECURITY] Replication failure begins"; content: " 4935|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003628; sid: 5003628; rev: 1;) #alert any any any -> any any (msg: "[WINDOWS-SECURITY] Replication failure ends"; content: " 4936|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003629; sid: 5003629; rev: 1;) #alert any any any -> any any (msg: "[WINDOWS-SECURITY] A lingering object was removed from a replica"; content: " 4937|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: 
url,wiki.quadrantsec.com/bin/view/Main/5003630; sid: 5003630; rev: 1;) #alert any any any -> any any (msg: "[WINDOWS-SECURITY] The following policy was active when the Windows Firewall started"; content: " 4944|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003631; sid: 5003631; rev: 1;) #alert any any any -> any any (msg: "[WINDOWS-SECURITY] A rule was listed when the Windows Firewall started"; content: " 4945|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003632; sid: 5003632; rev: 1;) #alert any any any -> any any (msg: "[WINDOWS-SECURITY] A change has been made to Windows Firewall exception list"; content: " 4946|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003633; sid: 5003633; rev: 1;) #alert any any any -> any any (msg: "[WINDOWS-SECURITY] A change has been made to Windows Firewall exception list"; content: " 4947|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003634; sid: 5003634; rev: 1;) #alert any any any -> any any (msg: "[WINDOWS-SECURITY] A change has been made to Windows Firewall exception list"; content: " 4948|3a| "; classtype: system-event; program: *Security*; reference: 
url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003635; sid: 5003635; rev: 1;) #alert any any any -> any any (msg: "[WINDOWS-SECURITY] Windows Firewall settings were restored to the default values"; content: " 4949|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003636; sid: 5003636; rev: 1;) #alert any any any -> any any (msg: "[WINDOWS-SECURITY] A Windows Firewall setting has changed"; content: " 4950|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003637; sid: 5003637; rev: 1;) #alert any any any -> any any (msg: "[WINDOWS-SECURITY] A rule has been ignored because its major version number was not recognized by Windows Firewall"; content: " 4951|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003638; sid: 5003638; rev: 1;) #alert any any any -> any any (msg: "[WINDOWS-SECURITY] Parts of a rule have been ignored because its minor version number was not recognized by Windows Firewall"; content: " 4952|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003639; sid: 5003639; rev: 1;) #alert any any any -> any any (msg: "[WINDOWS-SECURITY] A rule has been ignored 
by Windows Firewall because it could not parse the rule"; content: " 4953|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003640; sid: 5003640; rev: 1;) #alert any any any -> any any (msg: "[WINDOWS-SECURITY] Windows Firewall Group Policy settings have changed"; content: " 4954|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003641; sid: 5003641; rev: 1;) #alert any any any -> any any (msg: "[WINDOWS-SECURITY] Windows Firewall has changed the active profile"; content: " 4956|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003642; sid: 5003642; rev: 1;) #alert any any any -> any any (msg: "[WINDOWS-SECURITY] Windows Firewall did not apply the following rule:"; content: " 4957|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003643; sid: 5003643; rev: 1;) #alert any any any -> any any (msg: "[WINDOWS-SECURITY] Windows Firewall did not apply the following rule because the rule referred to items not configured on this computer:"; content: " 4958|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: 
url,wiki.quadrantsec.com/bin/view/Main/5003644; sid: 5003644; rev: 1;) #alert any any any -> any any (msg: "[WINDOWS-SECURITY] IPsec Main Mode and Extended Mode security associations were established"; content: " 4979|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003645; sid: 5003645; rev: 1;) #alert any any any -> any any (msg: "[WINDOWS-SECURITY] IPsec Main Mode and Extended Mode security associations were established"; content: " 4980|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003646; sid: 5003646; rev: 1;) #alert any any any -> any any (msg: "[WINDOWS-SECURITY] IPsec Main Mode and Extended Mode security associations were established"; content: " 4981|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003647; sid: 5003647; rev: 1;) #alert any any any -> any any (msg: "[WINDOWS-SECURITY] IPsec Main Mode and Extended Mode security associations were established"; content: " 4982|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003648; sid: 5003648; rev: 1;) #alert any any any -> any any (msg: "[WINDOWS-SECURITY] The state of a transaction has changed"; content: " 4985|3a| "; classtype: system-event; program: *Security*; reference: 
url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003649; sid: 5003649; rev: 1;) #alert any any any -> any any (msg: "[WINDOWS-SECURITY] The Windows Firewall Service has started successfully"; content: " 5024|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003650; sid: 5003650; rev: 1;) #alert any any any -> any any (msg: "[WINDOWS-SECURITY] The Windows Firewall Service has been stopped"; content: " 5025|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003651; sid: 5003651; rev: 1;) #alert any any any -> any any (msg: "[WINDOWS-SECURITY] The Windows Firewall Service blocked an application from accepting incoming connections on the network"; content: " 5031|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003652; sid: 5003652; rev: 1;) #alert any any any -> any any (msg: "[WINDOWS-SECURITY] Windows Firewall was unable to notify the user that it blocked an application from accepting incoming connections on the network"; content: " 5032|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003653; sid: 5003653; rev: 1;) #alert any any any -> any any (msg: 
"[WINDOWS-SECURITY] The Windows Firewall Driver has started successfully"; content: " 5033|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003654; sid: 5003654; rev: 1;) #alert any any any -> any any (msg: "[WINDOWS-SECURITY] The Windows Firewall Driver has been stopped"; content: " 5034|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003655; sid: 5003655; rev: 1;) #alert any any any -> any any (msg: "[WINDOWS-SECURITY] A registry key was virtualized"; content: " 5039|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003656; sid: 5003656; rev: 1;) #alert any any any -> any any (msg: "[WINDOWS-SECURITY] A change has been made to IPsec settings"; content: " 5040|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003657; sid: 5003657; rev: 1;) #alert any any any -> any any (msg: "[WINDOWS-SECURITY] A change has been made to IPsec settings"; content: " 5041|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003658; sid: 5003658; rev: 1;) #alert any any any -> any any (msg: "[WINDOWS-SECURITY] A change has 
been made to IPsec settings"; content: " 5042|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003659; sid: 5003659; rev: 1;) #alert any any any -> any any (msg: "[WINDOWS-SECURITY] A change has been made to IPsec settings"; content: " 5043|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003660; sid: 5003660; rev: 1;) #alert any any any -> any any (msg: "[WINDOWS-SECURITY] A change has been made to IPsec settings"; content: " 5044|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003661; sid: 5003661; rev: 1;) #alert any any any -> any any (msg: "[WINDOWS-SECURITY] A change has been made to IPsec settings"; content: " 5045|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003662; sid: 5003662; rev: 1;) #alert any any any -> any any (msg: "[WINDOWS-SECURITY] A change has been made to IPsec settings"; content: " 5046|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003663; sid: 5003663; rev: 1;) #alert any any any -> any any (msg: "[WINDOWS-SECURITY] A change has been made to IPsec settings"; content: 
" 5047|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003664; sid: 5003664; rev: 1;) #alert any any any -> any any (msg: "[WINDOWS-SECURITY] A change has been made to IPsec settings"; content: " 5048|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003665; sid: 5003665; rev: 1;) #alert any any any -> any any (msg: "[WINDOWS-SECURITY] An attempt to programmatically disable the Windows Firewall using a call to InetFwProfile"; content: " 5050|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003666; sid: 5003666; rev: 1;) #alert any any any -> any any (msg: "[WINDOWS-SECURITY] A file was virtualized"; content: " 5051|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003667; sid: 5003667; rev: 1;) #alert any any any -> any any (msg: "[WINDOWS-SECURITY] A cryptographic self test was performed"; content: " 5056|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003668; sid: 5003668; rev: 1;) #alert any any any -> any any (msg: "[WINDOWS-SECURITY] A cryptographic primitive operation failed"; content: " 
5057|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003669; sid: 5003669; rev: 1;) #alert any any any -> any any (msg: "[WINDOWS-SECURITY] Key file operation"; content: " 5058|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003670; sid: 5003670; rev: 1;) #alert any any any -> any any (msg: "[WINDOWS-SECURITY] Key migration operation"; content: " 5059|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003671; sid: 5003671; rev: 1;) #alert any any any -> any any (msg: "[WINDOWS-SECURITY] Verification operation failed"; content: " 5060|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003672; sid: 5003672; rev: 1;) #alert any any any -> any any (msg: "[WINDOWS-SECURITY] Cryptographic operation"; content: " 5061|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003673; sid: 5003673; rev: 1;) #alert any any any -> any any (msg: "[WINDOWS-SECURITY] A kernel-mode cryptographic self test was performed"; content: " 5062|3a| "; classtype: system-event; program: *Security*; reference: 
url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003674; sid: 5003674; rev: 1;) #alert any any any -> any any (msg: "[WINDOWS-SECURITY] A cryptographic provider operation was attempted"; content: " 5063|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003675; sid: 5003675; rev: 1;) #alert any any any -> any any (msg: "[WINDOWS-SECURITY] A cryptographic context operation was attempted"; content: " 5064|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003676; sid: 5003676; rev: 1;) #alert any any any -> any any (msg: "[WINDOWS-SECURITY] A cryptographic context modification was attempted"; content: " 5065|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003677; sid: 5003677; rev: 1;) #alert any any any -> any any (msg: "[WINDOWS-SECURITY] A cryptographic function operation was attempted"; content: " 5066|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003678; sid: 5003678; rev: 1;) #alert any any any -> any any (msg: "[WINDOWS-SECURITY] A cryptographic function modification was attempted"; content: " 5067|3a| "; classtype: system-event; program: *Security*; 
reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003679; sid: 5003679; rev: 1;) #alert any any any -> any any (msg: "[WINDOWS-SECURITY] A cryptographic function provider operation was attempted"; content: " 5068|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003680; sid: 5003680; rev: 1;) #alert any any any -> any any (msg: "[WINDOWS-SECURITY] A cryptographic function property operation was attempted"; content: " 5069|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003681; sid: 5003681; rev: 1;) #alert any any any -> any any (msg: "[WINDOWS-SECURITY] A cryptographic function property modification was attempted"; content: " 5070|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003682; sid: 5003682; rev: 1;) #alert any any any -> any any (msg: "[WINDOWS-SECURITY] A request was submitted to the OCSP Responder Service"; content: " 5125|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003683; sid: 5003683; rev: 1;) #alert any any any -> any any (msg: "[WINDOWS-SECURITY] Signing Certificate was automatically updated by the OCSP Responder Service"; 
content: " 5126|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003684; sid: 5003684; rev: 1;) #alert any any any -> any any (msg: "[WINDOWS-SECURITY] The OCSP Revocation Provider successfully updated the revocation information"; content: " 5127|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003685; sid: 5003685; rev: 1;) #alert any any any -> any any (msg: "[WINDOWS-SECURITY] A directory service object was modified"; pcre: "/ 5136: | 566: /"; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003686; sid: 5003686; rev: 1;) #alert any any any -> any any (msg: "[WINDOWS-SECURITY] A directory service object was created"; pcre: "/ 5137: | 566: /"; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003687; sid: 5003687; rev: 1;) #alert any any any -> any any (msg: "[WINDOWS-SECURITY] A directory service object was undeleted"; content: " 5138|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003688; sid: 5003688; rev: 1;) #alert any any any -> any any (msg: "[WINDOWS-SECURITY] A directory service object was moved"; 
content: " 5139|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003689; sid: 5003689; rev: 1;) #alert any any any -> any any (msg: "[WINDOWS-SECURITY] A network share object was accessed"; content: " 5140|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003690; sid: 5003690; rev: 1;) #alert any any any -> any any (msg: "[WINDOWS-SECURITY] A directory service object was deleted"; content: " 5141|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003691; sid: 5003691; rev: 1;) #alert any any any -> any any (msg: "[WINDOWS-SECURITY] The Windows Filtering Platform blocked a packet"; content: " 5152|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003692; sid: 5003692; rev: 1;) #alert any any any -> any any (msg: "[WINDOWS-SECURITY] A more restrictive Windows Filtering Platform filter has blocked a packet"; content: " 5153|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003693; sid: 5003693; rev: 1;) #alert any any any -> any any (msg: "[WINDOWS-SECURITY] The Windows Filtering Platform has permitted an 
application or service to listen on a port for incoming connections"; content: " 5154|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003694; sid: 5003694; rev: 1;) #alert any any any -> any any (msg: "[WINDOWS-SECURITY] The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections"; content: " 5155|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003695; sid: 5003695; rev: 1;) #alert any any any -> any any (msg: "[WINDOWS-SECURITY] The Windows Filtering Platform has allowed a connection"; content: " 5156|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003696; sid: 5003696; rev: 1;) #alert any any any -> any any (msg: "[WINDOWS-SECURITY] The Windows Filtering Platform has blocked a connection"; content: " 5157|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003697; sid: 5003697; rev: 1;) #alert any any any -> any any (msg: "[WINDOWS-SECURITY] The Windows Filtering Platform has permitted a bind to a local port"; content: " 5158|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: 
url,wiki.quadrantsec.com/bin/view/Main/5003698; sid: 5003698; rev: 1;) #alert any any any -> any any (msg: "[WINDOWS-SECURITY] The Windows Filtering Platform has blocked a bind to a local port"; content: " 5159|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003699; sid: 5003699; rev: 1;) #alert any any any -> any any (msg: "[WINDOWS-SECURITY] The requested credentials delegation was disallowed by policy"; content: " 5378|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003700; sid: 5003700; rev: 1;) #alert any any any -> any any (msg: "[WINDOWS-SECURITY] The following callout was present when the Windows Filtering Platform Base Filtering Engine started"; content: " 5440|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003701; sid: 5003701; rev: 1;) #alert any any any -> any any (msg: "[WINDOWS-SECURITY] The following filter was present when the Windows Filtering Platform Base Filtering Engine started"; content: " 5441|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003702; sid: 5003702; rev: 1;) #alert any any any -> any any (msg: "[WINDOWS-SECURITY] The following provider was present when the Windows Filtering Platform Base Filtering Engine started"; content: " 5442|3a| "; classtype: 
system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003703; sid: 5003703; rev: 1;) #alert any any any -> any any (msg: "[WINDOWS-SECURITY] The following provider context was present when the Windows Filtering Platform Base Filtering Engine started"; content: " 5443|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003704; sid: 5003704; rev: 1;) #alert any any any -> any any (msg: "[WINDOWS-SECURITY] The following sublayer was present when the Windows Filtering Platform Base Filtering Engine started"; content: " 5444|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003705; sid: 5003705; rev: 1;) #alert any any any -> any any (msg: "[WINDOWS-SECURITY] A Windows Filtering Platform callout has been changed"; content: " 5446|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003706; sid: 5003706; rev: 1;) #alert any any any -> any any (msg: "[WINDOWS-SECURITY] A Windows Filtering Platform filter has been changed"; content: " 5447|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003707; sid: 5003707; rev: 1;) #alert any any any 
-> any any (msg: "[WINDOWS-SECURITY] A Windows Filtering Platform provider has been changed"; content: " 5448|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003708; sid: 5003708; rev: 1;) #alert any any any -> any any (msg: "[WINDOWS-SECURITY] A Windows Filtering Platform provider context has been changed"; content: " 5449|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003709; sid: 5003709; rev: 1;) #alert any any any -> any any (msg: "[WINDOWS-SECURITY] A Windows Filtering Platform sublayer has been changed"; content: " 5450|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003710; sid: 5003710; rev: 1;) #alert any any any -> any any (msg: "[WINDOWS-SECURITY] An IPsec Quick Mode security association was established"; content: " 5451|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003711; sid: 5003711; rev: 1;) #alert any any any -> any any (msg: "[WINDOWS-SECURITY] An IPsec Quick Mode security association ended"; content: " 5452|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003712; sid: 
5003712; rev: 1;) #alert any any any -> any any (msg: "[WINDOWS-SECURITY] PAStore Engine applied Active Directory storage IPsec policy on the computer"; content: " 5456|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003713; sid: 5003713; rev: 1;) #alert any any any -> any any (msg: "[WINDOWS-SECURITY] PAStore Engine failed to apply Active Directory storage IPsec policy on the computer"; content: " 5457|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003714; sid: 5003714; rev: 1;) #alert any any any -> any any (msg: "[WINDOWS-SECURITY] PAStore Engine applied locally cached copy of Active Directory storage IPsec policy on the computer"; content: " 5458|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003715; sid: 5003715; rev: 1;) #alert any any any -> any any (msg: "[WINDOWS-SECURITY] PAStore Engine failed to apply locally cached copy of Active Directory storage IPsec policy on the computer"; content: " 5459|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003716; sid: 5003716; rev: 1;) #alert any any any -> any any (msg: "[WINDOWS-SECURITY] PAStore Engine applied local registry storage IPsec policy on the computer"; content: " 5460|3a| "; classtype: system-event; program: *Security*; 
reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003717; sid: 5003717; rev: 1;) #alert any any any -> any any (msg: "[WINDOWS-SECURITY] PAStore Engine failed to apply local registry storage IPsec policy on the computer"; content: " 5461|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003718; sid: 5003718; rev: 1;) #alert any any any -> any any (msg: "[WINDOWS-SECURITY] PAStore Engine failed to apply some rules of the active IPsec policy on the computer"; content: " 5462|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003719; sid: 5003719; rev: 1;) #alert any any any -> any any (msg: "[WINDOWS-SECURITY] PAStore Engine polled for changes to the active IPsec policy and detected no changes"; content: " 5463|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003720; sid: 5003720; rev: 1;) #alert any any any -> any any (msg: "[WINDOWS-SECURITY] PAStore Engine polled for changes to the active IPsec policy"; content: " 5464|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003721; sid: 5003721; rev: 1;) #alert any any any -> any any (msg: "[WINDOWS-SECURITY] 
PAStore Engine received a control for forced reloading of IPsec policy and processed the control successfully"; content: " 5465|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003722; sid: 5003722; rev: 1;) #alert any any any -> any any (msg: "[WINDOWS-SECURITY] PAStore Engine polled for changes to the Active Directory IPsec policy"; content: " 5466|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003723; sid: 5003723; rev: 1;) #alert any any any -> any any (msg: "[WINDOWS-SECURITY] PAStore Engine polled for changes to the Active Directory IPsec policy"; content: " 5467|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003724; sid: 5003724; rev: 1;) #alert any any any -> any any (msg: "[WINDOWS-SECURITY] PAStore Engine polled for changes to the Active Directory IPsec policy"; content: " 5468|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003725; sid: 5003725; rev: 1;) #alert any any any -> any any (msg: "[WINDOWS-SECURITY] PAStore Engine loaded local storage IPsec policy on the computer"; content: " 5471|3a| "; classtype: system-event; program: *Security*; reference: 
url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003726; sid: 5003726; rev: 1;) #alert any any any -> any any (msg: "[WINDOWS-SECURITY] PAStore Engine failed to load local storage IPsec policy on the computer"; content: " 5472|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003727; sid: 5003727; rev: 1;) #alert any any any -> any any (msg: "[WINDOWS-SECURITY] PAStore Engine loaded directory storage IPsec policy on the computer"; content: " 5473|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003728; sid: 5003728; rev: 1;) #alert any any any -> any any (msg: "[WINDOWS-SECURITY] PAStore Engine failed to load directory storage IPsec policy on the computer"; content: " 5474|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003729; sid: 5003729; rev: 1;) #alert any any any -> any any (msg: "[WINDOWS-SECURITY] PAStore Engine failed to add quick mode filter"; content: " 5477|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003730; sid: 5003730; rev: 1;) #alert any any any -> any any (msg: "[WINDOWS-SECURITY] IPsec Services has been shut down successfully"; content: " 
5479|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003731; sid: 5003731; rev: 1;) #alert any any any -> any any (msg: "[WINDOWS-SECURITY] A request was made to authenticate to a wireless network"; content: " 5632|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003732; sid: 5003732; rev: 1;) #alert any any any -> any any (msg: "[WINDOWS-SECURITY] A request was made to authenticate to a wired network"; content: " 5633|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003733; sid: 5003733; rev: 1;) #alert any any any -> any any (msg: "[WINDOWS-SECURITY] A Remote Procedure Call (RPC) was attempted"; content: " 5712|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003734; sid: 5003734; rev: 1;) #alert any any any -> any any (msg: "[WINDOWS-SECURITY] An object in the COM+ Catalog was modified"; content: " 5888|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003735; sid: 5003735; rev: 1;) #alert any any any -> any any (msg: "[WINDOWS-SECURITY] An object was deleted from the COM+ Catalog"; content: " 
5889|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003736; sid: 5003736; rev: 1;) #alert any any any -> any any (msg: "[WINDOWS-SECURITY] An object was added to the COM+ Catalog"; content: " 5890|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003737; sid: 5003737; rev: 1;) #alert any any any -> any any (msg: "[WINDOWS-SECURITY] The previous system shutdown was unexpected"; content: " 6008|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003738; sid: 5003738; rev: 1;) #alert any any any -> any any (msg: "[WINDOWS-SECURITY] Security policy in the Group Policy objects has been applied successfully"; content: " 6144|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003739; sid: 5003739; rev: 1;) #alert any any any -> any any (msg: "[WINDOWS-SECURITY] Network Policy Server granted access to a user"; content: " 6272|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003740; sid: 5003740; rev: 1;) #alert any any any -> any any (msg: "[WINDOWS-SECURITY] A handle to an object was requested"; content: " 
561|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003741; sid: 5003741; rev: 1;) #alert any any any -> any any (msg: "[WINDOWS-SECURITY] Object open for delete"; content: " 563|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003742; sid: 5003742; rev: 1;) #alert any any any -> any any (msg: "[WINDOWS-SECURITY] User Account Type Changed"; content: " 625|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003743; sid: 5003743; rev: 1;) #alert any any any -> any any (msg: "[WINDOWS-SECURITY] IPsec policy agent started"; content: " 613|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003744; sid: 5003744; rev: 1;) #alert any any any -> any any (msg: "[WINDOWS-SECURITY] IPsec policy agent disabled"; content: " 614|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003745; sid: 5003745; rev: 1;) #alert any any any -> any any (msg: "[WINDOWS-SECURITY] IPsec policy agent"; content: " 615|3a| "; classtype: system-event; program: *Security*; reference: 
url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003746; sid: 5003746; rev: 1;) #alert any any any -> any any (msg: "[WINDOWS-SECURITY] IPsec policy agent encountered a potential serious failure"; content: " 616|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003747; sid: 5003747; rev: 1;) #alert any any any -> any any (msg: "[WINDOWS-SECURITY] Encryption of volume started"; content: " 24577|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003748; sid: 5003748; rev: 1;) #alert any any any -> any any (msg: "[WINDOWS-SECURITY] Encryption of volume stopped"; content: " 24578|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003749; sid: 5003749; rev: 1;) #alert any any any -> any any (msg: "[WINDOWS-SECURITY] Encryption of volume completed"; content: " 24579|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003750; sid: 5003750; rev: 1;) #alert any any any -> any any (msg: "[WINDOWS-SECURITY] Decryption of volume started"; content: " 24580|3a| "; classtype: system-event; program: *Security*; reference: 
url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003751; sid: 5003751; rev: 1;) #alert any any any -> any any (msg: "[WINDOWS-SECURITY] Decryption of volume stopped"; content: " 24581|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003752; sid: 5003752; rev: 1;) #alert any any any -> any any (msg: "[WINDOWS-SECURITY] Decryption of volume completed"; content: " 24582|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003753; sid: 5003753; rev: 1;) #alert any any any -> any any (msg: "[WINDOWS-SECURITY] Conversion worker thread for volume started"; content: " 24583|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003754; sid: 5003754; rev: 1;) #alert any any any -> any any (msg: "[WINDOWS-SECURITY] Conversion worker thread for volume temporarily stopped"; content: " 24584|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003755; sid: 5003755; rev: 1;) #alert any any any -> any any (msg: "[WINDOWS-SECURITY] The conversion operation on volume encountered a bad sector error"; content: " 24588|3a| "; classtype: system-event; program: *Security*; reference: 
url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003756; sid: 5003756; rev: 1;) #alert any any any -> any any (msg: "[WINDOWS-SECURITY] Volume contains bad clusters"; content: " 24595|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003757; sid: 5003757; rev: 1;) #alert any any any -> any any (msg: "[WINDOWS-SECURITY] Initial state check: Rolling volume conversion transaction on"; content: " 24621|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003758; sid: 5003758; rev: 1;) #alert any any any -> any any (msg: "[WINDOWS-SECURITY] An IPsec Security Association was deleted"; content: " 5049|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003759; sid: 5003759; rev: 1;) #alert any any any -> any any (msg: "[WINDOWS-SECURITY] IPsec Services has started successfully"; content: " 5478|3a| "; classtype: system-event; program: *Security*; reference: url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md; reference: url,wiki.quadrantsec.com/bin/view/Main/5003760; sid: 5003760; rev: 1;) sagan-1.2.0/rules/windows-mssql.rules0000644000175000017500000001130213310533411016571 0ustar champchamp# Sagan windows-mssql.rules # Copyright (c) 2009-2017, Quadrant Information Security # All rights 
reserved. # # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list # #************************************************************* # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. # #************************************************************* # Windows based rules. # Eventlog to syslog service. This is what we primarily use. # http://code.google.com/p/eventlog-to-syslog/ # MSSQL$SERVER| 18456: Login failed for user 'DOMAIN\user'. Reason: Token-based server access validation failed with an infrastructure error. Check for previous errors. 
[CLIENT: ] # MSSQL$XXX| 18453: Login succeeded for user 'DOMAIN\user'. Connection: trusted. [CLIENT: ] # MSSQLSERVER| 18456: Login failed for user 'BOB'. Reason: Failed to open the explicitly specified database. [CLIENT: 10.5.5.6] # |MSSQLSERVER| 19030: SQL Trace ID 2 was started by login "DOMAIN\user". # MSSQLSERVER| 19031: SQL Trace stopped. Trace ID = '2'. Login Name = 'DOMAIN\user'. # MSSQL$XXX| 833: SQL Server has encountered 1 occurrence(s) of I/O requests taking longer than 15 seconds to complete on file [E:\\Data\test.mdf] in database [] (17). The OS file handle is 0x0000000000000AF8. The offset of the latest long I/O is: 0x0000003a7a0000 # |MSSQLSERVER| 18451: Login failed for user 'DOMAIN\users'. Only administrators may connect at this time. [CLIENT: 10.1.6.1] # |MSSQLSERVER| 26022: Server is listening on # MSSQLSERVER| 18452: Login failed. The login is from an untrusted domain and cannot be used with Windows authentication. [CLIENT: 10.1.3.9] # MSSQLSERVER| 17147: SQL Server is terminating because of a system shutdown. This is an informational message only. No user action is required. # 17162: SQL Server is starting at normal priority base (=7). This is an informational message only. No user action is required. 
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MSSQL] Login Failure"; content: " 18456|3a| "; default_proto: tcp; default_dst_port: $MSSQL_PORT; classtype: unsuccessful-user; program: MSSQL*|Application; reference: url,wiki.quadrantsec.com/bin/view/Main/5001640; sid: 5001640; rev:6;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MSSQL] Login Failure - Brute force [25/1]"; content: " 18456|3a| "; content:!"local machine"; content:!"named pipe"; parse_src_ip: 1; default_proto: tcp; default_dst_port: $MSSQL_PORT; classtype: unsuccessful-user; program: MSSQL*|Application; xbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; fwsam: src, 1 day; reference: url,wiki.quadrantsec.com/bin/view/Main/5001641; sid: 5001641; rev:13;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MSSQL] Login Failure from non-trusted connection - Brute force [25/1]"; content: " 18452|3a| "; parse_src_ip: 1; default_proto: tcp; default_dst_port: $MSSQL_PORT; classtype: unsuccessful-user; program: MSSQL*|Application; xbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; fwsam: src, 1 day; reference: url,wiki.quadrantsec.com/bin/view/Main/5002402; sid:5002402; rev:4;) sagan-1.2.0/rules/zeus.rules0000644000175000017500000000623713310533411014743 0ustar champchamp# Sagan zeus.rules # Copyright (c) 2009-2017, Quadrant Information Security # All rights reserved. 
# # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list # #************************************************************* # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
# #************************************************************* alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[ZEUS] Authentication failure"; content: "Authentication failure"; classtype: unsuccessful-user; program: zeus; reference: url,wiki.quadrantsec.com/bin/view/Main/5000279; sid: 5000279; rev:3;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[ZEUS] Configuration warning [ignored]"; content: "Unknown directive; classtype: system-event; program: zeus; reference: url,wiki.quadrantsec.com/bin/view/Main/5000280; sid: 5000280; rev:3;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[ZEUS] Informational message"; pcre: "/^[\S+ \S+] INFO|^[\S+ \S+] SSL/"; classtype: system-event; program: zeus; reference: url,wiki.quadrantsec.com/bin/view/Main/5000281; sid: 5000281; rev:3;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[ZEUS] Warning message"; pcre: "/^[\S+ \S+] WARN/"; classtype: system-event; program: zeus; reference: url,wiki.quadrantsec.com/bin/view/Main/5000282; sid: 5000282; rev:3;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[ZEUS] Serious message"; pcre: "/^[\S+ \S+] SERIOUS/"; classtype: system-event; program: zeus; reference: url,wiki.quadrantsec.com/bin/view/Main/5000283; sid: 5000283; rev:3;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[ZEUS] Fatal message"; pcre: "/^[\S+ \S+] FATAL/"; classtype: system-event; program: zeus; reference: url,wiki.quadrantsec.com/bin/view/Main/5000284; sid: 5000284; rev:3;) sagan-1.2.0/rules/riverbed-aetas.rules0000644000175000017500000000462113310533411016645 0ustar champchamp# Sagan riverbed-aetas.rules # Copyright (c) 2009-2017, Quadrant Information Security # All rights reserved. 
# # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list # #************************************************************* # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. # #************************************************************* # SSH logins are covered for Riverbed via the openssh.rules and openssh-geoip.rules # Champ Clark (04/15/2014) # 10.3.1.1|local1|notice|notice|8d|2014-04-16|13:41:29|webasd| [web.NOTICE]: web: User bob logged in from 10.7.8.1, session count: 1. 
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[RIVERBED-AETAS] Administrator Login at suspicious time"; content: "logged in"; parse_src_ip: 1; default_proto: tcp; default_dst_port: $HTTPS_PORT; classtype: successful-admin; alert_time: days $SAGAN_DAYS, hours $SAGAN_HOURS; reference: url,wiki.quadrantsec.com/bin/view/Main/5002053; program: webasd; sid: 5002053; rev:3;) sagan-1.2.0/rules/zimbra-geoip.rules0000644000175000017500000000716313310533411016341 0ustar champchamp# Sagan zimbra-geoip.rules # Copyright (c) 2009-2017, Quadrant Information Security # All rights reserved. # # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list # #************************************************************* # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. 
IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. # #************************************************************* # # See zimbra-geoip.rules for setup information. # For /var/log/zimbra.log # Dec 7 13:59:30 a postfix/smtps/smtpd[28325]: 755F86401D84: client=unknown[10.10.1.10], sasl_method=PLAIN, sasl_username=frank alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[ZIMBRA-GEOIP] SASL Authentication from outside HOME_COUNTRY"; content: "sasl_method="; content: "sasl_username="; classtype: successful-user; reference: url,wiki.quadrantsec.com/bin/view/Main/5003034; parse_src_ip: 1; program: zimbra; country_code: track by_src, isnot $HOME_COUNTRY; sid:5003034; rev:2;) # For /var/log/nginx.log # 10.10.1.10|local7|info|info|be|2016-12-07|15:06:10|nginx| 2016/12/07 10:28:47 [info] 28154#0: *4727323 client logged in, client: 91.131.2.231:57872, server: 0.0.0.0:993, login: "frank", upstream: 10.10.1.10:7993 (91.131.2.231:57872->10.7.1.73:993) <=> (10.10.1.10:35026->10.7.1.73:7993) alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[ZIMBRA-GEOIP] NGNIX Authentication from outside HOME_COUNTRY"; content: "client logged in"; classtype: successful-user; reference: url,wiki.quadrantsec.com/bin/view/Main/5003035; parse_src_ip: 1; program: ngnix; country_code: track by_src, isnot $HOME_COUNTRY; sid:5003035; rev:2;) # For /var/log/ews.log # 2016-12-07 00:05:42,514 INFO [qtp1684106402-2033718:https:https://webmail.example.com:8443/ews/Exchange.asmx] 
[name=frank@example.com;ip=73.15.217.31;port=51998;ua=MacOSX/(G)ExchangeWebServices/()AddressBookSourceSync/();] ews - The account: 9d89ec1f-19b1-4785-8f3a-c4e0427ce48b is on local server. alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[ZIMBRA-GEOIP] EWS Authentication from outside HOME_COUNTRY"; content: "is on local server"; classtype: successful-user; reference: url,wiki.quadrantsec.com/bin/view/Main/5003036; parse_src_ip: 1; program: ews; country_code: track by_src, isnot $HOME_COUNTRY; sid:5003036; rev:2;) sagan-1.2.0/rules/samba.rules0000644000175000017500000000606113310533411015033 0ustar champchamp# Sagan samba.rules # Copyright (c) 2009-2017, Quadrant Information Security # All rights reserved. # # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list # #************************************************************* # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. 
IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. # #************************************************************* #alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[SAMBA] Startup network problem"; content: "getpeername failed. Error was Transport endpoint"; classtype: program-error; program: smbd; reference: url,wiki.quadrantsec.com/bin/view/Main/5000145; sid: 5000145; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[SAMBA] Connection denied"; pcre: "/denied connection from|connection denied from/i"; nocase; classtype: unsuccessful-user; program: smbd; reference: url,wiki.quadrantsec.com/bin/view/Main/5000146; sid: 5000146; rev:2;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[SAMBA] Connection reset by peer"; content: "Connection reset by peer"; classtype: not-suspicious; program: smbd; reference: url,wiki.quadrantsec.com/bin/view/Main/5000147; sid: 5000147; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[SAMBA] User action denied by configuration"; content: "Permission denied"; classtype: unsuccessful-user; program: smbd; reference: url,wiki.quadrantsec.com/bin/view/Main/5000375; sid: 5000375; rev:2;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[SAMBA] Unable to connect to CUPS server"; content: "Unable to connect to CUPS server"; classtype: program-error; program: smbd; reference: url,wiki.quadrantsec.com/bin/view/Main/5000148; sid: 5000148; rev:2;) sagan-1.2.0/rules/vmware.rules0000644000175000017500000001335613310533411015256 0ustar champchamp# Sagan 
vmware.rules # Copyright (c) 2009-2017, Quadrant Information Security # All rights reserved. # # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list # #************************************************************* # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
# #************************************************************* # VMWare ESX #alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[VMWARE] User login successful"; pcre: "/Accepted password for|login from/i"; default_proto:tcp; classtype: successful-admin; program: vmware-hostd|vmware-authd; reference: url,wiki.quadrantsec.com/bin/view/Main/5000204; sid: 5000204; rev:2;) drop any $EXTERNAL_NET any -> $HOME_NET any (msg:"[VMWARE] User authentication failure - Brute force [5/5]"; content: "Rejected password for"; default_proto:tcp; classtype: unsuccessful-admin; program: vmware-hostd|vmware-authd; parse_src_ip: 1; after: track by_src, count 5, seconds 300; threshold: type limit, track by_src, count 5, seconds 300; fwsam: src, 1 day; xbits: set,brute_force,21600; reference: url,wiki.quadrantsec.com/bin/view/Main/5000206; sid: 5000206; rev:6;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[VMWARE] User authentication failure"; content: "Rejected password for"; default_proto:tcp; classtype: unsuccessful-admin; program: vmware-hostd|vmware-authd; reference: url,wiki.quadrantsec.com/bin/view/Main/5001529; sid: 5001529; rev:2;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[VMWARE] Virtual machine state change to OFF"; content: "VM_STATE_OFF"; default_proto:tcp; classtype: system-event; reference: url,wiki.quadrantsec.com/bin/view/Main/5000208; sid: 5000208; rev:2;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[VMWARE] Virtual machine being turned ON"; content: "VM_STATE_POWERING_ON"; default_proto:tcp; classtype: system-event; reference: url,wiki.quadrantsec.com/bin/view/Main/5000380; sid: 5000380; rev:2;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[VMWARE] Virtual machine state change to ON"; content: "VM_STATE_ON"; default_proto:tcp; classtype: system-event; reference: url,wiki.quadrantsec.com/bin/view/Main/5000209; sid: 5000209; rev:2; ) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[VMWARE] Virtual machine being reconfigured"; content: 
"VM_STATE_RECONFIGURING"; default_proto:tcp; classtype: configuration-change; reference: url,wiki.quadrantsec.com/bin/view/Main/5000210; sid: 5000210; rev:2;) # VMWare ESXi 4.1 (Champ Clark III 06/02/2011) # # Jun 3 01:23:12 10.10.10.10 Hostd: [2011-06-03 01:23:12.139 2351BB90 info 'ha-eventmgr' opID=58D44130-00000003] Event 285 : User root@10.10.10.1 logged in # Jun 3 01:23:20 10.10.10.10 Hostd: [2011-06-03 01:23:20.106 2351BB90 info 'ha-eventmgr' opID=58D44130-00000030] Event 286 : User root logged out #alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[VMWARE] User login successful"; content: " logged in "; default_proto:tcp; classtype: successful-admin; parse_src_ip: 1; program: Hostd; reference: url,wiki.quadrantsec.com/bin/view/Main/5001097; sid: 5001097; rev:4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[VMWARE] User logoff successful"; content: " logged out "; default_proto:tcp; classtype: successful-admin; program: Hostd; reference: url,wiki.quadrantsec.com/bin/view/Main/5001098; sid: 5001098; rev:3;) # vmware - 10/11/2011 - Champ Clark #2012-01-30T17:51:04.722Z [24C79B90 info 'ha-eventmgr'] Event 36 : User root logged out #2012-01-30T17:51:04.919Z [24C79B90 info 'Vimsvc'] [Auth]: User root #2012-01-30T17:51:04.920Z [24C79B90 info 'ha-eventmgr'] Event 37 : User root@192.168.1.1 logged in alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[VMWARE] Lost access to volume"; content: "Event 37 : "; default_proto:tcp; classtype: hardware-event; program: Hostd; reference: url,wiki.quadrantsec.com/bin/view/Main/5001098; sid: 5001099; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[VMWARE] Possible HD/Datastore failure"; content: ": 1672: "; default_proto:tcp; classtype: hardware-event; program: vmkernel; reference: url,wiki.quadrantsec.com/bin/view/Main/5001100; sid: 5001100; rev:2;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[VMWARE] User login successful"; content: "Accepted password"; default_proto:tcp; classtype: 
successful-admin; program: Hostd; normalize; reference: url,wiki.quadrantsec.com/bin/view/Main/5001101; sid: 5001101; rev:3;) sagan-1.2.0/rules/citrix.rules0000644000175000017500000022322613310533411015256 0ustar champchamp# Sagan citrix.rules # Copyright (c) 2009-2017, Quadrant Information Security # All rights reserved. # # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list # #************************************************************* # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
# Citrix appliances/devices/software
url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001205; sid: 5001205; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - AppFw rule bound to HTML profile"; content: "AF_BIND_TO_PROFILE"; classtype: configuration-change; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001206; sid: 5001206; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - AppFw rule bound to XML profile"; content: "AF_BIND_XML_TO_PROFILE"; classtype: configuration-change; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001207; sid: 5001207; rev:2;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Memory allocation request failed"; content: "AF_MEMORY_ERR"; classtype: program-error; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001208; sid: 5001208; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Remove a confidential field"; content: "AF_RM_CFFIELD"; classtype: configuration-change; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001209; sid: 5001209; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Remove an Appfw Field Type"; content: "AF_RM_FIELDTYPE"; classtype: configuration-change; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001210; sid: 5001210; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Remove an AppFw profile"; content: "AF_RM_PROFILE"; classtype: configuration-change; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001211; sid: 5001211; rev:2;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - 
Appsecure uthread a stack error"; content: "AF_UTHREAD_STACK_ERR"; classtype: program-error; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001212; sid: 5001212; rev:2;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - SNMP module stopped an alarm"; content: "ALERTENDED"; classtype: program-error; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001213; sid: 5001213; rev:2;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - SNMP module alarm"; content: "ALERTSTARTED"; classtype: program-error; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001214; sid: 5001214; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - AppFw Buffer Overflow violation in Cookie"; content: "APPFW_BUFFEROVERFLOW_COOKIE"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001215; sid: 5001215; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - AppFw Buffer Overflow violation in HTTP Headers"; content: "APPFW_BUFFEROVERFLOW_HDR"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001216; sid: 5001216; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - AppFw Buffer Overflow violation in URL"; content: "APPFW_BUFFEROVERFLOW_URL"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001217; sid: 5001217; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - AppFw Cookie Consistency violation"; content: "APPFW_COOKIE"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; 
reference: url,wiki.quadrantsec.com/bin/view/Main/5001218; sid: 5001218; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - AppFw CSRF tag violation"; content: "APPFW_CSRF_TAG"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001219; sid: 5001219; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - AppFw DenyURL violation"; content: "APPFW_DENYURL"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001220; sid: 5001220; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - AppFw Field Consistency violation"; content: "APPFW_FIELDCONSISTENCY"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001221; sid: 5001221; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - AppFw Field Format violation"; content: "APPFW_FIELDFORMAT"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001222; sid: 5001222; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - AppFw profile invoked"; content: "APPFW_POLICY_HIT"; classtype: not-suspicious; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001223; sid: 5001223; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - AppFw built-in profile invoked"; content: "APPFW_POLICY_HIT_BUILTIN"; classtype: not-suspicious; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001224; sid: 5001224; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - AppFw Referer header violation"; content: 
"APPFW_REFERER_HEADER"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001225; sid: 5001225; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - AppFw Safe Commerce violation"; content: "APPFW_SAFECOMMERCE"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001226; sid: 5001226; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - AppFw Safe Commerce violation detected and transformed"; content: "APPFW_SAFECOMMERCE_XFORM"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001227; sid: 5001227; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - AppFw Safe Object violation"; content: "APPFW_SAFEOBJECT"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001228; sid: 5001228; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - AppFw SQL Injection violation"; content: "APPFW_SQL"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001229; sid: 5001229; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - AppFw StartURL violation"; content: "APPFW_STARTURL"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001230; sid: 5001230; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Boundary mismatch in mime message"; content: "APPFW_XML_ATTACHMENT_ERR_BOUNDARY_MISMATCH"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: 
url,wiki.quadrantsec.com/bin/view/Main/5001231; sid: 5001231; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - XML Attachment CallBack is NULL but HTTP message is MIME Attachment message"; content: "APPFW_XML_ATTACHMENT_ERR_CALLBACK_NULL"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001232; sid: 5001232; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - XML Message has an Attachment with Illegal Content-Type"; content: "APPFW_XML_ATTACHMENT_ERR_CONTENT_TYPE"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001233; sid: 5001233; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - String is supposed to be MIME Header. But it is not according to the format of Mime Header HeaderName:HeaderValue"; content: "APPFW_XML_ATTACHMENT_ERR_INVALIDHEADER"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001234; sid: 5001234; rev:2;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - HTTP Content type should be 'application/xop+xml' or '^(text|application)/([a-zA-Z]*+ xml|xml)'"; content: "APPFW_XML_ATTACHMENT_ERR_INVALID_HEADER"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001235; sid: 5001235; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - XML Message has an Attachment with size greater than the Configured Max Attachment Size"; content: "APPFW_XML_ATTACHMENT_ERR_MAX_SIZE"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001236; sid: 5001236; rev:2;) alert any $EXTERNAL_NET any 
-> $HOME_NET any (msg: "[CITRIX] Netscaler - Attachment Found in the XML Message"; content: "APPFW_XML_ATTACHMENT_FOUND"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001237; sid: 5001237; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - AppFw XML DDoS Send Fail Error"; content: "APPFW_XML_DDOS_ERR_MSG_SEND_FAIL"; classtype: attempted-dos; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001238; sid: 5001238; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Exceeds max character data length"; content: "APPFW_XML_DOS_ERR_CHAR_DATA_LENGTH"; classtype: attempted-dos; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001239; sid: 5001239; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - DTD present in the XML message"; content: "APPFW_XML_DOS_ERR_DTD"; classtype: attempted-dos; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001240; sid: 5001240; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - External entities present in the XML message"; content: "APPFW_XML_DOS_ERR_EXT_ENTITY"; classtype: attempted-dos; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001241; sid: 5001241; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - AppFw XML DoS Maximum Error"; content: "APPFW_XML_DOS_ERR_MAX"; classtype: attempted-dos; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001242; sid: 5001242; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Element exceeds maximum attributes per element"; content: 
"APPFW_XML_DOS_ERR_MAX_ATTRIBUTES"; classtype: attempted-dos; reference: url,support.citrix.com/article/CTX123876; reference: url,wiki.quadrantsec.com/bin/view/Main/5001243; sid: 5001243; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Element an attribute exceeds maximum name length"; content: "APPFW_XML_DOS_ERR_MAX_ATTRIBUTE_NAME_LENGTH"; classtype: attempted-dos; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001244; sid: 5001244; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Element attribute exceeds maximum attribute value length"; content: "APPFW_XML_DOS_ERR_MAX_ATTRIBUTE_VALUE_LENGTH"; classtype: attempted-dos; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001245; sid: 5001245; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Element exceeds maximum elements per message"; content: "APPFW_XML_DOS_ERR_MAX_ELEMENTS"; classtype: attempted-dos; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001246; sid: 5001246; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Parent of element exceed maximum children"; content: "APPFW_XML_DOS_ERR_MAX_ELEMENT_CHILDREN"; classtype: attempted-dos; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001247; sid: 5001247; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Element exceeds maximum element depth"; content: "APPFW_XML_DOS_ERR_MAX_ELEMENT_DEPTH"; classtype: attempted-dos; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001248; sid: 5001248; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Element exceeds maximum element name length"; content: 
"APPFW_XML_DOS_ERR_MAX_ELEMENT_NAME_LENGTH"; classtype: attempted-dos; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001249; sid: 5001249; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Exceeds max number of entity expansions"; content: "APPFW_XML_DOS_ERR_MAX_ENTITY_EXPANSIONS"; classtype: attempted-dos; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001250; sid: 5001250; rev:2;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Exceeds max entity expansion depth"; content: "APPFW_XML_DOS_ERR_MAX_ENTITY_EXPANSION_DEPTH"; classtype: attempted-dos; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001251; sid: 5001251; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Message size exceeds max size"; content: "APPFW_XML_DOS_ERR_MAX_FILE_SIZE"; classtype: attempted-dos; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001252; sid: 5001252; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Element exceeds maximum active namespaces"; content: "APPFW_XML_DOS_ERR_MAX_NAMESPACES"; classtype: attempted-dos; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001253; sid: 5001253; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - In element a namespace exceeds maximum URI length"; content: "APPFW_XML_DOS_ERR_MAX_NAMESPACEURI_LENGTH"; classtype: attempted-dos; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001254; sid: 5001254; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Node exceeds maximum nodes per message"; content: "APPFW_XML_DOS_ERR_MAX_NODES"; classtype: 
attempted-dos; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001255; sid: 5001255; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Message size less than min size"; content: "APPFW_XML_DOS_ERR_MIN_FILE_SIZE"; classtype: attempted-dos; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001256; sid: 5001256; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Processing instructions present in the XML message"; content: "APPFW_XML_DOS_ERR_PI"; classtype: attempted-dos; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001257; sid: 5001257; rev:2;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - AppFw XML Internal error"; content: "APPFW_XML_ERR_CUSTOM"; classtype: program-error; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001258; sid: 5001258; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - AppFw XML DDoS Connect to Server Failed"; content: "APPFW_XML_ERR_DDOS_CONNECT_TO_SERVER_FAILED"; classtype: attempted-dos; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001259; sid: 5001259; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - AppFw XML DDoS Interaction socket open Failed"; content: "APPFW_XML_ERR_DDOS_INTERATION_SOCKET_OPEN_FAIL"; classtype: attempted-dos; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001260; sid: 5001260; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - AppFw XML DDoS Invalid Config File"; content: "APPFW_XML_ERR_DDOS_INVALID_CONFIG_FILE"; classtype: attempted-dos; reference: url,support.citrix.com/article/CTX123875; reference: 
url,wiki.quadrantsec.com/bin/view/Main/5001261; sid: 5001261; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - AppFw XML DDoS No Folder Installation Path"; content: "APPFW_XML_ERR_DDOS_NO_FOLDER_INSTALLATION_PATH"; classtype: attempted-dos; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001262; sid: 5001262; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - AppFw XML DDoS Failure to Open Config File"; content: "APPFW_XML_ERR_DDOS_OPEN_CONFIG_FILE_FAIL"; classtype: attempted-dos; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001263; sid: 5001263; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Denial of Service Error"; content: "APPFW_XML_ERR_DOS_TRIGGERED"; classtype: attempted-dos; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001264; sid: 5001264; rev:2;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Environment variable QTHOME not set"; content: "APPFW_XML_ERR_ENV_NOT_SET"; classtype: program-error; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001265; sid: 5001265; rev:2;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Problems inserting a namespace into the hash table"; content: "APPFW_XML_ERR_HASH_INSERT"; classtype: program-error; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001266; sid: 5001266; rev:2;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Problems getting the key of a namespace from the hash table"; content: "APPFW_XML_ERR_HASH_LOOKUP"; classtype: program-error; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001267; sid: 5001267; 
rev:2;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Unable to initialize XML tokenizer"; content: "APPFW_XML_ERR_INITIALIZING_TOKENIZER"; classtype: program-error; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001268; sid: 5001268; rev:2;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Unable to open the file"; content: "APPFW_XML_ERR_INVALID_FILE"; classtype: program-error; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001269; sid: 5001269; rev:2;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - AppFw XML Internal State Invalid"; content: "APPFW_XML_ERR_INVALID_STATE"; classtype: program-error; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001270; sid: 5001270; rev:2;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Invalid XPath"; content: "APPFW_XML_ERR_INVALID_XPATH"; classtype: program-error; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001271; sid: 5001271; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - AppFw XML Low memory"; content: "APPFW_XML_ERR_LOW_MEMORY"; classtype: hardware-event; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001272; sid: 5001272; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Malformed address"; content: "APPFW_XML_ERR_MALFORMED_ADDRESS"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001273; sid: 5001273; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Message is not a well-formed XML"; content: "APPFW_XML_ERR_NOT_WELLFORMED"; classtype: 
web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001274; sid: 5001274; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - The message having content-type as 'Multipart/Related' and not having a boundary is invalid"; content: "APPFW_XML_ERR_NO_ATTACHMENT_BOUNDARY"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001275; sid: 5001275; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - NS-XML APPFW supports SwA and MTOM SOAP attachments"; content: "APPFW_XML_ERR_NO_DIME"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001276; sid: 5001276; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Problems registering callbacks for operations"; content: "APPFW_XML_ERR_OPERATION_CALLBACK"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001277; sid: 5001277; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Prefix length exceeded"; content: "APPFW_XML_ERR_PREFIX_LENGTH_EXCEEDED"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001278; sid: 5001278; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - AppFw XML Read Failure"; content: "APPFW_XML_ERR_READ_FAILED"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001279; sid: 5001279; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Message contains SOAP Fault"; content: "APPFW_XML_ERR_SOAP_FAULT"; classtype: 
web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001280; sid: 5001280; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Problems during pop of the node out of the XML stream"; content: "APPFW_XML_ERR_STREAM_POP"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001281; sid: 5001281; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Problems during push of the node into the XML stream"; content: "APPFW_XML_ERR_STREAM_PUSH"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001282; sid: 5001282; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Port in address is greater than 65535"; content: "APPFW_XML_ERR_UNSUPPORTED_PORT"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001283; sid: 5001283; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Unsupported protocol"; content: "APPFW_XML_ERR_UNSUPPORTED_PROTOCOL"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001284; sid: 5001284; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - AppFw XML Validation Failed"; content: "APPFW_XML_ERR_VALIDATION_FAILED"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001285; sid: 5001285; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - AppFw XML Context is NULL"; content: "APPFW_XML_PACKET_PROCESSING_ERR_CONTEXT_NULL"; classtype: web-application-attack; reference: 
url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001286; sid: 5001286; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Context user state is NULL - Internal error"; content: "APPFW_XML_PACKET_PROCESSING_ERR_CONTEXT_STATE_NULL"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001287; sid: 5001287; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Message config struct is NULL"; content: "APPFW_XML_PACKET_PROCESSING_ERR_MESSAGE_CONFIG_NULL"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001288; sid: 5001288; rev:2;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Dumps the SOAP Fault contents to Audit log"; content: "APPFW_XML_SOAP_FAULT_CONTENTS"; classtype: program-error; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001289; sid: 5001289; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - AppFw SQL Injection violation in XML"; content: "APPFW_XML_SQL"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001290; sid: 5001290; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Cannot instantiate abstract element"; content: "APPFW_XML_VALIDATION_ERR_ABSTRACT_ELEMENT"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001291; sid: 5001291; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Cannot instantiate abstract type"; content: "APPFW_XML_VALIDATION_ERR_ABSTRACT_TYPE"; classtype: web-application-attack; reference: 
url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001292; sid: 5001292; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Additional soap header present in soap message"; content: "APPFW_XML_VALIDATION_ERR_ADDHEADERS"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001293; sid: 5001293; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Attribute appears more than once in element"; content: "APPFW_XML_VALIDATION_ERR_ATTRIBUTE_MAX_OCCURS"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001294; sid: 5001294; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Required attribute missing in element"; content: "APPFW_XML_VALIDATION_ERR_ATTRIBUTE_MIN_OCCURS"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001295; sid: 5001295; rev:2;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Compiled WSDL file is corrupt"; content: "APPFW_XML_VALIDATION_ERR_COMPILED_WSDL"; classtype: program-error; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001296; sid: 5001296; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Content model of element not satisfied"; content: "APPFW_XML_VALIDATION_ERR_CONTENT_MODEL_VIOLATED"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001297; sid: 5001297; rev:2;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Compiled WSDL file is corrupt"; content: "APPFW_XML_VALIDATION_ERR_CORRUPT_COMPILED_WSDL"; classtype: program-error; 
reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001298; sid: 5001298; rev:2;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Error compiling the schema"; content: "APPFW_XML_VALIDATION_ERR_CORRUPT_SCHEMA"; classtype: program-error; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001299; sid: 5001299; rev:2;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Initialization of the data type engine failed"; content: "APPFW_XML_VALIDATION_ERR_DATATYPE_ENGINE_INIT"; classtype: program-error; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001300; sid: 5001300; rev:2;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Internal corruption of WSDL in-memory structure"; content: "APPFW_XML_VALIDATION_ERR_INTERNAL"; classtype: program-error; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001301; sid: 5001301; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Attribute is invalid"; content: "APPFW_XML_VALIDATION_ERR_INVALID_ATTRIBUTE"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001302; sid: 5001302; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Invalid configuration for soap validation"; content: "APPFW_XML_VALIDATION_ERR_INVALID_COMBINATION"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001303; sid: 5001303; rev:2;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Not able to open compiled WSDL"; content: "APPFW_XML_VALIDATION_ERR_INVALID_COMPILED_WSDL"; classtype: program-error; reference: 
url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001304; sid: 5001304; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Element has invalid content model"; content: "APPFW_XML_VALIDATION_ERR_INVALID_CONTENT_MODEL"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001305; sid: 5001305; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Data type is invalid"; content: "APPFW_XML_VALIDATION_ERR_INVALID_DATATYPE"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001306; sid: 5001306; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Invalid element"; content: "APPFW_XML_VALIDATION_ERR_INVALID_ELEMENT"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001307; sid: 5001307; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Not able to open the file"; content: "APPFW_XML_VALIDATION_ERR_INVALID_FILE"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001308; sid: 5001308; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Did not get expected type for element"; content: "APPFW_XML_VALIDATION_ERR_INVALID_TYPE_SUBSTITUTION"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001309; sid: 5001309; rev:2;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Unable to load validation engine"; content: "APPFW_XML_VALIDATION_ERR_LOADING"; classtype: program-error; reference: url,support.citrix.com/article/CTX123875; 
reference: url,wiki.quadrantsec.com/bin/view/Main/5001310; sid: 5001310; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - AppFw XML Validation Max Error"; content: "APPFW_XML_VALIDATION_ERR_MAX"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001311; sid: 5001311; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Service URL is not present or NULL"; content: "APPFW_XML_VALIDATION_ERR_NOSERVICEURL"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001312; sid: 5001312; rev:2;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Feature not supported"; content: "APPFW_XML_VALIDATION_ERR_NOT_SUPPORTED"; classtype: program-error; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001313; sid: 5001313; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Trying to pop from an empty stack"; content: "APPFW_XML_VALIDATION_ERR_REX_STACK_EMPTY"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001314; sid: 5001314; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Level of recursion more than maximum allowed depth"; content: "APPFW_XML_VALIDATION_ERR_REX_STACK_OVERFLOW"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001315; sid: 5001315; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Both SOAP Body and SOAP Header are empty in the SOAP request"; content: "APPFW_XML_VALIDATION_ERR_SOAPBODY_EMPTY"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; 
reference: url,wiki.quadrantsec.com/bin/view/Main/5001316; sid: 5001316; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Soap Body structure check failed"; content: "APPFW_XML_VALIDATION_ERR_SOAP_BODY"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001317; sid: 5001317; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Soap Envelope structure check failed"; content: "APPFW_XML_VALIDATION_ERR_SOAP_ENVELOPE"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001318; sid: 5001318; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Soap Header structure check failed"; content: "APPFW_XML_VALIDATION_ERR_SOAP_HEADER"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001319; sid: 5001319; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Prefix is unbounded"; content: "APPFW_XML_VALIDATION_ERR_UNBOUNDED_PREFIX"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001320; sid: 5001320; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Element cannot be nil"; content: "APPFW_XML_VALIDATION_LOAD_ERR_CONTENTS_CANNOT_BE_NIL"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001321; sid: 5001321; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Element is nil"; content: "APPFW_XML_VALIDATION_LOAD_ERR_NIL_WITH_CONTENTS"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: 
url,wiki.quadrantsec.com/bin/view/Main/5001322; sid: 5001322; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Invalid data type"; content: "APPFW_XML_VALIDATOR_LOAD_ERR_ELEMENT_INVALID_DATATYPE_VALUE"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001323; sid: 5001323; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Element cannot appear at this location"; content: "APPFW_XML_VALIDATOR_LOAD_ERR_ELEMENT_INVALID_LOCATION"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001324; sid: 5001324; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Facet mismatch"; content: "APPFW_XML_VALIDATOR_LOAD_ERR_FACET_MISMATCH"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001325; sid: 5001325; rev:2;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - AppFw XML Validator Load Failed"; content: "APPFW_XML_VALIDATOR_LOAD_ERR_FAILED"; classtype: program-error; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001326; sid: 5001326; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Attribute has invalid"; content: "APPFW_XML_VALIDATOR_LOAD_ERR_INVALID_ATTRIBUTE_VALUE"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001327; sid: 5001327; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Invalid schema data type"; content: "APPFW_XML_VALIDATOR_LOAD_ERR_INVALID_DATATYPE"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: 
url,wiki.quadrantsec.com/bin/view/Main/5001328; sid: 5001328; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Invalid schema node type"; content: "APPFW_XML_VALIDATOR_LOAD_ERR_INVALID_SCHEMA_NODE_TYPE"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001329; sid: 5001329; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Value does not match FIXED constraint"; content: "APPFW_XML_VALIDATOR_LOAD_ERR_INVALID_VALUE_FOR_FIXED"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001330; sid: 5001330; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - List length is greater than max allowed"; content: "APPFW_XML_VALIDATOR_LOAD_ERR_LIST_LENGTH_GT_MAX"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001331; sid: 5001331; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - List length is invalid"; content: "APPFW_XML_VALIDATOR_LOAD_ERR_LIST_LENGTH_INVALID"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001332; sid: 5001332; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - List length is lesser than min allowed"; content: "APPFW_XML_VALIDATOR_LOAD_ERR_LIST_LENGTH_LT_MIN"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001333; sid: 5001333; rev:2;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - AppFw XML Validation Maximum Load Error"; content: "APPFW_XML_VALIDATOR_LOAD_ERR_MAX"; classtype: program-error; reference: 
url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001334; sid: 5001334; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Missing require attribute in element"; content: "APPFW_XML_VALIDATOR_LOAD_ERR_REQUIRED_ATTRIBUTE"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001335; sid: 5001335; rev:2;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Error code in the compiled Schema is being ignored"; content: "APPFW_XML_VALIDATOR_LOAD_ERR_SCHEMA_COMPILATION"; classtype: program-error; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001336; sid: 5001336; rev:2;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Error code in the compiled WSDL is being ignored"; content: "APPFW_XML_VALIDATOR_LOAD_ERR_WSDL_COMPILATION"; classtype: program-error; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001337; sid: 5001337; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - AppFw XML WSI Internal Context NULL"; content: "APPFW_XML_WSI_ERR_CTXT_NULL"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001338; sid: 5001338; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - AppFw XML WSI HTTP Error"; content: "APPFW_XML_WSI_ERR_HTTP"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001339; sid: 5001339; rev:2;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Resource id of deployment is NULL"; content: "APPFW_XML_WSI_ERR_NODEPLOYED"; classtype: program-error; reference: 
url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001340; sid: 5001340; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Port URL is NULL"; content: "APPFW_XML_WSI_ERR_NOPORTURL"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001341; sid: 5001341; rev:2;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Deployed resource is not WSDL"; content: "APPFW_XML_WSI_ERR_NOWSDLDEPLOYED"; classtype: program-error; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001342; sid: 5001342; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - AppFw XML WSI List Null"; content: "APPFW_XML_WSI_ERR_WSI_LIST_NULL"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001343; sid: 5001343; rev:2;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Error during initialization"; content: "APPFW_XML_XSD_COMPILE_INIT_ERR"; classtype: program-error; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001344; sid: 5001344; rev:2;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - AppFw XML XSDLOAD Failed during Compile"; content: "APPFW_XML_XSD_COMPILE_LOADXSD_ERR"; classtype: program-error; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001345; sid: 5001345; rev:2;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - No XSModel to print"; content: "APPFW_XML_XSD_COMPILE_NOMODEL_ERR"; classtype: program-error; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001346; sid: 5001346; rev:2;) #alert any 
$EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Error during parsing"; content: "APPFW_XML_XSD_COMPILE_PARSE_ERR"; classtype: program-error; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001347; sid: 5001347; rev:2;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Unexpected exception during parsing"; content: "APPFW_XML_XSD_COMPILE_UNEXPECTED_ERR"; classtype: program-error; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001348; sid: 5001348; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - AppFw XSS violation in XML"; content: "APPFW_XML_XSS"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001349; sid: 5001349; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - AppFw XSS violation"; content: "APPFW_XSS"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001350; sid: 5001350; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - URL Transformation in a response body"; content: "BODY_FRAG"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001351; sid: 5001351; rev:2;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Cache flush starts"; content: "CACHESTARTFLUSH"; classtype: system-event; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001352; sid: 5001352; rev:2;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Cache flush is complete"; content: "CACHESTOPFLUSH"; classtype: system-event; reference: url,support.citrix.com/article/CTX123875; reference: 
url,wiki.quadrantsec.com/bin/view/Main/5001353; sid: 5001353; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Severity ERROR - client security check for a SSLVPN session failed"; content: "CLISEC_CHECK"; classtype: unsuccessful-user; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001354; sid: 5001354; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Severity ERROR when client security expression evaluates to False"; content: "CLISEC_EXP_EVAL"; classtype: unsuccessful-user; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001355; sid: 5001355; rev:2;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Logs the NSCLI/GUI command executed in NetScaler"; content: "CMD_EXECUTED"; classtype: system-event; parse_src_ip: 1; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001356; sid: 5001356; rev:3;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Completed reading the configuration from ns.conf file"; content: "CONFIGEND"; classtype: system-event; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001357; sid: 5001357; rev:2;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Read the configuration from ns.conf file"; content: "CONFIGSTART"; classtype: system-event; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001358; sid: 5001358; rev:2;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Server side and a client side TCP connection is delinked"; content: "CONN_DELINK"; classtype: network-event; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001359; sid: 5001359; rev:2;) #alert any 
$EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - TCP connection terminated"; content: "CONN_TERMINATE"; classtype: network-event; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001360; sid: 5001360; rev:2;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - The input URL before rewriting"; content: "CVPN_INPUT_URL"; classtype: system-event; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001361; sid: 5001361; rev:2;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - The matched URL"; content: "CVPN_MATCHED_URL"; classtype: system-event; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001362; sid: 5001362; rev:2;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - PCRE Error"; content: "CVPN_PCRE_ERROR"; classtype: program-error; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001363; sid: 5001363; rev:2;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - The rewritten URL"; content: "CVPN_REWRITTEN_URL"; classtype: system-event; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001364; sid: 5001364; rev:2;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Device is down"; content: "DEVICEDOWN"; classtype: hardware-event; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001365; sid: 5001365; rev:2;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Device is out of service"; content: "DEVICEOFS"; classtype: hardware-event; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001366; sid: 5001366; rev:2;) #alert any $EXTERNAL_NET any 
-> $HOME_NET any (msg: "[CITRIX] Netscaler - Device is up"; content: "DEVICEUP"; classtype: hardware-event; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001367; sid: 5001367; rev:2;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - After a user logs in the group for the user has been extracted"; content: "EXTRACTED_GROUPS"; classtype: not-suspicious; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001368; sid: 5001368; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - URL Transformation profile invoked"; content: "FILE_REQUEST"; classtype: not-suspicious; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001369; sid: 5001369; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Bad memory is freed (internal error)"; content: "FREEBADMEM"; classtype: hardware-event; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001370; sid: 5001370; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Duplicate memory free occurs (internal error)"; content: "FREEDUPMEM"; classtype: hardware-event; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001371; sid: 5001371; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Memory is freed from a wrong pool (internal error)"; content: "FREEEXTMEM"; classtype: hardware-event; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001372; sid: 5001372; rev:2;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - A SSLVPN session receives a HTTP request"; content: "HTTPREQUEST"; classtype: not-suspicious; reference: url,support.citrix.com/article/CTX123875; 
reference: url,wiki.quadrantsec.com/bin/view/Main/5001373; sid: 5001373; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - A http resource access is denied by policy engine"; content: "HTTP_RESOURCEACCESS_DENIED"; classtype: unsuccessful-user; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001374; sid: 5001374; rev:2;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - ICA application has terminated"; content: "ICAEND_CONNSTAT"; parse_src_ip: 1; classtype: system-event; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001375; sid: 5001375; rev:3;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - ICA application launch has started"; content: "ICASTART"; classtype: system-event; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001376; sid: 5001376; rev:2;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - SSLVPN license limit reached"; content: "LICLMT_REACHED"; classtype: system-event; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001377; sid: 5001377; rev:2;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - SSLVPN login succeeds"; content: "LOGIN "; classtype: successful-user; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001378; sid: 5001378; rev:2;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - AAA module failed to login the user"; content: "LOGIN_FAILED"; classtype: unsuccessful-user; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001521; sid: 5001521; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - AAA module failed to login the user - Brute 
force [5/5]"; content: "AAA LOGIN_FAILED"; default_proto: tcp; default_dst_port: $HTTPS_PORT; classtype: unsuccessful-user; xbits: set,brute_force,21600; parse_src_ip: 1; after: track by_src, count 5, seconds 300; threshold: type limit, track by_src, count 5, seconds 300; fwsam: src, 1 day; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001379; sid: 5001379; rev:7;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - SSLVPN session logs out."; content: "LOGOUT "; classtype: successful-user; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001380; sid: 5001380; rev:2;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Monitor bound to the service is down"; content: "MONITORDOWN"; classtype: network-event; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001381; sid: 5001381; rev:2;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Monitor bound to the service has hit threshold limit"; content: "MONITORTH"; classtype: network-event; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001382; sid: 5001382; rev:2;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Monitor bound to the service is up"; content: "MONITORUP"; classtype: network-event; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001383; sid: 5001383; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Network interface is in hung state"; content: "NICHANG"; classtype: hardware-event; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001384; sid: 5001384; rev:2;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Interface's throughput 
is less than the min required"; content: "NICLOW_THROUGHPUT"; classtype: network-event; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001385; sid: 5001385; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Interface is bound or unbound from a channel"; content: "NICMIGRATE"; classtype: network-event ; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001386; sid: 5001386; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Interface's throughput is equal or greater than the min required"; content: "NICNORMAL_THROUGHPUT"; classtype: network-event; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001387; sid: 5001387; rev:2;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Network interface is reset"; content: "NICRESET"; classtype: hardware-event; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001388; sid: 5001388; rev:2;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Network interface is started"; content: "NICSTART"; classtype: hardware-event; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001389; sid: 5001389; rev:2;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Network interface is stopped"; content: "NICSTOP"; classtype: hardware-event; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001390; sid: 5001390; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - A non-http resource access is denied by policy engine"; content: "NONHTTP_RESOURCEACCESS_DENIED"; classtype: unsuccessful-user; reference: url,support.citrix.com/article/CTX123875; reference: 
url,wiki.quadrantsec.com/bin/view/Main/5001391; sid: 5001391; rev:2;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Server side and a client side TCP connection is delinked"; content: "OTHERCONN_DELINK"; classtype: network-event; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001392; sid: 5001392; rev:2;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Process with PID is being restarted"; content: "PB_PROCESS_RESTART"; classtype: system-event; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001393; sid: 5001393; rev:2;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Process with pid has reached maximum number of restarts"; content: "PB_SYSTEM_RESTART"; classtype: system-event; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001394; sid: 5001394; rev:2;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - URL Transformation regex error"; content: "PCRE_ERROR"; classtype: program-error; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001395; sid: 5001395; rev:2;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Pitboss watch is added or deleted on a process with the process id PID"; content: "PITBOSS"; classtype: system-event; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001396; sid: 5001396; rev:2;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - HA propagation fails"; content: "PROPFAIL"; classtype: system-event; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001397; sid: 5001397; rev:2;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - HA propagation is 
successful"; content: "PROPSUCCESS"; classtype: system-event; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001398; sid: 5001398; rev:2;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - URL Transformation in a request header"; content: "REQ_HEADER"; classtype: not-suspicious; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001399; sid: 5001399; rev:2;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - URL Transformation parsing error"; content: "REQ_PARSE_ERROR"; classtype: program-error; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001400; sid: 5001400; rev:2;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - URL Transformation error in a request header"; content: "REQ_WRITE_ERROR"; classtype: program-error; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001401; sid: 5001401; rev:2;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - URL Transformation in a response header"; content: "RESP_HEADER"; classtype: not-suspicious; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001402; sid: 5001402; rev:2;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Route is down"; content: "ROUTEDOWN"; classtype: network-event; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001403; sid: 5001403; rev:2;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Route is up"; content: "ROUTEUP"; classtype: network-event; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001404; sid: 5001404; rev:2;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: 
"[CITRIX] Netscaler - Route Advertised"; content: "ROUTE_ADVERTISED"; classtype: network-event; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001405; sid: 5001405; rev:2;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - HA state change"; content: "ROUTE_HASTATE"; classtype: system-event; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001406; sid: 5001406; rev:2;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Route Relearnt"; content: "ROUTE_RELEARN"; classtype: network-event; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001407; sid: 5001407; rev:2;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Route Withdrawn"; content: "ROUTE_WITHDRAWN"; classtype: network-event; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001408; sid: 5001408; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - SSL Certificate Expiry Imminent"; content: "SSL_CERT_EXPIRY_IMMINENT"; classtype: system-event; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001409; sid: 5001409; rev:2;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - SSL CRL Update Failure"; content: "SSL_CRL_UPDATE_FAILURE"; classtype: system-event; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001410; sid: 5001410; rev:2;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - SSL CRL Update Success"; content: "SSL_CRL_UPDATE_SUCCESS"; classtype: not-suspicious; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001411; sid: 5001411; rev:2;) #alert any $EXTERNAL_NET any -> $HOME_NET 
any (msg: "[CITRIX] Netscaler - SSL Handshake Failure"; content: "SSL_HANDSHAKE_FAILURE"; classtype: network-event; parse_src_ip: 1; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001412; sid: 5001412; rev:3;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - SSL Client Certificate IssueName"; content: "SSL_HANDSHAKE_ISSUERNAME"; classtype: not-suspicious; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001413; sid: 5001413; rev:2;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - SSL Client Certificate SubjectName"; content: "SSL_HANDSHAKE_SUBJECTNAME"; classtype: not-suspicious; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001414; sid: 5001414; rev:2;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - SSL Handshake Success"; content: "SSL_HANDSHAKE_SUCCESS"; classtype: not-suspicious; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001415; sid: 5001415; rev:2;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - CPU started"; content: "STARTCPU"; classtype: system-event; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001416; sid: 5001416; rev:2;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Save configuration started"; content: "STARTSAVECONFIG"; classtype: system-event; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001417; sid: 5001417; rev:2;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - System Started"; content: "STARTSYS"; classtype: system-event; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001418; sid: 5001418; 
rev:2;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - HA State has changed"; content: "STATECHANGE"; classtype: system-event; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001419; sid: 5001419; rev:2;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - SSLVPN and the group for the user has been extracted"; content: "STA_VALIDATE_RESP"; classtype: not-suspicious; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001420; sid: 5001420; rev:2;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Save configuration has stopped"; content: "STOPSAVECONFIG"; classtype: system-event; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001421; sid: 5001421; rev:2;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - System stopped"; content: "STOPSYS"; classtype: system-event; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001422; sid: 5001422; rev:2;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Logged TCP connection related information"; content: "TCPCONNSTAT"; classtype: not-suspicious; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001423; sid: 5001423; rev:2;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - An SSLVPN connection timed out"; content: "TCPCONN_TIMEDOUT"; classtype: not-suspicious; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001424; sid: 5001424; rev:2;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - UDP flow"; content: "UDPFLOWSTAT"; classtype: not-suspicious; reference: url,support.citrix.com/article/CTX123875; reference: 
url,wiki.quadrantsec.com/bin/view/Main/5001425; sid: 5001425; rev:2;) # Triggers on non-citrix related events #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Unknown Error"; content: " UNKNOWN "; classtype: program-error; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001426; sid: 5001426; rev:2;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - RHI state of VIP changes to down"; content: "VIPRHIDOWN"; classtype: system-event; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001427; sid: 5001427; rev:2;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - RHI state of VIP changes to up"; content: "VIPRHIUP"; classtype: system-event; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001428; sid: 5001428; rev:2;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - VRID changes state to backup"; content: "VRID6DOWN"; classtype: system-event; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001429; sid: 5001429; rev:2;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - VRID changes state to backup"; content: "VRIDDOWN"; classtype: system-event; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001430; sid: 5001430; rev:2;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - VRID changes state to INIT"; content: "VRIDINIT"; classtype: system-event; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001431; sid: 5001431; rev:2;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - VRID changes state to master"; content: "VRIDUP"; classtype: system-event; reference: 
url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001432; sid: 5001432; rev:2;) sagan-1.2.0/rules/openvpn.rules0000644000175000017500000000555113310533411015440 0ustar champchamp# Sagan openvpn.rules # Copyright (c) 2009-2017, Quadrant Information Security # All rights reserved. # # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list # #************************************************************* # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
# #************************************************************* # OpenVPN rules. Created by Robert Nunley (rnunley@quadrantsec.com) # 03/11/2013 alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[OPENVPN] Authentication failure [0/5]"; content: "Decrypt packet error"; parse_src_ip: 1; default_proto: udp; default_dst_port: $OPENVPN_PORT; classtype: unsuccessful-user; reference: url,wiki.quadrantsec.com/bin/view/Main/5001651; program: openvpn; threshold:type limit, track by_src, count 5, seconds 300; sid: 5001651; rev:3;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[OPENVPN] Authentication success"; content: "Initialization Sequence Completed"; parse_src_ip: 1; default_proto: udp; default_dst_port: $OPENVPN_PORT; classtype: successful-user; reference: url,wiki.quadrantsec.com/bin/view/Main/5001652; program: openvpn; sid: 5001652; rev:3;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[OPENVPN] Unencrypted VPN connection initiated"; content: "tunnelled as cleartext"; parse_src_ip: 1; default_proto: udp; default_dst_port: $OPENVPN_PORT; classtype: network-event; reference: url,wiki.quadrantsec.com/bin/view/Main/5001653; program: openvpn; sid: 5001653; rev:3;) sagan-1.2.0/rules/nxlog.rules0000644000175000017500000000735213310533411015103 0ustar champchamp# Sagan nxlog.rules # Copyright (c) 2009-2017, Quadrant Information Security # All rights reserved. # # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list # #************************************************************* # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. 
# * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
# # Steve Rawls (srawls@quadrantsec.com) - 2017/04/25 alert any any any -> any any (msg: "[NXLOG] Unable to read eventlog"; content: "EvtNext failed with error 15007|3a| "; xbits: isnotset,by_src,nxlog_problem;after: track by_src, count 5, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; xbits: set,nxlog_problem,86400; classtype: program-error; program: nxlog; reference: url,wiki.quadrantsec.com/bin/view/Main/5003108; sid:5003108; rev:4;) alert any any any -> any any (msg: "[NXLOG] Service stopping"; content: "stopping nxlog service"; xbits: isnotset,by_src,reboot.windows; xbits: isnotset,by_src,nxlog_problem; classtype: program-error; program: nxlog; reference: url,wiki.quadrantsec.com/bin/view/Main/5003109; sid:5003109; rev:4;) #alert any any any -> any any (msg: "[NXLOG] Termination Request"; content: "nxlog received a termination request signal"; xbits: isnotset,by_src,reboot.windows|nxlog_problem; classtype: program-error; program: nxlog; reference: url,wiki.quadrantsec.com/bin/view/Main/5003110; sid:5003110; rev:3;) alert any any any -> any any (msg: "[NXLOG] Missing Windows Log Message"; pcre: "/ [0-9][0-9][0-9][0-9]?: $/"; program: *Security*|AppLocker|Application|Backup|Bonjour|CPQCISSE|Citrix|DAC|DHCP-Server|EMET|Eventlog|MSSQL*|MsiInstaller|NtFrs|Ntfs|RemoteAccess|Service|Service_Control_Manager|Symantec|Sysmon|System|USER32|Tenable|TermService|The|WinVNC4|crypt32; after: track by_src, count 10, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; xbits: set,nxlog_problem,86400; classtype: program-error; reference: url,wiki.quadrantsec.com/bin/view/Main/5003111; sid:5003111; rev:6;) alert any any any -> any any (msg: "[NXLOG] Service restart to correct problem [CLEAR XBIT]"; content: "stopping nxlog service"; xbits: isnotset,by_src,reboot.windows; xbits: isset,by_src,nxlog_problem; xbits: unset,by_src,nxlog_problem; xbits:nounified2; xbits:noeve; classtype: system-event; program: nxlog; reference: 
url,wiki.quadrantsec.com/bin/view/Main/5003125; sid:5003125; rev:2;) sagan-1.2.0/rules/as400.rules0000644000175000017500000001616213310533411014602 0ustar champchamp# Copyright (c) 2009-2017, Quadrant Information Security # All rights reserved. # # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list # #************************************************************* # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. # #************************************************************* # These rules were created from output from iSecurity for AS/400's. 
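The signatures are probably
# generic enough to work with anything.
#
# https://seasoft.com/products/solutions-for-ibm-i/audit-compliance-management/isecurity-syslog
#
# Every rule below keys on the iSecurity message id (e.g. " MPW1600 ") and thresholds
# by username, so the sample log line above each rule is the ground truth for which
# message id that rule must match.

# 10.16.10.200|local6|crit|crit|b2|2018-04-27|13:28:13|CSYS| iSecurity/Audit: MPW1600 PW/P *AUTFAIL An incorrect password was entered. User GUEST. Device XXXXXXXX. Remote location . Local location . Network Id .

alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[AS400] AUTFAIL An incorrect password was entered"; content: " MPW1600 "; parse_src_ip: 1; default_proto: tcp; classtype: unsuccessful-user; normalize; after: track by_username, count 3, seconds 900; threshold: type limit, track by_username, count 2, seconds 900; reference: url,wiki.quadrantsec.com/bin/view/Main/5003771; sid:5003771; rev:2;)

# 10.16.101.200|local6|alert|alert|b1|2018-03-19|11:39:12|CSYS| iSecurity/Audit: MPW1800 PW/R *AUTFAIL Attempted signon (user authentication) failed because password was expired.

alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[AS400] AUTFAIL fail - password expired [no username]"; content: " MPW1800 "; default_proto: tcp; classtype: unsuccessful-user; normalize; after: track by_username, count 3, seconds 900; threshold: type limit, track by_username, count 2, seconds 900; reference: url,wiki.quadrantsec.com/bin/view/Main/5003772; sid:5003772; rev:1;)

# 10.16.101.200|local6|alert|alert|b1|2018-03-19|05:25:26|CSYS| iSecurity/Audit: MVP1600 VP/P *AUTFAIL User GUEST; An incorrect network password was used. Server *SYSTEM. Computer ::ffff:1.

# rev 3: the msg string was missing its closing quote, leaving the rule malformed.
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[AS400] AUTFAIL - incorrect network password was used"; content: " MVP1600 "; parse_src_ip: 1; default_proto: tcp; classtype: unsuccessful-user; normalize; after: track by_username, count 3, seconds 900; threshold: type limit, track by_username, count 2, seconds 900; reference: url,wiki.quadrantsec.com/bin/view/Main/5003773; sid:5003773; rev:3;)

# 10.16.101.200|local6|alert|alert|b1|2018-03-14|14:41:26|CSYS| iSecurity/Audit: MAF0100 AF/A *AUTFAIL User GUEST; Not authorized to object QSYS/XXXXXXX *LIB in program /. Path name .

alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[AS400] AUTFAIL - Not authorized to object"; content: " MAF0100 "; default_proto: tcp; classtype: unsuccessful-user; normalize; after: track by_username, count 3, seconds 900; threshold: type limit, track by_username, count 2, seconds 900; reference: url,wiki.quadrantsec.com/bin/view/Main/5003774; sid:5003774; rev:1;)

# 10.16.101.200|local6|crit|crit|b2|2018-03-23|17:32:56|CSYS| iSecurity/Audit: MPW2100 PW/U *AUTFAIL User name GUEST not valid. Device . Remote location . Local location . Network Id .

# rev 3: this rule matched " MAF0100 " (copied from sid 5003774) instead of the MPW2100
# message id shown in the sample above, so "User name not valid" events were never
# reported under this sid and every MAF0100 event fired it as a duplicate.
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[AS400] AUTFAIL - User name not valid"; content: " MPW2100 "; parse_src_ip: 1; default_proto: tcp; classtype: unsuccessful-user; normalize; after: track by_username, count 3, seconds 900; threshold: type limit, track by_username, count 2, seconds 900; reference: url,wiki.quadrantsec.com/bin/view/Main/5003775; sid:5003775; rev:3;)

# 10.16.101.200|local6|err|err|b3|2018-03-19|19:33:32|CSYS| iSecurity/Audit: MAF1100 AF/K *AUTFAIL User GUEST attempted to perform an operation on QSYS/QTEDBGS *SRVPGM without the required Special Authority. JOB 111111/GUEST/XXXXXXXXXX.

# rev 2: msg typo fixes ("SVRPGM wihtout" -> "SRVPGM without"), matching the object type in the sample.
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[AS400] AUTFAIL - Operation SRVPGM without authority"; content: " MAF1100 "; default_proto: tcp; classtype: unsuccessful-user; normalize; after: track by_username, count 3, seconds 900; threshold: type limit, track by_username, count 2, seconds 900; reference: url,wiki.quadrantsec.com/bin/view/Main/5003776; sid:5003776; rev:2;)

# 10.16.101.200|local6|alert|alert|b1|2018-04-27|14:01:07|CSYS| iSecurity/Audit: MPW1700 PW/Q *AUTFAIL User GUEST. Attempted signon (user authentication) failed because user GUEST profile was disabled.

alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[AS400] AUTFAIL - Failed because profile was disabled"; content: " MPW1700 "; default_proto: tcp; classtype: unsuccessful-user; normalize; after: track by_username, count 3, seconds 900; threshold: type limit, track by_username, count 2, seconds 900; reference: url,wiki.quadrantsec.com/bin/view/Main/5003777; sid:5003777; rev:1;)

# Might be noisy: this rule matches the same " MAF0100 " id as sid 5003774, so both
# fire on every MAF0100 event. Telling the *DIR case apart from the *LIB case would
# need an additional content match on the object type; none is added here.
#
# 10.16.101.200|local6|alert|alert|b1|2018-03-12|20:07:26|CSYS| iSecurity/Audit: MAF0100 AF/A *AUTFAIL User GUEST; Not authorized to object *N/*N *DIR in program /. Path name /home/GUEST.

alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[AS400] AUTFAIL - User not authorized to object"; content: " MAF0100 "; default_proto: tcp; classtype: unsuccessful-user; normalize; after: track by_username, count 3, seconds 900; threshold: type limit, track by_username, count 2, seconds 900; reference: url,wiki.quadrantsec.com/bin/view/Main/5003778; sid:5003778; rev:1;)

# 10.16.101.200|local6|notice|notice|b5|2018-04-24|18:18:50|CSYS| iSecurity/Audit: MAD2100 AD/U *SECURITY User GUEST; XXXXXXX used to change auditing of user GUEST. Job 111111/GUEST/XXXXXXXXX.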
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[AS400] AUTFAIL - Changed audit status of user"; content: " MAD2100 "; default_proto: tcp; classtype: unsuccessful-user; normalize; after: track by_username, count 3, seconds 900; threshold: type limit, track by_username, count 2, seconds 900; reference: url,wiki.quadrantsec.com/bin/view/Main/5003779; sid:5003779; rev:1;) sagan-1.2.0/rules/rsync.rules0000644000175000017500000000724113310533411015107 0ustar champchamp# Sagan rsync.rules # Copyright (c) 2009-2017, Quadrant Information Security # All rights reserved. # # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list # #************************************************************* # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. 
IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. # #************************************************************* #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[RSYNC] mkdir failure. Permission denied"; program: rsync|rsyncd; content: "mkdir"; content: "Permission denied"; default_proto: tcp; default_dst_port: $RSYNC_PORT; classtype: program-error; reference: url, wiki.quadrantsec.com/bin/view/Main/5001050; sid: 5001050; rev:4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[RSYNC] stat failure. Permission denied"; program: rsync|rsyncd; content: "stat"; content: "Permission denied"; default_proto: tcp; default_dst_port: $RSYNC_PORT; classtype: program-error; reference: url, wiki.quadrantsec.com/bin/view/Main/5001051; sid: 5001051; rev:4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[RSYNC] Inbound rsync connection"; program: rsync|rsyncd; content: "rsync to"; content: "from"; default_proto: tcp; default_dst_port: $RSYNC_PORT; classtype: not-suspicious; reference: url, wiki.quadrantsec.com/bin/view/Main/5001052; sid: 5001052; rev:4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[RSYNC] Connection closed stats"; program: rsync|rsyncd; content: "sent"; content: "received"; content: "total size"; default_proto: tcp; default_dst_port: $RSYNC_PORT; classtype: not-suspicious; reference: url, wiki.quadrantsec.com/bin/view/Main/5001053; sid: 5001053; rev:4;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[RSYNC] Authentication failure"; program: rsync|rsyncd; content: "auth 
failed on module"; parse_port; default_proto: tcp; default_dst_port: $RSYNC_PORT; classtype: attempted-user; reference: url, wiki.quadrantsec.com/bin/view/Main/5001054; sid: 5001054; rev:5;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[RSYNC] Some files could not be transferred"; program: rsync|rsyncd; content: "rsync error"; content: "code 23"; default_proto: tcp; default_dst_port: $RSYNC_PORT; classtype: program-error; reference: url, wiki.quadrantsec.com/bin/view/Main/5001055; sid: 5001055; rev:4;) sagan-1.2.0/rules/cisco-correlated.rules0000644000175000017500000002344513310533411017177 0ustar champchamp# Sagan cisco-correlated.rules # Copyright (c) 2009-2017, Quadrant Information Security # All rights reserved. # # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list # #************************************************************* # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. 
IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. # # alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[CISCO-CORRELATED] Console login after recon activity"; program: %SEC_LOGIN-5-LOGIN_SUCCESS; classtype: correlated-attack; xbits: isset,by_src,recon; parse_src_ip: 1; reference: url, wiki.quadrantsec.com/bin/view/Main/5003210; sid:5003210; rev:1;) alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[CISCO-CORRELATED] Console login after honeypot activity"; program: %SEC_LOGIN-5-LOGIN_SUCCESS; classtype: correlated-attack; xbits: isset,by_src,honeypot; parse_src_ip: 1; reference: url, wiki.quadrantsec.com/bin/view/Main/5003211; sid:5003211; rev:1;) alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[CISCO-CORRELATED] Console login after exploit attempt"; program: %SEC_LOGIN-5-LOGIN_SUCCESS; classtype: correlated-attack; xbits: isset,by_src,exploit_attempt; parse_src_ip: 1; reference: url, wiki.quadrantsec.com/bin/view/Main/5003212; sid:5003212; rev:1;) alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[CISCO-CORRELATED] Console login after brute force activity"; program: %SEC_LOGIN-5-LOGIN_SUCCESS; classtype: correlated-attack; xbits: isset,by_src,brute_force; parse_src_ip: 1; reference: url, wiki.quadrantsec.com/bin/view/Main/5003232; sid:5003232; rev:1;) alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[CISCO-CORRELATED] Login permitted after recon activity"; program: %ASA*-6-605005; classtype: correlated-attack; xbits: isset,by_src,recon; parse_src_ip: 1; parse_dst_ip: 2; reference: url, 
wiki.quadrantsec.com/bin/view/Main/5003213; sid:5003213; rev:1;) alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[CISCO-CORRELATED] Login permitted after honeypot activity"; program: %ASA*-6-605005; classtype: correlated-attack; xbits: isset,by_src,honeypot; parse_src_ip: 1; parse_dst_ip: 2; reference: url, wiki.quadrantsec.com/bin/view/Main/5003214; sid:5003214; rev:1;) alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[CISCO-CORRELATED] Login permitted after exploit attempt"; program: %ASA*-6-605005; classtype: correlated-attack; xbits: isset,by_src,exploit_attempt; parse_src_ip: 1; parse_dst_ip: 2; reference: url, wiki.quadrantsec.com/bin/view/Main/5003215; sid:5003215; rev:1;) alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[CISCO-CORRELATED] Login permitted after brute force activity"; program: %ASA*-6-605005; classtype: correlated-attack; xbits: isset,by_src,brute_force; parse_src_ip: 1; parse_dst_ip: 2; reference: url, wiki.quadrantsec.com/bin/view/Main/5003233; sid:5003233; rev:1;) alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[CISCO-CORRELATED] VPN login after recon activity"; program: %ASA*-6-716001|%ASA*-6-716038|%ASA*-6-734001|%ASA*-6-722022|%ASA*-6-722023; default_proto: tcp; default_dst_port: $HTTPS_PORT; classtype: correlated-attack; xbits: isset,by_src,recon; parse_src_ip: 1; reference: url, wiki.quadrantsec.com/bin/view/Main/5003216; sid:5003216; rev:1;) alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[CISCO-CORRELATED] VPN login after honey activity"; program: %ASA*-6-716001|%ASA*-6-716038|%ASA*-6-734001|%ASA*-6-722022|%ASA*-6-722023; default_proto: tcp; default_dst_port: $HTTPS_PORT; classtype: correlated-attack; xbits: isset,by_src,honeypot; parse_src_ip: 1; reference: url, wiki.quadrantsec.com/bin/view/Main/5003217; sid:5003217; rev:1;) alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[CISCO-CORRELATED] VPN login after exploit attempt"; program: %ASA*-6-716001|%ASA*-6-716038|%ASA*-6-734001|%ASA*-6-722022|%ASA*-6-722023; 
default_proto: tcp; default_dst_port: $HTTPS_PORT; classtype: correlated-attack; xbits: isset,by_src,exploit_attempt; parse_src_ip: 1; reference: url, wiki.quadrantsec.com/bin/view/Main/5003218; sid:5003218; rev:1;) alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[CISCO-CORRELATED] VPN login after brute force activity"; program: %ASA*-6-716001|%ASA*-6-716038|%ASA*-6-734001|%ASA*-6-722022|%ASA*-6-722023; default_proto: tcp; default_dst_port: $HTTPS_PORT; classtype: correlated-attack; xbits: isset,by_src,brute_force; parse_src_ip: 1; reference: url, wiki.quadrantsec.com/bin/view/Main/5003234; sid:5003234; rev:1;) alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[CISCO-CORRELATED] VPN disconnect after recon activity"; program: %ASA*-4-113019|%ASA*-6-716002|%ASA*-6-721018; default_proto: tcp; default_dst_port: $HTTPS_PORT; classtype: correlated-attack; xbits: isset,by_src,recon; parse_src_ip: 1; reference: url, wiki.quadrantsec.com/bin/view/Main/5003219; sid:5003219; rev:1;) alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[CISCO-CORRELATED] VPN disconnect after honeypot activity"; program: %ASA*-4-113019|%ASA*-6-716002|%ASA*-6-721018; default_proto: tcp; default_dst_port: $HTTPS_PORT; classtype: correlated-attack; xbits: isset,by_src,honeypot; parse_src_ip: 1; reference: url, wiki.quadrantsec.com/bin/view/Main/5003220; sid:5003220; rev:1;) alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[CISCO-CORRELATED] VPN disconnect after exploit attempt"; program: %ASA*-4-113019|%ASA*-6-716002|%ASA*-6-721018; default_proto: tcp; default_dst_port: $HTTPS_PORT; classtype: correlated-attack; xbits: isset,by_src,exploit_attempt; parse_src_ip: 1; reference: url, wiki.quadrantsec.com/bin/view/Main/5003221; sid:5003221; rev:1;) alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[CISCO-CORRELATED] VPN disconnect after brute force activity"; program: %ASA*-4-113019|%ASA*-6-716002|%ASA*-6-721018; default_proto: tcp; default_dst_port: $HTTPS_PORT; classtype: 
correlated-attack; xbits: isset,by_src,brute_force; parse_src_ip: 1; reference: url, wiki.quadrantsec.com/bin/view/Main/5003235; sid:5003235; rev:1;) alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[CISCO-CORRELATED] ACS Login success after recon activity"; program: CisACS_01_PassedAuth; classtype: correlated-attack; xbits: isset,by_src,recon; parse_src_ip: 2; reference: url, wiki.quadrantsec.com/bin/view/Main/5003222; sid:5003222; rev:1;) alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[CISCO-CORRELATED] ACS Login success after honeypot activity"; program: CisACS_01_PassedAuth; classtype: correlated-attack; xbits: isset,by_src,honeypot; parse_src_ip: 2; reference: url, wiki.quadrantsec.com/bin/view/Main/5003223; sid:5003223; rev:1;) alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[CISCO-CORRELATED] ACS Login success after exploit attempt"; program: CisACS_01_PassedAuth; classtype: correlated-attack; xbits: isset,by_src,exploit_attempt; parse_src_ip: 2; reference: url, wiki.quadrantsec.com/bin/view/Main/5003224; sid:5003224; rev:1;) alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[CISCO-CORRELATED] ACS Login success brute force activity"; program: CisACS_01_PassedAuth; classtype: correlated-attack; xbits: isset,by_src,brute_force; parse_src_ip: 2; reference: url, wiki.quadrantsec.com/bin/view/Main/5003236; sid:5003236; rev:1;) alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[CISCO-CORRELATED] FTP file transfer after recon activity"; program: %ASA*-6-303002|%ASA*-6-303002; default_proto: tcp; default_dst_port: $FTP_PORT; classtype: correlated-attack; xbits: isset,by_src,recon; normalize; reference: url, wiki.quadrantsec.com/bin/view/Main/5003225; sid:5003225; rev:1;) alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[CISCO-CORRELATED] FTP file transfer after honeypot activity"; program: %ASA*-6-303002|%ASA*-6-303002; default_proto: tcp; default_dst_port: $FTP_PORT; classtype: correlated-attack; xbits: isset,by_src,honeypot; normalize; 
reference: url, wiki.quadrantsec.com/bin/view/Main/5003226; sid:5003226; rev:1;) alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[CISCO-CORRELATED] FTP file transfer after exploit attempt"; program: %ASA*-6-303002|%ASA*-6-303002; default_proto: tcp; default_dst_port: $FTP_PORT; classtype: correlated-attack; xbits: isset,by_src,exploit_attempt; normalize; reference: url, wiki.quadrantsec.com/bin/view/Main/5003227; sid:5003227; rev:1;) alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[CISCO-CORRELATED] FTP file transfer after brute force activity"; program: %ASA*-6-303002|%ASA*-6-303002; default_proto: tcp; default_dst_port: $FTP_PORT; classtype: correlated-attack; xbits: isset,by_src,brute_force; normalize; reference: url, wiki.quadrantsec.com/bin/view/Main/5003237; sid:5003237; rev:1;) sagan-1.2.0/rules/blacklist.rules0000644000175000017500000000431213310533411015715 0ustar champchamp# Sagan blacklist.rules # Copyright (c) 2009-2017, Quadrant Information Security # All rights reserved. # # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list # #************************************************************* # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. 
# # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. # # These are CATCH ALL rules. This means it will parse _all_ logs. alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[BLACKLIST] Suspicious communications detected via Blacklist"; blacklist: all; classtype: suspicious-traffic; after: track by_src, count 5, seconds 30; threshold: type limit, track by_src, count 10, seconds 60; parse_src_ip: 1; parse_dst_ip: 2; normalize; parse_proto; parse_proto_program; reference: url,wiki.quadrantsec.com/bin/view/Main/5002271; sid: 5002271; rev:3;) sagan-1.2.0/rules/cisco-meraki.rules0000644000175000017500000001225713310533411016322 0ustar champchamp# Sagan cisco-meraki.rules # Copyright (c) 2009-2017, Quadrant Information Security # All rights reserved. # # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list # #************************************************************* # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. 
# * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
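## MERAKI MX Security Appliance Rules ##
# "Casey Pennington"
# 2017/03/07

alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[CISCO-MERAKI] SSID Spoofing Detected"; content: "type=ssid_spoofing_detected"; classtype: suspicious-traffic; reference: url,meraki.cisco.com/lib/pdf/meraki_whitepaper_air_marshal.pdf; sid:5003026; rev:3;)

# VPN connectivity change
# alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[CISCO-MERAKI] VPN connectivity change"; content: "type=vpn_connectivity_change"; classtype: suspicious-traffic; sid:5003042; rev:2;)

# Uplink connectivity down
# alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[CISCO-MERAKI] Uplink connectivity change"; content: "MX84 events"; content: "down"; classtype: system-event; sid:5003043; rev:2;)

# Uplink connectivity failover
# alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[CISCO-MERAKI] Uplink connectivity change"; content: "MX84 events"; content: "failover"; classtype: system-event; sid:5003044; rev:2;)

# Security_event
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-MERAKI] Malicious file blocked by amp"; content: "malicious action=block"; classtype: suspicious-traffic; reference: url,documentation.meraki.com/MX-Z/Content_Filtering_and_Threat_Protection/; sid:5003045; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-MERAKI] File issued retrospective malicious disposition"; content: "malicious action=allow"; classtype: suspicious-traffic; reference: url,documentation.meraki.com/MX-Z/Content_Filtering_and_Threat_Protection/; sid:5003046; rev:2;)

## MERAKI MR Access Points Rules ##

# WPA failed authentication attempt
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-MERAKI] WPA failed authentication attempt"; content: "auth_neg_failed='1'"; content: "type=disassociation"; classtype: attempted-user; sid:5003047; rev:2;)

# 802.1x failed authentication attempt
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-MERAKI] 802.1x failed authentication attempt"; content: "type=8021x_eap_failure radio='0'"; content: "type=disassociation"; classtype: attempted-user; sid:5003048; rev:2;)

# Wireless packet flood detected
# rev 3: msg previously duplicated sid 5003047's "WPA failed authentication attempt" text,
# mislabelling deauth-flood events in alert output; it now describes what the content matches.
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-MERAKI] Wireless packet flood detected"; content: "type=device_packet_flood"; content: "packet='deauth'"; classtype: attempted-user; reference: url,meraki.cisco.com/lib/pdf/meraki_whitepaper_air_marshal.pdf; sid:5003049; rev:3;)

# Flow denied by Layer 3 firewall
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-MERAKI] Flow denied by Layer 3 firewall"; content: "MR18 flows deny"; classtype: suspicious-traffic; sid:5003050; rev:2;)

## MERAKI MS Switches Rules ##

# Port status changed
# alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-MERAKI] Port status changed"; content: "MS220_8P events port"; content: "status"; classtype: system-event; sid:5003051; rev:2;)

# Virtual router collision
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-MERAKI] Virtual router collision"; content: "VRRP packet"; classtype: system-event; sid:5003052; rev:3;)

# VRRP transition
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-MERAKI] VRRP transition"; content: "VRRP"; content: "changed"; classtype: system-event; sid:5003053; rev:2;)

# Blocked DHCP server response
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-MERAKI] Blocked DHCP server response"; content: "Blocked DHCP"; classtype: system-event; sid:5003054; rev:2;)
sagan-1.2.0/rules/openssh-geoip.rules0000644000175000017500000000647513310533411016531 0ustar champchamp
# Sagan openssh-geoip.rules
# Copyright (c) 2009-2017, Quadrant Information Security
# All rights reserved.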
# # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list # #************************************************************* # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. # #************************************************************* # # Not getting the source IP addresses that you'd expect? Then you probably # have OpenSSH's "UseDNS" set to "Yes" in your sshd_config file. You'll # need to set that to "No" so Sagan can "find" the source IP addresses and # port information. 
# 10.1.7.2|authpriv|info|info|56|2013-12-02|14:21:19|sshd| Accepted password for bob from 10.1.16.1 port 51860 ssh2 alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[OPENSSH-GEOIP] Authentication success via password from outside HOME_COUNTRY"; content: "Accepted password"; default_proto: tcp; default_dst_port: $SSH_PORT; classtype: successful-user; reference: url,wiki.quadrantsec.com/bin/view/Main/5001874; normalize; program: sshd; country_code: track by_src, isnot $HOME_COUNTRY; sid: 5001874; rev:3;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[OPENSSH-GEOIP] Authentication success via publickey from outside HOME_COUNTRY"; content: "Accepted publickey"; default_proto: tcp; default_dst_port: $SSH_PORT; classtype: successful-user; reference: url,wiki.quadrantsec.com/bin/view/Main/5001875; normalize; program: sshd; country_code: track by_src, isnot $HOME_COUNTRY; sid: 5001875; rev:3;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[OPENSSH-GEOIP] Authentication success via keyboard from outside HOME_COUNTRY"; content: "Accepted keyboard-interactive"; default_proto: tcp; default_dst_port: $SSH_PORT; classtype: successful-user; reference: url,wiki.quadrantsec.com/bin/view/Main/5001876; normalize; program: sshd; country_code: track by_src, isnot $HOME_COUNTRY; sid: 5001876; rev:3;) sagan-1.2.0/rules/ssh-tectia-server-geoip.rules0000644000175000017500000000442413310533411020422 0ustar champchamp# Sagan ssh-tectia-server-geoip.rules # Copyright (c) 2009-2017, Quadrant Information Security # All rights reserved. # # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list # #************************************************************* # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. 
# * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. # #************************************************************* # # These rules are for the SSH Tectia Server for Windows systems. alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[SSH-TECTIA-SERVER-GEOIP] Authentication success from outside HOME_COUNTRY"; content: "Login_success"; default_proto: tcp; default_dst_port: $SSH_PORT; classtype: successful-user; reference: url,wiki.quadrantsec.com/bin/view/Main/5001878; parse_src_ip: 1; parse_dst_ip: 2; program: SSH_Tectia_Server; country_code: track by_src, isnot $HOME_COUNTRY; sid: 5001878; rev:4;) sagan-1.2.0/rules/apc-emu.rules0000644000175000017500000000534013310533411015276 0ustar champchamp# Sagan apc-emu.rules # Copyright (c) 2009-2017, Quadrant Information Security # All rights reserved. 
# # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list # #************************************************************* # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
# #************************************************************* # alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[APC-EMU] Humidity violation"; content: "humidity violation,"; classtype: hardware-event; program: EMU; reference: url,wiki.quadrantsec.com/bin/view/Main/5001057; sid: 5001057; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[APC-EMU] Humidity violation cleared"; content: "humidity violation cleared,"; classtype: hardware-event; program: EMU; reference: url,wiki.quadrantsec.com/bin/view/Main/5001058; sid: 5001058; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[APC-EMU] Front door opened"; content: "Front Door' opened,"; classtype: hardware-event; program: EMU; reference: url,wiki.quadrantsec.com/bin/view/Main/5001059; sid: 5001059; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[APC-EMU] Front door closed"; content: "Front Door' closed,"; classtype: hardware-event; program: EMU; reference: url,wiki.quadrantsec.com/bin/view/Main/5001060; sid: 5001060; rev:2;) sagan-1.2.0/rules/f5-big-ip.rules0000644000175000017500000000446113310533411015431 0ustar champchamp# Sagan f5-big-ip.rules # Copyright (c) 2009-2017, Quadrant Information Security # All rights reserved. # # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list # #************************************************************* # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. 
# * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. # #************************************************************* alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[F5-BIG-IP] Brute force Attempt [5/1]"; content: "failed to login after"; content: "sshd"; xbits: set,brute_force,21600; default_proto: tcp; default_dst_port: $SSH_PORT; classtype: unsuccessful-user; parse_src_ip: 1; after: track by_src, count 5, seconds 300; threshold: type limit, track by_src, count 1, seconds 300; reference: url,support.f5.com/kb/en-us/solutions/public/13000/400/sol13426.html; reference: url,wiki.quadrantsec.com/bin/view/Main/5002946; sid:5002946; rev:2;) sagan-1.2.0/rules/vmware-geoip.rules0000644000175000017500000000554613310533411016361 0ustar champchamp# Sagan vmware-geoip.rules # Copyright (c) 2009-2017, Quadrant Information Security # All rights reserved. 
# # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list # #************************************************************* # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
#
#*************************************************************

# VMWare ESX
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[VMWARE-GEOIP] User login successful from outside HOME_COUNTRY"; pcre: "/Accepted password for|login from/i"; default_proto:tcp; classtype: successful-admin; country_code: track by_src, isnot $HOME_COUNTRY; program: vmware-hostd|vmware-authd; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5002381; sid:5002381; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[VMWARE-GEOIP] User login successful from outside HOME_COUNTRY"; content: " logged in "; default_proto:tcp; classtype: successful-admin; program: Hostd; country_code: track by_src, isnot $HOME_COUNTRY; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5002382; sid:5002382; rev:2;)
# msg corrected (rev 4): this rule also carries country_code isnot $HOME_COUNTRY, but its message omitted the geo qualifier, so its alerts read as plain successful logins.
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[VMWARE-GEOIP] User login successful from outside HOME_COUNTRY"; content: "Accepted password"; default_proto:tcp; classtype: successful-admin; country_code: track by_src, isnot $HOME_COUNTRY; program: Hostd; normalize; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5002383; sid:5002383; rev:4;)
sagan-1.2.0/rules/citrix-brointel.rules0000644000175000017500000000617413310533411017073 0ustar champchamp# Sagan citrix-brointel.rules
# Copyright (c) 2009-2017, Quadrant Information Security
# All rights reserved.
#
# Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list
#
#*************************************************************
# Redistribution and use in source and binary forms, with or without modification, are permitted provided that the
# following conditions are met:
#
# * Redistributions of source code must retain the above copyright notice, this list of conditions and the following
# disclaimer. 
# * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
#
#*************************************************************

# Citrix appliances/devices/software

# Login from Bro Intel IP (Champ Clark / 04/01/2015)
# msg corrected (rev 3): "from outside Bro Intel listed IP" read as the opposite of what the rule matches; bro-intel: by_src fires when the source IS on the intel list, as the other messages in this file say.
# NOTE(review): the comment above calls "SSLVPN LOGIN" a login, not a failure, so classtype unsuccessful-user looks copied from the LOGIN_FAILED rule below; successful-user is probably the right class - confirm against your classification.config.
# NOTE(review): fwsam: src, 1 day asks the firewall (when the fwsam output is enabled) to block the source for a day on a single match. A stale or over-broad intel feed will therefore lock legitimate VPN users out; consider a shorter duration or a threshold before enabling this against a production feed.
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX-BROINTEL] Login from Bro Intel listed IP"; content: "SSLVPN LOGIN"; default_proto: tcp; default_dst_port: $HTTPS_PORT; classtype: unsuccessful-user; parse_src_ip: 1; parse_dst_ip: 2; bro-intel: by_src; fwsam: src, 1 day; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5002262; sid: 5002262; rev:3;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX-BROINTEL] AAA LOGIN_FAILED from Bro Intel listed IP"; content: "AAA LOGIN_FAILED"; default_proto: tcp; default_dst_port: $HTTPS_PORT; classtype: unsuccessful-user; parse_src_ip: 1; normalize; bro-intel: by_src; fwsam: src, 1 day; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5002282; sid:5002282; rev:3;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX-BROINTEL] SSLVPN HTTPREQUEST from Bro Intel listed IP"; content: "SSLVPN HTTPREQUEST"; default_proto: tcp; default_dst_port: $HTTPS_PORT; classtype: unsuccessful-user; parse_src_ip: 1; normalize; bro-intel: by_src; fwsam: src, 1 day; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5002286; sid:5002286; rev:3;)
sagan-1.2.0/rules/ntp.rules0000644000175000017500000000406613310533411014554 0ustar champchamp# Sagan ntp.rules
# Copyright (c) 2009-2017, Quadrant Information Security
# All rights reserved. 
# # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list # #************************************************************* # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
#
#*************************************************************

# Disabled. Variable name corrected from "$NTp_PORT" to "$NTP_PORT" (rev 5) so it matches the upper-case port variables used by the other rule sets; make sure $NTP_PORT is defined in your variables before re-enabling.
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[NTP] Permission denied error"; content:"permission denied"; program: ntpd*; default_proto: udp; default_dst_port: $NTP_PORT; classtype: program-error; reference: url,wiki.quadrantsec.com/bin/view/Main/5000041; sid: 5000041; rev:5;)
sagan-1.2.0/rules/vsftpd-geoip.rules0000644000175000017500000000476013310533411016363 0ustar champchamp# Sagan vsftpd-geoip.rules
# Copyright (c) 2009-2017, Quadrant Information Security
# All rights reserved.
#
# Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list
#
#*************************************************************
# Redistribution and use in source and binary forms, with or without modification, are permitted provided that the
# following conditions are met:
#
# * Redistributions of source code must retain the above copyright notice, this list of conditions and the following
# disclaimer.
# * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the
# following disclaimer in the documentation and/or other materials provided with the distribution.
# * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES,
# INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
# DISCLAIMED. 
IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
# USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#
#*************************************************************

# NOTE(review): unlike the other GeoIP rule sets shipped with Sagan (openssh-geoip uses "normalize"; ssh-tectia-server-geoip and vmware-geoip use "parse_src_ip"), these rules carry neither, so country_code: track by_src presumably evaluates the address Sagan attributes to the log line (the syslog sender) rather than the FTP client named in the vsftpd message. Confirm against a real vsftpd "OK LOGIN" event and add normalize or parse_src_ip if the client address is not the one being geo-checked.
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[VSFTPD-GEOIP] Authentication successful from outside HOME_COUNTRY"; content: "OK LOGIN"; default_proto: tcp; default_dst_port: $FTP_PORT; classtype: successful-user; program: vsftpd; country_code: track by_src, isnot $HOME_COUNTRY; reference: url,wiki.quadrantsec.com/bin/view/Main/5002387; sid:5002387; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[VSFTPD-GEOIP] File uploaded from outside HOME_COUNTRY"; content: "OK UPLOAD"; default_proto: tcp; default_dst_port: $FTP_PORT; classtype: suspicious-traffic; country_code: track by_src, isnot $HOME_COUNTRY; program: vsftpd; reference: url,wiki.quadrantsec.com/bin/view/Main/5002388; sid:5002388; rev:2;)
sagan-1.2.0/rules/windows-brointel.rules0000644000175000017500000010352513310533411017261 0ustar champchamp# Sagan windows-brointel.rules
# Copyright (c) 2009-2017, Quadrant Information Security
# All rights reserved.
#
# Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list
#
#*************************************************************
# Redistribution and use in source and binary forms, with or without modification, are permitted provided that the
# following conditions are met:
#
# * Redistributions of source code must retain the above copyright notice, this list of conditions and the following
# disclaimer. 
# * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. # # ************************************************************* # Windows bro-intel rules. # Eventlog to syslog service. This is what we primarily use. 
# http://code.google.com/p/eventlog-to-syslog/

# NOTE(review): this is the only rule in the file written $HOME_NET -> $EXTERNAL_NET; every other rule uses $EXTERNAL_NET -> $HOME_NET. Harmless if the engine ignores the rule header, but align it for consistency - confirm. The duplicated "program: *Security*;" option was dropped (rev 6); matching is unchanged.
alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[WINDOWS-BROINTEL] RDP / Logon type 10 from a Bro Intel listed IP"; program: *Security*; pcre: "/ 528: | 4624: /"; content: "Logon Type|3a| 10 "; bro-intel: by_src; parse_src_ip: 1; normalize; default_proto: tcp; classtype: successful-user; reference: url,wiki.quadrantsec.com/bin/view/Main/5002224; sid: 5002224; rev:6;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BROINTEL] Login failure from a Bro Intel listed IP [0/5]"; program: *Security*; content: " 529|3a| "; classtype: unsuccessful-user; bro-intel: by_src; threshold: type limit, track by_src, count 5, seconds 300; fwsam: src, 1 day; normalize; parse_src_ip: 1; parse_port; reference: url,wiki.quadrantsec.com/bin/view/Main/5002225; sid: 5002225; rev:4;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BROINTEL] Login failure from a Bro Intel listed IP [Time restriction] [0/5]"; content: " 530|3a| "; classtype: unsuccessful-user; program: *Security*; parse_src_ip: 1; bro-intel: by_src; threshold: type limit, track by_src, count 5, seconds 300; fwsam: src, 1 day; normalize; reference: url,wiki.quadrantsec.com/bin/view/Main/5002226; sid: 5002226; rev:7;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BROINTEL] Login failure from a Bro Intel listed IP - Account currently disabled [0/5]"; content: " 531|3a| "; content:!"User Name|3a| Domain|3a|"; classtype: unsuccessful-user; program: *Security*; bro-intel: by_src; normalize; parse_src_ip: 1; threshold: type limit, track by_src, count 5, seconds 300; reference: url,wiki.quadrantsec.com/bin/view/Main/5002227; sid: 5002227; rev:4;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BROINTEL] Login failure from a Bro Intel listed IP - Specified account expired"; content: " 532|3a| "; classtype: unsuccessful-user; program: *Security*; bro-intel: by_src; normalize; parse_src_ip: 1; reference: 
url,wiki.quadrantsec.com/bin/view/Main/5002228; sid: 5002228; rev:4;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BROINTEL] Login failure from a Bro Intel listed IP - User not allowed to login at this computer"; content: " 533|3a| "; classtype: unsuccessful-user; program: *Security*; bro-intel: by_src; normalize; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5002229; sid: 5002229; rev:4;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BROINTEL] Login failure - Account locked from a Bro Intel listed IP [0/5]"; content: " 539|3a| "; content:!"User Name|3a| Domain|3a| Logon Type|3a|"; classtype: unsuccessful-user; bro-intel: by_src; threshold: type limit, track by_src, count 5, seconds 300; parse_src_ip: 1; parse_port; normalize; fwsam: src, 1 day; program: *Security*; reference: url,wiki.quadrantsec.com/bin/view/Main/5002230; sid: 5002230; rev:4;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BROINTEL] Windows DC Logon Failure from a Bro Intel listed IP"; pcre: "/ 675: | 676: | 681: /"; classtype: unsuccessful-user; program: *Security*; bro-intel: by_src; normalize; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5002231; sid: 5002231; rev:4;) # Rules added by Brian Echeverry ( becheverry@quadrantsec.com) - 10/19/2015 #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BROINTEL] Login failure from a Bro Intel listed IP - User Name Does Not Exist [Brute Force] [25/1]"; content: "C0000064"; nocase; pcre: "/ 4625: | 4776: /"; content:!"$ Source"; content:!"$ Account Domain|3a| "; xbits: set,brute_force,21600; classtype: unsuccessful-user; program: *Security*; parse_src_ip: 1; bro-intel: by_src; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; reference: url,wiki.quadrantsec.com/bin/view/Main/5002563; sid:5002563; rev:3;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BROINTEL] Login failure from a Bro 
Intel listed IP - User Correct but Incorrect Password [Brute Force] [25/1]"; content: "C000006A"; nocase; pcre: "/ 4625: | 4776: /"; content:!"$ Account Domain|3a| "; xbits: set,brute_force,21600; classtype: unsuccessful-user; program: *Security*; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bro-intel: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002562; sid:5002562; rev:3;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BROINTEL] Login failure from a Bro Intel listed IP - User Is Locked Out [Brute Force] [25/1]"; content: "C0000234"; nocase; pcre: "/ 4625: | 4776: /"; classtype: unsuccessful-user; program: *Security*; xbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bro-intel: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002404; sid:5002404; rev:3;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BROINTEL] Login failure from a Bro Intel listed IP - User Account Disabled [Brute Force] [25/1]"; content: "C0000072"; nocase; pcre: "/ 4625: | 4776: /"; classtype: unsuccessful-user; program: *Security*; xbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bro-intel: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002405; sid: 5002405; rev:3;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BROINTEL] Login failure from a Bro Intel listed IP - User Login Attempts Outside of Time Restriction [Brute Force] [25/1]"; content: "C000006F"; nocase; pcre: "/ 4625: | 4776: /"; classtype: unsuccessful-user; program: *Security*; xbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bro-intel: by_src; reference: 
url,wiki.quadrantsec.com/bin/view/Main/5002406; sid: 5002406; rev:3;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BROINTEL] Login failure from a Bro Intel listed IP - Expired Account [Brute Force] [25/1]"; content: "C0000193"; nocase; pcre: "/ 4625: | 4776: /"; classtype: unsuccessful-user; program: *Security*; xbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bro-intel: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002407; sid: 5002407; rev:3;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BROINTEL] Login failure from a Bro Intel listed IP - Expired Password [Brute Force] [25/1]"; content: "C0000071"; nocase; pcre: "/ 4625: | 4776: /"; classtype: unsuccessful-user; program: *Security*; xbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bro-intel: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002408; sid: 5002408; rev:3;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BROINTEL] Windows DC Login failure from a Bro Intel listed IP - Brute force 0x1 - Client's entry in database has expired [25/1]"; content: " 0x1 Client "; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; classtype: unsuccessful-user; program: *Security*; xbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bro-intel: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002409; sid: 5002409; rev:3;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BROINTEL] Windows DC Login failure from a Bro Intel listed IP - Brute force 0x2 - Server's entry in database has expired [25/1]"; content: " 0x2 Client "; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; classtype: unsuccessful-user; program: *Security*; xbits: 
set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bro-intel: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002410; sid: 5002410; rev:3;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BROINTEL] Windows DC Login failure from a Bro Intel listed IP - Brute force 0x3 - Requested protocol version # not supported [25/1]"; content: " 0x3 Client "; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; classtype: unsuccessful-user; program: *Security*; xbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bro-intel: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002411; sid: 5002411; rev:3;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BROINTEL] Windows DC Login failure from a Bro Intel listed IP - Brute force 0x4 - Client's key encrypted in old master key [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x4 Client "; classtype: unsuccessful-user; program: *Security*; xbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bro-intel: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002412; sid: 5002412; rev:3;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BROINTEL] Windows DC Login failure from a Bro Intel listed IP - Brute force 0x5 - Server's key encrypted in old master key [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x5 Client "; classtype: unsuccessful-user; program: *Security*; xbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bro-intel: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002413; sid: 5002413; rev:3;) #alert any $EXTERNAL_NET any -> $HOME_NET 
any (msg: "[WINDOWS-BROINTEL] Windows DC Login failure from a Bro Intel listed IP - Brute force 0x6 - Client not found in Kerberos database [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x6 Client "; classtype: unsuccessful-user; program: *Security*; xbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bro-intel: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002414; sid: 5002414; rev:3;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BROINTEL] Windows DC Login failure from a Bro Intel listed IP - Brute force 0x7 - Server not found in Kerberos database [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x7 Client "; classtype: unsuccessful-user; program: *Security*; xbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bro-intel: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002415; sid: 5002415; rev:3;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BROINTEL] Windows DC Login failure from a Bro Intel listed IP - Brute force 0x8 - Multiple principal entries in database [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x8 Client "; classtype: unsuccessful-user; program: *Security*; xbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bro-intel: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002416; sid: 5002416; rev:3;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BROINTEL] Windows DC Login failure from a Bro Intel listed IP - Brute force 0x9 - The client or server has a null key [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x9 Client "; classtype: unsuccessful-user; program: *Security*; xbits: 
set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bro-intel: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002417; sid: 5002417; rev:3;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BROINTEL] Windows DC Login failure from a Bro Intel listed IP - Brute force 0xA - Ticket not eligible for postdating [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0xA Client "; classtype: unsuccessful-user; program: *Security*; xbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bro-intel: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002418; sid: 5002418; rev:3;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BROINTEL] Windows DC Login failure from a Bro Intel listed IP - Brute force 0xB - Requested start time is later than end time [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0xB Client "; classtype: unsuccessful-user; program: *Security*; xbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bro-intel: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002419; sid: 5002419; rev:3;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BROINTEL] Windows DC Login failure from a Bro Intel listed IP - Brute force 0xC - KDC policy rejects request [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0xC "; classtype: unsuccessful-user; program: *Security*; xbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bro-intel: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002420; sid: 5002420; rev:3;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: 
"[WINDOWS-BROINTEL] Windows DC Login failure from a Bro Intel listed IP - Brute force 0xD - KDC cannot accommodate requested option [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0xD "; classtype: unsuccessful-user; program: *Security*; xbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bro-intel: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002421; sid: 5002421; rev:3;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BROINTEL] Windows DC Login failure from a Bro Intel listed IP - Brute force 0xE - KDC has no support for encryption type [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0xE "; classtype: unsuccessful-user; program: *Security*; xbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bro-intel: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002422; sid: 5002422; rev:3;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BROINTEL] Windows DC Login failure from a Bro Intel listed IP - Brute force 0xF - KDC has no support for checksum type [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0xF "; classtype: unsuccessful-user; program: *Security*; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bro-intel: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002423; sid: 5002423; rev:3;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BROINTEL] Windows DC Login failure from a Bro Intel listed IP - Brute force 0x10 - KDC has no support for padata type [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x10 "; classtype: unsuccessful-user; program: *Security*; xbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type 
limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bro-intel: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002424; sid: 5002424; rev:3;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BROINTEL] Windows DC Login failure from a Bro Intel listed IP - Brute force 0x11 - KDC has no support for transited type [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x11 "; classtype: unsuccessful-user; program: *Security*; xbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bro-intel: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002425; sid: 5002425; rev:3;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BROINTEL] Windows DC Login failure from a Bro Intel listed IP - Brute force 0x12 - Clients credentials have been revoked [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x12 "; classtype: unsuccessful-user; program: *Security*; xbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bro-intel: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002426; sid: 5002426; rev:3;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BROINTEL] Windows DC Login failure from a Bro Intel listed IP - Brute force 0x13 - Credentials for server have been revoked [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x13 "; classtype: unsuccessful-user; program: *Security*; xbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bro-intel: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002427; sid: 5002427; rev:3;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BROINTEL] Windows DC Login failure from a Bro Intel listed IP - Brute force 0x14 - TGT 
has been revoked [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x14 "; classtype: unsuccessful-user; program: *Security*; xbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bro-intel: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002428; sid: 5002428; rev:3;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BROINTEL] Windows DC Login failure from a Bro Intel listed IP - Brute force 0x15 - Client not yet valid - try again later [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x15 "; classtype: unsuccessful-user; program: *Security*; xbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bro-intel: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002429; sid: 5002429; rev:3;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BROINTEL] Windows DC Login failure from a Bro Intel listed IP - Brute force 0x16 - Server not yet valid - try again later [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x16 "; classtype: unsuccessful-user; program: *Security*; xbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bro-intel: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002430; sid: 5002430; rev:3;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BROINTEL] Windows DC Login failure from a Bro Intel listed IP - Brute force 0x17 - Password has expired [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x17 "; classtype: unsuccessful-user; program: *Security*; xbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bro-intel: by_src; reference: 
url,wiki.quadrantsec.com/bin/view/Main/5002431; sid: 5002431; rev:3;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BROINTEL] Windows DC Login failure from a Bro Intel listed IP - Brute force 0x18 - Pre-authentication information was invalid [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x18 "; classtype: unsuccessful-user; program: *Security*; xbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bro-intel: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002432; sid: 5002432; rev:3;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BROINTEL] Windows DC Login failure from a Bro Intel listed IP - Brute force 0x19 - Additional pre-authentication required [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x19 "; classtype: unsuccessful-user; program: *Security*; xbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bro-intel: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002433; sid: 5002433; rev:3;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BROINTEL] Windows DC Login failure from a Bro Intel listed IP - Brute force 0x1F - Integrity check on decrypted field failed [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x1F "; classtype: unsuccessful-user; program: *Security*; xbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bro-intel: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002434; sid: 5002434; rev:3;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BROINTEL] Windows DC Login failure from a Bro Intel listed IP - Brute force 0x20 - Ticket expired [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x20 
"; classtype: unsuccessful-user; program: *Security*; xbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bro-intel: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002435; sid: 5002435; rev:3;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BROINTEL] Windows DC Login failure from a Bro Intel listed IP - Brute force 0x21 - Ticket not yet valid [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x21 "; classtype: unsuccessful-user; program: *Security*; xbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bro-intel: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002436; sid: 5002436; rev:3;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BROINTEL] Windows DC Login failure from a Bro Intel listed IP - Brute force 0x22 - Request is a replay [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x22 "; classtype: unsuccessful-user; program: *Security*; xbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bro-intel: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002437; sid: 5002437; rev:3;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BROINTEL] Windows DC Login failure from a Bro Intel listed IP - Brute force 0x23 - The ticket isn't for us [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x23 "; classtype: unsuccessful-user; program: *Security*; xbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bro-intel: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002438; sid: 5002438; rev:3;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: 
"[WINDOWS-BROINTEL] Windows DC Login failure from a Bro Intel listed IP - Brute force 0x24 - Ticket and authenticator don't match [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x24 "; classtype: unsuccessful-user; program: *Security*; xbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bro-intel: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002439; sid: 5002439; rev:3;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BROINTEL] Windows DC Login failure from a Bro Intel listed IP - Brute force 0x25 - Clock skew too great [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x25 "; classtype: unsuccessful-user; program: *Security*; xbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bro-intel: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002440; sid: 5002440; rev:3;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BROINTEL] Windows DC Login failure from a Bro Intel listed IP - Brute force 0x26 - Incorrect net address [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x26 "; classtype: unsuccessful-user; program: *Security*; xbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bro-intel: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002441; sid: 5002441; rev:3;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BROINTEL] Windows DC Login failure from a Bro Intel listed IP - Brute force 0x27 - Protocol version mismatch [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x27 "; classtype: unsuccessful-user; program: *Security*; xbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track 
by_src, count 1, seconds 86400; parse_src_ip: 1; bro-intel: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002442; sid: 5002442; rev:3;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BROINTEL] Windows DC Login failure from a Bro Intel listed IP - Brute force 0x28 - Invalid msg type [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x28 "; classtype: unsuccessful-user; program: *Security*; xbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bro-intel: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002443; sid: 5002443; rev:3;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BROINTEL] Windows DC Login failure from a Bro Intel listed IP - Brute force 0x29 - Message stream modified [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x29 "; classtype: unsuccessful-user; program: *Security*; xbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bro-intel: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002444; sid: 5002444; rev:3;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BROINTEL] Windows DC Login failure from a Bro Intel listed IP - Brute force 0x2A - Message out of order [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x2A "; classtype: unsuccessful-user; program: *Security*; xbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bro-intel: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002445; sid: 5002445; rev:3;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BROINTEL] Windows DC Login failure from a Bro Intel listed IP - Brute force 0x2C - Specified version of key is not available [25/1]"; pcre: "/ 675: | 676: 
| 681: | 4771: | 4768: /"; content: " 0x2C "; classtype: unsuccessful-user; program: *Security*; xbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bro-intel: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002446; sid: 5002446; rev:3;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BROINTEL] Windows DC Login failure from a Bro Intel listed IP - Brute force 0x2D - Service key not available [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x2D "; classtype: unsuccessful-user; program: *Security*; xbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bro-intel: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002447; sid: 5002447; rev:3;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BROINTEL] Windows DC Login failure from a Bro Intel listed IP - Brute force 0x2E - Mutual authentication failed [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x2E "; classtype: unsuccessful-user; program: *Security*; xbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bro-intel: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002448; sid: 5002448; rev:3;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BROINTEL] Windows DC Login failure from a Bro Intel listed IP - Brute force 0x2F - Incorrect message direction [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x2F "; classtype: unsuccessful-user; program: *Security*; xbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bro-intel: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002449; sid: 5002449; 
rev:3;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BROINTEL] Windows DC Login failure from a Bro Intel listed IP - Brute force 0x30 - Alternative authentication method required [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x30 "; classtype: unsuccessful-user; program: *Security*; xbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bro-intel: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002450; sid: 5002450; rev:3;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BROINTEL] Windows DC Login failure from a Bro Intel listed IP - Brute force 0x31 - Incorrect sequence number in message [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x31 "; classtype: unsuccessful-user; program: *Security*; xbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bro-intel: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002451; sid: 5002451; rev:3;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BROINTEL] Windows DC Login failure from a Bro Intel listed IP - Brute force 0x32 - Inappropriate type of checksum in message [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x32 "; classtype: unsuccessful-user; program: *Security*; xbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bro-intel: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002452; sid: 5002452; rev:3;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BROINTEL] Windows DC Login failure from a Bro Intel listed IP - Brute force 0x3C - Generic error [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x3C "; classtype: unsuccessful-user; program: *Security*; xbits: 
set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bro-intel: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002453; sid: 5002453; rev:3;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BROINTEL] Windows DC Login failure from a Bro Intel listed IP - Brute force 0x3D - Field is too long for this implementation [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x3D "; classtype: unsuccessful-user; program: *Security*; xbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bro-intel: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002454; sid: 5002454; rev:3;) sagan-1.2.0/rules/cisco-blacklist.rules0000644000175000017500000001142413310533411017015 0ustar champchamp# Sagan cisco-blacklist.rules # Copyright (c) 2009-2017, Quadrant Information Security # All rights reserved. # # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list # #************************************************************* # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. 
# # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. # # # For log examples, see cisco-geoip.rules. This is just rules: alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[CISCO-BLACKLIST] VPN Login from blacklisted IP"; program: %ASA*-6-716038; blacklist: by_src; default_proto: tcp; default_dst_port: $HTTPS_PORT; classtype: successful-user; parse_src_ip: 1; reference: url, wiki.quadrantsec.com/bin/view/Main/5002240; sid: 5002240; rev: 2;) alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[CISCO-BLACKLIST] Console login from blacklisted IP"; program: %SEC_LOGIN-5-LOGIN_SUCCESS; blacklist: by_src; classtype: successful-user; parse_src_ip: 1; reference: url, wiki.quadrantsec.com/bin/view/Main/5002241; sid: 5002241; rev: 3;) alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[CISCO-BLACKLIST] Login permitted from blacklisted IP"; program: %ASA*-6-605005; blacklist: by_src; classtype: successful-user; parse_src_ip: 1; parse_dst_ip: 2; reference: url, wiki.quadrantsec.com/bin/view/Main/5002242; sid: 5002242; rev: 2;) alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[CISCO-BLACKLIST] WebVPN login from blacklisted IP"; program: %ASA*-6-716001; blacklist: by_src; default_proto: tcp; default_dst_port: $HTTPS_PORT; classtype: successful-user; parse_src_ip: 1; 
reference: url, wiki.quadrantsec.com/bin/view/Main/5002243; sid: 5002243; rev: 2;) alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[CISCO-BLACKLIST] VPN disconnect from blacklisted IP"; program: %ASA*-4-113019; blacklist: by_src; default_proto: tcp; default_dst_port: $HTTPS_PORT; classtype: successful-user; parse_src_ip: 1; reference: url, wiki.quadrantsec.com/bin/view/Main/5002244; sid: 5002244; rev: 3;) alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[CISCO-BLACKLIST] VPN login from blacklisted IP"; program: %ASA*-6-734001; blacklist: by_src; default_proto: tcp; default_dst_port: $HTTPS_PORT; classtype: successful-user; parse_src_ip: 1; reference: url, wiki.quadrantsec.com/bin/view/Main/5002245; sid: 5002245; rev: 2;) alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[CISCO-BLACKLIST] ACS Login success from blacklisted IP"; program: CisACS_01_PassedAuth; blacklist: by_src; classtype: successful-user; parse_src_ip: 2; reference: url, wiki.quadrantsec.com/bin/view/Main/5002246; sid: 5002246; rev: 2;) alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[CISCO-BLACKLIST] VPN login from blacklisted IP [2]"; program: %ASA*-6-722022|%ASA*-6-722023; blacklist: by_src; classtype: successful-user; parse_src_ip: 1; reference: url, wiki.quadrantsec.com/bin/view/Main/5002247; sid: 5002247; rev: 2;) alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[CISCO-BLACKLIST] FTP file transfer from blacklisted IP"; program: %ASA*-6-303002; blacklist: by_src; classtype: successful-user; normalize; reference: url, wiki.quadrantsec.com/bin/view/Main/5002248; sid: 5002248; rev: 3;) alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[CISCO-BLACKLIST] FTP file transfer from blacklisted IP"; program: %ASA*-6-303002; blacklist: by_dst; classtype: successful-user; parse_src_ip: 1; parse_dst_ip: 2; reference: url, wiki.quadrantsec.com/bin/view/Main/5002249; sid: 5002249; rev: 2;) sagan-1.2.0/rules/racoon.rules0000644000175000017500000000705113310533411015231 0ustar champchamp# Sagan 
racoon.rules # Copyright (c) 2009-2017, Quadrant Information Security # All rights reserved. # # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list # #************************************************************* # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
# #************************************************************* #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[RACOON] - Informational message"; content: "INFO"; classtype: program-error; program: racoon; reference: url,wiki.quadrantsec.com/bin/view/Main/5000269; sid: 5000269; rev:2;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[RACOON] - Error message"; content: "ERROR"; classtype: program-error; program: racoon; reference: url,wiki.quadrantsec.com/bin/view/Main/5000270; sid: 5000270; rev:2;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[RACOON] - Warning message"; content: "WARNING"; classtype: program-error; program: racoon; reference: url,wiki.quadrantsec.com/bin/view/Main/5000271; sid: 5000271; rev:2;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[RACOON] - ISAKMP-SA - VPN established"; content: "ISAKMP-SA established"; classtype: successful-user ; program: racoon; reference: url,wiki.quadrantsec.com/bin/view/Main/5000272; sid: 5000272; rev:2;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[RACOON] - Roadwarrior configuration error [ignored error]"; content: "such policy does not already exist"; classtype: unsuccessful-user; program: racoon; reference: url,wiki.quadrantsec.com/bin/view/Main/5000273; sid: 5000273; rev:2;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[RACOON] - Roadwarrior configuration error [ignored warning]"; content: "ignore INITIAL-CONTACT notification"; classtype: unsuccessful-user; program: racoon; reference: url,wiki.quadrantsec.com/bin/view/Main/5000274; sid: 5000274; rev:2;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[RACOON] - Invalid configuration settings [ignored error]"; content: "ERROR"; pcre: "/invalid attribute|rejected/i"; classtype: program-error; program: racoon; reference: url,wiki.quadrantsec.com/bin/view/Main/5000275; sid: 5000275; rev:2;) sagan-1.2.0/rules/oracle.rules0000644000175000017500000000632113310533411015214 0ustar champchamp# Sagan oracle.rules # 
Copyright (c) 2009-2017, Quadrant Information Security # All rights reserved. # # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list # #************************************************************* # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
#
#
# Sample Oracle audit-trail records (anonymised) that the two rules below are written against.
# Both rules key on the RETURNCODE field; ACTION "100" is presumably the LOGON action code
# (not verified here).
# 34: Audit trail: LENGTH: "351" SESSIONID:[9] "269111111" ENTRYID:[1] "1" STATEMENT:[1] "1" USERID:[8] "XXXXXXX" USERHOST:[17] "XXXX\XXXX-XXXXX" TERMINAL:[12] "XXXX-XXXXXXX" ACTION:[3] "100" RETURNCODE:[4] "1017" COMMENT$TEXT:[100] "Authenticated by: DATABASE; Client address: (ADDRESS=(PROTOCOL=tcp)(HOST=XX.XX.XX.XX)(PORT=XXXXX))" OS$USERID:[3] "Bob" DBID:[10] "4004821111" .
# 34: Audit trail: LENGTH: "358" SESSIONID:[9] "269811111" ENTRYID:[1] "1" STATEMENT:[1] "1" USERID:[14] "XXXXXXXXZZZZZZ" USERHOST:[17] "XXXX\XXXX-XXXXXX" TERMINAL:[12] "XXXXX-XXXXXX" ACTION:[3] "100" RETURNCODE:[4] "1017" COMMENT$TEXT:[100] "Authenticated by: DATABASE; Client address: (ADDRESS=(PROTOCOL=tcp)(HOST=XX.XX.XX.XX)(PORT=XXXXXX))" OS$USERID:[3] "Bob" DBID:[10] "4004827967" .
#
# Single failed database logon. |3a| and |22| are hex escapes for ':' and '"', so the
# content is literally  RETURNCODE:[4] "1017"  -- return code 1017 (Oracle's ORA-01017
# logon failure, hence the "Authentication Failure" message) as it appears in the records
# above next to "Authenticated by: DATABASE".
# parse_src_ip: 1 makes the alert source the first IP found in the message; in the samples
# that is the HOST= value inside "Client address", i.e. the connecting client
# (NOTE(review): assumes no other IP literal precedes it in a real record -- verify).
# default_proto / default_dst_port supply tcp/1521 for the alert's protocol and port.
# NOTE(review): the reference is written "url, wiki..." with a space after the comma,
# unlike every other rule file's "url,wiki..."; confirm the reference parser trims it
# before relying on the link.
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[ORACLE] Authentication Failure"; content: "RETURNCODE|3a|[4] |22|1017|22|"; default_proto: tcp; default_dst_port: 1521; classtype: unsuccessful-user; parse_src_ip: 1; reference: url, wiki.quadrantsec.com/bin/view/Main/5001717; sid:5001717; rev: 4;)
#
# Same match, escalated to a brute-force indicator: after: arms the rule once a source has
# produced 5 failures within 300 seconds; threshold: then reports at most once per 300
# seconds per source (the "[5/1]" in msg); xbits: tags that source with the shared
# "brute_force" bit for 21600 seconds (6 hours) so other rule sets can correlate on it.
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[ORACLE] Brute force authentication failure [5/1]"; content: "RETURNCODE|3a|[4] |22|1017|22|"; after: track by_src, count 5, seconds 300; threshold: type limit, track by_src, count 1, seconds 300; xbits: set,brute_force,21600; default_proto: tcp; default_dst_port: 1521; classtype: unsuccessful-user; parse_src_ip: 1; reference: url, wiki.quadrantsec.com/bin/view/Main/5002949; sid:5002949; rev: 2;)
sagan-1.2.0/rules/barracuda.rules0000644000175000017500000001443313310533411015676 0ustar champchamp
# Sagan barracuda.rules
# Copyright (c) 2009-2017, Quadrant Information Security
# All rights reserved.
# # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list # #************************************************************* # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
# # Barracuda rules by Corey Fisher - 02/17/2016 #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[Barracuda] Last Auto Backup Time Changed"; content: "CHANGE last_auto_backup_time"; content: "debug|8f"; program: web; reference: url,wiki.quadrantsec.com/bin/view/Main/5002782; classtype: system-event; sid:5002782; rev:3;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[Barracuda] Spyware Exploit"; content: "Spyware.Exploit.Misc.MD"; content: "pcaptor"; program: pcaptor; parse_src_ip: 1; parse_dst_ip: 2; reference: url,wiki.quadrantsec.com/bin/view/Main/5002783; classtype: suspicious-traffic; sid:5002783; rev:3;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[Barracuda] AdWare Win32 Agent"; content: "AdWare.Win32.Agent.bjx"; content: "pcaptor"; program: pcaptor; parse_src_ip: 1; parse_dst_ip: 2; reference: url,wiki.quadrantsec.com/bin/view/Main/5002784; classtype: suspicious-traffic; sid:5002784; rev:3;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[Barracuda] Login"; content: "LOGIN"; content: !"FAILED_LOGIN"; program: web; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5002785; default_proto: tcp; default_dst_port: $HTTPS_PORT; classtype: system-event; sid:5002785; rev:3;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[Barracuda] Failed Login"; content: "FAILED_LOGIN"; program: web; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5002786; default_proto: tcp; default_dst_port: $HTTPS_PORT; classtype: unsuccessful-admin; sid:5002786; rev:3;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[Barracuda] Brute force login attempt [5/5]"; content: "FAILED_LOGIN"; program: web; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5002945; after: track by_src, count 5, seconds 300; threshold: type limit, track by_src, count 5, seconds 300; xbits: set,brute_force,21600; default_proto: tcp; default_dst_port: $HTTPS_PORT; classtype: unsuccessful-admin; sid:5002945; rev:4;) #alert any 
$EXTERNAL_NET any -> $HOME_NET any (msg: "[Barracuda] Spyware Filter Change"; content: "spy_exempted"; content: "CHANGE"; program: web; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5002787; classtype: system-event; sid:5002787; rev:3;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[Barracuda] Snort Enabled"; content: "snort_enabled"; content: "CHANGE"; program: web; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5002788; classtype: system-event; sid:5002788; rev:3;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[Barracuda] Ipoque Enabled"; content: "ipoque_enabled"; content: "CHANGE"; program: web; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5002789; classtype: system-event; sid:5002789; rev:3;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[Barracuda] Failed Login Log Change"; content: "failed_login"; content: "CHANGE"; program: web; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5002790; classtype: system-event; sid:5002790; rev:3;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[Barracuda] Change to URL Whitelist"; content: "spy_url_whitelist"; content: "CHANGE"; program: web; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5002791; classtype: system-event; sid:5002791; rev:3;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[Barracuda] Change to URL Blacklist"; content: "spy_url_blacklist"; content: "CHANGE"; program: web; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5002792; classtype: system-event; sid:5002792; rev:3;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[Barracuda] Policy Block Change"; content: "policy_block"; content: "CHANGE"; program: web; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5002793; classtype: system-event; sid:5002793; rev:3;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[Barracuda] User Password Changed"; content: "user_password"; content: 
"CHANGE"; program: web; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5002794; classtype: system-event; sid:5002794; rev:3;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[Barracuda] System Password Changed"; content: "system_password"; content: "CHANGE"; program: web; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5002795; classtype: system-event; sid:5002795; rev:3;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[Barracuda] System Shutdown"; content: "set_set_shutdown"; content: "CHANGE"; program: web; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5002796; classtype: system-event; sid:5002796; rev:3;) sagan-1.2.0/rules/passwordstate.rules0000644000175000017500000003674713310533411016671 0ustar champchamp# Sagan passwordstate.rules # Copyright (c) 2009-2017, Quadrant Information Security # All rights reserved. # # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list # #************************************************************* # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. 
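# IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
# USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#
#*************************************************************
#
# Rules for "PasswordState" from www.clickstudios.com.au. PasswordState is an enterprise password manager. These
# rules were created by Jeff Ward (jward@quadrantsec.com)
#
# 2018/01/25
#
# Every rule in this file anchors on the "Passwordstate:" tag in the message and uses
# parse_src_ip: 1, so the alert source is the first IP found in the log line
# (NOTE(review): confirm that is the acting user's address rather than the Passwordstate
# server's own). No rule here uses nocase, so the mixed-case content strings ("Access",
# "granted", ...) presumably have to match the product's audit wording exactly.
#
# rev 2: dropped a second, identical content:"Passwordstate:" match the original rule
# carried; a duplicated match does not change what the rule fires on.
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[PasswordState] Access was Granted"; content:"Passwordstate:"; content:"Access"; content:"granted"; parse_src_ip: 1; classtype: not-suspicious; reference: url,www.clickstudios.com.au/downloads/version8/Passwordstate_Security_Administrators_Manual.pdf; reference: url,wiki.quadrantsec.com/bin/view/Main/5003342; sid:5003342; rev:2;)
# Removal of access is classed as a configuration change rather than an attack indicator.
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[PasswordState] Access has been Removed"; content:"Passwordstate:"; content:"removed access"; parse_src_ip: 1; classtype: configuration-change; reference: url,www.clickstudios.com.au/downloads/version8/Passwordstate_Security_Administrators_Manual.pdf; reference: url,wiki.quadrantsec.com/bin/view/Main/5003343; sid:5003343; rev:1;)
# A bulk export of every stored password: classed suspicious-command so it is not lost
# among routine configuration-change alerts.
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[PasswordState] All Passwords Exported"; content:"Passwordstate:"; content:"exported all"; parse_src_ip: 1; classtype: suspicious-command; reference: url,www.clickstudios.com.au/downloads/version8/Passwordstate_Security_Administrators_Manual.pdf; reference: url,wiki.quadrantsec.com/bin/view/Main/5003344; sid:5003344; rev:1;)
alert any $EXTERNAL_NET any -> $HOME_NET any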
(msg: "[PasswordState] Audit Records Purged"; content:"Passwordstate:"; content:"purged"; parse_src_ip: 1; classtype: suspicious-command; reference: url,www.clickstudios.com.au/downloads/version8/Passwordstate_Security_Administrators_Manual.pdf; reference: url,wiki.quadrantsec.com/bin/view/Main/5003345; sid:5003345; rev:1;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[PasswordState] Password Reset Task Deleted"; content:"Passwordstate:"; content:"Password Reset"; content:"deleted"; parse_src_ip: 1; classtype: suspicious-command; reference: url,www.clickstudios.com.au/downloads/version8/Passwordstate_Security_Administrators_Manual.pdf; reference: url,wiki.quadrantsec.com/bin/view/Main/5003346; sid:5003346; rev:1;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[PasswordState] Discovery Job Updated"; content:"Discovery Job"; content:"Passwordstate:"; content:"updated"; parse_src_ip: 1; classtype: configuration-change; reference: url,www.clickstudios.com.au/downloads/version8/Passwordstate_Security_Administrators_Manual.pdf; reference: url,wiki.quadrantsec.com/bin/view/Main/5003347; sid:5003347; rev:1;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[PasswordState] Discovery Job Permissions Added"; content:"Passwordstate:"; content:"Discovery Job"; content:"permission"; parse_src_ip: 1; classtype: misc-activity; reference: url,www.clickstudios.com.au/downloads/version8/Passwordstate_Security_Administrators_Manual.pdf; reference: url,wiki.quadrantsec.com/bin/view/Main/5003348; sid:5003348; rev:1;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[PasswordState] Discovery Job Removed"; content:"Passwordstate:"; content:"Discovery Job"; content:"removed"; parse_src_ip: 1; classtype: configuration-change; reference: url,www.clickstudios.com.au/downloads/version8/Passwordstate_Security_Administrators_Manual.pdf; reference: url,wiki.quadrantsec.com/bin/view/Main/5003349; sid:5003349; rev:1;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: 
"[PasswordState] Discovery Job Deleted"; content:"Discovery Job"; content:"Passwordstate:"; content:"deleted"; parse_src_ip: 1; classtype: suspicious-traffic; reference: url,www.clickstudios.com.au/downloads/version8/Passwordstate_Security_Administrators_Manual.pdf; reference: url,wiki.quadrantsec.com/bin/view/Main/5003350; sid:5003350; rev:1;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[PasswordState] Document Deleted"; content:"Passwordstate:"; content:"deleted the document"; parse_src_ip: 1; classtype: system-event; reference: url,www.clickstudios.com.au/downloads/version8/Passwordstate_Security_Administrators_Manual.pdf; reference: url,wiki.quadrantsec.com/bin/view/Main/5003351; sid:5003351; rev:1;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[PasswordState] Encryption Keys Exported"; content:"Passwordstate:"; content:"exported the encryption"; parse_src_ip: 1; classtype: suspicious-command; reference: url,www.clickstudios.com.au/downloads/version8/Passwordstate_Security_Administrators_Manual.pdf; reference: url,wiki.quadrantsec.com/bin/view/Main/5003352; sid:5003352; rev:1;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[PasswordState] Password Updated"; content:"Passwordstate:"; content:"updated the Password"; parse_src_ip: 1; classtype: misc-activity; reference: url,www.clickstudios.com.au/downloads/version8/Passwordstate_Security_Administrators_Manual.pdf; reference: url,wiki.quadrantsec.com/bin/view/Main/5003353; sid:5003353; rev:1;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[PasswordState] Login Attempt Failed"; content:"Passwordstate:"; content:"Failed"; content:"login attempt"; parse_src_ip: 1; classtype: system-event; reference: url,www.clickstudios.com.au/downloads/version8/Passwordstate_Security_Administrators_Manual.pdf; reference: url,wiki.quadrantsec.com/bin/view/Main/5003354; sid:5003354; rev:1;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[PasswordState] Privileged Account Credentials Deleted"; 
content:"Passwordstate:"; content:"deleted the Privileged Account Credential"; parse_src_ip: 1; classtype: successful-admin; reference: url,www.clickstudios.com.au/downloads/version8/Passwordstate_Security_Administrators_Manual.pdf; reference: url,wiki.quadrantsec.com/bin/view/Main/5003355; sid:5003355; rev:1;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[PasswordState] Privileged Account Credentials Permissions Added"; content:"Passwordstate:"; content:"Privileged"; content:"added permissions"; parse_src_ip: 1; classtype: successful-admin; reference: url,www.clickstudios.com.au/downloads/version8/Passwordstate_Security_Administrators_Manual.pdf; reference: url,wiki.quadrantsec.com/bin/view/Main/5003356; sid:5003356; rev:1;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[PasswordState] Privileged Account Credentials Permissions Removed"; content:"Passwordstate:"; content:"Privileged"; content:"removed permissions"; parse_src_ip: 1; classtype: successful-admin; reference: url,www.clickstudios.com.au/downloads/version8/Passwordstate_Security_Administrators_Manual.pdf; reference: url,wiki.quadrantsec.com/bin/view/Main/5003357; sid:5003357; rev:1;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[PasswordState] Security Administrator Added"; content:"Passwordstate:"; content:"Security Administrator"; content:"added"; parse_src_ip: 1; classtype: successful-admin; reference: url,www.clickstudios.com.au/downloads/version8/Passwordstate_Security_Administrators_Manual.pdf; reference: url,wiki.quadrantsec.com/bin/view/Main/5003358; sid:5003358; rev:1;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[PasswordState] Security Administrator Removed"; content:"Passwordstate:"; content:"Security Administrator"; content:"removed"; parse_src_ip: 1; classtype: successful-admin; reference: url,www.clickstudios.com.au/downloads/version8/Passwordstate_Security_Administrators_Manual.pdf; reference: url,wiki.quadrantsec.com/bin/view/Main/5003359; sid:5003359; 
rev:1;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[PasswordState] Security Administrator Role Updated"; content:"Passwordstate:"; content:"Security Administrator"; content:"updated"; parse_src_ip: 1; classtype: successful-admin; reference: url,www.clickstudios.com.au/downloads/version8/Passwordstate_Security_Administrators_Manual.pdf; reference: url,wiki.quadrantsec.com/bin/view/Main/5003360; sid:5003360; rev:1;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[PasswordState] Security Group Added"; content:"Passwordstate:"; content:"Group"; content:"added the"; content:"Security Group"; content:"to Passwordstate"; parse_src_ip: 1; classtype: successful-admin; reference: url,www.clickstudios.com.au/downloads/version8/Passwordstate_Security_Administrators_Manual.pdf; reference: url,wiki.quadrantsec.com/bin/view/Main/5003361; sid:5003361; rev:1;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[PasswordState] Security Group Updated"; content:"Passwordstate:"; content:"updated"; content:"Security Group"; parse_src_ip: 1; classtype: successful-admin; reference: url,www.clickstudios.com.au/downloads/version8/Passwordstate_Security_Administrators_Manual.pdf; reference: url,wiki.quadrantsec.com/bin/view/Main/5003362; sid:5003362; rev:1;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[PasswordState] Security Group Deleted"; content:"Passwordstate:"; content:"deleted"; content:"Security Group"; parse_src_ip: 1; classtype: successful-admin; reference: url,www.clickstudios.com.au/downloads/version8/Passwordstate_Security_Administrators_Manual.pdf; reference: url,wiki.quadrantsec.com/bin/view/Main/5003363; sid:5003363; rev:1;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[PasswordState] User Account Added to Security Group"; content:"Passwordstate:"; content:"Security Group"; content:"added"; content:"SysID"; content:"to the"; parse_src_ip: 1; classtype: successful-admin; reference: 
url,www.clickstudios.com.au/downloads/version8/Passwordstate_Security_Administrators_Manual.pdf; reference: url,wiki.quadrantsec.com/bin/view/Main/5003364; sid:5003364; rev:1;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[PasswordState] User Account Disabled"; content:"Passwordstate:"; content:"disabled the User Account"; parse_src_ip: 1; classtype: successful-admin; reference: url,www.clickstudios.com.au/downloads/version8/Passwordstate_Security_Administrators_Manual.pdf; reference: url,wiki.quadrantsec.com/bin/view/Main/5003365; sid:5003365; rev:1;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[PasswordState] User Removed From Security Group"; content:"Passwordstate:"; content:"from the Security Group"; content:"removed"; parse_src_ip: 1; classtype: successful-admin; reference: url,www.clickstudios.com.au/downloads/version8/Passwordstate_Security_Administrators_Manual.pdf; reference: url,wiki.quadrantsec.com/bin/view/Main/5003366; sid:5003366; rev:1;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[PasswordState] Password Copied Between Password Lists"; content:"Passwordstate:"; content:"Copied from Password List"; parse_src_ip: 1; classtype: suspicious-traffic; reference: url,www.clickstudios.com.au/downloads/version8/Passwordstate_Security_Administrators_Manual.pdf; reference: url,wiki.quadrantsec.com/bin/view/Main/5003367; sid:5003367; rev:1;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[PasswordState] Password Deleted"; content:"Passwordstate:"; content:"deleted the password '"; parse_src_ip: 1; classtype: suspicious-traffic; reference: url,www.clickstudios.com.au/downloads/version8/Passwordstate_Security_Administrators_Manual.pdf; reference: url,wiki.quadrantsec.com/bin/view/Main/5003368; sid:5003368; rev:1;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[PasswordState] Password History Exported"; content:"Passwordstate:"; content:"exported Historical"; parse_src_ip: 1; classtype: suspicious-traffic; reference: 
url,www.clickstudios.com.au/downloads/version8/Passwordstate_Security_Administrators_Manual.pdf; reference: url,wiki.quadrantsec.com/bin/view/Main/5003369; sid:5003369; rev:1;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[PasswordState] Password List Deleted"; content:"Passwordstate:"; content:"deleted the Password List"; parse_src_ip: 1; classtype: suspicious-traffic; reference: url,www.clickstudios.com.au/downloads/version8/Passwordstate_Security_Administrators_Manual.pdf; reference: url,wiki.quadrantsec.com/bin/view/Main/5003370; sid:5003370; rev:1;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[PasswordState] Password Moved"; content:"Passwordstate:"; content:"moved the Password"; parse_src_ip: 1; classtype: suspicious-traffic; reference: url,www.clickstudios.com.au/downloads/version8/Passwordstate_Security_Administrators_Manual.pdf; reference: url,wiki.quadrantsec.com/bin/view/Main/5003371; sid:5003371; rev:1;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[PasswordState] Password Reset Failed"; content:"Passwordstate:"; content:"failed to process the Password Reset"; parse_src_ip: 1; classtype: bad-unknown; reference: url,www.clickstudios.com.au/downloads/version8/Passwordstate_Security_Administrators_Manual.pdf; reference: url,wiki.quadrantsec.com/bin/view/Main/5003372; sid:5003372; rev:1;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[PasswordState] Password Reset Removed from Queue"; content:"Passwordstate:"; content:"Password Reset"; content:"removed"; parse_src_ip: 1; classtype: configuration-change; reference: url,www.clickstudios.com.au/downloads/version8/Passwordstate_Security_Administrators_Manual.pdf; reference: url,wiki.quadrantsec.com/bin/view/Main/5003373; sid:5003373; rev:1;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[PasswordState] Password Reset Task Updated"; content:"Passwordstate:"; content:"Password Reset"; content:"updated"; parse_src_ip: 1; classtype: configuration-change; reference: 
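url,www.clickstudios.com.au/downloads/version8/Passwordstate_Security_Administrators_Manual.pdf; reference: url,wiki.quadrantsec.com/bin/view/Main/5003374; sid:5003374; rev:1;)
#
# Brute-force escalation of sid 5003354 ("Login Attempt Failed"): the same three content
# matches and the same parse_src_ip: 1, so the tracked source is the first IP found in
# the log line. after: arms the rule once one source has produced 5 failures in 300
# seconds; threshold: then reports at most 5 times per 300 seconds per source (the
# "[5/5]" in msg). xbits: tags that source with the shared "brute_force" bit for 21600
# seconds (6 hours) -- the same bit the Oracle (sid 5002949) and Barracuda (sid 5002945)
# brute-force rules set, so cross-product correlation on it works.
# NOTE(review): classtype system-event mirrors sid 5003354; the Oracle/Barracuda
# brute-force rules use unsuccessful-user / unsuccessful-admin, which is the more usual
# class for this and may be what downstream filters expect.
# rev 2: the xbit was written as a bare "set,brute_force,21600;" with no "xbits:" keyword,
# which is not a rule option the parser can dispatch on (every other brute-force rule in
# this set writes it as "xbits: set,..."); the bit would never have been set, or the rule
# would have failed to load.
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[PasswordState] Brute Force Login Attempt [5/5]"; content:"Passwordstate:"; content:"Failed"; content:"login attempt"; parse_src_ip: 1; after: track by_src, count 5, seconds 300; threshold: type limit, track by_src, count 5, seconds 300; xbits: set,brute_force,21600; classtype: system-event; reference: url,www.clickstudios.com.au/downloads/version8/Passwordstate_Security_Administrators_Manual.pdf; reference: url,wiki.quadrantsec.com/bin/view/Main/5003375; sid:5003375; rev:2;)
sagan-1.2.0/rules/cisco-prime.rules0000644000175000017500000010364613310533411016171 0ustar champchamp
# Sagan cisco-prime.rules
# Copyright (c) 2009-2017, Quadrant Information Security
# All rights reserved.
#
# Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list
#
#*************************************************************
# Redistribution and use in source and binary forms, with or without modification, are permitted provided that the
# following conditions are met:
#
# * Redistributions of source code must retain the above copyright notice, this list of conditions and the following
# disclaimer.
# * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the
# following disclaimer in the documentation and/or other materials provided with the distribution.
# * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES,
# INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
# DISCLAIMED.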
IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. # Champ Clark (08/28/2014) # # These rules look for "eventType={type}("; For example, "eventType=AP_BIG_NAV_DOS_ATTACK(". # We actually trigger on the items between the = and (. # AP_BIG_NAV_DOS_ATTACK # The AP ''{0}'' with protocol ''{1}'' receives a message with a large NAV field and all traffic on the channel is suspended. This is most likely a malicious denial of service attack. # The system detected a possible denial of service attack and suspended all traffic to the affected channel. alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PRIME] BIG NAV DOS Attack"; program: snmptrapd; content: "=AP_BIG_NAV_DOS_ATTACK|28|"; classtype: attempted-dos; reference: url,www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html; reference: url,wiki.quadrantsec.com/bin/view/Main/5002122; sid:5002122; rev:3;) # AP_CONTAINED_AS_ROGUE # AP ''{0}'' is being contained. This is due to rogue device spoofing or targeting AP ''{0}'' BSSID on ''{1}'' radio. # An access point is reporting that it is being contained as a rogue. 
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PRIME] Rogue AP detect and contained"; program: snmptrapd; content: "=AP_CONTAINED_AS_ROGUE|28|"; classtype: suspicious-traffic; reference: url,www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html; reference: url,wiki.quadrantsec.com/bin/view/Main/5002123; sid:5002123; rev:3;)
# AP_MAX_ROGUE_COUNT_EXCEEDED
# NOTE(review): the template line below is a copy of the AP_CONTAINED_AS_ROGUE text above
# and does not describe this event; see the Cisco event reference linked in the rule for
# the real wording. Only the second line applies.
# AP ''{0}'' is being contained. This is due to rogue device spoofing or targeting AP ''{0}'' BSSID on ''{1}'' radio.
# The number of rogues detected by a switch (controller) exceeds the internal threshold.
# (msg keeps the original "theshold" spelling: alert text is something downstream
# consumers may key on, so correcting it belongs in a rev-bumped rule change, not here.)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PRIME] Rogue AP detected exceed theshold"; program: snmptrapd; content: "=AP_MAX_ROGUE_COUNT_EXCEEDED|28|"; classtype: suspicious-traffic; reference: url,www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html; reference: url,wiki.quadrantsec.com/bin/view/Main/5002124; sid:5002124; rev:3;)
# AUTHENTICATION_FAILURE
# Switch ''{0}''. Authentication failure reported.
# There was an SNMP authentication failure on the switch (controller).
# The leading "=" in the content (eventType=NAME( per the file header) is what stops this
# rule from also matching "=BSN_AUTHENTICATION_FAILURE(" below, which ends in the same
# token; keep it if the content is ever edited.
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PRIME] SNMP Authentication failure"; program: snmptrapd; content: "=AUTHENTICATION_FAILURE|28|"; classtype: suspicious-traffic; reference: url,www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html; reference: url,wiki.quadrantsec.com/bin/view/Main/5002125; sid:5002125; rev:3;)
# BSN_AUTHENTICATION_FAILURE
# Switch ''{0}." User authentication from Switch ''{0}'' failed for username ''{1}'' and user type ''{2}."
# A user authentication failure is reported for a local management user or a MAC filter is configured on the controller.
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PRIME] Authentication failure by local management user/MAC "; program: snmptrapd; content: "=BSN_AUTHENTICATION_FAILURE|28|"; classtype: suspicious-traffic; reference: url,www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html; reference: url,wiki.quadrantsec.com/bin/view/Main/5002126; sid:5002126; rev:3;) # ROGUE_AP_DETECTED # Rogue AP or ad hoc rogue ''{0}'' with SSID ''{3}'' and channel number ''{4}'' is detected by AP ''{1}'' Radio type ''{2}'' with RSSI ''{5}'' and SNR ''{6}." # The system has detected a rogue access point. alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PRIME] Rogue AP or ADHOC detected"; program: snmptrapd; content: "=ROGUE_AP_DETECTED|28|"; classtype: suspicious-traffic; reference: url,www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html; reference: url,wiki.quadrantsec.com/bin/view/Main/5002127; sid:5002127; rev:3;) # ROGUE_AP_ON_NETWORK # Rogue AP or ad hoc rogue ''{0}'' is on the wired network. # A rogue access point is found reachable through the wired network. alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PRIME] Rogue AP on the network!"; program: snmptrapd; content: "=ROGUE_AP_ON_NETWORK|28|"; classtype: suspicious-traffic; reference: url,www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html; reference: url,wiki.quadrantsec.com/bin/view/Main/5002128; sid:5002128; rev:3;) # ROGUE_AP_REMOVED # Rogue AP or ad hoc rogue ''{0}'' is removed; it was detected as Rogue AP by AP ''{1}'' Radio type ''{2}.'' # The system is no longer detecting a rogue access point. 
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PRIME] Rogue AP has been removed"; program: snmptrapd; content: "=ROGUE_AP_REMOVED|28|"; classtype: suspicious-traffic; reference: url,www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html; reference: url,wiki.quadrantsec.com/bin/view/Main/5002129; sid:5002129; rev:3;) # SENSED_TEMPERATURE_HIGH # The sensed temperature on the Switch ''{0}'' is too high. The current sensed temperature is ''{1}.'' # The internal temperature of the system has crossed the configured thresholds. #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PRIME] Internal high temperature detected!"; program: snmptrapd; content: "=SENSED_TEMPERATURE_HIGH|28|"; classtype: hardware-event; reference: url,www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html; reference: url,wiki.quadrantsec.com/bin/view/Main/5002130; sid:5002130; rev:3;) # SENSED_TEMPERATURE_LOW # The sensed temperature on the Switch ''{0}'' is too low. The current sensed temperature is ''{1}.'' # The internal temperature of the device is below the configured limit in the system. #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PRIME] Internal low temperature detected!"; program: snmptrapd; content: "=SENSED_TEMPERATURE_LOW|28|"; classtype: hardware-event; reference: url,www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html; reference: url,wiki.quadrantsec.com/bin/view/Main/5002131; sid:5002131; rev:3;) # STATION_AUTHENTICATION_FAIL # Client ''{0}'' has failed authenticating with AP ''{1},'' interface ''{2}.'' The reason code is ''{3}.'' # The system failed to authenticate a client. 
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PRIME] Station authentication failure"; program: snmptrapd; content: "=STATION_AUTHENTICATION_FAIL|28|"; classtype: suspicious-traffic; reference: url,www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html; reference: url,wiki.quadrantsec.com/bin/view/Main/5002132; sid:5002132; rev:3;) # STATION_ASSOCIATE_FAIL # Client ''{0}'' failed to associate with AP ''{1},'' interface ''{2}.'' The reason code is ''{3}.'' # A client station failed to associate with the system. alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PRIME] Station association failure"; program: snmptrapd; content: "=STATION_ASSOCIATE_FAIL|28|"; classtype: suspicious-traffic; reference: url,www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html; reference: url,wiki.quadrantsec.com/bin/view/Main/5002133; sid:5002133; rev:3;) # STATION_BLACKLISTED # Client ''{0}'' which was associated with AP ''{1},'' interface ''{2}'' is excluded. The reason code is ''{3}.'' # A client is in the exclusion list and is not allowed to authenticate for a configured interval. alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PRIME] Station blacklisted"; program: snmptrapd; content: "=STATION_BLACKLISTED|28|"; classtype: suspicious-traffic; reference: url,www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html; reference: url,wiki.quadrantsec.com/bin/view/Main/5002134; sid:5002134; rev:3;) # SWITCH_DETECTED_DUPLICATE_IP # Switch ''{0}'' detected duplicate IP address ''{0}'' being used by machine with mac address ''{1}.'' # The system has detected a duplicate IP address in the network that is assigned to the switch (controller). 
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PRIME] Duplicate IP address assigned to controller"; program: snmptrapd; content: "=SWITCH_DETECTED_DUPLICATE_IP|28|"; classtype: suspicious-traffic; reference: url,www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html; reference: url,wiki.quadrantsec.com/bin/view/Main/5002135; sid:5002135; rev:3;) # TOO_MANY_USER_UNSUCCESSFUL_LOGINS # User ''{1}'' with IP Address ''{0}'' has made too many unsuccessful login attempts. # A management user has made too many login attempts. alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PRIME] Possible brute force from management user!"; program: snmptrapd; content: "=TOO_MANY_USER_UNSUCCESSFUL_LOGINS|28|"; classtype: suspicious-traffic; reference: url,www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html; reference: url,wiki.quadrantsec.com/bin/view/Main/5002136; sid:5002136; rev:3;) # ADHOC_ROGUE_AUTO_CONTAINED # Adhoc Rogue ''{0}'' was found and is auto contained as per WPS policy. # An ad hoc rogue that the system has detected earlier is now clear. alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PRIME] Rogue ADHOC contained"; program: snmptrapd; content: "=ADHOC_ROGUE_AUTO_CONTAINED|28|"; classtype: suspicious-traffic; reference: url,www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html; reference: url,wiki.quadrantsec.com/bin/view/Main/5002137; sid:5002137; rev:3;) # ROGUE_AP_AUTO_CONTAINED # Rogue AP ''{0}'' is advertising our SSID and is auto contained as per WPS policy. # The system has automatically contained a rogue access point. 
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PRIME] Rogue AP auto contained"; program: snmptrapd; content: "=ROGUE_AP_AUTO_CONTAINED|28|"; classtype: suspicious-traffic; reference: url,www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html; reference: url,wiki.quadrantsec.com/bin/view/Main/5002138; sid:5002138; rev:3;) # TRUSTED_AP_INVALID_ENCRYPTION # Trusted AP ''{0}'' is invalid encryption. It is using ''{1}'' instead of ''{2}." It is auto contained as per WPS policy. # The system automatically contained a trusted access point that has invalid encryption. alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PRIME] Trusted AP has invalid encryption"; program: snmptrapd; content: "=TRUSTED_AP_INVALID_ENCRYPTION|28|"; classtype: suspicious-traffic; reference: url,www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html; reference: url,wiki.quadrantsec.com/bin/view/Main/5002140; sid:5002140; rev:3;) # TRUSTED_AP_INVALID_RADIO_POLICY # Trusted AP ''{0}'' has invalid radio policy. It is using ''{1}'' instead of ''{2}." It has been auto contained as per WPS policy. # The system has contained a trusted access point with an invalid radio policy. alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PRIME] Trusted AP has invalid radio policy"; program: snmptrapd; content: "=TRUSTED_AP_INVALID_RADIO_POLICY|28|"; classtype: suspicious-traffic; reference: url,www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html; reference: url,wiki.quadrantsec.com/bin/view/Main/5002141; sid:5002141; rev:3;) # TRUSTED_AP_INVALID_SSID # Trusted AP ''{0}'' has invalid SSID. It was auto contained as per WPS policy. # The system has automatically contained a trusted access point for advertising an invalid SSID. 
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PRIME] Trusted AP has invalid SSID"; program: snmptrapd; content: "=TRUSTED_AP_INVALID_SSID|28|"; classtype: suspicious-traffic; reference: url,www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html; reference: url,wiki.quadrantsec.com/bin/view/Main/5002142; sid:5002142; rev:3;) # TRUSTED_AP_MISSING # Trusted AP ''{0}'' is missing or has failed. # The wireless system no longer detects a trusted access point. alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PRIME] Trusted AP missing"; program: snmptrapd; content: "=TRUSTED_AP_MISSING|28|"; classtype: suspicious-traffic; reference: url,www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html; reference: url,wiki.quadrantsec.com/bin/view/Main/5002143; sid:5002143; rev:3;) # AP_IMPERSONATION_DETECTED # AP Impersonation with MAC ''{0}'' is detected by authenticated AP ''{1}'' on ''{2}'' radio and Slot ID ''{3}.'' # A radio of an authenticated access point has heard from another access point whose MAC address neither matches that of a rogue nor is it an authenticated neighbor of the detecting access point. alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PRIME] AP impersionation detected!"; program: snmptrapd; content: "=AP_IMPERSONATION_DETECTED|28|"; classtype: suspicious-traffic; reference: url,www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html; reference: url,wiki.quadrantsec.com/bin/view/Main/5002144; sid:5002144; rev:3;) # SIGNATURE_ATTACK_DETECTED # IDS Signature attack detected on Switch ''{0}." The Signature Type is ''{1}," Signature Name is ''{2},'' and Signature description is ''{3}." # The switch (controller) is detecting a signature attack. The switch (controller) has a list of signatures that it monitors. When it detects a signature, it provides the name of the signature attack in the alert it generates. 
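alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PRIME] WIDS / Signature attack detected!"; program: snmptrapd; content: "=SIGNATURE_ATTACK_DETECTED|28|"; classtype: suspicious-traffic; reference: url,www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html; reference: url,wiki.quadrantsec.com/bin/view/Main/5002145; sid:5002145; rev:3;)

# AP_AUTHORIZATION_FAILURE
# * Failed to authorize AP "{0}." Authorization entry does not exist in Controllers "{1}" AP Authorization List.
# * Failed to authorize AP "{0}." The authorization key of the AP does not match with SHA1 key in Controllers "{1}" AP Authorization List.
# * Failed to authorize AP "{0}." Controller "{1}" could not verify the Self Signed Certificate from the AP.
# * Failed to authorize AP "{0}." AP has a self signed certificate where as the Controllers "{1}" AP authorization list has Manufactured Installed Certificate for this AP.
# An alert is generated when an access point fails to associate with a controller due to authorization issues.
#
# Fix: this signature previously carried the content string and msg of sid 5002145
# (=SIGNATURE_ATTACK_DETECTED|28|), so it only ever duplicated that alert and never
# fired on an actual AP_AUTHORIZATION_FAILURE trap (a silent detection gap for AP
# authorization failures). The content now matches the trap name documented above
# and the msg describes the event; rev bumped.

alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PRIME] AP authorization failure"; program: snmptrapd; content: "=AP_AUTHORIZATION_FAILURE|28|"; classtype: suspicious-traffic; reference: url,www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html; reference: url,wiki.quadrantsec.com/bin/view/Main/5002146; sid:5002146; rev:4;)

# CISCO_LWAPP_MESH_CONSOLE_LOGIN
# Console login successful or failed.
# The console port provides the ability for the customer to change the username and password to recover the stranded outdoor access point. To prevent any unauthorized user access to the access point, the NCS sends an alarm when someone tries to log in. This alarm is required to provide protection because the access point is physically vulnerable being located outdoors.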
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PRIME] MESH Console login"; program: snmptrapd; content: "=CISCO_LWAPP_MESH_CONSOLE_LOGIN|28|"; classtype: suspicious-traffic; reference: url,www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html; reference: url,wiki.quadrantsec.com/bin/view/Main/5002147; sid:5002147; rev:3;) # CISCO_LWAPP_MESH_AUTHORIZATION_FAILURE # Fails to authenticate with controller. # The NCS receives a trap from the controller. The trap contains the MAC addresses of those access points that failed authorization. alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PRIME] MESH authorization failure"; program: snmptrapd; content: "=CISCO_LWAPP_MESH_AUTHORIZATION_FAILURE|28|"; classtype: suspicious-traffic; reference: url,www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html; reference: url,wiki.quadrantsec.com/bin/view/Main/5002148; sid:5002148; rev:3;) # IDS_SHUN_CLIENT_TRAP # The Cisco Intrusion Detection System "{0}" has detected a possible intrusion attack by the wireless client "{1}." # This trap is generated in response to a shun client clear alert originated from a Cisco IDS/IPs appliance ("{0}") installed in the data path between the wireless client ("{1}") and the intranet of the site. alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PRIME] Shun client alert from IDS/IPS appliance!"; program: snmptrapd; content: "=IDS_SHUN_CLIENT_TRAP|28|"; classtype: suspicious-traffic; reference: url,www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html; reference: url,wiki.quadrantsec.com/bin/view/Main/5002149; sid:5002149; rev:3;) # MFP_ANOMALY_DETECTED_TRAP # MFP configuration of the WLAN was violated by the radio interface "{0}" and detected by the radio interface "{1}" of the access point with MAC address "{2}." The violation is "{3}." 
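# This notification is sent by the agent when the MFP configuration of the WLAN was violated by the radio interface cLApIfSmtDot11Bssid and detected by the radio interface cLApDot11IfSlotId of the access point cLApSysMacAddress. This violation is indicated by cLMfpEventType. When observing the management frame(s) given by cLMfpEventFrames for the last cLMfpEventPeriod time units, the controller reports the occurrence of a total of cLMfpEventTotal violation events of type cLMfpEventType. When the cLMfpEventTotal is 0, no further anomalies have recently been detected, and the NMS should clear any alarm raised about the MFP errors. Note This notification is generated by the controller only if MFP was configured as the protection mechanism through cLMfpProtectType.

alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PRIME] MFP anomaly detected"; program: snmptrapd; content: "=MFP_ANOMALY_DETECTED_TRAP|28|"; classtype: suspicious-traffic; reference: url,www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html; reference: url,wiki.quadrantsec.com/bin/view/Main/5002150; sid:5002150; rev:3;)

# MESH_AUTHORIZATIONFAILURE
# MESH "{0}" fails to authenticate with controller because "{1}".
# A mesh access point failed to join the mesh network because its MAC address is not listed in the MAC filter list. The alarm includes the MAC address of the mesh access point that failed to join.
#
# Fix: this signature previously matched on =MFP_ANOMALY_DETECTED_TRAP|28| (the content
# of sid 5002150 above), so it duplicated the MFP alert and never fired on a mesh
# authorization failure trap. The content now matches the trap name documented above;
# rev bumped.

alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PRIME] MESH authentication failure"; program: snmptrapd; content: "=MESH_AUTHORIZATIONFAILURE|28|"; classtype: suspicious-traffic; reference: url,www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html; reference: url,wiki.quadrantsec.com/bin/view/Main/5002151; sid:5002151; rev:4;)

# GUEST_USER_ADDED
# Guest user "{0}" created on the controller "{1}."
# This notification is sent by the agent when the GuestUser account is created successfully.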
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PRIME] GUEST user created on controller"; program: snmptrapd; content: "=GUEST_USER_ADDED|28|"; classtype: suspicious-traffic; reference: url,www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html; reference: url,wiki.quadrantsec.com/bin/view/Main/5002152; sid:5002152; rev:3;) # GUEST_USER_AUTHENTICATED # Guest user "{1}" logged into controller "{0}." # This notification is sent by the agent when the GuestUser logged into the network through webauth successfully. alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PRIME] GUEST user authenticated"; program: snmptrapd; content: "=GUEST_USER_AUTHENTICATED|28|"; classtype: suspicious-traffic; reference: url,www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html; reference: url,wiki.quadrantsec.com/bin/view/Main/5002153; sid:5002153; rev:3;) # GUEST_USER_LOGOFF # Guest user "{1}" logged out from the controller "{0}." # This notification is sent by the agent when a GuestUser who was previously logged into the network logs out. alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PRIME] GUEST user logoff"; program: snmptrapd; content: "=GUEST_USER_LOGOFF|28|"; classtype: suspicious-traffic; reference: url,www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html; reference: url,wiki.quadrantsec.com/bin/view/Main/5002154; sid:5002154; rev:3;) # SI_SECURITY_TRAPS # Raised when Interferer marked as a security threat is detected by the network. alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PRIME] SI Security trap raised!"; program: snmptrapd; content: "=SI_SECURITY_TRAPS|28|"; classtype: suspicious-traffic; reference: url,www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html; reference: url,wiki.quadrantsec.com/bin/view/Main/5002155; sid:5002155; rev:3;) # FAN_MONITOR # Cooling fan failure [ applies to MSE-3355 only]. 
One of the CPU cooling fans on $HOST [$IP] has failed. #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PRIME] Cooling fan failure [MSE-3355]"; program: snmptrapd; content: "=FAN_MONITOR|28|"; classtype: suspicious-traffic; reference: url,www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html; reference: url,wiki.quadrantsec.com/bin/view/Main/5002156; sid:5002156; rev:3;) # FRIENDLY_ROGUE_AP_DETECTED_ON_NETWORK # A rogue access point was detected on network by the system with classification "Friendly". # Rogue AP ''{0}'' with SSID ''{3}'' and channel number ''{4}'' is detected by AP ''{1}'' Radio type ''{2}'' with RSSI ''{5}'' and SNR ''{6}''. alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PRIME] Friendly rogue AP detected on network"; program: snmptrapd; content: "=FRIENDLY_ROGUE_AP_DETECTED_ON_NETWORK|28|"; classtype: suspicious-traffic; reference: url,www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html; reference: url,wiki.quadrantsec.com/bin/view/Main/5002157; sid:5002157; rev:3;) # FRIENDLY_ROGUE_AP_DETECTED # A rogue access point was detected by the system with classification "Friendly". # Rogue AP ''{0}'' with SSID ''{3}'' and channel number ''{4}'' is detected by AP ''{1}'' Radio type ''{2}'' with RSSI ''{5}'' and SNR ''{6}''. alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PRIME] Friendly rogue AP detected"; program: snmptrapd; content: "=FRIENDLY_ROGUE_AP_DETECTED|28|"; classtype: suspicious-traffic; reference: url,www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html; reference: url,wiki.quadrantsec.com/bin/view/Main/5002158; sid:5002158; rev:3;) # UNCLASSIFIED_ROGUE_AP_DETECTED_ON_NETWORK # A rogue access point was detected on network by the system with classification "Unclassified" in contained state. 
# Rogue AP ''{0}'' with SSID ''{3}'' and channel number ''{4}'' is detected by AP ''{1}'' Radio type ''{2}'' with RSSI ''{5}'' and SNR ''{6}''. alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PRIME] Unclassified rogue AP detected on network"; program: snmptrapd; content: "=UNCLASSIFIED_ROGUE_AP_DETECTED_ON_NETWORK|28|"; classtype: suspicious-traffic; reference: url,www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html; reference: url,wiki.quadrantsec.com/bin/view/Main/5002159; sid:5002159; rev:3;) # UNCLASSIFIED_ROGUE_AP_DETECTED_ON_NETWORK_AND_CONTAINED # A rogue access point was detected on network by the system with classification "Unclassified" in contained state. # Rogue AP ''{0}'' with SSID ''{3}'' and channel number ''{4}'' is detected by AP ''{1}'' Radio type ''{2}'' with RSSI ''{5}'' and SNR ''{6}''. alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PRIME] Unclassified rogue AP detected on network contained"; program: snmptrapd; content: "=UNCLASSIFIED_ROGUE_AP_DETECTED_ON_NETWORK_AND_CONTAINED|28|"; classtype: suspicious-traffic; reference: url,www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html; reference: url,wiki.quadrantsec.com/bin/view/Main/5002160; sid:5002160; rev:3;) # UNCLASSIFIED_ROGUE_AP_DETECTED_CONTAINED # A rogue access point was detected on network by the system with classification "Unclassified" in contained state. # Rogue AP ''{0}'' with SSID ''{3}'' and channel number ''{4}'' is detected by AP ''{1}'' Radio type ''{2}'' with RSSI ''{5}'' and SNR ''{6}''. 
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PRIME] Unclassified rogue AP detected contained"; program: snmptrapd; content: "=UNCLASSIFIED_ROGUE_AP_DETECTED_CONTAINED|28|"; classtype: suspicious-traffic; reference: url,www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html; reference: url,wiki.quadrantsec.com/bin/view/Main/5002161; sid:5002161; rev:3;) # UNCLASSIFIED_ROGUE_AP_DETECTED # A rogue access point was detected on network by the system with classification "Unclassified" in contained state. # Rogue AP ''{0}'' with SSID ''{3}'' and channel number ''{4}'' is detected by AP ''{1}'' Radio type ''{2}'' with RSSI ''{5}'' and SNR ''{6}''. alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PRIME] Unclassified rogue AP detected"; program: snmptrapd; content: "=UNCLASSIFIED_ROGUE_AP_DETECTED|28|"; classtype: suspicious-traffic; reference: url,www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html; reference: url,wiki.quadrantsec.com/bin/view/Main/5002162; sid:5002162; rev:3;) # MALICIOUS_ROGUE_AP_DETECTED_ON_NETWORK # A rogue access point was detected on network by the system with classification "Malicious" in contained state. # Rogue AP ''{0}'' with SSID ''{3}'' and channel number ''{4}'' is detected by AP ''{1}'' Radio type ''{2}'' with RSSI ''{5}'' and SNR ''{6}''. alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PRIME] Malicious rogue AP detected on the network"; program: snmptrapd; content: "=MALICIOUS_ROGUE_AP_DETECTED_ON_NETWORK|28|"; classtype: suspicious-traffic; reference: url,www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html; reference: url,wiki.quadrantsec.com/bin/view/Main/5002163; sid:5002163; rev:3;) # MALICIOUS_ROGUE_AP_DETECTED_ON_NETWORK_AND_CONTAINED # A rogue access point was detected on network by the system with classification "Malicious" in contained state. 
# Rogue AP ''{0}'' with SSID ''{3}'' and channel number ''{4}'' is detected by AP ''{1}'' Radio type ''{2}'' with RSSI ''{5}'' and SNR ''{6}''. alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PRIME] Malicious rogue AP detected on the network contained"; program: snmptrapd; content: "=MALICIOUS_ROGUE_AP_DETECTED_ON_NETWORK_AND_CONTAINED|28|"; classtype: suspicious-traffic; reference: url,www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html; reference: url,wiki.quadrantsec.com/bin/view/Main/5002164; sid:5002164; rev:3;) # MALICIOUS_ROGUE_AP_DETECTED_CONTAINED # Malicious Rogue AP detected as contained. # A rogue access point was detected on network by the system with classification "Malicious" in contained state. alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PRIME] Malicious rogue AP detected contained"; program: snmptrapd; content: "=MALICIOUS_ROGUE_AP_DETECTED_CONTAINED|28|"; classtype: suspicious-traffic; reference: url,www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html; reference: url,wiki.quadrantsec.com/bin/view/Main/5002165; sid:5002165; rev:3;) # MALICIOUS_ROGUE_AP_DETECTED # A rogue access point was detected on network by the system with classification "Malicious" in contained state. # Rogue AP ''{0}'' with SSID ''{3}'' and channel number ''{4}'' is detected by AP ''{1}'' Radio type ''{2}'' with RSSI ''{5}'' and SNR ''{6}''. alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PRIME] Malicious rogue AP"; program: snmptrapd; content: "=MALICIOUS_ROGUE_AP_DETECTED|28|"; classtype: suspicious-traffic; reference: url,www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html; reference: url,wiki.quadrantsec.com/bin/view/Main/5002166; sid:5002166; rev:3;) # ROGUE_ADHOC_DETECTED_ON_NETWORK # Adhoc Rogue detected on network. # Rogue AP ''{0}'' is on wired network. 
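alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PRIME] Rogue ADHOC detected on network"; program: snmptrapd; content: "=ROGUE_ADHOC_DETECTED_ON_NETWORK|28|"; classtype: suspicious-traffic; reference: url,www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html; reference: url,wiki.quadrantsec.com/bin/view/Main/5002167; sid:5002167; rev:3;)

# ROGUE_ADHOC_DETECTED_CONTAINED
# Adhoc Rogue detected contained.
# Rogue AP contained.
#
# Fix: this signature previously matched on =ROGUE_ADHOC_DETECTED_ON_NETWORK|28| (the
# content of sid 5002167 above), so it duplicated that alert and never fired on the
# "contained" trap it documents. The content now matches the trap name documented
# above; rev bumped.

alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PRIME] Rogue ADHOC detected on network contained"; program: snmptrapd; content: "=ROGUE_ADHOC_DETECTED_CONTAINED|28|"; classtype: suspicious-traffic; reference: url,www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html; reference: url,wiki.quadrantsec.com/bin/view/Main/5002168; sid:5002168; rev:4;)

# ROGUE_AP_STATE_CHANGE
# Rogue detected.
# Rogue AP marked as {0} AP.

alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PRIME] Rogue AP state change"; program: snmptrapd; content: "=ROGUE_AP_STATE_CHANGE|28|"; classtype: suspicious-traffic; reference: url,www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html; reference: url,wiki.quadrantsec.com/bin/view/Main/5002170; sid:5002170; rev:3;)

# ROGUE_DETECTED
# Rogue detected.
# Rogue AP ''{0}'' with SSID ''{3}'' and channel number ''{4}'' is detected by AP ''{1}'' Radio type ''{2}'' with RSSI ''{5}'' and SNR ''{6}''.

alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PRIME] Rogue detected"; program: snmptrapd; content: "=ROGUE_DETECTED|28|"; classtype: suspicious-traffic; reference: url,www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html; reference: url,wiki.quadrantsec.com/bin/view/Main/5002171; sid:5002171; rev:3;)

# ROGUE_DETECTED_CONTAINED
# Rogue detected contained.
# Adhoc Rogue contained.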
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PRIME] Rogue detected contained"; program: snmptrapd; content: "=ROGUE_DETECTED_CONTAINED|28|"; classtype: suspicious-traffic; reference: url,www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html; reference: url,wiki.quadrantsec.com/bin/view/Main/5002172; sid:5002172; rev:3;) # ROGUE_DETECTED_ON_NETWORK # Rogue detected on network. # None alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PRIME] Rogue detected on network"; program: snmptrapd; content: "=ROGUE_DETECTED_ON_NETWORK|28|"; classtype: suspicious-traffic; reference: url,www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html; reference: url,wiki.quadrantsec.com/bin/view/Main/5002173; sid:5002173; rev:3;) # ROGUE_AUTO_CONTAINED # Rogue auto contained. # Rogue AP ''{0}'' on Controller ''{1}'' was advertising our SSID and has been auto contained as per WPS policy. alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PRIME] Rogue auto contained"; program: snmptrapd; content: "=ROGUE_AUTO_CONTAINED|28|"; classtype: suspicious-traffic; reference: url,www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html; reference: url,wiki.quadrantsec.com/bin/view/Main/5002174; sid:5002174; rev:3;) # USER_AUTHENTICATION_FAILURE # User Authentication Failure. # ''%s'' ''%s'' failed authentication on Controller ''%s''. alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PRIME] User authentication failure"; program: snmptrapd; content: "=USER_AUTHENTICATION_FAILURE|28|"; xbits: set,recon,86400; classtype: suspicious-traffic; reference: url,www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html; reference: url,wiki.quadrantsec.com/bin/view/Main/5002175; sid:5002175; rev:4;) # WIPS_TRAPS # Dynamically generated per alarm. # See the wIPS alarm encyclopedia under NCS > Configuration > wIPS Profiles. 
# READ ME: This could be split out more. Cisco documentation has the "alarm names", but lacks SNMP Trap examples. alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PRIME] WIPS Event!"; program: snmptrapd; content: "=WIPS_TRAPS|28|"; classtype: suspicious-traffic; reference: url,www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html; reference: url,wiki.quadrantsec.com/bin/view/Main/5002176; sid:5002176; rev:3;) sagan-1.2.0/rules/windows-owa.rules0000644000175000017500000000716313310533411016232 0ustar champchamp# Sagan windows-owa.rules # Copyright (c) 2009-2017, Quadrant Information Security # All rights reserved. # # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list # #************************************************************* # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. 
IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. # # OWA "reason" codes: # # reason=0 Nothing # reason=1 You've successfully signed out of Outlook Web App. Please close all browser windows. # reason=2 The user name or password you entered isn't correct. Try entering it again. # reason=3 Your session has timed out. To protect your account from unauthorized access, the connection to # your mailbox is closed after a period of inactivity. Please re-enter your user name and password. # reason=4 Your password has been changed. You can now sign in with your new password. 
# 10.1.2.1|user|notice|notice|0d|2015-04-23|00:39:14|SERVER.local IISWebLog 0 2015-04-23| 00:31:32 10.1.2.1 GET /owa/auth/logon.aspx replaceCurrent=1&reason=2&url=https%3a%2f%2fwebmail.example.org%2fowa%2f 443 - 12.12.12.12 Mozilla/5.0+(compatible;+MSIE+9.0;+Windows+NT+6.1;+WOW64;+Trident/5.0) cookieTest=1;+OutlookSession=ba7a32d49c144484d9fb790bd1f;+PBack=0;+tzid=Eastern+Standard+Time;+owacsdc=1 - 200 0 0 0 # 10.1.2.1|user|notice|notice|0d|2015-04-23|00:39:14|SERVER.local IISWebLog 0 2015-04-23| 00:31:32 10.1.2.1 POST /owa/auth.owa - 443 bob 12.12.12.12 Mozilla/5.0+(compatible;+MSIE+9.0;+Windows+NT+6.1;+WOW64;+Trident/5.0) OutlookSession=b87b312d49b7441891b1099fb790bd1e;+PBack=0;+tzid=Eastern+Standard+Time;+owacsdc=1 https://webmail.example.org/owa/auth/logon.aspx?replaceCurrent=1&reason=2&url=https%3a%2f%2fwebmail.example.org%2fowa%2f 401 1 1326 3156 alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-OWA] Login failure - Brute force [25/1]"; content: "/owa/auth/logon.aspx"; nocase; content: "reason=2&"; xbits: set,brute_force,21600; default_proto: tcp; default_dst_port: $HTTPS_PORT; classtype: unsuccessful-user; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; fwsam: src, 1 day; parse_src_ip: 1; parse_dst_ip: 2; reference: url,wiki.quadrantsec.com/bin/view/Main/5002264; sid: 5002264; rev:6;) sagan-1.2.0/rules/.last_used_sid0000644000175000017500000000001013310533411015503 0ustar champchamp5003780 sagan-1.2.0/rules/huawei.rules0000644000175000017500000004501613310533411015235 0ustar champchamp# Sagan huawei.rules # Copyright (c) 2009-2017, Quadrant Information Security # All rights reserved. 
# # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list # #************************************************************* # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. # #************************************************************* # Huawei router rules. 
Create by Robert Nunley (rnunley@quadrantsec.com) # 08/06/2012 alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[HUAWEI] ARP_DUPLICATE_IPADDR"; content: "ARP/4/ARP_DUPLICATE_IPADDR"; default_proto: udp; classtype: suspicious-traffic; reference: url, huaweisymantec.com/en/download.do?id=658891; sid: 5001533; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[HUAWEI] DHCPC_LOG_NAK"; content: "DHCPC/4/DHCPC_LOG_NAK"; default_proto: udp; default_dst_port: 68; classtype: suspicious-traffic; reference: url, huaweisymantec.com/en/download.do?id=658891; sid: 5001534; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[HUAWEI] DHCPC_LOG_REQIP_SUCCESS"; content: "DHCPC/4/DHCPC_LOG_REQIP_SUCCESS"; content: "has acquired ip address successfully"; default_proto: udp; default_dst_port: 68; classtype: suspicious-traffic; reference: url, huaweisymantec.com/en/download.do?id=658891; sid: 5001535; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[HUAWEI] DHCPC_LOG_REQIP_SUCCESS"; content: "DHCPC/4/DHCPC_LOG_REQIP_SUCCESS"; content: "vlan"; content: "has acquired ip address successfully"; default_proto: udp; default_dst_port: 68; classtype: suspicious-traffic; reference: url, huaweisymantec.com/en/download.do?id=658891; sid: 5001536; rev:2;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[HUAWEI] FTPS - USERIN Login successful"; content: "FTPS/4/USERIN"; content: "login succeeded"; default_proto: tcp; default_dst_port: $FTP_PORT; classtype: successful-user; reference: url, huaweisymantec.com/en/download.do?id=658891; sid: 5001537; rev:3) alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[HUAWEI] FTPS - USERIN Login failed"; content: "FTPS/4/USERIN"; content: "login failed"; default_proto: tcp; default_dst_port: $FTP_PORT; classtype: unsuccessful-user; reference: url, huaweisymantec.com/en/download.do?id=658891; sid: 5001538; rev:3;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[HUAWEI] FTPS - USEROUT Logout"; content: "FTPS/4/USEROUT"; 
default_proto: tcp; default_dst_port: $FTP_PORT; classtype: not-suspicious; reference: url, huaweisymantec.com/en/download.do?id=658891; sid: 5001539; rev:3;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[HUAWEI] FTPS - RECVDATA"; content: "FTPS/5/RECVDATA"; default_proto: tcp; default_dst_port: $FTP_PORT; classtype: not-suspicious; reference: url, huaweisymantec.com/en/download.do?id=658891; sid: 5001540; rev:2;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[HUAWEI] FTPS - REQUEST"; content: "FTPS/5/REQUEST"; default_proto: tcp; default_dst_port: $FTP_PORT; classtype: not-suspicious; reference: url, huaweisymantec.com/en/download.do?id=658891; sid: 5001541; rev:2;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[HUAWEI] FTPS - SENDDATA"; content: "FTPS/5/SENDDATA"; default_proto: tcp; default_dst_port: $FTP_PORT; classtype: not-suspicious; reference: url, huaweisymantec.com/en/download.do?id=658891; sid: 5001542; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[HUAWEI] HTTPD - FAIL"; content: "HTTPD/4/FAIL"; default_proto: tcp; default_dst_port: $HTTP_PORT; classtype: unsuccessful-user; reference: url, huaweisymantec.com/en/download.do?id=658891; sid: 5001543; rev:3;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[HUAWEI] HTTPD - OUT"; content: "HTTPD/4/OUT"; default_proto: tcp; default_dst_port: $HTTP_PORT; classtype: attempted-user; reference: url, huaweisymantec.com/en/download.do?id=658891; sid: 5001544; rev:3;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[HUAWEI] HTTPD - PASS"; content: "HTTPD/4/PASS"; default_proto: tcp; default_dst_port: $HTTP_PORT; classtype: attempted-user; reference: url, huaweisymantec.com/en/download.do?id=658891; sid: 5001545; rev:3;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[HUAWEI] ATCKDF - IP spoof attack"; content: "SEC/4/ATCKDF"; content: "IP spoof attack"; default_proto: udp; classtype: misc-attack; reference: url, huaweisymantec.com/en/download.do?id=658891; sid: 5001546; 
rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[HUAWEI] ATCKDF - Fraggle attack"; content: "SEC/4/ATCKDF"; content: "fraggle attack"; default_proto: udp; classtype: attempted-dos; reference: url, huaweisymantec.com/en/download.do?id=658891; sid: 5001547; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[HUAWEI] ATCKDF - Smurf attack"; content: "SEC/4/ATCKDF"; content: "Smurf attack"; default_proto: icmp; classtype: attempted-dos; reference: url, huaweisymantec.com/en/download.do?id=658891; sid: 5001548; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[HUAWEI] ATCKDF - Land attack"; content: "SEC/4/ATCKDF"; content: "land attack"; default_proto: tcp; classtype: attempted-dos; reference: url, huaweisymantec.com/en/download.do?id=658891; sid: 5001549; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[HUAWEI] ATCKDF - Time stamp attack"; content: "SEC/4/ATCKDF"; content: "Time stamp attack"; default_proto: udp; classtype: misc-attack; reference: url, huaweisymantec.com/en/download.do?id=658891; sid: 5001550; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[HUAWEI] ATCKDF - Ip options attack"; content: "SEC/4/ATCKDF"; content: "Ip options attack"; default_proto: udp; classtype: misc-attack; reference: url, huaweisymantec.com/en/download.do?id=658891; sid: 5001551; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[HUAWEI] ATCKDF - Ip option source route attack"; content: "SEC/4/ATCKDF"; content: "Ip option source route attack"; default_proto: udp; classtype: misc-attack; reference: url, huaweisymantec.com/en/download.do?id=658891; sid: 5001552; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[HUAWEI] ATCKDF - ICMP flood attack"; content: "SEC/4/ATCKDF"; content: "ICMP flood attack"; default_proto: icmp; classtype: attempted-dos; reference: url, huaweisymantec.com/en/download.do?id=658891; sid: 5001553; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[HUAWEI] ATCKDF - Redirect attack"; 
content: "SEC/4/ATCKDF"; content: "Redirect attack"; default_proto: icmp; classtype: misc-attack; reference: url, huaweisymantec.com/en/download.do?id=658891; sid: 5001554; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[HUAWEI] ATCKDF - TCP flood attack"; content: "SEC/4/ATCKDF"; content: "TCP flood attack"; default_proto: tcp; classtype: attempted-dos; reference: url, huaweisymantec.com/en/download.do?id=658891; sid: 5001555; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[HUAWEI] ATCKDF - Winnuke attack"; content: "SEC/4/ATCKDF"; content: "Winnuke attack"; default_proto: tcp; default_dst_port: 139; classtype: attempted-dos; reference: url, huaweisymantec.com/en/download.do?id=658891; sid: 5001556; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[HUAWEI] ATCKDF - Ping of death attack"; content: "SEC/4/ATCKDF"; content: "Ping of death attack"; default_proto: icmp; classtype: attempted-dos; reference: url, huaweisymantec.com/en/download.do?id=658891; sid: 5001557; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[HUAWEI] ATCKDF - Tear drop attack"; content: "SEC/4/ATCKDF"; content: "Tear drop attack"; default_proto: tcp; classtype: attempted-dos; reference: url, huaweisymantec.com/en/download.do?id=658891; sid: 5001558; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[HUAWEI] ATCKDF - Trace route attack"; content: "SEC/4/ATCKDF"; content: "Trace route attack"; default_proto: icmp; classtype: misc-attack; reference: url, huaweisymantec.com/en/download.do?id=658891; sid: 5001559; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[HUAWEI] ATCKDF - Ip options route record attack"; content: "SEC/4/ATCKDF"; content: "Ip options route record attack"; default_proto: tcp; classtype: misc-attack; reference: url, huaweisymantec.com/en/download.do?id=658891; sid: 5001560; rev:3;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[HUAWEI] ATCKDF - Port scan attack"; content: "SEC/4/ATCKDF"; content: "Port scan 
attack"; default_proto: udp; classtype: network-scan; reference: url, huaweisymantec.com/en/download.do?id=658891; sid: 5001561; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[HUAWEI] ATCKDF - Unreachable attack"; content: "SEC/4/ATCKDF"; content: "Unreachable attack"; default_proto: icmp; classtype: misc-attack; reference: url, huaweisymantec.com/en/download.do?id=658891; sid: 5001562; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[HUAWEI] ATCKDF - UDP flood attack"; content: "SEC/4/ATCKDF"; content: "Udp flood attack"; default_proto: udp; classtype: misc-attack; reference: url, huaweisymantec.com/en/download.do?id=658891; sid: 5001563; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[HUAWEI] ATCKDF - Syn flood attack"; content: "SEC/4/ATCKDF"; content: "Syn flood attack"; default_proto: tcp; classtype: attempted-dos; reference: url, huaweisymantec.com/en/download.do?id=658891; sid: 5001564; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[HUAWEI] ATCKDF - Other-protocol attack"; content: "SEC/4/ATCKDF"; content: "other-protocol attack"; default_proto: udp; classtype: misc-attack; reference: url, huaweisymantec.com/en/download.do?id=658891; sid: 5001565; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[HUAWEI] ATCKDF - Large ICMP attack"; content: "SEC/4/ATCKDF"; content: "Large ICMP attack"; default_proto: icmp; classtype: attempted-dos; reference: url, huaweisymantec.com/en/download.do?id=658891; sid: 5001566; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[HUAWEI] ATCKDF - IP Fragment attack"; content: "SEC/4/ATCKDF"; content: "IP Fragment attack"; classtype: misc-attack; reference: url, huaweisymantec.com/en/download.do?id=658891; sid: 5001567; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET $FTP_PORT (msg:"[HUAWEI] ATCKDF - Ftp Bounce attack"; content: "SEC/4/ATCKDF"; content: "Ftp Bounce attack"; default_proto: tcp; classtype: misc-attack; reference: url, 
huaweisymantec.com/en/download.do?id=658891; sid: 5001568; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[HUAWEI] ATCKDF - Too much Half Con of SYN Flood"; content: "SEC/4/ATCKDF"; content: "Too much Half Con of SYN Flood"; default_proto: tcp; classtype: attempted-dos; reference: url, huaweisymantec.com/en/download.do?id=658891; sid: 5001569; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[HUAWEI] ATCKDF - Tcp flag attack"; content: "SEC/4/ATCKDF"; content: "Tcp flag attack"; default_proto: tcp; classtype: misc-attack; reference: url, huaweisymantec.com/en/download.do?id=658891; sid: 5001570; rev:2;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[HUAWEI] BIND - VPN bound IP address"; content: "SEC/4/BIND"; content: "vpn:"; content: "is binded to Ip Address"; default_proto: udp; classtype: attempted-user; reference: url, huaweisymantec.com/en/download.do?id=658891; sid: 5001571; rev:2;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[HUAWEI] BIND - VPN unbound IP address"; content: "SEC/4/BIND"; content: "vpn:"; content: "is unbinded to Ip Address"; default_proto: udp; classtype: attempted-user; reference: url, huaweisymantec.com/en/download.do?id=658891; sid: 5001572; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[HUAWEI] BLACKLIST - VPN added to blacklist"; content: "SEC/4/BLACKLIST"; content: "is added to blacklist"; default_proto: udp; classtype: configuration-change; reference: url, huaweisymantec.com/en/download.do?id=658891; sid: 5001573; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[HUAWEI] BLACKLIST - VPN removed from blacklist"; content: "SEC/4/BLACKLIST"; content: "is removed from blacklist"; default_proto: udp; classtype: configuration-change; reference: url, huaweisymantec.com/en/download.do?id=658891; sid: 5001574; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[HUAWEI] BLACKLIST - Blacklist cleared"; content: "SEC/4/BLACKLIST"; content: "Clear All blacklist"; default_proto: 
udp; classtype: configuration-change; reference: url, huaweisymantec.com/en/download.do?id=658891; sid: 5001575; rev:2;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[HUAWEI] SESSION"; content: "SEC/4/SESSION"; default_proto: udp; classtype: attempted-user; reference: url, huaweisymantec.com/en/download.do?id=658891; sid: 5001576; rev:2;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[HUAWEI] SHELL - LOGIN"; content: "SHELL/4/LOGIN "; default_proto: tcp; default_dst_port: 514; classtype: attempted-user; reference: url, huaweisymantec.com/en/download.do?id=658891; sid: 5001577; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[HUAWEI] SHELL - LOGIN_FAIL"; content: "SHELL/4/LOGIN_FAIL"; default_proto: tcp; default_dst_port: 514; classtype: unsuccessful-user; reference: url, huaweisymantec.com/en/download.do?id=658891; sid: 5001578; rev:2;) #alert any $EXTERNAL_NET any -> $HOME_NET 514 (msg:"[HUAWEI] SHELL - LOGOUT"; content: "SHELL/4/LOGOUT"; default_proto: tcp; default_dst_port: 514; classtype: attempted-user; reference: url, huaweisymantec.com/en/download.do?id=658891; sid: 5001579; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[HUAWEI] SHELL - CMD"; content: "SHELL/4/CMD"; default_proto: tcp; classtype: system-event; reference: url, huaweisymantec.com/en/download.do?id=658891; sid: 5001580; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[HUAWEI] FanAbnormal"; content: "SRM/3/FanAbnormal"; default_proto: udp; classtype: hardware-event; reference: url, huaweisymantec.com/en/download.do?id=658891; sid: 5001581; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[HUAWEI] VentTemp2Hot"; content: "SRM/3/VentTemp2Hot"; default_proto: udp; classtype: hardware-event; reference: url, huaweisymantec.com/en/download.do?id=658891; sid: 5001582; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[HUAWEI] SSH - add_success"; content: "SSH/4/add_success"; default_proto: tcp; default_dst_port: $SSH_PORT; classtype: 
system-event; reference: url, huaweisymantec.com/en/download.do?id=658891; sid: 5001583; rev:3;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[HUAWEI] SSH - LOGIN_FAIL"; content: "SSH/4/LOGIN_FAIL "; default_proto: tcp; default_dst_port: $SSH_PORT; classtype: attempted-user; reference: url, huaweisymantec.com/en/download.do?id=658891; sid: 5001584; rev:3;) drop any $EXTERNAL_NET any -> $HOME_NET any (msg:"[HUAWEI] SSH - LOGIN_FAIL - Brute force [5/5]"; content: "SSH/4/LOGIN_FAIL "; default_proto: tcp; default_dst_port: $SSH_PORT; classtype: unsuccessful-user; xbits: set,brute_force,21600; after: track by_src, count 5, seconds 300; threshold: type limit, track by_src, count 5, seconds 300; fwsam: src, 1 day; parse_src_ip: 1; reference: url, huaweisymantec.com/en/download.do?id=658891; sid: 5001592; rev:6;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[HUAWEI] SSH - LOGIN_FAIL_CHALLENGE_ERR"; content: "SSH/4/LOGIN_FAIL_CHALLENGE_ERR"; default_proto: tcp; default_dst_port: $SSH_PORT; classtype: unsuccessful-user; reference: url, huaweisymantec.com/en/download.do?id=658891; sid: 5001585; rev:3;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[HUAWEI] SSH - LOGIN_FAIL_COOKIE_ERR"; content: "SSH/4/LOGIN_FAIL_COOKIE_ERR"; default_proto: tcp; default_dst_port: $SSH_PORT; classtype: unsuccessful-user; reference: url, huaweisymantec.com/en/download.do?id=658891; sid: 5001586; rev:3;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[HUAWEI] SSH - LOGIN_FAIL_DISSCONNECT"; content: "SSH/4/LOGIN_FAIL_DISSCONNECT"; default_proto: tcp; default_dst_port: $SSH_PORT; classtype: unsuccessful-user; reference: url, huaweisymantec.com/en/download.do?id=658891; sid: 5001587; rev:3;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[HUAWEI] SSH - LOGIN_FAIL_PWD_ERR"; content: "SSH/4/LOGIN_FAIL_PWD_ERR"; default_proto: tcp; default_dst_port: $SSH_PORT; classtype: unsuccessful-user; reference: url, huaweisymantec.com/en/download.do?id=658891; sid: 5001588; rev:3;) alert 
any $EXTERNAL_NET any -> $HOME_NET any (msg:"[HUAWEI] SSH - LOGIN_FAIL_RETRY_OUT"; content: "SSH/4/LOGIN_FAIL_RETRY_OUT"; default_proto: tcp; default_dst_port: $SSH_PORT; classtype: unsuccessful-user; reference: url, huaweisymantec.com/en/download.do?id=658891; sid: 5001589; rev:3;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[HUAWEI] SSH - LOGIN_FAIL_RSA_ERR"; content: "SSH/4/LOGIN_FAIL_RSA_ERR"; default_proto: tcp; default_dst_port: $SSH_PORT; classtype: unsuccessful-user; reference: url, huaweisymantec.com/en/download.do?id=658891; sid: 5001590; rev:3;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[HUAWEI] VRRP - LogAuthFailed"; content: "VRRP/3/LogAuthFailed"; default_proto: udp; classtype: unsuccessful-user; reference: url, huaweisymantec.com/en/download.do?id=658891; sid: 5001591; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[HUAWEI] USER_NOT_EXIST"; content:"SSH/4/LOGIN_FAIL_USER_NOT_EXIST"; default_proto: tcp; default_dst_port: $SSH_PORT; classtype: unsuccessful-user; threshold: type limit, track by_src, count 5, seconds 300; reference: url, http://www.huaweisymantec.com/en//download.do?id=658891; sid: 5001532; rev:5;) sagan-1.2.0/rules/vsftpd.rules0000644000175000017500000001036713310533411015262 0ustar champchamp# Sagan vsftpd.rules # Copyright (c) 2009-2017, Quadrant Information Security # All rights reserved. # # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list # #************************************************************* # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. 
# * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
# #************************************************************* #alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[VSFTPD] Session opened"; content: "CONNECT"; default_proto:tcp; default_dst_port: $FTP_PORT; classtype: not-suspicious; program: vsftpd; reference: url,wiki.quadrantsec.com/bin/view/Main/5000194; sid: 5000194; rev:3;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[VSFTPD] Authentication successful"; content: "OK LOGIN"; default_proto:tcp; default_dst_port: $FTP_PORT; classtype: successful-user; program: vsftpd; reference: url,wiki.quadrantsec.com/bin/view/Main/5000195; sid: 5000195; rev:3;) drop any $EXTERNAL_NET any -> $HOME_NET any (msg:"[VSFTPD] Login failed - Brute force [5/5]"; content: "FAIL LOGIN"; default_proto:tcp; default_dst_port: $FTP_PORT; classtype: unsuccessful-user; program: vsftpd; after: track by_src, count 5, seconds 300; threshold: type limit, track by_src, count 5, seconds 300; fwsam: src, 1 day; xbits: set,brute_force,21600; reference: url,wiki.quadrantsec.com/bin/view/Main/5000196; sid: 5000196; rev:6;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[VSFTPD] Login failed"; content: "FAIL LOGIN"; default_proto:tcp; default_dst_port: $FTP_PORT; classtype: unsuccessful-user; program: vsftpd; reference: url,wiki.quadrantsec.com/bin/view/Main/5001530; sid: 5001530; rev:3;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[VSFTPD] File uploaded"; content: "OK UPLOAD"; default_proto:tcp; default_dst_port: $FTP_PORT; classtype: not-suspicious; program: vsftpd; reference: url,wiki.quadrantsec.com/bin/view/Main/5000197; sid: 5000197; rev:3;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[FTPD] User logged into an disabled account"; content: "OK LOGIN"; pcre: "/ apache | mysql | www | nobody | nogroup | portmap | named | rpc | mail | ftp | shutdown | halt | daemon | bin | postfix | shell | info | guest | psql | user | users | console | uucp | lp | sync | sshd | cdrom | ossec | sagan /"; default_proto:tcp; 
default_dst_port: $FTP_PORT; classtype: successful-user; reference: url,wiki.quadrantsec.com/bin/view/Main/5000415; program: vsftpd; sid: 5000415; rev:4;) # Rule by W. E Restrepo (werestrepo@quadrantsec.com) - 08/30/2016 alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[VSFTPD] FTPCHK3 file accessed by user"; content: "ftpchk3"; pcre: "/CHMOD|DELE|STOR/i"; program: vsftpd; default_proto:tcp; default_dst_port: $FTP_PORT; classtype: suspicious-traffic; reference: url,blog.ftptoday.com/ftp-password-stealing-malware; reference: url,wiki.quadrantsec.com/bin/view/Main/5002953; sid:5002953; rev:4;) sagan-1.2.0/rules/windows-aetas.rules0000644000175000017500000000560613310533411016541 0ustar champchamp# Sagan windows-aetas.rules # Copyright (c) 2009-2017, Quadrant Information Security # All rights reserved. # # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list # #************************************************************* # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. 
IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. # alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-GEOIP] Windows Logon at suspicious time"; pcre: "/ 540: | 4624: /"; classtype: successful-user; program: *Security*; parse_src_ip: 1; parse_port; alert_time: days $SAGAN_DAYS, hours $SAGAN_HOURS; reference: url,wiki.quadrantsec.com/bin/view/Main/5002055; sid: 5002055; rev:7;) alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[WINDOWS-GEOIP] RDP / Logon type 10 at suspicious time"; pcre: "/ 528: | 4624: /"; content: "Logon Type|3a| 10 "; program: *Security*; parse_src_ip: 1; alert_time: days $SAGAN_DAYS, hours $SAGAN_HOURS; default_proto: tcp; classtype: successful-user; reference: url,wiki.quadrantsec.com/bin/view/Main/5002056; sid: 5002056; rev:5;) alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[WINDOWS-GEOIP] Logon attempt using explicit credentials at suspicious time"; pcre: "/ 552: | 4648: /"; content:!"Network Address|3a| - "; content:!"Port|3a| - "; content:!"Target Server Name|3a| localhost"; program: *Security*; parse_src_ip: 1; alert_time: days $SAGAN_DAYS, hours $SAGAN_HOURS; default_proto: tcp; classtype: successful-user; reference: url,wiki.quadrantsec.com/bin/view/Main/5002057; sid: 5002057; rev:5;) sagan-1.2.0/rules/juniper-geoip.rules0000644000175000017500000000614513310533411016530 0ustar champchamp# Sagan juniper-geoip.rules # Copyright (c) 2009-2017, Quadrant Information Security # All rights reserved. 
# # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list # #************************************************************* # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
# #************************************************************* alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[JUNIPER-GEOIP] VPN Login from outside HOME_COUNTRY"; program: Juniper; pcre: "/Authentication successful|Login succeeded/i"; country_code: track by_src, isnot $HOME_COUNTRY; default_proto: tcp; default_dst_port: $HTTPS_PORT; classtype: successful-user; parse_src_ip: 1; reference: url, wiki.quadrantsec.com/bin/view/Main/5002028; sid:5002028; rev:2;) alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[JUNIPER-GEOIP] VPN Logout from outside HOME_COUNTRY"; program: Juniper; content: "Logout from"; country_code: track by_src, isnot $HOME_COUNTRY; default_proto: tcp; default_dst_port: $HTTPS_PORT; classtype: successful-user; parse_src_ip: 1; reference: url, wiki.quadrantsec.com/bin/view/Main/5002029; sid:5002029; rev:2;) # Juniper alerts for CVE-2015-7755 - Robert Nunley (rnunley@quadrantsec.com) alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[ScreenOS-GEOIP] Juniper ScreenOS Admin Login from Outside of Home Country"; content: "Admin user"; content:"has logged on via"; country_code: track by_src, isnot $HOME_COUNTRY; default_proto: tcp; default_dst_port: $SSH_PORT; classtype: successful-user; parse_src_ip: 1; reference:url,kb.juniper.net/InfoCenter/index?page=content&id=JSA10713&actp=search; reference: url, wiki.quadrantsec.com/bin/view/Main/5002773; sid:5002773; rev:3;) sagan-1.2.0/rules/imapd-bluedot.rules0000644000175000017500000001065413310533411016501 0ustar champchamp# Sagan imapd-bluedot.rules # Copyright (c) 2009-2017, Quadrant Information Security # All rights reserved. 
# # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list # #************************************************************* # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
# #************************************************************* # 10.1.1.1|mail|info|info|16|2014-06-11|23:12:53|imapd-ssl| LOGIN, user=bob, ip=[192.168.8.1], port=[36938], protocol=IMAP alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[IMAPD-BLUEDOT] Login from a suspicious source"; program: imapd*; content: "LOGIN,"; bluedot: type ip_reputation, track by_src, none, Malicious,Tor,Honeypot,Proxy; default_proto: tcp; default_dst_port: $IMAP_PORT; classtype: successful-user; parse_src_ip: 1; reference: url, wiki.quadrantsec.com/bin/view/Main/5002075; sid:5002075; rev:4;) # 10.1.1.1|mail|info|info|16|2014-06-11|23:12:53|imapd-ssl| LOGOUT, user=bob, ip=[192.168.8.1], headers=0, body=0, rcvd=96, sent=470, time=0, starttls=1 alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[IMAPD-BLUEDOT] Logout from a suspicious source"; program: imapd*; content: "LOGOUT,"; bluedot: type ip_reputation, track by_src, none, Malicious,Tor,Honeypot,Proxy; default_proto: tcp; default_dst_port: $IMAP_PORT; classtype: successful-user; parse_src_ip: 1; reference: url, wiki.quadrantsec.com/bin/view/Main/5002076; sid:5002076; rev:4;) # 10.1.1.1|mail|info|info|16|2014-06-12|04:06:34|imapd-ssl| TIMEOUT, user=bob, ip=[192.168.8.1], headers=714, body=8944, rcvd=1050, sent=15577, time=2701, starttls=1 alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[IMAPD-BLUEDOT] Timeout from a suspicious source"; program: imapd*; content: "TIMEOUT,"; bluedot: type ip_reputation, track by_src, none, Malicious,Tor,Honeypot,Proxy; default_proto: tcp; default_dst_port: $IMAP_PORT; classtype: successful-user; parse_src_ip: 1; reference: url, wiki.quadrantsec.com/bin/view/Main/5002077; sid:5002077; rev:4;) # 10.1.1.1|mail|info|info|16|2014-06-11|23:53:51|imapd-ssl| DISCONNECTED, user=bob, ip=[192.168.8.1], headers=0, body=0, rcvd=357, sent=981, time=10511, starttls=1 alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[IMAPD-BLUEDOT] Disconnect from a suspicious source"; program: imapd*; content: 
"DISCONNECTED,"; bluedot: type ip_reputation, track by_src, none, Malicious,Tor,Honeypot,Proxy; default_proto: tcp; default_dst_port: $IMAP_PORT; classtype: successful-user; parse_src_ip: 1; reference: url, wiki.quadrantsec.com/bin/view/Main/5002078; sid:5002078; rev:34) # 10.7.1.71|mail|debug|debug|17|2014-06-11|23:53:52|imapd-ssl| Connection, ip=[192.168.8.1] # alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[IMAPD-BLUEDOT] Connection from a suspicious source"; program: imapd*; content: "Connection,"; bluedot: type ip_reputation, track by_src, none, Malicious,Tor,Honeypot,Proxy; default_proto: tcp; default_dst_port: $IMAP_PORT; classtype: successful-user; parse_src_ip: 1; reference: url, wiki.quadrantsec.com/bin/view/Main/5002079; sid:5002079; rev:4;) sagan-1.2.0/rules/cisco-ise-brointel.rules0000644000175000017500000000616513310533411017447 0ustar champchamp# Sagan cisco-ise-brointel.rules # Copyright (c) 2009-2017, Quadrant Information Security # All rights reserved. # # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list # #************************************************************* # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. 
# # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. # #************************************************************* 10.0.0.1|local6|notice|notice|b5|2018-05-23|20:22:11|CISE_Passed_Authentications| 0000511111 3 0 2018-05-23 20:22:11.910 -04:00 0067111111 5200 NOTICE Passed-Authentication: Authentication succeeded, ConfigVersionId=139, Device IP Address=10.10.254.13, DestinationIPAddress=10.10.2.53, DestinationPort=1812, UserName=00-11-11-11-11-11, Protocol=Radius, RequestLatency=8, NetworkDeviceName=DEMO, User-Name=001111111111, NAS-IP-Address=10.10.254.13, NAS-Port=50002, Service-Type=Call Check, Framed-IP-Address=10.10.251.75, Framed-MTU=1500, Called-Station-ID=00-11-11-11-11-11, Calling-Station-ID=00-11-11-11-11-11, NAS-Port-Type=Ethernet, NAS-Port-Id=GigabitEthernet0/2, EAP-Key-Name=, cisco-av-pair=service-type=Call Check, cisco-av-pair=audit-session-id=AC1711111111111111111111, OriginalUserName=001111111111, NetworkDeviceProfileName=Cisco, NetworkDeviceProfileId=11111111-1111-1111-1111-111111111111, IsThirdPartyDeviceFlow=false, RadiusFlowType=WiredMAB, SSID=00-11-11-11-11-11, AcsSessionID=nac-dc1/11111111l/1111111, alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-ISE-BROINTEL] Successful authentication from outside HOME_COUNTRY"; program: 
CISE_Passed_Authentications; content: "Device IP Address"; classtype: successful-user; parse_src_ip: 1; parse_dst_ip: 2; bro-intel: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5003784; sid:5003784; rev:1;) sagan-1.2.0/rules/windows-malware.rules0000644000175000017500000013105713310533411017074 0ustar champchamp# Sagan windows-malware.rules # Copyright (c) 2009-2017, Quadrant Information Security # All rights reserved. # # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list # #************************************************************* # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. 
IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. # #************************************************************* alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[WINDOWS-MALWARE] ZeroAccess Malware Detected [5/5]"; content: "16464"; pcre: "/ 861: | 5154: | 5155: /"; threshold: type limit, track by_src, count 5, seconds 300; default_proto: udp; default_dst_port: 16464; classtype: network-event; program: *Security*; reference: url,wiki.quadrantsec.com/bin/view/Main/5001735; sid: 5001735; rev:7;) alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[WINDOWS-MALWARE] ZeroAccess Malware Detected [5/5]"; content: "16465"; pcre: "/ 861: | 5154: | 5155: /"; threshold: type limit, track by_src, count 5, seconds 300; default_proto: udp; default_dst_port: 16465; classtype: network-event; program: *Security*; reference: url,wiki.quadrantsec.com/bin/view/Main/5001736; sid: 5001736; rev:7;) alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[WINDOWS-MALWARE] ZeroAccess Malware Detected [5/5]"; content: "16470"; pcre: "/ 861: | 5154: | 5155: /"; threshold: type limit, track by_src, count 5, seconds 300; default_proto: udp; default_dst_port: 16470; classtype: network-event; program: *Security*; reference: url,wiki.quadrantsec.com/bin/view/Main/5001737; sid: 5001737; rev:7;) alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[WINDOWS-MALWARE] ZeroAccess Malware Detected [5/5]"; content: "16471"; pcre: "/ 861: | 5154: | 5155: /"; threshold: type limit, track by_src, count 5, seconds 300; default_proto: udp; 
default_dst_port: 16471; classtype: network-event; program: *Security*; reference: url,wiki.quadrantsec.com/bin/view/Main/5001738; sid: 5001738; rev:7;) alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[WINDOWS-MALWARE] Black POS Malware Detected [5/5]"; pcre: "/ 4657: | 567: | 4688: | 592: /"; content: "POSWDS"; classtype: trojan-activity; program: *Security*; reference: url,wiki.quadrantsec.com/bin/view/Main/5001951; sid: 5001951; rev:6;) #************************************************************* # These rules are based upon research by Russ Anthony. More # information can be found in his white paper at: # # https://www.sans.org/reading-room/whitepapers/logging/detecting-security-incidents-windows-workstation-event-logs-34262 #************************************************************* alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[WINDOWS-MALWARE] System protection disabled"; pcre: "/ 7034: | 7035: | 7046: | 7040: | 4689: | 593: /" ; pcre: "/Defender|Anti-Virus|antivirus/i"; content: "stop control"; xbits: isnotset,by_src,reboot.windows; program: Service_Control_Manager; classtype: trojan-activity; reference: url,wiki.quadrantsec.com/bin/view/Main/5002011; sid: 5002011; rev:9;) alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[WINDOWS-MALWARE] Suspicious misspelled process"; pcre: "/ 4688: | 592: /"; pcre: "/(scvhost|svcdost|scvdost|iexplorer)\.exe/i"; classtype: trojan-activity; program: *Security*; reference: url,wiki.quadrantsec.com/bin/view/Main/5001999; sid: 5001999; rev:4;) alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[WINDOWS-MALWARE] Lower case drive letter used in process"; pcre: "/ 4688: | 592: /"; meta_content: "File Name|3a| %sagan%|3a|",c,d,e; classtype: trojan-activity; program: *Security*; reference: url,wiki.quadrantsec.com/bin/view/Main/5002000; sid: 5002000; rev:5;) alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[WINDOWS-MALWARE] Incorrect path called for svchost.exe"; pcre: "/ 4688: | 592: /"; content: 
"\svchost.exe"; content:!"C|3a|\WINDOWS\System32\svchost.exe"; nocase; classtype: trojan-activity; program: *Security*; reference: url,wiki.quadrantsec.com/bin/view/Main/5002001; sid: 5002001; rev:4;) alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[WINDOWS-MALWARE] Incorrect path called for explorer.exe"; pcre: "/ 4688: | 592: /"; content: "\explorer.exe"; content:!"C|3a|\WINDOWS\explorer.exe"; nocase; classtype: trojan-activity; program: *Security*; reference: url,wiki.quadrantsec.com/bin/view/Main/5002002; sid: 5002002; rev:4;) alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[WINDOWS-MALWARE] Suspicious application crash"; content: " 4097|3a| "; pcre: "/Adobe|Microsoft Office|Java|wmplayer/"; classtype: trojan-activity; program: *Security*; reference: url,wiki.quadrantsec.com/bin/view/Main/5002003; sid: 5002003; rev:5;) alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[WINDOWS-MALWARE] Suspicious Tool Event"; pcre: "/ 4688: | 592: /"; pcre: "/win32dd.exe|win64dd.exe|cachedump|fgdump|gsecdump|lslsass|mimikatz|pwdump7|pwdumpx|pwdump|wce.exe|getlsasrvaddr|iam.exe|iam-alt|whosthere.exe|whosthere-alt|genhash|lsadump/i"; program: *Security*; classtype: trojan-activity; reference: url,wiki.quadrantsec.com/bin/view/Main/5002006; sid: 5002006; rev:6;) #alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[WINDOWS-MALWARE] Virus Found!"; content: "virus found"; nocase; classtype: trojan-activity; reference: url,wiki.quadrantsec.com/bin/view/Main/5002007; sid: 5002007; rev:2;) # Added by Champ Clark - 08/26/2014 alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[WINDOWS-MALWARE] RASWMI Malware process detected"; pcre: "/ 4688: | 592: /"; content: "|3a|\Windows\system32\wbem\raswmi.dll"; classtype: trojan-activity; program: *Security*; reference: url,wiki.quadrantsec.com/bin/view/Main/5002103; sid:5002103; rev:4;) # Added by Champ Clark - 06/08/2016 # Security-Auditing| 4663: AUDIT_SUCCESS An attempt was made to access an object. 
Subject: *Security ID: S-1-5-21-3033682373-1303307761-3711879957-1000 Account Name: frankw Account Domain: frankw-PC Logon ID: 0x144f4 Object: Object Server: *Security Object Type: File Object Name: C:\ProgramData\Microsoft\User Account Pictures\B2DFD6E96212209F0583673878AA9EF6.locky Handle ID: 0x5d68 Process Information: Process ID: 0x6a8 Process Name: C:\Users\frankw\AppData\Local\Temp\30e22374e00af038d06063db14cb3797.exe Access Request Information: Accesses: WriteAttributes Access Mask: 0x100 alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[WINDOWS-MALWARE] Locky or AutoLocky ransomware extension detected."; pcre: "/ 4663: | 567: | 5145: /"; content: ".locky "; classtype: trojan-activity; program: *Security*; reference: url,wiki.quadrantsec.com/bin/view/Main/5002801; sid:5002801; reference: url,decrypter.emsisoft.com; rev:6;) # Ransomware rules By Corey Fisher (cfisher@quadrantsec.com) & Bryan Manradge. # 04/11/2016 alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] Locky ransomware note detected."; pcre: "/ 4663: | 567: | 5145: /"; content: "_Locky_recover_instructions.txt"; program: *Security*; classtype: trojan-activity; reference: url,http://www.bleepingcomputer.com/news/security/the-locky-ransomware-encrypts-local-files-and-unmapped-network-shares/; reference: url,wiki.quadrantsec.com/bin/view/Main/5002804; sid:5002804; rev:4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] Cryptowall 4.0 ransomware note detected."; pcre: "/ 4663: | 567: | 5145: /"; pcre: "/HELP_YOUR_FILES|DECRYPT_INSTRUCTION/i"; program: *Security*; classtype: trojan-activity; reference: url,http://www.bleepingcomputer.com/virus-removal/cryptowall-ransomware-information#cryptowall4; reference: url,wiki.quadrantsec.com/bin/view/Main/5002805; sid:5002805; rev:5;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] Cryptowall ransomware note detected."; pcre: "/ 4663: | 567: | 5145: /"; content: "HELP_DECRYPT.txt"; content: 
"WriteData"; program: *Security*; classtype: trojan-activity; reference: url,wiki.quadrantsec.com/bin/view/Main/5002806; sid:5002806; rev:4;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] CryptInfinite/DecryptorMax ransomware note detected."; pcre: "/ 4663: | 567: | 5145: /"; content: "ReadDecryptFilesHere.txt"; program: *Security*; classtype: trojan-activity; reference: url,http://www.bleepingcomputer.com/news/security/cryptinfinite-or-decryptormax-ransomware-decrypted/; reference: url,wiki.quadrantsec.com/bin/view/Main/5002807; reference: url,decrypter.emsisoft.com;sid:5002807; rev:5;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] TeslaCrypt ransomware note detected."; pcre: "/ 4663: | 567: | 5145: /"; pcre: "/HELP_TO_DECRYPT_YOUR_FILES.txt|Howto_Restore_FILES.txt|_how_recover_.TXT|_H_e_l_p_RECOVER_INSTRUCTIONS.txt/i"; program: *Security*; classtype: trojan-activity; reference: url,www.pcrisk.com/removal-guides/8724-teslacrypt-virus; reference: url,wiki.quadrantsec.com/bin/view/Main/5002808; sid:5002808; rev:5;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] Teslacrypt ransomware note type 2 detected."; pcre: "/ 4663: | 567: | 5145: /"; pcre: "/\+-xxx-HELP-xxx-\+[0-9a-zA-Z]+-\+\.txt/i"; program: *Security*; classtype: trojan-activity; reference: url,www.virustotal.com/en/file/161d1b77a6867603745046e81e52a186ea764ba8c723c9698da707c245505e95/analysis/1458765163/; reference: url,wiki.quadrantsec.com/bin/view/Main/5002809; sid:5002809; rev:5;) # More Ransomware rules by Champ Clark (cclark@quadrantsec.com). # # Data for these ransomware rules come from: # https://docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g # http://www.nyxbone.com/malware/RansomwareOverview.html # CryptoHasYou. - Trojan:Win32/Dynamer!ac or Rakhni alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] TrueCrypter Rakhni or .CryptoHasYou. 
- Trojan:Win32/Dynamer!ac ransomware extension detected."; pcre: "/ 4663: | 567: | 5145: /"; content:!"\encoding\"; nocase; meta_content: ".%sagan% ",enc,cryptohasyou; meta_nocase; program: *Security*; classtype: trojan-activity; reference: url,wiki.quadrantsec.com/bin/view/Main/5002819; reference: url,docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g; reference: url,www.nyxbone.com/malware/RansomwareOverview.html; sid:5002819; rev:8;) # CryptoHasYou alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] .CryptoHasYou. - Trojan:Win32/Dynamer!ac ransom note detected."; pcre: "/ 4663: | 567: | 5145: /"; content: "YOUR_FILES_ARE_LOCKED.txt"; program: *Security*; classtype: trojan-activity; reference: url,wiki.quadrantsec.com/bin/view/Main/5002820; reference: url,docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g; reference: url,www.nyxbone.com/malware/RansomwareOverview.html; sid:5002820; rev:5;) # 7ev3n - Ransom:Win32/Empercrypt.A alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] 7ev3n - Ransom:Win32/Empercrypt.A ransomware extension detected."; pcre: "/ 4663: | 567: | 5145: /"; meta_content:".%sagan% ",R5A,R4A; meta_nocase; program: *Security*; classtype: trojan-activity; reference: url,wiki.quadrantsec.com/bin/view/Main/5002821;reference: url,docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g; reference: url,www.nyxbone.com/malware/RansomwareOverview.html; reference: url, https://github.com/hasherezade/malware_analysis/tree/master/7ev3n; sid:5002821; rev:8;) # BitCryptor - Win32/Cribit or CoinVault - Ransom: MSIL/Vaultlock.A alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] Win32/Cribit or MSIL/Vaultlock.A ransomware extension detected."; pcre: "/ 4663: | 567: | 5145: /"; content: ".clf "; nocase; program: *Security*; classtype: trojan-activity; reference: url,wiki.quadrantsec.com/bin/view/Main/5002822; reference: 
url,docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g; reference: url,www.nyxbone.com/malware/RansomwareOverview.html; reference: url,noransom.kaspersky.com; sid:5002822; rev:7;) # Cerber - Win32/Cerber alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] Cerber - Win32/Cerber ransomware extension detected."; pcre: "/ 4663: | 567: | 5145: /"; content: ".cerber "; nocase; program: *Security*; classtype: trojan-activity; reference: url,wiki.quadrantsec.com/bin/view/Main/5002823; reference: url,docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g; reference: url,www.nyxbone.com/malware/RansomwareOverview.html; sid:5002823; rev:6;) # Chimera - Win32/Chicrypt alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] Chimera - Win32/Chicrypt ransomware extension detected."; pcre: "/ 4663: | 567: | 5145: /"; content: ".crypt "; nocase; program: *Security*; classtype: trojan-activity; reference: url,wiki.quadrantsec.com/bin/view/Main/5002824; reference: url,docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g; reference: url,www.nyxbone.com/malware/RansomwareOverview.html;sid:5002824; rev:6;) # Coverton alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] Coverton ransomware extension detected."; pcre: "/ 4663: | 567: | 5145: /"; meta_content: ".%sagan% ", coverton,enigma,czvxce; meta_nocase; program: *Security*; classtype: trojan-activity; reference: url,wiki.quadrantsec.com/bin/view/Main/5002825; reference: url,docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g; reference: url,www.nyxbone.com/malware/RansomwareOverview.html; sid:5002825; rev:6;) # CryptInfinite alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] CryptInfinite ransomware extension detected."; pcre: "/ 4663: | 567: | 5145: /"; content: ".crinf "; nocase; program: *Security*; classtype: trojan-activity; reference: 
url,wiki.quadrantsec.com/bin/view/Main/5002826; reference: url,docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g; reference: url,www.nyxbone.com/malware/RansomwareOverview.html; sid:5002826; rev:6;) # CryptoJoker (the msg text of this rule still reads "CryptInfinite"; the .crjoker extension it matches is CryptoJoker's, so triage on sid:5002827 rather than the msg) alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] CryptInfinite ransomware extension detected."; pcre: "/ 4663: | 567: | 5145: /"; content: ".crjoker "; nocase; program: *Security*; classtype: trojan-activity; reference: url,wiki.quadrantsec.com/bin/view/Main/5002827; reference: url,docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g; reference: url,www.nyxbone.com/malware/RansomwareOverview.html; sid:5002827; rev:6;) # CryptoTorLocker2015 #alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] CryptoTorLocker2015 ransomware extension detected."; pcre: "/ 4663: | 567: | 5145: /"; content: ".CryptoTorLocker2015! "; nocase; program: *Security*; classtype: trojan-activity; reference: url,wiki.quadrantsec.com/bin/view/Main/5002828; reference: url,docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g; reference: url,www.nyxbone.com/malware/RansomwareOverview.html; sid:5002828; rev:6;) # CryptXXX or Gomasom (same ".crypt " content as the Chimera rule sid:5002824, so both rules fire on the same event) alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] CryptXXX or Gomasom ransomware extension detected."; pcre: "/ 4663: | 567: | 5145: /"; content: ".crypt "; nocase; program: *Security*; classtype: trojan-activity; reference: url,wiki.quadrantsec.com/bin/view/Main/5002829; reference: url,docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g; reference: url,www.nyxbone.com/malware/RansomwareOverview.html; sid:5002829; rev:6;) # Hi Buddy! or Rakhni alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] Hi Buddy! 
or Rakhni ransomware extension detected."; pcre: "/ 4663: | 567: | 5145: /"; content: ".cry "; nocase; program: *Security*; classtype: trojan-activity; reference: url,wiki.quadrantsec.com/bin/view/Main/5002830; reference: url,docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g; reference: url,www.nyxbone.com/malware/RansomwareOverview.html; sid:5002830; rev:6;) # iLock, iLockLight or Lortok alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] iLock, iLockLight or Lortok ransomware extension detected."; pcre: "/ 4663: | 567: | 5145: /"; content: ".crime "; nocase; program: *Security*; classtype: trojan-activity; reference: url,wiki.quadrantsec.com/bin/view/Main/5002831; reference: url,docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g; reference: url,www.nyxbone.com/malware/RansomwareOverview.html; sid:5002831; rev:6;) # Jigsaw - Ransom:MSIL/JigsawLocker.A alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] Jigsaw - MSIL/JigsawLocker.A"; pcre: "/ 4663: | 567: | 5145: /"; meta_content: ".%sagan% ", btc,kkk,fun,gws; meta_nocase; program: *Security*; classtype: trojan-activity; reference: url,wiki.quadrantsec.com/bin/view/Main/5002832; reference: url,docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g; reference: url,www.nyxbone.com/malware/RansomwareOverview.html; reference: url,www.bleepingcomputer.com/news/security/jigsaw-ransomware-decrypted-will-delete-your-files-until-you-pay-the-ransom; sid:5002832; rev:6;) # Job Crypter, KimcilWare, SkidLocker, Pompous, Strictor or Rakhni alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] EDA2,HiddenTear,Job Crypter,KimcilWare,SkidLocker,Pompous,Strictor or Rakhni ransomware extension detected."; pcre: "/ 4663: | 567: | 5145: /"; content: ".locked "; nocase; program: *Security*; classtype: trojan-activity; reference: url,wiki.quadrantsec.com/bin/view/Main/5002833; reference: 
url,docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g; reference: url,www.nyxbone.com/malware/RansomwareOverview.html; sid:5002833; rev:7;) # KeyBTC - Ransom: Win32/Isda - Ransom: BAT/Xibow alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] KeyBTC - Win32/Isda - BAT/Xibow ransomware extension detected."; pcre: "/ 4663: | 567: | 5145: /"; content: ".keybtc@inbox_com "; nocase; program: *Security*; classtype: trojan-activity; reference: url,wiki.quadrantsec.com/bin/view/Main/5002834; reference: url,docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g; reference: url,www.nyxbone.com/malware/RansomwareOverview.html; sid:5002834; rev:6;) # KimcilWare alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] KimcilWare ransomware extension detected."; pcre: "/ 4663: | 567: | 5145: /"; content: ".kimcilware "; nocase; program: *Security*; classtype: trojan-activity; reference: url,wiki.quadrantsec.com/bin/view/Main/5002835; reference: url,docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g; reference: url,www.nyxbone.com/malware/RansomwareOverview.html; reference: url,blog.fortinet.com/post/kimcilware-ransomware-how-to-decrypt-encrypted-files-and-who-is-behind-it; sid:5002835; rev:7;) # LeChiffre alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] LeChiffre ransomware extension detected."; pcre: "/ 4663: | 567: | 5145: /"; content: ".lechiffre "; nocase; program: *Security*; classtype: trojan-activity; reference: url,wiki.quadrantsec.com/bin/view/Main/5002836; reference: url,docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g; reference: url,www.nyxbone.com/malware/RansomwareOverview.html; reference: url,decrypter.emsisoft.com/lechiffre; sid:5002836; rev:6;) # LowLevel04 alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] LowLevel04 ransomware extension detected."; pcre: "/ 4663: | 567: | 5145: /"; content: 
".oor."; nocase; program: *Security*; classtype: trojan-activity; reference: url,wiki.quadrantsec.com/bin/view/Main/5002847; reference: url,docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g; reference: url,www.nyxbone.com/malware/RansomwareOverview.html; sid:5002847; rev:6;) # Magic alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] Magic ransomware extension detected."; pcre: "/ 4663: | 567: | 5145: /"; content: ".magic "; nocase; program: *Security*; classtype: trojan-activity; reference: url,wiki.quadrantsec.com/bin/view/Main/5002837; reference: url,docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g; reference: url,www.nyxbone.com/malware/RansomwareOverview.html; sid:5002837; rev:6;) # MireWare alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] MireWare ransomware extension detected."; pcre: "/ 4663: | 567: | 5145: /"; content: ".fucked "; nocase; program: *Security*; classtype: trojan-activity; reference: url,wiki.quadrantsec.com/bin/view/Main/5002838; reference: url,docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g; reference: url,www.nyxbone.com/malware/RansomwareOverview.html; sid:5002838; rev:6;) # Nemucod alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] Nemucod ransomware extension detected."; pcre: "/ 4663: | 567: | 5145: /"; content: ".crypted "; nocase; program: *Security*; classtype: trojan-activity; reference: url,wiki.quadrantsec.com/bin/view/Main/5002839; reference: url,docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g; reference: url,www.nyxbone.com/malware/RansomwareOverview.html; reference: url,decrypter.emsisoft.com; reference: url,github.com/Antelox/NemucodFR; sid:5002839; rev:8;) # Offline ransomware alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] Offline ransomware ransomware extension detected."; pcre: "/ 4663: | 567: | 5145: /"; content: ".cbf "; nocase; program: 
*Security*; classtype: trojan-activity; threshold: type limit, track by_src, count 5, seconds 300; reference: url,wiki.quadrantsec.com/bin/view/Main/5002840; reference: url,docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g; reference: url,www.nyxbone.com/malware/RansomwareOverview.html; sid:5002840; rev:7;) # OMG! Ransomware alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] OMG! ransomware extension detected."; pcre: "/ 4663: | 567: | 5145: /"; content: ".LOL! "; nocase; program: *Security*; classtype: trojan-activity; reference: url,wiki.quadrantsec.com/bin/view/Main/5002841; reference: url,docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g; reference: url,www.nyxbone.com/malware/RansomwareOverview.html; sid:5002841; rev:5;) # Radamant alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] Radamant ransomware extension detected."; pcre: "/ 4663: | 567: | 5145: /"; content: ".RADAMANT "; nocase; program: *Security*; classtype: trojan-activity; reference: url,wiki.quadrantsec.com/bin/view/Main/5002842; reference: url,docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g; reference: url,www.nyxbone.com/malware/RansomwareOverview.html; reference: url,decrypter.emsisoft.com; sid:5002842; rev:5;) # Rakhni alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] Coverton or Torrentlocker ransomware extension detected."; pcre: "/ 4663: | 567: | 5145: /"; meta_content: ".%sagan% ",kraken,darkness,nochance,oshit,oplata@qq_com,relock@qq_com,crypto,helpdecrypt@ukr.net,pizda@qq_com,dyatel@qq_com,_ryp,nalog@qq_com,chifrator@qq_com,gruzin@qq_com,troyancoder@qq_com,encrypted,AES256,hb15; meta_nocase; program: *Security*; classtype: trojan-activity; reference: url,wiki.quadrantsec.com/bin/view/Main/5002843; reference: url,docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g; reference: url,www.nyxbone.com/malware/RansomwareOverview.html; 
reference: url,support.kaspersky.com/us/viruses/disinfection/10556; sid:5002843; rev:7;) # RemindMe alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] RemindMe ransomware extension or note detected."; pcre: "/ 4663: | 567: | 5145: /"; pcre: "/\.remindme |decrypt_your_files.html/i"; program: *Security*; classtype: trojan-activity; reference: url,wiki.quadrantsec.com/bin/view/Main/5002844; reference: url,docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g; reference: url,www.nyxbone.com/malware/RansomwareOverview.html; sid:5002844; rev:6;) # Rokku alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] Rokku ransomware extension detected."; pcre: "/ 4663: | 567: | 5145: /"; content: ".rokku "; nocase; program: *Security*; classtype: trojan-activity; reference: url,wiki.quadrantsec.com/bin/view/Main/5002845; reference: url,docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g; reference: url,www.nyxbone.com/malware/RansomwareOverview.html; sid:5002845; rev:5;) # Samas-Samsam alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] Samas-Samsam ransomware extension detected."; pcre: "/ 4663: | 567: | 5145: /"; meta_content: ".%sagan% ",encryptedAES,encryptedRSA,encedRSA,justbtcwillhelpyou,btcbtcbtc; meta_nocase; program: *Security*; classtype: trojan-activity; reference: url,wiki.quadrantsec.com/bin/view/Main/5002846; reference: url,docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g; reference: url,www.nyxbone.com/malware/RansomwareOverview.html; sid:5002846; rev:6;) # Sanction alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] Sanction ransomware extension detected."; pcre: "/ 4663: | 567: | 5145: /"; content: ".sanction "; nocase; program: *Security*; classtype: trojan-activity; reference: url,wiki.quadrantsec.com/bin/view/Main/5002848; reference: url,docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g; reference: 
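url,www.nyxbone.com/malware/RansomwareOverview.html; sid:5002848; rev:5;)

# Ransomware file-extension / ransom-note rules.
# Every rule below gates on a Windows Security audit event (4663, 567 or 5145 — object
# and share access) coming from a "*Security*" program, then looks for the strain's
# extension or note filename. Extensions carry a trailing space (".sport ") so that
# ".sport " does not also hit ".sports"; all matches are case-insensitive.
# meta_content: ".%sagan% ",a,b expands to the OR'd list ".a ", ".b ".
# Two fixes in this group are marked "FIX:" (sid 5002866 and sid 5002867).

# Sport
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] Sport ransomware extension detected."; pcre: "/ 4663: | 567: | 5145: /"; content: ".sport "; nocase; program: *Security*; classtype: trojan-activity; reference: url,wiki.quadrantsec.com/bin/view/Main/5002849; reference: url,docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g; reference: url,www.nyxbone.com/malware/RansomwareOverview.html; sid:5002849; rev:4;)

# Surprise
# NOTE(review): ".suprise" (sic) is the extension as written in the original rule — verify
# against the referenced overview before "correcting" the spelling.
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] Surprise ransomware extension detected."; pcre: "/ 4663: | 567: | 5145: /"; content: ".suprise "; nocase; program: *Security*; classtype: trojan-activity; reference: url,wiki.quadrantsec.com/bin/view/Main/5002850; reference: url,docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g; reference: url,www.nyxbone.com/malware/RansomwareOverview.html; sid:5002850; rev:5;)

# TeslaCrypt 0.x - 2.2.0 (defunct)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] TeslaCrypt 0.x - 2.2.0 ransomware extension detected."; pcre: "/ 4663: | 567: | 5145: /"; meta_content: ".%sagan% ",vvv,ecc,exx,ezz,abc,aaa,zzz,xyz; meta_nocase; program: *Security*; classtype: trojan-activity; reference: url,wiki.quadrantsec.com/bin/view/Main/5002851; reference: url,docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g; reference: url,www.nyxbone.com/malware/RansomwareOverview.html; reference: url,www.bleepingcomputer.com/forums/t/576600/tesladecoder-released-to-decrypt-exx-ezz-ecc-files-encrypted-by-teslacrypt; reference: url,www.talosintel.com/teslacrypt_tool; sid:5002851; rev:4;)

# TeslaCrypt 3.0+ (defunct)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] TeslaCrypt 3.0+ ransomware extension detected."; pcre: "/ 4663: | 567: | 5145: /"; meta_content: ".%sagan% ",micro,xxx,ttt; meta_nocase; program: *Security*; classtype: trojan-activity; reference: url,wiki.quadrantsec.com/bin/view/Main/5002852; reference: url,docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g; reference: url,www.nyxbone.com/malware/RansomwareOverview.html; sid:5002852; rev:4;)

# Troldesh
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] Troldesh ransomware extension detected."; pcre: "/ 4663: | 567: | 5145: /"; meta_content: ".%sagan% ",better_call_saul,xtbl; meta_nocase; program: *Security*; classtype: trojan-activity; reference: url,wiki.quadrantsec.com/bin/view/Main/5002853; reference: url,docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g; reference: url,www.nyxbone.com/malware/RansomwareOverview.html; sid:5002853; rev:3;)

# VaultCrypt
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] Zlader / Russian or VaultCrypt ransomware extension detected."; pcre: "/ 4663: | 567: | 5145: /"; meta_content: ".%sagan% ",vault,xort; meta_nocase; program: *Security*; classtype: trojan-activity; reference: url,wiki.quadrantsec.com/bin/view/Main/5002854; reference: url,docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g; reference: url,www.nyxbone.com/malware/RansomwareOverview.html; sid:5002854; rev:4;)

# Virus-Encoder
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] Virus-Encoder ransomware extension detected."; pcre: "/ 4663: | 567: | 5145: /"; content: ".CrySiS "; nocase; program: *Security*; classtype: trojan-activity; reference: url,wiki.quadrantsec.com/bin/view/Main/5002855; reference: url,docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g; reference: url,www.nyxbone.com/malware/RansomwareOverview.html; sid:5002855; rev:4;)

# Xorist
# NOTE(review): the blank after the comma in the meta_content list (" EnCiPhErEd") becomes
# part of the first expansion (". EnCiPhErEd ") unless the parser trims it — confirm, or
# drop the space. Left as-is here.
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] Xorist ransomware extension detected."; pcre: "/ 4663: | 567: | 5145: /"; meta_content: ".%sagan% ", EnCiPhErEd,73i87A,p5tkjw,PoAr2w; meta_nocase; program: *Security*; classtype: trojan-activity; reference: url,wiki.quadrantsec.com/bin/view/Main/5002856; reference: url,docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g; reference: url,www.nyxbone.com/malware/RansomwareOverview.html; reference: url,support.kaspersky.com/viruses/disinfection/2911; sid:5002856; rev:4;)

# XRTN
# NOTE(review): the content here (".CrySiS ") is byte-identical to sid 5002855 above, so
# this rule always fires together with Virus-Encoder and cannot identify XRTN on its own.
# Confirm the intended XRTN extension and update; left unchanged rather than guess.
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] XRTN ransomware extension detected."; pcre: "/ 4663: | 567: | 5145: /"; content: ".CrySiS "; nocase; program: *Security*; classtype: trojan-activity; reference: url,wiki.quadrantsec.com/bin/view/Main/5002857; reference: url,docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g; reference: url,www.nyxbone.com/malware/RansomwareOverview.html; sid:5002857; rev:4;)

# CryptFIle2
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] CryptFIle2 ransomware extension detected."; pcre: "/ 4663: | 567: | 5145: /"; content: ".scl "; nocase; program: *Security*; classtype: trojan-activity; reference: url,wiki.quadrantsec.com/bin/view/Main/5002858; reference: url,docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g; reference: url,www.nyxbone.com/malware/RansomwareOverview.html; sid:5002858; rev:4;)

# Cryaki
# NOTE(review): same content (".scl ") as sid 5002858 — the two rules are indistinguishable;
# see the XRTN note above.
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] Cryaki ransomware extension detected."; pcre: "/ 4663: | 567: | 5145: /"; content: ".scl "; nocase; program: *Security*; classtype: trojan-activity; reference: url,wiki.quadrantsec.com/bin/view/Main/5002859; reference: url,docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g; reference: url,www.nyxbone.com/malware/RansomwareOverview.html; reference: url,support.kaspersky.com/viruses/disinfection/8547; sid:5002859; rev:5;)

# CTB-Locker
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] CTB-Locker ransomware extension detected."; pcre: "/ 4663: | 567: | 5145: /"; content: ".ctbl "; nocase; program: *Security*; classtype: trojan-activity; reference: url,wiki.quadrantsec.com/bin/view/Main/5002860; reference: url,docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g; reference: url,www.nyxbone.com/malware/RansomwareOverview.html; sid:5002860; rev:4;)

# El-Polocker
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] El-Polocker ransomware extension detected."; pcre: "/ 4663: | 567: | 5145: /"; content: ".ha3 "; nocase; program: *Security*; classtype: trojan-activity; reference: url,wiki.quadrantsec.com/bin/view/Main/5002861; reference: url,docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g; reference: url,www.nyxbone.com/malware/RansomwareOverview.html; sid:5002861; rev:4;)

# Mobef
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] Mobef ransomware extension detected."; pcre: "/ 4663: | 567: | 5145: /"; meta_content: ".%sagan% ",KEYZ,KEYH0LES; meta_nocase; program: *Security*; classtype: trojan-activity; reference: url,wiki.quadrantsec.com/bin/view/Main/5002862; reference: url,docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g; reference: url,www.nyxbone.com/malware/RansomwareOverview.html; sid:5002862; rev:4;)

# Alpha Ransomware
# NOTE(review): ".encrypt " is a generic token; expect false positives from legitimate
# file names and tune per environment.
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] Alpha ransomware extension detected."; pcre: "/ 4663: | 567: | 5145: /"; content: ".encrypt "; nocase; program: *Security*; classtype: trojan-activity; reference: url,wiki.quadrantsec.com/bin/view/Main/5002863; reference: url,docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g; reference: url,www.nyxbone.com/malware/RansomwareOverview.html; sid:5002863; rev:4;)

# WonderCrypter — extension ".h3ll" or either of its two note/key filenames.
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] WonderCrypter ransomware extension or note detected."; pcre: "/ 4663: | 567: | 5145: /"; pcre: "/\.h3ll |SECRETISHIDINGHEREINSIDE.KEY|YOUGOTHACKED.TXT/i"; program: *Security*; classtype: trojan-activity; reference: url,wiki.quadrantsec.com/bin/view/Main/5002864; reference: url,docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g; reference: url,www.nyxbone.com/malware/RansomwareOverview.html; sid:5002864; rev:6;)

# Zeta — ransom note only, no extension.
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] Zeta ransomware note detected."; pcre: "/ 4663: | 567: | 5145: /"; content: "HELP_YOUR_FILES.HTML"; nocase; program: *Security*; classtype: trojan-activity; reference: url,wiki.quadrantsec.com/bin/view/Main/5002865; reference: url,docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g; reference: url,www.nyxbone.com/malware/RansomwareOverview.html; sid:5002865; rev:4;)

# PLAUGE17 (?)
# FIX: msg previously read "WonderCrypter ..." (copy/paste from sid 5002864), so analysts
# saw the wrong strain name for a PLAUGE17 hit. The alert name now matches the pcre.
# rev bumped 6 -> 7.
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] PLAUGE17 ransomware extension or note detected."; pcre: "/ 4663: | 567: | 5145: /"; pcre: "/\.PLAUGE17 |PLAUGE17.TXT/i"; program: *Security*; classtype: trojan-activity; reference: url,wiki.quadrantsec.com/bin/view/Main/5002866; reference: url,docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g; reference: url,www.nyxbone.com/malware/RansomwareOverview.html; sid:5002866; rev:7;)

# Unknown strains of ransomware
# FIX: the alternation previously contained "!!!ATTENTION.TXT!!!, READ_IT\.TXT" — the literal
# ", " glued two note names into a single alternative that could only match a log line
# containing both names back to back, i.e. never. They are now separate alternatives.
# rev bumped 4 -> 5.
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] Possible unknown strain ransomware extension or note detected."; pcre: "/ 4663: | 567: | 5145: /"; pcre: "/\.crypttt |\.8lock8 |\.neitrino |\.xcrypt |!!!ATTENTION.TXT!!!|READ_IT\.TXT|FILES_BACK.TXT|WHAT IS SQ_.txt/i"; program: *Security*; classtype: trojan-activity; reference: url,wiki.quadrantsec.com/bin/view/Main/5002867; reference: url,docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g; reference: url,www.nyxbone.com/malware/RansomwareOverview.html; sid:5002867; rev:5;)

# Based off a Tweet by Jack Crook (Twitter: @jackcr) after Derbycon talk.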
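# Service Control Manager event 7045 (service installed) whose image path invokes cmd.exe
# or %COMSPEC% — a common remote-execution / lateral-movement pattern. The program field
# accepts both spellings seen in Windows System logs.
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MALWARE] Suspicious Service Control Manager Call"; content: " 7045|3a| "; pcre: "/cmd.exe|%COMSPEC%/i"; program: System|Service_Control_Manager; classtype: suspicious-traffic; reference: url,twitter.com/jackcr/status/779716898296520704; sid:5002956; rev:4;)

# Alcatraz ransomware
# FIX (rev 3 -> 4):
#  1. msg said "WonderCrypter" (copy/paste from sid 5002864); it now names Alcatraz.
#  2. The meta_content template was ".%sagan%" with values ".Alcatraz" and "ransomed.html",
#     which expanded to "..Alcatraz" and ".ransomed.html" — neither occurs in a real path,
#     so the rule could never fire. The template is now "%sagan%", so the list matches the
#     ".Alcatraz" extension and the "ransomed.html" note literally.
#  3. Removed the doubled ";;" and a stray "nocase" that had no preceding content.
#  4. Repaired the mangled "reference: url,reference: url,..." option.
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] Alcatraz ransomware extension or note detected."; pcre: "/ 4663: | 567: | 5145: /"; meta_content: "%sagan%",.Alcatraz,ransomed.html; meta_nocase; program: *Security*; classtype: trojan-activity; reference: url,wiki.quadrantsec.com/bin/view/Main/5003024; reference: url,www.virustotal.com/en/file/be3afa19c76c2270ccac7eacf68f89603032c0588f721215e15a9d1421567969/analysis/; sid:5003024; rev:4;)

# Adylkuzz trojan rules.
# Steve Rawls (2017/05/18)
# Service-install audit events (4697 / 601) naming the WELM or WHDMIDE service.
# NOTE(review): the wiki reference points at .../5003117 although this rule is sid 5003116
# — verify which page is meant.
# FIX: removed the blank after "url," in the Symantec reference so the URL is not stored
# with a leading space. rev bumped 1 -> 2.
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MALWARE] Adylkuzz Trojan service installation detected"; pcre: "/ 4697: | 601: /"; pcre: "/ WELM | WHDMIDE /i"; classtype: trojan-activity; program: *Security*; reference: url,wiki.quadrantsec.com/bin/view/Main/5003117; reference: url,www.symantec.com/security_response/writeup.jsp?docid=2017-051707-0237-99&tabid=2; sid:5003116; rev:2;)

# Object-access events (4663 / 567) touching "._Miner_.log" (|2e 5f| = "._", |5f 2e| = "_.").
# FIX: same reference whitespace clean-up as above. rev bumped 1 -> 2.
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MALWARE] Adylkuzz Trojan log file detected"; pcre: "/ 4663: | 567: /"; content: "|2e 5f|Miner|5f 2e|log"; classtype: trojan-activity; program: *Security*; reference: url,wiki.quadrantsec.com/bin/view/Main/5003117; reference: url,www.symantec.com/security_response/writeup.jsp?docid=2017-051707-0237-99&tabid=2; sid:5003117; rev:2;)

# New Petya rules - these are largely based on "open source" resources!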
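# Champ Clark III / 2017/06/27
#
# Hash-indicator rules (SHA256 / SHA1 / MD5). None of them carry a "program:" or event-ID
# gate, so they fire on the hash appearing anywhere in any log line (AV, EDR, proxy, ...).
# Each list was cleaned so that every entry is in the rule named for its digest length:
# SHA256 = 64 hex chars, SHA1 = 40, MD5 = 32. Detection coverage is unchanged; only the
# sid a given hash alerts under has moved.

# FIX (rev 1 -> 2): removed duplicate entries (027cc450... three times, 64b0b58a... and
# 17dacedb... twice each). Six unique SHA256 hashes remain.
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MALWARE] Petya payload delivery SHA256 hash detected - Open source"; meta_content: "%sagan%",64b0b58a2c030c77fdb2b537b2fcc4af432bc55ffb36599a31d418c7c69e94b1,027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745,fe2e5d0543b4c8769e401ec216d78a5a3547dfd426fd47e097df04a5f7d6d206,ee29b9c01318a1e23836b949942db14d4811246fdae2f41df9f0dcd922c63bc6,17dacedb6f0379a65160d73c0ae3aa1f03465ae75cb6ae754c7dcb3017af1fbd,e5c643f1d8ecc0fd739d0bbe4a1c6c7de2601d86ab0fff74fd89c40908654be5; meta_nocase; classtype: trojan-activity; reference: url,gist.github.com/vulnersCom/65fe44d27d29d7a5de4c176baba45759; reference: url,isc.sans.edu/forums/diary/Widescale+Petya+variant+ransomware+attack+noted/22560/; sid:5003121; rev:1;)

# FIX (rev 1 -> 2): dropped the SHA256 hash 027cc450... that had been pasted into the SHA1
# list (it is covered by sid 5003121), dropped the duplicate 9288fb8e..., and moved in the
# three 40-char hashes (9717cfdc..., 38e2855e..., 56c03d8e...) that were mislabelled as
# MD5 under sid 5003123.
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MALWARE] Petya payload delivery SHA1 hash detected - Open source"; meta_content: "%sagan%",34f917aaba5684fbe56d3c57d48ef2a1aa7cf06d,101cc1cb56c407d5b9149f2c3b8523350d23ba84,a809a63bc5e31670ff117d838522dec433f74bee,d5bf3f100e7dbcc434d7c58ebf64052329a60fc2,aba7aa41057c8a6b184ba5776c20f7e8fc97c657,bec678164cedea578a7aff4589018fa41551c27f,078de2dc59ce59f503c63bd61f1ef8353dc7cf5f,0ff07caedad54c9b65e5873ac2d81b3126754aac,51eafbb626103765d3aedfd098b94d0e77de1196,82920a2ad0138a2a8efc744ae5849c6dde6b435d,1b83c00143a1bb2bf16b46c01f36d53fb66f82b5,7ca37b86f4acc702f108449c391dd2485b5ca18c,2bc182f04b935c7e358ed9c9e6df09ae6af47168,9288fb8e96d419586fc8c595dd95353d48e8a060,736752744122a0b5ee4b95ddad634dd225dc0f73,dd52fcc042a44a2af9e43c15a8e520b54128cdc8,9717cfdc2d023812dbc84a941674eb23a2a8ef06,38e2855e11e353cedf9a8a4f2f2747f1c5c07fcf,56c03d8e43f50568741704aee482704a4f5005ad; meta_nocase; classtype: trojan-activity; reference: url,gist.github.com/vulnersCom/65fe44d27d29d7a5de4c176baba45759; reference: url,isc.sans.edu/forums/diary/Widescale+Petya+variant+ransomware+attack+noted/22560/; sid:5003122; rev:2;)

# FIX (rev 2 -> 3): the three SHA1-length entries were moved to sid 5003122; only the four
# 32-char MD5 hashes remain, so the "MD5" alert name is accurate.
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MALWARE] Petya payload delivery MD5 hash detected - Open source"; meta_content: "%sagan%",71b6a493388e7d0b40c83ce903bc6b04,415fe69bf32634ca98fa07633f4118e1,0487382a4daf8eb9660f1c67e30f8b25,a1d5895f85751dfe67d19cccb51b051a; meta_nocase; classtype: trojan-activity; reference: url,gist.github.com/vulnersCom/65fe44d27d29d7a5de4c176baba45759; reference: url,isc.sans.edu/forums/diary/Widescale+Petya+variant+ransomware+attack+noted/22560/; sid:5003123; rev:3;)

# Dropper / payload filenames seen in the open-source reporting, gated on object-access
# events. NOTE(review): unlike the extension rules this one has no "program: *Security*"
# restriction — add one if it proves noisy on non-Windows sources.
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MALWARE] Petya detected by filename - Open source"; pcre: "/ 4663: | 567: | 5145: /"; meta_content: "%sagan%",myguy.xls,myguy.exe,BCA9D6.EXE,Order-20062017.doc; meta_nocase; classtype: trojan-activity; reference: url,gist.github.com/vulnersCom/65fe44d27d29d7a5de4c176baba45759; reference: url,isc.sans.edu/forums/diary/Widescale+Petya+variant+ransomware+attack+noted/22560/; sid:5003124; rev:3;)

# Jennifer Shannon @ Quadrantsec (2017/08/31)
# CryptoMix extensions. NOTE(review): ".empty " and ".error " are common words and the blank
# after the comma (" empty") is carried into the first expansion unless trimmed — see the
# Xorist note in this file. The wiki reference points at .../5003202 for sid 5003201;
# verify.
# FIX (rev 1 -> 2): removed a stray "nocase" that had no preceding content to modify.
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] CryptoMix ransomware extension detected."; pcre: "/ 4663: | 567: | 5145: /"; meta_content: ".%sagan% ", empty,error,ogonia,cnc,exte; meta_nocase; program: *Security*; classtype: trojan-activity; reference: url,wiki.quadrantsec.com/bin/view/Main/5003202; reference: url,www.bleepingcomputer.com/news/security/new-error-cryptomix-ransomware-variant-released/; sid:5003201; rev:2;)

# Locky / CryptoMix ransom note filename.
# FIX (rev 1 -> 2): removed a stray "meta_nocase" — the rule has no meta_content.
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] Locky/CryptoMix ransomware note detected"; pcre: "/ 4663: | 567: | 5145: /"; content: "_HELP_instructions.txt "; nocase; program: *Security*; classtype: trojan-activity; reference: url,wiki.quadrantsec.com/bin/view/Main/5003202; reference: url,www.bleepingcomputer.com/news/security/new-error-cryptomix-ransomware-variant-released/; sid:5003202; rev:2;)

# Steve Rawls - Bad Rabbit.
# Scheduled-task creation events (602 / 4698) naming one of the three Bad Rabbit tasks.
# FIX (rev 1 -> 2): "program: Security*" only matched program names *beginning* with
# "Security"; every other Windows rule in this file uses "*Security*", so the glob was
# aligned. Also removed the stray blanks inside the meta_content list (" viserion_",
# "drogon ") so each task name is matched exactly.
# NOTE(review): this rule is "any any any -> any any" rather than $EXTERNAL_NET -> $HOME_NET
# like its siblings; left as written since it may be deliberate.
alert any any any -> any any (msg: "[WINDOWS-MALWARE] Bad Rabbit Malware scheduled task detected"; content: "scheduled task"; nocase; meta_content: "%sagan%",viserion_,rhaegal,drogon; meta_nocase; pcre: "/ 602: | 4698: /"; classtype: trojan-activity; program: *Security*; reference: url,blog.talosintelligence.com/2017/10/bad-rabbit.html; reference: url,wiki.quadrantsec.com/bin/view/Main/5003204; sid:5003204; rev:2;)

# Sam Castellano - More bad Rabbit (2017/11/07)
# FIX (rev 1 -> 2): two 40-char (SHA1) entries — afeee8b4... and de5c8d85... — were in the
# SHA256 list; they moved to sid 5003207. Also removed the blank after the opening comma.
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MALWARE] Bad Rabbit payload delivery SHA256 hash detected "; meta_content: "%sagan%",8e2d709a262bd3a1ef288a87f737a7be8cdf9973751432bff7bf1956b83a94bc,8ebc97e05c8e1073bda2efb6f4d00ad7e789260afa2c276f0c72740b838a0a93,630325cac09ac3fab908f903e3b00d0dadd5fdaa0875ed8496fcbb97a558d0da,579fd8a0385482fb4c789561a30b09f25671e86422f40ef5cca2036b28f99648,0b2f863f4119dc88a22cc97c0a136c88a0127cb026751303b045f7322a8972f6; meta_nocase; classtype: trojan-activity; reference: url,bleepingcomputer.com/news/security/bad-rabbit-ransomware-outbreak-hits-eastern-europe/; reference: url,hybrid-analysis.com/sample/8ebc97e05c8e1073bda2efb6f4d00ad7e789260afa2c276f0c72740b838a0a93?environmentId=100; reference: url,wiki.quadrantsec.com/bin/view/Main/5003206; sid:5003206; rev:2;)

# FIX (rev 2 -> 3): converted to a meta_content list so the two SHA1 hashes that had been
# filed under the SHA256 rule (sid 5003206) alert here with the correct digest name.
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MALWARE] Bad Rabbit payload delivery SHA1 hash detected "; meta_content: "%sagan%",6d8104674ea6206080b050d73f265ea75edbd7d3,afeee8b4acff87bc469a6f0364a81ae5d60a2add,de5c8d858e6e41da715dca1c019df0bfb92d32c0; meta_nocase; classtype: trojan-activity; reference: url,hybrid-analysis.com/sample/8ebc97e05c8e1073bda2efb6f4d00ad7e789260afa2c276f0c72740b838a0a93?environmentId=100; reference: url,wiki.quadrantsec.com/bin/view/Main/5003207; sid:5003207; rev:3;)

alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MALWARE] Bad Rabbit payload delivery MD5 hash detected "; content:"1d4f2b4d8430941d383f8e49519f6d90"; nocase; classtype: trojan-activity; reference: url,hybrid-analysis.com/sample/8ebc97e05c8e1073bda2efb6f4d00ad7e789260afa2c276f0c72740b838a0a93?environmentId=100; reference: url,wiki.quadrantsec.com/bin/view/Main/5003208; sid:5003208; rev:1;)

# Dropper / component filenames, gated on object-access events (no program: gate, as with
# sid 5003124).
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MALWARE] Bad Rabbit detected by filename "; pcre: "/ 4663: | 567: | 5145: /"; meta_content: "%sagan%",dispci.exe,8ebc97e05c8e1073bda2efb6f4d00ad7e789260afa2c276f0c72740b838a0a93.exe,cscc.dat,infpub.dat,install_flash_player.exe; meta_nocase; classtype: trojan-activity; reference: url,hybrid-analysis.com/sample/8ebc97e05c8e1073bda2efb6f4d00ad7e789260afa2c276f0c72740b838a0a93?environmentId=100; reference: url,wiki.quadrantsec.com/bin/view/Main/5003209; sid:5003209; rev:1;)
sagan-1.2.0/rules/cisco-ise-geoip.rules0000644000175000017500000000621513310533411016730 0ustar champchamp
# Sagan cisco-ise-geoip.rules
# Copyright (c) 2009-2017, Quadrant Information Security
# All rights reserved.
#
# Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list
#
#*************************************************************
# Redistribution and use in source and binary forms, with or without modification, are permitted provided that the
# following conditions are met:
#
# * Redistributions of source code must retain the above copyright notice, this list of conditions and the following
# disclaimer.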
# * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
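#
#*************************************************************

# FIX: the line below is a sample CISE_Passed_Authentications event that had been left in
# the rules file uncommented. It is not a rule, so the rule loader would try to parse it as
# one. It is kept here, commented out, as the reference for the field order the rule
# relies on (first IPv4 address in the message = "Device IP Address", second =
# "DestinationIPAddress").
# 10.0.0.1|local6|notice|notice|b5|2018-05-23|20:22:11|CISE_Passed_Authentications| 0000511111 3 0 2018-05-23 20:22:11.910 -04:00 0067111111 5200 NOTICE Passed-Authentication: Authentication succeeded, ConfigVersionId=139, Device IP Address=10.10.254.13, DestinationIPAddress=10.10.2.53, DestinationPort=1812, UserName=00-11-11-11-11-11, Protocol=Radius, RequestLatency=8, NetworkDeviceName=DEMO, User-Name=001111111111, NAS-IP-Address=10.10.254.13, NAS-Port=50002, Service-Type=Call Check, Framed-IP-Address=10.10.251.75, Framed-MTU=1500, Called-Station-ID=00-11-11-11-11-11, Calling-Station-ID=00-11-11-11-11-11, NAS-Port-Type=Ethernet, NAS-Port-Id=GigabitEthernet0/2, EAP-Key-Name=, cisco-av-pair=service-type=Call Check, cisco-av-pair=audit-session-id=AC1711111111111111111111, OriginalUserName=001111111111, NetworkDeviceProfileName=Cisco, NetworkDeviceProfileId=11111111-1111-1111-1111-111111111111, IsThirdPartyDeviceFlow=false, RadiusFlowType=WiredMAB, SSID=00-11-11-11-11-11, AcsSessionID=nac-dc1/11111111l/1111111,

# Successful ISE authentication whose source address geolocates outside $HOME_COUNTRY.
# parse_src_ip: 1 takes the *first* IPv4 address in the message — per the sample above that
# is "Device IP Address" (the network access device), not the endpoint's Framed-IP-Address,
# so the country test is applied to the NAD. "content: Device IP Address" only asserts the
# field is present; it does not bind the parser to it.
# NOTE(review): in the sample the NAD address is RFC1918, which GeoIP cannot place in any
# country — confirm how country_code "isnot" behaves for unresolvable addresses before
# relying on this rule, or point parse_src_ip at a public address in the record.
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-ISE-GEOIP] Successful authentication from outside HOME_COUNTRY"; program: CISE_Passed_Authentications; content: "Device IP Address"; classtype: successful-user; parse_src_ip: 1; parse_dst_ip: 2; country_code: track by_src, isnot $HOME_COUNTRY; reference: url,wiki.quadrantsec.com/bin/view/Main/5003781; sid:5003781; rev:1;)
sagan-1.2.0/rules/zscaler.rules0000644000175000017500000010260513310533411015414 0ustar champchamp
# Sagan zscaler.rules
# Copyright (c) 2009-2017, Quadrant Information Security
# All rights reserved.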
# # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list # #************************************************************* # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. # #************************************************************* # Sagan rules for Zscaler proxy. Currently mostly user-agent rules. # Added by W.E Restepo & Jennifer Shannon (2017/07/24) # These rules only search for "allowed" traffic, not blocked traffic. Zscaler must send in CEF format. 
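# Zscaler CEF user-agent rules.
# Common skeleton: the UA is matched in the CEF "requestClientApplication=" field
# (|3d| = "="); program: CEF + content "Zscaler" + "act=Allowed" restrict to allowed Zscaler
# transactions; parse_src_ip: 2 / parse_dst_ip: 1 pull the client / server addresses from
# the record; xbits sets "web-attack" on the source for 86400 s so other rules can correlate.
# NOTE(review): several rules end the UA with |0D 0A| (CRLF), which assumes the UA field is
# the last one in the record and that the line keeps its CRLF — confirm against a live
# Zscaler CEF sample; if the field is followed by another key those rules will never match.
# Fixes are marked "FIX:" on sids 5003141, 5003145, 5003150 and 5003157.

alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[ZSCALER] known Malicious user agent - MSIE 9.0 in version 10 format"; content:"requestClientApplication|3d|MSIE 9.0|0D 0A|"; reference:url,www.virustotal.com/en/file/aaf9b99314eb5201407bc82ee948c0a3a1c6b0a3288e230bc03e4c2a2b4287e3/analysis/; parse_src_ip: 2; parse_dst_ip: 1; program: CEF; content: "Zscaler"; content:"act=Allowed"; default_dst_port: $HTTP_PORT; default_proto: tcp; xbits: set,web-attack,86400; classtype:trojan-activity; sid:5003126; rev:1;)

alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[ZSCALER] known malicious user-agent string - MSIE 7.0 na - Win.Trojan.Koobface"; content:"requestClientApplication|3d|Mozilla/4.0 (compatible|3B| MSIE 7.0|3B| na|3B| )"; reference:url,www.virustotal.com/en/file/ef420005a10d73b840604b517c4760400ccfc6c5baba0ae5d05ec6f88e56821e/analysis/; parse_src_ip: 2; parse_dst_ip: 1; program: CEF; content: "Zscaler"; content:"act=Allowed"; default_dst_port: $HTTP_PORT; default_proto: tcp; xbits: set,web-attack,86400; classtype:trojan-activity; sid:5003127; rev:1;)

alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[ZSCALER] known malicious user-agent string - Downloader 1.8 - Win.Trojan.Graftor"; content:"requestClientApplication|3d|Downloader 1.8|0D 0A|"; reference:url,www.virustotal.com/en/file/0F45FB61856437CB3123C4DEAC68942C17ADC6534719E583F22E3DE1F31C1CA5/analysis/; parse_src_ip: 2; parse_dst_ip: 1; program: CEF; content: "Zscaler"; content:"act=Allowed"; default_dst_port: $HTTP_PORT; default_proto: tcp; xbits: set,web-attack,86400; classtype:trojan-activity; sid:5003128; rev:1;)

# Three UAs from the same Rukypee sample (sids 5003129-5003131).
alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[ZSCALER] known malicious User-Agent string - HttpCall - Win.Trojan.Rukypee"; content:"requestClientApplication|3d|HttpCall"; reference:url,www.virustotal.com/en/file/74f22eced680ca26b767b4b07ba26b98536a385249d751586915b15b56509e0d/analysis/; parse_src_ip: 2; parse_dst_ip: 1; program: CEF; content: "Zscaler"; content:"act=Allowed"; default_dst_port: $HTTP_PORT; default_proto: tcp; xbits: set,web-attack,86400; classtype:trojan-activity; sid:5003129; rev:1;)

alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[ZSCALER] known malicious User-Agent string - MyProgramm - Win.Trojan.Rukypee"; content:"requestClientApplication|3d|MyProgramm"; reference:url,www.virustotal.com/en/file/74f22eced680ca26b767b4b07ba26b98536a385249d751586915b15b56509e0d/analysis/; parse_src_ip: 2; parse_dst_ip: 1; program: CEF; content: "Zscaler"; content:"act=Allowed"; default_dst_port: $HTTP_PORT; default_proto: tcp; xbits: set,web-attack,86400; classtype:trojan-activity; sid:5003130; rev:1;)

alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[ZSCALER] known malicious User-Agent string - Skypee - Win.Trojan.Rukypee"; content:"requestClientApplication|3d|Skypee"; reference:url,www.virustotal.com/en/file/74f22eced680ca26b767b4b07ba26b98536a385249d751586915b15b56509e0d/analysis/; parse_src_ip: 2; parse_dst_ip: 1; program: CEF; content: "Zscaler"; content:"act=Allowed"; default_dst_port: $HTTP_PORT; default_proto: tcp; xbits: set,web-attack,86400; classtype:trojan-activity; sid:5003131; rev:1;)

alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[ZSCALER] known malicous user agent string - XAgent - Operation Pawn Storm"; content:"requestClientApplication|3d|XAgent"; reference:url,www.virustotal.com/en/file/7313eaf95a8a8b4c206b9afe306e7c0675a21999921a71a5a16456894571d21d/analysis/; parse_src_ip: 2; parse_dst_ip: 1; program: CEF; content: "Zscaler"; content:"act=Allowed"; default_dst_port: $HTTP_PORT; default_proto: tcp; xbits: set,web-attack,86400; classtype:trojan-activity; sid:5003132; rev:1;)

alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[ZSCALER] known malicious user-agent string crackim"; content:"requestClientApplication|3d|crackim"; reference:url,www.virustotal.com/en/file/27fa65a3166def75feb75f8feb25dd9784b8f2518c73defcc4ed3e9f46868e76/analysis/; parse_src_ip: 2; parse_dst_ip: 1; program: CEF; content: "Zscaler"; content:"act=Allowed"; default_dst_port: $HTTP_PORT; default_proto: tcp; xbits: set,web-attack,86400; classtype:trojan-activity; sid:5003133; rev:1;)

# UA with "+" in place of spaces, as the Darkcpn sample sends it.
alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[ZSCALER] Win.Trojan.Darkcpn outbound connection"; content:"requestClientApplication|3d|Mozilla/4.0+(compatible|3B|+MSIE+6.0|3B|+Windows+NT+5.1|3B|+SV1|3B|+.NET+CLR+2.0.50727)|0D 0A|"; reference:url,virustotal.com/file/cab7cd418b1114c277f84c4fe59d05bcf53babf64f16ebe86ab11641bd6bbd94/analysis/; parse_src_ip: 2; parse_dst_ip: 1; program: CEF; content: "Zscaler"; content:"act=Allowed"; default_dst_port: $HTTP_PORT; default_proto: tcp; xbits: set,web-attack,86400; classtype:trojan-activity; sid:5003134; rev:1;)

# A lot of F/P
#alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[ZSCALER] known malicious User-Agent string - MyIE 3.01"; content:"requestClientApplication|3d|Mozilla/4.0 (compatible|3B| MSIE"; reference:url,virustotal.com/en/file/8553b945e2d4b9f45c438797d6b5e73cfe2899af1f9fd87593af4fd7fb51794a/analysis/; parse_src_ip: 2; parse_dst_ip: 1; program: CEF; content: "Zscaler"; content:"act=Allowed"; default_dst_port: $HTTP_PORT; default_proto: tcp; xbits: set,web-attack,86400; classtype:trojan-activity; sid:5003135; rev:1;)

# ".battle.net" is excluded because that service legitimately uses a UA of "agent".
alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[ZSCALER] Suspicious User Agent (agent)"; content:"requestClientApplication|3d|agent"; content:!".battle.net"; reference:url,doc.emergingthreats.net/bin/view/Main/2001891; parse_src_ip: 2; parse_dst_ip: 1; program: CEF; content: "Zscaler"; content:"act=Allowed"; default_dst_port: $HTTP_PORT; default_proto: tcp; xbits: set,web-attack,86400; classtype:trojan-activity; sid:5003136; rev:1;)

alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[ZSCALER] Drivecleaner.com Spyware User-Agent (DriveCleaner Updater)"; content:"requestClientApplication|3d|DriveCleaner Updater"; reference:url,www.drivecleaner.com; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=DriveCleaner&threatid=44533; reference:url,doc.emergingthreats.net/2003486; parse_src_ip: 2; parse_dst_ip: 1; program: CEF; content: "Zscaler"; content:"act=Allowed"; default_dst_port: $HTTP_PORT; default_proto: tcp; xbits: set,web-attack,86400; classtype:trojan-activity; sid:5003137; rev:1;)

alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[ZSCALER] Winfixmaster.com Fake Anti-Spyware User-Agent 2 (WinFix Master)"; content:"requestClientApplication|3d|WinFix Master"; nocase; reference:url,doc.emergingthreats.net/2003545; parse_src_ip: 2; parse_dst_ip: 1; program: CEF; content: "Zscaler"; content:"act=Allowed"; default_dst_port: $HTTP_PORT; default_proto: tcp; xbits: set,web-attack,86400; classtype:trojan-activity; sid:5003138; rev:1;)

alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[ZSCALER] Vaccineprogram.co.kr Related Spyware User-Agent (Museon)"; content:"requestClientApplication|3d|Museon"; reference:url,doc.emergingthreats.net/2006418; parse_src_ip: 2; parse_dst_ip: 1; program: CEF; content: "Zscaler"; content:"act=Allowed"; default_dst_port: $HTTP_PORT; default_proto: tcp; xbits: set,web-attack,86400; classtype:trojan-activity; sid:5003139; rev:1;)

alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[ZSCALER] Vaccineprogram.co.kr Related Spyware User Agent (pcsafe)"; content:"requestClientApplication|3d|pcsafe"; reference:url,doc.emergingthreats.net/2006420; parse_src_ip: 2; parse_dst_ip: 1; program: CEF; content: "Zscaler"; content:"act=Allowed"; default_dst_port: $HTTP_PORT; default_proto: tcp; xbits: set,web-attack,86400; classtype:trojan-activity; sid:5003140; rev:1;)

# UA that is a bare GUID ("{8-4-4-4-12}").
# FIX (rev 1 -> 2): this was ported from an Emerging Threats HTTP rule without adapting
# the pcre. It still looked for "User-Agent: {" and carried the Snort/Suricata-only
# "http_header" keyword and "H" pcre flag; a Zscaler CEF record has no such header, so the
# rule could never fire. The pcre now anchors on the CEF field name and the HTTP-buffer
# modifiers are gone.
alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[ZSCALER] klm123.com Spyware User Agent"; content:"requestClientApplication|3d|{"; content:!"directory.gladinet.com"; content:!"ff.avast.com|0d 0a|"; pcre:"/requestClientApplication=\{[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12}\}/i"; reference:url,doc.emergingthreats.net/2007616; parse_src_ip: 2; parse_dst_ip: 1; program: CEF; content: "Zscaler"; content:"act=Allowed"; default_dst_port: $HTTP_PORT; default_proto: tcp; xbits: set,web-attack,86400; classtype:trojan-activity; sid:5003141; rev:2;)

alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[ZSCALER] Suspicious User Agent (_)"; content:"requestClientApplication|3d|_|0d 0a|"; reference:url,doc.emergingthreats.net/bin/view/Main/2007942; parse_src_ip: 2; parse_dst_ip: 1; program: CEF; content: "Zscaler"; content:"act=Allowed"; default_dst_port: $HTTP_PORT; default_proto: tcp; xbits: set,web-attack,86400; classtype:trojan-activity; sid:5003142; rev:1;)

alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[ZSCALER] Casino Related Spyware User-Agent Detected (Viper 4.0)"; content:"requestClientApplication|3d|Mozilla/5.0 (compatible, Viper 4.0)|0d 0a|"; reference:url,doc.emergingthreats.net/2008586; parse_src_ip: 2; parse_dst_ip: 1; program: CEF; content: "Zscaler"; content:"act=Allowed"; default_dst_port: $HTTP_PORT; default_proto: tcp; xbits: set,web-attack,86400; classtype:trojan-activity; sid:5003143; rev:1;)

alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[ZSCALER] Suspicious User Agent (BlackSun)"; content:"requestClientApplication|3d|BlackSun"; reference:url,www.bitdefender.com/VIRUS-1000328-en--Trojan.Pws.Wow.NCY.html; reference:url,doc.emergingthreats.net/bin/view/Main/2008983; parse_src_ip: 2; parse_dst_ip: 1; program: CEF; content: "Zscaler"; content:"act=Allowed"; default_dst_port: $HTTP_PORT; default_proto: tcp; xbits: set,web-attack,86400; classtype:trojan-activity; sid:5003144; rev:1;)

# FIX (rev 1 -> 2): dropped the leftover "http_header" modifier (an HTTP-buffer keyword
# from the source ET rule; Sagan inspects log text, not HTTP buffers).
alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[ZSCALER] Win32.Tdss User Agent Detected (Mozzila)"; content:"requestClientApplication|3d|Mozzila"; reference:url,doc.emergingthreats.net/2010889; parse_src_ip: 2; parse_dst_ip: 1; program: CEF; content: "Zscaler"; content:"act=Allowed"; default_dst_port: $HTTP_PORT; default_proto: tcp; xbits: set,web-attack,86400; classtype:trojan-activity; sid:5003145; rev:1;)

alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[ZSCALER] Suspicious User Agent (ScrapeBox)"; content:"requestClientApplication|3d|ScrapeBox"; parse_src_ip: 2; parse_dst_ip: 1; program: CEF; content: "Zscaler"; content:"act=Allowed"; default_dst_port: $HTTP_PORT; default_proto: tcp; xbits: set,web-attack,86400; classtype:trojan-activity; sid:5003146; rev:1;)

alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[ZSCALER] Malware Related msndown"; content:"requestClientApplication|3d|msndown|0d 0a|"; reference:url,www.sunbeltsecurity.com/partnerresources/cwsandbox/md5.aspx?id=17fdf0cb5970b71b81b1a5406e017ac1; parse_src_ip: 2; parse_dst_ip: 1; program: CEF; content: "Zscaler"; content:"act=Allowed"; default_dst_port: $HTTP_PORT; default_proto: tcp; xbits: set,web-attack,86400; classtype:trojan-activity; sid:5003147; rev:1;)

alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[ZSCALER] W32/Goolbot.E Checkin UA Detected iamx"; content:"requestClientApplication|3d|iamx/"; parse_src_ip: 2; parse_dst_ip: 1; program: CEF; content: "Zscaler"; content:"act=Allowed"; default_dst_port: $HTTP_PORT; default_proto: tcp; xbits: set,web-attack,86400; classtype:trojan-activity; sid:5003148; rev:1;)

alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[ZSCALER] Suspicious Win32 User Agent"; content:"requestClientApplication|3d|Win32"; parse_src_ip: 2; parse_dst_ip: 1; program: CEF; content: "Zscaler"; content:"act=Allowed"; default_dst_port: $HTTP_PORT; default_proto: tcp; xbits: set,web-attack,86400; classtype:trojan-activity; sid:5003149; rev:1;)

# FIX (rev 1 -> 2): the content was " Our_Agent" (leading space, no field name). In a CEF
# record the UA is preceded by "=", not a space, so the rule never matched the UA field;
# it is now anchored on requestClientApplication= like every other rule in this file.
alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[ZSCALER] Suspicious User-Agent (Our_Agent)"; content:"requestClientApplication|3d|Our_Agent"; parse_src_ip: 2; parse_dst_ip: 1; program: CEF; content: "Zscaler"; content:"act=Allowed"; default_dst_port: $HTTP_PORT; default_proto: tcp; xbits: set,web-attack,86400; classtype:trojan-activity; sid:5003150; rev:2;)

alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[ZSCALER] suspicious user-agent (REKOM)"; content:"GET"; content:"requestClientApplication|3d|REKOM"; parse_src_ip: 2; parse_dst_ip: 1; program: CEF; content: "Zscaler"; content:"act=Allowed"; default_dst_port: $HTTP_PORT; default_proto: tcp; xbits: set,web-attack,86400; classtype:trojan-activity; sid:5003151; rev:1;)

alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[ZSCALER] Suspicious User-Agent Moxilla"; content:"requestClientApplication|3d|Moxilla"; parse_src_ip: 2; parse_dst_ip: 1; program: CEF; content: "Zscaler"; content:"act=Allowed"; default_dst_port: $HTTP_PORT; default_proto: tcp; xbits: set,web-attack,86400; classtype:trojan-activity; sid:5003152; rev:1;)

alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[ZSCALER] Suspicious User-Agent VCTestClient"; content:"requestClientApplication|3d|VCTestClient"; parse_src_ip: 2; parse_dst_ip: 1; program: CEF; content: "Zscaler"; content:"act=Allowed"; default_dst_port: $HTTP_PORT; default_proto: tcp; xbits: set,web-attack,86400; classtype:trojan-activity; sid:5003153; rev:1;)

alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[ZSCALER] Suspicious User-Agent PrivacyInfoUpdate"; content:"requestClientApplication|3d|PrivacyInfoUpdate"; parse_src_ip: 2; parse_dst_ip: 1; program: CEF; content: "Zscaler"; content:"act=Allowed"; default_dst_port: $HTTP_PORT; default_proto: tcp; xbits: set,web-attack,86400; classtype:trojan-activity; sid:5003154; rev:1;)

alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[ZSCALER] Suspicious User-Agent (VMozilla)"; content:"requestClientApplication|3d|VMozilla"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Worm%3aWin32%2fNeeris.BF; reference:url,www.avira.com/en/support-threats-description/tid/6259/tlang/en; parse_src_ip: 2; parse_dst_ip: 1; program: CEF; content: "Zscaler"; content:"act=Allowed"; default_dst_port: $HTTP_PORT; default_proto: tcp; xbits: set,web-attack,86400; classtype:trojan-activity; sid:5003155; rev:1;)

alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[ZSCALER] Suspicious User-Agent Sample"; content:"requestClientApplication|3d|sample"; parse_src_ip: 2; parse_dst_ip: 1; program: CEF; content: "Zscaler"; content:"act=Allowed"; default_dst_port: $HTTP_PORT; default_proto: tcp; xbits: set,web-attack,86400; classtype:trojan-activity; sid:5003156; rev:1;)

# FIX (rev 1 -> 2): this rule alone had parse_src_ip: 1 / parse_dst_ip: 2 — the reverse of
# every other rule in the file — so its xbit would have been set on the external server
# instead of the internal client. Aligned with its siblings.
alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[ZSCALER] Suspicious User-Agent Mozilla/3.0"; content:"requestClientApplication|3d|Mozilla/3.0|0d 0a|"; parse_src_ip: 2; parse_dst_ip: 1; program: CEF; content: "Zscaler"; content:"act=Allowed"; default_dst_port: $HTTP_PORT; default_proto: tcp; xbits: set,web-attack,86400; classtype:trojan-activity; sid:5003157; rev:2;)

alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[ZSCALER] Optimum Installer User-Agent IE6 on Windows XP"; content:"requestClientApplication|3d|IE6 on Windows XP"; parse_src_ip: 2; parse_dst_ip: 1; program: CEF; content: "Zscaler"; content:"act=Allowed"; default_dst_port: $HTTP_PORT; default_proto: tcp; xbits: set,web-attack,86400; classtype:trojan-activity; sid:5003158; rev:1;)

alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[ZSCALER] suspicious User Agent (Lotto)"; content:"requestClientApplication|3d|Lotto"; parse_src_ip: 2; parse_dst_ip: 1; program: CEF; content: "Zscaler"; content:"act=Allowed"; default_dst_port: $HTTP_PORT; default_proto: tcp; xbits: set,web-attack,86400; classtype:trojan-activity; sid:5003159; rev:1;)

alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[ZSCALER] Suspicious User-Agent String (AskPartnerCobranding)"; content:"requestClientApplication|3d|AskPartner"; parse_src_ip: 2; parse_dst_ip: 1; program: CEF; content: "Zscaler"; content:"act=Allowed"; default_dst_port: $HTTP_PORT; default_proto: tcp; xbits: set,web-attack,86400; classtype:trojan-activity; sid:5003160; rev:1;)

alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[ZSCALER] Backdoor.Win32.Vertexbot.A User-Agent (VERTEXNET)"; content:"requestClientApplication|3d|VERTEXNET"; reference:url,www.symantec.com/business/security_response/writeup.jsp?docid=2011-032315-2902-99&tabid=2; parse_src_ip: 2; parse_dst_ip: 1; program: CEF; content: "Zscaler"; content:"act=Allowed"; default_dst_port: $HTTP_PORT; default_proto: tcp; xbits: set,web-attack,86400; classtype:trojan-activity; sid:5003161; rev:1;)

alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[ZSCALER] suspicious user agent string (changhuatong)"; content:"requestClientApplication|3d|changhuatong|0d 0a|"; parse_src_ip: 2; parse_dst_ip: 1; program: CEF; content: "Zscaler"; content:"act=Allowed"; default_dst_port: $HTTP_PORT; default_proto: tcp; xbits: set,web-attack,86400; classtype:trojan-activity; sid:5003162; rev:1;)

alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[ZSCALER] suspicious user agent string (CholTBAgent)"; content:"requestClientApplication|3d|CholTBAgent"; parse_src_ip: 2; parse_dst_ip: 1; program: CEF; content: "Zscaler"; content:"act=Allowed"; default_dst_port: $HTTP_PORT; default_proto: tcp; xbits: set,web-attack,86400; classtype:trojan-activity; sid:5003163; rev:1;)

alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[ZSCALER] Suspicious user agent (mdms)"; content:"GET"; content:"requestClientApplication|3d|mdms|0d 0a|"; parse_src_ip: 2; parse_dst_ip: 1; program: CEF; content: "Zscaler"; content:"act=Allowed"; default_dst_port: $HTTP_PORT; default_proto: tcp; xbits: set,web-attack,86400; classtype:trojan-activity; sid:5003164; rev:1;)

alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[ZSCALER] Suspicious user agent (asd)"; content:"GET"; content:"requestClientApplication|3d|asd|0d 0a|"; parse_src_ip: 2; parse_dst_ip: 1; program: CEF; content: "Zscaler"; content:"act=Allowed"; default_dst_port: $HTTP_PORT; default_proto: tcp; xbits: set,web-attack,86400; classtype:trojan-activity; sid:5003165; rev:1;)

alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[ZSCALER] Suspicious User-Agent SimpleClient 1.0"; content:"requestClientApplication|3d|SimpleClient ";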
reference:url,www.fortiguard.com/encyclopedia/virus/symbos_sagasi.a!tr.html; parse_src_ip: 2; parse_dst_ip: 1; program: CEF; content: "Zscaler"; content:"act=Allowed"; default_dst_port: $HTTP_PORT; default_proto: tcp; xbits: set,web-attack,86400; classtype:bad-unknown; sid:5003166; rev:1;) alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[ZSCALER] Known Skunkx DDOS Bot User-Agent Cyberdog"; content:"requestClientApplication|3d|Cyberdog"; reference:url,asert.arbornetworks.com/2011/03/skunkx-ddos-bot-analysis/; parse_src_ip: 2; parse_dst_ip: 1; program: CEF; content: "Zscaler"; content:"act=Allowed"; default_dst_port: $HTTP_PORT; default_proto: tcp; xbits: set,web-attack,86400; classtype:trojan-activity; sid:5003167; rev:1;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[ZSCALER] EmailSiphon Suspicious User-Agent Inbound"; ; content:"requestClientApplication|3d|EmailSiphon"; reference:url,www.useragentstring.com/pages/useragentstring.php; parse_src_ip: 2; parse_dst_ip: 1; program: CEF; content: "Zscaler"; content:"act=Allowed"; default_dst_port: $HTTP_PORT; default_proto: tcp; xbits: set,web-attack,86400; classtype:attempted-recon; sid:5003168; rev:1;) alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[ZSCALER] EmailSiphon Suspicious User-Agent Outbound"; content:"requestClientApplication|3d|EmailSiphon"; reference:url,www.useragentstring.com/pages/useragentstring.php; parse_src_ip: 2; parse_dst_ip: 1; program: CEF; content: "Zscaler"; content:"act=Allowed"; default_dst_port: $HTTP_PORT; default_proto: tcp; xbits: set,web-attack,86400; classtype:attempted-recon; sid:5003169; rev:1;) alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[ZSCALER] Binget PHP Library User Agent Outbound"; content:"requestClientApplication|3d|Binget/"; reference:url,www.bin-co.com/php/scripts/load/; reference:url,www.useragentstring.com/pages/useragentstring.php; parse_src_ip: 2; parse_dst_ip: 1; program: CEF; content: "Zscaler"; content:"act=Allowed"; default_dst_port: $HTTP_PORT; 
default_proto: tcp; xbits: set,web-attack,86400; classtype:attempted-recon; sid:5003170; rev:1;) alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[ZSCALER] pxyscand/ Suspicious User Agent Outbound"; content:"requestClientApplication|3d|pxyscand/"; reference:url,www.useragentstring.com/pages/useragentstring.php; parse_src_ip: 2; parse_dst_ip: 1; program: CEF; content: "Zscaler"; content:"act=Allowed"; default_dst_port: $HTTP_PORT; default_proto: tcp; xbits: set,web-attack,86400; classtype:attempted-recon; sid:5003171; rev:1;) alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[ZSCALER] PyCurl Suspicious User Agent Outbound"; content:"requestClientApplication|3d|PyCurl"; reference:url,www.useragentstring.com/pages/useragentstring.php; parse_src_ip: 2; parse_dst_ip: 1; program: CEF; content: "Zscaler"; content:"act=Allowed"; default_dst_port: $HTTP_PORT; default_proto: tcp; xbits: set,web-attack,86400; classtype:attempted-recon; sid:5003172; rev:1;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[ZSCALER] Atomic_Email_Hunter User-Agent Inbound"; content:"requestClientApplication|3d|Atomic_Email_Hunter/"; reference:url,www.useragentstring.com/pages/useragentstring.php; fwsam: src, 1 day; parse_src_ip: 2; parse_dst_ip: 1; program: CEF; content: "Zscaler"; content:"act=Allowed"; default_dst_port: $HTTP_PORT; default_proto: tcp; xbits: set,web-attack,86400; classtype:attempted-recon; sid:5003173; rev:1;) alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[ZSCALER] Atomic_Email_Hunter User-Agent Outbound"; content:"requestClientApplication|3d|Atomic_Email_Hunter/"; reference:url,www.useragentstring.com/pages/useragentstring.php; parse_src_ip: 2; parse_dst_ip: 1; program: CEF; content: "Zscaler"; content:"act=Allowed"; default_dst_port: $HTTP_PORT; default_proto: tcp; xbits: set,web-attack,86400; classtype:attempted-recon; sid:5003174; rev:1;) # This rule is to generic & generates many F/P #alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[ZSCALER] Avzhan DDoS Bot 
User-Agent MyIE"; content:"requestClientApplication|3d|Mozilla"; reference:url,asert.arbornetworks.com/2010/09/another-family-of-ddos-bots-avzhan/; reference:url,blog.fireeye.com/research/2010/10/avzhan-botnet-the-story-of-evolution.html; parse_src_ip: 2; parse_dst_ip: 1; program: CEF; content: "Zscaler"; content:"act=Allowed"; default_dst_port: $HTTP_PORT; default_proto: tcp; xbits: set,web-attack,86400; classtype:trojan-activity; sid:5003175; rev:1;) alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[ZSCALER] Win32/OnLineGames User-Agent (Revolution Win32)"; content:"requestClientApplication|3d|Revolution"; reference:url,threatexpert.com/report.aspx?md5=1431f4ab4bbe3ad1087eb14cf4d7dff9; parse_src_ip: 2; parse_dst_ip: 1; program: CEF; content: "Zscaler"; content:"act=Allowed"; default_dst_port: $HTTP_PORT; default_proto: tcp; xbits: set,web-attack,86400; classtype:trojan-activity; sid:5003176; rev:1;) alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[ZSCALER] Trojan Downloader User-Agent BGroom"; content:"requestClientApplication|3d|BGroom"; parse_src_ip: 2; parse_dst_ip: 1; program: CEF; content: "Zscaler"; content:"act=Allowed"; default_dst_port: $HTTP_PORT; default_proto: tcp; xbits: set,web-attack,86400; classtype:trojan-activity; sid:5003177; rev:1;) alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[ZSCALER] Trojan Downloader User-Agent (Tiny)"; content:"requestClientApplication|3d|tiny|0D 0A|"; parse_src_ip: 2; parse_dst_ip: 1; program: CEF; content: "Zscaler"; content:"act=Allowed"; default_dst_port: $HTTP_PORT; default_proto: tcp; xbits: set,web-attack,86400; classtype:trojan-activity; sid:5003178; rev:1;) alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[ZSCALER] Suspicious User-Agent (adlib)"; content:! 
"econtrolsystems"; content:"requestClientApplication|3d|adlib/"; reference:url,blog.trendmicro.com/connections-between-droiddreamlight-and-droidkungfu/; parse_src_ip: 2; parse_dst_ip: 1; program: CEF; content: "Zscaler"; content:"act=Allowed"; default_dst_port: $HTTP_PORT; default_proto: tcp; xbits: set,web-attack,86400; classtype:trojan-activity; sid:5003179; rev:1;) alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[ZSCALER] W32/Kazy User-Agent (Windows NT 5.1 \; v.) space infront of semi-colon"; flow:established,to_server; content:"requestClientApplication|3d|Mozilla/5.0|20 28|Windows NT 5.1|20 3B 20|v|2E|"; parse_src_ip: 2; parse_dst_ip: 1; program: CEF; content: "Zscaler"; content:"act=Allowed"; default_dst_port: $HTTP_PORT; default_proto: tcp; xbits: set,web-attack,86400; classtype:trojan-activity; sid:5003180; rev:1;) alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[ZSCALER] W32/Renos.Downloader User Agent zeroup"; content:"requestClientApplication|3d|zeroup"; reference:url,www.f-secure.com/v-descs/trojan_w32_renos_h.shtml; reference:md5,35ba53f6aeb6b38c1107018f271189af; parse_src_ip: 2; parse_dst_ip: 1; program: CEF; content: "Zscaler"; content:"act=Allowed"; default_dst_port: $HTTP_PORT; default_proto: tcp; xbits: set,web-attack,86400; classtype:trojan-activity; sid:5003181; rev:1;) alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[ZSCALER] Suspicious User-Agent (DownloadMR)"; content:"requestClientApplication|3d|DownloadMR"; nocase; reference:url,www.virustotal.com/en/file/93236b781e147e3ac983be1374a5f807fabd27ee2b92e6d99e293a6eb070ac2b/analysis/; reference:md5,0da0d8e664f44400c19898b4c9e71456; parse_src_ip: 2; parse_dst_ip: 1; program: CEF; content: "Zscaler"; content:"act=Allowed"; default_dst_port: $HTTP_PORT; default_proto: tcp; xbits: set,web-attack,86400; classtype:trojan-activity; sid:5003182; rev:1;) alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[ZSCALER] User-Agent (ChilkatUpload)"; content:"requestClientApplication|3d|ChilkatUpload"; 
nocase; reference:url,chilkatsoft.com; parse_src_ip: 2; parse_dst_ip: 1; program: CEF; content: "Zscaler"; content:"act=Allowed"; default_dst_port: $HTTP_PORT; default_proto: tcp; xbits: set,web-attack,86400; classtype:trojan-activity; sid:5003183; rev:1;) alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[ZSCALER] Suspicious user agent (Google page)"; content:"requestClientApplication|3d|Google page"; nocase; parse_src_ip: 2; parse_dst_ip: 1; program: CEF; content: "Zscaler"; content:"act=Allowed"; default_dst_port: $HTTP_PORT; default_proto: tcp; xbits: set,web-attack,86400; classtype:trojan-activity; sid:5003184; rev:1;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[ZSCALER] FOCA User-Agent"; content:"requestClientApplication|3d|FOCA|0d 0a|"; reference:url,blog.bannasties.com/2013/08/vulnerability-scans/; parse_src_ip: 2; parse_dst_ip: 1; program: CEF; content: "Zscaler"; content:"act=Allowed"; default_dst_port: $HTTP_PORT; default_proto: tcp; xbits: set,web-attack,86400; classtype:attempted-recon; sid:5003185; rev:1;) alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[ZSCALER] MSF Meterpreter Default User Agent"; content:"requestClientApplication|3d|Mozilla/4.0 (compatible|3b 20|MSIE 6.1|3b 20|Windows NT|29 0d 0a|"; reference:url,blog.didierstevens.com/2015/03/16/quickpost-metasploit-user-agent-strings; parse_src_ip: 2; parse_dst_ip: 1; program: CEF; content: "Zscaler"; content:"act=Allowed"; default_dst_port: $HTTP_PORT; default_proto: tcp; xbits: set,web-attack,86400; classtype:bad-unknown; sid:5003186; rev:1;) alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[ZSCALER] WildTangent User-Agent (WT Games App)"; content:"requestClientApplication|3d|WT|20|Games|20|App|20|"; parse_src_ip: 2; parse_dst_ip: 1; program: CEF; content: "Zscaler"; content:"act=Allowed"; default_dst_port: $HTTP_PORT; default_proto: tcp; xbits: set,web-attack,86400; classtype:policy-violation; sid:5003187; rev:1;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[ZSCALER] 
BLEXBot User-Agent"; content:"requestClientApplication|3d|Mozilla/5.0 (compatible|3b| BLEXBot/"; threshold:type limit, track by_dst, count 1, seconds 300; reference:url,webmeup.com/about.html; parse_src_ip: 2; parse_dst_ip: 1; program: CEF; content: "Zscaler"; content:"act=Allowed"; default_dst_port: $HTTP_PORT; default_proto: tcp; xbits: set,web-attack,86400; classtype:misc-activity; sid:5003188; rev:1;) alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[ZSCALER] Microsoft Edge on Windows 10 SET"; content:"requestClientApplication|3d|Windows NT 10."; distance:0; content:"Edge/12."; distance:0; fast_pattern; parse_src_ip: 2; parse_dst_ip: 1; program: CEF; content: "Zscaler"; content:"act=Allowed"; default_dst_port: $HTTP_PORT; default_proto: tcp; xbits: set,web-attack,86400; classtype:misc-activity; sid:5003189; rev:1;) alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[ZSCALER] Fake Opera 8.11 UA related to Trojan Activity"; content:"requestClientApplication|3d|opera/8.11|0d 0a|"; parse_src_ip: 2; parse_dst_ip: 1; program: CEF; content: "Zscaler"; content:"act=Allowed"; default_dst_port: $HTTP_PORT; default_proto: tcp; xbits: set,web-attack,86400; classtype:trojan-activity; sid:5003190; rev:1;) alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[ZSCALER] Gator Agent Traffic"; content:"requestClientApplication|3d|Gator"; reference:url,doc.emergingthreats.net/2000026; parse_src_ip: 2; parse_dst_ip: 1; program: CEF; content: "Zscaler"; content:"act=Allowed"; default_dst_port: $HTTP_PORT; default_proto: tcp; xbits: set,web-attack,86400; classtype:policy-violation; sid:5003191; rev:1;) alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[ZSCALER] ISearchTech.com XXXPornToolbar Activity (IST)"; content:"requestClientApplication|3d|IST"; reference:url,www.isearchtech.com; reference:url,doc.emergingthreats.net/2001493; parse_src_ip: 2; parse_dst_ip: 1; program: CEF; content: "Zscaler"; content:"act=Allowed"; default_dst_port: $HTTP_PORT; default_proto: tcp; xbits: 
set,web-attack,86400; classtype:trojan-activity; sid:5003192; rev:1;) alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[ZSCALER] Better Internet Spyware User-Agent (poller)"; content:"requestClientApplication|3d|Poller"; reference:url,doc.emergingthreats.net/2002005; parse_src_ip: 2; parse_dst_ip: 1; program: CEF; content: "Zscaler"; content:"act=Allowed"; default_dst_port: $HTTP_PORT; default_proto: tcp; xbits: set,web-attack,86400; classtype:trojan-activity; sid:5003193; rev:1;) alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[ZSCALER] SideStep User-Agent"; content:"requestClientApplication|3d|SideStep"; reference:url,doc.emergingthreats.net/2002078; reference:url,github.com/chetan51/sidestep/; parse_src_ip: 2; parse_dst_ip: 1; program: CEF; content: "Zscaler"; content:"act=Allowed"; default_dst_port: $HTTP_PORT; default_proto: tcp; xbits: set,web-attack,86400; classtype:misc-activity; sid:5003194; rev:1;) alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[ZSCALER] 180 Solutions (Zango Installer) User Agent"; content:"requestClientApplication|3d|SAIv"; reference:url,doc.emergingthreats.net/2003062; parse_src_ip: 2; parse_dst_ip: 1; program: CEF; content: "Zscaler"; content:"act=Allowed"; default_dst_port: $HTTP_PORT; default_proto: tcp; xbits: set,web-attack,86400; classtype:trojan-activity; sid:5003195; rev:1;) alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[ZSCALER] Suspicious User-Agent Fragment (WORKED)"; content:"requestClientApplication|3d|WORKED"; parse_src_ip: 2; parse_dst_ip: 1; program: CEF; content: "Zscaler"; content:"act=Allowed"; default_dst_port: $HTTP_PORT; default_proto: tcp; xbits: set,web-attack,86400; classtype:trojan-activity; sid:5003196; rev:1;) alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[ZSCALER] Detected known Malware Category"; content:!"cs4|3d|Clean Transaction"; parse_src_ip: 2; parse_dst_ip: 1; program: CEF; content: "Zscaler"; content:"act=Allowed"; default_dst_port: $HTTP_PORT; default_proto: tcp; xbits: 
set,web-attack,86400; classtype:trojan-activity; sid:5003197; rev:1;) # Mobile leakages is content! as triggers a lot alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[ZSCALER] Detected known Threat Name"; content:!"cs5|3d|None"; parse_src_ip: 2; parse_dst_ip: 1; program: CEF; content: "Zscaler"; content:"act=Allowed"; content:!"Mobile Device information leakage"; content:!"Mobile PII Information Leakage"; default_dst_port: $HTTP_PORT; default_proto: tcp; xbits: set,web-attack,86400; classtype:trojan-activity; sid:5003198; rev:2;) sagan-1.2.0/rules/cisco-ise-bluedot.rules0000644000175000017500000000625713310533411017271 0ustar champchamp# Sagan cisco-ise-bluedot.rules # Copyright (c) 2009-2017, Quadrant Information Security # All rights reserved. # # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list # #************************************************************* # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. 
IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
# USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#
#*************************************************************

# Sample CISE_Passed_Authentications log line kept for reference. It was not commented out, so the
# rule loader would presumably read it as a rule line; it is kept here as a comment only.
# 10.0.0.1|local6|notice|notice|b5|2018-05-23|20:22:11|CISE_Passed_Authentications| 0000511111 3 0 2018-05-23 20:22:11.910 -04:00 0067111111 5200 NOTICE Passed-Authentication: Authentication succeeded, ConfigVersionId=139, Device IP Address=10.10.254.13, DestinationIPAddress=10.10.2.53, DestinationPort=1812, UserName=00-11-11-11-11-11, Protocol=Radius, RequestLatency=8, NetworkDeviceName=DEMO, User-Name=001111111111, NAS-IP-Address=10.10.254.13, NAS-Port=50002, Service-Type=Call Check, Framed-IP-Address=10.10.251.75, Framed-MTU=1500, Called-Station-ID=00-11-11-11-11-11, Calling-Station-ID=00-11-11-11-11-11, NAS-Port-Type=Ethernet, NAS-Port-Id=GigabitEthernet0/2, EAP-Key-Name=, cisco-av-pair=service-type=Call Check, cisco-av-pair=audit-session-id=AC1711111111111111111111, OriginalUserName=001111111111, NetworkDeviceProfileName=Cisco, NetworkDeviceProfileId=11111111-1111-1111-1111-111111111111, IsThirdPartyDeviceFlow=false, RadiusFlowType=WiredMAB, SSID=00-11-11-11-11-11, AcsSessionID=nac-dc1/11111111l/1111111,

# Successful ISE authentication from an address Bluedot flags as Malicious/Tor/Honeypot/Proxy.
# This rule keys on bluedot ip_reputation, not country_code, so the msg now says so; the
# previous wording "from outside HOME_COUNTRY" belongs to the geoip variant of this rule.
# The rev on the continuation of this rule should be bumped with this msg change.
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-ISE-BLUEDOT] Successful authentication from a known malicious source"; program: CISE_Passed_Authentications; content: "Device IP Address"; classtype: successful-user; parse_src_ip: 1; parse_dst_ip: 2; bluedot: type ip_reputation, track by_src, none, Malicious,Tor,Honeypot,Proxy; reference: 
url,wiki.quadrantsec.com/bin/view/Main/5003782; sid:5003782; rev:1;) sagan-1.2.0/rules/courier-geoip.rules0000644000175000017500000000634513310533411016526 0ustar champchamp# Sagan courier-geoip.rules # Copyright (c) 2009-2017, Quadrant Information Security # All rights reserved. # # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list # #************************************************************* # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
#
#*************************************************************

# program list was written "imapd|imapd-sslcourierlogger" (missing '|'), so imapd-ssl and
# courierlogger events would not have matched; the other rules in this file use
# imapd|imapd-ssl|courierlogger. rev bumped for the change.
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[COURIER-GEOIP] Authentication failure from outside HOME_COUNTRY"; content: "LOGIN FAILED,"; parse_src_ip: 1; default_proto: tcp; classtype: unsuccessful-user; program: imapd|imapd-ssl|courierlogger; country_code: track by_src, isnot $HOME_COUNTRY; reference: url,wiki.quadrantsec.com/bin/view/Main/5002394; sid:5002394; rev:3;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[COURIER-GEOIP] Logout/disconnect from outside HOME_COUNTRY"; pcre: "/LOGOUT|DISCONNECTED/"; default_proto: tcp; classtype: not-suspicious; parse_src_ip: 1; program: imapd|imapd-ssl|courierlogger; country_code: track by_src, isnot $HOME_COUNTRY; reference: url,wiki.quadrantsec.com/bin/view/Main/5002395; sid:5002395; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[COURIER-GEOIP] User login from outside HOME_COUNTRY"; content: "LOGIN,"; parse_src_ip: 1; default_proto: tcp; classtype: successful-user; program: imapd|imapd-ssl|courierlogger; country_code: track by_src, isnot $HOME_COUNTRY; reference: url,wiki.quadrantsec.com/bin/view/Main/5002396; sid:5002396; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[COURIER-GEOIP] Timeout from outside HOME_COUNTRY"; content: "TIMEOUT"; parse_src_ip: 1; default_proto: tcp; classtype: successful-user; program: imapd|imapd-ssl|courierlogger; country_code: track by_src, isnot $HOME_COUNTRY; reference: url,wiki.quadrantsec.com/bin/view/Main/5002397; sid:5002397; rev:2;)
sagan-1.2.0/rules/juniper-bluedot.rules0000644000175000017500000000725013310533411017061 0ustar champchamp# Sagan juniper-bluedot.rules
# Copyright (c) 2009-2017, Quadrant Information Security
# All rights reserved. 
# # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list # #************************************************************* # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
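#
#*************************************************************

# ScreenOS admin login from an address Bluedot flags as Malicious/Tor/Honeypot/Proxy.
# Matches "has logged on via" plus the literal "00515"; sid 5003114 below matches the
# same "has logged on via" text without that extra token, so the two overlap on such logs.
# Fix: the second content option was written `content "00515"` without the ':' every
# other content option uses; rev bumped for the change.
# NOTE(review): direction is $HOME_NET -> $EXTERNAL_NET with parse_src_ip: 1, while
# courier-geoip writes the same "login from outside" case as $EXTERNAL_NET -> $HOME_NET;
# confirm which is intended.
alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[JUNIPER-BLUEDOT] Juniper ScreenOS Admin Login from a known malicious IP"; content:"has logged on via"; content: "00515"; bluedot: type ip_reputation, track by_src, none, Malicious,Tor,Honeypot,Proxy; parse_src_ip: 1; default_proto: tcp; default_dst_port: $SSH_PORT; reference:cve,2015-7755; reference:url,kb.juniper.net/InfoCenter/index?page=content&id=JSA10713&actp=search; classtype:successful-admin; sid: 5002774; rev:5;)

# Juniper VPN login (pcre on "Authentication successful" / "Login succeeded") from a
# Bluedot-flagged source. Unchanged.
alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[JUNIPER-BLUEDOT] VPN Login from a known malicious source"; program: Juniper; pcre: "/Authentication successful|Login succeeded/i"; default_proto: tcp; default_dst_port: $HTTPS_PORT; bluedot: type ip_reputation, track by_src, none, Malicious,Tor,Honeypot,Proxy; classtype: successful-user; parse_src_ip: 1; reference: url, wiki.quadrantsec.com/bin/view/Main/5003112; sid:5003112; rev:2;)

# Juniper VPN logout from a Bluedot-flagged source. The msg tag was "[JUNIPER-GEOIP]", but
# this rule uses bluedot ip_reputation (no country_code) and lives in the bluedot file, so
# the tag now matches its siblings; rev bumped for the change.
alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[JUNIPER-BLUEDOT] VPN Logout from a known malicious source"; program: Juniper; content: "Logout from"; default_proto: tcp; default_dst_port: $HTTPS_PORT; bluedot: type ip_reputation, track by_src, none, Malicious,Tor,Honeypot,Proxy; classtype: successful-user; parse_src_ip: 1; reference: url, wiki.quadrantsec.com/bin/view/Main/5003113; sid:5003113; rev:3;)

# Juniper alerts for CVE 2015-7755 - Robert Nunley (rnunley@quadrantsec.com)
# ScreenOS "Admin user ... has logged on via" from a Bluedot-flagged source.
# Fix: `default_proto: tcp:` and `default_dst_port: $SSH_PORT:` ended in ':' instead of ';',
# which runs the three options together; "malicous" in msg corrected; rev bumped.
# NOTE(review): classtype is successful-user here but successful-admin on sid 5002774 for
# the same admin-login event; consider aligning them.
alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[JUNIPER-BLUEDOT] Juniper ScreenOS Admin Login from a known malicious source"; content: "Admin user"; content:"has logged on via"; bluedot: type ip_reputation, track by_src, none, Malicious,Tor,Honeypot,Proxy; default_proto: tcp; default_dst_port: $SSH_PORT; classtype: successful-user; parse_src_ip: 1; reference:url,kb.juniper.net/InfoCenter/index?page=content&id=JSA10713&actp=search; reference: url, wiki.quadrantsec.com/bin/view/Main/5003114; sid:5003114; rev:3;)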
sagan-1.2.0/rules/windows-blacklist.rules0000644000175000017500000010313413310533411017407 0ustar champchamp# Sagan windows-blacklist.rules # Copyright (c) 2009-2017, Quadrant Information Security # All rights reserved. # # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list # #************************************************************* # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. # # ************************************************************* # Windows blacklist rules. # Eventlog to syslog service. This is what we primarily use. 
# http://code.google.com/p/eventlog-to-syslog/ alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[WINDOWS-BLACKLIST] RDP / Logon type 10 from a blacklisted IP"; program: *Security*; pcre: "/ 528: | 4624: /"; content: "Logon Type|3a| 10 "; blacklist: by_src; program: *Security*; parse_src_ip: 1; normalize; default_proto: tcp; classtype: successful-user; reference: url,wiki.quadrantsec.com/bin/view/Main/5002215; sid: 5002215; rev:4;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLACKLIST] Login failure from a blacklisted IP [0/5]"; program: *Security*; content: " 529|3a| "; classtype: unsuccessful-user; blacklist: by_src; threshold: type limit, track by_src, count 5, seconds 300; fwsam: src, 1 day; normalize; parse_src_ip: 1; parse_port; reference: url,wiki.quadrantsec.com/bin/view/Main/5002216; sid: 5002216; rev:4;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLACKLIST] Login failure from a blacklisted IP [Time restriction] [0/5]"; content: " 530|3a| "; classtype: unsuccessful-user; program: *Security*; parse_src_ip: 1; blacklist: by_src; threshold: type limit, track by_src, count 5, seconds 300; fwsam: src, 1 day; normalize; reference: url,wiki.quadrantsec.com/bin/view/Main/5002217; sid: 5002217; rev:6;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLACKLIST] Login failure from blacklisted IP - Account currently disabled [0/5]"; content: " 531|3a| "; content:!"User Name|3a| Domain|3a|"; classtype: unsuccessful-user; program: *Security*; blacklist: by_src; normalize; parse_src_ip: 1; threshold: type limit, track by_src, count 5, seconds 300; reference: url,wiki.quadrantsec.com/bin/view/Main/5002218; sid: 5002218; rev:4;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLACKLIST] Login failure from blacklisted IP - Specified account expired"; content: " 532|3a| "; classtype: unsuccessful-user; program: *Security*; blacklist: by_src; normalize; parse_src_ip: 1; reference: 
url,wiki.quadrantsec.com/bin/view/Main/5002219; sid: 5002219; rev:4;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLACKLIST] Login failure from blacklisted IP - User not allowed to login at this computer"; content: " 533|3a| "; classtype: unsuccessful-user; program: *Security*; blacklist: by_src; normalize; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5002220; sid: 5002220; rev:4;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLACKLIST] Login failure from blacklisted IP - Account locked [0/1]"; content: " 539|3a| "; content:!"User Name|3a| Domain|3a| Logon Type|3a|"; classtype: unsuccessful-user; blacklist: by_src; threshold: type limit, track by_src, count 5, seconds 300; parse_src_ip: 1; parse_port; normalize; fwsam: src, 1 day; program: *Security*; reference: url,wiki.quadrantsec.com/bin/view/Main/5002222; sid: 5002222; rev:4;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLACKLIST] Windows DC Logon Failure from blacklisted IP"; pcre: "/ 675: | 676: | 681: /"; classtype: unsuccessful-user; program: *Security*; blacklist: by_src; normalize; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5002223; sid: 5002223; rev:4;) # Rules added by Brian Echeverry ( becheverry@quadrantsec.com) - 10/19/2015 #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLACKLIST] Login failure from a blacklisted IP - User Name Does Not Exist [Brute Force] [25/1]"; content: "C0000064"; nocase; pcre: "/ 4625: | 4776: /"; content:!"$ Source"; content:!"$ Account Domain|3a| "; xbits: set,brute_force,21600; classtype: unsuccessful-user; program: *Security*; parse_src_ip: 1; blacklist: by_src; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; reference: url,wiki.quadrantsec.com/bin/view/Main/5002509; sid: 5002509; rev:4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLACKLIST] Login failure from a blacklisted IP - User 
Correct but Incorrect Password [Brute Force] [25/1]"; content: "C000006A"; nocase; pcre: "/ 4625: | 4776: /"; content:!"$ Account Domain|3a| "; xbits: set,brute_force,21600; classtype: unsuccessful-user; program: *Security*; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; blacklist: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002510; sid: 5002510; rev:4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLACKLIST] Login failure from a blacklisted IP - User Is Locked Out [Brute Force] [25/1]"; content: "C0000234"; nocase; pcre: "/ 4625: | 4776: /"; classtype: unsuccessful-user; program: *Security*; xbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; blacklist: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002511; sid: 5002511; rev:4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLACKLIST] Login failure from a blacklisted IP - User Account Disabled [Brute Force] [25/1]"; content: "C0000072"; nocase; pcre: "/ 4625: | 4776: /"; classtype: unsuccessful-user; program: *Security*; xbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; blacklist: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002512; sid: 5002512; rev:4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLACKLIST] Login failure from a blacklisted IP - User Login Attempts Outside of Time Restriction [Brute Force] [25/1]"; content: "C000006F"; nocase; pcre: "/ 4625: | 4776: /"; classtype: unsuccessful-user; program: *Security*; xbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; blacklist: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002513; sid: 
5002513; rev:4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLACKLIST] Login failure from a blacklisted IP - Expired Account [Brute Force] [25/1]"; content: "C0000193"; nocase; pcre: "/ 4625: | 4776: /"; classtype: unsuccessful-user; program: *Security*; xbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; blacklist: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002514; sid: 5002514; rev:4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLACKLIST] Login failure from a blacklisted IP - Expired Password [Brute Force] [25/1]"; content: "C0000071"; nocase; pcre: "/ 4625: | 4776: /"; classtype: unsuccessful-user; program: *Security*; xbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; blacklist: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002515; sid: 5002515; rev:4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLACKLIST] Windows DC Login failure from a blacklisted IP - Brute force 0x1 - Client's entry in database has expired [25/1]"; content: " 0x1 Client "; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; classtype: unsuccessful-user; program: *Security*; xbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; blacklist: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002516; sid: 5002516; rev:4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLACKLIST] Windows DC Login failure from a blacklisted IP - Brute force 0x2 - Server's entry in database has expired [25/1]"; content: " 0x2 Client "; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; classtype: unsuccessful-user; program: *Security*; xbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: 
type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; blacklist: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002517; sid: 5002517; rev:4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLACKLIST] Windows DC Login failure from a blacklisted IP - Brute force 0x3 - Requested protocol version # not supported [25/1]"; content: " 0x3 Client "; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; classtype: unsuccessful-user; program: *Security*; xbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; blacklist: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002518; sid: 5002518; rev:4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLACKLIST] Windows DC Login failure from a blacklisted IP - Brute force 0x4 - Client's key encrypted in old master key [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x4 Client "; classtype: unsuccessful-user; program: *Security*; xbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; blacklist: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002519; sid: 5002519; rev:4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLACKLIST] Windows DC Login failure from a blacklisted IP - Brute force 0x5 - Server's key encrypted in old master key [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x5 Client "; classtype: unsuccessful-user; program: *Security*; xbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; blacklist: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002520; sid: 5002520; rev:4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLACKLIST] Windows DC Login failure from a blacklisted IP - Brute 
force 0x6 - Client not found in Kerberos database [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x6 Client "; classtype: unsuccessful-user; program: *Security*; xbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; blacklist: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002521; sid: 5002521; rev:4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLACKLIST] Windows DC Login failure from a blacklisted IP - Brute force 0x7 - Server not found in Kerberos database [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x7 Client "; classtype: unsuccessful-user; program: *Security*; xbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; blacklist: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002522; sid: 5002522; rev:4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLACKLIST] Windows DC Login failure from a blacklisted IP - Brute force 0x8 - Multiple principal entries in database [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x8 Client "; classtype: unsuccessful-user; program: *Security*; xbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; blacklist: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002523; sid: 5002523; rev:4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLACKLIST] Windows DC Login failure from a blacklisted IP - Brute force 0x9 - The client or server has a null key [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x9 Client "; classtype: unsuccessful-user; program: *Security*; xbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 
86400; parse_src_ip: 1; blacklist: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002524; sid: 5002524; rev:4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLACKLIST] Windows DC Login failure from a blacklisted IP - Brute force 0xA - Ticket not eligible for postdating [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0xA Client "; classtype: unsuccessful-user; program: *Security*; xbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; blacklist: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002525; sid: 5002525; rev:4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLACKLIST] Windows DC Login failure from a blacklisted IP - Brute force 0xB - Requested start time is later than end time [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0xB Client "; classtype: unsuccessful-user; program: *Security*; xbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; blacklist: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002526; sid: 5002526; rev:4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLACKLIST] Windows DC Login failure from a blacklisted IP - Brute force 0xC - KDC policy rejects request [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0xC "; classtype: unsuccessful-user; program: *Security*; xbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; blacklist: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002527; sid: 5002527; rev:4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLACKLIST] Windows DC Login failure from a blacklisted IP - Brute force 0xD - KDC cannot accommodate requested option [25/1]"; pcre: "/ 
675: | 676: | 681: | 4771: | 4768: /"; content: " 0xD "; classtype: unsuccessful-user; program: *Security*; xbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; blacklist: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002528; sid: 5002528; rev:4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLACKLIST] Windows DC Login failure from a blacklisted IP - Brute force 0xE - KDC has no support for encryption type [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0xE "; classtype: unsuccessful-user; program: *Security*; xbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; blacklist: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002529; sid: 5002529; rev:4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLACKLIST] Windows DC Login failure from a blacklisted IP - B4ute force 0xF - KDC has no support for checksum type [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0xF "; classtype: unsuccessful-user; program: *Security*; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; blacklist: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002530; sid: 5002530; rev:2;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLACKLIST] Windows DC Login failure from a blacklisted IP - Brute force 0x10 - KDC has no support for padata type [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x10 "; classtype: unsuccessful-user; program: *Security*; xbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; blacklist: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002531; sid: 5002531; rev:4;) 
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLACKLIST] Windows DC Login failure from a blacklisted IP - Brute force 0x11 - KDC has no support for transited type [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x11 "; classtype: unsuccessful-user; program: *Security*; xbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; blacklist: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002532; sid: 5002532; rev:4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLACKLIST] Windows DC Login failure from a blacklisted IP - Brute force 0x12 - Clients credentials have been revoked [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x12 "; classtype: unsuccessful-user; program: *Security*; xbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; blacklist: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002533; sid: 5002533; rev:4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLACKLIST] Windows DC Login failure from a blacklisted IP - Brute force 0x13 - Credentials for server have been revoked [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x13 "; classtype: unsuccessful-user; program: *Security*; xbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; blacklist: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002534; sid: 5002534; rev:4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLACKLIST] Windows DC Login failure from a blacklisted IP - Brute force 0x14 - TGT has been revoked [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x14 "; classtype: unsuccessful-user; program: *Security*; xbits: set,brute_force,21600; 
after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; blacklist: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002535; sid: 5002535; rev:4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLACKLIST] Windows DC Login failure from a blacklisted IP - Brute force 0x15 - Client not yet valid - try again later [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x15 "; classtype: unsuccessful-user; program: *Security*; xbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; blacklist: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002536; sid: 5002536; rev:4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLACKLIST] Windows DC Login failure from a blacklisted IP - Brute force 0x16 - Server not yet valid - try again later [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x16 "; classtype: unsuccessful-user; program: *Security*; xbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; blacklist: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002537; sid: 5002537; rev:4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLACKLIST] Windows DC Login failure from a blacklisted IP - Brute force 0x17 - Password has expired [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x17 "; classtype: unsuccessful-user; program: *Security*; xbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; blacklist: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002538; sid: 5002538; rev:4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLACKLIST] Windows DC Login failure from a blacklisted 
IP - Brute force 0x18 - Pre-authentication information was invalid [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x18 "; classtype: unsuccessful-user; program: *Security*; xbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; blacklist: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002539; sid: 5002539; rev:4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLACKLIST] Windows DC Login failure from a blacklisted IP - Brute force 0x19 - Additional pre-authentication required [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x19 "; classtype: unsuccessful-user; program: *Security*; xbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; blacklist: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002540; sid: 5002540; rev:4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLACKLIST] Windows DC Login failure from a blacklisted IP - Brute force 0x1F - Integrity check on decrypted field failed [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x1F "; classtype: unsuccessful-user; program: *Security*; xbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; blacklist: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002541; sid: 5002541; rev:4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLACKLIST] Windows DC Login failure from a blacklisted IP - Brute force 0x20 - Ticket expired [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x20 "; classtype: unsuccessful-user; program: *Security*; xbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 
1; blacklist: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002542; sid: 5002542; rev:4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLACKLIST] Windows DC Login failure from a blacklisted IP - Brute force 0x21 - Ticket not yet valid [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x21 "; classtype: unsuccessful-user; program: *Security*; xbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; blacklist: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002543; sid: 5002543; rev:4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLACKLIST] Windows DC Login failure from a blacklisted IP - Brute force 0x22 - Request is a replay [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x22 "; classtype: unsuccessful-user; program: *Security*; xbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; blacklist: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002544; sid: 5002544; rev:4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLACKLIST] Windows DC Login failure from a blacklisted IP - Brute force 0x23 - The ticket isn't for us [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x23 "; classtype: unsuccessful-user; program: *Security*; xbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; blacklist: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002545; sid: 5002545; rev:4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLACKLIST] Windows DC Login failure from a blacklisted IP - Brute force 0x24 - Ticket and authenticator don't match [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x24 "; classtype: 
unsuccessful-user; program: *Security*; xbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; blacklist: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002546; sid: 5002546; rev:4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLACKLIST] Windows DC Login failure from a blacklisted IP - Brute force 0x25 - Clock skew too great [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x25 "; classtype: unsuccessful-user; program: *Security*; xbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; blacklist: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002547; sid: 5002547; rev:4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLACKLIST] Windows DC Login failure from a blacklisted IP - Brute force 0x26 - Incorrect net address [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x26 "; classtype: unsuccessful-user; program: *Security*; xbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; blacklist: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002548; sid: 5002548; rev:4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLACKLIST] Windows DC Login failure from a blacklisted IP - Brute force 0x27 - Protocol version mismatch [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x27 "; classtype: unsuccessful-user; program: *Security; xbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; blacklist: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002549; sid: 5002549; rev:4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLACKLIST] 
Windows DC Login failure from a blacklisted IP - Brute force 0x28 - Invalid msg type [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x28 "; classtype: unsuccessful-user; program: *Security; xbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; blacklist: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002550; sid: 5002550; rev:4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLACKLIST] Windows DC Login failure from a blacklisted IP - Brute force 0x29 - Message stream modified [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x29 "; classtype: unsuccessful-user; program: *Security*; xbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; blacklist: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002551; sid: 5002551; rev:4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLACKLIST] Windows DC Login failure from a blacklisted IP - Brute force 0x2A - Message out of order [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x2A "; classtype: unsuccessful-user; program: *Security*; xbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; blacklist: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002552; sid: 5002552; rev:4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLACKLIST] Windows DC Login failure from a blacklisted IP - Brute force 0x2C - Specified version of key is not available [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x2C "; classtype: unsuccessful-user; program: *Security*; xbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; 
parse_src_ip: 1; blacklist: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002553; sid: 5002553; rev:4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLACKLIST] Windows DC Login failure from a blacklisted IP - Brute force 0x2D - Service key not available [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x2D "; classtype: unsuccessful-user; program: *Security*; xbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; blacklist: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002554; sid: 5002554; rev:4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLACKLIST] Windows DC Login failure from a blacklisted IP - Brute force 0x2E - Mutual authentication failed [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x2E "; classtype: unsuccessful-user; program: *Security*; xbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; blacklist: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002555; sid: 5002555; rev:4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLACKLIST] Windows DC Login failure from a blacklisted IP - Brute force 0x2F - Incorrect message direction [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x2F "; classtype: unsuccessful-user; program: *Security*; xbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; blacklist: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002556; sid: 5002556; rev:4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLACKLIST] Windows DC Login failure from a blacklisted IP - Brute force 0x30 - Alternative authentication method required [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: 
/"; content: " 0x30 "; classtype: unsuccessful-user; program: *Security*; xbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; blacklist: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002557; sid: 5002557; rev:4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLACKLIST] Windows DC Login failure from a blacklisted IP - Brute force 0x31 - Incorrect sequence number in message [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x31 "; classtype: unsuccessful-user; program: *Security*; xbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; blacklist: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002558; sid: 5002558; rev:4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLACKLIST] Windows DC Login failure from a blacklisted IP - Brute force 0x32 - Inappropriate type of checksum in message [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x32 "; classtype: unsuccessful-user; program: *Security*; xbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; blacklist: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002559; sid: 5002559; rev:4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLACKLIST] Windows DC Login failure from a blacklisted IP - Brute force 0x3C - Generic error [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x3C "; classtype: unsuccessful-user; program: *Security*; xbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; blacklist: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002560; sid: 5002560; rev:4;) #alert any 
$EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLACKLIST] Windows DC Login failure from a blacklisted IP - Brute force 0x3D - Field is too long for this implementation [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x3D "; classtype: unsuccessful-user; program: *Security*; xbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; blacklist: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002561; sid: 5002561; rev:4;) sagan-1.2.0/rules/watchguard-geoip.rules0000644000175000017500000000515213310533411017202 0ustar champchamp# Sagan watchguard-geoip.rules # Copyright (c) 2009-2017, Quadrant Information Security # All rights reserved. # # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list # #************************************************************* # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. 
IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. # # # Watchguard rules by Kenneth Comollo ; # 2017/03/08 alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WATCHGUARD-GEOIP] VPN login from outside HOME_COUNTRY"; program: WatchGuard*; content: "msg_id=|22|0207-0001|22|"; country_code: track by_src, isnot $HOME_COUNTRY; default_proto:tcp; default_dst_port: $HTTPS_PORT; classtype: successful-user; parse_src_ip: 2; reference:url,www.watchguard.com/help/docs/wsm/XTM_11/en-US/log_catalog/index.html; sid:5003095; rev:2;) alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[WATCHGUARD-GEOIP] FTP file transfer to outside HOME_COUNTRY"; program: WatchGuard*; country_code: track by_dst, isnot $HOME_COUNTRY; default_proto:tcp; default_dst_port: $FTP_PORT; classtype: successful-user; parse_src_ip: 1; parse_dst_ip: 2; reference:url,www.watchguard.com/help/docs/wsm/XTM_11/en-US/log_catalog/index.html; sid:5003096; rev:2;) sagan-1.2.0/rules/windows-bluedot.rules0000644000175000017500000011232713310533411017101 0ustar champchamp# Sagan windows-bluedot.rules # Copyright (c) 2009-2017, Quadrant Information Security # All rights reserved. 
# # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list # #************************************************************* # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. # # ************************************************************* # Windows Bluedot rules. # Eventlog to syslog service. This is what we primarily use. 
# http://code.google.com/p/eventlog-to-syslog/ alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[WINDOWS-BLUEDOT] RDP / Logon type 10 from a Bluedot listed IP"; program: *Security*; pcre: "/ 528: | 4624: /"; content: "Logon Type|3a| 10 "; bluedot: type ip_reputation, track by_src, none, Malicious,Tor,Honeypot,Proxy; program: *Security*; parse_src_ip: 1; normalize; default_proto: tcp; classtype: successful-user; reference: url,wiki.quadrantsec.com/bin/view/Main/5002344; sid:5002344; rev:6;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLUEDOT] Login failure from a Bluedot listed IP [0/5]"; program: *Security*; content: " 529|3a| "; classtype: unsuccessful-user; bluedot: type ip_reputation, track by_src, none, Malicious,Tor,Honeypot,Proxy; threshold: type limit, track by_src, count 5, seconds 300; fwsam: src, 1 day; normalize; parse_src_ip: 1; parse_port; reference: url,wiki.quadrantsec.com/bin/view/Main/5002345; sid:5002345; rev:6;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLUEDOT] Login failure from a Bluedot listed IP [Time restriction] [0/5]"; content: " 530|3a| "; classtype: unsuccessful-user; program: *Security*; parse_src_ip: 1; bluedot: type ip_reputation, track by_src, none, Malicious,Tor,Honeypot,Proxy; threshold: type limit, track by_src, count 5, seconds 300; fwsam: src, 1 day; normalize; reference: url,wiki.quadrantsec.com/bin/view/Main/5002346; sid:5002346; rev:6;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLUEDOT] Login failure from Bluedot listed IP - Account currently disabled [0/5]"; content: " 531|3a| "; content:!"User Name|3a| Domain|3a|"; classtype: unsuccessful-user; program: *Security*; bluedot: type ip_reputation, track by_src, none, Malicious,Tor,Honeypot,Proxy; normalize; parse_src_ip: 1; threshold: type limit, track by_src, count 5, seconds 300; reference: url,wiki.quadrantsec.com/bin/view/Main/5002347; sid:5002347; rev:6;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: 
"[WINDOWS-BLUEDOT] Login failure from Bluedot listed IP - Specified account expired"; content: " 532|3a| "; classtype: unsuccessful-user; program: *Security*; bluedot: type ip_reputation, track by_src, none, Malicious,Tor,Honeypot,Proxy; normalize; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5002348; sid:5002348; rev:6;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLUEDOT] Login failure from Bluedot listed IP - User not allowed to login at this computer"; content: " 533|3a| "; classtype: unsuccessful-user; program: *Security*; bluedot: type ip_reputation, track by_src, none, Malicious,Tor,Honeypot,Proxy; normalize; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5002349; sid:5002349; rev:6;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLUEDOT] Login failure from Bluedot listed IP - Account locked [0/1]"; content: " 539|3a| "; content:!"User Name|3a| Domain|3a| Logon Type|3a|"; classtype: unsuccessful-user; bluedot: type ip_reputation, track by_src, none, Malicious,Tor,Honeypot,Proxy; threshold: type limit, track by_src, count 5, seconds 300; parse_src_ip: 1; parse_port; normalize; fwsam: src, 1 day; program: *Security*; reference: url,wiki.quadrantsec.com/bin/view/Main/5002350; sid:5002350; rev:6;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLUEDOT] Windows DC Logon Failure from Bluedot listed IP"; pcre: "/ 675: | 676: | 681: /"; classtype: unsuccessful-user; program: *Security*; bluedot: type ip_reputation, track by_src, none, Malicious,Tor,Honeypot,Proxy; normalize; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5002351; sid:5002351; rev:6;) # Rules added by Brian Echeverry ( becheverry@quadrantsec.com) - 10/19/2015 #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLUEDOT] Login failure from a Bluedot listed IP - User Name Does Not Exist [Brute Force] [25/1]"; content: "C0000064"; nocase; pcre: "/ 4625: | 4776: /"; content:!"$ Source"; 
content:!"$ Account Domain|3a| "; xbits: set,brute_force,21600; classtype: unsuccessful-user; program: *Security*; parse_src_ip: 1; bluedot: type ip_reputation, track by_src, none, Malicious,Tor,Honeypot,Proxy; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; reference: url,wiki.quadrantsec.com/bin/view/Main/5002455; sid: 5002455; rev:6;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLUEDOT] Login failure from a Bluedot listed IP - User Correct but Incorrect Password [Brute Force] [25/1]"; content: "C000006A"; nocase; pcre: "/ 4625: | 4776: /"; content:!"$ Account Domain|3a| "; xbits: set,brute_force,21600; classtype: unsuccessful-user; program: *Security*; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bluedot: type ip_reputation, track by_src, none, Malicious,Tor,Honeypot,Proxy; reference: url,wiki.quadrantsec.com/bin/view/Main/5002456; sid: 5002456; rev:6;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLUEDOT] Login failure from a Bluedot listed IP - User Is Locked Out [Brute Force] [25/1]"; content: "C0000234"; nocase; pcre: "/ 4625: | 4776: /"; classtype: unsuccessful-user; program: *Security*; xbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bluedot: type ip_reputation, track by_src, none, Malicious,Tor,Honeypot,Proxy; reference: url,wiki.quadrantsec.com/bin/view/Main/5002457; sid: 5002457; rev:6;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLUEDOT] Login failure from a Bluedot listed IP - User Account Disabled [Brute Force] [25/1]"; content: "C0000072"; nocase; pcre: "/ 4625: | 4776: /"; classtype: unsuccessful-user; program: *Security*; xbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; 
parse_src_ip: 1; bluedot: type ip_reputation, track by_src, none, Malicious,Tor,Honeypot,Proxy; reference: url,wiki.quadrantsec.com/bin/view/Main/5002458; sid: 5002458; rev:6;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLUEDOT] Login failure from a Bluedot listed IP - User Login Attempts Outside of Time Restriction [Brute Force] [25/1]"; content: "C000006F"; nocase; pcre: "/ 4625: | 4776: /"; classtype: unsuccessful-user; program: *Security*; xbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bluedot: type ip_reputation, track by_src, none, Malicious,Tor,Honeypot,Proxy; reference: url,wiki.quadrantsec.com/bin/view/Main/5002459; sid: 5002459; rev:6;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLUEDOT] Login failure from a Bluedot listed IP - Expired Account [Brute Force] [25/1]"; content: "C0000193"; nocase; pcre: "/ 4625: | 4776: /"; classtype: unsuccessful-user; program: *Security*; xbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bluedot: type ip_reputation, track by_src, none, Malicious,Tor,Honeypot,Proxy; reference: url,wiki.quadrantsec.com/bin/view/Main/5002460; sid: 5002460; rev:6;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLUEDOT] Login failure from a Bluedot listed IP - Expired Password [Brute Force] [25/1]"; content: "C0000071"; nocase; pcre: "/ 4625: | 4776: /"; classtype: unsuccessful-user; program: *Security*; xbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bluedot: type ip_reputation, track by_src, none, Malicious,Tor,Honeypot,Proxy; reference: url,wiki.quadrantsec.com/bin/view/Main/5002461; sid: 5002461; rev:6;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLUEDOT] Windows 
DC Login failure from a Bluedot listed IP - Brute force 0x1 - Client's entry in database has expired [25/1]"; content: " 0x1 Client "; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; classtype: unsuccessful-user; program: *Security*; xbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bluedot: type ip_reputation, track by_src, none, Malicious,Tor,Honeypot,Proxy; reference: url,wiki.quadrantsec.com/bin/view/Main/5002462; sid: 5002462; rev:6;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLUEDOT] Windows DC Login failure from a Bluedot listed IP - Brute force 0x2 - Server's entry in database has expired [25/1]"; content: " 0x2 Client "; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; classtype: unsuccessful-user; program: *Security*; xbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bluedot: type ip_reputation, track by_src, none, Malicious,Tor,Honeypot,Proxy; reference: url,wiki.quadrantsec.com/bin/view/Main/5002463; sid: 5002463; rev:6;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLUEDOT] Windows DC Login failure from a Bluedot listed IP - Brute force 0x3 - Requested protocol version # not supported [25/1]"; content: " 0x3 Client "; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; classtype: unsuccessful-user; program: *Security*; xbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bluedot: type ip_reputation, track by_src, none, Malicious,Tor,Honeypot,Proxy; reference: url,wiki.quadrantsec.com/bin/view/Main/5002464; sid: 5002464; rev:6;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLUEDOT] Windows DC Login failure from a Bluedot listed IP - Brute force 0x4 - Client's key encrypted in old master key [25/1]"; pcre: "/ 
675: | 676: | 681: | 4771: | 4768: /"; content: " 0x4 Client "; classtype: unsuccessful-user; program: *Security*; xbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bluedot: type ip_reputation, track by_src, none, Malicious,Tor,Honeypot,Proxy; reference: url,wiki.quadrantsec.com/bin/view/Main/5002465; sid: 5002465; rev:6;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLUEDOT] Windows DC Login failure from a Bluedot listed IP - Brute force 0x5 - Server's key encrypted in old master key [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x5 Client "; classtype: unsuccessful-user; program: *Security*; xbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bluedot: type ip_reputation, track by_src, none, Malicious,Tor,Honeypot,Proxy; reference: url,wiki.quadrantsec.com/bin/view/Main/5002466; sid: 5002466; rev:6;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLUEDOT] Windows DC Login failure from a Bluedot listed IP - Brute force 0x6 - Client not found in Kerberos database [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x6 Client "; classtype: unsuccessful-user; program: *Security*; xbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bluedot: type ip_reputation, track by_src, none, Malicious,Tor,Honeypot,Proxy; reference: url,wiki.quadrantsec.com/bin/view/Main/5002467; sid: 5002467; rev:6;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLUEDOT] Windows DC Login failure from a Bluedot listed IP - Brute force 0x7 - Server not found in Kerberos database [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x7 Client "; classtype: unsuccessful-user; program: *Security*; xbits: 
set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bluedot: type ip_reputation, track by_src, none, Malicious,Tor,Honeypot,Proxy; reference: url,wiki.quadrantsec.com/bin/view/Main/5002468; sid: 5002468; rev:6;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLUEDOT] Windows DC Login failure from a Bluedot listed IP - Brute force 0x8 - Multiple principal entries in database [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x8 Client "; classtype: unsuccessful-user; program: *Security*; xbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bluedot: type ip_reputation, track by_src, none, Malicious,Tor,Honeypot,Proxy; reference: url,wiki.quadrantsec.com/bin/view/Main/5002469; sid: 5002469; rev:6;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLUEDOT] Windows DC Login failure from a Bluedot listed IP - Brute force 0x9 - The client or server has a null key [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x9 Client "; classtype: unsuccessful-user; program: *Security*; xbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bluedot: type ip_reputation, track by_src, none, Malicious,Tor,Honeypot,Proxy; reference: url,wiki.quadrantsec.com/bin/view/Main/5002470; sid: 5002470; rev:6;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLUEDOT] Windows DC Login failure from a Bluedot listed IP - Brute force 0xA - Ticket not eligible for postdating [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0xA Client "; classtype: unsuccessful-user; program: *Security*; xbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; 
parse_src_ip: 1; bluedot: type ip_reputation, track by_src, none, Malicious,Tor,Honeypot,Proxy; reference: url,wiki.quadrantsec.com/bin/view/Main/5002471; sid: 5002471; rev:6;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLUEDOT] Windows DC Login failure from a Bluedot listed IP - Brute force 0xB - Requested start time is later than end time [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0xB Client "; classtype: unsuccessful-user; program: *Security*; xbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bluedot: type ip_reputation, track by_src, none, Malicious,Tor,Honeypot,Proxy; reference: url,wiki.quadrantsec.com/bin/view/Main/5002472; sid: 5002472; rev:6;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLUEDOT] Windows DC Login failure from a Bluedot listed IP - Brute force 0xC - KDC policy rejects request [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0xC "; classtype: unsuccessful-user; program: *Security*; xbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bluedot: type ip_reputation, track by_src, none, Malicious,Tor,Honeypot,Proxy; reference: url,wiki.quadrantsec.com/bin/view/Main/5002473; sid: 5002473; rev:6;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLUEDOT] Windows DC Login failure from a Bluedot listed IP - Brute force 0xD - KDC cannot accommodate requested option [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0xD "; classtype: unsuccessful-user; program: *Security*; xbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bluedot: type ip_reputation, track by_src, none, Malicious,Tor,Honeypot,Proxy; reference: 
url,wiki.quadrantsec.com/bin/view/Main/5002475; sid: 5002475; rev:6;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLUEDOT] Windows DC Login failure from a Bluedot listed IP - Brute force 0xE - KDC has no support for encryption type [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0xE "; classtype: unsuccessful-user; program: *Security*; xbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bluedot: type ip_reputation, track by_src, none, Malicious,Tor,Honeypot,Proxy; reference: url,wiki.quadrantsec.com/bin/view/Main/5002476; sid: 5002476; rev:6;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLUEDOT] Windows DC Login failure from a Bluedot listed IP - Brute force 0xF - KDC has no support for checksum type [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0xF "; classtype: unsuccessful-user; program: *Security*; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bluedot: type ip_reputation, track by_src, none, Malicious,Tor,Honeypot,Proxy; reference: url,wiki.quadrantsec.com/bin/view/Main/5002477; sid: 5002477; rev:3;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLUEDOT] Windows DC Login failure from a Bluedot listed IP - Brute force 0x10 - KDC has no support for padata type [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x10 "; classtype: unsuccessful-user; program: *Security*; xbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bluedot: type ip_reputation, track by_src, none, Malicious,Tor,Honeypot,Proxy; reference: url,wiki.quadrantsec.com/bin/view/Main/5002478; sid: 5002478; rev:6;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLUEDOT] Windows DC Login failure from a 
Bluedot listed IP - Brute force 0x11 - KDC has no support for transited type [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x11 "; classtype: unsuccessful-user; program: *Security*; xbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bluedot: type ip_reputation, track by_src, none, Malicious,Tor,Honeypot,Proxy; reference: url,wiki.quadrantsec.com/bin/view/Main/5002479; sid: 5002479; rev:6;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLUEDOT] Windows DC Login failure from a Bluedot listed IP - Brute force 0x12 - Clients credentials have been revoked [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x12 "; classtype: unsuccessful-user; program: *Security*; xbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bluedot: type ip_reputation, track by_src, none, Malicious,Tor,Honeypot,Proxy; reference: url,wiki.quadrantsec.com/bin/view/Main/5002480; sid: 5002480; rev:6;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLUEDOT] Windows DC Login failure from a Bluedot listed IP - Brute force 0x13 - Credentials for server have been revoked [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x13 "; classtype: unsuccessful-user; program: *Security*; xbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bluedot: type ip_reputation, track by_src, none, Malicious,Tor,Honeypot,Proxy; reference: url,wiki.quadrantsec.com/bin/view/Main/5002481; sid: 5002481; rev:6;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLUEDOT] Windows DC Login failure from a Bluedot listed IP - Brute force 0x14 - TGT has been revoked [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x14 "; 
classtype: unsuccessful-user; program: *Security*; xbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bluedot: type ip_reputation, track by_src, none, Malicious,Tor,Honeypot,Proxy; reference: url,wiki.quadrantsec.com/bin/view/Main/5002482; sid: 5002482; rev:6;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLUEDOT] Windows DC Login failure from a Bluedot listed IP - Brute force 0x15 - Client not yet valid - try again later [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x15 "; classtype: unsuccessful-user; program: *Security*; xbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bluedot: type ip_reputation, track by_src, none, Malicious,Tor,Honeypot,Proxy; reference: url,wiki.quadrantsec.com/bin/view/Main/5002483; sid: 5002483; rev:6;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLUEDOT] Windows DC Login failure from a Bluedot listed IP - Brute force 0x16 - Server not yet valid - try again later [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x16 "; classtype: unsuccessful-user; program: *Security*; xbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bluedot: type ip_reputation, track by_src, none, Malicious,Tor,Honeypot,Proxy; reference: url,wiki.quadrantsec.com/bin/view/Main/5002484; sid: 5002484; rev:6;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLUEDOT] Windows DC Login failure from a Bluedot listed IP - Brute force 0x17 - Password has expired [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x17 "; classtype: unsuccessful-user; program: *Security*; xbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track 
by_src, count 1, seconds 86400; parse_src_ip: 1; bluedot: type ip_reputation, track by_src, none, Malicious,Tor,Honeypot,Proxy; reference: url,wiki.quadrantsec.com/bin/view/Main/5002485; sid: 5002485; rev:6;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLUEDOT] Windows DC Login failure from a Bluedot listed IP - Brute force 0x18 - Pre-authentication information was invalid [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x18 "; classtype: unsuccessful-user; program: *Security*; xbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bluedot: type ip_reputation, track by_src, none, Malicious,Tor,Honeypot,Proxy; reference: url,wiki.quadrantsec.com/bin/view/Main/5002486; sid: 5002486; rev:6;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLUEDOT] Windows DC Login failure from a Bluedot listed IP - Brute force 0x19 - Additional pre-authentication required [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x19 "; classtype: unsuccessful-user; program: *Security*; xbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bluedot: type ip_reputation, track by_src, none, Malicious,Tor,Honeypot,Proxy; reference: url,wiki.quadrantsec.com/bin/view/Main/5002487; sid: 5002487; rev:6;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLUEDOT] Windows DC Login failure from a Bluedot listed IP - Brute force 0x1F - Integrity check on decrypted field failed [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x1F "; classtype: unsuccessful-user; program: *Security*; xbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bluedot: type ip_reputation, track by_src, none, Malicious,Tor,Honeypot,Proxy; 
reference: url,wiki.quadrantsec.com/bin/view/Main/5002488; sid: 5002488; rev:6;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLUEDOT] Windows DC Login failure from a Bluedot listed IP - Brute force 0x20 - Ticket expired [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x20 "; classtype: unsuccessful-user; program: *Security*; xbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bluedot: type ip_reputation, track by_src, none, Malicious,Tor,Honeypot,Proxy; reference: url,wiki.quadrantsec.com/bin/view/Main/5002489; sid: 5002489; rev:6;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLUEDOT] Windows DC Login failure from a Bluedot listed IP - Brute force 0x21 - Ticket not yet valid [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x21 "; classtype: unsuccessful-user; program: *Security*; xbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bluedot: type ip_reputation, track by_src, none, Malicious,Tor,Honeypot,Proxy; reference: url,wiki.quadrantsec.com/bin/view/Main/5002490; sid: 5002490; rev:6;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLUEDOT] Windows DC Login failure from a Bluedot listed IP - Brute force 0x22 - Request is a replay [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x22 "; classtype: unsuccessful-user; program: *Security*; xbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bluedot: type ip_reputation, track by_src, none, Malicious,Tor,Honeypot,Proxy; reference: url,wiki.quadrantsec.com/bin/view/Main/5002491; sid: 5002491; rev:6;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLUEDOT] Windows DC Login failure from a Bluedot listed 
IP - Brute force 0x23 - The ticket isn't for us [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x23 "; classtype: unsuccessful-user; program: *Security*; xbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bluedot: type ip_reputation, track by_src, none, Malicious,Tor,Honeypot,Proxy; reference: url,wiki.quadrantsec.com/bin/view/Main/5002492; sid: 5002492; rev:6;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLUEDOT] Windows DC Login failure from a Bluedot listed IP - Brute force 0x24 - Ticket and authenticator don't match [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x24 "; classtype: unsuccessful-user; program: *Security*; xbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bluedot: type ip_reputation, track by_src, none, Malicious,Tor,Honeypot,Proxy; reference: url,wiki.quadrantsec.com/bin/view/Main/5002493; sid: 5002493; rev:6;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLUEDOT] Windows DC Login failure from a Bluedot listed IP - Brute force 0x25 - Clock skew too great [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x25 "; classtype: unsuccessful-user; program: *Security*; xbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bluedot: type ip_reputation, track by_src, none, Malicious,Tor,Honeypot,Proxy; reference: url,wiki.quadrantsec.com/bin/view/Main/5002494; sid: 5002494; rev:6;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLUEDOT] Windows DC Login failure from a Bluedot listed IP - Brute force 0x26 - Incorrect net address [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x26 "; classtype: unsuccessful-user; program: *Security*; 
xbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bluedot: type ip_reputation, track by_src, none, Malicious,Tor,Honeypot,Proxy; reference: url,wiki.quadrantsec.com/bin/view/Main/5002495; sid: 5002495; rev:6;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLUEDOT] Windows DC Login failure from a Bluedot listed IP - Brute force 0x27 - Protocol version mismatch [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x27 "; classtype: unsuccessful-user; program: *Security; xbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bluedot: type ip_reputation, track by_src, none, Malicious,Tor,Honeypot,Proxy; reference: url,wiki.quadrantsec.com/bin/view/Main/5002496; sid: 5002496; rev:6;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLUEDOT] Windows DC Login failure from a Bluedot listed IP - Brute force 0x28 - Invalid msg type [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x28 "; classtype: unsuccessful-user; program: *Security; xbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bluedot: type ip_reputation, track by_src, none, Malicious,Tor,Honeypot,Proxy; reference: url,wiki.quadrantsec.com/bin/view/Main/5002497; sid: 5002497; rev:6;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLUEDOT] Windows DC Login failure from a Bluedot listed IP - Brute force 0x29 - Message stream modified [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x29 "; classtype: unsuccessful-user; program: *Security*; xbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bluedot: type ip_reputation, track 
by_src, none, Malicious,Tor,Honeypot,Proxy; reference: url,wiki.quadrantsec.com/bin/view/Main/5002498; sid: 5002498; rev:6;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLUEDOT] Windows DC Login failure from a Bluedot listed IP - Brute force 0x2A - Message out of order [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x2A "; classtype: unsuccessful-user; program: *Security*; xbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bluedot: type ip_reputation, track by_src, none, Malicious,Tor,Honeypot,Proxy; reference: url,wiki.quadrantsec.com/bin/view/Main/5002499; sid: 5002499; rev:6;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLUEDOT] Windows DC Login failure from a Bluedot listed IP - Brute force 0x2C - Specified version of key is not available [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x2C "; classtype: unsuccessful-user; program: *Security*; xbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bluedot: type ip_reputation, track by_src, none, Malicious,Tor,Honeypot,Proxy; reference: url,wiki.quadrantsec.com/bin/view/Main/5002500; sid: 5002500; rev:6;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLUEDOT] Windows DC Login failure from a Bluedot listed IP - Brute force 0x2D - Service key not available [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x2D "; classtype: unsuccessful-user; program: *Security*; xbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bluedot: type ip_reputation, track by_src, none, Malicious,Tor,Honeypot,Proxy; reference: url,wiki.quadrantsec.com/bin/view/Main/5002501; sid: 5002501; rev:6;) #alert any $EXTERNAL_NET any -> $HOME_NET 
any (msg: "[WINDOWS-BLUEDOT] Windows DC Login failure from a Bluedot listed IP - Brute force 0x2E - Mutual authentication failed [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x2E "; classtype: unsuccessful-user; program: *Security*; xbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bluedot: type ip_reputation, track by_src, none, Malicious,Tor,Honeypot,Proxy; reference: url,wiki.quadrantsec.com/bin/view/Main/5002502; sid: 5002502; rev:6;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLUEDOT] Windows DC Login failure from a Bluedot listed IP - Brute force 0x2F - Incorrect message direction [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x2F "; classtype: unsuccessful-user; program: *Security*; xbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bluedot: type ip_reputation, track by_src, none, Malicious,Tor,Honeypot,Proxy; reference: url,wiki.quadrantsec.com/bin/view/Main/5002503; sid: 5002503; rev:6;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLUEDOT] Windows DC Login failure from a Bluedot listed IP - Brute force 0x30 - Alternative authentication method required [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x30 "; classtype: unsuccessful-user; program: *Security*; xbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bluedot: type ip_reputation, track by_src, none, Malicious,Tor,Honeypot,Proxy; reference: url,wiki.quadrantsec.com/bin/view/Main/5002504; sid: 5002504; rev:6;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLUEDOT] Windows DC Login failure from a Bluedot listed IP - Brute force 0x31 - Incorrect sequence number in message [25/1]"; pcre: "/ 
675: | 676: | 681: | 4771: | 4768: /"; content: " 0x31 "; classtype: unsuccessful-user; program: *Security*; xbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bluedot: type ip_reputation, track by_src, none, Malicious,Tor,Honeypot,Proxy; reference: url,wiki.quadrantsec.com/bin/view/Main/5002505; sid: 5002505; rev:6;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLUEDOT] Windows DC Login failure from a Bluedot listed IP - Brute force 0x32 - Inappropriate type of checksum in message [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x32 "; classtype: unsuccessful-user; program: *Security*; xbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bluedot: type ip_reputation, track by_src, none, Malicious,Tor,Honeypot,Proxy; reference: url,wiki.quadrantsec.com/bin/view/Main/5002506; sid: 5002506; rev:6;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLUEDOT] Windows DC Login failure from a Bluedot listed IP - Brute force 0x3C - Generic error [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x3C "; classtype: unsuccessful-user; program: *Security*; xbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bluedot: type ip_reputation, track by_src, none, Malicious,Tor,Honeypot,Proxy; reference: url,wiki.quadrantsec.com/bin/view/Main/5002507; sid: 5002507; rev:6;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLUEDOT] Windows DC Login failure from a Bluedot listed IP - Brute force 0x3D - Field is too long for this implementation [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x3D "; classtype: unsuccessful-user; program: *Security*; xbits: set,brute_force,21600; after: track 
by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bluedot: type ip_reputation, track by_src, none, Malicious,Tor,Honeypot,Proxy; reference: url,wiki.quadrantsec.com/bin/view/Main/5002508; sid: 5002508; rev:6;) sagan-1.2.0/rules/vsftpd-correlated.rules0000644000175000017500000001071013310533411017374 0ustar champchamp# Sagan vsftpd-correlated.rules # Copyright (c) 2009-2017, Quadrant Information Security # All rights reserved. # # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list # #************************************************************* # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. 
IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. # #************************************************************* alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[VSFTPD-CORRELATED] Authentication after recon activity"; content: "OK LOGIN"; default_proto: tcp; default_dst_port: $FTP_PORT; classtype: correlated-attack; program: vsftpd; xbits: isset,by_src,recon; reference: url,wiki.quadrantsec.com/bin/view/Main/5003329; sid:5003329; rev:1;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[VSFTPD-CORRELATED] Authentication after honeypot activity"; content: "OK LOGIN"; default_proto: tcp; default_dst_port: $FTP_PORT; classtype: correlated-attack; program: vsftpd; xbits: isset,by_src,honeypot; reference: url,wiki.quadrantsec.com/bin/view/Main/5003330; sid:5003330; rev:1;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[VSFTPD-CORRELATED] Authentication after exploit attempt"; content: "OK LOGIN"; default_proto: tcp; default_dst_port: $FTP_PORT; classtype: correlated-attack; program: vsftpd; xbits: isset,by_src,exploit_attempt; reference: url,wiki.quadrantsec.com/bin/view/Main/5003331; sid:5003331; rev:1;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[VSFTPD-CORRELATED] Authentication after brute force activity"; content: "OK LOGIN"; default_proto: tcp; default_dst_port: $FTP_PORT; classtype: correlated-attack; program: vsftpd; xbits: isset,by_src,brute_force; reference: url,wiki.quadrantsec.com/bin/view/Main/5003332; sid:5003332; rev:1;) alert any $EXTERNAL_NET any -> $HOME_NET any 
(msg:"[VSFTPD-CORRELATED] File uploaded after recon activity"; content: "OK UPLOAD"; default_proto: tcp; default_dst_port: $FTP_PORT; classtype: correlated-attack; xbits: isset,by_src,recon; program: vsftpd; reference: url,wiki.quadrantsec.com/bin/view/Main/5003333; sid:5003333; rev:1;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[VSFTPD-CORRELATED] File uploaded after honeypot activity"; content: "OK UPLOAD"; default_proto: tcp; default_dst_port: $FTP_PORT; classtype: correlated-attack; xbits: isset,by_src,honeypot; program: vsftpd; reference: url,wiki.quadrantsec.com/bin/view/Main/5003334; sid:5003334; rev:1;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[VSFTPD-CORRELATED] File uploaded after exploit attempt"; content: "OK UPLOAD"; default_proto: tcp; default_dst_port: $FTP_PORT; classtype: correlated-attack; xbits: isset,by_src,exploit_attempt; program: vsftpd; reference: url,wiki.quadrantsec.com/bin/view/Main/5003335; sid:5003335; rev:1;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[VSFTPD-CORRELATED] File uploaded after brute force activity"; content: "OK UPLOAD"; default_proto: tcp; default_dst_port: $FTP_PORT; classtype: correlated-attack; xbits: isset,by_src,brute_force; program: vsftpd; reference: url,wiki.quadrantsec.com/bin/view/Main/5003336; sid:5003336; rev:1;) sagan-1.2.0/rules/palo-alto.rules0000644000175000017500000003362413310533411015645 0ustar champchamp# palo-alto.rules # Copyright (c) 2009-2017, Quadrant Information Security # All rights reserved. # # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list # #************************************************************* # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. 
# * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
# #************************************************************* # Palo Alto Rules Created by Robert Nunley (rnunley@quadrantsec.com) # 10/23/2015 alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[PALO-ALTO] Certificate has illegal URL"; content: "Certificate"; content: "has illegal URL"; classtype: system-event; reference: url,live.paloaltonetworks.com/twzvq79624/attachments/twzvq79624/learning_tkb/428/1/System_log_PANOS4.1rev3.xlsx; sid: 5002580; rev:3;) #alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[PALO-ALTO] AntiVirus update job failed"; content: "AntiVirus update job failed"; classtype: system-event; reference: url,live.paloaltonetworks.com/twzvq79624/attachments/twzvq79624/learning_tkb/428/1/System_log_PANOS4.1rev3.xlsx; sid: 5002582; rev:3;) alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[PALO-ALTO] Authorization failed - Brute Force [25/1] "; content: "Authorization failed for user "; default_proto: tcp; classtype: unsuccessful-user; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; xbits: set,brute_force,21600; parse_src_ip: 1; reference: url,live.paloaltonetworks.com/twzvq79624/attachments/twzvq79624/learning_tkb/428/1/System_log_PANOS4.1rev3.xlsx; sid: 5002583; rev:4;) alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[PALO-ALTO] Chassis Master Alarm"; content: "Chassis Master Alarm"; classtype: hardware-event; reference: url,live.paloaltonetworks.com/twzvq79624/attachments/twzvq79624/learning_tkb/428/1/System_log_PANOS4.1rev3.xlsx; sid: 5002584; rev:3;) #alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[PALO-ALTO] Failed to connect to Panorama Server"; content: "Failed to connect to Panorama Server"; classtype: system-event; reference: url,ive.paloaltonetworks.com/twzvq79624/attachments/twzvq79624/learning_tkb/428/1/System_log_PANOS4.1rev3.xlsx; sid: 5002585; rev:4;) alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[PALO-ALTO] Failed Interactive Login - Brute Force [15/1]"; 
content: "Failed keyboard-interactive/pam for invalid user"; parse_src_ip: 1; default_proto: tcp; classtype: unsuccessful-user; xbits: set,brute_force,21600; after: track by_src, count 15, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; reference: url,live.paloaltonetworks.com/twzvq79624/attachments/twzvq79624/learning_tkb/428/1/System_log_PANOS4.1rev3.xlsx; sid: 5002586; rev:4;) #alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[PALO-ALTO] Failed to install software"; content: "Failed to install software"; classtype: system-event; reference: url,live.paloaltonetworks.com/twzvq79624/attachments/twzvq79624/learning_tkb/428/1/System_log_PANOS4.1rev3.xlsx; sid: 5002587; rev:3;) alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[PALO-ALTO] NTLM Authentication Brute Force - [25/1]"; content: "NTLM authentication failed for user"; after: track by_src, count 15, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; xbits: set,brute_force,21600; parse_src_ip: 1; default_proto: tcp; classtype: unsuccessful-user; reference: url,live.paloaltonetworks.com/twzvq79624/attachments/twzvq79624/learning_tkb/428/1/System_log_PANOS4.1rev3.xlsx; sid: 5002588; rev:3;) alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[PALO-ALTO] User Authentication - Brute Force [25/1]"; content: "User"; content: "failed authentication"; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; xbits: set,brute_force,21600; parse_src_ip: 1; default_proto: tcp; classtype: unsuccessful-user; reference: url,live.paloaltonetworks.com/twzvq79624/attachments/twzvq79624/learning_tkb/428/1/System_log_PANOS4.1rev3.xlsx; sid: 5002591; rev:3;) alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[PALO-ALTO] Possible Replay Attempt Caused Disconnection"; content: "Disconnecting due to possible replay attempt"; default_proto: tcp; classtype: network-event; reference: 
url,live.paloaltonetworks.com/twzvq79624/attachments/twzvq79624/learning_tkb/428/1/System_log_PANOS4.1rev3.xlsx; sid: 5002592; rev:3;) alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[PALO-ALTO] PPPoE Brute Force Attempt - [25/1]"; content: "PPPoE session failed to connect"; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; xbits: set,brute_force,21600; parse_src_ip: 1; default_proto: tcp; classtype: unsuccessful-user; reference: url,live.paloaltonetworks.com/twzvq79624/attachments/twzvq79624/learning_tkb/428/1/System_log_PANOS4.1rev3.xlsx; sid: 5002595; rev:4;) alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[PALO-ALTO] SSL VPN User Authentication Failure - Brute Force [25/1]"; content: "SSL VPN user authentication failed"; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; xbits: set,brute_force,21600; parse_src_ip: 1; default_proto: tcp; classtype: unsuccessful-user; reference: url,ive.paloaltonetworks.com/twzvq79624/attachments/twzvq79624/learning_tkb/428/1/System_log_PANOS4.1rev3.xlsx; sid: 5002596; rev:4;) alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[PALO-ALTO] SSL VPN Login - Brute Force [25/1]"; content: "SSL VPN user login failed"; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; xbits: set,brute_force,21600; parse_src_ip: 1; default_proto: tcp; classtype: unsuccessful-user; reference: url,live.paloaltonetworks.com/twzvq79624/attachments/twzvq79624/learning_tkb/428/1/System_log_PANOS4.1rev3.xlsx; sid: 5002598; rev:4;) alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[PALO-ALTO] Certificate is revoked"; content: "Certificate"; content: "is revoked"; classtype: system-event; reference: url,live.paloaltonetworks.com/twzvq79624/attachments/twzvq79624/learning_tkb/428/1/System_log_PANOS4.1rev3.xlsx; sid: 5002600; rev:2;) #####Below Contributed by ~Cyber.Tao.Flow~ ########URLZ 
alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[PALO-ALTO] Malware URL Blocked"; content:",THREAT,url,"; content:",block-url,"; content:!",online-personal-storage,"; content:",malware-sites,"; threshold: type limit, count 1, seconds 1800, track by_src; normalize; parse_port; parse_proto; parse_src_ip: 1; parse_dst_ip: 2; default_proto: tcp; default_dst_port: $HTTP_PORT; classtype: suspicious-traffic; reference: url,www.brightcloud.com/tools/url-ip-lookup.php; sid: 5002749; rev:5;) alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[PALO-ALTO] Phishing URL Blocked"; content:",THREAT,url,"; content:",block-url,"; content:!",online-personal-storage,"; content:",phishing-and-other-frauds,"; threshold: type limit, count 1, seconds 600, track by_src; normalize; parse_port; parse_proto; parse_src_ip: 1; parse_dst_ip: 2; default_proto: tcp; default_dst_port: $HTTP_PORT; classtype: suspicious-traffic; reference: url,www.brightcloud.com/tools/url-ip-lookup.php; sid: 5002750; rev:4;) alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[PALO-ALTO] Spyware or Adware URL Blocked"; content:",THREAT,url,"; content:",block-url,"; content:!",online-personal-storage,"; content:",spyware-and-adware,"; threshold: type limit, count 1, seconds 1800, track by_src; normalize; parse_port; parse_proto; parse_src_ip: 1; parse_dst_ip: 2; default_proto: tcp; default_dst_port: $HTTP_PORT; classtype: suspicious-traffic; reference: url,www.brightcloud.com/tools/url-ip-lookup.php; sid: 5002751; rev:4;) alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[PALO-ALTO] Url Blocked by policy or category"; content:",THREAT,url,"; content:",block-url,"; content:!",online-personal-storage,"; content:!",malware-sites,"; content:!",phishing-and-other-frauds,"; content:!",spyware-and-adware,"; threshold: type limit, count 1, seconds 1800, track by_dst; normalize; parse_port; parse_proto; parse_src_ip: 1; parse_dst_ip: 2; default_proto: tcp; default_dst_port: $HTTP_PORT; classtype: suspicious-traffic; 
reference: url,www.brightcloud.com/tools/url-ip-lookup.php; sid: 5002752; rev:3;) ##### ##### The following rule is used in conjunction with the meta_content variable IGNOREDL and sets a silent xbit, which is checked in rule 5002762 #alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[PALO-ALTO] Url silent xbit set"; content:",THREAT,url,"; content:!",block-url,"; meta_content: "%sagan%",$IGNOREDL; meta_nocase; xbits:set,downloadnolog,60; xbits:nounified2; xbits:noeve; normalize; parse_port; parse_proto; parse_src_ip: 1; parse_dst_ip: 2; default_proto: tcp; classtype: suspicious-traffic; reference: url,www.brightcloud.com/tools/url-ip-lookup.php; sid: 5002754; rev:5;) #####VIRI alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[PALO-ALTO] Virus Detected"; content:"THREAT,virus"; normalize; parse_proto; parse_port; parse_src_ip: 1; parse_dst_ip: 2; default_proto: tcp; classtype: suspicious-traffic; reference: url,threatvault.paloaltonetworks.com; sid: 5002755; rev:2;) #####VULNZPloitZ By Direction alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[PALO-ALTO] Critical Severity Exploit Inbound"; content:"THREAT,vulnerability"; pcre: "/vsys\d{1,2},Untrust,|vsys\d{1,2},Outside,|vsys\d{1,2},external,/i"; content:",critical,"; normalize; parse_proto; parse_port; parse_src_ip: 1; parse_dst_ip: 2; default_proto: tcp; classtype: exploit-attempt; reference: url,threatvault.paloaltonetworks.com; sid: 5002756; rev:3;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[PALO-ALTO] Critical Severity Exploit Outbound"; content:"THREAT,vulnerability"; pcre: "/vsys\d{1,2},Trust,|vsys\d{1,2},Inside,|vsys\d{1,2},DMZ,|vsys\d{1,2},internal,/i"; content:",critical,"; normalize; parse_proto; parse_src_ip: 1; parse_dst_ip: 2; default_proto: tcp; classtype: bad-unknown; reference: url,threatvault.paloaltonetworks.com; sid: 5002757; rev:4;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[PALO-ALTO] High Severity Exploit Inbound"; content:"THREAT,vulnerability"; pcre: 
"/vsys\d{1,2},Untrust,|vsys\d{1,2},Outside,|vsys\d{1,2},external/i"; content:",high,"; normalize; parse_port; parse_proto; parse_src_ip: 1; parse_dst_ip: 2; default_proto: tcp; classtype: exploit-attempt; reference: url,threatvault.paloaltonetworks.com; sid: 5002758; rev:3;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[PALO-ALTO] High Severity Exploit Outbound"; content:"THREAT,vulnerability"; pcre: "/vsys\d{1,2},Trust,|vsys\d{1,2},Inside,|vsys\d{1,2},DMZ,|vsys\d{1,2},internal,/i"; content:",high,"; normalize; parse_port; parse_proto; parse_src_ip: 1; parse_dst_ip: 2; default_proto: tcp; classtype: bad-unknown; reference: url,threatvault.paloaltonetworks.com; sid: 5002759; rev:3;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[PALO-ALTO] Medium Severity Exploit Inbound"; content:"THREAT,vulnerability"; pcre: "/vsys\d{1,2},Untrust,|vsys\d{1,2},Outside,|vsys\d{1,2},external/i";; content:",medium,"; normalize; parse_port; parse_proto; parse_src_ip: 1; parse_dst_ip: 2; default_proto: tcp; classtype: exploit-attempt; reference: url,threatvault.paloaltonetworks.com; sid: 5002760; rev:3;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[PALO-ALTO] Medium Severity Exploit Outbound"; content:"THREAT,vulnerability";pcre: "/vsys\d{1,2},Trust,|vsys\d{1,2},Inside,|vsys\d{1,2},DMZ,|vsys\d{1,2},internal,/i"; content:",medium,"; normalize; parse_port; parse_proto; parse_src_ip: 1; parse_dst_ip: 2; default_proto: tcp; classtype: bad-unknown; reference: url,threatvault.paloaltonetworks.com; sid: 5002761; rev:3;) ######FILE ###Uses xbit set in rule 5002754. Only enable after setting IGNOREDL domains for meta_content. 
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[PALO-ALTO] Executable File Download"; content:"THREAT,file"; pcre: "/Microsoft PE File|Windows Executable/i"; xbits: isnotset,both,downloadnolog; content:!"ms-update"; content:!"adobe-update"; content:!"google-update"; content:!"java-update"; normalize; parse_port; parse_proto; parse_src_ip: 1; parse_dst_ip: 2; default_proto: tcp; classtype: suspicious-filename-detect; sid:5002762; rev: 6;) ### ######Spyware DNS alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[PALO-ALTO] Suspicious DNS Request"; content:"THREAT,spyware,"; content:",Suspicious DNS Query"; normalize; parse_proto; parse_port; parse_src_ip: 1; parse_dst_ip: 2; default_proto: udp; default_dst_port: $DNS_PORT; classtype: network-event; threshold: type limit, track by_src, count 5, seconds 1800; reference: url,threatvault.paloaltonetworks.com; sid:5002763; rev:5;) sagan-1.2.0/rules/juniper-aetas.rules0000644000175000017500000000504213310533411016515 0ustar champchamp# Sagan juniper-aetas.rules # Copyright (c) 2009-2017, Quadrant Information Security # All rights reserved. # # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list # #************************************************************* # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. 
# # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. # #************************************************************* alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[JUNIPER-AETAS] VPN Login at suspicious time"; program: Juniper; pcre: "/Authentication successful|Login succeeded/i"; alert_time: days $SAGAN_DAYS, hours $SAGAN_HOURS; default_proto: tcp; default_dst_port: $HTTPS_PORT; classtype: successful-user; parse_src_ip: 1; reference: url, wiki.quadrantsec.com/bin/view/Main/5002047; sid:5002047; rev:3;) alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[JUNIPER-AETAS] VPN Logout at suspicious time"; program: Juniper; content: "Logout from"; alert_time: days $SAGAN_DAYS, hours $SAGAN_HOURS; default_proto: tcp; default_dst_port: $HTTPS_PORT; classtype: successful-user; parse_src_ip: 1; reference: url, wiki.quadrantsec.com/bin/view/Main/5002048; sid:5002048; rev:3;) sagan-1.2.0/rules/nginx.rules0000644000175000017500000001032213310533411015066 0ustar champchamp# Sagan nginx.rules # Copyright (c) 2009-2017, Quadrant Information Security # All rights reserved. 
# # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list # #************************************************************* # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
# #************************************************************* #alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[NGINX] Nginx error message"; pcre: "/^\S+ \S+ [error]/i"; classtype: program-error; program: nginx; reference: url,wiki.quadrantsec.com/bin/view/Main/5000168; sid: 5000168; rev:1;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[NGINX] Nginx warning message"; pcre: "/^\S+ \S+ [warn]/i"; classtype: program-error; program: nginx; reference: url,wiki.quadrantsec.com/bin/view/Main/5000169; sid:5000169; rev:1;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[NGINX] Nginx critical message"; pcre: "/^\S+ \S+ [crit]/i"; classtype: program-error; program: nginx; reference: url,wiki.quadrantsec.com/bin/view/Main/5000170; sid:5000170; rev:1;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[NGINX] Nginx 404 error"; pcre: "/no such file or directory|is not found/i"; classtype: suspicious-filename-detect; program: nginx; reference: url,wiki.quadrantsec.com/bin/view/Main/5000171; sid:5000171; rev:1;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[NGINX] Nginx Incomplete client request"; content: "Software caused connection abort"; classtype: suspicious-traffic; program: nginx; reference: url,wiki.quadrantsec.com/bin/view/Main/5000172; sid:5000172; rev:1;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[NGINX] Nginx Initial 401 authentication request"; content: "no user/password was provided for basic authentication"; classtype: unsuccessful-user; program: nginx; reference: url,wiki.quadrantsec.com/bin/view/Main/5000173; sid:5000173; rev:1;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[NGINX] Nginx Web authentication failed"; pcre: "/password mismatch, client|was not found in/i"; classtype: unsuccessful-user; program: nginx; reference: url,wiki.quadrantsec.com/bin/view/Main/5000174; sid:5000174; rev:1;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[NGINX] Nginx Invalid URI, file name too long"; content: "File name too long"; 
classtype: suspicious-filename-detect; program: nginx; reference: url,wiki.quadrantsec.com/bin/view/Main/5000175; sid:5000175; rev:1;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[NGINX] Nginx brute force authentication attempt [5/1]"; pcre: "/password mismatch, client|was not found in/i"; xbits: set,brute_force,21600; classtype: unsuccessful-user; program: nginx; after: track by_src, count 5, seconds 300; threshold: type limit, track by_src, count 1, seconds 300; reference: url,wiki.quadrantsec.com/bin/view/Main/5002948; sid:5002948; rev:1;) sagan-1.2.0/rules/vmware-correlated.rules0000644000175000017500000001375313310533411017401 0ustar champchamp# Sagan vmware-correlated.rules # Copyright (c) 2009-2017, Quadrant Information Security # All rights reserved. # # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list # #************************************************************* # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. 
IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. # #************************************************************* # VMWare ESX alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[VMWARE-CORRELATED] User login successful after recon activity"; pcre: "/Accepted password for|login from/i"; default_proto: tcp; classtype: correlated-attack; xbits: isset,by_src,recon; program: vmware-hostd|vmware-authd; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5003317; sid:5003317; rev:1;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[VMWARE-CORRELATED] User login successful after honeypot activity"; pcre: "/Accepted password for|login from/i"; default_proto: tcp; classtype: correlated-attack; xbits: isset,by_src,honeypot; program: vmware-hostd|vmware-authd; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5003318; sid:5003318; rev:1;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[VMWARE-CORRELATED] User login successful after exploit attempt"; pcre: "/Accepted password for|login from/i"; default_proto: tcp; classtype: correlated-attack; xbits: isset,by_src,exploit_attempt; program: vmware-hostd|vmware-authd; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5003319; sid:5003319; rev:1;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[VMWARE-CORRELATED] User login successful after brute force activity"; pcre: "/Accepted password for|login from/i"; default_proto: tcp; classtype: correlated-attack; xbits: isset,by_src,brute_force; program: 
vmware-hostd|vmware-authd; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5003320; sid:5003320; rev:1;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[VMWARE-CORRELATED] User login successful after recon activity"; content: " logged in "; default_proto: tcp; classtype: correlated-attack; xbits: isset,by_src,recon; program: Hostd; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5003321; sid:5003321; rev:1;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[VMWARE-CORRELATED] User login successful after honeypot activity"; content: " logged in "; default_proto: tcp; classtype: correlated-attack; xbits: isset,by_src,honeypot; program: Hostd; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5003322; sid:5003322; rev:1;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[VMWARE-CORRELATED] User login successful after exploit attempt"; content: " logged in "; default_proto: tcp; classtype: correlated-attack; xbits: isset,by_src,exploit_attempt; program: Hostd; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5003323; sid:5003323; rev:1;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[VMWARE-CORRELATED] User login successful after brute force activity"; content: " logged in "; default_proto: tcp; classtype: correlated-attack; xbits: isset,by_src,brute_force; program: Hostd; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5003324; sid:5003324; rev:1;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[VMWARE-CORRELATED] User login successful after recon activity"; content: "Accepted password"; default_proto: tcp; classtype: correlated-attack; xbits: isset,by_src,recon; program: Hostd; normalize; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5003325; sid:5003325; rev:1;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[VMWARE-CORRELATED] User login successful after honeypot activity"; content: "Accepted password"; default_proto: tcp; classtype: 
correlated-attack; xbits: isset,by_src,honeypot; program: Hostd; normalize; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5003326; sid:5003326; rev:1;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[VMWARE-CORRELATED] User login successful after exploit attempt"; content: "Accepted password"; default_proto: tcp; classtype: correlated-attack; xbits: isset,by_src,exploit_attempt; program: Hostd; normalize; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5003327; sid:5003327; rev:1;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[VMWARE-CORRELATED] User login successful after brute force activity"; content: "Accepted password"; default_proto: tcp; classtype: correlated-attack; xbits: isset,by_src,brute_force; program: Hostd; normalize; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5003328; sid:5003328; rev:1;) sagan-1.2.0/rules/adtran.rules0000644000175000017500000000453213310533411015222 0ustar champchamp# Sagan adtran.rules # Copyright (c) 2009-2017, Quadrant Information Security # All rights reserved. # # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list # #************************************************************* # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. 
# # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. # # Adtran rules by James Lay - 06/25/2012 (actually, added well before that.. hrmph). alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[ADTRAN] TCP INTERNAL BLOCK"; content: "Access Policy"; content: "tcp"; default_proto: tcp; program: FIREWALL; normalize; classtype: bad-unknown; sid:5001126; reference: url,wiki.quadrantsec.com/bin/view/Main/5001126; rev:4;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[ADTRAN] UDP INTERNAL BLOCK"; content: "Access Policy"; content: "udp"; default_proto: udp; program: FIREWALL; normalize; classtype: bad-unknown; sid:5001127; reference: url,wiki.quadrantsec.com/bin/view/Main/5001127; rev:4;) sagan-1.2.0/rules/nfcapd.rules0000644000175000017500000004014613310533411015205 0ustar champchamp# Sagan nfcapd.rules # Copyright (c) 2009-2017, Quadrant Information Security # All rights reserved.
# # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list # #************************************************************* # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. # ############################################################################## # These rules are intended for the NetFlow protocol. This requires that your # system has "nfdump" tools install. In particular, the Quadrant modified # "nfdump", that allows the program "nfcapd" to receive, decode and send # to the Sagan FIFO. 
# # For more information see: # # https://wiki.quadrantsec.com/twiki/bin/view/Main/SaganNetflow # Example log string sent to the FIFO from the modified "nfcapd": # source_ip: 10.10.0.1/80, destination_ip: 173.165.207.65/16464, protocol: UDP, duration: 5.400, flags: |.AP...|, tos: 0, packets: 312, bytes: 4222451716, last_time: 2013-11-30 01:10:24, vlan_src: 32767, vlan_dst: 0 # Possible IRC traffic #alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[NFCAPD] Possible IRC detected [5/5]"; program: nfcapd; normalize; content: "/6667, protocol|3a| TCP,"; content:"flags|3a| |7c|.AP...|7c|,"; default_proto: tcp; default_dst_port: 6667; classtype: suspicious-traffic; parse_src_ip: 1; parse_dst_ip: 2; parse_port; threshold: type limit, track by_src, count 5, seconds 120; after: track by_src, count 5, seconds 300; reference: url, wiki.quadrantsec.com/bin/view/Main/5001984; sid: 5001984; rev:10;) # 6697 - IRC traffic #alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[NFCAPD] Possible IRC detected [5/5]"; program: nfcapd; normalize; content: "/6697, protocol|3a| TCP,"; content:"flags|3a| |7c|.AP...|7c|,"; default_proto: tcp; default_dst_port: 6697; classtype: suspicious-traffic; parse_src_ip: 1; parse_dst_ip: 2; parse_port; threshold: type limit, track by_src, count 5, seconds 120; after: track by_src, count 5, seconds 300; reference: url, wiki.quadrantsec.com/bin/view/Main/5001985; sid: 5001985; rev:11;) # 6660-6669, 7000 #alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[NFCAPD] Possible IRC - Port 6660 [5/5]"; program: nfcapd; normalize; content: "/6660, protocol|3a| TCP,"; content:"flags|3a| |7c|.AP...|7c|,"; default_proto: tcp; default_dst_port: 6660; classtype: suspicious-traffic; parse_src_ip: 1; parse_dst_ip: 2; parse_port; threshold: type limit, track by_src, count 5, seconds 120; after: track by_src, count 5, seconds 300; reference: url, wiki.quadrantsec.com/bin/view/Main/5001986; sid: 5001986; rev:8;) #alert any $HOME_NET any -> $EXTERNAL_NET any (msg: 
"[NFCAPD] Possible IRC - Port 6661 [5/5]"; program: nfcapd; normalize; content: "/6661, protocol|3a| TCP,"; content:"flags|3a| |7c|.AP...|7c|,"; default_proto: tcp; default_dst_port: 6661; classtype: suspicious-traffic; parse_src_ip: 1; parse_dst_ip: 2; parse_port; threshold: type limit, track by_src, count 5, seconds 120; after: track by_src, count 5, seconds 300; reference: url, wiki.quadrantsec.com/bin/view/Main/5001987; sid: 5001987; rev:8;) #alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[NFCAPD] Possible IRC - Port 6662 [5/5]"; program: nfcapd; normalize; content: "/6662, protocol|3a| TCP,"; content:"flags|3a| |7c|.AP...|7c|,"; default_proto: tcp; default_dst_port: 6662; classtype: suspicious-traffic; parse_src_ip: 1; parse_dst_ip: 2; parse_port; threshold: type limit, track by_src, count 5, seconds 120; after: track by_src, count 5, seconds 300; reference: url, wiki.quadrantsec.com/bin/view/Main/5001988; sid: 5001988; rev:8;) #alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[NFCAPD] Possible IRC - Port 6663 [5/5]"; program: nfcapd; normalize; content: "/6663, protocol|3a| TCP,"; content:"flags|3a| |7c|.AP...|7c|,"; default_proto: tcp; default_dst_port: 6663; classtype: suspicious-traffic; parse_src_ip: 1; parse_dst_ip: 2; parse_port; threshold: type limit, track by_src, count 5, seconds 120; after: track by_src, count 5, seconds 300; reference: url, wiki.quadrantsec.com/bin/view/Main/5001989; sid: 5001989; rev:8;) #alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[NFCAPD] Possible IRC - Port 6664 [5/5]"; program: nfcapd; normalize; content: "/6664, protocol|3a| TCP,"; content:"flags|3a| |7c|.AP...|7c|,"; default_proto: tcp; default_dst_port: 6664; classtype: suspicious-traffic; parse_src_ip: 1; parse_dst_ip: 2; parse_port; threshold: type limit, track by_src, count 5, seconds 120; after: track by_src, count 5, seconds 300; reference: url, wiki.quadrantsec.com/bin/view/Main/5001990; sid: 5001990; rev:8;) #alert any $HOME_NET any -> $EXTERNAL_NET 
any (msg: "[NFCAPD] Possible IRC - Port 6665 [5/5]"; program: nfcapd; normalize; content: "/6665, protocol|3a| TCP,"; content:"flags|3a| |7c|.AP...|7c|,"; default_proto: tcp; default_dst_port: 6665; classtype: suspicious-traffic; parse_src_ip: 1; parse_dst_ip: 2; parse_port; threshold: type limit, track by_src, count 5, seconds 120; after: track by_src, count 5, seconds 300; reference: url, wiki.quadrantsec.com/bin/view/Main/5001991; sid: 5001991; rev:8;) #alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[NFCAPD] Possible IRC - Port 6666 [5/5]"; program: nfcapd; normalize; content: "/6666, protocol|3a| TCP,"; content:"flags|3a| |7c|.AP...|7c|,"; default_proto: tcp; default_dst_port: 6666; classtype: suspicious-traffic; parse_src_ip: 1; parse_dst_ip: 2; parse_port; threshold: type limit, track by_src, count 5, seconds 120; after: track by_src, count 5, seconds 300; reference: url, wiki.quadrantsec.com/bin/view/Main/5001992; sid: 5001992; rev:8;)
# NOTE(review): default_dst_port on the two rules below previously read 6698 and 6999, which did not match the port in their own content match ("/6668," and "/6669,"); corrected so the fallback destination port agrees with the traffic the rule is written for.
#alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[NFCAPD] Possible IRC - Port 6668 [5/5]"; program: nfcapd; normalize; content: "/6668, protocol|3a| TCP,"; content:"flags|3a| |7c|.AP...|7c|,"; default_proto: tcp; default_dst_port: 6668; classtype: suspicious-traffic; parse_src_ip: 1; parse_dst_ip: 2; parse_port; threshold: type limit, track by_src, count 5, seconds 120; after: track by_src, count 5, seconds 300; reference: url, wiki.quadrantsec.com/bin/view/Main/5001993; sid: 5001993; rev:8;) #alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[NFCAPD] Possible IRC - Port 6669 [5/5]"; program: nfcapd; normalize; content: "/6669, protocol|3a| TCP,"; content:"flags|3a| |7c|.AP...|7c|,"; default_proto: tcp; default_dst_port: 6669; classtype: suspicious-traffic; parse_src_ip: 1; parse_dst_ip: 2; parse_port; threshold: type limit, track by_src, count 5, seconds 120; after: track by_src, count 5, seconds 300; reference: url, wiki.quadrantsec.com/bin/view/Main/5001994; sid: 5001994; rev:8;) #alert any $HOME_NET any -> 
$EXTERNAL_NET any (msg: "[NFCAPD] Possible IRC - Port 7000 [5/5]"; program: nfcapd; normalize; content: "/7000, protocol|3a| TCP,"; content:"flags|3a| |7c|.AP...|7c|,"; default_proto: tcp; default_dst_port: 7000; classtype: suspicious-traffic; parse_src_ip: 1; parse_dst_ip: 2; parse_port; threshold: type limit, track by_src, count 5, seconds 120; after: track by_src, count 5, seconds 300; reference: url, wiki.quadrantsec.com/bin/view/Main/5001995; sid: 5001995; rev:8;) # SSH #alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[NFCAPD] PUSH/ACK Traffic Detected [5/5]"; program: nfcapd; normalize; content: "/22, protocol|3a| TCP,"; content:"flags|3a| |7c|.AP...|7c|,"; default_proto: tcp; default_dst_port: $SSH_PORT; classtype: suspicious-traffic; parse_src_ip: 1; parse_dst_ip: 2; parse_port; threshold: type limit, track by_src, count 5, seconds 120; after: track by_src, count 5, seconds 300; reference: url, wiki.quadrantsec.com/bin/view/Main/5001996; sid: 5001996; rev: 8;) alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[NFCAPD] PUSH/ACK Traffic Detected - Port 2222 [5/5]"; program: nfcapd; normalize; content: "/2222, protocol|3a| TCP,"; content:"flags|3a| |7c|.AP...|7c|,"; default_proto: tcp; default_dst_port: 2222; classtype: suspicious-traffic; parse_src_ip: 1; parse_dst_ip: 2; parse_port; threshold: type limit, track by_src, count 20, seconds 120; after: track by_src, count 5, seconds 300; reference: url, wiki.quadrantsec.com/bin/view/Main/5001997; sid: 5001997; rev: 9;) # Telnet alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[NFCAPD] Telnet Traffic Detected via PUSH/ACK [5/5]"; program: nfcapd; normalize; content: "/23, protocol|3a| TCP,"; content:"flags|3a| |7c|.AP...|7c|,"; default_proto: tcp; default_dst_port: $TELNET_PORT; classtype: suspicious-traffic; parse_src_ip: 1; parse_dst_ip: 2; parse_port; threshold: type limit, track by_src, count 5, seconds 120; after: track by_src, count 5, seconds 300; reference: url, 
wiki.quadrantsec.com/bin/view/Main/5001998; sid: 5001998; rev:8;) # Bittorrent traffic via nfcapd - Robert Nunley 05/08/2015 #alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[NFCAPD] Possible BitTorrent - Port 6881 [5/5]"; program: nfcapd; normalize; content: "/6881, protocol|3a| TCP,"; content:"flags|3a| |7c|.AP...|7c|,"; default_proto: tcp; default_dst_port: 6881; classtype: suspicious-traffic; parse_src_ip: 1; parse_dst_ip: 2; parse_port; threshold: type limit, track by_src, count 5, seconds 120; after: track by_src, count 5, seconds 300; reference: url, wiki.quadrantsec.com/bin/view/Main/5002291; sid: 5002291; rev:6;) #alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[NFCAPD] Possible BitTorrent - Port 6882 [5/5]"; program: nfcapd; normalize; content: "/6882, protocol|3a| TCP,"; content:"flags|3a| |7c|.AP...|7c|,"; default_proto: tcp; default_dst_port: 6882; classtype: suspicious-traffic; parse_src_ip: 1; parse_dst_ip: 2; parse_port; threshold: type limit, track by_src, count 5, seconds 120; after: track by_src, count 5, seconds 300; reference: url, wiki.quadrantsec.com/bin/view/Main/5002292; sid: 5002292; rev:6;); #alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[NFCAPD] Possible BitTorrent - Port 6883 [5/5]"; program: nfcapd; normalize; content: "/6883, protocol|3a| TCP,"; content:"flags|3a| |7c|.AP...|7c|,"; default_proto: tcp; default_dst_port: 6883; classtype: suspicious-traffic; parse_src_ip: 1; parse_dst_ip: 2; parse_port; threshold: type limit, track by_src, count 5, seconds 120; after: track by_src, count 5, seconds 300; reference: url, wiki.quadrantsec.com/bin/view/Main/5002293; sid: 5002293; rev:6;); #alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[NFCAPD] Possible BitTorrent - Port 6884 [5/5]"; program: nfcapd; normalize; content: "/6884, protocol|3a| TCP,"; content:"flags|3a| |7c|.AP...|7c|,"; default_proto: tcp; default_dst_port: 6884; classtype: suspicious-traffic; parse_src_ip: 1; parse_dst_ip: 2; parse_port; threshold: type 
limit, track by_src, count 5, seconds 120; after: track by_src, count 5, seconds 300; reference: url, wiki.quadrantsec.com/bin/view/Main/5002294; sid: 5002294; rev:6;) #alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[NFCAPD] Possible BitTorrent - Port 6885 [5/5]"; program: nfcapd; normalize; content: "/6885, protocol|3a| TCP,"; content:"flags|3a| |7c|.AP...|7c|,"; default_proto: tcp; default_dst_port: 6885; classtype: suspicious-traffic; parse_src_ip: 1; parse_dst_ip: 2; parse_port; threshold: type limit, track by_src, count 5, seconds 120; after: track by_src, count 5, seconds 300; reference: url, wiki.quadrantsec.com/bin/view/Main/5002295; sid: 5002295; rev:6;) #alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[NFCAPD] Possible BitTorrent - Port 6886 [5/5]"; program: nfcapd; normalize; content: "/6886, protocol|3a| TCP,"; content:"flags|3a| |7c|.AP...|7c|,"; default_proto: tcp; default_dst_port: 6886; classtype: suspicious-traffic; parse_src_ip: 1; parse_dst_ip: 2; parse_port; threshold: type limit, track by_src, count 5, seconds 120; after: track by_src, count 5, seconds 300; reference: url, wiki.quadrantsec.com/bin/view/Main/5002296; sid: 5002296; rev:6;) #alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[NFCAPD] Possible BitTorrent - Port 6887 [5/5]"; program: nfcapd; normalize; content: "/6887, protocol|3a| TCP,"; content:"flags|3a| |7c|.AP...|7c|,"; default_proto: tcp; default_dst_port: 6887; classtype: suspicious-traffic; parse_src_ip: 1; parse_dst_ip: 2; parse_port; threshold: type limit, track by_src, count 5, seconds 120; after: track by_src, count 5, seconds 300; reference: url, wiki.quadrantsec.com/bin/view/Main/5002297; sid: 5002297; rev:6;) #alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[NFCAPD] Possible BitTorrent - Port 6888 [5/5]"; program: nfcapd; normalize; content: "/6888, protocol|3a| TCP,"; content:"flags|3a| |7c|.AP...|7c|,"; default_proto: tcp; default_dst_port: 6888; classtype: suspicious-traffic; parse_src_ip: 1; 
parse_dst_ip: 2; parse_port; threshold: type limit, track by_src, count 5, seconds 120; after: track by_src, count 5, seconds 300; reference: url, wiki.quadrantsec.com/bin/view/Main/5002298; sid: 5002298; rev:6;) #alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[NFCAPD] Possible BitTorrent - Port 6889 [5/5]"; program: nfcapd; normalize; content: "/6889, protocol|3a| TCP,"; content:"flags|3a| |7c|.AP...|7c|,"; default_proto: tcp; default_dst_port: 6889; classtype: suspicious-traffic; parse_src_ip: 1; parse_dst_ip: 2; parse_port; threshold: type limit, track by_src, count 5, seconds 120; after: track by_src, count 5, seconds 300; reference: url, wiki.quadrantsec.com/bin/view/Main/5002299; sid: 5002299; rev:6;) # Tor traffic via nfcapd - Robert Nunley 05/08/2015 #alert any $HOME_NET any -> $EXTERNAL_NET any(msg: "[NFCAPD] Possible TOR - Port 9001"; program: nfcapd; normalize; content: "/9001, protocol|3a| TCP,"; xbits: set, tor_traffic, 15; xbits:nounified2; xbits:noeve; content:"flags|3a| |7c|.AP...|7c|,"; default_proto: tcp; default_dst_port: 9001; classtype: suspicious-traffic; parse_src_ip: 1; parse_dst_ip: 2; parse_port; reference: url, wiki.quadrantsec.com/bin/view/Main/5002300; reference: url, torstatus.blutmagie.de; sid: 5002300; rev:10;) #alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[NFCAPD] Possible TOR - Port 9030 after Port 9001"; program: nfcapd; normalize; content: "/9030, protocol|3a| TCP,"; xbits: isset, by_src, tor_traffic; content:"flags|3a| |7c|.AP...|7c|,"; default_proto: tcp; default_dst_port: 9030; classtype: suspicious-traffic; parse_src_ip: 1; parse_dst_ip: 2; parse_port; threshold: type limit, track by_src, count 5, seconds 120; after: track by_src, count 5, seconds 300; reference: url, wiki.quadrantsec.com/bin/view/Main/5002301; reference: url, torstatus.blutmagie.de; sid: 5002301; rev:7;) #alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[NFCAPD] Possible TOR - Port 443 after Port 9001"; program: nfcapd; normalize; content: 
"/443, protocol|3a| TCP,"; xbits: isset, by_src, tor_traffic; content:"flags|3a| |7c|.AP...|7c|,"; default_proto: tcp; default_dst_port: 443; classtype: suspicious-traffic; parse_src_ip: 1; parse_dst_ip: 2; parse_port; threshold: type limit, track by_src, count 5, seconds 120; after: track by_src, count 5, seconds 300; reference: url, wiki.quadrantsec.com/bin/view/Main/5002302; reference: url, torstatus.blutmagie.de; sid: 5002302; rev:7;) sagan-1.2.0/rules/honeyd.rules0000644000175000017500000001116213310533411015234 0ustar champchamp# Sagan honeyd.rules # Copyright (c) 2009-2017, Quadrant Information Security # All rights reserved. # # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list # #************************************************************* # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. 
IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. # #************************************************************* # Added by Robert Nunley (rnunley@quadantsec.com) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[HONEYD] Connection made to honeypot"; content: "tcp"; program: honeydconnect; parse_src_ip: 1; parse_dst_ip: 2; default_proto: tcp; classtype: suspicious-traffic; xbits: set, honeypot, 86400; reference: url,wiki.quadrantsec.com/bin/view/Main/5001846; sid: 5001846; rev:3;)
# NOTE(review): the threshold option on the rules below previously read "threshold type limit, ..., 300 seconds" -- no ':' after the keyword on sids 5001847-5001849, and "300 seconds" instead of the "seconds 300" form every other rule in this ruleset uses. As written the option may not have been parsed at all (no rate limit, one alert per matching log line). Normalized to the standard form so the 10-per-300s limit is applied.
# NOTE(review): the pcre "/^a-z | ^0-9/" on sids 5001849-5001852 cannot behave as intended: its second branch anchors '^' after a literal space, which never matches, and the first branch only matches a message that literally begins with "a-z ". It looks like "/^[a-z0-9]/" was meant -- confirm the intent before changing the pattern.
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[HONEYD] Attempt to login to honeypot Telnet server [0/10]"; content: "Attempted "; program: honeyd; threshold: type limit, track by_src, count 10, seconds 300; parse_src_ip: 1; parse_dst_ip: 2; xbits: set, honeypot, 86400; default_proto: tcp; default_dst_port: $TELNET_PORT; classtype: attempted-user; reference: url,wiki.quadrantsec.com/bin/view/Main/5001847; sid: 5001847; rev:4;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[HONEYD] Attempt to login to honeypot Telnet server as admin user [0/10]"; content: "Attempted "; pcre: "/root | admin/"; program: honeyd; threshold: type limit, track by_src, count 10, seconds 300; parse_src_ip: 1; parse_dst_ip: 2; xbits: set, honeypot, 86400; default_proto: tcp; default_dst_port: $TELNET_PORT; classtype: attempted-admin; reference: url,wiki.quadrantsec.com/bin/view/Main/5001848; sid: 5001848; rev:4;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[HONEYD] Attempt to login to honeypot FTP server [0/10]"; pcre: "/^a-z | ^0-9/"; program: honeydftp; threshold: type limit, track by_src, count 10, seconds 300; xbits: set, honeypot, 86400; default_proto: tcp; default_dst_port: $FTP_PORT; classtype: attempted-user; reference: url,wiki.quadrantsec.com/bin/view/Main/5001849; sid: 5001849; rev:4;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[HONEYD] Connection to honeypot IIS server [0/10]"; pcre: "/^a-z | ^0-9/"; program: honeydwebiis; threshold: type limit, track by_src, count 10, seconds 300; xbits: set, honeypot, 86400; default_proto: tcp; default_dst_port: $HTTP_PORT; classtype: web-application-attack; reference: url,wiki.quadrantsec.com/bin/view/Main/5001850; sid: 5001850; rev:4;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[HONEYD] Connection to honeypot Apache server [0/10]"; pcre: "/^a-z | ^0-9/"; program: honeydwebapache; threshold: type limit, track by_src, count 10, seconds 300; xbits: set, honeypot, 86400; default_proto: tcp; default_dst_port: $HTTP_PORT; classtype: web-application-attack; reference: url,wiki.quadrantsec.com/bin/view/Main/5001851; sid: 5001851; rev:4;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[HONEYD] Connection to honeypot SMTP server [0/10]"; pcre: "/^a-z | ^0-9/"; program: honeydsmtp; threshold: type limit, track by_src, count 10, seconds 300; xbits: set, honeypot, 86400; default_proto: tcp; default_dst_port: $SMTP_PORT; classtype: web-application-attack; reference: url,wiki.quadrantsec.com/bin/view/Main/5001852; sid: 5001852; rev:4;) sagan-1.2.0/rules/cisco-ise-blacklist.rules0000644000175000017500000000616713310533411017603 0ustar champchamp# Sagan cisco-ise-blacklist.rules # Copyright (c) 2009-2017, Quadrant Information Security # All rights reserved.
# # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list # #************************************************************* # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
# #*************************************************************
# Example CISE_Passed_Authentications event the rule below is written against. It is kept as a '#' comment so the rule loader does not try to parse a raw log line as a rule (it appeared here uncommented):
# 10.0.0.1|local6|notice|notice|b5|2018-05-23|20:22:11|CISE_Passed_Authentications| 0000511111 3 0 2018-05-23 20:22:11.910 -04:00 0067111111 5200 NOTICE Passed-Authentication: Authentication succeeded, ConfigVersionId=139, Device IP Address=10.10.254.13, DestinationIPAddress=10.10.2.53, DestinationPort=1812, UserName=00-11-11-11-11-11, Protocol=Radius, RequestLatency=8, NetworkDeviceName=DEMO, User-Name=001111111111, NAS-IP-Address=10.10.254.13, NAS-Port=50002, Service-Type=Call Check, Framed-IP-Address=10.10.251.75, Framed-MTU=1500, Called-Station-ID=00-11-11-11-11-11, Calling-Station-ID=00-11-11-11-11-11, NAS-Port-Type=Ethernet, NAS-Port-Id=GigabitEthernet0/2, EAP-Key-Name=, cisco-av-pair=service-type=Call Check, cisco-av-pair=audit-session-id=AC1711111111111111111111, OriginalUserName=001111111111, NetworkDeviceProfileName=Cisco, NetworkDeviceProfileId=11111111-1111-1111-1111-111111111111, IsThirdPartyDeviceFlow=false, RadiusFlowType=WiredMAB, SSID=00-11-11-11-11-11, AcsSessionID=nac-dc1/11111111l/1111111,
# NOTE(review): the msg says "from outside HOME_COUNTRY" but the rule's only source condition is "blacklist: by_src" (the Sagan blacklist lookup), not a GeoIP/country check; parse_src_ip: 1 takes the first IP in the message, which in the sample above is the "Device IP Address" (the NAS), not the endpoint's Framed-IP-Address. Confirm which address the blacklist match is meant to apply to and whether the msg should say "blacklisted source" instead.
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-ISE-BLACKLIST] Successful authentication from outside HOME_COUNTRY"; program: CISE_Passed_Authentications; content: "Device IP Address"; classtype: successful-user; parse_src_ip: 1; parse_dst_ip: 2; blacklist: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5003783; sid:5003783; rev:1;) sagan-1.2.0/rules/trendmicro.rules0000644000175000017500000000410513310533411016113 0ustar champchamp# Sagan trendmicro.rules # Copyright (c) 2009-2017, Quadrant Information Security # All rights reserved.
# # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list # #************************************************************* # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
# # Trendmicro rules by Corey Fisher - 02/18/2016 alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[Trendmicro] Virus Found Unable to Quarantine"; content: "SLF_INCIDENT_EVT_VIRUS_FOUND_PASS_THRU"; content: "Unable to quarantine file"; program: TMCM; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5002797; classtype: suspicious-traffic; sid:5002797; rev:3;) sagan-1.2.0/rules/nfcapd-malware.rules0000644000175000017500000001165013310533411016631 0ustar champchamp# Sagan nfcapd-malware.rules # Copyright (c) 2009-2017, Quadrant Information Security # All rights reserved. # # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list # #************************************************************* # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. 
IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. # ############################################################################## # These rules are intended to catch malware via the NetFlow protocol. This # requires that your system has the "nfdump" tools installed. In particular, the # Quadrant-modified "nfdump", which allows the program "nfcapd" to receive, # decode and send NetFlow data to the Sagan FIFO. # # For more information see: # # https://wiki.quadrantsec.com/twiki/bin/view/Main/SaganNetflow # Example log string sent to the FIFO from the modified "nfcapd": # source_ip: 10.10.0.1/80, destination_ip: 173.165.207.65/16464, protocol: UDP, duration: 5.400, flags: |.AP.SF|, tos: 0, packets: 312, bytes: 4222451716, last_time: 2013-11-30 01:10:24, vlan_src: 32767, vlan_dst: 0 #alert any $HOME_NET any -> $EXTERNAL_NET 16464 (msg: "[NFCAPD-MALWARE] Netflow - ZeroAccess UDP port 16464 detected [5/5]"; program: nfcapd; normalize; content: " UDP,"; content: "/16464, p"; default_proto: udp; default_dst_port: 16464; classtype: suspicious-traffic; parse_src_ip: 1; parse_dst_ip: 2; parse_port; threshold: type limit, track by_src, count 5, seconds 120; after: track by_src, count 5, seconds 300; reference: url, wiki.quadrantsec.com/bin/view/Main/5001853; sid: 5001853; rev:6;) #alert any $HOME_NET any -> $EXTERNAL_NET 16465 (msg: "[NFCAPD-MALWARE] Netflow - ZeroAccess UDP port 16465 detected [5/5]"; program: nfcapd; normalize; content: " UDP,"; content: "/16465, p"; default_proto: udp; default_dst_port: 16465; 
classtype: suspicious-traffic; parse_src_ip: 1; parse_dst_ip: 2; parse_port; threshold: type limit, track by_src, count 5, seconds 120; after: track by_src, count 5, seconds 300; reference: url, wiki.quadrantsec.com/bin/view/Main/5001854; sid: 5001854; rev:6;) #alert any $HOME_NET any -> $EXTERNAL_NET 16470 (msg: "[NFCAPD] Netflow - ZeroAccess UDP port 16470 detected [5/5]"; program: nfcapd; normalize; content: " UDP,"; content: "/16470, p"; default_proto: udp; default_dst_port: 16470; classtype: suspicious-traffic; parse_src_ip: 1; parse_dst_ip: 2; parse_port; threshold: type limit, track by_src, count 5, seconds 120; after: track by_src, count 5, seconds 300; reference: url, wiki.quadrantsec.com/bin/view/Main/5001855; sid: 5001855; rev:5;) #alert any $HOME_NET any -> $EXTERNAL_NET 16471 (msg: "[NFCAPD-MALWARE] Netflow - ZeroAccess UDP port 16471 detected [5/5]"; program: nfcapd; normalize; content: " UDP,"; content: "/16471, p"; default_proto: udp; default_dst_port: 16471; classtype: suspicious-traffic; parse_src_ip: 1; parse_dst_ip: 2; parse_port; threshold: type limit, track by_src, count 5, seconds 120; after: track by_src, count 5, seconds 300; reference: url, wiki.quadrantsec.com/bin/view/Main/5001856; sid: 5001856; rev:6;) # Older TCP port 13620 (pre-Q2 2012) #alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[NFCAPD-MALWARE] Netflow - Old ZeroAccess TCP port 13620 detected [5/5]"; program: nfcapd; normalize; content: " TCP,"; content: "/13620, p"; default_proto: tcp; default_dst_port: 13620; classtype: suspicious-traffic; parse_src_ip: 1; parse_dst_ip: 2; parse_port; threshold: type limit, track by_src, count 5, seconds 120; after: track by_src, count 5, seconds 300; reference: url, wiki.quadrantsec.com/bin/view/Main/5001857; sid: 5001857; rev: 5;) sagan-1.2.0/rules/windows-misc.rules0000644000175000017500000006001213310533411016367 0ustar champchamp# Sagan windows-misc.rules # Copyright (c) 2009-2017, Quadrant Information Security # All rights reserved. 
# # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list # #************************************************************* # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. # #************************************************************* # Windows based rules. # Eventlog to syslog service. This is what we primarily use. 
# http://code.google.com/p/eventlog-to-syslog/ #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MISC] Detection of net listening application [0/5]"; pcre: "/ 861: | 5154: /"; threshold: type limit, track by_src, count 5, seconds 300; classtype: network-event; program: *Security*; reference: url,wiki.quadrantsec.com/bin/view/Main/5000306; sid: 5000306; rev:8;;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MISC] Privileged Service Called"; pcre: "/ 577: | 4673: /"; classtype: successful-admin; program: *Security*; reference: url,wiki.quadrantsec.com/bin/view/Main/5000307; sid: 5000307; rev:7;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MISC] Apple Bonjour service detect [iTunes installed?]"; classtype: policy-violation; program: Bonjour; reference: url,wiki.quadrantsec.com/bin/view/Main/5000308; sid: 5000308; rev:3;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MISC] Application error"; content: " 1001|3a| "; classtype: program-error; program: Application; reference: url,wiki.quadrantsec.com/bin/view/Main/5000309; sid: 5000309; rev:4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MISC] Application hang"; content: " 1002|3a| "; classtype: program-error; program: Application; reference: url,wiki.quadrantsec.com/bin/view/Main/5000310; sid: 5000310; rev:4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MISC] Application popup"; content: " 333|3a| "; classtype: program-error; program: Application; reference: url,wiki.quadrantsec.com/bin/view/Main/5000311; sid: 5000311; rev:4;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MISC] SCSI bug fault occurred"; content: "SCSI bus fault"; classtype: hardware-event; program: CPQCISSE; reference: url,wiki.quadrantsec.com/bin/view/Main/5000316; sid: 5000316; rev:2;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MISC] Backup Exec - Job completed with exceptions"; content: " 57755|3a| "; classtype: 
program-error; program: Backup; reference: url,wiki.quadrantsec.com/bin/view/Main/5000312; sid: 5000312; rev:4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MISC] Backup Exec - Job cancellation"; content: " 34114|3a| "; classtype: program-error; program: Backup; reference: url,wiki.quadrantsec.com/bin/view/Main/5000313; sid: 5000313; rev:4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MISC] Backup Exec - Alert - insert media"; content: " 58061|3a| "; classtype: hardware-event; program: Backup; reference: url,wiki.quadrantsec.com/bin/view/Main/5000314; sid: 5000314; rev:4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MISC] Backup Exec - Service started"; content: " 57996|3a| "; classtype: system-event; program: Backup; reference: url,wiki.quadrantsec.com/bin/view/Main/5000315; sid: 5000315; rev:4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MISC] Citrix message"; classtype: system-event; program: Citrix; reference: url,wiki.quadrantsec.com/bin/view/Main/5000317; sid: 5000317; rev:3;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MISC] Trusted Platform Module [TPM] Error. 
User name not found"; content: " 17150|3a| "; classtype: unsuccessful-user; program: DAC; reference: url,wiki.quadrantsec.com/bin/view/Main/5000318; sid: 5000318; rev:4;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MISC] Eventlog service was corrupted"; content: "was corrupted"; classtype: program-error; program: Eventlog; reference: url,wiki.quadrantsec.com/bin/view/Main/5000319; sid: 5000319; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MISC] Eventlog service was stopped"; content: "Service Stopped"; classtype: system-event; program: Eventlog; reference: url,wiki.quadrantsec.com/bin/view/Main/5000320; sid: 5000320; rev:3;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MISC] Eventlog service returned error"; content: "returned error"; classtype: program-error; program: Eventlog; reference: url,wiki.quadrantsec.com/bin/view/Main/5000322; sid: 5000322; rev:3;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MISC] Eventlog service reporting uptime [in seconds]"; content: "The system uptime"; classtype: not-suspicious; program: Eventlog; reference: url,wiki.quadrantsec.com/bin/view/Main/5000323; sid: 5000323; rev:2;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MISC] IPSec message"; classtype: not-suspicious; program: IPSec; reference: url,wiki.quadrantsec.com/bin/view/Main/5000324; sid: 5000324; rev:3;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MISC] LSASRV - Could not establish a secure connection"; content: " 40961|3a| "; classtype: network-event; program: LSASRV; reference: url,wiki.quadrantsec.com/bin/view/Main/5000381; sid: 5000381; rev:4;) #alert any $EXTERNAL_NET any -> $HOME_NET $MSSQL_PORT (msg: "[WINDOWS-MISC] MS-SQL - Server started"; content: "Microsoft SQL Server"; classtype: system-event; program: MSSQLSERVER; reference: url,wiki.quadrantsec.com/bin/view/Main/5000325; sid: 5000325; rev:3;) #alert any $EXTERNAL_NET any -> $HOME_NET $MSSQL_PORT (msg: 
"[WINDOWS-MISC] MS-SQL - Server listening on network"; content: "SQL server listening"; classtype: network-event; program: MSSQLSERVER; parse_src_ip: 1; parse_port; reference: url,wiki.quadrantsec.com/bin/view/Main/5000326; sid: 5000326; rev:6;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MISC] MsiInstaller - Client successfully installed software"; content: "installed successfully"; nocase; classtype: not-suspicious; program: MsiInstaller; reference: url,wiki.quadrantsec.com/bin/view/Main/5000327; sid: 5000327; rev:2;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MISC] MsiInstaller - Google Toolbar installed"; content: "Google Toolbar"; content: "installed successfully"; nocase; classtype: policy-violation; program: MsiInstaller; reference: url,wiki.quadrantsec.com/bin/view/Main/5000328; sid: 5000328; rev:2;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MISC] MsiInstaller - Google Toolbar updated"; content: "Google Toolbar"; content: "Update"; nocase; classtype: policy-violation; program: MsiInstaller; reference: url,wiki.quadrantsec.com/bin/view/Main/5000329; sid: 5000329; rev:2;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MISC] MsiInstaller - Google Toolbar updated"; content: "Google Update Helper"; content: "Update"; nocase; classtype: policy-violation; program: MsiInstaller; reference: url,wiki.quadrantsec.com/bin/view/Main/5000331; sid: 5000331; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MISC] MsiInstaller - RegWork - Registry clearner"; content: "RegWork"; content: "Product"; classtype: policy-violation; program: MsiInstaller; reference: url,wiki.quadrantsec.com/bin/view/Main/5000330; sid: 5000330; rev:3;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MISC] MsiInstaller - Client successfully updated software"; content: "Update"; nocase; classtype: not-suspicious; program: MsiInstaller; reference: url,wiki.quadrantsec.com/bin/view/Main/5000332; 
sid: 5000332; rev:2;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MISC] NtServicePack messsage - package or hotfix installed"; content: "was installed"; classtype: not-suspicious; program: NtServicePack; reference: url,wiki.quadrantsec.com/bin/view/Main/5000334; sid: 5000334; rev:2;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MISC] SNMP Service has started successfully"; content: " 1001|3a| ""; classtype: system-event; program: SNMP; reference: url,wiki.quadrantsec.com/bin/view/Main/5000335; sid: 5000335; rev:3;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MISC] Google Software Updater service is active"; content: "Google Software Updater service"; classtype: policy-violation; program: Service; reference: url,wiki.quadrantsec.com/bin/view/Main/5000336; sid: 5000336; rev:2;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MISC] Google update service is active"; content: "Google Update Service"; classtype: policy-violation; program: Service; reference: url,wiki.quadrantsec.com/bin/view/Main/5000337; sid: 5000337; rev:2;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MISC] Google update service is active"; content: "Google Update Service"; classtype: policy-violation; program: Service; reference: url,wiki.quadrantsec.com/bin/view/Main/5000338; sid: 5000338; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MISC] Tenable Nessus service is active [pen-test tool]"; content: "Tenable Nessus"; classtype: policy-violation; program: Service; reference: url,wiki.quadrantsec.com/bin/view/Main/5000339; sid: 5000339; rev:2;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MISC] Remote Access Connection Manager service is active"; content: "Remote Access Connection Manager"; classtype: network-event; program: Service; reference: url,wiki.quadrantsec.com/bin/view/Main/5000340; sid: 5000340; rev:2;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MISC] 
Bonjour service is active [iTunes installed?]"; content: "Bonjour"; classtype: policy-violation; program: Service; reference: url,wiki.quadrantsec.com/bin/view/Main/5000382; sid: 5000382; rev:2;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MISC] Symantec AntiVirus startup successful"; content: "startup was successful"; classtype: system-event; program: Symantec; reference: url,wiki.quadrantsec.com/bin/view/Main/5000341; sid: 5000341; rev:2;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MISC] Symantec AntiVirus couldn't scan some files or directories"; content: "Could not scan"; classtype: program-error; program: Symantec; reference: url,wiki.quadrantsec.com/bin/view/Main/5000342; sid: 5000342; rev:2;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MISC] Symantec AntiVirus New virus definition file loaded"; content: "New virus definition file loaded"; classtype: not-suspicious; program: Symantec; reference: url,wiki.quadrantsec.com/bin/view/Main/5000343; sid: 5000343; rev:2;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MISC] Symantec AntiVirus Successful remote connect by administrator"; content: "with Admin role"; content: "User"; content: "connected from"; classtype: successful-admin; program: Symantec; reference: url,wiki.quadrantsec.com/bin/view/Main/5000344; sid: 5000344; rev:3;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MISC] Tenable Nessus started [pen-test tool]"; content: "started successfully"; classtype: suspicious-traffic; program: Tenable; reference: url,wiki.quadrantsec.com/bin/view/Main/5000345; sid: 5000345; rev:2;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MISC] WinRM [Windows Remote Management] is started and listening"; content: " 10148|3a| "; classtype: network-event; program: WinRM; reference: url,wiki.quadrantsec.com/bin/view/Main/5000346; sid: 5000346; rev:3;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MISC] WinVNC4 
Connection accepted"; content: "Connections"; content: "accepted"; default_proto: tcp; default_dst_port: 5900; classtype: network-event; program: WinVNC4; parse_src_ip: 1; parse_port; reference: url,wiki.quadrantsec.com/bin/view/Main/5000347; sid: 5000347; rev:5;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MISC] WinVNC4 Connection closed - Requested security type not available"; content: "Requested security type not available"; content: "closed"; default_proto: tcp; default_dst_port: 5900; classtype: suspicious-traffic; program: WinVNC4; parse_src_ip: 1; parse_port; reference: url,wiki.quadrantsec.com/bin/view/Main/5000348; sid: 5000348; rev:5;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MISC] WinVNC4 Connection blacklisted"; content: "blacklisted"; content: "Connections"; default_proto: tcp; default_dst_port: 5900; classtype: suspicious-traffic; parse_src_ip: 1; parse_port; program: WinVNC4; reference: url,wiki.quadrantsec.com/bin/view/Main/5000349; sid: 5000349; rev:5;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MISC] WinVNC4 Connection Authentication failure"; content: "Authentication failure"; default_proto: tcp; default_dst_port: 5900; classtype: unsuccessful-user; program: WinVNC4; parse_src_ip: 1; parse_port; reference: url,wiki.quadrantsec.com/bin/view/Main/5000350; sid: 5000350; rev:6;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MISC] WinVNC4 Connection close - reset by peer"; content: "Connection reset by peer"; content: "closed"; parse_src_ip: 1; parse_port; default_proto: tcp; default_dst_port: 5900; classtype: not-suspicious; program: WinVNC4; reference: url,wiki.quadrantsec.com/bin/view/Main/5000351; sid: 5000351; rev:6;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MISC] WinVNC4 Connection close - reset by peer [Non-shared]"; content: "Non-shared connection requested"; content: "closed"; parse_src_ip: 1; parse_port; default_proto: tcp; default_dst_port: 5900; 
classtype: suspicious-traffic; program: WinVNC4; reference: url,wiki.quadrantsec.com/bin/view/Main/5000352; sid: 5000352; rev:5;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MISC] WinVNC4 Connection close - reading version failed"; content: "reading version failed"; content: "closed"; parse_src_ip: 1; parse_port; default_proto: tcp; default_dst_port: 5900; classtype: suspicious-traffic; program: WinVNC4; reference: url,wiki.quadrantsec.com/bin/view/Main/5000353; sid: 5000353; rev:6;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MISC] WinVNC4 Connection closed"; content: "Clean disconnection"; content: "closed"; parse_src_ip: 1; parse_port; default_proto: tcp; default_dst_port: 5900; classtype: not-suspicious; program: WinVNC4; reference: url,wiki.quadrantsec.com/bin/view/Main/5000354; sid: 5000354; rev:5;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MISC] WinVNC4 HTTPServer event"; content: "HTTPServer"; default_proto: tcp; default_dst_port: 5900; classtype: network-event; program: WinVNC4; parse_src_ip: 1; parse_port; reference: url,wiki.quadrantsec.com/bin/view/Main/5000355; sid: 5000355; rev:4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MISC] Crypt32 Failed to extract third-party root list"; content: " 4107|3a| "; classtype: program-error; program: crypt32; reference: url,wiki.quadrantsec.com/bin/view/Main/5000356; sid: 5000356; rev:4;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MISC] Disk corruption [0/2]"; content: " 55|3a| "; classtype: hardware-event; program: Ntfs; threshold:type limit, track by_src, count 1, seconds 300; reference: url,wiki.quadrantsec.com/bin/view/Main/5001056; sid: 5001056; rev:5;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MISC] MSSQLServer I/O error"; content: " 823|3a| "; classtype: program-error; program: Ntfs; reference: url,wiki.quadrantsec.com/bin/view/Main/5001096; sid: 5001096; rev:4;) #alert any $EXTERNAL_NET any -> 
$HOME_NET any (msg: "[WINDOWS-MISC] Application uninstall"; content: " 11724|3a| "; classtype: program-error; program: MsiInstaller; reference: url,wiki.quadrantsec.com/bin/view/Main/5001182; sid: 5001182; rev:3;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MISC] Application install"; content: " 11707|3a| "; classtype: program-error; program: MsiInstaller; reference: url,wiki.quadrantsec.com/bin/view/Main/5001183; sid: 5001183; rev:3;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MISC] Windows is shutting down"; pcre: "/ 513: | 4609: /"; classtype: program-error; program: *Security*; reference: url,wiki.quadrantsec.com/bin/view/Main/5001184; sid: 5001184; rev:5;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MISC] File system full"; content: " 13570|3a| "; classtype: system-error; program: NtFrs|Ntfs; reference: url,wiki.quadrantsec.com/bin/view/Main/5001191; sid: 5001191; rev:4;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MISC] System time has changed"; pcre: "/ 520: | 4616: /"; content:!"|3a|\Program Files\VMware\VMware Tools\vmtoolsd.exe"; classtype: system-event; program: *Security*; reference: url,wiki.quadrantsec.com/bin/view/Main/5001194; sid: 5001194; rev:9;) # DHCP-Server| 1063: There are no IP addresses available for lease in the scope or superscope "VLAN_311_Example". # DHCP-Server| 1020: Scope, 10.100.1.0, is 97 percent full with only 2 IP addresses remaining. 
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MISC] DHCP Scope is almost full"; content: " 1020|3a| "; classtype: program-error; program: DHCP-Server; threshold: type limit, track by_src, count 1, seconds 900; reference: url,wiki.quadrantsec.com/bin/view/Main/5001649; sid: 5001649; rev:4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MISC] DHCP Scope is FULL"; content: "100 percent full"; content: " 1020|3a| "; classtype: program-error; program: DHCP-Server; threshold: type limit, track by_src, count 1, seconds 900; reference: url,wiki.quadrantsec.com/bin/view/Main/5001716; sid: 5001716; rev:5;) # BAD RULE BELOW #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MISC] DHCP Scope if full. No IP addresses left"; content: " 5001650|3a| "; classtype: network-event; program: DHCP-Server; reference: url,wiki.quadrantsec.com/bin/view/Main/5001650; sid: 5001650; rev:3;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MISC] Windows audit log was cleared"; pcre: "/ 517: | 1102: /"; content: "audit log was cleared"; classtype: system-event; program: *Security*|Eventlog; reference: url,wiki.quadrantsec.com/bin/view/Main/5001185; sid: 5001185; rev:8;;) # Brian Echeverry - 05/07/2015 # SID 5002272 and 5002273 are noisy. 
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS] A directory service object was modified"; content: " 5136|3a| "; classtype: configuration-change; program: *Security*; sid:5002272; rev:3;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS] A directory service object was created"; content: " 5137|3a| "; classtype: configuration-change; program: *Security*; sid:5002273; rev:3;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS] A directory service object was undeleted"; content: " 5138|3a| "; classtype: configuration-change; program: *Security*; sid:5002274; rev:3;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS] A directory service object was moved"; content: " 5139|3a| "; classtype: configuration-change; program: *Security*; sid:5002275; rev:3;) alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[WINDOWS-MISC] System shutdown [XBIT SET]"; content: " 1074|3a| "; program: System|USER32; xbits: set, reboot.windows,900; xbits:nounified2; xbits:noeve; classtype: system-event; reference: url,wiki.quadrantsec.com/bin/view/Main/5002014; sid: 5002014; rev:23;) # Added by Brian Echeverry (09/22/2015) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MISC] Microsoft Antimalware has encountered an error trying to update signatures"; program: Microsoft_Antimalware; content: " 2001|3A| "; reference: url,wiki.quadrantsec.com/bin/view/Main/5002392; threshold: type limit, track by_src, count 1, seconds 86400; classtype: program-error; sid:5002392; rev:3;) # Rules added by Brian Echeverry ( becheverry@quadrantsec.com) - 10/21/2015 alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MISC] Unable to log events to security log"; content: " 521|3a| "; threshold: type limit, track by_src, count 1, seconds 86400; classtype: program-error; program: *Security*; reference: url,wiki.quadrantsec.com/bin/view/Main/5002564; sid:5002564; rev:4;) # Added by Champ Clark III (04/20/2016) - Great read at 
http://pastebin.com/raw/0SNSvyjJ #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MISC] Installation of service via SCM"; content: " 7045|3a| "; content:!"ForeScout"; nocase; content:!"nxlog"; nocase; content:!"ccmsetup"; nocase; classtype: suspicious-traffic; program: System|Service_Control_Manager; reference: url,wiki.quadrantsec.com/bin/view/Main/5002817; reference: url,pastebin.com/raw/0SNSvyjJ; sid:5002817; rev:4;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MISC] Installation of new service via Security Audit "; pcre: "/ 4697: | 601: /"; classtype: suspicious-traffic; program: *Security*; reference: url,wiki.quadrantsec.com/bin/view/Main/5002818; reference: url,pastebin.com/raw/0SNSvyjJ; sid:5002818; rev:3;) # Added by Champ Clark III (08/19/2016) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MISC] Suspicious event logging service shut down."; content: " 1100|3a| "; xbits: isnotset,by_src,reboot.windows; classtype: suspicious-traffic; program: *Security*; reference: url,wiki.quadrantsec.com/bin/view/Main/5002941; sid:5002941; rev:4;) # Added by Champ Clark III (09/01/2016) # These target strange errors seen by evtsys. 
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MISC] Event log has been cleared."; content: " 104|3a| "; content: "cleared"; classtype: suspicious-traffic; program: Eventlog; reference: url,wiki.quadrantsec.com/bin/view/Main/5002954; sid:5002954; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MISC] Logging has been stopped on this device"; content: " 570|3a| "; content: "callback"; classtype: suspicious-traffic; program: The; reference: url,wiki.quadrantsec.com/bin/view/Main/5002955; sid:5002955; rev:3;) alert any $HOME_NET any -> $HOME_NET any (msg: "[WINDOWS-MISC] Fan failure detected"; content:" 10|3a| Fan "; content:" has failed"; classtype: hardware-event; program: System; reference: url,wiki.quadrantsec.com/bin/view/Main/5003040; sid:5003040; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MISC] Installation of PSEXEC service via Security Audit "; content: "PSEXEC"; nocase; pcre: "/ 4697: | 601: /"; classtype: suspicious-traffic; program: *Security*; reference: url,wiki.quadrantsec.com/bin/view/Main/5003105; reference: url,pastebin.com/raw/0SNSvyjJ; sid:5003105; rev:3;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MISC] Installation of PSEXEC service via SCM"; content: "PSEXEC"; nocase; content: " 7045|3a| "; content:!"ForeScout"; nocase; content:!"nxlog"; nocase; content:!"ccmsetup"; nocase; classtype: suspicious-traffic; program: System|Service_Control_Manager; reference: url,wiki.quadrantsec.com/bin/view/Main/5003106; reference: url,pastebin.com/raw/0SNSvyjJ; sid:5003106; rev:2;) sagan-1.2.0/rules/fatpipe-bluedot.rules0000644000175000017500000000543413310533411017037 0ustar champchamp# Sagan fatpipe-bluedot.rules # Copyright (c) 2009-2017, Quadrant Information Security # All rights reserved. 
# # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list # #************************************************************* # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
# #************************************************************* # 10.10.10.5|authpriv|info|info|56|2014-02-12|18:53:52|xtremed| UI Login: Success, User Name: bob, Remote IP: 10.10.10.1, Privilege: ADMINISTRATOR alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[FATPIPE-BLUEDOT] Login Success from suspicious source"; content: "Login|3a| Success"; default_proto: tcp; default_dst_port: $HTTPS_PORT; classtype: successful-admin; program: xtremed; parse_src_ip: 1; bluedot: type ip_reputation, track by_src, none, Malicious,Tor,Honeypot,Proxy; reference: url,wiki.quadrantsec.com/bin/view/Main/5002895; sid:5002895; rev:4;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[FATPIPE-BLUEDOT] Login Success - ADMINISTRATOR - from suspicious source"; content: "Login|3a| Success"; content: "ADMINISTRATOR"; default_proto: tcp; default_dst_port: $HTTPS_PORT; classtype: successful-admin; program: xtremed; parse_src_ip: 1; bluedot: type ip_reputation, track by_src, none, Malicious,Tor,Honeypot,Proxy; reference: url,wiki.quadrantsec.com/bin/view/Main/5002896; sid:5002896; rev:4;) sagan-1.2.0/rules/artillery.rules0000644000175000017500000002017313310533411015757 0ustar champchamp# Sagan artillery.rules # Copyright (c) 2009-2017, Quadrant Information Security # All rights reserved. # # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list # #************************************************************* # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. 
# * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. # #************************************************************* # "Artillery" is a project by TrustedSec that monitors, detects & blocks attacks. It is written in Python # and acts as a HIDS. Artillery has the ability to write to local or remote syslog servers. These # Sagan rules trigger when Artillery detects something bad. These rules also act as a "gateway" between # Artillery and Snort consoles (Snorby/Sguil/etc). # # From the Artillery website: "The purpose of Artillery is to provide a combination of a honeypot, file-system # monitoring, system hardening, real-time threat intelligence feeds, and overall health of a server to create a # comprehensive way to secure a system." # # Artillery is written by Dave Kennedy and the TrustedSec crew (@HackingDave / @TrustedSec). For more # information about Artillery, see https://www.trustedsec.com/downloads/artillery/ # # Alerts on anything from the program "Artillery". 
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[ARTILLERY] General Artillery Message"; classtype: suspicious-traffic; program: Artillery; parse_src_ip: 1; parse_dst_ip: 2; parse_proto; reference: url,wiki.quadrantsec.com/bin/view/Main/5002080; reference: url,www.trustedsec.com/downloads/artillery; sid:5002080; rev:2;) # ftp_monitor.py # write_log("Artillery has blocked (blacklisted) the following IP for FTP brute forcing violations: " + ipaddress) alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[ARTILLERY] FTP brute force violation"; content: "FTP brute forcing"; xbits: set,brute_force&honeypot,21600; default_proto: tcp; default_dst_port: $FTP_PORT; classtype: unsuccessful-user; parse_src_ip: 1; program: Artillery; reference: url,wiki.quadrantsec.com/bin/view/Main/5002081; reference: url,www.trustedsec.com/downloads/artillery; sid:5002081; rev:6;) # harden.py # Issue identified: %s permissions are not set to root. If an attacker compromises the system and is running under the Apache user account, could view these files. Recommendation: Change the permission of %s to root:root. Command: chown root:root %s\n\n" % (filename,filename,filename) alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[ARTILLERY] Issue identified - Permissions not set as root"; content: "not set to root"; content: "Issue identified|3a|"; classtype: configuration-error; program: Artillery; reference: url,wiki.quadrantsec.com/bin/view/Main/5002082; reference: url,www.trustedsec.com/downloads/artillery; sid:5002082; rev:3;) # harden.py # Issue identified: /etc/vsftpd.conf allows Anonymous login. An attacker can gain a foothold to the system with absolutel zero effort. 
Recommendation: Change anonymous_enable yes to anonymous_enable no\n\n" alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[ARTILLERY] Issue identified - vsftp.conf Anonymous FTP allowed"; content: "vsftpd.conf allows Anonymous login"; content: "Issue identified|3a|"; classtype: configuration-error; program: Artillery; reference: url,wiki.quadrantsec.com/bin/view/Main/5002083; reference: url,www.trustedsec.com/downloads/artillery; sid:5002083; rev:3;) # harden.py # Issue identified: /etc/ssh/sshd_config. SSH is running on the default port 22. An attacker commonly scans for these type of ports. Recommendation: Change the port to something high that doesn't get picked up by typical port scanners.\n\n" alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[ARTILLERY] Issue identified - SSH running on default TCP port 22"; content: "Issue identified|3a|"; content: "SSH is running on the default port 22"; classtype: configuration-error; program: Artillery; reference: url,wiki.quadrantsec.com/bin/view/Main/5002084; reference: url,www.trustedsec.com/downloads/artillery; sid:5002084; rev:2;) # harden.py # Issue identified: /etc/ssh/sshd_config allows RootLogin. An attacker can gain root access to the system if password is guessed. Recommendation: Change RootLogin yes to RootLogin no\n\n" alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[ARTILLERY] Issue identified - sshd_config allows RootLogin"; content: "sshd_config allows RootLogin"; content: "Issue identified|3a|"; classtype: configuration-error; program: Artillery; reference: url,wiki.quadrantsec.com/bin/view/Main/5002085; reference: url,www.trustedsec.com/downloads/artillery; sid:5002085; rev:3;) # honeypot.py # %s [!] 
Artillery has blocked (and blacklisted) the IP Address: %s for connecting to a honeypot restricted port: %s" % (now, ip, port) alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[ARTILLERY] Honeyport blocked/blacklisted address"; content: "honeypot restricted port"; content: "blocked"; parse_src_ip: 1; xbits: set,honeypot,86400; classtype: suspicious-traffic; program: Artillery; reference: url,wiki.quadrantsec.com/bin/view/Main/5002086; reference: url,www.trustedsec.com/downloads/artillery; sid:5002086; rev:4;) # honeypot.py # %s [!] Artillery has detected an attack from IP address: %s for a connection on a honeypot port: %s" % (now, ip, port) alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[ARTILLERY] Honeyport attack detected"; content: "detected an attack"; content: "honeypot"; parse_src_ip: 1; xbits: set,honeypot,86400; classtype: suspicious-traffic; program: Artillery; reference: url,wiki.quadrantsec.com/bin/view/Main/5002087; reference: url,www.trustedsec.com/downloads/artillery; sid:5002087; rev:3;) # monitor.py # output_file = "********************************** The following changes were detect at %s **********************************\n" % (datetime.datetime.now()) + output_file + "\n********************************** End of changes. 
**********************************\n\n" # warn_the_good_guys(subject, output_file) alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[ARTILLERY] File changes have occured"; content: "following changes were detect"; classtype: suspicious-traffic; program: Artillery; reference: url,wiki.quadrantsec.com/bin/view/Main/5002088; reference: url,www.trustedsec.com/downloads/artillery; sid:5002088; rev:2;) # ssh_monitor.py # alert = "Artillery has blocked (blacklisted) the following IP for SSH brute forcing violations: " + ipaddress alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[ARTILLERY] SSH brute force violation"; content: "SSH brute forcing violations"; xbits: set,brute_force&honeypot,86400; default_proto: tcp; default_dst_port: $SSH_PORT; classtype: unsuccessful-user; parse_src_ip: 1; program: Artillery; reference: url,wiki.quadrantsec.com/bin/view/Main/5002089; reference: url,www.trustedsec.com/downloads/artillery; sid:5002089; rev:3;) sagan-1.2.0/rules/bash.rules0000644000175000017500000003316313310533411014670 0ustar champchamp# Sagan bash.rules # Copyright (c) 2009-2017, Quadrant Information Security # All rights reserved. # # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list # #************************************************************* # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. 
# # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. # #************************************************************* # # The following rules require bash to be compiled with syslog history support. Without this, there is no way # for sagan to "see" what users type. For more information, see: # # http://blog.rootshell.be/2009/02/28/bash-history-to-syslog/ # # Gentoo users can rebuild bash with the "logger" USE flag. 
# alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[BASH] ./a.out execution attempt"; content:"./a.out"; content:"HISTORY"; classtype: suspicious-command; reference: url,wiki.quadrantsec.com/bin/view/Main/5000000; program: bash|-bash|sh|-sh; sid:5000000; rev:5;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[BASH] gcc execution"; content:"gcc "; content:"HISTORY"; classtype: suspicious-command; reference: url,wiki.quadrantsec.com/bin/view/Main/5000001; program: bash|-bash|sh|-sh; sid:5000001; rev:5;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[BASH] telnet execution"; content:"telnet "; content:"HISTORY"; classtype: suspicious-command; reference: url,wiki.quadrantsec.com/bin/view/Main/5000002; program: bash|-bash|sh|-sh; sid:5000002; rev:5;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[BASH] nmap execution"; content:"nmap "; content:"HISTORY"; classtype: suspicious-command; reference: url,wiki.quadrantsec.com/bin/view/Main/5000003; program: bash|-bash|sh|-sh; sid:5000003; rev:5;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[BASH] /etc/passwd access"; content:"/etc/passwd"; content:"HISTORY"; classtype: suspicious-command; reference: url,wiki.quadrantsec.com/bin/view/Main/5000004; program: bash|-bash|sh|-sh; sid:5000004; rev:5;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[BASH] /etc/shadow access"; content:"/etc/shadow"; content:"HISTORY"; classtype: suspicious-command; reference: url,wiki.quadrantsec.com/bin/view/Main/5000005; program: bash|-bash|sh|-sh; sid:5000005; rev:5;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[BASH] make execution"; content:"make"; content:"HISTORY"; classtype: suspicious-command; reference: url,wiki.quadrantsec.com/bin/view/Main/5000006; program: bash|-bash|sh|-sh; sid:5000006; rev:5;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[BASH] make execution"; content:"make "; content:"HISTORY"; classtype: suspicious-command; reference: url,wiki.quadrantsec.com/bin/view/Main/5000007; program: 
bash|-bash|sh|-sh; sid:5000007; rev:5;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[BASH] /bin/sh command line call"; content:"/bin/sh"; content:"HISTORY"; classtype: suspicious-command; reference: url,wiki.quadrantsec.com/bin/view/Main/5000008; program: bash|-bash|sh|-sh; sid:5000008; rev:5;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[BASH] /bin/bash command line call"; content:"/bin/bash"; content:"HISTORY"; classtype: suspicious-command; reference: url,wiki.quadrantsec.com/bin/view/Main/5000009; program: bash|-bash|sh|-sh; sid:5000009; rev:5;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[BASH] HISTORY=/dev/null"; content:"HISTORY=/dev/null"; classtype: suspicious-command; reference: url,wiki.quadrantsec.com/bin/view/Main/5000010; program: bash|-bash|sh|-sh; sid:5000010; rev:5;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[BASH] .bash_history access"; content:".bash_history"; content:"HISTORY"; classtype: suspicious-command; reference: url,wiki.quadrantsec.com/bin/view/Main/5000011; program: bash|-bash|sh|-sh; sid:5000011; rev:5;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[BASH] /tmp/sh access"; content:"/tmp/sh"; content:"HISTORY"; classtype: suspicious-command; reference: url,wiki.quadrantsec.com/bin/view/Main/5000012; program: bash|-bash|sh|-sh; sid:5000012; rev:5;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[BASH] suidperl access"; content:"suidperl"; content:"HISTORY"; classtype: suspicious-command; reference: url,wiki.quadrantsec.com/bin/view/Main/5000013; program: bash|-bash|sh|-sh; sid:5000013; rev:5;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[BASH] histfile=/dev/null"; content:"histfile=/dev/null"; content:"HISTORY"; classtype: suspicious-command; reference: url,wiki.quadrantsec.com/bin/view/Main/5000014; program: bash|-bash|sh|-sh; sid:5000014; rev:5;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[BASH] iptables command access"; content:"iptables"; content: "HISTORY"; classtype: 
suspicious-command; reference: url,wiki.quadrantsec.com/bin/view/Main/5000385; program: bash|-bash|sh|-sh; sid:5000385; rev:5;) # CVE-2014-6271 (09/24/2014 - Champ Clark III) alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[BASH] Remote execution attempt via CVE-2014-6271"; content:"|28 29| { |3a 3b|}"; content: "HISTORY"; program: bash|-bash|sh|-sh; classtype: exploit-attempt; xbits: set, exploit_attempt, 86400; reference: url,wiki.quadrantsec.com/bin/view/Main/5002179; reference: url,web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6271; sid:5002179; rev:3;) # Submitted by Aleksey Chudov (07/14/2015). alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[BASH] History hiding"; content:"HISTORY"; pcre:"/\s+(HISTFILE|HISTFILESIZE|HISTSIZE)/"; classtype:suspicious-command; program:bash|-bash|sh|-sh; sid:5002303; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[BASH] History hiding"; content:"HISTORY"; pcre:"/\s+history\s+(-\w+\s+)*-\w*(c|d|w)/"; classtype:suspicious-command; program:bash|-bash|sh|-sh; sid:5002304; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[BASH] .mysql_history access"; content:"HISTORY"; content:".mysql_history"; classtype:suspicious-command; program:bash|-bash|sh|-sh; sid:5002305; rev:2;); alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[BASH] Netcat execution"; content:"HISTORY"; pcre:"/\s+(nc|ncat|netcat)\s+/"; classtype:suspicious-command; program:bash|-bash|sh|-sh; sid:5002306; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[BASH] Python socket execution"; content:"HISTORY"; content:"python"; content:"socket"; classtype:suspicious-command; program:bash|-bash|sh|-sh; sid:5002307; rev:2;); alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[BASH] Python subproces execution"; content:"HISTORY"; content:"python"; content:"subproces"; classtype:suspicious-command; program:bash|-bash|sh|-sh; sid:5002308; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[BASH] PHP socket execution"; 
content:"HISTORY"; content:"php"; content:"sock"; classtype:suspicious-command; program:bash|-bash|sh|-sh; sid:5002309; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[BASH] PHP subproces execution"; content:"HISTORY"; content:"php"; content:"exec"; classtype:suspicious-command; program:bash|-bash|sh|-sh; sid:5002310; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[BASH] Perl socket execution"; content:"HISTORY"; content:"perl"; content:"ocket"; classtype:suspicious-command; program:bash|-bash|sh|-sh; sid:5002311; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[BASH] Perl subproces execution"; content:"HISTORY"; content:"perl"; content:"fork"; classtype:suspicious-command; program:bash|-bash|sh|-sh; sid:5002312; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[BASH] Ruby socket execution"; content:"HISTORY"; content:"ruby"; content:"ocket"; classtype:suspicious-command; program:bash|-bash|sh|-sh; sid:5002313; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[BASH] Ruby subproces execution"; content:"HISTORY"; content:"ruby"; content:"exec"; classtype:suspicious-command; program:bash|-bash|sh|-sh; sid:5002314; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[BASH] mknod execution [XBIT SET]"; content:"HISTORY"; content:"mknod"; xbits:set,mknod_executed,60; xbits:nounified2; xbits:noeve; classtype:suspicious-command; program:bash|-bash|sh|-sh; sid:5002315; rev:5;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[BASH] telnet reverse shell execution"; content:"HISTORY"; content:"telnet"; xbits:isset,by_src,mknod_executed; classtype:suspicious-command; program:bash|-bash|sh|-sh; sid:5002316; rev:3;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[BASH] /dev/tcp access"; content:"HISTORY"; content:"/dev/tcp"; classtype:suspicious-command; program:bash|-bash|sh|-sh; sid:5002317; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[BASH] /dev/udp access"; content:"HISTORY"; 
content:"/dev/udp"; classtype:suspicious-command; program:bash|-bash|sh|-sh; sid:5002318; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[BASH] csh shell execution"; content:"HISTORY"; pcre:"/\s+((\/usr)?\/s?bin\/)?csh/"; classtype:suspicious-command; program:bash|-bash|sh|-sh; sid:5002319; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[BASH] ksh shell execution"; content:"HISTORY"; pcre:"/\s+((\/usr)?\/s?bin\/)?ksh/"; classtype:suspicious-command; program:bash|-bash|sh|-sh; sid:5002320; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[BASH] tcsh shell execution"; content:"HISTORY"; pcre:"/\s+((\/usr)?\/s?bin\/)?tcsh/"; classtype:suspicious-command; program:bash|-bash|sh|-sh; sid:5002321; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[BASH] zsh shell execution"; content:"HISTORY"; pcre:"/\s+((\/usr)?\/s?bin\/)?zsh/"; classtype:suspicious-command; program:bash|-bash|sh|-sh; sid:5002322; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[BASH] stunnel execution"; content:"HISTORY"; content:"stunnel"; classtype:suspicious-command; program:bash|-bash|sh|-sh; sid:5002323; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[BASH] SSH agent forwarding"; content:"HISTORY"; content:"ssh"; content:"-A "; classtype:suspicious-command; program:bash|-bash|sh|-sh; sid:5002324; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[BASH] SSH dynamic forwarding"; content:"HISTORY"; content:"ssh"; content:"-D "; classtype:suspicious-command; program:bash|-bash|sh|-sh; sid:5002325; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[BASH] SSH GSSAPI forwarding"; content:"HISTORY"; content:"ssh"; content:"-K "; classtype:suspicious-command; program:bash|-bash|sh|-sh; sid:5002326; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[BASH] SSH local forwarding"; content:"HISTORY"; content:"ssh"; content:"-L "; classtype:suspicious-command; program:bash|-bash|sh|-sh; sid:5002327; rev:2;) alert any 
$EXTERNAL_NET any -> $HOME_NET any (msg:"[BASH] SSH remote forwarding"; content:"HISTORY"; content:"ssh"; content:"-R "; classtype:suspicious-command; program:bash|-bash|sh|-sh; sid:5002328; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[BASH] SSH input and output forwarding"; content:"HISTORY"; content:"ssh"; content:"-W "; classtype:suspicious-command; program:bash|-bash|sh|-sh; sid:5002329; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[BASH] SSH tunnel forwarding"; content:"HISTORY"; content:"ssh"; content:"-w "; classtype:suspicious-command; program:bash|-bash|sh|-sh; sid:5002330; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[BASH] SSH X11 forwarding"; content:"HISTORY"; content:"ssh"; content:"-X "; classtype:suspicious-command; program:bash|-bash|sh|-sh; sid:5002331; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[BASH] SSH X11 trusted forwarding"; content:"HISTORY"; content:"ssh"; content:"-Y "; classtype:suspicious-command; program:bash|-bash|sh|-sh; sid:5002332; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[BASH] LD_PRELOAD environment variable access"; content:"HISTORY"; content:"LD_PRELOAD"; classtype:suspicious-command; program:bash|-bash|sh|-sh; sid:5002333; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[BASH] LD_LIBRARY_PATH environment variable access"; content:"HISTORY"; content:"LD_LIBRARY_PATH"; classtype:suspicious-command; program:bash|-bash|sh|-sh; sid:5002334; rev:2;) # Rules added by Brian Echeverry ( becheverry@quadrantsec.com) - 10/21/2015 alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[BASH] root password change attempt"; content:"passwd"; content:"root"; content:"HISTORY"; classtype: suspicious-command; reference: url,wiki.quadrantsec.com/bin/view/Main/5002565; program: bash|-bash|sh|-sh; sid:5002565; rev:2;) sagan-1.2.0/rules/symantec-ems.rules0000644000175000017500000001402313310533411016352 0ustar champchamp# Sagan symantic-ems.rules # Copyright (c) 
2009-2017, Quadrant Information Security # All rights reserved. # # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list # #************************************************************* # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
# #************************************************************* # Successful login #alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[SYMANTEC-EMS] Authentication success"; content: "authenticated internal PGP Desktop"; parse_src_ip: 2; default_proto: tcp; default_dst_port: 389; classtype: successful-user; program: pgp/client; reference: url,wiki.quadrantsec.com/bin/view/Main/5001675; sid: 5001675; rev:3;) # Unsuccessful login #alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[SYMANTEC-EMS] Authentication failure"; content: "failed authentication for internal PGP Desktop"; parse_src_ip: 2; default_proto: tcp; default_dst_port: 389; classtype: unsuccessful-user; program: pgp/client; reference: url,wiki.quadrantsec.com/bin/view/Main/5001676; sid: 5001676; rev:3;) # Multiple login failures - Brute Force alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[SYMANTEC-EMS] Multiple authentication failures"; content: "failed authentication for internal PGP Desktop"; content:!"null"; parse_src_ip: 2; default_proto: tcp; default_dst_port: 389; classtype: unsuccessful-user; program: pgp/client; threshold:type limit, track by_src, count 5, seconds 300; xbits: set,brute_force,21600; reference: url,wiki.quadrantsec.com/bin/view/Main/5001677; sid: 5001677; rev:4;) # Unsuccessful login #alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[SYMANTEC-EMS] Authorization failure"; content: "authorization failed for this operation"; parse_src_ip: 2; default_proto: tcp; default_dst_port: 389; classtype: unsuccessful-user; program: pgp/client; reference: url,wiki.quadrantsec.com/bin/view/Main/5001678; sid: 5001678; rev:3;) # Multiple login failures - Brute Force #alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[SYMANTEC-EMS] Multiple authorization failures"; content: "authorization failed for this operation"; parse_src_ip: 2; default_proto: tcp; default_dst_port: 389; classtype: unsuccessful-user; program: pgp/client; threshold:type limit, track by_src, count 5, seconds 300; 
reference: url,wiki.quadrantsec.com/bin/view/Main/5001679; sid: 5001679; rev:3;) # Encrypted Partition Mount Failure #alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[SYMANTEC-EMS] Encrypted partition mount failure"; content: "WDE Event"; content: "mount"; content: "failure"; default_proto: tcp; default_dst_port: 389; classtype: hardware-event; program: pgp/client; reference: url,wiki.quadrantsec.com/bin/view/Main/5001680; sid: 5001680; rev:3;) # Error-regrouping - expired key #alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[SYMANTEC-EMS] Error regrouping - expired key"; content: "error while regrouping consumer"; content: "key has expired"; default_proto: tcp; default_dst_port: 389; classtype: hardware-event; program: pgp/groupd; reference: url,wiki.quadrantsec.com/bin/view/Main/5001681; sid: 5001681; rev:3;) # Error-regrouping - cannot delete object #alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[SYMANTEC-EMS] Error regrouping - expired key"; content: "error while regrouping consumer"; content: "cannot delete derived object while source object"; default_proto: tcp; default_dst_port: 389; classtype: hardware-event; program: pgp/groupd; reference: url,wiki.quadrantsec.com/bin/view/Main/5001682; sid: 5001682; rev:3;) # Error-reqrouping - bad parameters #alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[SYMANTEC-EMS] Error regrouping - bad parameters"; content: "error while regrouping consumer"; content: "bad parameters"; default_proto: tcp; default_dst_port: 389; classtype: unsuccessful-user; program: pgp/groupd; reference: url,wiki.quadrantsec.com/bin/view/Main/5001683; sid: 5001683; rev:3;) # Failed to map user to a directory #alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[SYMANTEC-EMS] Failed to map user to a directory"; content: "failed to map consumer"; content: "to a directory"; default_proto: tcp; default_dst_port: 389; classtype: unsuccessful-user; program: pgp/groupd; reference: url,wiki.quadrantsec.com/bin/view/Main/5001684; sid: 
5001684; rev:3;) # LDAP key error - name lookup failed alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[SYMANTEC-EMS] LDAP key error - name lookup failed"; content: "error searching for key"; content: "LDAP"; content: "name lookup failed"; default_proto: tcp; default_dst_port: 389; classtype: unsuccessful-user; program: pgp/client; reference: url,wiki.quadrantsec.com/bin/view/Main/5001685; sid: 5001685; rev:3;) sagan-1.2.0/rules/bro-ids.rules0000644000175000017500000002537313310533411015316 0ustar champchamp# Sagan bro-ids.rules # Copyright (c) 2009-2017, Quadrant Information Security # All rights reserved. # # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list # #************************************************************* # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. 
IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. # #***************************************************************************** # # Note: Your syslog daemon will need to forward Bro logs to your Sagan server. With syslog-ng, you would do # something like this: # # destination sagan_box { udp("10.10.10.10" port(514)); } ; # source s_bro_notice { file("/var/log/bro/log/current/notice.log" flags(no-parse) program_override("bro")); }; # log { source(s_bro_notice); destination(sagan_box); }; # # For rsyslog, see: http://www.rsyslog.com/doc/imfile.html # # The syslog "program" field will _need_ to be "bro"! # #***************************************************************************** # # Submitted by Brad Doctor (July 2nd, 2010). 
For more information see # http://www.bro-ids.org/ # # (Legacy Bro rules) - Now disabled by default #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[BRO] Successful Password Guessing [0/5]"; content: "SuccessfulPasswordGuessing"; program: bro; parse_src_ip: 1; parse_dst_ip: 2; default_proto: tcp; classtype: successful-user; reference: url,wiki.quadrantsec.com/bin/view/Main/5000883; sid: 5000883; threshold: type limit, track by_src, count 5, seconds 120; rev:4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[BRO] Protocol Violation [0/5]"; content: "ProtocolViolation"; program: bro; parse_src_ip: 1; parse_dst_ip: 2; default_proto: tcp; classtype: policy-violation; reference: url,wiki.quadrantsec.com/bin/view/Main/5000884; sid: 5000884; threshold: type limit, track by_src, count 5, seconds 120; rev:4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[BRO] Sensitive Login [0/5]"; content: "SensitiveLogin"; program: bro; parse_src_ip: 1; parse_dst_ip: 2; default_proto: tcp; classtype: suspicious-login; reference: url,wiki.quadrantsec.com/bin/view/Main/5000885; sid: 5000885; threshold: type limit, track by_src, count 5, seconds 120; rev:4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[BRO] Sensitive Connection [0/5]"; content: "SensitiveConnection"; program: parse_src_ip: 1; parse_dst_ip: 2; bro; default_proto: tcp; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/5000886; sid: 5000886; threshold: type limit, track by_src, count 5, seconds 120; rev:4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[BRO] Sensitive Username in password [0/5]"; program: bro; parse_src_ip: 1; parse_dst_ip: 2; content: "SensitiveUsernameInPassword"; default_proto: tcp; classtype: successful-admin; url,wiki.quadrantsec.com/bin/view/Main/5000887; sid: 5000887; threshold: type limit, track by_src, count 5, seconds 120; rev:4;) # Robert Nunley & Champ Clark - 06/10/2014 alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[BRO] SSH 
Password_Guessing [0/5]"; content: "SSH|3a 3a|Password_Guessing"; program: bro; default_proto: tcp; default_dst_port: $SSH_PORT; classtype: misc-attack; parse_src_ip: 1; parse_dst_ip: 2; threshold: type limit, track by_src, count 1, seconds 120; xbits: set,brute_force,21600; reference: url,wiki.quadrantsec.com/bin/view/Main/5002063; sid: 5002063; rev:5;) # Note: You will need licensing to use the Team Cymru Malware Hash Registry for corporate use. See http://www.team-cymru.org/Services/MHR/ alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[BRO] TeamCymruMalwareHashRegistry Match"; content: "TeamCymruMalwareHashRegistry|3a 3a|Match"; parse_src_ip: 1; parse_dst_ip: 2; program: bro; reference: url,www.team-cymru.org/Services/MHR/; classtype: trojan-activity; sid: 5002064; rev:3;) # Triggers many F/P #alert any $EXTERNAL_NET any -> $HOME_NET $HTTP_PORT (msg: "[BRO] HTTP SQL_Injection_Attacker"; content: "HTTP|3a 3a|SQL_Injection_Attacker"; parse_src_ip: 1; parse_dst_ip: 2; program: bro; reference: url,wiki.quadrantsec.com/bin/view/Main/5002065; default_proto: tcp; default_dst_port: $HTTP_PORT; classtype: web-application-attack; sid: 5002065; rev:4;) #alert any $EXTERNAL_NET any -> $HTTP_PORT any (msg: "[BRO] HTTP SQL_Injection_Victim"; content: "HTTP|3a 3a|SQL_Injection_Victim"; program: bro; parse_src_ip: 1; parse_dst_ip: 2; reference: url,wiki.quadrantsec.com/bin/view/Main/5002066; default_proto: tcp; default_dst_port: $HTTP_PORT; classtype: web-application-attack; sid: 5002066; rev:3;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[BRO] SSH Login_By_Password_Guesser"; content: "SSH|3a 3a|Login_By_Password_Guesser"; program: bro; parse_src_ip: 1; parse_dst_ip: 2; xbits: set,brute_force,21600; reference: url,wiki.quadrantsec.com/bin/view/Main/5002067; default_proto: tcp; default_dst_port: $SSH_PORT; classtype: successful-user; sid: 5002067; rev:4;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[BRO] SSH Watched_Country_Login"; content: "SSH|3a 
3a|Watched_Country_Login"; program: bro; parse_src_ip: 1; parse_dst_ip: 2; reference: url,wiki.quadrantsec.com/bin/view/Main/5002068; default_proto: tcp; default_dst_port: $SSH_PORT; classtype: successful-user; sid: 5002068; rev:3;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[BRO] 10+ SSL Invalid_Server_Cert in 30 seconds [10/5]"; content: "SSL|3a 3a|Invalid_Server_Cert"; program: bro; parse_src_ip: 1; parse_dst_ip: 2; after: track by_src, count 10, seconds 30; threshold: type limit, track by_src, count 5, seconds 300; reference: url,wiki.quadrantsec.com/bin/view/Main/5002069; default_proto: tcp; default_dst_port: $HTTPS_PORT; classtype: suspicious-traffic; sid: 5002069; rev:5;) # Robert Nunley & Champ Clark - 06/11/2014 alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[BRO] 10+ unable to get local issuer certificate in 30 seconds [10/5]"; content: "unable to get local issuer certificate"; program: bro; parse_src_ip: 1; parse_dst_ip: 2; after: track by_src, count 10, seconds 30; threshold: type limit, track by_src, count 5, seconds 300; reference: url,wiki.quadrantsec.com/bin/view/Main/5002070; default_proto: tcp; default_dst_port: $HTTPS_PORT; classtype: suspicious-traffic; sid: 5002070; rev:4;) # These rules are based on Bro scripts from Liam Randall. They are located at: https://github.com/LiamRandall/BroMalware-Exercise. These will need to be loaded into Bro to trigger! 
# https://github.com/LiamRandall/BroMalware-Exercise/tree/master/solutions/zeroaccess
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[BRO] ZeroAccess ZeroAccess_Client [0/5]"; content: "ZeroAccess|3a 3a|ZeroAccess_Client"; program: bro; parse_src_ip: 1; parse_dst_ip: 2; threshold: type limit, track by_src, count 5, seconds 300; default_proto: udp; classtype: trojan-activity; reference: url,wiki.quadrantsec.com/bin/view/Main/5002071; reference: url,github.com/LiamRandall/BroMalware-Exercise/tree/master/solutions/zeroaccess; sid: 5002071; rev:4;)
# Bitcoin mining detection
# NOTE: the exercise link below points at the lurk0 solution directory; confirm where the
# Bitcoin miner script actually lives in the BroMalware-Exercise repository before relying on it.
# https://github.com/LiamRandall/BroMalware-Exercise/tree/master/solutions/lurk0
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[BRO] Bitcoin Miner [0/10]"; content: "Bitcoin|3a 3a|Miner"; program: bro; parse_src_ip: 1; parse_dst_ip: 2; threshold: type limit, track by_src, count 10, seconds 300; default_proto: tcp; classtype: trojan-activity; reference: url,wiki.quadrantsec.com/bin/view/Main/5002074; reference: url,github.com/LiamRandall/BroMalware-Exercise/tree/master/solutions/lurk0; sid: 5002074; rev:5;)
# https://github.com/LiamRandall/BroMalware-Exercise/tree/master/solutions/lurk0
# Lurk0 RAT ::Lurk0_Client
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[BRO] Probable LURK0 RAT C&C Access"; content: "Lurk0|3a 3a|Lurk0_Client"; program: bro; parse_src_ip: 1; parse_dst_ip: 2; default_proto: tcp; classtype: trojan-activity; reference: url,wiki.quadrantsec.com/bin/view/Main/5002072; reference: url,github.com/LiamRandall/BroMalware-Exercise/tree/master/solutions/lurk0; sid: 5002072; rev:4;)
# Sidejacking
# Added in the main Bro repo. See http://matthias.vallentin.net/blog/2010/10/taming-the-sheep-detecting-sidejacking-with-bro/ for more details.
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[BRO] Sidejacking attack detected"; content: "Sidejacking"; program: bro; parse_src_ip: 1; parse_dst_ip: 2; default_proto: tcp; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/5002073; reference: url,matthias.vallentin.net/blog/2010/10/taming-the-sheep-detecting-sidejacking-with-bro; sid: 5002073; rev:4;)
# This rule detects port scanning by internal (RFC1918) systems and ignores scans from any other
# source. The scanner is the first IP in the notice (parse_src_ip: 1), as in the example log below.
# It fires at most once per source per 24 hours and sets the "recon" xbit for 24 hours.
# The pcre is anchored with \b so that e.g. "110.1.2.3 scanned" is not mistaken for a 10/8 address.
# Example log:
#1459283371.705967 - - - - - - - - - Scan::Port_Scan 10.1.0.34 scanned at least 15 unique ports of host 10.1.0.4 in 0m2s local 10.1.0.34 10.1.0.4 - - bro Notice::ACTION_LOG 3600.000000 F - - - - -
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[BRO] RFC1918 address scanning the network"; content: "Scan|3a 3a|Port_Scan"; pcre:"/\b(192\.168\.\d+\.\d+|10\.\d+\.\d+\.\d+|172\.(1[6-9]|2\d|3[01])\.\d+\.\d+) scanned at least \d+ unique ports/smi"; program: bro; parse_src_ip: 1; threshold: type limit, track by_src, count 1, seconds 86400; xbits: set,recon,86400; classtype: attempted-recon; reference: url,wiki.quadrantsec.com/bin/view/Main/5002798; sid:5002798; rev:5;)
sagan-1.2.0/rules/hostapd.rules0000644000175000017500000001040613310533411015410 0ustar champchamp# Sagan hostapd.rules
# Copyright (c) 2009-2017, Quadrant Information Security
# All rights reserved.
#
# Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list
#
#*************************************************************
# Redistribution and use in source and binary forms, with or without modification, are permitted provided that the
# following conditions are met:
#
# * Redistributions of source code must retain the above copyright notice, this list of conditions and the following
# disclaimer.
# * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
# #************************************************************* alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[HOSTAPD] Possible downgrade attack"; program: hostapd; content: "downgrade attack"; classtype: suspicious-traffic; reference: url, wiki.quadrantsec.com/bin/view/Main/5001041; sid: 5001041; rev: 2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[HOSTAPD] Possible downgrade attack"; program: hostapd; content: "TLSv1"; content: "Failed to decrypt"; classtype: unsuccessful-user ; reference: url, wiki.quadrantsec.com/bin/view/Main/5001042; sid: 5001042; rev: 2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[HOSTAPD] UPnP DoS excessive addresses [DoS]"; program: hostapd; content: "UPnP"; content: "Ignoring excessive addresses"; classtype: attempted-dos; reference: url, wiki.quadrantsec.com/bin/view/Main/5001043; sid: 5001043; rev: 2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[HOSTAPD] Radius - Starting accounting session"; program: hostapd; content: "RADIUS"; content: "starting accounting session"; classtype: not-suspicious; reference: url, wiki.quadrantsec.com/bin/view/Main/5001044; sid: 5001044; rev: 2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[HOSTAPD] WPA pairwise key handshake complete"; program: hostapd; content: "WPA"; content: "pairwise key handshake completed"; classtype: not-suspicious; reference: url, wiki.quadrantsec.com/bin/view/Main/5001045; sid: 5001045; rev: 2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[HOSTAPD] IEEE 802.11 - Disassociated"; program: hostapd; content: "IEEE 802.11"; content: "disassociated"; classtype: not-suspicious; reference: url, wiki.quadrantsec.com/bin/view/Main/5001046; sid: 5001046; rev: 2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[HOSTAPD] IEEE 802.11 - Associated"; program: hostapd; content: "IEEE 802.11"; content: " associated"; classtype: successful-user; reference: url, wiki.quadrantsec.com/bin/view/Main/5001047; sid: 5001047; rev: 2;) alert any 
$EXTERNAL_NET any -> $HOME_NET any (msg: "[HOSTAPD] WPA - group key handshake complete [RSN]"; program: hostapd; content: "WPA"; content: "group key handshake completed"; classtype: not-suspicious; reference: url, wiki.quadrantsec.com/bin/view/Main/5001048; sid: 5001048; rev: 2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[HOSTAPD] IEEE 802.11 - deauthenticated due to local deauth request"; program: hostapd; content: "IEEE 802.11"; content: "deauthenticated due to local deauth request"; classtype: not-suspicious; reference: url, wiki.quadrantsec.com/bin/view/Main/5001049; sid: 5001049; rev: 2;) sagan-1.2.0/rules/cisco-bluedot.rules0000644000175000017500000002051513310533411016504 0ustar champchamp# Sagan cisco-bluedot.rules # Copyright (c) 2009-2017, Quadrant Information Security # All rights reserved. # # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list # #************************************************************* # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. 
IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. # alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[CISCO-BLUEDOT] Suspicious TCP connection detected via Bluedot"; program: %ASA*-6-*|%ASA*-7-*; content: " TCP "; content:!" bytes 0 "; bluedot: type ip_reputation, track all, mdate_effective_period 1 months, Malicious,Tor,Proxy; normalize; parse_src_ip: 1; parse_dst_ip: 2; threshold: type limit, track by_src, count 1, seconds 7200; default_proto: tcp; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/5002868; sid: 5002868; rev:7;) alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[CISCO-BLUEDOT] Suspicious UDP connection detected via Bluedot"; program: %ASA*-6-*|%ASA*-7-*; content: " UDP "; content:!" 
bytes 0 "; content:!"|2f|123 "; bluedot: type ip_reputation, track all, mdate_effective_period 1 months, Malicious,Tor,Proxy; normalize; parse_src_ip: 1; parse_dst_ip: 2; threshold: type limit, track by_src, count 1, seconds 7200; default_proto: udp; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/5002869; sid: 5002869; rev:10;)
alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[CISCO-BLUEDOT] Suspicious ICMP connection detected via Bluedot"; program: %ASA*-6-*|%ASA*-7-*; content: " ICMP "; bluedot: type ip_reputation, track all, mdate_effective_period 1 months, Malicious,Tor,Proxy; normalize; parse_src_ip: 1; parse_dst_ip: 2; threshold: type limit, track by_src, count 1, seconds 7200; default_proto: icmp; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/5002879; sid:5002879; rev:8;)
alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[CISCO-BLUEDOT] Suspicious GRE connection detected via Bluedot"; program: %ASA*-6-*|%ASA*-7-*; content: " GRE "; bluedot: type ip_reputation, track all, mdate_effective_period 1 months, Malicious,Tor,Proxy; normalize; parse_src_ip: 1; parse_dst_ip: 2; threshold: type limit, track by_src, count 1, seconds 7200; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/5002880; sid:5002880; rev:8;)
# NOTE: sid 5002873 (below) also matches %ASA-6-716038, so one WebVPN login from a listed address
# fires both 5002870 and 5002873. Disable one of them unless both alerts are wanted.
alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[CISCO-BLUEDOT] VPN Login from suspicious source"; program: %ASA*-6-716038; bluedot: type ip_reputation, track all, none, Malicious,Tor,Honeypot,Proxy; default_proto: tcp; default_dst_port: $HTTPS_PORT; classtype: successful-user; parse_src_ip: 1; reference: url, wiki.quadrantsec.com/bin/view/Main/5002870; sid:5002870; rev: 5;)
# %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: testuser] [Source: 10.10.10.10] [localport: 22] at 05:00:13 EST Sun Dec 1 2013
alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[CISCO-BLUEDOT] Console login from suspicious source"; program: %SEC_LOGIN-5-LOGIN_SUCCESS; bluedot:
type ip_reputation, track by_src, none, Malicious,Tor,Honeypot,Proxy; classtype: successful-user; parse_src_ip: 1; reference: url, wiki.quadrantsec.com/bin/view/Main/5002871; sid:5002871; rev: 4;) # 10.1.2.1|local4|info|info|a6|2013-12-02|08:00:03|%ASA*-6-605005| Login permitted from 10.1.1.1/54112 to inside:10.1.2.1/ssh for user "bob" alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[CISCO-BLUEDOT] Login permitted from suspicious source"; program: %ASA*-6-605005; bluedot: type ip_reputation, track by_src, none, Malicious,Tor,Honeypot,Proxy; classtype: successful-user; parse_src_ip: 1; parse_dst_ip: 2; reference: url, wiki.quadrantsec.com/bin/view/Main/5002872; sid:5002872; rev: 4;) # WebVPN alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[CISCO-BLUEDOT] VPN login from suspicious source"; program: %ASA*-6-716001|%ASA*-6-716038; bluedot: type ip_reputation, track by_src, none, Malicious,Tor,Honeypot,Proxy; default_proto: tcp; default_dst_port: $HTTPS_PORT; classtype: successful-user; parse_src_ip: 1; reference: url, wiki.quadrantsec.com/bin/view/Main/5002873; sid:5002873; rev: 4;) # Group = AnyConnect, Username = bob, IP = 10.10.10.10, Session disconnected. 
Session Type: SSL, Duration: 12h:00m:19s, Bytes xmt: 332468520, Bytes rcv: 130276830, Reason: Max time exceeded alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[CISCO-BLUEDOT] VPN disconnect from suspicious source"; program: %ASA*-4-113019|%ASA*-6-716002|%ASA*-6-721018; bluedot: type ip_reputation, track by_src, none, Malicious,Tor,Honeypot,Proxy; default_proto: tcp; default_dst_port: $HTTPS_PORT; classtype: successful-user; parse_src_ip: 1; reference: url, wiki.quadrantsec.com/bin/view/Main/5002874; sid:5002874; rev: 5;) # 10.8.5.10|local4|info|info|a6|2014-02-18|02:12:41|%ASA*-6-734001| DAP: User bob, Addr 10.10.10.10, Connection AnyConnect: The following DAP records were selected for this connection: DfltAccessPolicy alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[CISCO-BLUEDOT] VPN/AnyConnect login from suspicious source"; program: %ASA*-6-734001; bluedot: type ip_reputation, track by_src, none, Malicious,Tor,Honeypot,Proxy; default_proto: tcp; default_dst_port: $HTTPS_PORT; classtype: successful-user; parse_src_ip: 1; reference: url, wiki.quadrantsec.com/bin/view/Main/5002875; sid:5002875; rev: 4;) # Cisco ACS (via VPN) - authentication success # 10.10.10.10|auth|info|info|26|2014-02-20|16:26:58|CisACS_01_PassedAuth| 12s245v32 1 0 Message-Type=Authen OK,User-Name=BOB,NAS-IP-Address=172.16.1.1,Caller-ID=199.44.66.11,NAS-Port=58642432,Group-Name=VPN Users,Filter Information=No Filters activated., alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[CISCO-BLUEDOT] ACS Login success from suspicious source"; program: CisACS_01_PassedAuth; bluedot: type ip_reputation, track by_src, none, Malicious,Tor,Honeypot,Proxy; classtype: successful-user; parse_src_ip: 2; reference: url, wiki.quadrantsec.com/bin/view/Main/5002876; sid:5002876; rev: 4;) # 2014-05-07 09:32:45|10.8.0.5|129815|local4|info|info|%ASA*-6-722022| Group User IP <10.10.102.102> UDP SVC connection established without compression alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[CISCO-BLUEDOT] 
VPN login from suspicious source [2]"; program: %ASA*-6-722022|%ASA*-6-722023; bluedot: type ip_reputation, track by_src, none, Malicious,Tor,Honeypot,Proxy; classtype: successful-user; parse_src_ip: 1; reference: url, wiki.quadrantsec.com/bin/view/Main/5002877; sid:5002877; rev: 4;) # 2014-05-07 16:41:47|192.168.1.1|7050594|local0|info|info|%ASA*-6-303002| FTP connection from inside:10.20.11.20/2351 to dmz:192.168.1.1/21, user bob Stored file somefile alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[CISCO-BLUEDOT] FTP file transfer from or to suspicious source"; program: %ASA*-6-303002; bluedot: type ip_reputation, track by_src, none, Malicious,Tor,Honeypot,Proxy; default_proto: tcp; default_dst_port: $FTP_PORT; classtype: successful-user; normalize; reference: url, wiki.quadrantsec.com/bin/view/Main/5002878; sid: 5002878; rev: 5;) sagan-1.2.0/rules/juniper.rules0000644000175000017500000005037413310533411015432 0ustar champchamp# Sagan juniper.rules # Copyright (c) 2009-2017, Quadrant Information Security # All rights reserved. # # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list # #************************************************************* # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. 
# # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. # #************************************************************* # # Submitted by Brad Doctor (July 2nd, 2010). alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[JUNIPER] AS group missing"; content: "no group for"; content:"from AS"; default_proto: tcp; classtype: network-event; sid: 5000888; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[JUNIPER] Duplicate IP address"; content: "KERN_ARP_DUPLICATE_ADDR"; default_proto: tcp; classtype: network-event; sid: 5000889; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[JUNIPER] BGP missing MD5 digest"; content: "missing MD5 digest"; default_proto: tcp; classtype: network-event; sid: 5000890; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[JUNIPER] ARP address change"; content: "KERN_ARP_ADDR_CHANGE"; default_proto: tcp; classtype: network-event; sid: 5000891; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[JUNIPER] BGP no route to host"; content: "bgp_connect_start"; content:"No route to host"; default_proto: tcp; classtype: network-event; sid: 5000892; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[JUNIPER] Login authentication error"; content: "LOGIN_PAM_AUTHENTICATION_ERROR"; content:"PAM 
authentication error for user"; default_proto: tcp; classtype: network-event; sid: 5000893; threshold:type limit, track by_src, count 5, seconds 120; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[JUNIPER] Possible authentication dictionary attack"; content: "LOGIN_INVALID_LOCAL_USER"; content:"No entry in local password"; default_proto: tcp; classtype: network-event; sid: 5000894; threshold:type limit, track by_src, count 5, seconds 120; rev:2;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[JUNIPER] SONET Alarm"; content: "Asserting SONET alarm"; default_proto: tcp; classtype: network-event; sid: 5000895; threshold:type limit, track by_src, count 5, seconds 120; rev:2;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[JUNIPER] Possible SONET ring failure"; content: "Major alarm set"; content:"SONET path remote failure indicator";default_proto: tcp; classtype: network-event; sid: 5000896; rev:2;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[JUNIPER] SDH Alarm"; content: "Asserting SDH alarm"; default_proto: tcp; classtype: network-event; sid: 5000897; threshold:type limit, track by_src, count 5, seconds 120; rev:2;) # Champ Clark (03/01/2013) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[JUNIPER] SSHD_LOGIN_ATTEMPTS_THRESHOLD - Brute Force"; content: "SSHD_LOGIN_ATTEMPTS_THRESHOLD"; program: sshd; xbits: set,brute_force,21600; default_proto: tcp; default_dst_port: $SSH_PORT; classtype: unsuccessful-user; sid: 5001642; threshold: type limit, track by_src, count 5, seconds 300; reference: url,wiki.quadrantsec.com/bin/view/Main/5001642; rev:4;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[JUNIPER] SSHD_LOGIN_FAILED_LIMIT - Brute Force"; content: "SSHD_LOGIN_FAILED_LIMIT"; parse_src_ip: 1; program: sshd; xbits: set,brute_force,21600; default_proto: tcp; default_dst_port: $SSH_PORT; classtype: unsuccessful-user; sid: 5001643; threshold: type limit, track by_src, count 5, seconds 300; reference: 
url,wiki.quadrantsec.com/bin/view/Main/5001643; rev:3;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[JUNIPER] SSHD_LOGIN_FAILED"; content: "SSHD_LOGIN_FAILED"; program: sshd; parse_src_ip: 1; default_proto: tcp; default_dst_port: $SSH_PORT; classtype: unsuccessful-user; sid: 5001644; reference: url,wiki.quadrantsec.com/bin/view/Main/5001644; rev:2;)
# NOTE: sid 5001645 carries "fwsam: src, 1 day" - after 5 failures from one source in 300 seconds
# it requests (via the fwsam/SnortSam output) that the parsed source address be blocked for a day.
# Exempt NAT gateways, jump hosts and authorised scanners from that response before enabling it,
# or a shared egress address gets locked out.
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[JUNIPER] SSHD_LOGIN_FAILED - Brute force [5/5]"; content: "SSHD_LOGIN_FAILED"; program: sshd; parse_src_ip: 1; xbits: set,brute_force,21600; default_proto: tcp; default_dst_port: $SSH_PORT; classtype: unsuccessful-user; sid: 5001645; after: track by_src, count 5, seconds 300; threshold: type limit, track by_src, count 5, seconds 300; fwsam: src, 1 day; reference: url,wiki.quadrantsec.com/bin/view/Main/5001645; rev:6;)
# Juniper Netscreens
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[NETSCREEN] Fragmented traffic"; program: Netscreen; content: "Fragmented traffic"; default_proto: tcp; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/5000396; sid: 5000396; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[NETSCREEN] FIN but no ACK bit"; program: Netscreen; content: "FIN but no ACK bit"; default_proto: tcp; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/5000397; sid: 5000397; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[NETSCREEN] Port scan!"; program: Netscreen; content: "Port scan"; default_proto: tcp; classtype: network-scan; reference: url,wiki.quadrantsec.com/bin/view/Main/5000398; sid: 5000398; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[NETSCREEN] ICMP fragment"; program: Netscreen; content: "ICMP fragment"; default_proto: tcp; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/5000399; sid: 5000399; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[NETSCREEN] Malicious URL"; program: Netscreen;
content: "Malicious URL"; default_proto: tcp; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/5000400; sid: 5000400; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[NETSCREEN] Large ICMP packet"; program: Netscreen; content: "Large ICMP packet"; default_proto: tcp; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/5000401; sid: 5000401; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[NETSCREEN] No tcp flag has been detected"; program: Netscreen; content: "No tcp flag has been detected"; default_proto: tcp; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/5000402; sid: 5000402; rev:2;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[NETSCREEN] Denied traffic"; program: Netscreen; content: "action=Deny"; default_proto: tcp; classtype: network-event; reference: url,wiki.quadrantsec.com/bin/view/Main/5000403; sid: 5000403; rev:2;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[NETSCREEN] Syslog enabled"; program: Netscreen; content: "Syslog has been enabled"; default_proto: tcp; classtype: system-event; reference: url,wiki.quadrantsec.com/bin/view/Main/5000404; sid:5000404; rev:2;) # Juniper Intrusion Prevention System Signatures by Iman Khosravi #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[JUNIPER] The scheduled IDP security package update failed to start"; content: "IDP_SCHEDULEDUPDATE_START_FAILED"; default_proto: tcp; classtype: program-error; reference: url,wiki.quadrantsec.com/bin/view/Main/5001129; sid: 5001129; rev:2;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[JUNIPER] IDP daemon encountered an internal error"; content: "IDP_INTERNAL_ERROR"; default_proto: tcp; classtype: program-error; reference: url,wiki.quadrantsec.com/bin/view/Main/5001130; sid: 5001130; rev:2;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[JUNIPER] An attempt to start IDP policy daemon failed"; content: "IDP_DAEMON_INIT_FAILED"; 
default_proto: tcp; classtype: program-error; reference: url,wiki.quadrantsec.com/bin/view/Main/5001131; sid: 5001131; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[JUNIPER] IDP Attack log generated for attack"; content: "IDP_ATTACK_LOG_EVENT"; default_proto: tcp; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/5001132; sid: 5001132; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[JUNIPER] IDP Attack log generated for attack in a logical system"; content: "IDP_ATTACK_LOG_EVENT_LS"; default_proto: tcp; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/5001133; sid: 5001133; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[JUNIPER] IDP policy commit has completed"; content: "IDP_COMMIT_COMPLETED"; default_proto: tcp; classtype: system-event; reference: url,wiki.quadrantsec.com/bin/view/Main/5001134; sid: 5001134; rev:2;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[JUNIPER] There was an error while trying to commit the active policy in IDPD"; content: "IDP_COMMIT_FAILED"; default_proto: tcp; classtype: program-error; reference: url,wiki.quadrantsec.com/bin/view/Main/5001135; sid: 5001135; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[JUNIPER] IDP IPv6 support is not enabled for the rulebase"; content: "IDP_IGNORED_IPV6_ADDRESSES"; default_proto: tcp; classtype: system-event; reference: url,wiki.quadrantsec.com/bin/view/Main/5001136; sid: 5001136; rev:2;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[JUNIPER] IDP policy compiler encountered an error while compiling or packaging the policy"; content: "IDP_POLICY_COMPILATION_FAILED"; default_proto: tcp; classtype: program-error; reference: url,wiki.quadrantsec.com/bin/view/Main/5001137; sid: 5001137; rev:2;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[JUNIPER] A compiled and optimized IDP policy could not be loaded into IDP engine"; content: "IDP_POLICY_LOAD_FAILED"; 
default_proto: tcp; classtype: program-error; reference: url,wiki.quadrantsec.com/bin/view/Main/5001138; sid: 5001138; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[JUNIPER] A compiled and optimized IDP policy was loaded successfully into the IDP engine"; content: "IDP_POLICY_LOAD_SUCCEEDED"; default_proto: tcp; classtype: system-event; reference: url,wiki.quadrantsec.com/bin/view/Main/5001139; sid: 5001139; rev:2;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[JUNIPER] A running IDP policy could not be unloaded from IDP engine"; content: "IDP_POLICY_UNLOAD_FAILED"; default_proto: tcp; classtype: program-error; reference: url,wiki.quadrantsec.com/bin/view/Main/5001140; sid: 5001140; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[JUNIPER] A running IDP policy was unloaded successfully from the IDP engine"; content: "DP_POLICY_UNLOAD_SUCCEEDED"; default_proto: tcp; classtype: system-event; reference: url,wiki.quadrantsec.com/bin/view/Main/5001141; sid: 5001141; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[JUNIPER] The scheduled IDP security package update has started"; content: "IDP_SCHEDULED_UPDATE_STARTED"; default_proto: tcp; classtype: system-event; reference: url,wiki.quadrantsec.com/bin/view/Main/5001142; sid: 5001142; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[JUNIPER] IDP background process has returned the security package install result"; content: "IDP_SECURITY_INSTALL_RESULT"; default_proto: tcp; classtype: system-event; reference: url,wiki.quadrantsec.com/bin/view/Main/5001143; sid: 5001143; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[JUNIPER] IDP session threshold crossing event"; content: "IDP_SESSION_LOG_EVENT"; default_proto: tcp; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/5001144; sid: 5001144; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[JUNIPER] IDP session threshold crossing event in a logical system"; 
content: "IDP_SESSION_LOG_EVENT_LS"; default_proto: tcp; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/5001145; sid: 5001145; rev:2;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[JUNIPER] IDP signature update license key has expired"; content: "IDP_SIGNATURE_LICENSE_EXPIRED"; default_proto: tcp; classtype: program-error; reference: url,wiki.quadrantsec.com/bin/view/Main/5001146; sid: 5001146; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[JUNIPER] application-level distributed denial-of-service (AppDDoS) state transition occurred"; content: "IDP_APPDDOS_APP_STATE_EVENT"; default_proto: tcp; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/5001147; sid: 5001147; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[JUNIPER] application-level distributed denial-of-service (AppDDoS) state transition occurred in logical system"; content: "IDP_APPDDOS_APP_STATE_EVENT_LS"; default_proto: tcp; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/5001148; sid: 5001148; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[JUNIPER] Application-level distributed denial-of-service (AppDDoS) attack in a logical system"; content: "IDP_APPDDOS_APP_ATTACK_EVENT_LS"; default_proto: tcp; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/5001149; sid: 5001149; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[JUNIPER] Application-level distributed denial-of-service (AppDDoS) attack"; content: "IDP_APPDDOS_APP_ATTACK_EVENT"; default_proto: tcp; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/5001150; sid: 5001150; rev:2;) # Additional Juniper Netscreen rules by Adam Hall (ahall@quadrantsec.com) # 09/18/2012 alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[NETSCREEN] SYN Flood"; program: Netscreen; content: "SYN flood"; default_proto: tcp; classtype: denial-of-service; 
parse_src_ip: 1; reference: url,www.juniper.net/techpubs/software/screenos/screenos5.2.0/NS_Messages.pdf; sid: 5001611; rev:3;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[NETSCREEN] Teardrop attack"; program: Netscreen; content: "Teardrop Attack"; default_proto: tcp; classtype: denial-of-service; parse_src_ip: 1; reference: url,www.juniper.net/techpubs/software/screenos/screenos5.2.0/NS_Messages.pdf; sid: 5001612; rev:3;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[NETSCREEN] IP spoofing"; program: Netscreen; content: "IP spoofing"; default_proto: tcp; classtype: suspicious-traffic; parse_src_ip: 1; reference: url,www.juniper.net/techpubs/software/screenos/screenos5.2.0/NS_Messages.pdf; sid: 5001613; rev:3;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[NETSCREEN] ICMP flood"; program: Netscreen; content: "ICMP flood"; default_proto: tcp; classtype: suspicious-traffic; parse_src_ip: 1; reference: url,www.juniper.net/techpubs/software/screenos/screenos5.2.0/NS_Messages.pdf; sid: 5001614; rev:3;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[NETSCREEN] SYN fragment"; program: Netscreen; content: "SYN fragment"; default_proto: tcp; classtype: suspicious-traffic; parse_src_ip: 1; reference: url,www.juniper.net/techpubs/software/screenos/screenos5.2.0/NS_Messages.pdf; sid: 5001615; rev:3;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[NETSCREEN] Unknown protocol"; program: Netscreen; content: "Unknown protocol"; default_proto: tcp; classtype: suspicious-traffic; parse_src_ip: 1; reference: url,www.juniper.net/techpubs/software/screenos/screenos5.2.0/NS_Messages.pdf; sid: 5001616; rev:3;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[NETSCREEN] Bad IP option"; program: Netscreen; content: "Bad IP option"; default_proto: tcp; classtype: suspicious-traffic; parse_src_ip: 1; reference: url,www.juniper.net/techpubs/software/screenos/screenos5.2.0/NS_Messages.pdf; sid: 5001617; rev:3;) alert any $EXTERNAL_NET any -> $HOME_NET any 
(msg: "[NETSCREEN] SYN-ACK-ACK"; program: Netscreen; content: "SYN-ACK-ACK"; default_proto: tcp; classtype: suspicious-traffic; parse_src_ip: 1; reference: url,www.juniper.net/techpubs/software/screenos/screenos5.2.0/NS_Messages.pdf; sid: 5001618; rev:3;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[NETSCREEN] Connection refused by the DNS"; program: Netscreen; content: "Connection refused by the DNS"; default_proto: tcp; classtype: suspicious-traffic; reference: url,www.juniper.net/techpubs/software/screenos/screenos5.2.0/NS_Messages.pdf; sid: 5001619; rev:2;) # Juniper VPN devices - Champ Clark (cclark@quadrantsec.com) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[JUNIPER] VPN Login failed"; program: Juniper; pcre: "/ Login failed | authentication failed /"; parse_src_ip: 1; default_proto: tcp; default_dst_port: $HTTPS_PORT; classtype: unsuccessful-user; reference: url,wiki.quadrantsec.com/bin/view/Main/5002022; sid: 5002022; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[JUNIPER] VPN Login failed - Brute Force [10/5]"; program: Juniper; pcre: "/ Login failed | authentication failed /i"; xbits: set,brute_force,21600; parse_src_ip: 1; after: track by_src, count 10, seconds 300; threshold: type limit, track by_src, count 5, seconds 300; default_proto: tcp; default_dst_port: $HTTPS_PORT; classtype: unsuccessful-user; reference: url,wiki.quadrantsec.com/bin/view/Main/5002023; sid: 5002023; rev:4;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[JUNIPER] Possible VPN Login bypass attempt"; program: Juniper; content: "not authenticated yet"; parse_src_ip: 1; threshold: type limit, track by_src, count 5, seconds 300; default_proto: tcp; default_dst_port: $HTTPS_PORT; classtype: unsuccessful-user; reference: url,wiki.quadrantsec.com/bin/view/Main/5002024; sid: 5002024; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[JUNIPER] VPN Unable to download virus signatures"; program: Juniper; content: "Unable to download current 
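virus"; default_proto: tcp; default_dst_port: $HTTPS_PORT; classtype: system-event; reference: url,wiki.quadrantsec.com/bin/view/Main/5002025; sid: 5002025; rev:4;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[JUNIPER] VPN - Possible scan/probe"; program: Juniper; content: "SSL negotiation failed"; parse_src_ip: 1; threshold: type limit, track by_src, count 5, seconds 300; default_proto: tcp; default_dst_port: $HTTPS_PORT; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/5002026; sid: 5002026; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[JUNIPER] VPN - Policy violation"; program: Juniper; content: "Host Checker policy"; parse_src_ip: 1; default_proto: tcp; default_dst_port: $HTTPS_PORT; classtype: unsuccessful-user; reference: url,wiki.quadrantsec.com/bin/view/Main/5002027; sid: 5002027; rev:2;)

# Juniper alerts for CVE 2015-7755 - Robert Nunley (rnunley@quadrantsec.com)
# sids 5002771 / 5002772 match ScreenOS admin-login messages for the literal
# user names "system" and "username", together with message id 00515.
# Two of their content matches were written "content \"...\"" with no colon;
# every other option in these rule files uses the "content:" form, and the
# colon-less spelling is unlikely to be parsed as a content match at all, so
# both are corrected here and the rev bumped.
# NOTE(review): these two rules are written $HOME_NET -> $EXTERNAL_NET, the
# reverse of every other rule in this file; confirm that is intended for a
# login *to* the device.
alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[ScreenOS] Juniper ScreenOS Login for Suspicious Admin user - system"; content: "Admin user system has logged on via"; nocase; content: "00515"; parse_src_ip: 1; reference:cve,2015-7755; reference:url,kb.juniper.net/InfoCenter/index?page=content&id=JSA10713&actp=search; default_proto: tcp; default_dst_port: $SSH_PORT; classtype:successful-admin; sid: 5002771; rev:4;)
alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[ScreenOS] Juniper ScreenOS Login for Suspicious Admin user - username"; content: "Admin user"; content:"username"; content:"has logged on via"; content: "00515"; parse_src_ip: 1; reference:cve,2015-7755; reference:url,kb.juniper.net/InfoCenter/index?page=content&id=JSA10713&actp=search; default_proto: tcp; default_dst_port: $SSH_PORT; classtype:successful-admin; sid: 5002772; rev:4;)
sagan-1.2.0/rules/bro-intel.rules0000644000175000017500000000431313310533411015641 0ustar champchamp# Sagan bro-intel.rules # Copyright (c) 2009-2017, Quadrant Information Security # All rights 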
reserved. # # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list # #************************************************************* # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. # # These are CATCH ALL rules. This means it will parse _all_ logs. 
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[BRO-INTEL] Suspicious communications detected via Bro-Intel"; bro-intel: all; classtype: suspicious-traffic; after: track by_src, count 5, seconds 30; threshold: type limit, track by_src, count 10, seconds 60; parse_src_ip: 1; parse_dst_ip: 2; normalize; parse_proto; parse_proto_program; reference: url,wiki.quadrantsec.com/bin/view/Main/5002270; sid: 5002270; rev:3;) sagan-1.2.0/rules/riverbed.rules0000644000175000017500000000653713310533411015562 0ustar champchamp# Sagan riverbed.rules # Copyright (c) 2009-2017, Quadrant Information Security # All rights reserved. # # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list # #************************************************************* # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. 
IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. # #************************************************************* # SSH logins are covered for Riverbed via the openssh.rules and openssh-geoip.rules # Champ Clark (04/15/2014) # 10.3.1.1|local1|notice|notice|8d|2014-04-16|13:41:29|webasd| [web.NOTICE]: web: User bob logged in from 10.7.8.1, session count: 1. alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[RIVERBED] Administrator Login"; content: "logged in"; content: "session count"; parse_src_ip: 1; default_proto: tcp; default_dst_port: $HTTPS_PORT; classtype: successful-admin; reference: url,wiki.quadrantsec.com/bin/view/Main/5002030; program: webasd; sid: 5002030; rev:3;) # 10.3.1.1|local1|notice|notice|8d|2014-04-16|13:42:55|webasd| [web.NOTICE]: web: User bob from 10.7.8.1 with the given password is not recognized: You must provide a valid account name and password. 
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[RIVERBED] Administrator Login Failure"; content: "password is not recognized"; parse_src_ip: 1; default_proto: tcp; default_dst_port: $HTTPS_PORT; classtype: unsuccessful-admin; reference: url,wiki.quadrantsec.com/bin/view/Main/5002031; program: webasd; sid: 5002031; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[RIVERBED] Administrator Login Failure - Brute Force [5/5]"; content: "password is not recognized"; parse_src_ip: 1; after: track by_src, count 5, seconds 300; threshold: type limit, track by_src, count 5, seconds 300; fwsam: src, 1 day; default_proto: tcp; default_dst_port: $HTTPS_PORT; classtype: unsuccessful-admin; xbits: set,brute_force,21600; reference: url,wiki.quadrantsec.com/bin/view/Main/5002033; program: webasd; sid: 5002033; rev:3;) sagan-1.2.0/rules/proftpd-bluedot.rules0000644000175000017500000000420713310533411017062 0ustar champchamp# Sagan proftpd-bluedot.rules # Copyright (c) 2009-2017, Quadrant Information Security # All rights reserved. # # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list # #************************************************************* # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. 
# # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. # # alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[PROFTPD-BLUEDOT] Authentication success from suspicious source"; content: "Login successful"; bluedot: type ip_reputation, track by_src, none, Malicious,Tor,Honeypot,Proxy; parse_src_ip: 3; default_proto: tcp; default_dst_port: $FTP_PORT; classtype: successful-user; program: proftpd; reference: url,wiki.quadrantsec.com/bin/view/Main/5002908; sid:5002908; rev:4;) sagan-1.2.0/rules/pure-ftpd.rules0000644000175000017500000001112113310533411015647 0ustar champchamp# Sagan pure-ftpd.rules # Copyright (c) 2009-2017, Quadrant Information Security # All rights reserved. # # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list # #************************************************************* # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. 
# * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
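#
#*************************************************************

#alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[PUREFTPD] New FTP connection"; content: "[INFO] New connection from"; default_proto: tcp; default_dst_port: $FTP_PORT; classtype: not-suspicious; program: pure-ftpd; reference: url,wiki.quadrantsec.com/bin/view/Main/5000216; sid: 5000216; rev:3;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[PUREFTPD] Authentication failed"; content: "[WARNING] Authentication failed for user"; default_proto: tcp; default_dst_port: $FTP_PORT; classtype: unsuccessful-user; program: pure-ftpd; reference: url,wiki.quadrantsec.com/bin/view/Main/5000217; sid: 5000217; rev:3;)

# Inside a pcre, "[INFO]" is a character class (any single one of I, N, F, O),
# not the literal "[INFO]" tag that pure-ftpd writes. The brackets are escaped
# in sids 5000219, 5000222 and 5000414 so the pattern matches the tag as
# written. Plain "content:" matches (5000216, 5000221) are literal and need no
# escaping.
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[PUREFTPD] FTP user logout or timeout"; pcre: "/\[INFO\] Logout|\[INFO\] Timeout/"; default_proto: tcp; default_dst_port: $FTP_PORT; classtype: not-suspicious; program: pure-ftpd; reference: url,wiki.quadrantsec.com/bin/view/Main/5000219; sid: 5000219; rev:4;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[PUREFTPD] FTP notice message"; content: "[NOTICE]"; default_proto: tcp; default_dst_port: $FTP_PORT; classtype: program-error; program: pure-ftpd; reference: url,wiki.quadrantsec.com/bin/view/Main/5000220; sid: 5000220; rev:3;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[PUREFTPD] Attempting to access invalid directory"; content: "[INFO] Can't change directory to"; default_proto: tcp; default_dst_port: $FTP_PORT; classtype: suspicious-filename-detect; program: pure-ftpd; reference: url,wiki.quadrantsec.com/bin/view/Main/5000221; sid: 5000221; rev:3;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[PUREFTPD] FTP Authentication successful"; pcre: "/\[INFO\] \S+ is now logged in/"; default_proto: tcp; default_dst_port: $FTP_PORT; classtype: successful-user; program: pure-ftpd; reference : url,wiki.quadrantsec.com/bin/view/Main/5000222; sid: 5000222; rev:4;)

# sid 5000414 previously carried two pcre options: the login match above and a
# second one anchored as "^name$" for each account. Both patterns are tested
# against the whole syslog message, so a message that contains "is now logged
# in" could never also consist of a bare account name, and the rule could not
# fire. It was also tagged "program: sshd" (every other rule in this file is
# pure-ftpd) and had a stray ";;". The account list is kept exactly as it was,
# folded into the login pattern, and the program corrected.
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[PUREFTPD] User logged into an disabled account"; pcre: "/\[INFO\] (apache|mysql|www|nobody|nogroup|portmap|named|rpc|mail|ftp|shutdown|halt|daemon|bin|postfix|shell|info|guest|psql|user|users|console|uucp|lp|sync|sshd|cdrom|ossec|sagan) is now logged in/"; default_proto: tcp; default_dst_port: $FTP_PORT; classtype: successful-user; reference: url,wiki.quadrantsec.com/bin/view/Main/5000414; program: pure-ftpd; sid: 5000414; rev:4;)

# Rule by W. E Restrepo (werestrepo@quadrantsec.com) - 08/30/2016
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[PUREFTPD] FTPCHK3 file accessed by user"; content: "ftpchk3"; pcre: "/CHMOD|DELE|STOR/i"; program: pure-ftpd; default_proto: tcp; default_dst_port: $FTP_PORT; classtype: suspicious-traffic; reference: url,blog.ftptoday.com/ftp-password-stealing-malware; reference: url,wiki.quadrantsec.com/bin/view/Main/5002952; sid:5002952; rev:3;)
sagan-1.2.0/rules/asterisk.rules0000644000175000017500000001153313310533411015575 0ustar champchamp# Sagan asterisk.rules # Copyright (c) 2009-2017, Quadrant Information Security # All rights reserved. # # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list # #************************************************************* # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. 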
# # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. # #************************************************************* #alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[ASTERISK] Warning message"; content: "WARN"; classtype: program-error; program: asterisk; reference: url,wiki.quadrantsec.com/bin/view/Main/5000176; sid:5000176; rev:2;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[ASTERISK] Warning message"; content: "ERROR"; classtype: program-error; program: asterisk; reference: url,wiki.quadrantsec.com/bin/view/Main/5000177; sid:5000177; rev:2;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[ASTERISK] Notice message"; content: "NOTICE"; classtype: program-error; program: asterisk; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5000178; sid:5000178; rev:3;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[ASTERISK] Login session failed [0/5]"; content: "Wrong password"; classtype: unsuccessful-user; program: asterisk; reference: url,wiki.quadrantsec.com/bin/view/Main/5000179; threshold:type limit, track by_src, count 5, seconds 900; sid:5000179; rev:4;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[ASTERISK] Login session failed [invalid user] [0/5]"; content: "Username/auth name mismatch"; classtype: 
unsuccessful-user; program: asterisk; reference: url,wiki.quadrantsec.com/bin/view/Main/5000180; threshold:type limit, track by_src, count 5, seconds 900; sid:5000180; rev:4;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[ASTERISK] Login session failed [invalid extension] [0/5]"; content: "No matching peer found"; classtype: unsuccessful-user; program: asterisk; reference: url,wiki.quadrantsec.com/bin/view/Main/5000181; threshold:type limit, track by_src, count 5, seconds 900; sid:5000181; rev:4;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[ASTERISK] Invalid to address"; content: "Invalid to address"; classtype: unsuccessful-user; program: asterisk; reference: url,wiki.quadrantsec.com/bin/view/Main/5001065; sid: 5001065; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[ASTERISK] Brute force login session failed [5/5]"; content: "Wrong password"; xbits: set,brute_force,21600; classtype: unsuccessful-user; program: asterisk; reference: url,wiki.quadrantsec.com/bin/view/Main/5002942; after: track by_src, count 5, seconds 300; threshold:type limit, track by_src, count 5, seconds 900; sid:5002942; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[ASTERISK] Brute force login session failed [invalid user] [5/5]"; content: "Username/auth name mismatch"; xbits: set,brute_force,21600; classtype: unsuccessful-user; program: asterisk; reference: url,wiki.quadrantsec.com/bin/view/Main/5002943; after: track by_src, count 5, seconds 300; threshold:type limit, track by_src, count 5, seconds 900; sid:5002943; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[ASTERISK] Brute force login session failed [invalid extension] [5/5]"; content: "No matching peer found"; xbits: set,brute_force,21600; classtype: unsuccessful-user; program: asterisk; reference: url,wiki.quadrantsec.com/bin/view/Main/5002944; after: track by_src, count 5, seconds 300; threshold:type limit, track by_src, count 5, seconds 900; sid:5002944; rev:2;) 
sagan-1.2.0/rules/php.rules0000644000175000017500000000703713310533411014543 0ustar champchamp# Sagan php.rules # Copyright (c) 2009-2017, Quadrant Information Security # All rights reserved. # # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list # #************************************************************* # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
# #************************************************************* #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[PHP] Fatal error"; content: "PHP Fatal error"; default_proto: tcp; default_dst_port: $HTTP_PORT; classtype: program-error; program: apache; reference: url,wiki.quadrantsec.com/bin/view/Main/5000236; sid: 5000236; rev:3;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[PHP] Warning message"; content: "PHP Warning"; default_proto: tcp; default_dst_port: $HTTP_PORT; classtype: program-error; program: apache; reference: url,wiki.quadrantsec.com/bin/view/Main/5000237; sid: 5000237; rev:3;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[PHP] Parse error"; content: "PHP Parse error"; default_proto: tcp; default_dst_port: $HTTP_PORT; classtype: program-error; program: apache; reference: url,wiki.quadrantsec.com/bin/view/Main/5000238; sid: 5000238; rev:3;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[PHP] Possible web attack"; content: "expects parameter 1 to be string, array given in"; default_proto: tcp; default_dst_port: $HTTP_PORT; classtype: exploit-attempt; program: apache; reference: url,wiki.quadrantsec.com/bin/view/Main/5000240; sid: 5000240; rev:3;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[PHP] Internal error [missing file]"; pcre: "/failed opening|failed to open stream/i"; default_proto: tcp; default_dst_port: $HTTP_PORT; classtype: program-error; program: apache; reference: url,wiki.quadrantsec.com/bin/view/Main/5000241; sid: 5000241; rev:3;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[PHP] Internal error [call to undefined function]"; pcre: "/failed opening required|call to undefined function/i"; default_proto: tcp; default_dst_port: $HTTP_PORT; classtype: program-error; program: apache; reference: url,wiki.quadrantsec.com/bin/view/Main/5000242; sid: 5000242; rev:3;) sagan-1.2.0/rules/milter.rules0000644000175000017500000000506113310533411015243 0ustar champchamp# Sagan milter.rules # Copyright (c) 
2009-2017, Quadrant Information Security # All rights reserved. # # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list # #************************************************************* # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
# #************************************************************* #alert any $EXTERNAL_NET any -> $HOME_NET $SMTP_PORT (msg:"[MILTER] Milter error state"; content:"Milter"; classtype: program-error; program: sm-mta; reference: url,wiki.quadrantsec.com/bin/view/Main/5000038; sid: 5000038; rev:3;) #alert any $EXTERNAL_NET any -> $HOME_NET $SMTP_PORT (msg:"[MILTER] Mimedefang - No response from slave"; content: "No response from slave"; classtype: program-error; program: mimedefang; reference: url,wiki.quadrantsec.com/bin/view/Main/5000039; sid: 5000039; rev:3;) #alert any $EXTERNAL_NET any -> $HOME_NET $SMTP_PORT (msg:"[MILTER] SMF-SAV sendmail milter unable to verify"; pcre: "/sender check failed|sender check tempfailed/i"; classtype: program-error; program: smf-sav; reference: url,wiki.quadrantsec.com/bin/view/Main/5000143; sid: 5000143; rev:3;) sagan-1.2.0/rules/windows-auth.rules0000644000175000017500000016610413310533411016406 0ustar champchamp# Sagan windows-auth.rules # Copyright (c) 2009-2017, Quadrant Information Security # All rights reserved. # # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list # #************************************************************* # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. 
# # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. # #************************************************************* # Windows authentication rules. # Eventlog to syslog service. This is what we primarily use. # http://code.google.com/p/eventlog-to-syslog/ alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Login failure - Unknown username or bad password - Brute force [25/1]"; content: " 529|3a| "; classtype: unsuccessful-user; program: *Security*; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; xbits: set,brute_force,21600; fwsam: src, 1 day; parse_src_ip: 1; parse_port; reference: url,wiki.quadrantsec.com/bin/view/Main/5001151; sid: 5001151; rev:26;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Login failure - Unknown username or bad password"; content: " 529|3a| "; classtype: unsuccessful-user; program: *Security*; reference: url,wiki.quadrantsec.com/bin/view/Main/5001531; sid: 5001531; rev:6;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Login failure - Account login time restriction"; content: " 530|3a| "; classtype: unsuccessful-user; program: *Security*; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001152; sid: 
5001152; rev:6;) # We only want disabled users that contain usernames, hence the content:! on sid 5001153. alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Login failure - Account currently disabled [0/1]"; content: " 531|3a| "; content:!"User Name|3a| Domain|3a|"; classtype: unsuccessful-user; program: *Security*; parse_src_ip: 1; threshold: type limit, track by_src, count 1, seconds 300; reference: url,wiki.quadrantsec.com/bin/view/Main/5001153; sid: 5001153; rev:21;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Login failure - Specified account expired"; content: " 532|3a| "; classtype: unsuccessful-user; program: *Security*; reference: url,wiki.quadrantsec.com/bin/view/Main/5001154; sid: 5001154; rev:6;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Login failure - User not allowed to login at this computer"; content: " 533|3a| "; classtype: unsuccessful-user; program: *Security*; reference: url,wiki.quadrantsec.com/bin/view/Main/5001155; sid: 5001155; rev:6;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Login failure - User not granted login type"; content: " 534|3a| "; classtype: unsuccessful-user; program: *Security*; reference: url,wiki.quadrantsec.com/bin/view/Main/5001156; sid: 5001156; rev:6;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Login failure - Account password is expired"; content: " 535|3a| "; classtype: unsuccessful-user; program: *Security*; reference: url,wiki.quadrantsec.com/bin/view/Main/5001157; sid: 5001157; rev:6;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Login failure - Internal error"; pcre: "/ 536: | 537: /"; classtype: unsuccessful-user; program: *Security*; after: track by_src, count 10, seconds 300; threshold: type limit, track by_src, count 2, seconds 300; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001158; sid: 5001158; rev:8;) alert any $EXTERNAL_NET any -> $HOME_NET any 
(msg: "[WINDOWS-AUTH] Login failure - Account locked [0/1]"; content: " 539|3a| "; content:!"User Name|3a| Domain|3a| Logon Type|3a|"; classtype: unsuccessful-user; threshold: type limit, track by_src, count 1, seconds 300; parse_src_ip: 1; parse_port; fwsam: src, 1 day; program: *Security*; reference: url,wiki.quadrantsec.com/bin/view/Main/5001159; sid: 5001159; rev:21;) # See 681 & 4769 for subcodes #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Windows DC Logon Failure - Brute force [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; classtype: unsuccessful-user; program: *Security*; xbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001160; sid: 5001160; rev:23;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] User account unlocked"; pcre: "/ 671: | 4767: /"; classtype: unsuccessful-user; program: *Security*; reference: url,wiki.quadrantsec.com/bin/view/Main/5001161; sid: 5001161; rev:5;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Security enabled group created"; pcre: "/ 631: | 635: | 658: | 4727: | 4731: | 4754: /"; classtype: system-event; program: *Security*; reference: url,wiki.quadrantsec.com/bin/view/Main/5001162; sid: 5001162; rev:6;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Security enabled group deleted"; pcre: "/ 634: | 638: | 662: | 4730: /"; classtype: system-event; program: *Security*; reference: url,wiki.quadrantsec.com/bin/view/Main/5001163; sid: 5001163; rev:6;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Group account created"; pcre: "/ 631: | 4727: | 635: | 4731: | 658: | 4754: | 648: | 4744: | 653: | 4749: | 663: | 4759: /"; classtype: system-event; program: *Security*; reference: url,wiki.quadrantsec.com/bin/view/Main/5001164; sid: 5001164; rev:5;) #alert any $EXTERNAL_NET 
any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Group account deleted"; pcre: "/ 634: | 4730: | 638: | 4734: | 662: | 4758: | 652: | 4748: | 657: | 4753: | 667: | 4763: /"; classtype: system-event; program: *Security*; reference: url,wiki.quadrantsec.com/bin/view/Main/5001165; sid: 5001165; rev:5;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Group account changed"; pcre: "/ 632: | 4728: | 633: | 4729: | 636: | 4732: | 637: | 4733: | 639: | 4735: | 641 | 4737: | 637: | 4733: | 659: | 4755: | 660: | 4766: | 668: | 4764: | 649: | 4745: | 650: | 4746: | 651: | 4747: | 654: | 4750: | 655: | 4751: | 656: | 4752: | 659: | 4755: | 660: | 4756: | 661: | 4757: | 664: | 4760: | 665: | 4761: | 666: | 4762: /"; classtype: system-event; program: *Security*; reference: url,wiki.quadrantsec.com/bin/view/Main/5001475; sid: 5001475; rev:5;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Security enabled global group member added"; pcre: "/ 632: | 4728: /"; classtype: system-event; program: *Security*; reference: url,wiki.quadrantsec.com/bin/view/Main/5001166; sid: 5001166; rev:5;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Security enabled global group member removed"; pcre: "/ 633: | 4729: /"; classtype: system-event; program: *Security*; reference: url,wiki.quadrantsec.com/bin/view/Main/5001167; sid: 5001167; rev:5;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Security enabled global group deleted"; pcre: "/ 634: | 4730: /"; classtype: system-event; program: *Security*; reference: url,wiki.quadrantsec.com/bin/view/Main/5001168; sid: 5001168; rev:6;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Security enabled local group created"; pcre: "/ 635: | 4731: /"; classtype: system-event; program: *Security*; reference: url,wiki.quadrantsec.com/bin/view/Main/5001169; sid: 5001169; rev:6;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Security enabled local 
group member added"; pcre: "/ 636: | 4732: /"; classtype: system-event; program: *Security*; reference: url,wiki.quadrantsec.com/bin/view/Main/5001170; sid: 5001170; rev:5;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Security enabled local group member removed"; pcre: "/ 637: | 4733: /"; classtype: system-event; program: *Security*; reference: url,wiki.quadrantsec.com/bin/view/Main/5001171; sid: 5001171; rev:6;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Security enabled local group deleted"; pcre: "/ 638: | 4734: /"; classtype: system-event; program: *Security*; reference: url,wiki.quadrantsec.com/bin/view/Main/5001172; sid: 5001172; rev:5;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Security enabled local group changed"; pcre: "/ 639: | 4735: /"; classtype: system-event; program: *Security*; reference: url,wiki.quadrantsec.com/bin/view/Main/5001173; sid: 5001173; rev:5;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Security enabled group changed"; pcre: "/ 641: | 4737: /"; classtype: system-event; program: *Security*; reference: url,wiki.quadrantsec.com/bin/view/Main/5001174; sid: 5001174; rev:5;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Security enabled universal group created"; pcre: "/ 658: | 4754: /"; classtype: system-event; program: *Security*; reference: url,wiki.quadrantsec.com/bin/view/Main/5001176; sid: 5001176; rev:5;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Security enabled universal group changed"; pcre: "/ 659: | 4755: /"; classtype: system-event; program: *Security*; reference: url,wiki.quadrantsec.com/bin/view/Main/5001177; sid: 5001177; rev:5;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Security enabled universal group member added"; pcre: "/ 660: | 4756: /"; classtype: system-event; program: *Security*; reference: url,wiki.quadrantsec.com/bin/view/Main/5001178; sid: 
5001178; rev:5;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Security enabled group member removed"; pcre: "/ 661: | 4757: /"; classtype: system-event; program: *Security*; reference: url,wiki.quadrantsec.com/bin/view/Main/5001179; sid: 5001179; rev:5;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Security enabled group member deleted"; pcre: "/ 662: | 4758: /"; classtype: system-event; program: *Security*; reference: url,wiki.quadrantsec.com/bin/view/Main/5001180; sid: 5001180; rev:5;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] RDP maximum allowed failed logon attempts"; content: " 1012|3a| "; classtype: system-event; program: TermService; reference: url,wiki.quadrantsec.com/bin/view/Main/5001181; sid: 5001181; rev:5;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Windows login attempt (ignored). Duplicated"; content: " 680|3a| "; classtype: unsuccessful-user; program: *Security*; reference: url,wiki.quadrantsec.com/bin/view/Main/5001186; sid: 5001186; rev:6;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Remote access login failure"; pcre: "/ 20187: | 20014: | 20078: | 20050: | 20049: | 20189: /"; classtype: unsuccessful-user; program: RemoteAccess; reference: url,wiki.quadrantsec.com/bin/view/Main/5001187; sid: 5001187; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Remote access login success"; content: " 20158|3a| "; classtype: successful-user; program: RemoteAccess; reference: url,wiki.quadrantsec.com/bin/view/Main/5001188; sid: 5001188; rev:4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Computer account changed/deleted"; pcre: "/ 646: | 647: | 4742: | 4743: /"; classtype: system-event; program: *Security*; reference: url,wiki.quadrantsec.com/bin/view/Main/5001189; sid: 5001189; rev:6;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Computer account changed/deleted"; pcre: 
"/ 646: | 647: | 4742: | 4743: /"; classtype: system-event; program: *Security*; reference: url,wiki.quadrantsec.com/bin/view/Main/5001190; sid: 5001190; rev:6;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Account locked out [multiple login errors] [0/1]"; pcre: "/ 644: | 4740: /"; threshold: type limit, track by_src, count 1, seconds 300; classtype: unsuccessful-user; program: *Security*; reference: url,wiki.quadrantsec.com/bin/view/Main/5001192; sid: 5001192; rev:8;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] General account database changed"; content: " 640|3a| "; classtype: system-event; program: *Security*; reference: url,wiki.quadrantsec.com/bin/view/Main/5001193; sid: 5001193; rev:6;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] DC - Integrity check on decrypted"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: "Failure Code|3a| 0x1F"; classtype: exploit-attempt; program: *Security*; reference: url,wiki.quadrantsec.com/bin/view/Main/5001195; sid: 5001195; rev:8;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] DC - Possible replay attack"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: "Failure Code|3a| 0x22"; classtype: exploit-attempt; program: *Security*; reference: url,wiki.quadrantsec.com/bin/view/Main/5001196; sid: 5001196; rev:6;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] DC - Clock skew too great"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: "Failure Code|3a| 0x25"; threshold: type limit, track by_src, count 1, seconds 86400; classtype: exploit-attempt; parse_src_ip: 1; program: *Security*; reference: url,wiki.quadrantsec.com/bin/view/Main/5001197; sid: 5001197; rev:8;) # Tied to SIDs. #if_sid 18207,18208 - see msauth rules. Sagan can do the same, rules just need to be written. 
# Same with "Kerberos failures that may indicate an attack" # #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Administrator group changed"; pcre: "/ ID:\s+\p*S-1-5-32-544\p*/"; classtype: unsuccessful-user; program: *Security*; reference: url,wiki.quadrantsec.com/bin/view/Main/XXXXXXX; sid: XXXXXXX; rev:4;) # 09/18/2012 Sniffty Dugen #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Attempted Password Reset"; pcre: "/ 628: | 4724: /"; classtype: configuration-change; program: *Security*; reference: url,wiki.quadrantsec.com/bin/view/Main/5001620; sid:5001620; rev:6;) # Generic "catch all" for event ID 6273 #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Authentication failed - User credentials mismatch [0/5]"; content: " 6273|3a| "; classtype: unsuccessful-user; program: *Security*; threshold: type limit, track by_src, count 5, seconds 300; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001648; sid: 5001648; rev:8;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Auth failed - Bad Account/Incorrect Password - Brute Force [25/1]"; content: " 6273|3a| "; content: "Reason Code: 16 "; classtype: unsuccessful-user; program: *Security*; xbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001657; sid: 5001657; rev:20;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Auth failed - Bad Account/Incorrect Password"; content: "Reason Code|3a| 16 "; content: " 6273|3a| "; classtype: unsuccessful-user; program: *Security*; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001658; sid: 5001658; rev:6;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] User account does not exist"; content: "Reason Code|3a| 8 "; content: " 6273|3a| "; classtype: unsuccessful-user; program: 
*Security*; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001659; sid: 5001659; rev:6;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Domain does not exist"; content: "Reason Code|3a| 7 "; content: " 6273|3a| "; classtype: unsuccessful-user; program: *Security*; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001660; sid: 5001660; rev:6;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] No matching newtork policy"; content: "Reason Code|3a| 48 "; content: " 6273|3a| "; classtype: unsuccessful-user; program: *Security*; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001661; sid: 5001661; rev:6;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] RADIUS Access-Request message is disabled"; content: "Reason Code|3a| 34 "; content: " 6273|3a| "; classtype: unsuccessful-user; program: *Security*; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001662; sid: 5001662; rev:6;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] User much change password"; content: "Reason Code|3a| 33 "; content: " 6273|3a| "; classtype: unsuccessful-user; program: *Security*; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001663; sid: 5001663; rev:6;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Remote RADIUS did not process auth request"; content: "Reason Code|3a| 112 "; content: " 6273|3a| "; classtype: unsuccessful-user; program: *Security*; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001664; sid: 5001664; rev:6;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Incomplete message. 
Signature not verified"; content: "Reason Code|3a| 262 "; content: " 6273|3a| "; classtype: unsuccessful-user; program: *Security*; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001665; sid: 5001665; rev:6;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] EAP type cannot be processed by server"; content: "Reason Code|3a| 22 "; content: " 6273|3a| "; classtype: unsuccessful-user; program: *Security*; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001666; sid: 5001666; rev:6;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Error occured with EAP"; content: "Reason Code|3a| 23 "; content: " 6273|3a| "; classtype: unsuccessful-user; program: *Security*; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001667; sid: 5001667; rev:6;) # Group change rules were typically too noisy and didn't supply the information # needed. These rules detect "what" group a user was "added" to. This should # improve the signal-to-noise ratio greatly. 
# # These where created by Robert Nunley (rnunley@quadrantsec.com) # Local group #alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-AUTH] Local Administrator account added to a local group"; pcre: "/ 636: | 4732: /"; pcre: "/S-1-5-21-\d{5,15}\-\d{5,15}\-\d{5,15}-500 /"; program: *Security*; classtype: successful-user; reference: url,wiki.quadrantsec.com/bin/view/Main/5001692; sid: 5001692; rev:7;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-AUTH] User added to Network Config Operator group"; pcre: "/ 636: | 4732: /"; pcre: "/S-1-5-21-\d{5,15}\-\d{5,15}\-\d{5,15}-556 /"; program: *Security*; classtype: successful-user; reference: url,wiki.quadrantsec.com/bin/view/Main/5001693; sid: 5001693; rev:7;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-AUTH] User added to DNS Admins group"; pcre: "/ 636: | 4732: /"; pcre: "/S-1-5-21-\d{5,15}\-\d{5,15}\-\d{5,15}-1101 /"; program: *Security*; classtype: successful-admin; reference: url,wiki.quadrantsec.com/bin/view/Main/5001694; sid: 5001694; rev:6;) # Domain/global group alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-AUTH] User added to Domain Administrators group"; pcre: "/ 632: | 4728: /"; pcre: "/S-1-5-21-\d{5,15}\-\d{5,15}\-\d{5,15}-512 /"; program: *Security*; classtype: successful-admin; reference: url,wiki.quadrantsec.com/bin/view/Main/5001695; sid: 5001695; rev:8;) # Enterprise/universal group alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-AUTH] User added to Enterprise Administrators group"; pcre: "/ 660: | 4756: /"; pcre: "/S-1-5-21-\d{5,15}\-\d{5,15}\-\d{5,15}-519 /"; program: *Security*; classtype: successful-admin; reference: url,wiki.quadrantsec.com/bin/view/Main/5001696; sid: 5001696; rev:7;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-AUTH] User added to Group Policy Creator Owner group"; pcre: "/ 660: | 4756: /"; pcre: "/S-1-5-21-\d{5,15}\-\d{5,15}\-\d{5,15}-520 /"; program: *Security*; classtype: successful-admin; reference: 
url,wiki.quadrantsec.com/bin/view/Main/5001696; sid: 5001697; rev:7;) # Schema Admins alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-AUTH] User added to Schema Admins"; pcre: "/ 660: | 4756: /"; pcre: "/S-1-5-21-\d{5,15}\-\d{5,15}\-\d{5,15}-518 /"; program: *Security*; classtype: successful-admin; reference: url,wiki.quadrantsec.com/bin/view/Main/5003104; sid:5003104; rev:2;) # User enabled alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-AUTH] User account enabled"; pcre: "/ 626: | 4722: /"; content:!"$ Account Domain"; program: *Security*; xbits: isset, by_src, created_enabled; classtype: successful-user; reference: url,wiki.quadrantsec.com/bin/view/Main/5001687; sid: 5001687; rev:10;) # User created #alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-AUTH] User account created"; pcre: "/ 624: | 4720: /"; program: *Security*; classtype: successful-user; reference: url,wiki.quadrantsec.com/bin/view/Main/5001786; sid: 5001791; rev:20;) # Windows 2008 rules submitted by Robert Nunley (rnunley@quadrantsec.com) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Potential Windows User Enumeration - User Name Does Not Exist [Brute Force] [25/1]"; content: "C0000064"; nocase; pcre: "/ 4625: | 4776: /"; content:!"$ Source"; content:!"$ Account Domain|3a| "; xbits: set,brute_force,21600; classtype: unsuccessful-user; program: *Security*; parse_src_ip: 1; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; reference: url,wiki.quadrantsec.com/bin/view/Main/5001728; sid: 5001728; rev:27;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Windows Brute force - User Correct but Incorrect Password [25/1]"; content:!"|24| Source Workstation|3a|"; content: "C000006A"; nocase; pcre: "/ 4625: | 4776: /"; content:!"|24| Account Domain|3a| "; content:!"Source Network Address|3a| -"; xbits: set,brute_force,21600; classtype: unsuccessful-user; program: *Security*; 
after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001729; sid: 5001729; rev:27;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Windows Brute force - User Is Locked Out [25/1]"; content: "C0000234"; nocase; pcre: "/ 4625: | 4776: /"; classtype: unsuccessful-user; program: *Security*; xbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001730; sid: 5001730; rev:22;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Windows Brute force - User Account Disabled [25/1]"; content: "C0000072"; nocase; pcre: "/ 4625: | 4776: /"; classtype: unsuccessful-user; program: *Security*; xbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001731; sid: 5001731; rev:25;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Windows Brute force - User Login Attempts Outside of Time Restriction [25/1]"; content: "C000006F"; nocase; pcre: "/ 4625: | 4776: /"; classtype: unsuccessful-user; program: *Security*; xbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001732; sid: 5001732; rev:23;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Windows Brute force - Expired Account [25/1]"; content: "C0000193"; nocase; pcre: "/ 4625: | 4776: /"; classtype: unsuccessful-user; program: *Security*; xbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; reference: 
url,wiki.quadrantsec.com/bin/view/Main/5001733; sid: 5001733; rev:23;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Windows Brute force - Expired Password [25/1]"; content: "C0000071"; nocase; pcre: "/ 4625: | 4776: /"; classtype: unsuccessful-user; program: *Security*; xbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001734; sid: 5001734; rev:23;) # Windows authentication rules by code type. Submitted by Brian Echeverry #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Windows DC Logon Failure - Brute force 0x1 - Client's entry in database has expired [25/1]"; content: " 0x1 Client "; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; classtype: unsuccessful-user; program: *Security*; xbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001740; sid: 5001740; rev:21;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Windows DC Logon Failure - Brute force 0x2 - Server's entry in database has expired [25/1]"; content: " 0x2 Client "; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; classtype: unsuccessful-user; program: *Security*; xbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001741; sid: 5001741; rev:20;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Windows DC Logon Failure - Brute force 0x3 - Requested protocol version # not supported [25/1]"; content: " 0x3 Client "; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; classtype: unsuccessful-user; program: *Security*; xbits: set,brute_force,21600; after: track by_src, count 25, seconds 
300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001742; sid: 5001742; rev:20;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Windows DC Logon Failure - Brute force 0x4 - Client's key encrypted in old master key [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x4 Client "; classtype: unsuccessful-user; program: *Security*; xbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001743; sid: 5001743; rev:8;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Windows DC Logon Failure - Brute force 0x5 - Server's key encrypted in old master key [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x5 Client "; classtype: unsuccessful-user; program: *Security*; xbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001744; sid: 5001744; rev:8;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Windows DC Logon Failure - Brute force 0x6 - Client not found in Kerberos database [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x6 Client "; classtype: unsuccessful-user; program: *Security*; xbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001745; sid: 5001745; rev:8;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Windows DC Logon Failure - Brute force 0x7 - Server not found in Kerberos database [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x7 Client "; classtype: unsuccessful-user; program: 
*Security*; xbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001746; sid: 5001746; rev:8;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Windows DC Logon Failure - Brute force 0x8 - Multiple principal entries in database [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x8 Client "; classtype: unsuccessful-user; program: *Security*; xbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001747; sid: 5001747; rev:8;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Windows DC Logon Failure - Brute force 0x9 - The client or server has a null key [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x9 Client "; classtype: unsuccessful-user; program: *Security*; xbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001748; sid: 5001748; rev:8;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Windows DC Logon Failure - Brute force 0xA - Ticket not eligible for postdating [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0xA Client "; classtype: unsuccessful-user; program: *Security*; xbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001749; sid: 5001749; rev:8;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Windows DC Logon Failure - Brute force 0xB - Requested start time is later than end time [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 
4768: /"; content: " 0xB Client "; classtype: unsuccessful-user; program: *Security*; xbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001750; sid: 5001750; rev:7;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Windows DC Logon Failure - Brute force 0xC - KDC policy rejects request [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0xC "; classtype: unsuccessful-user; program: *Security*; xbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001751; sid: 5001751; rev:9;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Windows DC Logon Failure - Brute force 0xD - KDC cannot accommodate requested option [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0xD "; classtype: unsuccessful-user; program: *Security*; xbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001752; sid: 5001752; rev:8;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Windows DC Logon Failure - Brute force 0xE - KDC has no support for encryption type [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0xE "; classtype: unsuccessful-user; program: *Security*; xbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001753; sid: 5001753; rev:8;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Windows DC Logon Failure - B4ute force 0xF - KDC has no support for checksum type [25/1]"; 
pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0xF "; classtype: unsuccessful-user; program: *Security*; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001754; sid: 5001754; rev:6;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Windows DC Logon Failure - Brute force 0x10 - KDC has no support for padata type [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x10 "; classtype: unsuccessful-user; program: *Security*; xbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001755; sid: 5001755; rev:8;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Windows DC Logon Failure - Brute force 0x11 - KDC has no support for transited type [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x11 "; classtype: unsuccessful-user; program: *Security*; xbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001756; sid: 5001756; rev:8;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Windows DC Logon Failure - Brute force 0x12 - Clients credentials have been revoked [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x12 "; classtype: unsuccessful-user; program: *Security*; xbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001757; sid: 5001757; rev:8;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Windows DC Logon Failure - Brute force 0x13 - Credentials for server have been 
revoked [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x13 "; classtype: unsuccessful-user; program: *Security*; xbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001758; sid: 5001758; rev:8;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Windows DC Logon Failure - Brute force 0x14 - TGT has been revoked [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x14 "; classtype: unsuccessful-user; program: *Security*; xbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001759; sid: 5001759; rev:7;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Windows DC Logon Failure - Brute force 0x15 - Client not yet valid - try again later [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x15 "; classtype: unsuccessful-user; program: *Security*; xbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001760; sid: 5001760; rev:8;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Windows DC Logon Failure - Brute force 0x16 - Server not yet valid - try again later [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x16 "; classtype: unsuccessful-user; program: *Security*; xbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001761; sid: 5001761; rev:8;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Windows DC Logon Failure - Brute force 
0x17 - Password has expired [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x17 "; classtype: unsuccessful-user; program: *Security*; xbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001762; sid: 5001762; rev:7;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Windows DC Logon Failure - Brute force 0x18 - Kerberos password authentication failure [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: !"|24| Service Information|3a|"; content: " 0x18 "; classtype: unsuccessful-user; program: *Security*; xbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001763; sid: 5001763; rev:23;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Windows DC Logon Failure - Brute force 0x19 - Additional pre-authentication required [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x19 "; classtype: unsuccessful-user; program: *Security*; xbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001764; sid: 5001764; rev:8;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Windows DC Logon Failure - Brute force 0x1F - Integrity check on decrypted field failed [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x1F "; classtype: unsuccessful-user; program: *Security*; xbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001765; sid: 5001765; rev:8;) #alert any $EXTERNAL_NET 
any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Windows DC Logon Failure - Brute force 0x20 - Ticket expired [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x20 "; classtype: unsuccessful-user; program: *Security*; xbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001766; sid: 5001766; rev:8;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Windows DC Logon Failure - Brute force 0x21 - Ticket not yet valid [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x21 "; classtype: unsuccessful-user; program: *Security*; xbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001767; sid: 5001767; rev:7;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Windows DC Logon Failure - Brute force 0x22 - Request is a replay [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x22 "; classtype: unsuccessful-user; program: *Security*; xbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001768; sid: 5001768; rev:9;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Windows DC Logon Failure - Brute force 0x23 - The ticket isn't for us [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x23 "; classtype: unsuccessful-user; program: *Security*; xbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001769; sid: 5001769; rev:8;) alert any $EXTERNAL_NET any -> $HOME_NET any 
(msg: "[WINDOWS-AUTH] Windows DC Logon Failure - Brute force 0x24 - Ticket and authenticator don't match [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x24 "; classtype: unsuccessful-user; program: *Security*; xbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001770; sid: 5001770; rev:9;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Windows DC Logon Failure - Brute force 0x25 - Clock skew too great [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x25 "; classtype: unsuccessful-user; program: *Security*; xbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001771; sid: 5001771; rev:8;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Windows DC Logon Failure - Brute force 0x26 - Incorrect net address [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x26 "; classtype: unsuccessful-user; program: *Security*; xbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001772; sid: 5001772; rev:9;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Windows DC Logon Failure - Brute force 0x27 - Protocol version mismatch [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x27 "; classtype: unsuccessful-user; program: *Security*; xbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001773; sid: 5001773; rev:8;) #alert any $EXTERNAL_NET any -> $HOME_NET 
any (msg: "[WINDOWS-AUTH] Windows DC Logon Failure - Brute force 0x28 - Invalid msg type [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x28 "; classtype: unsuccessful-user; program: *Security*; xbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001774; sid: 5001774; rev:8;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Windows DC Logon Failure - Brute force 0x29 - Message stream modified [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x29 "; classtype: unsuccessful-user; program: *Security*; xbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001775; sid: 5001775; rev:8;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Windows DC Logon Failure - Brute force 0x2A - Message out of order [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x2A "; classtype: unsuccessful-user; program: *Security*; xbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001776; sid: 5001776; rev:8;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Windows DC Logon Failure - Brute force 0x2C - Specified version of key is not available [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x2C "; classtype: unsuccessful-user; program: *Security*; xbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001777; sid: 5001777; rev:8;) #alert any $EXTERNAL_NET any -> $HOME_NET 
any (msg: "[WINDOWS-AUTH] Windows DC Logon Failure - Brute force 0x2D - Service key not available [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x2D "; classtype: unsuccessful-user; program: *Security*; xbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001778; sid: 5001778; rev:8;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Windows DC Logon Failure - Brute force 0x2E - Mutual authentication failed [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x2E "; classtype: unsuccessful-user; program: *Security*; xbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001779; sid: 5001779; rev:8;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Windows DC Logon Failure - Brute force 0x2F - Incorrect message direction [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x2F "; classtype: unsuccessful-user; program: *Security*; xbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001780; sid: 5001780; rev:8;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Windows DC Logon Failure - Brute force 0x30 - Alternative authentication method required [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x30 "; classtype: unsuccessful-user; program: *Security*; xbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001781; sid: 5001781; rev:8;) alert any 
$EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Windows DC Logon Failure - Brute force 0x31 - Incorrect sequence number in message [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x31 "; classtype: unsuccessful-user; program: *Security*; xbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001782; sid: 5001782; rev:9;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Windows DC Logon Failure - Brute force 0x32 - Inappropriate type of checksum in message [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x32 "; classtype: unsuccessful-user; program: *Security*; xbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001783; sid: 5001783; rev:8;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Windows DC Logon Failure - Brute force 0x3C - Generic error [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x3C "; classtype: unsuccessful-user; program: *Security*; xbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001784; sid: 5001784; rev:8;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Windows DC Logon Failure - Brute force 0x3D - Field is too long for this implementation [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x3D "; classtype: unsuccessful-user; program: *Security*; xbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001785; 
sid: 5001785; rev:8;) # Account "re-enabled" via xbit (12/03/2013) alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-AUTH] User account created [XBIT SET]"; pcre: "/ 624: | 4720: /"; program: *Security*; classtype: successful-user; xbits: set, created_enabled, 30; xbits:nounified2; xbits:noeve; reference: url,wiki.quadrantsec.com/bin/view/Main/5001880; sid: 5001880; rev:8;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-AUTH] User account re-enabled"; pcre: "/ 626: | 4722: /"; content:! "$" ;program: *Security*; xbits: isnotset, by_src, created_enabled; classtype: successful-user; reference: url,wiki.quadrantsec.com/bin/view/Main/5001881; sid: 5001881; rev:6;) # Rule added by Brian Echeverry ( becheverry@quadrantsec.com) - 02/21/2014 # Disabled by default. Possible xbit rule candidate (?) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Account locked out (ADMINISTRATOR)"; pcre: "/ 644: | 4740: /"; content: "administrator"; nocase; classtype: unsuccessful-user; program: *Security*; reference: url,wiki.quadrantsec.com/bin/view/Main/5001978; sid: 5001978; rev:4;) # You'll want to populate the "WINDOWS_DOMAINS" variable before enabling this rule. 
# Champ Clark - 03/03/2014 #alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[WINDOWS-AUTH] Pass-The-Hash detected!"; pcre: "/ 4624: | 4625: /"; content: "Logon Type|3a| 3 "; content: "Authentication Package|3a| NTLM "; content:!"ANONYMOUS LOGON"; meta_content:!"Domain|3a| %sagan% ",$WINDOWS_DOMAINS; meta_nocase; program: *Security*; parse_src_ip: 1; classtype: successful-user; reference: url,wiki.quadrantsec.com/bin/view/Main/5002017; reference: url, http://en.wikipedia.org/wiki/Pass_the_hash; sid: 5002017; rev:5;) # Records _all_ RDP sessions #alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[WINDOWS-AUTH] RDP / Logon type 10"; pcre: "/ 528: | 4624: /"; content: "Logon Type|3a| 10 "; program: *Security*; parse_src_ip: 1; default_proto: tcp; classtype: successful-user; reference: url,wiki.quadrantsec.com/bin/view/Main/5002015; sid: 5002015; rev:4;) #alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[WINDOWS-AUTH] Logon attempt using explicit credentials"; pcre: "/ 552: | 4648: /"; content:!"Network Address|3a| - "; content:!"Port|3a| - "; content:!"Target Server Name|3a| localhost"; program: *Security*; parse_src_ip: 1; default_proto: tcp; classtype: successful-user; reference: url,wiki.quadrantsec.com/bin/view/Main/5002018; sid: 5002018; rev:5;) # Rule added by Brian Echeverry ( becheverry@quadrantsec.com) - 10/08/2014 #alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-AUTH] User account disabled"; pcre: "/ 629: | 4725: /"; program: *Security*; classtype: successful-user; reference: url,wiki.quadrantsec.com/bin/view/Main/5002213; sid: 5002213; rev:5;) # Enabled by Brian Echeverry - 04/08/2016 alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-AUTH] User account deleted"; pcre: "/ 630: | 4726: /"; program: *Security*; classtype: successful-user; reference: url,wiki.quadrantsec.com/bin/view/Main/5002335; sid: 5002335; rev:4;) # Rule added by Brian Echeverry ( becheverry@quadrantsec.com) - 10/19/2015 #alert any $EXTERNAL_NET any -> 
$HOME_NET any (msg: "[WINDOWS-AUTH] Security enabled global group created"; pcre: "/ 631: | 4727: /"; classtype: system-event; program: *Security*; reference: url,wiki.quadrantsec.com/bin/view/Main/5002403; sid: 5002403; rev:3;) # Added by Adam Hall (Jan, 11th 2016). You'll need to make sure your audit policy/GPO has logging for this enabled! #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MISC] Domain policy was changed"; pcre: "/ 4739: | 643: /"; classtype: system-event; program: *Security*; reference: url,wiki.quadrantsec.com/bin/view/Main/5002775; sid: 5002775; rev:3;) # Steve Rawls (2016/12/22) - detect "administrator" logins. Disabled by default #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Successful Administrator Logon Detected"; pcre: "/ 540: | 4624: /"; classtype: successful-user; program: *Security*; content: "Account Name|58| Administrator"; parse_src_ip: 1; parse_port; reference: url,wiki.quadrantsec.com/bin/view/Main/5003039; sid:5003039; rev:2;) # Steve Rawls (2017/03/27) - Split off from sid 5001763, which detects _user_ brute force. 5003101 & 5003102 detect "Broken Domain Trust". 
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Possible Windows Broken Domain Trust [25/1]"; content: " 4771|3a| "; content: "|24| Service Information|3a|"; content: " 0x18 "; classtype: unsuccessful-user; program: *Security*; xbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5003101; sid:5003101; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Possible Windows Broken Domain Trust [25/1]"; content: " 4768|3a| "; content: "|24| Supplied Realm Name|3a|"; content: " 0x18 "; classtype: unsuccessful-user; program: *Security*; xbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5003102; sid:5003102; rev:2;) # Steve Rawls (2017/03/29) - Another Broken domain trust with event ID 4776. alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Possible Windows Broken Domain Trust [25/1]"; content: "|24| Source Workstation|3a|"; content: "C000006A"; nocase; content: " 4776: "; content:!"|24| Account Domain|3a| "; content:!"Source Network Address|3a| -"; xbits: set,brute_force,21600;content:!"Account Name|3a| Account Domain|3a| Failure"; classtype: unsuccessful-user; program: *Security*; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5003103; sid:5003103; rev:3;) # Steve Rawls (2017/04/13) - Broken domain trust (generic). 
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[SYSLOG] Possible Windows Broken Domain Trust [25/1]"; pcre: "/failed to authorize|wrong password given|repeated login failures|authentication failed|authentication failures|access denied|access not allowed|failed to authenticate/i"; content: "|24| Session ID|3a|"; content:!"access denied by ACL"; content:!"Kerberos"; parse_src_ip: 1; parse_port; parse_proto; classtype: unsuccessful-user; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; flowbits: set,brute_force,21600; reference: url,wiki.quadrantsec.com/bin/view/Main/5003107; sid:5003107; rev:2;) # Steve Rawls (2017/08/31) # 172.16.1.1|daemon|err|err|1b|2017-08-29|14:42:22|Directory-Services-SAM| 12294: The SAM database was unable to lockout the account of Administrator due to a resource error, such as a hard disk write failure (the specific error code is in the error data) . Accounts are locked after a certain number of bad passwords are provided so please consider resetting the password of the account mentioned above. alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] SAM Database Unable to Lock Account"; program: "Directory-Services-SAM"; content: "12294|3a| "; classtype: unsuccessful-user; reference: url,wiki.quadrantsec.com/bin/view/Main/5003203; reference: url,technet.microsoft.com/en-us/library/cc733228(v=ws.10).aspx; sid:5003203; rev:1;) # 2017-02-22 - Rule created by Champ Clark III based on Jack Crook's work. 
See: # From Jack Crook via https://www.quadrantsec.com/about/blog/using_jack_crooks_log_analysis_concepts_with_sagan/ alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Suspicious network login"; program: *Security*; content: " 4624|3a| "; content: "Logon Type|3a| 3"; pcre: "/^((?!Account Name: (.*)\$ ).)*$/"; content:!"Workstation Name|3a| Source Network Address|3a|"; reference: url,findingbad.blogspot.cz/2017/12/a-few-of-my-favorite-things-continued.html; reference: url,wiki.quadrantsec.com/bin/view/Main/5003376; reference: url,www.quadrantsec.com/about/blog/using_jack_crooks_log_analysis_concepts_with_sagan; classtype:suspicious-login; sid:5003376; rev:1;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Suspicious network login from non-RFC1918"; program: *Security*; content: " 4624|3a| "; content: "Logon Type|3a| 3"; parse_src_ip: 1; meta_content:!"Source Network Address|3a| %sagan%",10.,192.168.,-,|3a 3a|1,127.0.0.1,172.16.,172.17.,172.18.,172.19.,172.20.,172.21.,172.22.,172.23.,172.24.,172.25.,172.26.,172.27.,172.28.,172.29.,172.30.,172.31.; meta_nocase; reference: url,findingbad.blogspot.cz/2017/12/a-few-of-my-favorite-things-continued.html; reference: url,wiki.quadrantsec.com/bin/view/Main/5003377; reference: url,www.quadrantsec.com/about/blog/using_jack_crooks_log_analysis_concepts_with_sagan; sid:5003377; classtype:suspicious-login; rev:1;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Suspicious WMIC/Net/Powershell execution"; program: *Security*; content: " 4648|3a| "; content:!"Account Name|3a| -"; content:!"Target Server Name|3a| localhost"; pcre: "/Target Server Name: (.*)\$ /"; pcre: "/Process Name: (.*)(net\.exe|wmic\.exe|powershell\.exe)(.*)/i"; reference: url,findingbad.blogspot.cz/2017/12/a-few-of-my-favorite-things-continued.html; reference: url,wiki.quadrantsec.com/bin/view/Main/5003387; reference: url,www.quadrantsec.com/about/blog/using_jack_crooks_log_analysis_concepts_with_sagan; 
classtype:misc-attack; sid:5003387; rev:1;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Suspicious Mount of a $ share"; program: *Security*; content: " 5140|3a| "; pcre: "/^((?!Account Name: (.*)\$ ).)*$/"; pcre: "/Share Name: (.*)\$/"; reference: url,findingbad.blogspot.cz/2017/12/a-few-of-my-favorite-things-continued.html; reference: url,wiki.quadrantsec.com/bin/view/Main/5003389; reference: url,www.quadrantsec.com/about/blog/using_jack_crooks_log_analysis_concepts_with_sagan; classtype:misc-attack; sid:5003389; rev:1;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] LDAP authentication error - Account expired."; program: *System*; content: " 40960|3a| "; content: "0xc0000193"; reference: url,wiki.quadrantsec.com/bin/view/Main/5003786; reference: url,www.quadrantsec.com/about/blog/using_jack_crooks_log_analysis_concepts_with_sagan; classtype:suspicious-login; sid:5003786; rev:1;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] LDAP authentication error - Account locked."; program: *System*; content: " 40960|3a| "; content: "0xc0000234"; threshold: type limit, track by_src, count 1, seconds 300; reference: url,wiki.quadrantsec.com/bin/view/Main/5003787; classtype: unsuccessful-user; sid:5003787; rev:1;) sagan-1.2.0/rules/apache.rules0000644000175000017500000005243513310533411015177 0ustar champchamp# Sagan apache.rules # Copyright (c) 2009-2017, Quadrant Information Security # All rights reserved. # # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list # #************************************************************* # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. 
# * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
# #************************************************************* # # In order for you to receive Apache logs via syslog, you'll need to change your "CustomLog" configuration # entry in your Apache config to something like: # # CustomLog "|/usr/bin/logger -i -p local0.info -t apache2" common # #alert any $EXTERNAL_NET any -> $HOME_NET any ( msg:"[APACHE] Segmentation fault"; content: "signal Segmentation Fault"; default_proto:tcp; default_dst_port: $HTTP_PORT; classtype: program-error; program: apache|httpd; reference: url,wiki.quadrantsec.com/bin/view/Main/5000155; sid:5000155; rev:5;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[APACHE] Attempt to access forbidden file or directory [0/5]"; content: "denied by server configuration"; threshold: type limit, track by_src, count 5, seconds 300; xbits: set,recon,86400; default_proto:tcp; default_dst_port: $HTTP_PORT; classtype: permissions-violation ; program: apache|httpd; reference: url,wiki.quadrantsec.com/bin/view/Main/5000156; parse_src_ip: 1; sid:5000156; rev:9;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[APACHE] Attempt to access forbidden directory index [0/5]"; content: "Directory index forbidden by rule"; threshold: type limit, track by_src, count 5, seconds 300; xbits: set,recon,86400; default_proto:tcp; default_dst_port: $HTTP_PORT; classtype: permissions-violation; program: apache|httpd; reference: url,wiki.quadrantsec.com/bin/view/Main/5000157; parse_src_ip: 1; sid:5000157; rev:10;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[APACHE] Client sent malformed Host header"; content: "Client sent malformed Host header"; default_proto:tcp; default_dst_port: $HTTP_PORT; classtype: string-detect; program: apache|httpd; reference: url,wiki.quadrantsec.com/bin/view/Main/5000158; parse_src_ip: 1; sid:5000158; rev:7;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[APACHE] User authentication failed"; content: "authentication failed"; nocase; default_proto:tcp; default_dst_port: $HTTP_PORT; 
classtype: unsuccessful-user; program: apache|httpd; reference: url,wiki.quadrantsec.com/bin/view/Main/5000159; parse_src_ip: 1; sid:5000159; rev:7;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[APACHE] Attempt to login using a non-existent user"; pcre: "/user \S+ not found/i"; xbits: set,recon,86400; default_proto:tcp; default_dst_port: $HTTP_PORT; classtype: unsuccessful-user; program: apache|httpd; reference: url,wiki.quadrantsec.com/bin/view/Main/5000160; parse_src_ip: 1; sid:5000160; rev:8;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[APACHE] Rapid attempt to access a non-existent file or directory"; pcre: "/file does not exist|No such file or directory/i"; content:!"favicon.ico"; threshold:type limit, track by_src, count 20, seconds 60; xbits: set,recon,86400; default_proto:tcp; default_dst_port: $HTTP_PORT; classtype: suspicious-filename-detect; program: apache|httpd; reference: url,wiki.quadrantsec.com/bin/view/Main/5000161; parse_src_ip: 1; sid:5000161; rev:8;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[APACHE] Attempt to access a non-existent file or stream"; pcre: "/failed opening|failed to open stream/i"; default_proto:tcp; default_dst_port: $HTTP_PORT; classtype: suspicious-filename-detect; program: apache|httpd; reference: url,wiki.quadrantsec.com/bin/view/Main/5000378; parse_src_ip: 1; sid:5000378; rev:8;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[APACHE] Invalid URI in request"; content: "Invalid URI in request"; default_proto:tcp; default_dst_port: $HTTP_PORT; classtype: suspicious-traffic; program: apache|httpd; reference: url,wiki.quadrantsec.com/bin/view/Main/5000162; parse_src_ip: 1; sid:5000162; rev:7;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[APACHE] Invalid URI, file name too long"; content: "file name too long"; content: "URI too long"; default_proto:tcp; default_dst_port: $HTTP_PORT; classtype: suspicious-filename-detect; program: apache|httpd; reference: 
url,wiki.quadrantsec.com/bin/view/Main/5000163; parse_src_ip: 1; sid:5000163; rev:7;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[APACHE] Mod_Security Access denied"; pcre: "/modsecurity|mod_security|mod_security-message/i"; content: "access denied"; nocase; default_proto:tcp; default_dst_port: $HTTP_PORT; classtype: web-application-attack; program: apache|httpd; reference: url,wiki.quadrantsec.com/bin/view/Main/5000165; parse_src_ip: 1; sid:5000165; rev:7;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[APACHE] Resource temporarily unavailable"; content: "Resource temporarily unavailable"; default_proto:tcp; default_dst_port: $HTTP_PORT; classtype: program-error; program: apache|httpd; reference: url,wiki.quadrantsec.com/bin/view/Main/5000166; parse_src_ip: 1; sid:5000166; rev:7;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[APACHE] Directory traversal attempt - 1"; content: "?C=S;O=A"; xbits: set,recon,86400; default_proto:tcp; default_dst_port: $HTTP_PORT; classtype: suspicious-traffic; program: apache|httpd; reference: url,wiki.quadrantsec.com/bin/view/Main/5000359; parse_src_ip: 1; sid: 5000359; rev:8;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[APACHE] Directory traversal attempt - 2"; content: "?C=M;O=A"; xbits: set,recon,86400; default_proto:tcp; default_dst_port: $HTTP_PORT; classtype: suspicious-traffic; program: apache|httpd; reference: url,wiki.quadrantsec.com/bin/view/Main/5000360; parse_src_ip: 1; sid: 5000360; rev:8;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[APACHE] Robots.txt access"; content: "robots.txt"; content:!" 404 "; xbits: set,recon,86400; default_proto:tcp; default_dst_port: $HTTP_PORT; classtype: unknown; program: apache|httpd; reference: url,wiki.quadrantsec.com/bin/view/Main/5000361; parse_src_ip: 1; sid: 5000361; rev:9;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[APACHE] PHPinfo access attempt [0/5]"; content: "phpinfo"; content:!" 
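404 "; xbits: set,recon,86400; default_proto:tcp; default_dst_port: $HTTP_PORT; classtype: attempted-recon; program: apache|httpd; reference: url,wiki.quadrantsec.com/bin/view/Main/5000362; parse_src_ip: 1; threshold:type limit, track by_src, count 5, seconds 300; sid: 5000362; rev:12;)

# 5000362 rev 12: dropped a duplicated "xbits: set, recon, 86400" (the same bit was set twice in one rule).
# 5000364 rev 9: "program: apachehttpd" was missing the '|' separator, so it could never match the
# syslog program field of either apache or httpd and the rule was silently dead. Restored to
# apache|httpd, consistent with every other [APACHE] rule in this file.
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[APACHE] Php-my-admin access attempt [0/5]"; content: "phpmyadmin"; nocase; content:!" 404 "; xbits: set,recon,86400; default_proto:tcp; default_dst_port: $HTTP_PORT; classtype: web-application-attack; program: apache|httpd; reference: url,wiki.quadrantsec.com/bin/view/Main/5000364; parse_src_ip: 1; threshold:type limit, track by_src, count 5, seconds 300; sid: 5000364; rev:9;)

# CVE-2014-6271 (09/24/2014 - Champ Clark III)
# NOTE: every Shellshock rule below carries "fwsam: src, 1 day", i.e. an automatic one-day block of
# whatever address parse_src_ip extracts (the first IP in the log line). Keep fwsam enabled only if
# the first IP field in your Apache log format is the TCP peer address. If the format records a
# client-supplied value first (e.g. X-Forwarded-For), a single crafted request containing "() {"
# is enough to get an arbitrary third-party address blocked.
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[APACHE] Remote execution attempt via CVE-2014-6271"; content:"|28 29 20 7b 20|"; program: apache|httpd; default_proto:tcp; default_dst_port: $HTTP_PORT; classtype: exploit-attempt; xbits: set, exploit_attempt, 86400; parse_src_ip: 1; fwsam: src, 1 day; reference: url,wiki.quadrantsec.com/bin/view/Main/5002180; reference: url,web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6271; sid:5002180; rev:6;)

# CVE-2014-6271 (09/30/2014 - Champ Clark III) - These are modified Emerging Threats rules
alert any any any -> $HTTP_SERVERS any (msg:"[APACHE] Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 1"; content:"%28%29|20|{|20|"; program: apache|httpd; xbits: set, exploit_attempt, 86400; parse_src_ip: 1; fwsam: src, 1 day; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; default_proto:tcp; default_dst_port: $HTTP_PORT; classtype:attempted-admin; sid:5002181; rev:3;)
alert any any any -> $HTTP_SERVERS any (msg:"[APACHE] Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 2"; content:"%28%29|20|{%20"; program: apache|httpd; xbits: set, exploit_attempt, 86400; parse_src_ip: 1; fwsam: src, 1 day; 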
reference:url,blogs.akamai.com/2014/09/environment-bashing.html; default_proto:tcp; default_dst_port: $HTTP_PORT; classtype:attempted-admin; sid:5002182; rev:3;) alert any any any -> $HTTP_SERVERS any (msg:"[APACHE] Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 3"; content:"%28%29|20|%7b|20|"; program: apache|httpd; xbits: set, exploit_attempt, 86400; parse_src_ip: 1; fwsam: src, 1 day; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; default_proto:tcp; default_dst_port: $HTTP_PORT; classtype:attempted-admin; sid:5002183; rev:3;) alert any any any -> $HTTP_SERVERS any (msg:"[APACHE] Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 4"; content:"%28%29|20|%7b%20"; program: apache|httpd; xbits: set, exploit_attempt, 86400; parse_src_ip: 1; fwsam: src, 1 day; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; default_proto:tcp; default_dst_port: $HTTP_PORT; classtype:attempted-admin; sid:5002184; rev:3;) alert any any any -> $HTTP_SERVERS any (msg:"[APACHE] Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 5"; content:"%28%29%20{|20|"; program: apache|httpd; xbits: set, exploit_attempt, 86400; parse_src_ip: 1; fwsam: src, 1 day; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; default_proto:tcp; default_dst_port: $HTTP_PORT; classtype:attempted-admin; sid:5002185; rev:3;) alert any any any -> $HTTP_SERVERS any (msg:"[APACHE] Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 6"; content:"%28%29%20{%20"; program: apache|httpd; xbits: set, exploit_attempt, 86400; parse_src_ip: 1; fwsam: src, 1 day; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; default_proto:tcp; default_dst_port: $HTTP_PORT; classtype:attempted-admin; sid:5002186; rev:3;) alert any any any -> $HTTP_SERVERS any (msg:"[APACHE] Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 7"; content:"%28%29%20%7b|20|"; program: apache|httpd; xbits: set, exploit_attempt, 86400; parse_src_ip: 1; fwsam: src, 1 day; 
reference:url,blogs.akamai.com/2014/09/environment-bashing.html; default_proto:tcp; default_dst_port: $HTTP_PORT; classtype:attempted-admin; sid:5002187; rev:3;) alert any any any -> $HTTP_SERVERS any (msg:"[APACHE] Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 8"; content:"%28%29%20%7b%20"; program: apache|httpd; xbits: set, exploit_attempt, 86400; parse_src_ip: 1; fwsam: src, 1 day; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; default_proto:tcp; default_dst_port: $HTTP_PORT; classtype:attempted-admin; sid:5002188; rev:3;) alert any any any -> $HTTP_SERVERS any (msg:"[APACHE] Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 9"; content:"%28|20|{|20|"; program: apache|httpd; xbits: set, exploit_attempt, 86400; parse_src_ip: 1; fwsam: src, 1 day; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; default_proto:tcp; default_dst_port: $HTTP_PORT; classtype:attempted-admin; sid:5002189; rev:3;) alert any any any -> $HTTP_SERVERS any (msg:"[APACHE] Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 10"; content:"%28|20|{%20"; program: apache|httpd; xbits: set, exploit_attempt, 86400; parse_src_ip: 1; fwsam: src, 1 day; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; default_proto:tcp; default_dst_port: $HTTP_PORT; classtype:attempted-admin; sid:5002190; rev:3;) alert any any any -> $HTTP_SERVERS any (msg:"[APACHE] Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 11"; content:"%28|20|%7b|20|"; program: apache|httpd; xbits: set, exploit_attempt, 86400; parse_src_ip: 1; fwsam: src, 1 day; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; default_proto:tcp; default_dst_port: $HTTP_PORT; classtype:attempted-admin; sid:5002212; rev:3;) alert any any any -> $HTTP_SERVERS any (msg:"[APACHE] Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 12"; content:"%28|20|%7b%20"; program: apache|httpd; xbits: set, exploit_attempt, 86400; parse_src_ip: 1; fwsam: src, 1 day; 
reference:url,blogs.akamai.com/2014/09/environment-bashing.html; default_proto:tcp; default_dst_port: $HTTP_PORT; classtype:attempted-admin; sid:5002191; rev:3;) alert any any any -> $HTTP_SERVERS any (msg:"[APACHE] Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 13"; content:"%28%20{|20|"; program: apache|httpd; xbits: set, exploit_attempt, 86400; parse_src_ip: 1; fwsam: src, 1 day; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; default_proto:tcp; default_dst_port: $HTTP_PORT; classtype:attempted-admin; sid:5002192; rev:3;) alert any any any -> $HTTP_SERVERS any (msg:"[APACHE] Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 14"; content:"%28%20{%20"; program: apache|httpd; xbits: set, exploit_attempt, 86400; parse_src_ip: 1; fwsam: src, 1 day; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; default_proto:tcp; default_dst_port: $HTTP_PORT; classtype:attempted-admin; sid:5002193; rev:3;) alert any any any -> $HTTP_SERVERS any (msg:"[APACHE] Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 15"; content:"%28%20%7b|20|"; program: apache|httpd; xbits: set, exploit_attempt, 86400; parse_src_ip: 1; fwsam: src, 1 day; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; default_proto:tcp; default_dst_port: $HTTP_PORT; classtype:attempted-admin; sid:5002194; rev:3;) alert any any any -> $HTTP_SERVERS any (msg:"[APACHE] Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 16"; content:"%28%20%7b%20"; program: apache|httpd; xbits: set, exploit_attempt, 86400; parse_src_ip: 1; fwsam: src, 1 day; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; default_proto:tcp; default_dst_port: $HTTP_PORT; classtype:attempted-admin; sid:5002195; rev:3;) alert any any any -> $HTTP_SERVERS any (msg:"[APACHE] Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 17"; content:"|28|%29|20|{|20|"; program: apache|httpd; xbits: set, exploit_attempt, 86400; parse_src_ip: 1; fwsam: src, 1 day; 
reference:url,blogs.akamai.com/2014/09/environment-bashing.html; default_proto:tcp; default_dst_port: $HTTP_PORT; classtype:attempted-admin; sid:5002196; rev:3;) alert any any any -> $HTTP_SERVERS any (msg:"[APACHE] Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 18"; content:"|28|%29|20|{%20"; program: apache|httpd; xbits: set, exploit_attempt, 86400; parse_src_ip: 1; fwsam: src, 1 day; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; default_proto:tcp; default_dst_port: $HTTP_PORT; classtype:attempted-admin; sid:5002197; rev:3;) alert any any any -> $HTTP_SERVERS any (msg:"[APACHE] Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 19"; content:"|28|%29|20|%7b|20|"; program: apache|httpd; xbits: set, exploit_attempt, 86400; parse_src_ip: 1; fwsam: src, 1 day; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; default_proto:tcp; default_dst_port: $HTTP_PORT; classtype:attempted-admin; sid:5002198; rev:3;) alert any any any -> $HTTP_SERVERS any (msg:"[APACHE] Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 20"; content:"|28|%29|20|%7b%20"; program: apache|httpd; xbits: set, exploit_attempt, 86400; parse_src_ip: 1; fwsam: src, 1 day; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; default_proto:tcp; default_dst_port: $HTTP_PORT; classtype:attempted-admin; sid:5002199; rev:3;) alert any any any -> $HTTP_SERVERS any (msg:"[APACHE] Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 21"; content:"|28|%29%20{|20|"; program: apache|httpd; xbits: set, exploit_attempt, 86400; parse_src_ip: 1; fwsam: src, 1 day; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; default_proto:tcp; default_dst_port: $HTTP_PORT; classtype:attempted-admin; sid:5002200; rev:3;) alert any any any -> $HTTP_SERVERS any (msg:"[APACHE] Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 22"; content:"|28|%29%20{%20"; program: apache|httpd; xbits: set, exploit_attempt, 86400; parse_src_ip: 1; fwsam: src, 1 
day; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; default_proto:tcp; default_dst_port: $HTTP_PORT; classtype:attempted-admin; sid:5002201; rev:3;) alert any any any -> $HTTP_SERVERS any (msg:"[APACHE] Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 23"; content:"|28|%29%20%7b|20|"; program: apache|httpd; xbits: set, exploit_attempt, 86400; parse_src_ip: 1; fwsam: src, 1 day; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; default_proto:tcp; default_dst_port: $HTTP_PORT; classtype:attempted-admin; sid:5002202; rev:3;) alert any any any -> $HTTP_SERVERS any (msg:"[APACHE] Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 24"; content:"|28|%29%20%7b%20"; program: apache|httpd; xbits: set, exploit_attempt, 86400; parse_src_ip: 1; fwsam: src, 1 day; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; default_proto:tcp; default_dst_port: $HTTP_PORT; classtype:attempted-admin; sid:5002203; rev:3;) alert any any any -> $HTTP_SERVERS any (msg:"[APACHE] Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 25"; content:"|28 29 20|{%20"; program: apache|httpd; xbits: set, exploit_attempt, 86400; parse_src_ip: 1; fwsam: src, 1 day; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; default_proto:tcp; default_dst_port: $HTTP_PORT; classtype:attempted-admin; sid:5002204; rev:3;) alert any any any -> $HTTP_SERVERS any (msg:"[APACHE] Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 26"; content:"|28 29 20|%7b|20|"; program: apache|httpd; xbits: set, exploit_attempt, 86400; parse_src_ip: 1; fwsam: src, 1 day; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; default_proto:tcp; default_dst_port: $HTTP_PORT; classtype:attempted-admin; sid:5002205; rev:3;) alert any any any -> $HTTP_SERVERS any (msg:"[APACHE] Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 27"; content:"|28 29 20|%7b%20"; program: apache|httpd; xbits: set, exploit_attempt, 86400; parse_src_ip: 1; fwsam: 
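src, 1 day; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; default_proto:tcp; default_dst_port: $HTTP_PORT; classtype:attempted-admin; sid:5002206; rev:3;)

# 5002207 rev 4: content was "|29 29|%20{|20|", i.e. "))%20{ " - the open paren had been mistyped as a
# second close paren, so this encoding variant of the "() {" Shellshock marker was never matched.
# Now "|28 29|%20{|20|", consistent with Generic 29/30 below.
alert any any any -> $HTTP_SERVERS any (msg:"[APACHE] Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 28"; content:"|28 29|%20{|20|"; program: apache|httpd; xbits: set, exploit_attempt, 86400; parse_src_ip: 1; fwsam: src, 1 day; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; default_proto:tcp; default_dst_port: $HTTP_PORT; classtype:attempted-admin; sid:5002207; rev:4;)
alert any any any -> $HTTP_SERVERS any (msg:"[APACHE] Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 29"; content:"|28 29|%20%7b|20|"; program: apache|httpd; xbits: set, exploit_attempt, 86400; parse_src_ip: 1; fwsam: src, 1 day; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; default_proto:tcp; default_dst_port: $HTTP_PORT; classtype:attempted-admin; sid:5002208; rev:3;)
alert any any any -> $HTTP_SERVERS any (msg:"[APACHE] Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 30"; content:"|28 29|%20%7b%20"; program: apache|httpd; xbits: set, exploit_attempt, 86400; parse_src_ip: 1; fwsam: src, 1 day; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; default_proto:tcp; default_dst_port: $HTTP_PORT; classtype:attempted-admin; sid:5002209; rev:3;)

# NOTE: the two "Line Continuation Evasion" rules below match a raw LF / CRLF inside the log message
# ("|28 29 0a 20 7b|" / "|28 29 0d 0a 20 7b|"). Most syslog paths escape or split on control
# characters before Sagan sees the line (rsyslog, for example, rewrites LF as "#012" by default),
# so confirm what your collector actually delivers and match the escaped form if that is what
# arrives; otherwise these two rules will not fire on real traffic.
alert any any any -> $HTTP_SERVERS any (msg:"[APACHE] CVE-2014-6271 Attempt In HTTP Headers Line Continuation Evasion LF"; content:"|28 29 0a 20 7b|"; program: apache|httpd; xbits: set, exploit_attempt, 86400; parse_src_ip: 1; fwsam: src, 1 day; reference:url,www.invisiblethreat.ca/2014/09/cve-2014-6271/; default_proto:tcp; default_dst_port: $HTTP_PORT; classtype:attempted-admin; sid:5002210; rev:3;)
alert any any any -> $HTTP_SERVERS any (msg:"[APACHE] CVE-2014-6271 Attempt In HTTP Headers Line Continuation Evasion CRLF"; content:"|28 29 0d 0a 20 7b|"; program: apache|httpd; xbits: set, exploit_attempt, 86400; 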
parse_src_ip: 1; fwsam: src, 1 day; reference:url,www.invisiblethreat.ca/2014/09/cve-2014-6271/; default_proto:tcp; default_dst_port: $HTTP_PORT; classtype:attempted-admin; sid:5002211; rev:2;) sagan-1.2.0/rules/windows-owa-bluedot.rules0000644000175000017500000000424313310533411017662 0ustar champchamp# Sagan windows-owa-bluedot.rules # Copyright (c) 2009-2017, Quadrant Information Security # All rights reserved. # # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list # #************************************************************* # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. 
IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
# USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#
# NOTE(review): the msg says "Login failure - Brute force [5/5]", but nothing in the rule checks for a
# failed login or counts attempts: there is no threshold/after option, and the only content match is
# the EWS path "/ews/exchange.asmx". As written it fires - and fwsam-blocks the parsed source for a
# day - on any single EWS request from an address Bluedot lists as Malicious/Tor/Honeypot/Proxy.
# Either add the counting the name promises (e.g. "after: track by_src, count 5, seconds 300;" plus a
# failure indicator in content) or rename the msg to describe what it actually detects, so that
# responders do not read a reputation hit as a confirmed brute-force.
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-OWA-BLUEDOT] Login failure - Brute force [5/5]"; content: "/ews/exchange.asmx"; nocase; bluedot: type ip_reputation, track by_src, none, Malicious,Tor,Honeypot,Proxy; default_proto: tcp; default_dst_port: $HTTPS_PORT; classtype: suspicious-traffic; fwsam: src, 1 day; parse_src_ip: 1; parse_dst_ip: 2; reference: url,wiki.quadrantsec.com/bin/view/Main/5002352; sid:5002352; rev:5;)
sagan-1.2.0/rules/pptp.rules0000644000175000017500000000460113310533411014731 0ustar champchamp# Sagan pptp.rules
# Copyright (c) 2009-2017, Quadrant Information Security
# All rights reserved.
#
# Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list
#
#*************************************************************
# Redistribution and use in source and binary forms, with or without modification, are permitted provided that the
# following conditions are met:
#
# * Redistributions of source code must retain the above copyright notice, this list of conditions and the following
# disclaimer.
# * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the
# following disclaimer in the documentation and/or other materials provided with the distribution.
# * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
# # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. # #************************************************************* alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[PPTP] Failed message [communications error]"; pcre: "/GRE: \S+ from \S+ failed: status = -1/"; default_proto: tcp; default_dst_port: $PPTP_PORT; classtype: network-event; program: pptpd; reference: url,wiki.quadrantsec.com/bin/view/Main/5000134; sid: 5000134; rev:3;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[PPTP] Connection established"; content: "control connection started"; default_proto: tcp; default_dst_port: $PPTP_PORT; classtype: successful-user; program: pptpd; reference: url,wiki.quadrantsec.com/bin/view/Main/5000135; sid:5000135; rev:3;) sagan-1.2.0/rules/watchguard.rules0000644000175000017500000004420413310533411016102 0ustar champchamp# Sagan watchguard.rules # Copyright (c) 2009-2017, Quadrant Information Security # All rights reserved. 
# # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list # #************************************************************* # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. # # # Watchguard rules by Kenneth Comollo ; # 2017/03/08 # Example log. 
# 10.1.1.1|local1|warning|warning|8c|2016-12-13|14:03:58|WatchGuard*| (2016-12-13T19:03:58) firewall: msg_id="3000-0149" Allow 1-Trusted 0-External 413 tcp 20 121 10.2.2.2 12.11.111.8 52976 443 offset 5 A 3999914994 win 1 app_name="SSL/TLS" cat_name="Network protocols" app_beh_name="Connection" app_id="185" app_cat_id="20" app_ctl_disp="2" msg="Application identified" src_user="bob@example.com" (HTTPS-out-WG_GeneralUser-00) # IPv4 source route attack was detected alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WATCHGUARD] IPv4 source route attack was detected"; program: WatchGuard*; content: "msg_id=|22|3000-0152|22|"; parse_proto; parse_src_ip: 1; parse_dst_ip: 2; classtype: misc-attack; reference:url,www.watchguard.com/help/docs/wsm/XTM_11/en-US/log_catalog/index.html; sid:5003055; rev:2;) # IPv4 SYN flood attack was detected alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WATCHGUARD] IPv4 SYN flood attack was detected"; program: WatchGuard*; content: "msg_id=|22|3000-0153|22|"; parse_src_ip: 1; parse_dst_ip: 2; default_proto:tcp; classtype: denial-of-service; reference:url,www.watchguard.com/help/docs/wsm/XTM_11/en-US/log_catalog/index.html; sid:5003056; rev:2;) # IPv4 ICMP flood attack was detected alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WATCHGUARD] IPv4 ICMP flood attack was detected"; program: WatchGuard*; content: "msg_id=|22|3000-0154|22|"; parse_src_ip: 1; parse_dst_ip: 2; default_proto: icmp; classtype: denial-of-service; reference:url,www.watchguard.com/help/docs/wsm/XTM_11/en-US/log_catalog/index.html; sid:5003057; rev:2;) # IPv4 UDP flood attack was detected alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WATCHGUARD] IPv4 UDP flood attack was detected"; program: WatchGuard*; content: "msg_id=|22|3000-0155|22|"; parse_src_ip: 1; parse_dst_ip: 2; default_proto: udp; classtype: denial-of-service; reference:url,www.watchguard.com/help/docs/wsm/XTM_11/en-US/log_catalog/index.html; sid:5003058; rev:2;) # IPv4 IPSEC flood attack 
was detected alert any $EXTERNAL_NET any -> $HOME_NET 500 (msg: "[WATCHGUARD] IPv4 IPSEC flood attack was detected"; program: WatchGuard*; content: "msg_id=|22|3000-0156|22|"; parse_src_ip: 1; parse_dst_ip: 2; default_proto:udp; default_dst_port: 500; classtype: denial-of-service; reference:url,www.watchguard.com/help/docs/wsm/XTM_11/en-US/log_catalog/index.html; sid:5003059; rev:2;) # IPv4 IKE flood attack was detected alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WATCHGUARD] IPv4 IKE flood attack was detected"; program: WatchGuard*; content: "msg_id=|22|3000-0157|22|"; parse_src_ip: 1; parse_dst_ip: 2; default_proto:udp; default_dst_port: 500; classtype: denial-of-service; reference:url,www.watchguard.com/help/docs/wsm/XTM_11/en-US/log_catalog/index.html; sid:5003060; rev:2;) # IPv4 scan attack was detected alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WATCHGUARD] IPv4 scan attack was detected"; program: WatchGuard*; content: "msg_id=|22|3000-0158|22|"; parse_proto; parse_src_ip: 1; parse_dst_ip: 2; classtype: network-scan; reference:url,www.watchguard.com/help/docs/wsm/XTM_11/en-US/log_catalog/index.html; sid:5003061; rev:2;) # IPv4 port scan attack was detected alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WATCHGUARD] IPv4 port scan attack was detected"; program: WatchGuard*; content: "msg_id=|22|3000-0159|22|"; parse_proto; parse_src_ip: 1; parse_dst_ip: 2; classtype: network-scan; reference:url,www.watchguard.com/help/docs/wsm/XTM_11/en-US/log_catalog/index.html; sid:5003062; rev:2;) # IPv4 DDOS attack against a server was detected alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WATCHGUARD] IPv4 DDOS attack against a server was detected"; program: WatchGuard*; content: "msg_id=|22|3000-0160|22|"; parse_proto; parse_src_ip: 1; parse_dst_ip: 2; classtype: denial-of-service; reference:url,www.watchguard.com/help/docs/wsm/XTM_11/en-US/log_catalog/index.html; sid:5003063; rev:2;) # IPv4 DDOS attack from a client was detected alert any 
$EXTERNAL_NET any -> $HOME_NET any (msg: "[WATCHGUARD] IPv4 DDOS attack from a client was detected"; program: WatchGuard*; content: "msg_id=|22|3000-0161|22|"; parse_proto; parse_src_ip: 1; parse_dst_ip: 2; classtype: denial-of-service; reference:url,www.watchguard.com/help/docs/wsm/XTM_11/en-US/log_catalog/index.html; sid:5003064; rev:2;)

# IPv6 SYN flood attack was detected
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WATCHGUARD] IPv6 SYN flood attack was detected"; program: WatchGuard*; content: "msg_id=|22|3000-0162|22|"; parse_src_ip: 1; parse_dst_ip: 2; default_proto:tcp; classtype: denial-of-service; reference:url,www.watchguard.com/help/docs/wsm/XTM_11/en-US/log_catalog/index.html; sid:5003065; rev:2;)

# NOTE(review): unlike the IPv4 flood rules (5003057/5003058) and the IPv6 SYN flood rule just above,
# the four IPv6 rules below (5003066-5003069) carry no parse_src_ip/parse_dst_ip. Without them the
# alert's source address is the syslog sender - the firewall itself - rather than the attacking host,
# so any xbits/fwsam/correlation keyed on the source attributes the flood to the firewall. This looks
# like an oversight rather than a parser limitation, since 5003065 already uses parse_src_ip on the
# same IPv6 message family; confirm the field positions of msg_id 3000-0163..0166 in the log catalog
# before adding "parse_src_ip: 1; parse_dst_ip: 2;" to these four.
# IPv6 ICMP flood attack was detected
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WATCHGUARD] IPv6 ICMP flood attack was detected"; program: WatchGuard*; content: "msg_id=|22|3000-0163|22|"; default_proto: icmp; classtype: denial-of-service; reference:url,www.watchguard.com/help/docs/wsm/XTM_11/en-US/log_catalog/index.html; sid:5003066; rev:2;)

# IPv6 UDP flood attack was detected
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WATCHGUARD] IPv6 UDP flood attack was detected"; program: WatchGuard*; content: "msg_id=|22|3000-0164|22|"; default_proto: udp; classtype: denial-of-service; reference:url,www.watchguard.com/help/docs/wsm/XTM_11/en-US/log_catalog/index.html; sid:5003067; rev:2;)

# IPv6 IPSEC flood attack was detected
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WATCHGUARD] IPv6 IPSEC flood attack was detected"; program: WatchGuard*; content: "msg_id=|22|3000-0165|22|"; parse_proto; classtype: denial-of-service; reference:url,www.watchguard.com/help/docs/wsm/XTM_11/en-US/log_catalog/index.html; sid:5003068; rev:2;)

# IPv6 IKE flood attack was detected
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WATCHGUARD] IPv6 IKE flood attack was detected"; program: WatchGuard*; content: "msg_id=|22|3000-0166|22|"; default_proto: 
udp; classtype: denial-of-service; reference:url,www.watchguard.com/help/docs/wsm/XTM_11/en-US/log_catalog/index.html; sid:5003069; rev:2;) # Traffic was detected to or from a blocked site alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WATCHGUARD] Traffic was detected to or from a blocked site"; program: WatchGuard*; content: "msg_id=|22|3000-0168|22|"; parse_proto; parse_src_ip: 1; parse_dst_ip: 2; default_proto:tcp; classtype: bad-unknown; reference:url,www.watchguard.com/help/docs/wsm/XTM_11/en-US/log_catalog/index.html; sid:5003070; rev:2;) # IP Spoofing Detected alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WATCHGUARD] IP spoofing was detected from the IP address specified"; program: WatchGuard*; content: "msg_id=|22|3000-0169|22|"; parse_proto; parse_src_ip: 1; parse_dst_ip: 2; classtype: bad-unknown; reference:url,www.watchguard.com/help/docs/wsm/XTM_11/en-US/log_catalog/index.html; sid:5003071; rev:2;) # Possible loop or ARP spoofing detected alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WATCHGUARD] Possible loop or ARP spoofing detected"; program: WatchGuard*; content: "msg_id=|22|3000-012E|22|"; classtype: bad-unknown; reference:url,www.watchguard.com/help/docs/wsm/XTM_11/en-US/log_catalog/index.html; sid:5003072; rev:2;) # Firewall is shutting down #alert any $HOME_NET any -> $HOME_NET any (msg: "[WATCHGUARD] Firewall is shutting down"; program: WatchGuard*; content: "msg_id=|22|3000-0028|22|"; classtype: program-error; reference:url,www.watchguard.com/help/docs/wsm/XTM_11/en-US/log_catalog/index.html; sid:5003073; rev:2;) # Detected an ARP spoofing attack alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WATCHGUARD] Detected an ARP spoofing attack"; program: WatchGuard*; content: "msg_id=|22|3000-012C|22|"; classtype: bad-unknown; reference:url,www.watchguard.com/help/docs/wsm/XTM_11/en-US/log_catalog/index.html; sid:5003074; rev:2;) # Feature key for Application Control subscription has expired #alert any $HOME_NET any -> 
$HOME_NET any (msg: "[WATCHGUARD] Feature key for Application Control subscription has expired"; program: WatchGuard*; content: "msg_id=|22|3000-0004|22|"; classtype: system-event; reference:url,www.watchguard.com/help/docs/wsm/XTM_11/en-US/log_catalog/index.html; sid:5003075; rev:2;) # Feature key for Intrusion Prevention Services subscription has expired #alert any $HOME_NET any -> $HOME_NET any (msg: "[WATCHGUARD] Feature key for Intrusion Prevention Services subscription has expired"; program: WatchGuard*; content: "msg_id=|22|3000-0005|22|"; classtype: system-event; reference:url,www.watchguard.com/help/docs/wsm/XTM_11/en-US/log_catalog/index.html; sid:5003076; rev:2;) # Capture stopped due to the specified reason #alert any $HOME_NET any -> $HOME_NET any (msg: "[WATCHGUARD] Capture stopped due to the specified reason"; program: WatchGuard*; content: "msg_id=|22|3113-0001|22|"; classtype: program-error; reference:url,www.watchguard.com/help/docs/wsm/XTM_11/en-US/log_catalog/index.html; sid:5003077; rev:2;) # Starting wireless AP service #alert any $HOME_NET any -> $HOME_NET any (msg: "[WATCHGUARD] Starting wireless AP service"; program: WatchGuard*; content: "msg_id=|22|3100-0052|22|"; classtype: system-event; reference:url,www.watchguard.com/help/docs/wsm/XTM_11/en-US/log_catalog/index.html; sid:5003078; rev:2;) # Wireless access point model mismatch #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WATCHGUARD] Wireless access point model mismatch"; program: WatchGuard*; content: "msg_id=|22|6100-0002|22|"; classtype: bad-unknown; reference:url,www.watchguard.com/help/docs/wsm/XTM_11/en-US/log_catalog/index.html; sid:5003079; rev:2;) # Wireless access point activation failure alert any $HOME_NET any -> $HOME_NET any (msg: "[WATCHGUARD] Wireless access point activation failure"; program: WatchGuard*; content: "msg_id=|22|6100-0003|22|"; classtype: program-error; reference:url,www.watchguard.com/help/docs/wsm/XTM_11/en-US/log_catalog/index.html; 
sid:5003080; rev:2;) # APT threat identification and notification alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WATCHGUARD] APT threat identification and notification"; program: WatchGuard*; content: "msg_id=|22|0F00-0015|22|"; classtype: suspicious-traffic; reference:url,www.watchguard.com/help/docs/wsm/XTM_11/en-US/log_catalog/index.html; sid:5003081; rev:2;) # Gateway AntiVirus (GAV) detected a virus or malware in an email attachment. alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WATCHGUARD] Gateway AntiVirus (GAV) detected a virus or malware in an email attachment."; program: WatchGuard*; content: "msg_id=|22|1BFF-000C|22|"; classtype: suspicious-traffic; reference:url,www.watchguard.com/help/docs/wsm/XTM_11/en-US/log_catalog/index.html; sid:5003082; rev:2;) # Gateway AntiVirus (GAV) cannot perform scan alert any $HOME_NET any -> $HOME_NET any (msg: "[WATCHGUARD] Gateway AntiVirus (GAV) cannot perform scan"; program: WatchGuard*; content: "msg_id=|22|1BFF-000E|22|"; classtype: program-error; reference:url,www.watchguard.com/help/docs/wsm/XTM_11/en-US/log_catalog/index.html; sid:5003083; rev:2;) # APT threat detected alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WATCHGUARD] APT threat detected"; program: WatchGuard*; content: "msg_id=|22|1BFF-0028|22|"; parse_proto; parse_src_ip: 1; parse_dst_ip: 2; classtype: suspicious-traffic; reference:url,www.watchguard.com/help/docs/wsm/XTM_11/en-US/log_catalog/index.html; sid:5003084; rev:2;) # Gateway AntiVirus (GAV) virus found - FTP alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WATCHGUARD] Gateway AntiVirus (GAV) virus found - FTP"; program: WatchGuard*; content: "msg_id=|22|1CFF-000E|22|"; parse_src_ip: 1; parse_dst_ip: 2; default_proto:tcp; default_dst_port: $FTP_PORT; classtype: suspicious-traffic; reference:url,www.watchguard.com/help/docs/wsm/XTM_11/en-US/log_catalog/index.html; sid:5003085; rev:2;) # Gateway AntiVirus (GAV) scan error alert any $HOME_NET any -> $HOME_NET any (msg: 
"[WATCHGUARD] Gateway AntiVirus (GAV) scan error"; program: WatchGuard*; content: "msg_id=|22|1CFF-000F|22|"; classtype: program-error; reference:url,www.watchguard.com/help/docs/wsm/XTM_11/en-US/log_catalog/index.html; sid:5003086; rev:2;) # Gateway AntiVirus (GAV) virus found - POP3 alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WATCHGUARD] Gateway AntiVirus (GAV) virus found - POP3"; program: WatchGuard*; content: "msg_id=|22|21FF-000F|22|"; default_proto:tcp; default_dst_port: $POP3_PORT; classtype: suspicious-traffic; reference:url,www.watchguard.com/help/docs/wsm/XTM_11/en-US/log_catalog/index.html; sid:5003087; rev:2;) # Administrative accounts reset to default alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WATCHGUARD] Administrative accounts reset to default"; program: WatchGuard*; content: "msg_id=|22|0101-0002|22|"; classtype: configuration-change; reference:url,www.watchguard.com/help/docs/wsm/XTM_11/en-US/log_catalog/index.html; sid:5003088; rev:2;) # LIVESECURITY feature not found alert any $HOME_NET any -> $HOME_NET any (msg: "[WATCHGUARD] LIVESECURITY feature not found"; program: WatchGuard*; content: "msg_id=|22|5501-0002|22|"; classtype: program-error; reference:url,www.watchguard.com/help/docs/wsm/XTM_11/en-US/log_catalog/index.html; sid:5003089; rev:2;) # Member promoted to master #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WATCHGUARD] Member promoted to master"; program: WatchGuard*; content: "msg_id=|22|3900-0005|22|"; classtype: configuration-change; reference:url,www.watchguard.com/help/docs/wsm/XTM_11/en-US/log_catalog/index.html; sid:5003090; rev:2;) # Failed to start the signature update for the specified services alert any $HOME_NET any -> $HOME_NET any (msg: "[WATCHGUARD] Failed to start the signature update for the specified services"; program: WatchGuard*; content: "msg_id=|22|2E01-0018|22|"; classtype: program-error; reference:url,www.watchguard.com/help/docs/wsm/XTM_11/en-US/log_catalog/index.html; sid:5003091; 
rev:2;) # VPN (PPTP) - User login alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WATCHGUARD] VPN - User login"; program: WatchGuard*; content: "msg_id=|22|1400-0000|22|"; parse_src_ip: 1; parse_dst_ip: 2; default_proto:tcp; default_dst_port: $PPTP_PORT; classtype: successful-user; reference:url,www.watchguard.com/help/docs/wsm/XTM_11/en-US/log_catalog/index.html; sid:5003092; rev:2;) # VPN (SSL) - User login # alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WATCHGUARD] VPN (SSL) - User login"; program: WatchGuard*; content: "msg_id=|22|2500-0000|22|"; parse_src_ip: 1; parse_dst_ip: 2; default_proto:tcp; default_dst_port: $HTTPS_PORT; classtype: successful-user; reference:url,www.watchguard.com/help/docs/wsm/XTM_11/en-US/log_catalog/index.html; sid:5003093; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[WATCHGUARD] Failed Login Attempt - Brute force [WATCHGUARD] [5/5]"; program: WatchGuard*; content: "msg_id=|22|1100-0005|22|"; content: "Authentication of"; content: "rejected"; parse_src_ip: 1; parse_dst_ip: 2; xbits: set,brute_force,21600; after: track by_src, count 5, seconds 300; threshold: type limit, track by_src, count 5, seconds 300; classtype: unsuccessful-user; reference:url,www.watchguard.com/help/docs/wsm/XTM_11/en-US/log_catalog/index.html; sid:5003094; rev:1;) alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[WATCHGUARD] Signature update process for the specified version failed"; program: WatchGuard*; content: "msg_id=|22|2E02-0067|22|"; classtype: program-error; reference:url,www.watchguard.com/help/docs/wsm/XTM_11/en-US/log_catalog/index.html; sid:5003097; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WATCHGUARD] IP spoofing was detected from the IP address specified"; program: WatchGuard*; content: "msg_id=|22|3000-0169|22|"; classtype: bad-unknown; reference:url,www.watchguard.com/help/docs/wsm/XTM_11/en-US/log_catalog/index.html; sid:5003098; rev:2;) alert any $HOME_NET any -> $HOME_NET any (msg: 
"[WATCHGUARD] Wireless Access Point Model Mismatch"; program: WatchGuard*; content: "msg_id=|22|6100-0002|22|"; classtype: program-error; reference:url,www.watchguard.com/help/docs/wsm/XTM_11/en-US/log_catalog/index.html; sid:5003099; rev:1;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WATCHGUARD] IPS detected an intrusion in the client request or server response content body"; program: WatchGuard*; content: "msg_id=|22|1AFF-0026|22|"; classtype: suspicious-traffic; parse_src_ip: 1; parse_dst_ip: 2; reference:url,www.watchguard.com/help/docs/wsm/XTM_11/en-US/log_catalog/index.html; sid:5003100; rev:2;) sagan-1.2.0/rules/snort.rules0000644000175000017500000002737313310533411015126 0ustar champchamp# Sagan snort.rules # Copyright (c) 2009-2017, Quadrant Information Security # All rights reserved. # # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list # #************************************************************* # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. 
IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. # #************************************************************* #alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[SNORT] Snort syslog message"; program: snort; content: "Classification"; content: "Priority"; classtype: suspicious-command; normalize; reference: url,wiki.quadrantsec.com/bin/view/Main/5000386; sid: 5000386; rev:5;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[SNORT] Not Suspicious Traffic"; program: snort; content: "Classification|3a| Not Suspicious Traffic"; classtype: not-suspicious; normalize; reference: url,wiki.quadrantsec.com/bin/view/Main/5000976; sid: 5000976; rev:5;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[SNORT] Unknown Traffic"; program: snort; content: "Classification|3a| Unknown Traffic"; classtype: unknown; normalize; reference: url,wiki.quadrantsec.com/bin/view/Main/5000977; sid: 5000977; rev:5;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[SNORT] Bad Traffic"; program: snort; content: "Classification|3a| Bad Traffic"; classtype: bad-unknown; normalize; reference: url,wiki.quadrantsec.com/bin/view/Main/5000978; sid: 5000978; rev:5;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[SNORT] Attempted Information Leak"; program: snort; content: "Classification|3a| Attempted Information Leak"; classtype: attempted-recon; xbits: set, recon, 86400; normalize; reference: url,wiki.quadrantsec.com/bin/view/Main/5000979; sid: 5000979; rev:5;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[SNORT] 
Information Leak"; program: snort; content: "Classification|3a| Information Leak"; classtype: successful-recon-limited; xbits: set, recon, 86400; normalize; reference: url,wiki.quadrantsec.com/bin/view/Main/5000980; sid: 5000980; rev:5;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[SNORT] Large Scale Information Leak"; program: snort; content: "Classification|3a| Large Scale Information Leak"; classtype: successful-recon-largescale; xbits: set, recon, 86400; normalize; reference: url,wiki.quadrantsec.com/bin/view/Main/5000981; sid: 5000981; rev:5;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[SNORT] Attempted Denial of Service"; program: snort; content: "Classification|3a| Attempted Denial of Service"; classtype: attempted-dos; normalize; reference: url,wiki.quadrantsec.com/bin/view/Main/5000982; sid: 5000982; rev:5;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[SNORT] Denial of Service"; program: snort; content: "Classification|3a| Denial of Service"; classtype: successful-dos; normalize; reference: url,wiki.quadrantsec.com/bin/view/Main/5000983; sid: 5000983; rev:5;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[SNORT] Attempted User Privilege Gain"; program: snort; content: "Classification|3a| Attempted User Privilege Gain"; classtype: attempted-user; normalize; reference: url,wiki.quadrantsec.com/bin/view/Main/5000984; sid: 5000984; rev:5;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[SNORT] Unsuccessful User Privilege Gain"; program: snort; content: "Classification|3a| Unsuccessful User Privilege Gain"; classtype: unsuccessful-user; normalize; reference: url,wiki.quadrantsec.com/bin/view/Main/5000985; sid: 5000985; rev:5;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[SNORT] Successful User Privilege Gain"; program: snort; content: "Classification|3a| Successful User Privilege Gain"; classtype: successful-user; normalize; reference: url,wiki.quadrantsec.com/bin/view/Main/5000986; sid: 5000986; rev:5;) alert any 
$EXTERNAL_NET any -> $HOME_NET any (msg:"[SNORT] Attempted Administrator Privilege Gain"; program: snort; content: "Classification|3a| Attempted Administrator Privilege Gain"; classtype: attempted-admin; normalize; reference: url,wiki.quadrantsec.com/bin/view/Main/5000987; sid: 5000987; rev:5;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[SNORT] Successful Administrator Privilege Gain"; program: snort; content: "Classification|3a| Successful Administrator Privilege Gain"; classtype: successful-admin; normalize; reference: url,wiki.quadrantsec.com/bin/view/Main/5000988; sid: 5000988; rev:5;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[SNORT] Decode of an RPC Query"; program: snort; content: "Classification|3a| Decode of an RPC Query"; classtype: rpc-portmap-decode; normalize; reference: url,wiki.quadrantsec.com/bin/view/Main/5000989; sid: 5000989; rev:5;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[SNORT] Executable code was detected"; program: snort; content: "Classification|3a| Executable code was detected"; classtype: shellcode-detect; normalize; reference: url,wiki.quadrantsec.com/bin/view/Main/5000990; sid: 5000990; rev:5;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[SNORT] A suspicious string was detected"; program: snort; content: "Classification|3a| A suspicious string was detected"; classtype: string-detect; normalize; reference: url,wiki.quadrantsec.com/bin/view/Main/5000991; sid: 5000991; rev:5;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[SNORT] A suspicious filename was detected"; program: snort; content: "Classification|3a| A suspicious filename was detected"; classtype: suspicious-filename-detect; normalize; reference: url,wiki.quadrantsec.com/bin/view/Main/5000992; sid: 5000992; rev:5;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[SNORT] An attempted login using a suspicious username was detected"; program: snort; content: "Classification|3a| An attempted login using a suspicious username was detected"; 
classtype: suspicious-login; normalize; reference: url,wiki.quadrantsec.com/bin/view/Main/5000993; sid: 5000993; rev:5;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[SNORT] A system call was detected"; program: snort; content: "Classification|3a| A system call was detected"; classtype: system-call-detect; normalize; reference: url,wiki.quadrantsec.com/bin/view/Main/5000995; sid: 5000995; rev:5;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[SNORT] A TCP connection was detected"; program: snort; content: "Classification|3a| A TCP connection was detected"; classtype: tcp-connection; normalize; reference: url,wiki.quadrantsec.com/bin/view/Main/5000996; sid: 5000996; rev:5;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[SNORT] A Network Trojan was detected"; program: snort; content: "Classification|3a| A Network Trojan was detected"; classtype: trojan-activity; normalize; reference: url,wiki.quadrantsec.com/bin/view/Main/5000997; sid: 5000997; rev:5;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[SNORT] A client was using an unusual port"; program: snort; content: "Classification|3a| A client was using an unusual port"; classtype: unusual-client-port-connection; normalize; reference: url,wiki.quadrantsec.com/bin/view/Main/5000998; sid: 5000998; rev:5;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[SNORT] Detection of a Network Scan"; program: snort; content: "Classification|3a| Detection of a Network Scan"; classtype: network-scan; normalize; reference: url,wiki.quadrantsec.com/bin/view/Main/5000999; sid: 5000999; rev:5;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[SNORT] Detection of a Denial of Service Attack"; program: snort; content: "Classification|3a| Detection of a Denial of Service Attack"; classtype: denial-of-service; normalize; reference: url,wiki.quadrantsec.com/bin/view/Main/5001000; sid: 5001000; rev:5;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[SNORT] Detection of a non-standard protocol or event"; program: 
snort; content: "Classification|3a| Detection of a non-standard protocol or event"; classtype: non-standard-protocol; normalize; reference: url,wiki.quadrantsec.com/bin/view/Main/5001001; sid: 5001001; rev:5;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[SNORT] Generic Protocol Command Decode"; program: snort; content: "Classification|3a| Generic Protocol Command Decode"; classtype: protocol-command-decode; normalize; reference: url,wiki.quadrantsec.com/bin/view/Main/5001002; sid: 5001002; rev:5;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[SNORT] access to a potentially vulnerable web application"; program: snort; content: "Classification|3a| access to a potentially vulnerable web application"; classtype: web-application-activity; normalize; reference: url,wiki.quadrantsec.com/bin/view/Main/5001003; sid: 5001003; rev:5;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[SNORT] Web Application Attack"; program: snort; content: "Classification|3a| Web Application Attack"; classtype: web-application-activity; normalize; reference: url,wiki.quadrantsec.com/bin/view/Main/5001004; sid: 5001004; rev:5;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[SNORT] Misc activity"; program: snort; content: "Classification|3a| Misc activity"; classtype: misc-activity; normalize; reference: url,wiki.quadrantsec.com/bin/view/Main/5001005; sid: 5001005; rev:5;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[SNORT] Misc Attack"; program: snort; content: "Classification|3a| Misc Attack"; classtype: misc-attack; normalize; reference: url,wiki.quadrantsec.com/bin/view/Main/5001006; sid: 5001006; rev:5;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[SNORT] Generic ICMP event"; program: snort; content: "Classification|3a| Generic ICMP event"; classtype: icmp-event; normalize; reference: url,wiki.quadrantsec.com/bin/view/Main/5001007; sid: 5001007; rev:5;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[SNORT] SCORE! Get the lotion! 
[Porn]"; program: snort; content: "Classification|3a| SCORE! Get the lotion!"; classtype: kickass-porn; normalize; reference: url,wiki.quadrantsec.com/bin/view/Main/5001008; sid: 5001008; rev:5;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[SNORT] Potential Corporate Privacy Violation"; program: snort; content: "Classification|3a| Potential Corporate Privacy Violation"; classtype: policy-violation; normalize; reference: url,wiki.quadrantsec.com/bin/view/Main/5001009; sid: 5001009; rev:5;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[SNORT] Attempt to login by a default username and password"; program: snort; content: "Classification|3a| Attempt to login by a default username and password"; classtype: default-login-attempt; normalize; reference: url,wiki.quadrantsec.com/bin/view/Main/5001010; sid: 5001010; rev:5;) sagan-1.2.0/rules/fatpipe.rules0000644000175000017500000000672313310533411015405 0ustar champchamp# Sagan fatpipe.rules # Copyright (c) 2009-2017, Quadrant Information Security # All rights reserved. # # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list # #************************************************************* # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. 
# # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. # #************************************************************* # 10.10.10.5|authpriv|info|info|56|2014-02-12|18:53:52|xtremed| UI Login: Success, User Name: bob, Remote IP: 10.10.10.1, Privilege: ADMINISTRATOR alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[FATPIPE] Login Success"; content: "Login|3a| Success"; default_proto: tcp; default_dst_port: $HTTPS_PORT; classtype: successful-admin; program: xtremed; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001955; sid: 5001955; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[FATPIPE] Login Success - ADMINISTRATOR"; content: "Login|3a| Success"; content: "ADMINISTRATOR"; default_proto: tcp; default_dst_port: $HTTPS_PORT; classtype: successful-admin; program: xtremed; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001956; sid: 5001956; rev:2;) # 10.10.10.5|authpriv|info|info|56|2014-02-12|19:01:06|xtremed| UI Login: Attempt Failed, User Name: bob, Remote IP: 10.10.0.1 alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[FATPIPE] Login Failed"; content: "Login|3a| Attempt Failed"; default_proto: tcp; default_dst_port: $HTTPS_PORT; classtype: unsuccessful-admin; program: xtremed; parse_src_ip: 1; reference: 
url,wiki.quadrantsec.com/bin/view/Main/5001957; sid: 5001957; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[FATPIPE] Login Failed - Brute Force [5/5]"; content: "Login|3a| Attempt Failed"; default_proto: tcp; default_dst_port: $HTTPS_PORT; classtype: unsuccessful-admin; xbits: set,brute_force,21600; program: xtremed; parse_src_ip: 1; after: track by_src, count 5, seconds 300; threshold: type limit, track by_src, count 5, seconds 300; fwsam: src, 1 day; reference: url,wiki.quadrantsec.com/bin/view/Main/5001958; sid: 5001958; rev:4;) sagan-1.2.0/rules/f5-big-ip-bluedot.rules0000644000175000017500000001151413310533411017062 0ustar champchamp# Sagan F5-BIG-IP-bluedot.rules # Copyright (c) 2009-2017, Quadrant Information Security # All rights reserved. # # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list # #************************************************************* # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. 
IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. # #************************************************************* # F5 Big-IP alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[F5-BIG-IP-BLUEDOT] Command-line Login from suspicious source"; content: "start="; content: !"end="; content: "sshd"; default_proto: tcp; default_dst_port: $SSH_PORT; classtype: successful-user; parse_src_ip: 1; bluedot: type ip_reputation, track by_src, none, Malicious,Tor,Honeypot,Proxy; reference: url,support.f5.com/kb/en-us/solutions/public/13000/400/sol13426.html; reference: url,wiki.quadrantsec.com/bin/view/Main/5002889; sid:5002889; rev:4;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[F5-BIG-IP-BLUEDOT] Command-line Logout from suspicious source"; content: "start="; content: "end="; content: "sshd"; default_proto: tcp; default_dst_port: $SSH_PORT; classtype: successful-user; parse_src_ip: 1; bluedot: type ip_reputation, track by_src, none, Malicious,Tor,Honeypot,Proxy; reference: url,support.f5.com/kb/en-us/solutions/public/13000/400/sol13426.html; reference: url,wiki.quadrantsec.com/bin/view/Main/5002890; sid:5002890; rev:4;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[F5-BIG-IP-BLUEDOT] Unsuccessful Command-line Login from suspicious source"; content: "failed to login after"; content: "sshd"; default_proto: tcp; default_dst_port: $SSH_PORT; classtype: unsuccessful-user; parse_src_ip: 1; bluedot: type ip_reputation, track by_src, none, Malicious,Tor,Honeypot,Proxy; reference: 
url,support.f5.com/kb/en-us/solutions/public/13000/400/sol13426.html; reference: url,wiki.quadrantsec.com/bin/view/Main/5002891; sid:5002891; rev:4;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[F5-BIG-IP-BLUEDOT] Unsuccessful Command-line Login from suspicious source"; content: "Authentication failure for root"; content: "sshd"; default_proto: tcp; default_dst_port: $SSH_PORT; classtype: unsuccessful-user; parse_src_ip: 1; bluedot: type ip_reputation, track by_src, none, Malicious,Tor,Honeypot,Proxy; reference: url,support.f5.com/kb/en-us/solutions/public/13000/400/sol13426.html; reference: url,wiki.quadrantsec.com/bin/view/Main/5002892; sid:5002892; rev:4;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[F5-BIG-IP-BLUEDOT] Successful Configuration Utility Login from suspicious source"; content: "mod_auth_pam"; content: "httpd"; default_proto: tcp; default_dst_port: $HTTPS_PORT; classtype: successful-user; parse_src_ip: 1; bluedot: type ip_reputation, track by_src, none, Malicious,Tor,Honeypot,Proxy; reference: url,support.f5.com/kb/en-us/solutions/public/13000/400/sol13426.html; reference: url,wiki.quadrantsec.com/bin/view/Main/5002893; sid:5002893; rev:4;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[F5-BIG-IP-BLUEDOT] Unsuccessful Configuration Utility Login from suspicious source"; content: "failed to login after"; content: "httpd"; default_proto: tcp; default_dst_port: $HTTPS_PORT; classtype: unsuccessful-user; parse_src_ip: 1; bluedot: type ip_reputation, track by_src, none, Malicious,Tor,Honeypot,Proxy; reference: url,support.f5.com/kb/en-us/solutions/public/13000/400/sol13426.html; reference: url,wiki.quadrantsec.com/bin/view/Main/5002894; sid:5002894; rev:4;) sagan-1.2.0/rules/fatpipe-geoip.rules0000644000175000017500000000534213310533411016502 0ustar champchamp# Sagan fatpipe-geoip.rules # Copyright (c) 2009-2017, Quadrant Information Security # All rights reserved. 
# # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list # #************************************************************* # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
# #************************************************************* # 10.10.10.5|authpriv|info|info|56|2014-02-12|18:53:52|xtremed| UI Login: Success, User Name: bob, Remote IP: 10.10.10.1, Privilege: ADMINISTRATOR alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[FATPIPE-GEOIP] Login Success from outside HOME_COUNTRY"; content: "Login|3a| Success"; default_proto: tcp; default_dst_port: $HTTPS_PORT; classtype: successful-admin; program: xtremed; parse_src_ip: 1; country_code: track by_src, isnot $HOME_COUNTRY; reference: url,wiki.quadrantsec.com/bin/view/Main/5001959; sid: 5001959; rev:3;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[FATPIPE-GEOIP] Login Success - ADMINISTRATOR - from outside HOME_COUNTRY"; content: "Login|3a| Success"; content: "ADMINISTRATOR"; default_proto: tcp; default_dst_port: $HTTPS_PORT; classtype: successful-admin; program: xtremed; parse_src_ip: 1; country_code: track by_src, isnot $HOME_COUNTRY; reference: url,wiki.quadrantsec.com/bin/view/Main/5001960; sid: 5001960; rev:3;) sagan-1.2.0/rules/vpopmail.rules0000644000175000017500000000576413310533411015610 0ustar champchamp# Sagan vpopmail.rules # Copyright (c) 2009-2017, Quadrant Information Security # All rights reserved. # # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list # #************************************************************* # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. 
# * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. # #************************************************************* alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[VPOPMAIL] Authentication failure for POP3 service"; content: "password fail"; default_proto: tcp; default_dst_port: $POP3_PORT; classtype: unsuccessful-user; program: vpopmail; reference: url,wiki.quadrantsec.com/bin/view/Main/5000211; sid: 5000211; rev:4;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[VPOPMAIL] User not found/Invalid login for POP3 service"; content: "vpopmail user not found"; default_proto: tcp; default_dst_port: $POP3_PORT; classtype: unsuccessful-user; program: vpopmail; reference: url,wiki.quadrantsec.com/bin/view/Main/5000212; sid: 5000212; rev:4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[VPOPMAIL] Successful POP3 login"; content: "login success"; default_proto: tcp; default_dst_port: $POP3_PORT; classtype: successful-user; program: vpopmail; reference: url,wiki.quadrantsec.com/bin/view/Main/5000213; sid: 5000213; rev:4;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[VPOPMAIL] 
Null password given for POP3 service"; content: "null password given"; default_proto: tcp; default_dst_port: $POP3_PORT; classtype: unsuccessful-user; program: vpopmail; reference: url,wiki.quadrantsec.com/bin/view/Main/5000214; sid: 5000214; rev:4;) sagan-1.2.0/rules/cisco-geoip.rules0000644000175000017500000001513713310533411016155 0ustar champchamp# Sagan cisco-geoip.rules # Copyright (c) 2009-2017, Quadrant Information Security # All rights reserved. # # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list # #************************************************************* # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. 
IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. # # alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[CISCO-GEOIP] VPN Login from outside HOME_COUNTRY"; program: %ASA*-6-716038; country_code: track by_src, isnot $HOME_COUNTRY; default_proto: tcp; default_dst_port: $HTTPS_PORT; classtype: successful-user; parse_src_ip: 1; reference: url, wiki.quadrantsec.com/bin/view/Main/5001868; sid: 5001868; rev: 2;) # %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: testuser] [Source: 10.10.10.10] [localport: 22] at 05:00:13 EST Sun Dec 1 2013 alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[CISCO-GEOIP] Console login from outside HOME_COUNTRY"; program: %SEC_LOGIN-5-LOGIN_SUCCESS; country_code: track by_src, isnot $HOME_COUNTRY; default_proto: tcp; default_dst_port: $SSH_PORT; classtype: successful-user; parse_src_ip: 1; reference: url, wiki.quadrantsec.com/bin/view/Main/5001869; sid: 5001869; rev: 2;) # 10.1.2.1|local4|info|info|a6|2013-12-02|08:00:03|%ASA*-6-605005| Login permitted from 10.1.1.1/54112 to inside:10.1.2.1/ssh for user "bob" alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[CISCO-GEOIP] Login permitted from outside HOME_COUNTRY"; program: %ASA*-6-605005; country_code: track by_src, isnot $HOME_COUNTRY; default_proto: tcp; classtype: successful-user; parse_src_ip: 1; parse_dst_ip: 2; reference: url, wiki.quadrantsec.com/bin/view/Main/5001879; sid: 5001879; rev: 1;) # WebVPN from outside HOME_COUNTRY alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[CISCO-GEOIP] VPN login from outside 
HOME_COUNTRY"; program: %ASA*-6-716001|%ASA*-6-716038; country_code: track by_src, isnot $HOME_COUNTRY; default_proto: tcp; default_dst_port: $HTTPS_PORT; classtype: successful-user; parse_src_ip: 1; reference: url, wiki.quadrantsec.com/bin/view/Main/5001950; sid: 5001950; rev: 3;) # Group = AnyConnect, Username = bob, IP = 10.10.10.10, Session disconnected. Session Type: SSL, Duration: 12h:00m:19s, Bytes xmt: 332468520, Bytes rcv: 130276830, Reason: Max time exceeded alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[CISCO-GEOIP] VPN disconnect from outside HOME_COUNTRY"; program: %ASA*-4-113019|%ASA*-6-716002|%ASA*-6-721018; country_code: track by_src, isnot $HOME_COUNTRY; default_proto: tcp; default_dst_port: $HTTPS_PORT; classtype: successful-user; parse_src_ip: 1; reference: url, wiki.quadrantsec.com/bin/view/Main/5001962; sid: 5001962; rev: 2;) # 10.8.5.10|local4|info|info|a6|2014-02-18|02:12:41|%ASA*-6-734001| DAP: User bob, Addr 10.10.10.10, Connection AnyConnect: The following DAP records were selected for this connection: DfltAccessPolicy alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[CISCO-GEOIP] VPN login from outside HOME_COUNTRY"; program: %ASA*-6-734001; country_code: track by_src, isnot $HOME_COUNTRY; default_proto: tcp; default_dst_port: $HTTPS_PORT; classtype: successful-user; parse_src_ip: 1; reference: url, wiki.quadrantsec.com/bin/view/Main/5001964; sid: 5001964; rev: 2;) # Cisco ACS (via VPN) - authentication success # 10.10.10.10|auth|info|info|26|2014-02-20|16:26:58|CisACS_01_PassedAuth| 12s245v32 1 0 Message-Type=Authen OK,User-Name=BOB,NAS-IP-Address=172.16.1.1,Caller-ID=199.44.66.11,NAS-Port=58642432,Group-Name=VPN Users,Filter Information=No Filters activated., alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[CISCO-GEOIP] ACS Login success from outside HOME_COUNTRY"; program: CisACS_01_PassedAuth; country_code: track by_src, isnot $HOME_COUNTRY; classtype: successful-user; parse_src_ip: 2; reference: url, 
wiki.quadrantsec.com/bin/view/Main/5001977; sid: 5001977; rev: 3;) # 2014-05-07 09:32:45|10.8.0.5|129815|local4|info|info|%ASA*-6-722022| Group User IP <10.10.102.102> UDP SVC connection established without compression alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[CISCO-GEOIP] VPN login from outside HOME_COUNTRY [2]"; program: %ASA*-6-722022|%ASA*-6-722023; country_code: track by_src, isnot $HOME_COUNTRY; classtype: successful-user; parse_src_ip: 1; reference: url, wiki.quadrantsec.com/bin/view/Main/5002058; sid: 5002058; rev: 3;) # 2014-05-07 16:41:47|192.168.1.1|7050594|local0|info|info|%ASA*-6-303002| FTP connection from inside:10.20.11.20/2351 to dmz:192.168.1.1/21, user bob Stored file somefile # Track by source alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[CISCO-GEOIP] FTP file transfer from outside HOME_COUNTRY"; program: %ASA*-6-303002; country_code: track by_src, isnot $HOME_COUNTRY; default_proto: tcp; default_dst_port: $FTP_PORT; classtype: successful-user; normalize; reference: url, wiki.quadrantsec.com/bin/view/Main/5002059; sid: 5002059; rev: 6;) # Track by dest alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[CISCO-GEOIP] FTP file transfer to outside HOME_COUNTRY"; program: %ASA*-6-303002; country_code: track by_dst, isnot $HOME_COUNTRY; default_proto: tcp; default_src_port: $HTTPS_PORT; classtype: successful-user; normalize; parse_src_ip: 1; parse_dst_ip: 2; reference: url, wiki.quadrantsec.com/bin/view/Main/5002060; sid: 5002060; rev: 6;) sagan-1.2.0/rules/cisco-aetas.rules0000644000175000017500000001204213310533411016137 0ustar champchamp# Sagan cisco-aetas.rules # Copyright (c) 2009-2017, Quadrant Information Security # All rights reserved. 
# # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list # #************************************************************* # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
# # alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[CISCO-AETAS] VPN Login at suspicious time"; program: %ASA*-6-716038; alert_time: days $SAGAN_DAYS, hours $SAGAN_HOURS; default_proto: tcp; default_dst_port: $HTTPS_PORT; classtype: successful-user; parse_src_ip: 1; reference: url, wiki.quadrantsec.com/bin/view/Main/5002034; sid: 5002034; rev: 3;) # %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: testuser] [Source: 10.10.10.10] [localport: 22] at 05:00:13 EST Sun Dec 1 2013 alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[CISCO-AETAS] Console login at suspicious time"; program: %SEC_LOGIN-5-LOGIN_SUCCESS; alert_time: days $SAGAN_DAYS, hours $SAGAN_HOURS; classtype: successful-user; parse_src_ip: 1; reference: url, wiki.quadrantsec.com/bin/view/Main/5002035; sid: 5002035; rev: 3;) # 10.1.2.1|local4|info|info|a6|2013-12-02|08:00:03|%ASA*-6-605005| Login permitted from 10.1.1.1/54112 to inside:10.1.2.1/ssh for user "bob" alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[CISCO-AETAS] Login permitted at suspicious time"; program: %ASA*-6-605005; alert_time: days $SAGAN_DAYS, hours $SAGAN_HOURS; default_proto: tcp; default_dst_port: $HTTPS_PORT; classtype: successful-user; parse_src_ip: 1; parse_dst_ip: 2; reference: url, wiki.quadrantsec.com/bin/view/Main/5002036; sid: 5002036; rev: 3;) alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[CISCO-AETAS] WebVPN login at suspicious time"; program: %ASA*-6-716001; alert_time: days $SAGAN_DAYS, hours $SAGAN_HOURS; default_proto: tcp; default_dst_port: $HTTPS_PORT; classtype: successful-user; parse_src_ip: 1; reference: url, wiki.quadrantsec.com/bin/view/Main/5002037; sid: 5002037; rev: 3;) # Group = AnyConnect, Username = bob, IP = 10.10.10.10, Session disconnected. 
Session Type: SSL, Duration: 12h:00m:19s, Bytes xmt: 332468520, Bytes rcv: 130276830, Reason: Max time exceeded alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[CISCO-AETAS] VPN disconnect at suspicious time"; program: %ASA*-4-113019; alert_time: days $SAGAN_DAYS, hours $SAGAN_HOURS; default_proto: tcp; default_dst_port: $HTTPS_PORT; classtype: successful-user; parse_src_ip: 1; reference: url, wiki.quadrantsec.com/bin/view/Main/5002038; sid: 5002038; rev: 3;) # 10.8.5.10|local4|info|info|a6|2014-02-18|02:12:41|%ASA*-6-734001| DAP: User bob, Addr 10.10.10.10, Connection AnyConnect: The following DAP records were selected for this connection: DfltAccessPolicy alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[CISCO-AETAS] VPN login at suspicious time"; program: %ASA*-6-734001; alert_time: days $SAGAN_DAYS, hours $SAGAN_HOURS; default_proto: tcp; default_dst_port: $HTTPS_PORT; classtype: successful-user; parse_src_ip: 1; reference: url, wiki.quadrantsec.com/bin/view/Main/5002039; sid: 5002039; rev: 3;) # Cisco ACS (via VPN) - authentication success # 10.10.10.10|auth|info|info|26|2014-02-20|16:26:58|CisACS_01_PassedAuth| 12s245v32 1 0 Message-Type=Authen OK,User-Name=BOB,NAS-IP-Address=172.16.1.1,Caller-ID=199.44.66.11,NAS-Port=58642432,Group-Name=VPN Users,Filter Information=No Filters activated., alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[CISCO-AETAS] ACS Login success at suspicious time"; program: CisACS_01_PassedAuth; alert_time: days $SAGAN_DAYS, hours $SAGAN_HOURS; classtype: successful-user; parse_src_ip: 2; reference: url, wiki.quadrantsec.com/bin/view/Main/5002040; sid: 5002040; rev: 3;) sagan-1.2.0/rules/citrix-bluedot.rules0000644000175000017500000000660413310533411016711 0ustar champchamp# Sagan citrix-bluedot.rules # Copyright (c) 2009-2017, Quadrant Information Security # All rights reserved. 
# # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list # #************************************************************* # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
# #************************************************************* # Citrix appliances/devices/software # Login from Bluedot listed IP (Champ Clark / 08/26/2015) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX-BLUEDOT] Login from Bluedot listed IP"; content: "SSLVPN LOGIN"; default_proto: tcp; default_dst_port: $HTTPS_PORT; classtype: successful-user; parse_src_ip: 1; parse_dst_ip: 2; bluedot: type ip_reputation, track by_src, none, Malicious,Tor,Honeypot,Proxy; fwsam: src, 1 day; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5002341; sid:5002341; rev:6;) #alert any $EXTERNAL_NET any -> $HOME_NET $HTTPS_PORT (msg: "[CITRIX-BLUEDOT] AAA LOGIN_FAILED from Bluedot listed IP"; content: "AAA LOGIN_FAILED"; default_proto: tcp; default_dst_port: $HTTPS_PORT; classtype: successful-user; parse_src_ip: 1; normalize; bluedot: type ip_reputation, track by_src, none, Malicious,Tor,Honeypot,Proxy; fwsam: src, 1 day; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5002342; sid:5002342; rev:6;) alert any $EXTERNAL_NET any -> $HOME_NET $HTTPS_PORT (msg: "[CITRIX-BLUEDOT] SSLVPN HTTPREQUEST from Bluedot listed IP"; content: "SSLVPN HTTPREQUEST"; content:!"Context anonymous"; threshold: type limit, track by_src, count 5, seconds 300; default_proto: tcp; default_dst_port: $HTTPS_PORT; classtype: successful-user; parse_src_ip: 1; normalize; bluedot: type ip_reputation, track by_src, none, Malicious,Tor,Honeypot,Proxy; fwsam: src, 1 day; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5002343; sid:5002343; rev:7;) sagan-1.2.0/rules/courier-bluedot.rules0000644000175000017500000000653113310533411017056 0ustar champchamp# Sagan courier-bluedot.rules # Copyright (c) 2009-2017, Quadrant Information Security # All rights reserved. 
# # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list # #************************************************************* # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
# #************************************************************* #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[COURIER-BLUEDOT] Authentication failure from suspicius source"; content: "LOGIN FAILED,"; parse_src_ip: 1; default_proto: tcp; classtype: unsuccessful-user; program: imapd|imapd-sslcourierlogger; bluedot: type ip_reputation, track by_src, none, Malicious,Tor,Honeypot,Proxy; reference: url,wiki.quadrantsec.com/bin/view/Main/5002885; sid:5002885; rev:4;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[COURIER-BLUEDOT] Logout/disconnect from suspicious source"; pcre: "/LOGOUT|DISCONNECTED/"; default_proto: tcp; classtype: not-suspicious; parse_src_ip: 1; program: imapd|imapd-ssl|courierlogger; bluedot: type ip_reputation, track by_src, none, Malicious,Tor,Honeypot,Proxy; reference: url,wiki.quadrantsec.com/bin/view/Main/5002886; sid:5002886; rev:4;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[COURIER-BLUEDOT] User login from suspicious source"; content: "LOGIN,"; parse_src_ip: 1; default_proto: tcp; classtype: successful-user; program: imapd|imapd-ssl|courierlogger; bluedot: type ip_reputation, track by_src, none, Malicious,Tor,Honeypot,Proxy; reference: url,wiki.quadrantsec.com/bin/view/Main/5002887; sid:5002887; rev:4;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[COURIER-BLUEDOT] Timeout from suspicious source"; content: "TIMEOUT"; parse_src_ip: 1; default_proto: tcp; classtype: successful-user; program: imapd|imapd-ssl|courierlogger; bluedot: type ip_reputation, track by_src, none, Malicious,Tor,Honeypot,Proxy; reference: url,wiki.quadrantsec.com/bin/view/Main/5002888; sid:5002888; rev:4;) sagan-1.2.0/rules/fortinet-malware.rules0000644000175000017500000001047413310533411017233 0ustar champchamp# Sagan fortinet-malware.rules # Copyright (c) 2009-2017, Quadrant Information Security # All rights reserved. 
# # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list # #************************************************************* # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
# # # Added by Champ Clark - These detect ZeroAccess 11/12/2013 alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[FORTINET-MALWARE] ZeroAccess UDP port 16464 detected [5/5]"; content: "dst_port=16464"; content: "UDP"; default_proto: udp; default_dst_port: 16464; classtype: suspicious-traffic; reference: url, wiki.quadrantsec.com/bin/view/Main/5001786; parse_src_ip: 1; parse_dst_ip: 2; parse_port; threshold: type limit, track by_src, count 5, seconds 300; after: track by_src, count 5, seconds 300; sid: 5001786; rev: 4;) alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[FORTINET-MALWARE] ZeroAccess UDP port 16465 detected [5/5]"; content: "dst_port=16465"; content: "UDP"; default_proto: udp; default_dst_port: 16465; classtype: suspicious-traffic; reference: url, wiki.quadrantsec.com/bin/view/Main/5001787; parse_src_ip: 1; parse_dst_ip: 2; parse_port; threshold: type limit, track by_src, count 5, seconds 300; after: track by_src, count 5, seconds 300; sid: 5001787; rev: 4;) alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[FORTINET-MALWARE] ZeroAccess UDP port 16470 detected [5/5]"; content: "dst_port=16470"; content: "UDP"; default_proto: udp; default_dst_port: 16470; classtype: suspicious-traffic; reference: url, wiki.quadrantsec.com/bin/view/Main/5001788; parse_src_ip: 1; parse_dst_ip: 2; parse_port; threshold: type limit, track by_src, count 5, seconds 300; after: track by_src, count 5, seconds 300; sid: 5001788; rev: 4;) alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[FORTINET-MALWARE] ZeroAccess UDP port 16471 detected [5/5]"; content: "dst_port=16471"; content: "UDP"; default_proto: udp; default_dst_port: 16471; classtype: suspicious-traffic; reference: url, wiki.quadrantsec.com/bin/view/Main/5001789; parse_src_ip: 1; parse_dst_ip: 2; parse_port; threshold: type limit, track by_src, count 5, seconds 300; after: track by_src, count 5, seconds 300; sid: 5001789; rev: 4;) alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[FORTINET-MALWARE] Older 
ZeroAccess TCP port 13620 detected [5/5]"; content: "dst_port=13620"; content: "TCP"; default_proto: tcp; default_dst_port: 13620; classtype: suspicious-traffic; reference: url, wiki.quadrantsec.com/bin/view/Main/5001867; parse_src_ip: 1; parse_dst_ip: 2; parse_port; threshold: type limit, track by_src, count 5, seconds 300; after: track by_src, count 5, seconds 300; sid: 5001867; rev: 3;) alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[FORTINET-MALWARE] Potential malware traffic detected"; content: "msg=|22|Botnet"; content: !"dtype|22|ip|2d|reputation"; classtype: trojan-activity; parse_src_ip: 1; parse_dst_ip: 2; sid: 5003025; rev:3;) sagan-1.2.0/rules/cisco-wlc.rules0000644000175000017500000003157613310533411015644 0ustar champchamp# Sagan cisco-wlc.rules # Copyright (c) 2009-2017, Quadrant Information Security # All rights reserved. # # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list # #************************************************************* # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. 
IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. # # Rules for the Cisco WLC (Wireless LAN Controller) - The Cisco WLC doesn't always send everything via syslog. # For example, rogue AP detection can only be sent via snmptrap. You will need to set up SNMP-Trap on the # Cisco-WLC to point to the Sagan device. Set up snmptrapd on the Sagan device to receive the SNMP trap messages # and forward them to syslog. When snmptrapd is used, Sagan will look for the OID of the offending message. alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-WLC] Rogue AP detected [0/5]"; program: snmptrapd; content: "14179.2.6.3.36"; classtype: suspicious-traffic; threshold: type limit, track by_src, count 5, seconds 300; reference: url,wiki.quadrantsec.com/bin/view/Main/5001689; sid:5001689; rev:3;) # Champ Clark (cclark@quadrantsec.com) - 08/27/2014 # # WLC IDS signatures. 
# Reference: http://www.cisco.com/c/en/us/support/docs/wireless-mobility/wireless-lan-wlan/69366-controller-ids-sig.html#para # Revision = 1.000 Name = "Bcast deauth", Ver = 0, Preced= 1, FrmType = mgmt, Pattern = 0:0x00C0:0x03FF, Pattern = 4:0x01:0x01, Freq=30, Quiet = 300, Action = report, Desc="Broadcast Deauthentication Frame" alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-WLC] Bcast Deauth"; program: snmptrapd; content: "signatureName=Bcast deauth"; classtype: suspicious-traffic; reference: url,www.cisco.com/c/en/us/support/docs/wireless-mobility/wireless-lan-wlan/69366-controller-ids-sig.html; reference: url,wiki.quadrantsec.com/bin/view/Main/5002104; sid:5002104; rev:2;) # Name = "NULL probe resp 1", Ver = 0, Preced = 2, FrmType = mgmt, Pattern = 0:0x0050:0x03FF, Pattern = 36:0x0000:0xFFFF, Freq=1, Quiet = 300, Action = report, Desc = "NULL Probe Response - Zero length SSID element" alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-WLC] Null probe resp 1"; program: snmptrapd; content: "signatureName=NULL probe resp 1"; classtype: suspicious-traffic; reference: url,www.cisco.com/c/en/us/support/docs/wireless-mobility/wireless-lan-wlan/69366-controller-ids-sig.html; reference: url,wiki.quadrantsec.com/bin/view/Main/5002105; sid:5002105; rev:2;) # Name = "NULL probe resp 2", Ver = 0, Preced = 3, FrmType = mgmt, Pattern = 0:0x0050:0x03FF, Pattern = !36:0x00:0xFF, Freq=1, Quiet = 300, Action = report, Desc = "NULL Probe Response - No SSID element" alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-WLC] Null probe resp 2"; program: snmptrapd; content: "signatureName=NULL probe resp 2"; classtype: suspicious-traffic; reference: url,www.cisco.com/c/en/us/support/docs/wireless-mobility/wireless-lan-wlan/69366-controller-ids-sig.html; reference: url,wiki.quadrantsec.com/bin/view/Main/5002106; sid:5002106; rev:2;) # Name = "Assoc flood", Ver = 0, Preced= 4, FrmType = mgmt, Pattern = 0:0x0000:0x03FF, Freq=50, Quiet = 600, Action = report, 
Desc="Association Request flood" Name = "Auth Flood", Ver = 0, Preced= 5, FrmType = mgmt, Pattern = 0: 0x00b0: 0x03FF, Freq=50, Quiet = 600, Action = report, Desc="Authentication Request flood" alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-WLC] Assoc Flood"; program: snmptrapd; content: "signatureName=Assoc flood"; classtype: suspicious-traffic; reference: url,www.cisco.com/c/en/us/support/docs/wireless-mobility/wireless-lan-wlan/69366-controller-ids-sig.html; reference: url,wiki.quadrantsec.com/bin/view/Main/5002107; sid:5002107; rev:2;) # Name = "Reassoc flood", Ver = 0, Preced= 5, FrmType = mgmt, Pattern = 0:0x0020:0x03FF, Freq=50, Quiet = 600, Action = report, Desc="Reassociation Request flood" alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-WLC] Reassoc Flood"; program: snmptrapd; content: "signatureName=Reassoc flood"; classtype: suspicious-traffic; reference: url,www.cisco.com/c/en/us/support/docs/wireless-mobility/wireless-lan-wlan/69366-controller-ids-sig.html; reference: url,wiki.quadrantsec.com/bin/view/Main/5002108; sid:5002108; rev:2;) # Name = "Broadcast Probe flood", Ver = 0, Preced= 6, FrmType = mgmt, Pattern = 0:0x0040:0x03FF, Pattern = 4:0x01:0x01, Pattern = 24:0x0000:0xFFFF, Freq=50, Quiet = 600, Action = report, Desc="Broadcast Probe Request flood" alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-WLC] Broadcast Probe flood"; program: snmptrapd; content: "signatureName=Broadcast Probe flood"; classtype: suspicious-traffic; reference: url,www.cisco.com/c/en/us/support/docs/wireless-mobility/wireless-lan-wlan/69366-controller-ids-sig.html; reference: url,wiki.quadrantsec.com/bin/view/Main/5002109; sid:5002109; rev:2;) # Name = "Disassoc flood", Ver = 0, Preced= 7, FrmType = mgmt, Pattern = 0:0x00A0:0x03FF, Freq=50, Quiet = 600, Action = report, Desc="Disassociation flood" alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-WLC] Disassoc flood"; program: snmptrapd; content: "signatureName=Disassoc flood"; 
classtype: suspicious-traffic; reference: url,www.cisco.com/c/en/us/support/docs/wireless-mobility/wireless-lan-wlan/69366-controller-ids-sig.html; reference: url,wiki.quadrantsec.com/bin/view/Main/5002110; sid:5002110; rev:2;) # Name = "Deauth flood", Ver = 0, Preced= 8, FrmType = mgmt, Pattern = 0:0x00C0:0x03FF, Freq=50, Quiet = 600, Action = report, Desc="Deauthentication flood" alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-WLC] Deauth flood"; program: snmptrapd; content: "signatureName=Deauth flood"; classtype: suspicious-traffic; reference: url,www.cisco.com/c/en/us/support/docs/wireless-mobility/wireless-lan-wlan/69366-controller-ids-sig.html; reference: url,wiki.quadrantsec.com/bin/view/Main/5002111; sid:5002111; rev:2;) # Name = "Res mgmt 6 & 7", Ver = 0, Preced= 9, FrmType = mgmt, Pattern = 0:0x0060:0x03EF, Freq=5, Quiet = 600, Action = report, Desc="Reserved management sub-types 6 and 7" alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-WLC] Res mgmt 6 & 7"; program: snmptrapd; content: "signatureName=Res mgmt 6 & 7"; classtype: suspicious-traffic; reference: url,www.cisco.com/c/en/us/support/docs/wireless-mobility/wireless-lan-wlan/69366-controller-ids-sig.html; reference: url,wiki.quadrantsec.com/bin/view/Main/5002112; sid:5002112; rev:2;) # Name = "Res mgmt D", Ver = 0, Preced= 10, FrmType = mgmt, Pattern = 0:0x00D0:0x03FF, Freq=5, Quiet = 600, Action = report, Desc="Reserved management sub-type D" alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-WLC] Res mgmt D"; program: snmptrapd; content: "signatureName=Res mgmt D"; classtype: suspicious-traffic; reference: url,www.cisco.com/c/en/us/support/docs/wireless-mobility/wireless-lan-wlan/69366-controller-ids-sig.html; reference: url,wiki.quadrantsec.com/bin/view/Main/5002113; sid:5002113; rev:2;) # Name = "Res mgmt E & F", Ver = 0, Preced= 11, FrmType = mgmt, Pattern = 0:0x00E0:0x03EF, Freq=5, Quiet = 600, Action = report, Desc="Reserved management sub-types E and F" alert 
any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-WLC] Res mgmt E & F"; program: snmptrapd; content: "signatureName=Res mgmt E & F"; classtype: suspicious-traffic; reference: url,www.cisco.com/c/en/us/support/docs/wireless-mobility/wireless-lan-wlan/69366-controller-ids-sig.html; reference: url,wiki.quadrantsec.com/bin/view/Main/5002114; sid:5002114; rev:2;) # Name = "EAPOL flood", Ver = 0, Preced= 12, FrmType = data, Pattern = 0:0x0108:0x03FF, Pattern = 30:0x888E:0xFFFF, Freq=50, Quiet = 300, Action = report, Desc="EAPOL Flood Attack" alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-WLC] EAPOL flood"; program: snmptrapd; content: "signatureName=EAPOL flood"; classtype: suspicious-traffic; reference: url,www.cisco.com/c/en/us/support/docs/wireless-mobility/wireless-lan-wlan/69366-controller-ids-sig.html; reference: url,wiki.quadrantsec.com/bin/view/Main/5002115; sid:5002115; rev:2;) # Name = "NetStumbler 3.2.0", Ver = 0, Preced= 13, FrmType = data, Pattern = 0:0x0108:0x03FF, Pattern = 27:0x00601d:0xFFFFFF, Pattern = 30:0x0001:0xFFFF, Pattern = 36:0x466c7572:0xFFFFFFFF, Freq = 1, Quiet = 300, Action = report, Desc="NetStumbler 3.2.0" alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-WLC] NetStumbler 3.2.0 detected"; program: snmptrapd; content: "signatureName=NetStumbler 3.2.0"; classtype: suspicious-traffic; reference: url,www.cisco.com/c/en/us/support/docs/wireless-mobility/wireless-lan-wlan/69366-controller-ids-sig.html; reference: url,wiki.quadrantsec.com/bin/view/Main/5002116; sid:5002116; rev:2;) # Name = "NetStumbler 3.2.3", Ver = 0, Preced= 14, FrmType = data, Pattern = 0:0x0108:0x03FF, Pattern = 27:0x00601d:0xFFFFFF, Pattern = 30:0x0001:0xFFFF, Pattern = 36:0x416C6C20:0xFFFFFFFF, Freq = 1, Quiet = 600, Action = report, Desc="NetStumbler 3.2.3" alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-WLC] NetStumbler 3.2.3 detected"; program: snmptrapd; content: "signatureName=NetStumbler 3.2.3"; classtype: suspicious-traffic; 
reference: url,www.cisco.com/c/en/us/support/docs/wireless-mobility/wireless-lan-wlan/69366-controller-ids-sig.html; reference: url,wiki.quadrantsec.com/bin/view/Main/5002117; sid:5002117; rev:2;) # Name = "NetStumbler 3.3.0", Ver = 0, Preced= 15, FrmType = data, Pattern = 0:0x0108:0x03FF, Pattern = 27:0x00601d:0xFFFFFF, Pattern = 30:0x0001:0xFFFF, Pattern = 36:0x20202020:0xFFFFFFFF, Freq = 1, Quiet = 600, Action = report, Desc="NetStumbler 3.3.0" alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-WLC] NetStumbler 3.3.0 detected"; program: snmptrapd; content: "signatureName=NetStumbler 3.3.0"; classtype: suspicious-traffic; reference: url,www.cisco.com/c/en/us/support/docs/wireless-mobility/wireless-lan-wlan/69366-controller-ids-sig.html; reference: url,wiki.quadrantsec.com/bin/view/Main/5002118; sid:5002118; rev:2;) # Name = "NetStumbler generic", Ver = 0, Preced= 16, FrmType = data, Pattern = 0:0x0108:0x03FF, Pattern = 27:0x00601d:0xFFFFFF, Pattern = 30:0x0001:0xFFFF, Freq = 1, Quiet = 600, Action = report, Desc="NetStumbler" alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-WLC] NetStumbler generic detected"; program: snmptrapd; content: "signatureName=NetStumbler generic"; classtype: suspicious-traffic; reference: url,www.cisco.com/c/en/us/support/docs/wireless-mobility/wireless-lan-wlan/69366-controller-ids-sig.html; reference: url,wiki.quadrantsec.com/bin/view/Main/5002119; sid:5002119; rev:2;) # Name = "Wellenreiter", Ver = 0, Preced= 17, FrmType = mgmt, Pattern = 0:0x0040:0x03FF, Pattern = 24:0x001d746869735f69735f757365645f666f725f77656c6c656e726569: 0xffffffffffffffffffffffffffffffffffffffffffffffffffffffff, Freq = 1, Quiet = 600, Action = report, Desc="Wellenreiter" alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-WLC] Wellenreiter detected"; program: snmptrapd; content: "signatureName=Wellenreiter"; classtype: suspicious-traffic; reference: 
url,www.cisco.com/c/en/us/support/docs/wireless-mobility/wireless-lan-wlan/69366-controller-ids-sig.html; reference: url,wiki.quadrantsec.com/bin/view/Main/5002120; sid:5002120; rev:2;) # Big NAV Dos attack from AP with Base Radio MAC 00:0f:23:xx:xx:xx, Slot ID 0 and Source MAC 00:00:00:00:00:00 alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-WLC] Big NAV Dos attack"; program: snmptrapd; content: "Big NAV Dos attack"; classtype: suspicious-traffic; reference: url,www.cisco.com/c/en/us/support/docs/wireless-mobility/wireless-lan-wlan/69366-controller-ids-sig.html; reference: url,wiki.quadrantsec.com/bin/view/Main/5002121; sid:5002121; rev:2;) sagan-1.2.0/rules/windows-owa-correlated.rules0000644000175000017500000000646013310533411020353 0ustar champchamp# Sagan windows-owa-correlated.rules # Copyright (c) 2009-2017, Quadrant Information Security # All rights reserved. # # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list # #************************************************************* # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. 
IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. #
# NOTE(review): the four rules below match only on the EWS path "/ews/exchange.asmx" - there is no content match for a
# failed login - so ANY request for that path from a source carrying the recon/honeypot/exploit_attempt/brute_force xbit
# fires the rule and, via "fwsam: src, 1 day", blocks that source for a day. Confirm the feeding log carries only
# authentication failures, or add a failure indicator to the content matches, before enabling fwsam; a shared NAT or
# proxy address would otherwise be blocked wholesale.
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-OWA-CORRELATED] Login failure after recon activity"; content: "/ews/exchange.asmx"; nocase; default_proto: tcp; default_dst_port: $HTTPS_PORT; classtype: correlated-attack; xbits: isset,by_src,recon; fwsam: src, 1 day; parse_src_ip: 1; parse_dst_ip: 2; reference: url,wiki.quadrantsec.com/bin/view/Main/5003337; sid:5003337; rev:1;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-OWA-CORRELATED] Login failure after honeypot activity"; content: "/ews/exchange.asmx"; nocase; default_proto: tcp; default_dst_port: $HTTPS_PORT; classtype: correlated-attack; xbits: isset,by_src,honeypot; fwsam: src, 1 day; parse_src_ip: 1; parse_dst_ip: 2; reference: url,wiki.quadrantsec.com/bin/view/Main/5003338; sid:5003338; rev:1;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-OWA-CORRELATED] Login failure after exploit attempt"; content: "/ews/exchange.asmx"; nocase; default_proto: tcp; default_dst_port: $HTTPS_PORT; classtype: correlated-attack; xbits: isset,by_src,exploit_attempt; fwsam: src, 1 day; parse_src_ip: 1; parse_dst_ip: 2; reference: url,wiki.quadrantsec.com/bin/view/Main/5003339; sid:5003339; rev:1;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-OWA-CORRELATED] Login failure after brute force activity"; content: "/ews/exchange.asmx"; nocase; default_proto: tcp; default_dst_port: $HTTPS_PORT; classtype: correlated-attack; xbits: isset,by_src,brute_force; 
fwsam: src, 1 day; parse_src_ip: 1; parse_dst_ip: 2; reference: url,wiki.quadrantsec.com/bin/view/Main/5003340; sid:5003340; rev:1;) sagan-1.2.0/rules/fatpipe-correlated.rules0000644000175000017500000001176613310533411017532 0ustar champchamp# Sagan fatpipe-correlated.rules # Copyright (c) 2009-2017, Quadrant Information Security # All rights reserved. # # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list # #************************************************************* # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
# #************************************************************* # 10.10.10.5|authpriv|info|info|56|2014-02-12|18:53:52|xtremed| UI Login: Success, User Name: bob, Remote IP: 10.10.10.1, Privilege: ADMINISTRATOR alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[FATPIPE-CORRELATED] Login Success after recon activity"; content: "Login|3a| Success"; xbits: isset,by_src,recon; default_proto: tcp; default_dst_port: $HTTPS_PORT; classtype: correlated-attack; program: xtremed; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5003257; sid:5003257; rev:1;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[FATPIPE-CORRELATED] Login Success after honeypot activity"; content: "Login|3a| Success"; xbits: isset,by_src,honeypot; default_proto: tcp; default_dst_port: $HTTPS_PORT; classtype: correlated-attack; program: xtremed; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5003258; sid:5003258; rev:1;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[FATPIPE-CORRELATED] Login Success after exploit attempt"; content: "Login|3a| Success"; xbits: isset,by_src,exploit_attempt; default_proto: tcp; default_dst_port: $HTTPS_PORT; classtype: correlated-attack; program: xtremed; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5003259; sid:5003259; rev:1;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[FATPIPE-CORRELATED] Login Success after brute force activity"; content: "Login|3a| Success"; xbits: isset,by_src,brute_force; default_proto: tcp; default_dst_port: $HTTPS_PORT; classtype: correlated-attack; program: xtremed; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5003260; sid:5003260; rev:1;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[FATPIPE-CORRELATED] Login Success - ADMINISTRATOR - after recon activity"; content: "Login|3a| Success"; content: "ADMINISTRATOR"; xbits: isset,by_src,recon; default_proto: tcp; default_dst_port: $HTTPS_PORT; classtype: correlated-attack; program: xtremed; 
parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5003261; sid:5003261; rev:1;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[FATPIPE-CORRELATED] Login Success - ADMINISTRATOR - after honeypot activity"; content: "Login|3a| Success"; content: "ADMINISTRATOR"; xbits: isset,by_src,honeypot; default_proto: tcp; default_dst_port: $HTTPS_PORT; classtype: correlated-attack; program: xtremed; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5003262; sid:5003262; rev:1;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[FATPIPE-CORRELATED] Login Success - ADMINISTRATOR - after exploit attempt"; content: "Login|3a| Success"; content: "ADMINISTRATOR"; xbits: isset,by_src,exploit_attempt; default_proto: tcp; default_dst_port: $HTTPS_PORT; classtype: correlated-attack; program: xtremed; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5003263; sid:5003263; rev:1;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[FATPIPE-CORRELATED] Login Success - ADMINISTRATOR - after brute force activity"; content: "Login|3a| Success"; content: "ADMINISTRATOR"; xbits: isset,by_src,brute_force; default_proto: tcp; default_dst_port: $HTTPS_PORT; classtype: correlated-attack; program: xtremed; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5003264; sid:5003264; rev:1;) sagan-1.2.0/rules/solaris.rules0000644000175000017500000000445413310533411015430 0ustar champchamp# Sagan solaris.rules # Copyright (c) 2009-2017, Quadrant Information Security # All rights reserved. # # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list # #************************************************************* # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. 
# * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. # #************************************************************* #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[SYSLOG] kcfd - Unable to open certificate file"; program: kcfd; content: "unable to open certificate file"; classtype: program-error; reference: url,wiki.quadrantsec.com/bin/view/Main/5000393; sid: 5000393; rev:2;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[SYSLOG] rmclomv - Power Supply FAULT!"; program: rmclomv; content: "PSU"; content: "has FAULTED"; classtype: hardware-event; reference: url,wiki.quadrantsec.com/bin/view/Main/5000405; sid: 5000405; rev:2;) sagan-1.2.0/rules/tripwire.rules0000644000175000017500000000405613310533411015617 0ustar champchamp# Sagan tripwire.rules # Copyright (c) 2009-2017, Quadrant Information Security # All rights reserved. 
# # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list # #************************************************************* # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
# #************************************************************* alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[TRIPWIRE] Integrity Check failed"; content: "Integrity Check failed"; content: "File could not"; classtype: system-event; program: tripwire; reference: url,wiki.quadrantsec.com/bin/view/Main/5000129; sid: 5000129; rev:2;) sagan-1.2.0/rules/roundcube.rules0000644000175000017500000000457513310533411015746 0ustar champchamp# Sagan roundcube.rules # Copyright (c) 2009-2017, Quadrant Information Security # All rights reserved. # # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list # #************************************************************* # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. 
IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. # #************************************************************* alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[ROUNDCUBE] - Authentication failed"; content: "failed"; content: "LOGIN"; default_proto: tcp; default_dst_port: $HTTP_PORT; classtype: unsuccessful-user; program: roundcube; reference: url,wiki.quadrantsec.com/bin/view/Main/5000277; sid: 5000277; rev:2;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[ROUNDCUBE] - Authentication success"; content: "Successful login"; default_proto: tcp; default_dst_port: $HTTP_PORT; classtype: successful-user; program: roundcube; reference: url,wiki.quadrantsec.com/bin/view/Main/5000278; sid: 5000278; rev:2;) sagan-1.2.0/rules/bro-bluedot.rules0000644000175000017500000000377613310533411016200 0ustar champchamp# Sagan bro-bluedot.rules # Copyright (c) 2009-2017, Quadrant Information Security # All rights reserved. # # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list # #************************************************************* # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. 
# * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. # alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[BLUEDOT] Suspicious file hash detected"; content: " files: "; bluedot: type: file_hash, Malicious; classtype: suspicious-traffic; normalize; parse_proto; reference: url,wiki.quadrantsec.com/bin/view/Main/5002940; sid:5002940; rev:3;) sagan-1.2.0/rules/sonicwall.rules0000644000175000017500000013054713310533411015752 0ustar champchamp# Sagan sonicwall.rules # Copyright (c) 2009-2017, Quadrant Information Security # All rights reserved. 
# # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list # #************************************************************* # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
# #************************************************************* alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[SONICWALL] Possible TCP Port Scan"; content: "Possible port scan detected"; content: "TCP scanned port list"; default_proto: tcp; classtype: network-scan; normalize; reference: url,wiki.quadrantsec.com/bin/view/Main/5001083; sid: 5001083; rev:3;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[SONICWALL] Possible UDP Port Scan"; content: "Possible port scan detected"; content: "UDP scanned port list"; default_proto: udp; classtype: network-scan; normalize; reference: url,wiki.quadrantsec.com/bin/view/Main/5001085; sid: 5001085; rev:3;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[SONICWALL] IPS Detection Alert"; content: "IPS Detection Alert"; content: "ICMP PING"; default_proto: icmp; classtype: network-scan; normalize; reference: url,wiki.quadrantsec.com/bin/view/Main/5001084; sid: 5001084; rev:3;)
# NOTE(review): since rev:4 this rule matches EVERY "IPS Detection Alert", not just the ICMP PING variant above, yet it
# still carries "default_proto: icmp" and "classtype: network-scan", which appear to be inherited from that ICMP-only
# version. Any IPS alert (exploit, malware, ...) whose protocol normalize cannot recover will be recorded as ICMP and
# labelled a scan - confirm the fallback and classtype are intended before relying on them for triage or correlation.
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[SONICWALL] IPS Detection Alert"; content: "IPS Detection Alert"; default_proto: icmp; classtype: network-scan; normalize; reference: url,wiki.quadrantsec.com/bin/view/Main/5001090; sid: 5001090; rev:4;) # These were created by Kevin Gross (kgross@quadrantsec.com) #alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] Possible restart for system maintenance"; content: "As per Diagnostic Auto-restart configuration request, restarting system"; classtype: system-event; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002601; rev:2; ) #alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] Auto-Dial Failure"; content: "auto-dial failed: Current Connection Model is configured as Ethernet Only"; classtype: system-event; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002602; rev:2; ) #alert any $HOME_NET any -> $EXTERNAL_NET any 
(msg:"[SONICWALL] Ethernet Port Down"; content: "Ethernet Port Down"; classtype: hardware-event; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002603; rev:2; ) #alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] Ethernet Port Up"; content: "Ethernet Port Up"; classtype: hardware-event; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002604; rev:2; )
# NOTE(review): Sagan content matches are case-sensitive unless "nocase" is given. The subscription text below is
# matched case-insensitively so that a casing difference in the SonicOS message cannot silently disable the rule -
# verify the wording against a live "Registration Update Needed" log line.
alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] Registration Update Needed"; content: "Registration Update Needed"; content: "Restore your existing security service subscriptions by clicking"; nocase; classtype: system-event; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002605; rev:3; ) #alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] 3G Device Detected"; content: "3G"; content: "device detected"; classtype: hardware-event; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002606; rev:2; ) #alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] 3G Data Limit Reached"; content: "3G"; content: "data usage limit reached"; classtype: system-event; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002607; rev:3; ) #alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] No 3G Sim Card Detected"; content: "3G"; content: "No SIM detected"; classtype: hardware-event; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002608; rev:2; ) alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] Preferences File Inaccessible"; content: "A prior version of preferences was loaded because the most recent preferences file was inaccessible"; classtype: 
system-event; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002609; rev:2; ) #alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] OS Upgrade Performed"; content: "A SonicOS Standard to Enhanced Upgrade was performed"; classtype: system-event; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002610; rev:2; ) alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] Attempted access from host out of compliance with GSC policy"; content: "Access attempt from host out of compliance with GSC policy"; classtype: configuration-error; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002611; rev:3; ) alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] Access attempt from host without Anti-Virus agent installed"; content: "Access attempt from host without Anti-Virus agent installed"; classtype: configuration-error; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002612; rev:3; ) alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] Security Services"; content: "Access attempt from host without GSC installed"; classtype: configuration-error; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002613; rev:3; ) alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] Firewall Rule Added"; content: "Access rule added"; classtype: configuration-change; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002614; rev:2; ) alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] Firewall Rule Deleted"; content: "Access rule deleted"; classtype: configuration-change; parse_src_ip: 1; parse_dst_ip: 2; reference: 
url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002615; rev:2; ) alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] Firewall Rule Modified"; content: "Access rule modified"; classtype: configuration-change; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002616; rev:2; ) alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] Firewall Rule reset to defaults"; content: "Access rules restored to defaults"; classtype: configuration-change; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002617; rev:2; ) alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] Network Access to proxy server denied"; content: "Access to proxy server denied"; classtype: permissions-violation; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002618; rev:2; ) alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] ActiveX access denied"; content: "ActiveX access denied"; classtype: suspicious-traffic; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002619; rev:2; ) alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] ActiveX or Java archive access denied"; content: "ActiveX or Java archive access denied"; classtype: suspicious-traffic; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002620; rev:3; ) alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] Successful Administrator Access"; content: "Administrator login allowed"; classtype: system-event; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002621; rev:2; ) alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] 
Administrator Access denied due to bad credentials"; content: "Administrator login denied due to bad credentials"; classtype: unsuccessful-admin; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002622; rev:2; ) alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] Administrator Access not allowed on this interface"; content: "Administrator login denied from"; content: "logins disabled from this interface"; classtype: unsuccessful-admin; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002623; rev:2; ) alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] Administrator Account Name Changed"; content: "Administrator name changed"; classtype: system-event; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002624; rev:2; )
# NOTE(review): the factory-reset rule below is disabled. A reset to factory defaults discards every access rule and
# administrator credential on the firewall, so consider enabling it - it is as security-relevant as the rule
# add/delete/modify events this file already alerts on.
#alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] Firewall preferences reset to factory defaults"; content: "All preference values have been set to factory default values"; classtype: system-event; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002625; rev:2; )
# NOTE(review): this event means the firewall went ahead with an LDAP (TLS) server certificate whose name did not
# match - a weakened trust check on the authentication back-end that exposes directory credentials to interception -
# not a failed administrator login. "classtype: unsuccessful-admin" looks inherited from the neighbouring rules; a
# configuration class (this file uses configuration-error elsewhere) would describe it better. Confirm the intended
# taxonomy before changing it, since downstream correlation may key on the classtype.
alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] Allowed LDAP server certificate with wrong host name"; content: "Allowed LDAP server certificate with wrong host name"; classtype: unsuccessful-admin; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002626; rev:2; ) alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] Possible Intrusion detection - Anti-Spyware detected"; content: "Anti-Spyware Detection Alert"; classtype: suspicious-traffic; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002627; rev:2; ) alert 
any $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] Possible Intrusion detection - Anti-Spyware detected"; content: "Anti-Spyware Prevention Alert"; classtype: suspicious-traffic; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002628; rev:2; ) alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] Intrusion Detection - Suspicious Application detected"; content: "Application Filter Detection Alert"; classtype: suspicious-traffic; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002629; rev:3; ) alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] Intrusion Detection - Suspicious Application detected"; content: "Application Filters Block Alert"; classtype: suspicious-traffic; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002630; rev:2; ) alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] ASOC Flood detected from WLAN station"; content: "Association Flood from WLAN station"; classtype: exploit-attempt; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002631; rev:3; ) alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] Intrusion Detection - Back Orifice Attack Dropped"; content: "Back Orifice attack dropped"; classtype: exploit-attempt; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002632; rev:2; ) alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] High Availability - Backup active"; content: "Backup active"; classtype: hardware-event; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002633; rev:2; ) alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] High 
Availability/Failover - Backup Firewall Active"; content: "Backup firewall has transitioned to Active"; classtype: hardware-event; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002634; rev:2; ) alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] High Availability/Failover - Backup Firewall transitioned to idle"; content: "Backup firewall has transitioned to Idle"; classtype: hardware-event; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002635; rev:2; ) alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] High Availability - Backup Firewall Rebooting"; content: "Backup firewall rebooting itself as it transitioned from Active to Idle while Preempt"; classtype: hardware-event; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002636; rev:2; ) alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] High Availability - Backup WAN link down"; content: "Backup WAN link down, Primary going Active"; classtype: hardware-event; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002637; rev:2; ) alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] VPN PKI - Bad CRL format"; content: "Bad CRL format"; classtype: suspicious-traffic; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002638; rev:2; ) alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] VPN PKI - Blacklisted Certificate"; content: "Certificate on Revoked list(CRL)"; classtype: suspicious-traffic; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002639; rev:2; ) alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] Administrator Login 
- Commandline login successful"; content: "CLI administrator login allowed"; classtype: successful-admin; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002640; rev:2; ) alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] Administrator login failed due to bad credentials"; content: "CLI administrator login denied due to bad credentials"; classtype: unsuccessful-admin; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002641; rev:2; ) #alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] Firewall event - Diagnostic Reboot"; content: "Diagnostic Auto-restart scheduled for"; classtype: hardware-event; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002642; rev:2; ) alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] Firewall Hardware Diagnostic Code A"; content: "Diagnostic Code A"; classtype: hardware-event; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002643; rev:2; ) alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] Firewall Hardware Diagnostic Code B"; content: "Diagnostic Code B"; classtype: hardware-event; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002644; rev:2; ) alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] Firewall Hardware Diagnostic Code C"; content: "Diagnostic Code C"; classtype: hardware-event; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002645; rev:2; ) alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] Firewall Hardware Diagnostic Code D"; content: "Diagnostic Code D"; classtype: hardware-event; parse_src_ip: 1; parse_dst_ip: 2; 
reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002646; rev:2; ) alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] Firewall Hardware Diagnostic Code E"; content: "Diagnostic Code E"; classtype: hardware-event; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002647; rev:2; ) alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] Firewall Hardware Diagnostic Code F"; content: "Diagnostic Code F"; classtype: hardware-event; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002648; rev:2; ) alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] Firewall Hardware Diagnostic Code G"; content: "Diagnostic Code G"; classtype: hardware-event; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002649; rev:3; ) alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] Firewall Hardware Diagnostic Code H"; content: "Diagnostic Code H"; classtype: hardware-event; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002650; rev:4; ) alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] Firewall Hardware Diagnostic Code I"; content: "Diagnostic Code I"; classtype: hardware-event; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002651; rev:2; ) alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] Firewall Hardware Diagnostic Code J"; content: "Diagnostic Code J"; classtype: hardware-event; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002652; rev:2; ) #alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] Intrusion Detection Non-Sonicpoint WLAN traffic 
dropped"; content: "Drop WLAN traffic from nonSonicPoint devices"; classtype: exploit-attempt; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002653; rev:2; ) #alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] Error initializing Hardware acceleration for VPN"; content: "Error initializing Hardware acceleration for VPN"; classtype: hardware-event; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002654; rev:2; ) #alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] High Availability - Error rebooting peer firewall"; content: "Error Rebooting HA Peer Firewall"; classtype: system-hardware; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002655; rev:2; ) #alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] High Availability - Error setting up IP address of the backup"; content: "Error setting the IP address of the backup, please manually set to backup LAN IP"; classtype: hardware-event; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002656; rev:2; ) #alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] Security Services - License Sync Failed"; content: "Failed to synchronize license information with Licensing Server"; classtype: system-error; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002657; rev:2; ) alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] Intrusion Detection - Possible FIN Flood"; content: "FIN Flood Blacklist on"; classtype: attempted-dos; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002658; rev:3; ) alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] 
Intrusion Detection - Possible FIN Flood"; content: "FIN-Flooding machine"; classtype: attempted-dos; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002659; rev:3; ) alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] WLAN IDS - Rogue Access Point"; content: "Found Rogue Access Point"; classtype: exploit-attempt; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002660; rev:3; ) alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] Intrusion Detection - Fraudulent Microsoft Certificate"; content: "Fraudulent Microsoft certificate found"; classtype: exploit-attempt; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002661; rev:2; ) alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] FTP - Login Failed"; content: "FTP client user logged in failed"; classtype: unsuccessful-user; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002662; rev:2; ) alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] Network Access - Dropped access from non-default port"; content: "Data connection from non default port dropped"; classtype: suspicious-traffic; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002663; rev:2; ) alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] Intrusion Detection - Bounce attack dropped"; content: "PASV response bounce attack dropped"; classtype: exploit-attempt; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002664; rev:2; ) alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] Intrusion Detection - Spoof attack dropped"; content: "PASV response spoof attack dropped"; 
classtype: exploit-attempt; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002665; rev:2; ) alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] Guest account created"; content: "Guest account"; content: "created"; classtype: system-event; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002666; rev:2; ) alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] Guest account deleted"; content: "Guest account"; content: "deleted"; classtype: system-event; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002667; rev:2; ) alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] Guest account disabled"; content: "Guest account"; content: "disabled"; classtype: system-event; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002668; rev:2; ) alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] Guest account pruned"; content: "Guest account"; content: "pruned"; classtype: system-event; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002669; rev:2; ) alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] Guest account re-enabled"; content: "Guest account"; content: "re-enabled"; classtype: system-event; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002670; rev:2; ) alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] Guest account re-generated"; content: "Guest account"; content: "re-generated"; classtype: system-event; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002671; rev:2; ) alert any $HOME_NET any -> $EXTERNAL_NET 
any (msg:"[SONICWALL] Heartbeat detected from incompatible source"; content: "Heartbeat received from incompatible source"; classtype: suspicious-traffic; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002672; rev:3; ) alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] HTTP management port has changed"; content: "HTTP management port has changed"; classtype: system-event; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002673; rev:2; ) alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] Wireless - Unauthorized user"; content: "Internet Access restricted to authorized users"; classtype: permissions-violation; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002674; rev:2; ) alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] Possible IP spoof detected"; content: "IP spoof detected on packet to Central Gateway"; classtype: exploit-attempt; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002675; rev:2; ) alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] Possible IP spoof dropped"; content: "IP spoof dropped"; classtype: exploit-attempt; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002676; rev:2; ) #alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] IPS Detection Alert"; content: "IPS Detection Alert"; classtype: exploit-attempt; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002677; rev:2; ) alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] IPS Prevention Alert"; content: "IPS Prevention Alert"; classtype: exploit-attempt; parse_src_ip: 1; parse_dst_ip: 2; 
reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002678; rev:2; ) alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] Intrusion Detection - Land attack dropped"; content: "Land attack dropped"; classtype: exploit-attempt; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002679; rev:2; ) alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] Intrusion Detection - removed from FIN flood blacklist"; content: "removed from FIN flood blacklist"; classtype: system-event; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002680; rev:2; ) alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] Intrusion Detection - removed from RST flood blacklist"; content: "removed from RST flood blacklist"; classtype: system-event; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002681; rev:2; ) alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] Intrusion Detection - removed from SYN flood blacklist"; content: "removed from SYN flood blacklist"; classtype: system-event; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002682; rev:2; ) alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] Firewall logging - Maximum events per second threshold exceeded"; content: "Maximum events per second threshold exceeded"; classtype: system-event; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002683; rev:3; ) alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] PPP dialup - Maximum sequential failed dial attempts"; content: "Maximum sequential failed dial attempts"; classtype: exploit-attempt; parse_src_ip: 1; parse_dst_ip: 2; reference: 
url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002684; rev:3; ) alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] Firewall logging - Maximum syslog data per second threshold exceeded"; content: "Maximum syslog data per second threshold exceeded"; classtype: attempted-dos; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002685; rev:2; ) alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] Multiple DHCP servers detected on network"; content: "Multiple DHCP Servers are detected on network"; classtype: network-event; parse_src_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002686; rev:3; ) alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] Intrusion Detection - Net Spy attack dropped"; content: "Net Spy attack dropped"; classtype: exploit-attempt; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002687; rev:2; ) alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] Intrusion Detection - NetBus attack dropped"; content: "NetBus attack dropped"; classtype: exploit-attempt; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002688; rev:2; ) #alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] Wireless - Packet dropped by WLAN"; content: "Packet dropped by WLAN"; classtype: suspicious-traffic; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002689; rev:2; ) alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] No firewall rule exists for VPN policy"; content: " No firewall rule associated with VPN policy"; classtype: system-event; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; 
sid:5002690; rev:2; ) alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] Intrusion Detection - Ping of Death dropped"; content: "Ping of death dropped"; classtype: exploit-attempt; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002691; rev:2; ) alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] Intrusion Detection - Possible DNS rebind attack detected"; content: "Possible DNS rebind attack detected"; classtype: exploit-attempt; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002692; rev:2; ) # NOTE(review): the "Possible FIN/SYN Flood" notices are throttled with the same "first event per source per 300 seconds" threshold that sid 5002695 (RST flood) already uses. During a real flood the appliance keeps emitting these notices, and without the limit every notice became its own alert. alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] Intrusion Detection - Possible FIN Flood"; content: "Possible FIN Flood"; classtype: attempted-dos; threshold: type limit, track by_src, count 1, seconds 300; parse_src_ip: 2; parse_dst_ip: 3; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002693; rev:5;) #alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] Intrusion Detection - Possible port scan detected"; content: "Possible port scan detected"; classtype: network-scan ; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002694; rev:3; ) alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] Intrusion Detection - Possible RST Flood"; content: "Possible RST Flood"; classtype: attempted-dos; threshold: type limit, track by_src, count 1, seconds 300; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002695; rev:4; ) alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] Intrusion Detection - Possible SYN Flood"; content: "Possible SYN Flood"; classtype: attempted-dos; threshold: type limit, track by_src, count 1, seconds 300; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002696; rev:4; ) alert any $HOME_NET any -> $EXTERNAL_NET any 
(msg:"[SONICWALL] Intrusion Detection - Priority attack dropped"; content: "Priority attack dropped"; classtype: exploit-attempt; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002697; rev:2; ) alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] Intrusion Detection - Probable port scan detected"; content: "Probable port scan detected"; classtype: network-scan; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002698; rev:3; ) alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] Intrusion Detection - Probable TCP FIN scan detected"; content: "Probable TCP FIN scan detected"; classtype: network-scan; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002699; rev:3; ) alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] Intrusion Detection - Probable TCP NULL scan detected"; content: "Probable TCP NULL scan detected"; classtype: network-scan; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002700; rev:3; ) alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] Intrusion Detection - Probable TCP XMAS scan detected"; content: "Probable TCP XMAS scan detected"; classtype: network-scan; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002701; rev:3; ) alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] Wan Failover - Possible recon attempt"; content: "Probing failure on"; classtype: attempted-recon; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002702; rev:2; ) alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] Wan Failover - Recon attempt"; content: "Probing suceeded on"; classtype: 
successful-recon-limited; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002703; rev:2; ) alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] Firewall Hardware - Clock battery has failed"; content: "Real time clock battery failure Time values may be incorrect"; classtype: hardware-event; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002704; rev:2; ) # NOTE(review): sid 5002705 matched exactly the same text as sid 5002703 ("Probing suceeded on"), so every such event raised two alerts; it is disabled here and 5002703 kept. Before relying on either, verify the spelling "suceeded" against the SonicOS message text -- if the appliance logs "succeeded", the content never matches and the rule is dead. Also note that sids 5002702/5002703 describe WAN-failover link probes (their own msg says "Wan Failover"); classifying those as reconnaissance is questionable, so confirm the event meaning with the reference guide before treating these as attacker activity. #alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] Wan Failover - Possible recon"; content: "Probing suceeded on"; classtype: successful-recon-limited; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002705; rev:2; ) # NOTE(review): sid 5002706 keys on just "SonicWALL" plus "expired" anywhere in the message, which is broad enough to catch unrelated "expired" notices; anchoring on the actual licence-expiry wording would cut false positives. alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] Sonicwall License Expired"; content: "SonicWALL"; content: "expired"; classtype: system-event; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002706; rev:2; ) alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] Firewall rebooting"; content: "Restarting SonicWALL"; classtype: system-event; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002707; rev:2; ) alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] Intrusion Detection - RIPper attack dropped"; content: "RIPper attack dropped"; classtype: exploit-attempt; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002708; rev:2; ) alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] Intrusion Detection - RST Flood Blacklist"; content: "RST Flood Blacklist on IF"; classtype: attempted-dos; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002709; 
rev:3; ) alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] Intrusion Detection - RST Flood"; content: "RST"; content: "Flooding machine"; classtype: attempted-dos; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002710; rev:3; ) alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] Intrusion Detection - Senna Spy attack dropped"; content: "Senna Spy attack dropped"; classtype: exploit-attempt; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002711; rev:2; ) #alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] Firewall activated"; content: "SonicWALL activated"; classtype: system-event; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002712; rev:2; ) #alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] Firewall starting up"; content: "SonicWALL initializing"; classtype: system-event; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002713; rev:2; ) #alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] SonicWALL SSO agent is down"; content: "SonicWALL SSO agent is down"; classtype: system-event; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002714; rev:2; ) #alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] SonicWALL SSO agent is up"; content: "SonicWALL SSO agent is up"; classtype: system-event; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002715; rev:2; ) alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] Domain name too long"; content: "SonicWALL SSO agent returned domain name too long"; classtype: system-event; normalize; reference: 
url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002716; rev:3; ) #alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] SSO agent returned error"; content: "SonicWALL SSO agent returned error"; classtype: system-event; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002717; rev:2; ) alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] User name too long"; content: "SonicWALL SSO agent returned user name too long"; classtype: system-event; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002718; rev:2; ) alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] Intrusion Detection - Source routed IP packet dropped"; content: "Source routed IP packet dropped"; classtype: system-event; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002719; rev:3; ) alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] Intrusion Detection - Spank attack dropped"; content: "Spank attack multicast packet dropped"; classtype: suspicious-traffic; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002720; rev:2; ) #alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] VPN policy enforced"; content: "VPN enforcement"; classtype: exploit-attempt; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002721; rev:2; ) alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] Intrusion Detection - Striker attack dropped"; content: "Striker attack dropped"; classtype: exploit-attempt; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002722; rev:2; ) alert any $HOME_NET any -> $EXTERNAL_NET any 
(msg:"[SONICWALL] Intrusion Detection - Sub Seven attack dropped"; content: "Sub Seven attack dropped"; classtype: exploit-attempt; normalize; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002723; rev:4; ) alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] Intrusion Detection - SYN Flood blacklisting enabled by user"; content: "SYN Flood blacklisting enabled by user"; classtype: attempted-dos; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002724; rev:2; ) alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] Intrusion Detection - SYN flood ceased or flooding machines blacklisted"; content: "SYN flood ceased or flooding machines blacklisted"; classtype: attempted-dos; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002725; rev:3; ) alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] Intrusion Detection - SYN Flood Mode changed by user"; content: "SYN Flood Mode changed by user to"; classtype: attempted-dos; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002726; rev:3; ) #alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] System clock manually updated"; content: "System clock manually updated"; classtype: system-event; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002727; rev:2; ) alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] Intrusion Detection - TCP Xmas Tree dropped"; content: "TCP Xmas Tree dropped"; classtype: network-scan; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002728; rev:2; ) #alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] Virtual Access Point is disabled"; content: 
"Virtual Access Point is disabled"; classtype: system-event; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002729; rev:2; ) #alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] Virtual Access Point is enabled"; content: "Virtual Access Point is enabled"; classtype: system-event; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002730; rev:2; ) #alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] Hardware failure - Voltages Out of Tolerance"; content: "Voltages Out of Tolerance"; classtype: hardware-event; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002731; rev:2; ) #alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] WLAN firmware image has been updated"; content: "WLAN firmware image has been updated"; classtype: system-event; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002732; rev:2; ) alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] Radio frequency threat detected"; content: "WLAN radio frequency threat detected"; classtype: exploit-attempt; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002733; rev:2; ) #alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] WLAN sequence number out of order - sequencing error/EMF interference/rogue AP"; content: "WLAN sequence number out of order"; classtype: network-event; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002734; rev:2; ) sagan-1.2.0/rules/windows-correlated.rules0000644000175000017500000001633513310533411017571 0ustar champchamp# Sagan windows-correlated.rules # Copyright (c) 2009-2017, Quadrant Information Security 
# All rights reserved. # # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list # #************************************************************* # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
# #************************************************************* alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[WINDOWS-CORRELATED] Successful RDP login after brute force activity"; pcre: "/ 528: | 4624: /";content: "Logon Type|3a| 10 ";content:!"Source Network Address|3a| 0.0.0.0"; program: *Security*; xbits:isset,by_src,brute_force; parse_src_ip: 1; default proto: tcp; classtype: correlated-attack; reference: url,wiki.quadrantsec.com/bin/view/Main/5002336; sid:5002336; rev:7;) alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[WINDOWS-CORRELATED] Successful RDP login after recon activity"; pcre: "/ 528: | 4624: /";content: "Logon Type|3a| 10 ";content:!"Source Network Address|3a| 0.0.0.0"; program: *Security*; xbits:isset,by_src,recon; parse_src_ip: 1; default proto: tcp; classtype: correlated-attack; reference: url,wiki.quadrantsec.com/bin/view/Main/5002957; sid:5002957; rev:4;) alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[WINDOWS-CORRELATED] Successful RDP login after exploit attempt"; pcre: "/ 528: | 4624: /";content: "Logon Type|3a| 10 ";content:!"Source Network Address|3a| 0.0.0.0"; program: *Security*; xbits:isset,by_src,exploit_attempt; parse_src_ip: 1; default proto: tcp; classtype: correlated-attack; reference: url,wiki.quadrantsec.com/bin/view/Main/5002958; sid:5002958; rev:4;) alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[WINDOWS-CORRELATED] Successful RDP login after honeypot activity"; pcre: "/ 528: | 4624: /";content: "Logon Type|3a| 10 ";content:!"Source Network Address|3a| 0.0.0.0"; program: *Security*; xbits:isset,by_src,honeypot; parse_src_ip: 1; default proto: tcp; classtype: correlated-attack; reference: url,wiki.quadrantsec.com/bin/view/Main/5003341; sid:5003341; rev:1;) # 2017-02-22 - Rule create by Champ Clark III based off Jack Crook's work. 
See: # From Jack Crook via https://www.quadrantsec.com/about/blog/using_jack_crooks_log_analysis_concepts_with_sagan/ # -- dst -> src alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-CORRELATED] Suspicious file copy to a share [dst -> src]"; program: *Security*; content: " 5145|3a| "; content: "Object Type|3a| File"; pcre: "/Share Name: (.*)\$ /"; meta_content: "Access Mask|3a| %sagan%",0x100180,0x80,0x130197; xbits: isset,by_src,dst_src_suscopy; reference: url,findingbad.blogspot.cz/2017/12/a-few-of-my-favorite-things-continued.html; reference: url,wiki.quadrantsec.com/bin/view/Main/5003381; reference: url,www.quadrantsec.com/about/blog/using_jack_crooks_log_analysis_concepts_with_sagan; classtype:misc-attack; sid:5003381; rev:1;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-CORRELATED] Suspicious file copy to a share [XBIT SET]"; program: *Security*; content: " 5145|3a| "; content: "Object Type|3a| File"; pcre: "/Share Name: (.*)\$ /"; meta_content: "Access Mask|3a| %sagan%",0x100180,0x80,0x130197; xbits: set,dst_src_suscopy,1; reference: url,findingbad.blogspot.cz/2017/12/a-few-of-my-favorite-things-continued.html; reference: url,wiki.quadrantsec.com/bin/view/Main/5003382; reference: url,www.quadrantsec.com/about/blog/using_jack_crooks_log_analysis_concepts_with_sagan; classtype:misc-attack; sid:5003382; rev:1;) # -- src -> dst alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-CORRELATED] Suspicious file copy to a share [src -> dst]"; program: *Security*; content: " 5145|3a| "; content: "Object Type|3a| File"; pcre: "/Share Name: (.*)\$ /"; meta_content: "Access Mask|3a| %sagan%",0x100181,0x80,0x120089; xbits: isset,none,src_dst_suscopy;reference: url,findingbad.blogspot.cz/2017/12/a-few-of-my-favorite-things-continued.html; reference: url,wiki.quadrantsec.com/bin/view/Main/5003383; reference: url,www.quadrantsec.com/about/blog/using_jack_crooks_log_analysis_concepts_with_sagan; classtype:misc-attack; sid:5003383; rev:1;) 
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-CORRELATED] Suspicious file copy to a share [XBIT SET]"; program: *Security*; content: " 5145|3a| "; content: "Object Type|3a| File"; pcre: "/Share Name: (.*)\$ /"; meta_content: "Access Mask|3a| %sagan%",0x100181,0x80,0x120089; xbits: set,src_dst_suscopy,1; reference: url,findingbad.blogspot.cz/2017/12/a-few-of-my-favorite-things-continued.html; reference: url,wiki.quadrantsec.com/bin/view/Main/5003384; reference: url,www.quadrantsec.com/about/blog/using_jack_crooks_log_analysis_concepts_with_sagan; classtype:misc-attack; sid:5003384; rev:1;) # -- WMIC commands/execution across a network alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-CORRELATED] wmiprvse.exe [XBIT SET]"; content: " 4688|3a| "; pcre: "/Process Name: (.*)wmiprvse\.exe(.*)/i"; xbits: set,wmiprvse,1; xbits:nounified2; xbits:noeve; classtype: suspicious-command; program: *Security*; reference: url,findingbad.blogspot.cz/2017/12/a-few-of-my-favorite-things-continued.html; reference: url,wiki.quadrantsec.com/bin/view/Main/5003385; reference: url,www.quadrantsec.com/about/blog/using_jack_crooks_log_analysis_concepts_with_sagan; sid:5003385; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-CORRELATED] Possible remote WMIC command execution"; program: *Security*; content: " 4624|3a| "; content: "Logon Type|3a| 3"; content:!"Source Network Address|3a| -"; xbits: isset,src_xbitdst,wmiprvse; parse_src_ip: 1; parse_port; reference: url,findingbad.blogspot.cz/2017/12/a-few-of-my-favorite-things-continued.html; reference: url,wiki.quadrantsec.com/bin/view/Main/5003386; reference: url,www.quadrantsec.com/about/blog/using_jack_crooks_log_analysis_concepts_with_sagan; sid:5003386; classtype:suspicious-login; rev:1;) sagan-1.2.0/rules/zimbra.rules0000644000175000017500000001774313310533411015245 0ustar champchamp# Sagan zimbra.rules # Copyright (c) 2009-2017, Quadrant Information Security # All rights reserved. 
# # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list # #************************************************************* # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. # #************************************************************* # Zimbra rules require that you are sending over the Zimbra data. 
We use rsyslog, and this is what we did: # # #module(load="imfile" PollingInterval="10") #input(type="imfile" File="/opt/zimbra/log/gc.log" Tag="gc" StateFile="gc" Severity="info" Facility="local7") #input(type="imfile" File="/opt/zimbra/log/audit.log" Tag="audit" StateFile="audit" Severity="info" Facility="local7") #input(type="imfile" File="/opt/zimbra/log/nginx.log" Tag="nginx" StateFile="nginx" Severity="info" Facility="local7") #input(type="imfile" File="/opt/zimbra/log/clamd.log" Tag="clamd" StateFile="clamd" Severity="info" Facility="local7") #input(type="imfile" File="/opt/zimbra/log/sync.log" Tag="sync" StateFile="sync" Severity="info" Facility="local7") #input(type="imfile" File="/opt/zimbra/log/ews.log" Tag="ews" StateFile="ews" Severity="info" Facility="local7") #input(type="imfile" File="/opt/zimbra/log/mailbox.log" Tag="mailbox" StateFile="mailbox" Severity="info" Facility="local7") # For /var/log/zimbra.log # Dec 7 06:51:58 a postfix/smtps/smtpd[25583]: warning: unknown[88.85.171.103]: SASL PLAIN authentication failed: authentication failure alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[ZIMBRA] Postfix/SMTPS/SMTPD - Brute force [5/3]"; content: "authentication failed"; xbits: set,brute_force,21600; default_proto: tcp; default_dst_port: 465; classtype: unsuccessful-user; reference: url,wiki.quadrantsec.com/bin/view/Main/5003027; parse_src_ip: 1; program: zimbra; after: track by_src, count 5, seconds 900; threshold: type limit, track by_src, count 3, seconds 900; fwsam: src, 1 day; sid:5003027; rev:2;) # * Dec 7 07:58:40 a saslauthd[18200]: do_auth : auth failure: [user=frank] [service=smtp] [realm=] [mech=zimbra] [reason=Unknown] alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[ZIMBRA] SASLAUTHD - Brute force [5/3]"; content: "auth failure"; content: "saslauthd"; classtype: unsuccessful-user; reference: url,wiki.quadrantsec.com/bin/view/Main/5003028; program: zimbra; after: track by_src, count 5, seconds 900; threshold: type limit, track 
by_src, count 3, seconds 900; sid:5003028; rev:2;) # For /opt/zimbra/log/mailbox.log # 2016-12-07 14:29:28,990 INFO [qtp1684106402-2039242:http://localhost:8080/service/soap/AuthRequest] [oip=10.10.10.5;ua=zclient/8.7.0_GA_1659;] SoapEngine - handler exception: authentication failed for [oggie], account not found alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[ZIMBRA] SOAP Invalid user - Brute force account not found [5/3]"; content: "authentication failed"; content: "account not found"; xbits: set,brute_force,21600; classtype: unsuccessful-user; reference: url,wiki.quadrantsec.com/bin/view/Main/5003029; parse_src_ip: 1; program: mailbox; after: track by_src, count 5, seconds 900; threshold: type limit, track by_src, count 3, seconds 900; fwsam: src, 1 day; sid:5003029; rev:2;) # 2016-12-07 14:30:45,802 INFO [qtp1684106402-2039253:http://localhost:8080/service/soap/AuthRequest] [name=frank@example.com;oip=10.10.10.5;ua=zclient/8.7.0_GA_1659;] SoapEngine - handler exception: authentication failed for [frank@example.com], invalid password alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[ZIMBRA] SOAP Invalid user - Brute force invalid password [5/3]"; content: "authentication failed"; content: "invalid password"; xbits: set,brute_force,21600; classtype: unsuccessful-user; reference: url,wiki.quadrantsec.com/bin/view/Main/5003030; parse_src_ip: 1; program: mailbox; after: track by_src, count 5, seconds 900; threshold: type limit, track by_src, count 3, seconds 900; fwsam: src, 1 day; sid:5003030; rev:2;) # For /opt/zimbra/log/audit.log # 2016-12-07 00:00:00,128 WARN [qtp1684106402-2033684:https:https://webmail.example.com/Microsoft-Server-ActiveSync?Cmd=Ping&User=frank%40example.com&DeviceId=android55555555&DeviceType=Android] [ip=10.10.10.5;] security - cmd=Auth; account=frank@example.com; protocol=zsync; error=authentication failed for [frank@example.com], invalid password; alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[ZIMBRA] MS ActiveSync - Brute force 
invalid password [5/3]"; content: "error=authentication failed"; content: "invalid password"; xbits: set,brute_force,21600; classtype: unsuccessful-user; reference: url,wiki.quadrantsec.com/bin/view/Main/5003031; parse_src_ip: 1; program: audit; after: track by_src, count 5, seconds 900; threshold: type limit, track by_src, count 3, seconds 900; fwsam: src, 1 day; sid:5003031; rev:2;) # For /opt/zimbra/log/clamd.log # Tue Dec 6 09:48:39 2016 -> /opt/zimbra/data/amavisd/tmp/amavis-20161206T092039-20531-7XZZrPHk/parts/p005: Heuristics.Phishing.Email.SSL-Spoof FOUND alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[ZIMBRA] Clamd - Threat Detected"; content: "FOUND"; classtype: unsuccessful-user; reference: url,wiki.quadrantsec.com/bin/view/Main/5003038; program: misc-activity; sid:5003038; rev:2;) # For /opt/zimbra/log/sync.log # 2016-12-07 00:00:00,425 INFO [qtp1684106402-2033672:https:https://webmail.example.com/Microsoft-Server-ActiveSync?Cmd=Ping&User=frank%40example.com&DeviceId=android555555 60&DeviceType=Android] [ip=10.10.10.5;] sync - HTTP/1.1 401 Invalid username or password # 2016-12-07 00:00:05,536 INFO [qtp1684106402-2033684:https:https://webmail.example.com/Microsoft-Server-ActiveSync?Cmd=Ping&User=frank%40quadrantsec.com&DeviceId=android555555&DeviceType=Android] [ip=10.10.10.5;] sync - User password mismatch; name=frank@example.com alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[ZIMBRA] SYNC - Brute force invalid username or password [5/3]"; content: "Invalid username or password"; xbits: set,brute_force,21600; classtype: unsuccessful-user; reference: url,wiki.quadrantsec.com/bin/view/Main/5003033; parse_src_ip: 1; program: sync; after: track by_src, count 5, seconds 900; threshold: type limit, track by_src, count 3, seconds 900; fwsam: src, 1 day; sid:5003033; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[ZIMBRA] SYNC - User password mismatch [5/3]"; content: "User password mismatch"; xbits: set,brute_force,21600; classtype: 
unsuccessful-user; reference: url,wiki.quadrantsec.com/bin/view/Main/5003037; parse_src_ip: 1; program: sync; after: track by_src, count 5, seconds 900; threshold: type limit, track by_src, count 3, seconds 900; fwsam: src, 1 day; sid:5003037; rev:2;) sagan-1.2.0/rules/palo-alto-geoip.rules0000644000175000017500000001247113310533411016743 0ustar champchamp# palo-alto-geoip.rules # Copyright (c) 2009-2017, Quadrant Information Security # All rights reserved. # # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list # #************************************************************* # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. 
IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. # #************************************************************* alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[PALO-ALTO] Accepted SSH Connection From Outside Home Country"; content: "Accepted keyboard-interactive/pam for "; content: "ssh2"; parse_src_ip: 1; country_code: track by_src, isnot $HOME_COUNTRY; default_proto: tcp; default_dst_port: $SSH_PORT; classtype: successful-user; reference: url,live.paloaltonetworks.com/twzvq79624/attachments/twzvq79624/learning_tkb/428/1/System_log_PANOS4.1rev3.xlsx; sid: 5002581; rev:3;) alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[PALO-ALTO] Successful NTLM Authentication From Outside Home Country"; content: "NTLM authentication succeeded for user"; country_code: track by_src, isnot $HOME_COUNTRY; parse_src_ip: 1; default_proto: tcp; classtype: successful-user; reference: url,live.paloaltonetworks.com/twzvq79624/attachments/twzvq79624/learning_tkb/428/1/System_log_PANOS4.1rev3.xlsx; sid: 5002589; rev:3;) alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[PALO-ALTO] User Authenticated From Outside Home Country"; content: "User"; content: "authenticated"; country_code: track by_src, isnot $HOME_COUNTRY; parse_src_ip: 1; default_proto: tcp; classtype: successful-user; reference: url,live.paloaltonetworks.com/twzvq79624/attachments/twzvq79624/learning_tkb/428/1/System_log_PANOS4.1rev3.xlsx; sid: 5002590; rev:3;) alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[PALO-ALTO] GlobalProtect Portal 
Authentication From Outside Home Country"; content: "GlobalProtect portal user authentication succeeded"; country_code: track by_src, isnot $HOME_COUNTRY; parse_src_ip: 1; default_proto: tcp; classtype: successful-user; reference: url,live.paloaltonetworks.com/twzvq79624/attachments/twzvq79624/learning_tkb/428/1/System_log_PANOS4.1rev3.xlsx; sid: 5002593; rev:3;) alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[PALO-ALTO] PPPoE Session Connected For User Outside Home Country"; content: "PPPoE session was connected for user"; country_code: track by_src, isnot $HOME_COUNTRY; parse_src_ip: 1; default_proto: tcp; classtype: successful-user; reference: url,live.paloaltonetworks.com/twzvq79624/attachments/twzvq79624/learning_tkb/428/1/System_log_PANOS4.1rev3.xlsx; sid: 5002594; rev:3;) alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[PALO-ALTO] SSL VPN Authentication From Outside Home Country"; content: "SSL VPN user authentication succeeded"; country_code: track by_src, isnot $HOME_COUNTRY; parse_src_ip: 1; default_proto: tcp; default_dst_port: $HTTPS_PORT; classtype: successful-user; reference: url,live.paloaltonetworks.com/twzvq79624/attachments/twzvq79624/learning_tkb/428/1/System_log_PANOS4.1rev3.xlsx; sid: 5002597; rev:3;) alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[PALO-ALTO] SSL VPN Login From Outside Home Country"; content: "SSL VPN user login succeeded"; country_code: track by_src, isnot $HOME_COUNTRY; parse_src_ip: 1; default_proto: tcp; default_dst_port: $HTTPS_PORT; classtype: successful-user; reference: url,live.paloaltonetworks.com/twzvq79624/attachments/twzvq79624/learning_tkb/428/1/System_log_PANOS4.1rev3.xlsx; sid: 5002599; rev:2;) alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[PALO-ALTO] Foreign URL of unknown category"; content:"THREAT,url"; content:",unknown,"; normalize; parse_port;threshold: type limit, count 1, seconds 3600, track by_dst; parse_proto; parse_src_ip: 1; parse_dst_ip: 2; country_code: track by_dst, isnot 
$HOME_COUNTRY; default_proto: tcp; default_dst_port: $HTTPS_PORT; classtype: suspicious-traffic; reference: url,www.brightcloud.com/tools/url-ip-lookup.php; sid:5002753; pri: 3;rev:2;) sagan-1.2.0/rules/attack.rules0000644000175000017500000000771113310533411015222 0ustar champchamp# Sagan attack.rules # Copyright (c) 2009-2017, Quadrant Information Security # All rights reserved. # # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list # #************************************************************* # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
# #************************************************************* alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[ATTACK] Buffer overflow attempt on rpc.statd"; pcre: "/gethostbyname error for \W+/"; classtype: exploit-attempt; program: rpc.statd; reference: url,wiki.quadrantsec.com/bin/view/Main/5000095; sid:5000095; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[ATTACK] Buffer overflow attempt on WU-FTPD version prior to 2.6" ; pcre: "/\S+ FTP LOGIN FROM \.+ 0bin0sh/"; classtype: exploit-attempt; program: ftpd; reference: url,wiki.quadrantsec.com/bin/view/Main/5000096; sid:5000096; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[ATTACK] Possible buffer overflow attempt"; content: "?????????????????????"; threshold: type limit, track by_src, count 3, seconds 300; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/5000097; sid:5000097; rev:3;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[ATTACK] 'Null' user change some information"; content: "changed by"; content: "null"; classtype: exploit-attempt; reference: url,wiki.quadrantsec.com/bin/view/Main/5000098; sid:5000098; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[ATTACK] Possible buffer overflow attempt [yppasswd?]" ; content: "@@@@@@@@@@@@@@@@@@@@@@@@@"; classtype: exploit-attempt; reference: url,wiki.quadrantsec.com/bin/view/Main/5000356; sid:5000365; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[ATTACK] Heap overflow in the Solaris cachefsd service" ; content: "Segmentation Fault"; content: "core dumped"; program: cachefsd; classtype: exploit-attempt; reference: url,wiki.quadrantsec.com/bin/view/Main/5000366; sid:5000366; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[ATTACK] Stack overflow attempt with SEGV [Solaris]"; content: "attempt to execute code on stack by"; nocase; classtype: exploit-attempt; reference: url,wiki.quadrantsec.com/bin/view/Main/5000099; sid:5000099; rev:2;) #alert any $EXTERNAL_NET 
any -> $HOME_NET any (msg:"[ATTACK] Possible buffer overflow attempt [NOOP]" ; content: "AAAAAAAAAAAAAAAAAAAAAAAAA"; threshold: type limit, track by_src, count 3, seconds 300; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/5000100; sid:5000100; rev:3;) sagan-1.2.0/rules/deleted.rules0000644000175000017500000002345713310533411015366 0ustar champchamp# Sagan deleted.rules # Copyright (c) 2009-2017, Quadrant Information Security # All rights reserved. # # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list # #************************************************************* # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. 
IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. # #************************************************************* # Where rules go to die & why. #************************************************************* # Champ Clark - 09/17/2014 - Would be better for meta_content, if we event want to do this! #drop any $EXTERNAL_NET any -> $HOME_NET any (msg:"[OPENSSH] Invalid or illegal user [a]"; pcre: "/invalid user|illegal user/i"; content: "user a "; xbits: set, illegal_user.unix.ssh&illegal_user.generic, 300; default_proto: tcp; default_dst_port: $SSH_PORT; classtype: attempted-user; program: sshd; parse_src_ip: 1; threshold:type limit, track by_src, count 5, seconds 300; fwsam: src, 1 day; reference: url,wiki.quadrantsec.com/bin/view/Main/5001106; sid: 5001106; rev:6;) #drop any $EXTERNAL_NET any -> $HOME_NET any (msg:"[OPENSSH] Invalid or illegal user [admin]"; pcre: "/invalid user|illegal user/i"; content: "user admin "; xbits: set, illegal_user.unix.ssh&illegal_user.generic, 300; default_proto: tcp; default_dst_port: $SSH_PORT; classtype: attempted-user; program: sshd; parse_src_ip: 1; threshold:type limit, track by_src, count 5, seconds 300; fwsam: src, 1 day; reference: url,wiki.quadrantsec.com/bin/view/Main/5001107; sid: 5001107; rev:6;) #drop any $EXTERNAL_NET any -> $HOME_NET any (msg:"[OPENSSH] Invalid or illegal user [ftp]"; pcre: "/invalid user|illegal user/i"; content: "user ftp "; xbits: set, illegal_user.unix.ssh&illegal_user.generic, 300; default_proto: tcp; default_dst_port: $SSH_PORT; 
classtype: attempted-user; program: sshd; parse_src_ip: 1; threshold:type limit, track by_src, count 5, seconds 300; fwsam: src, 1 day; reference: url,wiki.quadrantsec.com/bin/view/Main/5001108; sid: 5001108; rev:6;) #drop any $EXTERNAL_NET any -> $HOME_NET any (msg:"[OPENSSH] Invalid or illegal user [guest]"; pcre: "/invalid user|illegal user/i"; content: "user guest "; xbits: set, illegal_user.unix.ssh&illegal_user.generic, 300; default_proto: tcp; default_dst_port: $SSH_PORT; classtype: attempted-user; program: sshd; parse_src_ip: 1; threshold:type limit, track by_src, count 5, seconds 300; fwsam: src, 1 day; reference: url,wiki.quadrantsec.com/bin/view/Main/5001109; sid: 5001109; rev:6;) #drop any $EXTERNAL_NET any -> $HOME_NET any (msg:"[OPENSSH] Invalid or illegal user [info]"; pcre: "/invalid user|illegal user/i"; content: "user info "; xbits: set, illegal_user.unix.ssh&illegal_user.generic, 300; default_proto: tcp; default_dst_port: $SSH_PORT; classtype: attempted-user; program: sshd; parse_src_ip: 1; threshold:type limit, track by_src, count 5, seconds 300; fwsam: src, 1 day; reference: url,wiki.quadrantsec.com/bin/view/Main/5001110; sid: 5001110; rev:6;) #drop any $EXTERNAL_NET any -> $HOME_NET any (msg:"[OPENSSH] Invalid or illegal user [mysql]"; pcre: "/invalid user|illegal user/i"; content: "user mysql "; xbits: set, illegal_user.unix.ssh&illegal_user.generic, 300; default_proto: tcp; default_dst_port: $SSH_PORT; classtype: attempted-user; program: sshd; parse_src_ip: 1; threshold:type limit, track by_src, count 5, seconds 300; fwsam: src, 1 day; reference: url,wiki.quadrantsec.com/bin/view/Main/5001111; sid: 5001111; rev:6;) #drop any $EXTERNAL_NET any -> $HOME_NET any (msg:"[OPENSSH] Invalid or illegal user [nagios]"; pcre: "/invalid user|illegal user/i"; content: "user nagios "; xbits: set, illegal_user.unix.ssh&illegal_user.generic, 300; default_proto: tcp; default_dst_port: $SSH_PORT; classtype: attempted-user; program: sshd; parse_src_ip: 1; 
threshold:type limit, track by_src, count 5, seconds 300; fwsam: src, 1 day; reference: url,wiki.quadrantsec.com/bin/view/Main/5001112; sid: 5001112; rev:6;) #drop any $EXTERNAL_NET any -> $HOME_NET any (msg:"[OPENSSH] Invalid or illegal user [oracle]"; pcre: "/invalid user|illegal user/i"; content: "user oracle "; xbits: set, illegal_user.unix.ssh&illegal_user.generic, 300; default_proto: tcp; default_dst_port: $SSH_PORT; classtype: attempted-user; program: sshd; parse_src_ip: 1; threshold:type limit, track by_src, count 5, seconds 300; fwsam: src, 1 day; reference: url,wiki.quadrantsec.com/bin/view/Main/5001113; sid: 5001113; rev:6;) #drop any $EXTERNAL_NET any -> $HOME_NET any (msg:"[OPENSSH] Invalid or illegal user [postgres]"; pcre: "/invalid user|illegal user/i"; content: "user postgres "; xbits: set, illegal_user.unix.ssh&illegal_user.generic, 300; default_proto: tcp; default_dst_port: $SSH_PORT; classtype: attempted-user; program: sshd; parse_src_ip: 1; threshold:type limit, track by_src, count 5, seconds 300; fwsam: src, 1 day; reference: url,wiki.quadrantsec.com/bin/view/Main/5001114; sid: 5001114; rev:6;) #drop any $EXTERNAL_NET any -> $HOME_NET any (msg:"[OPENSSH] Invalid or illegal user [test]"; pcre: "/invalid user|illegal user/i"; content: "user test "; xbits: set, illegal_user.unix.ssh&illegal_user.generic, 300; default_proto: tcp; default_dst_port: $SSH_PORT; classtype: attempted-user; program: sshd; parse_src_ip: 1; threshold:type limit, track by_src, count 5, seconds 300; fwsam: src, 1 day; reference: url,wiki.quadrantsec.com/bin/view/Main/5001115; sid: 5001115; rev:6;) #drop any $EXTERNAL_NET any -> $HOME_NET any (msg:"[OPENSSH] Invalid or illegal user [user]"; pcre: "/invalid user|illegal user/i"; content: "user user "; xbits: set, illegal_user.unix.ssh&illegal_user.generic, 300; default_proto: tcp; default_dst_port: $SSH_PORT; classtype: attempted-user; program: sshd; parse_src_ip: 1; threshold:type limit, track by_src, count 5, seconds 300; 
fwsam: src, 1 day; reference: url,wiki.quadrantsec.com/bin/view/Main/5001116; sid: 5001116; rev:6;) #drop any $EXTERNAL_NET any -> $HOME_NET any (msg:"[OPENSSH] Invalid or illegal user [web]"; pcre: "/invalid user|illegal user/i"; content: "user web "; xbits: set, illegal_user.unix.ssh&illegal_user.generic, 300; default_proto: tcp; default_dst_port: $SSH_PORT; classtype: attempted-user; program: sshd; parse_src_ip: 1; threshold:type limit, track by_src, count 5, seconds 300; fwsam: src, 1 day; reference: url,wiki.quadrantsec.com/bin/view/Main/5001117; sid: 5001117; rev:5;) #drop any $EXTERNAL_NET any -> $HOME_NET any (msg:"[OPENSSH] Invalid or illegal user [webmaster]"; pcre: "/invalid user|illegal user/i"; content: "user webmaster "; xbits: set, illegal_user.unix.ssh&illegal_user.generic, 300; default_proto: tcp; default_dst_port: $SSH_PORT; classtype: attempted-user; program: sshd; parse_src_ip: 1; threshold:type limit, track by_src, count 5, seconds 300; fwsam: src, 1 day; reference: url,wiki.quadrantsec.com/bin/view/Main/5001118; sid: 5001118; rev:6;) #drop any $EXTERNAL_NET any -> $HOME_NET any (msg:"[OPENSSH] Invalid or illegal user [apache]"; pcre: "/invalid user|illegal user/i"; content: "user apache "; xbits: set, illegal_user.unix.ssh&illegal_user.generic, 300; default_proto: tcp; default_dst_port: $SSH_PORT; classtype: attempted-user; program: sshd; parse_src_ip: 1; threshold:type limit, track by_src, count 5, seconds 300; fwsam: src, 1 day; reference: url,wiki.quadrantsec.com/bin/view/Main/5001119; sid: 5001119; rev:6;) # Champ Clark - 09/17/2014 - Never used. 
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[OPENSSH] Accepted publickey"; content: "Accepted publickey" ; default_proto: tcp; default_dst_port: $SSH_PORT; classtype: successful-user; program: sshd; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5000406; sid:5000406; rev:6;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[OPENSSH] Session closed"; content: "session closed for" ; default_proto: tcp; default_dst_port: $SSH_PORT; classtype: not-suspicious; program: sshd; reference: url,wiki.quadrantsec.com/bin/view/Main/5000407; sid:5000407; rev:2;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[OPENSSH] Received disconnect"; content: "Received disconnect from"; default_proto: tcp; default_dst_port: $SSH_PORT; classtype: not-suspicious; program: sshd; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5000408; sid:5000408; rev:5;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[OPENSSH] Authentication success"; pcre: "/accepted|authenticated/i"; default_proto: tcp; default_dst_port: $SSH_PORT; classtype: successful-user; normalize; program: sshd; reference: url,wiki.quadrantsec.com/bin/view/Main/5000075; sid: 5000075; rev:5;) sagan-1.2.0/rules/snort-bluedot.rules0000644000175000017500000000773113310533411016556 0ustar champchamp# Sagan snort-bluedot.rules # Copyright (c) 2009-2017, Quadrant Information Security # All rights reserved. # # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list # #************************************************************* # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. 
# * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. # # # These rules detect where certain types of files are accessed from outside your HOME_COUNTRY. # They require that: # # 1. Snort logs to syslog: # output alert_syslog: LOG_AUTH LOG_ALERT # Example SNORT config # 2. Snort "file-identify.rules" rules are enabled # # Concept by Robert Nunley (rnunley@quadrantsec.com) - 02/21/2014 # THESE RULES ARE HIGHLY EXPERIMENTAL! 
alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[FILE-BLUEDOT] Executable Downloaded from a suspicious source"; program: snort; bluedot: type ip_reputation, track by_src, none, Malicious,Tor,Honeypot,Proxy; content: "FILE-IDENTIFY"; content: "Exe"; classtype: bad-unknown; parse_src_ip: 1; parse_dst_ip: 2; reference: url, wiki.quadrantsec.com/bin/view/Main/5002910;sid:5002910; rev:4;) alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[FILE-BLUEDOT] Java Downloaded from a suspicious source"; program: snort; bluedot: type ip_reputation, track by_src, none, Malicious,Tor,Honeypot,Proxy; content: "FILE-IDENTIFY"; content: "Java"; classtype: bad-unknown; parse_src_ip: 1; parse_dst_ip: 2; reference: url, wiki.quadrantsec.com/bin/view/Main/5002911; sid:5002911; rev:4;) alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[FILE-BLUEDOT] Jar/Zip Downloaded a suspicious source"; program: snort; bluedot: type ip_reputation, track by_src, none, Malicious,Tor,Honeypot,Proxy; content: "FILE-IDENTIFY"; content: "Jar"; classtype: bad-unknown; parse_src_ip: 1; parse_dst_ip: 2; reference: url, wiki.quadrantsec.com/bin/view/Main/5002912; sid:5002912; rev:4;) alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[FILE-BLUEDOT] PDF Downloaded a suspicious source"; program: snort; bluedot: type ip_reputation, track by_src, none, Malicious,Tor,Honeypot,Proxy; content: "FILE-IDENTIFY"; content: "PDF"; classtype: bad-unknown; parse_src_ip: 1; parse_dst_ip: 2; reference: url, wiki.quadrantsec.com/bin/view/Main/5002913; sid:5002913; rev:4;) alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[FILE-BLUEDOT] Flash Downloaded a suspicious source"; program: snort; bluedot: type ip_reputation, track by_src, none, Malicious,Tor,Honeypot,Proxy; content: "FILE-IDENTIFY"; content: "Flash"; classtype: bad-unknown; parse_src_ip: 1; parse_dst_ip: 2; reference: url, wiki.quadrantsec.com/bin/view/Main/5002914; sid:5002914; rev:4;) 
sagan-1.2.0/rules/ftpd.rules0000644000175000017500000001563513310533411014714 0ustar champchamp# Sagan ftpd.rules # Copyright (c) 2009-2017, Quadrant Information Security # All rights reserved. # # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list # #************************************************************* # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
# #************************************************************* alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[FTPD] FTP Login refused"; content: "FTP LOGIN REFUSED"; default_prot: tcp; default_dst_port: $FTP_PORT: classtype: unsuccessful-user; program: ftpd|ftp|FTP|FTPD; reference: url,wiki.quadrantsec.com/bin/view/Main/5000182; sid:5000182; rev:5;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[FTPD] File created"; content: " created "; default_prot: tcp; default_dst_port: $FTP_PORT: classtype: not-suspicious; program: ftpd|ftp|FTP|FTPD; reference: url,wiki.quadrantsec.com/bin/view/Main/5000183; sid:5000183; rev:6;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[FTPD] File deleted"; content: " deleted "; default_prot: tcp; default_dst_port: $FTP_PORT: classtype: not-suspicious; program: ftpd|ftp|FTP|FTPD; reference: url,wiki.quadrantsec.com/bin/view/Main/5000184; sid:5000184; rev:5;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[FTPD] User uploaded a file to server"; content: "IMPORT file"; default_prot: tcp; default_dst_port: $FTP_PORT: classtype: not-suspicious; program: ftpd|ftp|FTP|FTPD; reference: url,wiki.quadrantsec.com/bin/view/Main/5000185; sid:5000185; rev:5;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[FTPD] User downloaded a file to server"; content: "EXPORT file"; default_prot: tcp; default_dst_port: $FTP_PORT: classtype: not-suspicious; program: ftpd|ftp|FTP|FTPD; reference: url,wiki.quadrantsec.com/bin/view/Main/5000186; sid:5000186; rev:5;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[FTPD] Remote host connected to FTP server"; pcre: "/FTP LOGIN FROM|connection from|connect from/"; default_prot: tcp; default_dst_port: $FTP_PORT: classtype: successful-user; program: ftpd|ftp|FTP|FTPD; reference: url,wiki.quadrantsec.com/bin/view/Main/5000187; sid:5000187; rev:5;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[FTPD] Connection blocked by TCP Wrappers"; content: "refused connect from"; default_prot: tcp; 
default_dst_port: $FTP_PORT: classtype: tcp-connection; program: ftpd|ftp|FTP|FTPD; reference: url,wiki.quadrantsec.com/bin/view/Main/5000188; sid:5000188; rev:5;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[FTPD] Reverse lookup failure"; pcre: "/can't verify hostname|gethostbyaddr/"; default_prot: tcp; default_dst_port: $FTP_PORT: classtype: not-suspicious; program: ftpd|ftp|FTP|FTPD; reference: url,wiki.quadrantsec.com/bin/view/Main/5000189; sid:5000189; rev:5;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[FTPD] Multiple failed login attempts"; content: "repeated login failures"; xbits: set,brute_force,21600; default_prot: tcp; default_dst_port: $FTP_PORT: classtype: misc-attack; program: ftpd|ftp|FTP|FTPD; reference: url,wiki.quadrantsec.com/bin/view/Main/5000190; sid:5000190; rev:6;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[FTPD] User disconnected due to time out"; content: "timed out after"; default_prot: tcp; default_dst_port: $FTP_PORT: classtype: not-suspicious; program: ftpd|ftp|FTP|FTPD; reference: url,wiki.quadrantsec.com/bin/view/Main/5000191; sid:5000191; rev:5;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[FTPD] Attempted access to a disabled account"; content: "Account is disabled"; default_prot: tcp; default_dst_port: $FTP_PORT: classtype: unsuccessful-user; program: ftpd|ftp|FTP|FTPD; reference: url,wiki.quadrantsec.com/bin/view/Main/5000192; sid:5000192; rev:5;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[FTPD] Failed authentication"; content: "failed authentication from"; nocase; default_prot: tcp; default_dst_port: $FTP_PORT: classtype: unsuccessful-user; program: ftpd|ftp|FTP|FTPD; reference: url,wiki.quadrantsec.com/bin/view/Main/5001522; sid:5001522; rev:5;) drop any $EXTERNAL_NET any -> $HOME_NET any (msg:"[FTPD] Failed authentication - Brute force [5/5]"; content: "failed authentication from"; nocase; xbits: set,brute_force,21600; default_prot: tcp; default_dst_port: $FTP_PORT: classtype: 
unsuccessful-user; program: ftpd|ftp|FTP|FTPD; after: track by_src, count 5, seconds 300; threshold: type limit, track by_src, count 1, seconds 300; fwsam: src, 1 day; reference: url,wiki.quadrantsec.com/bin/view/Main/5000193; sid:5000193; rev:9;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[FTPD] User logged into an disabled account"; content: "FTP LOGIN FROM"; pcre: "/ apachei | mysql | www | nobody | nogroup | portmap | named | rpc | mail | ftp | shutdown | halt | daemon | bin | postfix | shell | info | guest | psql | user | users | console | uucp | lp | sync | sshd | cdrom | ossec | sagan /"; default_prot: tcp; default_dst_port: $FTP_PORT: classtype: successful-user; xbits: set,brute_force,21600; reference: url,wiki.quadrantsec.com/bin/view/Main/5000412; program: ftpd|ftp|FTP|FTPD; sid: 5000412; rev:7;) # Rule by W. E Restrepo (werestrepo@quadrantsec.com) - 08/30/2016 alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[FTPD] FTPCHK3 file accessed by user"; content: "ftpchk3"; pcre: "/CHMOD|DELE|STOR/i"; parse_src_ip: 2; parse_dst_ip: 1; parse_port; program: ftp|ftpd|FTP|FTPD; default_prot: tcp; default_dst_port: $FTP_PORT: classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/5002950; reference: url,blog.ftptoday.com/ftp-password-stealing-malware; sid:5002950; rev: 3;) sagan-1.2.0/rules/gen-msg.map0000644000175000017500000000036113310533411014725 0ustar champchamp# GENERATORS -> msg map # Format: generatorid || alertid || MSG 1 || 1 || Sagan general alert 100 || 100 || sagan_track_clients: No log activity from remote agent in timeout period! 100 || 101 || sagan_track_clients: Log activity resumed. sagan-1.2.0/rules/windows-owa-brointel.rules0000644000175000017500000000415313310533411020042 0ustar champchamp# Sagan windows-owa-brointel.rules # Copyright (c) 2009-2017, Quadrant Information Security # All rights reserved. 
# # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list # #************************************************************* # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
# alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-OWA-BROINTEL] Login failure - Brute force [5/5]"; content: "/ews/exchange.asmx"; nocase; bro-intel: by_src; default_proto: tcp; default_dst_port: $HTTPS_PORT; classtype: suspicious-traffic; fwsam: src, 1 day; parse_src_ip: 1; parse_dst_ip: 2; reference: url,wiki.quadrantsec.com/bin/view/Main/5002266; sid: 5002266; rev:2;) sagan-1.2.0/rules/courier.rules0000644000175000017500000001032213310533411015413 0ustar champchamp# Sagan courier.rules # Copyright (c) 2009-2017, Quadrant Information Security # All rights reserved. # # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list # #************************************************************* # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. 
IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. # #************************************************************* #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[COURIER] Connection established"; content: "Connection,"; classtype: not-suspicious; program: courierlogger; reference: url,wiki.quadrantsec.com/bin/view/Main/5000258; sid:5000258; rev:1;) # Sep 24 12:29:52 bundy imapd: LOGIN FAILED, user=champtest, ip=[::ffff:10.0.0.1] alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[COURIER] Authentication failure"; content: "LOGIN FAILED,"; parse_src_ip: 1; default_proto: tcp; classtype: unsuccessful-user; program: imapd|imapd-sslcourierlogger; reference: url,wiki.quadrantsec.com/bin/view/Main/5000259; sid:5000259; rev:4;) # Sep 23 07:29:40 bundy imapd-ssl: DISCONNECTED, user=champ, ip=[::ffff:10.0.0.1], headers=0, body=0, rcvd=70, sent=576, time=4, starttls=1 # Sep 24 07:14:17 bundy imapd-ssl: LOGOUT, user=champ, ip=[::ffff:10.0.0.1], headers=0, body=0, rcvd=1011, sent=9534, time=5, starttls=1 #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[COURIER] Logout/disconnect"; pcre: "/LOGOUT|DISCONNECTED/"; default_proto: tcp; classtype: not-suspicious; parse_src_ip: 1; program: imapd|imapd-ssl|courierlogger; reference: url,wiki.quadrantsec.com/bin/view/Main/5000260; sid:5000260; rev:4;) # May 24 16:03:15 bundy imapd-ssl: LOGIN, user=champ, ip=[::ffff:10.0.0.1], port=[45018], protocol=IMAP #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[COURIER] User login"; content: "LOGIN,"; parse_src_ip: 
1; default_proto: tcp; classtype: successful-user; program: imapd|imapd-ssl|courierlogger; reference: url,wiki.quadrantsec.com/bin/view/Main/5000261; sid:5000261; rev:3;) # May 24 16:44:21 bundy imapd-ssl: TIMEOUT, user=champ, ip=[::ffff:10.0.0.1], headers=104, body=19823, rcvd=474, sent=22380, time=2466, starttls=1 #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[COURIER] Timeout"; content: "TIMEOUT"; parse_src_ip: 1; default_proto: tcp; classtype: successful-user; program: imapd|imapd-ssl|courierlogger; reference: url,wiki.quadrantsec.com/bin/view/Main/5002393; sid:5002393; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[COURIER] Authentication failure - Brute Force [5/5]"; content: "LOGIN FAILED,"; parse_src_ip: 1; xbits: set,brute_force,21600; after: track by_src, count 5, seconds 300; threshold: type limit, track by_src, count 1, seconds 300; fwsam: src, 1 day; default_proto: tcp; classtype: unsuccessful-user; program: imapd|imapd-sslcourierlogger; reference: url,wiki.quadrantsec.com/bin/view/Main/5002398; sid:5002398; rev:3;) sagan-1.2.0/rules/bluedot-categories.conf0000644000175000017500000000021113310533411017313 0ustar champchamp0 || Neutral 1 || Whitelisted 2 || Client 3 || Malicious 4 || Honeypot 7 || Advisory 8 || Scanners 9 || Tor 10 || Proxy sagan-1.2.0/rules/windows-owa-geoip.rules0000644000175000017500000000451413310533411017330 0ustar champchamp# Sagan windows-owa-geoip.rules # Copyright (c) 2009-2017, Quadrant Information Security # All rights reserved. # # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list # #************************************************************* # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. 
# * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. # # 10.1.2.1|user|notice|notice|0d|2015-04-23|00:39:14|SERVER.local IISWebLog 0 2015-04-23| 00:31:33 10.1.2.1 POST /ews/exchange.asmx - 443 - 12.12.12.12 MS-WebServices/1.0 - - 401 0 0 0 alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-OWA-GEOIP] Login failure - Brute force [5/5]"; content: "/ews/exchange.asmx"; nocase; country_code: track by_src, isnot $HOME_COUNTRY; default_proto: tcp; default_dst_port: $HTTPS_PORT; classtype: suspicious-traffic; fwsam: src, 1 day; parse_src_ip: 1; parse_dst_ip: 2; reference: url,wiki.quadrantsec.com/bin/view/Main/5002265; sid: 5002265; rev:3;) sagan-1.2.0/rules/citrix-correlated.rules0000644000175000017500000001604413310533411017376 0ustar champchamp# Sagan citrix-correlated.rules # Copyright (c) 2009-2017, Quadrant Information Security # All rights reserved. 
# # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list # #************************************************************* # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
# #************************************************************* # Citrix applicances/devices/software # Login/login attempt after recon/honeypot/exploit_attempt/brute_force (Champ Clark / 09/18/2015) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX-CORRELATED] Login after recon activity"; content: "SSLVPN LOGIN"; default_proto: tcp; default_dst_port: $HTTPS_PORT; classtype: correlated-attack; parse_src_ip: 1; parse_dst_ip: 2; xbits: isset,by_src,recon; fwsam: src, 1 day; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5003228; sid:5003228; rev:1;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX-CORRELATED] Login after honeypot activity"; content: "SSLVPN LOGIN"; default_proto: tcp; default_dst_port: $HTTPS_PORT; classtype: correlated-attack; parse_src_ip: 1; parse_dst_ip: 2; xbits: isset,by_src,honeypot; fwsam: src, 1 day; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5003229; sid:5003229; rev:1;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX-CORRELATED] Login after exploit attempt"; content: "SSLVPN LOGIN"; default_proto: tcp; default_dst_port: $HTTPS_PORT; classtype: correlated-attack; parse_src_ip: 1; parse_dst_ip: 2; xbits: isset,by_src,exploit_attempt; fwsam: src, 1 day; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5003230; sid:5003230; rev:1;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX-CORRELATED] Login after brute force attempt"; content: "SSLVPN LOGIN"; default_proto: tcp; default_dst_port: $HTTPS_PORT; classtype: correlated-attack; parse_src_ip: 1; parse_dst_ip: 2; xbits: isset,by_src,brute_force; fwsam: src, 1 day; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5003231; sid:5003231; rev:1;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX-CORRELATED] AAA LOGIN_FAILED 
after suspicious activity"; content: "AAA LOGIN_FAILED"; default_proto: tcp; default_dst_port: $HTTPS_PORT; classtype: correlated-attack; parse_src_ip: 1; normalize; xbits: isset,by_src,recon|honeypot|exploit_attempt; fwsam: src, 1 day; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5002358; sid:5002358; rev:6;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX-CORRELATED] AAA LOGIN_FAILED after recon activity"; content: "AAA LOGIN_FAILED"; default_proto: tcp; default_dst_port: $HTTPS_PORT; classtype: correlated-attack; parse_src_ip: 1; normalize; xbits: isset,by_src,recon; fwsam: src, 1 day; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5003238; sid:5003238; rev:1;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX-CORRELATED] AAA LOGIN_FAILED after honeypot activity"; content: "AAA LOGIN_FAILED"; default_proto: tcp; default_dst_port: $HTTPS_PORT; classtype: correlated-attack; parse_src_ip: 1; normalize; xbits: isset,by_src,honeypot; fwsam: src, 1 day; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5003239; sid:5003239; rev:1;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX-CORRELATED] AAA LOGIN_FAILED after exploit attempt"; content: "AAA LOGIN_FAILED"; default_proto: tcp; default_dst_port: $HTTPS_PORT; classtype: correlated-attack; parse_src_ip: 1; normalize; xbits: isset,by_src,exploit_attempt; fwsam: src, 1 day; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5003240; sid:5003240; rev:1;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX-CORRELATED] SSLVPN HTTPREQUEST after recon activity"; content: "SSLVPN HTTPREQUEST"; default_proto: tcp; default_dst_port: $HTTPS_PORT; classtype: correlated-attack; parse_src_ip: 1; normalize; xbits: isset,by_src,recon; fwsam: src, 1 day; reference: 
url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5003241; sid:5003241; rev:1;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX-CORRELATED] SSLVPN HTTPREQUEST after honeypot activity"; content: "SSLVPN HTTPREQUEST"; default_proto: tcp; default_dst_port: $HTTPS_PORT; classtype: correlated-attack; parse_src_ip: 1; normalize; xbits: isset,by_src,honeypot; fwsam: src, 1 day; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5003242; sid:5003242; rev:1;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX-CORRELATED] SSLVPN HTTPREQUEST after exploit attempt"; content: "SSLVPN HTTPREQUEST"; default_proto: tcp; default_dst_port: $HTTPS_PORT; classtype: correlated-attack; parse_src_ip: 1; normalize; xbits: isset,by_src,exploit_attempt; fwsam: src, 1 day; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5003243; sid:5003243; rev:1;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX-CORRELATED] SSLVPN HTTPREQUEST after brute force activity"; content: "SSLVPN HTTPREQUEST"; default_proto: tcp; default_dst_port: $HTTPS_PORT; classtype: correlated-attack; parse_src_ip: 1; normalize; xbits: isset,by_src,brute_force; fwsam: src, 1 day; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5003244; sid:5003244; rev:1;) sagan-1.2.0/rules/windows.rules0000644000175000017500000000057313310533411015444 0ustar champchamp# Sagan windows.rules # README * README * README * README * README * README * README * README # ---------------------------------------------------------------------------- # # The "windows.rules" has been broken up into multiple rule sets. 
Please # see the windows*.rules for more information # # ---------------------------------------------------------------------------- sagan-1.2.0/rules/postfix.rules0000644000175000017500000000552213310533411015445 0ustar champchamp# Sagan postfix.rules # Copyright (c) 2009-2017, Quadrant Information Security # All rights reserved. # # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list # #************************************************************* # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
# #************************************************************* #alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[POSTFIX] IP Address black-listed by anti-spam [blocked]"; content: "blocked using"; default_proto: tcp; default_dst_port: $SMTP_PORT; default_proto: tcp; default_dst_port: $SMTP_PORT; classtype: spam; program: postfix; reference: url,wiki.quadrantsec.com/bin/view/Main/5000225; sid: 5000225; rev:3;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[POSTFIX] Processing error"; pcre: "/defer service failure|resource temporarily unavailable/i"; default_proto: tcp; default_dst_port: $SMTP_PORT; default_proto: tcp; default_dst_port: $SMTP_PORT; classtype: program-error; program: postfix; reference: url,wiki.quadrantsec.com/bin/view/Main/5000226; sid: 5000226; rev:3;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[POSTFIX] SASL authentication failure"; content: "authentication failed"; default_proto: tcp; default_dst_port: $SMTP_PORT; default_proto: tcp; default_dst_port: $SMTP_PORT; classtype: unsuccessful-user; program: postfix; reference: url,wiki.quadrantsec.com/bin/view/Main/5000227; sid: 5000227; rev:3;) sagan-1.2.0/rules/riverbed-bluedot.rules0000644000175000017500000000450213310533411017204 0ustar champchamp# Sagan riverbed-bluedot.rules # Copyright (c) 2009-2017, Quadrant Information Security # All rights reserved. # # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list # #************************************************************* # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. 
# * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. # #************************************************************* # 10.3.1.1|local1|notice|notice|8d|2014-04-16|13:41:29|webasd| [web.NOTICE]: web: User bob logged in from 10.7.8.1, session count: 1.
# NOTE (review): the content match "logged in" fires for any web user login in the sample above, not only administrator
# accounts; what narrows this rule is the Bluedot ip_reputation lookup (track by_src) on the address taken from the
# message by parse_src_ip: 1. Confirm that the first address in your webasd messages is the client address, as in the
# sample, otherwise the reputation check is run against the wrong IP.
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[RIVERBED-BLUEDOT] Administrator Login from a suspicious source"; content: "logged in"; parse_src_ip: 1; default_proto: tcp; default_dst_port: $HTTPS_PORT; classtype: successful-admin; bluedot: type ip_reputation, track by_src, none, Malicious,Tor,Honeypot,Proxy; reference: url,wiki.quadrantsec.com/bin/view/Main/5002909; program: webasd; sid:5002909; rev:5;) sagan-1.2.0/rules/bonding.rules0000644000175000017500000001000413310533411015360 0ustar champchamp# Sagan bonding.rules # Copyright (c) 2009-2017, Quadrant Information Security # All rights reserved. 
# # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list # #************************************************************* # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
# #************************************************************* # #alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[BONDING] Interface is up"; content: "is now up"; classtype: network-event; program: kernel; reference: url,wiki.quadrantsec.com/bin/view/Main/5001066; sid: 5001066; rev:3;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[BONDING] Interface is down"; content: "is now down"; classtype: network-event; program: kernel; reference: url,wiki.quadrantsec.com/bin/view/Main/5001067; sid: 5001067; rev:3;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[BONDING] Link status down for active interface"; content: "link status down for"; classtype: network-event; program: kernel; reference: url,wiki.quadrantsec.com/bin/view/Main/5001069; sid: 5001069; rev:3;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[BONDING] Making interface the new active one"; content: "making interface"; content: "the new active one"; classtype: network-event; program: kernel; reference: url,wiki.quadrantsec.com/bin/view/Main/5001070; sid: 5001070; rev:3;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[BONDING] Interface is up and now the active interface"; content: "is up and now the active interface"; classtype: network-event; program: kernel; reference: url,wiki.quadrantsec.com/bin/view/Main/5001071; sid: 5001071; rev:3;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[BONDING] ARP monitoring enabled"; content: "ARP monitoring set to"; classtype: network-event; program: kernel; reference: url,wiki.quadrantsec.com/bin/view/Main/5001072; sid: 5001072; rev:3;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[BONDING] Enslaving interface"; content: "enslaving"; content: "with an up link"; classtype: network-event; program: kernel; reference: url,wiki.quadrantsec.com/bin/view/Main/5001073; sid: 5001073; rev:3;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[BONDING] Released all slaves"; content: "released all slaves"; classtype: network-event; program: 
kernel; reference: url,wiki.quadrantsec.com/bin/view/Main/5001074; sid: 5001074; rev:3;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[BONDING] Failed to get speed or duplex"; content: "failed to get speed/duplex"; classtype: network-event; program: kernel; reference: url,wiki.quadrantsec.com/bin/view/Main/5001075; sid: 5001075; rev:3;) sagan-1.2.0/rules/cisco-malware.rules0000644000175000017500000002313713310533411016501 0ustar champchamp# Sagan cisco-malware.rules # Copyright (c) 2009-2017, Quadrant Information Security # All rights reserved. # # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list # #************************************************************* # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. 
IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. # # # Added by Champ Clark - # These rules trigger if you are dropping (denying) traffic to zeroaccess already. alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[CISCO-MALWARE] ZeroAccess UDP port 16464 detected [denied] [5/5]"; program: %ASA*-4-106023|%PIX-4-106023; content: "/16464 by access-group"; content: "Deny udp src inside"; default_proto: udp; default_dst_port: 16464; classtype: trojan-activity; reference: url, wiki.quadrantsec.com/bin/view/Main/5001724; parse_src_ip: 1; parse_dst_ip: 2; parse_port; threshold: type limit, track by_src, count 5, seconds 300; after: track by_src, count 5, seconds 300; sid: 5001724; rev: 7;) alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[CISCO-MALWARE] ZeroAccess UDP port 16465 detected [denied] [5/5]"; program: %ASA*-4-106023|%PIX-4-106023; content: "/16465 by access-group"; content: "Deny udp src inside"; default_proto: udp; default_dst_port: 16465; classtype: trojan-activity; reference: url, wiki.quadrantsec.com/bin/view/Main/5001725; parse_src_ip: 1; parse_dst_ip: 2; parse_port; threshold: type limit, track by_src, count 5, seconds 300; after: track by_src, count 5, seconds 300; sid: 5001725; rev: 7;) alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[CISCO-MALWARE] ZeroAccess UDP port 16470 detected [denied] [5/5]"; program: %ASA*-4-106023|%PIX-4-106023; content: "/16470 by access-group"; content: "Deny udp src inside"; default_proto: udp; default_dst_port: 16470; classtype: trojan-activity; 
reference: url, wiki.quadrantsec.com/bin/view/Main/5001726; parse_src_ip: 1; parse_dst_ip: 2; parse_port; threshold: type limit, track by_src, count 5, seconds 300; after: track by_src, count 5, seconds 300; sid: 5001726; rev: 7;) alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[CISCO-MALWARE] ZeroAccess UDP port 16471 detected [denied] [5/5]"; program: %ASA*-4-106023|%PIX-4-106023; content: "/16471 by access-group"; content: "Deny udp src inside"; default_proto: udp; default_dst_port: 16471; classtype: trojan-activity; reference: url, wiki.quadrantsec.com/bin/view/Main/5001727; parse_src_ip: 1; parse_dst_ip: 2; parse_port; threshold: type limit, track by_src, count 5, seconds 300; after: track by_src, count 5, seconds 300; sid: 5001727; rev: 7;) # Older TCP port 13620 (pre-Q2 2012) alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[CISCO-MALWARE] ZeroAccess pre-2012 TCP port 13620 detected [denied] [5/5]"; program: %ASA*-4-106023|%PIX-4-106023; content: "/13620 by access-group"; content: "Deny tcp src inside"; default_proto: tcp; default_dst_port: 13620; classtype: trojan-activity; reference: url, wiki.quadrantsec.com/bin/view/Main/5001790; parse_src_ip: 1; parse_dst_ip: 2; parse_port; threshold: type limit, track by_src, count 5, seconds 300; after: track by_src, count 5, seconds 300; sid: 5001790; rev: 8;) alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[CISCO-MALWARE] ZeroAccess UDP port 16464 detected [allowed] [5/5]"; program: %ASA*-6-302015|%PIX-6-302015; content: "/16464 "; content: "outbound UDP"; default_proto: udp; default_dst_port: 16464; classtype: trojan-activity; reference: url, wiki.quadrantsec.com/bin/view/Main/5001858; parse_src_ip: 1; parse_dst_ip: 2; parse_port; threshold: type limit, track by_src, count 5, seconds 300; after: track by_src, count 5, seconds 300; sid: 5001858; rev: 4;) alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[CISCO-MALWARE] ZeroAccess UDP port 16465 detected [allowed] [5/5]"; program: 
%ASA*-6-302015|%PIX-6-302015; content: "/16465 "; content: "outbound UDP"; default_proto: udp; default_dst_port: 16465; classtype: trojan-activity; reference: url, wiki.quadrantsec.com/bin/view/Main/5001859; parse_src_ip: 1; parse_dst_ip: 2; parse_port; threshold: type limit, track by_src, count 5, seconds 300; after: track by_src, count 5, seconds 300; sid: 5001859; rev: 4;) alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[CISCO-MALWARE] ZeroAccess UDP port 16470 detected [allowed] [5/5]"; program: %ASA*-6-302015|%PIX-6-302015; content: "/16470 "; content: "outbound UDP"; default_proto: udp; default_dst_port: 16470; classtype: trojan-activity; reference: url, wiki.quadrantsec.com/bin/view/Main/5001860; parse_src_ip: 1; parse_dst_ip: 2; parse_port; threshold: type limit, track by_src, count 5, seconds 300; after: track by_src, count 5, seconds 300; sid: 5001860; rev: 4;) alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[CISCO-MALWARE] ZeroAccess UDP port 16471 detected [allowed] [5/5]"; program: %ASA*-6-302015|%PIX-6-302015; content: "/16471 "; content: "outbound UDP"; default_proto: udp; default_dst_port: 16471; classtype: trojan-activity; reference: url, wiki.quadrantsec.com/bin/view/Main/5001861; parse_src_ip: 1; parse_dst_ip: 2; parse_port; threshold: type limit, track by_src, count 5, seconds 300; after: track by_src, count 5, seconds 300; sid: 5001861; rev: 5;) # Older TCP port 13620 (pre-Q2 2012) alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[CISCO-MALWARE] ZeroAccess TCP port 13620 detected [allowed] [5/5]"; program: %ASA*-6-302013|%PIX-6-302013; content: "/13620 "; content: "outbound TCP"; default_proto: tcp; default_dst_port: 13620; classtype: trojan-activity; reference: url, wiki.quadrantsec.com/bin/view/Main/5001862; parse_src_ip: 1; parse_dst_ip: 2; parse_port; threshold: type limit, track by_src, count 5, seconds 300; after: track by_src, count 5, seconds 300; sid: 5001862; rev: 4;) # 
10.20.1.7|local7|info|info|be|2014-02-19|20:25:11|344306| Feb 19 15:25:11.570: %SEC-6-IPACCESSLOGP: list control_outbound denied tcp 10.3.2.3(4343) -> 10.99.0.7(50122), 2 packets alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[CISCO-MALWARE] ACE ZeroAccess UDP port 16464 detected [5/5]"; content: "%SEC-6-IPACCESSLOGP:"; content: "|28|16464|29|"; content: " udp "; default_proto: udp; default_dst_port: 16464; classtype: trojan-activity; reference: url, wiki.quadrantsec.com/bin/view/Main/5001965; parse_src_ip: 1; parse_dst_ip: 2; parse_port; threshold: type limit, track by_src, count 5, seconds 300; after: track by_src, count 5, seconds 300; sid: 5001965; rev: 4;) alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[CISCO-MALWARE] ACE ZeroAccess UDP port 16465 detected [5/5]"; content: "%SEC-6-IPACCESSLOGP:"; content: "|28|16465|29|"; content: " udp "; default_proto: udp; default_dst_port: 16465; classtype: trojan-activity; reference: url, wiki.quadrantsec.com/bin/view/Main/5001966; parse_src_ip: 1; parse_dst_ip: 2; parse_port; threshold: type limit, track by_src, count 5, seconds 300; after: track by_src, count 5, seconds 300; sid: 5001966; rev: 4;) alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[CISCO-MALWARE] ACE ZeroAccess UDP port 16470 detected [5/5]"; content: "%SEC-6-IPACCESSLOGP:"; content: "|28|16470|29|"; content: " udp "; default_proto: udp; default_dst_port: 16470; classtype: trojan-activity; reference: url, wiki.quadrantsec.com/bin/view/Main/5001967; parse_src_ip: 1; parse_dst_ip: 2; parse_port; threshold: type limit, track by_src, count 5, seconds 300; after: track by_src, count 5, seconds 300; sid: 5001967; rev: 4;) alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[CISCO-MALWARE] ACE ZeroAccess UDP port 16471 detected [5/5]"; content: "%SEC-6-IPACCESSLOGP:"; content: "|28|16471|29|"; content: " udp "; default_proto: udp; default_dst_port: 16471; classtype: trojan-activity; reference: url, wiki.quadrantsec.com/bin/view/Main/5001968; 
parse_src_ip: 1; parse_dst_ip: 2; parse_port; threshold: type limit, track by_src, count 5, seconds 300; after: track by_src, count 5, seconds 300; sid: 5001968; rev: 4;) alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[CISCO-MALWARE] ACE ZeroAccess pre-2012 TCP port 13620 [5/5]"; content: "%SEC-6-IPACCESSLOGP:"; content: "|28|13620|29|"; content: " tcp "; default_proto: tcp; default_dst_port: 13620; classtype: trojan-activity; reference: url, wiki.quadrantsec.com/bin/view/Main/5001969; parse_src_ip: 1; parse_dst_ip: 2; parse_port; threshold: type limit, track by_src, count 5, seconds 300; after: track by_src, count 5, seconds 300; sid: 5001969; rev: 4;) sagan-1.2.0/rules/mongodb.rules0000644000175000017500000001443613310533411015402 0ustar champchamp# Sagan mongodb.rules # Copyright (c) 2009-2017, Quadrant Information Security # All rights reserved. # # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list # #************************************************************* # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. 
IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. # #************************************************************* # MongoDB rules. Created by Robert Nunley (rnunley@quadrantsec.com) # 09/13/2012 #alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[MONGODB] replSet is going into maintenance mode"; content: "going"; content: "maintenance"; default_proto: tcp; default_dst_port: 27017; classtype: system-event; program: mongod; reference: url,www.mongodb.org; sid: 5001609; rev:2;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[MONGODB] replSet is leaving maintenance mode"; content: "leaving"; content: "maintenance"; default_proto: tcp; default_dst_port: 27017; classtype: system-event; program: mongod; reference: url,www.mongodb.org; sid: 5001610; rev:2;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[MONGODB] DBException causing immediate shutdown"; content: "dbexception"; content: "shutdown"; default_proto: tcp; default_dst_port: 27017; classtype: system-event; program: mongod; reference: url,www.mongodb.org; sid: 5001595; rev:2;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[MONGODB] IOS_Base exception causing immediate shutdown"; content: "ios_base"; content: "shutdown"; default_proto: tcp; default_dst_port: 27017; classtype: system-event; program: mongod; reference: url,www.mongodb.org; sid: 5001596; rev:2;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[MONGODB] Bad allocation exception causing immediate shutdown"; content: "bad_alloc"; content: "shutdown"; default_proto: tcp; 
default_dst_port: 27017; classtype: system-event; program: mongod; reference: url,www.mongodb.org; sid: 5001597; rev:2;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[MONGODB] Shutting down"; content: "shutdown"; content: "listening"; content: !"immediate"; default_proto: tcp; default_dst_port: 27017; classtype: system-event; program: mongod; reference: url,www.mongodb.org; sid: 5001598; rev:2;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[MONGODB] Clock skew detected"; content: "clock skew"; content: !"large"; default_proto: tcp; default_dst_port: 27017; classtype: system-event; program: mongod; reference: url,www.mongodb.org; sid: 5001599; rev:2;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[MONGODB] Large clock skew detected"; content: "clock skew"; default_proto: tcp; default_dst_port: 27017; classtype: system-event; program: mongod; reference: url,www.mongodb.org; sid: 5001600; rev:2;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[MONGODB] Clock skew exception - shutting down"; content: "ClockSkew"; default_proto: tcp; default_dst_port: 27017; classtype: system-event; program: mongod; reference: url,www.mongodb.org; sid: 5001601; rev:2;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[MONGODB] Terminating- Shutdown command received"; content: "terminating"; content: "command"; default_proto: tcp; default_dst_port: 27017; classtype: system-event; program: mongod; reference: url,www.mongodb.org; sid: 5001602; rev:2;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[MONGODB] Handshake detected"; content: "handshake between"; default_proto: tcp; default_dst_port: 27017; classtype: tcp-connection; program: mongod; parse_src_ip: 1; reference: url,www.mongodb.org; sid: 5001603; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[MONGODB] Auth: Could not find user"; content: "auth"; content: "couldn't"; content: "user"; default_proto: tcp; default_dst_port: 27017; classtype: unsuccessful-user; program: mongod; reference: 
url,www.mongodb.org; sid: 5001604; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[MONGODB] Admin command received from client"; content: "admin"; content: "received"; content: "client"; default_proto: tcp; default_dst_port: 27017; classtype: successful-admin; program: mongod; reference: url,www.mongodb.org; sid: 5001605; rev:2;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[MONGODB] Attempting to sync"; content: "attempting"; content: "sync"; default_proto: tcp; default_dst_port: 27017; classtype: system-event; program: mongod; reference: url,www.mongodb.org; sid: 5001606; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[MONGODB] Replauthenticate failed: Requires Admin permissions"; content: "requires admin"; content: "failing"; default_proto: tcp; default_dst_port: 27017; classtype: unsuccessful-admin; program: mongod; reference: url,www.mongodb.org; sid: 5001607; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[MONGODB] Cannot authenticate to master server"; content: "can't authenticate"; content: "master server"; default_proto: tcp; default_dst_port: 27017; classtype: unsuccessful-user; program: mongod; reference: url,www.mongodb.org; sid: 5001608; rev:2;) sagan-1.2.0/rules/openssh-correlated.rules0000644000175000017500000001642413310533411017555 0ustar champchamp# Sagan openssh-correlated.rules # Copyright (c) 2009-2017, Quadrant Information Security # All rights reserved. # # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list # #************************************************************* # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. 
# * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
# #************************************************************* alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[OPENSSH-CORRELATED] Authentication success via password after recon activity"; content: "Accepted password"; xbits: isset,by_src,recon; default_proto: tcp; default_dst_port: $SSH_PORT; classtype: correlated-attack; reference: url,wiki.quadrantsec.com/bin/view/Main/5003301; normalize; program: sshd; sid:5003301; rev:1;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[OPENSSH-CORRELATED] Authentication success via password after honeypot activity"; content: "Accepted password"; xbits: isset,by_src,honeypot; default_proto: tcp; default_dst_port: $SSH_PORT; classtype: correlated-attack; reference: url,wiki.quadrantsec.com/bin/view/Main/5003302; normalize; program: sshd; sid:5003302; rev:1;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[OPENSSH-CORRELATED] Authentication success via password after exploit attempt"; content: "Accepted password"; xbits: isset,by_src,exploit_attempt; default_proto: tcp; default_dst_port: $SSH_PORT; classtype: correlated-attack; reference: url,wiki.quadrantsec.com/bin/view/Main/5003303; normalize; program: sshd; sid:5003303; rev:1;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[OPENSSH-CORRELATED] Authentication success via password after brute force activity"; content: "Accepted password"; xbits: isset,by_src,brute_force; default_proto: tcp; default_dst_port: $SSH_PORT; classtype: correlated-attack; reference: url,wiki.quadrantsec.com/bin/view/Main/5003304; normalize; program: sshd; sid:5003304; rev:1;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[OPENSSH-CORRELATED] Authentication success via public key after recon activity"; content: "Accepted publickey"; xbits: isset,by_src,recon; default_proto: tcp; default_dst_port: $SSH_PORT; classtype: correlated-attack; reference: url,wiki.quadrantsec.com/bin/view/Main/5003305; normalize; program: sshd; sid:5003305; rev:1;) alert any $EXTERNAL_NET any -> 
$HOME_NET any (msg:"[OPENSSH-CORRELATED] Authentication success via public key after honeypot activity"; content: "Accepted publickey"; xbits: isset,by_src,honeypot; default_proto: tcp; default_dst_port: $SSH_PORT; classtype: correlated-attack; reference: url,wiki.quadrantsec.com/bin/view/Main/5003306; normalize; program: sshd; sid:5003306; rev:1;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[OPENSSH-CORRELATED] Authentication success via public key after exploit attempt"; content: "Accepted publickey"; xbits: isset,by_src,exploit_attempt; default_proto: tcp; default_dst_port: $SSH_PORT; classtype: correlated-attack; reference: url,wiki.quadrantsec.com/bin/view/Main/5003307; normalize; program: sshd; sid:5003307; rev:1;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[OPENSSH-CORRELATED] Authentication success via public key after brute force"; content: "Accepted publickey"; xbits: isset,by_src,brute_force; default_proto: tcp; default_dst_port: $SSH_PORT; classtype: correlated-attack; reference: url,wiki.quadrantsec.com/bin/view/Main/5003308; normalize; program: sshd; sid:5003308; rev:1;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[OPENSSH-CORRELATED] Authentication success via keyboard-interactive after recon activity"; content: "Accepted keyboard-interactive"; xbits: isset,by_src,recon; default_proto: tcp; default_dst_port: $SSH_PORT; classtype: correlated-attack; reference: url,wiki.quadrantsec.com/bin/view/Main/5003309; normalize; program: sshd; sid:5003309; rev:1;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[OPENSSH-CORRELATED] Authentication success via keyboard-interactive after honeypot activity"; content: "Accepted keyboard-interactive"; xbits: isset,by_src,honeypot; default_proto: tcp; default_dst_port: $SSH_PORT; classtype: correlated-attack; reference: url,wiki.quadrantsec.com/bin/view/Main/5003310; normalize; program: sshd; sid:5003310; rev:1;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[OPENSSH-CORRELATED] 
Authentication success via keyboard-interactive after exploit attempt"; content: "Accepted keyboard-interactive"; xbits: isset,by_src,exploit_attempt; default_proto: tcp; default_dst_port: $SSH_PORT; classtype: correlated-attack; reference: url,wiki.quadrantsec.com/bin/view/Main/5003311; normalize; program: sshd; sid:5003311; rev:1;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[OPENSSH-CORRELATED] Authentication success via keyboard-interactive after brute force activity"; content: "Accepted keyboard-interactive"; xbits: isset,by_src,brute_force; default_proto: tcp; default_dst_port: $SSH_PORT; classtype: correlated-attack; reference: url,wiki.quadrantsec.com/bin/view/Main/5003312; normalize; program: sshd; sid:5003312; rev:1;) # Added by Champ Clark - 09/17/2014 - Required xbit. Valid login _after_ brute force. #alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[OPENSSH-CORRELATED] SSH login success after brute force attack!"; pcre: "/accepted|authenticated/i"; xbits: isset,by_src,brute_force; xbits: set,attacker,86400; normalize; default_proto: tcp; default_dst_port: $SSH_PORT; classtype: correlated-attack; program: sshd; reference: url,wiki.quadrantsec.com/bin/view/Main/5002176; sid:5002177; rev:8;) # We could later use "attacker" xbit to "track" the attacker! #alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[OPENSSH-CORRELATED] Accepted publickey after brute force attack!"; content: "Accepted publickey" ; xbits: isset,by_src,brute_force; xbits: set,attacker,86400; normalize; default_proto: tcp; default_dst_port: $SSH_PORT; classtype: correlated-attack; program: sshd; reference: url,wiki.quadrantsec.com/bin/view/Main/5002178; sid:5002178; rev:7;) sagan-1.2.0/rules/su.rules0000644000175000017500000001124413310533411014376 0ustar champchamp# Sagan su.rules # Copyright (c) 2009-2017, Quadrant Information Security # All rights reserved. 
# # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list # #************************************************************* # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
# #************************************************************* # This is for both "su" and "sudo"
# NOTE (review): the two "drop syslog" rules below (sid 5000025 and sid 5000028) carry "fwsam: src, 1 day". For local
# su/sudo events the source that fwsam acts on is presumably the host that emitted the syslog message rather than a
# remote attacker, so a user mistyping a password a few times within five minutes could get that server firewalled
# for a day. Confirm what "src" resolves to for these events in your deployment before leaving fwsam enabled here.
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[SU] SUDO user NOT in sudoers"; content:"user NOT in sudoers"; classtype: unsuccessful-admin;program: sudo; reference: url,wiki.quadrantsec.com/bin/view/Main/5000024; sid: 5000024; rev:2;) drop syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[SU] SUDO authentication failure - Brute force [3/5]"; content: "authentication failure"; classtype: unsuccessful-admin; normalize; program: sudo; after: track by_src, count 3, seconds 300; threshold: type limit, track by_src, count 5, seconds 300; fwsam: src, 1 day; reference: url,wiki.quadrantsec.com/bin/view/Main/5000025; sid: 5000025; rev:6;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[SU] SUDO authentication failure"; content: "authentication failure"; classtype: unsuccessful-admin; normalize; program: sudo; reference: url,wiki.quadrantsec.com/bin/view/Main/5001526; sid: 5001526; rev:3;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[SU] Successful su as root"; content:"Successful su for root"; classtype: successful-admin; program: su; reference: url,wiki.quadrantsec.com/bin/view/Main/5000027; normalize; sid: 5000027; rev:4;) drop syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[SU] FAILED su - Brute force [5/5]"; content:"FAILED su"; classtype: unsuccessful-admin; program: su; after: track by_src, count 5, seconds 300; threshold: type limit, track by_src, count 5, seconds 300; fwsam: src, 1 day; reference: url,wiki.quadrantsec.com/bin/view/Main/5000028; sid: 5000028; rev:4;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[SU] FAILED su"; content:"FAILED su"; classtype: unsuccessful-admin; program: su; reference: url,wiki.quadrantsec.com/bin/view/Main/5001527; sid: 5001527; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[SU] Three failed attempts to run sudo"; content: "3 incorrect password attempts"; classtype: unsuccessful-admin;program: 
sudo; reference: url,wiki.quadrantsec.com/bin/view/Main/5000132; sid: 5000132; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[SU] Successful sudo to ROOT executed"; content: "USER=root"; content: "COMMAND="; content:!"incorrect password attempts"; content:!"NOT in sudoers"; classtype: successful-admin;program: sudo; reference: url,wiki.quadrantsec.com/bin/view/Main/5000133; sid: 5000133; rev:4;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[SU] su as 'root' suceeded"; content: "su root"; content: "succeeded for root"; classtype: successful-admin; program: su; reference: url,wiki.quadrantsec.com/bin/view/Main/5000409; normalize; sid: 5000409; rev:4;) # Rules added by Brian Echeverry ( becheverry@quadrantsec.com) - 10/21/2015 alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[SU] root password change attempt"; content:"passwd"; content: "root"; content:"HISTORY"; classtype: suspicious-command; program: -su|su; reference: url,wiki.quadrantsec.com/bin/view/Main/5002566; sid: 5002566; rev:3;) sagan-1.2.0/rules/imapd-correlated.rules0000644000175000017500000002132113310533411017160 0ustar champchamp# Sagan imapd-correlated.rules # Copyright (c) 2009-2017, Quadrant Information Security # All rights reserved. # # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list # #************************************************************* # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. 
# * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. # #************************************************************* alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[IMAPD-CORRELATED] Login after recon activity"; program: imapd*; content: "LOGIN,"; default_proto: tcp; default_dst_port: $IMAP_PORT; classtype: correlated-attack; parse_src_ip: 1; xbits: isset,by_src,recon; reference: url, wiki.quadrantsec.com/bin/view/Main/5003281; sid:5003281; rev:1;) alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[IMAPD-CORRELATED] Login after honeypot activity"; program: imapd*; content: "LOGIN,"; default_proto: tcp; default_dst_port: $IMAP_PORT; classtype: correlated-attack; parse_src_ip: 1; xbits: isset,by_src,honeypot; reference: url, wiki.quadrantsec.com/bin/view/Main/5003282; sid:5003282; rev:1;) alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[IMAPD-CORRELATED] Login after exploit attempt"; program: imapd*; content: "LOGIN,"; default_proto: tcp; default_dst_port: $IMAP_PORT; classtype: correlated-attack; parse_src_ip: 1; xbits: isset,by_src,exploit_attempt; reference: url, 
wiki.quadrantsec.com/bin/view/Main/5003283; sid:5003283; rev:1;) alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[IMAPD-CORRELATED] Login after brute force activity"; program: imapd*; content: "LOGIN,"; default_proto: tcp; default_dst_port: $IMAP_PORT; classtype: correlated-attack; parse_src_ip: 1; xbits: isset,by_src,brute_force; reference: url, wiki.quadrantsec.com/bin/view/Main/5003284; sid:5003284; rev:1;) alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[IMAPD-CORRELATED] Logout after recon activity"; program: imapd*; content: "LOGOUT,"; default_proto: tcp; default_dst_port: $IMAP_PORT; classtype: correlated-attack; parse_src_ip: 1; xbits: isset,by_src,recon; reference: url, wiki.quadrantsec.com/bin/view/Main/5003285; sid:5003285; rev:1;) alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[IMAPD-CORRELATED] Logout after honeypot activity"; program: imapd*; content: "LOGOUT,"; default_proto: tcp; default_dst_port: $IMAP_PORT; classtype: correlated-attack; parse_src_ip: 1; xbits: isset,by_src,honeypot; reference: url, wiki.quadrantsec.com/bin/view/Main/5003286; sid:5003286; rev:1;) alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[IMAPD-CORRELATED] Logout after exploit attempt"; program: imapd*; content: "LOGOUT,"; default_proto: tcp; default_dst_port: $IMAP_PORT; classtype: correlated-attack; parse_src_ip: 1; xbits: isset,by_src,exploit_attempt; reference: url, wiki.quadrantsec.com/bin/view/Main/5003287; sid:5003287; rev:1;) alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[IMAPD-CORRELATED] Logout after brute force activity"; program: imapd*; content: "LOGOUT,"; default_proto: tcp; default_dst_port: $IMAP_PORT; classtype: correlated-attack; parse_src_ip: 1; xbits: isset,by_src,brute_force; reference: url, wiki.quadrantsec.com/bin/view/Main/5003288; sid:5003288; rev:1;) alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[IMAPD-CORRELATED] Timeout after recon activity"; program: imapd*; content: "TIMEOUT,"; default_proto: tcp; default_dst_port: 
$IMAP_PORT; classtype: correlated-attack; parse_src_ip: 1; xbits: isset,by_src,recon; reference: url, wiki.quadrantsec.com/bin/view/Main/5003289; sid:5003289; rev:1;) alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[IMAPD-CORRELATED] Timeout after honeypot activity"; program: imapd*; content: "TIMEOUT,"; default_proto: tcp; default_dst_port: $IMAP_PORT; classtype: correlated-attack; parse_src_ip: 1; xbits: isset,by_src,honeypot; reference: url, wiki.quadrantsec.com/bin/view/Main/5003290; sid:5003290; rev:1;) alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[IMAPD-CORRELATED] Timeout after exploit attempt"; program: imapd*; content: "TIMEOUT,"; default_proto: tcp; default_dst_port: $IMAP_PORT; classtype: correlated-attack; parse_src_ip: 1; xbits: isset,by_src,exploit_attempt; reference: url, wiki.quadrantsec.com/bin/view/Main/5003291; sid:5003291; rev:1;) alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[IMAPD-CORRELATED] Timeout after brute force activity"; program: imapd*; content: "TIMEOUT,"; default_proto: tcp; default_dst_port: $IMAP_PORT; classtype: correlated-attack; parse_src_ip: 1; xbits: isset,by_src,brute_force; reference: url, wiki.quadrantsec.com/bin/view/Main/5003292; sid:5003292; rev:1;) alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[IMAPD-CORRELATED] Disconnect after recon activity"; program: imapd*; content: "DISCONNECTED,"; default_proto: tcp; default_dst_port: $IMAP_PORT; classtype: correlated-attack; parse_src_ip: 1; xbits: isset,by_src,recon; reference: url, wiki.quadrantsec.com/bin/view/Main/5003293; sid:5003293; rev:1;) alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[IMAPD-CORRELATED] Disconnect after honeypot activity"; program: imapd*; content: "DISCONNECTED,"; default_proto: tcp; default_dst_port: $IMAP_PORT; classtype: correlated-attack; parse_src_ip: 1; xbits: isset,by_src,honeypot; reference: url, wiki.quadrantsec.com/bin/view/Main/5003294; sid:5003294; rev:1;) alert any $HOME_NET any -> $EXTERNAL_NET any (msg: 
"[IMAPD-CORRELATED] Disconnect after exploit attempt"; program: imapd*; content: "DISCONNECTED,"; default_proto: tcp; default_dst_port: $IMAP_PORT; classtype: correlated-attack; parse_src_ip: 1; xbits: isset,by_src,exploit_attempt; reference: url, wiki.quadrantsec.com/bin/view/Main/5003295; sid:5003295; rev:1;) alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[IMAPD-CORRELATED] Disconnect after brute force activity"; program: imapd*; content: "DISCONNECTED,"; default_proto: tcp; default_dst_port: $IMAP_PORT; classtype: correlated-attack; parse_src_ip: 1; xbits: isset,by_src,brute_force; reference: url, wiki.quadrantsec.com/bin/view/Main/5003296; sid:5003296; rev:1;) alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[IMAPD-CORRELATED] Connection after recon activity"; program: imapd*; content: "Connection,"; default_proto: tcp; default_dst_port: $IMAP_PORT; classtype: correlated-attack; parse_src_ip: 1; xbits: isset,by_src,recon; reference: url, wiki.quadrantsec.com/bin/view/Main/5003297; sid:5003297; rev:1;) alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[IMAPD-CORRELATED] Connection after honeypot activity"; program: imapd*; content: "Connection,"; default_proto: tcp; default_dst_port: $IMAP_PORT; classtype: correlated-attack; parse_src_ip: 1; xbits: isset,by_src,honeypot; reference: url, wiki.quadrantsec.com/bin/view/Main/5003298; sid:5003298; rev:1;) alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[IMAPD-CORRELATED] Connection after exploit attempt"; program: imapd*; content: "Connection,"; default_proto: tcp; default_dst_port: $IMAP_PORT; classtype: correlated-attack; parse_src_ip: 1; xbits: isset,by_src,exploit_attempt; reference: url, wiki.quadrantsec.com/bin/view/Main/5003299; sid:5003299; rev:1;) alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[IMAPD-CORRELATED] Connection after brute force activity"; program: imapd*; content: "Connection,"; default_proto: tcp; default_dst_port: $IMAP_PORT; classtype: correlated-attack; parse_src_ip: 1; 
xbits: isset,by_src,brute_force; reference: url, wiki.quadrantsec.com/bin/view/Main/5003300; sid:5003300; rev:1;) sagan-1.2.0/rules/ipop3d.rules0000644000175000017500000000425113310533411015145 0ustar champchamp# Sagan ipop3d.rules # Copyright (c) 2009-2017, Quadrant Information Security # All rights reserved. # # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list # #************************************************************* # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
# #************************************************************* alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[IPOP3D] Excessive login failures"; content:"Login excessive login failures"; default_proto: tcp; default_dst_port: $POP3_PORT; classtype: misc-attack; program: ipop3d|ipop3d-ssl; threshold:type limit, track by_src, count 5, seconds 300; xbits: set,brute_force,21600; reference: url,wiki.quadrantsec.com/bin/view/Main/5000032; sid:5000032; rev:6;) sagan-1.2.0/rules/carbonblack.rules0000644000175000017500000001541513310533411016214 0ustar champchamp# Sagan carbonblack.rules # Copyright (c) 2009-2017, Quadrant Information Security # All rights reserved. # # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list # #************************************************************* # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. 
IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. # #************************************************************* # rules by "Corey Fisher" # 07/26/2016 alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CARBONBLACK] Agent blocked an attempt to create file"; content: "Agent blocked an attempt to create"; content: "because of tamper protection"; parse_src_ip: 1; program: 1|bit9; classtype: system-event; sid: 5002928; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CARBONBLACK] Agent blocked an attempt to delete file"; content: "Agent blocked an attempt to delete"; content: "because of tamper protection"; parse_src_ip: 1; program: 1|bit9; classtype: system-event; sid: 5002929; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CARBONBLACK] Permission change was blocked"; content: "Permission change on"; content: "was blocked"; content: "event"; parse_src_ip: 1; program: 1|bit9; classtype: system-event; sid: 5002930; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CARBONBLACK] Modification of registry was blocked"; content: "of registry"; content: "was blocked because of tamper protection"; content: "event"; parse_src_ip: 1; program: 1|bit9; classtype: system-event; sid: 5002931; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CARBONBLACK] Agent failed a health check"; content: "Agent failed a health check"; parse_src_ip: 1; program: 1|bit9; classtype: system-event; sid: 5002932; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CARBONBLACK] 
File was identified by Software Reputation Service as a potential risk"; content: "Software Reputation Service as a potential risk"; parse_src_ip: 1; program: 1|bit9; classtype: system-event; sid: 5002933; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CARBONBLACK] Server detected revocation of certificate"; content: "Server detected revocation of certificate"; content: "event"; parse_src_ip: 1; program: 1|bit9; classtype: system-event; sid: 5002934; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CARBONBLACK] Agent detected a problem"; content: "Agent detected a problem"; parse_src_ip: 1; program: 1|bit9; classtype: system-event; sid: 5002935; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CARBONBLACK] Exclusive access to a file was blocked because of tamper protection"; content: "Exclusive access to"; content: "was blocked because of tamper protection"; content: "event"; parse_src_ip: 1; program: 1|bit9; classtype: system-event; sid: 5002936; rev:2;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CARBONBLACK] Agent had to rebuild its primary database cache and now has to re-initialize"; content: "Agent had to rebuild its primary database cache and now has to re-initialize"; parse_src_ip: 1; program: 1|bit9; classtype: system-event; sid: 5002937; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CARBONBLACK] Computer failed to receive Notifier Logo"; content: "Computer failed to receive Notifier Logo"; content: "event"; parse_src_ip: 1; program: 1|bit9; classtype: system-event; sid: 5002938; rev:2;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CARBONBLACK] Agent had to restore its primary database cache"; content: "Agent had to restore its primary database cache"; parse_src_ip: 1; program: 1|bit9; classtype: system-event; sid: 5002939; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CARBONBLACK] Non-System Filemods to system32"; content: "Carbon Black process watchlist |27|Non-System 
Filemods to system32|27|"; parse_src_ip: 1; program: 1|bit9; classtype: system-event; sid: 5002921; rev:2;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CARBONBLACK] Newly Loaded Modules"; content: "Carbon Black binary watchlist |27|Newly Loaded Modules|27|"; parse_src_ip: 1; program: 1|bit9; classtype: system-event; sid: 5002922; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CARBONBLACK] A new device was mounted"; content: "A new device"; content: "was mounted as drive"; content: "event"; parse_src_ip: 1; program: 1|bit9; classtype: system-event; sid: 5002923; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CARBONBLACK] File was executed for the first time"; content: "File"; content: "was executed for the first time"; content: "event"; parse_src_ip: 1; program: 1|bit9; classtype: system-event; sid: 5002924; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CARBONBLACK] Computer reported that signature on file is invalid"; content: "reported that signature on file"; content: "is invalid"; content: "event"; parse_src_ip: 1; program: 1|bit9; classtype: system-event; sid: 5002925; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CARBONBLACK] Server discovered new certificate"; content: "Server discovered new certificate"; content: "event"; parse_src_ip: 1; program: 1|bit9; classtype: system-event; sid: 5002926; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CARBONBLACK] Disk configuration change detected"; content: "Disk configuration change detected"; content: "event"; parse_src_ip: 1; program: 1|bit9; classtype: system-event; sid: 5002927; rev:2;) sagan-1.2.0/rules/imapd.rules0000644000175000017500000000675613310533411015055 0ustar champchamp# Sagan imapd*.rules # Copyright (c) 2009-2017, Quadrant Information Security # All rights reserved. 
# # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list # #************************************************************* # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
# #************************************************************* alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[IMAPD] User login failed"; pcre: "/Login failed user=|AUTHENTICATE LOGIN failure/i"; default_proto: tcp; default_dst_port: $IMAP_PORT; classtype: unsuccessful-user; parse_src_ip: 1; program: imapd*; reference: url,wiki.quadrantsec.com/bin/view/Main/5000367; sid: 5000367; rev:7;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[IMAPD] Successful login"; content: "Authenticated user="; default_proto: tcp; default_dst_port: $IMAP_PORT; classtype: successful-user; program: imapd*; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5000262; sid: 5000262; rev:6;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[IMAPD] User logout"; content: "Logout user="; default_proto: tcp; default_dst_port: $IMAP_PORT; classtype: not-suspicious; program: imapd*; normalize; reference: url,wiki.quadrantsec.com/bin/view/Main/5000276; sid:5000276; rev:5;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[IMAPD] Exessive login failures"; content: "Login excessive login"; default_proto: tcp; default_dst_port: $IMAP_PORT; classtype: unsuccessful-user; program: imapd*; normalize; parse_src_ip: 1; xbits: set,brute_force,21600; reference: url,wiki.quadrantsec.com/bin/view/Main/5001078; sid: 5001078; rev:6;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[IMAPD] Brute force attack [5/1]"; pcre: "/Login failed user=|AUTHENTICATE LOGIN failure/i"; default_proto: tcp; default_dst_port: $IMAP_PORT; classtype: unsuccessful-user; parse_src_ip: 1; xbits: set,brute_force,21600; after: track by_src, count 5, seconds 300; threshold: type limit, track by_src, count 1, seconds 300; program: imapd*; reference: url,wiki.quadrantsec.com/bin/view/Main/5002947; sid:5002947; rev:2;) sagan-1.2.0/rules/proxy-malware.rules0000644000175000017500000005310313310533411016556 0ustar champchamp# Sagan proxy-malware.rules # Copyright (c) 2009-2017, Quadrant Information 
Security # All rights reserved. # # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list # #************************************************************* # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. # #************************************************************* # These rules can be used to detect malware connections from generic proxy devices. For example, Squid, Apache, # Fortigate firewalls, Bluecoat proxies, etc. They are generic rules meant to look for indications of malware # within a network based on "access" type logs. 
#************************************************************* #alert any $HOME_NET any -> $EXTERNAL_NET $HTTP_PORT (msg: "[PROXY-MALWARE] Pony Trojan"; content: "ponyb/gate.php"; default_proto: tcp; default_dst_port: $HTTP_PORT; classtype: exploit-attempt; reference: url,wiki.quadrantsec.com/bin/view/Main/5001739; sid: 5001739; rev:1;) # Rules create by Robert Nunley (rnunley@quadrantsec.com) - 01/08/2013 #alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[PROXY-MALWARE] Zeus bin Request 1"; content: "/Gallery/IMAG0081.GIF"; parse_src_ip: 1; parse_dst_ip: 2; reference:url,labs.snort.org/papers/zeus.html; default_proto: tcp; default_dst_port: $HTTP_PORT; classtype:trojan-activity; sid: 5001882; rev:3;) #alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[PROXY-MALWARE] Zeus bin Request 2"; content: "/btn001/config.bin"; parse_src_ip: 1; parse_dst_ip: 2; reference:url,labs.snort.org/papers/zeus.html; default_proto: tcp; default_dst_port: $HTTP_PORT; classtype:trojan-activity; sid: 5001883; rev:3;) #alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[PROXY-MALWARE] Zeus bin Request 3"; content: "/bugzy/i.cfg"; parse_src_ip: 1; parse_dst_ip: 2; reference:url,labs.snort.org/papers/zeus.html; default_proto: tcp; default_dst_port: $HTTP_PORT; classtype:trojan-activity; sid: 5001884; rev:3;) #alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[PROXY-MALWARE] Zeus bin Request 4"; content: "/cfg2"; parse_src_ip: 1; parse_dst_ip: 2; reference:url,labs.snort.org/papers/zeus.html; default_proto: tcp; default_dst_port: $HTTP_PORT; classtype:trojan-activity; sid: 5001885; rev:3;) #alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[PROXY-MALWARE] Zeus bin Request 5"; content: "/cfg3.bin"; parse_src_ip: 1; parse_dst_ip: 2; reference:url,labs.snort.org/papers/zeus.html; default_proto: tcp; default_dst_port: $HTTP_PORT; classtype:trojan-activity; sid: 5001886; rev:3;) #alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[PROXY-MALWARE] Zeus bin Request 6"; content: 
"/cnf/trl.jpg"; parse_src_ip: 1; parse_dst_ip: 2; reference:url,labs.snort.org/papers/zeus.html; default_proto: tcp; default_dst_port: $HTTP_PORT; classtype:trojan-activity; sid: 5001887; rev:3;) #alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[PROXY-MALWARE] Zeus bin Request 7"; content: "/config.bin"; parse_src_ip: 1; parse_dst_ip: 2; reference:url,labs.snort.org/papers/zeus.html; default_proto: tcp; default_dst_port: $HTTP_PORT; classtype:trojan-activity; sid: 5001888; rev:3;) #alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[PROXY-MALWARE] Zeus bin Request 8"; content: "/dzen/misc.inc.php"; parse_src_ip: 1; parse_dst_ip: 2; reference:url,labs.snort.org/papers/zeus.html; default_proto: tcp; default_dst_port: $HTTP_PORT; classtype:trojan-activity; sid: 5001889; rev:3;) #alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[PROXY-MALWARE] Zeus bin Request 9"; content: "/film/video.bin"; parse_src_ip: 1; parse_dst_ip: 2; reference:url,labs.snort.org/papers/zeus.html; default_proto: tcp; default_dst_port: $HTTP_PORT; classtype:trojan-activity; sid: 5001890; rev:3;) #alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[PROXY-MALWARE] Zeus bin Request 10"; content: "/ftr/vosmoipoint.bin"; parse_src_ip: 1; parse_dst_ip: 2; reference:url,labs.snort.org/papers/zeus.html; default_proto: tcp; default_dst_port: $HTTP_PORT; classtype:trojan-activity; sid: 5001891; rev:3;) #alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[PROXY-MALWARE] Zeus bin Request 11"; content: "/ftr/vosmoipont.bin"; parse_src_ip: 1; parse_dst_ip: 2; reference:url,labs.snort.org/papers/zeus.html; default_proto: tcp; default_dst_port: $HTTP_PORT; classtype:trojan-activity; sid: 5001892; rev:3;) #alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[PROXY-MALWARE] Zeus bin Request 12"; content: "/gkt/gld44.bin"; parse_src_ip: 1; parse_dst_ip: 2; reference:url,labs.snort.org/papers/zeus.html; default_proto: tcp; default_dst_port: $HTTP_PORT; classtype:trojan-activity; sid: 5001893; rev:3;) 
#alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[PROXY-MALWARE] Zeus bin Request 13"; content: "/good/tlz/cfg.bin"; parse_src_ip: 1; parse_dst_ip: 2; reference:url,labs.snort.org/papers/zeus.html; default_proto: tcp; default_dst_port: $HTTP_PORT; classtype:trojan-activity; sid: 5001894; rev:3;) #alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[PROXY-MALWARE] Zeus bin Request 14"; content: "/gus/pool.doc"; parse_src_ip: 1; parse_dst_ip: 2; reference:url,labs.snort.org/papers/zeus.html; default_proto: tcp; default_dst_port: $HTTP_PORT; classtype:trojan-activity; sid: 5001895; rev:3;) #alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[PROXY-MALWARE] Zeus bin Request 15"; content: "/ii1IGh.aeL8uf"; parse_src_ip: 1; parse_dst_ip: 2; reference:url,labs.snort.org/papers/zeus.html; default_proto: tcp; default_dst_port: $HTTP_PORT; classtype:trojan-activity; sid: 5001896; rev:3;) #alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[PROXY-MALWARE] Zeus bin Request 16"; content: "/im/cfg.bin"; parse_src_ip: 1; parse_dst_ip: 2; reference:url,labs.snort.org/papers/zeus.html; default_proto: tcp; default_dst_port: $HTTP_PORT; classtype:trojan-activity; sid: 5001897; rev:3;) #alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[PROXY-MALWARE] Zeus bin Request 17"; content: "/img/cfg.bin"; parse_src_ip: 1; parse_dst_ip: 2; reference:url,labs.snort.org/papers/zeus.html; default_proto: tcp; default_dst_port: $HTTP_PORT; classtype:trojan-activity; sid: 5001898; rev:3;) #alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[PROXY-MALWARE] Zeus bin Request 18"; content: "/index_files/4jpg.bin"; parse_src_ip: 1; parse_dst_ip: 2; reference:url,labs.snort.org/papers/zeus.html; default_proto: tcp; default_dst_port: $HTTP_PORT; classtype:trojan-activity; sid: 5001899; rev:3;) #alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[PROXY-MALWARE] Zeus bin Request 19"; content: "/inmake/lds/cfg.bin"; parse_src_ip: 1; parse_dst_ip: 2; reference:url,labs.snort.org/papers/zeus.html; 
default_proto: tcp; default_dst_port: $HTTP_PORT; classtype:trojan-activity; sid: 5001900; rev:3;) #alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[PROXY-MALWARE] Zeus bin Request 20"; content: "/kartos/kartos.bin"; parse_src_ip: 1; parse_dst_ip: 2; reference:url,labs.snort.org/papers/zeus.html; default_proto: tcp; default_dst_port: $HTTP_PORT; classtype:trojan-activity; sid: 5001901; rev:3;) #alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[PROXY-MALWARE] Zeus bin Request 21"; content: "/ldr/cfg.bin"; parse_src_ip: 1; parse_dst_ip: 2; reference:url,labs.snort.org/papers/zeus.html; default_proto: tcp; default_dst_port: $HTTP_PORT; classtype:trojan-activity; sid: 5001902; rev:3;) #alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[PROXY-MALWARE] Zeus bin Request 22"; content: "/n2.bin"; parse_src_ip: 1; parse_dst_ip: 2; reference:url,labs.snort.org/papers/zeus.html; default_proto: tcp; default_dst_port: $HTTP_PORT; classtype:trojan-activity; sid: 5001903; rev:3;) #alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[PROXY-MALWARE] Zeus bin Request 23"; content: "/norma/cf5.bin"; parse_src_ip: 1; parse_dst_ip: 2; reference:url,labs.snort.org/papers/zeus.html; default_proto: tcp; default_dst_port: $HTTP_PORT; classtype:trojan-activity; sid: 5001904; rev:3;) #alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[PROXY-MALWARE] Zeus bin Request 24"; content: "/ribbn.tar"; parse_src_ip: 1; parse_dst_ip: 2; reference:url,labs.snort.org/papers/zeus.html; default_proto: tcp; default_dst_port: $HTTP_PORT; classtype:trojan-activity; sid: 5001905; rev:3;) #alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[PROXY-MALWARE] Zeus bin Request 25"; content: "/s2/non.bin"; parse_src_ip: 1; parse_dst_ip: 2; reference:url,labs.snort.org/papers/zeus.html; default_proto: tcp; default_dst_port: $HTTP_PORT; classtype:trojan-activity; sid: 5001906; rev:3;) # Triggers to much on valid sites - 04/12/2014 - Champ Clark III ##alert any $HOME_NET any -> $EXTERNAL_NET any (msg: 
"[PROXY-MALWARE] Zeus bin Request 26"; content: "/sell.jpg"; parse_src_ip: 1; parse_dst_ip: 2; reference:url,labs.snort.org/papers/zeus.html; default_proto: tcp; default_dst_port: $HTTP_PORT; classtype:trojan-activity; sid: 5001907; rev:3;) #alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[PROXY-MALWARE] Zeus bin Request 27"; content: "/test/config.bin"; parse_src_ip: 1; parse_dst_ip: 2; reference:url,labs.snort.org/papers/zeus.html; default_proto: tcp; default_dst_port: $HTTP_PORT; classtype:trojan-activity; sid: 5001908; rev:3;) #alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[PROXY-MALWARE] Zeus bin Request 28"; content: "/ukk/cfg.bin"; parse_src_ip: 1; parse_dst_ip: 2; reference:url,labs.snort.org/papers/zeus.html; default_proto: tcp; default_dst_port: $HTTP_PORT; classtype:trojan-activity; sid: 5001909; rev:3;) #alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[PROXY-MALWARE] Zeus bin Request 29"; content: "/web/cfg.bin"; parse_src_ip: 1; parse_dst_ip: 2; reference:url,labs.snort.org/papers/zeus.html; default_proto: tcp; default_dst_port: $HTTP_PORT; classtype:trojan-activity; sid: 5001910; rev:3;) #alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[PROXY-MALWARE] Zeus bin Request 30"; content: "/z/config1.bin"; parse_src_ip: 1; parse_dst_ip: 2; reference:url,labs.snort.org/papers/zeus.html; default_proto: tcp; default_dst_port: $HTTP_PORT; classtype:trojan-activity; sid: 5001911; rev:3;) #alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[PROXY-MALWARE] Zeus bin Request 31"; content: "/z_bot/what.bin"; parse_src_ip: 1; parse_dst_ip: 2; reference:url,labs.snort.org/papers/zeus.html; default_proto: tcp; default_dst_port: $HTTP_PORT; classtype:trojan-activity; sid: 5001912; rev:3;) #alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[PROXY-MALWARE] Zeus bin Request 32"; content: "/zend/cfg.bin"; parse_src_ip: 1; parse_dst_ip: 2; reference:url,labs.snort.org/papers/zeus.html; default_proto: tcp; default_dst_port: $HTTP_PORT; 
classtype:trojan-activity; sid: 5001913; rev:3;) #alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[PROXY-MALWARE] Zeus bin Request 33"; content: "/zeus/config.bin"; parse_src_ip: 1; parse_dst_ip: 2; reference:url,labs.snort.org/papers/zeus.html; default_proto: tcp; default_dst_port: $HTTP_PORT; classtype:trojan-activity; sid: 5001914; rev:3;) #alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[PROXY-MALWARE] Zeus bin Request 34"; content: "/zs/cfg.bin"; parse_src_ip: 1; parse_dst_ip: 2; reference:url,labs.snort.org/papers/zeus.html; default_proto: tcp; default_dst_port: $HTTP_PORT; classtype:trojan-activity; sid: 5001915; rev:3;) #alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[PROXY-MALWARE] Zeus bin Request 35"; content: "/~am/szkolapanel/zs/config.bin"; parse_src_ip: 1; parse_dst_ip: 2; reference:url,labs.snort.org/papers/zeus.html; default_proto: tcp; default_dst_port: $HTTP_PORT; classtype:trojan-activity; sid: 5001916; rev:3;) #alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[PROXY-MALWARE] Zeus bin Request 36"; content: "/~update/serv/updtsys.bin"; parse_src_ip: 1; parse_dst_ip: 2; reference:url,labs.snort.org/papers/zeus.html; default_proto: tcp; default_dst_port: $HTTP_PORT; classtype:trojan-activity; sid: 5001917; rev:3;) #alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[PROXY-MALWARE] Zeus php Request 1"; content: "/4vnrye74mugh.php"; parse_src_ip: 1; parse_dst_ip: 2; reference:url,labs.snort.org/papers/zeus.html; default_proto: tcp; default_dst_port: $HTTP_PORT; classtype:trojan-activity; sid: 5001918; rev:3;) #alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[PROXY-MALWARE] Zeus php Request 2"; content: "/4vnrye74vmugh.php"; parse_src_ip: 1; parse_dst_ip: 2; reference:url,labs.snort.org/papers/zeus.html; default_proto: tcp; default_dst_port: $HTTP_PORT; classtype:trojan-activity; sid: 5001919; rev:3;) #alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[PROXY-MALWARE] Zeus php Request 3"; content: "/DZ3LOrAFpl.php"; parse_src_ip: 
1; parse_dst_ip: 2; reference:url,labs.snort.org/papers/zeus.html; default_proto: tcp; default_dst_port: $HTTP_PORT; classtype:trojan-activity; sid: 5001920; rev:3;) #alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[PROXY-MALWARE] Zeus php Request 4"; content: "/back11/stat1.php"; parse_src_ip: 1; parse_dst_ip: 2; reference:url,labs.snort.org/papers/zeus.html; default_proto: tcp; default_dst_port: $HTTP_PORT; classtype:trojan-activity; sid: 5001921; rev:3;) #alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[PROXY-MALWARE] Zeus php Request 5"; content: "/btn001/gate.php"; parse_src_ip: 1; parse_dst_ip: 2; reference:url,labs.snort.org/papers/zeus.html; default_proto: tcp; default_dst_port: $HTTP_PORT; classtype:trojan-activity; sid: 5001922; rev:3;) # Triggers to much on valid sites - 04/12/2014 - Champ Clark III ##alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[PROXY-MALWARE] Zeus php Request 6"; content: "/buy.php"; parse_src_ip: 1; parse_dst_ip: 2; reference:url,labs.snort.org/papers/zeus.html; default_proto: tcp; default_dst_port: $HTTP_PORT; classtype:trojan-activity; sid: 5001923; rev:3;) #alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[PROXY-MALWARE] Zeus php Request 7"; content: "/dd7ejr8ehd8jrf.php"; parse_src_ip: 1; parse_dst_ip: 2; reference:url,labs.snort.org/papers/zeus.html; default_proto: tcp; default_dst_port: $HTTP_PORT; classtype:trojan-activity; sid: 5001924; rev:3;) #alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[PROXY-MALWARE] Zeus php Request 8"; content: "/dzen/as9965767.php"; parse_src_ip: 1; parse_dst_ip: 2; reference:url,labs.snort.org/papers/zeus.html; default_proto: tcp; default_dst_port: $HTTP_PORT; classtype:trojan-activity; sid: 5001925; rev:3;) #alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[PROXY-MALWARE] Zeus php Request 9"; content: "/free/wthong.php"; parse_src_ip: 1; parse_dst_ip: 2; reference:url,labs.snort.org/papers/zeus.html; default_proto: tcp; default_dst_port: $HTTP_PORT; 
classtype:trojan-activity; sid: 5001926; rev:3;) #alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[PROXY-MALWARE] Zeus php Request 10"; content: "/gate.php"; parse_src_ip: 1; parse_dst_ip: 2; reference:url,labs.snort.org/papers/zeus.html; default_proto: tcp; default_dst_port: $HTTP_PORT; classtype:trojan-activity; sid: 5001927; rev:3;) #alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[PROXY-MALWARE] Zeus php Request 11"; content: "/good/socialnetworks/all4love/peage.php"; parse_src_ip: 1; parse_dst_ip: 2; reference:url,labs.snort.org/papers/zeus.html; default_proto: tcp; default_dst_port: $HTTP_PORT; classtype:trojan-activity; sid: 5001928; rev:3;) #alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[PROXY-MALWARE] Zeus php Request 12"; content: "/iXeij7Ai.php"; parse_src_ip: 1; parse_dst_ip: 2; reference:url,labs.snort.org/papers/zeus.html; default_proto: tcp; default_dst_port: $HTTP_PORT; classtype:trojan-activity; sid: 5001929; rev:3;) #alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[PROXY-MALWARE] Zeus php Request 13"; content: "/im/s.php"; parse_src_ip: 1; parse_dst_ip: 2; reference:url,labs.snort.org/papers/zeus.html; default_proto: tcp; default_dst_port: $HTTP_PORT; classtype:trojan-activity; sid: 5001930; rev:3;) #alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[PROXY-MALWARE] Zeus php Request 14"; content: "/img/s.php"; parse_src_ip: 1; parse_dst_ip: 2; reference:url,labs.snort.org/papers/zeus.html; default_proto: tcp; default_dst_port: $HTTP_PORT; classtype:trojan-activity; sid: 5001931; rev:3;) # Triggers to much on valid sites - 04/12/2014 - Champ Clark III ##alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[PROXY-MALWARE] Zeus php Request 15"; content: "/index1.php"; parse_src_ip: 1; parse_dst_ip: 2; reference:url,labs.snort.org/papers/zeus.html; default_proto: tcp; default_dst_port: $HTTP_PORT; classtype:trojan-activity; sid: 5001932; rev:3;) #alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[PROXY-MALWARE] Zeus php Request 
16"; content: "/inmake/page/gate.php"; parse_src_ip: 1; parse_dst_ip: 2; reference:url,labs.snort.org/papers/zeus.html; default_proto: tcp; default_dst_port: $HTTP_PORT; classtype:trojan-activity; sid: 5001933; rev:3;) #alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[PROXY-MALWARE] Zeus php Request 17"; content: "/kartos/youyou.php"; parse_src_ip: 1; parse_dst_ip: 2; reference:url,labs.snort.org/papers/zeus.html; default_proto: tcp; default_dst_port: $HTTP_PORT; classtype:trojan-activity; sid: 5001934; rev:3;) #alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[PROXY-MALWARE] Zeus php Request 18"; content: "/test/gate.php"; parse_src_ip: 1; parse_dst_ip: 2; reference:url,labs.snort.org/papers/zeus.html; default_proto: tcp; default_dst_port: $HTTP_PORT; classtype:trojan-activity; sid: 5001935; rev:3;) #alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[PROXY-MALWARE] Zeus php Request 19"; content: "/trl/gate.php"; parse_src_ip: 1; parse_dst_ip: 2; reference:url,labs.snort.org/papers/zeus.html; default_proto: tcp; default_dst_port: $HTTP_PORT; classtype:trojan-activity; sid: 5001936; rev:3;) #alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[PROXY-MALWARE] Zeus php Request 20"; content: "/vvn/ci_g.php"; parse_src_ip: 1; parse_dst_ip: 2; reference:url,labs.snort.org/papers/zeus.html; default_proto: tcp; default_dst_port: $HTTP_PORT; classtype:trojan-activity; sid: 5001937; rev:3;) #alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[PROXY-MALWARE] Zeus php Request 21"; content: "/web/gate.php"; parse_src_ip: 1; parse_dst_ip: 2; reference:url,labs.snort.org/papers/zeus.html; default_proto: tcp; default_dst_port: $HTTP_PORT; classtype:trojan-activity; sid: 5001938; rev:3;) #alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[PROXY-MALWARE] Zeus php Request 22"; content: "/z/s.php"; parse_src_ip: 1; parse_dst_ip: 2; reference:url,labs.snort.org/papers/zeus.html; default_proto: tcp; default_dst_port: $HTTP_PORT; classtype:trojan-activity; sid: 5001939; 
rev:3;) #alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[PROXY-MALWARE] Zeus php Request 23"; content: "/z_bot/bot_adented.php"; parse_src_ip: 1; parse_dst_ip: 2; reference:url,labs.snort.org/papers/zeus.html; default_proto: tcp; default_dst_port: $HTTP_PORT; classtype:trojan-activity; sid: 5001940; rev:3;) #alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[PROXY-MALWARE] Zeus php Request 24"; content: "/zend/gate.php"; parse_src_ip: 1; parse_dst_ip: 2; reference:url,labs.snort.org/papers/zeus.html; default_proto: tcp; default_dst_port: $HTTP_PORT; classtype:trojan-activity; sid: 5001941; rev:3;) #alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[PROXY-MALWARE] Zeus php Request 25"; content: "/zs/gate.php"; parse_src_ip: 1; parse_dst_ip: 2; reference:url,labs.snort.org/papers/zeus.html; default_proto: tcp; default_dst_port: $HTTP_PORT; classtype:trojan-activity; sid: 5001942; rev:3;) # Triggers on tor2web services - 06/09/2014 - Champ Clark III alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[PROXY-MALWARE] Tor2www Request"; content: ".tor2www."; parse_src_ip: 1; parse_dst_ip: 2; reference:url,www.tor2www.com; default_proto: tcp; default_dst_port: $HTTP_PORT; classtype:trojan-activity; sid: 5002061; rev:3;) #alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[PROXY-MALWARE] Tor2web Request"; content: ".tor2web."; parse_src_ip: 1; parse_dst_ip: 2; reference:url,www.tor2web.org; default_proto: tcp; default_dst_port: $HTTP_PORT; classtype:trojan-activity; sid: 5002062; rev:3;) # https://isc.sans.edu/forums/diary/PCRE+for+malware+audits/18949 alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[PROXY-MALWARE] Fiesta malware request"; pcre: "/(http:\/\/[^\x2f]+\/[a-z0-9]{6,}_[0-9]+_[a-f0-9]{32}\.html|\/[a-f0-9]{60,66}(?:\x3b\d+){1,4}|\/\??[a-f0-9]{60,}\x3b1\d{5}\x3b\d{1,3}|\/[0-9a-z]{32}.php\?[a-z]{1,3}=[0-9a-z]{32})/"; parse_src_ip: 1; parse_dst_ip: 2; reference:url,wiki.quadrantsec.com/bin/view/Main/5002214; default_proto: tcp; default_dst_port: 
$HTTP_PORT; classtype:trojan-activity; sid: 5002214; rev:3;) sagan-1.2.0/rules/yubikey.rules0000644000175000017500000000421513310533411015430 0ustar champchamp# Sagan yubikey.rules # Copyright (c) 2009-2017, Quadrant Information Security # All rights reserved. # # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list # #************************************************************* # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
# #************************************************************* alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[YUBIKEY] Invalid OTP"; program: yk_chkpwd; content: "password check failed for user"; after: track by_src, count 5, seconds 300; threshold: type limit, track by_src, count 5, seconds 300; default_proto: tcp; classtype: unsuccessful-user; reference: url,wiki.quadrantsec.com/bin/view/Main/5002735; sid:5002735; rev:2;) sagan-1.2.0/rules/riverbed-geoip.rules0000644000175000017500000000462513310533411016657 0ustar champchamp# Sagan riverbed-geoip.rules # Copyright (c) 2009-2017, Quadrant Information Security # All rights reserved. # # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list # #************************************************************* # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. 
IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. # #************************************************************* # SSH logins are covered for Riverbed via the openssh.rules and openssh-geoip.rules # Champ Clark (04/15/2014) # 10.3.1.1|local1|notice|notice|8d|2014-04-16|13:41:29|webasd| [web.NOTICE]: web: User bob logged in from 10.7.8.1, session count: 1. alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[RIVERBED-GEOIP] Administrator Login outside of HOME_COUNTRY"; content: "logged in"; parse_src_ip: 1; default_proto: tcp; default_dst_port: $HTTPS_PORT; classtype: successful-admin; country_code: track by_src, isnot $HOME_COUNTRY; reference: url,wiki.quadrantsec.com/bin/view/Main/5002032; program: webasd; sid: 5002032; rev:3;) sagan-1.2.0/rules/web-attack.rules0000644000175000017500000007620313310533411015777 0ustar champchamp# Sagan web-attack.rules # Copyright (c) 2009-2017, Quadrant Information Security # All rights reserved. # # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list # #************************************************************* # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. 
# * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. # #************************************************************* # # These are used to identify web attacks from Apache, IIS and other "access" logs. 
# Added by Robert Nunley (rnunley@quadantsec.com) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WEB-ATTACKS] Havij SQL Injection Tool Identified"; content: "0x31303235343830303536"; default_proto:tcp; default_dst_port: $HTTP_PORT; classtype: web-application-attack; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001699; sid: 5001699; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WEB-ATTACKS] UNION ALL SELECT in URL - Possible SQL Injection"; content: "0%27%20union%20all%20select%20"; nocase; default_proto:tcp; default_dst_port: $HTTP_PORT; classtype: web-application-attack; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001700; sid: 5001700; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WEB-ATTACKS] SQL Injection Using Encapsulated Data - x=x"; content: "%20and%20%27x%27%3D%27x"; nocase; default_proto:tcp; default_dst_port: $HTTP_PORT; classtype: web-application-attack; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001701; sid: 5001701; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WEB-ATTACKS] SQL Injection Using Encapsulated Data - 1=1"; content: "%20and%20%271%27%3D%271"; nocase; default_proto:tcp; default_dst_port: $HTTP_PORT; classtype: web-application-attack; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001702; sid: 5001702; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WEB-ATTACKS] SQL Injection Using Hex Encoding"; content: "concat"; content: "unhex"; nocase; default_proto:tcp; default_dst_port: $HTTP_PORT; classtype: web-application-attack; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001703; sid: 5001703; rev:2;) # Added by Robert Nunley (Nov272013) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WEB-ATTACKS] Absinthe SQL Injection Tool HTTP Header Detected"; content:"User-Agent"; content: "Absinthe"; parse_src_ip: 1; parse_dst_ip: 2; nocase; 
reference:url,0x90.org/releases/absinthe; reference:url,doc.emergingthreats.net/2009555; xbits: set, recon, 86400; default_proto:tcp; default_dst_port: $HTTP_PORT; classtype:attempted-recon; sid:5001864; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WEB-ATTACKS] bsqlbf Brute Force SQL Injection"; content:"User-Agent"; content: "bsqlbf"; nocase; parse_src_ip: 1; parse_dst_ip: 2; reference:url,code.google.com/p/bsqlbf-v2/; reference:url,doc.emergingthreats.net/2008362; default_proto:tcp; default_dst_port: $HTTP_PORT; classtype:web-application-activity; sid:5001792; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WEB-ATTACKS] Cisco Torch IOS HTTP Scan"; content:"User-Agent"; content: "Cisco-torch"; parse_src_ip: 1; parse_dst_ip: 2; reference:url,www.hackingexposedcisco.com/?link=tools; reference:url,www.securiteam.com/tools/5EP0F1FEUA.html; reference:url,doc.emergingthreats.net/2008415; xbits: set, recon, 86400; default_proto:tcp; default_dst_port: $HTTP_PORT; classtype:attempted-recon; sid:5001793; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WEB-ATTACKS] Core-Project Scanning Bot UA Detected"; content:"User-Agent"; content: "core-project/1.0"; parse_src_ip: 1; parse_dst_ip: 2; default_proto:tcp; default_dst_port: $HTTP_PORT; classtype:web-application-activity; sid:5001794; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WEB-ATTACKS] crimscanner User-Agent detected"; content:"GET"; nocase; content:"User-Agent"; content: "crimscanner"; nocase; parse_src_ip: 1; parse_dst_ip: 2; reference:url,doc.emergingthreats.net/2010954; default_proto:tcp; default_dst_port: $HTTP_PORT; classtype:network-scan; sid:5001795; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WEB-ATTACKS] DavTest WebDav Vulnerability Scanner Default User Agent Detected"; content:"User-Agent"; content: "DAV.pm"; parse_src_ip: 1; parse_dst_ip: 2; reference:url,www.darknet.org.uk/2010/04/davtest-webdav-vulerability-scanning-scanner-tool/; 
reference:url,code.google.com/p/davtest/; reference:url,doc.emergingthreats.net/2011089; xbits: set, recon, 86400; default_proto:tcp; default_dst_port: $HTTP_PORT; classtype:attempted-recon; sid:5001796; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WEB-ATTACKS] DirBuster Web App Scan in Progress"; content:"User-Agent"; content: "DirBuster"; parse_src_ip: 1; parse_dst_ip: 2; reference:url,owasp.org; reference:url,doc.emergingthreats.net/2008186; default_proto:tcp; default_dst_port: $HTTP_PORT; classtype:web-application-attack; sid:5001797; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WEB-ATTACKS] Possible Fast-Track Tool Spidering User-Agent Detected"; content:"User-Agent"; content: "pymills-spider"; parse_src_ip: 1; parse_dst_ip: 2; reference:url,www.offensive-security.com/metasploit-unleashed/Fast-Track-Modes; reference:url,doc.emergingthreats.net/2011721; xbits: set, recon, 86400; default_proto:tcp; default_dst_port: $HTTP_PORT; classtype:attempted-recon; sid:5001798; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WEB-ATTACKS] Suspicious User-Agent - get-minimal - Possible Vuln Scan"; content:"User-Agent"; content: "get-minimal"; parse_src_ip: 1; parse_dst_ip: 2; reference:url,doc.emergingthreats.net/2003634; default_proto:tcp; default_dst_port: $HTTP_PORT; classtype:attempted-admin; sid:5001799; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WEB-ATTACKS] Grabber.py Web Scan Detected"; content:"User-Agent"; content: "Grabber"; parse_src_ip: 1; parse_dst_ip: 2; reference:url,rgaucher.info/beta/grabber/; reference:url,doc.emergingthreats.net/2009483; xbits: set, recon, 86400; default_proto:tcp; default_dst_port: $HTTP_PORT; classtype:attempted-recon; sid:5001800; rev:2;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WEB-ATTACKS] Grendel Web Scan - Default User Agent Detected [0/5]"; content:"User-Agent"; content: "Mozilla/5.0"; content: "Grendel-Scan"; nocase; content:"http://www.grendel-scan.com"; 
nocase; threshold: type threshold, track by_dst, count 50, seconds 60; parse_src_ip: 1; parse_dst_ip: 2; reference:url,www.grendel-scan.com; reference:url,doc.emergingthreats.net/2009480; xbits: set, recon, 86400; default_proto:tcp; default_dst_port: $HTTP_PORT; classtype:attempted-recon; sid:5001801; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WEB-ATTACKS] Grendel Web Scan - Default User Agent Detected"; content:"User-Agent"; content: "Mozilla/5.0"; content: "Grendel-Scan"; nocase; content:"http://www.grendel-scan.com"; nocase; parse_src_ip: 1; parse_dst_ip: 2; reference:url,www.grendel-scan.com; reference:url,doc.emergingthreats.net/2009480; xbits: set, recon, 86400; default_proto:tcp; default_dst_port: $HTTP_PORT; classtype:attempted-recon; sid:5001863; rev:3;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WEB-ATTACKS] Hmap Webserver Fingerprint Scan"; content:"GET"; nocase; content:"HTTP/1.0"; content: "User-Agent"; content: "Mozilla"; content: "4.75 [en] |28|Windows NT 5.0"; parse_src_ip: 1; parse_dst_ip: 2; reference:url,www.ujeni.murkyroc.com/hmap/; reference:url,doc.emergingthreats.net/2008537; xbits: set, recon, 86400; default_proto:tcp; default_dst_port: $HTTP_PORT; classtype:attempted-recon; sid:5001802; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WEB-ATTACKS] Mini MySqlatOr SQL Injection Scanner"; content:"User-Agent"; content: "prog.CustomCrawler"; parse_src_ip: 1; parse_dst_ip: 2; reference:url,www.scrt.ch/pages_en/minimysqlator.html; reference:url,doc.emergingthreats.net/2008729; xbits: set, recon, 86400; default_proto:tcp; default_dst_port: $HTTP_PORT; classtype:attempted-recon; sid:5001803; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WEB-ATTACKS] Default Mysqloit User Agent Detected - Mysql Injection Takover Tool"; content: "User-Agent"; content: "Mysqloit"; parse_src_ip: 1; parse_dst_ip: 2; reference:url,code.google.com/p/mysqloit/; reference:url,doc.emergingthreats.net/2009882; xbits: set, 
recon, 86400; default_proto:tcp; default_dst_port: $HTTP_PORT; classtype:attempted-recon; sid:5001804; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WEB-ATTACKS] Nmap Scripting Engine User-Agent Detected - Nmap NSE"; content: "User-Agent"; content: "Nmap NSE"; parse_src_ip: 1; parse_dst_ip: 2; reference:url,doc.emergingthreats.net/2009359; default_proto:tcp; default_dst_port: $HTTP_PORT; classtype:web-application-attack; sid:5001805; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WEB-ATTACKS] Nmap Scripting Engine User-Agent Detected - Nmap Scripting Engine"; content: "User-Agent"; content: "Mozilla/5.0"; content: "Nmap Scripting Engine"; nocase; parse_src_ip: 1; parse_dst_ip: 2; reference:url,doc.emergingthreats.net/2009358; default_proto:tcp; default_dst_port: $HTTP_PORT; classtype:web-application-attack; sid:5001806; rev:2;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WEB-ATTACKS] Nessus User Agent"; content:"User-Agent"; nocase; content:"Nessus"; nocase; threshold: type limit, track by_src,count 1, seconds 60; parse_src_ip: 1; parse_dst_ip: 2; reference:url,www.nessus.org; reference:url,doc.emergingthreats.net/2002664; xbits: set, recon, 86400; default_proto:tcp; default_dst_port: $HTTP_PORT; classtype:attempted-recon; sid:5001807; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WEB-ATTACKS] Nessus User Agent"; content: "User-Agent"; nocase; content: "Nessus"; nocase; content: !"www.nessus.org"; nocase; parse_src_ip: 1; parse_dst_ip: 2; reference:url,www.nessus.org; reference:url,doc.emergingthreats.net/2002664; xbits: set, recon, 86400; default_proto:tcp; default_dst_port: $HTTP_PORT; classtype:attempted-recon; sid:5001865; rev:3;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WEB-ATTACKS] Netsparker Default User-Agent"; content: "User-Agent"; content: " Netsparker"; parse_src_ip: 1; parse_dst_ip: 2; reference:url,www.mavitunasecurity.com/communityedition/; xbits: set, recon, 86400; default_proto:tcp; 
default_dst_port: $HTTP_PORT; classtype:attempted-recon; sid:5001808; rev:2;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WEB-ATTACKS] Nikto Web App Scan in Progress"; content:"User-Agent"; content: "Mozilla/4.75 (Nikto"; threshold: type both, count 5, seconds 60, track by_src; parse_src_ip: 1; parse_dst_ip: 2; reference:url,www.cirt.net/code/nikto.shtml; reference:url,doc.emergingthreats.net/2002677; default_proto:tcp; default_dst_port: $HTTP_PORT; classtype:web-application-attack; sid:5001809; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WEB-ATTACKS] Nikto Web App Scan in Progress"; content: "User-Agent"; content: "Nikto"; parse_src_ip: 1; parse_dst_ip: 2; reference:url,www.cirt.net/code/nikto.shtml; reference:url,doc.emergingthreats.net/2002677; default_proto:tcp; default_dst_port: $HTTP_PORT; classtype:web-application-attack; sid:5001866; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WEB-ATTACKS] Paros Proxy Scanner Detected"; content: "User-Agent"; content: "Paros"; parse_src_ip: 1; parse_dst_ip: 2; reference:url,www.parosproxy.org; reference:url,doc.emergingthreats.net/2008187; xbits: set, recon, 86400; default_proto:tcp; default_dst_port: $HTTP_PORT; classtype:attempted-recon; sid:5001810; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WEB-ATTACKS] SQL Injection Attempt (Agent uil2pn)"; content: "User-Agent"; content: "uil2pn"; parse_src_ip: 1; parse_dst_ip: 2; reference:url,www.prevx.com/filenames/89385984947861762-X1/UIL2PN.EXE.html; reference:url,doc.emergingthreats.net/2010215; default_proto:tcp; default_dst_port: $HTTP_PORT; classtype:web-application-attack; sid:5001811; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WEB-ATTACKS] SQL Power Injector SQL Injection User Agent Detected"; content: "User-Agent"; content: "SQL Power Injector"; content:"Security tool (Make sure it is used with the administrator consent)"; parse_src_ip: 1; parse_dst_ip: 2; 
reference:url,www.sqlpowerinjector.com/index.htm; reference:url,en.wikipedia.org/wiki/Sql_injection; reference:url,doc.emergingthreats.net/2009769; xbits: set, recon, 86400; default_proto:tcp; default_dst_port: $HTTP_PORT; classtype:attempted-recon; sid:5001812; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WEB-ATTACKS] Sqlmap SQL Injection Scan"; content: "User-Agent"; content: "sqlmap"; parse_src_ip: 1; parse_dst_ip: 2; reference:url,sqlmap.sourceforge.net; reference:url,doc.emergingthreats.net/2008538; xbits: set, recon, 86400; default_proto:tcp; default_dst_port: $HTTP_PORT; classtype:attempted-recon; sid:5001813; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WEB-ATTACKS] Skipfish Web Application Scan Detected"; content: "User-Agent"; content: "Mozilla/5.0 SF"; parse_src_ip: 1; parse_dst_ip: 2; reference:url,isc.sans.org/diary.html?storyid=8467; reference:url,code.google.com/p/skipfish/; reference:url,doc.emergingthreats.net/2010953; xbits: set, recon, 86400; default_proto:tcp; default_dst_port: $HTTP_PORT; classtype:attempted-recon; sid:5001814; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WEB-ATTACKS] Skipfish Web Application Scan Detected (2)"; content: "GET"; content: ".old"; content: "User-Agent"; content: "Mozilla/5.0 SF/"; parse_src_ip: 1; parse_dst_ip: 2; reference:url,isc.sans.org/diary.html?storyid=8467; reference:url,code.google.com/p/skipfish/; reference:url,doc.emergingthreats.net/2010956; xbits: set, recon, 86400; default_proto:tcp; default_dst_port: $HTTP_PORT; classtype:attempted-recon; sid:5001815; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WEB-ATTACKS] Springenwerk XSS Scanner User-Agent Detected"; content:"User-Agent"; content: "Springenwerk"; nocase; reference:url,springenwerk.org/; parse_src_ip: 1; parse_dst_ip: 2; reference:url,doc.emergingthreats.net/2010508; xbits: set, recon, 86400; default_proto:tcp; default_dst_port: $HTTP_PORT; classtype:attempted-recon; sid:5001816; 
rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WEB-ATTACKS] Suspicious User-Agent inbound (bot)"; content: "User-Agent"; content: "bot/"; nocase; threshold: type limit, count 3, seconds 300, track by_src; parse_src_ip: 1; parse_dst_ip: 2; reference:url,doc.emergingthreats.net/bin/view/Main/2008228; default_proto:tcp; default_dst_port: $HTTP_PORT; classtype:trojan-activity; sid:5001817; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WEB-ATTACKS] Toata Scanner User-Agent Detected"; content: "User-Agent"; content: "Toata dragostea"; parse_src_ip: 1; parse_dst_ip: 2; reference:url,isc.sans.org/diary.html?storyid=5599; reference:url,doc.emergingthreats.net/2009159; xbits: set, recon, 86400; default_proto:tcp; default_dst_port: $HTTP_PORT; classtype:attempted-recon; sid:5001818; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WEB-ATTACKS] Tomcat Web Application Manager scanning"; content: "GET"; nocase; content: "/manager/html"; nocase; content: "User-Agent"; content: "Mozilla/3.0"; content: "Indy Library)"; content: "Authorization"; content: "Basic"; parse_src_ip: 1; parse_dst_ip: 2; reference:url,doc.emergingthreats.net/2010019; xbits: set, recon, 86400; default_proto:tcp; default_dst_port: $HTTP_PORT; classtype:attempted-recon; sid:5001819; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WEB-ATTACKS] Suspicious User-Agent Containing SQL Inject/ion, Likely SQL Injection Scanner"; content: "User-Agent"; content: "SQL"; nocase; content: "Inject"; nocase; parse_src_ip: 1; parse_dst_ip: 2; reference:url,www.owasp.org/index.php/SQL_Injection; reference:url,doc.emergingthreats.net/2010087; xbits: set, recon, 86400; default_proto:tcp; default_dst_port: $HTTP_PORT; classtype:attempted-recon; sid:5001820; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WEB-ATTACKS] Suspicious User-Agent Containing Web Scan/er, Likely Web Scanner"; content: "User-Agent"; content: "web"; nocase; content:"scan"; nocase; 
parse_src_ip: 1; parse_dst_ip: 2; reference:url,doc.emergingthreats.net/2010088; xbits: set, recon, 86400; default_proto:tcp; default_dst_port: $HTTP_PORT; classtype:attempted-recon; sid:5001821; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WEB-ATTACKS] Suspicious User-Agent Containing Security Scan/ner, Likely Scan"; content: "User-Agent"; content: "security"; nocase; content:"scan"; nocase; parse_src_ip: 1; parse_dst_ip: 2; reference:url,doc.emergingthreats.net/2010089; xbits: set, recon, 86400; default_proto:tcp; default_dst_port: $HTTP_PORT; classtype:attempted-recon; sid:5001822; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WEB-ATTACKS] w3af User Agent"; content: "User-Agent"; content: "w3af.sourceforge.net"; parse_src_ip: 1; parse_dst_ip: 2; reference:url,w3af.sourceforge.net; reference:url,doc.emergingthreats.net/2007757; xbits: set, recon, 86400; default_proto:tcp; default_dst_port: $HTTP_PORT; classtype:attempted-recon; sid:5001823; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WEB-ATTACKS] WSFuzzer Web Application Fuzzing"; content: "/ServiceDefinition"; content: "User-Agent"; content: "Python-urllib"; parse_src_ip: 1; parse_dst_ip: 2; reference:url,www.owasp.org/index.php/Category%3aOWASP_WSFuzzer_Project; reference:url,doc.emergingthreats.net/2008628; xbits: set, recon, 86400; default_proto:tcp; default_dst_port: $HTTP_PORT; classtype:attempted-recon; sid:5001824; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WEB-ATTACKS] Wapiti Web Server Vulnerability Scan"; content: "GET"; content: "?http"; content: "//www.google."; nocase; content: "User-Agent"; content: "Python-httplib2"; parse_src_ip: 1; parse_dst_ip: 2; reference:url,wapiti.sourceforge.net/; reference:url,doc.emergingthreats.net/2008417; xbits: set, recon, 86400; default_proto:tcp; default_dst_port: $HTTP_PORT; classtype:attempted-recon; sid:5001825; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WEB-ATTACKS] WebHack 
Control Center User-Agent Inbound (WHCC/)"; content: "User-Agent"; content: "WHCC"; nocase; parse_src_ip: 1; parse_dst_ip: 2; reference:url,www.governmentsecurity.org/forum/index.php?showtopic=5112&pid=28561&mode=threaded&start=; reference:url,doc.emergingthreats.net/2003924; default_proto:tcp; default_dst_port: $HTTP_PORT; classtype:trojan-activity; sid:5001826; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WEB-ATTACKS] Open-Proxy ScannerBot (webcollage-UA) "; content:"User-Agent"; content: "webcollage/1.135a"; nocase; parse_src_ip: 1; parse_dst_ip: 2; reference:url, stateofsecurity.com/?p=526; reference:url,www.botsvsbrowsers.com/details/214715/index.html; reference:url,doc.emergingthreats.net/2010768; default_proto:tcp; default_dst_port: $HTTP_PORT; classtype:bad-unknown; sid:5001827; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WEB-ATTACKS] WebShag Web Application Scan Detected"; content: "User-Agent"; content: "webshag"; parse_src_ip: 1; parse_dst_ip: 2; reference:url,www.scrt.ch/pages_en/outils.html; reference:url,doc.emergingthreats.net/2009158; xbits: set, recon, 86400; default_proto:tcp; default_dst_port: $HTTP_PORT; classtype:attempted-recon; sid:5001828; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WEB-ATTACKS] WhatWeb Web Application Fingerprint Scanner Default User-Agent Detected"; content: "User-Agent"; content: "WhatWeb"; parse_src_ip: 1; parse_dst_ip: 2; reference:url,www.morningstarsecurity.com/research/whatweb; reference:url,doc.emergingthreats.net/2010960; xbits: set, recon, 86400; default_proto:tcp; default_dst_port: $HTTP_PORT; classtype:attempted-recon; sid:5001829; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WEB-ATTACKS] WITOOL SQL Injection Scan"; content: "union+select"; content: "select+user"; content: "User-Agent"; content: "Mozilla/4.0 (compatible"; content: "MSIE 6.0"; content: "Windows NT 5.0"; content: "MyIE2"; parse_src_ip: 1; parse_dst_ip: 2; 
reference:url,witool.sourceforge.net/; reference:url,doc.emergingthreats.net/2009833; xbits: set, recon, 86400; default_proto:tcp; default_dst_port: $HTTP_PORT; classtype:attempted-recon; sid:5001830; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WEB-ATTACKS] ZmEu exploit scanner"; content: "User-Agent"; content: "Made by ZmEu"; parse_src_ip: 1; parse_dst_ip: 2; reference:url,doc.emergingthreats.net/2010715; default_proto:tcp; default_dst_port: $HTTP_PORT; classtype:web-application-attack; sid:5001831; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WEB-ATTACKS] Possible jBroFuzz Fuzzer Detected"; content: "Host"; content: "localhost"; content:"User-Agent"; content: "Mozilla/5.0 (Windows"; content: "Windows NT 5.1"; content: "en-GB"; content: "Gecko/20061204 Firefox/2.0.0.1"; parse_src_ip: 1; parse_dst_ip: 2; reference:url,www.owasp.org/index.php/Category%3aOWASP_JBroFuzz; reference:url,doc.emergingthreats.net/2009476; xbits: set, recon, 86400; default_proto:tcp; default_dst_port: $HTTP_PORT; classtype:attempted-recon; sid:5001832; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WEB-ATTACKS] Hydra User-Agent"; content: "User-Agent"; content: "Mozilla/4.0 (Hydra)"; nocase; threshold: type limit, track by_src,count 1, seconds 60; parse_src_ip: 1; parse_dst_ip: 2; reference:url,freeworld.thc.org/thc-hydra; xbits: set, recon, 86400; default_proto:tcp; default_dst_port: $HTTP_PORT; classtype:attempted-recon; sid:5001833; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WEB-ATTACKS] Inspathx Path Disclosure Scanner User-Agent Detected"; content: "User-Agent"; content: "inspath [path disclosure finder"; threshold:type limit, count 1, seconds 30, track by_src; parse_src_ip: 1; parse_dst_ip: 2; reference:url,code.google.com/p/inspathx/; reference:url,www.darknet.org.uk/2010/09/inspathx-tool-for-finding-path-disclosure-vulnerabilities/; xbits: set, recon, 86400; default_proto:tcp; default_dst_port: $HTTP_PORT; 
classtype:attempted-recon; sid:5001834; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WEB-ATTACKS] Medusa User-Agent"; content: "User-Agent"; content: "Teh Forest Lobster"; nocase; threshold: type limit, track by_src,count 1, seconds 60; parse_src_ip: 1; parse_dst_ip: 2; reference:url,www.foofus.net/~jmk/medusa/medusa.html; xbits: set, recon, 86400;default_proto:tcp; default_dst_port: $HTTP_PORT; classtype:attempted-recon; sid:5001835; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WEB-ATTACKS] DotDotPwn User-Agent"; content: "User-Agent"; content: "DotDotPwn"; nocase; threshold:type limit, track by_src,count 1, seconds 60; parse_src_ip: 1; parse_dst_ip: 2; reference:url,dotdotpwn.sectester.net; xbits: set, recon, 86400;default_proto:tcp; default_dst_port: $HTTP_PORT; classtype:attempted-recon; sid:5001836; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WEB-ATTACKS] Havij SQL Injection Tool User-Agent Inbound"; content: "User-Agent"; content: " Havij"; content: "Connection: "; parse_src_ip: 1; parse_dst_ip: 2; reference:url,itsecteam.com/en/projects/project1.htm; default_proto:tcp; default_dst_port: $HTTP_PORT; classtype:web-application-attack; sid:5001838; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WEB-ATTACKS] OpenVAS User-Agent Inbound"; content: "User-Agent"; content: "OpenVAS"; parse_src_ip: 1; parse_dst_ip: 2; reference:url,openvas.org; xbits: set, recon, 86400;default_proto:tcp; default_dst_port: $HTTP_PORT; classtype:attempted-recon; sid:5001839; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WEB-ATTACKS] ZmEu Scanner User-Agent Inbound"; content: "User-Agent"; content: "ZmEu"; parse_src_ip: 1; parse_dst_ip: 2; default_proto:tcp; default_dst_port: $HTTP_PORT; classtype:trojan-activity; sid:5001840; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WEB-ATTACKS] Internal Dummy Connection User-Agent Inbound"; content: "User-Agent"; content:"(internal dummy connection)"; 
parse_src_ip: 1; parse_dst_ip: 2; default_proto:tcp; default_dst_port: $HTTP_PORT; classtype:trojan-activity; sid:5001841; rev:2;) alert any any any -> $HOME_NET any (msg: "[WEB-ATTACKS] DominoHunter Security Scan in Progress"; content: "User-Agent"; content: "DominoHunter"; nocase; parse_src_ip: 1; parse_dst_ip: 2; reference:url,packetstormsecurity.org/files/31653/DominoHunter-0.92.zip.html; default_proto:tcp; default_dst_port: $HTTP_PORT; classtype:web-application-attack; sid:5001842; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WEB-ATTACKS] Vega Web Application Scan"; content: !"Vegas"; content: "Vega"; content: "User-Agent"; parse_src_ip: 1; parse_dst_ip: 2; reference:url,www.subgraph.com/products.html; reference:url,www.darknet.org.uk/2011/07/vega-open-source-cross-platform-web-application-security-assessment-platform/; xbits: set, recon, 86400; default_proto:tcp; default_dst_port: $HTTP_PORT; classtype:attempted-recon; sid:5001843; rev:3;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WEB-ATTACKS] FHScan core User-Agent Detect"; content: "FHScan Core "; parse_src_ip: 1; parse_dst_ip: 2; reference:url,www.tarasco.org/security/FHScan_Fast_HTTP_Vulnerability_Scanner/index.html; xbits: set, recon, 86400; default_proto:tcp; default_dst_port: $HTTP_PORT; classtype:attempted-recon; sid:5001844; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WEB-ATTACKS] w3af User-Agent 2"; content: "User-Agent"; content:"w3af.sf.net"; parse_src_ip: 1; parse_dst_ip: 2; xbits: set, recon, 86400; default_proto:tcp; default_dst_port: $HTTP_PORT; classtype:attempted-recon; sid:5001845; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WEB-ATTACKS] RFI Attempt"; content: "index.php?cmd="; content: "page="; default_proto:tcp; default_dst_port: $HTTP_PORT; classtype: web-application-attack; parse_src_ip: 1; reference: url,www.doomedraven.com/2013/05/cheat-sheet-web-application-exploitation.html; sid:5002736; rev:2;) alert any $EXTERNAL_NET any 
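-> $HOME_NET any (msg: "[WEB-ATTACKS] Possible LFI Attempt"; content:"index.php?system="; default_proto:tcp; default_dst_port: $HTTP_PORT; classtype: web-application-attack; parse_src_ip: 1; reference: url,www.doomedraven.com/2013/05/cheat-sheet-web-application-exploitation.html; sid: 5002737; rev:2;)
# sids 5002737-5002748: the 'content' option was not terminated with ';' before default_proto, so the
# remaining options of each rule were glued onto the content token instead of being read as separate
# options. Each content option now ends with ';' (the matched strings are unchanged); rev values left as-is.
# NOTE(review): 5002739 matches the same string as 5002738 (/wp-login.php) despite its "Webshell" message;
# the intended pattern is not recoverable from this file - confirm with the rule author.
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WEB-ATTACKS] Attempt to Access Default WordPress Login Page"; content:"/wp-login.php"; default_proto:tcp; default_dst_port: $HTTP_PORT; classtype: web-application-attack; parse_src_ip: 1; reference: url,www.doomedraven.com/2013/05/cheat-sheet-web-application-exploitation.html; sid: 5002738; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WEB-ATTACKS] Attempt to Access a Webshell via WordPress"; content:"/wp-login.php"; default_proto:tcp; default_dst_port: $HTTP_PORT; classtype: web-application-attack; parse_src_ip: 1; reference: url,www.doomedraven.com/2013/05/cheat-sheet-web-application-exploitation.html; sid: 5002739; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WEB-ATTACKS] Attempt to Access Default Cacti Login Page"; content:"/include/config.php"; default_proto:tcp; default_dst_port: $HTTP_PORT; classtype: web-application-attack; parse_src_ip: 1; reference: url,www.doomedraven.com/2013/05/cheat-sheet-web-application-exploitation.html; sid: 5002740; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WEB-ATTACKS] Attempt to Access PHPMyAdmin Changelog Page"; content:"/changelog.php"; default_proto:tcp; default_dst_port: $HTTP_PORT; classtype: web-application-attack; parse_src_ip: 1; reference: url,www.doomedraven.com/2013/05/cheat-sheet-web-application-exploitation.html; sid: 5002741; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WEB-ATTACKS] Attempt to Access robots.txt File"; content:"robots.txt"; default_proto:tcp; default_dst_port: $HTTP_PORT; classtype: web-application-attack; parse_src_ip: 1; reference: url,www.doomedraven.com/2013/05/cheat-sheet-web-application-exploitation.html; sid: 5002742; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WEB-ATTACKS] Possible SQL Injection"; content:"|3b|--"; default_proto:tcp; default_dst_port: $HTTP_PORT; classtype: web-application-attack; parse_src_ip: 1; reference: url,www.doomedraven.com/2013/05/cheat-sheet-web-application-exploitation.html; sid: 5002743; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WEB-ATTACKS] Attempt to Access Default Drupal DB Config File"; content:"/sites/default/settings.php"; default_proto:tcp; default_dst_port: $HTTP_PORT; classtype: web-application-attack; parse_src_ip: 1; reference: url,www.doomedraven.com/2013/05/cheat-sheet-web-application-exploitation.html; sid: 5002744; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WEB-ATTACKS] Attempt to Access Default Joomla Page"; content:"/configuration.php"; default_proto:tcp; default_dst_port: $HTTP_PORT; classtype: web-application-attack; parse_src_ip: 1; reference: url,www.doomedraven.com/2013/05/cheat-sheet-web-application-exploitation.html; sid: 5002745; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WEB-ATTACKS] Attempt to Access PHP Timeclock Page"; content:"/db.php"; default_proto:tcp; default_dst_port: $HTTP_PORT; classtype: web-application-attack; parse_src_ip: 1; reference: url,www.doomedraven.com/2013/05/cheat-sheet-web-application-exploitation.html; sid: 5002746; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WEB-ATTACKS] Attempt to Access default DeV!L`s ClanPortal Page"; content:"/inc/mysql.php"; default_proto:tcp; default_dst_port: $HTTP_PORT; classtype: web-application-attack; parse_src_ip: 1; reference: url,www.doomedraven.com/2013/05/cheat-sheet-web-application-exploitation.html; sid: 5002747; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WEB-ATTACKS] Attempt to Access IISamples Page"; content:"/iisamples"; default_proto:tcp; default_dst_port: $HTTP_PORT; 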
classtype: web-application-attack; parse_src_ip: 1; reference: url,www.doomedraven.com/2013/05/cheat-sheet-web-application-exploitation.html; sid: 5002748; rev:2;) sagan-1.2.0/rules/xinetd.rules0000644000175000017500000001352213310533411015243 0ustar champchamp# Sagan xinetd.rules # Copyright (c) 2009-2017, Quadrant Information Security # All rights reserved. # # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list # #************************************************************* # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
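#
#*************************************************************
#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[XINETD] Removing service"; content: "removing"; classtype: system-event; program: xinetd; reference: url,wiki.quadrantsec.com/bin/view/Main/5000256; sid: 5000256; rev:2;)
#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[XINETD] Starting service"; content: "Started working"; classtype: system-event; program: xinetd; reference: url,wiki.quadrantsec.com/bin/view/Main/5000257; sid: 5000257; rev:2;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[XINETD] Excessive number connections to a service"; content: "deactivating service"; nocase; classtype: attempted-dos; program: xinetd; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5000379; sid: 5000379; rev:4;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[XINETD] Telnet connection from remote host"; content: "START"; content: "telnet"; default_proto: tcp; default_dst_port: $TELNET_PORT; classtype: not-suspicious; program: xinetd; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5000247; sid: 5000247; rev:5;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[XINETD] Telnet connection exit"; content: "EXIT"; content: "telnet"; default_proto: tcp; default_dst_port: $TELNET_PORT; classtype: not-suspicious; program: xinetd; reference: url,wiki.quadrantsec.com/bin/view/Main/5000248; sid: 5000248; rev:3;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[XINETD] POP3 connection from remote host"; content: "START"; content: "pop-3"; default_proto: tcp; default_dst_port: $POP3_PORT; classtype: not-suspicious; program: xinetd; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5000249; sid: 5000249; rev:5;)
# 5000250 previously carried default_dst_port: $TELNET_PORT (copied from the telnet rules above); it now
# uses $POP3_PORT like its START counterpart 5000249 so the fallback destination port in alerts is correct.
# rev bumped 3 -> 4 for the change.
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[XINETD] POP3 connection exit"; content: "EXIT"; content: "pop-3"; default_proto: tcp; default_dst_port: $POP3_PORT; classtype: not-suspicious; program: xinetd; reference: url,wiki.quadrantsec.com/bin/view/Main/5000250; sid: 5000250; rev:4;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[XINETD] IMAP2 connection from remote host"; content: "START"; content: "imap2"; default_proto: tcp; default_dst_port: $IMAP_PORT; classtype: not-suspicious; program: xinetd; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5000251; sid: 5000251; rev:3;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[XINETD] IMAP2 connection exit"; content: "EXIT"; content: "imap2"; default_proto: tcp; default_dst_port: $IMAP_PORT; classtype: not-suspicious; program: xinetd; reference: url,wiki.quadrantsec.com/bin/view/Main/5000252; sid: 5000252; rev:2;)
# NOTE(review): 5000253-5000255 describe POP3S but set default_dst_port: 993 (the IANA imaps port; pop3s is 995).
# Left unchanged here since the service name in the xinetd config is not visible - confirm before editing.
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[XINETD] POP3S [SSL] connection from remote host"; content: "START"; content: "pop3s"; default_proto: tcp; default_dst_port: 993; classtype: not-suspicious; program: xinetd; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5000253; sid: 5000253; rev:4;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[XINETD] POP3S [SSL] connection exit"; content: "EXIT"; content: "pop3s"; default_proto: tcp; default_dst_port: 993; classtype: not-suspicious; program: xinetd; reference: url,wiki.quadrantsec.com/bin/view/Main/5000254; sid: 5000254; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[XINETD] POP3S [SSL] User login "; content: "USERID"; content: "pop3s"; default_proto: tcp; default_dst_port: 993; classtype: successful-user; program: xinetd; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5000255; sid: 5000255; rev:3;)
# courierpassd rules 10/11/2011 - Champ Clark
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[XINETD] Courierpassd|Poppassd - Old password is incorrect"; content: "old password"; classtype: unsuccessful-user; program: courierpassd|poppassd; reference: url,wiki.quadrantsec.com/bin/view/Main/5001102; sid: 5001102; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: 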
"[COURIER] Courierpassd|Poppassd - Changed user password"; content: "changed POP3"; classtype: successful-user; program: courierpassd|poppassd; reference: url,wiki.quadrantsec.com/bin/view/Main/5001103; sid: 5001103; rev:2;) sagan-1.2.0/rules/tcp.rules0000644000175000017500000000403313310533411014533 0ustar champchamp# Sagan tcp.rules # Copyright (c) 2009-2017, Quadrant Information Security # All rights reserved. # # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list # #************************************************************* # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. 
IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. # #************************************************************* drop any $EXTERNAL_NET any -> $HOME_NET any (msg:"TCP Treason uncloaked"; content: "Treason uncloaked"; default_proto: tcp; classtype: bad-unknown; program: TCP; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5000031; sid: 5000031; rev:4;) sagan-1.2.0/rules/protocol.map0000644000175000017500000000060613310533411015233 0ustar champchamp message || 17 || nocase ||UDP message || 1 || nocase ||ICMP message || 6 || nocase ||TCP program || 17 || nocase || named program || 6 || nocase || ssh program || 6 || nocase || sshd program || 6 || nocase || rsync program || 17 || nocase || bind program || 6 || nocase || http program || 6 || nocase || httpd program || 6 || nocase || apache program || 6 || nocase || apache2 sagan-1.2.0/rules/bind.rules0000644000175000017500000001414013310533411014661 0ustar champchamp# Sagan bind.rules # Copyright (c) 2009-2017, Quadrant Information Security # All rights reserved. # # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list # #************************************************************* # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. 
# * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. # #************************************************************* alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[BIND] Invalid DNS packet. 
Possible attack" ; content: "dropping source port zero packet from"; default_proto: udp; default_dst_port: $DNS_PORT; classtype: exploit-attempt; program: named; parse_port; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5000101; sid:5000101; rev:5;) drop any $EXTERNAL_NET any -> $HOME_NET any (msg: "[BIND] Denied zone transfer attempt"; content: "denied AXFR from"; default_proto: udp; default_dst_port: $DNS_PORT; classtype: attempted-recon; xbits: set, recon, 86400; program: named; parse_port; parse_src_ip: 1; fwsam: src, 1 day; reference: url,wiki.quadrantsec.com/bin/view/Main/5000102; sid:5000102; rev:7;) drop any $EXTERNAL_NET any -> $HOME_NET any (msg: "[BIND] DNS update denied"; pcre: "/denied update from|unapproved update from/"; default_proto: udp; default_dst_port: $DNS_PORT; classtype: attempted-recon; xbits: set, recon, 86400; program: named; parse_port; parse_src_ip: 1; fwsam: src, 1 day; reference: url,wiki.quadrantsec.com/bin/view/Main/5000103; sid:5000103; rev:7;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[BIND] Log permission misconfiguration"; content: "unable to rename log file"; default_proto: udp; default_dst_port: $DNS_PORT; classtype: program-error; program: named; parse_port; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5000104; sid:5000104; rev:6;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[BIND] Unexpected error [RCODE] while resolving domain"; content: "unexpected RCODE"; default_proto: udp; default_dst_port: $DNS_PORT; classtype: suspicious-traffic; program: named; normalize; threshold: type limit, track by_src, count 1, seconds 300; fwsam: src, 1 day; reference: url,wiki.quadrantsec.com/bin/view/Main/5000164; sid:5000164; rev:7;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[BIND] Refused notify from non-master"; content: "refused notify from non-master"; parse_port; default_proto: udp; default_dst_port: $DNS_PORT; classtype: attempted-recon; xbits: set, recon, 86400; 
program: named; parse_port; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5000105; sid:5000105; rev:7;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[BIND] DNS update using RFC2136 Dynamic protocol denied"; pcre: "/update \S+ denied/"; default_proto: udp; default_dst_port: $DNS_PORT; classtype: suspicious-traffic; program: named; normalize; threshold: type limit, track by_src, count 1, seconds 300; fwsam: src, 1 day; reference: url,wiki.quadrantsec.com/bin/view/Main/5000106; sid:5000106; rev:7;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[BIND] Query cache denied"; content: "query"; content: "cache"; content: "denied"; default_proto: udp; default_dst_port: $DNS_PORT; classtype: attempted-recon; xbits: set, recon, 86400; program: named; threshold: type limit, track by_src, count 1, seconds 300; fwsam: src, 1 day; parse_src_ip: 1; parse_port; reference: url,wiki.quadrantsec.com/bin/view/Main/5000107; sid:5000107; rev:8;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[BIND] Named fatal error. 
DNS service is going down"; content: "exiting"; content: "due to fatal error"; default_proto: udp; default_dst_port: $DNS_PORT; classtype: program-error; program: named; reference: url,wiki.quadrantsec.com/bin/view/Main/5000108; sid:5000108; rev: 5;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[BIND] Serial number from master is lower than stored"; pcre: "/^zone \S+ serial number \S+ received from master \S+ \S ours/"; default_proto: udp; default_dst_port: $DNS_PORT; classtype: configuration-error; program: named; parse_port; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5000109; sid:5000109; rev: 6;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[BIND] Zone transfer error"; pcre: "/^zone \S+: expired/"; default_proto: udp; default_dst_port: $DNS_PORT; classtype: configuration-error; program: named; parse_port; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5000110; sid:5000110; rev: 6;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[BIND] Version attempt"; content: "version.bind CH TXT"; default_proto: udp; default_dst_port: $DNS_PORT; classtype: attempted-recon; xbits: set, recon, 86400; program: named; parse_port; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001706; sid:5001706; rev: 3;) sagan-1.2.0/rules/squid.rules0000644000175000017500000001110313310533411015066 0ustar champchamp# Sagan squid.rules # Copyright (c) 2009-2017, Quadrant Information Security # All rights reserved. # # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list # #************************************************************* # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. 
# * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. # #************************************************************* # # In order for these rules to function with Squid, you'll need: # "access_log syslog" in your squid.conf . 
# Signatures for Squid access_log lines received over syslog (see the file header);
# one rule per line, all scoped to program: squid.
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[SQUID] TCP_DENIED"; content: "TCP_DENIED"; default_proto: tcp; default_dst_port: $SQUID_PORT; classtype: suspicious-traffic; program: squid; reference: url,wiki.quadrantsec.com/bin/view/Main/5000043; sid: 5000043; rev:3;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[SQUID] TCP_DENIED unsupported-request-method"; content: "TCP_DENIED"; content: "unsupported-request-method"; default_proto: tcp; default_dst_port: $SQUID_PORT; classtype: suspicious-traffic; program: squid; reference: url,wiki.quadrantsec.com/bin/view/Main/5000044; sid: 5000044; rev:3;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[SQUID] TCP_DENIED invalid-request"; content: "TCP_DENIED"; content: "invalid-request"; default_proto: tcp; default_dst_port: $SQUID_PORT; classtype: suspicious-traffic; program: squid; reference: url,wiki.quadrantsec.com/bin/view/Main/5000045; sid: 5000045; rev:3;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[SQUID] @CGIDIRScgiwrap attempt"; content: "@CGIDIRScgiwrap"; default_proto: tcp; default_dst_port: $SQUID_PORT; classtype: web-application-activity; program: squid; reference: url,wiki.quadrantsec.com/bin/view/Main/5000046; sid: 5000046; rev:3;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[SQUID] Directory traversal attempt"; content: "../.."; default_proto: tcp; default_dst_port: $SQUID_PORT; classtype: web-application-attack; program: squid; reference: url,wiki.quadrantsec.com/bin/view/Main/5000047; sid: 5000047; rev:3;)
# NOTE(review): the content pattern of sid 5000048 is empty as rendered here. An empty
# match likely either fires on every Squid log line or is rejected at rule load time;
# confirm the intended pattern against the upstream rule set before enabling this rule.
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[SQUID] XSS attempt"; content: ""; default_proto: tcp; default_dst_port: $SQUID_PORT; classtype: suspicious-traffic; program: squid; reference: url,wiki.quadrantsec.com/bin/view/Main/5000048; sid: 5000048; rev:3;)
# NOTE(review): this matches the literal string "passwd" anywhere in the log line, so any
# proxied URL containing that word (e.g. a password-change page) will also fire; tune
# (e.g. a threshold or a tighter pattern) if it proves noisy in your environment.
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[SQUID] 'passwd' access attempt"; content: "passwd"; default_proto: tcp; default_dst_port: $SQUID_PORT; classtype: web-application-attack; program: squid; 
reference: url,wiki.quadrantsec.com/bin/view/Main/5000049; sid: 5000049; rev:3;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[SQUID] Directory traversal attempt"; content: "///"; default_proto: tcp; default_dst_port: $SQUID_PORT; classtype: web-application-attack; program: squid; reference: url,wiki.quadrantsec.com/bin/view/Main/5000050; sid: 5000050; rev:3;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[SQUID] MSG Messenger access"; content: "x-msn-messenger"; default_proto: tcp; default_dst_port: $SQUID_PORT; classtype: policy-violation; program: squid; reference: url,wiki.quadrantsec.com/bin/view/Main/5000387; sid: 5000387; rev:3;) sagan-1.2.0/rules/imapd-geoip.rules0000644000175000017500000001063713310533411016147 0ustar champchamp# Sagan imapd-bluedot.rules # Copyright (c) 2009-2017, Quadrant Information Security # All rights reserved. # # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list # #************************************************************* # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. 
IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. # #************************************************************* # 10.1.1.1|mail|info|info|16|2014-06-11|23:12:53|imapd-ssl| LOGIN, user=bob, ip=[192.168.8.1], port=[36938], protocol=IMAP alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[IMAPD-BLUEDOT] Login from suspicious source"; program: imapd*; content: "LOGIN,"; bluedot: type ip_reputation, track by_src, none, Malicious,Tor,Honeypot,Proxy; default_proto: tcp; default_dst_port: $IMAP_PORT; classtype: successful-user; parse_src_ip: 1; reference: url, wiki.quadrantsec.com/bin/view/Main/5002897; sid:5002897; rev:3;) # 10.1.1.1|mail|info|info|16|2014-06-11|23:12:53|imapd-ssl| LOGOUT, user=bob, ip=[192.168.8.1], headers=0, body=0, rcvd=96, sent=470, time=0, starttls=1 alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[IMAPD-BLUEDOT] Logout from suspicious source"; program: imapd*; content: "LOGOUT,"; bluedot: type ip_reputation, track by_src, none, Malicious,Tor,Honeypot,Proxy; default_proto: tcp; default_dst_port: $IMAP_PORT; classtype: successful-user; parse_src_ip: 1; reference: url, wiki.quadrantsec.com/bin/view/Main/5002898; sid:5002898; rev:3;) # 10.1.1.1|mail|info|info|16|2014-06-12|04:06:34|imapd-ssl| TIMEOUT, user=bob, ip=[192.168.8.1], headers=714, body=8944, rcvd=1050, sent=15577, time=2701, starttls=1 alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[IMAPD-BLUEDOT] Timeout from suspicious source"; program: imapd*; content: "TIMEOUT,"; bluedot: type ip_reputation, track by_src, none, 
Malicious,Tor,Honeypot,Proxy; default_proto: tcp; default_dst_port: $IMAP_PORT; classtype: successful-user; parse_src_ip: 1; reference: url, wiki.quadrantsec.com/bin/view/Main/5002899; sid:5002899; rev:3;) # 10.1.1.1|mail|info|info|16|2014-06-11|23:53:51|imapd-ssl| DISCONNECTED, user=bob, ip=[192.168.8.1], headers=0, body=0, rcvd=357, sent=981, time=10511, starttls=1 alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[IMAPD-BLUEDOT] Disconnect from suspicious source"; program: imapd*; content: "DISCONNECTED,"; bluedot: type ip_reputation, track by_src, none, Malicious,Tor,Honeypot,Proxy; default_proto: tcp; default_dst_port: $IMAP_PORT; classtype: successful-user; parse_src_ip: 1; reference: url, wiki.quadrantsec.com/bin/view/Main/5002900; sid:5002900; rev:3;) # 10.7.1.71|mail|debug|debug|17|2014-06-11|23:53:52|imapd-ssl| Connection, ip=[192.168.8.1] alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[IMAPD-BLUEDOT] Connection from suspicious source"; program: imapd*; content: "Connection,"; bluedot: type ip_reputation, track by_src, none, Malicious,Tor,Honeypot,Proxy; default_proto: tcp; default_dst_port: $IMAP_PORT; classtype: successful-user; parse_src_ip: 1; reference: url, wiki.quadrantsec.com/bin/view/Main/5002901; sid:5002901; rev:3;) sagan-1.2.0/rules/reference.config0000644000175000017500000000453313310533411016023 0ustar champchamp# Sagan reference.config # Copyright (c) 2009-2017, Quadrant Information Security # All rights reserved. # # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list # #************************************************************* # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. 
# * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. # #************************************************************* # # The following defines URLs for the references found in the rules # config reference: system URL. Most of these are from Sourcefire's # 'Snort'. 
config reference: bugtraq,http://www.securityfocus.com/bid/ config reference: cve,http://cve.mitre.org/cgi-bin/cvename.cgi?name= config reference: arachNIDS,http://www.whitehats.com/info/IDS config reference: McAfee,http://vil.nai.com/vil/content/v_ config reference: nessus,http://cgi.nessus.org/plugins/dump.php3?id= config reference: url,http:// #config reference: quadrantsec,https://wiki.quadrantsec.com/bin/view/Main/ sagan-1.2.0/rules/sagan-sid-msg.map0000644000175000017500000307635513310533411016045 0ustar champchamp5000000 || [BASH] ./a.out execution attempt || url,wiki.quadrantsec.com/bin/view/Main/5000000 5000001 || [BASH] gcc execution || url,wiki.quadrantsec.com/bin/view/Main/5000001 5000002 || [BASH] telnet execution || url,wiki.quadrantsec.com/bin/view/Main/5000002 5000003 || [BASH] nmap execution || url,wiki.quadrantsec.com/bin/view/Main/5000003 5000004 || [BASH] /etc/passwd access || url,wiki.quadrantsec.com/bin/view/Main/5000004 5000005 || [BASH] /etc/shadow access || url,wiki.quadrantsec.com/bin/view/Main/5000005 5000006 || [BASH] make execution || url,wiki.quadrantsec.com/bin/view/Main/5000006 5000007 || [BASH] make execution || url,wiki.quadrantsec.com/bin/view/Main/5000007 5000008 || [BASH] /bin/sh command line call || url,wiki.quadrantsec.com/bin/view/Main/5000008 5000009 || [BASH] /bin/bash command line call || url,wiki.quadrantsec.com/bin/view/Main/5000009 5000010 || [BASH] HISTORY=/dev/null || url,wiki.quadrantsec.com/bin/view/Main/5000010 5000011 || [BASH] .bash_history access || url,wiki.quadrantsec.com/bin/view/Main/5000011 5000012 || [BASH] /tmp/sh access || url,wiki.quadrantsec.com/bin/view/Main/5000012 5000013 || [BASH] suidperl access || url,wiki.quadrantsec.com/bin/view/Main/5000013 5000014 || [BASH] histfile=/dev/null || url,wiki.quadrantsec.com/bin/view/Main/5000014 5000015 || [OPENSSH] PAM Authentication failure - Brute force [10/1] || url,wiki.quadrantsec.com/bin/view/Main/5000015 5000016 || [OPENSSH] Authentication failure - Brute 
force [10/1] || url,wiki.quadrantsec.com/bin/view/Main/5000016 5000017 || [OPENSSH] Authentication failure for root - Brute force [5/5] || url,wiki.quadrantsec.com/bin/view/Main/5000017 5000018 || [OPENSSH] Possible break-in attempt || url,wiki.quadrantsec.com/bin/view/Main/5000018 5000020 || [OPENSSH] Not executable shell - login attempt || url,wiki.quadrantsec.com/bin/view/Main/5000020 5000021 || [OPENSSH] Message send write error || url,wiki.quadrantsec.com/bin/view/Main/5000021 5000022 || [OPENSSH] Invalid or illegal user [Brute Force] [10/1] || url,wiki.quadrantsec.com/bin/view/Main/5000022 5000023 || [OPENSSH] Out-of-Band challenge failure || url,wiki.quadrantsec.com/bin/view/Main/5000023 5000024 || [SU] SUDO user NOT in sudoers || url,wiki.quadrantsec.com/bin/view/Main/5000024 5000025 || [SU] SUDO authentication failure - Brute force [3/5] || url,wiki.quadrantsec.com/bin/view/Main/5000025 5000027 || [SU] Successful su as root || url,wiki.quadrantsec.com/bin/view/Main/5000027 5000028 || [SU] FAILED su - Brute force [5/5] || url,wiki.quadrantsec.com/bin/view/Main/5000028 5000029 || [GRSEC] Time set || url,wiki.quadrantsec.com/bin/view/Main/5000029 5000030 || [GRSEC] Signal 11 sent || url,wiki.quadrantsec.com/bin/view/Main/5000030 5000031 || TCP Treason uncloaked || url,wiki.quadrantsec.com/bin/view/Main/5000031 5000032 || [IPOP3D] Excessive login failures || url,wiki.quadrantsec.com/bin/view/Main/5000032 5000034 || [SENDMAIL] VRFY or EXPN root attempt || nessus,10249 || cve,1999-0531 || arachnids,31 || url,wiki.quadrantsec.com/bin/view/Main/5000034 5000035 || [SENDMAIL] EXPN command - rejected || nessus,10249 || cve,1999-0531 || arachnids,31 || url,wiki.quadrantsec.com/bin/view/Main/5000035 5000036 || [SENDMAIL] VRFY command - rejected || nessus,10249 || cve,1999-0531 || arachnids,31 || url,wiki.quadrantsec.com/bin/view/Main/5000036 5000037 || [SENDMAIL] Relaying denied || url,wiki.quadrantsec.com/bin/view/Main/5000037 5000038 || [MILTER] Milter error state || 
url,wiki.quadrantsec.com/bin/view/Main/5000038 5000039 || [MILTER] Mimedefang - No response from slave || url,wiki.quadrantsec.com/bin/view/Main/5000039 5000041 || [NTP] Permission denied error || url,wiki.quadrantsec.com/bin/view/Main/5000041 5000042 || [GRSEC] Denied resource overstep || url,wiki.quadrantsec.com/bin/view/Main/5000042 5000043 || [SQUID] TCP_DENIED || url,wiki.quadrantsec.com/bin/view/Main/5000043 5000044 || [SQUID] TCP_DENIED unsupported-request-method || url,wiki.quadrantsec.com/bin/view/Main/5000044 5000045 || [SQUID] TCP_DENIED invalid-request || url,wiki.quadrantsec.com/bin/view/Main/5000045 5000046 || [SQUID] @CGIDIRScgiwrap attempt || url,wiki.quadrantsec.com/bin/view/Main/5000046 5000047 || [SQUID] Directory traversal attempt || url,wiki.quadrantsec.com/bin/view/Main/5000047 5000048 || [SQUID] XSS attempt || url,wiki.quadrantsec.com/bin/view/Main/5000048 5000049 || [SQUID] 'passwd' access attempt || url,wiki.quadrantsec.com/bin/view/Main/5000049 5000050 || [SQUID] Directory traversal attempt || url,wiki.quadrantsec.com/bin/view/Main/5000050 5000051 || [CISCO-IOS] SNMP Authentication Failure [0/5] || url,wiki.quadrantsec.com/bin/view/Main/5000051 5000052 || [CISCO-IOS] Attempted RSHELL connection || url,wiki.quadrantsec.com/bin/view/Main/5000052 5000053 || [CISCO-IOS] Line protocol changed state up/down || url,wiki.quadrantsec.com/bin/view/Main/5000053 5000054 || [CISCO-IOS] Line protocol changed state up/down || url,wiki.quadrantsec.com/bin/view/Main/5000054 5000055 || [CISCO-IOS] Configuration from console || url,wiki.quadrantsec.com/bin/view/Main/5000055 5000056 || [SYSLOG] Kernel TCP/IP redirect attempt || url,wiki.quadrantsec.com/bin/view/Main/5000056 5000057 || [SYSLOG] Kernel TCP/IP redirect attempt || url,wiki.quadrantsec.com/bin/view/Main/5000057 5000058 || [SYSLOG] init respawning to fast || url,wiki.quadrantsec.com/bin/view/Main/5000058 5000059 || [SYSLOG] Martian source packet || url,wiki.quadrantsec.com/bin/view/Main/5000059 
5000060 || [ARP] arpalert - Detected new machine on the network || url,wiki.quadrantsec.com/bin/view/Main/5000060 5000061 || [ARP] arpalert - Detected ip change || url,wiki.quadrantsec.com/bin/view/Main/5000061 5000062 || [ARP] arpwatch - Detected new machine on the network 5000063 || [ARP] arpwatch - 'flip flop' message. || url,wiki.quadrantsec.com/bin/view/Main/5000063 5000064 || [ARP] arpwatch - Exiting || url,wiki.quadrantsec.com/bin/view/Main/5000064 5000065 || [ARP] arpwatch - Changed network interface for IP address || url,wiki.quadrantsec.com/bin/view/Main/5000065 5000066 || [ARP] arpwatch - Startup/Exiting message || url,wiki.quadrantsec.com/bin/view/Main/5000066 5000067 || [ARP] arpwatch - Detected bad address len - ignored || url,wiki.quadrantsec.com/bin/view/Main/5000067 5000068 || [OPENSSH] Bad protocol version - network scan or possible attack [0/3] || url,wiki.quadrantsec.com/bin/view/Main/5000068 5000069 || [OPENSSH] Timeout while logging in || url,wiki.quadrantsec.com/bin/view/Main/5000069 5000070 || [OPENSSH] No identification string - possible scan || url,wiki.quadrantsec.com/bin/view/Main/5000070 5000071 || [OPENSSH] OpenSSH challenge-response exploit || url,wiki.quadrantsec.com/bin/view/Main/5000071 5000072 || [OPENSSH] Message without user-IP and context || url,wiki.quadrantsec.com/bin/view/Main/5000072 5000073 || [OPENSSH] Corrupted traffic || url,wiki.quadrantsec.com/bin/view/Main/5000073 5000074 || [OPENSSH] CRC32 compensation attack || url, http://www.securityfocus.com/bid/2347/info/ || url,wiki.quadrantsec.com/bin/view/Main/5000074 5000076 || [OPENSSH] configuration error [moduli] || url,wiki.quadrantsec.com/bin/view/Main/5000076 5000077 || [OPENSSH] Attempt to login using a denied user || url,wiki.quadrantsec.com/bin/view/Main/5000077 5000078 || [PROFTPD] Session opened || url,wiki.quadrantsec.com/bin/view/Main/5000078 5000079 || [PROFTPD] Session closed || url,wiki.quadrantsec.com/bin/view/Main/5000079 5000080 || [PROFTPD] Attempt to 
login as a non-existent user [Brute Force] [5/5] || url,wiki.quadrantsec.com/bin/view/Main/5000080 5000081 || [PROFTPD] Login failed accessing the FTP server [Brute Force] [5/5] || url,wiki.quadrantsec.com/bin/view/Main/5000081 5000082 || [PROFTPD] Authentication success || url,wiki.quadrantsec.com/bin/view/Main/5000082 5000083 || [PROFTPD] Connection refused by TCP Wrappers || url,wiki.quadrantsec.com/bin/view/Main/5000083 5000084 || [PROFTPD] Small PassivePorts range in config file || url,wiki.quadrantsec.com/bin/view/Main/5000084 5000085 || [PROFTPD] Attempt to bypass firewall - cannot keep state of FTP traffic || url,wiki.quadrantsec.com/bin/view/Main/5000085 5000086 || [PROFTPD] Maximum login attempts reached [DoS?] || url,wiki.quadrantsec.com/bin/view/Main/5000086 5000087 || [PROFTPD] Host name or host address mismatch || url,wiki.quadrantsec.com/bin/view/Main/5000087 5000088 || [PROFTPD] Reverse lookup failure || url,wiki.quadrantsec.com/bin/view/Main/5000088 5000089 || [PROFTPD] Remote host connected to FTP server || url,wiki.quadrantsec.com/bin/view/Main/5000089 5000090 || [PROFTPD] Remote host disconnected due to inactivity || url,wiki.quadrantsec.com/bin/view/Main/5000090 5000091 || [PROFTPD] Remote host disconnected due to login time out || url,wiki.quadrantsec.com/bin/view/Main/5000091 5000092 || [PROFTPD] Data transfer stall timeout || url,wiki.quadrantsec.com/bin/view/Main/5000092 5000093 || [PROFTPD] terminated [crash] || url,wiki.quadrantsec.com/bin/view/Main/5000093 5000094 || [PROFTPD] Unable to bind to address || url,wiki.quadrantsec.com/bin/view/Main/5000094 5000095 || [ATTACK] Buffer overflow attempt on rpc.statd || url,wiki.quadrantsec.com/bin/view/Main/5000095 5000096 || [ATTACK] Buffer overflow attempt on WU-FTPD version prior to 2.6 || url,wiki.quadrantsec.com/bin/view/Main/5000096 5000097 || [ATTACK] Possible buffer overflow attempt || url,wiki.quadrantsec.com/bin/view/Main/5000097 5000098 || [ATTACK] 'Null' user change some information 
|| url,wiki.quadrantsec.com/bin/view/Main/5000098 5000099 || [ATTACK] Stack overflow attempt with SEGV [Solaris] || url,wiki.quadrantsec.com/bin/view/Main/5000099 5000100 || [ATTACK] Possible buffer overflow attempt [NOOP] || url,wiki.quadrantsec.com/bin/view/Main/5000100 5000101 || [BIND] Invalid DNS packet. Possible attack || url,wiki.quadrantsec.com/bin/view/Main/5000101 5000102 || [BIND] Denied zone transfer attempt || url,wiki.quadrantsec.com/bin/view/Main/5000102 5000103 || [BIND] DNS update denied || url,wiki.quadrantsec.com/bin/view/Main/5000103 5000104 || [BIND] Log permission misconfiguration || url,wiki.quadrantsec.com/bin/view/Main/5000104 5000105 || [BIND] Refused notify from non-master || url,wiki.quadrantsec.com/bin/view/Main/5000105 5000106 || [BIND] DNS update using RFC2136 Dynamic protocol denied || url,wiki.quadrantsec.com/bin/view/Main/5000106 5000107 || [BIND] Query cache denied || url,wiki.quadrantsec.com/bin/view/Main/5000107 5000108 || [BIND] Named fatal error. DNS service is going down || url,wiki.quadrantsec.com/bin/view/Main/5000108 5000109 || [BIND] Serial number from master is lower than stored || url,wiki.quadrantsec.com/bin/view/Main/5000109 5000110 || [BIND] Zone transfer error || url,wiki.quadrantsec.com/bin/view/Main/5000110 5000111 || [CISCO-IOS] IOS configuration changed || url,wiki.quadrantsec.com/bin/view/Main/5000111 5000112 || [CISCO-IOS] Successful login || url,wiki.quadrantsec.com/bin/view/Main/5000112 5000113 || [CISCO-IOS] Failed login - Brute Force [10/1] || url,wiki.quadrantsec.com/bin/view/Main/5000113 5000114 || [SYSLOG] Possible unknown problem on a system || url,wiki.quadrantsec.com/bin/view/Main/5000114 5000115 || [SYSLOG] /etc/securetty missing, root access unrestricted || url,wiki.quadrantsec.com/bin/view/Main/5000115 5000116 || [SYSLOG] System out of disk space || url,wiki.quadrantsec.com/bin/view/Main/5000116 5000117 || [SYSLOG] Unable to mount NFS share || url,wiki.quadrantsec.com/bin/view/Main/5000117 5000118 
|| [SYSLOG] Unable to mount the NFS directory || url,wiki.quadrantsec.com/bin/view/Main/5000118 5000119 || [SYSLOG] Authentication failure - Brute force [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5000119 5000120 || [SYSLOG] Illegal root login || url,wiki.quadrantsec.com/bin/view/Main/5000120 5000121 || [SYSLOG] Connection blocked by TCP Wrappers || url,wiki.quadrantsec.com/bin/view/Main/5000121 5000122 || [SYSLOG] Physical root login || url,wiki.quadrantsec.com/bin/view/Main/5000122 5000123 || [SYSLOG] Oversized packet - ping of death? || url,wiki.quadrantsec.com/bin/view/Main/5000123 5000124 || [SYSLOG] Interface entered promiscuous mode || url,wiki.quadrantsec.com/bin/view/Main/5000124 5000125 || [SYSLOG] System out of memory! || url,wiki.quadrantsec.com/bin/view/Main/5000125 5000126 || [SYSLOG] Kernel log daemon terminating || url,wiki.quadrantsec.com/bin/view/Main/5000126 5000127 || [SYSLOG] ADSL line is up || url,wiki.quadrantsec.com/bin/view/Main/5000127 5000128 || [SYSLOG] ADSL line is down || url,wiki.quadrantsec.com/bin/view/Main/5000128 5000129 || [TRIPWIRE] Integrity Check failed || url,wiki.quadrantsec.com/bin/view/Main/5000129 5000130 || [SYSLOG] New group added to the system || url,wiki.quadrantsec.com/bin/view/Main/5000130 5000131 || [SYSLOG] New user added to the system || url,wiki.quadrantsec.com/bin/view/Main/5000131 5000132 || [SU] Three failed attempts to run sudo || url,wiki.quadrantsec.com/bin/view/Main/5000132 5000133 || [SU] Successful sudo to ROOT executed || url,wiki.quadrantsec.com/bin/view/Main/5000133 5000134 || [PPTP] Failed message [communications error] || url,wiki.quadrantsec.com/bin/view/Main/5000134 5000135 || [PPTP] Connection established || url,wiki.quadrantsec.com/bin/view/Main/5000135 5000136 || [SENDMAIL] Domain of sender does not resolve || url,wiki.quadrantsec.com/bin/view/Main/5000136 5000137 || [SENDMAIL] Rejected by access list || url,wiki.quadrantsec.com/bin/view/Main/5000137 5000138 || [SENDMAIL] Sender address 
does not have domain || url,wiki.quadrantsec.com/bin/view/Main/5000138 5000139 || [SENDMAIL] Rejecting due to pre-greet || url,wiki.quadrantsec.com/bin/view/Main/5000139 5000140 || [SENDMAIL] Save mail panic || url,wiki.quadrantsec.com/bin/view/Main/5000140 5000141 || [SENDMAIL] Sendmail Spamassassin X-Spam-Score || url,wiki.quadrantsec.com/bin/view/Main/5000141 5000142 || [SENDMAIL] Possible SMTP RCPT flood, throttling || url,wiki.quadrantsec.com/bin/view/Main/5000142 5000143 || [MILTER] SMF-SAV sendmail milter unable to verify || url,wiki.quadrantsec.com/bin/view/Main/5000143 5000144 || [SENDMAIL] Relaying denied [reject=550 5.7.1] || url,wiki.quadrantsec.com/bin/view/Main/5000144 5000145 || [SAMBA] Startup network problem || url,wiki.quadrantsec.com/bin/view/Main/5000145 5000146 || [SAMBA] Connection denied || url,wiki.quadrantsec.com/bin/view/Main/5000146 5000147 || [SAMBA] Connection reset by peer || url,wiki.quadrantsec.com/bin/view/Main/5000147 5000148 || [SAMBA] Unable to connect to CUPS server || url,wiki.quadrantsec.com/bin/view/Main/5000148 5000149 || [MYSQL] Access denied for user || url,wiki.quadrantsec.com/bin/view/Main/5000149 5000150 || [MYSQL] Access denied for user || url,wiki.quadrantsec.com/bin/view/Main/5000150 5000151 || [MYSQL] User disconnected from database || url,wiki.quadrantsec.com/bin/view/Main/5000151 5000152 || [MYSQL] Database startup or restart || quadrantsec,5000152 5000153 || [MYSQL] Database error || url,wiki.quadrantsec.com/bin/view/Main/5000153 5000154 || [MYSQL] Database fatal error || url,wiki.quadrantsec.com/bin/view/Main/5000154 5000155 || [APACHE] Segmentation fault || url,wiki.quadrantsec.com/bin/view/Main/5000155 5000156 || [APACHE] Attempt to access forbidden file or directory [0/5] || url,wiki.quadrantsec.com/bin/view/Main/5000156 5000157 || [APACHE] Attempt to access forbidden directory index || url,wiki.quadrantsec.com/bin/view/Main/5000157 5000158 || [APACHE] Client sent malformed Host header || 
url,wiki.quadrantsec.com/bin/view/Main/5000158 5000159 || [APACHE] User authentication failed || url,wiki.quadrantsec.com/bin/view/Main/5000159 5000160 || [APACHE] Attempt to login using a non-existent user || url,wiki.quadrantsec.com/bin/view/Main/5000160 5000161 || [APACHE] Rapid attempt to access a non-existent file or directory || url,wiki.quadrantsec.com/bin/view/Main/5000161 5000162 || [APACHE] Invalid URI in request || url,wiki.quadrantsec.com/bin/view/Main/5000162 5000163 || [APACHE] Invalid URI, file name too long || url,wiki.quadrantsec.com/bin/view/Main/5000163 5000164 || [BIND] Unexpected error [RCODE] while resolving domain || url,wiki.quadrantsec.com/bin/view/Main/5000164 5000165 || [APACHE] Mod_Security Access denied || url,wiki.quadrantsec.com/bin/view/Main/5000165 5000166 || [APACHE] Resource temporarily unavailable || url,wiki.quadrantsec.com/bin/view/Main/5000166 5000168 || [NGINX] Nginx error message || url,wiki.quadrantsec.com/bin/view/Main/5000168 5000169 || [NGINX] Nginx warning message || url,wiki.quadrantsec.com/bin/view/Main/5000169 5000170 || [NGINX] Nginx critical message || url,wiki.quadrantsec.com/bin/view/Main/5000170 5000171 || [NGINX] Nginx 404 error || url,wiki.quadrantsec.com/bin/view/Main/5000171 5000172 || [NGINX] Nginx Incomplete client request || url,wiki.quadrantsec.com/bin/view/Main/5000172 5000173 || [NGINX] Nginx Initial 401 authentication request || url,wiki.quadrantsec.com/bin/view/Main/5000173 5000174 || [NGINX] Nginx Web authentication failed || url,wiki.quadrantsec.com/bin/view/Main/5000174 5000175 || [NGINX] Nginx Invalid URI, file name too long || url,wiki.quadrantsec.com/bin/view/Main/5000175 5000176 || [ASTERISK] Warning message || url,wiki.quadrantsec.com/bin/view/Main/5000176 5000177 || [ASTERISK] Warning message || url,wiki.quadrantsec.com/bin/view/Main/5000177 5000178 || [ASTERISK] Notice message || url,wiki.quadrantsec.com/bin/view/Main/5000178 5000179 || [ASTERISK] Login session failed [0/5] || 
url,wiki.quadrantsec.com/bin/view/Main/5000179 5000180 || [ASTERISK] Login session failed [invalid user] [0/5] || url,wiki.quadrantsec.com/bin/view/Main/5000180 5000181 || [ASTERISK] Login session failed [invalid extension] [0/5] || url,wiki.quadrantsec.com/bin/view/Main/5000181 5000182 || [FTPD] FTP Login refused || url,wiki.quadrantsec.com/bin/view/Main/5000182 5000183 || [FTPD] File created || url,wiki.quadrantsec.com/bin/view/Main/5000183 5000184 || [FTPD] File deleted || url,wiki.quadrantsec.com/bin/view/Main/5000184 5000185 || [FTPD] User uploaded a file to server || url,wiki.quadrantsec.com/bin/view/Main/5000185 5000186 || [FTPD] User downloaded a file to server || url,wiki.quadrantsec.com/bin/view/Main/5000186 5000187 || [FTPD] Remote host connected to FTP server || url,wiki.quadrantsec.com/bin/view/Main/5000187 5000188 || [FTPD] Connection blocked by TCP Wrappers || url,wiki.quadrantsec.com/bin/view/Main/5000188 5000189 || [FTPD] Reverse lookup failure || url,wiki.quadrantsec.com/bin/view/Main/5000189 5000190 || [FTPD] Multiple failed login attempts || url,wiki.quadrantsec.com/bin/view/Main/5000190 5000191 || [FTPD] User disconnected due to time out || url,wiki.quadrantsec.com/bin/view/Main/5000191 5000192 || [FTPD] Attempted access to a disabled account || url,wiki.quadrantsec.com/bin/view/Main/5000192 5000193 || [FTPD] Failed authentication - Brute force [5/5] || url,wiki.quadrantsec.com/bin/view/Main/5000193 5000194 || [VSFTPD] Session opened || url,wiki.quadrantsec.com/bin/view/Main/5000194 5000195 || [VSFTPD] Authentication successful || url,wiki.quadrantsec.com/bin/view/Main/5000195 5000196 || [VSFTPD] Login failed - Brute force [5/5] || url,wiki.quadrantsec.com/bin/view/Main/5000196 5000197 || [VSFTPD] File uploaded || url,wiki.quadrantsec.com/bin/view/Main/5000197 5000198 || [WORDPRESS] - Wordpress authentication failed || url,wiki.quadrantsec.com/bin/view/Main/5000198 5000199 || [WORDPRESS] - Wordpress authentication succeeded || 
url,wiki.quadrantsec.com/bin/view/Main/5000199 5000200 || [WORDPRESS] - Wordpress WPsyslog was successfully initialized || url,wiki.quadrantsec.com/bin/view/Main/5000200 5000201 || [WORDPRESS] - Wordpress WPsyslog Plugin deactivated || url,wiki.quadrantsec.com/bin/view/Main/5000201 5000202 || [WORDPRESS] - Wordpress Wordpress Comment Flood Attempt || url,wiki.quadrantsec.com/bin/view/Main/5000202 5000203 || [WORDPRESS] - Attack against Wordpress detected || url,wiki.quadrantsec.com/bin/view/Main/5000203 5000204 || [VMWARE] User login successful || url,wiki.quadrantsec.com/bin/view/Main/5000204 5000206 || [VMWARE] User authentication failure - Brute force [5/5] || url,wiki.quadrantsec.com/bin/view/Main/5000206 5000208 || [VMWARE] Virtual machine state change to OFF || url,wiki.quadrantsec.com/bin/view/Main/5000208 5000209 || [VMWARE] Virtual machine state change to ON || url,wiki.quadrantsec.com/bin/view/Main/5000209 5000210 || [VMWARE] Virtual machine being reconfigured || url,wiki.quadrantsec.com/bin/view/Main/5000210 5000211 || [VPOPMAIL] Authentication failure for POP3 service || url,wiki.quadrantsec.com/bin/view/Main/5000211 5000212 || [VPOPMAIL] User not found/Invalid login for POP3 service || url,wiki.quadrantsec.com/bin/view/Main/5000212 5000213 || [VPOPMAIL] Successful POP3 login || url,wiki.quadrantsec.com/bin/view/Main/5000213 5000214 || [VPOPMAIL] Null password given for POP3 service || url,wiki.quadrantsec.com/bin/view/Main/5000214 5000215 || [VMPOP3D] Authentication failure for POP3 || url,wiki.quadrantsec.com/bin/view/Main/5000215 5000216 || [PUREFTPD] New FTP connection || url,wiki.quadrantsec.com/bin/view/Main/5000216 5000217 || [PUREFTPD] Authentication failed || url,wiki.quadrantsec.com/bin/view/Main/5000217 5000219 || [PUREFTPD] FTP user logout or timeout || url,wiki.quadrantsec.com/bin/view/Main/5000219 5000220 || [PUREFTPD] FTP notice message || url,wiki.quadrantsec.com/bin/view/Main/5000220 5000221 || [PUREFTPD] Attempting to access invalid 
directory || url,wiki.quadrantsec.com/bin/view/Main/5000221 5000222 || [PUREFTPD] FTP Authentication successful || url,wiki.quadrantsec.com/bin/view/Main/5000222 5000223 || [SENDMAIL] EXPN command - [not rejected] || nessus,10249 || cve,1999-0531 || arachnids,31 || url,wiki.quadrantsec.com/bin/view/Main/5000035 5000224 || [SENDMAIL] VRFY command - [not rejected] || nessus,10249 || cve,1999-0531 || arachnids,31 || url,wiki.quadrantsec.com/bin/view/Main/5000036 5000225 || [POSTFIX] IP Address black-listed by anti-spam [blocked] || url,wiki.quadrantsec.com/bin/view/Main/5000225 5000226 || [POSTFIX] Processing error || url,wiki.quadrantsec.com/bin/view/Main/5000226 5000227 || [POSTFIX] SASL authentication failure || url,wiki.quadrantsec.com/bin/view/Main/5000227 5000229 || [POSTGRESQL] Log message || url,wiki.quadrantsec.com/bin/view/Main/5000229 5000230 || [POSTGRESQL] Error message || url,wiki.quadrantsec.com/bin/view/Main/5000230 5000231 || [POSTGRESQL] Fatal error message || url,wiki.quadrantsec.com/bin/view/Main/5000231 5000232 || [POSTGRESQL] Debug message || url,wiki.quadrantsec.com/bin/view/Main/5000232 5000233 || [POSTGRESQL] Database authentication success || url,wiki.quadrantsec.com/bin/view/Main/5000233 5000234 || [POSTGRESQL] Database authentication failure || url,wiki.quadrantsec.com/bin/view/Main/5000234 5000235 || [POSTGRESQL] Database shutdown message || url,wiki.quadrantsec.com/bin/view/Main/5000235 5000236 || [PHP] Fatal error || url,wiki.quadrantsec.com/bin/view/Main/5000236 5000237 || [PHP] Warning message || url,wiki.quadrantsec.com/bin/view/Main/5000237 5000238 || [PHP] Parse error || url,wiki.quadrantsec.com/bin/view/Main/5000238 5000240 || [PHP] Possible web attack || url,wiki.quadrantsec.com/bin/view/Main/5000240 5000241 || [PHP] Internal error [missing file] || url,wiki.quadrantsec.com/bin/view/Main/5000241 5000242 || [PHP] Internal error [call to undefined function] || url,wiki.quadrantsec.com/bin/view/Main/5000242 5000243 || [TELNET] 
Connection refused by TCP Wrappers || url,wiki.quadrantsec.com/bin/view/Main/5000243 5000244 || [TELNET] Remote host established a telnet connection || url,wiki.quadrantsec.com/bin/view/Main/5000244 5000245 || [TELNET] Remote host invalid connection || url,wiki.quadrantsec.com/bin/view/Main/5000245 5000246 || [TELNET] Reverse lookup error || url,wiki.quadrantsec.com/bin/view/Main/5000246 5000247 || [XINETD] Telnet connection from remote host || url,wiki.quadrantsec.com/bin/view/Main/5000247 5000248 || [XINETD] Telnet connection exit || url,wiki.quadrantsec.com/bin/view/Main/5000248 5000249 || [XINETD] POP3 connection from remote host || url,wiki.quadrantsec.com/bin/view/Main/5000249 5000250 || [XINETD] POP3 connection exit || url,wiki.quadrantsec.com/bin/view/Main/5000250 5000251 || [XINETD] IMAP2 connection from remote host || url,wiki.quadrantsec.com/bin/view/Main/5000251 5000252 || [XINETD] IMAP2 connection exit || url,wiki.quadrantsec.com/bin/view/Main/5000252 5000253 || [XINETD] POP3S [SSL] connection from remote host || url,wiki.quadrantsec.com/bin/view/Main/5000253 5000254 || [XINETD] POP3S [SSL] connection exit || url,wiki.quadrantsec.com/bin/view/Main/5000254 5000255 || [XINETD] POP3S [SSL] User login || url,wiki.quadrantsec.com/bin/view/Main/5000255 5000256 || [XINETD] Removing service || url,wiki.quadrantsec.com/bin/view/Main/5000256 5000257 || [XINETD] Starting service || url,wiki.quadrantsec.com/bin/view/Main/5000257 5000258 || [COURIER] Connection established || url,wiki.quadrantsec.com/bin/view/Main/5000258 5000259 || [COURIER] Authentication failure || url,wiki.quadrantsec.com/bin/view/Main/5000259 5000260 || [COURIER] Logout/disconnect || url,wiki.quadrantsec.com/bin/view/Main/5000260 5000261 || [COURIER] User login || url,wiki.quadrantsec.com/bin/view/Main/5000261 5000262 || [IMAPD] Successful login || url,wiki.quadrantsec.com/bin/view/Main/5000262 5000263 || [HORDEIMP] Notice message || url,wiki.quadrantsec.com/bin/view/Main/5000263 5000264 || 
[DOVECOT] Authentication success || url,wiki.quadrantsec.com/bin/view/Main/5000264 5000265 || [DOVECOT] Failed login || url,wiki.quadrantsec.com/bin/view/Main/5000265 5000266 || [DOVECOT] Starting up || url,wiki.quadrantsec.com/bin/view/Main/5000266 5000267 || [DOVECOT] Fatal error || url,wiki.quadrantsec.com/bin/view/Main/5000267 5000268 || [DOVECOT] Invalid username || url,wiki.quadrantsec.com/bin/view/Main/5000268 5000269 || [RACOON] - Informational message || url,wiki.quadrantsec.com/bin/view/Main/5000269 5000270 || [RACOON] - Error message || url,wiki.quadrantsec.com/bin/view/Main/5000270 5000271 || [RACOON] - Warning message || url,wiki.quadrantsec.com/bin/view/Main/5000271 5000272 || [RACOON] - ISAKMP-SA - VPN established || url,wiki.quadrantsec.com/bin/view/Main/5000272 5000273 || [RACOON] - Roadwarrior configuration error [ignored error] || url,wiki.quadrantsec.com/bin/view/Main/5000273 5000274 || [RACOON] - Roadwarrior configuration error [ignored warning] || url,wiki.quadrantsec.com/bin/view/Main/5000274 5000275 || [RACOON] - Invalid configuration settings [ignored error] || url,wiki.quadrantsec.com/bin/view/Main/5000275 5000276 || [IMAPD] User logout || url,wiki.quadrantsec.com/bin/view/Main/5000276 5000277 || [ROUNDCUBE] - Authentication failed || url,wiki.quadrantsec.com/bin/view/Main/5000277 5000278 || [ROUNDCUBE] - Authentication success || url,wiki.quadrantsec.com/bin/view/Main/5000278 5000279 || [ZEUS] Authentication failure || url,wiki.quadrantsec.com/bin/view/Main/5000279 5000280 || [ZEUS] Configuration warning [ignored] || url,wiki.quadrantsec.com/bin/view/Main/5000280 5000281 || [ZEUS] Informational message || url,wiki.quadrantsec.com/bin/view/Main/5000281 5000282 || [ZEUS] Warning message || url,wiki.quadrantsec.com/bin/view/Main/5000282 5000283 || [ZEUS] Serious message || url,wiki.quadrantsec.com/bin/view/Main/5000283 5000284 || [ZEUS] Fatal message || url,wiki.quadrantsec.com/bin/view/Main/5000284 5000285 || [OSSEC] Agent started || 
url,wiki.quadrantsec.com/bin/view/Main/5000285 5000287 || [OSSEC] Ossec started || url,wiki.quadrantsec.com/bin/view/Main/5000287 5000288 || [OSSEC] Agent disconnect || url,wiki.quadrantsec.com/bin/view/Main/5000288 5000289 || [OSSEC] Ignored common NTFS ADS entries || url,wiki.quadrantsec.com/bin/view/Main/5000289 5000290 || [OSSEC] Windows Audit || url,wiki.quadrantsec.com/bin/view/Main/5000290 5000291 || [OSSEC] Windows Malware || url,wiki.quadrantsec.com/bin/view/Main/5000291 5000292 || [OSSEC] Windows application monitor event || url,wiki.quadrantsec.com/bin/view/Main/5000292 5000293 || [OSSEC] Ignoring rootcheck/syscheck scan messages || url,wiki.quadrantsec.com/bin/view/Main/5000293 5000294 || [OSSEC] System Audit || url,wiki.quadrantsec.com/bin/view/Main/5000294 5000295 || [OSSEC] Windows Adware/Spyware application found || url,wiki.quadrantsec.com/bin/view/Main/5000295 5000296 || [OSSEC] Partition usage reached 100% [disk space monitor] || url,wiki.quadrantsec.com/bin/view/Main/5000296 5000297 || [OSSEC] Ignoring external medias || url,wiki.quadrantsec.com/bin/view/Main/5000297 5000298 || [OSSEC] Integrity checksum for agentless device changed || url,wiki.quadrantsec.com/bin/view/Main/5000298 5000299 || [OSSEC] Log file rotated || url,wiki.quadrantsec.com/bin/view/Main/5000299 5000300 || [OSSEC] File size reduced || url,wiki.quadrantsec.com/bin/view/Main/5000300 5000301 || [OSSEC] Microsoft event log cleared || url,wiki.quadrantsec.com/bin/view/Main/5000301 5000306 || [WINDOWS-MISC] Detection of net listening application [0/5] || url,wiki.quadrantsec.com/bin/view/Main/5000306 5000307 || [WINDOWS-MISC] Privileged Service Called || url,wiki.quadrantsec.com/bin/view/Main/5000307 5000308 || [WINDOWS-MISC] Apple Bonjour service detect [iTunes installed?] 
|| url,wiki.quadrantsec.com/bin/view/Main/5000308 5000309 || [WINDOWS-MISC] Application error || url,wiki.quadrantsec.com/bin/view/Main/5000309 5000310 || [WINDOWS-MISC] Application hang || url,wiki.quadrantsec.com/bin/view/Main/5000310 5000311 || [WINDOWS-MISC] Application popup || url,wiki.quadrantsec.com/bin/view/Main/5000311 5000312 || [WINDOWS-MISC] Backup Exec - Job completed with exceptions || url,wiki.quadrantsec.com/bin/view/Main/5000312 5000313 || [WINDOWS-MISC] Backup Exec - Job cancellation || url,wiki.quadrantsec.com/bin/view/Main/5000313 5000314 || [WINDOWS-MISC] Backup Exec - Alert - insert media || url,wiki.quadrantsec.com/bin/view/Main/5000314 5000315 || [WINDOWS-MISC] Backup Exec - Service started || url,wiki.quadrantsec.com/bin/view/Main/5000315 5000316 || [WINDOWS-MISC] SCSI bug fault occurred || url,wiki.quadrantsec.com/bin/view/Main/5000316 5000317 || [WINDOWS-MISC] Citrix message || url,wiki.quadrantsec.com/bin/view/Main/5000317 5000318 || [WINDOWS-MISC] Trusted Platform Module [TPM] Error. 
User name not found || url,wiki.quadrantsec.com/bin/view/Main/5000318 5000319 || [WINDOWS-MISC] Eventlog service was corrupted || url,wiki.quadrantsec.com/bin/view/Main/5000319 5000320 || [WINDOWS-MISC] Eventlog service was stopped || url,wiki.quadrantsec.com/bin/view/Main/5000320 5000322 || [WINDOWS-MISC] Eventlog service returned error || url,wiki.quadrantsec.com/bin/view/Main/5000322 5000323 || [WINDOWS-MISC] Eventlog service reporting uptime [in seconds] || url,wiki.quadrantsec.com/bin/view/Main/5000323 5000324 || [WINDOWS-MISC] IPSec message || url,wiki.quadrantsec.com/bin/view/Main/5000324 5000325 || [WINDOWS-MISC] MS-SQL - Server started || url,wiki.quadrantsec.com/bin/view/Main/5000325 5000326 || [WINDOWS-MISC] MS-SQL - Server listening on network || url,wiki.quadrantsec.com/bin/view/Main/5000326 5000327 || [WINDOWS-MISC] MsiInstaller - Client successfully installed software || url,wiki.quadrantsec.com/bin/view/Main/5000327 5000328 || [WINDOWS-MISC] MsiInstaller - Google Toolbar installed || url,wiki.quadrantsec.com/bin/view/Main/5000328 5000329 || [WINDOWS-MISC] MsiInstaller - Google Toolbar updated || url,wiki.quadrantsec.com/bin/view/Main/5000329 5000330 || [WINDOWS-MISC] MsiInstaller - RegWork - Registry clearner || url,wiki.quadrantsec.com/bin/view/Main/5000330 5000331 || [WINDOWS-MISC] MsiInstaller - Google Toolbar updated || url,wiki.quadrantsec.com/bin/view/Main/5000331 5000332 || [WINDOWS-MISC] MsiInstaller - Client successfully updated software || url,wiki.quadrantsec.com/bin/view/Main/5000332 5000334 || [WINDOWS-MISC] NtServicePack messsage - package or hotfix installed || url,wiki.quadrantsec.com/bin/view/Main/5000334 5000335 || [WINDOWS-MISC] SNMP Service has started successfully || url,wiki.quadrantsec.com/bin/view/Main/5000335 5000336 || [WINDOWS-MISC] Google Software Updater service is active || url,wiki.quadrantsec.com/bin/view/Main/5000336 5000337 || [WINDOWS-MISC] Google update service is active || 
url,wiki.quadrantsec.com/bin/view/Main/5000337 5000338 || [WINDOWS-MISC] Google update service is active || url,wiki.quadrantsec.com/bin/view/Main/5000338 5000339 || [WINDOWS-MISC] Tenable Nessus service is active [pen-test tool] || url,wiki.quadrantsec.com/bin/view/Main/5000339 5000340 || [WINDOWS-MISC] Remote Access Connection Manager service is active || url,wiki.quadrantsec.com/bin/view/Main/5000340 5000341 || [WINDOWS-MISC] Symantec AntiVirus startup successful || url,wiki.quadrantsec.com/bin/view/Main/5000341 5000342 || [WINDOWS-MISC] Symantec AntiVirus couldn't scan some files or directories || url,wiki.quadrantsec.com/bin/view/Main/5000342 5000343 || [WINDOWS-MISC] Symantec AntiVirus New virus definition file loaded || url,wiki.quadrantsec.com/bin/view/Main/5000343 5000344 || [WINDOWS-MISC] Symantec AntiVirus Successful remote connect by administrator || url,wiki.quadrantsec.com/bin/view/Main/5000344 5000345 || [WINDOWS-MISC] Tenable Nessus started [pen-test tool] || url,wiki.quadrantsec.com/bin/view/Main/5000345 5000346 || [WINDOWS-MISC] WinRM [Windows Remote Management] is started and listening || url,wiki.quadrantsec.com/bin/view/Main/5000346 5000347 || [WINDOWS-MISC] WinVNC4 Connection accepted || url,wiki.quadrantsec.com/bin/view/Main/5000347 5000348 || [WINDOWS-MISC] WinVNC4 Connection closed - Requested security type not available || url,wiki.quadrantsec.com/bin/view/Main/5000348 5000349 || [WINDOWS-MISC] WinVNC4 Connection blacklisted || url,wiki.quadrantsec.com/bin/view/Main/5000349 5000350 || [WINDOWS-MISC] WinVNC4 Connection Authentication failure || url,wiki.quadrantsec.com/bin/view/Main/5000350 5000351 || [WINDOWS-MISC] WinVNC4 Connection close - reset by peer || url,wiki.quadrantsec.com/bin/view/Main/5000351 5000352 || [WINDOWS-MISC] WinVNC4 Connection close - reset by peer [Non-shared] || url,wiki.quadrantsec.com/bin/view/Main/5000352 5000353 || [WINDOWS-MISC] WinVNC4 Connection close - reading version failed || 
url,wiki.quadrantsec.com/bin/view/Main/5000353 5000354 || [WINDOWS-MISC] WinVNC4 Connection closed || url,wiki.quadrantsec.com/bin/view/Main/5000354 5000355 || [WINDOWS-MISC] WinVNC4 HTTPServer event || url,wiki.quadrantsec.com/bin/view/Main/5000355 5000356 || [WINDOWS-MISC] Crypt32 Failed to extract third-party root list || url,wiki.quadrantsec.com/bin/view/Main/5000356 5000357 || [SENDMAIL] Username with pipe symbol || url,wiki.quadrantsec.com/bin/view/Main/5000357 5000359 || [APACHE] Directory traversal attempt - 1 || url,wiki.quadrantsec.com/bin/view/Main/5000359 5000360 || [APACHE] Directory traversal attempt - 2 || url,wiki.quadrantsec.com/bin/view/Main/5000360 5000361 || [APACHE] Robots.txt access || url,wiki.quadrantsec.com/bin/view/Main/5000361 5000362 || [APACHE] PHPinfo access attempt [0/5] || url,wiki.quadrantsec.com/bin/view/Main/5000362 5000364 || [APACHE] Php-my-admin access attempt [0/5] || url,wiki.quadrantsec.com/bin/view/Main/5000364 5000365 || [ATTACK] Possible buffer overflow attempt [yppasswd?] 
|| url,wiki.quadrantsec.com/bin/view/Main/5000356 5000366 || [ATTACK] Heap overflow in the Solaris cachefsd service || url,wiki.quadrantsec.com/bin/view/Main/5000366 5000367 || [IMAPD] User login failed || url,wiki.quadrantsec.com/bin/view/Main/5000367 5000368 || [HORDEIMP] Failed login || url,wiki.quadrantsec.com/bin/view/Main/5000368 5000369 || [HORDEIMP] Emergency message || url,wiki.quadrantsec.com/bin/view/Main/5000369 5000370 || [HORDEIMP] IMP successful login || url,wiki.quadrantsec.com/bin/view/Main/5000370 5000371 || [HORDEIMP] Informational message || url,wiki.quadrantsec.com/bin/view/Main/5000371 5000372 || [HORDEIMP] Error message || url,wiki.quadrantsec.com/bin/view/Main/5000372 5000373 || [POSTGRESQL] Informational message || url,wiki.quadrantsec.com/bin/view/Main/5000373 5000374 || [PROFTPD] Remote host disconnected due to time out || url,wiki.quadrantsec.com/bin/view/Main/5000374 5000375 || [SAMBA] User action denied by configuration || url,wiki.quadrantsec.com/bin/view/Main/5000375 5000376 || [SYSLOG] User or group was deleted from the system || url,wiki.quadrantsec.com/bin/view/Main/5000376 5000377 || [SYSLOG] Information for a user was changed || url,wiki.quadrantsec.com/bin/view/Main/5000377 5000378 || [APACHE] Attempt to access a non-existent file or stream || url,wiki.quadrantsec.com/bin/view/Main/5000378 5000379 || [XINETD] Excessive number connections to a service || url,wiki.quadrantsec.com/bin/view/Main/5000379 5000380 || [VMWARE] Virtual machine being turned ON || url,wiki.quadrantsec.com/bin/view/Main/5000380 5000381 || [WINDOWS-MISC] LSASRV - Could not establish a secure connection || url,wiki.quadrantsec.com/bin/view/Main/5000381 5000382 || [WINDOWS-MISC] Bonjour service is active [iTunes installed?] 
|| url,wiki.quadrantsec.com/bin/view/Main/5000382 5000383 || [KNOCKD] Open Sesame || url,wiki.quadrantsec.com/bin/view/Main/5000383 5000384 || [KNOCKD] Sequence timeout || url,wiki.quadrantsec.com/bin/view/Main/5000384 5000385 || [BASH] iptables command access || url,wiki.quadrantsec.com/bin/view/Main/5000385 5000386 || [SNORT] Snort syslog message || url,wiki.quadrantsec.com/bin/view/Main/5000386 5000387 || [SQUID] MSG Messenger access || url,wiki.quadrantsec.com/bin/view/Main/5000387 5000388 || [CISCO-IOS] Fan failure - Fan not rotating [0/2] || url,wiki.quadrantsec.com/bin/view/Main/5000388 5000392 || [TELNET] Attempt to login with an option || url,wiki.quadrantsec.com/bin/view/Main/5000392 5000393 || [SYSLOG] kcfd - Unable to open certificate file || url,wiki.quadrantsec.com/bin/view/Main/5000393 5000395 || [SYSLOG] automount - Couldn't stat filesystem || url,wiki.quadrantsec.com/bin/view/Main/5000395 5000396 || [NETSCREEN] Fragmented traffic || url,wiki.quadrantsec.com/bin/view/Main/5000396 5000397 || [NETSCREEN] FIN but no ACK bit || url,wiki.quadrantsec.com/bin/view/Main/5000397 5000398 || [NETSCREEN] Port scan! || url,wiki.quadrantsec.com/bin/view/Main/5000398 5000399 || [NETSCREEN] ICMP fragment || url,wiki.quadrantsec.com/bin/view/Main/5000399 5000400 || [NETSCREEN] Malicious URL || url,wiki.quadrantsec.com/bin/view/Main/5000400 5000401 || [NETSCREEN] Large ICMP packet || url,wiki.quadrantsec.com/bin/view/Main/5000401 5000402 || [NETSCREEN] No tcp flag has been detected || url,wiki.quadrantsec.com/bin/view/Main/5000402 5000403 || [NETSCREEN] Denied traffic || url,wiki.quadrantsec.com/bin/view/Main/5000403 5000404 || [NETSCREEN] Syslog enabled || url,wiki.quadrantsec.com/bin/view/Main/5000404 5000405 || [SYSLOG] rmclomv - Power Supply FAULT! 
|| url,wiki.quadrantsec.com/bin/view/Main/5000405 5000409 || [SU] su as 'root' suceeded || url,wiki.quadrantsec.com/bin/view/Main/5000409 5000410 || [SYSLOG] Nagios npre - Host not allowed || url,wiki.quadrantsec.com/bin/view/Main/5000410 5000411 || [OPENSSH] User logged into a disabled account || url,wiki.quadrantsec.com/bin/view/Main/5000411 5000412 || [FTPD] User logged into an disabled account || url,wiki.quadrantsec.com/bin/view/Main/5000412 5000413 || [PROFTPD] User logged into an disabled account || url,wiki.quadrantsec.com/bin/view/Main/5000413 5000414 || [PUREFTPD] User logged into an disabled account || url,wiki.quadrantsec.com/bin/view/Main/5000414 5000415 || [FTPD] User logged into an disabled account || url,wiki.quadrantsec.com/bin/view/Main/5000415 5000416 || [CISCO-PIXASA] Failed to initialize 4GE SSM I/O card || url, wiki.quadrantsec.com/bin/view/Main/5000416 5000417 || [CISCO-PIXASA] Failed to initialize SFP in 4GE SSM I/O card || url, wiki.quadrantsec.com/bin/view/Main/5000417 5000418 || [CISCO-PIXASA] Failed to run cached commands in 4GE SSM I/O card || url, wiki.quadrantsec.com/bin/view/Main/5000418 5000419 || [CISCO-PIXASA] Internal error in function || url, wiki.quadrantsec.com/bin/view/Main/5000419 5000420 || [CISCO-PIXASA] AAA Marking protocol server ip-addr in server group tag as FAILED || url, wiki.quadrantsec.com/bin/view/Main/5000420 5000421 || [CISCO-PIXASA] Internal error in - function message || url, wiki.quadrantsec.com/bin/view/Main/5000421 5000422 || [CISCO-PIXASA] Internal error in function Fiber library cannot locate AK47 instance || url, wiki.quadrantsec.com/bin/view/Main/5000422 5000423 || [CISCO-PIXASA] Internal error in function Fiber library cannot attach AK47 instance || url, wiki.quadrantsec.com/bin/view/Main/5000423 5000424 || [CISCO-PIXASA] Internal error in function Fiber library cannot allocate default arena || url, wiki.quadrantsec.com/bin/view/Main/5000424 5000425 || [CISCO-PIXASA] Internal error in function Fiber 
library cannot allocate fiber descriptors pool || url, wiki.quadrantsec.com/bin/view/Main/5000425 5000426 || [CISCO-PIXASA] Internal error in function Fiber library cannot allocate fiber stacks pool || url, wiki.quadrantsec.com/bin/view/Main/5000426 5000427 || [CISCO-PIXASA] Internal error in function Fiber has joined fiber in unfinished state || url, wiki.quadrantsec.com/bin/view/Main/5000427 5000428 || [CISCO-PIXASA] Internal error in function Fiber scheduler has reached unreachable code. Cannot continue terminating || url, wiki.quadrantsec.com/bin/view/Main/5000428 5000429 || [CISCO-PIXASA] Internal error in function Fiber scheduler is scheduling rotten fiber. Cannot continuing terminating || url, wiki.quadrantsec.com/bin/view/Main/5000429 5000430 || [CISCO-PIXASA] Internal error in function Fiber scheduler is scheduling alien fiber. Cannot continue terminating || url, wiki.quadrantsec.com/bin/view/Main/5000430 5000431 || [CISCO-PIXASA] Internal error in function Fiber scheduler is scheduling finished fiber. Cannot continue terminating || url, wiki.quadrantsec.com/bin/view/Main/5000431 5000432 || [CISCO-PIXASA] Internal error in function Fiber has joined fiber waited upon by someone else || url, wiki.quadrantsec.com/bin/view/Main/5000432 5000433 || [CISCO-PIXASA] Internal error in function Fiber in callback blocked on other channel || url, wiki.quadrantsec.com/bin/view/Main/5000433 5000434 || [CISCO-PIXASA] Internal error in function OCCAM failed to allocate memory for AK47 instance || url, wiki.quadrantsec.com/bin/view/Main/5000434 5000435 || [CISCO-PIXASA] Internal error in function OCCAM has corrupted ROL array. 
Cannot continue terminating || url, wiki.quadrantsec.com/bin/view/Main/5000435 5000436 || [CISCO-PIXASA] Internal error in function OCCAM cached block has no associated arena || url, wiki.quadrantsec.com/bin/view/Main/5000436 5000437 || [CISCO-PIXASA] Internal error in function OCCAM pool has no associated arena || url, wiki.quadrantsec.com/bin/view/Main/5000437 5000438 || [CISCO-PIXASA] Internal error in function OCCAM has corrupted pool list. Cannot continue terminating || url, wiki.quadrantsec.com/bin/view/Main/5000438 5000439 || [CISCO-PIXASA] Internal error in function OCCAM pool has no block list || url, wiki.quadrantsec.com/bin/view/Main/5000439 5000440 || [CISCO-PIXASA] Internal error in function OCCAM no realloc allowed in named pool || url, wiki.quadrantsec.com/bin/view/Main/5000440 5000441 || [CISCO-PIXASA] Internal error in function OCCAM corrupted standalone block || url, wiki.quadrantsec.com/bin/view/Main/5000441 5000442 || [CISCO-PIXASA] UNICORN_SYSLOGID_PERM_STORAGE_SERVER_LOAD_FAIL || url, wiki.quadrantsec.com/bin/view/Main/5000442 5000443 || [CISCO-PIXASA] UNICORN_SYSLOGID_PERM_STORAGE_SERVER_STORE_FAIL || url, wiki.quadrantsec.com/bin/view/Main/5000443 5000444 || [CISCO-PIXASA] Unexpected fiber scheduler error - possible out-of-memory condition || url, wiki.quadrantsec.com/bin/view/Main/5000444 5000445 || [CISCO-PIXASA] Failed to get port statistics in 4GE SSM I/O card || url, wiki.quadrantsec.com/bin/view/Main/5000445 5000446 || [CISCO-PIXASA] Failed to get current msr in 4GE SSM I/O card || url, wiki.quadrantsec.com/bin/view/Main/5000446 5000447 || [CISCO-PIXASA] Failed to enable port after link is up in 4GE SSM I/O card || url, wiki.quadrantsec.com/bin/view/Main/5000447 5000448 || [CISCO-PIXASA] Failed to set multicast address in 4GE SSM I/O card || url, wiki.quadrantsec.com/bin/view/Main/5000448 5000449 || [CISCO-PIXASA] Failed to set multicast hardware address in 4GE SSM I/O card || url, wiki.quadrantsec.com/bin/view/Main/5000449 5000450 || 
[CISCO-PIXASA] Failed to delete multicast address in 4GE SSM I/O card || url, wiki.quadrantsec.com/bin/view/Main/5000450 5000451 || [CISCO-PIXASA] Failed to delete multicast hardware address in 4GE SSM I/O card || url, wiki.quadrantsec.com/bin/view/Main/5000451 5000452 || [CISCO-PIXASA] Failed to set mac address table in 4GE SSM I/O card || url, wiki.quadrantsec.com/bin/view/Main/5000452 5000453 || [CISCO-PIXASA] Failed to set mac address in 4GE SSM I/O card || url, wiki.quadrantsec.com/bin/view/Main/5000453 5000454 || [CISCO-PIXASA] Failed to set mode in 4GE SSM I/O card || url, wiki.quadrantsec.com/bin/view/Main/5000454 5000455 || [CISCO-PIXASA] Failed to set multicast mode in 4GE SSM I/O card || url, wiki.quadrantsec.com/bin/view/Main/5000455 5000456 || [CISCO-PIXASA] Failed to get link status in 4GE SSM I/O card || url, wiki.quadrantsec.com/bin/view/Main/5000456 5000457 || [CISCO-PIXASA] Failed to set port speed in 4GE SSM I/O card || url, wiki.quadrantsec.com/bin/view/Main/5000457 5000458 || [CISCO-PIXASA] Failed to set media type in 4GE SSM I/O card || url, wiki.quadrantsec.com/bin/view/Main/5000458 5000459 || [CISCO-PIXASA] Internal error in function message || url, wiki.quadrantsec.com/bin/view/Main/5000459 5000460 || [CISCO-PIXASA] I2C_API_name error || url, wiki.quadrantsec.com/bin/view/Main/5000460 5000461 || [CISCO-PIXASA] VPN Handle error protocol || url, wiki.quadrantsec.com/bin/view/Main/5000461 5000462 || [CISCO-PIXASA] Module in slot experienced a control channel communications failure || url, wiki.quadrantsec.com/bin/view/Main/5000462 5000463 || [CISCO-PIXASA] Module in slot failed to write software. 
Hw-module reset is required before further use || url, wiki.quadrantsec.com/bin/view/Main/5000463 5000464 || [CISCO-PIXASA] Module in slot can not be powered on completely || url, wiki.quadrantsec.com/bin/view/Main/5000464 5000465 || [CISCO-PIXASA] Type Module in slot experienced a data channel communication failure, data channel is DOWN || url, wiki.quadrantsec.com/bin/view/Main/5000465 5000466 || [CISCO-PIXASA] IPS card not up and fail-close mode used, dropping ICMP packet [1] || url, wiki.quadrantsec.com/bin/view/Main/5000466 5000467 || [CISCO-PIXASA] IPS card not up and fail-close mode used, dropping ICMP packet [2] || url, wiki.quadrantsec.com/bin/view/Main/5000467 5000468 || [CISCO-PIXASA] TCP|UDP flow from interface is dropped because application has failed || url, wiki.quadrantsec.com/bin/view/Main/5000468 5000469 || [CISCO-PIXASA] TCP|UDP flow from interface is skipped because application has failed || url, wiki.quadrantsec.com/bin/view/Main/5000469 5000470 || [CISCO-PIXASA] Authentication to SSO server failed || url, wiki.quadrantsec.com/bin/view/Main/5000470 5000471 || [CISCO-PIXASA] Email Proxy session pointer has terminated due to reason error || url, wiki.quadrantsec.com/bin/view/Main/5000471 5000472 || [CISCO-PIXASA] SVC Message ERROR message [1] || url, wiki.quadrantsec.com/bin/view/Main/5000472 5000473 || [CISCO-PIXASA] SVC Message ERROR message [2] || url, wiki.quadrantsec.com/bin/view/Main/5000473 5000474 || [CISCO-PIXASA] SVC Message ERROR message [3] || url, wiki.quadrantsec.com/bin/view/Main/5000474 5000475 || [CISCO-PIXASA] Module in slot is not able to shut down. Module Error || url, wiki.quadrantsec.com/bin/view/Main/5000475 5000476 || [CISCO-PIXASA] Module in slot is not able to reload. Module Error || url, wiki.quadrantsec.com/bin/view/Main/5000476 5000477 || [CISCO-PIXASA] Module in slot failed to write software. 
Trying again || url, wiki.quadrantsec.com/bin/view/Main/5000477 5000478 || [CISCO-PIXASA] IPS requested to drop ICMP packets || url, wiki.quadrantsec.com/bin/view/Main/5000478 5000479 || [CISCO-PIXASA] {Allowed | Dropped} invalid NBNS pkt || url, wiki.quadrantsec.com/bin/view/Main/5000479 5000480 || [CISCO-PIXASA] {Allowed | Dropped} mismatched NBNS pkt || url, wiki.quadrantsec.com/bin/view/Main/5000480 5000481 || [CISCO-PIXASA] {Allowed | Dropped} invalid NBDGM pkt || url, wiki.quadrantsec.com/bin/view/Main/5000481 5000482 || [CISCO-PIXASA] {Allowed | Dropped} mismatched NBDGM pkt || url, wiki.quadrantsec.com/bin/view/Main/5000482 5000483 || [CISCO-PIXASA] {Allowed | Dropped} NBDGM pkt || url, wiki.quadrantsec.com/bin/view/Main/5000483 5000484 || [CISCO-PIXASA] Packet denied. [Ingress|Egress] interface is in a backup state || url, wiki.quadrantsec.com/bin/view/Main/5000484 5000485 || [CISCO-PIXASA] Connection to the backup interface is denied || url, wiki.quadrantsec.com/bin/view/Main/5000485 5000486 || [CISCO-PIXASA] Deny traffic, licensed host limit exceeded. 
|| url, wiki.quadrantsec.com/bin/view/Main/5000486 5000487 || [CISCO-PIXASA] Received DH key with bad length || url, wiki.quadrantsec.com/bin/view/Main/5000487 5000488 || [CISCO-PIXASA] META-DATA Unexpected error in Next Card Code mode while not doing SDI || url, wiki.quadrantsec.com/bin/view/Main/5000488 5000489 || [CISCO-PIXASA] META-DATA Received authentication failure message || url, wiki.quadrantsec.com/bin/view/Main/5000489 5000490 || [CISCO-PIXASA] [VPN-unit] Failed to initialize with Chunk Manager || url, wiki.quadrantsec.com/bin/view/Main/5000490 5000491 || [CISCO-PIXASA] [VPN-unit] Failed to allocate chunk from Chunk Manager || url, wiki.quadrantsec.com/bin/view/Main/5000491 5000492 || [CISCO-PIXASA] [VPN-unit] Failed to register to High Availability Framework || url, wiki.quadrantsec.com/bin/view/Main/5000492 5000493 || [CISCO-PIXASA] [VPN-unit] Failed to create version control block || url, wiki.quadrantsec.com/bin/view/Main/5000493 5000494 || [CISCO-PIXASA] [VPN-unit] Failed to allocate memory || url, wiki.quadrantsec.com/bin/view/Main/5000494 5000495 || [CISCO-PIXASA] [VPN-unit] Failed to insert certificate in trust point || url, wiki.quadrantsec.com/bin/view/Main/5000495 5000496 || [CISCO-PIXASA] [VPN-unit] Failed to queue add to message queue || url, wiki.quadrantsec.com/bin/view/Main/5000496 5000497 || [CISCO-PIXASA] [VPN-unit] Failed to send type message id to standby unit || url, wiki.quadrantsec.com/bin/view/Main/5000497 5000498 || [CISCO-PIXASA] [VPN-unit] Failed to receive message from active unit || url, wiki.quadrantsec.com/bin/view/Main/5000498 5000499 || [CISCO-PIXASA] [VPN-unit] Failed to sync SDI node secret file for server on the standby unit || url, wiki.quadrantsec.com/bin/view/Main/5000499 5000500 || [CISCO-PIXASA] [VPN-unit] Failed to add new SDI node secret file for server id on the standby unit || url, wiki.quadrantsec.com/bin/view/Main/5000500 5000501 || [CISCO-PIXASA] [VPN-unit] Failed to delete SDI node secret file for server 
id on the standby unit || url, wiki.quadrantsec.com/bin/view/Main/5000501 5000502 || [CISCO-PIXASA] [VPN-unit] Failed to add cTCP IKE rule during bulk sync || url, wiki.quadrantsec.com/bin/view/Main/5000502 5000503 || [CISCO-PIXASA] [VPN-unit] Failed to add new cTCP record || url, wiki.quadrantsec.com/bin/view/Main/5000503 5000504 || [CISCO-PIXASA] [VPN-unit] VPN Stateful failover can only be run in single/non-transparent mode || url, wiki.quadrantsec.com/bin/view/Main/5000504 5000505 || [CISCO-PIXASA] [VPN-unit] Failed to update cTCP database || url, wiki.quadrantsec.com/bin/view/Main/5000505 5000506 || [CISCO-PIXASA] [VPN-unit] Failed to add new cTCP IKE rule || url, wiki.quadrantsec.com/bin/view/Main/5000506 5000507 || [CISCO-PIXASA] [VPN-unit] Failed to activate IKE database || url, wiki.quadrantsec.com/bin/view/Main/5000507 5000508 || [CISCO-PIXASA] [VPN-unit] Failed to deactivate IKE database || url, wiki.quadrantsec.com/bin/view/Main/5000508 5000509 || [CISCO-PIXASA] [VPN-unit] Failed to parse peer message || url, wiki.quadrantsec.com/bin/view/Main/5000509 5000510 || [CISCO-PIXASA] [VPN-unit] Failed to activate cTCP database || url, wiki.quadrantsec.com/bin/view/Main/5000510 5000511 || [CISCO-PIXASA] [VPN-unit] Failed to deactivate cTCP database || url, wiki.quadrantsec.com/bin/view/Main/5000511 5000512 || [CISCO-PIXASA] [VPN-unit] Fail to insert certificate in trust point on the standby unit || url, wiki.quadrantsec.com/bin/view/Main/5000512 5000513 || [CISCO-PIXASA] Error parsing SVC connect request || url, wiki.quadrantsec.com/bin/view/Main/5000513 5000514 || [CISCO-PIXASA] Error consolidating SVC connect request. 
|| url, wiki.quadrantsec.com/bin/view/Main/5000514 5000515 || [CISCO-PIXASA] Error authenticating SVC connect request || url, wiki.quadrantsec.com/bin/view/Main/5000515 5000516 || [CISCO-PIXASA] Error responding to SVC connect request || url, wiki.quadrantsec.com/bin/view/Main/5000516 5000517 || [CISCO-PIXASA] Bad SVC frame length length expected || url, wiki.quadrantsec.com/bin/view/Main/5000517 5000518 || [CISCO-PIXASA] Bad SVC framing 525446, reserved 0 || url, wiki.quadrantsec.com/bin/view/Main/5000518 5000519 || [CISCO-PIXASA] Bad SVC protocol version || url, wiki.quadrantsec.com/bin/view/Main/5000519 5000520 || [CISCO-PIXASA] CRYPTO An attempt to allocate a large memory block failed || url, wiki.quadrantsec.com/bin/view/Main/5000520 5000521 || [CISCO-PIXASA] META-DATA Rekey initiation is being disabled during CRACK authentication || url, wiki.quadrantsec.com/bin/view/Main/5000521 5000522 || [CISCO-PIXASA] Integrity Firewall Server is not available. VPN Tunnel creation rejected for client || url, wiki.quadrantsec.com/bin/view/Main/5000522 5000523 || [CISCO-PIXASA] Integrity Firewall Server is not available. Entering ALLOW mode. VPN Tunnel created for client || url, wiki.quadrantsec.com/bin/view/Main/5000523 5000525 || [CISCO-PIXASA] [VPN-unit] Failed to initialize default timer || url, wiki.quadrantsec.com/bin/view/Main/5000525 5000526 || [CISCO-PIXASA] [VPN-unit] Failed to update LB runtime data || url, wiki.quadrantsec.com/bin/view/Main/5000526 5000527 || [CISCO-PIXASA] [VPN-unit] Failed to get a buffer from the underlying core high availability subsystem || url, wiki.quadrantsec.com/bin/view/Main/5000527 5000528 || [CISCO-PIXASA] [VPN-unit] Failed to update cTCP statistics || url, wiki.quadrantsec.com/bin/view/Main/5000528 5000529 || [CISCO-PIXASA] [VPN-unit] Failed to send type timer message || url, wiki.quadrantsec.com/bin/view/Main/5000529 5000530 || [CISCO-PIXASA] [VPN-unit] HA non-block send failed for peer msg. HA error code. 
|| url, wiki.quadrantsec.com/bin/view/Main/5000530 5000531 || [CISCO-PIXASA] [VPN-unit] Fail to look up CTCP flow handle || url, wiki.quadrantsec.com/bin/view/Main/5000531 5000532 || [CISCO-PIXASA] [VPN-unit] Failed to process state update message from the active peer || url, wiki.quadrantsec.com/bin/view/Main/5000532 5000533 || [CISCO-PIXASA] [VPN-unit] Failed to update cTCP dynamic data || url, wiki.quadrantsec.com/bin/view/Main/5000533 5000534 || [CISCO-PIXASA] Timeout waiting for Integrity Firewall Server to become available || url, wiki.quadrantsec.com/bin/view/Main/5000534 5000535 || [CISCO-PIXASA] CRYPTO An attempt to release a DMA memory block failed, location address || url, wiki.quadrantsec.com/bin/view/Main/5000535 5000536 || [CISCO-PIXASA] WebVPN access DENIED to specified location url || url, wiki.quadrantsec.com/bin/view/Main/5000536 5000537 || [CISCO-PIXASA] WebVPN ACL Parse Error || url, wiki.quadrantsec.com/bin/view/Main/5000537 5000538 || [CISCO-PIXASA] WebVPN session not allowed. WebVPN ACL parse error || url, wiki.quadrantsec.com/bin/view/Main/5000538 5000539 || [CISCO-PIXASA] Reboot pending, new sessions disabled. Denied user login || url, wiki.quadrantsec.com/bin/view/Main/5000539 5000540 || [CISCO-PIXASA] Error adding to ACL || url, wiki.quadrantsec.com/bin/view/Main/5000540 5000541 || [CISCO-PIXASA] Error adding dynamic ACL for user || url, wiki.quadrantsec.com/bin/view/Main/5000541 5000542 || [CISCO-PIXASA] Email Proxy feature is disabled on interface || url, wiki.quadrantsec.com/bin/view/Main/5000542 5000543 || [CISCO-PIXASA] WebVPN authorization failed || url, wiki.quadrantsec.com/bin/view/Main/5000543 5000544 || [CISCO-PIXASA] WebVPN authorization completed successfully || url, wiki.quadrantsec.com/bin/view/Main/5000544 5000545 || [CISCO-PIXASA] WebVPN has not been successfully authenticated. 
Access denied || url, wiki.quadrantsec.com/bin/view/Main/5000545 5000546 || [CISCO-PIXASA] Email Proxy piggyback auth fail session || url, wiki.quadrantsec.com/bin/view/Main/5000546 5000547 || [CISCO-PIXASA] Email Proxy DNS name resolution failed for hostname || url, wiki.quadrantsec.com/bin/view/Main/5000547 5000548 || [CISCO-PIXASA] [VPN-unit] Starting VPN Stateful Failover Subsystem || url, wiki.quadrantsec.com/bin/view/Main/5000548 5000549 || [CISCO-PIXASA] [VPN-unit] Initialization of VPN Stateful Failover Component completed successfully || url, wiki.quadrantsec.com/bin/view/Main/5000549 5000550 || [CISCO-PIXASA] [VPN-unit] VPN failover main thread started || url, wiki.quadrantsec.com/bin/view/Main/5000550 5000551 || [CISCO-PIXASA] [VPN-unit] VPN failover timer thread started || url, wiki.quadrantsec.com/bin/view/Main/5000551 5000552 || [CISCO-PIXASA] [VPN-unit] VPN failover sync thread started || url, wiki.quadrantsec.com/bin/view/Main/5000552 5000553 || [CISCO-PIXASA] [VPN-unit] VPN failover client is being disabled || url, wiki.quadrantsec.com/bin/view/Main/5000553 5000554 || [CISCO-PIXASA] [VPN-unit] Failed to update IPSec failover runtime data on the standby unit || url, wiki.quadrantsec.com/bin/view/Main/5000554 5000555 || [CISCO-PIXASA] [VPN-unit] VPN failover client is transitioning to active state || url, wiki.quadrantsec.com/bin/view/Main/5000555 5000556 || [CISCO-PIXASA] [VPN-unit] VPN failover client is transitioning to standby state || url, wiki.quadrantsec.com/bin/view/Main/5000556 5000557 || [CISCO-PIXASA] [VPN-unit] VPN Stateful failover Message Thread is being disabled || url, wiki.quadrantsec.com/bin/view/Main/5000557 5000559 || [CISCO-PIXASA] [VPN-unit] VPN Stateful failover Timer Thread is disabled || url, wiki.quadrantsec.com/bin/view/Main/5000559 5000561 || [CISCO-PIXASA] [VPN-unit] VPN Stateful failover Sync Thread is disabled. 
|| url, wiki.quadrantsec.com/bin/view/Main/5000561 5000563 || [CISCO-PIXASA] SVC Global Compression Disabled || url, wiki.quadrantsec.com/bin/view/Main/5000563 5000564 || [CISCO-PIXASA] Device failed SSL handshake || url, wiki.quadrantsec.com/bin/view/Main/5000564 5000565 || [CISCO-PIXASA] Failed to inject {TCP|UDP} packet || url, wiki.quadrantsec.com/bin/view/Main/5000565 5000566 || [CISCO-PIXASA] File access DENIED, filename || url, wiki.quadrantsec.com/bin/view/Main/5000566 5000567 || [CISCO-PIXASA] Unable to browse the network || url, wiki.quadrantsec.com/bin/view/Main/5000567 5000568 || [CISCO-PIXASA] Unable to browse domain domain || url, wiki.quadrantsec.com/bin/view/Main/5000568 5000569 || [CISCO-PIXASA] Unable to browse directory || url, wiki.quadrantsec.com/bin/view/Main/5000569 5000570 || [CISCO-PIXASA] Unable to view file || url, wiki.quadrantsec.com/bin/view/Main/5000570 5000571 || [CISCO-PIXASA] Unable to remove file || url, wiki.quadrantsec.com/bin/view/Main/5000571 5000572 || [CISCO-PIXASA] Unable to rename file || url, wiki.quadrantsec.com/bin/view/Main/5000572 5000573 || [CISCO-PIXASA] Unable to modify file || url, wiki.quadrantsec.com/bin/view/Main/5000573 5000574 || [CISCO-PIXASA] Unable to create file || url, wiki.quadrantsec.com/bin/view/Main/5000574 5000575 || [CISCO-PIXASA] Unable to create folder || url, wiki.quadrantsec.com/bin/view/Main/5000575 5000576 || [CISCO-PIXASA] Unable to remove folder || url, wiki.quadrantsec.com/bin/view/Main/5000576 5000577 || [CISCO-PIXASA] File Access User failed to login into the server || url, wiki.quadrantsec.com/bin/view/Main/5000577 5000579 || [CISCO-PIXASA] SVC Session Termination || url, wiki.quadrantsec.com/bin/view/Main/5000579 5000580 || [CISCO-PIXASA] SVC Session Termination Out || url, wiki.quadrantsec.com/bin/view/Main/5000580 5000581 || [CISCO-PIXASA] WebVPN Citrix encountered bad flow control flow || url, wiki.quadrantsec.com/bin/view/Main/5000581 5000582 || [CISCO-PIXASA] WebVPN Citrix SOCKS 
errors || url, wiki.quadrantsec.com/bin/view/Main/5000582 5000583 || [CISCO-PIXASA] WebVPN Citrix receives bad SOCKS socks message length || url, wiki.quadrantsec.com/bin/view/Main/5000583 5000584 || [CISCO-PIXASA] WebVPN Citrix received bad SOCKS socks message format || url, wiki.quadrantsec.com/bin/view/Main/5000584 5000585 || [CISCO-PIXASA] SSL lib error || url, wiki.quadrantsec.com/bin/view/Main/5000585 5000586 || [CISCO-PIXASA] Dynamic DNS Update failed || url, wiki.quadrantsec.com/bin/view/Main/5000586 5000587 || [CISCO-PIXASA] Switching to ACTIVE || url, wiki.quadrantsec.com/bin/view/Main/5000587 5000588 || [CISCO-PIXASA]%PIX|ASA-1-104002 [Primary] Switching to STNDBY [cause string]. || url, wiki.quadrantsec.com/bin/view/Main/5000588 5000589 || [CISCO-PIXASA]%PIX|ASA-1-104003 [Primary] Switching to FAILED || url, wiki.quadrantsec.com/bin/view/Main/5000589 5000590 || [CISCO-PIXASA]%PIX|ASA-1-104004 [Primary] Switching to OK. || url, wiki.quadrantsec.com/bin/view/Main/5000590 5000591 || [CISCO-PIXASA]%PIX|ASA-1-105037 The primary and standby units are switching back and forth as the active unit || url, wiki.quadrantsec.com/bin/view/Main/5000591 5000592 || [CISCO-PIXASA] Failed Identification Test || url, wiki.quadrantsec.com/bin/view/Main/5000592 5000595 || [CISCO-PIXASA] [Primary] Failover cable OK || url, wiki.quadrantsec.com/bin/view/Main/5000595 5000596 || [CISCO-PIXASA] [Primary] Bad failover cable || url, wiki.quadrantsec.com/bin/view/Main/5000596 5000597 || [CISCO-PIXASA] [Primary] Failover cable not connected [this unit] || url, wiki.quadrantsec.com/bin/view/Main/5000597 5000598 || [CISCO-PIXASA] [Primary] Failover cable not connected [other unit] || url, wiki.quadrantsec.com/bin/view/Main/5000598 5000599 || [CISCO-PIXASA] [Primary] Error reading failover cable status || url, wiki.quadrantsec.com/bin/view/Main/5000599 5000600 || [CISCO-PIXASA] [Primary] Power failure/System reload other side || url, wiki.quadrantsec.com/bin/view/Main/5000600 5000601 || 
[CISCO-PIXASA] [Primary] No response from other firewall || url, wiki.quadrantsec.com/bin/view/Main/5000601 5000602 || [CISCO-PIXASA] [Primary] Other firewall network interface OK || url, wiki.quadrantsec.com/bin/view/Main/5000602 5000603 || [CISCO-PIXASA] [Primary] Other firewall network interface failed || url, wiki.quadrantsec.com/bin/view/Main/5000603 5000604 || [CISCO-PIXASA] [Primary] Other firewall reports this firewall failed || url, wiki.quadrantsec.com/bin/view/Main/5000604 5000605 || [CISCO-PIXASA] [Primary] Other firewall reporting failure || url, wiki.quadrantsec.com/bin/view/Main/5000605 5000606 || [CISCO-PIXASA] [Primary] Switching to ACTIVE || url, wiki.quadrantsec.com/bin/view/Main/5000606 5000607 || [CISCO-PIXASA] [Primary] Switching to STNDBY || url, wiki.quadrantsec.com/bin/view/Main/5000607 5000608 || [CISCO-PIXASA] [Primary] Switching to FAILED || url, wiki.quadrantsec.com/bin/view/Main/5000608 5000609 || [CISCO-PIXASA] [Primary] Switching to OK || url, wiki.quadrantsec.com/bin/view/Main/5000609 5000610 || [CISCO-PIXASA] [Primary] Disabling failover || url, wiki.quadrantsec.com/bin/view/Main/5000610 5000611 || [CISCO-PIXASA] [Primary] Enabling failover || url, wiki.quadrantsec.com/bin/view/Main/5000611 5000612 || [CISCO-PIXASA] [Primary] Lost Failover communications with mate on interface || url, wiki.quadrantsec.com/bin/view/Main/5000612 5000614 || [CISCO-PIXASA] [Primary] Failover cable communication failure || url, wiki.quadrantsec.com/bin/view/Main/5000614 5000615 || [CISCO-PIXASA] [failover_unit] Standby unit failed to sync due to a locked config || url, wiki.quadrantsec.com/bin/view/Main/5000615 5000616 || [CISCO-PIXASA] Failover LAN interface is up || url, wiki.quadrantsec.com/bin/view/Main/5000616 5000617 || [CISCO-PIXASA] LAN Failover interface is down || url, wiki.quadrantsec.com/bin/view/Main/5000617 5000618 || [CISCO-PIXASA] Receive a LAN_FAILOVER_UP message from peer || url, wiki.quadrantsec.com/bin/view/Main/5000618 5000619 || 
[CISCO-PIXASA] Receive a LAN failover interface down msg from peer || url, wiki.quadrantsec.com/bin/view/Main/5000619 5000620 || [CISCO-PIXASA] dropped a LAN Failover command message || url, wiki.quadrantsec.com/bin/view/Main/5000620 5000621 || [CISCO-PIXASA] [Primary] Unable to verify the Interface count with mate. Failover may be disabled in mate || url, wiki.quadrantsec.com/bin/view/Main/5000621 5000622 || [CISCO-PIXASA] [Primary] Mate failover version is not compatible || url, wiki.quadrantsec.com/bin/view/Main/5000622 5000623 || [CISCO-PIXASA] [Primary] Failover interface OK || url, wiki.quadrantsec.com/bin/view/Main/5000623 5000624 || [CISCO-PIXASA] [Primary] Failover interface failed || url, wiki.quadrantsec.com/bin/view/Main/5000624 5000625 || [CISCO-PIXASA] Deny protocol reverse path check || url, wiki.quadrantsec.com/bin/view/Main/5000625 5000626 || [CISCO-PIXASA] Deny protocol connection spoof || url, wiki.quadrantsec.com/bin/view/Main/5000626 5000627 || [CISCO-PIXASA] The number of ACL log deny-flows has reached limit || url, wiki.quadrantsec.com/bin/view/Main/5000627 5000628 || [CISCO-PIXASA] RIP auth failed || url, wiki.quadrantsec.com/bin/view/Main/5000628 5000629 || [CISCO-PIXASA] RIP pkt failed || url, wiki.quadrantsec.com/bin/view/Main/5000629 5000631 || [CISCO-PIXASA] Inbound TCP connection denied || url, wiki.quadrantsec.com/bin/view/Main/5000631 5000632 || [CISCO-PIXASA] Connection denied by outbound ACL || url, wiki.quadrantsec.com/bin/view/Main/5000632 5000633 || [CISCO-PIXASA] Deny inbound UDP || url, wiki.quadrantsec.com/bin/view/Main/5000633 5000634 || [CISCO-PIXASA] Deny inbound UDP from outside due to DNS {Response|Query} || url, wiki.quadrantsec.com/bin/view/Main/5000634 5000635 || [CISCO-PIXASA] Dropping echo request || url, wiki.quadrantsec.com/bin/view/Main/5000635 5000636 || [CISCO-PIXASA] Deny IP spoof [0/1] || url, wiki.quadrantsec.com/bin/view/Main/5000636 5000637 || [CISCO-PIXASA] Deny IP due to Land Attack [0/1] || url, 
wiki.quadrantsec.com/bin/view/Main/5000637 5000638 || [CISCO-PIXASA] ICMP denied by outbound ACL || url, wiki.quadrantsec.com/bin/view/Main/5000638 5000639 || [CISCO-PIXASA] Deny IP teardrop fragment [0/1] || url, wiki.quadrantsec.com/bin/view/Main/5000639 5000640 || [CISCO-PIXASA] Bad route_compress || url, wiki.quadrantsec.com/bin/view/Main/5000640 5000641 || [CISCO-PIXASA] Failed Identification Test in slot || url, wiki.quadrantsec.com/bin/view/Main/5000641 5000642 || [CISCO-PIXASA] Dropped DNS responses with mis-matched id || url, wiki.quadrantsec.com/bin/view/Main/5000642 5000643 || [CISCO-PIXASA] Configuration replication failed for command || url, wiki.quadrantsec.com/bin/view/Main/5000643 5000644 || [CISCO-PIXASA] Unexpected event || url, wiki.quadrantsec.com/bin/view/Main/5000644 5000645 || [CISCO-PIXASA] [Primary] Failover message block alloc failed || url, wiki.quadrantsec.com/bin/view/Main/5000645 5000646 || [CISCO-PIXASA] Deny inbound protocol || url, wiki.quadrantsec.com/bin/view/Main/5000646 5000647 || [CISCO-PIXASA] Deny inbound [No xlate] || url, wiki.quadrantsec.com/bin/view/Main/5000647 5000648 || [CISCO-PIXASA] Deny inbound ICMP || url, wiki.quadrantsec.com/bin/view/Main/5000648 5000649 || [CISCO-PIXASA] Auth from inside to outside failed [too many pending auths] || url, wiki.quadrantsec.com/bin/view/Main/5000649 5000650 || [CISCO-PIXASA] Can't find authorization ACL for user || url, wiki.quadrantsec.com/bin/view/Main/5000650 5000651 || [CISCO-PIXASA] Downloaded ACL has parsing error || url, wiki.quadrantsec.com/bin/view/Main/5000651 5000652 || [CISCO-PIXASA] Downloaded ACL has config error || url, wiki.quadrantsec.com/bin/view/Main/5000652 5000653 || [CISCO-PIXASA] Unable to install ACL, downloaded for user || url, wiki.quadrantsec.com/bin/view/Main/5000653 5000654 || [CISCO-PIXASA] Kerberos error. 
Clock skew with server greater than 300 seconds || url, wiki.quadrantsec.com/bin/view/Main/5000654 5000655 || [CISCO-PIXASA] FTP data connection failed || url, wiki.quadrantsec.com/bin/view/Main/5000655 5000656 || [CISCO-PIXASA] RCMD backconnection failed || url, wiki.quadrantsec.com/bin/view/Main/5000656 5000657 || [CISCO-PIXASA] LU sw_module_name error || url, wiki.quadrantsec.com/bin/view/Main/5000657 5000658 || [CISCO-PIXASA] LU allocate block [bytes] failed || url, wiki.quadrantsec.com/bin/view/Main/5000658 5000659 || [CISCO-PIXASA] LU allocate connection failed || url, wiki.quadrantsec.com/bin/view/Main/5000659 5000660 || [CISCO-PIXASA] LU look NAT failed || url, wiki.quadrantsec.com/bin/view/Main/5000660 5000661 || [CISCO-PIXASA] LU allocate xlate failed || url, wiki.quadrantsec.com/bin/view/Main/5000661 5000662 || [CISCO-PIXASA] LU make UDP connection for outside to inside failed || url, wiki.quadrantsec.com/bin/view/Main/5000662 5000663 || [CISCO-PIXASA] LU PAT port reserve failed || url, wiki.quadrantsec.com/bin/view/Main/5000663 5000664 || [CISCO-PIXASA] LU create static xlate interface failed || url, wiki.quadrantsec.com/bin/view/Main/5000664 5000665 || [CISCO-PIXASA] Memory allocation Error || url, wiki.quadrantsec.com/bin/view/Main/5000665 5000666 || [CISCO-PIXASA] Unable to open SNMP channel || url, wiki.quadrantsec.com/bin/view/Main/5000666 5000667 || [CISCO-PIXASA] Unable to open SNMP trap channel || url, wiki.quadrantsec.com/bin/view/Main/5000667 5000668 || [CISCO-PIXASA] Unable to receive an SNMP request on interface || url, wiki.quadrantsec.com/bin/view/Main/5000668 5000669 || [CISCO-PIXASA] Unable to send an SNMP response || url, wiki.quadrantsec.com/bin/view/Main/5000669 5000670 || [CISCO-PIXASA] Dropping SNMP request || url, wiki.quadrantsec.com/bin/view/Main/5000670 5000671 || [CISCO-PIXASA] PPTP tunnel hashtable insert failed || url, wiki.quadrantsec.com/bin/view/Main/5000671 5000672 || [CISCO-PIXASA] PPP virtual interface client ip 
allocation failed || url, wiki.quadrantsec.com/bin/view/Main/5000672 5000673 || [CISCO-PIXASA] H.323 library_name ASN Library failed to initialize || url, wiki.quadrantsec.com/bin/view/Main/5000673 5000674 || [CISCO-PIXASA] ACL = deny no sa created || url, wiki.quadrantsec.com/bin/view/Main/5000674 5000675 || [CISCO-PIXASA] {outbound static|identity|portmap|regular] translation creation failed || url, wiki.quadrantsec.com/bin/view/Main/5000675 5000676 || [CISCO-PIXASA] Denied ICMP || url, wiki.quadrantsec.com/bin/view/Main/5000676 5000677 || [CISCO-PIXASA] Denied ICMPv6 || url, wiki.quadrantsec.com/bin/view/Main/5000677 5000678 || [CISCO-PIXASA] Fail to establish SSH session because RSA host key retrieval failed || url, wiki.quadrantsec.com/bin/view/Main/5000678 5000679 || [CISCO-PIXASA] Denied new tunnel limit exceeded || url, wiki.quadrantsec.com/bin/view/Main/5000679 5000681 || [CISCO-PIXASA] IP routing table creation failure || url, wiki.quadrantsec.com/bin/view/Main/5000681 5000682 || [CISCO-PIXASA] Internal error || url, wiki.quadrantsec.com/bin/view/Main/5000682 5000683 || [CISCO-PIXASA] Arp update for IP address address to NPn failed || url, wiki.quadrantsec.com/bin/view/Main/5000683 5000684 || [CISCO-PIXASA] Route update for IP address failed || url, wiki.quadrantsec.com/bin/view/Main/5000684 5000685 || [CISCO-PIXASA] Deny MAC address possible spoof attempt || url, wiki.quadrantsec.com/bin/view/Main/5000685 5000686 || [CISCO-PIXASA] ARP inspection check failed [1] || url, wiki.quadrantsec.com/bin/view/Main/5000686 5000687 || [CISCO-PIXASA] ARP inspection check failed [2] || url, wiki.quadrantsec.com/bin/view/Main/5000687 5000690 || [CISCO-PIXASA] GSN tunnel limit exceeded || url, wiki.quadrantsec.com/bin/view/Main/5000690 5000691 || [CISCO-PIXASA] Radius Accounting Request has a bad header length || url, wiki.quadrantsec.com/bin/view/Main/5000691 5000692 || [CISCO-PIXASA] Unexpected error in the timer library || url, 
wiki.quadrantsec.com/bin/view/Main/5000692 5000693 || [CISCO-PIXASA] Error || url, wiki.quadrantsec.com/bin/view/Main/5000693 5000694 || [CISCO-PIXASA] An internal error occurred while processing a packet queue || url, wiki.quadrantsec.com/bin/view/Main/5000694 5000695 || [CISCO-PIXASA] Mrib notification failed || url, wiki.quadrantsec.com/bin/view/Main/5000695 5000696 || [CISCO-PIXASA] Entry-creation failed || url, wiki.quadrantsec.com/bin/view/Main/5000696 5000697 || [CISCO-PIXASA] Entry-update failed || url, wiki.quadrantsec.com/bin/view/Main/5000697 5000698 || [CISCO-PIXASA] MRIB registration failed || url, wiki.quadrantsec.com/bin/view/Main/5000698 5000699 || [CISCO-PIXASA] MRIB connection-open failed || url, wiki.quadrantsec.com/bin/view/Main/5000699 5000700 || [CISCO-PIXASA] MRIB unbind failed || url, wiki.quadrantsec.com/bin/view/Main/5000700 5000701 || [CISCO-PIXASA] MRIB table deletion failed || url, wiki.quadrantsec.com/bin/view/Main/5000701 5000702 || [CISCO-PIXASA] Initialization of string functionality failed || url, wiki.quadrantsec.com/bin/view/Main/5000702 5000703 || [CISCO-PIXASA] Internal error || url, wiki.quadrantsec.com/bin/view/Main/5000703 5000704 || [CISCO-PIXASA] Initialization failed || url, wiki.quadrantsec.com/bin/view/Main/5000704 5000705 || [CISCO-PIXASA] Communication error || url, wiki.quadrantsec.com/bin/view/Main/5000705 5000706 || [CISCO-PIXASA] Failed to set un-numbered interface || url, wiki.quadrantsec.com/bin/view/Main/5000706 5000707 || [CISCO-PIXASA] Interface Manager error || url, wiki.quadrantsec.com/bin/view/Main/5000707 5000708 || [CISCO-PIXASA] List error || url, wiki.quadrantsec.com/bin/view/Main/5000708 5000709 || [CISCO-PIXASA] Error || url, wiki.quadrantsec.com/bin/view/Main/5000709 5000710 || [CISCO-PIXASA] Error || url, wiki.quadrantsec.com/bin/view/Main/5000710 5000711 || [CISCO-PIXASA] An internal error occurred while processing a packet queue || url, wiki.quadrantsec.com/bin/view/Main/5000711 5000712 || 
[CISCO-PIXASA] Server unexpected error || url, wiki.quadrantsec.com/bin/view/Main/5000712 5000713 || [CISCO-PIXASA] Corrupted update || url, wiki.quadrantsec.com/bin/view/Main/5000713 5000714 || [CISCO-PIXASA] Asynchronous error || url, wiki.quadrantsec.com/bin/view/Main/5000714 5000715 || [CISCO-PIXASA] IP SLA Monitor Failed to initialize, will not work || url, wiki.quadrantsec.com/bin/view/Main/5000715 5000716 || [CISCO-PIXASA] IP SLA Monitor Generic Timer wheel timer functionality failed to initialize || url, wiki.quadrantsec.com/bin/view/Main/5000716 5000717 || [CISCO-PIXASA] PPPoE - Bad host-unique in PADO - packet dropped || url, wiki.quadrantsec.com/bin/view/Main/5000717 5000718 || [CISCO-PIXASA] PPPoE - Bad host-unique in PADS - dropping packet || url, wiki.quadrantsec.com/bin/view/Main/5000718 5000719 || [CISCO-PIXASA] PPPoEPPPoE client on interface failed to locate PPPoE vpdn group || url, wiki.quadrantsec.com/bin/view/Main/5000719 5000720 || [CISCO-PIXASA] Failed to save logging buffer using filename to FTP server || url, wiki.quadrantsec.com/bin/view/Main/5000720 5000721 || [CISCO-PIXASA] Failed to save logging buffer to flash or syslog directory using file name filename || url, wiki.quadrantsec.com/bin/view/Main/5000721 5000722 || [CISCO-PIXASA] NTP daemon Packet denied || url, wiki.quadrantsec.com/bin/view/Main/5000722 5000723 || [CISCO-PIXASA] NTP daemon Authentication failed || url, wiki.quadrantsec.com/bin/view/Main/5000723 5000724 || [CISCO-PIXASA] VPNClient Backup Server List Error || url, wiki.quadrantsec.com/bin/view/Main/5000724 5000725 || [CISCO-PIXASA] Error processing payload || url, wiki.quadrantsec.com/bin/view/Main/5000725 5000726 || [CISCO-PIXASA] Tunnel Rejected User matched with group name, check failed || url, wiki.quadrantsec.com/bin/view/Main/5000726 5000727 || [CISCO-PIXASA] Tunnel Rejected User not member of group, check failed || url, wiki.quadrantsec.com/bin/view/Main/5000727 5000728 || [CISCO-PIXASA] Failed to retrieve 
identity certificate || url, wiki.quadrantsec.com/bin/view/Main/5000728 5000729 || [CISCO-PIXASA] Set Cert filehandle failure no IPSec SA in group || url, wiki.quadrantsec.com/bin/view/Main/5000729 5000730 || [CISCO-PIXASA] Request attempt failed! || url, wiki.quadrantsec.com/bin/view/Main/5000730 5000731 || [CISCO-PIXASA] Failed to process CONNECTED notify! || url, wiki.quadrantsec.com/bin/view/Main/5000731 5000732 || [CISCO-PIXASA] Client-reported firewall does not match configured firewall action tunnel || url, wiki.quadrantsec.com/bin/view/Main/5000732 5000733 || [CISCO-PIXASA] Client did not report firewall in use, but there is a configured firewall action tunnel || url, wiki.quadrantsec.com/bin/view/Main/5000733 5000734 || [CISCO-PIXASA] TCP Connection to Firewall Server has been lost, restricted tunnels are now allowed full network access || url, wiki.quadrantsec.com/bin/view/Main/5000734 5000735 || [CISCO-PIXASA] Remote user network access has been restricted by the Firewall Server || url, wiki.quadrantsec.com/bin/view/Main/5000735 5000736 || [CISCO-PIXASA] Remote user has been rejected by the Firewall Server || url, wiki.quadrantsec.com/bin/view/Main/5000736 5000737 || [CISCO-PIXASA] Remote user has been terminated by the Firewall Server || url, wiki.quadrantsec.com/bin/view/Main/5000737 5000738 || [CISCO-PIXASA] Headend security gateway has failed our user authentication attempt - check configured username and password || url, wiki.quadrantsec.com/bin/view/Main/5000738 5000739 || [CISCO-PIXASA] Remote peer has failed user authentication - check configured username and password [10/5] || url, wiki.quadrantsec.com/bin/view/Main/5000739 5000740 || [CISCO-PIXASA] Error Username too long - connection aborted || url, wiki.quadrantsec.com/bin/view/Main/5000740 5000741 || [CISCO-PIXASA] User Authorization failed || url, wiki.quadrantsec.com/bin/view/Main/5000741 5000742 || [CISCO-PIXASA] IKE Receiver Error reading from socket || url, 
wiki.quadrantsec.com/bin/view/Main/5000742 5000743 || [CISCO-PIXASA] Connection failed with peer, no trust-point defined || url, wiki.quadrantsec.com/bin/view/Main/5000743 5000744 || [CISCO-PIXASA] Internal Error, ike_lock trying to lock bit that is already locked || url, wiki.quadrantsec.com/bin/view/Main/5000744 5000745 || [CISCO-PIXASA] Internal Error, ike_lock trying to unlock bit that is not locked || url, wiki.quadrantsec.com/bin/view/Main/5000745 5000746 || [CISCO-PIXASA] Querying keypair failed || url, wiki.quadrantsec.com/bin/view/Main/5000746 5000747 || [CISCO-PIXASA] Certificate enrollment failed for trustpoint || url, wiki.quadrantsec.com/bin/view/Main/5000747 5000748 || [CISCO-PIXASA] Certificate validation failed || url, wiki.quadrantsec.com/bin/view/Main/5000748 5000749 || [CISCO-PIXASA] CRL polling failed for trustpoint || url, wiki.quadrantsec.com/bin/view/Main/5000749 5000750 || [CISCO-PIXASA] Failed to refresh CRL cache entry from the server for trustpoint || url, wiki.quadrantsec.com/bin/view/Main/5000750 5000751 || [CISCO-PIXASA] Failed to query CA certificate for trustpoint || url, wiki.quadrantsec.com/bin/view/Main/5000751 5000752 || [CISCO-PIXASA] Failed to insert CRL for trustpoint || url, wiki.quadrantsec.com/bin/view/Main/5000752 5000753 || [CISCO-PIXASA] SSL failed to set device certificate for trustpoint || url, wiki.quadrantsec.com/bin/view/Main/5000753 5000754 || [CISCO-PIXASA] Certificate chain failed validation || url, wiki.quadrantsec.com/bin/view/Main/5000754 5000755 || [CISCO-PIXASA] Deny protocol || url, wiki.quadrantsec.com/bin/view/Main/5000755 5000756 || [CISCO-PIXASA] Failed to determine the security context for the packetvlansource Vlan || url, wiki.quadrantsec.com/bin/view/Main/5000756 5000757 || [CISCO-PIXASA] NT Domain Authentication Failed rejecting guest login for username. 
|| url, wiki.quadrantsec.com/bin/view/Main/5000757 5000758 || [CISCO-PIXASA] Authentication failed for admin user || url, wiki.quadrantsec.com/bin/view/Main/5000758 5000759 || [CISCO-PIXASA] Authentication failed for network user || url, wiki.quadrantsec.com/bin/view/Main/5000759 5000760 || [CISCO-PIXASA] Denied ICMP || url, wiki.quadrantsec.com/bin/view/Main/5000760 5000761 || [CISCO-PIXASA] No matching connection for ICMP error || url, wiki.quadrantsec.com/bin/view/Main/5000761 5000762 || [CISCO-PIXASA] NAC Downloaded ACL parse failure || url, wiki.quadrantsec.com/bin/view/Main/5000762 5000763 || [CISCO-PIXASA] Shun add failed unable to allocate resources || url, wiki.quadrantsec.com/bin/view/Main/5000763 5000764 || [CISCO-PIXASA] IPSEC Received an protocol packet from remote IP to local IP that failed anti-replay checking [0/5] || url, wiki.quadrantsec.com/bin/view/Main/5000764 5000765 || [CISCO-PIXASA] IPSEC Received an ESP packet from remote IP to local IP that failed authentication [0/5] || url, wiki.quadrantsec.com/bin/view/Main/5000765 5000766 || [CISCO-PIXASA] CRYPTO The hardware accelerator encountered an error while executing crypto command || url, wiki.quadrantsec.com/bin/view/Main/5000766 5000767 || [CISCO-PIXASA] PPPoE failed to assign PPP IP address || url, wiki.quadrantsec.com/bin/view/Main/5000767 5000768 || [CISCO-PIXASA] ISAKMP Failed to allocate address for client from pool string || url, wiki.quadrantsec.com/bin/view/Main/5000768 5000769 || [CISCO-PIXASA] H225 message contains bad protocol discriminator hex || url, wiki.quadrantsec.com/bin/view/Main/5000769 5000770 || [CISCO-PIXASA] Deny traffic for local-host, license limit of number exceeded || url, wiki.quadrantsec.com/bin/view/Main/5000770 5000771 || [CISCO-PIXASA] Dropped UDP SNMP packet || url, wiki.quadrantsec.com/bin/view/Main/5000771 5000772 || [CISCO-PIXASA] Filter violation error conn number || url, wiki.quadrantsec.com/bin/view/Main/5000772 5000773 || [CISCO-PIXASA] 
Through-the-device packet to/from management-only network is denied || url, wiki.quadrantsec.com/bin/view/Main/5000773 5000774 || [CISCO-PIXASA] Dropping TCP packet, MSS exceeded/size - possible network scan. || url, wiki.quadrantsec.com/bin/view/Main/5000774 5000775 || [CISCO-PIXASA] RTP conformance Dropping RTP packet || url, wiki.quadrantsec.com/bin/view/Main/5000775 5000776 || [CISCO-PIXASA] RTCP conformance Dropping RTCP packet || url, wiki.quadrantsec.com/bin/view/Main/5000776 5000777 || [CISCO-PIXASA] Dropping Skinny message length value too small || url, wiki.quadrantsec.com/bin/view/Main/5000777 5000778 || [CISCO-PIXASA] Dropping Skinny message length value too large || url, wiki.quadrantsec.com/bin/view/Main/5000778 5000779 || [CISCO-PIXASA] Dropping Skinny message id value not allowed || url, wiki.quadrantsec.com/bin/view/Main/5000779 5000780 || [CISCO-PIXASA] Dropping Skinny message id value registration not complete || url, wiki.quadrantsec.com/bin/view/Main/5000780 5000781 || [CISCO-PIXASA] Auto Update failed || url, wiki.quadrantsec.com/bin/view/Main/5000781 5000782 || [CISCO-PIXASA] Auto Update failed || url, wiki.quadrantsec.com/bin/view/Main/5000782 5000783 || [CISCO-PIXASA] DNS lookup for Server failed! 
|| url, wiki.quadrantsec.com/bin/view/Main/5000783 5000784 || [CISCO-PIXASA] Name lookup failed for hostname during PKI operation || url, wiki.quadrantsec.com/bin/view/Main/5000784 5000785 || [CISCO-PIXASA] Failed to find a suitable trustpoint for issuer || url, wiki.quadrantsec.com/bin/view/Main/5000785 5000786 || [CISCO-PIXASA] Tunnel group search using certificate maps failed || url, wiki.quadrantsec.com/bin/view/Main/5000786 5000787 || [CISCO-PIXASA] IP address end configuration {FAILED|OK} || url, wiki.quadrantsec.com/bin/view/Main/5000787 5000788 || [CISCO-PIXASA] FTP cmd_string command unsupported - failed strict inspection || url, wiki.quadrantsec.com/bin/view/Main/5000788 5000789 || [CISCO-PIXASA] Access denied URL chars || url, wiki.quadrantsec.com/bin/view/Main/5000789 5000790 || [CISCO-PIXASA] Asymmetric NAT rules matched for forward and reverse flows [0/1] || url, wiki.quadrantsec.com/bin/view/Main/5000790 5000791 || [CISCO-PIXASA] EAPoUDP association failed to establish || url, wiki.quadrantsec.com/bin/view/Main/5000791 5000792 || [CISCO-PIXASA] EAPoUDP failed to get a response from host || url, wiki.quadrantsec.com/bin/view/Main/5000792 5000793 || [CISCO-PIXASA] HTTP - matched string in policy-map verification failed || url, wiki.quadrantsec.com/bin/view/Main/5000793 5000794 || [CISCO-PIXASA] Bad TCP hdr length - Possible network scan || url, wiki.quadrantsec.com/bin/view/Main/5000794 5000796 || [CISCO-PIXASA] IKE area failed to find centry for message || url, wiki.quadrantsec.com/bin/view/Main/5000796 5000797 || [CISCO-PIXASA] Failure during phase 1 rekeying attempt due to collision || url, wiki.quadrantsec.com/bin/view/Main/5000797 5000798 || [CISCO-PIXASA] Ignoring received malformed firewall record || url, wiki.quadrantsec.com/bin/view/Main/5000798 5000800 || [CISCO-PIXASA] Create peer failure, already at maximum of number of peers || url, wiki.quadrantsec.com/bin/view/Main/5000800 5000801 || [CISCO-PIXASA] Fail to send to IP || url, 
wiki.quadrantsec.com/bin/view/Main/5000801 5000802 || [CISCO-PIXASA] Socket open failure || url, wiki.quadrantsec.com/bin/view/Main/5000802 5000803 || [CISCO-PIXASA] Socket bind failure || url, wiki.quadrantsec.com/bin/view/Main/5000803 5000804 || [CISCO-PIXASA] Send HELLO response failure || url, wiki.quadrantsec.com/bin/view/Main/5000804 5000805 || [CISCO-PIXASA] Send HELLO request failure || url, wiki.quadrantsec.com/bin/view/Main/5000805 5000806 || [CISCO-PIXASA] Send CFG UPDATE failure || url, wiki.quadrantsec.com/bin/view/Main/5000806 5000807 || [CISCO-PIXASA] Send OOS indicator failure || url, wiki.quadrantsec.com/bin/view/Main/5000807 5000808 || [CISCO-PIXASA] Send TOPOLOGY indicator failure || url, wiki.quadrantsec.com/bin/view/Main/5000808 5000809 || [CISCO-PIXASA] Create of secure tunnel failure || url, wiki.quadrantsec.com/bin/view/Main/5000809 5000810 || [CISCO-PIXASA] Delete of secure tunnel failure || url, wiki.quadrantsec.com/bin/view/Main/5000810 5000811 || [CISCO-PIXASA] Queue send failure from ISR || url, wiki.quadrantsec.com/bin/view/Main/5000811 5000812 || [CISCO-PIXASA] Inbound socket select fail || url, wiki.quadrantsec.com/bin/view/Main/5000812 5000813 || [CISCO-PIXASA] Inbound socket read fail || url, wiki.quadrantsec.com/bin/view/Main/5000813 5000814 || [CISCO-PIXASA] Cannot continue to run || url, wiki.quadrantsec.com/bin/view/Main/5000814 5000815 || [CISCO-PIXASA] Fail to create access list for peer || url, wiki.quadrantsec.com/bin/view/Main/5000815 5000816 || [CISCO-PIXASA] Fail to create tunnel group for peer || url, wiki.quadrantsec.com/bin/view/Main/5000816 5000817 || [CISCO-PIXASA] Fail to delete tunnel group for peer || url, wiki.quadrantsec.com/bin/view/Main/5000817 5000818 || [CISCO-PIXASA] Fail to create crypto map for peer || url, wiki.quadrantsec.com/bin/view/Main/5000818 5000819 || [CISCO-PIXASA] Fail to delete crypto map for peer || url, wiki.quadrantsec.com/bin/view/Main/5000819 5000820 || [CISCO-PIXASA] Fail to create 
crypto policy for peer || url, wiki.quadrantsec.com/bin/view/Main/5000820 5000821 || [CISCO-PIXASA] Fail to delete crypto policy for peer || url, wiki.quadrantsec.com/bin/view/Main/5000821 5000822 || [CISCO-PIXASA] Fail to install LB NP rules || url, wiki.quadrantsec.com/bin/view/Main/5000822 5000823 || [CISCO-PIXASA] Fail to delete LB NP rules || url, wiki.quadrantsec.com/bin/view/Main/5000823 5000824 || [CISCO-PIXASA] Deny IP [0/5] || url, wiki.quadrantsec.com/bin/view/Main/5000824 5000825 || [CISCO-PIXASA] Deny TCP [no connection] || url, wiki.quadrantsec.com/bin/view/Main/5000825 5000826 || [CISCO-PIXASA] Failed to determine the security context || url, wiki.quadrantsec.com/bin/view/Main/5000826 5000827 || [CISCO-PIXASA] Failed to determine the security context || url, wiki.quadrantsec.com/bin/view/Main/5000827 5000828 || [CISCO-PIXASA] access-list ACL {permitted | denied | est-allowed} protocol || url, wiki.quadrantsec.com/bin/view/Main/5000828 5000829 || [CISCO-PIXASA] Auth from inside to outside failed [server failed] on interface || url, wiki.quadrantsec.com/bin/view/Main/5000829 5000830 || [CISCO-PIXASA] Auth from inside to outside failed [all servers failed] on interface || url, wiki.quadrantsec.com/bin/view/Main/5000830 5000831 || [CISCO-PIXASA] Authentication failed for user [0/5] || url, wiki.quadrantsec.com/bin/view/Main/5000831 5000832 || [CISCO-PIXASA] Authorization permitted for user || url, wiki.quadrantsec.com/bin/view/Main/5000832 5000833 || [CISCO-PIXASA] Authorization denied for user from outside to inside on interface || url, wiki.quadrantsec.com/bin/view/Main/5000833 5000834 || [CISCO-PIXASA] Authorization denied [not authenticated] || url, wiki.quadrantsec.com/bin/view/Main/5000834 5000835 || [CISCO-PIXASA] Authorization denied for user || url, wiki.quadrantsec.com/bin/view/Main/5000835 5000836 || [CISCO-PIXASA] User user locked out on exceeding number successive failed authentication attempts || url, 
wiki.quadrantsec.com/bin/view/Main/5000836 5000837 || [CISCO-PIXASA] AAA unable to complete the request || url, wiki.quadrantsec.com/bin/view/Main/5000837 5000838 || [CISCO-PIXASA] URL Server request failed URL || url, wiki.quadrantsec.com/bin/view/Main/5000838 5000839 || [CISCO-PIXASA] RIP hdr failed || url, wiki.quadrantsec.com/bin/view/Main/5000839 5000840 || [CISCO-PIXASA] No management IP address configured for transparent firewall || url, wiki.quadrantsec.com/bin/view/Main/5000840 5000841 || [CISCO-PIXASA] NAC is disabled for host || url, wiki.quadrantsec.com/bin/view/Main/5000841 5000842 || [CISCO-PIXASA] Login denied [Brute Force] [10/1] || url, wiki.quadrantsec.com/bin/view/Main/5000842 5000843 || [CISCO-PIXASA] Authorization failed || url, wiki.quadrantsec.com/bin/view/Main/5000843 5000844 || [CISCO-PIXASA] User authentication failed [0/5] || url, wiki.quadrantsec.com/bin/view/Main/5000844 5000845 || [CISCO-PIXASA] VNPClient XAUTH Failed || url, wiki.quadrantsec.com/bin/view/Main/5000845 5000846 || [CISCO-PIXASA] VPNClient Secure Unit Authentication Disabled || url, wiki.quadrantsec.com/bin/view/Main/5000846 5000847 || [CISCO-PIXASA] VPNClient User Authentication Disabled || url, wiki.quadrantsec.com/bin/view/Main/5000847 5000848 || [CISCO-PIXASA] VPNClient Device Pass Thru Disabled || url, wiki.quadrantsec.com/bin/view/Main/5000848 5000849 || [CISCO-PIXASA] VPNClient Extended XAUTH conversation initiated when SUA disabled || url, wiki.quadrantsec.com/bin/view/Main/5000849 5000850 || [CISCO-PIXASA] Checksum Failure in database || url, wiki.quadrantsec.com/bin/view/Main/5000850 5000851 || [CISCO-PIXASA] vlan number not available for firewall interface || url, wiki.quadrantsec.com/bin/view/Main/5000851 5000852 || [CISCO-PIXASA] vlan number available for firewall interface || url, wiki.quadrantsec.com/bin/view/Main/5000852 5000853 || [CISCO-PIXASA] Bad register || url, wiki.quadrantsec.com/bin/view/Main/5000853 5000854 || [CISCO-PIXASA] Attempt to send an 
IKE packet from standby unit. Dropping the packet! [0/1] || url, wiki.quadrantsec.com/bin/view/Main/5000854 5000855 || [CISCO-PIXASA] Certificate received from Certificate Authority for trustpoint || url, wiki.quadrantsec.com/bin/view/Main/5000855 5000856 || [CISCO-PIXASA] PKCS 12 export failed || url, wiki.quadrantsec.com/bin/view/Main/5000856 5000857 || [CISCO-PIXASA] PKCS 12 import failed || url, wiki.quadrantsec.com/bin/view/Main/5000857 5000858 || [CISCO-PIXASA] uauth_lookup_net fail for uauth_in || url, wiki.quadrantsec.com/bin/view/Main/5000858 5000859 || [CISCO-PIXASA] Uauth null proxy error || url, wiki.quadrantsec.com/bin/view/Main/5000859 5000861 || [CISCO-PIXASA] Send failure || url, wiki.quadrantsec.com/bin/view/Main/5000861 5000862 || [CISCO-PIXASA] Cert validation failure handle invalid for Main/Aggressive Mode Initiator/Responder! || url, wiki.quadrantsec.com/bin/view/Main/5000862 5000863 || [CISCO-PIXASA] Attempt to get Phase 1 ID data failed while hash computation || url, wiki.quadrantsec.com/bin/view/Main/5000863 5000864 || [CISCO-PIXASA] Processing firewall record || url, wiki.quadrantsec.com/bin/view/Main/5000864 5000865 || [CISCO-PIXASA] Remote user has been granted access by the Firewall Server [Brute Force] [10/1] || url, wiki.quadrantsec.com/bin/view/Main/5000865 5000866 || [CISCO-PIXASA] The Firewall Server has requested a list of active user sessions || url, wiki.quadrantsec.com/bin/view/Main/5000866 5000867 || [CISCO-PIXASA] Got bad refCnt assigning || url, wiki.quadrantsec.com/bin/view/Main/5000867 5000868 || [CISCO-PIXASA] subroutine Q Send failure RetCode || url, wiki.quadrantsec.com/bin/view/Main/5000868 5000869 || [CISCO-PIXASA] subroutine name Bad message code Cod || url, wiki.quadrantsec.com/bin/view/Main/5000869 5000870 || [CISCO-PIXASA] IKE received response to a request from the utility || url, wiki.quadrantsec.com/bin/view/Main/5000870 5000871 || [CISCO-PIXASA] ERROR malformed Keepalive payload || url, 
wiki.quadrantsec.com/bin/view/Main/5000871 5000872 || [CISCO-PIXASA] Claims to be IOS but failed authentication || url, wiki.quadrantsec.com/bin/view/Main/5000872 5000873 || [CISCO-PIXASA] Dropped received IKE fragment || url, wiki.quadrantsec.com/bin/view/Main/5000873 5000874 || [CISCO-PIXASA] Error assembling fragments! Fragment numbers are non-continuous || url, wiki.quadrantsec.com/bin/view/Main/5000874 5000875 || [CISCO-PIXASA] IKE state_machine subtype FSM error history || url, wiki.quadrantsec.com/bin/view/Main/5000875 5000876 || [CISCO-PIXASA] Internal interprocess communication queue send failure || url, wiki.quadrantsec.com/bin/view/Main/5000876 5000877 || [CISCO-PIXASA] Send KEEPALIVE request failure || url, wiki.quadrantsec.com/bin/view/Main/5000877 5000878 || [CISCO-PIXASA] Send KEEPALIVE response failure || url, wiki.quadrantsec.com/bin/view/Main/5000878 5000879 || [CISCO-PIXASA] Fail to create group || url, wiki.quadrantsec.com/bin/view/Main/5000879 5000880 || [CISCO-PIXASA] Creation of group policy || url, wiki.quadrantsec.com/bin/view/Main/5000880 5000881 || [SENDMAIL] SpamAssassin Milter Plugin Remote Arbitrary Command Injection Attempt || url,http://www.securityfocus.com/bid/38578 || url, wiki.quadrantsec.com/bin/view/Main/5000881 5000883 || [BRO] Successful Password Guessing [0/5] || url,wiki.quadrantsec.com/bin/view/Main/5000883 5000884 || [BRO] Protocol Violation [0/5] || url,wiki.quadrantsec.com/bin/view/Main/5000884 5000885 || [BRO] Sensitive Login [0/5] || url,wiki.quadrantsec.com/bin/view/Main/5000885 5000886 || [BRO] Sensitive Connection [0/5] || url,wiki.quadrantsec.com/bin/view/Main/5000886 5000887 || [BRO] Sensitive Username in password [0/5] 5000888 || [JUNIPER] AS group missing 5000889 || [JUNIPER] Duplicate IP address 5000890 || [JUNIPER] BGP missing MD5 digest 5000891 || [JUNIPER] ARP address change 5000892 || [JUNIPER] BGP no route to host 5000893 || [JUNIPER] Login authentication error 5000894 || [JUNIPER] Possible authentication 
dictionary attack 5000895 || [JUNIPER] SONET Alarm 5000896 || [JUNIPER] Possible SONET ring failure 5000897 || [JUNIPER] SDH Alarm 5000898 || [FORTINET] Protect profile changed || url,wiki.quadrantsec.com/bin/view/Main/5000898 5000899 || [FORTINET] ICMP traffic disallowed || url,wiki.quadrantsec.com/bin/view/Main/5000899 5000900 || [FORTINET] Login from LCD || url,wiki.quadrantsec.com/bin/view/Main/5000900 5000901 || [FORTINET] Administrator Login || url,wiki.quadrantsec.com/bin/view/Main/5000901 5000902 || [FORTINET] Admin login from LCD failed || url,wiki.quadrantsec.com/bin/view/Main/5000902 5000903 || [FORTINET] Admin login failed || url,wiki.quadrantsec.com/bin/view/Main/5000903 5000904 || [FORTINET] To many bad admin login attempts || url,wiki.quadrantsec.com/bin/view/Main/5000904 5000905 || [FORTINET] Administrator logout || url,wiki.quadrantsec.com/bin/view/Main/5000905 5000906 || [FORTINET] IPS error mode || url,wiki.quadrantsec.com/bin/view/Main/5000906 5000907 || [FORTINET] Login failed [Brute Force] [5/5] || url,wiki.quadrantsec.com/bin/view/Main/5000907 5000908 || [FORTINET] Login accepted || url,wiki.quadrantsec.com/bin/view/Main/5000908 5000909 || [FORTINET] Disk full or almost full || url,wiki.quadrantsec.com/bin/view/Main/5000909 5000910 || [FORTINET] Fortigate has started || url,wiki.quadrantsec.com/bin/view/Main/5000910 5000911 || [FORTINET] Fortigate has entered error mode || url,wiki.quadrantsec.com/bin/view/Main/5000911 5000912 || [FORTINET] Fortigate has left error mode || url,wiki.quadrantsec.com/bin/view/Main/5000912 5000913 || [FORTINET] Administrator session timeout || url,wiki.quadrantsec.com/bin/view/Main/5000913 5000914 || [FORTINET] Abnormal Admin session drop || url,wiki.quadrantsec.com/bin/view/Main/5000914 5000915 || [FORTINET] Normal administrator logout || url,wiki.quadrantsec.com/bin/view/Main/5000915 5000916 || [FORTINET] Administrator is clearing/deleting logs || url,wiki.quadrantsec.com/bin/view/Main/5000916 5000917 || 
[FORTINET] Cannot store config. Low flash space || url,wiki.quadrantsec.com/bin/view/Main/5000917 5000918 || [FORTINET] Admin has left current VDOM || url,wiki.quadrantsec.com/bin/view/Main/5000918 5000919 || [FORTINET] Admin login failure || url,wiki.quadrantsec.com/bin/view/Main/5000919 5000920 || [FORTINET] Disk logs usage have exceeded || url,wiki.quadrantsec.com/bin/view/Main/5000920 5000921 || [FORTINET] Memory usage has exceeded || url,wiki.quadrantsec.com/bin/view/Main/5000921 5000922 || [FORTINET] Reason unknown error || url,wiki.quadrantsec.com/bin/view/Main/5000922 5000923 || [FORTINET] Out of error mode || url,wiki.quadrantsec.com/bin/view/Main/5000923 5000924 || [FORTINET] Administrator removed logs || url,wiki.quadrantsec.com/bin/view/Main/5000924 5000925 || [FORTINET] License about to expired || url,wiki.quadrantsec.com/bin/view/Main/5000925 5000926 || [FORTINET] Log disk is full || url,wiki.quadrantsec.com/bin/view/Main/5000926 5000927 || [FORTINET] Corrupted MAC packet detected || url,wiki.quadrantsec.com/bin/view/Main/5000927 5000928 || [FORTINET] Action reboot or shutdown || url,wiki.quadrantsec.com/bin/view/Main/5000928 5000929 || [FORTINET] Action reload || url,wiki.quadrantsec.com/bin/view/Main/5000929 5000930 || [FORTINET] Action factory_reset || url,wiki.quadrantsec.com/bin/view/Main/5000930 5000931 || [FORTINET] New access profile added || url,wiki.quadrantsec.com/bin/view/Main/5000931 5000932 || [FORTINET] Configuration change || url,wiki.quadrantsec.com/bin/view/Main/5000932 5000933 || [FORTINET] Access profile changed || url,wiki.quadrantsec.com/bin/view/Main/5000933 5000934 || [FORTINET] Access profile deleted || url,wiki.quadrantsec.com/bin/view/Main/5000934 5000935 || [FORTINET] New admin user added || url,wiki.quadrantsec.com/bin/view/Main/5000935 5000936 || [FORTINET] New user group added || url,wiki.quadrantsec.com/bin/view/Main/5000936 5000937 || [FORTINET] Flash memory is full! 
|| url,wiki.quadrantsec.com/bin/view/Main/5000937 5000938 || [FORTINET] Admin authentication success || url,wiki.quadrantsec.com/bin/view/Main/5000938 5000939 || [FORTINET] Admin authentication failure || url,wiki.quadrantsec.com/bin/view/Main/5000939 5000940 || [FORTINET] Admin authentication failure || url,wiki.quadrantsec.com/bin/view/Main/5000940 5000941 || [FORTINET] Failed authentication to many times || url,wiki.quadrantsec.com/bin/view/Main/5000941 5000942 || [FORTINET] Chassis fan anomaly || url,wiki.quadrantsec.com/bin/view/Main/5000942 5000943 || [FORTINET] Chassis temperature anomaly || url,wiki.quadrantsec.com/bin/view/Main/5000943 5000944 || [FORTINET] Chassis voltage anomaly || url,wiki.quadrantsec.com/bin/view/Main/5000944 5000945 || [FORTINET] Blade fan anomaly || url,wiki.quadrantsec.com/bin/view/Main/5000945 5000946 || [FORTINET] Blade temperature anomaly || url,wiki.quadrantsec.com/bin/view/Main/5000946 5000947 || [FORTINET] Blade voltage anomaly || url,wiki.quadrantsec.com/bin/view/Main/5000947 5000948 || [FORTINET] L2TP/PPTP/PPPoE Authentication success || url,wiki.quadrantsec.com/bin/view/Main/5000948 5000949 || [FORTINET] L2TP/PPTP/PPPoE Authentication failed || url,wiki.quadrantsec.com/bin/view/Main/5000949 5000950 || [FORTINET] L2TP/PPTP/PPPoE Max connection reached || url,wiki.quadrantsec.com/bin/view/Main/5000950 5000951 || [FORTINET] L2TP/PPTP/PPPoE Not enough memory || url,wiki.quadrantsec.com/bin/view/Main/5000951 5000952 || [FORTINET] Data Leak Prevention Rule Matched || url,wiki.quadrantsec.com/bin/view/Main/5000952 5000953 || [FORTINET] Application control instant messaging message || url,wiki.quadrantsec.com/bin/view/Main/5000953 5000954 || [FORTINET] Application control instant message file tranfer message || url,wiki.quadrantsec.com/bin/view/Main/5000954 5000955 || [FORTINET] Application control instant message chat message || url,wiki.quadrantsec.com/bin/view/Main/5000955 5000956 || [FORTINET] Control instant message SIP 
session blocked message || url,wiki.quadrantsec.com/bin/view/Main/5000956 5000957 || [FORTINET] Application control instant message message || url,wiki.quadrantsec.com/bin/view/Main/5000957 5000958 || [FORTINET] An application control VoIP-SIP session blocked message || url,wiki.quadrantsec.com/bin/view/Main/5000958 5000959 || [FORTINET] E-mail of an infected file || url,wiki.quadrantsec.com/bin/view/Main/5000959 5000960 || [FORTINET] File blocked via e-mail || url,wiki.quadrantsec.com/bin/view/Main/5000960 5000961 || [FORTINET] File intercepted via e-mail || url,wiki.quadrantsec.com/bin/view/Main/5000961 5000962 || [FORTINET] Attack signature matched [see content] [1] || url,wiki.quadrantsec.com/bin/view/Main/5000962 5000963 || [FORTINET] Attack signature matched [see content] [2] || url,wiki.quadrantsec.com/bin/view/Main/5000963 5000964 || [FORTINET] Banned word was found || url,wiki.quadrantsec.com/bin/view/Main/5000964 5000965 || [FORTINET] Cookie was removed || url,wiki.quadrantsec.com/bin/view/Main/5000965 5000966 || [FORTINET] Java applet was removed || url,wiki.quadrantsec.com/bin/view/Main/5000966 5000967 || [FORTINET] ActiveX script was removed || url,wiki.quadrantsec.com/bin/view/Main/5000967 5000968 || [FORTINET] URL was in blacklist || url,wiki.quadrantsec.com/bin/view/Main/5000968 5000969 || [FORTINET] URL belongs to a denied category || url,wiki.quadrantsec.com/bin/view/Main/5000969 5000970 || [FORTINET] calloc failed || url,wiki.quadrantsec.com/bin/view/Main/5000970 5000971 || [FORTINET] Admin changed another admin's password || url,wiki.quadrantsec.com/bin/view/Main/5000971 5000972 || [FORTINET] FTP attempt || url,wiki.quadrantsec.com/bin/view/Main/5000972 5000973 || [FORTINET] Entered system conserve mode! 
|| url,wiki.quadrantsec.com/bin/view/Main/5000973 5000974 || [FORTINET] Leaving system conserve mode || url,wiki.quadrantsec.com/bin/view/Main/5000974 5000975 || [FORTINET] General CRITICAL event || url,wiki.quadrantsec.com/bin/view/Main/5000975 5000976 || [SNORT] Not Suspicious Traffic || url,wiki.quadrantsec.com/bin/view/Main/5000976 5000977 || [SNORT] Unknown Traffic || url,wiki.quadrantsec.com/bin/view/Main/5000977 5000978 || [SNORT] Bad Traffic || url,wiki.quadrantsec.com/bin/view/Main/5000978 5000979 || [SNORT] Attempted Information Leak || url,wiki.quadrantsec.com/bin/view/Main/5000979 5000980 || [SNORT] Information Leak || url,wiki.quadrantsec.com/bin/view/Main/5000980 5000981 || [SNORT] Large Scale Information Leak || url,wiki.quadrantsec.com/bin/view/Main/5000981 5000982 || [SNORT] Attempted Denial of Service || url,wiki.quadrantsec.com/bin/view/Main/5000982 5000983 || [SNORT] Denial of Service || url,wiki.quadrantsec.com/bin/view/Main/5000983 5000984 || [SNORT] Attempted User Privilege Gain || url,wiki.quadrantsec.com/bin/view/Main/5000984 5000985 || [SNORT] Unsuccessful User Privilege Gain || url,wiki.quadrantsec.com/bin/view/Main/5000985 5000986 || [SNORT] Successful User Privilege Gain || url,wiki.quadrantsec.com/bin/view/Main/5000986 5000987 || [SNORT] Attempted Administrator Privilege Gain || url,wiki.quadrantsec.com/bin/view/Main/5000987 5000988 || [SNORT] Successful Administrator Privilege Gain || url,wiki.quadrantsec.com/bin/view/Main/5000988 5000989 || [SNORT] Decode of an RPC Query || url,wiki.quadrantsec.com/bin/view/Main/5000989 5000990 || [SNORT] Executable code was detected || url,wiki.quadrantsec.com/bin/view/Main/5000990 5000991 || [SNORT] A suspicious string was detected || url,wiki.quadrantsec.com/bin/view/Main/5000991 5000992 || [SNORT] A suspicious filename was detected || url,wiki.quadrantsec.com/bin/view/Main/5000992 5000993 || [SNORT] An attempted login using a suspicious username was detected || 
url,wiki.quadrantsec.com/bin/view/Main/5000993 5000995 || [SNORT] A system call was detected || url,wiki.quadrantsec.com/bin/view/Main/5000995 5000996 || [SNORT] A TCP connection was detected || url,wiki.quadrantsec.com/bin/view/Main/5000996 5000997 || [SNORT] A Network Trojan was detected || url,wiki.quadrantsec.com/bin/view/Main/5000997 5000998 || [SNORT] A client was using an unusual port || url,wiki.quadrantsec.com/bin/view/Main/5000998 5000999 || [SNORT] Detection of a Network Scan || url,wiki.quadrantsec.com/bin/view/Main/5000999 5001000 || [SNORT] Detection of a Denial of Service Attack || url,wiki.quadrantsec.com/bin/view/Main/5001000 5001001 || [SNORT] Detection of a non-standard protocol or event || url,wiki.quadrantsec.com/bin/view/Main/5001001 5001002 || [SNORT] Generic Protocol Command Decode || url,wiki.quadrantsec.com/bin/view/Main/5001002 5001003 || [SNORT] access to a potentially vulnerable web application || url,wiki.quadrantsec.com/bin/view/Main/5001003 5001004 || [SNORT] Web Application Attack || url,wiki.quadrantsec.com/bin/view/Main/5001004 5001005 || [SNORT] Misc activity || url,wiki.quadrantsec.com/bin/view/Main/5001005 5001006 || [SNORT] Misc Attack || url,wiki.quadrantsec.com/bin/view/Main/5001006 5001007 || [SNORT] Generic ICMP event || url,wiki.quadrantsec.com/bin/view/Main/5001007 5001008 || [SNORT] SCORE! Get the lotion! 
[Porn] || url,wiki.quadrantsec.com/bin/view/Main/5001008 5001009 || [SNORT] Potential Corporate Privacy Violation || url,wiki.quadrantsec.com/bin/view/Main/5001009 5001010 || [SNORT] Attempt to login by a default username and password || url,wiki.quadrantsec.com/bin/view/Main/5001010 5001011 || [SYSLOG] syslog-ng I/O error || url,wiki.quadrantsec.com/bin/view/Main/5001011 5001012 || [SYSLOG] syslog-ng suspend write || url,wiki.quadrantsec.com/bin/view/Main/5001012 5001013 || [SENDMAIL] Possible open proxy || url, wiki.quadrantsec.com/bin/view/Main/5001013 5001014 || [KISMET] Detected new managed network || url, wiki.quadrantsec.com/bin/view/Main/5001014 5001015 || [KISMET] Detected new ad-hoc network || url, wiki.quadrantsec.com/bin/view/Main/5001015 5001016 || [KISMET] Detected new probe network || url, wiki.quadrantsec.com/bin/view/Main/5001016 5001017 || [KISMET] Detected new turbocell network || url, wiki.quadrantsec.com/bin/view/Main/5001017 5001018 || [KISMET] Detected new data network || url, wiki.quadrantsec.com/bin/view/Main/5001018 5001019 || [KISMET] Found IP address range || url, wiki.quadrantsec.com/bin/view/Main/5001019 5001020 || [KISMET] Kismet starting to gather packets [Startup] || url, wiki.quadrantsec.com/bin/view/Main/5001020 5001021 || [KISMET] Older AirJack tool in use || url, wiki.quadrantsec.com/bin/view/Main/5001021 5001022 || [KISMET] Possible spoof/broken AP || url, wiki.quadrantsec.com/bin/view/Main/5001022 5001023 || [KISMET] Out-of-sequence BSS timestamp. Possible AP spoof || url, http://www.wve.org/entries/show/WVE-2005-0019 || url, wiki.quadrantsec.com/bin/view/Main/5001023 5001024 || [KISMET] AP change channels. 
Possibel AP spoof || url, http://www.wve.org/entries/show/WVE-2005-0019 || url, wiki.quadrantsec.com/bin/view/Main/5001024 5001025 || [KISMET] AP spoof with less-secure encryption || url, wiki.quadrantsec.com/bin/view/Main/5001025 5001026 || [KISMET] Spoofed disassociated/deauthenitcate packets || url, http://www.wve.org/entries/show/WVE-2005-0061 || url, http://www.wve.org/entries/show/WVE-2005-046 || url, http://www.wve.org/entries/show/WVE-2005-0045 || url, http://www.wve.org/entries/show/WVE-2005-0019 || url, wiki.quadrantsec.com/bin/view/Main/5001026 5001027 || [KISMET] DHCP DISCOVER send with Client-ID not matching MAC || url, wiki.quadrantsec.com/bin/view/Main/5001027 5001028 || [KISMET] Misconfigured or spoofed client [ignoring DHCP] || url, wiki.quadrantsec.com/bin/view/Main/5001028 5001029 || [KISMET] Spoofed client [incorrectly] injecting data || url, wiki.quadrantsec.com/bin/view/Main/5001029 5001030 || [KISMET] Invalid disconnect/deauthenticate || url, wiki.quadrantsec.com/bin/view/Main/5001030 5001031 || [KISMET] Possible client spoof/MAC cloning attack || url, wiki.quadrantsec.com/bin/view/Main/5001031 5001032 || [KISMET] Over-size SSID. 
Possible exploit attempt || url, wiki.quadrantsec.com/bin/view/Main/5001032 5001033 || [KISMET] Older Lucent/Orinico card scanning the network || url, wiki.quadrantsec.com/bin/view/Main/5001033 5001034 || [KISMET] Broadcom wireless improper SSID handling || url, http://www.wve.org/entries/show/WVE-2006-0071 || url, wiki.quadrantsec.com/bin/view/Main/5001034 5001035 || [KISMET] Windows D-Link improper SSID handling || url, http://www.wve.org/entries/show/WVE-2006-0072 || url, wiki.quadrantsec.com/bin/view/Main/5001035 5001036 || [KISMET] Windows Netgear over-size beacon frame || url, wiki.quadrantsec.com/bin/view/Main/5001036 5001037 || [KISMET] Older version of Netsumbler detected || url, wiki.quadrantsec.com/bin/view/Main/5001037 5001038 || [KISMET] Zero length probe/response packet || url, http://www.wve.org/entries/show/WVE-2005-0019 || url, wiki.quadrantsec.com/bin/view/Main/5001038 5001039 || [KISMET] Active scanning tool deteceted [probe] || url, wiki.quadrantsec.com/bin/view/Main/5001039 5001040 || [KISMET] Kismet shutting down || url, wiki.quadrantsec.com/bin/view/Main/5001040 5001041 || [HOSTAPD] Possible downgrade attack || url, wiki.quadrantsec.com/bin/view/Main/5001041 5001042 || [HOSTAPD] Possible downgrade attack || url, wiki.quadrantsec.com/bin/view/Main/5001042 5001043 || [HOSTAPD] UPnP DoS excessive addresses [DoS] || url, wiki.quadrantsec.com/bin/view/Main/5001043 5001044 || [HOSTAPD] Radius - Starting accounting session || url, wiki.quadrantsec.com/bin/view/Main/5001044 5001045 || [HOSTAPD] WPA pairwise key handshake complete || url, wiki.quadrantsec.com/bin/view/Main/5001045 5001046 || [HOSTAPD] IEEE 802.11 - Disassociated || url, wiki.quadrantsec.com/bin/view/Main/5001046 5001047 || [HOSTAPD] IEEE 802.11 - Associated || url, wiki.quadrantsec.com/bin/view/Main/5001047 5001048 || [HOSTAPD] WPA - group key handshake complete [RSN] || url, wiki.quadrantsec.com/bin/view/Main/5001048 5001049 || [HOSTAPD] IEEE 802.11 - deauthenticated due to local 
deauth request || url, wiki.quadrantsec.com/bin/view/Main/5001049 5001050 || [RSYNC] mkdir failure. Permission denied || url, wiki.quadrantsec.com/bin/view/Main/5001050 5001051 || [RSYNC] stat failure. Permission denied || url, wiki.quadrantsec.com/bin/view/Main/5001051 5001052 || [RSYNC] Inbound rsync connection || url, wiki.quadrantsec.com/bin/view/Main/5001052 5001053 || [RSYNC] Connection closed stats || url, wiki.quadrantsec.com/bin/view/Main/5001053 5001054 || [RSYNC] Authentication failure || url, wiki.quadrantsec.com/bin/view/Main/5001054 5001055 || [RSYNC] Some files could not be transferred || url, wiki.quadrantsec.com/bin/view/Main/5001055 5001056 || [WINDOWS-MISC] Disk corruption [0/2] || url,wiki.quadrantsec.com/bin/view/Main/5001056 5001057 || [APC-EMU] Humidity violation || url,wiki.quadrantsec.com/bin/view/Main/5001057 5001058 || [APC-EMU] Humidity violation cleared || url,wiki.quadrantsec.com/bin/view/Main/5001058 5001059 || [APC-EMU] Front door opened || url,wiki.quadrantsec.com/bin/view/Main/5001059 5001060 || [APC-EMU] Front door closed || url,wiki.quadrantsec.com/bin/view/Main/5001060 5001061 || [ARP] arpwatch - New activity [new machine] || url,wiki.quadrantsec.com/bin/view/Main/5001061 5001062 || [ARP] arpwatch - Broadcast address detected || url,wiki.quadrantsec.com/bin/view/Main/5001062 5001063 || [ARP] arpwatch - Bogus IP address detected || url,wiki.quadrantsec.com/bin/view/Main/5001063 5001064 || [ARP] arpwatch - Ethernet mismatch [MAC != ARP] || url,wiki.quadrantsec.com/bin/view/Main/5001064 5001065 || [ASTERISK] Invalid to address || url,wiki.quadrantsec.com/bin/view/Main/5001065 5001066 || [BONDING] Interface is up || url,wiki.quadrantsec.com/bin/view/Main/5001066 5001067 || [BONDING] Interface is down || url,wiki.quadrantsec.com/bin/view/Main/5001067 5001069 || [BONDING] Link status down for active interface || url,wiki.quadrantsec.com/bin/view/Main/5001069 5001070 || [BONDING] Making interface the new active one || 
url,wiki.quadrantsec.com/bin/view/Main/5001070 5001071 || [BONDING] Interface is up and now the active interface || url,wiki.quadrantsec.com/bin/view/Main/5001071 5001072 || [BONDING] ARP monitoring enabled || url,wiki.quadrantsec.com/bin/view/Main/5001072 5001073 || [BONDING] Enslaving interface || url,wiki.quadrantsec.com/bin/view/Main/5001073 5001074 || [BONDING] Released all slaves || url,wiki.quadrantsec.com/bin/view/Main/5001074 5001075 || [BONDING] Failed to get speed or duplex || url,wiki.quadrantsec.com/bin/view/Main/5001075 5001076 || [CACTI] CPU went above threshold || url,wiki.quadrantsec.com/bin/view/Main/5001076 5001077 || [CACTI] CPU restored to normal || url,wiki.quadrantsec.com/bin/view/Main/5001077 5001078 || [IMAPD] Exessive login failures || url,wiki.quadrantsec.com/bin/view/Main/5001078 5001079 || [ARP] arpalert - Detected new machine on the network [mac-new] || url,wiki.quadrantsec.com/bin/view/Main/5001079 5001080 || [ARP] arpalert - MAC address flood || url,wiki.quadrantsec.com/bin/view/Main/5001080 5001081 || [ARP] arpalert - MAC address blacklisted || url,wiki.quadrantsec.com/bin/view/Main/5001081 5001082 || [ARP] arpalert - MAC address changed || url,wiki.quadrantsec.com/bin/view/Main/5001082 5001083 || [SONICWALL] Possible TCP Port Scan || url,wiki.quadrantsec.com/bin/view/Main/5001085 5001084 || [SONICWALL] IPS Detection Alert || url,wiki.quadrantsec.com/bin/view/Main/5001084 5001085 || [SONICWALL] Possible UDP Port Scan || url,wiki.quadrantsec.com/bin/view/Main/5001085 5001086 || [CISCO-PIXASA] Access denied URL || url, wiki.quadrantsec.com/bin/view/Main/5001086 5001087 || [CISCO-PIXASA] AAA user authentication successful [0/5] || url, wiki.quadrantsec.com/bin/view/Main/5001087 5001088 || [CISCO-PIXASA] Disconnect by SSH server || url, wiki.quadrantsec.com/bin/view/Main/5001088 5001089 || [CISCO-PIXASA] Access denied URL chars - HTTPS || url, wiki.quadrantsec.com/bin/view/Main/5001089 5001090 || [SONICWALL] IPS Detection Alert || 
url,wiki.quadrantsec.com/bin/view/Main/5001090 5001091 || [CISCO-PIXASA] Access denied URL - HTTPS || url, wiki.quadrantsec.com/bin/view/Main/5001091 5001092 || [CISCO-PIXASA] AAA user authentication Reject [0/5] || url, wiki.quadrantsec.com/bin/view/Main/5001092 5001093 || [WEBLABYRINTH] New host logged! || url,wiki.quadrantsec.com/bin/view/Main/5001093 5001094 || [SENDMAIL] Insufficient system resources [Remote] [0/5] || url, wiki.quadrantsec.com/bin/view/Main/5001094 5001095 || [WEBLABYRINTH] Weblabyrinth - Crawler Ensnared! || url,wiki.quadrantsec.com/bin/view/Main/5001095 5001096 || [WINDOWS-MISC] MSSQLServer I/O error || url,wiki.quadrantsec.com/bin/view/Main/5001096 5001097 || [VMWARE] User login successful || url,wiki.quadrantsec.com/bin/view/Main/5001097 5001098 || [VMWARE] User logoff successful || url,wiki.quadrantsec.com/bin/view/Main/5001098 5001099 || [VMWARE] Lost access to volume || url,wiki.quadrantsec.com/bin/view/Main/5001098 5001100 || [VMWARE] Possible HD/Datastore failure || url,wiki.quadrantsec.com/bin/view/Main/5001100 5001101 || [VMWARE] User login successful || url,wiki.quadrantsec.com/bin/view/Main/5001101 5001102 || [XINETD] Courierpassd|Poppassd - Old password is incorrect || url,wiki.quadrantsec.com/bin/view/Main/5001102 5001103 || [COURIER] Courierpassd|Poppassd - Changed user password || url,wiki.quadrantsec.com/bin/view/Main/5001103 5001104 || [LINUX-KERNEL] IPTABLES TCP || url,wiki.quadrantsec.com/bin/view/Main/5001104 5001105 || [LINUX-KERNEL] IPTABLES TCP || url,wiki.quadrantsec.com/bin/view/Main/5001105 5001120 || [HP-E-SERIES-SWITCH] Invalid username/password || url,wiki.quadrantsec.com/bin/view/Main/5001120 5001121 || [HP-E-SERIES-SWITCH] port is off-line || url,wiki.quadrantsec.com/bin/view/Main/5001121 5001122 || [HP-E-SERIES-SWITCH] System went down: || url,wiki.quadrantsec.com/bin/view/Main/5001122 5001123 || [HP-E-SERIES-SWITCH] Port Security Violation || url,wiki.quadrantsec.com/bin/view/Main/5001123 5001124 || 
[HP-E-SERIES-L3-SWITCH] port is off-line || url,wiki.quadrantsec.com/bin/view/Main/5001124 5001125 || [HP-E-SERIES-L3-SWITCH] Invalid username/password || url,wiki.quadrantsec.com/bin/view/Main/5001125 5001126 || [ADTRAN] TCP INTERNAL BLOCK || url,wiki.quadrantsec.com/bin/view/Main/5001126 5001127 || [ADTRAN] UDP INTERNAL BLOCK || url,wiki.quadrantsec.com/bin/view/Main/5001127 5001129 || [JUNIPER] The scheduled IDP security package update failed to start || url,wiki.quadrantsec.com/bin/view/Main/5001129 5001130 || [JUNIPER] IDP daemon encountered an internal error || url,wiki.quadrantsec.com/bin/view/Main/5001130 5001131 || [JUNIPER] An attempt to start IDP policy daemon failed || url,wiki.quadrantsec.com/bin/view/Main/5001131 5001132 || [JUNIPER] IDP Attack log generated for attack || url,wiki.quadrantsec.com/bin/view/Main/5001132 5001133 || [JUNIPER] IDP Attack log generated for attack in a logical system || url,wiki.quadrantsec.com/bin/view/Main/5001133 5001134 || [JUNIPER] IDP policy commit has completed || url,wiki.quadrantsec.com/bin/view/Main/5001134 5001135 || [JUNIPER] There was an error while trying to commit the active policy in IDPD || url,wiki.quadrantsec.com/bin/view/Main/5001135 5001136 || [JUNIPER] IDP IPv6 support is not enabled for the rulebase || url,wiki.quadrantsec.com/bin/view/Main/5001136 5001137 || [JUNIPER] IDP policy compiler encountered an error while compiling or packaging the policy || url,wiki.quadrantsec.com/bin/view/Main/5001137 5001138 || [JUNIPER] A compiled and optimized IDP policy could not be loaded into IDP engine || url,wiki.quadrantsec.com/bin/view/Main/5001138 5001139 || [JUNIPER] A compiled and optimized IDP policy was loaded successfully into the IDP engine || url,wiki.quadrantsec.com/bin/view/Main/5001139 5001140 || [JUNIPER] A running IDP policy could not be unloaded from IDP engine || url,wiki.quadrantsec.com/bin/view/Main/5001140 5001141 || [JUNIPER] A running IDP policy was unloaded successfully from the IDP engine || 
url,wiki.quadrantsec.com/bin/view/Main/5001141 5001142 || [JUNIPER] The scheduled IDP security package update has started || url,wiki.quadrantsec.com/bin/view/Main/5001142 5001143 || [JUNIPER] IDP background process has returned the security package install result || url,wiki.quadrantsec.com/bin/view/Main/5001143 5001144 || [JUNIPER] IDP session threshold crossing event || url,wiki.quadrantsec.com/bin/view/Main/5001144 5001145 || [JUNIPER] IDP session threshold crossing event in a logical system || url,wiki.quadrantsec.com/bin/view/Main/5001145 5001146 || [JUNIPER] IDP signature update license key has expired || url,wiki.quadrantsec.com/bin/view/Main/5001146 5001147 || [JUNIPER] application-level distributed denial-of-service (AppDDoS) state transition occurred || url,wiki.quadrantsec.com/bin/view/Main/5001147 5001148 || [JUNIPER] application-level distributed denial-of-service (AppDDoS) state transition occurred in logical system || url,wiki.quadrantsec.com/bin/view/Main/5001148 5001149 || [JUNIPER] Application-level distributed denial-of-service (AppDDoS) attack in a logical system || url,wiki.quadrantsec.com/bin/view/Main/5001149 5001150 || [JUNIPER] Application-level distributed denial-of-service (AppDDoS) attack || url,wiki.quadrantsec.com/bin/view/Main/5001150 5001151 || [WINDOWS-AUTH] Login failure - Unknown username or bad password - Brute force [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5001151 5001152 || [WINDOWS-AUTH] Login failure - Account login time restriction || url,wiki.quadrantsec.com/bin/view/Main/5001152 5001153 || [WINDOWS-AUTH] Login failure - Account currently disabled [0/1] || url,wiki.quadrantsec.com/bin/view/Main/5001153 5001154 || [WINDOWS-AUTH] Login failure - Specified account expired || url,wiki.quadrantsec.com/bin/view/Main/5001154 5001155 || [WINDOWS-AUTH] Login failure - User not allowed to login at this computer || url,wiki.quadrantsec.com/bin/view/Main/5001155 5001156 || [WINDOWS-AUTH] Login failure - User not granted login 
type || url,wiki.quadrantsec.com/bin/view/Main/5001156 5001157 || [WINDOWS-AUTH] Login failure - Account password is expired || url,wiki.quadrantsec.com/bin/view/Main/5001157 5001158 || [WINDOWS-AUTH] Login failure - Internal error || url,wiki.quadrantsec.com/bin/view/Main/5001158 5001159 || [WINDOWS-AUTH] Login failure - Account locked [0/1] || url,wiki.quadrantsec.com/bin/view/Main/5001159 5001160 || [WINDOWS-AUTH] Windows DC Logon Failure - Brute force [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5001160 5001161 || [WINDOWS-AUTH] User account unlocked || url,wiki.quadrantsec.com/bin/view/Main/5001161 5001162 || [WINDOWS-AUTH] Security enabled group created || url,wiki.quadrantsec.com/bin/view/Main/5001162 5001163 || [WINDOWS-AUTH] Security enabled group deleted || url,wiki.quadrantsec.com/bin/view/Main/5001163 5001164 || [WINDOWS-AUTH] Group account created || url,wiki.quadrantsec.com/bin/view/Main/5001164 5001165 || [WINDOWS-AUTH] Group account deleted || url,wiki.quadrantsec.com/bin/view/Main/5001165 5001166 || [WINDOWS-AUTH] Security enabled global group member added || url,wiki.quadrantsec.com/bin/view/Main/5001166 5001167 || [WINDOWS-AUTH] Security enabled global group member removed || url,wiki.quadrantsec.com/bin/view/Main/5001167 5001168 || [WINDOWS-AUTH] Security enabled global group deleted || url,wiki.quadrantsec.com/bin/view/Main/5001168 5001169 || [WINDOWS-AUTH] Security enabled local group created || url,wiki.quadrantsec.com/bin/view/Main/5001169 5001170 || [WINDOWS-AUTH] Security enabled local group member added || url,wiki.quadrantsec.com/bin/view/Main/5001170 5001171 || [WINDOWS-AUTH] Security enabled local group member removed || url,wiki.quadrantsec.com/bin/view/Main/5001171 5001172 || [WINDOWS-AUTH] Security enabled local group deleted || url,wiki.quadrantsec.com/bin/view/Main/5001172 5001173 || [WINDOWS-AUTH] Security enabled local group changed || url,wiki.quadrantsec.com/bin/view/Main/5001173 5001174 || [WINDOWS-AUTH] Security enabled 
group changed || url,wiki.quadrantsec.com/bin/view/Main/5001174 5001176 || [WINDOWS-AUTH] Security enabled universal group created || url,wiki.quadrantsec.com/bin/view/Main/5001176 5001177 || [WINDOWS-AUTH] Security enabled universal group changed || url,wiki.quadrantsec.com/bin/view/Main/5001177 5001178 || [WINDOWS-AUTH] Security enabled universal group member added || url,wiki.quadrantsec.com/bin/view/Main/5001178 5001179 || [WINDOWS-AUTH] Security enabled group member removed || url,wiki.quadrantsec.com/bin/view/Main/5001179 5001180 || [WINDOWS-AUTH] Security enabled group member deleted || url,wiki.quadrantsec.com/bin/view/Main/5001180 5001181 || [WINDOWS-AUTH] RDP maximum allowed failed logon attempts || url,wiki.quadrantsec.com/bin/view/Main/5001181 5001182 || [WINDOWS-MISC] Application uninstall || url,wiki.quadrantsec.com/bin/view/Main/5001182 5001183 || [WINDOWS-MISC] Application install || url,wiki.quadrantsec.com/bin/view/Main/5001183 5001184 || [WINDOWS-MISC] Windows is shutting down || url,wiki.quadrantsec.com/bin/view/Main/5001184 5001185 || [WINDOWS-MISC] Windows audit log was cleared || url,wiki.quadrantsec.com/bin/view/Main/5001185 5001186 || [WINDOWS-AUTH] Windows login attempt (ignored). 
Duplicated || url,wiki.quadrantsec.com/bin/view/Main/5001186 5001187 || [WINDOWS-AUTH] Remote access login failure || url,wiki.quadrantsec.com/bin/view/Main/5001187 5001188 || [WINDOWS-AUTH] Remote access login success || url,wiki.quadrantsec.com/bin/view/Main/5001188 5001189 || [WINDOWS-AUTH] Computer account changed/deleted || url,wiki.quadrantsec.com/bin/view/Main/5001189 5001190 || [WINDOWS-AUTH] Computer account changed/deleted || url,wiki.quadrantsec.com/bin/view/Main/5001190 5001191 || [WINDOWS-MISC] File system full || url,wiki.quadrantsec.com/bin/view/Main/5001191 5001192 || [WINDOWS-AUTH] Account locked out [multiple login errors] [0/1] || url,wiki.quadrantsec.com/bin/view/Main/5001192 5001193 || [WINDOWS-AUTH] General account database changed || url,wiki.quadrantsec.com/bin/view/Main/5001193 5001194 || [WINDOWS-MISC] System time has changed || url,wiki.quadrantsec.com/bin/view/Main/5001194 5001195 || [WINDOWS-AUTH] DC - Integrity check on decrypted || url,wiki.quadrantsec.com/bin/view/Main/5001195 5001196 || [WINDOWS-AUTH] DC - Possible replay attack || url,wiki.quadrantsec.com/bin/view/Main/5001196 5001197 || [WINDOWS-AUTH] DC - Clock skew too great || url,wiki.quadrantsec.com/bin/view/Main/5001197 5001198 || [CISCO-IOS] Fans had a rotation error reported [0/2] || url,wiki.quadrantsec.com/bin/view/Main/5001198 5001199 || [CISCO-IOS] Power Controller reports power Imax error detected || url,wiki.quadrantsec.com/bin/view/Main/5001190 5001200 || [CITRIX] Netscaler - URL Transformation action matched URL || url,wiki.quadrantsec.com/bin/view/Main/5001200 || url,support.citrix.com/article/CTX123875 5001201 || [CITRIX] Netscaler - URL Transformation action didn't match URL || url,wiki.quadrantsec.com/bin/view/Main/5001201 || url,support.citrix.com/article/CTX123875 5001202 || [CITRIX] Netscaler - AppFw Request error. 
Generated 400 Response || url,wiki.quadrantsec.com/bin/view/Main/5001202 || url,support.citrix.com/article/CTX123875 5001203 || [CITRIX] Netscaler - Add a confidential field || url,wiki.quadrantsec.com/bin/view/Main/5001203 || url,support.citrix.com/article/CTX123875 5001204 || [CITRIX] Netscaler - Add an AppFw Field Type || url,wiki.quadrantsec.com/bin/view/Main/5001204 || url,support.citrix.com/article/CTX123875 5001205 || [CITRIX] Netscaler - Add an AppFw profile || url,wiki.quadrantsec.com/bin/view/Main/5001205 || url,support.citrix.com/article/CTX123875 5001206 || [CITRIX] Netscaler - AppFw rule bound to HTML profile || url,wiki.quadrantsec.com/bin/view/Main/5001206 || url,support.citrix.com/article/CTX123875 5001207 || [CITRIX] Netscaler - AppFw rule bound to XML profile || url,wiki.quadrantsec.com/bin/view/Main/5001207 || url,support.citrix.com/article/CTX123875 5001208 || [CITRIX] Netscaler - Memory allocation request failed || url,wiki.quadrantsec.com/bin/view/Main/5001208 || url,support.citrix.com/article/CTX123875 5001209 || [CITRIX] Netscaler - Remove a confidential field || url,wiki.quadrantsec.com/bin/view/Main/5001209 || url,support.citrix.com/article/CTX123875 5001210 || [CITRIX] Netscaler - Remove an Appfw Field Type || url,wiki.quadrantsec.com/bin/view/Main/5001210 || url,support.citrix.com/article/CTX123875 5001211 || [CITRIX] Netscaler - Remove an AppFw profile || url,wiki.quadrantsec.com/bin/view/Main/5001211 || url,support.citrix.com/article/CTX123875 5001212 || [CITRIX] Netscaler - Appsecure uthread a stack error || url,wiki.quadrantsec.com/bin/view/Main/5001212 || url,support.citrix.com/article/CTX123875 5001213 || [CITRIX] Netscaler - SNMP module stopped an alarm || url,wiki.quadrantsec.com/bin/view/Main/5001213 || url,support.citrix.com/article/CTX123875 5001214 || [CITRIX] Netscaler - SNMP module alarm || url,wiki.quadrantsec.com/bin/view/Main/5001214 || url,support.citrix.com/article/CTX123875 5001215 || [CITRIX] Netscaler - AppFw Buffer 
Overflow violation in Cookie || url,wiki.quadrantsec.com/bin/view/Main/5001215 || url,support.citrix.com/article/CTX123875 5001216 || [CITRIX] Netscaler - AppFw Buffer Overflow violation in HTTP Headers || url,wiki.quadrantsec.com/bin/view/Main/5001216 || url,support.citrix.com/article/CTX123875 5001217 || [CITRIX] Netscaler - AppFw Buffer Overflow violation in URL || url,wiki.quadrantsec.com/bin/view/Main/5001217 || url,support.citrix.com/article/CTX123875 5001218 || [CITRIX] Netscaler - AppFw Cookie Consistency violation || url,wiki.quadrantsec.com/bin/view/Main/5001218 || url,support.citrix.com/article/CTX123875 5001219 || [CITRIX] Netscaler - AppFw CSRF tag violation || url,wiki.quadrantsec.com/bin/view/Main/5001219 || url,support.citrix.com/article/CTX123875 5001220 || [CITRIX] Netscaler - AppFw DenyURL violation || url,wiki.quadrantsec.com/bin/view/Main/5001220 || url,support.citrix.com/article/CTX123875 5001221 || [CITRIX] Netscaler - AppFw Field Consistency violation || url,wiki.quadrantsec.com/bin/view/Main/5001221 || url,support.citrix.com/article/CTX123875 5001222 || [CITRIX] Netscaler - AppFw Field Format violation || url,wiki.quadrantsec.com/bin/view/Main/5001222 || url,support.citrix.com/article/CTX123875 5001223 || [CITRIX] Netscaler - AppFw profile invoked || url,wiki.quadrantsec.com/bin/view/Main/5001223 || url,support.citrix.com/article/CTX123875 5001224 || [CITRIX] Netscaler - AppFw built-in profile invoked || url,wiki.quadrantsec.com/bin/view/Main/5001224 || url,support.citrix.com/article/CTX123875 5001225 || [CITRIX] Netscaler - AppFw Referer header violation || url,wiki.quadrantsec.com/bin/view/Main/5001225 || url,support.citrix.com/article/CTX123875 5001226 || [CITRIX] Netscaler - AppFw Safe Commerce violation || url,wiki.quadrantsec.com/bin/view/Main/5001226 || url,support.citrix.com/article/CTX123875 5001227 || [CITRIX] Netscaler - AppFw Safe Commerce violation detected and transformed || url,wiki.quadrantsec.com/bin/view/Main/5001227 || 
url,support.citrix.com/article/CTX123875 5001228 || [CITRIX] Netscaler - AppFw Safe Object violation || url,wiki.quadrantsec.com/bin/view/Main/5001228 || url,support.citrix.com/article/CTX123875 5001229 || [CITRIX] Netscaler - AppFw SQL Injection violation || url,wiki.quadrantsec.com/bin/view/Main/5001229 || url,support.citrix.com/article/CTX123875 5001230 || [CITRIX] Netscaler - AppFw StartURL violation || url,wiki.quadrantsec.com/bin/view/Main/5001230 || url,support.citrix.com/article/CTX123875 5001231 || [CITRIX] Netscaler - Boundary mismatch in mime message || url,wiki.quadrantsec.com/bin/view/Main/5001231 || url,support.citrix.com/article/CTX123875 5001232 || [CITRIX] Netscaler - XML Attachment CallBack is NULL but HTTP message is MIME Attachment message || url,wiki.quadrantsec.com/bin/view/Main/5001232 || url,support.citrix.com/article/CTX123875 5001233 || [CITRIX] Netscaler - XML Message has an Attachment with Illegal Content-Type || url,wiki.quadrantsec.com/bin/view/Main/5001233 || url,support.citrix.com/article/CTX123875 5001234 || [CITRIX] Netscaler - String is supposed to be MIME Header. 
But it is not according to the format of Mime Header HeaderName:HeaderValue || url,wiki.quadrantsec.com/bin/view/Main/5001234 || url,support.citrix.com/article/CTX123875 5001235 || [CITRIX] Netscaler - HTTP Content type should be 'application/xop+xml' or '^(text|application)/([a-zA-Z]*+ xml|xml)' || url,wiki.quadrantsec.com/bin/view/Main/5001235 || url,support.citrix.com/article/CTX123875 5001236 || [CITRIX] Netscaler - XML Message has an Attachment with size greater than the Configured Max Attachment Size || url,wiki.quadrantsec.com/bin/view/Main/5001236 || url,support.citrix.com/article/CTX123875 5001237 || [CITRIX] Netscaler - Attachment Found in the XML Message || url,wiki.quadrantsec.com/bin/view/Main/5001237 || url,support.citrix.com/article/CTX123875 5001238 || [CITRIX] Netscaler - AppFw XML DDoS Send Fail Error || url,wiki.quadrantsec.com/bin/view/Main/5001238 || url,support.citrix.com/article/CTX123875 5001239 || [CITRIX] Netscaler - Exceeds max character data length || url,wiki.quadrantsec.com/bin/view/Main/5001239 || url,support.citrix.com/article/CTX123875 5001240 || [CITRIX] Netscaler - DTD present in the XML message || url,wiki.quadrantsec.com/bin/view/Main/5001240 || url,support.citrix.com/article/CTX123875 5001241 || [CITRIX] Netscaler - External entities present in the XML message || url,wiki.quadrantsec.com/bin/view/Main/5001241 || url,support.citrix.com/article/CTX123875 5001242 || [CITRIX] Netscaler - AppFw XML DoS Maximum Error || url,wiki.quadrantsec.com/bin/view/Main/5001242 || url,support.citrix.com/article/CTX123875 5001243 || [CITRIX] Netscaler - Element exceeds maximum attributes per element || url,wiki.quadrantsec.com/bin/view/Main/5001243 || url,support.citrix.com/article/CTX123876 5001244 || [CITRIX] Netscaler - Element an attribute exceeds maximum name length || url,wiki.quadrantsec.com/bin/view/Main/5001244 || url,support.citrix.com/article/CTX123875 5001245 || [CITRIX] Netscaler - Element attribute exceeds maximum attribute value 
length || url,wiki.quadrantsec.com/bin/view/Main/5001245 || url,support.citrix.com/article/CTX123875 5001246 || [CITRIX] Netscaler - Element exceeds maximum elements per message || url,wiki.quadrantsec.com/bin/view/Main/5001246 || url,support.citrix.com/article/CTX123875 5001247 || [CITRIX] Netscaler - Parent of element exceed maximum children || url,wiki.quadrantsec.com/bin/view/Main/5001247 || url,support.citrix.com/article/CTX123875 5001248 || [CITRIX] Netscaler - Element exceeds maximum element depth || url,wiki.quadrantsec.com/bin/view/Main/5001248 || url,support.citrix.com/article/CTX123875 5001249 || [CITRIX] Netscaler - Element exceeds maximum element name length || url,wiki.quadrantsec.com/bin/view/Main/5001249 || url,support.citrix.com/article/CTX123875 5001250 || [CITRIX] Netscaler - Exceeds max number of entity expansions || url,wiki.quadrantsec.com/bin/view/Main/5001250 || url,support.citrix.com/article/CTX123875 5001251 || [CITRIX] Netscaler - Exceeds max entity expansion depth || url,wiki.quadrantsec.com/bin/view/Main/5001251 || url,support.citrix.com/article/CTX123875 5001252 || [CITRIX] Netscaler - Message size exceeds max size || url,wiki.quadrantsec.com/bin/view/Main/5001252 || url,support.citrix.com/article/CTX123875 5001253 || [CITRIX] Netscaler - Element exceeds maximum active namespaces || url,wiki.quadrantsec.com/bin/view/Main/5001253 || url,support.citrix.com/article/CTX123875 5001254 || [CITRIX] Netscaler - In element a namespace exceeds maximum URI length || url,wiki.quadrantsec.com/bin/view/Main/5001254 || url,support.citrix.com/article/CTX123875 5001255 || [CITRIX] Netscaler - Node exceeds maximum nodes per message || url,wiki.quadrantsec.com/bin/view/Main/5001255 || url,support.citrix.com/article/CTX123875 5001256 || [CITRIX] Netscaler - Message size less than min size || url,wiki.quadrantsec.com/bin/view/Main/5001256 || url,support.citrix.com/article/CTX123875 5001257 || [CITRIX] Netscaler - Processing instructions present in the XML 
message || url,wiki.quadrantsec.com/bin/view/Main/5001257 || url,support.citrix.com/article/CTX123875 5001258 || [CITRIX] Netscaler - AppFw XML Internal error || url,wiki.quadrantsec.com/bin/view/Main/5001258 || url,support.citrix.com/article/CTX123875 5001259 || [CITRIX] Netscaler - AppFw XML DDoS Connect to Server Failed || url,wiki.quadrantsec.com/bin/view/Main/5001259 || url,support.citrix.com/article/CTX123875 5001260 || [CITRIX] Netscaler - AppFw XML DDoS Interaction socket open Failed || url,wiki.quadrantsec.com/bin/view/Main/5001260 || url,support.citrix.com/article/CTX123875 5001261 || [CITRIX] Netscaler - AppFw XML DDoS Invalid Config File || url,wiki.quadrantsec.com/bin/view/Main/5001261 || url,support.citrix.com/article/CTX123875 5001262 || [CITRIX] Netscaler - AppFw XML DDoS No Folder Installation Path || url,wiki.quadrantsec.com/bin/view/Main/5001262 || url,support.citrix.com/article/CTX123875 5001263 || [CITRIX] Netscaler - AppFw XML DDoS Failure to Open Config File || url,wiki.quadrantsec.com/bin/view/Main/5001263 || url,support.citrix.com/article/CTX123875 5001264 || [CITRIX] Netscaler - Denial of Service Error || url,wiki.quadrantsec.com/bin/view/Main/5001264 || url,support.citrix.com/article/CTX123875 5001265 || [CITRIX] Netscaler - Environment variable QTHOME not set || url,wiki.quadrantsec.com/bin/view/Main/5001265 || url,support.citrix.com/article/CTX123875 5001266 || [CITRIX] Netscaler - Problems inserting a namespace into the hash table || url,wiki.quadrantsec.com/bin/view/Main/5001266 || url,support.citrix.com/article/CTX123875 5001267 || [CITRIX] Netscaler - Problems getting the key of a namespace from the hash table || url,wiki.quadrantsec.com/bin/view/Main/5001267 || url,support.citrix.com/article/CTX123875 5001268 || [CITRIX] Netscaler - Unable to initialize XML tokenizer || url,wiki.quadrantsec.com/bin/view/Main/5001268 || url,support.citrix.com/article/CTX123875 5001269 || [CITRIX] Netscaler - Unable to open the file || 
url,wiki.quadrantsec.com/bin/view/Main/5001269 || url,support.citrix.com/article/CTX123875 5001270 || [CITRIX] Netscaler - AppFw XML Internal State Invalid || url,wiki.quadrantsec.com/bin/view/Main/5001270 || url,support.citrix.com/article/CTX123875 5001271 || [CITRIX] Netscaler - Invalid XPath || url,wiki.quadrantsec.com/bin/view/Main/5001271 || url,support.citrix.com/article/CTX123875 5001272 || [CITRIX] Netscaler - AppFw XML Low memory || url,wiki.quadrantsec.com/bin/view/Main/5001272 || url,support.citrix.com/article/CTX123875 5001273 || [CITRIX] Netscaler - Malformed address || url,wiki.quadrantsec.com/bin/view/Main/5001273 || url,support.citrix.com/article/CTX123875 5001274 || [CITRIX] Netscaler - Message is not a well-formed XML || url,wiki.quadrantsec.com/bin/view/Main/5001274 || url,support.citrix.com/article/CTX123875 5001275 || [CITRIX] Netscaler - The message having content-type as 'Multipart/Related' and not having a boundary is invalid || url,wiki.quadrantsec.com/bin/view/Main/5001275 || url,support.citrix.com/article/CTX123875 5001276 || [CITRIX] Netscaler - NS-XML APPFW supports SwA and MTOM SOAP attachments || url,wiki.quadrantsec.com/bin/view/Main/5001276 || url,support.citrix.com/article/CTX123875 5001277 || [CITRIX] Netscaler - Problems registering callbacks for operations || url,wiki.quadrantsec.com/bin/view/Main/5001277 || url,support.citrix.com/article/CTX123875 5001278 || [CITRIX] Netscaler - Prefix length exceeded || url,wiki.quadrantsec.com/bin/view/Main/5001278 || url,support.citrix.com/article/CTX123875 5001279 || [CITRIX] Netscaler - AppFw XML Read Failure || url,wiki.quadrantsec.com/bin/view/Main/5001279 || url,support.citrix.com/article/CTX123875 5001280 || [CITRIX] Netscaler - Message contains SOAP Fault || url,wiki.quadrantsec.com/bin/view/Main/5001280 || url,support.citrix.com/article/CTX123875 5001281 || [CITRIX] Netscaler - Problems during pop of the node out of the XML stream || url,wiki.quadrantsec.com/bin/view/Main/5001281 || 
url,support.citrix.com/article/CTX123875 5001282 || [CITRIX] Netscaler - Problems during push of the node into the XML stream || url,wiki.quadrantsec.com/bin/view/Main/5001282 || url,support.citrix.com/article/CTX123875 5001283 || [CITRIX] Netscaler - Port in address is greater than 65535 || url,wiki.quadrantsec.com/bin/view/Main/5001283 || url,support.citrix.com/article/CTX123875 5001284 || [CITRIX] Netscaler - Unsupported protocol || url,wiki.quadrantsec.com/bin/view/Main/5001284 || url,support.citrix.com/article/CTX123875 5001285 || [CITRIX] Netscaler - AppFw XML Validation Failed || url,wiki.quadrantsec.com/bin/view/Main/5001285 || url,support.citrix.com/article/CTX123875 5001286 || [CITRIX] Netscaler - AppFw XML Context is NULL || url,wiki.quadrantsec.com/bin/view/Main/5001286 || url,support.citrix.com/article/CTX123875 5001287 || [CITRIX] Netscaler - Context user state is NULL - Internal error || url,wiki.quadrantsec.com/bin/view/Main/5001287 || url,support.citrix.com/article/CTX123875 5001288 || [CITRIX] Netscaler - Message config struct is NULL || url,wiki.quadrantsec.com/bin/view/Main/5001288 || url,support.citrix.com/article/CTX123875 5001289 || [CITRIX] Netscaler - Dumps the SOAP Fault contents to Audit log || url,wiki.quadrantsec.com/bin/view/Main/5001289 || url,support.citrix.com/article/CTX123875 5001290 || [CITRIX] Netscaler - AppFw SQL Injection violation in XML || url,wiki.quadrantsec.com/bin/view/Main/5001290 || url,support.citrix.com/article/CTX123875 5001291 || [CITRIX] Netscaler - Cannot instantiate abstract element || url,wiki.quadrantsec.com/bin/view/Main/5001291 || url,support.citrix.com/article/CTX123875 5001292 || [CITRIX] Netscaler - Cannot instantiate abstract type || url,wiki.quadrantsec.com/bin/view/Main/5001292 || url,support.citrix.com/article/CTX123875 5001293 || [CITRIX] Netscaler - Additional soap header present in soap message || url,wiki.quadrantsec.com/bin/view/Main/5001293 || url,support.citrix.com/article/CTX123875 5001294 || 
[CITRIX] Netscaler - Attribute appears more than once in element || url,wiki.quadrantsec.com/bin/view/Main/5001294 || url,support.citrix.com/article/CTX123875 5001295 || [CITRIX] Netscaler - Required attribute missing in element || url,wiki.quadrantsec.com/bin/view/Main/5001295 || url,support.citrix.com/article/CTX123875 5001296 || [CITRIX] Netscaler - Compiled WSDL file is corrupt || url,wiki.quadrantsec.com/bin/view/Main/5001296 || url,support.citrix.com/article/CTX123875 5001297 || [CITRIX] Netscaler - Content model of element not satisfied || url,wiki.quadrantsec.com/bin/view/Main/5001297 || url,support.citrix.com/article/CTX123875 5001298 || [CITRIX] Netscaler - Compiled WSDL file is corrupt || url,wiki.quadrantsec.com/bin/view/Main/5001298 || url,support.citrix.com/article/CTX123875 5001299 || [CITRIX] Netscaler - Error compiling the schema || url,wiki.quadrantsec.com/bin/view/Main/5001299 || url,support.citrix.com/article/CTX123875 5001300 || [CITRIX] Netscaler - Initialization of the data type engine failed || url,wiki.quadrantsec.com/bin/view/Main/5001300 || url,support.citrix.com/article/CTX123875 5001301 || [CITRIX] Netscaler - Internal corruption of WSDL in-memory structure || url,wiki.quadrantsec.com/bin/view/Main/5001301 || url,support.citrix.com/article/CTX123875 5001302 || [CITRIX] Netscaler - Attribute is invalid || url,wiki.quadrantsec.com/bin/view/Main/5001302 || url,support.citrix.com/article/CTX123875 5001303 || [CITRIX] Netscaler - Invalid configuration for soap validation || url,wiki.quadrantsec.com/bin/view/Main/5001303 || url,support.citrix.com/article/CTX123875 5001304 || [CITRIX] Netscaler - Not able to open compiled WSDL || url,wiki.quadrantsec.com/bin/view/Main/5001304 || url,support.citrix.com/article/CTX123875 5001305 || [CITRIX] Netscaler - Element has invalid content model || url,wiki.quadrantsec.com/bin/view/Main/5001305 || url,support.citrix.com/article/CTX123875 5001306 || [CITRIX] Netscaler - Data type is invalid || 
url,wiki.quadrantsec.com/bin/view/Main/5001306 || url,support.citrix.com/article/CTX123875 5001307 || [CITRIX] Netscaler - Invalid element || url,wiki.quadrantsec.com/bin/view/Main/5001307 || url,support.citrix.com/article/CTX123875 5001308 || [CITRIX] Netscaler - Not able to open the file || url,wiki.quadrantsec.com/bin/view/Main/5001308 || url,support.citrix.com/article/CTX123875 5001309 || [CITRIX] Netscaler - Did not get expected type for element || url,wiki.quadrantsec.com/bin/view/Main/5001309 || url,support.citrix.com/article/CTX123875 5001310 || [CITRIX] Netscaler - Unable to load validation engine || url,wiki.quadrantsec.com/bin/view/Main/5001310 || url,support.citrix.com/article/CTX123875 5001311 || [CITRIX] Netscaler - AppFw XML Validation Max Error || url,wiki.quadrantsec.com/bin/view/Main/5001311 || url,support.citrix.com/article/CTX123875 5001312 || [CITRIX] Netscaler - Service URL is not present or NULL || url,wiki.quadrantsec.com/bin/view/Main/5001312 || url,support.citrix.com/article/CTX123875 5001313 || [CITRIX] Netscaler - Feature not supported || url,wiki.quadrantsec.com/bin/view/Main/5001313 || url,support.citrix.com/article/CTX123875 5001314 || [CITRIX] Netscaler - Trying to pop from an empty stack || url,wiki.quadrantsec.com/bin/view/Main/5001314 || url,support.citrix.com/article/CTX123875 5001315 || [CITRIX] Netscaler - Level of recursion more than maximum allowed depth || url,wiki.quadrantsec.com/bin/view/Main/5001315 || url,support.citrix.com/article/CTX123875 5001316 || [CITRIX] Netscaler - Both SOAP Body and SOAP Header are empty in the SOAP request || url,wiki.quadrantsec.com/bin/view/Main/5001316 || url,support.citrix.com/article/CTX123875 5001317 || [CITRIX] Netscaler - Soap Body structure check failed || url,wiki.quadrantsec.com/bin/view/Main/5001317 || url,support.citrix.com/article/CTX123875 5001318 || [CITRIX] Netscaler - Soap Envelope structure check failed || url,wiki.quadrantsec.com/bin/view/Main/5001318 || 
url,support.citrix.com/article/CTX123875 5001319 || [CITRIX] Netscaler - Soap Header structure check failed || url,wiki.quadrantsec.com/bin/view/Main/5001319 || url,support.citrix.com/article/CTX123875 5001320 || [CITRIX] Netscaler - Prefix is unbounded || url,wiki.quadrantsec.com/bin/view/Main/5001320 || url,support.citrix.com/article/CTX123875 5001321 || [CITRIX] Netscaler - Element cannot be nil || url,wiki.quadrantsec.com/bin/view/Main/5001321 || url,support.citrix.com/article/CTX123875 5001322 || [CITRIX] Netscaler - Element is nil || url,wiki.quadrantsec.com/bin/view/Main/5001322 || url,support.citrix.com/article/CTX123875 5001323 || [CITRIX] Netscaler - Invalid data type || url,wiki.quadrantsec.com/bin/view/Main/5001323 || url,support.citrix.com/article/CTX123875 5001324 || [CITRIX] Netscaler - Element cannot appear at this location || url,wiki.quadrantsec.com/bin/view/Main/5001324 || url,support.citrix.com/article/CTX123875 5001325 || [CITRIX] Netscaler - Facet mismatch || url,wiki.quadrantsec.com/bin/view/Main/5001325 || url,support.citrix.com/article/CTX123875 5001326 || [CITRIX] Netscaler - AppFw XML Validator Load Failed || url,wiki.quadrantsec.com/bin/view/Main/5001326 || url,support.citrix.com/article/CTX123875 5001327 || [CITRIX] Netscaler - Attribute has invalid || url,wiki.quadrantsec.com/bin/view/Main/5001327 || url,support.citrix.com/article/CTX123875 5001328 || [CITRIX] Netscaler - Invalid schema data type || url,wiki.quadrantsec.com/bin/view/Main/5001328 || url,support.citrix.com/article/CTX123875 5001329 || [CITRIX] Netscaler - Invalid schema node type || url,wiki.quadrantsec.com/bin/view/Main/5001329 || url,support.citrix.com/article/CTX123875 5001330 || [CITRIX] Netscaler - Value does not match FIXED constraint || url,wiki.quadrantsec.com/bin/view/Main/5001330 || url,support.citrix.com/article/CTX123875 5001331 || [CITRIX] Netscaler - List length is greater than max allowed || url,wiki.quadrantsec.com/bin/view/Main/5001331 || 
url,support.citrix.com/article/CTX123875 5001332 || [CITRIX] Netscaler - List length is invalid || url,wiki.quadrantsec.com/bin/view/Main/5001332 || url,support.citrix.com/article/CTX123875 5001333 || [CITRIX] Netscaler - List length is lesser than min allowed || url,wiki.quadrantsec.com/bin/view/Main/5001333 || url,support.citrix.com/article/CTX123875 5001334 || [CITRIX] Netscaler - AppFw XML Validation Maximum Load Error || url,wiki.quadrantsec.com/bin/view/Main/5001334 || url,support.citrix.com/article/CTX123875 5001335 || [CITRIX] Netscaler - Missing require attribute in element || url,wiki.quadrantsec.com/bin/view/Main/5001335 || url,support.citrix.com/article/CTX123875 5001336 || [CITRIX] Netscaler - Error code in the compiled Schema is being ignored || url,wiki.quadrantsec.com/bin/view/Main/5001336 || url,support.citrix.com/article/CTX123875 5001337 || [CITRIX] Netscaler - Error code in the compiled WSDL is being ignored || url,wiki.quadrantsec.com/bin/view/Main/5001337 || url,support.citrix.com/article/CTX123875 5001338 || [CITRIX] Netscaler - AppFw XML WSI Internal Context NULL || url,wiki.quadrantsec.com/bin/view/Main/5001338 || url,support.citrix.com/article/CTX123875 5001339 || [CITRIX] Netscaler - AppFw XML WSI HTTP Error || url,wiki.quadrantsec.com/bin/view/Main/5001339 || url,support.citrix.com/article/CTX123875 5001340 || [CITRIX] Netscaler - Resource id of deployment is NULL || url,wiki.quadrantsec.com/bin/view/Main/5001340 || url,support.citrix.com/article/CTX123875 5001341 || [CITRIX] Netscaler - Port URL is NULL || url,wiki.quadrantsec.com/bin/view/Main/5001341 || url,support.citrix.com/article/CTX123875 5001342 || [CITRIX] Netscaler - Deployed resource is not WSDL || url,wiki.quadrantsec.com/bin/view/Main/5001342 || url,support.citrix.com/article/CTX123875 5001343 || [CITRIX] Netscaler - AppFw XML WSI List Null || url,wiki.quadrantsec.com/bin/view/Main/5001343 || url,support.citrix.com/article/CTX123875 5001344 || [CITRIX] Netscaler - Error 
during initialization || url,wiki.quadrantsec.com/bin/view/Main/5001344 || url,support.citrix.com/article/CTX123875 5001345 || [CITRIX] Netscaler - AppFw XML XSDLOAD Failed during Compile || url,wiki.quadrantsec.com/bin/view/Main/5001345 || url,support.citrix.com/article/CTX123875 5001346 || [CITRIX] Netscaler - No XSModel to print || url,wiki.quadrantsec.com/bin/view/Main/5001346 || url,support.citrix.com/article/CTX123875 5001347 || [CITRIX] Netscaler - Error during parsing || url,wiki.quadrantsec.com/bin/view/Main/5001347 || url,support.citrix.com/article/CTX123875 5001348 || [CITRIX] Netscaler - Unexpected exception during parsing || url,wiki.quadrantsec.com/bin/view/Main/5001348 || url,support.citrix.com/article/CTX123875 5001349 || [CITRIX] Netscaler - AppFw XSS violation in XML || url,wiki.quadrantsec.com/bin/view/Main/5001349 || url,support.citrix.com/article/CTX123875 5001350 || [CITRIX] Netscaler - AppFw XSS violation || url,wiki.quadrantsec.com/bin/view/Main/5001350 || url,support.citrix.com/article/CTX123875 5001351 || [CITRIX] Netscaler - URL Transformation in a response body || url,wiki.quadrantsec.com/bin/view/Main/5001351 || url,support.citrix.com/article/CTX123875 5001352 || [CITRIX] Netscaler - Cache flush starts || url,wiki.quadrantsec.com/bin/view/Main/5001352 || url,support.citrix.com/article/CTX123875 5001353 || [CITRIX] Netscaler - Cache flush is complete || url,wiki.quadrantsec.com/bin/view/Main/5001353 || url,support.citrix.com/article/CTX123875 5001354 || [CITRIX] Netscaler - Severity ERROR - client security check for a SSLVPN session failed || url,wiki.quadrantsec.com/bin/view/Main/5001354 || url,support.citrix.com/article/CTX123875 5001355 || [CITRIX] Netscaler - Severity ERROR when client security expression evaluates to False || url,wiki.quadrantsec.com/bin/view/Main/5001355 || url,support.citrix.com/article/CTX123875 5001356 || [CITRIX] Netscaler - Logs the NSCLI/GUI command executed in NetScaler || 
url,wiki.quadrantsec.com/bin/view/Main/5001356 || url,support.citrix.com/article/CTX123875 5001357 || [CITRIX] Netscaler - Completed reading the configuration from ns.conf file || url,wiki.quadrantsec.com/bin/view/Main/5001357 || url,support.citrix.com/article/CTX123875 5001358 || [CITRIX] Netscaler - Read the configuration from ns.conf file || url,wiki.quadrantsec.com/bin/view/Main/5001358 || url,support.citrix.com/article/CTX123875 5001359 || [CITRIX] Netscaler - Server side and a client side TCP connection is delinked || url,wiki.quadrantsec.com/bin/view/Main/5001359 || url,support.citrix.com/article/CTX123875 5001360 || [CITRIX] Netscaler - TCP connection terminated || url,wiki.quadrantsec.com/bin/view/Main/5001360 || url,support.citrix.com/article/CTX123875 5001361 || [CITRIX] Netscaler - The input URL before rewriting || url,wiki.quadrantsec.com/bin/view/Main/5001361 || url,support.citrix.com/article/CTX123875 5001362 || [CITRIX] Netscaler - The matched URL || url,wiki.quadrantsec.com/bin/view/Main/5001362 || url,support.citrix.com/article/CTX123875 5001363 || [CITRIX] Netscaler - PCRE Error || url,wiki.quadrantsec.com/bin/view/Main/5001363 || url,support.citrix.com/article/CTX123875 5001364 || [CITRIX] Netscaler - The rewritten URL || url,wiki.quadrantsec.com/bin/view/Main/5001364 || url,support.citrix.com/article/CTX123875 5001365 || [CITRIX] Netscaler - Device is down || url,wiki.quadrantsec.com/bin/view/Main/5001365 || url,support.citrix.com/article/CTX123875 5001366 || [CITRIX] Netscaler - Device is out of service || url,wiki.quadrantsec.com/bin/view/Main/5001366 || url,support.citrix.com/article/CTX123875 5001367 || [CITRIX] Netscaler - Device is up || url,wiki.quadrantsec.com/bin/view/Main/5001367 || url,support.citrix.com/article/CTX123875 5001368 || [CITRIX] Netscaler - After a user logs in the group for the user has been extracted || url,wiki.quadrantsec.com/bin/view/Main/5001368 || url,support.citrix.com/article/CTX123875 5001369 || [CITRIX] 
Netscaler - URL Transformation profile invoked || url,wiki.quadrantsec.com/bin/view/Main/5001369 || url,support.citrix.com/article/CTX123875 5001370 || [CITRIX] Netscaler - Bad memory is freed (internal error) || url,wiki.quadrantsec.com/bin/view/Main/5001370 || url,support.citrix.com/article/CTX123875 5001371 || [CITRIX] Netscaler - Duplicate memory free occurs (internal error) || url,wiki.quadrantsec.com/bin/view/Main/5001371 || url,support.citrix.com/article/CTX123875 5001372 || [CITRIX] Netscaler - Memory is freed from a wrong pool (internal error) || url,wiki.quadrantsec.com/bin/view/Main/5001372 || url,support.citrix.com/article/CTX123875 5001373 || [CITRIX] Netscaler - A SSLVPN session receives a HTTP request || url,wiki.quadrantsec.com/bin/view/Main/5001373 || url,support.citrix.com/article/CTX123875 5001374 || [CITRIX] Netscaler - A http resource access is denied by policy engine || url,wiki.quadrantsec.com/bin/view/Main/5001374 || url,support.citrix.com/article/CTX123875 5001375 || [CITRIX] Netscaler - ICA application has terminated || url,wiki.quadrantsec.com/bin/view/Main/5001375 || url,support.citrix.com/article/CTX123875 5001376 || [CITRIX] Netscaler - ICA application launch has started || url,wiki.quadrantsec.com/bin/view/Main/5001376 || url,support.citrix.com/article/CTX123875 5001377 || [CITRIX] Netscaler - SSLVPN license limit reached || url,wiki.quadrantsec.com/bin/view/Main/5001377 || url,support.citrix.com/article/CTX123875 5001378 || [CITRIX] Netscaler - SSLVPN login succeeds || url,wiki.quadrantsec.com/bin/view/Main/5001378 || url,support.citrix.com/article/CTX123875 5001379 || [CITRIX] Netscaler - AAA module failed to login the user - Brute force [5/5] || url,wiki.quadrantsec.com/bin/view/Main/5001379 || url,support.citrix.com/article/CTX123875 5001380 || [CITRIX] Netscaler - SSLVPN session logs out. 
|| url,wiki.quadrantsec.com/bin/view/Main/5001380 || url,support.citrix.com/article/CTX123875 5001381 || [CITRIX] Netscaler - Monitor bound to the service is down || url,wiki.quadrantsec.com/bin/view/Main/5001381 || url,support.citrix.com/article/CTX123875 5001382 || [CITRIX] Netscaler - Monitor bound to the service has hit threshold limit || url,wiki.quadrantsec.com/bin/view/Main/5001382 || url,support.citrix.com/article/CTX123875 5001383 || [CITRIX] Netscaler - Monitor bound to the service is up || url,wiki.quadrantsec.com/bin/view/Main/5001383 || url,support.citrix.com/article/CTX123875 5001384 || [CITRIX] Netscaler - Network interface is in hung state || url,wiki.quadrantsec.com/bin/view/Main/5001384 || url,support.citrix.com/article/CTX123875 5001385 || [CITRIX] Netscaler - Interface's throughput is less than the min required || url,wiki.quadrantsec.com/bin/view/Main/5001385 || url,support.citrix.com/article/CTX123875 5001386 || [CITRIX] Netscaler - Interface is bound or unbound from a channel || url,wiki.quadrantsec.com/bin/view/Main/5001386 || url,support.citrix.com/article/CTX123875 5001387 || [CITRIX] Netscaler - Interface's throughput is equal or greater than the min required || url,wiki.quadrantsec.com/bin/view/Main/5001387 || url,support.citrix.com/article/CTX123875 5001388 || [CITRIX] Netscaler - Network interface is reset || url,wiki.quadrantsec.com/bin/view/Main/5001388 || url,support.citrix.com/article/CTX123875 5001389 || [CITRIX] Netscaler - Network interface is started || url,wiki.quadrantsec.com/bin/view/Main/5001389 || url,support.citrix.com/article/CTX123875 5001390 || [CITRIX] Netscaler - Network interface is stopped || url,wiki.quadrantsec.com/bin/view/Main/5001390 || url,support.citrix.com/article/CTX123875 5001391 || [CITRIX] Netscaler - A non-http resource access is denied by policy engine || url,wiki.quadrantsec.com/bin/view/Main/5001391 || url,support.citrix.com/article/CTX123875 5001392 || [CITRIX] Netscaler - Server side and a client 
side TCP connection is delinked || url,wiki.quadrantsec.com/bin/view/Main/5001392 || url,support.citrix.com/article/CTX123875 5001393 || [CITRIX] Netscaler - Process with PID is being restarted || url,wiki.quadrantsec.com/bin/view/Main/5001393 || url,support.citrix.com/article/CTX123875 5001394 || [CITRIX] Netscaler - Process with pid has reached maximum number of restarts || url,wiki.quadrantsec.com/bin/view/Main/5001394 || url,support.citrix.com/article/CTX123875 5001395 || [CITRIX] Netscaler - URL Transformation regex error || url,wiki.quadrantsec.com/bin/view/Main/5001395 || url,support.citrix.com/article/CTX123875 5001396 || [CITRIX] Netscaler - Pitboss watch is added or deleted on a process with the process id PID || url,wiki.quadrantsec.com/bin/view/Main/5001396 || url,support.citrix.com/article/CTX123875 5001397 || [CITRIX] Netscaler - HA propagation fails || url,wiki.quadrantsec.com/bin/view/Main/5001397 || url,support.citrix.com/article/CTX123875 5001398 || [CITRIX] Netscaler - HA propagation is successful || url,wiki.quadrantsec.com/bin/view/Main/5001398 || url,support.citrix.com/article/CTX123875 5001399 || [CITRIX] Netscaler - URL Transformation in a request header || url,wiki.quadrantsec.com/bin/view/Main/5001399 || url,support.citrix.com/article/CTX123875 5001400 || [CITRIX] Netscaler - URL Transformation parsing error || url,wiki.quadrantsec.com/bin/view/Main/5001400 || url,support.citrix.com/article/CTX123875 5001401 || [CITRIX] Netscaler - URL Transformation error in a request header || url,wiki.quadrantsec.com/bin/view/Main/5001401 || url,support.citrix.com/article/CTX123875 5001402 || [CITRIX] Netscaler - URL Transformation in a response header || url,wiki.quadrantsec.com/bin/view/Main/5001402 || url,support.citrix.com/article/CTX123875 5001403 || [CITRIX] Netscaler - Route is down || url,wiki.quadrantsec.com/bin/view/Main/5001403 || url,support.citrix.com/article/CTX123875 5001404 || [CITRIX] Netscaler - Route is up || 
url,wiki.quadrantsec.com/bin/view/Main/5001404 || url,support.citrix.com/article/CTX123875 5001405 || [CITRIX] Netscaler - Route Advertised || url,wiki.quadrantsec.com/bin/view/Main/5001405 || url,support.citrix.com/article/CTX123875 5001406 || [CITRIX] Netscaler - HA state change || url,wiki.quadrantsec.com/bin/view/Main/5001406 || url,support.citrix.com/article/CTX123875 5001407 || [CITRIX] Netscaler - Route Relearnt || url,wiki.quadrantsec.com/bin/view/Main/5001407 || url,support.citrix.com/article/CTX123875 5001408 || [CITRIX] Netscaler - Route Withdrawn || url,wiki.quadrantsec.com/bin/view/Main/5001408 || url,support.citrix.com/article/CTX123875 5001409 || [CITRIX] Netscaler - SSL Certificate Expiry Imminent || url,wiki.quadrantsec.com/bin/view/Main/5001409 || url,support.citrix.com/article/CTX123875 5001410 || [CITRIX] Netscaler - SSL CRL Update Failure || url,wiki.quadrantsec.com/bin/view/Main/5001410 || url,support.citrix.com/article/CTX123875 5001411 || [CITRIX] Netscaler - SSL CRL Update Success || url,wiki.quadrantsec.com/bin/view/Main/5001411 || url,support.citrix.com/article/CTX123875 5001412 || [CITRIX] Netscaler - SSL Handshake Failure || url,wiki.quadrantsec.com/bin/view/Main/5001412 || url,support.citrix.com/article/CTX123875 5001413 || [CITRIX] Netscaler - SSL Client Certificate IssueName || url,wiki.quadrantsec.com/bin/view/Main/5001413 || url,support.citrix.com/article/CTX123875 5001414 || [CITRIX] Netscaler - SSL Client Certificate SubjectName || url,wiki.quadrantsec.com/bin/view/Main/5001414 || url,support.citrix.com/article/CTX123875 5001415 || [CITRIX] Netscaler - SSL Handshake Success || url,wiki.quadrantsec.com/bin/view/Main/5001415 || url,support.citrix.com/article/CTX123875 5001416 || [CITRIX] Netscaler - CPU started || url,wiki.quadrantsec.com/bin/view/Main/5001416 || url,support.citrix.com/article/CTX123875 5001417 || [CITRIX] Netscaler - Save configuration started || url,wiki.quadrantsec.com/bin/view/Main/5001417 || 
url,support.citrix.com/article/CTX123875 5001418 || [CITRIX] Netscaler - System Started || url,wiki.quadrantsec.com/bin/view/Main/5001418 || url,support.citrix.com/article/CTX123875 5001419 || [CITRIX] Netscaler - HA State has changed || url,wiki.quadrantsec.com/bin/view/Main/5001419 || url,support.citrix.com/article/CTX123875 5001420 || [CITRIX] Netscaler - SSLVPN and the group for the user has been extracted || url,wiki.quadrantsec.com/bin/view/Main/5001420 || url,support.citrix.com/article/CTX123875 5001421 || [CITRIX] Netscaler - Save configuration has stopped || url,wiki.quadrantsec.com/bin/view/Main/5001421 || url,support.citrix.com/article/CTX123875 5001422 || [CITRIX] Netscaler - System stopped || url,wiki.quadrantsec.com/bin/view/Main/5001422 || url,support.citrix.com/article/CTX123875 5001423 || [CITRIX] Netscaler - Logged TCP connection related information || url,wiki.quadrantsec.com/bin/view/Main/5001423 || url,support.citrix.com/article/CTX123875 5001424 || [CITRIX] Netscaler - An SSLVPN connection timed out || url,wiki.quadrantsec.com/bin/view/Main/5001424 || url,support.citrix.com/article/CTX123875 5001425 || [CITRIX] Netscaler - UDP flow || url,wiki.quadrantsec.com/bin/view/Main/5001425 || url,support.citrix.com/article/CTX123875 5001426 || [CITRIX] Netscaler - Unknown Error || url,wiki.quadrantsec.com/bin/view/Main/5001426 || url,support.citrix.com/article/CTX123875 5001427 || [CITRIX] Netscaler - RHI state of VIP changes to down || url,wiki.quadrantsec.com/bin/view/Main/5001427 || url,support.citrix.com/article/CTX123875 5001428 || [CITRIX] Netscaler - RHI state of VIP changes to up || url,wiki.quadrantsec.com/bin/view/Main/5001428 || url,support.citrix.com/article/CTX123875 5001429 || [CITRIX] Netscaler - VRID changes state to backup || url,wiki.quadrantsec.com/bin/view/Main/5001429 || url,support.citrix.com/article/CTX123875 5001430 || [CITRIX] Netscaler - VRID changes state to backup || url,wiki.quadrantsec.com/bin/view/Main/5001430 || 
url,support.citrix.com/article/CTX123875 5001431 || [CITRIX] Netscaler - VRID changes state to INIT || url,wiki.quadrantsec.com/bin/view/Main/5001431 || url,support.citrix.com/article/CTX123875 5001432 || [CITRIX] Netscaler - VRID changes state to master || url,wiki.quadrantsec.com/bin/view/Main/5001432 || url,support.citrix.com/article/CTX123875 5001435 || [DIGITALPERSONA] User login || url,wiki.quadrantsec.com/bin/view/Main/5001435 5001436 || [DIGITALPERSONA] OTS Started || url,wiki.quadrantsec.com/bin/view/Main/5001436 5001437 || [DIGITALPERSONA] Fingerprint reader connected || url,wiki.quadrantsec.com/bin/view/Main/5001437 5001438 || [DIGITALPERSONA] Fingerprint reader disconnected || url,wiki.quadrantsec.com/bin/view/Main/5001438 5001439 || [DIGITALPERSONA] One-to-one fingerprint match failed [5/5] || url,wiki.quadrantsec.com/bin/view/Main/5001439 5001440 || [DIGITALPERSONA] System unlocked || url,wiki.quadrantsec.com/bin/view/Main/5001440 5001441 || [DIGITALPERSONA] Kiosk Login || url,wiki.quadrantsec.com/bin/view/Main/5001441 5001442 || [DIGITALPERSONA] Logoff || url,wiki.quadrantsec.com/bin/view/Main/5001442 5001443 || [DIGITALPERSONA] Kiosk Logoff || url,wiki.quadrantsec.com/bin/view/Main/5001443 5001444 || [DIGITALPERSONA] System locked || url,wiki.quadrantsec.com/bin/view/Main/5001444 5001445 || [DIGITALPERSONA] Kiosk locked || url,wiki.quadrantsec.com/bin/view/Main/5001445 5001446 || [DIGITALPERSONA] System unlocked || url,wiki.quadrantsec.com/bin/view/Main/5001446 5001447 || [DIGITALPERSONA] Kiosk unlocked || url,wiki.quadrantsec.com/bin/view/Main/5001447 5001448 || [DIGITALPERSONA] Registered PIN || url,wiki.quadrantsec.com/bin/view/Main/5001448 5001449 || [DIGITALPERSONA] Changed PIN || url,wiki.quadrantsec.com/bin/view/Main/5001449 5001450 || [DIGITALPERSONA] FP used to unlocked smart card || url,wiki.quadrantsec.com/bin/view/Main/5001450 5001451 || [DIGITALPERSONA] Shared account problem || url,wiki.quadrantsec.com/bin/view/Main/5001451 5001452 || 
[DIGITALPERSONA] Shared account missing || url,wiki.quadrantsec.com/bin/view/Main/5001452 5001453 || [DIGITALPERSONA] OTS Stopped || url,wiki.quadrantsec.com/bin/view/Main/5001453 5001454 || [DIGITALPERSONA] Agent cannot start || url,wiki.quadrantsec.com/bin/view/Main/5001454 5001455 || [DIGITALPERSONA] Password changed canceled by user || url,wiki.quadrantsec.com/bin/view/Main/5001455 5001456 || [DIGITALPERSONA] Initial fillin was performed || url,wiki.quadrantsec.com/bin/view/Main/5001456 5001457 || [DIGITALPERSONA] Fillin was performed || url,wiki.quadrantsec.com/bin/view/Main/5001457 5001458 || [DIGITALPERSONA] Account data could not be modified || url,wiki.quadrantsec.com/bin/view/Main/5001458 5001459 || [DIGITALPERSONA] Account data successfully modified || url,wiki.quadrantsec.com/bin/view/Main/5001459 5001460 || [DIGITALPERSONA] CRC check failure || url,wiki.quadrantsec.com/bin/view/Main/5001460 5001461 || [DIGITALPERSONA] User added to Kiosk ID list || url,wiki.quadrantsec.com/bin/view/Main/5001461 5001462 || [DIGITALPERSONA] User deleted from Kiosk ID list || url,wiki.quadrantsec.com/bin/view/Main/5001462 5001463 || [DIGITALPERSONA] User pushed out of the User ID list || url,wiki.quadrantsec.com/bin/view/Main/5001463 5001464 || [DIGITALPERSONA] Kiosk ID list created || url,wiki.quadrantsec.com/bin/view/Main/5001464 5001465 || [DIGITALPERSONA] Kiosk ID list deleted || url,wiki.quadrantsec.com/bin/view/Main/5001465 5001466 || [DIGITALPERSONA] DPHost started || url,wiki.quadrantsec.com/bin/view/Main/5001466 5001467 || [DIGITALPERSONA] DPHost cannot start || url,wiki.quadrantsec.com/bin/view/Main/5001467 5001468 || [DIGITALPERSONA] Connection to server succeeded || url,wiki.quadrantsec.com/bin/view/Main/5001468 5001469 || [DIGITALPERSONA] Connection to server failed || url,wiki.quadrantsec.com/bin/view/Main/5001469 5001470 || [DIGITALPERSONA] Server busy || url,wiki.quadrantsec.com/bin/view/Main/5001470 5001471 || [DIGITALPERSONA] One-to-many match failed || 
url,wiki.quadrantsec.com/bin/view/Main/5001471 5001472 || [DIGITALPERSONA] Account locked out || url,wiki.quadrantsec.com/bin/view/Main/5001472 5001473 || [DIGITALPERSONA] License quota exceeded || url,wiki.quadrantsec.com/bin/view/Main/5001473 5001474 || [DIGITALPERSONA] License quota near limit || url,wiki.quadrantsec.com/bin/view/Main/5001474 5001475 || [WINDOWS-AUTH] Group account changed || url,wiki.quadrantsec.com/bin/view/Main/5001475 5001476 || [CISCO-IOS] Unsupported Hardware Module || url,www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a00801b42bf.shtml#prob1ab 5001477 || [CISCO-IOS] IP Packet received too short || url,www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a00801b42bf.shtml#prob1abb 5001478 || [CISCO-IOS] IP Packet with probable bad checksum Dropped || url,www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a00801b42bf.shtml#EARL 5001479 || [CISCO-IOS] NetFlow addressable memory almost full || url,www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a00801b42bf.shtml#prob1a 5001480 || [CISCO-IOS] IOS Keepalive Loop Detected || url,www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a00801b42bf.shtml#prob1b 5001481 || [CISCO-IOS] Possible IOS System Crash || url,www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a00801b42bf.shtml#prob1bc 5001482 || [CISCO-IOS] Error in Layer 3 Forwarding ASIC [0/2] || url,www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a00801b42bf.shtml#ASIC 5001483 || [CISCO-IOS] MAC/IP length inconsistencies || url,www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a00801b42bf.shtml#prob1 5001484 || [CISCO-IOS] Invalid IP Checksum detected || url,www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a00801b42bf.shtml#prob2 5001485 || [CISCO-IOS] Excessive Multicast Traffic to IGMP reserved address || 
url,www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a00801b42bf.shtml#prob3 5001486 || [CISCO-IOS] PIM Hold Time Out of range || url,www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a00801b42bf.shtml#prob5 5001487 || [CISCO-IOS] Maximum Number of L2 Multicast Group Entries Created || url,www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a00801b42bf.shtml#prob6 5001488 || [CISCO-IOS] Internal Table Manager Parity Error || url,www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a00801b42bf.shtml#prob7 5001489 || [CISCO-IOS] Short IP Packets Detected || url,www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a00801b42bf.shtml#prob8 5001490 || [CISCO-IOS] Creating Session to module/slot failed || url,www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a00801b42bf.shtml#Processor 5001491 || [CISCO-IOS] Module Firmware error detected || url,www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a00801b42bf.shtml#prob9 5001492 || [CISCO-IOS] Module Error Condition || url,www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a00801b42bf.shtml#prob-error 5001493 || [CISCO-IOS] Switch Port Error Detected [0/3] || url,www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a00801b42bf.shtml#mod-issue 5001494 || [CISCO-IOS] Unsupported SFP GBIC Detected || url,www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a00801b42bf.shtml#badkey 5001495 || [CISCO-IOS] TCAM Resource Exhaustion Detected || url,www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a00801b42bf.shtml#TCAM 5001496 || [CISCO-IOS] Supervisor Engine Parity Errors [0/3] || url,www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a00801b42bf.shtml#tmparity 5001497 || [CISCO-IOS] Memory Parity Error [0/3] || 
url,www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a00801b42bf.shtml#prob-controller 5001498 || [CISCO-IOS] Linecard Endpoint Lost Sync || url,www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a00801b42bf.shtml#sp141 5001499 || [CISCO-IOS] Misconfigured Boot Variables || url,www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a00801b42bf.shtml#nwboot 5001500 || [CISCO-IOS] CPU Monitor Message Time Outs [0/3] || url,www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a00801b42bf.shtml#monitor 5001501 || [CISCO-IOS] CPU Monitor Message Not Heard [0/3] || url,www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a00801b42bf.shtml#monitor 5001502 || [CISCO-IOS] Invalid IDPROM Image || url,www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a00801b42bf.shtml#idprom 5001503 || [CISCO-IOS] Switch Module Powered Off || url,www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a00801b42bf.shtml#pwrdis 5001504 || [CISCO-IOS] ASIC Failed to Synchronize || url,www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a00801b42bf.shtml#onlinefail 5001505 || [CISCO-IOS] Flow Mask Request Failed || url,www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a00801b42bf.shtml#flowmask 5001506 || [CISCO-IOS] IGMP join packet Flood || url,www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a00801b42bf.shtml#igmpsnoop 5001507 || [CISCO-IOS] ASIC/Pinnacle Unrecoverable resources || url,www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a00801b42bf.shtml#dr 5001508 || [CISCO-IOS] Switching Bus Stalled || url,www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a00801b42bf.shtml#prob-3sec 5001509 || [CISCO-IOS] Switching Bus Recovered || url,www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a00801b42bf.shtml#prob-3sec 5001510 || [CISCO-IOS] SP-RP ping test 
failed, High Traffic || url,www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a00801b42bf.shtml#srp 5001511 || [CISCO-IOS] Sub-interface Limit Reached || url,www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a00801b42bf.shtml#subint 5001512 || [CISCO-IOS] Hash Bucket Collision || url,www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a00801b42bf.shtml#l2hash 5001513 || [CISCO-IOS] QoS Hardware Resources Exceeded || url,www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a00801b42bf.shtml#qm_agg 5001514 || [CISCO-IOS] Port Channel MTU Mismatch || url,www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a00801b42bf.shtml#prob-bundle 5001515 || [CISCO-IOS] Port Channel Flow Control Mismatch || url,www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a00801b42bf.shtml#port 5001516 || [CISCO-IOS] Route entries about to reach FIB capacity || url,www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a00801b42bf.shtml#tcamexception 5001517 || [CISCO-IOS] Switch Port Data Path Error || url,www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a00801b42bf.shtml#disablingport 5001518 || [CISCO-IOS] Bad CRC on ASIC Line Card || url,www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a00801b42bf.shtml#module 5001519 || [CISCO-IOS] Switch Detected Unknown Protocol || url,www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a00801b42bf.shtml#badcode 5001520 || [CISCO-IOS] Failed login || url,wiki.quadrantsec.com/bin/view/Main/5001520 5001521 || [CITRIX] Netscaler - AAA module failed to login the user || url,wiki.quadrantsec.com/bin/view/Main/5001521 || url,support.citrix.com/article/CTX123875 5001522 || [FTPD] Failed authentication || url,wiki.quadrantsec.com/bin/view/Main/5001522 5001523 || [OPENSSH] PAM Authentication failure || url,wiki.quadrantsec.com/bin/view/Main/5001523 5001524 || [OPENSSH] 
Authentication failure || url,wiki.quadrantsec.com/bin/view/Main/5001524 5001525 || [OPENSSH] Authentication failure for root || url,wiki.quadrantsec.com/bin/view/Main/5001525 5001526 || [SU] SUDO authentication failure || url,wiki.quadrantsec.com/bin/view/Main/5001526 5001527 || [SU] FAILED su || url,wiki.quadrantsec.com/bin/view/Main/5001527 5001528 || [SYSLOG] Authentication failure || url,wiki.quadrantsec.com/bin/view/Main/5001528 5001529 || [VMWARE] User authentication failure || url,wiki.quadrantsec.com/bin/view/Main/5001529 5001530 || [VSFTPD] Login failed || url,wiki.quadrantsec.com/bin/view/Main/5001530 5001531 || [WINDOWS-AUTH] Login failure - Unknown username or bad password || url,wiki.quadrantsec.com/bin/view/Main/5001531 5001532 || [HUAWEI] USER_NOT_EXIST || url, http://www.huaweisymantec.com/en//download.do?id=658891 5001533 || [HUAWEI] ARP_DUPLICATE_IPADDR || url, huaweisymantec.com/en/download.do?id=658891 5001534 || [HUAWEI] DHCPC_LOG_NAK || url, huaweisymantec.com/en/download.do?id=658891 5001535 || [HUAWEI] DHCPC_LOG_REQIP_SUCCESS || url, huaweisymantec.com/en/download.do?id=658891 5001536 || [HUAWEI] DHCPC_LOG_REQIP_SUCCESS || url, huaweisymantec.com/en/download.do?id=658891 5001538 || [HUAWEI] FTPS - USERIN Login failed || url, huaweisymantec.com/en/download.do?id=658891 5001539 || [HUAWEI] FTPS - USEROUT Logout || url, huaweisymantec.com/en/download.do?id=658891 5001540 || [HUAWEI] FTPS - RECVDATA || url, huaweisymantec.com/en/download.do?id=658891 5001541 || [HUAWEI] FTPS - REQUEST || url, huaweisymantec.com/en/download.do?id=658891 5001542 || [HUAWEI] FTPS - SENDDATA || url, huaweisymantec.com/en/download.do?id=658891 5001543 || [HUAWEI] HTTPD - FAIL || url, huaweisymantec.com/en/download.do?id=658891 5001544 || [HUAWEI] HTTPD - OUT || url, huaweisymantec.com/en/download.do?id=658891 5001545 || [HUAWEI] HTTPD - PASS || url, huaweisymantec.com/en/download.do?id=658891 5001546 || [HUAWEI] ATCKDF - IP spoof attack || url, 
huaweisymantec.com/en/download.do?id=658891 5001547 || [HUAWEI] ATCKDF - Fraggle attack || url, huaweisymantec.com/en/download.do?id=658891 5001548 || [HUAWEI] ATCKDF - Smurf attack || url, huaweisymantec.com/en/download.do?id=658891 5001549 || [HUAWEI] ATCKDF - Land attack || url, huaweisymantec.com/en/download.do?id=658891 5001550 || [HUAWEI] ATCKDF - Time stamp attack || url, huaweisymantec.com/en/download.do?id=658891 5001551 || [HUAWEI] ATCKDF - Ip options attack || url, huaweisymantec.com/en/download.do?id=658891 5001552 || [HUAWEI] ATCKDF - Ip option source route attack || url, huaweisymantec.com/en/download.do?id=658891 5001553 || [HUAWEI] ATCKDF - ICMP flood attack || url, huaweisymantec.com/en/download.do?id=658891 5001554 || [HUAWEI] ATCKDF - Redirect attack || url, huaweisymantec.com/en/download.do?id=658891 5001555 || [HUAWEI] ATCKDF - TCP flood attack || url, huaweisymantec.com/en/download.do?id=658891 5001556 || [HUAWEI] ATCKDF - Winnuke attack || url, huaweisymantec.com/en/download.do?id=658891 5001557 || [HUAWEI] ATCKDF - Ping of death attack || url, huaweisymantec.com/en/download.do?id=658891 5001558 || [HUAWEI] ATCKDF - Tear drop attack || url, huaweisymantec.com/en/download.do?id=658891 5001559 || [HUAWEI] ATCKDF - Trace route attack || url, huaweisymantec.com/en/download.do?id=658891 5001560 || [HUAWEI] ATCKDF - Ip options route record attack || url, huaweisymantec.com/en/download.do?id=658891 5001561 || [HUAWEI] ATCKDF - Port scan attack || url, huaweisymantec.com/en/download.do?id=658891 5001562 || [HUAWEI] ATCKDF - Unreachable attack || url, huaweisymantec.com/en/download.do?id=658891 5001563 || [HUAWEI] ATCKDF - UDP flood attack || url, huaweisymantec.com/en/download.do?id=658891 5001564 || [HUAWEI] ATCKDF - Syn flood attack || url, huaweisymantec.com/en/download.do?id=658891 5001565 || [HUAWEI] ATCKDF - Other-protocol attack || url, huaweisymantec.com/en/download.do?id=658891 5001566 || [HUAWEI] ATCKDF - Large ICMP attack || url, 
huaweisymantec.com/en/download.do?id=658891 5001567 || [HUAWEI] ATCKDF - IP Fragment attack || url, huaweisymantec.com/en/download.do?id=658891 5001568 || [HUAWEI] ATCKDF - Ftp Bounce attack || url, huaweisymantec.com/en/download.do?id=658891 5001569 || [HUAWEI] ATCKDF - Too much Half Con of SYN Flood || url, huaweisymantec.com/en/download.do?id=658891 5001570 || [HUAWEI] ATCKDF - Tcp flag attack || url, huaweisymantec.com/en/download.do?id=658891 5001571 || [HUAWEI] BIND - VPN bound IP address || url, huaweisymantec.com/en/download.do?id=658891 5001572 || [HUAWEI] BIND - VPN unbound IP address || url, huaweisymantec.com/en/download.do?id=658891 5001573 || [HUAWEI] BLACKLIST - VPN added to blacklist || url, huaweisymantec.com/en/download.do?id=658891 5001574 || [HUAWEI] BLACKLIST - VPN removed from blacklist || url, huaweisymantec.com/en/download.do?id=658891 5001575 || [HUAWEI] BLACKLIST - Blacklist cleared || url, huaweisymantec.com/en/download.do?id=658891 5001576 || [HUAWEI] SESSION || url, huaweisymantec.com/en/download.do?id=658891 5001577 || [HUAWEI] SHELL - LOGIN || url, huaweisymantec.com/en/download.do?id=658891 5001578 || [HUAWEI] SHELL - LOGIN_FAIL || url, huaweisymantec.com/en/download.do?id=658891 5001579 || [HUAWEI] SHELL - LOGOUT || url, huaweisymantec.com/en/download.do?id=658891 5001580 || [HUAWEI] SHELL - CMD || url, huaweisymantec.com/en/download.do?id=658891 5001581 || [HUAWEI] FanAbnormal || url, huaweisymantec.com/en/download.do?id=658891 5001582 || [HUAWEI] VentTemp2Hot || url, huaweisymantec.com/en/download.do?id=658891 5001583 || [HUAWEI] SSH - add_success || url, huaweisymantec.com/en/download.do?id=658891 5001584 || [HUAWEI] SSH - LOGIN_FAIL || url, huaweisymantec.com/en/download.do?id=658891 5001585 || [HUAWEI] SSH - LOGIN_FAIL_CHALLENGE_ERR || url, huaweisymantec.com/en/download.do?id=658891 5001586 || [HUAWEI] SSH - LOGIN_FAIL_COOKIE_ERR || url, huaweisymantec.com/en/download.do?id=658891 5001587 || [HUAWEI] SSH - 
LOGIN_FAIL_DISSCONNECT || url, huaweisymantec.com/en/download.do?id=658891 5001588 || [HUAWEI] SSH - LOGIN_FAIL_PWD_ERR || url, huaweisymantec.com/en/download.do?id=658891 5001589 || [HUAWEI] SSH - LOGIN_FAIL_RETRY_OUT || url, huaweisymantec.com/en/download.do?id=658891 5001590 || [HUAWEI] SSH - LOGIN_FAIL_RSA_ERR || url, huaweisymantec.com/en/download.do?id=658891 5001591 || [HUAWEI] VRRP - LogAuthFailed || url, huaweisymantec.com/en/download.do?id=658891 5001592 || [HUAWEI] SSH - LOGIN_FAIL - Brute force [5/5] || url, huaweisymantec.com/en/download.do?id=658891 5001593 || [CISCO-PIXASA] AAA user authentication Reject - Brute force [10/1] || url, wiki.quadrantsec.com/bin/view/Main/5001593 5001595 || [MONGODB] DBException causing immediate shutdown || url,www.mongodb.org 5001596 || [MONGODB] IOS_Base exception causing immediate shutdown || url,www.mongodb.org 5001597 || [MONGODB] Bad allocation exception causing immediate shutdown || url,www.mongodb.org 5001598 || [MONGODB] Shutting down || url,www.mongodb.org 5001599 || [MONGODB] Clock skew detected || url,www.mongodb.org 5001600 || [MONGODB] Large clock skew detected || url,www.mongodb.org 5001601 || [MONGODB] Clock skew exception - shutting down || url,www.mongodb.org 5001602 || [MONGODB] Terminating- Shutdown command received || url,www.mongodb.org 5001603 || [MONGODB] Handshake detected || url,www.mongodb.org 5001604 || [MONGODB] Auth: Could not find user || url,www.mongodb.org 5001605 || [MONGODB] Admin command received from client || url,www.mongodb.org 5001606 || [MONGODB] Attempting to sync || url,www.mongodb.org 5001607 || [MONGODB] Replauthenticate failed: Requires Admin permissions || url,www.mongodb.org 5001608 || [MONGODB] Cannot authenticate to master server || url,www.mongodb.org 5001609 || [MONGODB] replSet is going into maintenance mode || url,www.mongodb.org 5001610 || [MONGODB] replSet is leaving maintenance mode || url,www.mongodb.org 5001611 || [NETSCREEN] SYN Flood || 
url,www.juniper.net/techpubs/software/screenos/screenos5.2.0/NS_Messages.pdf 5001612 || [NETSCREEN] Teardrop attack || url,www.juniper.net/techpubs/software/screenos/screenos5.2.0/NS_Messages.pdf 5001613 || [NETSCREEN] IP spoofing || url,www.juniper.net/techpubs/software/screenos/screenos5.2.0/NS_Messages.pdf 5001614 || [NETSCREEN] ICMP flood || url,www.juniper.net/techpubs/software/screenos/screenos5.2.0/NS_Messages.pdf 5001615 || [NETSCREEN] SYN fragment || url,www.juniper.net/techpubs/software/screenos/screenos5.2.0/NS_Messages.pdf 5001616 || [NETSCREEN] Unknown protocol || url,www.juniper.net/techpubs/software/screenos/screenos5.2.0/NS_Messages.pdf 5001617 || [NETSCREEN] Bad IP option || url,www.juniper.net/techpubs/software/screenos/screenos5.2.0/NS_Messages.pdf 5001618 || [NETSCREEN] SYN-ACK-ACK || url,www.juniper.net/techpubs/software/screenos/screenos5.2.0/NS_Messages.pdf 5001619 || [NETSCREEN] Connection refused by the DNS || url,www.juniper.net/techpubs/software/screenos/screenos5.2.0/NS_Messages.pdf 5001620 || [WINDOWS-AUTH] Attempted Password Reset || url,wiki.quadrantsec.com/bin/view/Main/5001620 5001621 || [SYSLOG] Authentication failure - Brute force [10 attempts in 5 minutes] || url,wiki.quadrantsec.com/bin/view/Main/5001621 5001622 || [SYSLOG] Authentication failure - Brute force [20 attempts in 5 minutes] || url,wiki.quadrantsec.com/bin/view/Main/5001622 5001623 || [SYSLOG] Authentication failure - Brute force [50 attempts in 5 minutes] || url,wiki.quadrantsec.com/bin/view/Main/5001623 5001624 || [SYSLOG] Authentication failure - Brute force [100 attempts in 5 minutes] || url,wiki.quadrantsec.com/bin/view/Main/5001624 5001625 || [CISCO-IOS] Login Failed || url,wiki.quadrantsec.com/bin/view/Main/5001625 5001626 || [CISCO-IOS] High CPU usage detected || url,wiki.quadrantsec.com/bin/view/Main/5001626 5001627 || [FORTINET] Botnet traffic detected || url,wiki.quadrantsec.com/bin/view/Main/5001627 5001628 || [OPENSSH] Authentication failure - Brute 
force [10/5] || url,wiki.quadrantsec.com/bin/view/Main/5001628 5001629 || [OPENSSH] Authentication failure - Brute force [20/5] || url,wiki.quadrantsec.com/bin/view/Main/5001629 5001630 || [OPENSSH] Authentication failure - Brute force [30/5] || url,wiki.quadrantsec.com/bin/view/Main/5001630 5001631 || [OPENSSH] Authentication failure - Brute force [40/5] || url,wiki.quadrantsec.com/bin/view/Main/5001631 5001632 || [OPENSSH] Authentication failure - Brute force [50/5] || url,wiki.quadrantsec.com/bin/view/Main/5001632 5001633 || [OPENSSH] Authentication failure - Brute force [100/5] || url,wiki.quadrantsec.com/bin/view/Main/5001633 5001634 || [OPENSSH] PAM Authentication failure - Brute force [10/5] || url,wiki.quadrantsec.com/bin/view/Main/5001634 5001635 || [OPENSSH] PAM Authentication failure - Brute force [20/5] || url,wiki.quadrantsec.com/bin/view/Main/5001635 5001636 || [OPENSSH] PAM Authentication failure - Brute force [30/5] || url,wiki.quadrantsec.com/bin/view/Main/5001636 5001637 || [OPENSSH] PAM Authentication failure - Brute force [40/5] || url,wiki.quadrantsec.com/bin/view/Main/5001637 5001638 || [OPENSSH] PAM Authentication failure - Brute force [50/5] || url,wiki.quadrantsec.com/bin/view/Main/5001638 5001639 || [OPENSSH] PAM Authentication failure - Brute force [100/5] || url,wiki.quadrantsec.com/bin/view/Main/5001639 5001640 || [WINDOWS-MSSQL] Login Failure || url,wiki.quadrantsec.com/bin/view/Main/5001640 5001641 || [WINDOWS-MSSQL] Login Failure - Brute force [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5001641 5001642 || [JUNIPER] SSHD_LOGIN_ATTEMPTS_THRESHOLD - Brute Force || url,wiki.quadrantsec.com/bin/view/Main/5001642 5001643 || [JUNIPER] SSHD_LOGIN_FAILED_LIMIT - Brute Force || url,wiki.quadrantsec.com/bin/view/Main/5001643 5001644 || [JUNIPER] SSHD_LOGIN_FAILED || url,wiki.quadrantsec.com/bin/view/Main/5001644 5001645 || [JUNIPER] SSHD_LOGIN_FAILED - Brute force [5/5] || url,wiki.quadrantsec.com/bin/view/Main/5001645 5001646 || [OPENSSH] 
Failed password - Brute force [10/1] || url,wiki.quadrantsec.com/bin/view/Main/5001646 5001647 || [OPENSSH] Failed password || url,wiki.quadrantsec.com/bin/view/Main/5001647 5001648 || [WINDOWS-AUTH] Authentication failed - User credentials mismatch [0/5] || url,wiki.quadrantsec.com/bin/view/Main/5001648 5001649 || [WINDOWS-MISC] DHCP Scope is almost full || url,wiki.quadrantsec.com/bin/view/Main/5001649 5001650 || [WINDOWS-MISC] DHCP Scope is full. No IP addresses left || url,wiki.quadrantsec.com/bin/view/Main/5001650 5001651 || [OPENVPN] Authentication failure [0/5] || url,wiki.quadrantsec.com/bin/view/Main/5001651 5001652 || [OPENVPN] Authentication success || url,wiki.quadrantsec.com/bin/view/Main/5001652 5001653 || [OPENVPN] Unencrypted VPN connection initiated || url,wiki.quadrantsec.com/bin/view/Main/5001653 5001654 || [CISCO-PIXASA] User authentication failed - Brute force [5/1] || url, wiki.quadrantsec.com/bin/view/Main/5001654 5001655 || [CISCO-ISE] Failed Login Attempt || url,wiki.quadrantsec.com/bin/view/Main/5001655 5001656 || [CISCO-ISE] Failed Login Attempt - Brute force [5/5] || url,wiki.quadrantsec.com/bin/view/Main/5001656 5001657 || [WINDOWS-AUTH] Auth failed - Bad Account/Incorrect Password - Brute Force [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5001657 5001658 || [WINDOWS-AUTH] Auth failed - Bad Account/Incorrect Password || url,wiki.quadrantsec.com/bin/view/Main/5001658 5001659 || [WINDOWS-AUTH] User account does not exist || url,wiki.quadrantsec.com/bin/view/Main/5001659 5001660 || [WINDOWS-AUTH] Domain does not exist || url,wiki.quadrantsec.com/bin/view/Main/5001660 5001661 || [WINDOWS-AUTH] No matching network policy || url,wiki.quadrantsec.com/bin/view/Main/5001661 5001662 || [WINDOWS-AUTH] RADIUS Access-Request message is disabled || url,wiki.quadrantsec.com/bin/view/Main/5001662 5001663 || [WINDOWS-AUTH] User must change password || url,wiki.quadrantsec.com/bin/view/Main/5001663 5001664 || [WINDOWS-AUTH] Remote RADIUS did not 
process auth request || url,wiki.quadrantsec.com/bin/view/Main/5001664 5001665 || [WINDOWS-AUTH] Incomplete message. Signature not verified || url,wiki.quadrantsec.com/bin/view/Main/5001665 5001666 || [WINDOWS-AUTH] EAP type cannot be processed by server || url,wiki.quadrantsec.com/bin/view/Main/5001666 5001667 || [WINDOWS-AUTH] Error occurred with EAP || url,wiki.quadrantsec.com/bin/view/Main/5001667 5001668 || [CISCO-IOS] Authentication Failure SSH || url,wiki.quadrantsec.com/bin/view/Main/5001668 5001669 || [CISCO-IOS] Illegal User SSH || url,wiki.quadrantsec.com/bin/view/Main/5001669 5001670 || [CISCO-IOS] Authentication Failure SSH - Brute force [5/5] || url,wiki.quadrantsec.com/bin/view/Main/5001670 5001671 || [CISCO-IOS] FATAL - bad tty - login (no program) || url,wiki.quadrantsec.com/bin/view/Main/5001671 5001672 || [CISCO-IOS] Auth to privilege 15 failed || url,wiki.quadrantsec.com/bin/view/Main/5001672 5001673 || [CISCO-IOS] Multicast storm detected || url,wiki.quadrantsec.com/bin/view/Main/5001673 5001674 || [CISCO-IOS] Invalid ARP || url,wiki.quadrantsec.com/bin/view/Main/5001674 5001675 || [SYMANTEC-EMS] Authentication success || url,wiki.quadrantsec.com/bin/view/Main/5001675 5001676 || [SYMANTEC-EMS] Authentication failure || url,wiki.quadrantsec.com/bin/view/Main/5001676 5001677 || [SYMANTEC-EMS] Multiple authentication failures || url,wiki.quadrantsec.com/bin/view/Main/5001677 5001678 || [SYMANTEC-EMS] Authorization failure || url,wiki.quadrantsec.com/bin/view/Main/5001678 5001679 || [SYMANTEC-EMS] Multiple authorization failures || url,wiki.quadrantsec.com/bin/view/Main/5001679 5001680 || [SYMANTEC-EMS] Encrypted partition mount failure || url,wiki.quadrantsec.com/bin/view/Main/5001680 5001681 || [SYMANTEC-EMS] Error regrouping - expired key || url,wiki.quadrantsec.com/bin/view/Main/5001681 5001682 || [SYMANTEC-EMS] Error regrouping - expired key || url,wiki.quadrantsec.com/bin/view/Main/5001682 5001683 || [SYMANTEC-EMS] Error regrouping - bad 
parameters || url,wiki.quadrantsec.com/bin/view/Main/5001683 5001684 || [SYMANTEC-EMS] Failed to map user to a directory || url,wiki.quadrantsec.com/bin/view/Main/5001684 5001685 || [SYMANTEC-EMS] LDAP key error - name lookup failed || url,wiki.quadrantsec.com/bin/view/Main/5001685 5001686 || [CISCO-IOS] Login Failed - Brute Force [10/1] || url,wiki.quadrantsec.com/bin/view/Main/5001686 5001687 || [WINDOWS-AUTH] User account enabled || url,wiki.quadrantsec.com/bin/view/Main/5001687 5001688 || [CISCO-IOS] Low FAN RPM - Service recommended || url,wiki.quadrantsec.com/bin/view/Main/5001688 5001689 || [CISCO-WLC] Rogue AP detected [0/5] || url,wiki.quadrantsec.com/bin/view/Main/5001689 5001692 || [WINDOWS-AUTH] Local Administrator account added to a local group || url,wiki.quadrantsec.com/bin/view/Main/5001692 5001693 || [WINDOWS-AUTH] User added to Network Config Operator group || url,wiki.quadrantsec.com/bin/view/Main/5001693 5001694 || [WINDOWS-AUTH] User added to DNS Admins group || url,wiki.quadrantsec.com/bin/view/Main/5001694 5001695 || [WINDOWS-AUTH] User added to Domain Administrators group || url,wiki.quadrantsec.com/bin/view/Main/5001695 5001696 || [WINDOWS-AUTH] User added to Enterprise Administrators group || url,wiki.quadrantsec.com/bin/view/Main/5001696 5001697 || [WINDOWS-AUTH] User added to Group Policy Creator Owner group || url,wiki.quadrantsec.com/bin/view/Main/5001696 5001699 || [WEB-ATTACKS] Havij SQL Injection Tool Identified || url,wiki.quadrantsec.com/bin/view/Main/5001699 5001700 || [WEB-ATTACKS] UNION ALL SELECT in URL - Possible SQL Injection || url,wiki.quadrantsec.com/bin/view/Main/5001700 5001701 || [WEB-ATTACKS] SQL Injection Using Encapsulated Data - x=x || url,wiki.quadrantsec.com/bin/view/Main/5001701 5001702 || [WEB-ATTACKS] SQL Injection Using Encapsulated Data - 1=1 || url,wiki.quadrantsec.com/bin/view/Main/5001702 5001703 || [WEB-ATTACKS] SQL Injection Using Hex Encoding || url,wiki.quadrantsec.com/bin/view/Main/5001703 5001704 || 
[SYSLOG] password changed for user || url,wiki.quadrantsec.com/bin/view/Main/5001704 5001705 || [SYSLOG] password changed for user root || url,wiki.quadrantsec.com/bin/view/Main/5001705 5001706 || [BIND] Version attempt || url,wiki.quadrantsec.com/bin/view/Main/5001706 5001707 || [CISCO-IOS] EIGRP Adjacency Change - Neighbor Up || url,wiki.quadrantsec.com/bin/view/Main/5001707 5001708 || [CISCO-IOS] EIGRP Adjacency Change - Neighbor Down || url,wiki.quadrantsec.com/bin/view/Main/5001708 5001709 || [CISCO-IOS] Call Manager Telephony Subsystem Shutdown || url,wiki.quadrantsec.com/bin/view/Main/5001709 5001710 || [CISCO-IOS] Call Manager Telephony Subsystem ModuleStop || url,wiki.quadrantsec.com/bin/view/Main/5001710 5001711 || [CISCO-IOS] Grammar Manager Telephony Subsystem ModuleStop || url,wiki.quadrantsec.com/bin/view/Main/5001711 5001712 || [CISCO-IOS] Cisco Unified CCX MGR Shutdown || url,wiki.quadrantsec.com/bin/view/Main/5001712 5001713 || [CISCO-IOS] Socket Manager Telephony Subsystem ModuleStart || url,wiki.quadrantsec.com/bin/view/Main/5001713 5001714 || [CISCO-PIXASA] TCP access denied by ACL - Brute force [25/1] || url, wiki.quadrantsec.com/bin/view/Main/5001714 5001715 || [CISCO-PIXASA] TCP access denied by ACL || url, wiki.quadrantsec.com/bin/view/Main/5001715 5001716 || [WINDOWS-MISC] DHCP Scope is FULL || url,wiki.quadrantsec.com/bin/view/Main/5001716 5001717 || [ORACLE] Authentication Failure || url, wiki.quadrantsec.com/bin/view/Main/5001717 5001718 || [CISCO-IOS] BGP Adjacency Change - Neighbor Up || url,wiki.quadrantsec.com/bin/view/Main/5001718 5001719 || [CISCO-IOS] BGP Adjacency Change - Neighbor Down || url,wiki.quadrantsec.com/bin/view/Main/5001719 5001720 || [CISCO-IOS] BGP Neighbor Removed From Topology || url,wiki.quadrantsec.com/bin/view/Main/5001720 5001721 || [CISCO-IOS] HSRP Requesting Active State || url,wiki.quadrantsec.com/bin/view/Main/5001721 5001722 || [CISCO-IOS] HSRP State Change || 
url,wiki.quadrantsec.com/bin/view/Main/5001722 5001723 || [CISCO-IOS] HSRP State Change || url,wiki.quadrantsec.com/bin/view/Main/5001723 5001724 || [CISCO-MALWARE] ZeroAccess UDP port 16464 detected [denied] [5/5] || url, wiki.quadrantsec.com/bin/view/Main/5001724 5001725 || [CISCO-MALWARE] ZeroAccess UDP port 16465 detected [denied] [5/5] || url, wiki.quadrantsec.com/bin/view/Main/5001725 5001726 || [CISCO-MALWARE] ZeroAccess UDP port 16470 detected [denied] [5/5] || url, wiki.quadrantsec.com/bin/view/Main/5001726 5001727 || [CISCO-MALWARE] ZeroAccess UDP port 16471 detected [denied] [5/5] || url, wiki.quadrantsec.com/bin/view/Main/5001727 5001728 || [WINDOWS-AUTH] Potential Windows User Enumeration - User Name Does Not Exist [Brute Force] [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5001728 5001729 || [WINDOWS-AUTH] Windows Brute force - User Correct but Incorrect Password [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5001729 5001730 || [WINDOWS-AUTH] Windows Brute force - User Is Locked Out [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5001730 5001731 || [WINDOWS-AUTH] Windows Brute force - User Account Disabled [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5001731 5001732 || [WINDOWS-AUTH] Windows Brute force - User Login Attempts Outside of Time Restriction [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5001732 5001733 || [WINDOWS-AUTH] Windows Brute force - Expired Account [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5001733 5001734 || [WINDOWS-AUTH] Windows Brute force - Expired Password [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5001734 5001735 || [WINDOWS-MALWARE] ZeroAccess Malware Detected [5/5] || url,wiki.quadrantsec.com/bin/view/Main/5001735 5001736 || [WINDOWS-MALWARE] ZeroAccess Malware Detected [5/5] || url,wiki.quadrantsec.com/bin/view/Main/5001736 5001737 || [WINDOWS-MALWARE] ZeroAccess Malware Detected [5/5] || url,wiki.quadrantsec.com/bin/view/Main/5001737 5001738 || [WINDOWS-MALWARE] ZeroAccess Malware Detected [5/5] 
|| url,wiki.quadrantsec.com/bin/view/Main/5001738 5001739 || [PROXY-MALWARE] Pony Trojan || url,wiki.quadrantsec.com/bin/view/Main/5001739 5001740 || [WINDOWS-AUTH] Windows DC Logon Failure - Brute force 0x1 - Client's entry in database has expired [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5001740 5001741 || [WINDOWS-AUTH] Windows DC Logon Failure - Brute force 0x2 - Server's entry in database has expired [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5001741 5001742 || [WINDOWS-AUTH] Windows DC Logon Failure - Brute force 0x3 - Requested protocol version # not supported [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5001742 5001743 || [WINDOWS-AUTH] Windows DC Logon Failure - Brute force 0x4 - Client's key encrypted in old master key [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5001743 5001744 || [WINDOWS-AUTH] Windows DC Logon Failure - Brute force 0x5 - Server's key encrypted in old master key [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5001744 5001745 || [WINDOWS-AUTH] Windows DC Logon Failure - Brute force 0x6 - Client not found in Kerberos database [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5001745 5001746 || [WINDOWS-AUTH] Windows DC Logon Failure - Brute force 0x7 - Server not found in Kerberos database [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5001746 5001747 || [WINDOWS-AUTH] Windows DC Logon Failure - Brute force 0x8 - Multiple principal entries in database [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5001747 5001748 || [WINDOWS-AUTH] Windows DC Logon Failure - Brute force 0x9 - The client or server has a null key [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5001748 5001749 || [WINDOWS-AUTH] Windows DC Logon Failure - Brute force 0xA - Ticket not eligible for postdating [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5001749 5001750 || [WINDOWS-AUTH] Windows DC Logon Failure - Brute force 0xB - Requested start time is later than end time [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5001750 5001751 || 
[WINDOWS-AUTH] Windows DC Logon Failure - Brute force 0xC - KDC policy rejects request [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5001751 5001752 || [WINDOWS-AUTH] Windows DC Logon Failure - Brute force 0xD - KDC cannot accommodate requested option [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5001752 5001753 || [WINDOWS-AUTH] Windows DC Logon Failure - Brute force 0xE - KDC has no support for encryption type [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5001753 5001754 || [WINDOWS-AUTH] Windows DC Logon Failure - Brute force 0xF - KDC has no support for checksum type [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5001754 5001755 || [WINDOWS-AUTH] Windows DC Logon Failure - Brute force 0x10 - KDC has no support for padata type [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5001755 5001756 || [WINDOWS-AUTH] Windows DC Logon Failure - Brute force 0x11 - KDC has no support for transited type [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5001756 5001757 || [WINDOWS-AUTH] Windows DC Logon Failure - Brute force 0x12 - Clients credentials have been revoked [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5001757 5001758 || [WINDOWS-AUTH] Windows DC Logon Failure - Brute force 0x13 - Credentials for server have been revoked [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5001758 5001759 || [WINDOWS-AUTH] Windows DC Logon Failure - Brute force 0x14 - TGT has been revoked [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5001759 5001760 || [WINDOWS-AUTH] Windows DC Logon Failure - Brute force 0x15 - Client not yet valid - try again later [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5001760 5001761 || [WINDOWS-AUTH] Windows DC Logon Failure - Brute force 0x16 - Server not yet valid - try again later [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5001761 5001762 || [WINDOWS-AUTH] Windows DC Logon Failure - Brute force 0x17 - Password has expired [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5001762 5001763 || [WINDOWS-AUTH] Windows DC Logon Failure 
- Brute force 0x18 - Kerberos password authentication failure [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5001763 5001764 || [WINDOWS-AUTH] Windows DC Logon Failure - Brute force 0x19 - Additional pre-authentication required [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5001764 5001765 || [WINDOWS-AUTH] Windows DC Logon Failure - Brute force 0x1F - Integrity check on decrypted field failed [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5001765 5001766 || [WINDOWS-AUTH] Windows DC Logon Failure - Brute force 0x20 - Ticket expired [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5001766 5001767 || [WINDOWS-AUTH] Windows DC Logon Failure - Brute force 0x21 - Ticket not yet valid [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5001767 5001768 || [WINDOWS-AUTH] Windows DC Logon Failure - Brute force 0x22 - Request is a replay [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5001768 5001769 || [WINDOWS-AUTH] Windows DC Logon Failure - Brute force 0x23 - The ticket isn't for us [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5001769 5001770 || [WINDOWS-AUTH] Windows DC Logon Failure - Brute force 0x24 - Ticket and authenticator don't match [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5001770 5001771 || [WINDOWS-AUTH] Windows DC Logon Failure - Brute force 0x25 - Clock skew too great [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5001771 5001772 || [WINDOWS-AUTH] Windows DC Logon Failure - Brute force 0x26 - Incorrect net address [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5001772 5001773 || [WINDOWS-AUTH] Windows DC Logon Failure - Brute force 0x27 - Protocol version mismatch [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5001773 5001774 || [WINDOWS-AUTH] Windows DC Logon Failure - Brute force 0x28 - Invalid msg type [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5001774 5001775 || [WINDOWS-AUTH] Windows DC Logon Failure - Brute force 0x29 - Message stream modified [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5001775 5001776 || 
[WINDOWS-AUTH] Windows DC Logon Failure - Brute force 0x2A - Message out of order [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5001776 5001777 || [WINDOWS-AUTH] Windows DC Logon Failure - Brute force 0x2C - Specified version of key is not available [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5001777 5001778 || [WINDOWS-AUTH] Windows DC Logon Failure - Brute force 0x2D - Service key not available [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5001778 5001779 || [WINDOWS-AUTH] Windows DC Logon Failure - Brute force 0x2E - Mutual authentication failed [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5001779 5001780 || [WINDOWS-AUTH] Windows DC Logon Failure - Brute force 0x2F - Incorrect message direction [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5001780 5001781 || [WINDOWS-AUTH] Windows DC Logon Failure - Brute force 0x30 - Alternative authentication method required [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5001781 5001782 || [WINDOWS-AUTH] Windows DC Logon Failure - Brute force 0x31 - Incorrect sequence number in message [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5001782 5001783 || [WINDOWS-AUTH] Windows DC Logon Failure - Brute force 0x32 - Inappropriate type of checksum in message [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5001783 5001784 || [WINDOWS-AUTH] Windows DC Logon Failure - Brute force 0x3C - Generic error [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5001784 5001785 || [WINDOWS-AUTH] Windows DC Logon Failure - Brute force 0x3D - Field is too long for this implementation [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5001785 5001786 || [FORTINET-MALWARE] ZeroAccess UDP port 16464 detected [5/5] || url, wiki.quadrantsec.com/bin/view/Main/5001786 5001787 || [FORTINET-MALWARE] ZeroAccess UDP port 16465 detected [5/5] || url, wiki.quadrantsec.com/bin/view/Main/5001787 5001788 || [FORTINET-MALWARE] ZeroAccess UDP port 16470 detected [5/5] || url, wiki.quadrantsec.com/bin/view/Main/5001788 5001789 || [FORTINET-MALWARE] 
ZeroAccess UDP port 16471 detected [5/5] || url, wiki.quadrantsec.com/bin/view/Main/5001789 5001790 || [CISCO-MALWARE] ZeroAccess pre-2012 TCP port 13620 detected [denied] [5/5] || url, wiki.quadrantsec.com/bin/view/Main/5001790 5001791 || [WINDOWS-AUTH] User account created || url,wiki.quadrantsec.com/bin/view/Main/5001786 5001792 || [WEB-ATTACKS] bsqlbf Brute Force SQL Injection || url,doc.emergingthreats.net/2008362 || url,code.google.com/p/bsqlbf-v2/ 5001793 || [WEB-ATTACKS] Cisco Torch IOS HTTP Scan || url,doc.emergingthreats.net/2008415 || url,www.securiteam.com/tools/5EP0F1FEUA.html || url,www.hackingexposedcisco.com/?link=tools 5001794 || [WEB-ATTACKS] Core-Project Scanning Bot UA Detected 5001795 || [WEB-ATTACKS] crimscanner User-Agent detected || url,doc.emergingthreats.net/2010954 5001796 || [WEB-ATTACKS] DavTest WebDav Vulnerability Scanner Default User Agent Detected || url,doc.emergingthreats.net/2011089 || url,code.google.com/p/davtest/ || url,www.darknet.org.uk/2010/04/davtest-webdav-vulerability-scanning-scanner-tool/ 5001797 || [WEB-ATTACKS] DirBuster Web App Scan in Progress || url,doc.emergingthreats.net/2008186 || url,owasp.org 5001798 || [WEB-ATTACKS] Possible Fast-Track Tool Spidering User-Agent Detected || url,doc.emergingthreats.net/2011721 || url,www.offensive-security.com/metasploit-unleashed/Fast-Track-Modes 5001799 || [WEB-ATTACKS] Suspicious User-Agent - get-minimal - Possible Vuln Scan || url,doc.emergingthreats.net/2003634 5001800 || [WEB-ATTACKS] Grabber.py Web Scan Detected || url,doc.emergingthreats.net/2009483 || url,rgaucher.info/beta/grabber/ 5001801 || [WEB-ATTACKS] Grendel Web Scan - Default User Agent Detected [0/5] || url,doc.emergingthreats.net/2009480 || url,www.grendel-scan.com 5001802 || [WEB-ATTACKS] Hmap Webserver Fingerprint Scan || url,doc.emergingthreats.net/2008537 || url,www.ujeni.murkyroc.com/hmap/ 5001803 || [WEB-ATTACKS] Mini MySqlatOr SQL Injection Scanner || url,doc.emergingthreats.net/2008729 || 
url,www.scrt.ch/pages_en/minimysqlator.html 5001804 || [WEB-ATTACKS] Default Mysqloit User Agent Detected - Mysql Injection Takeover Tool || url,doc.emergingthreats.net/2009882 || url,code.google.com/p/mysqloit/ 5001805 || [WEB-ATTACKS] Nmap Scripting Engine User-Agent Detected - Nmap NSE || url,doc.emergingthreats.net/2009359 5001806 || [WEB-ATTACKS] Nmap Scripting Engine User-Agent Detected - Nmap Scripting Engine || url,doc.emergingthreats.net/2009358 5001807 || [WEB-ATTACKS] Nessus User Agent || url,doc.emergingthreats.net/2002664 || url,www.nessus.org 5001808 || [WEB-ATTACKS] Netsparker Default User-Agent || url,www.mavitunasecurity.com/communityedition/ 5001809 || [WEB-ATTACKS] Nikto Web App Scan in Progress || url,doc.emergingthreats.net/2002677 || url,www.cirt.net/code/nikto.shtml 5001810 || [WEB-ATTACKS] Paros Proxy Scanner Detected || url,doc.emergingthreats.net/2008187 || url,www.parosproxy.org 5001811 || [WEB-ATTACKS] SQL Injection Attempt (Agent uil2pn) || url,doc.emergingthreats.net/2010215 || url,www.prevx.com/filenames/89385984947861762-X1/UIL2PN.EXE.html 5001812 || [WEB-ATTACKS] SQL Power Injector SQL Injection User Agent Detected || url,doc.emergingthreats.net/2009769 || url,en.wikipedia.org/wiki/Sql_injection || url,www.sqlpowerinjector.com/index.htm 5001813 || [WEB-ATTACKS] Sqlmap SQL Injection Scan || url,doc.emergingthreats.net/2008538 || url,sqlmap.sourceforge.net 5001814 || [WEB-ATTACKS] Skipfish Web Application Scan Detected || url,doc.emergingthreats.net/2010953 || url,code.google.com/p/skipfish/ || url,isc.sans.org/diary.html?storyid=8467 5001815 || [WEB-ATTACKS] Skipfish Web Application Scan Detected (2) || url,doc.emergingthreats.net/2010956 || url,code.google.com/p/skipfish/ || url,isc.sans.org/diary.html?storyid=8467 5001816 || [WEB-ATTACKS] Springenwerk XSS Scanner User-Agent Detected || url,doc.emergingthreats.net/2010508 || url,springenwerk.org/ 5001817 || [WEB-ATTACKS] Suspicious User-Agent inbound (bot) || 
url,doc.emergingthreats.net/bin/view/Main/2008228 5001818 || [WEB-ATTACKS] Toata Scanner User-Agent Detected || url,doc.emergingthreats.net/2009159 || url,isc.sans.org/diary.html?storyid=5599 5001819 || [WEB-ATTACKS] Tomcat Web Application Manager scanning || url,doc.emergingthreats.net/2010019 5001820 || [WEB-ATTACKS] Suspicious User-Agent Containing SQL Inject/ion, Likely SQL Injection Scanner || url,doc.emergingthreats.net/2010087 || url,www.owasp.org/index.php/SQL_Injection 5001821 || [WEB-ATTACKS] Suspicious User-Agent Containing Web Scan/er, Likely Web Scanner || url,doc.emergingthreats.net/2010088 5001822 || [WEB-ATTACKS] Suspicious User-Agent Containing Security Scan/ner, Likely Scan || url,doc.emergingthreats.net/2010089 5001823 || [WEB-ATTACKS] w3af User Agent || url,doc.emergingthreats.net/2007757 || url,w3af.sourceforge.net 5001824 || [WEB-ATTACKS] WSFuzzer Web Application Fuzzing || url,doc.emergingthreats.net/2008628 || url,www.owasp.org/index.php/Category%3aOWASP_WSFuzzer_Project 5001825 || [WEB-ATTACKS] Wapiti Web Server Vulnerability Scan || url,doc.emergingthreats.net/2008417 || url,wapiti.sourceforge.net/ 5001826 || [WEB-ATTACKS] WebHack Control Center User-Agent Inbound (WHCC/) || url,doc.emergingthreats.net/2003924 || url,www.governmentsecurity.org/forum/index.php?showtopic=5112&pid=28561&mode=threaded&start= 5001827 || [WEB-ATTACKS] Open-Proxy ScannerBot (webcollage-UA) || url,doc.emergingthreats.net/2010768 || url,www.botsvsbrowsers.com/details/214715/index.html || url, stateofsecurity.com/?p=526 5001828 || [WEB-ATTACKS] WebShag Web Application Scan Detected || url,doc.emergingthreats.net/2009158 || url,www.scrt.ch/pages_en/outils.html 5001829 || [WEB-ATTACKS] WhatWeb Web Application Fingerprint Scanner Default User-Agent Detected || url,doc.emergingthreats.net/2010960 || url,www.morningstarsecurity.com/research/whatweb 5001830 || [WEB-ATTACKS] WITOOL SQL Injection Scan || url,doc.emergingthreats.net/2009833 || url,witool.sourceforge.net/ 
5001831 || [WEB-ATTACKS] ZmEu exploit scanner || url,doc.emergingthreats.net/2010715 5001832 || [WEB-ATTACKS] Possible jBroFuzz Fuzzer Detected || url,doc.emergingthreats.net/2009476 || url,www.owasp.org/index.php/Category%3aOWASP_JBroFuzz 5001833 || [WEB-ATTACKS] Hydra User-Agent || url,freeworld.thc.org/thc-hydra 5001834 || [WEB-ATTACKS] Inspathx Path Disclosure Scanner User-Agent Detected || url,www.darknet.org.uk/2010/09/inspathx-tool-for-finding-path-disclosure-vulnerabilities/ || url,code.google.com/p/inspathx/ 5001835 || [WEB-ATTACKS] Medusa User-Agent || url,www.foofus.net/~jmk/medusa/medusa.html 5001836 || [WEB-ATTACKS] DotDotPwn User-Agent || url,dotdotpwn.sectester.net 5001838 || [WEB-ATTACKS] Havij SQL Injection Tool User-Agent Inbound || url,itsecteam.com/en/projects/project1.htm 5001839 || [WEB-ATTACKS] OpenVAS User-Agent Inbound || url,openvas.org 5001840 || [WEB-ATTACKS] ZmEu Scanner User-Agent Inbound 5001841 || [WEB-ATTACKS] Internal Dummy Connection User-Agent Inbound 5001842 || [WEB-ATTACKS] DominoHunter Security Scan in Progress || url,packetstormsecurity.org/files/31653/DominoHunter-0.92.zip.html 5001843 || [WEB-ATTACKS] Vega Web Application Scan || url,www.darknet.org.uk/2011/07/vega-open-source-cross-platform-web-application-security-assessment-platform/ || url,www.subgraph.com/products.html 5001844 || [WEB-ATTACKS] FHScan core User-Agent Detect || url,www.tarasco.org/security/FHScan_Fast_HTTP_Vulnerability_Scanner/index.html 5001845 || [WEB-ATTACKS] w3af User-Agent 2 5001846 || [HONEYD] Connection made to honeypot || url,wiki.quadrantsec.com/bin/view/Main/5001846 5001847 || [HONEYD] Attempt to login to honeypot Telnet server [0/10] || url,wiki.quadrantsec.com/bin/view/Main/5001847 5001848 || [HONEYD] Attempt to login to honeypot Telnet server as admin user [0/10] || url,wiki.quadrantsec.com/bin/view/Main/5001848 5001849 || [HONEYD] Attempt to login to honeypot FTP server [0/10] || url,wiki.quadrantsec.com/bin/view/Main/5001849 5001850 || 
[HONEYD] Connection to honeypot IIS server [0/10] || url,wiki.quadrantsec.com/bin/view/Main/5001850 5001851 || [HONEYD] Connection to honeypot Apache server [0/10] || url,wiki.quadrantsec.com/bin/view/Main/5001851 5001852 || [HONEYD] Connection to honeypot SMTP server [0/10] || url,wiki.quadrantsec.com/bin/view/Main/5001852 5001853 || [NFCAPD-MALWARE] Netflow - ZeroAccess UDP port 16464 detected [5/5] || url, wiki.quadrantsec.com/bin/view/Main/5001853 5001854 || [NFCAPD-MALWARE] Netflow - ZeroAccess UDP port 16465 detected [5/5] || url, wiki.quadrantsec.com/bin/view/Main/5001854 5001855 || [NFCAPD] Netflow - ZeroAccess UDP port 16470 detected [5/5] || url, wiki.quadrantsec.com/bin/view/Main/5001855 5001856 || [NFCAPD-MALWARE] Netflow - ZeroAccess UDP port 16471 detected [5/5] || url, wiki.quadrantsec.com/bin/view/Main/5001856 5001857 || [NFCAPD-MALWARE] Netflow - Old ZeroAccess TCP port 13620 detected [5/5] || url, wiki.quadrantsec.com/bin/view/Main/5001857 5001858 || [CISCO-MALWARE] ZeroAccess UDP port 16464 detected [allowed] [5/5] || url, wiki.quadrantsec.com/bin/view/Main/5001858 5001859 || [CISCO-MALWARE] ZeroAccess UDP port 16465 detected [allowed] [5/5] || url, wiki.quadrantsec.com/bin/view/Main/5001859 5001860 || [CISCO-MALWARE] ZeroAccess UDP port 16470 detected [allowed] [5/5] || url, wiki.quadrantsec.com/bin/view/Main/5001860 5001861 || [CISCO-MALWARE] ZeroAccess UDP port 16471 detected [allowed] [5/5] || url, wiki.quadrantsec.com/bin/view/Main/5001861 5001862 || [CISCO-MALWARE] ZeroAccess TCP port 13620 detected [allowed] [5/5] || url, wiki.quadrantsec.com/bin/view/Main/5001862 5001863 || [WEB-ATTACKS] Grendel Web Scan - Default User Agent Detected || url,doc.emergingthreats.net/2009480 || url,www.grendel-scan.com 5001864 || [WEB-ATTACKS] Absinthe SQL Injection Tool HTTP Header Detected || url,doc.emergingthreats.net/2009555 || url,0x90.org/releases/absinthe 5001865 || [WEB-ATTACKS] Nessus User Agent || url,doc.emergingthreats.net/2002664 || 
url,www.nessus.org 5001866 || [WEB-ATTACKS] Nikto Web App Scan in Progress || url,doc.emergingthreats.net/2002677 || url,www.cirt.net/code/nikto.shtml 5001867 || [FORTINET-MALWARE] Older ZeroAccess TCP port 13620 detected [5/5] || url, wiki.quadrantsec.com/bin/view/Main/5001867 5001868 || [CISCO-GEOIP] VPN Login from outside HOME_COUNTRY || url, wiki.quadrantsec.com/bin/view/Main/5001868 5001869 || [CISCO-GEOIP] Console login from outside HOME_COUNTRY || url, wiki.quadrantsec.com/bin/view/Main/5001869 5001870 || [PROFTPD-GEOIP] Authentication success from outside HOME_COUNTRY || url,wiki.quadrantsec.com/bin/view/Main/5001870 5001871 || [CISCO-IOS] Command logged || url,wiki.quadrantsec.com/bin/view/Main/5001871 5001872 || [CISCO-IOS] Enable command executed || url,wiki.quadrantsec.com/bin/view/Main/5001872 5001873 || [WINDOWS-GEOIP] Windows Logon outside of HOME_COUNTRY || url,wiki.quadrantsec.com/bin/view/Main/5001873 5001874 || [OPENSSH-GEOIP] Authentication success via password from outside HOME_COUNTRY || url,wiki.quadrantsec.com/bin/view/Main/5001874 5001875 || [OPENSSH-GEOIP] Authentication success via publickey from outside HOME_COUNTRY || url,wiki.quadrantsec.com/bin/view/Main/5001875 5001876 || [OPENSSH-GEOIP] Authentication success via keyboard from outside HOME_COUNTRY || url,wiki.quadrantsec.com/bin/view/Main/5001876 5001877 || [SSH-TECTIA-SERVER] Authentication Failure - Brute force [5/5] || url,wiki.quadrantsec.com/bin/view/Main/5001877 5001878 || [SSH-TECTIA-SERVER-GEOIP] Authentication success from outside HOME_COUNTRY || url,wiki.quadrantsec.com/bin/view/Main/5001878 5001879 || [CISCO-GEOIP] Login permitted from outside HOME_COUNTRY || url, wiki.quadrantsec.com/bin/view/Main/5001879 5001880 || [WINDOWS-AUTH] User account created [XBIT SET] || url,wiki.quadrantsec.com/bin/view/Main/5001880 5001881 || [WINDOWS-AUTH] User account re-enabled || url,wiki.quadrantsec.com/bin/view/Main/5001881 5001882 || [PROXY-MALWARE] Zeus bin Request 1 || 
url,labs.snort.org/papers/zeus.html 5001883 || [PROXY-MALWARE] Zeus bin Request 2 || url,labs.snort.org/papers/zeus.html 5001884 || [PROXY-MALWARE] Zeus bin Request 3 || url,labs.snort.org/papers/zeus.html 5001885 || [PROXY-MALWARE] Zeus bin Request 4 || url,labs.snort.org/papers/zeus.html 5001886 || [PROXY-MALWARE] Zeus bin Request 5 || url,labs.snort.org/papers/zeus.html 5001887 || [PROXY-MALWARE] Zeus bin Request 6 || url,labs.snort.org/papers/zeus.html 5001888 || [PROXY-MALWARE] Zeus bin Request 7 || url,labs.snort.org/papers/zeus.html 5001889 || [PROXY-MALWARE] Zeus bin Request 8 || url,labs.snort.org/papers/zeus.html 5001890 || [PROXY-MALWARE] Zeus bin Request 9 || url,labs.snort.org/papers/zeus.html 5001891 || [PROXY-MALWARE] Zeus bin Request 10 || url,labs.snort.org/papers/zeus.html 5001892 || [PROXY-MALWARE] Zeus bin Request 11 || url,labs.snort.org/papers/zeus.html 5001893 || [PROXY-MALWARE] Zeus bin Request 12 || url,labs.snort.org/papers/zeus.html 5001894 || [PROXY-MALWARE] Zeus bin Request 13 || url,labs.snort.org/papers/zeus.html 5001895 || [PROXY-MALWARE] Zeus bin Request 14 || url,labs.snort.org/papers/zeus.html 5001896 || [PROXY-MALWARE] Zeus bin Request 15 || url,labs.snort.org/papers/zeus.html 5001897 || [PROXY-MALWARE] Zeus bin Request 16 || url,labs.snort.org/papers/zeus.html 5001898 || [PROXY-MALWARE] Zeus bin Request 17 || url,labs.snort.org/papers/zeus.html 5001899 || [PROXY-MALWARE] Zeus bin Request 18 || url,labs.snort.org/papers/zeus.html 5001900 || [PROXY-MALWARE] Zeus bin Request 19 || url,labs.snort.org/papers/zeus.html 5001901 || [PROXY-MALWARE] Zeus bin Request 20 || url,labs.snort.org/papers/zeus.html 5001902 || [PROXY-MALWARE] Zeus bin Request 21 || url,labs.snort.org/papers/zeus.html 5001903 || [PROXY-MALWARE] Zeus bin Request 22 || url,labs.snort.org/papers/zeus.html 5001904 || [PROXY-MALWARE] Zeus bin Request 23 || url,labs.snort.org/papers/zeus.html 5001905 || [PROXY-MALWARE] Zeus bin Request 24 || 
url,labs.snort.org/papers/zeus.html 5001906 || [PROXY-MALWARE] Zeus bin Request 25 || url,labs.snort.org/papers/zeus.html 5001907 || [PROXY-MALWARE] Zeus bin Request 26 || url,labs.snort.org/papers/zeus.html 5001908 || [PROXY-MALWARE] Zeus bin Request 27 || url,labs.snort.org/papers/zeus.html 5001909 || [PROXY-MALWARE] Zeus bin Request 28 || url,labs.snort.org/papers/zeus.html 5001910 || [PROXY-MALWARE] Zeus bin Request 29 || url,labs.snort.org/papers/zeus.html 5001911 || [PROXY-MALWARE] Zeus bin Request 30 || url,labs.snort.org/papers/zeus.html 5001912 || [PROXY-MALWARE] Zeus bin Request 31 || url,labs.snort.org/papers/zeus.html 5001913 || [PROXY-MALWARE] Zeus bin Request 32 || url,labs.snort.org/papers/zeus.html 5001914 || [PROXY-MALWARE] Zeus bin Request 33 || url,labs.snort.org/papers/zeus.html 5001915 || [PROXY-MALWARE] Zeus bin Request 34 || url,labs.snort.org/papers/zeus.html 5001916 || [PROXY-MALWARE] Zeus bin Request 35 || url,labs.snort.org/papers/zeus.html 5001917 || [PROXY-MALWARE] Zeus bin Request 36 || url,labs.snort.org/papers/zeus.html 5001918 || [PROXY-MALWARE] Zeus php Request 1 || url,labs.snort.org/papers/zeus.html 5001919 || [PROXY-MALWARE] Zeus php Request 2 || url,labs.snort.org/papers/zeus.html 5001920 || [PROXY-MALWARE] Zeus php Request 3 || url,labs.snort.org/papers/zeus.html 5001921 || [PROXY-MALWARE] Zeus php Request 4 || url,labs.snort.org/papers/zeus.html 5001922 || [PROXY-MALWARE] Zeus php Request 5 || url,labs.snort.org/papers/zeus.html 5001923 || [PROXY-MALWARE] Zeus php Request 6 || url,labs.snort.org/papers/zeus.html 5001924 || [PROXY-MALWARE] Zeus php Request 7 || url,labs.snort.org/papers/zeus.html 5001925 || [PROXY-MALWARE] Zeus php Request 8 || url,labs.snort.org/papers/zeus.html 5001926 || [PROXY-MALWARE] Zeus php Request 9 || url,labs.snort.org/papers/zeus.html 5001927 || [PROXY-MALWARE] Zeus php Request 10 || url,labs.snort.org/papers/zeus.html 5001928 || [PROXY-MALWARE] Zeus php Request 11 || 
url,labs.snort.org/papers/zeus.html 5001929 || [PROXY-MALWARE] Zeus php Request 12 || url,labs.snort.org/papers/zeus.html 5001930 || [PROXY-MALWARE] Zeus php Request 13 || url,labs.snort.org/papers/zeus.html 5001931 || [PROXY-MALWARE] Zeus php Request 14 || url,labs.snort.org/papers/zeus.html 5001932 || [PROXY-MALWARE] Zeus php Request 15 || url,labs.snort.org/papers/zeus.html 5001933 || [PROXY-MALWARE] Zeus php Request 16 || url,labs.snort.org/papers/zeus.html 5001934 || [PROXY-MALWARE] Zeus php Request 17 || url,labs.snort.org/papers/zeus.html 5001935 || [PROXY-MALWARE] Zeus php Request 18 || url,labs.snort.org/papers/zeus.html 5001936 || [PROXY-MALWARE] Zeus php Request 19 || url,labs.snort.org/papers/zeus.html 5001937 || [PROXY-MALWARE] Zeus php Request 20 || url,labs.snort.org/papers/zeus.html 5001938 || [PROXY-MALWARE] Zeus php Request 21 || url,labs.snort.org/papers/zeus.html 5001939 || [PROXY-MALWARE] Zeus php Request 22 || url,labs.snort.org/papers/zeus.html 5001940 || [PROXY-MALWARE] Zeus php Request 23 || url,labs.snort.org/papers/zeus.html 5001941 || [PROXY-MALWARE] Zeus php Request 24 || url,labs.snort.org/papers/zeus.html 5001942 || [PROXY-MALWARE] Zeus php Request 25 || url,labs.snort.org/papers/zeus.html 5001943 || [LINUX-KERNEL] ReiserFS error || url,wiki.quadrantsec.com/bin/view/Main/5001943 5001944 || [LINUX-KERNEL] Unhandled error code || url,wiki.quadrantsec.com/bin/view/Main/5001944 5001945 || [LINUX-KERNEL] I/O error || url,wiki.quadrantsec.com/bin/view/Main/5001945 5001946 || [LINUX-KERNEL] hostbyte=DID_ERROR || url,wiki.quadrantsec.com/bin/view/Main/5001946 5001947 || [FORTINET-GEOIP] Login accepted from outside HOME_COUNTRY || url,wiki.quadrantsec.com/bin/view/Main/5001947 5001948 || [FORTINET-GEOIP] Administrator Login from outside HOME_COUNTRY || url,wiki.quadrantsec.com/bin/view/Main/5001948 5001949 || [FORTINET-GEOIP] Admin authentication success outside HOME_COUNTRY || url,wiki.quadrantsec.com/bin/view/Main/5001949 5001950 || 
[CISCO-GEOIP] VPN login from outside HOME_COUNTRY || url, wiki.quadrantsec.com/bin/view/Main/5001950 5001951 || [WINDOWS-MALWARE] Black POS Malware Detected [5/5] || url,wiki.quadrantsec.com/bin/view/Main/5001951 5001952 || [CISCO-IOS] Login Success || url,wiki.quadrantsec.com/bin/view/Main/5001952 5001954 || [OPENSSH] SYSLOG Authentication failure - Brute force [5/1] || url,wiki.quadrantsec.com/bin/view/Main/5001954 5001955 || [FATPIPE] Login Success || url,wiki.quadrantsec.com/bin/view/Main/5001955 5001956 || [FATPIPE] Login Success - ADMINISTRATOR || url,wiki.quadrantsec.com/bin/view/Main/5001956 5001957 || [FATPIPE] Login Failed || url,wiki.quadrantsec.com/bin/view/Main/5001957 5001958 || [FATPIPE] Login Failed - Brute Force [5/5] || url,wiki.quadrantsec.com/bin/view/Main/5001958 5001959 || [FATPIPE-GEOIP] Login Success from outside HOME_COUNTRY || url,wiki.quadrantsec.com/bin/view/Main/5001959 5001960 || [FATPIPE-GEOIP] Login Success - ADMINISTRATOR - from outside HOME_COUNTRY || url,wiki.quadrantsec.com/bin/view/Main/5001960 5001961 || [SYSLOG] Redhat Linux not updating || url,wiki.quadrantsec.com/bin/view/Main/5001961 5001962 || [CISCO-GEOIP] VPN disconnect from outside HOME_COUNTRY || url, wiki.quadrantsec.com/bin/view/Main/5001962 5001963 || [CISCO-PIXASA] WebVPN console/admin failed || url, wiki.quadrantsec.com/bin/view/Main/5001963 5001964 || [CISCO-GEOIP] VPN login from outside HOME_COUNTRY || url, wiki.quadrantsec.com/bin/view/Main/5001964 5001965 || [CISCO-MALWARE] ACE ZeroAccess UDP port 16464 detected [5/5] || url, wiki.quadrantsec.com/bin/view/Main/5001965 5001966 || [CISCO-MALWARE] ACE ZeroAccess UDP port 16465 detected [5/5] || url, wiki.quadrantsec.com/bin/view/Main/5001966 5001967 || [CISCO-MALWARE] ACE ZeroAccess UDP port 16470 detected [5/5] || url, wiki.quadrantsec.com/bin/view/Main/5001967 5001968 || [CISCO-MALWARE] ACE ZeroAccess UDP port 16471 detected [5/5] || url, wiki.quadrantsec.com/bin/view/Main/5001968 5001969 || [CISCO-MALWARE] ACE 
ZeroAccess pre-2012 TCP port 13620 [5/5] || url, wiki.quadrantsec.com/bin/view/Main/5001969 5001970 || [FORTINET] SSH traffic detected || url,wiki.quadrantsec.com/bin/view/Main/5001970 5001971 || [FORTINET-GEOIP] SSH traffic detected from outside HOME_COUNTRY || url,wiki.quadrantsec.com/bin/view/Main/5001971 5001972 || [SYSLOG] SCSI task abort || url,wiki.quadrantsec.com/bin/view/Main/5001972 5001973 || [SYSLOG] Remounting filesystem read-only || url,wiki.quadrantsec.com/bin/view/Main/5001973 5001974 || [OPENSSH] Fail2Ban SSH Suspicious Activity || url,wiki.quadrantsec.com/bin/view/Main/5001974 5001977 || [CISCO-GEOIP] ACS Login success from outside HOME_COUNTRY || url, wiki.quadrantsec.com/bin/view/Main/5001977 5001978 || [WINDOWS-AUTH] Account locked out (ADMINISTRATOR) || url,wiki.quadrantsec.com/bin/view/Main/5001978 5001979 || [FILE-GEOIP] Executable Downloaded from outside HOME_COUNTRY || url, wiki.quadrantsec.com/bin/view/Main/5001979 5001980 || [FILE-GEOIP] Java Downloaded from outside HOME_COUNTRY || url, wiki.quadrantsec.com/bin/view/Main/5001980 5001981 || [FILE-GEOIP] Jar/Zip Downloaded from outside HOME_COUNTRY || url, wiki.quadrantsec.com/bin/view/Main/5001981 5001982 || [FILE-GEOIP] PDF Downloaded from outside HOME_COUNTRY || url, wiki.quadrantsec.com/bin/view/Main/5001982 5001983 || [FILE-GEOIP] Flash Downloaded from outside HOME_COUNTRY || url, wiki.quadrantsec.com/bin/view/Main/5001983 5001984 || [NFCAPD] Possible IRC detected [5/5] || url, wiki.quadrantsec.com/bin/view/Main/5001984 5001985 || [NFCAPD] Possible IRC detected [5/5] || url, wiki.quadrantsec.com/bin/view/Main/5001985 5001986 || [NFCAPD] Possible IRC - Port 6660 [5/5] || url, wiki.quadrantsec.com/bin/view/Main/5001986 5001987 || [NFCAPD] Possible IRC - Port 6661 [5/5] || url, wiki.quadrantsec.com/bin/view/Main/5001987 5001988 || [NFCAPD] Possible IRC - Port 6662 [5/5] || url, wiki.quadrantsec.com/bin/view/Main/5001988 5001989 || [NFCAPD] Possible IRC - Port 6663 [5/5] || url, 
wiki.quadrantsec.com/bin/view/Main/5001989 5001990 || [NFCAPD] Possible IRC - Port 6664 [5/5] || url, wiki.quadrantsec.com/bin/view/Main/5001990 5001991 || [NFCAPD] Possible IRC - Port 6665 [5/5] || url, wiki.quadrantsec.com/bin/view/Main/5001991 5001992 || [NFCAPD] Possible IRC - Port 6666 [5/5] || url, wiki.quadrantsec.com/bin/view/Main/5001992 5001993 || [NFCAPD] Possible IRC - Port 6668 [5/5] || url, wiki.quadrantsec.com/bin/view/Main/5001993 5001994 || [NFCAPD] Possible IRC - Port 6669 [5/5] || url, wiki.quadrantsec.com/bin/view/Main/5001994 5001995 || [NFCAPD] Possible IRC - Port 7000 [5/5] || url, wiki.quadrantsec.com/bin/view/Main/5001995 5001996 || [NFCAPD] PUSH/ACK Traffic Detected [5/5] || url, wiki.quadrantsec.com/bin/view/Main/5001996 5001997 || [NFCAPD] PUSH/ACK Traffic Detected - Port 2222 [5/5] || url, wiki.quadrantsec.com/bin/view/Main/5001997 5001998 || [NFCAPD] Telnet Traffic Detected via PUSH/ACK [5/5] || url, wiki.quadrantsec.com/bin/view/Main/5001998 5001999 || [WINDOWS-MALWARE] Suspicious misspelled process || url,wiki.quadrantsec.com/bin/view/Main/5001999 5002000 || [WINDOWS-MALWARE] Lower case drive letter used in process || url,wiki.quadrantsec.com/bin/view/Main/5002000 5002001 || [WINDOWS-MALWARE] Incorrect path called for svchost.exe || url,wiki.quadrantsec.com/bin/view/Main/5002001 5002002 || [WINDOWS-MALWARE] Incorrect path called for explorer.exe || url,wiki.quadrantsec.com/bin/view/Main/5002002 5002003 || [WINDOWS-MALWARE] Suspicious application crash || url,wiki.quadrantsec.com/bin/view/Main/5002003 5002006 || [WINDOWS-MALWARE] Suspicious Tool Event || url,wiki.quadrantsec.com/bin/view/Main/5002006 5002007 || [WINDOWS-MALWARE] Virus Found! 
|| url,wiki.quadrantsec.com/bin/view/Main/5002007 5002011 || [WINDOWS-MALWARE] System protection disabled || url,wiki.quadrantsec.com/bin/view/Main/5002011 5002014 || [WINDOWS-MISC] System shutdown [XBIT SET] || url,wiki.quadrantsec.com/bin/view/Main/5002014 5002015 || [WINDOWS-AUTH] RDP / Logon type 10 || url,wiki.quadrantsec.com/bin/view/Main/5002015 5002016 || [WINDOWS-GEOIP] RDP / Logon type 10 from outside HOME_COUNTRY || url,wiki.quadrantsec.com/bin/view/Main/5002016 5002017 || [WINDOWS-AUTH] Pass-The-Hash detected! || url, http://en.wikipedia.org/wiki/Pass_the_hash || url,wiki.quadrantsec.com/bin/view/Main/5002017 5002018 || [WINDOWS-AUTH] Logon attempt using explicit credentials || url,wiki.quadrantsec.com/bin/view/Main/5002018 5002020 || [WINDOWS-GEOIP] Logon attempt using explicit credentials from outside HOME_COUNTRY || url,wiki.quadrantsec.com/bin/view/Main/5002020 5002022 || [JUNIPER] VPN Login failed || url,wiki.quadrantsec.com/bin/view/Main/5002022 5002023 || [JUNIPER] VPN Login failed - Brute Force [10/5] || url,wiki.quadrantsec.com/bin/view/Main/5002023 5002024 || [JUNIPER] Possible VPN Login bypass attempt || url,wiki.quadrantsec.com/bin/view/Main/5002024 5002025 || [JUNIPER] VPN Unable to download virus signatures || url,wiki.quadrantsec.com/bin/view/Main/5002025 5002026 || [JUNIPER] VPN - Possible scan/probe || url,wiki.quadrantsec.com/bin/view/Main/5002026 5002027 || [JUNIPER] VPN - Policy violation || url,wiki.quadrantsec.com/bin/view/Main/5002027 5002028 || [JUNIPER-GEOIP] VPN Login from outside HOME_COUNTRY || url, wiki.quadrantsec.com/bin/view/Main/5002028 5002029 || [JUNIPER-GEOIP] VPN Logout from outside HOME_COUNTRY || url, wiki.quadrantsec.com/bin/view/Main/5002029 5002030 || [RIVERBED] Administrator Login || url,wiki.quadrantsec.com/bin/view/Main/5002030 5002031 || [RIVERBED] Administrator Login Failure || url,wiki.quadrantsec.com/bin/view/Main/5002031 5002032 || [RIVERBED-GEOIP] Administrator Login outside of HOME_COUNTRY || 
url,wiki.quadrantsec.com/bin/view/Main/5002032 5002033 || [RIVERBED] Administrator Login Failure - Brute Force [5/5] || url,wiki.quadrantsec.com/bin/view/Main/5002033 5002034 || [CISCO-AETAS] VPN Login at suspicious time || url, wiki.quadrantsec.com/bin/view/Main/5002034 5002035 || [CISCO-AETAS] Console login at suspicious time || url, wiki.quadrantsec.com/bin/view/Main/5002035 5002036 || [CISCO-AETAS] Login permitted at suspicious time || url, wiki.quadrantsec.com/bin/view/Main/5002036 5002037 || [CISCO-AETAS] WebVPN login at suspicious time || url, wiki.quadrantsec.com/bin/view/Main/5002037 5002038 || [CISCO-AETAS] VPN disconnect at suspicious time || url, wiki.quadrantsec.com/bin/view/Main/5002038 5002039 || [CISCO-AETAS] VPN login at suspicious time || url, wiki.quadrantsec.com/bin/view/Main/5002039 5002040 || [CISCO-AETAS] ACS Login success at suspicious time || url, wiki.quadrantsec.com/bin/view/Main/5002040 5002041 || [FATPIPE-AETAS] Login Success at suspicious time || url,wiki.quadrantsec.com/bin/view/Main/5002041 5002042 || [FATPIPE-AETAS] Login Success - ADMINISTRATOR - at supicious time || url,wiki.quadrantsec.com/bin/view/Main/5002042 5002043 || [FORTINET-AETAS] Login accepted at suspicious time || url,wiki.quadrantsec.com/bin/view/Main/5002043 5002044 || [FORTINET-AETAS] Administrator Login at suspicious time || url,wiki.quadrantsec.com/bin/view/Main/5002044 5002045 || [FORTINET-AETAS] Admin authentication access at suspicious time || url,wiki.quadrantsec.com/bin/view/Main/5002045 5002046 || [FORTINET-AETAS] SSH traffic detected at suspicious time || url,wiki.quadrantsec.com/bin/view/Main/5002046 5002047 || [JUNIPER-AETAS] VPN Login at suspicious time || url, wiki.quadrantsec.com/bin/view/Main/5002047 5002048 || [JUNIPER-AETAS] VPN Logout at suspicious time || url, wiki.quadrantsec.com/bin/view/Main/5002048 5002049 || [OPENSSH-AETAS] Authentication success via password at suspicious time || url,wiki.quadrantsec.com/bin/view/Main/5002049 5002050 || 
[OPENSSH-AETAS] Authentication success via publickey at suspicious time || url,wiki.quadrantsec.com/bin/view/Main/5002050 5002051 || [OPENSSH-AETAS] Authentication success via keyboard at suspicious time || url,wiki.quadrantsec.com/bin/view/Main/5002051 5002052 || [PROFTPD-AETAS] Authentication success at suspicious time || url,wiki.quadrantsec.com/bin/view/Main/5002052 5002053 || [RIVERBED-AETAS] Administrator Login at suspicious time || url,wiki.quadrantsec.com/bin/view/Main/5002053 5002054 || [SSH-TECTIA-SERVER-AETAS] Authentication success at suspicious time || url,wiki.quadrantsec.com/bin/view/Main/5002054 5002055 || [WINDOWS-GEOIP] Windows Logon at suspicious time || url,wiki.quadrantsec.com/bin/view/Main/5002055 5002056 || [WINDOWS-GEOIP] RDP / Logon type 10 at suspicious time || url,wiki.quadrantsec.com/bin/view/Main/5002056 5002057 || [WINDOWS-GEOIP] Logon attempt using explicit credentials at suspicious time || url,wiki.quadrantsec.com/bin/view/Main/5002057 5002058 || [CISCO-GEOIP] VPN login from outside HOME_COUNTRY [2] || url, wiki.quadrantsec.com/bin/view/Main/5002058 5002059 || [CISCO-GEOIP] FTP file transfer from outside HOME_COUNTRY || url, wiki.quadrantsec.com/bin/view/Main/5002059 5002060 || [CISCO-GEOIP] FTP file transfer to outside HOME_COUNTRY || url, wiki.quadrantsec.com/bin/view/Main/5002060 5002061 || [PROXY-MALWARE] Tor2www Request || url,www.tor2www.com 5002062 || [PROXY-MALWARE] Tor2web Request || url,www.tor2web.org 5002063 || [BRO] SSH Password_Guessing [0/5] || url,wiki.quadrantsec.com/bin/view/Main/5002063 5002064 || [BRO] TeamCymruMalwareHashRegistry Match || url,www.team-cymru.org/Services/MHR/ 5002065 || [BRO] HTTP SQL_Injection_Attacker || url,wiki.quadrantsec.com/bin/view/Main/5002065 5002066 || [BRO] HTTP SQL_Injection_Victim || url,wiki.quadrantsec.com/bin/view/Main/5002066 5002067 || [BRO] SSH Login_By_Password_Guesser || url,wiki.quadrantsec.com/bin/view/Main/5002067 5002068 || [BRO] SSH Watched_Country_Login || 
url,wiki.quadrantsec.com/bin/view/Main/5002068 5002069 || [BRO] 10+ SSL Invalid_Server_Cert in 30 seconds [10/5] || url,wiki.quadrantsec.com/bin/view/Main/5002069 5002070 || [BRO] 10+ unable to get local issuer certificate in 30 seconds [10/5] || url,wiki.quadrantsec.com/bin/view/Main/5002070 5002071 || [BRO] ZeroAccess ZeroAccess_Client [0/5] || url,wiki.quadrantsec.com/bin/view/Main/5002070 5002072 || [BRO] Probable LURK0 RAT C&C Access || url,wiki.quadrantsec.com/bin/view/Main/5002072 5002073 || [BRO] Sidejacking attach detected || url,matthias.vallentin.net/blog/2010/10/taming-the-sheep-detecting-sidejacking-with-bro || url,wiki.quadrantsec.com/bin/view/Main/5002073 5002074 || [BRO] Bitcoin Miner [0/10] || url,wiki.quadrantsec.com/bin/view/Main/5002074 5002075 || [IMAPD-BLUEDOT] Login from a suspicious source || url, wiki.quadrantsec.com/bin/view/Main/5002075 5002076 || [IMAPD-BLUEDOT] Logout from a suspicious source || url, wiki.quadrantsec.com/bin/view/Main/5002076 5002077 || [IMAPD-BLUEDOT] Timeout from a suspicious source || url, wiki.quadrantsec.com/bin/view/Main/5002077 5002079 || [IMAPD-BLUEDOT] Connection from a suspicious source || url, wiki.quadrantsec.com/bin/view/Main/5002079 5002080 || [ARTILLERY] General Artillery Message || url,www.trustedsec.com/downloads/artillery || url,wiki.quadrantsec.com/bin/view/Main/5002080 5002081 || [ARTILLERY] FTP brute force violation || url,www.trustedsec.com/downloads/artillery || url,wiki.quadrantsec.com/bin/view/Main/5002081 5002082 || [ARTILLERY] Issue identified - Permissions not set as root || url,www.trustedsec.com/downloads/artillery || url,wiki.quadrantsec.com/bin/view/Main/5002082 5002083 || [ARTILLERY] Issue identified - vsftp.conf Anonymous FTP allowed || url,www.trustedsec.com/downloads/artillery || url,wiki.quadrantsec.com/bin/view/Main/5002083 5002084 || [ARTILLERY] Issue identified - SSH running on default TCP port 22 || url,www.trustedsec.com/downloads/artillery || 
url,wiki.quadrantsec.com/bin/view/Main/5002084 5002085 || [ARTILLERY] Issue identified - sshd_config allows RootLogin || url,www.trustedsec.com/downloads/artillery || url,wiki.quadrantsec.com/bin/view/Main/5002085 5002086 || [ARTILLERY] Honeyport blocked/blacklisted address || url,www.trustedsec.com/downloads/artillery || url,wiki.quadrantsec.com/bin/view/Main/5002086 5002087 || [ARTILLERY] Honeyport attack detected || url,www.trustedsec.com/downloads/artillery || url,wiki.quadrantsec.com/bin/view/Main/5002087 5002088 || [ARTILLERY] File changes have occured || url,www.trustedsec.com/downloads/artillery || url,wiki.quadrantsec.com/bin/view/Main/5002088 5002089 || [ARTILLERY] SSH brute force violation || url,www.trustedsec.com/downloads/artillery || url,wiki.quadrantsec.com/bin/view/Main/5002089 5002090 || [WINDOWS-APPLOCKER] Allowed program to execute || url,wiki.quadrantsec.com/bin/view/Main/5002090 5002091 || [WINDOWS-APPLOCKER] Application blocked || url,wiki.quadrantsec.com/bin/view/Main/5002091 5002092 || [WINDOWS-APPLOCKER] Allowed an MSI or script to execute || url,wiki.quadrantsec.com/bin/view/Main/5002092 5002093 || [WINDOWS-APPLOCKER] Allowed MSI/Script, but would have blocked || url,wiki.quadrantsec.com/bin/view/Main/5002093 5002094 || [WINDOWS-APPLOCKER] Prevent MSI/Script to execute || url,wiki.quadrantsec.com/bin/view/Main/5002094 5002095 || [WINDOWS-APPLOCKER] Package application allowed || url,wiki.quadrantsec.com/bin/view/Main/5002095 5002096 || [WINDOWS-APPLOCKER] Package application audited || url,wiki.quadrantsec.com/bin/view/Main/5002096 5002097 || [WINDOWS-APPLOCKER] Package application disabled || url,wiki.quadrantsec.com/bin/view/Main/5002097 5002098 || [WINDOWS-APPLOCKER] Package application installation allowed || url,wiki.quadrantsec.com/bin/view/Main/5002098 5002099 || [WINDOWS-APPLOCKER] Package application installation audited || url,wiki.quadrantsec.com/bin/view/Main/5002099 5002100 || [WINDOWS-APPLOCKER] Package application 
installation disabled || url,wiki.quadrantsec.com/bin/view/Main/5002100 5002101 || [WINDOWS-EMET] Detected Caller mitigation/will close application || url,wiki.quadrantsec.com/bin/view/Main/5002101 5002102 || [WINDOWS-EMET] EMET process stopped, but not due to reboot || url,wiki.quadrantsec.com/bin/view/Main/5002102 5002103 || [WINDOWS-MALWARE] RASWMI Malware process detected || url,wiki.quadrantsec.com/bin/view/Main/5002103 5002104 || [CISCO-WLC] Bcast Deauth || url,wiki.quadrantsec.com/bin/view/Main/5002104 || url,www.cisco.com/c/en/us/support/docs/wireless-mobility/wireless-lan-wlan/69366-controller-ids-sig.html 5002105 || [CISCO-WLC] Null probe resp 1 || url,wiki.quadrantsec.com/bin/view/Main/5002105 || url,www.cisco.com/c/en/us/support/docs/wireless-mobility/wireless-lan-wlan/69366-controller-ids-sig.html 5002106 || [CISCO-WLC] Null probe resp 2 || url,wiki.quadrantsec.com/bin/view/Main/5002106 || url,www.cisco.com/c/en/us/support/docs/wireless-mobility/wireless-lan-wlan/69366-controller-ids-sig.html 5002107 || [CISCO-WLC] Assoc Flood || url,wiki.quadrantsec.com/bin/view/Main/5002107 || url,www.cisco.com/c/en/us/support/docs/wireless-mobility/wireless-lan-wlan/69366-controller-ids-sig.html 5002108 || [CISCO-WLC] Reassoc Flood || url,wiki.quadrantsec.com/bin/view/Main/5002108 || url,www.cisco.com/c/en/us/support/docs/wireless-mobility/wireless-lan-wlan/69366-controller-ids-sig.html 5002109 || [CISCO-WLC] Broadcast Probe flood || url,wiki.quadrantsec.com/bin/view/Main/5002109 || url,www.cisco.com/c/en/us/support/docs/wireless-mobility/wireless-lan-wlan/69366-controller-ids-sig.html 5002110 || [CISCO-WLC] Disassoc flood || url,wiki.quadrantsec.com/bin/view/Main/5002110 || url,www.cisco.com/c/en/us/support/docs/wireless-mobility/wireless-lan-wlan/69366-controller-ids-sig.html 5002111 || [CISCO-WLC] Deauth flood || url,wiki.quadrantsec.com/bin/view/Main/5002111 || 
url,www.cisco.com/c/en/us/support/docs/wireless-mobility/wireless-lan-wlan/69366-controller-ids-sig.html 5002112 || [CISCO-WLC] Res mgmt 6 & 7 || url,wiki.quadrantsec.com/bin/view/Main/5002112 || url,www.cisco.com/c/en/us/support/docs/wireless-mobility/wireless-lan-wlan/69366-controller-ids-sig.html 5002113 || [CISCO-WLC] Res mgmt D || url,wiki.quadrantsec.com/bin/view/Main/5002113 || url,www.cisco.com/c/en/us/support/docs/wireless-mobility/wireless-lan-wlan/69366-controller-ids-sig.html 5002114 || [CISCO-WLC] Res mgmt E & F || url,wiki.quadrantsec.com/bin/view/Main/5002114 || url,www.cisco.com/c/en/us/support/docs/wireless-mobility/wireless-lan-wlan/69366-controller-ids-sig.html 5002115 || [CISCO-WLC] EAPOL flood || url,wiki.quadrantsec.com/bin/view/Main/5002115 || url,www.cisco.com/c/en/us/support/docs/wireless-mobility/wireless-lan-wlan/69366-controller-ids-sig.html 5002116 || [CISCO-WLC] NetStumbler 3.2.0 detected || url,wiki.quadrantsec.com/bin/view/Main/5002116 || url,www.cisco.com/c/en/us/support/docs/wireless-mobility/wireless-lan-wlan/69366-controller-ids-sig.html 5002117 || [CISCO-WLC] NetStumbler 3.2.3 detected || url,wiki.quadrantsec.com/bin/view/Main/5002117 || url,www.cisco.com/c/en/us/support/docs/wireless-mobility/wireless-lan-wlan/69366-controller-ids-sig.html 5002118 || [CISCO-WLC] NetStumbler 3.3.0 detected || url,wiki.quadrantsec.com/bin/view/Main/5002118 || url,www.cisco.com/c/en/us/support/docs/wireless-mobility/wireless-lan-wlan/69366-controller-ids-sig.html 5002119 || [CISCO-WLC] NetStumbler generic detected || url,wiki.quadrantsec.com/bin/view/Main/5002119 || url,www.cisco.com/c/en/us/support/docs/wireless-mobility/wireless-lan-wlan/69366-controller-ids-sig.html 5002120 || [CISCO-WLC] Wellenreiter detected || url,wiki.quadrantsec.com/bin/view/Main/5002120 || url,www.cisco.com/c/en/us/support/docs/wireless-mobility/wireless-lan-wlan/69366-controller-ids-sig.html 5002121 || [CISCO-WLC] Big NAV Dos attack || 
url,wiki.quadrantsec.com/bin/view/Main/5002121 || url,www.cisco.com/c/en/us/support/docs/wireless-mobility/wireless-lan-wlan/69366-controller-ids-sig.html 5002122 || [CISCO-PRIME] BIG NAV DOS Attack || url,wiki.quadrantsec.com/bin/view/Main/5002122 || url,www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html 5002123 || [CISCO-PRIME] Rogue AP detect and contained || url,wiki.quadrantsec.com/bin/view/Main/5002123 || url,www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html 5002124 || [CISCO-PRIME] Rogue AP detected exceed theshold || url,wiki.quadrantsec.com/bin/view/Main/5002124 || url,www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html 5002125 || [CISCO-PRIME] SNMP Authentication failure || url,wiki.quadrantsec.com/bin/view/Main/5002125 || url,www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html 5002126 || [CISCO-PRIME] Authentication failure by local management user/MAC || url,wiki.quadrantsec.com/bin/view/Main/5002126 || url,www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html 5002127 || [CISCO-PRIME] Rogue AP or ADHOC detected || url,wiki.quadrantsec.com/bin/view/Main/5002127 || url,www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html 5002128 || [CISCO-PRIME] Rogue AP on the network! || url,wiki.quadrantsec.com/bin/view/Main/5002128 || url,www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html 5002129 || [CISCO-PRIME] Rogue AP has been removed || url,wiki.quadrantsec.com/bin/view/Main/5002129 || url,www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html 5002130 || [CISCO-PRIME] Internal high temperature detected! 
|| url,wiki.quadrantsec.com/bin/view/Main/5002130 || url,www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html 5002131 || [CISCO-PRIME] Internal low temperature detected! || url,wiki.quadrantsec.com/bin/view/Main/5002131 || url,www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html 5002132 || [CISCO-PRIME] Station authentication failure || url,wiki.quadrantsec.com/bin/view/Main/5002132 || url,www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html 5002133 || [CISCO-PRIME] Station association failure || url,wiki.quadrantsec.com/bin/view/Main/5002133 || url,www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html 5002134 || [CISCO-PRIME] Station blacklisted || url,wiki.quadrantsec.com/bin/view/Main/5002134 || url,www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html 5002135 || [CISCO-PRIME] Duplicate IP address assigned to controller || url,wiki.quadrantsec.com/bin/view/Main/5002135 || url,www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html 5002136 || [CISCO-PRIME] Possible brute force from management user! 
|| url,wiki.quadrantsec.com/bin/view/Main/5002136 || url,www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html 5002137 || [CISCO-PRIME] Rogue ADHOC contained || url,wiki.quadrantsec.com/bin/view/Main/5002137 || url,www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html 5002138 || [CISCO-PRIME] Rogue AP auto contained || url,wiki.quadrantsec.com/bin/view/Main/5002138 || url,www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html 5002140 || [CISCO-PRIME] Trusted AP has invalid encryption || url,wiki.quadrantsec.com/bin/view/Main/5002140 || url,www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html 5002141 || [CISCO-PRIME] Trusted AP has invalid radio policy || url,wiki.quadrantsec.com/bin/view/Main/5002141 || url,www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html 5002142 || [CISCO-PRIME] Trusted AP has invalid SSID || url,wiki.quadrantsec.com/bin/view/Main/5002142 || url,www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html 5002143 || [CISCO-PRIME] Trusted AP missing || url,wiki.quadrantsec.com/bin/view/Main/5002143 || url,www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html 5002144 || [CISCO-PRIME] AP impersionation detected! || url,wiki.quadrantsec.com/bin/view/Main/5002144 || url,www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html 5002145 || [CISCO-PRIME] WIDS / Signature attack detected! || url,wiki.quadrantsec.com/bin/view/Main/5002145 || url,www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html 5002146 || [CISCO-PRIME] WIDS / Signature attack detected! 
|| url,wiki.quadrantsec.com/bin/view/Main/5002146 || url,www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html 5002147 || [CISCO-PRIME] MESH Console login || url,wiki.quadrantsec.com/bin/view/Main/5002147 || url,www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html 5002148 || [CISCO-PRIME] MESH authorization failure || url,wiki.quadrantsec.com/bin/view/Main/5002148 || url,www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html 5002149 || [CISCO-PRIME] Shun client alert from IDS/IPS appliance! || url,wiki.quadrantsec.com/bin/view/Main/5002149 || url,www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html 5002150 || [CISCO-PRIME] MFP anomaly detected || url,wiki.quadrantsec.com/bin/view/Main/5002150 || url,www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html 5002151 || [CISCO-PRIME] MESH authentication failure || url,wiki.quadrantsec.com/bin/view/Main/5002151 || url,www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html 5002152 || [CISCO-PRIME] GUEST user created on controller || url,wiki.quadrantsec.com/bin/view/Main/5002152 || url,www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html 5002153 || [CISCO-PRIME] GUEST user authenticated || url,wiki.quadrantsec.com/bin/view/Main/5002153 || url,www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html 5002154 || [CISCO-PRIME] GUEST user logoff || url,wiki.quadrantsec.com/bin/view/Main/5002154 || url,www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html 5002155 || [CISCO-PRIME] SI Security trap raised! 
|| url,wiki.quadrantsec.com/bin/view/Main/5002155 || url,www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html 5002156 || [CISCO-PRIME] Cooling fan failure [MSE-3355] || url,wiki.quadrantsec.com/bin/view/Main/5002156 || url,www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html 5002157 || [CISCO-PRIME] Friendly rogue AP detected on network || url,wiki.quadrantsec.com/bin/view/Main/5002157 || url,www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html 5002158 || [CISCO-PRIME] Friendly rogue AP detected || url,wiki.quadrantsec.com/bin/view/Main/5002158 || url,www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html 5002159 || [CISCO-PRIME] Unclassified rogue AP detected on network || url,wiki.quadrantsec.com/bin/view/Main/5002159 || url,www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html 5002160 || [CISCO-PRIME] Unclassified rogue AP detected on network contained || url,wiki.quadrantsec.com/bin/view/Main/5002160 || url,www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html 5002161 || [CISCO-PRIME] Unclassified rogue AP detected contained || url,wiki.quadrantsec.com/bin/view/Main/5002161 || url,www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html 5002162 || [CISCO-PRIME] Unclassified rogue AP detected || url,wiki.quadrantsec.com/bin/view/Main/5002162 || url,www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html 5002163 || [CISCO-PRIME] Malicious rogue AP detected on the network || url,wiki.quadrantsec.com/bin/view/Main/5002163 || url,www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html 5002164 || [CISCO-PRIME] Malicious rogue AP detected on the network contained || url,wiki.quadrantsec.com/bin/view/Main/5002164 || 
url,www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html 5002165 || [CISCO-PRIME] Malicious rogue AP detected contained || url,wiki.quadrantsec.com/bin/view/Main/5002165 || url,www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html 5002166 || [CISCO-PRIME] Malicious rogue AP || url,wiki.quadrantsec.com/bin/view/Main/5002166 || url,www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html 5002167 || [CISCO-PRIME] Rogue ADHOC detected on network || url,wiki.quadrantsec.com/bin/view/Main/5002167 || url,www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html 5002168 || [CISCO-PRIME] Rogue ADHOC detected on network contained || url,wiki.quadrantsec.com/bin/view/Main/5002168 || url,www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html 5002170 || [CISCO-PRIME] Rogue AP state change || url,wiki.quadrantsec.com/bin/view/Main/5002170 || url,www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html 5002171 || [CISCO-PRIME] Rogue detected || url,wiki.quadrantsec.com/bin/view/Main/5002171 || url,www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html 5002172 || [CISCO-PRIME] Rogue detected contained || url,wiki.quadrantsec.com/bin/view/Main/5002172 || url,www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html 5002173 || [CISCO-PRIME] Rogue detected on network || url,wiki.quadrantsec.com/bin/view/Main/5002173 || url,www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html 5002174 || [CISCO-PRIME] Rogue auto contained || url,wiki.quadrantsec.com/bin/view/Main/5002174 || url,www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html 5002175 || [CISCO-PRIME] User authentication failure || url,wiki.quadrantsec.com/bin/view/Main/5002175 || 
url,www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html 5002176 || [CISCO-PRIME] WIPS Event! || url,wiki.quadrantsec.com/bin/view/Main/5002176 || url,www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html 5002177 || [OPENSSH-CORRELATED] SSH login success after brute force attack! || url,wiki.quadrantsec.com/bin/view/Main/5002176 5002178 || [OPENSSH-CORRELATED] Accepted publickey after brute force attack! || url,wiki.quadrantsec.com/bin/view/Main/5002178 5002179 || [BASH] Remote execution attempt via CVE-2014-6271 || url,web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6271 || url,wiki.quadrantsec.com/bin/view/Main/5002179 5002180 || [APACHE] Remote execution attempt via CVE-2014-6271 || url,web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6271 || url,wiki.quadrantsec.com/bin/view/Main/5002180 5002181 || [APACHE] Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 1 || url,blogs.akamai.com/2014/09/environment-bashing.html 5002182 || [APACHE] Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 2 || url,blogs.akamai.com/2014/09/environment-bashing.html 5002183 || [APACHE] Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 3 || url,blogs.akamai.com/2014/09/environment-bashing.html 5002184 || [APACHE] Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 4 || url,blogs.akamai.com/2014/09/environment-bashing.html 5002185 || [APACHE] Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 5 || url,blogs.akamai.com/2014/09/environment-bashing.html 5002186 || [APACHE] Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 6 || url,blogs.akamai.com/2014/09/environment-bashing.html 5002187 || [APACHE] Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 7 || url,blogs.akamai.com/2014/09/environment-bashing.html 5002188 || [APACHE] Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 8 || url,blogs.akamai.com/2014/09/environment-bashing.html 5002189 || [APACHE] Possible 
CVE-2014-6271 Attempt in HTTP URLENCODE Generic 9 || url,blogs.akamai.com/2014/09/environment-bashing.html 5002190 || [APACHE] Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 10 || url,blogs.akamai.com/2014/09/environment-bashing.html 5002191 || [APACHE] Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 12 || url,blogs.akamai.com/2014/09/environment-bashing.html 5002192 || [APACHE] Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 13 || url,blogs.akamai.com/2014/09/environment-bashing.html 5002193 || [APACHE] Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 14 || url,blogs.akamai.com/2014/09/environment-bashing.html 5002194 || [APACHE] Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 15 || url,blogs.akamai.com/2014/09/environment-bashing.html 5002195 || [APACHE] Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 16 || url,blogs.akamai.com/2014/09/environment-bashing.html 5002196 || [APACHE] Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 17 || url,blogs.akamai.com/2014/09/environment-bashing.html 5002197 || [APACHE] Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 18 || url,blogs.akamai.com/2014/09/environment-bashing.html 5002198 || [APACHE] Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 19 || url,blogs.akamai.com/2014/09/environment-bashing.html 5002199 || [APACHE] Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 20 || url,blogs.akamai.com/2014/09/environment-bashing.html 5002200 || [APACHE] Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 21 || url,blogs.akamai.com/2014/09/environment-bashing.html 5002201 || [APACHE] Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 22 || url,blogs.akamai.com/2014/09/environment-bashing.html 5002202 || [APACHE] Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 23 || url,blogs.akamai.com/2014/09/environment-bashing.html 5002203 || [APACHE] Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 24 || 
url,blogs.akamai.com/2014/09/environment-bashing.html 5002204 || [APACHE] Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 25 || url,blogs.akamai.com/2014/09/environment-bashing.html 5002205 || [APACHE] Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 26 || url,blogs.akamai.com/2014/09/environment-bashing.html 5002206 || [APACHE] Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 27 || url,blogs.akamai.com/2014/09/environment-bashing.html 5002207 || [APACHE] Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 28 || url,blogs.akamai.com/2014/09/environment-bashing.html 5002208 || [APACHE] Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 29 || url,blogs.akamai.com/2014/09/environment-bashing.html 5002209 || [APACHE] Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 30 || url,blogs.akamai.com/2014/09/environment-bashing.html 5002210 || [APACHE] CVE-2014-6271 Attempt In HTTP Headers Line Continuation Evasion LF || url,www.invisiblethreat.ca/2014/09/cve-2014-6271/ 5002211 || [APACHE] CVE-2014-6271 Attempt In HTTP Headers Line Continuation Evasion CRLF || url,www.invisiblethreat.ca/2014/09/cve-2014-6271/ 5002212 || [APACHE] Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 11 || url,blogs.akamai.com/2014/09/environment-bashing.html 5002213 || [WINDOWS-AUTH] User account disabled || url,wiki.quadrantsec.com/bin/view/Main/5002213 5002214 || [PROXY-MALWARE] Fiesta malware request || url,wiki.quadrantsec.com/bin/view/Main/5002214 5002215 || [WINDOWS-BLACKLIST] RDP / Logon type 10 from a blacklisted IP || url,wiki.quadrantsec.com/bin/view/Main/5002215 5002216 || [WINDOWS-BLACKLIST] Login failure from a blacklisted IP [0/5] || url,wiki.quadrantsec.com/bin/view/Main/5002216 5002217 || [WINDOWS-BLACKLIST] Login failure from a blacklisted IP [Time restriction] [0/5] || url,wiki.quadrantsec.com/bin/view/Main/5002217 5002218 || [WINDOWS-BLACKLIST] Login failure from blacklisted IP - Account currently disabled [0/5] || 
url,wiki.quadrantsec.com/bin/view/Main/5002218 5002219 || [WINDOWS-BLACKLIST] Login failure from blacklisted IP - Specified account expired || url,wiki.quadrantsec.com/bin/view/Main/5002219 5002220 || [WINDOWS-BLACKLIST] Login failure from blacklisted IP - User not allowed to login at this computer || url,wiki.quadrantsec.com/bin/view/Main/5002220 5002222 || [WINDOWS-BLACKLIST] Login failure from blacklisted IP - Account locked [0/1] || url,wiki.quadrantsec.com/bin/view/Main/5002222 5002223 || [WINDOWS-BLACKLIST] Windows DC Logon Failure from blacklisted IP || url,wiki.quadrantsec.com/bin/view/Main/5002223 5002224 || [WINDOWS-BROINTEL] RDP / Logon type 10 from a Bro Intel listed IP || url,wiki.quadrantsec.com/bin/view/Main/5002224 5002225 || [WINDOWS-BROINTEL] Login failure from a Bro Intel listed IP [0/5] || url,wiki.quadrantsec.com/bin/view/Main/5002225 5002226 || [WINDOWS-BROINTEL] Login failure from a Bro Intel listed IP [Time restriction] [0/5] || url,wiki.quadrantsec.com/bin/view/Main/5002226 5002227 || [WINDOWS-BROINTEL] Login failure from a Bro Intel listed IP - Account currently disabled [0/5] || url,wiki.quadrantsec.com/bin/view/Main/5002227 5002228 || [WINDOWS-BROINTEL] Login failure from a Bro Intel listed IP - Specified account expired || url,wiki.quadrantsec.com/bin/view/Main/5002228 5002229 || [WINDOWS-BROINTEL] Login failure from a Bro Intel listed IP - User not allowed to login at this computer || url,wiki.quadrantsec.com/bin/view/Main/5002229 5002230 || [WINDOWS-BROINTEL] Login failure - Account locked from a Bro Intel listed IP [0/5] || url,wiki.quadrantsec.com/bin/view/Main/5002230 5002231 || [WINDOWS-BROINTEL] Windows DC Logon Failure from a Bro Intel listed IP || url,wiki.quadrantsec.com/bin/view/Main/5002231 5002240 || [CISCO-BLACKLIST] VPN Login from blacklisted IP || url, wiki.quadrantsec.com/bin/view/Main/5002240 5002241 || [CISCO-BLACKLIST] Console login from blacklisted IP || url, wiki.quadrantsec.com/bin/view/Main/5002241 5002242 || 
[CISCO-BLACKLIST] Login permitted from blacklisted IP || url, wiki.quadrantsec.com/bin/view/Main/5002242 5002243 || [CISCO-BLACKLIST] WebVPN login from blacklisted IP || url, wiki.quadrantsec.com/bin/view/Main/5002243 5002244 || [CISCO-BLACKLIST] VPN disconnect from blacklisted IP || url, wiki.quadrantsec.com/bin/view/Main/5002244 5002245 || [CISCO-BLACKLIST] VPN login from blacklisted IP || url, wiki.quadrantsec.com/bin/view/Main/5002245 5002246 || [CISCO-BLACKLIST] ACS Login success from blacklisted IP || url, wiki.quadrantsec.com/bin/view/Main/5002246 5002247 || [CISCO-BLACKLIST] VPN login from blacklisted IP [2] || url, wiki.quadrantsec.com/bin/view/Main/5002247 5002248 || [CISCO-BLACKLIST] FTP file transfer from blacklisted IP || url, wiki.quadrantsec.com/bin/view/Main/5002248 5002249 || [CISCO-BLACKLIST] FTP file transfer from blacklisted IP || url, wiki.quadrantsec.com/bin/view/Main/5002249 5002250 || [CISCO-BROINTEL] VPN Login from Bro Intel IP || url, wiki.quadrantsec.com/bin/view/Main/5002250 5002251 || [CISCO-BROINTEL] Console login from Bro Intel IP || url, wiki.quadrantsec.com/bin/view/Main/5002251 5002252 || [CISCO-BROINTEL] Login permitted from Bro Intel IP || url, wiki.quadrantsec.com/bin/view/Main/5002252 5002253 || [CISCO-BROINTEL] WebVPN login from Bro Intel IP || url, wiki.quadrantsec.com/bin/view/Main/5002253 5002254 || [CISCO-BROINTEL] VPN disconnect from Bro Intel IP || url, wiki.quadrantsec.com/bin/view/Main/5002254 5002255 || [CISCO-BROINTEL] VPN login from Bro Intel IP || url, wiki.quadrantsec.com/bin/view/Main/5002255 5002256 || [CISCO-BROINTEL] ACS Login success from Bro Intel IP || url, wiki.quadrantsec.com/bin/view/Main/5002256 5002257 || [CISCO-BROINTEL] VPN login from Bro Intel IP [2] || url, wiki.quadrantsec.com/bin/view/Main/5002257 5002258 || [CISCO-BROINTEL] FTP file transfer from Bro Intel IP || url, wiki.quadrantsec.com/bin/view/Main/5002258 5002259 || [CISCO-BROINTEL] FTP file transfer from Bro Intel IP || url, 
wiki.quadrantsec.com/bin/view/Main/5002259 5002260 || [CITRIX-GEOIP] Login from outside HOME_COUNTRY || url,wiki.quadrantsec.com/bin/view/Main/5002260 || url,support.citrix.com/article/CTX123875 5002261 || [CITRIX-BLACKLIST] Login from blacklisted IP || url,wiki.quadrantsec.com/bin/view/Main/5002261 || url,support.citrix.com/article/CTX123875 5002262 || [CITRIX-BROINTEL] Login from Bro Intel listed IP || url,wiki.quadrantsec.com/bin/view/Main/5002262 || url,support.citrix.com/article/CTX123875 5002264 || [WINDOWS-OWA] Login failure - Brute force [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5002264 5002265 || [WINDOWS-OWA-GEOIP] Login failure - Brute force [5/5] || url,wiki.quadrantsec.com/bin/view/Main/5002265 5002266 || [WINDOWS-OWA-BROINTEL] Login failure - Brute force [5/5] || url,wiki.quadrantsec.com/bin/view/Main/5002266 5002267 || [WINDOWS-OWA-BLACKLIST] Login failure - Brute force [5/5] || url,wiki.quadrantsec.com/bin/view/Main/5002267 5002270 || [BRO-INTEL] Suspicious communications detected via Bro-Intel || url,wiki.quadrantsec.com/bin/view/Main/5002270 5002271 || [BLACKLIST] Suspicious communications detected via Blacklist || url,wiki.quadrantsec.com/bin/view/Main/5002271 5002272 || [WINDOWS] A directory service object was modified 5002273 || [WINDOWS] A directory service object was created 5002274 || [WINDOWS] A directory service object was undeleted 5002275 || [WINDOWS] A directory service object was moved 5002276 || [NeXpose] Scan paused || url,wiki.quadrantsec.com/bin/view/Main/5002276 5002277 || [NeXpose] Scan failed || url,wiki.quadrantsec.com/bin/view/Main/5002277 5002278 || [LINUX-KERNEL] Hard drive/RAID - FAILED abort on device || url,wiki.quadrantsec.com/bin/view/Main/5002278 5002279 || [LINUX-KERNEL] Hard drive/RAID - probably means device no longer present || url,wiki.quadrantsec.com/bin/view/Main/5002279 5002280 || [CITRIX-GEOIP] AAA LOGIN_FAILED from outside HOME_COUNTRY || url,wiki.quadrantsec.com/bin/view/Main/5002280 
|| url,support.citrix.com/article/CTX123875 5002281 || [CITRIX-BLACKLIST] AAA LOGIN_FAILED from blacklisted IP || url,wiki.quadrantsec.com/bin/view/Main/5002281 || url,support.citrix.com/article/CTX123875 5002282 || [CITRIX-BROINTEL] AAA LOGIN_FAILED from Bro Intel listed IP || url,wiki.quadrantsec.com/bin/view/Main/5002282 || url,support.citrix.com/article/CTX123875 5002284 || [CITRIX-GEOIP] SSLVPN HTTPREQUEST from outside HOME_COUNTRY [0/5] || url,wiki.quadrantsec.com/bin/view/Main/5002284 || url,support.citrix.com/article/CTX123875 5002285 || [CITRIX-BLACKLIST] SSLVPN HTTPREQUEST from blacklisted IP || url,wiki.quadrantsec.com/bin/view/Main/5002285 || url,support.citrix.com/article/CTX123875 5002286 || [CITRIX-BROINTEL] SSLVPN HTTPREQUEST from Bro Intel listed IP || url,wiki.quadrantsec.com/bin/view/Main/5002286 || url,support.citrix.com/article/CTX123875 5002288 || [BLUEDOT] Suspicious IP detected via Bluedot || url,wiki.quadrantsec.com/bin/view/Main/5002288 5002289 || [NeXpose] Scan stopped || url,wiki.quadrantsec.com/bin/view/Main/5002289 5002291 || [NFCAPD] Possible BitTorrent - Port 6881 [5/5] || url, wiki.quadrantsec.com/bin/view/Main/5002291 5002294 || [NFCAPD] Possible BitTorrent - Port 6884 [5/5] || url, wiki.quadrantsec.com/bin/view/Main/5002294 5002295 || [NFCAPD] Possible BitTorrent - Port 6885 [5/5] || url, wiki.quadrantsec.com/bin/view/Main/5002295 5002296 || [NFCAPD] Possible BitTorrent - Port 6886 [5/5] || url, wiki.quadrantsec.com/bin/view/Main/5002296 5002297 || [NFCAPD] Possible BitTorrent - Port 6887 [5/5] || url, wiki.quadrantsec.com/bin/view/Main/5002297 5002298 || [NFCAPD] Possible BitTorrent - Port 6888 [5/5] || url, wiki.quadrantsec.com/bin/view/Main/5002298 5002299 || [NFCAPD] Possible BitTorrent - Port 6889 [5/5] || url, wiki.quadrantsec.com/bin/view/Main/5002299 5002300 || [NFCAPD] Possible TOR - Port 9001 || url, torstatus.blutmagie.de || url, wiki.quadrantsec.com/bin/view/Main/5002300 5002301 || [NFCAPD] Possible TOR - Port 9030 
after Port 9001 || url, torstatus.blutmagie.de || url, wiki.quadrantsec.com/bin/view/Main/5002301 5002302 || [NFCAPD] Possible TOR - Port 443 after Port 9001 || url, torstatus.blutmagie.de || url, wiki.quadrantsec.com/bin/view/Main/5002302 5002303 || [BASH] History hiding 5002304 || [BASH] History hiding 5002306 || [BASH] Netcat execution 5002308 || [BASH] Python subprocess execution 5002309 || [BASH] PHP socket execution 5002310 || [BASH] PHP subprocess execution 5002311 || [BASH] Perl socket execution 5002312 || [BASH] Perl subprocess execution 5002313 || [BASH] Ruby socket execution 5002314 || [BASH] Ruby subprocess execution 5002315 || [BASH] mknod execution [XBIT SET] 5002316 || [BASH] telnet reverse shell execution 5002317 || [BASH] /dev/tcp access 5002318 || [BASH] /dev/udp access 5002319 || [BASH] csh shell execution 5002320 || [BASH] ksh shell execution 5002321 || [BASH] tcsh shell execution 5002322 || [BASH] zsh shell execution 5002323 || [BASH] stunnel execution 5002324 || [BASH] SSH agent forwarding 5002325 || [BASH] SSH dynamic forwarding 5002326 || [BASH] SSH GSSAPI forwarding 5002327 || [BASH] SSH local forwarding 5002328 || [BASH] SSH remote forwarding 5002329 || [BASH] SSH input and output forwarding 5002330 || [BASH] SSH tunnel forwarding 5002331 || [BASH] SSH X11 forwarding 5002332 || [BASH] SSH X11 trusted forwarding 5002333 || [BASH] LD_PRELOAD environment variable access 5002334 || [BASH] LD_LIBRARY_PATH environment variable access 5002335 || [WINDOWS-AUTH] User account deleted || url,wiki.quadrantsec.com/bin/view/Main/5002335 5002336 || [WINDOWS-CORRELATED] Successful RDP login after brute force activity || url,wiki.quadrantsec.com/bin/view/Main/5002336 5002337 || [WINDOWS-GEOIP] Windows Network Cleartext from outside HOME_COUNTRY || url,wiki.quadrantsec.com/bin/view/Main/5002337 5002338 || [WINDOWS-GEOIP] Windows Session Disconnected from outside HOME_COUNTRY || url,wiki.quadrantsec.com/bin/view/Main/5002338 5002339 || [WINDOWS-GEOIP] Windows 
RDP Session Disconnected from outside HOME_COUNTRY || url,wiki.quadrantsec.com/bin/view/Main/5002339 5002340 || [WINDOWS-GEOIP] Attempted explicit windows logon || url,wiki.quadrantsec.com/bin/view/Main/5002340 5002341 || [CITRIX-BLUEDOT] Login from Bluedot listed IP || url,wiki.quadrantsec.com/bin/view/Main/5002341 || url,support.citrix.com/article/CTX123875 5002342 || [CITRIX-BLUEDOT] AAA LOGIN_FAILED from Bluedot listed IP || url,wiki.quadrantsec.com/bin/view/Main/5002342 || url,support.citrix.com/article/CTX123875 5002343 || [CITRIX-BLUEDOT] SSLVPN HTTPREQUEST from Bluedot listed IP || url,wiki.quadrantsec.com/bin/view/Main/5002343 || url,support.citrix.com/article/CTX123875 5002344 || [WINDOWS-BLUEDOT] RDP / Logon type 10 from a Bluedot listed IP || url,wiki.quadrantsec.com/bin/view/Main/5002344 5002345 || [WINDOWS-BLUEDOT] Login failure from a Bluedot listed IP [0/5] || url,wiki.quadrantsec.com/bin/view/Main/5002345 5002346 || [WINDOWS-BLUEDOT] Login failure from a Bluedot listed IP [Time restriction] [0/5] || url,wiki.quadrantsec.com/bin/view/Main/5002346 5002347 || [WINDOWS-BLUEDOT] Login failure from Bluedot listed IP - Account currently disabled [0/5] || url,wiki.quadrantsec.com/bin/view/Main/5002347 5002348 || [WINDOWS-BLUEDOT] Login failure from Bluedot listed IP - Specified account expired || url,wiki.quadrantsec.com/bin/view/Main/5002348 5002349 || [WINDOWS-BLUEDOT] Login failure from Bluedot listed IP - User not allowed to login at this computer || url,wiki.quadrantsec.com/bin/view/Main/5002349 5002350 || [WINDOWS-BLUEDOT] Login failure from Bluedot listed IP - Account locked [0/1] || url,wiki.quadrantsec.com/bin/view/Main/5002350 5002351 || [WINDOWS-BLUEDOT] Windows DC Logon Failure from Bluedot listed IP || url,wiki.quadrantsec.com/bin/view/Main/5002351 5002352 || [WINDOWS-OWA-BLUEDOT] Login failure - Brute force [5/5] || url,wiki.quadrantsec.com/bin/view/Main/5002352 5002358 || [CITRIX-CORRELATED] AAA LOGIN_FAILED after suspicious activity || 
url,wiki.quadrantsec.com/bin/view/Main/5002358 || url,support.citrix.com/article/CTX123875 5002372 || [FORTINET-CORRELATED] Administrator Login after suspicious activity || url,wiki.quadrantsec.com/bin/view/Main/5002372 5002381 || [VMWARE-GEOIP] User login successful from outside HOME_COUNTRY || url,wiki.quadrantsec.com/bin/view/Main/5002381 5002382 || [VMWARE-GEOIP] User login successful from outside HOME_COUNTRY || url,wiki.quadrantsec.com/bin/view/Main/5002382 5002383 || [VMWARE-GEOIP] User login successful || url,wiki.quadrantsec.com/bin/view/Main/5002383 5002387 || [VSFTPD-GEOIP] Authentication successful from outside HOME_COUNTRY || url,wiki.quadrantsec.com/bin/view/Main/5002387 5002388 || [VSFTPD-GEOIP] File uploaded from outside HOME_COUNTRY || url,wiki.quadrantsec.com/bin/view/Main/5002388 5002392 || [WINDOWS-MISC] Microsoft Antimalware has encountered an error trying to update signatures || url,wiki.quadrantsec.com/bin/view/Main/5002392 5002393 || [COURIER] Timeout || url,wiki.quadrantsec.com/bin/view/Main/5002393 5002394 || [COURIER-GEOIP] Authentication failure from outside HOME_COUNTRY || url,wiki.quadrantsec.com/bin/view/Main/5002394 5002395 || [COURIER-GEOIP] Logout/disconnect from outside HOME_COUNTRY || url,wiki.quadrantsec.com/bin/view/Main/5002395 5002396 || [COURIER-GEOIP] User login from outside HOME_COUNTRY || url,wiki.quadrantsec.com/bin/view/Main/5002396 5002397 || [COURIER-GEOIP] Timeout from outside HOME_COUNTRY || url,wiki.quadrantsec.com/bin/view/Main/5002397 5002398 || [COURIER] Authentication failure - Brute Force [5/5] || url,wiki.quadrantsec.com/bin/view/Main/5002398 5002402 || [WINDOWS-MSSQL] Login Failure from non-trusted connection - Brute force [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5002402 5002403 || [WINDOWS-AUTH] Security enabled global group created || url,wiki.quadrantsec.com/bin/view/Main/5002403 5002404 || [WINDOWS-BROINTEL] Login failure from a Bro Intel listed IP - User Is Locked Out [Brute Force] [25/1] || 
url,wiki.quadrantsec.com/bin/view/Main/5002404 5002405 || [WINDOWS-BROINTEL] Login failure from a Bro Intel listed IP - User Account Disabled [Brute Force] [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5002405 5002406 || [WINDOWS-BROINTEL] Login failure from a Bro Intel listed IP - User Login Attempts Outside of Time Restriction [Brute Force] [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5002406 5002407 || [WINDOWS-BROINTEL] Login failure from a Bro Intel listed IP - Expired Account [Brute Force] [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5002407 5002408 || [WINDOWS-BROINTEL] Login failure from a Bro Intel listed IP - Expired Password [Brute Force] [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5002408 5002409 || [WINDOWS-BROINTEL] Windows DC Login failure from a Bro Intel listed IP - Brute force 0x1 - Client's entry in database has expired [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5002409 5002410 || [WINDOWS-BROINTEL] Windows DC Login failure from a Bro Intel listed IP - Brute force 0x2 - Server's entry in database has expired [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5002410 5002411 || [WINDOWS-BROINTEL] Windows DC Login failure from a Bro Intel listed IP - Brute force 0x3 - Requested protocol version # not supported [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5002411 5002412 || [WINDOWS-BROINTEL] Windows DC Login failure from a Bro Intel listed IP - Brute force 0x4 - Client's key encrypted in old master key [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5002412 5002413 || [WINDOWS-BROINTEL] Windows DC Login failure from a Bro Intel listed IP - Brute force 0x5 - Server's key encrypted in old master key [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5002413 5002414 || [WINDOWS-BROINTEL] Windows DC Login failure from a Bro Intel listed IP - Brute force 0x6 - Client not found in Kerberos database [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5002414 5002415 || [WINDOWS-BROINTEL] Windows DC Login failure from a Bro Intel listed 
IP - Brute force 0x7 - Server not found in Kerberos database [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5002415 5002416 || [WINDOWS-BROINTEL] Windows DC Login failure from a Bro Intel listed IP - Brute force 0x8 - Multiple principal entries in database [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5002416 5002417 || [WINDOWS-BROINTEL] Windows DC Login failure from a Bro Intel listed IP - Brute force 0x9 - The client or server has a null key [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5002417 5002418 || [WINDOWS-BROINTEL] Windows DC Login failure from a Bro Intel listed IP - Brute force 0xA - Ticket not eligible for postdating [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5002418 5002419 || [WINDOWS-BROINTEL] Windows DC Login failure from a Bro Intel listed IP - Brute force 0xB - Requested start time is later than end time [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5002419 5002420 || [WINDOWS-BROINTEL] Windows DC Login failure from a Bro Intel listed IP - Brute force 0xC - KDC policy rejects request [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5002420 5002421 || [WINDOWS-BROINTEL] Windows DC Login failure from a Bro Intel listed IP - Brute force 0xD - KDC cannot accommodate requested option [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5002421 5002422 || [WINDOWS-BROINTEL] Windows DC Login failure from a Bro Intel listed IP - Brute force 0xE - KDC has no support for encryption type [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5002422 5002423 || [WINDOWS-BROINTEL] Windows DC Login failure from a Bro Intel listed IP - Brute force 0xF - KDC has no support for checksum type [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5002423 5002424 || [WINDOWS-BROINTEL] Windows DC Login failure from a Bro Intel listed IP - Brute force 0x10 - KDC has no support for padata type [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5002424 5002425 || [WINDOWS-BROINTEL] Windows DC Login failure from a Bro Intel listed IP - Brute force 0x11 - KDC has no 
support for transited type [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5002425 5002426 || [WINDOWS-BROINTEL] Windows DC Login failure from a Bro Intel listed IP - Brute force 0x12 - Clients credentials have been revoked [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5002426 5002427 || [WINDOWS-BROINTEL] Windows DC Login failure from a Bro Intel listed IP - Brute force 0x13 - Credentials for server have been revoked [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5002427 5002428 || [WINDOWS-BROINTEL] Windows DC Login failure from a Bro Intel listed IP - Brute force 0x14 - TGT has been revoked [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5002428 5002429 || [WINDOWS-BROINTEL] Windows DC Login failure from a Bro Intel listed IP - Brute force 0x15 - Client not yet valid - try again later [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5002429 5002430 || [WINDOWS-BROINTEL] Windows DC Login failure from a Bro Intel listed IP - Brute force 0x16 - Server not yet valid - try again later [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5002430 5002431 || [WINDOWS-BROINTEL] Windows DC Login failure from a Bro Intel listed IP - Brute force 0x17 - Password has expired [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5002431 5002432 || [WINDOWS-BROINTEL] Windows DC Login failure from a Bro Intel listed IP - Brute force 0x18 - Pre-authentication information was invalid [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5002432 5002433 || [WINDOWS-BROINTEL] Windows DC Login failure from a Bro Intel listed IP - Brute force 0x19 - Additional pre-authentication required [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5002433 5002434 || [WINDOWS-BROINTEL] Windows DC Login failure from a Bro Intel listed IP - Brute force 0x1F - Integrity check on decrypted field failed [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5002434 5002435 || [WINDOWS-BROINTEL] Windows DC Login failure from a Bro Intel listed IP - Brute force 0x20 - Ticket expired [25/1] || 
url,wiki.quadrantsec.com/bin/view/Main/5002435 5002436 || [WINDOWS-BROINTEL] Windows DC Login failure from a Bro Intel listed IP - Brute force 0x21 - Ticket not yet valid [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5002436 5002437 || [WINDOWS-BROINTEL] Windows DC Login failure from a Bro Intel listed IP - Brute force 0x22 - Request is a replay [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5002437 5002438 || [WINDOWS-BROINTEL] Windows DC Login failure from a Bro Intel listed IP - Brute force 0x23 - The ticket isn't for us [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5002438 5002439 || [WINDOWS-BROINTEL] Windows DC Login failure from a Bro Intel listed IP - Brute force 0x24 - Ticket and authenticator don't match [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5002439 5002440 || [WINDOWS-BROINTEL] Windows DC Login failure from a Bro Intel listed IP - Brute force 0x25 - Clock skew too great [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5002440 5002441 || [WINDOWS-BROINTEL] Windows DC Login failure from a Bro Intel listed IP - Brute force 0x26 - Incorrect net address [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5002441 5002442 || [WINDOWS-BROINTEL] Windows DC Login failure from a Bro Intel listed IP - Brute force 0x27 - Protocol version mismatch [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5002442 5002443 || [WINDOWS-BROINTEL] Windows DC Login failure from a Bro Intel listed IP - Brute force 0x28 - Invalid msg type [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5002443 5002444 || [WINDOWS-BROINTEL] Windows DC Login failure from a Bro Intel listed IP - Brute force 0x29 - Message stream modified [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5002444 5002445 || [WINDOWS-BROINTEL] Windows DC Login failure from a Bro Intel listed IP - Brute force 0x2A - Message out of order [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5002445 5002446 || [WINDOWS-BROINTEL] Windows DC Login failure from a Bro Intel listed IP - Brute force 0x2C - Specified 
version of key is not available [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5002446 5002447 || [WINDOWS-BROINTEL] Windows DC Login failure from a Bro Intel listed IP - Brute force 0x2D - Service key not available [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5002447 5002448 || [WINDOWS-BROINTEL] Windows DC Login failure from a Bro Intel listed IP - Brute force 0x2E - Mutual authentication failed [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5002448 5002449 || [WINDOWS-BROINTEL] Windows DC Login failure from a Bro Intel listed IP - Brute force 0x2F - Incorrect message direction [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5002449 5002450 || [WINDOWS-BROINTEL] Windows DC Login failure from a Bro Intel listed IP - Brute force 0x30 - Alternative authentication method required [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5002450 5002451 || [WINDOWS-BROINTEL] Windows DC Login failure from a Bro Intel listed IP - Brute force 0x31 - Incorrect sequence number in message [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5002451 5002452 || [WINDOWS-BROINTEL] Windows DC Login failure from a Bro Intel listed IP - Brute force 0x32 - Inappropriate type of checksum in message [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5002452 5002453 || [WINDOWS-BROINTEL] Windows DC Login failure from a Bro Intel listed IP - Brute force 0x3C - Generic error [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5002453 5002454 || [WINDOWS-BROINTEL] Windows DC Login failure from a Bro Intel listed IP - Brute force 0x3D - Field is too long for this implementation [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5002454 5002455 || [WINDOWS-BLUEDOT] Login failure from a Bluedot listed IP - User Name Does Not Exist [Brute Force] [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5002455 5002456 || [WINDOWS-BLUEDOT] Login failure from a Bluedot listed IP - User Correct but Incorrect Password [Brute Force] [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5002456 5002457 || 
[WINDOWS-BLUEDOT] Login failure from a Bluedot listed IP - User Is Locked Out [Brute Force] [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5002457 5002458 || [WINDOWS-BLUEDOT] Login failure from a Bluedot listed IP - User Account Disabled [Brute Force] [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5002458 5002459 || [WINDOWS-BLUEDOT] Login failure from a Bluedot listed IP - User Login Attempts Outside of Time Restriction [Brute Force] [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5002459 5002460 || [WINDOWS-BLUEDOT] Login failure from a Bluedot listed IP - Expired Account [Brute Force] [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5002460 5002461 || [WINDOWS-BLUEDOT] Login failure from a Bluedot listed IP - Expired Password [Brute Force] [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5002461 5002462 || [WINDOWS-BLUEDOT] Windows DC Login failure from a Bluedot listed IP - Brute force 0x1 - Client's entry in database has expired [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5002462 5002463 || [WINDOWS-BLUEDOT] Windows DC Login failure from a Bluedot listed IP - Brute force 0x2 - Server's entry in database has expired [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5002463 5002464 || [WINDOWS-BLUEDOT] Windows DC Login failure from a Bluedot listed IP - Brute force 0x3 - Requested protocol version # not supported [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5002464 5002465 || [WINDOWS-BLUEDOT] Windows DC Login failure from a Bluedot listed IP - Brute force 0x4 - Client's key encrypted in old master key [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5002465 5002466 || [WINDOWS-BLUEDOT] Windows DC Login failure from a Bluedot listed IP - Brute force 0x5 - Server's key encrypted in old master key [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5002466 5002467 || [WINDOWS-BLUEDOT] Windows DC Login failure from a Bluedot listed IP - Brute force 0x6 - Client not found in Kerberos database [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5002467 
5002468 || [WINDOWS-BLUEDOT] Windows DC Login failure from a Bluedot listed IP - Brute force 0x7 - Server not found in Kerberos database [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5002468 5002469 || [WINDOWS-BLUEDOT] Windows DC Login failure from a Bluedot listed IP - Brute force 0x8 - Multiple principal entries in database [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5002469 5002470 || [WINDOWS-BLUEDOT] Windows DC Login failure from a Bluedot listed IP - Brute force 0x9 - The client or server has a null key [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5002470 5002471 || [WINDOWS-BLUEDOT] Windows DC Login failure from a Bluedot listed IP - Brute force 0xA - Ticket not eligible for postdating [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5002471 5002472 || [WINDOWS-BLUEDOT] Windows DC Login failure from a Bluedot listed IP - Brute force 0xB - Requested start time is later than end time [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5002472 5002473 || [WINDOWS-BLUEDOT] Windows DC Login failure from a Bluedot listed IP - Brute force 0xC - KDC policy rejects request [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5002473 5002475 || [WINDOWS-BLUEDOT] Windows DC Login failure from a Bluedot listed IP - Brute force 0xD - KDC cannot accommodate requested option [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5002475 5002476 || [WINDOWS-BLUEDOT] Windows DC Login failure from a Bluedot listed IP - Brute force 0xE - KDC has no support for encryption type [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5002476 5002477 || [WINDOWS-BLUEDOT] Windows DC Login failure from a Bluedot listed IP - Brute force 0xF - KDC has no support for checksum type [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5002477 5002478 || [WINDOWS-BLUEDOT] Windows DC Login failure from a Bluedot listed IP - Brute force 0x10 - KDC has no support for padata type [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5002478 5002479 || [WINDOWS-BLUEDOT] Windows DC Login failure from a Bluedot 
listed IP - Brute force 0x11 - KDC has no support for transited type [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5002479 5002480 || [WINDOWS-BLUEDOT] Windows DC Login failure from a Bluedot listed IP - Brute force 0x12 - Clients credentials have been revoked [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5002480 5002481 || [WINDOWS-BLUEDOT] Windows DC Login failure from a Bluedot listed IP - Brute force 0x13 - Credentials for server have been revoked [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5002481 5002482 || [WINDOWS-BLUEDOT] Windows DC Login failure from a Bluedot listed IP - Brute force 0x14 - TGT has been revoked [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5002482 5002483 || [WINDOWS-BLUEDOT] Windows DC Login failure from a Bluedot listed IP - Brute force 0x15 - Client not yet valid - try again later [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5002483 5002484 || [WINDOWS-BLUEDOT] Windows DC Login failure from a Bluedot listed IP - Brute force 0x16 - Server not yet valid - try again later [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5002484 5002485 || [WINDOWS-BLUEDOT] Windows DC Login failure from a Bluedot listed IP - Brute force 0x17 - Password has expired [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5002485 5002486 || [WINDOWS-BLUEDOT] Windows DC Login failure from a Bluedot listed IP - Brute force 0x18 - Pre-authentication information was invalid [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5002486 5002487 || [WINDOWS-BLUEDOT] Windows DC Login failure from a Bluedot listed IP - Brute force 0x19 - Additional pre-authentication required [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5002487 5002488 || [WINDOWS-BLUEDOT] Windows DC Login failure from a Bluedot listed IP - Brute force 0x1F - Integrity check on decrypted field failed [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5002488 5002489 || [WINDOWS-BLUEDOT] Windows DC Login failure from a Bluedot listed IP - Brute force 0x20 - Ticket expired [25/1] || 
url,wiki.quadrantsec.com/bin/view/Main/5002489 5002490 || [WINDOWS-BLUEDOT] Windows DC Login failure from a Bluedot listed IP - Brute force 0x21 - Ticket not yet valid [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5002490 5002491 || [WINDOWS-BLUEDOT] Windows DC Login failure from a Bluedot listed IP - Brute force 0x22 - Request is a replay [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5002491 5002492 || [WINDOWS-BLUEDOT] Windows DC Login failure from a Bluedot listed IP - Brute force 0x23 - The ticket isn't for us [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5002492 5002493 || [WINDOWS-BLUEDOT] Windows DC Login failure from a Bluedot listed IP - Brute force 0x24 - Ticket and authenticator don't match [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5002493 5002494 || [WINDOWS-BLUEDOT] Windows DC Login failure from a Bluedot listed IP - Brute force 0x25 - Clock skew too great [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5002494 5002495 || [WINDOWS-BLUEDOT] Windows DC Login failure from a Bluedot listed IP - Brute force 0x26 - Incorrect net address [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5002495 5002496 || [WINDOWS-BLUEDOT] Windows DC Login failure from a Bluedot listed IP - Brute force 0x27 - Protocol version mismatch [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5002496 5002497 || [WINDOWS-BLUEDOT] Windows DC Login failure from a Bluedot listed IP - Brute force 0x28 - Invalid msg type [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5002497 5002498 || [WINDOWS-BLUEDOT] Windows DC Login failure from a Bluedot listed IP - Brute force 0x29 - Message stream modified [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5002498 5002499 || [WINDOWS-BLUEDOT] Windows DC Login failure from a Bluedot listed IP - Brute force 0x2A - Message out of order [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5002499 5002500 || [WINDOWS-BLUEDOT] Windows DC Login failure from a Bluedot listed IP - Brute force 0x2C - Specified version of key is not available [25/1] 
|| url,wiki.quadrantsec.com/bin/view/Main/5002500 5002501 || [WINDOWS-BLUEDOT] Windows DC Login failure from a Bluedot listed IP - Brute force 0x2D - Service key not available [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5002501 5002502 || [WINDOWS-BLUEDOT] Windows DC Login failure from a Bluedot listed IP - Brute force 0x2E - Mutual authentication failed [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5002502 5002503 || [WINDOWS-BLUEDOT] Windows DC Login failure from a Bluedot listed IP - Brute force 0x2F - Incorrect message direction [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5002503 5002504 || [WINDOWS-BLUEDOT] Windows DC Login failure from a Bluedot listed IP - Brute force 0x30 - Alternative authentication method required [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5002504 5002505 || [WINDOWS-BLUEDOT] Windows DC Login failure from a Bluedot listed IP - Brute force 0x31 - Incorrect sequence number in message [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5002505 5002506 || [WINDOWS-BLUEDOT] Windows DC Login failure from a Bluedot listed IP - Brute force 0x32 - Inappropriate type of checksum in message [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5002506 5002507 || [WINDOWS-BLUEDOT] Windows DC Login failure from a Bluedot listed IP - Brute force 0x3C - Generic error [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5002507 5002508 || [WINDOWS-BLUEDOT] Windows DC Login failure from a Bluedot listed IP - Brute force 0x3D - Field is too long for this implementation [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5002508 5002509 || [WINDOWS-BLACKLIST] Login failure from a blacklisted IP - User Name Does Not Exist [Brute Force] [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5002509 5002510 || [WINDOWS-BLACKLIST] Login failure from a blacklisted IP - User Correct but Incorrect Password [Brute Force] [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5002510 5002511 || [WINDOWS-BLACKLIST] Login failure from a blacklisted IP - User Is Locked Out 
[Brute Force] [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5002511 5002512 || [WINDOWS-BLACKLIST] Login failure from a blacklisted IP - User Account Disabled [Brute Force] [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5002512 5002513 || [WINDOWS-BLACKLIST] Login failure from a blacklisted IP - User Login Attempts Outside of Time Restriction [Brute Force] [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5002513 5002514 || [WINDOWS-BLACKLIST] Login failure from a blacklisted IP - Expired Account [Brute Force] [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5002514 5002515 || [WINDOWS-BLACKLIST] Login failure from a blacklisted IP - Expired Password [Brute Force] [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5002515 5002516 || [WINDOWS-BLACKLIST] Windows DC Login failure from a blacklisted IP - Brute force 0x1 - Client's entry in database has expired [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5002516 5002517 || [WINDOWS-BLACKLIST] Windows DC Login failure from a blacklisted IP - Brute force 0x2 - Server's entry in database has expired [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5002517 5002518 || [WINDOWS-BLACKLIST] Windows DC Login failure from a blacklisted IP - Brute force 0x3 - Requested protocol version # not supported [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5002518 5002519 || [WINDOWS-BLACKLIST] Windows DC Login failure from a blacklisted IP - Brute force 0x4 - Client's key encrypted in old master key [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5002519 5002520 || [WINDOWS-BLACKLIST] Windows DC Login failure from a blacklisted IP - Brute force 0x5 - Server's key encrypted in old master key [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5002520 5002521 || [WINDOWS-BLACKLIST] Windows DC Login failure from a blacklisted IP - Brute force 0x6 - Client not found in Kerberos database [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5002521 5002522 || [WINDOWS-BLACKLIST] Windows DC Login failure from a blacklisted IP - Brute force 
0x7 - Server not found in Kerberos database [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5002522 5002523 || [WINDOWS-BLACKLIST] Windows DC Login failure from a blacklisted IP - Brute force 0x8 - Multiple principal entries in database [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5002523 5002524 || [WINDOWS-BLACKLIST] Windows DC Login failure from a blacklisted IP - Brute force 0x9 - The client or server has a null key [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5002524 5002525 || [WINDOWS-BLACKLIST] Windows DC Login failure from a blacklisted IP - Brute force 0xA - Ticket not eligible for postdating [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5002525 5002526 || [WINDOWS-BLACKLIST] Windows DC Login failure from a blacklisted IP - Brute force 0xB - Requested start time is later than end time [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5002526 5002527 || [WINDOWS-BLACKLIST] Windows DC Login failure from a blacklisted IP - Brute force 0xC - KDC policy rejects request [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5002527 5002528 || [WINDOWS-BLACKLIST] Windows DC Login failure from a blacklisted IP - Brute force 0xD - KDC cannot accommodate requested option [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5002528 5002529 || [WINDOWS-BLACKLIST] Windows DC Login failure from a blacklisted IP - Brute force 0xE - KDC has no support for encryption type [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5002529 5002530 || [WINDOWS-BLACKLIST] Windows DC Login failure from a blacklisted IP - Brute force 0xF - KDC has no support for checksum type [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5002530 5002531 || [WINDOWS-BLACKLIST] Windows DC Login failure from a blacklisted IP - Brute force 0x10 - KDC has no support for padata type [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5002531 5002532 || [WINDOWS-BLACKLIST] Windows DC Login failure from a blacklisted IP - Brute force 0x11 - KDC has no support for transited type [25/1] || 
url,wiki.quadrantsec.com/bin/view/Main/5002532 5002533 || [WINDOWS-BLACKLIST] Windows DC Login failure from a blacklisted IP - Brute force 0x12 - Clients credentials have been revoked [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5002533 5002534 || [WINDOWS-BLACKLIST] Windows DC Login failure from a blacklisted IP - Brute force 0x13 - Credentials for server have been revoked [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5002534 5002535 || [WINDOWS-BLACKLIST] Windows DC Login failure from a blacklisted IP - Brute force 0x14 - TGT has been revoked [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5002535 5002536 || [WINDOWS-BLACKLIST] Windows DC Login failure from a blacklisted IP - Brute force 0x15 - Client not yet valid - try again later [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5002536 5002537 || [WINDOWS-BLACKLIST] Windows DC Login failure from a blacklisted IP - Brute force 0x16 - Server not yet valid - try again later [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5002537 5002538 || [WINDOWS-BLACKLIST] Windows DC Login failure from a blacklisted IP - Brute force 0x17 - Password has expired [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5002538 5002539 || [WINDOWS-BLACKLIST] Windows DC Login failure from a blacklisted IP - Brute force 0x18 - Pre-authentication information was invalid [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5002539 5002540 || [WINDOWS-BLACKLIST] Windows DC Login failure from a blacklisted IP - Brute force 0x19 - Additional pre-authentication required [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5002540 5002541 || [WINDOWS-BLACKLIST] Windows DC Login failure from a blacklisted IP - Brute force 0x1F - Integrity check on decrypted field failed [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5002541 5002542 || [WINDOWS-BLACKLIST] Windows DC Login failure from a blacklisted IP - Brute force 0x20 - Ticket expired [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5002542 5002543 || [WINDOWS-BLACKLIST] Windows DC Login 
failure from a blacklisted IP - Brute force 0x21 - Ticket not yet valid [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5002543 5002544 || [WINDOWS-BLACKLIST] Windows DC Login failure from a blacklisted IP - Brute force 0x22 - Request is a replay [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5002544 5002545 || [WINDOWS-BLACKLIST] Windows DC Login failure from a blacklisted IP - Brute force 0x23 - The ticket isn't for us [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5002545 5002546 || [WINDOWS-BLACKLIST] Windows DC Login failure from a blacklisted IP - Brute force 0x24 - Ticket and authenticator don't match [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5002546 5002547 || [WINDOWS-BLACKLIST] Windows DC Login failure from a blacklisted IP - Brute force 0x25 - Clock skew too great [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5002547 5002548 || [WINDOWS-BLACKLIST] Windows DC Login failure from a blacklisted IP - Brute force 0x26 - Incorrect net address [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5002548 5002549 || [WINDOWS-BLACKLIST] Windows DC Login failure from a blacklisted IP - Brute force 0x27 - Protocol version mismatch [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5002549 5002550 || [WINDOWS-BLACKLIST] Windows DC Login failure from a blacklisted IP - Brute force 0x28 - Invalid msg type [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5002550 5002551 || [WINDOWS-BLACKLIST] Windows DC Login failure from a blacklisted IP - Brute force 0x29 - Message stream modified [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5002551 5002552 || [WINDOWS-BLACKLIST] Windows DC Login failure from a blacklisted IP - Brute force 0x2A - Message out of order [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5002552 5002553 || [WINDOWS-BLACKLIST] Windows DC Login failure from a blacklisted IP - Brute force 0x2C - Specified version of key is not available [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5002553 5002554 || [WINDOWS-BLACKLIST] Windows DC Login failure 
from a blacklisted IP - Brute force 0x2D - Service key not available [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5002554 5002555 || [WINDOWS-BLACKLIST] Windows DC Login failure from a blacklisted IP - Brute force 0x2E - Mutual authentication failed [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5002555 5002556 || [WINDOWS-BLACKLIST] Windows DC Login failure from a blacklisted IP - Brute force 0x2F - Incorrect message direction [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5002556 5002557 || [WINDOWS-BLACKLIST] Windows DC Login failure from a blacklisted IP - Brute force 0x30 - Alternative authentication method required [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5002557 5002558 || [WINDOWS-BLACKLIST] Windows DC Login failure from a blacklisted IP - Brute force 0x31 - Incorrect sequence number in message [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5002558 5002559 || [WINDOWS-BLACKLIST] Windows DC Login failure from a blacklisted IP - Brute force 0x32 - Inappropriate type of checksum in message [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5002559 5002560 || [WINDOWS-BLACKLIST] Windows DC Login failure from a blacklisted IP - Brute force 0x3C - Generic error [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5002560 5002561 || [WINDOWS-BLACKLIST] Windows DC Login failure from a blacklisted IP - Brute force 0x3D - Field is too long for this implementation [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5002561 5002562 || [WINDOWS-BROINTEL] Login failure from a Bro Intel listed IP - User Correct but Incorrect Password [Brute Force] [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5002562 5002563 || [WINDOWS-BROINTEL] Login failure from a Bro Intel listed IP - User Name Does Not Exist [Brute Force] [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5002563 5002564 || [WINDOWS-MISC] Unable to log events to security log || url,wiki.quadrantsec.com/bin/view/Main/5002564 5002565 || [BASH] root password change attempt || 
url,wiki.quadrantsec.com/bin/view/Main/5002565 5002566 || [SU] root password change attempt || url,wiki.quadrantsec.com/bin/view/Main/5002566 5002567 || [CYLANCE] AuditLog - Device Edit || url,wiki.quadrantsec.com/bin/view/Main/5002567 5002568 || [CYLANCE] AuditLog - Login Success || url,wiki.quadrantsec.com/bin/view/Main/5002568 5002569 || [CYLANCE] AuditLog - Syslog Settings Saved || url,wiki.quadrantsec.com/bin/view/Main/5002569 5002570 || [CYLANCE] AuditLog - Zone Add Device || url,wiki.quadrantsec.com/bin/view/Main/5002570 5002571 || [CYLANCE] Device - Action Taken || url,wiki.quadrantsec.com/bin/view/Main/5002571 5002572 || [CYLANCE] Device - Registration || url,wiki.quadrantsec.com/bin/view/Main/5002572 5002573 || [CYLANCE] Device - System Security || url,wiki.quadrantsec.com/bin/view/Main/5002573 5002574 || [CYLANCE] ExploitAttempt - Blocked || url,wiki.quadrantsec.com/bin/view/Main/5002574 5002575 || [CYLANCE] ExploitAttempt - No Action Taken || url,wiki.quadrantsec.com/bin/view/Main/5002575 5002576 || [CYLANCE] Threat - Changed || url,wiki.quadrantsec.com/bin/view/Main/5002576 5002577 || [CYLANCE] Threat - Found || url,wiki.quadrantsec.com/bin/view/Main/5002577 5002578 || [CYLANCE] Threat - Quarantined || url,wiki.quadrantsec.com/bin/view/Main/5002578 5002579 || [CYLANCE] Threat - Removed || url,wiki.quadrantsec.com/bin/view/Main/5002579 5002580 || [PALO-ALTO] Certificate has illegal URL || url,live.paloaltonetworks.com/twzvq79624/attachments/twzvq79624/learning_tkb/428/1/System_log_PANOS4.1rev3.xlsx 5002581 || [PALO-ALTO] Accepted SSH Connection From Outside Home Country || url,live.paloaltonetworks.com/twzvq79624/attachments/twzvq79624/learning_tkb/428/1/System_log_PANOS4.1rev3.xlsx 5002582 || [PALO-ALTO] AntiVirus update job failed || url,live.paloaltonetworks.com/twzvq79624/attachments/twzvq79624/learning_tkb/428/1/System_log_PANOS4.1rev3.xlsx 5002583 || [PALO-ALTO] Authorization failed - Brute Force [25/1] || 
url,live.paloaltonetworks.com/twzvq79624/attachments/twzvq79624/learning_tkb/428/1/System_log_PANOS4.1rev3.xlsx 5002584 || [PALO-ALTO] Chassis Master Alarm || url,live.paloaltonetworks.com/twzvq79624/attachments/twzvq79624/learning_tkb/428/1/System_log_PANOS4.1rev3.xlsx 5002585 || [PALO-ALTO] Failed to connect to Panorama Server || url,live.paloaltonetworks.com/twzvq79624/attachments/twzvq79624/learning_tkb/428/1/System_log_PANOS4.1rev3.xlsx 5002586 || [PALO-ALTO] Failed Interactive Login - Brute Force [15/1] || url,live.paloaltonetworks.com/twzvq79624/attachments/twzvq79624/learning_tkb/428/1/System_log_PANOS4.1rev3.xlsx 5002587 || [PALO-ALTO] Failed to install software || url,live.paloaltonetworks.com/twzvq79624/attachments/twzvq79624/learning_tkb/428/1/System_log_PANOS4.1rev3.xlsx 5002588 || [PALO-ALTO] NTLM Authentication Brute Force - [25/1] || url,live.paloaltonetworks.com/twzvq79624/attachments/twzvq79624/learning_tkb/428/1/System_log_PANOS4.1rev3.xlsx 5002589 || [PALO-ALTO] Successful NTLM Authentication From Outside Home Country || url,live.paloaltonetworks.com/twzvq79624/attachments/twzvq79624/learning_tkb/428/1/System_log_PANOS4.1rev3.xlsx 5002590 || [PALO-ALTO] User Authenticated From Outside Home Country || url,live.paloaltonetworks.com/twzvq79624/attachments/twzvq79624/learning_tkb/428/1/System_log_PANOS4.1rev3.xlsx 5002591 || [PALO-ALTO] User Authentication - Brute Force [25/1] || url,live.paloaltonetworks.com/twzvq79624/attachments/twzvq79624/learning_tkb/428/1/System_log_PANOS4.1rev3.xlsx 5002592 || [PALO-ALTO] Possible Replay Attempt Caused Disconnection || url,live.paloaltonetworks.com/twzvq79624/attachments/twzvq79624/learning_tkb/428/1/System_log_PANOS4.1rev3.xlsx 5002593 || [PALO-ALTO] GlobalProtect Portal Authentication From Outside Home Country || url,live.paloaltonetworks.com/twzvq79624/attachments/twzvq79624/learning_tkb/428/1/System_log_PANOS4.1rev3.xlsx 5002594 || [PALO-ALTO] PPPoE Session Connected For User Outside Home Country 
|| url,live.paloaltonetworks.com/twzvq79624/attachments/twzvq79624/learning_tkb/428/1/System_log_PANOS4.1rev3.xlsx 5002595 || [PALO-ALTO] PPPoE Brute Force Attempt - [25/1] || url,live.paloaltonetworks.com/twzvq79624/attachments/twzvq79624/learning_tkb/428/1/System_log_PANOS4.1rev3.xlsx 5002596 || [PALO-ALTO] SSL VPN User Authentication Failure - Brute Force [25/1] || url,live.paloaltonetworks.com/twzvq79624/attachments/twzvq79624/learning_tkb/428/1/System_log_PANOS4.1rev3.xlsx 5002597 || [PALO-ALTO] SSL VPN Authentication From Outside Home Country || url,live.paloaltonetworks.com/twzvq79624/attachments/twzvq79624/learning_tkb/428/1/System_log_PANOS4.1rev3.xlsx 5002598 || [PALO-ALTO] SSL VPN Login - Brute Force [25/1] || url,live.paloaltonetworks.com/twzvq79624/attachments/twzvq79624/learning_tkb/428/1/System_log_PANOS4.1rev3.xlsx 5002599 || [PALO-ALTO] SSL VPN Login From Outside Home Country || url,live.paloaltonetworks.com/twzvq79624/attachments/twzvq79624/learning_tkb/428/1/System_log_PANOS4.1rev3.xlsx 5002600 || [PALO-ALTO] Certificate is revoked || url,live.paloaltonetworks.com/twzvq79624/attachments/twzvq79624/learning_tkb/428/1/System_log_PANOS4.1rev3.xlsx 5002601 || [SONICWALL] Possible restart for system maintenance || url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf 5002602 || [SONICWALL] Auto-Dial Failure || url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf 5002603 || [SONICWALL] Ethernet Port Down || url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf 5002604 || [SONICWALL] Ethernet Port Up || url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf 5002605 || [SONICWALL] Registration Update Needed || url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf 5002606 || [SONICWALL] 3G Device Detected || url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf 5002607 || [SONICWALL] 3G Data Limit Reached || 
url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf 5002608 || [SONICWALL] No 3G Sim Card Detected || url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf 5002609 || [SONICWALL] Preferences File Inaccessible || url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf 5002610 || [SONICWALL] OS Upgrade Performed || url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf 5002611 || [SONICWALL] Attempted access from host out of compliance with GSC policy || url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf 5002612 || [SONICWALL] Access attempt from host without Anti-Virus agent installed || url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf 5002613 || [SONICWALL] Security Services || url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf 5002614 || [SONICWALL] Firewall Rule Added || url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf 5002615 || [SONICWALL] Firewall Rule Deleted || url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf 5002616 || [SONICWALL] Firewall Rule Modified || url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf 5002617 || [SONICWALL] Firewall Rule reset to defaults || url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf 5002618 || [SONICWALL] Network Access to proxy server denied || url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf 5002619 || [SONICWALL] ActiveX access denied || url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf 5002620 || [SONICWALL] ActiveX or Java archive access denied || url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf 5002621 || [SONICWALL] Successful Administrator Access || url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf 5002622 || [SONICWALL] Administrator Access denied due to bad credentials || 
url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf 5002623 || [SONICWALL] Administrator Access not allowed on this interface || url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf 5002624 || [SONICWALL] Administrator Account Name Changed || url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf 5002625 || [SONICWALL] Firewall preferences reset to factory defaults || url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf 5002626 || [SONICWALL] Allowed LDAP server certificate with wrong host name || url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf 5002627 || [SONICWALL] Possible Intrusion detection - Anti-Spyware detected || url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf 5002628 || [SONICWALL] Possible Intrusion detection - Anti-Spyware detected || url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf 5002629 || [SONICWALL] Intrusion Detection - Suspicious Application detected || url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf 5002630 || [SONICWALL] Intrusion Detection - Suspicious Application detected || url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf 5002631 || [SONICWALL] ASOC Flood detected from WLAN station || url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf 5002632 || [SONICWALL] Intrusion Detection - Back Orifice Attack Dropped || url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf 5002633 || [SONICWALL] High Availability - Backup active || url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf 5002634 || [SONICWALL] High Availability/Failover - Backup Firewall Active || url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf 5002635 || [SONICWALL] High Availability/Failover - Backup Firewall transitioned to idle || url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf 5002636 || [SONICWALL] High Availability 
- Backup Firewall Rebooting || url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf 5002637 || [SONICWALL] High Availability - Backup WAN link down || url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf 5002638 || [SONICWALL] VPN PKI - Bad CRL format || url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf 5002639 || [SONICWALL] VPN PKI - Blacklisted Certificate || url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf 5002640 || [SONICWALL] Administrator Login - Commandline login successful || url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf 5002641 || [SONICWALL] Administrator login failed due to bad credentials || url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf 5002642 || [SONICWALL] Firewall event - Diagnostic Reboot || url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf 5002643 || [SONICWALL] Firewall Hardware Diagnostic Code A || url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf 5002644 || [SONICWALL] Firewall Hardware Diagnostic Code B || url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf 5002645 || [SONICWALL] Firewall Hardware Diagnostic Code C || url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf 5002646 || [SONICWALL] Firewall Hardware Diagnostic Code D || url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf 5002647 || [SONICWALL] Firewall Hardware Diagnostic Code E || url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf 5002648 || [SONICWALL] Firewall Hardware Diagnostic Code F || url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf 5002649 || [SONICWALL] Firewall Hardware Diagnostic Code G || url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf 5002650 || [SONICWALL] Firewall Hardware Diagnostic Code H || url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf 5002651 || [SONICWALL] 
Firewall Hardware Diagnostic Code I || url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf 5002652 || [SONICWALL] Firewall Hardware Diagnostic Code J || url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf 5002653 || [SONICWALL] Intrusion Detection Non-Sonicpoint WLAN traffic dropped || url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf 5002654 || [SONICWALL] Error initializing Hardware acceleration for VPN || url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf 5002655 || [SONICWALL] High Availability - Error rebooting peer firewall || url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf 5002656 || [SONICWALL] High Availability - Error setting up IP address of the backup || url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf 5002657 || [SONICWALL] Security Services - License Sync Failed || url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf 5002658 || [SONICWALL] Intrusion Detection - Possible FIN Flood || url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf 5002659 || [SONICWALL] Intrusion Detection - Possible FIN Flood || url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf 5002660 || [SONICWALL] WLAN IDS - Rogue Access Point || url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf 5002661 || [SONICWALL] Intrusion Detection - Fraudulent Microsoft Certificate || url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf 5002662 || [SONICWALL] FTP - Login Failed || url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf 5002663 || [SONICWALL] Network Access - Dropped access from non-default port || url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf 5002664 || [SONICWALL] Intrusion Detection - Bounce attack dropped || url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf 5002665 || [SONICWALL] Intrusion Detection - Spoof attack dropped 
|| url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf 5002666 || [SONICWALL] Guest account created || url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf 5002667 || [SONICWALL] Guest account deleted || url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf 5002668 || [SONICWALL] Guest account disabled || url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf 5002669 || [SONICWALL] Guest account pruned || url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf 5002670 || [SONICWALL] Guest account re-enabled || url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf 5002671 || [SONICWALL] Guest account re-generated || url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf 5002672 || [SONICWALL] Heartbeat detected from incompatible source || url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf 5002673 || [SONICWALL] HTTP management port has changed || url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf 5002674 || [SONICWALL] Wireless - Unauthorized user || url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf 5002675 || [SONICWALL] Possible IP spoof detected || url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf 5002676 || [SONICWALL] Possible IP spoof dropped || url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf 5002677 || [SONICWALL] IPS Detection Alert || url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf 5002678 || [SONICWALL] IPS Prevention Alert || url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf 5002679 || [SONICWALL] Intrusion Detection - Land attack dropped || url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf 5002680 || [SONICWALL] Intrusion Detection - removed from FIN flood blacklist || url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf 5002681 || [SONICWALL] Intrusion Detection - 
removed from RST flood blacklist || url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf 5002682 || [SONICWALL] Intrusion Detection - removed from SYN flood blacklist || url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf 5002683 || [SONICWALL] Firewall logging - Maximum events per second threshold exceeded || url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf 5002684 || [SONICWALL] PPP dialup - Maximum sequential failed dial attempts || url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf 5002685 || [SONICWALL] Firewall logging - Maximum syslog data per second threshold exceeded || url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf 5002686 || [SONICWALL] Multiple DHCP servers detected on network || url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf 5002687 || [SONICWALL] Intrusion Detection - Net Spy attack dropped || url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf 5002688 || [SONICWALL] Intrusion Detection - NetBus attack dropped || url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf 5002689 || [SONICWALL] Wireless - Packet dropped by WLAN || url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf 5002690 || [SONICWALL] No firewall rule exists for VPN policy || url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf 5002691 || [SONICWALL] Intrusion Detection - Ping of Death dropped || url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf 5002692 || [SONICWALL] Intrusion Detection - Possible DNS rebind attack detected || url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf 5002693 || [SONICWALL] Intrusion Detection - Possible FIN Flood || url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf 5002694 || [SONICWALL] Intrusion Detection - Possible port scan detected || url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf 5002695 
|| [SONICWALL] Intrusion Detection - Possible RST Flood || url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf 5002696 || [SONICWALL] Intrusion Detection - Possible SYN Flood || url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf 5002697 || [SONICWALL] Intrusion Detection - Priority attack dropped || url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf 5002698 || [SONICWALL] Intrusion Detection - Probable port scan detected || url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf 5002699 || [SONICWALL] Intrusion Detection - Probable TCP FIN scan detected || url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf 5002700 || [SONICWALL] Intrusion Detection - Probable TCP NULL scan detected || url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf 5002701 || [SONICWALL] Intrusion Detection - Probable TCP XMAS scan detected || url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf 5002702 || [SONICWALL] Wan Failover - Possible recon attempt || url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf 5002703 || [SONICWALL] Wan Failover - Recon attempt || url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf 5002704 || [SONICWALL] Firewall Hardware - Clock battery has failed || url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf 5002705 || [SONICWALL] Wan Failover - Possible recon || url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf 5002706 || [SONICWALL] Sonicwall License Expired || url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf 5002707 || [SONICWALL] Firewall rebooting || url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf 5002708 || [SONICWALL] Intrusion Detection - RIPper attack dropped || url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf 5002709 || [SONICWALL] Intrusion Detection - RST Flood Blacklist || 
url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf 5002710 || [SONICWALL] Intrusion Detection - RST Flood || url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf 5002711 || [SONICWALL] Intrusion Detection - Senna Spy attack dropped || url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf 5002712 || [SONICWALL] Firewall activated || url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf 5002713 || [SONICWALL] Firewall starting up || url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf 5002714 || [SONICWALL] SonicWALL SSO agent is down || url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf 5002715 || [SONICWALL] SonicWALL SSO agent is up || url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf 5002716 || [SONICWALL] Domain name too long || url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf 5002717 || [SONICWALL] SSO agent returned error || url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf 5002718 || [SONICWALL] User name too long || url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf 5002719 || [SONICWALL] Intrusion Detection - Source routed IP packet dropped || url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf 5002720 || [SONICWALL] Intrusion Detection - Spank attack dropped || url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf 5002721 || [SONICWALL] VPN policy enforced || url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf 5002722 || [SONICWALL] Intrusion Detection - Striker attack dropped || url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf 5002723 || [SONICWALL] Intrusion Detection - Sub Seven attack dropped || url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf 5002724 || [SONICWALL] Intrusion Detection - SYN Flood blacklisting enabled by user || 
url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf 5002725 || [SONICWALL] Intrusion Detection - SYN flood ceased or flooding machines blacklisted || url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf 5002726 || [SONICWALL] Intrusion Detection - SYN Flood Mode changed by user || url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf 5002727 || [SONICWALL] System clock manually updated || url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf 5002728 || [SONICWALL] Intrusion Detection - TCP Xmas Tree dropped || url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf 5002729 || [SONICWALL] Virtual Access Point is disabled || url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf 5002730 || [SONICWALL] Virtual Access Point is enabled || url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf 5002731 || [SONICWALL] Hardware failure - Voltages Out of Tolerance || url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf 5002732 || [SONICWALL] WLAN firmware image has been updated || url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf 5002733 || [SONICWALL] Radio frequency threat detected || url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf 5002734 || [SONICWALL] WLAN sequence number out of order - sequencing error/EMF interference/rogue AP || url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf 5002735 || [YUBIKEY] Invalid OTP || url,wiki.quadrantsec.com/bin/view/Main/5002735 5002736 || [WEB-ATTACKS] RFI Attempt || url,www.doomedraven.com/2013/05/cheat-sheet-web-application-exploitation.html 5002737 || [WEB-ATTACKS] Possible LFI Attempt || url,www.doomedraven.com/2013/05/cheat-sheet-web-application-exploitation.html 5002738 || [WEB-ATTACKS] Attempt to Access Default WordPress Login Page || url,www.doomedraven.com/2013/05/cheat-sheet-web-application-exploitation.html 5002739 || [WEB-ATTACKS] 
Attempt to Access a Webshell via WordPress || url,www.doomedraven.com/2013/05/cheat-sheet-web-application-exploitation.html 5002740 || [WEB-ATTACKS] Attempt to Access Default Cacti Login Page || url,www.doomedraven.com/2013/05/cheat-sheet-web-application-exploitation.html 5002741 || [WEB-ATTACKS] Attempt to Access PHPMyAdmin Changelog Page || url,www.doomedraven.com/2013/05/cheat-sheet-web-application-exploitation.html 5002742 || [WEB-ATTACKS] Attempt to Access robots.txt File || url,www.doomedraven.com/2013/05/cheat-sheet-web-application-exploitation.html 5002743 || [WEB-ATTACKS] Possible SQL Injection || url,www.doomedraven.com/2013/05/cheat-sheet-web-application-exploitation.html 5002744 || [WEB-ATTACKS] Attempt to Access Default Drupal DB Config File || url,www.doomedraven.com/2013/05/cheat-sheet-web-application-exploitation.html 5002745 || [WEB-ATTACKS] Attempt to Access Default Joomla Page || url,www.doomedraven.com/2013/05/cheat-sheet-web-application-exploitation.html 5002746 || [WEB-ATTACKS] Attempt to Access PHP Timeclock Page || url,www.doomedraven.com/2013/05/cheat-sheet-web-application-exploitation.html 5002747 || [WEB-ATTACKS] Attempt to Access default DeV!L`s ClanPortal Page || url,www.doomedraven.com/2013/05/cheat-sheet-web-application-exploitation.html 5002748 || [WEB-ATTACKS] Attempt to Access IISamples Page || url,www.doomedraven.com/2013/05/cheat-sheet-web-application-exploitation.html 5002749 || [PALO-ALTO] Malware URL Blocked || url,www.brightcloud.com/tools/url-ip-lookup.php 5002750 || [PALO-ALTO] Phishing URL Blocked || url,www.brightcloud.com/tools/url-ip-lookup.php 5002751 || [PALO-ALTO] Spyware or Adware URL Blocked || url,www.brightcloud.com/tools/url-ip-lookup.php 5002752 || [PALO-ALTO] Url Blocked by policy or category || url,www.brightcloud.com/tools/url-ip-lookup.php 5002753 || [PALO-ALTO] Foreign URL of unknown category || url,www.brightcloud.com/tools/url-ip-lookup.php 5002754 || [PALO-ALTO] Url silent xbit set || 
url,www.brightcloud.com/tools/url-ip-lookup.php 5002755 || [PALO-ALTO] Virus Detected || url,threatvault.paloaltonetworks.com 5002756 || [PALO-ALTO] Critical Severity Exploit Inbound || url,threatvault.paloaltonetworks.com 5002757 || [PALO-ALTO] Critical Severity Exploit Outbound || url,threatvault.paloaltonetworks.com 5002758 || [PALO-ALTO] High Severity Exploit Inbound || url,threatvault.paloaltonetworks.com 5002759 || [PALO-ALTO] High Severity Exploit Outbound || url,threatvault.paloaltonetworks.com 5002760 || [PALO-ALTO] Medium Severity Exploit Inbound || url,threatvault.paloaltonetworks.com 5002761 || [PALO-ALTO] Medium Severity Exploit Outbound || url,threatvault.paloaltonetworks.com 5002762 || [PALO-ALTO] Executable File Download 5002763 || [PALO-ALTO] Suspicious DNS Request || url,threatvault.paloaltonetworks.com 5002764 || [FIPAYPIN] Connection failed to Fipay [5/2] || url,wiki.quadrantsec.com/bin/view/Main/sid:5002764 5002765 || [FIPAYPIN] Slow send! || url,wiki.quadrantsec.com/bin/view/Main/sid:5002765 5002766 || [FIPAYPIN] Invalid credit card detected || url,wiki.quadrantsec.com/bin/view/Main/sid:5002766 5002767 || [FIPAYPIN] Bad/No Pin Block and KSN returned || url,wiki.quadrantsec.com/bin/view/Main/sid:5002767 5002768 || [FIPAYPIN] Blocked the response to POS || url,wiki.quadrantsec.com/bin/view/Main/sid:5002768 5002769 || [FIPAYPIN] Failed to open pinpad [0/2] || url,wiki.quadrantsec.com/bin/view/Main/sid:5002769 5002770 || [FIPAYPIN] Replace macro from outside RFC1918 || url,wiki.quadrantsec.com/bin/view/Main/sid:5002770 5002771 || [ScreenOS] Juniper ScreenOS Login for Suspicious Admin user - system || url,kb.juniper.net/InfoCenter/index?page=content&id=JSA10713&actp=search || cve,2015-7755 5002772 || [ScreenOS] Juniper ScreenOS Login for Suspicious Admin user - username || url,kb.juniper.net/InfoCenter/index?page=content&id=JSA10713&actp=search || cve,2015-7755 5002773 || [ScreenOS-GEOIP] Juniper ScreenOS Admin Login from Outside of Home Country || 
url, wiki.quadrantsec.com/bin/view/Main/5002773 || url,kb.juniper.net/InfoCenter/index?page=content&id=JSA10713&actp=search 5002774 || [JUNIPER-BLUEDOT] Juniper ScreenOS Admin Login from a known malicious IP || url,kb.juniper.net/InfoCenter/index?page=content&id=JSA10713&actp=search || cve,2015-7755 5002775 || [WINDOWS-MISC] Domain policy was changed || url,wiki.quadrantsec.com/bin/view/Main/5002775 5002776 || [F5-BIG-IP-GEOIP] Command-line Login from outside HOME_COUNTRY || url,wiki.quadrantsec.com/bin/view/Main/5002776 || url,support.f5.com/kb/en-us/solutions/public/13000/400/sol13426.html 5002777 || [F5-BIG-IP-GEOIP] Command-line Logout from outside HOME_COUNTRY || url,wiki.quadrantsec.com/bin/view/Main/5002777 || url,support.f5.com/kb/en-us/solutions/public/13000/400/sol13426.html 5002778 || [F5-BIG-IP-GEOIP] Unsuccessful Command-line Login from outside HOME_COUNTRY || url,wiki.quadrantsec.com/bin/view/Main/5002778 || url,support.f5.com/kb/en-us/solutions/public/13000/400/sol13426.html 5002779 || [F5-BIG-IP-GEOIP] Unsuccessful Command-line Login from outside HOME_COUNTRY || url,wiki.quadrantsec.com/bin/view/Main/5002779 || url,support.f5.com/kb/en-us/solutions/public/13000/400/sol13426.html 5002780 || [F5-BIG-IP-GEOIP] Successful Configuration Utility Login from outside HOME_COUNTRY || url,wiki.quadrantsec.com/bin/view/Main/5002780 || url,support.f5.com/kb/en-us/solutions/public/13000/400/sol13426.html 5002781 || [F5-BIG-IP-GEOIP] Unsuccessful Configuration Utility Login from outside HOME_COUNTRY || url,wiki.quadrantsec.com/bin/view/Main/5002781 || url,support.f5.com/kb/en-us/solutions/public/13000/400/sol13426.html 5002782 || [Barracuda] Last Auto Backup Time Changed || url,wiki.quadrantsec.com/bin/view/Main/5002782 5002783 || [Barracuda] Spyware Exploit || url,wiki.quadrantsec.com/bin/view/Main/5002783 5002784 || [Barracuda] AdWare Win32 Agent || url,wiki.quadrantsec.com/bin/view/Main/5002784 5002785 || [Barracuda] Login || 
url,wiki.quadrantsec.com/bin/view/Main/5002785 5002786 || [Barracuda] Failed Login || url,wiki.quadrantsec.com/bin/view/Main/5002786 5002787 || [Barracuda] Spyware Filter Change || url,wiki.quadrantsec.com/bin/view/Main/5002787 5002788 || [Barracuda] Snort Enabled || url,wiki.quadrantsec.com/bin/view/Main/5002788 5002789 || [Barracuda] Ipoque Enabled || url,wiki.quadrantsec.com/bin/view/Main/5002789 5002790 || [Barracuda] Failed Login Log Change || url,wiki.quadrantsec.com/bin/view/Main/5002790 5002791 || [Barracuda] Change to URL Whitelist || url,wiki.quadrantsec.com/bin/view/Main/5002791 5002792 || [Barracuda] Change to URL Blacklist || url,wiki.quadrantsec.com/bin/view/Main/5002792 5002793 || [Barracuda] Policy Block Change || url,wiki.quadrantsec.com/bin/view/Main/5002793 5002794 || [Barracuda] User Password Changed || url,wiki.quadrantsec.com/bin/view/Main/5002794 5002795 || [Barracuda] System Password Changed || url,wiki.quadrantsec.com/bin/view/Main/5002795 5002796 || [Barracuda] System Shutdown || url,wiki.quadrantsec.com/bin/view/Main/5002796 5002797 || [Trendmicro] Virus Found Unable to Quarantine || url,wiki.quadrantsec.com/bin/view/Main/5002797 5002798 || [BRO] RFC1918 address scanning the network || url,wiki.quadrantsec.com/bin/view/Main/5002798 5002799 || [WINDOWS-SYSMON] PSExec execution detected || url,wiki.quadrantsec.com/bin/view/Main/sid:5002799 5002801 || [WINDOWS-MALWARE] Locky or AutoLocky ransomware extension detected. || url,decrypter.emsisoft.com || url,wiki.quadrantsec.com/bin/view/Main/5002801 5002802 || [WINDOWS-SYSMON] Locky/CryptoMix ransomware instructions detected! || url,wiki.quadrantsec.com/bin/view/Main/sid:5002802 5002803 || [WINDOWS-SYSMON] vssadmin.exe execution. Possible ransomware || url,wiki.quadrantsec.com/bin/view/Main/sid:5002803 5002804 || [WINDOWS-MALWARE] Locky ransomware note detected. 
|| url,wiki.quadrantsec.com/bin/view/Main/5002804 || url,http://www.bleepingcomputer.com/news/security/the-locky-ransomware-encrypts-local-files-and-unmapped-network-shares/ 5002805 || [WINDOWS-MALWARE] Cryptowall 4.0 ransomware note detected. || url,wiki.quadrantsec.com/bin/view/Main/5002805 || url,http://www.bleepingcomputer.com/virus-removal/cryptowall-ransomware-information#cryptowall4 5002806 || [WINDOWS-MALWARE] Cryptowall ransomware note detected. || url,wiki.quadrantsec.com/bin/view/Main/5002806 5002807 || [WINDOWS-MALWARE] CryptInfinite/DecryptorMax ransomware note detected. || url,decrypter.emsisoft.com || url,wiki.quadrantsec.com/bin/view/Main/5002807 || url,http://www.bleepingcomputer.com/news/security/cryptinfinite-or-decryptormax-ransomware-decrypted/ 5002808 || [WINDOWS-MALWARE] TeslaCrypt ransomware note detected. || url,wiki.quadrantsec.com/bin/view/Main/5002808 || url,www.pcrisk.com/removal-guides/8724-teslacrypt-virus 5002809 || [WINDOWS-MALWARE] Teslacrypt ransomware note type 2 detected. 
|| url,wiki.quadrantsec.com/bin/view/Main/5002809 || url,www.virustotal.com/en/file/161d1b77a6867603745046e81e52a186ea764ba8c723c9698da707c245505e95/analysis/1458765163/ 5002810 || [WINDOWS-SYSMON] Suspicious WMIC call - shadowcopy delete || url,wiki.quadrantsec.com/bin/view/Main/sid:5002810 5002811 || [WINDOWS-SYSMON] Suspicious WMIC call - csproduct GET UUID || url,wiki.quadrantsec.com/bin/view/Main/sid:5002811 5002812 || [WINDOWS-SYSMON] Suspicious WMIC call - bios Get SerialNumber || url,wiki.quadrantsec.com/bin/view/Main/sid:5002812 5002813 || [WINDOWS-SYSMON] Suspicious WMIC call - bios Get Version || url,wiki.quadrantsec.com/bin/view/Main/sid:5002813 5002814 || [WINDOWS-SYSMON] Suspicious WMIC call - bios Get SerialNumber || url,wiki.quadrantsec.com/bin/view/Main/sid:5002814 5002815 || [WINDOWS-SYSMON] Suspicious WMIC call - csproduct Get Name || url,wiki.quadrantsec.com/bin/view/Main/sid:5002815 5002816 || [WINDOWS-SYSMON] Suspicious WMIC call - computersystem get model || url,wiki.quadrantsec.com/bin/view/Main/sid:5002816 5002817 || [WINDOWS-MISC] Installation of service via SCM || url,pastebin.com/raw/0SNSvyjJ || url,wiki.quadrantsec.com/bin/view/Main/5002817 5002818 || [WINDOWS-MISC] Installation of new service via Security Audit || url,pastebin.com/raw/0SNSvyjJ || url,wiki.quadrantsec.com/bin/view/Main/5002818 5002819 || [WINDOWS-MALWARE] TrueCrypter Rakhni or .CryptoHasYou. - Trojan:Win32/Dynamer!ac ransomware extension detected. || url,www.nyxbone.com/malware/RansomwareOverview.html || url,docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g || url,wiki.quadrantsec.com/bin/view/Main/5002819 5002820 || [WINDOWS-MALWARE] .CryptoHasYou. - Trojan:Win32/Dynamer!ac ransom note detected. 
|| url,www.nyxbone.com/malware/RansomwareOverview.html || url,docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g || url,wiki.quadrantsec.com/bin/view/Main/5002820 5002821 || [WINDOWS-MALWARE] 7ev3n - Ransom:Win32/Empercrypt.A ransomware extension detected. || url, https://github.com/hasherezade/malware_analysis/tree/master/7ev3n || url,www.nyxbone.com/malware/RansomwareOverview.html || url,docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g || url,wiki.quadrantsec.com/bin/view/Main/5002821 5002822 || [WINDOWS-MALWARE] Win32/Cribit or MSIL/Vaultlock.A ransomware extension detected. || url,noransom.kaspersky.com || url,www.nyxbone.com/malware/RansomwareOverview.html || url,docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g || url,wiki.quadrantsec.com/bin/view/Main/5002822 5002823 || [WINDOWS-MALWARE] Cerber - Win32/Cerber ransomware extension detected. || url,www.nyxbone.com/malware/RansomwareOverview.html || url,docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g || url,wiki.quadrantsec.com/bin/view/Main/5002823 5002824 || [WINDOWS-MALWARE] Chimera - Win32/Chicrypt ransomware extension detected. || url,www.nyxbone.com/malware/RansomwareOverview.html || url,docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g || url,wiki.quadrantsec.com/bin/view/Main/5002824 5002825 || [WINDOWS-MALWARE] Coverton ransomware extension detected. || url,www.nyxbone.com/malware/RansomwareOverview.html || url,docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g || url,wiki.quadrantsec.com/bin/view/Main/5002825 5002826 || [WINDOWS-MALWARE] CryptInfinite ransomware extension detected. || url,www.nyxbone.com/malware/RansomwareOverview.html || url,docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g || url,wiki.quadrantsec.com/bin/view/Main/5002826 5002827 || [WINDOWS-MALWARE] CryptInfinite ransomware extension detected. 
|| url,www.nyxbone.com/malware/RansomwareOverview.html || url,docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g || url,wiki.quadrantsec.com/bin/view/Main/5002827 5002828 || [WINDOWS-MALWARE] CryptoTorLocker2015 ransomware extension detected. || url,www.nyxbone.com/malware/RansomwareOverview.html || url,docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g || url,wiki.quadrantsec.com/bin/view/Main/5002828 5002829 || [WINDOWS-MALWARE] CryptXXX or Gomasom ransomware extension detected. || url,www.nyxbone.com/malware/RansomwareOverview.html || url,docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g || url,wiki.quadrantsec.com/bin/view/Main/5002829 5002830 || [WINDOWS-MALWARE] Hi Buddy! or Rakhni ransomware extension detected. || url,www.nyxbone.com/malware/RansomwareOverview.html || url,docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g || url,wiki.quadrantsec.com/bin/view/Main/5002830 5002831 || [WINDOWS-MALWARE] iLock, iLockLight or Lortok ransomware extension detected. || url,www.nyxbone.com/malware/RansomwareOverview.html || url,docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g || url,wiki.quadrantsec.com/bin/view/Main/5002831 5002832 || [WINDOWS-MALWARE] Jigsaw - MSIL/JigsawLocker.A || url,www.bleepingcomputer.com/news/security/jigsaw-ransomware-decrypted-will-delete-your-files-until-you-pay-the-ransom || url,www.nyxbone.com/malware/RansomwareOverview.html || url,docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g || url,wiki.quadrantsec.com/bin/view/Main/5002832 5002833 || [WINDOWS-MALWARE] EDA2,HiddenTear,Job Crypter,KimcilWare,SkidLocker,Pompous,Strictor or Rakhni ransomware extension detected. 
|| url,www.nyxbone.com/malware/RansomwareOverview.html || url,docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g || url,wiki.quadrantsec.com/bin/view/Main/5002833 5002834 || [WINDOWS-MALWARE] KeyBTC - Win32/Isda - BAT/Xibow ransomware extension detected. || url,www.nyxbone.com/malware/RansomwareOverview.html || url,docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g || url,wiki.quadrantsec.com/bin/view/Main/5002834 5002835 || [WINDOWS-MALWARE] KimcilWare ransomware extension detected. || url,blog.fortinet.com/post/kimcilware-ransomware-how-to-decrypt-encrypted-files-and-who-is-behind-it || url,www.nyxbone.com/malware/RansomwareOverview.html || url,docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g || url,wiki.quadrantsec.com/bin/view/Main/5002835 5002836 || [WINDOWS-MALWARE] LeChiffre ransomware extension detected. || url,decrypter.emsisoft.com/lechiffre || url,www.nyxbone.com/malware/RansomwareOverview.html || url,docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g || url,wiki.quadrantsec.com/bin/view/Main/5002836 5002837 || [WINDOWS-MALWARE] Magic ransomware extension detected. || url,www.nyxbone.com/malware/RansomwareOverview.html || url,docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g || url,wiki.quadrantsec.com/bin/view/Main/5002837 5002838 || [WINDOWS-MALWARE] MireWare ransomware extension detected. || url,www.nyxbone.com/malware/RansomwareOverview.html || url,docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g || url,wiki.quadrantsec.com/bin/view/Main/5002838 5002839 || [WINDOWS-MALWARE] Nemucod ransomware extension detected. 
|| url,github.com/Antelox/NemucodFR || url,decrypter.emsisoft.com || url,www.nyxbone.com/malware/RansomwareOverview.html || url,docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g || url,wiki.quadrantsec.com/bin/view/Main/5002839 5002840 || [WINDOWS-MALWARE] Offline ransomware ransomware extension detected. || url,www.nyxbone.com/malware/RansomwareOverview.html || url,docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g || url,wiki.quadrantsec.com/bin/view/Main/5002840 5002841 || [WINDOWS-MALWARE] OMG! ransomware extension detected. || url,www.nyxbone.com/malware/RansomwareOverview.html || url,docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g || url,wiki.quadrantsec.com/bin/view/Main/5002841 5002842 || [WINDOWS-MALWARE] Radamant ransomware extension detected. || url,decrypter.emsisoft.com || url,www.nyxbone.com/malware/RansomwareOverview.html || url,docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g || url,wiki.quadrantsec.com/bin/view/Main/5002842 5002843 || [WINDOWS-MALWARE] Coverton or Torrentlocker ransomware extension detected. || url,support.kaspersky.com/us/viruses/disinfection/10556 || url,www.nyxbone.com/malware/RansomwareOverview.html || url,docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g || url,wiki.quadrantsec.com/bin/view/Main/5002843 5002844 || [WINDOWS-MALWARE] RemindMe ransomware extension or note detected. || url,www.nyxbone.com/malware/RansomwareOverview.html || url,docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g || url,wiki.quadrantsec.com/bin/view/Main/5002844 5002845 || [WINDOWS-MALWARE] Rokku ransomware extension detected. || url,www.nyxbone.com/malware/RansomwareOverview.html || url,docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g || url,wiki.quadrantsec.com/bin/view/Main/5002845 5002846 || [WINDOWS-MALWARE] Samas-Samsam ransomware extension detected. 
|| url,www.nyxbone.com/malware/RansomwareOverview.html || url,docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g || url,wiki.quadrantsec.com/bin/view/Main/5002846 5002847 || [WINDOWS-MALWARE] LowLevel04 ransomware extension detected. || url,www.nyxbone.com/malware/RansomwareOverview.html || url,docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g || url,wiki.quadrantsec.com/bin/view/Main/5002847 5002848 || [WINDOWS-MALWARE] Sanction ransomware extension detected. || url,www.nyxbone.com/malware/RansomwareOverview.html || url,docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g || url,wiki.quadrantsec.com/bin/view/Main/5002848 5002849 || [WINDOWS-MALWARE] Sport ransomware extension detected. || url,www.nyxbone.com/malware/RansomwareOverview.html || url,docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g || url,wiki.quadrantsec.com/bin/view/Main/5002849 5002850 || [WINDOWS-MALWARE] Surprise ransomware extension detected. || url,www.nyxbone.com/malware/RansomwareOverview.html || url,docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g || url,wiki.quadrantsec.com/bin/view/Main/5002850 5002851 || [WINDOWS-MALWARE] TeslaCrypt 0.x - 2.2.0 ransomware extension detected. || url,www.talosintel.com/teslacrypt_tool || url,www.bleepingcomputer.com/forums/t/576600/tesladecoder-released-to-decrypt-exx-ezz-ecc-files-encrypted-by-teslacrypt || url,www.nyxbone.com/malware/RansomwareOverview.html || url,docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g || url,wiki.quadrantsec.com/bin/view/Main/5002851 5002852 || [WINDOWS-MALWARE] TeslaCrypt 3.0+ ransomware extension detected. || url,www.nyxbone.com/malware/RansomwareOverview.html || url,docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g || url,wiki.quadrantsec.com/bin/view/Main/5002852 5002853 || [WINDOWS-MALWARE] Troldesh ransomware extension detected. 
|| url,www.nyxbone.com/malware/RansomwareOverview.html || url,docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g || url,wiki.quadrantsec.com/bin/view/Main/5002853 5002854 || [WINDOWS-MALWARE] Zlader / Russian or VaultCrypt ransomware extension detected. || url,www.nyxbone.com/malware/RansomwareOverview.html || url,docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g || url,wiki.quadrantsec.com/bin/view/Main/5002854 5002855 || [WINDOWS-MALWARE] Virus-Encoder ransomware extension detected. || url,www.nyxbone.com/malware/RansomwareOverview.html || url,docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g || url,wiki.quadrantsec.com/bin/view/Main/5002855 5002856 || [WINDOWS-MALWARE] Xorist ransomware extension detected. || url,support.kaspersky.com/viruses/disinfection/2911 || url,www.nyxbone.com/malware/RansomwareOverview.html || url,docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g || url,wiki.quadrantsec.com/bin/view/Main/5002856 5002857 || [WINDOWS-MALWARE] XRTN ransomware extension detected. || url,www.nyxbone.com/malware/RansomwareOverview.html || url,docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g || url,wiki.quadrantsec.com/bin/view/Main/5002857 5002858 || [WINDOWS-MALWARE] CryptFIle2 ransomware extension detected. || url,www.nyxbone.com/malware/RansomwareOverview.html || url,docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g || url,wiki.quadrantsec.com/bin/view/Main/5002858 5002859 || [WINDOWS-MALWARE] Cryaki ransomware extension detected. || url,support.kaspersky.com/viruses/disinfection/8547 || url,www.nyxbone.com/malware/RansomwareOverview.html || url,docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g || url,wiki.quadrantsec.com/bin/view/Main/5002859 5002860 || [WINDOWS-MALWARE] CTB-Locker ransomware extension detected. 
|| url,www.nyxbone.com/malware/RansomwareOverview.html || url,docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g || url,wiki.quadrantsec.com/bin/view/Main/5002860 5002861 || [WINDOWS-MALWARE] El-Polocker ransomware extension detected. || url,www.nyxbone.com/malware/RansomwareOverview.html || url,docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g || url,wiki.quadrantsec.com/bin/view/Main/5002861 5002862 || [WINDOWS-MALWARE] Mobef ransomware extension detected. || url,www.nyxbone.com/malware/RansomwareOverview.html || url,docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g || url,wiki.quadrantsec.com/bin/view/Main/5002862 5002863 || [WINDOWS-MALWARE] Alpha ransomware extension detected. || url,www.nyxbone.com/malware/RansomwareOverview.html || url,docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g || url,wiki.quadrantsec.com/bin/view/Main/5002863 5002864 || [WINDOWS-MALWARE] WonderCrypter ransomware extension or note detected. || url,www.nyxbone.com/malware/RansomwareOverview.html || url,docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g || url,wiki.quadrantsec.com/bin/view/Main/5002864 5002865 || [WINDOWS-MALWARE] Zeta ransomware note detected. || url,www.nyxbone.com/malware/RansomwareOverview.html || url,docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g || url,wiki.quadrantsec.com/bin/view/Main/5002865 5002866 || [WINDOWS-MALWARE] WonderCrypter ransomware extension or note detected. || url,www.nyxbone.com/malware/RansomwareOverview.html || url,docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g || url,wiki.quadrantsec.com/bin/view/Main/5002866 5002867 || [WINDOWS-MALWARE] Possible unknown strain ransomware extension or note detected. 
|| url,www.nyxbone.com/malware/RansomwareOverview.html || url,docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g || url,wiki.quadrantsec.com/bin/view/Main/5002867 5002868 || [CISCO-BLUEDOT] Suspicious TCP connection detected via Bluedot || url,wiki.quadrantsec.com/bin/view/Main/5002868 5002869 || [CISCO-BLUEDOT] Suspicious UDP connection detected via Bluedot || url,wiki.quadrantsec.com/bin/view/Main/5002869 5002870 || [CISCO-BLUEDOT] VPN Login from suspicious source || url, wiki.quadrantsec.com/bin/view/Main/5002870 5002871 || [CISCO-BLUEDOT] Console login from suspicious source || url, wiki.quadrantsec.com/bin/view/Main/5002871 5002872 || [CISCO-BLUEDOT] Login permitted from suspicious source || url, wiki.quadrantsec.com/bin/view/Main/5002872 5002873 || [CISCO-BLUEDOT] VPN login from suspicious source || url, wiki.quadrantsec.com/bin/view/Main/5002873 5002874 || [CISCO-BLUEDOT] VPN disconnect from suspicious source || url, wiki.quadrantsec.com/bin/view/Main/5002874 5002875 || [CISCO-BLUEDOT] VPN/AnyConnect login from suspicious source || url, wiki.quadrantsec.com/bin/view/Main/5002875 5002876 || [CISCO-BLUEDOT] ACS Login success from suspicious source || url, wiki.quadrantsec.com/bin/view/Main/5002876 5002877 || [CISCO-BLUEDOT] VPN login from suspicious source [2] || url, wiki.quadrantsec.com/bin/view/Main/5002877 5002878 || [CISCO-BLUEDOT] FTP file transfer from or to suspicious source || url, wiki.quadrantsec.com/bin/view/Main/5002878 5002879 || [CISCO-BLUEDOT] Suspicious ICMP connection detected via Bluedot || url,wiki.quadrantsec.com/bin/view/Main/5002879 5002880 || [CISCO-BLUEDOT] Suspicious GRE connection detected via Bluedot || url,wiki.quadrantsec.com/bin/view/Main/5002880 5002881 || [FORTINET-BLUEDOT] Login accepted from suspicious source || url,wiki.quadrantsec.com/bin/view/Main/5002881 5002882 || [FORTINET-BLUEDOT] Administrator Login from suspicious source || url,wiki.quadrantsec.com/bin/view/Main/5002882 5002883 || 
[FORTINET-BLUEDOT] Admin authentication success from suspicious source || url,wiki.quadrantsec.com/bin/view/Main/5002883 5002884 || [FORTINET-BLUEDOT] SSH traffic detected from suspicious source || url,wiki.quadrantsec.com/bin/view/Main/5002884 5002885 || [COURIER-BLUEDOT] Authentication failure from suspicious source || url,wiki.quadrantsec.com/bin/view/Main/5002885 5002886 || [COURIER-BLUEDOT] Logout/disconnect from suspicious source || url,wiki.quadrantsec.com/bin/view/Main/5002886 5002887 || [COURIER-BLUEDOT] User login from suspicious source || url,wiki.quadrantsec.com/bin/view/Main/5002887 5002888 || [COURIER-BLUEDOT] Timeout from suspicious source || url,wiki.quadrantsec.com/bin/view/Main/5002888 5002889 || [F5-BIG-IP-BLUEDOT] Command-line Login from suspicious source || url,wiki.quadrantsec.com/bin/view/Main/5002889 || url,support.f5.com/kb/en-us/solutions/public/13000/400/sol13426.html 5002890 || [F5-BIG-IP-BLUEDOT] Command-line Logout from suspicious source || url,wiki.quadrantsec.com/bin/view/Main/5002890 || url,support.f5.com/kb/en-us/solutions/public/13000/400/sol13426.html 5002891 || [F5-BIG-IP-BLUEDOT] Unsuccessful Command-line Login from suspicious source || url,wiki.quadrantsec.com/bin/view/Main/5002891 || url,support.f5.com/kb/en-us/solutions/public/13000/400/sol13426.html 5002892 || [F5-BIG-IP-BLUEDOT] Unsuccessful Command-line Login from suspicious source || url,wiki.quadrantsec.com/bin/view/Main/5002892 || url,support.f5.com/kb/en-us/solutions/public/13000/400/sol13426.html 5002893 || [F5-BIG-IP-BLUEDOT] Successful Configuration Utility Login from suspicious source || url,wiki.quadrantsec.com/bin/view/Main/5002893 || url,support.f5.com/kb/en-us/solutions/public/13000/400/sol13426.html 5002894 || [F5-BIG-IP-BLUEDOT] Unsuccessful Configuration Utility Login from suspicious source || url,wiki.quadrantsec.com/bin/view/Main/5002894 || url,support.f5.com/kb/en-us/solutions/public/13000/400/sol13426.html 5002895 || [FATPIPE-BLUEDOT] Login Success from 
suspicious source || url,wiki.quadrantsec.com/bin/view/Main/5002895 5002896 || [FATPIPE-BLUEDOT] Login Success - ADMINISTRATOR - from suspicious source || url,wiki.quadrantsec.com/bin/view/Main/5002896 5002897 || [IMAPD-BLUEDOT] Login from suspicious source || url, wiki.quadrantsec.com/bin/view/Main/5002897 5002898 || [IMAPD-BLUEDOT] Logout from suspicious source || url, wiki.quadrantsec.com/bin/view/Main/5002898 5002899 || [IMAPD-BLUEDOT] Timeout from suspicious source || url, wiki.quadrantsec.com/bin/view/Main/5002899 5002900 || [IMAPD-BLUEDOT] Disconnect from suspicious source || url, wiki.quadrantsec.com/bin/view/Main/5002900 5002901 || [IMAPD-BLUEDOT] Connection from suspicious source || url, wiki.quadrantsec.com/bin/view/Main/5002901 5002905 || [OPENSSH-BLUEDOT] Authentication success via password from suspicious source || url,wiki.quadrantsec.com/bin/view/Main/5002905 5002906 || [OPENSSH-BLUEDOT] Authentication success via publickey from suspicious source || url,wiki.quadrantsec.com/bin/view/Main/5002906 5002907 || [OPENSSH-BLUEDOT] Authentication success via keyboard from suspicious source || url,wiki.quadrantsec.com/bin/view/Main/5002907 5002908 || [PROFTPD-BLUEDOT] Authentication success from suspicious source || url,wiki.quadrantsec.com/bin/view/Main/5002908 5002909 || [RIVERBED-BLUEDOT] Administrator Login from a suspicious source || url,wiki.quadrantsec.com/bin/view/Main/5002909 5002910 || [FILE-BLUEDOT] Executable Downloaded from a suspicious source || url, wiki.quadrantsec.com/bin/view/Main/5002910 5002911 || [FILE-BLUEDOT] Java Downloaded from a suspicious source || url, wiki.quadrantsec.com/bin/view/Main/5002911 5002912 || [FILE-BLUEDOT] Jar/Zip Downloaded from a suspicious source || url, wiki.quadrantsec.com/bin/view/Main/5002912 5002913 || [FILE-BLUEDOT] PDF Downloaded from a suspicious source || url, wiki.quadrantsec.com/bin/view/Main/5002913 5002914 || [FILE-BLUEDOT] Flash Downloaded from a suspicious source || url, wiki.quadrantsec.com/bin/view/Main/5002914 
5002915 || [SSH-TECTIA-SERVER-BLUEDOT] Authentication success from a suspicious source || url,wiki.quadrantsec.com/bin/view/Main/5002915 5002916 || [VMWARE-BLUEDOT] User login successful from a suspicious source || url,wiki.quadrantsec.com/bin/view/Main/5002916 5002917 || [VMWARE-BLUEDOT] User login successful from a suspicious source || url,wiki.quadrantsec.com/bin/view/Main/5002917 5002918 || [VMWARE-BLUEDOT] User login successful from a suspicious source || url,wiki.quadrantsec.com/bin/view/Main/5002918 5002919 || [VSFTPD-BLUEDOT] Authentication successful from a suspicious IP || url,wiki.quadrantsec.com/bin/view/Main/5002919 5002920 || [VSFTPD-BLUEDOT] File uploaded from a suspicious IP || url,wiki.quadrantsec.com/bin/view/Main/5002920 5002921 || [CARBONBLACK] Non-System Filemods to system32 5002922 || [CARBONBLACK] Newly Loaded Modules 5002923 || [CARBONBLACK] A new device was mounted 5002924 || [CARBONBLACK] File was executed for the first time 5002925 || [CARBONBLACK] Computer reported that signature on file is invalid 5002926 || [CARBONBLACK] Server discovered new certificate 5002927 || [CARBONBLACK] Disk configuration change detected 5002928 || [CARBONBLACK] Agent blocked an attempt to create file 5002929 || [CARBONBLACK] Agent blocked an attempt to delete file 5002930 || [CARBONBLACK] Permission change was blocked 5002931 || [CARBONBLACK] Modification of registry was blocked 5002932 || [CARBONBLACK] Agent failed a health check 5002933 || [CARBONBLACK] File was identified by Software Reputation Service as a potential risk 5002934 || [CARBONBLACK] Server detected revocation of certificate 5002935 || [CARBONBLACK] Agent detected a problem 5002936 || [CARBONBLACK] Exclusive access to a file was blocked because of tamper protection 5002937 || [CARBONBLACK] Agent had to rebuild its primary database cache and now has to re-initialize 5002938 || [CARBONBLACK] Computer failed to receive Notifier Logo 5002939 || [CARBONBLACK] Agent had to restore its primary 
database cache 5002940 || [BLUEDOT] Suspicious file hash detected || url,wiki.quadrantsec.com/bin/view/Main/5002940 5002941 || [WINDOWS-MISC] Suspicious event logging service shut down. || url,wiki.quadrantsec.com/bin/view/Main/5002941 5002942 || [ASTERISK] Brute force login session failed [5/5] || url,wiki.quadrantsec.com/bin/view/Main/5002942 5002943 || [ASTERISK] Brute force login session failed [invalid user] [5/5] || url,wiki.quadrantsec.com/bin/view/Main/5002943 5002944 || [ASTERISK] Brute force login session failed [invalid extension] [5/5] || url,wiki.quadrantsec.com/bin/view/Main/5002944 5002945 || [Barracuda] Brute force login attempt [5/5] || url,wiki.quadrantsec.com/bin/view/Main/5002945 5002946 || [F5-BIG-IP] Brute force Attempt [5/1] || url,wiki.quadrantsec.com/bin/view/Main/5002946 || url,support.f5.com/kb/en-us/solutions/public/13000/400/sol13426.html 5002947 || [IMAPD] Brute force attack [5/1] || url,wiki.quadrantsec.com/bin/view/Main/5002947 5002948 || [NGINX] Nginx brute force authentication attempt [5/1] || url,wiki.quadrantsec.com/bin/view/Main/5002948 5002949 || [ORACLE] Brute force authentication failure [5/1] || url, wiki.quadrantsec.com/bin/view/Main/5002949 5002950 || [FTPD] FTPCHK3 file accessed by user || url,blog.ftptoday.com/ftp-password-stealing-malware || url,wiki.quadrantsec.com/bin/view/Main/5002950 5002951 || [PROFTP] FTPCHK3 file accessed by user || url,wiki.quadrantsec.com/bin/view/Main/5002951 || url,blog.ftptoday.com/ftp-password-stealing-malware 5002952 || [PUREFTPD] FTPCHK3 file accessed by user || url,wiki.quadrantsec.com/bin/view/Main/5002952 || url,blog.ftptoday.com/ftp-password-stealing-malware 5002953 || [VSFTPD] FTPCHK3 file accessed by user || url,wiki.quadrantsec.com/bin/view/Main/5002953 || url,blog.ftptoday.com/ftp-password-stealing-malware 5002954 || [WINDOWS-MISC] Event log has been cleared. 
|| url,wiki.quadrantsec.com/bin/view/Main/5002954 5002955 || [WINDOWS-MISC] Logging has been stopped on this device || url,wiki.quadrantsec.com/bin/view/Main/5002955 5002956 || [WINDOWS-MALWARE] Suspicious Service Control Manager Call || url,twitter.com/jackcr/status/779716898296520704 5002957 || [WINDOWS-CORRELATED] Successful RDP login after recon activity || url,wiki.quadrantsec.com/bin/view/Main/5002957 5002958 || [WINDOWS-CORRELATED] Successful RDP login after exploit attempt || url,wiki.quadrantsec.com/bin/view/Main/5002958 5002959 || [DYNAMIC] APC-EMU logs detected via program. || url,wiki.quadrantsec.com/bin/view/Main/5002959 5002960 || [DYNAMIC] Arpalert or Arpwatch logs detected via program. || url,wiki.quadrantsec.com/bin/view/Main/5002960 5002961 || [DYNAMIC] Artillery logs detected via program. || url,wiki.quadrantsec.com/bin/view/Main/5002961 5002962 || [DYNAMIC] Asterisk logs detected via program. || url,wiki.quadrantsec.com/bin/view/Main/5002962 5002963 || [DYNAMIC] Bash logs detected via program. || url,wiki.quadrantsec.com/bin/view/Main/5002963 5002964 || [DYNAMIC] Bind logs detected via program. || url,wiki.quadrantsec.com/bin/view/Main/5002964 5002965 || [DYNAMIC] Bit9 logs detected via program. || url,wiki.quadrantsec.com/bin/view/Main/5002965 5002966 || [DYNAMIC] Bro logs detected via program. || url,wiki.quadrantsec.com/bin/view/Main/5002966 5002967 || [DYNAMIC] Cisco ASA logs detected via program. || url,wiki.quadrantsec.com/bin/view/Main/5002967 5002968 || [DYNAMIC] Courier/IMAP logs detected via program. || url,wiki.quadrantsec.com/bin/view/Main/5002968 5002969 || [DYNAMIC] OpenSSH logs detected via program. || url,wiki.quadrantsec.com/bin/view/Main/5002969 5002970 || [DYNAMIC] DigitalPersona logs detected via program. || url,wiki.quadrantsec.com/bin/view/Main/5002970 5002971 || [DYNAMIC] Dovecot logs detected via program. || url,wiki.quadrantsec.com/bin/view/Main/5002971 5002972 || [DYNAMIC] FIPAYPIN logs detected via program. 
|| url,wiki.quadrantsec.com/bin/view/Main/5002972 5002973 || [DYNAMIC] FTPD logs detected via program. || url,wiki.quadrantsec.com/bin/view/Main/5002973 5002974 || [DYNAMIC] Grsec logs detected via program. || url,wiki.quadrantsec.com/bin/view/Main/5002974 5002975 || [DYNAMIC] Honeyd logs detected via program. || url,wiki.quadrantsec.com/bin/view/Main/5002975 5002976 || [DYNAMIC] Horde logs detected via program. || url,wiki.quadrantsec.com/bin/view/Main/5002976 5002977 || [DYNAMIC] Hostapd logs detected via program. || url,wiki.quadrantsec.com/bin/view/Main/5002977 5002978 || [DYNAMIC] IMAPD logs detected via program. || url,wiki.quadrantsec.com/bin/view/Main/5002978 5002979 || [DYNAMIC] IPOP3D logs detected via program. || url,wiki.quadrantsec.com/bin/view/Main/5002979 5002980 || [DYNAMIC] Kismet_Server logs detected via program. || url,wiki.quadrantsec.com/bin/view/Main/5002980 5002981 || [DYNAMIC] Knockd logs detected via program. || url,wiki.quadrantsec.com/bin/view/Main/5002981 5002982 || [DYNAMIC] Linux kernel logs detected via program. || url,wiki.quadrantsec.com/bin/view/Main/5002982 5002983 || [DYNAMIC] SMTP milter logs detected via program. || url,wiki.quadrantsec.com/bin/view/Main/5002983 5002984 || [DYNAMIC] MongoDB logs detected via program. || url,wiki.quadrantsec.com/bin/view/Main/5002984 5002985 || [DYNAMIC] MySQL logs detected via program. || url,wiki.quadrantsec.com/bin/view/Main/5002985 5002986 || [DYNAMIC] NeXpose logs detected via program. || url,wiki.quadrantsec.com/bin/view/Main/5002986 5002987 || [DYNAMIC] Nfcapd logs detected via program. || url,wiki.quadrantsec.com/bin/view/Main/5002987 5002988 || [DYNAMIC] Nginx logs detected via program. || url,wiki.quadrantsec.com/bin/view/Main/5002988 5002989 || [DYNAMIC] OpenVPN logs detected via program. || url,wiki.quadrantsec.com/bin/view/Main/5002989 5002990 || [DYNAMIC] OSSEC logs detected via program. 
|| url,wiki.quadrantsec.com/bin/view/Main/5002990 5002991 || [DYNAMIC] Postfix logs detected via program. || url,wiki.quadrantsec.com/bin/view/Main/5002991 5002992 || [DYNAMIC] Postgres logs detected via program. || url,wiki.quadrantsec.com/bin/view/Main/5002992 5002993 || [DYNAMIC] pptpd logs detected via program. || url,wiki.quadrantsec.com/bin/view/Main/5002993 5002994 || [DYNAMIC] Pure-FTP logs detected via program. || url,wiki.quadrantsec.com/bin/view/Main/5002994 5002995 || [DYNAMIC] Racoon logs detected via program. || url,wiki.quadrantsec.com/bin/view/Main/5002995 5002996 || [DYNAMIC] Riverbed logs detected via program. || url,wiki.quadrantsec.com/bin/view/Main/5002996 5002998 || [DYNAMIC] Roundcube logs detected via program. || url,wiki.quadrantsec.com/bin/view/Main/5002998 5002999 || [DYNAMIC] Rsync logs detected via program. || url,wiki.quadrantsec.com/bin/view/Main/5002999 5003000 || [DYNAMIC] Samba logs detected via program. || url,wiki.quadrantsec.com/bin/view/Main/5003000 5003001 || [DYNAMIC] Sendmail logs detected via program. || url,wiki.quadrantsec.com/bin/view/Main/5003001 5003002 || [DYNAMIC] Snort logs detected via program. || url,wiki.quadrantsec.com/bin/view/Main/5003002 5003004 || [DYNAMIC] SSH-Tectia-Server logs detected via program. || url,wiki.quadrantsec.com/bin/view/Main/5003004 5003005 || [DYNAMIC] su/sudo logs detected via program. || url,wiki.quadrantsec.com/bin/view/Main/5003005 5003006 || [DYNAMIC] Symantec EMS logs detected via program. || url,wiki.quadrantsec.com/bin/view/Main/5003006 5003007 || [DYNAMIC] Telnet logs detected via program. || url,wiki.quadrantsec.com/bin/view/Main/5003007 5003008 || [DYNAMIC] Trendmicro Antivirus logs detected via program. || url,wiki.quadrantsec.com/bin/view/Main/5003008 5003009 || [DYNAMIC] Tripwire logs detected via program. || url,wiki.quadrantsec.com/bin/view/Main/5003009 5003010 || [DYNAMIC] Vmpop3d logs detected via program. 
|| url,wiki.quadrantsec.com/bin/view/Main/5003010 5003011 || [DYNAMIC] VMWare ESXi logs detected via program. || url,wiki.quadrantsec.com/bin/view/Main/5003011 5003012 || [DYNAMIC] VPopmail logs detected via program. || url,wiki.quadrantsec.com/bin/view/Main/5003012 5003013 || [DYNAMIC] VSFTPD logs detected via program. || url,wiki.quadrantsec.com/bin/view/Main/5003013 5003014 || [DYNAMIC] Weblabyrinth logs detected via program. || url,wiki.quadrantsec.com/bin/view/Main/5003014 5003015 || [DYNAMIC] MSSQL logs detected via program. || url,wiki.quadrantsec.com/bin/view/Main/5003015 5003016 || [DYNAMIC] Windows Sysmon logs detected via program. || url,wiki.quadrantsec.com/bin/view/Main/5003016 5003017 || [DYNAMIC] Wordpress logs detected via program. || url,wiki.quadrantsec.com/bin/view/Main/5003017 5003018 || [DYNAMIC] xinetd logs detected via program. || url,wiki.quadrantsec.com/bin/view/Main/5003018 5003019 || [DYNAMIC] Yubikey logs detected via program. || url,wiki.quadrantsec.com/bin/view/Main/5003019 5003020 || [DYNAMIC] Zeus logs detected via program. || url,wiki.quadrantsec.com/bin/view/Main/5003020 5003021 || [DYNAMIC] Juniper logs detected via program. || url,wiki.quadrantsec.com/bin/view/Main/5003021 5003022 || [DYNAMIC] Proftp logs detected via program. || url,wiki.quadrantsec.com/bin/view/Main/5003022 5003023 || [DYNAMIC] Apache logs detected via program. || url,wiki.quadrantsec.com/bin/view/Main/5003023 5003024 || [WINDOWS-MALWARE] WonderCrypter ransomware extension or note detected. 
|| url,www.virustotal.com/en/file/be3afa19c76c2270ccac7eacf68f89603032c0588f721215e15a9d1421567969/analysis/ || url, || url,wiki.quadrantsec.com/bin/view/Main/5003024 5003025 || [FORTINET-MALWARE] Potential malware traffic detected 5003026 || [CISCO-MERAKI] SSID Spoofing Detected || url,meraki.cisco.com/lib/pdf/meraki_whitepaper_air_marshal.pdf 5003027 || [ZIMBRA] Postfix/SMTPS/SMTPD - Brute force [5/3] || url,wiki.quadrantsec.com/bin/view/Main/5003027 5003028 || [ZIMBRA] SASLAUTHD - Brute force [5/3] || url,wiki.quadrantsec.com/bin/view/Main/5003028 5003029 || [ZIMBRA] SOAP Invalid user - Brute force account not found [5/3] || url,wiki.quadrantsec.com/bin/view/Main/5003029 5003030 || [ZIMBRA] SOAP Invalid user - Brute force invalid password [5/3] || url,wiki.quadrantsec.com/bin/view/Main/5003030 5003031 || [ZIMBRA] MS ActiveSync - Brute force invalid password [5/3] || url,wiki.quadrantsec.com/bin/view/Main/5003031 5003032 || [DYNAMIC] Squid logs detected via program. || url,wiki.quadrantsec.com/bin/view/Main/5003003 5003033 || [ZIMBRA] SYNC - Brute force invalid username or password [5/3] || url,wiki.quadrantsec.com/bin/view/Main/5003033 5003034 || [ZIMBRA-GEOIP] SASL Authentication from outside HOME_COUNTRY || url,wiki.quadrantsec.com/bin/view/Main/5003034 5003035 || [ZIMBRA-GEOIP] NGNIX Authentication from outside HOME_COUNTRY || url,wiki.quadrantsec.com/bin/view/Main/5003035 5003036 || [ZIMBRA-GEOIP] EWS Authentication from outside HOME_COUNTRY || url,wiki.quadrantsec.com/bin/view/Main/5003036 5003037 || [ZIMBRA] SYNC - User password mismatch [5/3] || url,wiki.quadrantsec.com/bin/view/Main/5003037 5003038 || [ZIMBRA] Clamd - Threat Detected || url,wiki.quadrantsec.com/bin/view/Main/5003038 5003039 || [WINDOWS-AUTH] Successful Administrator Logon Detected || url,wiki.quadrantsec.com/bin/view/Main/5003039 5003040 || [WINDOWS-MISC] Fan failure detected || url,wiki.quadrantsec.com/bin/view/Main/5003040 5003042 || [CISCO-MERAKI] VPN connectivity change 5003043 || 
[CISCO-MERAKI] Uplink connectivity change 5003044 || [CISCO-MERAKI] Uplink connectivity change 5003045 || [CISCO-MERAKI] Malicious file blocked by amp || url,documentation.meraki.com/MX-Z/Content_Filtering_and_Threat_Protection/ 5003046 || [CISCO-MERAKI] File issued retrospective malicious disposition || url,documentation.meraki.com/MX-Z/Content_Filtering_and_Threat_Protection/ 5003047 || [CISCO-MERAKI] WPA failed authentication attempt 5003048 || [CISCO-MERAKI] 802.1x failed authentication attempt 5003049 || [CISCO-MERAKI] WPA failed authentication attempt || url,meraki.cisco.com/lib/pdf/meraki_whitepaper_air_marshal.pdf 5003050 || [CISCO-MERAKI] Flow denied by Layer 3 firewall 5003051 || [CISCO-MERAKI] Port status changed 5003052 || [CISCO-MERAKI] Virtual router collision 5003053 || [CISCO-MERAKI] VRRP transition 5003054 || [CISCO-MERAKI] Blocked DHCP server response 5003055 || [WATCHGUARD] IPv4 source route attack was detected || url,www.watchguard.com/help/docs/wsm/XTM_11/en-US/log_catalog/index.html 5003056 || [WATCHGUARD] IPv4 SYN flood attack was detected || url,www.watchguard.com/help/docs/wsm/XTM_11/en-US/log_catalog/index.html 5003057 || [WATCHGUARD] IPv4 ICMP flood attack was detected || url,www.watchguard.com/help/docs/wsm/XTM_11/en-US/log_catalog/index.html 5003058 || [WATCHGUARD] IPv4 UDP flood attack was detected || url,www.watchguard.com/help/docs/wsm/XTM_11/en-US/log_catalog/index.html 5003059 || [WATCHGUARD] IPv4 IPSEC flood attack was detected || url,www.watchguard.com/help/docs/wsm/XTM_11/en-US/log_catalog/index.html 5003060 || [WATCHGUARD] IPv4 IKE flood attack was detected || url,www.watchguard.com/help/docs/wsm/XTM_11/en-US/log_catalog/index.html 5003061 || [WATCHGUARD] IPv4 scan attack was detected || url,www.watchguard.com/help/docs/wsm/XTM_11/en-US/log_catalog/index.html 5003062 || [WATCHGUARD] IPv4 port scan attack was detected || url,www.watchguard.com/help/docs/wsm/XTM_11/en-US/log_catalog/index.html 5003063 || [WATCHGUARD] IPv4 DDOS 
attack against a server was detected || url,www.watchguard.com/help/docs/wsm/XTM_11/en-US/log_catalog/index.html 5003064 || [WATCHGUARD] IPv4 DDOS attack from a client was detected || url,www.watchguard.com/help/docs/wsm/XTM_11/en-US/log_catalog/index.html 5003065 || [WATCHGUARD] IPv6 SYN flood attack was detected || url,www.watchguard.com/help/docs/wsm/XTM_11/en-US/log_catalog/index.html 5003066 || [WATCHGUARD] IPv6 ICMP flood attack was detected || url,www.watchguard.com/help/docs/wsm/XTM_11/en-US/log_catalog/index.html 5003067 || [WATCHGUARD] IPv6 UDP flood attack was detected || url,www.watchguard.com/help/docs/wsm/XTM_11/en-US/log_catalog/index.html 5003068 || [WATCHGUARD] IPv6 IPSEC flood attack was detected || url,www.watchguard.com/help/docs/wsm/XTM_11/en-US/log_catalog/index.html 5003069 || [WATCHGUARD] IPv6 IKE flood attack was detected || url,www.watchguard.com/help/docs/wsm/XTM_11/en-US/log_catalog/index.html 5003070 || [WATCHGUARD] Traffic was detected to or from a blocked site || url,www.watchguard.com/help/docs/wsm/XTM_11/en-US/log_catalog/index.html 5003071 || [WATCHGUARD] IP spoofing was detected from the IP address specified || url,www.watchguard.com/help/docs/wsm/XTM_11/en-US/log_catalog/index.html 5003072 || [WATCHGUARD] Possible loop or ARP spoofing detected || url,www.watchguard.com/help/docs/wsm/XTM_11/en-US/log_catalog/index.html 5003073 || [WATCHGUARD] Firewall is shutting down || url,www.watchguard.com/help/docs/wsm/XTM_11/en-US/log_catalog/index.html 5003074 || [WATCHGUARD] Detected an ARP spoofing attack || url,www.watchguard.com/help/docs/wsm/XTM_11/en-US/log_catalog/index.html 5003075 || [WATCHGUARD] Feature key for Application Control subscription has expired || url,www.watchguard.com/help/docs/wsm/XTM_11/en-US/log_catalog/index.html 5003076 || [WATCHGUARD] Feature key for Intrusion Prevention Services subscription has expired || url,www.watchguard.com/help/docs/wsm/XTM_11/en-US/log_catalog/index.html 5003077 || [WATCHGUARD] Capture 
stopped due to the specified reason || url,www.watchguard.com/help/docs/wsm/XTM_11/en-US/log_catalog/index.html 5003078 || [WATCHGUARD] Starting wireless AP service || url,www.watchguard.com/help/docs/wsm/XTM_11/en-US/log_catalog/index.html 5003079 || [WATCHGUARD] Wireless access point model mismatch || url,www.watchguard.com/help/docs/wsm/XTM_11/en-US/log_catalog/index.html 5003080 || [WATCHGUARD] Wireless access point activation failure || url,www.watchguard.com/help/docs/wsm/XTM_11/en-US/log_catalog/index.html 5003081 || [WATCHGUARD] APT threat identification and notification || url,www.watchguard.com/help/docs/wsm/XTM_11/en-US/log_catalog/index.html 5003082 || [WATCHGUARD] Gateway AntiVirus (GAV) detected a virus or malware in an email attachment. || url,www.watchguard.com/help/docs/wsm/XTM_11/en-US/log_catalog/index.html 5003083 || [WATCHGUARD] Gateway AntiVirus (GAV) cannot perform scan || url,www.watchguard.com/help/docs/wsm/XTM_11/en-US/log_catalog/index.html 5003084 || [WATCHGUARD] APT threat detected || url,www.watchguard.com/help/docs/wsm/XTM_11/en-US/log_catalog/index.html 5003085 || [WATCHGUARD] Gateway AntiVirus (GAV) virus found - FTP || url,www.watchguard.com/help/docs/wsm/XTM_11/en-US/log_catalog/index.html 5003086 || [WATCHGUARD] Gateway AntiVirus (GAV) scan error || url,www.watchguard.com/help/docs/wsm/XTM_11/en-US/log_catalog/index.html 5003087 || [WATCHGUARD] Gateway AntiVirus (GAV) virus found - POP3 || url,www.watchguard.com/help/docs/wsm/XTM_11/en-US/log_catalog/index.html 5003088 || [WATCHGUARD] Administrative accounts reset to default || url,www.watchguard.com/help/docs/wsm/XTM_11/en-US/log_catalog/index.html 5003089 || [WATCHGUARD] LIVESECURITY feature not found || url,www.watchguard.com/help/docs/wsm/XTM_11/en-US/log_catalog/index.html 5003090 || [WATCHGUARD] Member promoted to master || url,www.watchguard.com/help/docs/wsm/XTM_11/en-US/log_catalog/index.html 5003091 || [WATCHGUARD] Failed to start the signature update for the specified 
services || url,www.watchguard.com/help/docs/wsm/XTM_11/en-US/log_catalog/index.html 5003092 || [WATCHGUARD] VPN - User login || url,www.watchguard.com/help/docs/wsm/XTM_11/en-US/log_catalog/index.html 5003093 || [WATCHGUARD] VPN (SSL) - User login || url,www.watchguard.com/help/docs/wsm/XTM_11/en-US/log_catalog/index.html 5003094 || [WATCHGUARD] Failed Login Attempt - Brute force [WATCHGUARD] [5/5] || url,www.watchguard.com/help/docs/wsm/XTM_11/en-US/log_catalog/index.html 5003095 || [WATCHGUARD-GEOIP] VPN login from outside HOME_COUNTRY || url,www.watchguard.com/help/docs/wsm/XTM_11/en-US/log_catalog/index.html 5003096 || [WATCHGUARD-GEOIP] FTP file transfer to outside HOME_COUNTRY || url,www.watchguard.com/help/docs/wsm/XTM_11/en-US/log_catalog/index.html 5003097 || [WATCHGUARD] Signature update process for the specified version failed || url,www.watchguard.com/help/docs/wsm/XTM_11/en-US/log_catalog/index.html 5003098 || [WATCHGUARD] IP spoofing was detected from the IP address specified || url,www.watchguard.com/help/docs/wsm/XTM_11/en-US/log_catalog/index.html 5003099 || [WATCHGUARD] Wireless Access Point Model Mismatch || url,www.watchguard.com/help/docs/wsm/XTM_11/en-US/log_catalog/index.html 5003100 || [WATCHGUARD] IPS detected an intrusion in the client request or server response content body || url,www.watchguard.com/help/docs/wsm/XTM_11/en-US/log_catalog/index.html 5003101 || [WINDOWS-AUTH] Possible Windows Broken Domain Trust [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5003101 5003102 || [WINDOWS-AUTH] Possible Windows Broken Domain Trust [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5003102 5003103 || [WINDOWS-AUTH] Possible Windows Broken Domain Trust [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5003103 5003104 || [WINDOWS-AUTH] User added to Schema Admins || url,wiki.quadrantsec.com/bin/view/Main/5003104 5003105 || [WINDOWS-MISC] Installation of PSEXEC service via Security Audit || url,pastebin.com/raw/0SNSvyjJ || 
url,wiki.quadrantsec.com/bin/view/Main/5003105 5003106 || [WINDOWS-MISC] Installation of PSEXEC service via SCM || url,pastebin.com/raw/0SNSvyjJ || url,wiki.quadrantsec.com/bin/view/Main/5003106 5003107 || [SYSLOG] Possible Windows Broken Domain Trust [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5003107 5003108 || [NXLOG] Unable to read eventlog || url,wiki.quadrantsec.com/bin/view/Main/5003108 5003109 || [NXLOG] Service stopping || url,wiki.quadrantsec.com/bin/view/Main/5003109 5003110 || [NXLOG] Termination Request || url,wiki.quadrantsec.com/bin/view/Main/5003110 5003111 || [NXLOG] Missing Windows Log Message || url,wiki.quadrantsec.com/bin/view/Main/5003111 5003112 || [JUNIPER-BLUEDOT] VPN Login from a known malicious source || url, wiki.quadrantsec.com/bin/view/Main/5003112 5003113 || [JUNIPER-GEOIP] VPN Logout from a known malicious source || url, wiki.quadrantsec.com/bin/view/Main/5003113 5003114 || [JUNIPER-BLUEDOT] Juniper ScreenOS Admin Login from a known malicous source || url, wiki.quadrantsec.com/bin/view/Main/5003114 || url,kb.juniper.net/InfoCenter/index?page=content&id=JSA10713&actp=search 5003115 || [LINUX-KERNEL] Bad UDP checksum || url,wiki.quadrantsec.com/bin/view/Main/5003115 5003116 || [WINDOWS-MALWARE] Adylkuzz Trojan service installation detected || url, www.symantec.com/security_response/writeup.jsp?docid=2017-051707-0237-99&tabid=2 || url,wiki.quadrantsec.com/bin/view/Main/5003117 5003117 || [WINDOWS-MALWARE] Adylkuzz Trojan log file detected || url, www.symantec.com/security_response/writeup.jsp?docid=2017-051707-0237-99&tabid=2 || url,wiki.quadrantsec.com/bin/view/Main/5003117 5003118 || [BLUEDOT] Malicious MD5 hash detected via Bluedot || url,wiki.quadrantsec.com/bin/view/Main/5002288 5003119 || [BLUEDOT] Malicious SHA1 hash detected via Bluedot || url,wiki.quadrantsec.com/bin/view/Main/5002288 5003120 || [BLUEDOT] Malicious SHA256 hash detected via Bluedot || url,wiki.quadrantsec.com/bin/view/Main/5002288 5003121 || 
[WINDOWS-MALWARE] Petya payload delivery SHA256 hash detected - Open source || url,isc.sans.edu/forums/diary/Widescale+Petya+variant+ransomware+attack+noted/22560/ || url,gist.github.com/vulnersCom/65fe44d27d29d7a5de4c176baba45759 5003122 || [WINDOWS-MALWARE] Petya payload delivery SHA1 hash detected - Open source || url,isc.sans.edu/forums/diary/Widescale+Petya+variant+ransomware+attack+noted/22560/ || url,gist.github.com/vulnersCom/65fe44d27d29d7a5de4c176baba45759 5003123 || [WINDOWS-MALWARE] Petya payload delivery MD5 hash detected - Open source || url,isc.sans.edu/forums/diary/Widescale+Petya+variant+ransomware+attack+noted/22560/ || url,gist.github.com/vulnersCom/65fe44d27d29d7a5de4c176baba45759 5003124 || [WINDOWS-MALWARE] Petya detected by filename - Open source || url,isc.sans.edu/forums/diary/Widescale+Petya+variant+ransomware+attack+noted/22560/ || url,gist.github.com/vulnersCom/65fe44d27d29d7a5de4c176baba45759 5003125 || [NXLOG] Service restart to correct problem [CLEAR XBIT] || url,wiki.quadrantsec.com/bin/view/Main/5003125 5003126 || [ZSCALER] known Malicious user agent - MSIE 9.0 in version 10 format || url,www.virustotal.com/en/file/aaf9b99314eb5201407bc82ee948c0a3a1c6b0a3288e230bc03e4c2a2b4287e3/analysis/ 5003127 || [ZSCALER] known malicious user-agent string - MSIE 7.0 na - Win.Trojan.Koobface || url,www.virustotal.com/en/file/ef420005a10d73b840604b517c4760400ccfc6c5baba0ae5d05ec6f88e56821e/analysis/ 5003128 || [ZSCALER] known malicious user-agent string - Downloader 1.8 - Win.Trojan.Graftor || url,www.virustotal.com/en/file/0F45FB61856437CB3123C4DEAC68942C17ADC6534719E583F22E3DE1F31C1CA5/analysis/ 5003129 || [ZSCALER] known malicious User-Agent string - HttpCall - Win.Trojan.Rukypee || url,www.virustotal.com/en/file/74f22eced680ca26b767b4b07ba26b98536a385249d751586915b15b56509e0d/analysis/ 5003130 || [ZSCALER] known malicious User-Agent string - MyProgramm - Win.Trojan.Rukypee || 
url,www.virustotal.com/en/file/74f22eced680ca26b767b4b07ba26b98536a385249d751586915b15b56509e0d/analysis/ 5003131 || [ZSCALER] known malicious User-Agent string - Skypee - Win.Trojan.Rukypee || url,www.virustotal.com/en/file/74f22eced680ca26b767b4b07ba26b98536a385249d751586915b15b56509e0d/analysis/ 5003132 || [ZSCALER] known malicous user agent string - XAgent - Operation Pawn Storm || url,www.virustotal.com/en/file/7313eaf95a8a8b4c206b9afe306e7c0675a21999921a71a5a16456894571d21d/analysis/ 5003133 || [ZSCALER] known malicious user-agent string crackim || url,www.virustotal.com/en/file/27fa65a3166def75feb75f8feb25dd9784b8f2518c73defcc4ed3e9f46868e76/analysis/ 5003134 || [ZSCALER] Win.Trojan.Darkcpn outbound connection || url,virustotal.com/file/cab7cd418b1114c277f84c4fe59d05bcf53babf64f16ebe86ab11641bd6bbd94/analysis/ 5003135 || [ZSCALER] known malicious User-Agent string - MyIE 3.01 || url,virustotal.com/en/file/8553b945e2d4b9f45c438797d6b5e73cfe2899af1f9fd87593af4fd7fb51794a/analysis/ 5003136 || [ZSCALER] Suspicious User Agent (agent) || url,doc.emergingthreats.net/bin/view/Main/2001891 5003137 || [ZSCALER] Drivecleaner.com Spyware User-Agent (DriveCleaner Updater) || url,doc.emergingthreats.net/2003486 || url,research.sunbelt-software.com/threatdisplay.aspx?name=DriveCleaner&threatid=44533 || url,www.drivecleaner.com 5003138 || [ZSCALER] Winfixmaster.com Fake Anti-Spyware User-Agent 2 (WinFix Master) || url,doc.emergingthreats.net/2003545 5003139 || [ZSCALER] Vaccineprogram.co.kr Related Spyware User-Agent (Museon) || url,doc.emergingthreats.net/2006418 5003140 || [ZSCALER] Vaccineprogram.co.kr Related Spyware User Agent (pcsafe) || url,doc.emergingthreats.net/2006420 5003141 || [ZSCALER] klm123.com Spyware User Agent || url,doc.emergingthreats.net/2007616 5003142 || [ZSCALER] Suspicious User Agent (_) || url,doc.emergingthreats.net/bin/view/Main/2007942 5003143 || [ZSCALER] Casino Related Spyware User-Agent Detected (Viper 4.0) || 
url,doc.emergingthreats.net/2008586 5003144 || [ZSCALER] Suspicious User Agent (BlackSun) || url,doc.emergingthreats.net/bin/view/Main/2008983 || url,www.bitdefender.com/VIRUS-1000328-en--Trojan.Pws.Wow.NCY.html 5003145 || [ZSCALER] Win32.Tdss User Agent Detected (Mozzila) || url,doc.emergingthreats.net/2010889 5003146 || [ZSCALER] Suspicious User Agent (ScrapeBox) 5003147 || [ZSCALER] Malware Related msndown || url,www.sunbeltsecurity.com/partnerresources/cwsandbox/md5.aspx?id=17fdf0cb5970b71b81b1a5406e017ac1 5003148 || [ZSCALER] W32/Goolbot.E Checkin UA Detected iamx 5003149 || [ZSCALER] Suspicious Win32 User Agent 5003150 || [ZSCALER] Suspicious User-Agent (Our_Agent) 5003151 || [ZSCALER] suspicious user-agent (REKOM) 5003152 || [ZSCALER] Suspicious User-Agent Moxilla 5003153 || [ZSCALER] Suspicious User-Agent VCTestClient 5003154 || [ZSCALER] Suspicious User-Agent PrivacyInfoUpdate 5003155 || [ZSCALER] Suspicious User-Agent (VMozilla) || url,www.avira.com/en/support-threats-description/tid/6259/tlang/en || url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Worm%3aWin32%2fNeeris.BF 5003156 || [ZSCALER] Suspicious User-Agent Sample 5003157 || [ZSCALER] Suspicious User-Agent Mozilla/3.0 5003158 || [ZSCALER] Optimum Installer User-Agent IE6 on Windows XP 5003159 || [ZSCALER] suspicious User Agent (Lotto) 5003160 || [ZSCALER] Suspicious User-Agent String (AskPartnerCobranding) 5003161 || [ZSCALER] Backdoor.Win32.Vertexbot.A User-Agent (VERTEXNET) || url,www.symantec.com/business/security_response/writeup.jsp?docid=2011-032315-2902-99&tabid=2 5003162 || [ZSCALER] suspicious user agent string (changhuatong) 5003163 || [ZSCALER] suspicious user agent string (CholTBAgent) 5003164 || [ZSCALER] Suspicious user agent (mdms) 5003165 || [ZSCALER] Suspicious user agent (asd) 5003166 || [ZSCALER] Suspicious User-Agent SimpleClient 1.0 || url,www.fortiguard.com/encyclopedia/virus/symbos_sagasi.a!tr.html 5003167 || [ZSCALER] Known Skunkx DDOS Bot 
User-Agent Cyberdog || url,asert.arbornetworks.com/2011/03/skunkx-ddos-bot-analysis/ 5003168 || [ZSCALER] EmailSiphon Suspicious User-Agent Inbound || url,www.useragentstring.com/pages/useragentstring.php 5003169 || [ZSCALER] EmailSiphon Suspicious User-Agent Outbound || url,www.useragentstring.com/pages/useragentstring.php 5003170 || [ZSCALER] Binget PHP Library User Agent Outbound || url,www.useragentstring.com/pages/useragentstring.php || url,www.bin-co.com/php/scripts/load/ 5003171 || [ZSCALER] pxyscand/ Suspicious User Agent Outbound || url,www.useragentstring.com/pages/useragentstring.php 5003172 || [ZSCALER] PyCurl Suspicious User Agent Outbound || url,www.useragentstring.com/pages/useragentstring.php 5003173 || [ZSCALER] Atomic_Email_Hunter User-Agent Inbound || url,www.useragentstring.com/pages/useragentstring.php 5003174 || [ZSCALER] Atomic_Email_Hunter User-Agent Outbound || url,www.useragentstring.com/pages/useragentstring.php 5003175 || [ZSCALER] Avzhan DDoS Bot User-Agent MyIE || url,blog.fireeye.com/research/2010/10/avzhan-botnet-the-story-of-evolution.html || url,asert.arbornetworks.com/2010/09/another-family-of-ddos-bots-avzhan/ 5003176 || [ZSCALER] Win32/OnLineGames User-Agent (Revolution Win32) || url,threatexpert.com/report.aspx?md5=1431f4ab4bbe3ad1087eb14cf4d7dff9 5003177 || [ZSCALER] Trojan Downloader User-Agent BGroom 5003178 || [ZSCALER] Trojan Downloader User-Agent (Tiny) 5003179 || [ZSCALER] Suspicious User-Agent (adlib) || url,blog.trendmicro.com/connections-between-droiddreamlight-and-droidkungfu/ 5003180 || [ZSCALER] W32/Kazy User-Agent (Windows NT 5.1 \; v.) 
space infront of semi-colon 5003181 || [ZSCALER] W32/Renos.Downloader User Agent zeroup || md5,35ba53f6aeb6b38c1107018f271189af || url,www.f-secure.com/v-descs/trojan_w32_renos_h.shtml 5003182 || [ZSCALER] Suspicious User-Agent (DownloadMR) || md5,0da0d8e664f44400c19898b4c9e71456 || url,www.virustotal.com/en/file/93236b781e147e3ac983be1374a5f807fabd27ee2b92e6d99e293a6eb070ac2b/analysis/ 5003183 || [ZSCALER] User-Agent (ChilkatUpload) || url,chilkatsoft.com 5003184 || [ZSCALER] Suspicious user agent (Google page) 5003185 || [ZSCALER] FOCA User-Agent || url,blog.bannasties.com/2013/08/vulnerability-scans/ 5003186 || [ZSCALER] MSF Meterpreter Default User Agent || url,blog.didierstevens.com/2015/03/16/quickpost-metasploit-user-agent-strings 5003187 || [ZSCALER] WildTangent User-Agent (WT Games App) 5003188 || [ZSCALER] BLEXBot User-Agent || url,webmeup.com/about.html 5003189 || [ZSCALER] Microsoft Edge on Windows 10 SET 5003190 || [ZSCALER] Fake Opera 8.11 UA related to Trojan Activity 5003191 || [ZSCALER] Gator Agent Traffic || url,doc.emergingthreats.net/2000026 5003192 || [ZSCALER] ISearchTech.com XXXPornToolbar Activity (IST) || url,doc.emergingthreats.net/2001493 || url,www.isearchtech.com 5003193 || [ZSCALER] Better Internet Spyware User-Agent (poller) || url,doc.emergingthreats.net/2002005 5003194 || [ZSCALER] SideStep User-Agent || url,github.com/chetan51/sidestep/ || url,doc.emergingthreats.net/2002078 5003195 || [ZSCALER] 180 Solutions (Zango Installer) User Agent || url,doc.emergingthreats.net/2003062 5003196 || [ZSCALER] Suspicious User-Agent Fragment (WORKED) 5003197 || [ZSCALER] Detected known Malware Category 5003198 || [ZSCALER] Detected known Threat Name 5003199 || [ZSCALER] Suspicious IP detected via Bluedo 5003201 || [WINDOWS-MALWARE] CryptoMix ransomware extension detected. 
|| url,www.bleepingcomputer.com/news/security/new-error-cryptomix-ransomware-variant-released/ || url,wiki.quadrantsec.com/bin/view/Main/5003202 5003202 || [WINDOWS-MALWARE] Locky/CryptoMix ransomware note detected || url,www.bleepingcomputer.com/news/security/new-error-cryptomix-ransomware-variant-released/ || url,wiki.quadrantsec.com/bin/view/Main/5003202 5003203 || [WINDOWS-AUTH] SAM Database Unable to Lock Account || url,technet.microsoft.com/en-us/library/cc733228(v=ws.10).aspx || url,wiki.quadrantsec.com/bin/view/Main/5003203 5003204 || [WINDOWS-MALWARE] Bad Rabbit Malware scheduled task detected || url,wiki.quadrantsec.com/bin/view/Main/5003204 || url,blog.talosintelligence.com/2017/10/bad-rabbit.html 5003205 || [HP-E-SERIES-L3-SWITCH] Invalid username/password - Brute Force [5/1] || url,wiki.quadrantsec.com/bin/view/Main/5003205 5003206 || [WINDOWS-MALWARE] Bad Rabbit payload delivery SHA256 hash detected || url,wiki.quadrantsec.com/bin/view/Main/5003206 || url,hybrid-analysis.com/sample/8ebc97e05c8e1073bda2efb6f4d00ad7e789260afa2c276f0c72740b838a0a93?environmentId=100 || url,bleepingcomputer.com/news/security/bad-rabbit-ransomware-outbreak-hits-eastern-europe/ 5003207 || [WINDOWS-MALWARE] Bad Rabbit payload delivery SHA1 hash detected || url,wiki.quadrantsec.com/bin/view/Main/5003207 || url,hybrid-analysis.com/sample/8ebc97e05c8e1073bda2efb6f4d00ad7e789260afa2c276f0c72740b838a0a93?environmentId=100 5003208 || [WINDOWS-MALWARE] Bad Rabbit payload delivery MD5 hash detected || url,wiki.quadrantsec.com/bin/view/Main/5003208 || url,hybrid-analysis.com/sample/8ebc97e05c8e1073bda2efb6f4d00ad7e789260afa2c276f0c72740b838a0a93?environmentId=100 5003209 || [WINDOWS-MALWARE] Bad Rabbit detected by filename || url,wiki.quadrantsec.com/bin/view/Main/5003209 || url,hybrid-analysis.com/sample/8ebc97e05c8e1073bda2efb6f4d00ad7e789260afa2c276f0c72740b838a0a93?environmentId=100 5003210 || [CISCO-CORRELATED] Console login after recon activity || url, 
wiki.quadrantsec.com/bin/view/Main/5003210 5003211 || [CISCO-CORRELATED] Console login after honeypot activity || url, wiki.quadrantsec.com/bin/view/Main/5003211 5003212 || [CISCO-CORRELATED] Console login after exploit attempt || url, wiki.quadrantsec.com/bin/view/Main/5003212 5003213 || [CISCO-CORRELATED] Login permitted after recon activity || url, wiki.quadrantsec.com/bin/view/Main/5003213 5003214 || [CISCO-CORRELATED] Login permitted after honeypot activity || url, wiki.quadrantsec.com/bin/view/Main/5003214 5003215 || [CISCO-CORRELATED] Login permitted after exploit attempt || url, wiki.quadrantsec.com/bin/view/Main/5003215 5003216 || [CISCO-CORRELATED] VPN login after recon activity || url, wiki.quadrantsec.com/bin/view/Main/5003216 5003217 || [CISCO-CORRELATED] VPN login after honey activity || url, wiki.quadrantsec.com/bin/view/Main/5003217 5003218 || [CISCO-CORRELATED] VPN login after exploit attempt || url, wiki.quadrantsec.com/bin/view/Main/5003218 5003219 || [CISCO-CORRELATED] VPN disconnect after recon activity || url, wiki.quadrantsec.com/bin/view/Main/5003219 5003220 || [CISCO-CORRELATED] VPN disconnect after honeypot activity || url, wiki.quadrantsec.com/bin/view/Main/5003220 5003221 || [CISCO-CORRELATED] VPN disconnect after exploit attempt || url, wiki.quadrantsec.com/bin/view/Main/5003221 5003222 || [CISCO-CORRELATED] ACS Login success after recon activity || url, wiki.quadrantsec.com/bin/view/Main/5003222 5003223 || [CISCO-CORRELATED] ACS Login success after honeypot activity || url, wiki.quadrantsec.com/bin/view/Main/5003223 5003224 || [CISCO-CORRELATED] ACS Login success after exploit attempt || url, wiki.quadrantsec.com/bin/view/Main/5003224 5003225 || [CISCO-CORRELATED] FTP file transfer after recon activity || url, wiki.quadrantsec.com/bin/view/Main/5003225 5003226 || [CISCO-CORRELATED] FTP file transfer after honeypot activity || url, wiki.quadrantsec.com/bin/view/Main/5003226 5003227 || [CISCO-CORRELATED] FTP file transfer after exploit 
attempt || url, wiki.quadrantsec.com/bin/view/Main/5003227 5003228 || [CITRIX-CORRELATED] Login after recon activity || url,wiki.quadrantsec.com/bin/view/Main/5003228 || url,support.citrix.com/article/CTX123875 5003229 || [CITRIX-CORRELATED] Login after honeypot activity || url,wiki.quadrantsec.com/bin/view/Main/5003229 || url,support.citrix.com/article/CTX123875 5003230 || [CITRIX-CORRELATED] Login after exploit attempt || url,wiki.quadrantsec.com/bin/view/Main/5003230 || url,support.citrix.com/article/CTX123875 5003231 || [CITRIX-CORRELATED] Login after brute force attempt || url,wiki.quadrantsec.com/bin/view/Main/5003231 || url,support.citrix.com/article/CTX123875 5003232 || [CISCO-CORRELATED] Console login after brute force activity || url, wiki.quadrantsec.com/bin/view/Main/5003232 5003233 || [CISCO-CORRELATED] Login permitted after brute force activity || url, wiki.quadrantsec.com/bin/view/Main/5003233 5003234 || [CISCO-CORRELATED] VPN login after brute force activity || url, wiki.quadrantsec.com/bin/view/Main/5003234 5003235 || [CISCO-CORRELATED] VPN disconnect after brute force activity || url, wiki.quadrantsec.com/bin/view/Main/5003235 5003236 || [CISCO-CORRELATED] ACS Login success brute force activity || url, wiki.quadrantsec.com/bin/view/Main/5003236 5003237 || [CISCO-CORRELATED] FTP file transfer after brute force activity || url, wiki.quadrantsec.com/bin/view/Main/5003237 5003238 || [CITRIX-CORRELATED] AAA LOGIN_FAILED after recon activity || url,wiki.quadrantsec.com/bin/view/Main/5003238 || url,support.citrix.com/article/CTX123875 5003239 || [CITRIX-CORRELATED] AAA LOGIN_FAILED after honeypot activity || url,wiki.quadrantsec.com/bin/view/Main/5003239 || url,support.citrix.com/article/CTX123875 5003240 || [CITRIX-CORRELATED] AAA LOGIN_FAILED after exploit attempt || url,wiki.quadrantsec.com/bin/view/Main/5003240 || url,support.citrix.com/article/CTX123875 5003241 || [CITRIX-CORRELATED] SSLVPN HTTPREQUEST after recon activity || 
url,wiki.quadrantsec.com/bin/view/Main/5003241 || url,support.citrix.com/article/CTX123875 5003242 || [CITRIX-CORRELATED] SSLVPN HTTPREQUEST after honeypot activity || url,wiki.quadrantsec.com/bin/view/Main/5003242 || url,support.citrix.com/article/CTX123875 5003243 || [CITRIX-CORRELATED] SSLVPN HTTPREQUEST after exploit attempt || url,wiki.quadrantsec.com/bin/view/Main/5003243 || url,support.citrix.com/article/CTX123875 5003244 || [CITRIX-CORRELATED] SSLVPN HTTPREQUEST after brute force activity || url,wiki.quadrantsec.com/bin/view/Main/5003244 || url,support.citrix.com/article/CTX123875 5003245 || [COURIER-CORRELATED] Logout/disconnect after recon activity || url,wiki.quadrantsec.com/bin/view/Main/5003245 5003246 || [COURIER-CORRELATED] Logout/disconnect after honeypot activity || url,wiki.quadrantsec.com/bin/view/Main/5003246 5003247 || [COURIER-CORRELATED] Logout/disconnect after exploit attempt || url,wiki.quadrantsec.com/bin/view/Main/5003247 5003248 || [COURIER-CORRELATED] Logout/disconnect after brute force activity || url,wiki.quadrantsec.com/bin/view/Main/5003248 5003249 || [COURIER-CORRELATED] User login after recon activity || url,wiki.quadrantsec.com/bin/view/Main/5003249 5003250 || [COURIER-CORRELATED] User login after honeypot activity || url,wiki.quadrantsec.com/bin/view/Main/5003250 5003251 || [COURIER-CORRELATED] User login after exploit attempt || url,wiki.quadrantsec.com/bin/view/Main/5003251 5003252 || [COURIER-CORRELATED] User login after brute force activity || url,wiki.quadrantsec.com/bin/view/Main/5003252 5003253 || [COURIER-CORRELATED] Timeout after recon activity || url,wiki.quadrantsec.com/bin/view/Main/5003253 5003254 || [COURIER-CORRELATED] Timeout after honeypot activity || url,wiki.quadrantsec.com/bin/view/Main/5003254 5003255 || [COURIER-CORRELATED] Timeout after exploit attempt || url,wiki.quadrantsec.com/bin/view/Main/5003255 5003256 || [COURIER-CORRELATED] Timeout after brute force activity || 
url,wiki.quadrantsec.com/bin/view/Main/5003256 5003257 || [FATPIPE-CORRELATED] Login Success after recon activity || url,wiki.quadrantsec.com/bin/view/Main/5003257 5003258 || [FATPIPE-CORRELATED] Login Success after honeypot activity || url,wiki.quadrantsec.com/bin/view/Main/5003258 5003259 || [FATPIPE-CORRELATED] Login Success after exploit attempt || url,wiki.quadrantsec.com/bin/view/Main/5003259 5003260 || [FATPIPE-CORRELATED] Login Success after brute force activity || url,wiki.quadrantsec.com/bin/view/Main/5003260 5003261 || [FATPIPE-CORRELATED] Login Success - ADMINISTRATOR - after recon activity || url,wiki.quadrantsec.com/bin/view/Main/5003261 5003262 || [FATPIPE-CORRELATED] Login Success - ADMINISTRATOR - after honeypot activity || url,wiki.quadrantsec.com/bin/view/Main/5003262 5003263 || [FATPIPE-CORRELATED] Login Success - ADMINISTRATOR - after exploit attempt || url,wiki.quadrantsec.com/bin/view/Main/5003263 5003264 || [FATPIPE-CORRELATED] Login Success - ADMINISTRATOR - after brute force activity || url,wiki.quadrantsec.com/bin/view/Main/5003264 5003265 || [FORTINET-CORRELATED] Login accepted after recon activity || url,wiki.quadrantsec.com/bin/view/Main/5003265 5003266 || [FORTINET-CORRELATED] Login accepted after honeypot activity || url,wiki.quadrantsec.com/bin/view/Main/5003266 5003267 || [FORTINET-CORRELATED] Login accepted after exploit attempt || url,wiki.quadrantsec.com/bin/view/Main/5003267 5003268 || [FORTINET-CORRELATED] Login accepted brute force activity || url,wiki.quadrantsec.com/bin/view/Main/5003268 5003269 || [FORTINET-CORRELATED] Administrator Login after recon activity || url,wiki.quadrantsec.com/bin/view/Main/5003269 5003270 || [FORTINET-CORRELATED] Administrator Login after honeypot activity || url,wiki.quadrantsec.com/bin/view/Main/5003270 5003271 || [FORTINET-CORRELATED] Administrator Login after exploit attempt || url,wiki.quadrantsec.com/bin/view/Main/5003271 5003272 || [FORTINET-CORRELATED] Administrator Login after brute 
force activity || url,wiki.quadrantsec.com/bin/view/Main/5003272 5003273 || [FORTINET-CORRELATED] Admin authentication success after recon activity || url,wiki.quadrantsec.com/bin/view/Main/5003273 5003274 || [FORTINET-CORRELATED] Admin authentication success after honeypot activity || url,wiki.quadrantsec.com/bin/view/Main/5003274 5003275 || [FORTINET-CORRELATED] Admin authentication success after exploit attempt || url,wiki.quadrantsec.com/bin/view/Main/5003275 5003276 || [FORTINET-CORRELATED] Admin authentication success after brute force || url,wiki.quadrantsec.com/bin/view/Main/5003276 5003277 || [FORTINET-CORRELATED] SSH traffic detected after recon activity || url,wiki.quadrantsec.com/bin/view/Main/5003277 5003278 || [FORTINET-CORRELATED] SSH traffic detected after honeypot activity || url,wiki.quadrantsec.com/bin/view/Main/5003278 5003279 || [FORTINET-CORRELATED] SSH traffic detected after exploit attempt || url,wiki.quadrantsec.com/bin/view/Main/5003279 5003280 || [FORTINET-CORRELATED] SSH traffic detected after brute force activity || url,wiki.quadrantsec.com/bin/view/Main/5003280 5003281 || [IMAPD-CORRELATED] Login after recon activity || url, wiki.quadrantsec.com/bin/view/Main/5003281 5003282 || [IMAPD-CORRELATED] Login after honeypot activity || url, wiki.quadrantsec.com/bin/view/Main/5003282 5003283 || [IMAPD-CORRELATED] Login after exploit attempt || url, wiki.quadrantsec.com/bin/view/Main/5003283 5003284 || [IMAPD-CORRELATED] Login after brute force activity || url, wiki.quadrantsec.com/bin/view/Main/5003284 5003285 || [IMAPD-CORRELATED] Logout after recon activity || url, wiki.quadrantsec.com/bin/view/Main/5003285 5003286 || [IMAPD-CORRELATED] Logout after honeypot activity || url, wiki.quadrantsec.com/bin/view/Main/5003286 5003287 || [IMAPD-CORRELATED] Logout after exploit attempt || url, wiki.quadrantsec.com/bin/view/Main/5003287 5003288 || [IMAPD-CORRELATED] Logout after brute force activity || url, wiki.quadrantsec.com/bin/view/Main/5003288 
5003289 || [IMAPD-CORRELATED] Timeout after recon activity || url, wiki.quadrantsec.com/bin/view/Main/5003289 5003290 || [IMAPD-CORRELATED] Timeout after honeypot activity || url, wiki.quadrantsec.com/bin/view/Main/5003290 5003291 || [IMAPD-CORRELATED] Timeout after exploit attempt || url, wiki.quadrantsec.com/bin/view/Main/5003291 5003292 || [IMAPD-CORRELATED] Timeout after brute force activity || url, wiki.quadrantsec.com/bin/view/Main/5003292 5003293 || [IMAPD-CORRELATED] Disconnect after recon activity || url, wiki.quadrantsec.com/bin/view/Main/5003293 5003294 || [IMAPD-CORRELATED] Disconnect after honeypot activity || url, wiki.quadrantsec.com/bin/view/Main/5003294 5003295 || [IMAPD-CORRELATED] Disconnect after exploit attempt || url, wiki.quadrantsec.com/bin/view/Main/5003295 5003296 || [IMAPD-CORRELATED] Disconnect after brute force activity || url, wiki.quadrantsec.com/bin/view/Main/5003296 5003297 || [IMAPD-CORRELATED] Connection after recon activity || url, wiki.quadrantsec.com/bin/view/Main/5003297 5003298 || [IMAPD-CORRELATED] Connection after honeypot activity || url, wiki.quadrantsec.com/bin/view/Main/5003298 5003299 || [IMAPD-CORRELATED] Connection after exploit attempt || url, wiki.quadrantsec.com/bin/view/Main/5003299 5003300 || [IMAPD-CORRELATED] Connection after brute force activity || url, wiki.quadrantsec.com/bin/view/Main/5003300 5003301 || [OPENSSH-CORRELATED] Authentication success via password after recon activity || url,wiki.quadrantsec.com/bin/view/Main/5003301 5003302 || [OPENSSH-CORRELATED] Authentication success via password after honeypot activity || url,wiki.quadrantsec.com/bin/view/Main/5003302 5003303 || [OPENSSH-CORRELATED] Authentication success via password after exploit attempt || url,wiki.quadrantsec.com/bin/view/Main/5003303 5003304 || [OPENSSH-CORRELATED] Authentication success via password after brute force activity || url,wiki.quadrantsec.com/bin/view/Main/5003304 5003305 || [OPENSSH-CORRELATED] Authentication success via 
public key after recon activity || url,wiki.quadrantsec.com/bin/view/Main/5003305 5003306 || [OPENSSH-CORRELATED] Authentication success via public key after honeypot activity || url,wiki.quadrantsec.com/bin/view/Main/5003306 5003307 || [OPENSSH-CORRELATED] Authentication success via public key after exploit attempt || url,wiki.quadrantsec.com/bin/view/Main/5003307 5003308 || [OPENSSH-CORRELATED] Authentication success via public key after brute force || url,wiki.quadrantsec.com/bin/view/Main/5003308 5003309 || [OPENSSH-CORRELATED] Authentication success via keyboard-interactive after recon activity || url,wiki.quadrantsec.com/bin/view/Main/5003309 5003310 || [OPENSSH-CORRELATED] Authentication success via keyboard-interactive after honeypot activity || url,wiki.quadrantsec.com/bin/view/Main/5003310 5003311 || [OPENSSH-CORRELATED] Authentication success via keyboard-interactive after exploit attempt || url,wiki.quadrantsec.com/bin/view/Main/5003311 5003312 || [OPENSSH-CORRELATED] Authentication success via keyboard-interactive after brute force activity || url,wiki.quadrantsec.com/bin/view/Main/5003312 5003313 || [SSH-TECTIA-SERVER-CORRELATED] Authentication success after recon activity || url,wiki.quadrantsec.com/bin/view/Main/5003313 5003314 || [SSH-TECTIA-SERVER-CORRELATED] Authentication success after honeypot activity || url,wiki.quadrantsec.com/bin/view/Main/5003314 5003315 || [SSH-TECTIA-SERVER-CORRELATED] Authentication success after exploit attempt || url,wiki.quadrantsec.com/bin/view/Main/5003315 5003316 || [SSH-TECTIA-SERVER-CORRELATED] Authentication success after brute force activity || url,wiki.quadrantsec.com/bin/view/Main/5003316 5003317 || [VMWARE-CORRELATED] User login successful after recon activity || url,wiki.quadrantsec.com/bin/view/Main/5003317 5003318 || [VMWARE-CORRELATED] User login successful after honeypot activity || url,wiki.quadrantsec.com/bin/view/Main/5003318 5003319 || [VMWARE-CORRELATED] User login successful after exploit attempt 
|| url,wiki.quadrantsec.com/bin/view/Main/5003319 5003320 || [VMWARE-CORRELATED] User login successful after brute force activity || url,wiki.quadrantsec.com/bin/view/Main/5003320 5003321 || [VMWARE-CORRELATED] User login successful after recon activity || url,wiki.quadrantsec.com/bin/view/Main/5003321 5003322 || [VMWARE-CORRELATED] User login successful after honeypot activity || url,wiki.quadrantsec.com/bin/view/Main/5003322 5003323 || [VMWARE-CORRELATED] User login successful after exploit attempt || url,wiki.quadrantsec.com/bin/view/Main/5003323 5003324 || [VMWARE-CORRELATED] User login successful after brute force activity || url,wiki.quadrantsec.com/bin/view/Main/5003324 5003325 || [VMWARE-CORRELATED] User login successful after recon activity || url,wiki.quadrantsec.com/bin/view/Main/5003325 5003326 || [VMWARE-CORRELATED] User login successful after honeypot activity || url,wiki.quadrantsec.com/bin/view/Main/5003326 5003327 || [VMWARE-CORRELATED] User login successful after exploit attempt || url,wiki.quadrantsec.com/bin/view/Main/5003327 5003328 || [VMWARE-CORRELATED] User login successful after brute force activity || url,wiki.quadrantsec.com/bin/view/Main/5003328 5003329 || [VSFTPD-CORRELATED] Authentication after recon activity || url,wiki.quadrantsec.com/bin/view/Main/5003329 5003330 || [VSFTPD-CORRELATED] Authentication after honeypot activity || url,wiki.quadrantsec.com/bin/view/Main/5003330 5003331 || [VSFTPD-CORRELATED] Authentication after exploit attempt || url,wiki.quadrantsec.com/bin/view/Main/5003331 5003332 || [VSFTPD-CORRELATED] Authentication after brute force activity || url,wiki.quadrantsec.com/bin/view/Main/5003332 5003333 || [VSFTPD-CORRELATED] File uploaded after recon activity || url,wiki.quadrantsec.com/bin/view/Main/5003333 5003334 || [VSFTPD-CORRELATED] File uploaded after honeypot activity || url,wiki.quadrantsec.com/bin/view/Main/5003334 5003335 || [VSFTPD-CORRELATED] File uploaded after exploit attempt || 
url,wiki.quadrantsec.com/bin/view/Main/5003335 5003336 || [VSFTPD-CORRELATED] File uploaded after brute force activity || url,wiki.quadrantsec.com/bin/view/Main/5003336 5003337 || [WINDOWS-OWA-CORRELATED] Login failure after recon activity || url,wiki.quadrantsec.com/bin/view/Main/5003336 5003338 || [WINDOWS-OWA-CORRELATED] Login failure after honeypot activity || url,wiki.quadrantsec.com/bin/view/Main/5003338 5003339 || [WINDOWS-OWA-CORRELATED] Login failure after exploit attempt || url,wiki.quadrantsec.com/bin/view/Main/5003339 5003340 || [WINDOWS-OWA-CORRELATED] Login failure after brute force activity || url,wiki.quadrantsec.com/bin/view/Main/5003340 5003341 || [WINDOWS-CORRELATED] Successful RDP login after honeypot activity || url,wiki.quadrantsec.com/bin/view/Main/5003341 5003342 || [PasswordState] Access was Granted || url,wiki.quadrantsec.com/bin/view/Main/5003342 || url,www.clickstudios.com.au/downloads/version8/Passwordstate_Security_Administrators_Manual.pdf 5003343 || [PasswordState] Access has been Removed || url,wiki.quadrantsec.com/bin/view/Main/5003343 || url,www.clickstudios.com.au/downloads/version8/Passwordstate_Security_Administrators_Manual.pdf 5003344 || [PasswordState] All Passwords Exported || url,wiki.quadrantsec.com/bin/view/Main/5003344 || url,www.clickstudios.com.au/downloads/version8/Passwordstate_Security_Administrators_Manual.pdf 5003345 || [PasswordState] Audit Records Purged || url,wiki.quadrantsec.com/bin/view/Main/5003345 || url,www.clickstudios.com.au/downloads/version8/Passwordstate_Security_Administrators_Manual.pdf 5003346 || [PasswordState] Password Reset Task Deleted || url,wiki.quadrantsec.com/bin/view/Main/5003346 || url,www.clickstudios.com.au/downloads/version8/Passwordstate_Security_Administrators_Manual.pdf 5003347 || [PasswordState] Discovery Job Updated || url,wiki.quadrantsec.com/bin/view/Main/5003347 || url,www.clickstudios.com.au/downloads/version8/Passwordstate_Security_Administrators_Manual.pdf 5003348 || 
[PasswordState] Discovery Job Permissions Added || url,wiki.quadrantsec.com/bin/view/Main/5003348 || url,www.clickstudios.com.au/downloads/version8/Passwordstate_Security_Administrators_Manual.pdf 5003349 || [PasswordState] Discovery Job Removed || url,wiki.quadrantsec.com/bin/view/Main/5003349 || url,www.clickstudios.com.au/downloads/version8/Passwordstate_Security_Administrators_Manual.pdf 5003350 || [PasswordState] Discovery Job Deleted || url,wiki.quadrantsec.com/bin/view/Main/5003350 || url,www.clickstudios.com.au/downloads/version8/Passwordstate_Security_Administrators_Manual.pdf 5003351 || [PasswordState] Document Deleted || url,wiki.quadrantsec.com/bin/view/Main/5003351 || url,www.clickstudios.com.au/downloads/version8/Passwordstate_Security_Administrators_Manual.pdf 5003352 || [PasswordState] Encryption Keys Exported || url,wiki.quadrantsec.com/bin/view/Main/5003352 || url,www.clickstudios.com.au/downloads/version8/Passwordstate_Security_Administrators_Manual.pdf 5003353 || [PasswordState] Password Updated || url,wiki.quadrantsec.com/bin/view/Main/5003353 || url,www.clickstudios.com.au/downloads/version8/Passwordstate_Security_Administrators_Manual.pdf 5003354 || [PasswordState] Login Attempt Failed || url,wiki.quadrantsec.com/bin/view/Main/5003354 || url,www.clickstudios.com.au/downloads/version8/Passwordstate_Security_Administrators_Manual.pdf 5003355 || [PasswordState] Privileged Account Credentials Deleted || url,wiki.quadrantsec.com/bin/view/Main/5003355 || url,www.clickstudios.com.au/downloads/version8/Passwordstate_Security_Administrators_Manual.pdf 5003356 || [PasswordState] Privileged Account Credentials Permissions Added || url,wiki.quadrantsec.com/bin/view/Main/5003356 || url,www.clickstudios.com.au/downloads/version8/Passwordstate_Security_Administrators_Manual.pdf 5003357 || [PasswordState] Privileged Account Credentials Permissions Removed || url,wiki.quadrantsec.com/bin/view/Main/5003357 || 
url,www.clickstudios.com.au/downloads/version8/Passwordstate_Security_Administrators_Manual.pdf 5003358 || [PasswordState] Security Administrator Added || url,wiki.quadrantsec.com/bin/view/Main/5003358 || url,www.clickstudios.com.au/downloads/version8/Passwordstate_Security_Administrators_Manual.pdf 5003359 || [PasswordState] Security Administrator Removed || url,wiki.quadrantsec.com/bin/view/Main/5003359 || url,www.clickstudios.com.au/downloads/version8/Passwordstate_Security_Administrators_Manual.pdf 5003360 || [PasswordState] Security Administrator Role Updated || url,wiki.quadrantsec.com/bin/view/Main/5003360 || url,www.clickstudios.com.au/downloads/version8/Passwordstate_Security_Administrators_Manual.pdf 5003361 || [PasswordState] Security Group Added || url,wiki.quadrantsec.com/bin/view/Main/5003361 || url,www.clickstudios.com.au/downloads/version8/Passwordstate_Security_Administrators_Manual.pdf 5003362 || [PasswordState] Security Group Updated || url,wiki.quadrantsec.com/bin/view/Main/5003362 || url,www.clickstudios.com.au/downloads/version8/Passwordstate_Security_Administrators_Manual.pdf 5003363 || [PasswordState] Security Group Deleted || url,wiki.quadrantsec.com/bin/view/Main/5003363 || url,www.clickstudios.com.au/downloads/version8/Passwordstate_Security_Administrators_Manual.pdf 5003364 || [PasswordState] User Account Added to Security Group || url,wiki.quadrantsec.com/bin/view/Main/5003364 || url,www.clickstudios.com.au/downloads/version8/Passwordstate_Security_Administrators_Manual.pdf 5003365 || [PasswordState] User Account Disabled || url,wiki.quadrantsec.com/bin/view/Main/5003365 || url,www.clickstudios.com.au/downloads/version8/Passwordstate_Security_Administrators_Manual.pdf 5003366 || [PasswordState] User Removed From Security Group || url,wiki.quadrantsec.com/bin/view/Main/5003366 || url,www.clickstudios.com.au/downloads/version8/Passwordstate_Security_Administrators_Manual.pdf 5003367 || [PasswordState] Password Copied Between Password 
Lists || url,wiki.quadrantsec.com/bin/view/Main/5003367 || url,www.clickstudios.com.au/downloads/version8/Passwordstate_Security_Administrators_Manual.pdf 5003368 || [PasswordState] Password Deleted || url,wiki.quadrantsec.com/bin/view/Main/5003368 || url,www.clickstudios.com.au/downloads/version8/Passwordstate_Security_Administrators_Manual.pdf 5003369 || [PasswordState] Password History Exported || url,wiki.quadrantsec.com/bin/view/Main/5003369 || url,www.clickstudios.com.au/downloads/version8/Passwordstate_Security_Administrators_Manual.pdf 5003370 || [PasswordState] Password List Deleted || url,wiki.quadrantsec.com/bin/view/Main/5003370 || url,www.clickstudios.com.au/downloads/version8/Passwordstate_Security_Administrators_Manual.pdf 5003371 || [PasswordState] Password Moved || url,wiki.quadrantsec.com/bin/view/Main/5003371 || url,www.clickstudios.com.au/downloads/version8/Passwordstate_Security_Administrators_Manual.pdf 5003372 || [PasswordState] Password Reset Failed || url,wiki.quadrantsec.com/bin/view/Main/5003372 || url,www.clickstudios.com.au/downloads/version8/Passwordstate_Security_Administrators_Manual.pdf 5003373 || [PasswordState] Password Reset Removed from Queue || url,wiki.quadrantsec.com/bin/view/Main/5003373 || url,www.clickstudios.com.au/downloads/version8/Passwordstate_Security_Administrators_Manual.pdf 5003374 || [PasswordState] Password Reset Task Updated || url,wiki.quadrantsec.com/bin/view/Main/5003374 || url,www.clickstudios.com.au/downloads/version8/Passwordstate_Security_Administrators_Manual.pdf 5003375 || [PasswordState] Brute Force Login Attempt [5/5] || url,wiki.quadrantsec.com/bin/view/Main/5003375 || url,www.clickstudios.com.au/downloads/version8/Passwordstate_Security_Administrators_Manual.pdf 5003376 || [WINDOWS-AUTH] Suspicious network login || url,www.quadrantsec.com/about/blog/using_jack_crooks_log_analysis_concepts_with_sagan || url,wiki.quadrantsec.com/bin/view/Main/5003376 || 
url,findingbad.blogspot.cz/2017/12/a-few-of-my-favorite-things-continued.html 5003377 || [WINDOWS-AUTH] Suspicious network login from non-RFC1918 || url,www.quadrantsec.com/about/blog/using_jack_crooks_log_analysis_concepts_with_sagan || url,wiki.quadrantsec.com/bin/view/Main/5003377 || url,findingbad.blogspot.cz/2017/12/a-few-of-my-favorite-things-continued.html 5003378 || [WINDOWS-SYSMON] IP detect in command line || url,www.quadrantsec.com/about/blog/using_jack_crooks_log_analysis_concepts_with_sagan || url,wiki.quadrantsec.com/bin/view/Main/5003378 || url,findingbad.blogspot.cz/2017/12/a-few-of-my-favorite-things-continued.html 5003379 || [WINDOWS-SYSMON] Command line $\\ type request || url,www.quadrantsec.com/about/blog/using_jack_crooks_log_analysis_concepts_with_sagan || url,wiki.quadrantsec.com/bin/view/Main/5003379 || url,findingbad.blogspot.cz/2017/12/a-few-of-my-favorite-things-continued.html 5003380 || [WINDOWS-SYSMON] Powershell execution || url,www.quadrantsec.com/about/blog/using_jack_crooks_log_analysis_concepts_with_sagan || url,wiki.quadrantsec.com/bin/view/Main/5003380 || url,findingbad.blogspot.cz/2017/12/a-few-of-my-favorite-things-continued.html 5003381 || [WINDOWS-CORRELATED] Suspicious file copy to a share [dst -> src] || url,www.quadrantsec.com/about/blog/using_jack_crooks_log_analysis_concepts_with_sagan || url,wiki.quadrantsec.com/bin/view/Main/5003381 || url,findingbad.blogspot.cz/2017/12/a-few-of-my-favorite-things-continued.html 5003382 || [WINDOWS-CORRELATED] Suspicious file copy to a share [XBIT SET] || url,www.quadrantsec.com/about/blog/using_jack_crooks_log_analysis_concepts_with_sagan || url,wiki.quadrantsec.com/bin/view/Main/5003382 || url,findingbad.blogspot.cz/2017/12/a-few-of-my-favorite-things-continued.html 5003383 || [WINDOWS-CORRELATED] Suspicious file copy to a share [src -> dst] || url,www.quadrantsec.com/about/blog/using_jack_crooks_log_analysis_concepts_with_sagan || 
url,wiki.quadrantsec.com/bin/view/Main/5003383 || url,findingbad.blogspot.cz/2017/12/a-few-of-my-favorite-things-continued.html 5003384 || [WINDOWS-CORRELATED] Suspicious file copy to a share [XBIT SET] || url,www.quadrantsec.com/about/blog/using_jack_crooks_log_analysis_concepts_with_sagan || url,wiki.quadrantsec.com/bin/view/Main/5003384 || url,findingbad.blogspot.cz/2017/12/a-few-of-my-favorite-things-continued.html 5003385 || [WINDOWS-CORRELATED] wmiprvse.exe [XBIT SET] || url,www.quadrantsec.com/about/blog/using_jack_crooks_log_analysis_concepts_with_sagan || url,wiki.quadrantsec.com/bin/view/Main/5003385 || url,findingbad.blogspot.cz/2017/12/a-few-of-my-favorite-things-continued.html 5003386 || [WINDOWS-CORRELATED] Possible remote WMIC command execution || url,www.quadrantsec.com/about/blog/using_jack_crooks_log_analysis_concepts_with_sagan || url,wiki.quadrantsec.com/bin/view/Main/5003386 || url,findingbad.blogspot.cz/2017/12/a-few-of-my-favorite-things-continued.html 5003387 || [WINDOWS-AUTH] Suspicious WMIC/Net/Powershell execution || url,www.quadrantsec.com/about/blog/using_jack_crooks_log_analysis_concepts_with_sagan || url,wiki.quadrantsec.com/bin/view/Main/5003387 || url,findingbad.blogspot.cz/2017/12/a-few-of-my-favorite-things-continued.html 5003388 || [WINDOWS-SYSMON] SYSMON Possible CMD detected || url,www.quadrantsec.com/about/blog/using_jack_crooks_log_analysis_concepts_with_sagan || url,wiki.quadrantsec.com/bin/view/Main/5003388 || url,findingbad.blogspot.cz/2017/12/a-few-of-my-favorite-things-continued.html 5003389 || [WINDOWS-AUTH] Suspicious Mount of a $ share || url,www.quadrantsec.com/about/blog/using_jack_crooks_log_analysis_concepts_with_sagan || url,wiki.quadrantsec.com/bin/view/Main/5003389 || url,findingbad.blogspot.cz/2017/12/a-few-of-my-favorite-things-continued.html 5003390 || [WINDOWS-SYSMON] Possible credential dumper execution || url,www.quadrantsec.com/about/blog/using_jack_crooks_log_analysis_concepts_with_sagan || 
url,wiki.quadrantsec.com/bin/view/Main/5003390 || url,findingbad.blogspot.cz/2017/12/a-few-of-my-favorite-things-continued.html 5003391 || [WINDOWS-SYSMON] Possible credential dumper execution || url,www.quadrantsec.com/about/blog/using_jack_crooks_log_analysis_concepts_with_sagan || url,wiki.quadrantsec.com/bin/view/Main/5003391 || url,findingbad.blogspot.cz/2017/12/a-few-of-my-favorite-things-continued.html 5003392 || [WINDOWS-SECURITY] The audit log was cleared || url,wiki.quadrantsec.com/bin/view/Main/5003392 || url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 5003393 || [WINDOWS-SECURITY] Administrator recovered system from CrashOnAuditFail || url,wiki.quadrantsec.com/bin/view/Main/5003393 || url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 5003394 || [WINDOWS-SECURITY] SIDs were filtered || url,wiki.quadrantsec.com/bin/view/Main/5003394 || url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 5003395 || [WINDOWS-SECURITY] Backup of data protection master key was attempted || url,wiki.quadrantsec.com/bin/view/Main/5003395 || url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 5003396 || [WINDOWS-SECURITY] Recovery of data protection master key was attempted || url,wiki.quadrantsec.com/bin/view/Main/5003396 || url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 5003397 || [WINDOWS-SECURITY] A new trust was created to a domain || url,wiki.quadrantsec.com/bin/view/Main/5003397 || url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 5003398 || [WINDOWS-SECURITY] Kerberos policy was changed || 
url,wiki.quadrantsec.com/bin/view/Main/5003398 || url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 5003399 || [WINDOWS-SECURITY] Encrypted data recovery policy was changed || url,wiki.quadrantsec.com/bin/view/Main/5003399 || url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 5003400 || [WINDOWS-SECURITY] The audit policy (SACL) on an object was changed || url,wiki.quadrantsec.com/bin/view/Main/5003400 || url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 5003401 || [WINDOWS-SECURITY] Trusted domain information was modified || url,wiki.quadrantsec.com/bin/view/Main/5003401 || url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 5003402 || [WINDOWS-SECURITY] An attempt was made to reset an account's password || url,wiki.quadrantsec.com/bin/view/Main/5003402 || url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 5003403 || [WINDOWS-SECURITY] A security-enabled global group was created || url,wiki.quadrantsec.com/bin/view/Main/5003403 || url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 5003404 || [WINDOWS-SECURITY] A security-enabled local group was changed || url,wiki.quadrantsec.com/bin/view/Main/5003404 || url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 5003405 || [WINDOWS-SECURITY] A security-enabled global group was changed || url,wiki.quadrantsec.com/bin/view/Main/5003405 || url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 5003406 || 
[WINDOWS-SECURITY] Domain Policy was changed || url,wiki.quadrantsec.com/bin/view/Main/5003406 || url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 5003407 || [WINDOWS-SECURITY] A security-enabled universal group was created || url,wiki.quadrantsec.com/bin/view/Main/5003407 || url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 5003408 || [WINDOWS-SECURITY] A security-enabled universal group was changed || url,wiki.quadrantsec.com/bin/view/Main/5003408 || url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 5003409 || [WINDOWS-SECURITY] A security-disabled group was deleted || url,wiki.quadrantsec.com/bin/view/Main/5003409 || url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 5003410 || [WINDOWS-SECURITY] A group's type was changed || url,wiki.quadrantsec.com/bin/view/Main/5003410 || url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 5003411 || [WINDOWS-SECURITY] The ACL was set on accounts which are members of administrators groups || url,wiki.quadrantsec.com/bin/view/Main/5003411 || url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 5003412 || [WINDOWS-SECURITY] RPC detected an integrity violation while decrypting an incoming message || url,wiki.quadrantsec.com/bin/view/Main/5003412 || url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 5003413 || [WINDOWS-SECURITY] A trusted forest information entry was added || url,wiki.quadrantsec.com/bin/view/Main/5003413 || 
url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 5003414 || [WINDOWS-SECURITY] A trusted forest information entry was removed || url,wiki.quadrantsec.com/bin/view/Main/5003414 || url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 5003415 || [WINDOWS-SECURITY] A trusted forest information entry was modified || url,wiki.quadrantsec.com/bin/view/Main/5003415 || url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 5003416 || [WINDOWS-SECURITY] The certificate manager denied a pending certificate request || url,wiki.quadrantsec.com/bin/view/Main/5003416 || url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 5003417 || [WINDOWS-SECURITY] Certificate Services revoked a certificate || url,wiki.quadrantsec.com/bin/view/Main/5003417 || url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 5003418 || [WINDOWS-SECURITY] The security permissions for Certificate Services changed || url,wiki.quadrantsec.com/bin/view/Main/5003418 || url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 5003419 || [WINDOWS-SECURITY] The audit filter for Certificate Services changed || url,wiki.quadrantsec.com/bin/view/Main/5003419 || url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 5003420 || [WINDOWS-SECURITY] The certificate manager settings for Certificate Services changed || url,wiki.quadrantsec.com/bin/view/Main/5003420 || url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 
5003421 || [WINDOWS-SECURITY] A property of Certificate Services changed || url,wiki.quadrantsec.com/bin/view/Main/5003421 || url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 5003422 || [WINDOWS-SECURITY] One or more rows have been deleted from the certificate database || url,wiki.quadrantsec.com/bin/view/Main/5003422 || url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 5003423 || [WINDOWS-SECURITY] The CrashOnAuditFail value has changed || url,wiki.quadrantsec.com/bin/view/Main/5003423 || url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 5003424 || [WINDOWS-SECURITY] Auditing settings on object were changed || url,wiki.quadrantsec.com/bin/view/Main/5003424 || url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 5003425 || [WINDOWS-SECURITY] Special Groups Logon table modified || url,wiki.quadrantsec.com/bin/view/Main/5003425 || url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 5003426 || [WINDOWS-SECURITY] Per User Audit Policy was changed || url,wiki.quadrantsec.com/bin/view/Main/5003426 || url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 5003427 || [WINDOWS-SECURITY] IPsec dropped an inbound packet that failed an integrity check || url,wiki.quadrantsec.com/bin/view/Main/5003427 || url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 5003428 || [WINDOWS-SECURITY] IPsec dropped an inbound packet that failed a replay check || url,wiki.quadrantsec.com/bin/view/Main/5003428 || 
url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 5003429 || [WINDOWS-SECURITY] IPsec dropped an inbound packet that failed a replay check || url,wiki.quadrantsec.com/bin/view/Main/5003429 || url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 5003430 || [WINDOWS-SECURITY] IPsec dropped an inbound clear text packet that should have been secured || url,wiki.quadrantsec.com/bin/view/Main/5003430 || url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 5003431 || [WINDOWS-SECURITY] IPsec received a packet from a remote computer with an incorrect Security Parameter Index (SPI) || url,wiki.quadrantsec.com/bin/view/Main/5003431 || url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 5003432 || [WINDOWS-SECURITY] During Main Mode negotiation || url,wiki.quadrantsec.com/bin/view/Main/5003432 || url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 5003433 || [WINDOWS-SECURITY] During Quick Mode negotiation || url,wiki.quadrantsec.com/bin/view/Main/5003433 || url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 5003434 || [WINDOWS-SECURITY] During Extended Mode negotiation || url,wiki.quadrantsec.com/bin/view/Main/5003434 || url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 5003435 || [WINDOWS-SECURITY] An IPsec Extended Mode negotiation failed || url,wiki.quadrantsec.com/bin/view/Main/5003435 || url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 5003436 || 
[WINDOWS-SECURITY] An IPsec Extended Mode negotiation failed || url,wiki.quadrantsec.com/bin/view/Main/5003436 || url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 5003437 || [WINDOWS-SECURITY] The Windows Firewall Service was unable to retrieve the security policy from the local storage || url,wiki.quadrantsec.com/bin/view/Main/5003437 || url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 5003438 || [WINDOWS-SECURITY] The Windows Firewall Service was unable to parse the new security policy || url,wiki.quadrantsec.com/bin/view/Main/5003438 || url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 5003439 || [WINDOWS-SECURITY] The Windows Firewall Service failed to initialize the driver || url,wiki.quadrantsec.com/bin/view/Main/5003439 || url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 5003440 || [WINDOWS-SECURITY] The Windows Firewall Service failed to start || url,wiki.quadrantsec.com/bin/view/Main/5003440 || url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 5003441 || [WINDOWS-SECURITY] The Windows Firewall Driver failed to start || url,wiki.quadrantsec.com/bin/view/Main/5003441 || url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 5003442 || [WINDOWS-SECURITY] The Windows Firewall Driver detected critical runtime error || url,wiki.quadrantsec.com/bin/view/Main/5003442 || url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 5003443 || [WINDOWS-SECURITY] Code integrity determined that the image hash of a file is not valid 
|| url,wiki.quadrantsec.com/bin/view/Main/5003443 || url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 5003444 || [WINDOWS-SECURITY] OCSP Responder Service Started || url,wiki.quadrantsec.com/bin/view/Main/5003444 || url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 5003445 || [WINDOWS-SECURITY] OCSP Responder Service Stopped || url,wiki.quadrantsec.com/bin/view/Main/5003445 || url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 5003446 || [WINDOWS-SECURITY] A configuration entry changed in OCSP Responder Service || url,wiki.quadrantsec.com/bin/view/Main/5003446 || url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 5003447 || [WINDOWS-SECURITY] A configuration entry changed in OCSP Responder Service || url,wiki.quadrantsec.com/bin/view/Main/5003447 || url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 5003448 || [WINDOWS-SECURITY] Credential Manager credentials were backed up || url,wiki.quadrantsec.com/bin/view/Main/5003448 || url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 5003449 || [WINDOWS-SECURITY] Credential Manager credentials were restored from a backup || url,wiki.quadrantsec.com/bin/view/Main/5003449 || url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 5003450 || [WINDOWS-SECURITY] An IPsec negotiation with a remote computer failed because the IKE and AuthIP IPsec Keying Modules (IKEEXT) service is not started || url,wiki.quadrantsec.com/bin/view/Main/5003450 || 
url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 5003451 || [WINDOWS-SECURITY] IPsec Services failed to get the complete list of network interfaces on the computer || url,wiki.quadrantsec.com/bin/view/Main/5003451 || url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 5003452 || [WINDOWS-SECURITY] IPsec Services failed to initialize RPC server || url,wiki.quadrantsec.com/bin/view/Main/5003452 || url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 5003453 || [WINDOWS-SECURITY] IPsec Services has experienced a critical failure and has been shut down || url,wiki.quadrantsec.com/bin/view/Main/5003453 || url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 5003454 || [WINDOWS-SECURITY] IPsec Services failed to process some IPsec filters on a plug-and-play event for network interfaces || url,wiki.quadrantsec.com/bin/view/Main/5003454 || url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 5003455 || [WINDOWS-SECURITY] One or more errors occurred while processing security policy in the Group Policy objects || url,wiki.quadrantsec.com/bin/view/Main/5003455 || url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 5003456 || [WINDOWS-SECURITY] Network Policy Server denied access to a user || url,wiki.quadrantsec.com/bin/view/Main/5003456 || url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 5003457 || [WINDOWS-SECURITY] Network Policy Server discarded the request for a user || url,wiki.quadrantsec.com/bin/view/Main/5003457 || 
url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 5003458 || [WINDOWS-SECURITY] Network Policy Server discarded the accounting request for a user || url,wiki.quadrantsec.com/bin/view/Main/5003458 || url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 5003459 || [WINDOWS-SECURITY] Network Policy Server quarantined a user || url,wiki.quadrantsec.com/bin/view/Main/5003459 || url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 5003460 || [WINDOWS-SECURITY] Network Policy Server granted access to a user but put it on probation because the host did not meet the defined health policy || url,wiki.quadrantsec.com/bin/view/Main/5003460 || url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 5003461 || [WINDOWS-SECURITY] Network Policy Server granted full access to a user because the host met the defined health policy || url,wiki.quadrantsec.com/bin/view/Main/5003461 || url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 5003462 || [WINDOWS-SECURITY] Network Policy Server locked the user account due to repeated failed authentication attempts || url,wiki.quadrantsec.com/bin/view/Main/5003462 || url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 5003463 || [WINDOWS-SECURITY] Network Policy Server unlocked the user account || url,wiki.quadrantsec.com/bin/view/Main/5003463 || url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 5003464 || [WINDOWS-SECURITY] General account database changed || url,wiki.quadrantsec.com/bin/view/Main/5003464 || 
url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 5003465 || [WINDOWS-SECURITY] Quality of Service Policy changed || url,wiki.quadrantsec.com/bin/view/Main/5003465 || url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 5003466 || [WINDOWS-SECURITY] An error was encountered converting volume || url,wiki.quadrantsec.com/bin/view/Main/5003466 || url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 5003467 || [WINDOWS-SECURITY] An attempt to automatically restart conversion on volume failed || url,wiki.quadrantsec.com/bin/view/Main/5003467 || url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 5003468 || [WINDOWS-SECURITY] Metadata write: Volume returning errors while trying to modify metadata || url,wiki.quadrantsec.com/bin/view/Main/5003468 || url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 5003469 || [WINDOWS-SECURITY] Metadata rebuild: An attempt to write a copy of metadata on volume failed and may appear as disk corruption || url,wiki.quadrantsec.com/bin/view/Main/5003469 || url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 5003470 || [WINDOWS-SECURITY] Windows is starting up || url,wiki.quadrantsec.com/bin/view/Main/5003470 || url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 5003471 || [WINDOWS-SECURITY] Windows is shutting down || url,wiki.quadrantsec.com/bin/view/Main/5003471 || url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 5003472 
|| [WINDOWS-SECURITY] An authentication package has been loaded by the Local Security Authority || url,wiki.quadrantsec.com/bin/view/Main/5003472 || url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 5003473 || [WINDOWS-SECURITY] A trusted logon process has been registered with the Local Security Authority || url,wiki.quadrantsec.com/bin/view/Main/5003473 || url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 5003474 || [WINDOWS-SECURITY] Internal resources allocated for the queuing of audit messages have been exhausted || url,wiki.quadrantsec.com/bin/view/Main/5003474 || url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 5003475 || [WINDOWS-SECURITY] A notification package has been loaded by the Security Account Manager || url,wiki.quadrantsec.com/bin/view/Main/5003475 || url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 5003476 || [WINDOWS-SECURITY] Invalid use of LPC port || url,wiki.quadrantsec.com/bin/view/Main/5003476 || url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 5003477 || [WINDOWS-SECURITY] The system time was changed || url,wiki.quadrantsec.com/bin/view/Main/5003477 || url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 5003478 || [WINDOWS-SECURITY] A security package has been loaded by the Local Security Authority || url,wiki.quadrantsec.com/bin/view/Main/5003478 || url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 5003479 || [WINDOWS-SECURITY] Low || url,wiki.quadrantsec.com/bin/view/Main/5003479 || 
url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 5003480 || [WINDOWS-SECURITY] Low || url,wiki.quadrantsec.com/bin/view/Main/5003480 || url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 5003481 || [WINDOWS-SECURITY] An account was logged off || url,wiki.quadrantsec.com/bin/view/Main/5003481 || url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 5003482 || [WINDOWS-SECURITY] IKE DoS-prevention mode started || url,wiki.quadrantsec.com/bin/view/Main/5003482 || url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 5003483 || [WINDOWS-SECURITY] User initiated logoff || url,wiki.quadrantsec.com/bin/view/Main/5003483 || url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 5003484 || [WINDOWS-SECURITY] A logon was attempted using explicit credentials || url,wiki.quadrantsec.com/bin/view/Main/5003484 || url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 5003485 || [WINDOWS-SECURITY] An IPsec Main Mode security association was established || url,wiki.quadrantsec.com/bin/view/Main/5003485 || url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 5003486 || [WINDOWS-SECURITY] An IPsec Main Mode security association was established || url,wiki.quadrantsec.com/bin/view/Main/5003486 || url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 5003487 || [WINDOWS-SECURITY] An IPsec Main Mode negotiation failed || url,wiki.quadrantsec.com/bin/view/Main/5003487 || 
url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 5003488 || [WINDOWS-SECURITY] An IPsec Main Mode negotiation failed || url,wiki.quadrantsec.com/bin/view/Main/5003488 || url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 5003489 || [WINDOWS-SECURITY] An IPsec Quick Mode negotiation failed || url,wiki.quadrantsec.com/bin/view/Main/5003489 || url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 5003490 || [WINDOWS-SECURITY] An IPsec Main Mode security association ended || url,wiki.quadrantsec.com/bin/view/Main/5003490 || url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 5003491 || [WINDOWS-SECURITY] A handle to an object was requested || url,wiki.quadrantsec.com/bin/view/Main/5003491 || url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 5003492 || [WINDOWS-SECURITY] A registry value was modified || url,wiki.quadrantsec.com/bin/view/Main/5003492 || url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 5003493 || [WINDOWS-SECURITY] The handle to an object was closed || url,wiki.quadrantsec.com/bin/view/Main/5003493 || url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 5003494 || [WINDOWS-SECURITY] A handle to an object was requested with intent to delete || url,wiki.quadrantsec.com/bin/view/Main/5003494 || url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 5003495 || [WINDOWS-SECURITY] An object was deleted || 
url,wiki.quadrantsec.com/bin/view/Main/5003495 || url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 5003496 || [WINDOWS-SECURITY] A handle to an object was requested || url,wiki.quadrantsec.com/bin/view/Main/5003496 || url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 5003497 || [WINDOWS-SECURITY] An operation was performed on an object || url,wiki.quadrantsec.com/bin/view/Main/5003497 || url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 5003498 || [WINDOWS-SECURITY] An attempt was made to access an object || url,wiki.quadrantsec.com/bin/view/Main/5003498 || url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 5003499 || [WINDOWS-SECURITY] An attempt was made to create a hard link || url,wiki.quadrantsec.com/bin/view/Main/5003499 || url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 5003500 || [WINDOWS-SECURITY] An attempt was made to create an application client context || url,wiki.quadrantsec.com/bin/view/Main/5003500 || url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 5003501 || [WINDOWS-SECURITY] An application attempted an operation: || url,wiki.quadrantsec.com/bin/view/Main/5003501 || url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 5003502 || [WINDOWS-SECURITY] An application client context was deleted || url,wiki.quadrantsec.com/bin/view/Main/5003502 || url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 5003503 || [WINDOWS-SECURITY] 
An application was initialized || url,wiki.quadrantsec.com/bin/view/Main/5003503 || url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 5003504 || [WINDOWS-SECURITY] Permissions on an object were changed || url,wiki.quadrantsec.com/bin/view/Main/5003504 || url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 5003505 || [WINDOWS-SECURITY] An application attempted to access a blocked ordinal through the TBS || url,wiki.quadrantsec.com/bin/view/Main/5003505 || url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 5003506 || [WINDOWS-SECURITY] Special privileges assigned to new logon || url,wiki.quadrantsec.com/bin/view/Main/5003506 || url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 5003507 || [WINDOWS-SECURITY] A privileged service was called || url,wiki.quadrantsec.com/bin/view/Main/5003507 || url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 5003508 || [WINDOWS-SECURITY] An operation was attempted on a privileged object || url,wiki.quadrantsec.com/bin/view/Main/5003508 || url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 5003509 || [WINDOWS-SECURITY] A new process has been created || url,wiki.quadrantsec.com/bin/view/Main/5003509 || url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 5003510 || [WINDOWS-SECURITY] A process has exited || url,wiki.quadrantsec.com/bin/view/Main/5003510 || url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 5003511 || 
[WINDOWS-SECURITY] An attempt was made to duplicate a handle to an object || url,wiki.quadrantsec.com/bin/view/Main/5003511 || url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 5003512 || [WINDOWS-SECURITY] Indirect access to an object was requested || url,wiki.quadrantsec.com/bin/view/Main/5003512 || url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 5003513 || [WINDOWS-SECURITY] Protection of auditable protected data was attempted || url,wiki.quadrantsec.com/bin/view/Main/5003513 || url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 5003514 || [WINDOWS-SECURITY] Unprotection of auditable protected data was attempted || url,wiki.quadrantsec.com/bin/view/Main/5003514 || url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 5003515 || [WINDOWS-SECURITY] A primary token was assigned to process || url,wiki.quadrantsec.com/bin/view/Main/5003515 || url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 5003516 || [WINDOWS-SECURITY] Attempt to install a service || url,wiki.quadrantsec.com/bin/view/Main/5003516 || url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 5003517 || [WINDOWS-SECURITY] A scheduled task was created || url,wiki.quadrantsec.com/bin/view/Main/5003517 || url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 5003518 || [WINDOWS-SECURITY] A scheduled task was deleted || url,wiki.quadrantsec.com/bin/view/Main/5003518 || 
url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 5003519 || [WINDOWS-SECURITY] A scheduled task was enabled || url,wiki.quadrantsec.com/bin/view/Main/5003519 || url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 5003520 || [WINDOWS-SECURITY] A scheduled task was disabled || url,wiki.quadrantsec.com/bin/view/Main/5003520 || url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 5003521 || [WINDOWS-SECURITY] A scheduled task was updated || url,wiki.quadrantsec.com/bin/view/Main/5003521 || url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 5003522 || [WINDOWS-SECURITY] A user right was assigned || url,wiki.quadrantsec.com/bin/view/Main/5003522 || url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 5003523 || [WINDOWS-SECURITY] A user right was removed || url,wiki.quadrantsec.com/bin/view/Main/5003523 || url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 5003524 || [WINDOWS-SECURITY] A trust to a domain was removed || url,wiki.quadrantsec.com/bin/view/Main/5003524 || url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 5003525 || [WINDOWS-SECURITY] IPsec Services was started || url,wiki.quadrantsec.com/bin/view/Main/5003525 || url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 5003526 || [WINDOWS-SECURITY] IPsec Services was disabled || url,wiki.quadrantsec.com/bin/view/Main/5003526 || 
url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 5003527 || [WINDOWS-SECURITY] PAStore Engine Activity Detected || url,wiki.quadrantsec.com/bin/view/Main/5003527 || url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 5003528 || [WINDOWS-SECURITY] IPsec Services encountered a potentially serious failure || url,wiki.quadrantsec.com/bin/view/Main/5003528 || url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 5003529 || [WINDOWS-SECURITY] System security access was granted to an account || url,wiki.quadrantsec.com/bin/view/Main/5003529 || url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 5003530 || [WINDOWS-SECURITY] System security access was removed from an account || url,wiki.quadrantsec.com/bin/view/Main/5003530 || url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 5003531 || [WINDOWS-SECURITY] A user account was created || url,wiki.quadrantsec.com/bin/view/Main/5003531 || url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 5003532 || [WINDOWS-SECURITY] A user account was enabled || url,wiki.quadrantsec.com/bin/view/Main/5003532 || url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 5003533 || [WINDOWS-SECURITY] An attempt was made to change an account's password || url,wiki.quadrantsec.com/bin/view/Main/5003533 || url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 5003534 || [WINDOWS-SECURITY] A user account was disabled || 
url,wiki.quadrantsec.com/bin/view/Main/5003534 || url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 5003535 || [WINDOWS-SECURITY] A user account was deleted || url,wiki.quadrantsec.com/bin/view/Main/5003535 || url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 5003536 || [WINDOWS-SECURITY] A member was added to a security-enabled global group || url,wiki.quadrantsec.com/bin/view/Main/5003536 || url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 5003537 || [WINDOWS-SECURITY] A member was removed from a security-enabled global group || url,wiki.quadrantsec.com/bin/view/Main/5003537 || url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 5003538 || [WINDOWS-SECURITY] A security-enabled global group was deleted || url,wiki.quadrantsec.com/bin/view/Main/5003538 || url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 5003539 || [WINDOWS-SECURITY] A security-enabled local group was created || url,wiki.quadrantsec.com/bin/view/Main/5003539 || url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 5003540 || [WINDOWS-SECURITY] A member was added to a security-enabled local group || url,wiki.quadrantsec.com/bin/view/Main/5003540 || url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 5003541 || [WINDOWS-SECURITY] A member was removed from a security-enabled local group || url,wiki.quadrantsec.com/bin/view/Main/5003541 || 
url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 5003542 || [WINDOWS-SECURITY] A security-enabled local group was deleted || url,wiki.quadrantsec.com/bin/view/Main/5003542 || url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 5003543 || [WINDOWS-SECURITY] A user account was changed || url,wiki.quadrantsec.com/bin/view/Main/5003543 || url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 5003544 || [WINDOWS-SECURITY] A user account was locked out || url,wiki.quadrantsec.com/bin/view/Main/5003544 || url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 5003545 || [WINDOWS-SECURITY] A computer account was changed || url,wiki.quadrantsec.com/bin/view/Main/5003545 || url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 5003546 || [WINDOWS-SECURITY] A computer account was changed || url,wiki.quadrantsec.com/bin/view/Main/5003546 || url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 5003547 || [WINDOWS-SECURITY] A computer account was deleted || url,wiki.quadrantsec.com/bin/view/Main/5003547 || url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 5003548 || [WINDOWS-SECURITY] A security-disabled local group was created || url,wiki.quadrantsec.com/bin/view/Main/5003548 || url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 5003549 || [WINDOWS-SECURITY] A security-disabled local group was changed || url,wiki.quadrantsec.com/bin/view/Main/5003549 || 
url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 5003550 || [WINDOWS-SECURITY] A member was added to a security-disabled local group || url,wiki.quadrantsec.com/bin/view/Main/5003550 || url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 5003551 || [WINDOWS-SECURITY] A member was removed from a security-disabled local group || url,wiki.quadrantsec.com/bin/view/Main/5003551 || url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 5003552 || [WINDOWS-SECURITY] A security-disabled local group was deleted || url,wiki.quadrantsec.com/bin/view/Main/5003552 || url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 5003553 || [WINDOWS-SECURITY] A security-disabled global group was created || url,wiki.quadrantsec.com/bin/view/Main/5003553 || url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 5003554 || [WINDOWS-SECURITY] A security-disabled global group was changed || url,wiki.quadrantsec.com/bin/view/Main/5003554 || url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 5003555 || [WINDOWS-SECURITY] A member was added to a security-disabled global group || url,wiki.quadrantsec.com/bin/view/Main/5003555 || url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 5003556 || [WINDOWS-SECURITY] A member was removed from a security-disabled global group || url,wiki.quadrantsec.com/bin/view/Main/5003556 || url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 5003557 || 
[WINDOWS-SECURITY] A security-disabled global group was deleted || url,wiki.quadrantsec.com/bin/view/Main/5003557 || url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 5003558 || [WINDOWS-SECURITY] A member was added to a security-enabled universal group || url,wiki.quadrantsec.com/bin/view/Main/5003558 || url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 5003559 || [WINDOWS-SECURITY] A member was removed from a security-enabled universal group || url,wiki.quadrantsec.com/bin/view/Main/5003559 || url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 5003560 || [WINDOWS-SECURITY] A security-enabled universal group was deleted || url,wiki.quadrantsec.com/bin/view/Main/5003560 || url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 5003561 || [WINDOWS-SECURITY] A security-disabled universal group was created || url,wiki.quadrantsec.com/bin/view/Main/5003561 || url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 5003562 || [WINDOWS-SECURITY] A security-disabled universal group was changed || url,wiki.quadrantsec.com/bin/view/Main/5003562 || url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 5003563 || [WINDOWS-SECURITY] A member was added to a security-disabled universal group || url,wiki.quadrantsec.com/bin/view/Main/5003563 || url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 5003564 || [WINDOWS-SECURITY] A member was removed from a security-disabled universal group || url,wiki.quadrantsec.com/bin/view/Main/5003564 || 
url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 5003565 || [WINDOWS-SECURITY] A user account was unlocked || url,wiki.quadrantsec.com/bin/view/Main/5003565 || url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 5003567 || [WINDOWS-SECURITY] A Kerberos service ticket was requested || url,wiki.quadrantsec.com/bin/view/Main/5003567 || url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 5003568 || [WINDOWS-SECURITY] A Kerberos service ticket was renewed || url,wiki.quadrantsec.com/bin/view/Main/5003568 || url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 5003569 || [WINDOWS-SECURITY] Kerberos pre-authentication failed || url,wiki.quadrantsec.com/bin/view/Main/5003569 || url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 5003570 || [WINDOWS-SECURITY] A Kerberos authentication ticket request failed || url,wiki.quadrantsec.com/bin/view/Main/5003570 || url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 5003571 || [WINDOWS-SECURITY] An account was mapped for logon || url,wiki.quadrantsec.com/bin/view/Main/5003571 || url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 5003572 || [WINDOWS-SECURITY] An account could not be mapped for logon || url,wiki.quadrantsec.com/bin/view/Main/5003572 || url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 5003574 || [WINDOWS-SECURITY] The domain controller failed to validate the credentials for an account || 
url,wiki.quadrantsec.com/bin/view/Main/5003574 || url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 5003575 || [WINDOWS-SECURITY] A session was reconnected to a Window Station || url,wiki.quadrantsec.com/bin/view/Main/5003575 || url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 5003576 || [WINDOWS-SECURITY] A session was disconnected from a Window Station || url,wiki.quadrantsec.com/bin/view/Main/5003576 || url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 5003577 || [WINDOWS-SECURITY] The name of an account was changed: || url,wiki.quadrantsec.com/bin/view/Main/5003577 || url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 5003578 || [WINDOWS-SECURITY] The password hash an account was accessed || url,wiki.quadrantsec.com/bin/view/Main/5003578 || url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 5003579 || [WINDOWS-SECURITY] A basic application group was created || url,wiki.quadrantsec.com/bin/view/Main/5003579 || url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 5003580 || [WINDOWS-SECURITY] A basic application group was changed || url,wiki.quadrantsec.com/bin/view/Main/5003580 || url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 5003581 || [WINDOWS-SECURITY] A member was added to a basic application group || url,wiki.quadrantsec.com/bin/view/Main/5003581 || url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 5003582 || [WINDOWS-SECURITY] A 
member was removed from a basic application group || url,wiki.quadrantsec.com/bin/view/Main/5003582 || url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 5003583 || [WINDOWS-SECURITY] A nonmember was added to a basic application group || url,wiki.quadrantsec.com/bin/view/Main/5003583 || url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 5003584 || [WINDOWS-SECURITY] A nonmember was removed from a basic application group || url,wiki.quadrantsec.com/bin/view/Main/5003584 || url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 5003585 || [WINDOWS-SECURITY] A basic application group was deleted || url,wiki.quadrantsec.com/bin/view/Main/5003585 || url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 5003586 || [WINDOWS-SECURITY] An LDAP query group was created || url,wiki.quadrantsec.com/bin/view/Main/5003586 || url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 5003587 || [WINDOWS-SECURITY] The Password Policy Checking API was called || url,wiki.quadrantsec.com/bin/view/Main/5003587 || url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 5003588 || [WINDOWS-SECURITY] The workstation was locked || url,wiki.quadrantsec.com/bin/view/Main/5003588 || url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 5003589 || [WINDOWS-SECURITY] The workstation was unlocked || url,wiki.quadrantsec.com/bin/view/Main/5003589 || url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 
5003590 || [WINDOWS-SECURITY] The screen saver was invoked || url,wiki.quadrantsec.com/bin/view/Main/5003590 || url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 5003591 || [WINDOWS-SECURITY] The screen saver was dismissed || url,wiki.quadrantsec.com/bin/view/Main/5003591 || url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 5003592 || [WINDOWS-SECURITY] A namespace collision was detected || url,wiki.quadrantsec.com/bin/view/Main/5003592 || url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 5003593 || [WINDOWS-SECURITY] Certificate Services received a resubmitted certificate request || url,wiki.quadrantsec.com/bin/view/Main/5003593 || url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 5003594 || [WINDOWS-SECURITY] Certificate Services received a request to publish the certificate revocation list (CRL) || url,wiki.quadrantsec.com/bin/view/Main/5003594 || url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 5003595 || [WINDOWS-SECURITY] Certificate Services published the certificate revocation list (CRL) || url,wiki.quadrantsec.com/bin/view/Main/5003595 || url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 5003596 || [WINDOWS-SECURITY] A certificate request extension changed || url,wiki.quadrantsec.com/bin/view/Main/5003596 || url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 5003597 || [WINDOWS-SECURITY] One or more certificate request attributes changed || url,wiki.quadrantsec.com/bin/view/Main/5003597 || 
url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 5003598 || [WINDOWS-SECURITY] Certificate Services received a request to shut down || url,wiki.quadrantsec.com/bin/view/Main/5003598 || url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 5003599 || [WINDOWS-SECURITY] Certificate Services backup started || url,wiki.quadrantsec.com/bin/view/Main/5003599 || url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 5003600 || [WINDOWS-SECURITY] Certificate Services backup completed || url,wiki.quadrantsec.com/bin/view/Main/5003600 || url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 5003601 || [WINDOWS-SECURITY] Certificate Services restore started || url,wiki.quadrantsec.com/bin/view/Main/5003601 || url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 5003602 || [WINDOWS-SECURITY] Certificate Services restore completed || url,wiki.quadrantsec.com/bin/view/Main/5003602 || url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 5003603 || [WINDOWS-SECURITY] Certificate Services started || url,wiki.quadrantsec.com/bin/view/Main/5003603 || url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 5003604 || [WINDOWS-SECURITY] Certificate Services stopped || url,wiki.quadrantsec.com/bin/view/Main/5003604 || url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 5003605 || [WINDOWS-SECURITY] Certificate Services retrieved an archived key || 
url,wiki.quadrantsec.com/bin/view/Main/5003605 || url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 5003606 || [WINDOWS-SECURITY] Certificate Services imported a certificate into its database || url,wiki.quadrantsec.com/bin/view/Main/5003606 || url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 5003607 || [WINDOWS-SECURITY] Certificate Services received a certificate request || url,wiki.quadrantsec.com/bin/view/Main/5003607 || url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 5003608 || [WINDOWS-SECURITY] Certificate Services approved a certificate request and issued a certificate || url,wiki.quadrantsec.com/bin/view/Main/5003608 || url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 5003609 || [WINDOWS-SECURITY] Certificate Services denied a certificate request || url,wiki.quadrantsec.com/bin/view/Main/5003609 || url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 5003610 || [WINDOWS-SECURITY] Certificate Services set the status of a certificate request to pending || url,wiki.quadrantsec.com/bin/view/Main/5003610 || url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 5003611 || [WINDOWS-SECURITY] A configuration entry changed in Certificate Services || url,wiki.quadrantsec.com/bin/view/Main/5003611 || url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 5003612 || [WINDOWS-SECURITY] Certificate Services archived a key || url,wiki.quadrantsec.com/bin/view/Main/5003612 || 
url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 5003613 || [WINDOWS-SECURITY] Certificate Services imported and archived a key || url,wiki.quadrantsec.com/bin/view/Main/5003613 || url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 5003614 || [WINDOWS-SECURITY] Certificate Services published the CA certificate to Active Directory Domain Services || url,wiki.quadrantsec.com/bin/view/Main/5003614 || url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 5003615 || [WINDOWS-SECURITY] Certificate Services loaded a template || url,wiki.quadrantsec.com/bin/view/Main/5003615 || url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 5003616 || [WINDOWS-SECURITY] The Per-user audit policy table was created || url,wiki.quadrantsec.com/bin/view/Main/5003616 || url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 5003617 || [WINDOWS-SECURITY] An attempt was made to register a security event source || url,wiki.quadrantsec.com/bin/view/Main/5003617 || url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 5003618 || [WINDOWS-SECURITY] An attempt was made to unregister a security event source || url,wiki.quadrantsec.com/bin/view/Main/5003618 || url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 5003619 || [WINDOWS-SECURITY] The local policy settings for the TBS were changed || url,wiki.quadrantsec.com/bin/view/Main/5003619 || 
url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 5003620 || [WINDOWS-SECURITY] The Group Policy settings for the TBS were changed || url,wiki.quadrantsec.com/bin/view/Main/5003620 || url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 5003621 || [WINDOWS-SECURITY] An Active Directory replica source naming context was established || url,wiki.quadrantsec.com/bin/view/Main/5003621 || url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 5003622 || [WINDOWS-SECURITY] An Active Directory replica source naming context was removed || url,wiki.quadrantsec.com/bin/view/Main/5003622 || url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 5003623 || [WINDOWS-SECURITY] An Active Directory replica source naming context was modified || url,wiki.quadrantsec.com/bin/view/Main/5003623 || url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 5003624 || [WINDOWS-SECURITY] An Active Directory replica destination naming context was modified || url,wiki.quadrantsec.com/bin/view/Main/5003624 || url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 5003625 || [WINDOWS-SECURITY] Synchronization of a replica of an Active Directory naming context has begun || url,wiki.quadrantsec.com/bin/view/Main/5003625 || url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 5003626 || [WINDOWS-SECURITY] Synchronization of a replica of an Active Directory naming context has ended || url,wiki.quadrantsec.com/bin/view/Main/5003626 || 
url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 5003627 || [WINDOWS-SECURITY] Attributes of an Active Directory object were replicated || url,wiki.quadrantsec.com/bin/view/Main/5003627 || url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 5003628 || [WINDOWS-SECURITY] Replication failure begins || url,wiki.quadrantsec.com/bin/view/Main/5003628 || url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 5003629 || [WINDOWS-SECURITY] Replication failure ends || url,wiki.quadrantsec.com/bin/view/Main/5003629 || url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 5003630 || [WINDOWS-SECURITY] A lingering object was removed from a replica || url,wiki.quadrantsec.com/bin/view/Main/5003630 || url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 5003631 || [WINDOWS-SECURITY] The following policy was active when the Windows Firewall started || url,wiki.quadrantsec.com/bin/view/Main/5003631 || url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 5003632 || [WINDOWS-SECURITY] A rule was listed when the Windows Firewall started || url,wiki.quadrantsec.com/bin/view/Main/5003632 || url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 5003633 || [WINDOWS-SECURITY] A change has been made to Windows Firewall exception list || url,wiki.quadrantsec.com/bin/view/Main/5003633 || url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 5003634 || [WINDOWS-SECURITY] A change has been 
made to Windows Firewall exception list || url,wiki.quadrantsec.com/bin/view/Main/5003634 || url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 5003635 || [WINDOWS-SECURITY] A change has been made to Windows Firewall exception list || url,wiki.quadrantsec.com/bin/view/Main/5003635 || url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 5003636 || [WINDOWS-SECURITY] Windows Firewall settings were restored to the default values || url,wiki.quadrantsec.com/bin/view/Main/5003636 || url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 5003637 || [WINDOWS-SECURITY] A Windows Firewall setting has changed || url,wiki.quadrantsec.com/bin/view/Main/5003637 || url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 5003638 || [WINDOWS-SECURITY] A rule has been ignored because its major version number was not recognized by Windows Firewall || url,wiki.quadrantsec.com/bin/view/Main/5003638 || url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 5003639 || [WINDOWS-SECURITY] Parts of a rule have been ignored because its minor version number was not recognized by Windows Firewall || url,wiki.quadrantsec.com/bin/view/Main/5003639 || url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 5003640 || [WINDOWS-SECURITY] A rule has been ignored by Windows Firewall because it could not parse the rule || url,wiki.quadrantsec.com/bin/view/Main/5003640 || url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 5003641 || [WINDOWS-SECURITY] Windows Firewall Group 
Policy settings have changed || url,wiki.quadrantsec.com/bin/view/Main/5003641 || url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 5003642 || [WINDOWS-SECURITY] Windows Firewall has changed the active profile || url,wiki.quadrantsec.com/bin/view/Main/5003642 || url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 5003643 || [WINDOWS-SECURITY] Windows Firewall did not apply the following rule: || url,wiki.quadrantsec.com/bin/view/Main/5003643 || url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 5003644 || [WINDOWS-SECURITY] Windows Firewall did not apply the following rule because the rule referred to items not configured on this computer: || url,wiki.quadrantsec.com/bin/view/Main/5003644 || url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 5003645 || [WINDOWS-SECURITY] IPsec Main Mode and Extended Mode security associations were established || url,wiki.quadrantsec.com/bin/view/Main/5003645 || url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 5003646 || [WINDOWS-SECURITY] IPsec Main Mode and Extended Mode security associations were established || url,wiki.quadrantsec.com/bin/view/Main/5003646 || url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 5003647 || [WINDOWS-SECURITY] IPsec Main Mode and Extended Mode security associations were established || url,wiki.quadrantsec.com/bin/view/Main/5003647 || url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 5003648 || [WINDOWS-SECURITY] IPsec Main Mode and Extended Mode security 
associations were established || url,wiki.quadrantsec.com/bin/view/Main/5003648 || url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 5003649 || [WINDOWS-SECURITY] The state of a transaction has changed || url,wiki.quadrantsec.com/bin/view/Main/5003649 || url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 5003650 || [WINDOWS-SECURITY] The Windows Firewall Service has started successfully || url,wiki.quadrantsec.com/bin/view/Main/5003650 || url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 5003651 || [WINDOWS-SECURITY] The Windows Firewall Service has been stopped || url,wiki.quadrantsec.com/bin/view/Main/5003651 || url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 5003652 || [WINDOWS-SECURITY] The Windows Firewall Service blocked an application from accepting incoming connections on the network || url,wiki.quadrantsec.com/bin/view/Main/5003652 || url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 5003653 || [WINDOWS-SECURITY] Windows Firewall was unable to notify the user that it blocked an application from accepting incoming connections on the network || url,wiki.quadrantsec.com/bin/view/Main/5003653 || url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 5003654 || [WINDOWS-SECURITY] The Windows Firewall Driver has started successfully || url,wiki.quadrantsec.com/bin/view/Main/5003654 || url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 5003655 || [WINDOWS-SECURITY] The Windows Firewall Driver has been stopped || 
url,wiki.quadrantsec.com/bin/view/Main/5003655 || url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 5003656 || [WINDOWS-SECURITY] A registry key was virtualized || url,wiki.quadrantsec.com/bin/view/Main/5003656 || url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 5003657 || [WINDOWS-SECURITY] A change has been made to IPsec settings || url,wiki.quadrantsec.com/bin/view/Main/5003657 || url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 5003658 || [WINDOWS-SECURITY] A change has been made to IPsec settings || url,wiki.quadrantsec.com/bin/view/Main/5003658 || url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 5003659 || [WINDOWS-SECURITY] A change has been made to IPsec settings || url,wiki.quadrantsec.com/bin/view/Main/5003659 || url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 5003660 || [WINDOWS-SECURITY] A change has been made to IPsec settings || url,wiki.quadrantsec.com/bin/view/Main/5003660 || url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 5003661 || [WINDOWS-SECURITY] A change has been made to IPsec settings || url,wiki.quadrantsec.com/bin/view/Main/5003661 || url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 5003662 || [WINDOWS-SECURITY] A change has been made to IPsec settings || url,wiki.quadrantsec.com/bin/view/Main/5003662 || url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 5003663 || [WINDOWS-SECURITY] A change has been 
made to IPsec settings || url,wiki.quadrantsec.com/bin/view/Main/5003663 || url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 5003664 || [WINDOWS-SECURITY] A change has been made to IPsec settings || url,wiki.quadrantsec.com/bin/view/Main/5003664 || url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 5003665 || [WINDOWS-SECURITY] A change has been made to IPsec settings || url,wiki.quadrantsec.com/bin/view/Main/5003665 || url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 5003666 || [WINDOWS-SECURITY] An attempt to programmatically disable the Windows Firewall using a call to InetFwProfile || url,wiki.quadrantsec.com/bin/view/Main/5003666 || url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 5003667 || [WINDOWS-SECURITY] A file was virtualized || url,wiki.quadrantsec.com/bin/view/Main/5003667 || url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 5003668 || [WINDOWS-SECURITY] A cryptographic self test was performed || url,wiki.quadrantsec.com/bin/view/Main/5003668 || url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 5003669 || [WINDOWS-SECURITY] A cryptographic primitive operation failed || url,wiki.quadrantsec.com/bin/view/Main/5003669 || url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 5003670 || [WINDOWS-SECURITY] Key file operation || url,wiki.quadrantsec.com/bin/view/Main/5003670 || url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 
5003671 || [WINDOWS-SECURITY] Key migration operation || url,wiki.quadrantsec.com/bin/view/Main/5003671 || url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 5003672 || [WINDOWS-SECURITY] Verification operation failed || url,wiki.quadrantsec.com/bin/view/Main/5003672 || url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 5003673 || [WINDOWS-SECURITY] Cryptographic operation || url,wiki.quadrantsec.com/bin/view/Main/5003673 || url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 5003674 || [WINDOWS-SECURITY] A kernel-mode cryptographic self test was performed || url,wiki.quadrantsec.com/bin/view/Main/5003674 || url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 5003675 || [WINDOWS-SECURITY] A cryptographic provider operation was attempted || url,wiki.quadrantsec.com/bin/view/Main/5003675 || url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 5003676 || [WINDOWS-SECURITY] A cryptographic context operation was attempted || url,wiki.quadrantsec.com/bin/view/Main/5003676 || url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 5003677 || [WINDOWS-SECURITY] A cryptographic context modification was attempted || url,wiki.quadrantsec.com/bin/view/Main/5003677 || url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 5003678 || [WINDOWS-SECURITY] A cryptographic function operation was attempted || url,wiki.quadrantsec.com/bin/view/Main/5003678 || 
url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 5003679 || [WINDOWS-SECURITY] A cryptographic function modification was attempted || url,wiki.quadrantsec.com/bin/view/Main/5003679 || url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 5003680 || [WINDOWS-SECURITY] A cryptographic function provider operation was attempted || url,wiki.quadrantsec.com/bin/view/Main/5003680 || url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 5003681 || [WINDOWS-SECURITY] A cryptographic function property operation was attempted || url,wiki.quadrantsec.com/bin/view/Main/5003681 || url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 5003682 || [WINDOWS-SECURITY] A cryptographic function property modification was attempted || url,wiki.quadrantsec.com/bin/view/Main/5003682 || url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 5003683 || [WINDOWS-SECURITY] A request was submitted to the OCSP Responder Service || url,wiki.quadrantsec.com/bin/view/Main/5003683 || url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 5003684 || [WINDOWS-SECURITY] Signing Certificate was automatically updated by the OCSP Responder Service || url,wiki.quadrantsec.com/bin/view/Main/5003684 || url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 5003685 || [WINDOWS-SECURITY] The OCSP Revocation Provider successfully updated the revocation information || url,wiki.quadrantsec.com/bin/view/Main/5003685 || 
url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 5003686 || [WINDOWS-SECURITY] A directory service object was modified || url,wiki.quadrantsec.com/bin/view/Main/5003686 || url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 5003687 || [WINDOWS-SECURITY] A directory service object was created || url,wiki.quadrantsec.com/bin/view/Main/5003687 || url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 5003688 || [WINDOWS-SECURITY] A directory service object was undeleted || url,wiki.quadrantsec.com/bin/view/Main/5003688 || url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 5003689 || [WINDOWS-SECURITY] A directory service object was moved || url,wiki.quadrantsec.com/bin/view/Main/5003689 || url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 5003690 || [WINDOWS-SECURITY] A network share object was accessed || url,wiki.quadrantsec.com/bin/view/Main/5003690 || url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 5003691 || [WINDOWS-SECURITY] A directory service object was deleted || url,wiki.quadrantsec.com/bin/view/Main/5003691 || url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 5003692 || [WINDOWS-SECURITY] The Windows Filtering Platform blocked a packet || url,wiki.quadrantsec.com/bin/view/Main/5003692 || url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 5003693 || [WINDOWS-SECURITY] A more restrictive Windows Filtering Platform filter has blocked a 
packet || url,wiki.quadrantsec.com/bin/view/Main/5003693 || url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 5003694 || [WINDOWS-SECURITY] The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections || url,wiki.quadrantsec.com/bin/view/Main/5003694 || url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 5003695 || [WINDOWS-SECURITY] The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections || url,wiki.quadrantsec.com/bin/view/Main/5003695 || url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 5003696 || [WINDOWS-SECURITY] The Windows Filtering Platform has allowed a connection || url,wiki.quadrantsec.com/bin/view/Main/5003696 || url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 5003697 || [WINDOWS-SECURITY] The Windows Filtering Platform has blocked a connection || url,wiki.quadrantsec.com/bin/view/Main/5003697 || url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 5003698 || [WINDOWS-SECURITY] The Windows Filtering Platform has permitted a bind to a local port || url,wiki.quadrantsec.com/bin/view/Main/5003698 || url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 5003699 || [WINDOWS-SECURITY] The Windows Filtering Platform has blocked a bind to a local port || url,wiki.quadrantsec.com/bin/view/Main/5003699 || url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 5003700 || [WINDOWS-SECURITY] The requested 
credentials delegation was disallowed by policy || url,wiki.quadrantsec.com/bin/view/Main/5003700 || url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 5003701 || [WINDOWS-SECURITY] The following callout was present when the Windows Filtering Platform Base Filtering Engine started || url,wiki.quadrantsec.com/bin/view/Main/5003701 || url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 5003702 || [WINDOWS-SECURITY] The following filter was present when the Windows Filtering Platform Base Filtering Engine started || url,wiki.quadrantsec.com/bin/view/Main/5003702 || url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 5003703 || [WINDOWS-SECURITY] The following provider was present when the Windows Filtering Platform Base Filtering Engine started || url,wiki.quadrantsec.com/bin/view/Main/5003703 || url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 5003704 || [WINDOWS-SECURITY] The following provider context was present when the Windows Filtering Platform Base Filtering Engine started || url,wiki.quadrantsec.com/bin/view/Main/5003704 || url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 5003705 || [WINDOWS-SECURITY] The following sublayer was present when the Windows Filtering Platform Base Filtering Engine started || url,wiki.quadrantsec.com/bin/view/Main/5003705 || url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 5003706 || [WINDOWS-SECURITY] A Windows Filtering Platform callout has been changed || url,wiki.quadrantsec.com/bin/view/Main/5003706 || 
url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 5003707 || [WINDOWS-SECURITY] A Windows Filtering Platform filter has been changed || url,wiki.quadrantsec.com/bin/view/Main/5003707 || url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 5003708 || [WINDOWS-SECURITY] A Windows Filtering Platform provider has been changed || url,wiki.quadrantsec.com/bin/view/Main/5003708 || url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 5003709 || [WINDOWS-SECURITY] A Windows Filtering Platform provider context has been changed || url,wiki.quadrantsec.com/bin/view/Main/5003709 || url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 5003710 || [WINDOWS-SECURITY] A Windows Filtering Platform sublayer has been changed || url,wiki.quadrantsec.com/bin/view/Main/5003710 || url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 5003711 || [WINDOWS-SECURITY] An IPsec Quick Mode security association was established || url,wiki.quadrantsec.com/bin/view/Main/5003711 || url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 5003712 || [WINDOWS-SECURITY] An IPsec Quick Mode security association ended || url,wiki.quadrantsec.com/bin/view/Main/5003712 || url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 5003713 || [WINDOWS-SECURITY] PAStore Engine applied Active Directory storage IPsec policy on the computer || url,wiki.quadrantsec.com/bin/view/Main/5003713 || 
url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 5003714 || [WINDOWS-SECURITY] PAStore Engine failed to apply Active Directory storage IPsec policy on the computer || url,wiki.quadrantsec.com/bin/view/Main/5003714 || url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 5003715 || [WINDOWS-SECURITY] PAStore Engine applied locally cached copy of Active Directory storage IPsec policy on the computer || url,wiki.quadrantsec.com/bin/view/Main/5003715 || url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 5003716 || [WINDOWS-SECURITY] PAStore Engine failed to apply locally cached copy of Active Directory storage IPsec policy on the computer || url,wiki.quadrantsec.com/bin/view/Main/5003716 || url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 5003717 || [WINDOWS-SECURITY] PAStore Engine applied local registry storage IPsec policy on the computer || url,wiki.quadrantsec.com/bin/view/Main/5003717 || url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 5003718 || [WINDOWS-SECURITY] PAStore Engine failed to apply local registry storage IPsec policy on the computer || url,wiki.quadrantsec.com/bin/view/Main/5003718 || url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 5003719 || [WINDOWS-SECURITY] PAStore Engine failed to apply some rules of the active IPsec policy on the computer || url,wiki.quadrantsec.com/bin/view/Main/5003719 || url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 5003720 || [WINDOWS-SECURITY] PAStore Engine polled for 
changes to the active IPsec policy and detected no changes || url,wiki.quadrantsec.com/bin/view/Main/5003720 || url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 5003721 || [WINDOWS-SECURITY] PAStore Engine polled for changes to the active IPsec policy || url,wiki.quadrantsec.com/bin/view/Main/5003721 || url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 5003722 || [WINDOWS-SECURITY] PAStore Engine received a control for forced reloading of IPsec policy and processed the control successfully || url,wiki.quadrantsec.com/bin/view/Main/5003722 || url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 5003723 || [WINDOWS-SECURITY] PAStore Engine polled for changes to the Active Directory IPsec policy || url,wiki.quadrantsec.com/bin/view/Main/5003723 || url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 5003724 || [WINDOWS-SECURITY] PAStore Engine polled for changes to the Active Directory IPsec policy || url,wiki.quadrantsec.com/bin/view/Main/5003724 || url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 5003725 || [WINDOWS-SECURITY] PAStore Engine polled for changes to the Active Directory IPsec policy || url,wiki.quadrantsec.com/bin/view/Main/5003725 || url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 5003726 || [WINDOWS-SECURITY] PAStore Engine loaded local storage IPsec policy on the computer || url,wiki.quadrantsec.com/bin/view/Main/5003726 || url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 5003727 || [WINDOWS-SECURITY] 
PAStore Engine failed to load local storage IPsec policy on the computer || url,wiki.quadrantsec.com/bin/view/Main/5003727 || url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 5003728 || [WINDOWS-SECURITY] PAStore Engine loaded directory storage IPsec policy on the computer || url,wiki.quadrantsec.com/bin/view/Main/5003728 || url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 5003729 || [WINDOWS-SECURITY] PAStore Engine failed to load directory storage IPsec policy on the computer || url,wiki.quadrantsec.com/bin/view/Main/5003729 || url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 5003730 || [WINDOWS-SECURITY] PAStore Engine failed to add quick mode filter || url,wiki.quadrantsec.com/bin/view/Main/5003730 || url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 5003731 || [WINDOWS-SECURITY] IPsec Services has been shut down successfully || url,wiki.quadrantsec.com/bin/view/Main/5003731 || url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 5003732 || [WINDOWS-SECURITY] A request was made to authenticate to a wireless network || url,wiki.quadrantsec.com/bin/view/Main/5003732 || url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 5003733 || [WINDOWS-SECURITY] A request was made to authenticate to a wired network || url,wiki.quadrantsec.com/bin/view/Main/5003733 || url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 5003734 || [WINDOWS-SECURITY] A Remote Procedure Call (RPC) was attempted || 
url,wiki.quadrantsec.com/bin/view/Main/5003734 || url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 5003735 || [WINDOWS-SECURITY] An object in the COM+ Catalog was modified || url,wiki.quadrantsec.com/bin/view/Main/5003735 || url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 5003736 || [WINDOWS-SECURITY] An object was deleted from the COM+ Catalog || url,wiki.quadrantsec.com/bin/view/Main/5003736 || url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 5003737 || [WINDOWS-SECURITY] An object was added to the COM+ Catalog || url,wiki.quadrantsec.com/bin/view/Main/5003737 || url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 5003738 || [WINDOWS-SECURITY] The previous system shutdown was unexpected || url,wiki.quadrantsec.com/bin/view/Main/5003738 || url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 5003739 || [WINDOWS-SECURITY] Security policy in the Group Policy objects has been applied successfully || url,wiki.quadrantsec.com/bin/view/Main/5003739 || url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 5003740 || [WINDOWS-SECURITY] Network Policy Server granted access to a user || url,wiki.quadrantsec.com/bin/view/Main/5003740 || url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 5003741 || [WINDOWS-SECURITY] A handle to an object was requested || url,wiki.quadrantsec.com/bin/view/Main/5003741 || url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 
5003742 || [WINDOWS-SECURITY] Object open for delete || url,wiki.quadrantsec.com/bin/view/Main/5003742 || url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 5003743 || [WINDOWS-SECURITY] User Account Type Changed || url,wiki.quadrantsec.com/bin/view/Main/5003743 || url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 5003744 || [WINDOWS-SECURITY] IPsec policy agent started || url,wiki.quadrantsec.com/bin/view/Main/5003744 || url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 5003745 || [WINDOWS-SECURITY] IPsec policy agent disabled || url,wiki.quadrantsec.com/bin/view/Main/5003745 || url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 5003746 || [WINDOWS-SECURITY] IPsec policy agent || url,wiki.quadrantsec.com/bin/view/Main/5003746 || url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 5003747 || [WINDOWS-SECURITY] IPsec policy agent encountered a potential serious failure || url,wiki.quadrantsec.com/bin/view/Main/5003747 || url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 5003748 || [WINDOWS-SECURITY] Encryption of volume started || url,wiki.quadrantsec.com/bin/view/Main/5003748 || url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 5003749 || [WINDOWS-SECURITY] Encryption of volume stopped || url,wiki.quadrantsec.com/bin/view/Main/5003749 || url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 5003750 || [WINDOWS-SECURITY] Encryption of volume 
completed || url,wiki.quadrantsec.com/bin/view/Main/5003750 || url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 5003751 || [WINDOWS-SECURITY] Decryption of volume started || url,wiki.quadrantsec.com/bin/view/Main/5003751 || url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 5003752 || [WINDOWS-SECURITY] Decryption of volume stopped || url,wiki.quadrantsec.com/bin/view/Main/5003752 || url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 5003753 || [WINDOWS-SECURITY] Decryption of volume completed || url,wiki.quadrantsec.com/bin/view/Main/5003753 || url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 5003754 || [WINDOWS-SECURITY] Conversion worker thread for volume started || url,wiki.quadrantsec.com/bin/view/Main/5003754 || url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 5003755 || [WINDOWS-SECURITY] Conversion worker thread for volume temporarily stopped || url,wiki.quadrantsec.com/bin/view/Main/5003755 || url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 5003756 || [WINDOWS-SECURITY] The conversion operation on volume encountered a bad sector error || url,wiki.quadrantsec.com/bin/view/Main/5003756 || url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 5003757 || [WINDOWS-SECURITY] Volume contains bad clusters || url,wiki.quadrantsec.com/bin/view/Main/5003757 || url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 5003758 || [WINDOWS-SECURITY] 
Initial state check: Rolling volume conversion transaction on || url,wiki.quadrantsec.com/bin/view/Main/5003758 || url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 5003759 || [WINDOWS-SECURITY] An IPsec Security Association was deleted || url,wiki.quadrantsec.com/bin/view/Main/5003759 || url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 5003760 || [WINDOWS-SECURITY] IPsec Services has started successfully || url,wiki.quadrantsec.com/bin/view/Main/5003760 || url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 5003761 || [WINDOWS-SECURITY] Role separation enabled: || url,wiki.quadrantsec.com/bin/view/Main/5003761 || url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 5003762 || [WINDOWS-SECURITY] A security setting was updated on the OCSP Responder Service || url,wiki.quadrantsec.com/bin/view/Main/5003762 || url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 5003763 || [WINDOWS-SECURITY] Possible denial-of-service (DoS) attack || url,wiki.quadrantsec.com/bin/view/Main/5003763 || url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 5003764 || [WINDOWS-SECURITY] An attempt was made to set the Directory Services Restore Mode Administrator Password || url,wiki.quadrantsec.com/bin/view/Main/5003764 || url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 5003765 || [WINDOWS-SECURITY] Special groups have been assigned to a new logon || url,wiki.quadrantsec.com/bin/view/Main/5003765 || 
url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 5003766 || [WINDOWS-SECURITY] A monitored security event pattern has occurred || url,wiki.quadrantsec.com/bin/view/Main/5003766 || url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 5003767 || [WINDOWS-SECURITY] A replay attack was detected || url,wiki.quadrantsec.com/bin/view/Main/5003767 || url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 5003768 || [WINDOWS-SECURITY] System audit policy was changed || url,wiki.quadrantsec.com/bin/view/Main/5003768 || url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 5003769 || [WINDOWS-SECURITY] SID History was added to an account || url,wiki.quadrantsec.com/bin/view/Main/5003769 || url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 5003770 || [WINDOWS-SECURITY] An attempt to add SID History to an account failed || url,wiki.quadrantsec.com/bin/view/Main/5003770 || url,github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/plan/Appendix-L--Events-to-Monitor.md 5003771 || [AS400] AUTFAIL An incorrect password was entered || url,wiki.quadrantsec.com/bin/view/Main/5003771 5003772 || [AS400] AUTFAIL fail - password expired [no username] || url,wiki.quadrantsec.com/bin/view/Main/5003772 5003773 || [AS400] AUTFAIL - incorrect network password was used; content: " MVP1600 || url,wiki.quadrantsec.com/bin/view/Main/5003773 5003774 || [AS400] AUTFAIL - Not authorized to object || url,wiki.quadrantsec.com/bin/view/Main/5003774 5003775 || [AS400] AUTFAIL - User name not valid || url,wiki.quadrantsec.com/bin/view/Main/5003775 5003776 || [AS400] AUTFAIL - Operation 
SVRPGM wihtout authority || url,wiki.quadrantsec.com/bin/view/Main/5003776 5003777 || [AS400] AUTFAIL - Failed because profile was disabled || url,wiki.quadrantsec.com/bin/view/Main/5003777 5003778 || [AS400] AUTFAIL - User not authorized to object || url,wiki.quadrantsec.com/bin/view/Main/5003778 5003779 || [AS400] AUTFAIL - Changed audit status of user || url,wiki.quadrantsec.com/bin/view/Main/5003779 5003781 || [CISCO-ISE-GEOIP] Successful authentication from outside HOME_COUNTRY || url,wiki.quadrantsec.com/bin/view/Main/5003781 5003782 || [CISCO-ISE-BLUEDOT] Successful authentication from outside HOME_COUNTRY || url,wiki.quadrantsec.com/bin/view/Main/5003782 5003783 || [CISCO-ISE-BLACKLIST] Successful authentication from outside HOME_COUNTRY || url,wiki.quadrantsec.com/bin/view/Main/5003783 5003784 || [CISCO-ISE-BROINTEL] Successful authentication from outside HOME_COUNTRY || url,wiki.quadrantsec.com/bin/view/Main/5003784 5003785 || [DYNAMIC] Cisco ISE detected via program || url,wiki.quadrantsec.com/bin/view/Main/5003785 5003786 || [WINDOWS-AUTH] LDAP authentication error - Account expired. || url,www.quadrantsec.com/about/blog/using_jack_crooks_log_analysis_concepts_with_sagan || url,wiki.quadrantsec.com/bin/view/Main/5003786 5003787 || [WINDOWS-AUTH] LDAP authentication error - Account locked. || url,wiki.quadrantsec.com/bin/view/Main/5003787 6000510 || [OSSEC] Level 7 - Host-based anomaly detection event (rootcheck). (ossec_rules.xml:ossec) 6000513 || [OSSEC] Level 9 - Windows malware detected. (ossec_rules.xml:ossec) 6000518 || [OSSEC] Level 9 - Windows Adware/Spyware application found. (ossec_rules.xml:ossec) 6000531 || [OSSEC] Level 7 - Partition usage reached 100% (disk space monitor). (ossec_rules.xml:ossec) 6000550 || [OSSEC] Level 7 - Integrity checksum changed. (ossec_rules.xml:ossec) 6000551 || [OSSEC] Level 7 - Integrity checksum changed again (2nd time). 
(ossec_rules.xml:ossec) 6000552 || [OSSEC] Level 7 - Integrity checksum changed again (3rd time). (ossec_rules.xml:ossec) 6000553 || [OSSEC] Level 7 - File deleted. Unable to retrieve checksum. (ossec_rules.xml:ossec) 6000555 || [OSSEC] Level 7 - Integrity checksum for agentless device changed. (ossec_rules.xml:ossec) 6000580 || [OSSEC] Level 8 - Host information changed. (ossec_rules.xml:ossec) 6000581 || [OSSEC] Level 8 - Host information added. (ossec_rules.xml:ossec) 6000592 || [OSSEC] Level 8 - Log file size reduced. (ossec_rules.xml:ossec) 6000593 || [OSSEC] Level 9 - Microsoft Event log cleared. (ossec_rules.xml:ossec) 6001003 || [OSSEC] Level 13 - Non standard syslog message (size too large). (syslog_rules.xml:syslog,errors) 6001004 || [OSSEC] Level 5 - Syslogd exiting (logging stopped). (syslog_rules.xml:syslog,errors) 6001005 || [OSSEC] Level 5 - Syslogd restarted. (syslog_rules.xml:syslog,errors) 6001006 || [OSSEC] Level 5 - Syslogd restarted. (syslog_rules.xml:syslog,errors) 6001007 || [OSSEC] Level 7 - File system full. (syslog_rules.xml:syslog,errors) 6001008 || [OSSEC] Level 5 - Process exiting (killed). (syslog_rules.xml:syslog,errors) 6002301 || [OSSEC] Level 10 - Excessive number connections to a service. (syslog_rules.xml:syslog,xinetd) 6002551 || [OSSEC] Level 10 - Connection to rshd from unprivileged port. Possible network scan. (syslog_rules.xml:syslog,access_control) 6002832 || [OSSEC] Level 5 - Crontab entry changed. (syslog_rules.xml:syslog,cron) 6002833 || [OSSEC] Level 8 - Root's crontab entry changed. (syslog_rules.xml:syslog,cron) 6002834 || [OSSEC] Level 5 - Crontab opened for editing. (syslog_rules.xml:syslog,cron) 6002902 || [OSSEC] Level 7 - New dpkg (Debian Package) installed. (syslog_rules.xml:syslog,dpkg) 6002903 || [OSSEC] Level 7 - Dpkg (Debian Package) removed. (syslog_rules.xml:syslog,dpkg) 6002932 || [OSSEC] Level 7 - New Yum package installed. (syslog_rules.xml:syslog,yum) 6002933 || [OSSEC] Level 7 - Yum package updated. 
(syslog_rules.xml:syslog,yum) 6002934 || [OSSEC] Level 7 - Yum package deleted. (syslog_rules.xml:syslog,yum) 6003102 || [OSSEC] Level 5 - Sender domain does not have any valid MX record (Requested action aborted). (sendmail_rules.xml:syslog,sendmail) 6003103 || [OSSEC] Level 6 - Rejected by access list (55x: Requested action not taken). (sendmail_rules.xml:syslog,sendmail) 6003104 || [OSSEC] Level 6 - Attepmt to use mail server as relay (550: Requested action not taken). (sendmail_rules.xml:syslog,sendmail) 6003105 || [OSSEC] Level 5 - Sender domain is not found (553: Requested action not taken). (sendmail_rules.xml:syslog,sendmail) 6003106 || [OSSEC] Level 5 - Sender address does not have domain (553: Requested action not taken). (sendmail_rules.xml:syslog,sendmail) 6003108 || [OSSEC] Level 6 - Sendmail rejected due to pre-greeting. (sendmail_rules.xml:syslog,sendmail) 6003109 || [OSSEC] Level 8 - Sendmail save mail panic. (sendmail_rules.xml:syslog,sendmail) 6003151 || [OSSEC] Level 10 - Sender domain has bogus MX record. It should not be sending e-mail. (sendmail_rules.xml:syslog,sendmail) 6003152 || [OSSEC] Level 6 - Multiple attempts to send e-mail from a previously rejected sender (access). (sendmail_rules.xml:syslog,sendmail) 6003153 || [OSSEC] Level 6 - Multiple relaying attempts of spam. (sendmail_rules.xml:syslog,sendmail) 6003154 || [OSSEC] Level 10 - Multiple attempts to send e-mail from invalid/unknown sender domain. (sendmail_rules.xml:syslog,sendmail) 6003155 || [OSSEC] Level 10 - Multiple attempts to send e-mail from invalid/unknown sender. (sendmail_rules.xml:syslog,sendmail) 6003156 || [OSSEC] Level 10 - Multiple rejected e-mails from same source ip. (sendmail_rules.xml:syslog,sendmail) 6003158 || [OSSEC] Level 10 - Multiple pre-greetings rejects. (sendmail_rules.xml:syslog,sendmail) 6003191 || [OSSEC] Level 6 - SMF-SAV sendmail milter unable to verify address (REJECTED). 
(sendmail_rules.xml:syslog,sendmail) 6003301 || [OSSEC] Level 6 - Attempt to use mail server as relay (client host rejected). (postfix_rules.xml:syslog,postfix) 6003302 || [OSSEC] Level 6 - Rejected by access list (Requested action not taken). (postfix_rules.xml:syslog,postfix) 6003303 || [OSSEC] Level 5 - Sender domain is not found (450: Requested mail action not taken). (postfix_rules.xml:syslog,postfix) 6003304 || [OSSEC] Level 5 - Improper use of SMTP command pipelining (503: Bad sequence of commands). (postfix_rules.xml:syslog,postfix) 6003305 || [OSSEC] Level 5 - Receipent address must contain FQDN (504: Command parameter not implemented). (postfix_rules.xml:syslog,postfix) 6003306 || [OSSEC] Level 6 - IP Address black-listed by anti-spam (blocked). (postfix_rules.xml:syslog,postfix) 6003330 || [OSSEC] Level 10 - Postfix process error. (postfix_rules.xml:syslog,postfix) 6003331 || [OSSEC] Level 10 - Postfix insufficient disk space error. (postfix_rules.xml:syslog,postfix) 6003332 || [OSSEC] Level 5 - Postfix SASL authentication failure. (postfix_rules.xml:syslog,postfix) 6003333 || [OSSEC] Level 7 - Postfix stopped. (postfix_rules.xml:syslog,postfix) 6003351 || [OSSEC] Level 6 - Multiple relaying attempts of spam. (postfix_rules.xml:syslog,postfix) 6003352 || [OSSEC] Level 6 - Multiple attempts to send e-mail from a rejected sender IP (access). (postfix_rules.xml:syslog,postfix) 6003353 || [OSSEC] Level 10 - Multiple attempts to send e-mail from invalid/unknown sender domain. (postfix_rules.xml:syslog,postfix) 6003354 || [OSSEC] Level 12 - Multiple misuse of SMTP service (bad sequence of commands). (postfix_rules.xml:syslog,postfix) 6003355 || [OSSEC] Level 10 - Multiple attempts to send e-mail to invalid recipient or from unknown sender domain. (postfix_rules.xml:syslog,postfix) 6003356 || [OSSEC] Level 10 - Multiple attempts to send e-mail from black-listed IP address (blocked). 
(postfix_rules.xml:syslog,postfix) 6003357 || [OSSEC] Level 10 - Multiple SASL authentication failures. (postfix_rules.xml:syslog,postfix) 6003601 || [OSSEC] Level 5 - Imapd user login failed. (imapd_rules.xml:syslog,imapd) 6003651 || [OSSEC] Level 10 - Multiple failed logins from same source ip. (imapd_rules.xml:syslog,imapd) 6003702 || [OSSEC] Level 5 - Mail Scanner spam detected. (mailscanner_rules.xml:syslog,mailscanner) 6003751 || [OSSEC] Level 6 - Multiple attempts of spam. (mailscanner_rules.xml:syslog,mailscanner) 6003851 || [OSSEC] Level 9 - Multiple e-mail attempts to an invalid account. (ms-exchange_rules.xml:ms,exchange) 6003852 || [OSSEC] Level 9 - Multiple e-mail 500 error code (spam). (ms-exchange_rules.xml:ms,exchange) 6003902 || [OSSEC] Level 5 - Courier (imap/pop3) authentication failed. (courier_rules.xml:syslog,courier) 6003910 || [OSSEC] Level 10 - Courier brute force (multiple failed logins). (courier_rules.xml:syslog,courier) 6003911 || [OSSEC] Level 10 - Multiple connection attempts from same source. (courier_rules.xml:syslog,courier) 6004101 || [OSSEC] Level 5 - Firewall drop event. (firewall_rules.xml:firewall) 6004151 || [OSSEC] Level 10 - Multiple Firewall drop events from same source. (firewall_rules.xml:firewall) 6004310 || [OSSEC] Level 5 - PIX alert message. (pix_rules.xml:syslog,pix) 6004311 || [OSSEC] Level 5 - PIX critical message. (pix_rules.xml:syslog,pix) 6004321 || [OSSEC] Level 9 - Failed login attempt at the PIX firewall. (pix_rules.xml:syslog,pix) 6004324 || [OSSEC] Level 9 - Password mismatch while running 'enable' on the PIX. (pix_rules.xml:syslog,pix) 6004325 || [OSSEC] Level 8 - ARP collision detected by the PIX. (pix_rules.xml:syslog,pix) 6004326 || [OSSEC] Level 8 - Attempt to connect from a blocked (shunned) IP. (pix_rules.xml:syslog,pix) 6004327 || [OSSEC] Level 8 - Connection limit exceeded. (pix_rules.xml:syslog,pix) 6004330 || [OSSEC] Level 8 - Attack in progress detected by the PIX. 
(pix_rules.xml:syslog,pix) 6004331 || [OSSEC] Level 8 - Attack in progress detected by the PIX. (pix_rules.xml:syslog,pix) 6004332 || [OSSEC] Level 8 - Attack in progress detected by the PIX. (pix_rules.xml:syslog,pix) 6004333 || [OSSEC] Level 8 - Attack in progress detected by the PIX. (pix_rules.xml:syslog,pix) 6004334 || [OSSEC] Level 5 - AAA (VPN) authentication failed. (pix_rules.xml:syslog,pix) 6004336 || [OSSEC] Level 8 - AAA (VPN) user locked out. (pix_rules.xml:syslog,pix) 6004337 || [OSSEC] Level 8 - The PIX is disallowing new connections. (pix_rules.xml:syslog,pix) 6004338 || [OSSEC] Level 8 - Firewall failover pair communication problem. (pix_rules.xml:syslog,pix) 6004339 || [OSSEC] Level 8 - Firewall configuration deleted. (pix_rules.xml:syslog,pix) 6004340 || [OSSEC] Level 8 - Firewall configuration changed. (pix_rules.xml:syslog,pix) 6004342 || [OSSEC] Level 8 - User created or modified on the Firewall. (pix_rules.xml:syslog,pix) 6004380 || [OSSEC] Level 10 - Multiple PIX alert messages. (pix_rules.xml:syslog,pix) 6004381 || [OSSEC] Level 10 - Multiple PIX critical messages. (pix_rules.xml:syslog,pix) 6004382 || [OSSEC] Level 10 - Multiple PIX error messages. (pix_rules.xml:syslog,pix) 6004383 || [OSSEC] Level 10 - Multiple PIX warning messages. (pix_rules.xml:syslog,pix) 6004385 || [OSSEC] Level 10 - Multiple attack in progress messages. (pix_rules.xml:syslog,pix) 6004386 || [OSSEC] Level 10 - Nultiple AAA (VPN) authentication failures. (pix_rules.xml:syslog,pix) 6004503 || [OSSEC] Level 5 - Netscreen critical/alert message. (netscreenfw_rules.xml:netscreenfw) 6004504 || [OSSEC] Level 5 - Netscreen informational message. (netscreenfw_rules.xml:netscreenfw) 6004505 || [OSSEC] Level 11 - Netscreen Erase sequence started. 
(netscreenfw_rules.xml:netscreenfw) 6004506 || [OSSEC] Level 8 - Successfull admin login to the Netscreen firewall (netscreenfw_rules.xml:netscreenfw) 6004507 || [OSSEC] Level 8 - Successfull admin login to the Netscreen firewall (netscreenfw_rules.xml:netscreenfw) 6004508 || [OSSEC] Level 8 - Firewall policy changed. (netscreenfw_rules.xml:netscreenfw) 6004509 || [OSSEC] Level 8 - Firewall configuration changed. (netscreenfw_rules.xml:netscreenfw) 6004513 || [OSSEC] Level 5 - Netscreen critical/alert message. (netscreenfw_rules.xml:netscreenfw) 6004550 || [OSSEC] Level 10 - Multiple Netscreen critical messages from same source IP. (netscreenfw_rules.xml:netscreenfw) 6004551 || [OSSEC] Level 10 - Multiple Netscreen critical messages. (netscreenfw_rules.xml:netscreenfw) 6004552 || [OSSEC] Level 10 - Multiple Netscreen alert messages from same source IP. (netscreenfw_rules.xml:netscreenfw) 6004553 || [OSSEC] Level 10 - Multiple Netscreen alert messages. (netscreenfw_rules.xml:netscreenfw) 6004710 || [OSSEC] Level 9 - Cisco IOS emergency message. (cisco-ios_rules.xml:syslog,cisco_ios) 6004711 || [OSSEC] Level 5 - Cisco IOS alert message. (cisco-ios_rules.xml:syslog,cisco_ios) 6004712 || [OSSEC] Level 5 - Cisco IOS critical message. (cisco-ios_rules.xml:syslog,cisco_ios) 6004724 || [OSSEC] Level 9 - Failed login to the router. (cisco-ios_rules.xml:syslog,cisco_ios) 6004801 || [OSSEC] Level 8 - SonicWall critical message. (sonicwall_rules.xml:syslog,sonicwall) 6004802 || [OSSEC] Level 8 - SonicWall critical message. (sonicwall_rules.xml:syslog,sonicwall) 6004811 || [OSSEC] Level 9 - Firewall authentication failure. (sonicwall_rules.xml:syslog,sonicwall) 6004850 || [OSSEC] Level 10 - Multiple firewall warning messages. (sonicwall_rules.xml:syslog,sonicwall) 6004851 || [OSSEC] Level 10 - Multiple firewall error messages. (sonicwall_rules.xml:syslog,sonicwall) 6005103 || [OSSEC] Level 9 - Error message from the kernel. Ping of death attack. 
(syslog_rules.xml:syslog,linuxkernel) 6005104 || [OSSEC] Level 8 - Interface entered in promiscuous(sniffing) mode. (syslog_rules.xml:syslog,linuxkernel) 6005108 || [OSSEC] Level 12 - System running out of memory. Availability of the system is in risk. (syslog_rules.xml:syslog,linuxkernel) 6005113 || [OSSEC] Level 7 - System is shutting down. (syslog_rules.xml:syslog,linuxkernel) 6005130 || [OSSEC] Level 7 - Monitor ADSL line is down. (syslog_rules.xml:syslog,linuxkernel) 6005301 || [OSSEC] Level 5 - User missed the password to change UID (user id). (syslog_rules.xml:syslog, su) 6005302 || [OSSEC] Level 9 - User missed the password to change UID to root. (syslog_rules.xml:syslog, su) 6005401 || [OSSEC] Level 10 - Three failed attempts to run sudo (syslog_rules.xml:syslog,sudo) 6005503 || [OSSEC] Level 5 - User login failed. (pam_rules.xml:pam,syslog) 6005504 || [OSSEC] Level 5 - Attempt to login with an invalid user. (pam_rules.xml:pam,syslog) 6005551 || [OSSEC] Level 10 - Multiple failed logins in a small period of time. (pam_rules.xml:pam,syslog) 6005601 || [OSSEC] Level 5 - Connection refused by TCP Wrappers. (telnetd_rules.xml:syslog,telnetd) 6005603 || [OSSEC] Level 5 - Remote host invalid connection. (telnetd_rules.xml:syslog,telnetd) 6005604 || [OSSEC] Level 5 - Reverse lookup error (bad hostname config). (telnetd_rules.xml:syslog,telnetd) 6005631 || [OSSEC] Level 10 - Multiple connection attempts from same source (possible scan). (telnetd_rules.xml:syslog,telnetd) 6005701 || [OSSEC] Level 8 - Possible attack on the ssh server (or version gathering). (sshd_rules.xml:syslog,sshd) 6005702 || [OSSEC] Level 5 - Reverse lookup error (bad ISP or attack). (sshd_rules.xml:syslog,sshd) 6005703 || [OSSEC] Level 10 - Possible breakin attempt (high number of reverse lookup errors). (sshd_rules.xml:syslog,sshd) 6005705 || [OSSEC] Level 10 - Possible scan or breakin attempt (high number of login timeouts). 
(sshd_rules.xml:syslog,sshd) 6005706 || [OSSEC] Level 6 - SSH insecure connection attempt (scan). (sshd_rules.xml:syslog,sshd) 6005707 || [OSSEC] Level 14 - OpenSSH challenge-response exploit. (sshd_rules.xml:syslog,sshd) 6005710 || [OSSEC] Level 5 - Attempt to login using a non-existent user (sshd_rules.xml:syslog,sshd) 6005712 || [OSSEC] Level 10 - SSHD brute force trying to get access to the system. (sshd_rules.xml:syslog,sshd) 6005713 || [OSSEC] Level 6 - Corrupted bytes on SSHD. (sshd_rules.xml:syslog,sshd) 6005714 || [OSSEC] Level 14 - SSH CRC-32 Compensation attack (sshd_rules.xml:syslog,sshd) 6005716 || [OSSEC] Level 5 - SSHD authentication failed. (sshd_rules.xml:syslog,sshd) 6005718 || [OSSEC] Level 5 - Attempt to login using a denied user. (sshd_rules.xml:syslog,sshd) 6005719 || [OSSEC] Level 10 - Multiple access attempts using a denied user. (sshd_rules.xml:syslog,sshd) 6005720 || [OSSEC] Level 10 - Multiple SSHD authentication failures. (sshd_rules.xml:syslog,sshd) 6005901 || [OSSEC] Level 8 - New group added to the system (syslog_rules.xml:syslog,adduser) 6005902 || [OSSEC] Level 8 - New user added to the system (syslog_rules.xml:syslog,adduser) 6005904 || [OSSEC] Level 8 - Information from the user was changed (syslog_rules.xml:syslog,adduser) 6006101 || [OSSEC] Level 5 - Auditing session failed. (solaris_bsm_rules.xml:syslog,solaris_bsm) 6006104 || [OSSEC] Level 5 - Login session failed. (solaris_bsm_rules.xml:syslog,solaris_bsm) 6006106 || [OSSEC] Level 5 - User failed to change UID (user id). (solaris_bsm_rules.xml:syslog,solaris_bsm) 6006210 || [OSSEC] Level 5 - Login session failed. (asterisk_rules.xml:syslog,asterisk) 6006211 || [OSSEC] Level 5 - Login session failed (invalid user). (asterisk_rules.xml:syslog,asterisk) 6006212 || [OSSEC] Level 5 - Login session failed (invalid extension). (asterisk_rules.xml:syslog,asterisk) 6006250 || [OSSEC] Level 10 - Multiple failed logins (user enumeration in process). 
(asterisk_rules.xml:syslog,asterisk) 6006251 || [OSSEC] Level 10 - Multiple failed logins. (asterisk_rules.xml:syslog,asterisk) 6006252 || [OSSEC] Level 10 - Extension enumeration. (asterisk_rules.xml:syslog,asterisk) 6006303 || [OSSEC] Level 10 - The log was temporarily paused due to low disk space. (ms_dhcp_rules.xml:windows,dhcp) 6006308 || [OSSEC] Level 12 - A lease request could not be satisfied because the scope's address pool was exhausted. (ms_dhcp_rules.xml:windows,dhcp) 6006309 || [OSSEC] Level 7 - A lease was denied. (ms_dhcp_rules.xml:windows,dhcp) 6006314 || [OSSEC] Level 10 - A BOOTP request could not be satisfied because the scope's address pool for BOOTP was exhausted. (ms_dhcp_rules.xml:windows,dhcp) 6006319 || [OSSEC] Level 7 - DNS update failed. (ms_dhcp_rules.xml:windows,dhcp) 6006321 || [OSSEC] Level 12 - Codes above 50 are used for Rogue Server Detection information. (ms_dhcp_rules.xml:windows,dhcp) 6006323 || [OSSEC] Level 12 - Packet dropped due to NAP policy. (ms_dhcp_rules.xml:windows,dhcp) 6006357 || [OSSEC] Level 7 - DHCP Decline. (ms_dhcp_rules.xml:windows,dhcp) 6006360 || [OSSEC] Level 12 - Scope Full. (ms_dhcp_rules.xml:windows,dhcp) 6006362 || [OSSEC] Level 7 - Stopped. (ms_dhcp_rules.xml:windows,dhcp) 6006363 || [OSSEC] Level 10 - Audit log paused. (ms_dhcp_rules.xml:windows,dhcp) 6006364 || [OSSEC] Level 7 - DHCP Log File. (ms_dhcp_rules.xml:windows,dhcp) 6006365 || [OSSEC] Level 7 - Bad Address. (ms_dhcp_rules.xml:windows,dhcp) 6006373 || [OSSEC] Level 12 - Service not authorized in AD. (ms_dhcp_rules.xml:windows,dhcp) 6006376 || [OSSEC] Level 12 - Service has not determined if it is authorized in AD. (ms_dhcp_rules.xml:windows,dhcp) 6007101 || [OSSEC] Level 8 - Problems with the tripwire checking (syslog_rules.xml:syslog,tripwire) 6007202 || [OSSEC] Level 9 - Arpwatch "flip flop" message. IP address/MAC relation changing too often. 
(arpwatch_rules.xml:syslog,arpwatch) 6007204 || [OSSEC] Level 9 - Changed network interface for ip address. (arpwatch_rules.xml:syslog,arpwatch) 6007310 || [OSSEC] Level 9 - Virus detected. (symantec-av_rules.xml:symantec) 6007410 || [OSSEC] Level 5 - Login failed accessing the web proxy. (symantec-ws_rules.xml:symantec) 6007504 || [OSSEC] Level 12 - McAfee Windows AV - Virus detected and not removed. (mcafee_av_rules.xml:mcafee) 6007505 || [OSSEC] Level 7 - McAfee Windows AV - Virus detected and properly removed. (mcafee_av_rules.xml:mcafee) 6007506 || [OSSEC] Level 7 - McAfee Windows AV - Virus detected and file will be deleted. (mcafee_av_rules.xml:mcafee) 6007509 || [OSSEC] Level 7 - McAfee Windows AV - Virus scan cancelled. (mcafee_av_rules.xml:mcafee) 6007510 || [OSSEC] Level 5 - McAfee Windows AV - Virus scan cancelled due to shutdown. (mcafee_av_rules.xml:mcafee) 6007512 || [OSSEC] Level 7 - McAfee Windows AV - Virus program or DAT update failed. (mcafee_av_rules.xml:mcafee) 6007513 || [OSSEC] Level 7 - McAfee Windows AV - Virus program or DAT update cancelled. (mcafee_av_rules.xml:mcafee) 6007514 || [OSSEC] Level 5 - McAfee Windows AV - EICAR test file detected. (mcafee_av_rules.xml:mcafee) 6007550 || [OSSEC] Level 10 - Multiple McAfee AV warning events. (mcafee_av_rules.xml:mcafee) 6007610 || [OSSEC] Level 5 - Virus detected and cleaned/quarantined/remved (trend-osce_rules.xml:trend_micro,ocse) 6007611 || [OSSEC] Level 9 - Virus detected and unable to clean up. (trend-osce_rules.xml:trend_micro,ocse) 6007613 || [OSSEC] Level 5 - Virus scan passed by found potential security risk. (trend-osce_rules.xml:trend_micro,ocse) 6007710 || [OSSEC] Level 12 - Microsoft Security Essentials - Virus detected, but unable to remove. (ms-se_rules.xml:windows,mse) 6007711 || [OSSEC] Level 7 - Microsoft Security Essentials - Virus detected and properly removed. (ms-se_rules.xml:windows,mse) 6007712 || [OSSEC] Level 7 - Microsoft Security Essentials - Virus detected. 
(ms-se_rules.xml:windows,mse) 6007731 || [OSSEC] Level 5 - Microsoft Security Essentials - EICAR test file detected. (ms-se_rules.xml:windows,mse) 6007750 || [OSSEC] Level 10 - Multiple Microsoft Security Essentials AV warnings detected. (ms-se_rules.xml:windows,mse) 6007751 || [OSSEC] Level 10 - Multiple Microsoft Security Essentials AV warnings detected. (ms-se_rules.xml:windows,mse) 6009303 || [OSSEC] Level 5 - Horde IMP error message. (hordeimp_rules.xml:syslog,hordeimp) 6009304 || [OSSEC] Level 9 - Horde IMP emergency message. (hordeimp_rules.xml:syslog,hordeimp) 6009306 || [OSSEC] Level 5 - Horde IMP Failed login. (hordeimp_rules.xml:syslog,hordeimp) 6009351 || [OSSEC] Level 10 - Horde brute force (multiple failed logins). (hordeimp_rules.xml:syslog,hordeimp) 6009352 || [OSSEC] Level 10 - Multiple Horde emergency messages. (hordeimp_rules.xml:syslog,hordeimp) 6009401 || [OSSEC] Level 5 - Roundcube authentication failed. (roundcube_rules.xml:syslog,roundcube) 6009501 || [OSSEC] Level 5 - Wordpress authentication failed. (wordpress_rules.xml:syslog,wordpress) 6009505 || [OSSEC] Level 7 - Wordpress Comment Flood Attempt. (wordpress_rules.xml:syslog,wordpress) 6009510 || [OSSEC] Level 7 - Attack against Wordpress detected. (wordpress_rules.xml:syslog,wordpress) 6009551 || [OSSEC] Level 10 - Multiple wordpress authentication failures. (wordpress_rules.xml:syslog,wordpress) 6009610 || [OSSEC] Level 5 - Compaq Insight Manager authentication failure. (cimserver_rules.xml:syslog,cimserver) 6009611 || [OSSEC] Level 12 - Compaq Insight Manager stopped. (cimserver_rules.xml:syslog,cimserver) 6009702 || [OSSEC] Level 5 - Dovecot Authentication Failed. (dovecot_rules.xml:dovecot) 6009705 || [OSSEC] Level 5 - Dovecot Invalid User Login Attempt. (dovecot_rules.xml:dovecot) 6009707 || [OSSEC] Level 5 - Dovecot Aborted Login. (dovecot_rules.xml:dovecot) 6009750 || [OSSEC] Level 10 - Dovecot Multiple Authentication Failures. 
(dovecot_rules.xml:dovecot) 6009751 || [OSSEC] Level 10 - Dovecot brute force attack (multiple auth failures). (dovecot_rules.xml:dovecot) 6009801 || [OSSEC] Level 5 - Login failed accessing the pop3 server. (vmpop3d_rules.xml:syslog,vm-pop3d) 6009820 || [OSSEC] Level 10 - POP3 brute force (multiple failed logins). (vmpop3d_rules.xml:syslog,vm-pop3d) 6009901 || [OSSEC] Level 5 - Login failed for vpopmail. (vpopmail_rules.xml:syslog,vpopmail) 6009902 || [OSSEC] Level 5 - Attempt to login to vpopmail with invalid username. (vpopmail_rules.xml:syslog,vpopmail) 6009903 || [OSSEC] Level 5 - Attempt to login to vpopmail with empty password. (vpopmail_rules.xml:syslog,vpopmail) 6009951 || [OSSEC] Level 10 - Vpopmail brute force (multiple failed logins). (vpopmail_rules.xml:syslog,vpopmail) 6009952 || [OSSEC] Level 10 - Vpopmail brute force (email harvesting). (vpopmail_rules.xml:syslog,vpopmail) 6009953 || [OSSEC] Level 10 - VPOPMAIL brute force (empty password). (vpopmail_rules.xml:syslog,vpopmail) 6011101 || [OSSEC] Level 5 - FTP connection refused. (ftpd_rules.xml:syslog,ftpd) 6011107 || [OSSEC] Level 5 - Connection blocked by Tcp Wrappers. (ftpd_rules.xml:syslog,ftpd) 6011108 || [OSSEC] Level 5 - Reverse lookup error (bad ISP config). (ftpd_rules.xml:syslog,ftpd) 6011109 || [OSSEC] Level 10 - Multiple FTP failed login attempts. (ftpd_rules.xml:syslog,ftpd) 6011111 || [OSSEC] Level 9 - Attempt to login with disabled account. (ftpd_rules.xml:syslog,ftpd) 6011112 || [OSSEC] Level 5 - FTP authentication failure. (ftpd_rules.xml:syslog,ftpd) 6011113 || [OSSEC] Level 5 - FTP authentication failure. (ftpd_rules.xml:syslog,ftpd) 6011203 || [OSSEC] Level 5 - Attempt to login using a non-existent user. (proftpd_rules.xml:syslog,proftpd) 6011204 || [OSSEC] Level 5 - Login failed accessing the FTP server (proftpd_rules.xml:syslog,proftpd) 6011206 || [OSSEC] Level 5 - Connection denied by ProFTPD configuration. 
(proftpd_rules.xml:syslog,proftpd) 6011207 || [OSSEC] Level 5 - Connection refused by TCP Wrappers. (proftpd_rules.xml:syslog,proftpd) 6011209 || [OSSEC] Level 14 - Attempt to bypass firewall that can't adequately keep state of FTP traffic. (proftpd_rules.xml:syslog,proftpd) 6011210 || [OSSEC] Level 10 - Multiple failed login attempts. (proftpd_rules.xml:syslog,proftpd) 6011212 || [OSSEC] Level 5 - Reverse lookup error (bad ISP config). (proftpd_rules.xml:syslog,proftpd) 6011218 || [OSSEC] Level 12 - FTP process crashed. (proftpd_rules.xml:syslog,proftpd) 6011219 || [OSSEC] Level 12 - FTP server Buffer overflow attempt. (proftpd_rules.xml:syslog,proftpd) 6011251 || [OSSEC] Level 10 - FTP brute force (multiple failed logins). (proftpd_rules.xml:syslog,proftpd) 6011252 || [OSSEC] Level 10 - Multiple connection attempts from same source. (proftpd_rules.xml:syslog,proftpd) 6011253 || [OSSEC] Level 10 - Multiple timed out logins from same source. (proftpd_rules.xml:syslog,proftpd) 6011302 || [OSSEC] Level 5 - FTP Authentication failed. (pure-ftpd_rules.xml:syslog,pure-ftpd) 6011305 || [OSSEC] Level 5 - Attempt to access invalid directory (pure-ftpd_rules.xml:syslog,pure-ftpd) 6011306 || [OSSEC] Level 10 - FTP brute force (multiple failed logins). (pure-ftpd_rules.xml:syslog,pure-ftpd) 6011307 || [OSSEC] Level 10 - Multiple connection attempts from same source. (pure-ftpd_rules.xml:syslog,pure-ftpd) 6011403 || [OSSEC] Level 5 - Login failed accessing the FTP server. (vsftpd_rules.xml:syslog,vsftpd) 6011451 || [OSSEC] Level 10 - FTP brute force (multiple failed logins). (vsftpd_rules.xml:syslog,vsftpd) 6011452 || [OSSEC] Level 10 - Multiple FTP connection attempts from same source IP. (vsftpd_rules.xml:syslog,vsftpd) 6011502 || [OSSEC] Level 5 - FTP Authentication failed. (ms_ftpd_rules.xml:syslog,msftp) 6011510 || [OSSEC] Level 10 - FTP brute force (multiple failed logins). 
(ms_ftpd_rules.xml:syslog,msftp) 6011511 || [OSSEC] Level 10 - Multiple connection attempts from same source. (ms_ftpd_rules.xml:syslog,msftp) 6011512 || [OSSEC] Level 10 - Multiple FTP errors from same source. (ms_ftpd_rules.xml:syslog,msftp) 6012101 || [OSSEC] Level 12 - Invalid DNS packet. Possibility of attack. (named_rules.xml:syslog,named) 6012102 || [OSSEC] Level 9 - Failed attempt to perform a zone transfer. (named_rules.xml:syslog,named) 6012109 || [OSSEC] Level 12 - Named fatal error. DNS service going down. (named_rules.xml:syslog,named) 6012110 || [OSSEC] Level 8 - Serial number from master is lower than stored. (named_rules.xml:syslog,named) 6012111 || [OSSEC] Level 8 - Unable to perform zone transfer. (named_rules.xml:syslog,named) 6013102 || [OSSEC] Level 5 - Samba connection denied. (smbd_rules.xml:syslog,smbd) 6013104 || [OSSEC] Level 5 - User action denied by configuration. (smbd_rules.xml:syslog,smbd) 6014101 || [OSSEC] Level 5 - VPN authentication failed. (racoon_rules.xml:syslog,racoon) 6014151 || [OSSEC] Level 9 - Multiple failed VPN logins. (racoon_rules.xml:syslog,racoon) 6014202 || [OSSEC] Level 5 - VPN authentication failed. (vpn_concentrator_rules.xml:syslog,cisco_vpn) 6014251 || [OSSEC] Level 10 - Multiple VPN authentication failures. (vpn_concentrator_rules.xml:syslog,cisco_vpn) 6017101 || [OSSEC] Level 9 - Successful login during non-business hours. (policy_rules.xml:policy_violation) 6017102 || [OSSEC] Level 9 - Successful login during weekend. (policy_rules.xml:policy_violation) 6018103 || [OSSEC] Level 5 - Windows error event. (msauth_rules.xml:windows) 6018106 || [OSSEC] Level 5 - Windows Logon Failure. (msauth_rules.xml:windows) 6018110 || [OSSEC] Level 8 - User account enabled or created. (msauth_rules.xml:windows) 6018111 || [OSSEC] Level 8 - User account changed. (msauth_rules.xml:windows) 6018112 || [OSSEC] Level 8 - User account disabled or deleted. 
(msauth_rules.xml:windows) 6018113 || [OSSEC] Level 8 - Windows Audit Policy changed. (msauth_rules.xml:windows) 6018114 || [OSSEC] Level 5 - Group Account Changed (msauth_rules.xml:windows) 6018115 || [OSSEC] Level 8 - General account database changed. (msauth_rules.xml:windows) 6018116 || [OSSEC] Level 9 - User account locked out (multiple login errors). (msauth_rules.xml:windows) 6018117 || [OSSEC] Level 7 - Windows is shutting down. (msauth_rules.xml:windows) 6018118 || [OSSEC] Level 9 - Windows audit log was cleared. (msauth_rules.xml:windows) 6018125 || [OSSEC] Level 5 - Remote access login failure. (msauth_rules.xml:windows) 6018127 || [OSSEC] Level 8 - Computer account changed/deleted. (msauth_rules.xml:windows) 6018128 || [OSSEC] Level 8 - Group account added/changed/deleted. (msauth_rules.xml:windows) 6018129 || [OSSEC] Level 8 - Windows file system full. (msauth_rules.xml:windows) 6018130 || [OSSEC] Level 5 - Logon Failure - Unknown user or bad password. (msauth_rules.xml:windows) 6018131 || [OSSEC] Level 5 - Logon Failure - Account logon time restriction violation. (msauth_rules.xml:windows) 6018132 || [OSSEC] Level 5 - Logon Failure - Account currently disabled. (msauth_rules.xml:windows) 6018133 || [OSSEC] Level 5 - Logon Failure - Specified account expired. (msauth_rules.xml:windows) 6018134 || [OSSEC] Level 7 - Logon Failure - User not allowed to login at this computer. (msauth_rules.xml:windows) 6018135 || [OSSEC] Level 5 - Logon Failure - User not granted logon type. (msauth_rules.xml:windows) 6018136 || [OSSEC] Level 5 - Logon Failure - Account's password expired. (msauth_rules.xml:windows) 6018137 || [OSSEC] Level 5 - Logon Failure - Internal error. (msauth_rules.xml:windows) 6018138 || [OSSEC] Level 7 - Logon Failure - Account locked out. (msauth_rules.xml:windows) 6018139 || [OSSEC] Level 5 - Windows DC Logon Failure. (msauth_rules.xml:windows) 6018140 || [OSSEC] Level 7 - System time changed. 
(msauth_rules.xml:windows) 6018141 || [OSSEC] Level 7 - Unexpected Windows shutdown. (msauth_rules.xml:windows) 6018142 || [OSSEC] Level 5 - User account unlocked. (msauth_rules.xml:windows) 6018143 || [OSSEC] Level 8 - Security enabled group created. (msauth_rules.xml:windows) 6018144 || [OSSEC] Level 8 - Security enabled group deleted. (msauth_rules.xml:windows) 6018146 || [OSSEC] Level 5 - Application Uninstalled. (msauth_rules.xml:windows) 6018147 || [OSSEC] Level 5 - Application Installed. (msauth_rules.xml:windows) 6018151 || [OSSEC] Level 10 - Multiple failed attempts to perform a privileged operation by the same user. (msauth_rules.xml:windows) 6018152 || [OSSEC] Level 10 - Multiple Windows Logon Failures. (msauth_rules.xml:windows) 6018153 || [OSSEC] Level 10 - Multiple Windows audit failure events. (msauth_rules.xml:windows) 6018154 || [OSSEC] Level 10 - Multiple Windows error events. (msauth_rules.xml:windows) 6018155 || [OSSEC] Level 10 - Multiple Windows warning events. (msauth_rules.xml:windows) 6018156 || [OSSEC] Level 10 - Multiple remote access login failures. (msauth_rules.xml:windows) 6018170 || [OSSEC] Level 10 - Windows DC integrity check on decrypted field failed. (msauth_rules.xml:windows) 6018171 || [OSSEC] Level 10 - Windows DC - Possible replay attack. (msauth_rules.xml:windows) 6018172 || [OSSEC] Level 7 - Windows DC - Clock skew too great. (msauth_rules.xml:windows) 6018180 || [OSSEC] Level 5 - MS SQL Server Logon Failure. 
(msauth_rules.xml:windows) 6018200 || [OSSEC] Level 5 - Group Account Created (msauth_rules.xml:windows) 6018201 || [OSSEC] Level 5 - Group Account Deleted (msauth_rules.xml:windows) 6018202 || [OSSEC] Level 5 - Security Enabled Global Group Created (msauth_rules.xml:windows) 6018203 || [OSSEC] Level 5 - Security Enabled Global Group Member Added (msauth_rules.xml:windows) 6018204 || [OSSEC] Level 5 - Security Enabled Global Group Member Removed (msauth_rules.xml:windows) 6018205 || [OSSEC] Level 5 - Security Enabled Global Group Deleted (msauth_rules.xml:windows) 6018206 || [OSSEC] Level 5 - Security Enabled Local Group Created (msauth_rules.xml:windows) 6018207 || [OSSEC] Level 5 - Security Enabled Local Group Member Added (msauth_rules.xml:windows) 6018208 || [OSSEC] Level 5 - Security Enabled Local Group Member Removed (msauth_rules.xml:windows) 6018209 || [OSSEC] Level 5 - Security Enabled Local Group Deleted (msauth_rules.xml:windows) 6018210 || [OSSEC] Level 5 - Security Enabled Local Group Changed (msauth_rules.xml:windows) 6018211 || [OSSEC] Level 5 - Security Enabled Global Group Changed (msauth_rules.xml:windows) 6018212 || [OSSEC] Level 5 - Security Enabled Universal Group Created (msauth_rules.xml:windows) 6018213 || [OSSEC] Level 5 - Security Enabled Universal Group Changed (msauth_rules.xml:windows) 6018214 || [OSSEC] Level 5 - Security Enabled Universal Group Member Added (msauth_rules.xml:windows) 6018215 || [OSSEC] Level 5 - Security Enabled Universal Group Member Removed (msauth_rules.xml:windows) 6018216 || [OSSEC] Level 5 - Security Enabled Universal Group Deleted (msauth_rules.xml:windows) 6018217 || [OSSEC] Level 12 - Administrators Group Changed (msauth_rules.xml:windows) 6018218 || [OSSEC] Level 5 - Everyone Group Changed (msauth_rules.xml:windows) 6018219 || [OSSEC] Level 12 - Enterprise Domain Controllers Group Changed (msauth_rules.xml:windows) 6018220 || [OSSEC] Level 5 - Authenticated Users Group Changed (msauth_rules.xml:windows) 
6018221 || [OSSEC] Level 5 - Terminal Server Users Group Changed (msauth_rules.xml:windows) 6018222 || [OSSEC] Level 12 - Domain Admins Group Changed (msauth_rules.xml:windows) 6018223 || [OSSEC] Level 5 - Domain Users Group Changed (msauth_rules.xml:windows) 6018225 || [OSSEC] Level 12 - Domain Guests Group Changed (msauth_rules.xml:windows) 6018226 || [OSSEC] Level 5 - Domain Computers Group Changed (msauth_rules.xml:windows) 6018227 || [OSSEC] Level 12 - Domain Controllers Group Changed (msauth_rules.xml:windows) 6018228 || [OSSEC] Level 10 - Cert Publishers Group Changed (msauth_rules.xml:windows) 6018229 || [OSSEC] Level 12 - Schema Admins Group Changed (msauth_rules.xml:windows) 6018230 || [OSSEC] Level 12 - Enterprise Admins Group Changed (msauth_rules.xml:windows) 6018231 || [OSSEC] Level 10 - Group Policy Creator Owners Group Changed (msauth_rules.xml:windows) 6018232 || [OSSEC] Level 10 - RAS and IAS Servers Group Changed (msauth_rules.xml:windows) 6018233 || [OSSEC] Level 5 - Users Group Changed (msauth_rules.xml:windows) 6018234 || [OSSEC] Level 12 - Guests Group Changed (msauth_rules.xml:windows) 6018235 || [OSSEC] Level 10 - Power Users Group Changed (msauth_rules.xml:windows) 6018236 || [OSSEC] Level 10 - Account Operators Group Changed (msauth_rules.xml:windows) 6018237 || [OSSEC] Level 10 - Server Operators Group Changed (msauth_rules.xml:windows) 6018238 || [OSSEC] Level 8 - Print Operators Group Changed (msauth_rules.xml:windows) 6018239 || [OSSEC] Level 12 - Backup Operators Group Changed (msauth_rules.xml:windows) 6018240 || [OSSEC] Level 10 - Replicators Group Changed (msauth_rules.xml:windows) 6018241 || [OSSEC] Level 8 - Pre-Windows 2000 Compatible Access Group Changed (msauth_rules.xml:windows) 6018242 || [OSSEC] Level 10 - Remote Desktop Users Group Changed (msauth_rules.xml:windows) 6018243 || [OSSEC] Level 10 - Network Configuration Operators Group Changed (msauth_rules.xml:windows) 6018244 || [OSSEC] Level 10 - Incoming Forest Trust 
Builders Group Changed (msauth_rules.xml:windows) 6018245 || [OSSEC] Level 8 - Performance Monitor Users Group Changed (msauth_rules.xml:windows) 6018246 || [OSSEC] Level 8 - Performance Log Users Group Changed (msauth_rules.xml:windows) 6018247 || [OSSEC] Level 8 - Windows Authorization Access Group Changed (msauth_rules.xml:windows) 6018248 || [OSSEC] Level 8 - Terminal Server License Servers Group Changed (msauth_rules.xml:windows) 6018249 || [OSSEC] Level 8 - Distributed COM Users Group Changed (msauth_rules.xml:windows) 6018250 || [OSSEC] Level 12 - Enterprise Read-only Domain Controllers Group Changed (msauth_rules.xml:windows) 6018251 || [OSSEC] Level 12 - Read-only Domain Controllers Group Changed (msauth_rules.xml:windows) 6018252 || [OSSEC] Level 12 - Cryptographic Operators Group Changed (msauth_rules.xml:windows) 6018253 || [OSSEC] Level 10 - Allowed RODC Password Replication Group Changed (msauth_rules.xml:windows) 6018254 || [OSSEC] Level 10 - Denied RODC Password Replication Group Changed (msauth_rules.xml:windows) 6018255 || [OSSEC] Level 10 - Event Log Readers Group Changed (msauth_rules.xml:windows) 6018256 || [OSSEC] Level 10 - Certificate Service DCOM Access Group Changed (msauth_rules.xml:windows) 6019102 || [OSSEC] Level 8 - VMware ESX critical message. (vmware_rules.xml:vmware) 6019111 || [OSSEC] Level 5 - VMWare ESX authentication failure. (vmware_rules.xml:vmware) 6019120 || [OSSEC] Level 8 - Virtual machine state changed to OFF. (vmware_rules.xml:vmware) 6019123 || [OSSEC] Level 5 - Virtual machine being reconfigured. (vmware_rules.xml:vmware) 6019150 || [OSSEC] Level 10 - Multiple VMWare ESX warning messages. (vmware_rules.xml:vmware) 6019151 || [OSSEC] Level 10 - Multiple VMWare ESX error messages. (vmware_rules.xml:vmware) 6019152 || [OSSEC] Level 10 - Multiple VMWare ESX authentication failures. (vmware_rules.xml:vmware) 6019153 || [OSSEC] Level 10 - Multiple VMWare ESX user authentication failures. 
(vmware_rules.xml:vmware) 6020100 || [OSSEC] Level 8 - First time this IDS alert is generated. (ids_rules.xml:ids) 6020101 || [OSSEC] Level 6 - IDS event. (ids_rules.xml:ids) 6020151 || [OSSEC] Level 10 - Multiple IDS events from same source ip. (ids_rules.xml:ids) 6020152 || [OSSEC] Level 10 - Multiple IDS alerts for same id. (ids_rules.xml:ids) 6020161 || [OSSEC] Level 11 - Multiple IDS events from same source ip (ignoring now this srcip and id). (ids_rules.xml:ids) 6020162 || [OSSEC] Level 11 - Multiple IDS alerts for same id (ignoring now this id). (ids_rules.xml:ids) 6030104 || [OSSEC] Level 12 - Apache segmentation fault. (apache_rules.xml:apache) 6030105 || [OSSEC] Level 5 - Attempt to access forbidden file or directory. (apache_rules.xml:apache) 6030106 || [OSSEC] Level 5 - Attempt to access forbidden directory index. (apache_rules.xml:apache) 6030107 || [OSSEC] Level 6 - Code Red attack. (apache_rules.xml:apache) 6030108 || [OSSEC] Level 5 - User authentication failed. (apache_rules.xml:apache) 6030109 || [OSSEC] Level 9 - Attempt to login using a non-existent user. (apache_rules.xml:apache) 6030110 || [OSSEC] Level 5 - User authentication failed. (apache_rules.xml:apache) 6030115 || [OSSEC] Level 5 - Invalid URI (bad client request). (apache_rules.xml:apache) 6030116 || [OSSEC] Level 10 - Multiple Invalid URI requests from same source. (apache_rules.xml:apache) 6030117 || [OSSEC] Level 10 - Invalid URI, file name too long. (apache_rules.xml:apache) 6030118 || [OSSEC] Level 6 - Access attempt blocked by Mod Security. (apache_rules.xml:apache) 6030119 || [OSSEC] Level 12 - Multiple attempts blocked by Mod Security. (apache_rules.xml:apache) 6030120 || [OSSEC] Level 12 - Apache without resources to run. (apache_rules.xml:apache) 6030200 || [OSSEC] Level 6 - Modsecurity alert. (apache_rules.xml:apache) 6030201 || [OSSEC] Level 6 - Modsecurity access denied. (apache_rules.xml:apache) 6030202 || [OSSEC] Level 10 - Multiple attempts blocked by Mod Security. 
(apache_rules.xml:apache) 6031101 || [OSSEC] Level 5 - Web server 400 error code. (web_rules.xml:web,accesslog) 6031103 || [OSSEC] Level 6 - SQL injection attempt. (web_rules.xml:web,accesslog) 6031104 || [OSSEC] Level 6 - Common web attack. (web_rules.xml:web,accesslog) 6031105 || [OSSEC] Level 6 - XSS (Cross Site Scripting) attempt. (web_rules.xml:web,accesslog) 6031106 || [OSSEC] Level 6 - A web attack returned code 200 (success). (web_rules.xml:web,accesslog) 6031115 || [OSSEC] Level 13 - URL too long. Higher than allowed on most browsers. Possible attack. (web_rules.xml:web,accesslog) 6031120 || [OSSEC] Level 5 - Web server 500 error code (server error). (web_rules.xml:web,accesslog) 6031122 || [OSSEC] Level 5 - Web server 500 error code (Internal Error). (web_rules.xml:web,accesslog) 6031151 || [OSSEC] Level 10 - Multiple web server 400 error codes from same source ip. (web_rules.xml:web,accesslog) 6031152 || [OSSEC] Level 10 - Multiple SQL injection attempts from same source ip. (web_rules.xml:web,accesslog) 6031153 || [OSSEC] Level 10 - Multiple common web attacks from same source ip. (web_rules.xml:web,accesslog) 6031154 || [OSSEC] Level 10 - Multiple XSS (Cross Site Scripting) attempts from same source ip. (web_rules.xml:web,accesslog) 6031161 || [OSSEC] Level 10 - Multiple web server 501 error code (Not Implemented). (web_rules.xml:web,accesslog) 6031162 || [OSSEC] Level 10 - Multiple web server 500 error code (Internal Error). (web_rules.xml:web,accesslog) 6031163 || [OSSEC] Level 10 - Multiple web server 503 error code (Service unavailable). (web_rules.xml:web,accesslog) 6031203 || [OSSEC] Level 9 - Zeus serious log. (zeus_rules.xml:zeus) 6031204 || [OSSEC] Level 12 - Zeus fatal log. (zeus_rules.xml:zeus) 6031205 || [OSSEC] Level 8 - Admin authentication failed. (zeus_rules.xml:zeus) 6031251 || [OSSEC] Level 10 - Multiple Zeus warnings. (zeus_rules.xml:zeus) 6031303 || [OSSEC] Level 5 - Nginx critical message. 
(nginx_rules.xml:apache) 6031315 || [OSSEC] Level 5 - Web authentication failed. (nginx_rules.xml:apache) 6031316 || [OSSEC] Level 10 - Multiple web authentication failures. (nginx_rules.xml:apache) 6031320 || [OSSEC] Level 10 - Invalid URI, file name too long. (nginx_rules.xml:apache) 6031411 || [OSSEC] Level 6 - PHP web attack. (php_rules.xml:apache) 6031412 || [OSSEC] Level 5 - PHP internal error (missing file). (php_rules.xml:apache) 6031420 || [OSSEC] Level 5 - PHP Fatal error. (php_rules.xml:apache) 6031421 || [OSSEC] Level 5 - PHP internal error (missing file or function). (php_rules.xml:apache) 6031430 || [OSSEC] Level 5 - PHP Parse error. (php_rules.xml:apache) 6035003 || [OSSEC] Level 5 - Bad request/Invalid syntax. (squid_rules.xml:squid) 6035004 || [OSSEC] Level 5 - Unauthorized: Failed attempt to access authorization-required file or directory. (squid_rules.xml:squid) 6035005 || [OSSEC] Level 5 - Forbidden: Attempt to access forbidden file or directory. (squid_rules.xml:squid) 6035006 || [OSSEC] Level 5 - Not Found: Attempt to access non-existent file or directory. (squid_rules.xml:squid) 6035007 || [OSSEC] Level 5 - Proxy Authentication Required: User is not authorized to use proxy. (squid_rules.xml:squid) 6035008 || [OSSEC] Level 5 - Squid 400 error code (request failed). (squid_rules.xml:squid) 6035009 || [OSSEC] Level 5 - Squid 500/600 error code (server error). (squid_rules.xml:squid) 6035021 || [OSSEC] Level 6 - Attempt to access a Beagle worm (or variant) file. (squid_rules.xml:squid) 6035022 || [OSSEC] Level 6 - Attempt to access a worm/trojan related site. (squid_rules.xml:squid) 6035051 || [OSSEC] Level 10 - Multiple attempts to access forbidden file or directory from same source ip. (squid_rules.xml:squid) 6035052 || [OSSEC] Level 10 - Multiple unauthorized attempts to use proxy. (squid_rules.xml:squid) 6035053 || [OSSEC] Level 10 - Multiple Bad requests/Invalid syntax. 
(squid_rules.xml:squid) 6035054 || [OSSEC] Level 12 - Infected machine with W32.Beagle.DP. (squid_rules.xml:squid) 6035055 || [OSSEC] Level 10 - Multiple attempts to access a non-existent file. (squid_rules.xml:squid) 6035056 || [OSSEC] Level 12 - Multiple attempts to access a worm/trojan/virus related web site. System probably infected. (squid_rules.xml:squid) 6035057 || [OSSEC] Level 10 - Multiple 400 error codes (requests failed). (squid_rules.xml:squid) 6035058 || [OSSEC] Level 10 - Multiple 500/600 error codes (server error). (squid_rules.xml:squid) 6040101 || [OSSEC] Level 12 - System user successfully logged to the system. (attack_rules.xml:syslog,attacks) 6040102 || [OSSEC] Level 14 - Buffer overflow attack on rpc.statd (attack_rules.xml:syslog,attacks) 6040103 || [OSSEC] Level 14 - Buffer overflow on WU-FTPD versions prior to 2.6 (attack_rules.xml:syslog,attacks) 6040104 || [OSSEC] Level 13 - Possible buffer overflow attempt. (attack_rules.xml:syslog,attacks) 6040105 || [OSSEC] Level 12 - "Null" user changed some information. (attack_rules.xml:syslog,attacks) 6040106 || [OSSEC] Level 12 - Buffer overflow attempt (probably on yppasswd). (attack_rules.xml:syslog,attacks) 6040107 || [OSSEC] Level 14 - Heap overflow in the Solaris cachefsd service. (attack_rules.xml:syslog,attacks) 6040109 || [OSSEC] Level 12 - Stack overflow attempt or program exiting with SEGV (Solaris). (attack_rules.xml:syslog,attacks) 6040111 || [OSSEC] Level 10 - Multiple authentication failures. (attack_rules.xml:syslog,attacks) 6040112 || [OSSEC] Level 12 - Multiple authentication failures followed by a success. (attack_rules.xml:syslog,attacks) 6040113 || [OSSEC] Level 12 - Multiple viruses detected - Possible outbreak. (attack_rules.xml:syslog,attacks) 6040501 || [OSSEC] Level 15 - Attacks followed by the addition of an user. (attack_rules.xml:syslog,elevation_of_privilege) 6040601 || [OSSEC] Level 10 - Network scan from same source ip. 
(attack_rules.xml:syslog,recon) 6050106 || [OSSEC] Level 9 - Database authentication failure. (mysql_rules.xml:mysql_log) 6050120 || [OSSEC] Level 12 - Database shutdown message. (mysql_rules.xml:mysql_log) 6050125 || [OSSEC] Level 5 - Database error. (mysql_rules.xml:mysql_log) 6050126 || [OSSEC] Level 12 - Database fatal error. (mysql_rules.xml:mysql_log) 6050180 || [OSSEC] Level 10 - Multiple database errors. (mysql_rules.xml:mysql_log) 6050504 || [OSSEC] Level 5 - PostgreSQL error message. (postgresql_rules.xml:postgresql_log) 6050512 || [OSSEC] Level 9 - Database authentication failure. (postgresql_rules.xml:postgresql_log) 6050520 || [OSSEC] Level 12 - Database shutdown message. (postgresql_rules.xml:postgresql_log) 6050521 || [OSSEC] Level 12 - Database shutdown message. (postgresql_rules.xml:postgresql_log) 6050580 || [OSSEC] Level 10 - Multiple database errors. (postgresql_rules.xml:postgresql_log) 6050581 || [OSSEC] Level 10 - Multiple database errors. (postgresql_rules.xml:postgresql_log) 6100000 || [CISCO-SDEE] IPS/IDS License Expiration || url,wiki.quadrantsec.com/bin/view/Main/6100000 6101000 || [CISCO-SDEE] IP options-Bad Option List || url,wiki.quadrantsec.com/bin/view/Main/6101000 6101001 || [CISCO-SDEE] IP options-Record Packet Route || url,wiki.quadrantsec.com/bin/view/Main/6101001 6101002 || [CISCO-SDEE] IP options-Timestamp || url,wiki.quadrantsec.com/bin/view/Main/6101002 6101003 || [CISCO-SDEE] IP options-Provide s,c,h,tcc || url,wiki.quadrantsec.com/bin/view/Main/6101003 6101004 || [CISCO-SDEE] IP options-Loose Source Route || url,wiki.quadrantsec.com/bin/view/Main/6101004 6101005 || [CISCO-SDEE] IP options-SATNET ID || url,wiki.quadrantsec.com/bin/view/Main/6101005 6101006 || [CISCO-SDEE] IP options-Strict Source Route || url,wiki.quadrantsec.com/bin/view/Main/6101006 6101007 || [CISCO-SDEE] IPv6 over IPv4 or IPv6 || url,wiki.quadrantsec.com/bin/view/Main/6101007 6101018 || [CISCO-SDEE] Lurk Malware Communication || 
url,wiki.quadrantsec.com/bin/view/Main/6101018 6101019 || [CISCO-SDEE] XShellC601 Malware Communication || url,wiki.quadrantsec.com/bin/view/Main/6101019 6101020 || [CISCO-SDEE] BB Malware Communication || url,wiki.quadrantsec.com/bin/view/Main/6101020 6101021 || [CISCO-SDEE] Murcy Malware Communication || url,wiki.quadrantsec.com/bin/view/Main/6101021 6101022 || [CISCO-SDEE] QDigit Malware Communication || url,wiki.quadrantsec.com/bin/view/Main/6101022 6101027 || [CISCO-SDEE] Cisco IOS Software Smart Install Denial of Service || url,wiki.quadrantsec.com/bin/view/Main/6101027 6101028 || [CISCO-SDEE] BitDefender Internet Security 2009 XSS || url,wiki.quadrantsec.com/bin/view/Main/6101028 6101029 || [CISCO-SDEE] Novell iManager Off By One Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6101029 6101030 || [CISCO-SDEE] Symantec IM Manager Administrator Console Code Injection || url,wiki.quadrantsec.com/bin/view/Main/6101030 6101032 || [CISCO-SDEE] Microsoft Windows MPEG Layer-3 Audio Decoder Stack Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6101032 6101034 || [CISCO-SDEE] Slowloris Exploit || url,wiki.quadrantsec.com/bin/view/Main/6101034 6101038 || [CISCO-SDEE] Microsoft DNS server Denial of Service Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6101038 6101039 || [CISCO-SDEE] Microsoft Windows Remote Desktop Protocol Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6101039 6101040 || [CISCO-SDEE] DNSChanger Malware || url,wiki.quadrantsec.com/bin/view/Main/6101040 6101044 || [CISCO-SDEE] Metasploit Shellcode Encoder || url,wiki.quadrantsec.com/bin/view/Main/6101044 6101051 || [CISCO-SDEE] Novell GroupWise Internet Agent HTTP Request Remote Code Execution || url,wiki.quadrantsec.com/bin/view/Main/6101051 6101052 || [CISCO-SDEE] Adobe PDF Remote Code Execution || url,wiki.quadrantsec.com/bin/view/Main/6101052 6101055 || [CISCO-SDEE] Cisco WebEx WRF File Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6101055 6101056 || 
[CISCO-SDEE] Corehttp Httpd Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6101056 6101057 || [CISCO-SDEE] Cisco WebEx Player WRF File Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6101057 6101058 || [CISCO-SDEE] Cisco Webex WRF File Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6101058 6101059 || [CISCO-SDEE] IIS Hit-Highlighting Authentication Bypass || url,wiki.quadrantsec.com/bin/view/Main/6101059 6101060 || [CISCO-SDEE] Apache auth_ldap Format String || url,wiki.quadrantsec.com/bin/view/Main/6101060 6101062 || [CISCO-SDEE] Windows Active Directory LDAP Remote Code Execution || url,wiki.quadrantsec.com/bin/view/Main/6101062 6101063 || [CISCO-SDEE] BIND 8 TSIG Remote Code Execution || url,wiki.quadrantsec.com/bin/view/Main/6101063 6101067 || [CISCO-SDEE] CA BrightStor Backup Products Tape Engine Service RPC Request Arbitrary Code Execution Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6101067 6101069 || [CISCO-SDEE] Microsoft Windows PPTP Denial of Service || url,wiki.quadrantsec.com/bin/view/Main/6101069 6101076 || [CISCO-SDEE] IBM Tivoli Directory Server 6.0 Denial Of Service || url,wiki.quadrantsec.com/bin/view/Main/6101076 6101077 || [CISCO-SDEE] PHP File Upload GLOBAL Variable Overwrite || url,wiki.quadrantsec.com/bin/view/Main/6101077 6101079 || [CISCO-SDEE] Helix RTSP SETUP Request Denial Of Service || url,wiki.quadrantsec.com/bin/view/Main/6101079 6101080 || [CISCO-SDEE] IBM Informix Long Username Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6101080 6101081 || [CISCO-SDEE] Libevent DNS Parsing Denial Of Service || url,wiki.quadrantsec.com/bin/view/Main/6101081 6101082 || [CISCO-SDEE] Libevent DNS Parsing Denial Of Service || url,wiki.quadrantsec.com/bin/view/Main/6101082 6101083 || [CISCO-SDEE] Microsoft Plug and Play Overflow || url,wiki.quadrantsec.com/bin/view/Main/6101083 6101085 || [CISCO-SDEE] Cisco IOS HTTP Server Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6101085 6101086 || 
[CISCO-SDEE] Oracle OPMN daemon Format String Denial Of Service || url,wiki.quadrantsec.com/bin/view/Main/6101086 6101088 || [CISCO-SDEE] Oracle XDB FTP Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6101088 6101089 || [CISCO-SDEE] SAP Message Server Group Parameter Remote Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6101089 6101090 || [CISCO-SDEE] NTP MODE_PRIVATE Denial of Service || url,wiki.quadrantsec.com/bin/view/Main/6101090 6101091 || [CISCO-SDEE] OpenSwan and StrongSwan DPD Packet Remote DoS || url,wiki.quadrantsec.com/bin/view/Main/6101091 6101096 || [CISCO-SDEE] Measuresoft ScadaPro Command Injection || url,wiki.quadrantsec.com/bin/view/Main/6101096 6101097 || [CISCO-SDEE] Siemens FactoryLink Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6101097 6101099 || [CISCO-SDEE] Siemens FactoryLink Denial of Service || url,wiki.quadrantsec.com/bin/view/Main/6101099 6101101 || [CISCO-SDEE] Unknown IP Protocol || url,wiki.quadrantsec.com/bin/view/Main/6101101 6101102 || [CISCO-SDEE] Impossible IP Packet || url,wiki.quadrantsec.com/bin/view/Main/6101102 6101104 || [CISCO-SDEE] IP Localhost Source Spoof || url,wiki.quadrantsec.com/bin/view/Main/6101104 6101105 || [CISCO-SDEE] Siemens FactoryLink Denial of Service || url,wiki.quadrantsec.com/bin/view/Main/6101105 6101106 || [CISCO-SDEE] Microsys PROMOTIC ActiveX SaveCfg AddTrend Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6101106 6101107 || [CISCO-SDEE] RFC 1918 Addresses Seen || url,wiki.quadrantsec.com/bin/view/Main/6101107 6101108 || [CISCO-SDEE] IP Packet with Proto 11 || url,wiki.quadrantsec.com/bin/view/Main/6101108 6101109 || [CISCO-SDEE] Cisco IOS Interface DoS || url,wiki.quadrantsec.com/bin/view/Main/6101109 6101121 || [CISCO-SDEE] Siemens FactoryLink Arbitrary Files Access and Denial of Service || url,wiki.quadrantsec.com/bin/view/Main/6101121 6101122 || [CISCO-SDEE] OpenOffice Remote Code Execution || url,wiki.quadrantsec.com/bin/view/Main/6101122 6101124 || 
[CISCO-SDEE] Microsoft RPC DCOM ISystemActivator Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6101124 6101126 || [CISCO-SDEE] WellinTech Kingview Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6101126 6101127 || [CISCO-SDEE] Cisco IOS ISAKMP Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6101127 6101128 || [CISCO-SDEE] Microsoft RRAS Service Overflow || url,wiki.quadrantsec.com/bin/view/Main/6101128 6101129 || [CISCO-SDEE] Microsoft Internet Explorer VML Remote Code Execution || url,wiki.quadrantsec.com/bin/view/Main/6101129 6101130 || [CISCO-SDEE] Microsoft Windows Malicious Signed Portable Executable File || url,wiki.quadrantsec.com/bin/view/Main/6101130 6101131 || [CISCO-SDEE] Microsoft MSCOMCTL ActiveX Control Remote Code Execution Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6101131 6101132 || [CISCO-SDEE] Microsoft IE OnReadyStateChange Remote Code Execution || url,wiki.quadrantsec.com/bin/view/Main/6101132 6101134 || [CISCO-SDEE] Microsoft IE SelectAll Remote Code Execution || url,wiki.quadrantsec.com/bin/view/Main/6101134 6101135 || [CISCO-SDEE] Microsoft .NET Framework Parameter Validation Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6101135 6101136 || [CISCO-SDEE] Microsoft Works Remote Code Execution || url,wiki.quadrantsec.com/bin/view/Main/6101136 6101137 || [CISCO-SDEE] Microsoft Livemesh Application || url,wiki.quadrantsec.com/bin/view/Main/6101137 6101138 || [CISCO-SDEE] Microsoft Internet Explorer VML Use After Free || url,wiki.quadrantsec.com/bin/view/Main/6101138 6101140 || [CISCO-SDEE] Samba Marshalling Code Remote Code Execution Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6101140 6101142 || [CISCO-SDEE] Javascript Obfuscation Code Fragment || url,wiki.quadrantsec.com/bin/view/Main/6101142 6101143 || [CISCO-SDEE] DirectX NULL Byte Overwrite Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6101143 6101144 || [CISCO-SDEE] Microsoft Office Publisher 2007 Remote Code Execution 
|| url,wiki.quadrantsec.com/bin/view/Main/6101144 6101152 || [CISCO-SDEE] Microsoft Office PowerPoint Remote Code Execution Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6101152 6101155 || [CISCO-SDEE] Microsoft Excel 2003 Denial of Service Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6101155 6101157 || [CISCO-SDEE] Microsoft Outlook Remote Code Execution || url,wiki.quadrantsec.com/bin/view/Main/6101157 6101166 || [CISCO-SDEE] Apache 2.0 Encoded Backslash Directory Traversal Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6101166 6101169 || [CISCO-SDEE] Generic Alphanumeric Generated Email Address || url,wiki.quadrantsec.com/bin/view/Main/6101169 6101173 || [CISCO-SDEE] Metasploit Shellcode Encoder || url,wiki.quadrantsec.com/bin/view/Main/6101173 6101182 || [CISCO-SDEE] Visio Viewer Remote Code Execution || url,wiki.quadrantsec.com/bin/view/Main/6101182 6101183 || [CISCO-SDEE] Microsoft Word RTF Heap Overrun || url,wiki.quadrantsec.com/bin/view/Main/6101183 6101184 || [CISCO-SDEE] Adobe Acrobat Reader Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6101184 6101185 || [CISCO-SDEE] Microsoft .NET Framework Serialization Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6101185 6101186 || [CISCO-SDEE] Microsoft Excel Memory Corruption || url,wiki.quadrantsec.com/bin/view/Main/6101186 6101187 || [CISCO-SDEE] Microsoft GDI Plus Heap Overflow Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6101187 6101188 || [CISCO-SDEE] Microsoft .NET Framework Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6101188 6101189 || [CISCO-SDEE] Microsoft Excel MergeCells Record Heap Overflow || url,wiki.quadrantsec.com/bin/view/Main/6101189 6101190 || [CISCO-SDEE] Flash Player newfunction Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6101190 6101191 || [CISCO-SDEE] Excel Memory Corruption Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6101191 6101192 || [CISCO-SDEE] Microsoft Excel Remote Code Execution || 
url,wiki.quadrantsec.com/bin/view/Main/6101192 6101193 || [CISCO-SDEE] Microsoft .NET Remote Code Execution || url,wiki.quadrantsec.com/bin/view/Main/6101193 6101194 || [CISCO-SDEE] Microsoft GDI Remote Code Execution Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6101194 6101195 || [CISCO-SDEE] Microsoft TrueType Font Parsing Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6101195 6101196 || [CISCO-SDEE] Microsoft Excel File Format Memory Corruption Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6101196 6101197 || [CISCO-SDEE] Microsoft Excel File Format Memory Corruption Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6101197 6101200 || [CISCO-SDEE] IP Fragmentation Buffer Full || url,wiki.quadrantsec.com/bin/view/Main/6101200 6101201 || [CISCO-SDEE] IP Fragment Overlap || url,wiki.quadrantsec.com/bin/view/Main/6101201 6101202 || [CISCO-SDEE] IP Fragment Overrun - Datagram Too Long || url,wiki.quadrantsec.com/bin/view/Main/6101202 6101203 || [CISCO-SDEE] IP Fragment Overwrite - Data is Overwritten || url,wiki.quadrantsec.com/bin/view/Main/6101203 6101204 || [CISCO-SDEE] IP Fragment Missing Initial Fragment || url,wiki.quadrantsec.com/bin/view/Main/6101204 6101205 || [CISCO-SDEE] IP Fragment Too Many Datagrams || url,wiki.quadrantsec.com/bin/view/Main/6101205 6101206 || [CISCO-SDEE] IP Fragment Too Small || url,wiki.quadrantsec.com/bin/view/Main/6101206 6101207 || [CISCO-SDEE] IP Fragment Too Many Fragments in a Datagram || url,wiki.quadrantsec.com/bin/view/Main/6101207 6101208 || [CISCO-SDEE] IP Fragment Incomplete Datagram || url,wiki.quadrantsec.com/bin/view/Main/6101208 6101210 || [CISCO-SDEE] Microsoft Windows Object Packager Remote Code Execution Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6101210 6101212 || [CISCO-SDEE] Spyeye Trojan Toolkit || url,wiki.quadrantsec.com/bin/view/Main/6101212 6101213 || [CISCO-SDEE] Microsoft Internet Explorer Deflate Encoding Memory Corruption || 
url,wiki.quadrantsec.com/bin/view/Main/6101213 6101218 || [CISCO-SDEE] Adobe Flash Player MP4 File Memory Corruption || url,wiki.quadrantsec.com/bin/view/Main/6101218 6101220 || [CISCO-SDEE] Jolt2 Fragment Reassembly DoS attack || url,wiki.quadrantsec.com/bin/view/Main/6101220 6101221 || [CISCO-SDEE] Oracle Database Server DBMS_CDC_PUBLISH SQL Injection || url,wiki.quadrantsec.com/bin/view/Main/6101221 6101225 || [CISCO-SDEE] Fragment Flags Invalid || url,wiki.quadrantsec.com/bin/view/Main/6101225 6101250 || [CISCO-SDEE] Packet Bad Length || url,wiki.quadrantsec.com/bin/view/Main/6101250 6101256 || [CISCO-SDEE] Flame Malware || url,wiki.quadrantsec.com/bin/view/Main/6101256 6101258 || [CISCO-SDEE] Microsoft Internet Explorer Remote Code Execution Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6101258 6101261 || [CISCO-SDEE] MS Internet Explorer 9 Use After Free || url,wiki.quadrantsec.com/bin/view/Main/6101261 6101263 || [CISCO-SDEE] Microsoft Unauthorized Digital Certificates || url,wiki.quadrantsec.com/bin/view/Main/6101263 6101265 || [CISCO-SDEE] Microsoft Internet Explorer Memory Leak || url,wiki.quadrantsec.com/bin/view/Main/6101265 6101268 || [CISCO-SDEE] Microsoft Internet Explorer Remote Code Execution || url,wiki.quadrantsec.com/bin/view/Main/6101268 6101270 || [CISCO-SDEE] Microsoft Internet Explorer Title Element Change Remote Code Execution || url,wiki.quadrantsec.com/bin/view/Main/6101270 6101271 || [CISCO-SDEE] Microsoft insertAdjacentText Remote Code Execution || url,wiki.quadrantsec.com/bin/view/Main/6101271 6101272 || [CISCO-SDEE] Microsoft Internet Explorer Developer Toolbar Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6101272 6101273 || [CISCO-SDEE] Microsoft Internet Explorer 8 Memory Corruption Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6101273 6101274 || [CISCO-SDEE] Microsoft .NET Framework Memory Access Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6101274 6101275 || [CISCO-SDEE] Microsoft Dynamics 
AX Enterprise Portal Elevation of Privilege || url,wiki.quadrantsec.com/bin/view/Main/6101275 6101276 || [CISCO-SDEE] Microsoft Internet Explorer OnBeforeDeactivate Event Remote Code Execution || url,wiki.quadrantsec.com/bin/view/Main/6101276 6101277 || [CISCO-SDEE] Microsoft Internet Explorer Remote Code Execution Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6101277 6101279 || [CISCO-SDEE] Microsoft Internet Explorer and Lync HTML Sanitization Cross-Site Scripting || url,wiki.quadrantsec.com/bin/view/Main/6101279 6101281 || [CISCO-SDEE] Microsoft XML Core Services Remote Code Execution || url,wiki.quadrantsec.com/bin/view/Main/6101281 6101283 || [CISCO-SDEE] Cisco WebEx Player WRF File Heap Overflow || url,wiki.quadrantsec.com/bin/view/Main/6101283 6101284 || [CISCO-SDEE] Cisco WebEx Player WRF File Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6101284 6101285 || [CISCO-SDEE] Rockwell ControlLogix Stop Service Code || url,wiki.quadrantsec.com/bin/view/Main/6101285 6101287 || [CISCO-SDEE] Rockwell ControlLogix Reset Service Code || url,wiki.quadrantsec.com/bin/view/Main/6101287 6101288 || [CISCO-SDEE] Cisco TelePresence Recording Server Media Import Command Injection || url,wiki.quadrantsec.com/bin/view/Main/6101288 6101289 || [CISCO-SDEE] Rockwell ControlLogix boot code dump || url,wiki.quadrantsec.com/bin/view/Main/6101289 6101290 || [CISCO-SDEE] Rockwell ControlLogix Denial of Service || url,wiki.quadrantsec.com/bin/view/Main/6101290 6101291 || [CISCO-SDEE] Rockwell ControlLogix Firmware Update || url,wiki.quadrantsec.com/bin/view/Main/6101291 6101292 || [CISCO-SDEE] Rockwell ControlLogix Denial of Service || url,wiki.quadrantsec.com/bin/view/Main/6101292 6101293 || [CISCO-SDEE] Rockwell ControlLogix Denial of Service || url,wiki.quadrantsec.com/bin/view/Main/6101293 6101295 || [CISCO-SDEE] Novell Groupwise Messenger Server Information Leakage || url,wiki.quadrantsec.com/bin/view/Main/6101295 6101296 || [CISCO-SDEE] Cisco Webex WRF JPEG 
DHT Chunk Stack Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6101296 6101298 || [CISCO-SDEE] SNMP Enumeration Information Disclosure || url,wiki.quadrantsec.com/bin/view/Main/6101298 6101300 || [CISCO-SDEE] TCP Segment Overwrite || url,wiki.quadrantsec.com/bin/view/Main/6101300 6101301 || [CISCO-SDEE] TCP Session Inactivity Timeout || url,wiki.quadrantsec.com/bin/view/Main/6101301 6101302 || [CISCO-SDEE] TCP Session Embryonic Timeout || url,wiki.quadrantsec.com/bin/view/Main/6101302 6101303 || [CISCO-SDEE] TCP Session Closing Timeout || url,wiki.quadrantsec.com/bin/view/Main/6101303 6101304 || [CISCO-SDEE] TCP Session Packet Queue Overflow || url,wiki.quadrantsec.com/bin/view/Main/6101304 6101305 || [CISCO-SDEE] TCP URG flag set || url,wiki.quadrantsec.com/bin/view/Main/6101305 6101306 || [CISCO-SDEE] TCP Option Other || url,wiki.quadrantsec.com/bin/view/Main/6101306 6101307 || [CISCO-SDEE] TCP Window Variation || url,wiki.quadrantsec.com/bin/view/Main/6101307 6101308 || [CISCO-SDEE] TTL evasion || url,wiki.quadrantsec.com/bin/view/Main/6101308 6101309 || [CISCO-SDEE] TCP Reserved flags set || url,wiki.quadrantsec.com/bin/view/Main/6101309 6101310 || [CISCO-SDEE] TCP Retransmit Data Different || url,wiki.quadrantsec.com/bin/view/Main/6101310 6101311 || [CISCO-SDEE] TCP Packet Exceeds MSS || url,wiki.quadrantsec.com/bin/view/Main/6101311 6101312 || [CISCO-SDEE] TCP MSS below minimum || url,wiki.quadrantsec.com/bin/view/Main/6101312 6101313 || [CISCO-SDEE] TCP MSS exceeds maximum || url,wiki.quadrantsec.com/bin/view/Main/6101313 6101314 || [CISCO-SDEE] TCP SYN Packet With Data || url,wiki.quadrantsec.com/bin/view/Main/6101314 6101315 || [CISCO-SDEE] ACK w/o TCP Stream || url,wiki.quadrantsec.com/bin/view/Main/6101315 6101316 || [CISCO-SDEE] FIN or RST w/o TCP Stream || url,wiki.quadrantsec.com/bin/view/Main/6101316 6101317 || [CISCO-SDEE] Zero Window Probe || url,wiki.quadrantsec.com/bin/view/Main/6101317 6101326 || [CISCO-SDEE] Microsoft SharePoint 
Reflected List Parameter Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6101326 6101328 || [CISCO-SDEE] Microsoft IIS Stack Exhaustion DoS || url,wiki.quadrantsec.com/bin/view/Main/6101328 6101329 || [CISCO-SDEE] Microsoft Internet Explorer 9 Cached Object Remote Code Execution || url,wiki.quadrantsec.com/bin/view/Main/6101329 6101330 || [CISCO-SDEE] TCP Drop - Bad Checksum || url,wiki.quadrantsec.com/bin/view/Main/6101330 6101331 || [CISCO-SDEE] Microsoft Internet Explorer Remote Code Execution || url,wiki.quadrantsec.com/bin/view/Main/6101331 6101333 || [CISCO-SDEE] Microsoft Windows Registered Application Handler Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6101333 6101334 || [CISCO-SDEE] Microsoft Windows ADO Heap Overflow || url,wiki.quadrantsec.com/bin/view/Main/6101334 6101335 || [CISCO-SDEE] Microsoft Sharepoint Cross Site Scripting Attack || url,wiki.quadrantsec.com/bin/view/Main/6101335 6101338 || [CISCO-SDEE] Cisco Telepresence Command Injection Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6101338 6101341 || [CISCO-SDEE] Joomla 1.5.12 TinyBrowser File Upload Code Execution || url,wiki.quadrantsec.com/bin/view/Main/6101341 6101343 || [CISCO-SDEE] Cisco Common Services Framework Help Servlet XSS Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6101343 6101346 || [CISCO-SDEE] Cisco IOS BGP Malformed Attribute Denial of Service || url,wiki.quadrantsec.com/bin/view/Main/6101346 6101347 || [CISCO-SDEE] Skype Call Activity || url,wiki.quadrantsec.com/bin/view/Main/6101347 6101349 || [CISCO-SDEE] Javascript Trojan Iframe.F || url,wiki.quadrantsec.com/bin/view/Main/6101349 6101350 || [CISCO-SDEE] Microsoft Visio Viewer Code Execution Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6101350 6101353 || [CISCO-SDEE] Symantec Web Gateway Remote Command Execution || url,wiki.quadrantsec.com/bin/view/Main/6101353 6101356 || [CISCO-SDEE] Adobe Flash Player URL Security Domain Checking Vulnerability || 
url,wiki.quadrantsec.com/bin/view/Main/6101356 6101358 || [CISCO-SDEE] Adobe Shockwave Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6101358 6101360 || [CISCO-SDEE] IBM Lotus Domino Server Controller Authentication Bypass || url,wiki.quadrantsec.com/bin/view/Main/6101360 6101364 || [CISCO-SDEE] Microsoft Remote Administration Protocol Read Access Violation Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6101364 6101366 || [CISCO-SDEE] Oracle WebCenter ActiveX Control File Creation Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6101366 6101367 || [CISCO-SDEE] Microsoft Internet Explorer Remote Code Execution || url,wiki.quadrantsec.com/bin/view/Main/6101367 6101369 || [CISCO-SDEE] Apple Quicktime JPEG2000 Integer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6101369 6101370 || [CISCO-SDEE] FFmpeg 4xm Null Pointer Memory Corruption || url,wiki.quadrantsec.com/bin/view/Main/6101370 6101371 || [CISCO-SDEE] Microsoft Internet Explorer Integer Overflow Remote Code Execution || url,wiki.quadrantsec.com/bin/view/Main/6101371 6101372 || [CISCO-SDEE] Microsoft Internet Explorer Asynchronous NULL Object Access Remote Code Execution || url,wiki.quadrantsec.com/bin/view/Main/6101372 6101373 || [CISCO-SDEE] Adobe Flash Player MP4 File Memory Corruption Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6101373 6101374 || [CISCO-SDEE] Trend Micro ServerProtect EarthAgent RPC Buffer Overflow Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6101374 6101376 || [CISCO-SDEE] Apple Safari WebKit Memory Corruption Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6101376 6101377 || [CISCO-SDEE] Google Chrome and Apple Safari Use After Free Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6101377 6101378 || [CISCO-SDEE] Microsoft Visio Memory Corruption || url,wiki.quadrantsec.com/bin/view/Main/6101378 6101379 || [CISCO-SDEE] Microsoft Windows Remote Desktop Protocol Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6101379 
6101380 || [CISCO-SDEE] MSCOMCTL ActiveX Control Remote Code Execution Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6101380 6101381 || [CISCO-SDEE] Microsoft Networking Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6101381 6101382 || [CISCO-SDEE] Microsoft Windows Print Spooler Service Format String Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6101382 6101384 || [CISCO-SDEE] Microsoft Remote Administration Protocol Heap Overflow || url,wiki.quadrantsec.com/bin/view/Main/6101384 6101385 || [CISCO-SDEE] Microsoft Windows IE Layout Memory Corruption || url,wiki.quadrantsec.com/bin/view/Main/6101385 6101386 || [CISCO-SDEE] Adobe Acrobat Reader Stack Buffer Overflow Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6101386 6101387 || [CISCO-SDEE] Adobe Flash Player Arbitrary Code Execution || url,wiki.quadrantsec.com/bin/view/Main/6101387 6101388 || [CISCO-SDEE] OpenSSL CMS Structure OriginatorInfo Memory Corruption || url,wiki.quadrantsec.com/bin/view/Main/6101388 6101389 || [CISCO-SDEE] HP Database Archiving Software GIOP Parsing Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6101389 6101393 || [CISCO-SDEE] Adobe Acrobat Denial of Service || url,wiki.quadrantsec.com/bin/view/Main/6101393 6101394 || [CISCO-SDEE] Cisco Linksys PlayerPT ActiveX Control Stack Overflow || url,wiki.quadrantsec.com/bin/view/Main/6101394 6101395 || [CISCO-SDEE] Adobe Flash Player MP4 Sequence Parameter Set Parsing Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6101395 6101396 || [CISCO-SDEE] Microsoft Visual Studio Cross Site Scripting (XSS) Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6101396 6101397 || [CISCO-SDEE] Mozilla Firefox Array.reduceRight Integer Overflow Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6101397 6101398 || [CISCO-SDEE] Microsoft Outlook Web Access Cross Site Request Forgery Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6101398 6101399 || [CISCO-SDEE] CA Total Defense Suite 
Information Disclosure Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6101399 6101400 || [CISCO-SDEE] GRE Over IPv6 Encapsulation || url,wiki.quadrantsec.com/bin/view/Main/6101400 6101401 || [CISCO-SDEE] IPIP Encapsulation || url,wiki.quadrantsec.com/bin/view/Main/6101401 6101402 || [CISCO-SDEE] MPLS Over IPv6 Encapsulation || url,wiki.quadrantsec.com/bin/view/Main/6101402 6101403 || [CISCO-SDEE] IPv4 Over IPv6 Encapsulation || url,wiki.quadrantsec.com/bin/view/Main/6101403 6101404 || [CISCO-SDEE] Adobe Shockwave PAMI Chunk Remote Code Execution || url,wiki.quadrantsec.com/bin/view/Main/6101404 6101405 || [CISCO-SDEE] Teredo Destination IP Address || url,wiki.quadrantsec.com/bin/view/Main/6101405 6101406 || [CISCO-SDEE] Teredo Source Port || url,wiki.quadrantsec.com/bin/view/Main/6101406 6101407 || [CISCO-SDEE] Teredo Destination Port || url,wiki.quadrantsec.com/bin/view/Main/6101407 6101408 || [CISCO-SDEE] Teredo Data Packet || url,wiki.quadrantsec.com/bin/view/Main/6101408 6101409 || [CISCO-SDEE] GRE Tunnel Detected || url,wiki.quadrantsec.com/bin/view/Main/6101409 6101410 || [CISCO-SDEE] IPv6 Over MPLS Tunnel || url,wiki.quadrantsec.com/bin/view/Main/6101410 6101414 || [CISCO-SDEE] Advanced DNP3 - Unsolicited Response Storm || url,wiki.quadrantsec.com/bin/view/Main/6101414 6101415 || [CISCO-SDEE] Advanced DNP3 - Non-DNP3 Communication on a DNP3 Port || url,wiki.quadrantsec.com/bin/view/Main/6101415 6101417 || [CISCO-SDEE] Advanced DNP3 - Last Received Was A Broadcast Message || url,wiki.quadrantsec.com/bin/view/Main/6101417 6101421 || [CISCO-SDEE] Java 7 Applet Remote Code Execution Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6101421 6101422 || [CISCO-SDEE] Advanced DNP3 - Time Synchronization Required || url,wiki.quadrantsec.com/bin/view/Main/6101422 6101423 || [CISCO-SDEE] Advanced DNP3 - Device Under Local Control || url,wiki.quadrantsec.com/bin/view/Main/6101423 6101424 || [CISCO-SDEE] Advanced DNP3 - Device In Trouble || 
url,wiki.quadrantsec.com/bin/view/Main/6101424 6101425 || [CISCO-SDEE] Advanced DNP3 - Attempt To Use Unsupported Function Code || url,wiki.quadrantsec.com/bin/view/Main/6101425 6101426 || [CISCO-SDEE] Advanced DNP3 - Request Object Unknown Or Errors In Application Data || url,wiki.quadrantsec.com/bin/view/Main/6101426 6101427 || [CISCO-SDEE] Advanced DNP3 - Parameters Out Of Range || url,wiki.quadrantsec.com/bin/view/Main/6101427 6101428 || [CISCO-SDEE] Advanced DNP3 - Event Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6101428 6101429 || [CISCO-SDEE] Advanced DNP3 - Already Executing Request || url,wiki.quadrantsec.com/bin/view/Main/6101429 6101430 || [CISCO-SDEE] Advanced DNP3 - Corrupt Configuration Error || url,wiki.quadrantsec.com/bin/view/Main/6101430 6101431 || [CISCO-SDEE] Advanced DNP3 - Invalid Reserved IIN Flags Set || url,wiki.quadrantsec.com/bin/view/Main/6101431 6101432 || [CISCO-SDEE] Advanced DNP3 - Active Configuration || url,wiki.quadrantsec.com/bin/view/Main/6101432 6101433 || [CISCO-SDEE] Advanced DNP3 - Authentication Request || url,wiki.quadrantsec.com/bin/view/Main/6101433 6101434 || [CISCO-SDEE] Advanced DNP3 - Authentication Reply || url,wiki.quadrantsec.com/bin/view/Main/6101434 6101435 || [CISCO-SDEE] Advanced DNP3 - Authentication Error || url,wiki.quadrantsec.com/bin/view/Main/6101435 6101436 || [CISCO-SDEE] Advanced DNP3 - Authentication Response Or Authentication Challenge || url,wiki.quadrantsec.com/bin/view/Main/6101436 6101437 || [CISCO-SDEE] Advanced DNP3 - Unsolicited Authentication Challenge || url,wiki.quadrantsec.com/bin/view/Main/6101437 6101438 || [CISCO-SDEE] Advanced DNP3 - Unsolicited Authentication Response Storm || url,wiki.quadrantsec.com/bin/view/Main/6101438 6101439 || [CISCO-SDEE] Advanced DNP3 - Device Restarted || url,wiki.quadrantsec.com/bin/view/Main/6101439 6101441 || [CISCO-SDEE] Shamoon Malware Activity || url,wiki.quadrantsec.com/bin/view/Main/6101441 6101442 || [CISCO-SDEE] Microsoft Visual 
Studio Team Web Access XSS Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6101442 6101444 || [CISCO-SDEE] Microsoft System Center Configuration Manager Reflected XSS || url,wiki.quadrantsec.com/bin/view/Main/6101444 6101445 || [CISCO-SDEE] Adobe Reader Memory Corruption || url,wiki.quadrantsec.com/bin/view/Main/6101445 6101446 || [CISCO-SDEE] BaoFeng Storm ActiveX Control Buffer Overflow Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6101446 6101447 || [CISCO-SDEE] Ganglia Stack Buffer Overflow Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6101447 6101451 || [CISCO-SDEE] Cisco WebEx Player Player Heap Buffer Overflow Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6101451 6101455 || [CISCO-SDEE] Adobe Reader Memory Corruption Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6101455 6101459 || [CISCO-SDEE] Oracle Fusion Middleware Outside In Excel File Parsing Integer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6101459 6101460 || [CISCO-SDEE] OpenLDAP Modrdn Memory Corruption Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6101460 6101461 || [CISCO-SDEE] DATAC Control RealWin SCADA Server Buffer Overflow Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6101461 6101462 || [CISCO-SDEE] RealNetworks Helix Universal Server Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6101462 6101464 || [CISCO-SDEE] DD-WRT Arbitrary Shell Command Execution Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6101464 6101466 || [CISCO-SDEE] Microsoft Internet Explorer execCommand Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6101466 6101468 || [CISCO-SDEE] EMC NetWorker Format String Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6101468 6101469 || [CISCO-SDEE] Microsoft Office Visio Object Processing Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6101469 6101470 || [CISCO-SDEE] Mozilla Firefox and SeaMonkey Remote Cross-Site Scripting Vulnerability || 
url,wiki.quadrantsec.com/bin/view/Main/6101470 6101471 || [CISCO-SDEE] Oracle GlassFish Server Administration Console Remote Authentication Bypass Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6101471 6101472 || [CISCO-SDEE] Microsoft Windows Embedded OpenType Font Processing Heap Overflow Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6101472 6101474 || [CISCO-SDEE] XDP Encoded PDF File Transfer || url,wiki.quadrantsec.com/bin/view/Main/6101474 6101475 || [CISCO-SDEE] Webex Player Heap Overflow || url,wiki.quadrantsec.com/bin/view/Main/6101475 6101476 || [CISCO-SDEE] Cisco ASA and FWSM DCERPC Inspection DoS || url,wiki.quadrantsec.com/bin/view/Main/6101476 6101478 || [CISCO-SDEE] Cisco ASA PIX Denial of Service || url,wiki.quadrantsec.com/bin/view/Main/6101478 6101480 || [CISCO-SDEE] Microsoft Internet Explorer Use After Free Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6101480 6101481 || [CISCO-SDEE] Microsoft Internet Explorer cloneNode Remote Code Execution || url,wiki.quadrantsec.com/bin/view/Main/6101481 6101482 || [CISCO-SDEE] Microsoft Internet Explorer Document Layout Processing Use-After-Free Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6101482 6101483 || [CISCO-SDEE] Microsoft Internet Explorer 9 Event Listener Remote Code Execution || url,wiki.quadrantsec.com/bin/view/Main/6101483 6101487 || [CISCO-SDEE] Cisco WebEx Recording Format Player Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6101487 6101492 || [CISCO-SDEE] CISCO ASA DCERPC Inspection Denial Of Service || url,wiki.quadrantsec.com/bin/view/Main/6101492 6101493 || [CISCO-SDEE] Distributed Denial of Service on Financial Institutions || url,wiki.quadrantsec.com/bin/view/Main/6101493 6101494 || [CISCO-SDEE] Cisco WebEx Recording Format Player Overflow || url,wiki.quadrantsec.com/bin/view/Main/6101494 6101495 || [CISCO-SDEE] Microsoft Word Remote Code Execution || url,wiki.quadrantsec.com/bin/view/Main/6101495 6101496 || [CISCO-SDEE] Microsoft 
Works 9 Remote Code Execution Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6101496 6101497 || [CISCO-SDEE] Cisco WebEx WRF Player Memory Corruption || url,wiki.quadrantsec.com/bin/view/Main/6101497 6101498 || [CISCO-SDEE] Microsoft SQL Server Report Manager Reflected Cross Site Scripting Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6101498 6101501 || [CISCO-SDEE] Microsoft Word PAPX Section Processing Arbitrary Code Execution Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6101501 6101503 || [CISCO-SDEE] PHP Response-Splitting Protection Bypass || url,wiki.quadrantsec.com/bin/view/Main/6101503 6101504 || [CISCO-SDEE] Cisco WebEx WRF Player Memory Corruption || url,wiki.quadrantsec.com/bin/view/Main/6101504 6101507 || [CISCO-SDEE] RealNetworks Helix Server RTSP SETUP Stack Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6101507 6101508 || [CISCO-SDEE] ImageMagick ResolutionUnit Tag Invalid Validation Denial of Service Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6101508 6101511 || [CISCO-SDEE] Microsoft Office TIFF Image Converter Memory Corruption || url,wiki.quadrantsec.com/bin/view/Main/6101511 6101512 || [CISCO-SDEE] HP Easy Printer Care HPTicketMgr.dll ActiveX Remote Code Execution || url,wiki.quadrantsec.com/bin/view/Main/6101512 6101513 || [CISCO-SDEE] Adobe SWF Remote Code Execution || url,wiki.quadrantsec.com/bin/view/Main/6101513 6101514 || [CISCO-SDEE] Adobe SWF Remote Code Execution || url,wiki.quadrantsec.com/bin/view/Main/6101514 6101520 || [CISCO-SDEE] Modbus TCP - Invalid Function Code Is Used || url,wiki.quadrantsec.com/bin/view/Main/6101520 6101524 || [CISCO-SDEE] Modbus TCP - Reserved Function Code Used || url,wiki.quadrantsec.com/bin/view/Main/6101524 6101528 || [CISCO-SDEE] Adobe SWF Remote Code Execution || url,wiki.quadrantsec.com/bin/view/Main/6101528 6101532 || [CISCO-SDEE] Google Chrome and Apple Safari Use-After-Free Code Execution || url,wiki.quadrantsec.com/bin/view/Main/6101532 6101534 
|| [CISCO-SDEE] EMC NetWorker Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6101534 6101535 || [CISCO-SDEE] Exim Mail Transfer Agent Arbitrary Code Execution Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6101535 6101536 || [CISCO-SDEE] Adobe Acrobat PDF Font Processing Memory Corruption || url,wiki.quadrantsec.com/bin/view/Main/6101536 6101537 || [CISCO-SDEE] Oracle Outside In JPEG 2000 Heap Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6101537 6101538 || [CISCO-SDEE] Cisco Unified MeetingPlace Web Conferencing Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6101538 6101540 || [CISCO-SDEE] Oracle Hyperion Strategic Finance Client Heap Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6101540 6101545 || [CISCO-SDEE] Adobe Reader Code Execution || url,wiki.quadrantsec.com/bin/view/Main/6101545 6101546 || [CISCO-SDEE] H3C and Huawei SNMP Access Control Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6101546 6101547 || [CISCO-SDEE] Microsoft Office Word 2010 Stack Overflow || url,wiki.quadrantsec.com/bin/view/Main/6101547 6101548 || [CISCO-SDEE] Microsoft Office Picture Manager Memory Corruption || url,wiki.quadrantsec.com/bin/view/Main/6101548 6101550 || [CISCO-SDEE] Novell Netware XNFS.NLM xdrDecodeString Heap Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6101550 6101555 || [CISCO-SDEE] Firefox SVGTextElement.getCharNumAtPositio Use-After-Free || url,wiki.quadrantsec.com/bin/view/Main/6101555 6101556 || [CISCO-SDEE] HP Intelligent Management Center Multiple Remote Code Execution || url,wiki.quadrantsec.com/bin/view/Main/6101556 6101563 || [CISCO-SDEE] IBM Lotus Notes URL Handler Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6101563 6101564 || [CISCO-SDEE] Microsoft Internet Explorer Cross Domain Bypass || url,wiki.quadrantsec.com/bin/view/Main/6101564 6101565 || [CISCO-SDEE] Novell ZENworks Asset Management Web Console Information Disclosure || 
url,wiki.quadrantsec.com/bin/view/Main/6101565 6101566 || [CISCO-SDEE] Microsoft Vista Speech Recognition ActiveX Vulnerabilities || url,wiki.quadrantsec.com/bin/view/Main/6101566 6101569 || [CISCO-SDEE] HP StorageWorks P4000 Virtual SAN Appliance Command Execution Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6101569 6101570 || [CISCO-SDEE] Apple iCloud Traffic || url,wiki.quadrantsec.com/bin/view/Main/6101570 6101571 || [CISCO-SDEE] Novell File Reporter Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6101571 6101572 || [CISCO-SDEE] HP Operations Agent for NonStop Server HEALTH Packet Parsing Stack Buffer || url,wiki.quadrantsec.com/bin/view/Main/6101572 6101573 || [CISCO-SDEE] Macromedia Shockwave ActiveX SwDir.dll Stack Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6101573 6101574 || [CISCO-SDEE] VMWare ActiveX Remote Code Execution || url,wiki.quadrantsec.com/bin/view/Main/6101574 6101575 || [CISCO-SDEE] Novell iPrint Client ActiveX Remote Code Execution || url,wiki.quadrantsec.com/bin/view/Main/6101575 6101577 || [CISCO-SDEE] Asterisk SIP Channel Driver Denial of Service || url,wiki.quadrantsec.com/bin/view/Main/6101577 6101578 || [CISCO-SDEE] TFTPD32 Format String Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6101578 6101579 || [CISCO-SDEE] Asterisk SIP INVITE Denial of Service || url,wiki.quadrantsec.com/bin/view/Main/6101579 6101580 || [CISCO-SDEE] Adobe Shockwave Player Director Record Parsing Remote Code Execution || url,wiki.quadrantsec.com/bin/view/Main/6101580 6101584 || [CISCO-SDEE] Microsoft Windows Explorer Code Execution || url,wiki.quadrantsec.com/bin/view/Main/6101584 6101585 || [CISCO-SDEE] Microsoft Windows Explorer Code Execution || url,wiki.quadrantsec.com/bin/view/Main/6101585 6101586 || [CISCO-SDEE] VLC Media Player Code Execution || url,wiki.quadrantsec.com/bin/view/Main/6101586 6101587 || [CISCO-SDEE] Microsoft Windows File Enumeration Memory Corruption Vulnerability || 
url,wiki.quadrantsec.com/bin/view/Main/6101587 6101588 || [CISCO-SDEE] Microsoft Excel Stack Overflow Code Execution || url,wiki.quadrantsec.com/bin/view/Main/6101588 6101589 || [CISCO-SDEE] Microsoft Excel Invalid Length Use After Free || url,wiki.quadrantsec.com/bin/view/Main/6101589 6101591 || [CISCO-SDEE] Microsoft Excel Remote Code Execution Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6101591 6101593 || [CISCO-SDEE] Microsoft Excel Remote Code Execution Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6101593 6101595 || [CISCO-SDEE] Asterisk Skinny Channel Driver Capabilities_Res_Message Denial of Service || url,wiki.quadrantsec.com/bin/view/Main/6101595 6101596 || [CISCO-SDEE] Microsoft Internet Explorer CFormElement Use After Free Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6101596 6101597 || [CISCO-SDEE] Microsoft .NET Framework Web Proxy Auto-Discovery Arbitrary Code Execution || url,wiki.quadrantsec.com/bin/view/Main/6101597 6101598 || [CISCO-SDEE] Oracle Business Intelligence Enterprise Edition Cross Site Scripting || url,wiki.quadrantsec.com/bin/view/Main/6101598 6101600 || [CISCO-SDEE] ICMPv6 zero length option || url,wiki.quadrantsec.com/bin/view/Main/6101600 6101601 || [CISCO-SDEE] ICMPv6 option type 1 violation || url,wiki.quadrantsec.com/bin/view/Main/6101601 6101602 || [CISCO-SDEE] ICMPv6 option type 2 violation || url,wiki.quadrantsec.com/bin/view/Main/6101602 6101603 || [CISCO-SDEE] ICMPv6 option type 3 violation || url,wiki.quadrantsec.com/bin/view/Main/6101603 6101604 || [CISCO-SDEE] ICMPv6 option type 4 violation || url,wiki.quadrantsec.com/bin/view/Main/6101604 6101605 || [CISCO-SDEE] ICMPv6 option type 5 violation || url,wiki.quadrantsec.com/bin/view/Main/6101605 6101606 || [CISCO-SDEE] ICMPv6 short option data || url,wiki.quadrantsec.com/bin/view/Main/6101606 6101607 || [CISCO-SDEE] IPv6 multi-crafted fragments || url,wiki.quadrantsec.com/bin/view/Main/6101607 6101608 || [CISCO-SDEE] Microsoft Internet 
Explorer CTreePos Element Use After Free Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6101608 6101609 || [CISCO-SDEE] Microsoft .NET Framework Code Access Information Disclosure || url,wiki.quadrantsec.com/bin/view/Main/6101609 6101610 || [CISCO-SDEE] ICMPv6 Echo Request || url,wiki.quadrantsec.com/bin/view/Main/6101610 6101611 || [CISCO-SDEE] ICMPv6 Echo Reply || url,wiki.quadrantsec.com/bin/view/Main/6101611 6101612 || [CISCO-SDEE] ICMPv6 Destination Unreachable || url,wiki.quadrantsec.com/bin/view/Main/6101612 6101613 || [CISCO-SDEE] ICMPv6 Packet Too Big Message || url,wiki.quadrantsec.com/bin/view/Main/6101613 6101614 || [CISCO-SDEE] ICMPv6 Time Exceeded Message || url,wiki.quadrantsec.com/bin/view/Main/6101614 6101615 || [CISCO-SDEE] ICMPv6 Parameter Problem Message || url,wiki.quadrantsec.com/bin/view/Main/6101615 6101616 || [CISCO-SDEE] ICMPv6 Group Membership Query || url,wiki.quadrantsec.com/bin/view/Main/6101616 6101617 || [CISCO-SDEE] ICMPv6 Group Membership Report || url,wiki.quadrantsec.com/bin/view/Main/6101617 6101618 || [CISCO-SDEE] ICMPv6 Membership Reduction || url,wiki.quadrantsec.com/bin/view/Main/6101618 6101619 || [CISCO-SDEE] ICMPv6 Router Solicitation || url,wiki.quadrantsec.com/bin/view/Main/6101619 6101620 || [CISCO-SDEE] ICMPv6 Router Advertisement || url,wiki.quadrantsec.com/bin/view/Main/6101620 6101621 || [CISCO-SDEE] ICMPv6 Neighbor Solicitation || url,wiki.quadrantsec.com/bin/view/Main/6101621 6101622 || [CISCO-SDEE] ICMPv6 Neighbor Advertisement || url,wiki.quadrantsec.com/bin/view/Main/6101622 6101623 || [CISCO-SDEE] ICMPv6 Redirect || url,wiki.quadrantsec.com/bin/view/Main/6101623 6101624 || [CISCO-SDEE] ICMPv6 Router Renumbering || url,wiki.quadrantsec.com/bin/view/Main/6101624 6101625 || [CISCO-SDEE] ICMPv6 Membership Report V2 || url,wiki.quadrantsec.com/bin/view/Main/6101625 6101626 || [CISCO-SDEE] Large ICMPV6 Traffic || url,wiki.quadrantsec.com/bin/view/Main/6101626 6101627 || [CISCO-SDEE] Fragmented ICMPv6 
Traffic || url,wiki.quadrantsec.com/bin/view/Main/6101627 6101628 || [CISCO-SDEE] ICMPv6 Traffic over IPv4 || url,wiki.quadrantsec.com/bin/view/Main/6101628 6101629 || [CISCO-SDEE] ICMP Traffic over IPv6 || url,wiki.quadrantsec.com/bin/view/Main/6101629 6101630 || [CISCO-SDEE] ICMPv6 Packet Too Big || url,wiki.quadrantsec.com/bin/view/Main/6101630 6101631 || [CISCO-SDEE] Microsoft .NET Framework Reflection Bypass Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6101631 6101632 || [CISCO-SDEE] Unix CUPS HTTP GET Denial Of Service || url,wiki.quadrantsec.com/bin/view/Main/6101632 6101635 || [CISCO-SDEE] Bootpd 2.4.3 Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6101635 6101636 || [CISCO-SDEE] Mozilla Firefox 1.0.7 InstallTrigger.Install Remote Code Execution || url,wiki.quadrantsec.com/bin/view/Main/6101636 6101637 || [CISCO-SDEE] Mozilla Firefox Javascript Engine Overflow || url,wiki.quadrantsec.com/bin/view/Main/6101637 6101638 || [CISCO-SDEE] Mozilla Firefox CSS Layout Memory Corruption || url,wiki.quadrantsec.com/bin/view/Main/6101638 6101641 || [CISCO-SDEE] Microsoft Internet Explorer Use After Free Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6101641 6101642 || [CISCO-SDEE] Windows Kernel-Mode Driver Remote Code Execution || url,wiki.quadrantsec.com/bin/view/Main/6101642 6101643 || [CISCO-SDEE] Apple Safari Out of Bounds Access Denial of Service || url,wiki.quadrantsec.com/bin/view/Main/6101643 6101646 || [CISCO-SDEE] Metasploit Java Applet Payload Creation || url,wiki.quadrantsec.com/bin/view/Main/6101646 6101653 || [CISCO-SDEE] Novell GroupWise Internet Agent RRULE Weekday Parsing Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6101653 6101654 || [CISCO-SDEE] PNG Embedded File Type || url,wiki.quadrantsec.com/bin/view/Main/6101654 6101664 || [CISCO-SDEE] Adobe Flash Player ActionScript callMethod Code Execution || url,wiki.quadrantsec.com/bin/view/Main/6101664 6101671 || [CISCO-SDEE] Oracle Secure Backup Server Command 
Execution Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6101671 6101681 || [CISCO-SDEE] Microsoft Windows Open Type Font Parsing Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6101681 6101683 || [CISCO-SDEE] Microsoft IE Improper Ref Counting Use After Free Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6101683 6101693 || [CISCO-SDEE] GXV-3000 SIP Phone Eavesdropping Exploit || url,wiki.quadrantsec.com/bin/view/Main/6101693 6101694 || [CISCO-SDEE] Xitami Web Server Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6101694 6101695 || [CISCO-SDEE] Rlogin Root Access || url,wiki.quadrantsec.com/bin/view/Main/6101695 6101696 || [CISCO-SDEE] Rlogin Guest Access || url,wiki.quadrantsec.com/bin/view/Main/6101696 6101697 || [CISCO-SDEE] Rlogin Nobody Access || url,wiki.quadrantsec.com/bin/view/Main/6101697 6101700 || [CISCO-SDEE] IPv6 Hop-by-Hop Options Present || url,wiki.quadrantsec.com/bin/view/Main/6101700 6101702 || [CISCO-SDEE] IPv6 Routing Header Present || url,wiki.quadrantsec.com/bin/view/Main/6101702 6101703 || [CISCO-SDEE] IPv6 Fragmented Traffic || url,wiki.quadrantsec.com/bin/view/Main/6101703 6101704 || [CISCO-SDEE] IPv6 Authentication Header Present || url,wiki.quadrantsec.com/bin/view/Main/6101704 6101705 || [CISCO-SDEE] IPv6 ESP Header Present || url,wiki.quadrantsec.com/bin/view/Main/6101705 6101706 || [CISCO-SDEE] Invalid IPv6 Header Traffic Class Field || url,wiki.quadrantsec.com/bin/view/Main/6101706 6101707 || [CISCO-SDEE] Invalid IPv6 Header Flow Label Field || url,wiki.quadrantsec.com/bin/view/Main/6101707 6101708 || [CISCO-SDEE] IPv6 Header Contains An Invalid Address || url,wiki.quadrantsec.com/bin/view/Main/6101708 6101709 || [CISCO-SDEE] Microsoft Office Word RTF Document Processing Arbitrary Code Execution Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6101709 6101710 || [CISCO-SDEE] IPv6 Extensions Headers Out Of Order || url,wiki.quadrantsec.com/bin/view/Main/6101710 6101711 || [CISCO-SDEE] 
Duplicate IPv6 Extension Headers || url,wiki.quadrantsec.com/bin/view/Main/6101711 6101712 || [CISCO-SDEE] IPv6 Packet Contains Duplicate Src And Dst Address || url,wiki.quadrantsec.com/bin/view/Main/6101712 6101713 || [CISCO-SDEE] IPv6 Header Contains Multicast Source Address || url,wiki.quadrantsec.com/bin/view/Main/6101713 6101714 || [CISCO-SDEE] IPv6 Address Set To localhost || url,wiki.quadrantsec.com/bin/view/Main/6101714 6101716 || [CISCO-SDEE] IPv6 Options Padding Too Long || url,wiki.quadrantsec.com/bin/view/Main/6101716 6101717 || [CISCO-SDEE] Back To Back Padding Options || url,wiki.quadrantsec.com/bin/view/Main/6101717 6101718 || [CISCO-SDEE] IPv6 Option Data Too Short || url,wiki.quadrantsec.com/bin/view/Main/6101718 6101719 || [CISCO-SDEE] IPv6 Endpoint Identification Option Set || url,wiki.quadrantsec.com/bin/view/Main/6101719 6101720 || [CISCO-SDEE] IPv6 Jumbo Payload Option Set || url,wiki.quadrantsec.com/bin/view/Main/6101720 6101721 || [CISCO-SDEE] IPv6 Router Alert Option Set || url,wiki.quadrantsec.com/bin/view/Main/6101721 6101722 || [CISCO-SDEE] IPv6 Tunnel Encapsulation Limit Option Set || url,wiki.quadrantsec.com/bin/view/Main/6101722 6101723 || [CISCO-SDEE] IPv6 Packet Contains Unassigned Options || url,wiki.quadrantsec.com/bin/view/Main/6101723 6101724 || [CISCO-SDEE] IPv6 Endpoint Identification Option Set || url,wiki.quadrantsec.com/bin/view/Main/6101724 6101725 || [CISCO-SDEE] IPv6 Tunnel Encapsulation Limit Option Set || url,wiki.quadrantsec.com/bin/view/Main/6101725 6101726 || [CISCO-SDEE] IPv6 Invalid Option Set || url,wiki.quadrantsec.com/bin/view/Main/6101726 6101727 || [CISCO-SDEE] IPv6 Router Alert Option Set || url,wiki.quadrantsec.com/bin/view/Main/6101727 6101728 || [CISCO-SDEE] IPv6 Routing Header Type 0 || url,wiki.quadrantsec.com/bin/view/Main/6101728 6101729 || [CISCO-SDEE] Telnet Failure Log XSS || url,wiki.quadrantsec.com/bin/view/Main/6101729 6101730 || [CISCO-SDEE] IPv6 Type 1 Routing Header || 
url,wiki.quadrantsec.com/bin/view/Main/6101730 6101731 || [CISCO-SDEE] IPv6 Type 2 Routing Header || url,wiki.quadrantsec.com/bin/view/Main/6101731 6101732 || [CISCO-SDEE] IPv6 Routing Header Type Unknown Type || url,wiki.quadrantsec.com/bin/view/Main/6101732 6101733 || [CISCO-SDEE] Invalid IPv6 Routing Header Length || url,wiki.quadrantsec.com/bin/view/Main/6101733 6101734 || [CISCO-SDEE] IPv6 Routing Header Incomplete || url,wiki.quadrantsec.com/bin/view/Main/6101734 6101735 || [CISCO-SDEE] IPv6 Routing Header Contains Invalid IP Address || url,wiki.quadrantsec.com/bin/view/Main/6101735 6101736 || [CISCO-SDEE] IPv6 Routing Header Contains A Loop || url,wiki.quadrantsec.com/bin/view/Main/6101736 6101737 || [CISCO-SDEE] IPv6 Routing Header Reserved Bits Set || url,wiki.quadrantsec.com/bin/view/Main/6101737 6101738 || [CISCO-SDEE] IPv6 Unnecessary Fragment Header || url,wiki.quadrantsec.com/bin/view/Main/6101738 6101739 || [CISCO-SDEE] IPv6 Illegal Fragmentation || url,wiki.quadrantsec.com/bin/view/Main/6101739 6101740 || [CISCO-SDEE] Small IPv6 Fragments || url,wiki.quadrantsec.com/bin/view/Main/6101740 6101741 || [CISCO-SDEE] IPv6 Fragment Header Reserved Bits Set || url,wiki.quadrantsec.com/bin/view/Main/6101741 6101742 || [CISCO-SDEE] IPv6 No Next Header Option Present || url,wiki.quadrantsec.com/bin/view/Main/6101742 6101743 || [CISCO-SDEE] PHP phpinfo() Cross-Site Scripting Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6101743 6101747 || [CISCO-SDEE] MySQL Database Privilege Escalation || url,wiki.quadrantsec.com/bin/view/Main/6101747 6101749 || [CISCO-SDEE] Peercast Basic Authentication Overflow || url,wiki.quadrantsec.com/bin/view/Main/6101749 6101755 || [CISCO-SDEE] PHP zip URL Wrapper Buffer Overflow (HTTP) || url,wiki.quadrantsec.com/bin/view/Main/6101755 6101756 || [CISCO-SDEE] Axigen POP3 Server Remote Format String Attack || url,wiki.quadrantsec.com/bin/view/Main/6101756 6101758 || [CISCO-SDEE] VLC HTTPD Format String Bug || 
url,wiki.quadrantsec.com/bin/view/Main/6101758 6101760 || [CISCO-SDEE] Sun Solaris RWall Daemon Syslog Format String Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6101760 6101761 || [CISCO-SDEE] PHP Post File Upload Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6101761 6101762 || [CISCO-SDEE] Modbus TCP - Value Scan || url,wiki.quadrantsec.com/bin/view/Main/6101762 6101773 || [CISCO-SDEE] Synergy Clipboard Integer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6101773 6101774 || [CISCO-SDEE] iPlanet Web Admin Server Command Injection || url,wiki.quadrantsec.com/bin/view/Main/6101774 6101775 || [CISCO-SDEE] Netware Client Service Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6101775 6101777 || [CISCO-SDEE] Microsoft IIS 4.0 Information Leaking Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6101777 6101778 || [CISCO-SDEE] Microsoft IIS 4.0 Cross Site Scripting Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6101778 6101780 || [CISCO-SDEE] CVS Server Memory Corruption Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6101780 6101781 || [CISCO-SDEE] Nimda Worm TFTP Request || url,wiki.quadrantsec.com/bin/view/Main/6101781 6101786 || [CISCO-SDEE] Computer Associates Total Defense Suite UNCWS SQL Injection || url,wiki.quadrantsec.com/bin/view/Main/6101786 6101787 || [CISCO-SDEE] Oracle Java Remote Compiler Option Loading || url,wiki.quadrantsec.com/bin/view/Main/6101787 6101789 || [CISCO-SDEE] Tom Sawyer GET Extension Factory ActiveX Remote Code Execution || url,wiki.quadrantsec.com/bin/view/Main/6101789 6101790 || [CISCO-SDEE] Microsoft System Center Operations Manager Privilege Escalation || url,wiki.quadrantsec.com/bin/view/Main/6101790 6101791 || [CISCO-SDEE] HeapLib Instantiation || url,wiki.quadrantsec.com/bin/view/Main/6101791 6101792 || [CISCO-SDEE] Internet Explorer CButton User After Free || url,wiki.quadrantsec.com/bin/view/Main/6101792 6101793 || [CISCO-SDEE] Microsoft .NET Framework OData Services 
Denial of Service || url,wiki.quadrantsec.com/bin/view/Main/6101793 6101794 || [CISCO-SDEE] Microsoft XML Core Services Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6101794 6101799 || [CISCO-SDEE] Citrix Streamprocess Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6101799 6101801 || [CISCO-SDEE] RealNetworks RealPlayer URL Parsing Stack Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6101801 6101802 || [CISCO-SDEE] Ruby on Rails Remote Code Execution Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6101802 6101803 || [CISCO-SDEE] Microsoft Exchange iCal DoS || url,wiki.quadrantsec.com/bin/view/Main/6101803 6101804 || [CISCO-SDEE] Java 1.7 Update 10 Remote Code Execution || url,wiki.quadrantsec.com/bin/view/Main/6101804 6101807 || [CISCO-SDEE] Cisco ASA 1000v Cloud Firewall H.323 Inspection Denial of Service || url,wiki.quadrantsec.com/bin/view/Main/6101807 6101813 || [CISCO-SDEE] Oracle Java Applet Rhino Script Engine Policy Bypass || url,wiki.quadrantsec.com/bin/view/Main/6101813 6101814 || [CISCO-SDEE] x.509 Certificate NULL Byte Name Insertion || url,wiki.quadrantsec.com/bin/view/Main/6101814 6101815 || [CISCO-SDEE] x.509 Certificate Integer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6101815 6101819 || [CISCO-SDEE] IOS IPSLA DoS || url,wiki.quadrantsec.com/bin/view/Main/6101819 6101820 || [CISCO-SDEE] Quest Software Big Brother Arbitrary File Deletion and Overwriting || url,wiki.quadrantsec.com/bin/view/Main/6101820 6101822 || [CISCO-SDEE] Squid Gopher Parsing Overflow || url,wiki.quadrantsec.com/bin/view/Main/6101822 6101823 || [CISCO-SDEE] CUPS GIF Parsing Heap Overflow || url,wiki.quadrantsec.com/bin/view/Main/6101823 6101831 || [CISCO-SDEE] Microsoft .NET XML Signature Syntax and Processing Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6101831 6101833 || [CISCO-SDEE] Citrix XenApp And XenDesktop XML Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6101833 6101835 || [CISCO-SDEE] Sunway 
ForceControl SNMP NetDBServer Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6101835 6101836 || [CISCO-SDEE] HP JetDirect PJL Interface Universal Path Traversal || url,wiki.quadrantsec.com/bin/view/Main/6101836 6101837 || [CISCO-SDEE] HTML5 Heap Spray || url,wiki.quadrantsec.com/bin/view/Main/6101837 6101838 || [CISCO-SDEE] Wibu-Systems WibuKey Runtime for Windows ActiveX Control Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6101838 6101850 || [CISCO-SDEE] Novell eDirectory LDAP Null Search Parameter Overflow || url,wiki.quadrantsec.com/bin/view/Main/6101850 6101851 || [CISCO-SDEE] Portable SDK for UPnP Devices Buffer Overflow Vulnerabilities || url,wiki.quadrantsec.com/bin/view/Main/6101851 6101853 || [CISCO-SDEE] Ruby On Rails Remote Code Execution || url,wiki.quadrantsec.com/bin/view/Main/6101853 6101855 || [CISCO-SDEE] Novell Netware XNFS.NLM Remote Code Execution || url,wiki.quadrantsec.com/bin/view/Main/6101855 6101857 || [CISCO-SDEE] Microsoft Internet Explorer Remote Code Execution Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6101857 6101858 || [CISCO-SDEE] HP OmniInet.exe Buffer Overflow Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6101858 6101862 || [CISCO-SDEE] Microsoft Internet Explorer Remote Code Execution Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6101862 6101863 || [CISCO-SDEE] Mozilla Firefox nsTreeRange Dangling Pointer Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6101863 6101864 || [CISCO-SDEE] Microsoft Internet Explorer Remote Code Execution || url,wiki.quadrantsec.com/bin/view/Main/6101864 6101865 || [CISCO-SDEE] Novell GroupWise Internet Agent Buffer Overflow Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6101865 6101866 || [CISCO-SDEE] Mozilla Firefox DOM Insertions Memory Corruption || url,wiki.quadrantsec.com/bin/view/Main/6101866 6101867 || [CISCO-SDEE] Microsoft Internet Explorer Memory Corruption || url,wiki.quadrantsec.com/bin/view/Main/6101867 6101868 || 
[CISCO-SDEE] Microsoft Vector Markup Language Remote Code Execution || url,wiki.quadrantsec.com/bin/view/Main/6101868 6101873 || [CISCO-SDEE] Cisco ATA 187 Remote Access Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6101873 6101874 || [CISCO-SDEE] VoipNow Professional Nsextt Parameter XSS Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6101874 6101877 || [CISCO-SDEE] WebERP Local File Include Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6101877 6101878 || [CISCO-SDEE] Sun Java Web Console Format String Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6101878 6101880 || [CISCO-SDEE] Elefant CMS ID Parameter Cross Site Scripting Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6101880 6101881 || [CISCO-SDEE] D-Link DSL-2640B Redpass.Cgi Cross Site Request Forgery Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6101881 6101882 || [CISCO-SDEE] Mozilla Firefox Cross Site Scripting Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6101882 6101883 || [CISCO-SDEE] JW Player Logo.Link Parameter Cross Site Scripting Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6101883 6101885 || [CISCO-SDEE] WordPress Count Per Day Plugin Datemin Parameter XSS Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6101885 6101886 || [CISCO-SDEE] WordPress Wp-ImageZoom File Parameter Remote File Disclosure Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6101886 6101892 || [CISCO-SDEE] InduSoft Web Studio Unauthenticated Insecure Remote Operations || url,wiki.quadrantsec.com/bin/view/Main/6101892 6101894 || [CISCO-SDEE] Bitweaver Highlight Parameter Cross Site Scripting Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6101894 6101895 || [CISCO-SDEE] Microsoft Internet Explorer Memory Corruption || url,wiki.quadrantsec.com/bin/view/Main/6101895 6101896 || [CISCO-SDEE] XAMPP Cds.Php Cross Site Scripting Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6101896 6101898 || [CISCO-SDEE] Nagios XI VisApi.Php 
Div Parameter XSS Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6101898 6101899 || [CISCO-SDEE] MGB Guestbook Index.Php Cross Site Scripting Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6101899 6101900 || [CISCO-SDEE] WordPress Church_Admin Id Parameter XSS Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6101900 6101904 || [CISCO-SDEE] JW Player Playerready Cross Site Scripting Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6101904 6101908 || [CISCO-SDEE] Sophos E-Mail Security Virtual Appliance Remote Code Execution Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6101908 6101909 || [CISCO-SDEE] KindEditor Name Parameter Cross Site Scripting Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6101909 6101911 || [CISCO-SDEE] WordPress Rich Widget Plugin Arbitrary File Upload Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6101911 6101914 || [CISCO-SDEE] Zenoss ViewDaemonLog Daemon Arbitrary Log File Access Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6101914 6101920 || [CISCO-SDEE] HP Application Lifecycle Management XGO.ocx Remote Code Execution || url,wiki.quadrantsec.com/bin/view/Main/6101920 6101922 || [CISCO-SDEE] ManageEngine Support Center Plus Cross Site Scripting Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6101922 6101924 || [CISCO-SDEE] SilverStripe BackURL Parameter URI Redirection Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6101924 6101925 || [CISCO-SDEE] Symphony CMS BluePRINTs URI SQL Injection || url,wiki.quadrantsec.com/bin/view/Main/6101925 6101926 || [CISCO-SDEE] WordPress ABC Test Plugin Id Parameter XSS Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6101926 6101927 || [CISCO-SDEE] WordPress Crayon Syntax Highlighter Wp_load Remote File Include || url,wiki.quadrantsec.com/bin/view/Main/6101927 6101928 || [CISCO-SDEE] Lattice Semiconductor Diamond Programmer Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6101928 6101929 || [CISCO-SDEE] 
Mcrypt Check File Head Stack Based Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6101929 6101930 || [CISCO-SDEE] WordPress Cross Site Request Forgery Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6101930 6101931 || [CISCO-SDEE] WordPress Newsletter Preview.php File Disclosure Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6101931 6101933 || [CISCO-SDEE] DocXP Fid Parameter Directory Traversal Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6101933 6101937 || [CISCO-SDEE] Microsoft Internet Explorer Memory Corruption || url,wiki.quadrantsec.com/bin/view/Main/6101937 6101938 || [CISCO-SDEE] Microsoft Internet Explorer Memory Corruption || url,wiki.quadrantsec.com/bin/view/Main/6101938 6101939 || [CISCO-SDEE] Microsoft Internet Explorer Memory Corruption || url,wiki.quadrantsec.com/bin/view/Main/6101939 6101940 || [CISCO-SDEE] Microsoft Internet Explore Remote Code Execution || url,wiki.quadrantsec.com/bin/view/Main/6101940 6101941 || [CISCO-SDEE] Microsoft Internet Explorer Remote Code Execution || url,wiki.quadrantsec.com/bin/view/Main/6101941 6101942 || [CISCO-SDEE] Microsoft Internet Explorer Cross Site Scripting || url,wiki.quadrantsec.com/bin/view/Main/6101942 6101944 || [CISCO-SDEE] Oracle Outside In CorelDRAW File Parser Heap Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6101944 6101945 || [CISCO-SDEE] Trend Micro Control Manager Cross Site Request Forgery || url,wiki.quadrantsec.com/bin/view/Main/6101945 6101946 || [CISCO-SDEE] Apple Safari WebKit SVG Memory Corruption || url,wiki.quadrantsec.com/bin/view/Main/6101946 6101947 || [CISCO-SDEE] Adobe Flash Player Buffer Overflow Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6101947 6101949 || [CISCO-SDEE] Internet Explorer Cloned DOM Object Code Execution || url,wiki.quadrantsec.com/bin/view/Main/6101949 6101950 || [CISCO-SDEE] Adobe Flash Player Remote Code Execution || url,wiki.quadrantsec.com/bin/view/Main/6101950 6101958 || [CISCO-SDEE] Apache DoS 
|| url,wiki.quadrantsec.com/bin/view/Main/6101958 6101959 || [CISCO-SDEE] Apple Safari WebKit innerHTML Double Free Memory Corruption || url,wiki.quadrantsec.com/bin/view/Main/6101959 6101969 || [CISCO-SDEE] WINS Service Failed Response Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6101969 6101972 || [CISCO-SDEE] Hewlett-Packard OpenView Network Node Manager Remote Code Execution || url,wiki.quadrantsec.com/bin/view/Main/6101972 6101973 || [CISCO-SDEE] Microsoft Internet Explorer Remote Code Execution || url,wiki.quadrantsec.com/bin/view/Main/6101973 6101974 || [CISCO-SDEE] Novell GroupWise HTTP Interfaces Arbitrary File Retrieval || url,wiki.quadrantsec.com/bin/view/Main/6101974 6101975 || [CISCO-SDEE] APT1 SSL Certificate || url,wiki.quadrantsec.com/bin/view/Main/6101975 6101976 || [CISCO-SDEE] Cisco IOS Zone-based Firewall SIP Denial of Service || url,wiki.quadrantsec.com/bin/view/Main/6101976 6101977 || [CISCO-SDEE] Adobe Flash Player Memory Corruption || url,wiki.quadrantsec.com/bin/view/Main/6101977 6101978 || [CISCO-SDEE] Microsoft Internet Explorer Memory Corruption Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6101978 6101981 || [CISCO-SDEE] Microsoft Office Visio Viewer VSD File Type Confusion || url,wiki.quadrantsec.com/bin/view/Main/6101981 6101984 || [CISCO-SDEE] Microsoft Sharepoint XSS || url,wiki.quadrantsec.com/bin/view/Main/6101984 6101990 || [CISCO-SDEE] Microsoft Sharepoint XSS || url,wiki.quadrantsec.com/bin/view/Main/6101990 6101993 || [CISCO-SDEE] Microsoft Internet Explorer Remote Code Execution Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6101993 6101997 || [CISCO-SDEE] Microsoft WKSSVC NetpManageIPCConnect Remote Code Execution || url,wiki.quadrantsec.com/bin/view/Main/6101997 6101998 || [CISCO-SDEE] Microsoft Internet Explorer Remote Code Execution || url,wiki.quadrantsec.com/bin/view/Main/6101998 6102000 || [CISCO-SDEE] ICMP Echo Reply || url,wiki.quadrantsec.com/bin/view/Main/6102000 6102001 || 
[CISCO-SDEE] ICMP Host Unreachable || url,wiki.quadrantsec.com/bin/view/Main/6102001 6102002 || [CISCO-SDEE] ICMP Source Quench || url,wiki.quadrantsec.com/bin/view/Main/6102002 6102003 || [CISCO-SDEE] ICMP Redirect || url,wiki.quadrantsec.com/bin/view/Main/6102003 6102004 || [CISCO-SDEE] ICMP Echo Request || url,wiki.quadrantsec.com/bin/view/Main/6102004 6102005 || [CISCO-SDEE] ICMP Time Exceeded for a Datagram || url,wiki.quadrantsec.com/bin/view/Main/6102005 6102006 || [CISCO-SDEE] ICMP Parameter Problem on Datagram || url,wiki.quadrantsec.com/bin/view/Main/6102006 6102007 || [CISCO-SDEE] ICMP Timestamp Request || url,wiki.quadrantsec.com/bin/view/Main/6102007 6102008 || [CISCO-SDEE] ICMP Timestamp Reply || url,wiki.quadrantsec.com/bin/view/Main/6102008 6102009 || [CISCO-SDEE] ICMP Information Request || url,wiki.quadrantsec.com/bin/view/Main/6102009 6102010 || [CISCO-SDEE] ICMP Information Reply || url,wiki.quadrantsec.com/bin/view/Main/6102010 6102012 || [CISCO-SDEE] ICMP Address Mask Reply || url,wiki.quadrantsec.com/bin/view/Main/6102012 6102019 || [CISCO-SDEE] 7T IGSS Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6102019 6102021 || [CISCO-SDEE] Microsoft Windows SMB PIPE Remote Denial of Service Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6102021 6102023 || [CISCO-SDEE] Schneider Electric Accutech Manager HTTP Request Processing Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6102023 6102024 || [CISCO-SDEE] Microsoft Internet Explorer Memory Corruption Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6102024 6102030 || [CISCO-SDEE] Microsoft Internet Explorer CCaret Use-After-Free Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6102030 6102034 || [CISCO-SDEE] Microsoft OneNote Information Disclosure || url,wiki.quadrantsec.com/bin/view/Main/6102034 6102036 || [CISCO-SDEE] Microsoft SharePoint Elevation of Privilege || url,wiki.quadrantsec.com/bin/view/Main/6102036 6102038 || [CISCO-SDEE] Microsoft Internet 
Explorer Memory Corruption || url,wiki.quadrantsec.com/bin/view/Main/6102038 6102039 || [CISCO-SDEE] Internet Explorer 8 Memory Corruption Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6102039 6102100 || [CISCO-SDEE] ICMP Network Sweep With Echo || url,wiki.quadrantsec.com/bin/view/Main/6102100 6102101 || [CISCO-SDEE] ICMP Network Sweep w/Timestamp || url,wiki.quadrantsec.com/bin/view/Main/6102101 6102102 || [CISCO-SDEE] ICMP Network Sweep w/Address Mask || url,wiki.quadrantsec.com/bin/view/Main/6102102 6102150 || [CISCO-SDEE] Fragmented ICMP Traffic || url,wiki.quadrantsec.com/bin/view/Main/6102150 6102151 || [CISCO-SDEE] Large ICMP Traffic || url,wiki.quadrantsec.com/bin/view/Main/6102151 6102152 || [CISCO-SDEE] ICMP Flood || url,wiki.quadrantsec.com/bin/view/Main/6102152 6102153 || [CISCO-SDEE] ICMP Smurf Attack || url,wiki.quadrantsec.com/bin/view/Main/6102153 6102154 || [CISCO-SDEE] Ping of Death Attack || url,wiki.quadrantsec.com/bin/view/Main/6102154 6102155 || [CISCO-SDEE] Modem DoS || url,wiki.quadrantsec.com/bin/view/Main/6102155 6102156 || [CISCO-SDEE] Nachi Worm ICMP Echo Request || url,wiki.quadrantsec.com/bin/view/Main/6102156 6102157 || [CISCO-SDEE] ICMP Hard Error DoS || url,wiki.quadrantsec.com/bin/view/Main/6102157 6102158 || [CISCO-SDEE] Nachi Worm ICMP Echo Request || url,wiki.quadrantsec.com/bin/view/Main/6102158 6102159 || [CISCO-SDEE] ICMP Destination Unreachable Protocol Unreachable || url,wiki.quadrantsec.com/bin/view/Main/6102159 6102200 || [CISCO-SDEE] Invalid IGMP Header DoS || url,wiki.quadrantsec.com/bin/view/Main/6102200 6102201 || [CISCO-SDEE] IGMP over fragmented IP || url,wiki.quadrantsec.com/bin/view/Main/6102201 6102202 || [CISCO-SDEE] IGMP Invalid Packet DoS || url,wiki.quadrantsec.com/bin/view/Main/6102202 6103001 || [CISCO-SDEE] TCP Port Sweep || url,wiki.quadrantsec.com/bin/view/Main/6103001 6103002 || [CISCO-SDEE] TCP SYN Port Sweep || url,wiki.quadrantsec.com/bin/view/Main/6103002 6103003 || [CISCO-SDEE] TCP Frag 
SYN Port Sweep || url,wiki.quadrantsec.com/bin/view/Main/6103003 6103005 || [CISCO-SDEE] TCP FIN Port Sweep || url,wiki.quadrantsec.com/bin/view/Main/6103005 6103006 || [CISCO-SDEE] TCP Frag FIN Port Sweep || url,wiki.quadrantsec.com/bin/view/Main/6103006 6103010 || [CISCO-SDEE] TCP High Port Sweep || url,wiki.quadrantsec.com/bin/view/Main/6103010 6103011 || [CISCO-SDEE] TCP FIN High Port Sweep || url,wiki.quadrantsec.com/bin/view/Main/6103011 6103012 || [CISCO-SDEE] TCP Frag FIN High Port Sweep || url,wiki.quadrantsec.com/bin/view/Main/6103012 6103015 || [CISCO-SDEE] TCP Null Port Sweep || url,wiki.quadrantsec.com/bin/view/Main/6103015 6103016 || [CISCO-SDEE] TCP Frag Null Port Sweep || url,wiki.quadrantsec.com/bin/view/Main/6103016 6103020 || [CISCO-SDEE] TCP SYN FIN Port Sweep || url,wiki.quadrantsec.com/bin/view/Main/6103020 6103021 || [CISCO-SDEE] TCP Frag SYN FIN Port Sweep || url,wiki.quadrantsec.com/bin/view/Main/6103021 6103030 || [CISCO-SDEE] TCP SYN Host Sweep || url,wiki.quadrantsec.com/bin/view/Main/6103030 6103031 || [CISCO-SDEE] TCP FRAG SYN Host Sweep || url,wiki.quadrantsec.com/bin/view/Main/6103031 6103032 || [CISCO-SDEE] TCP FIN Host Sweep || url,wiki.quadrantsec.com/bin/view/Main/6103032 6103033 || [CISCO-SDEE] TCP FRAG FIN Host Sweep || url,wiki.quadrantsec.com/bin/view/Main/6103033 6103034 || [CISCO-SDEE] TCP NULL Host Sweep || url,wiki.quadrantsec.com/bin/view/Main/6103034 6103035 || [CISCO-SDEE] TCP FRAG NULL Host Sweep || url,wiki.quadrantsec.com/bin/view/Main/6103035 6103036 || [CISCO-SDEE] TCP SYN FIN Host Sweep || url,wiki.quadrantsec.com/bin/view/Main/6103036 6103037 || [CISCO-SDEE] TCP FRAG SYN FIN Host Sweep || url,wiki.quadrantsec.com/bin/view/Main/6103037 6103038 || [CISCO-SDEE] Fragmented NULL TCP Packet || url,wiki.quadrantsec.com/bin/view/Main/6103038 6103039 || [CISCO-SDEE] Fragmented Orphaned FIN packet || url,wiki.quadrantsec.com/bin/view/Main/6103039 6103040 || [CISCO-SDEE] TCP NULL Packet || 
url,wiki.quadrantsec.com/bin/view/Main/6103040 6103041 || [CISCO-SDEE] TCP SYN/FIN Packet || url,wiki.quadrantsec.com/bin/view/Main/6103041 6103042 || [CISCO-SDEE] Orphaned Fin Packet || url,wiki.quadrantsec.com/bin/view/Main/6103042 6103043 || [CISCO-SDEE] Fragmented SYN/FIN Packet || url,wiki.quadrantsec.com/bin/view/Main/6103043 6103045 || [CISCO-SDEE] Queso Sweep || url,wiki.quadrantsec.com/bin/view/Main/6103045 6103046 || [CISCO-SDEE] NMAP OS Fingerprint || url,wiki.quadrantsec.com/bin/view/Main/6103046 6103050 || [CISCO-SDEE] Half-open SYN Attack || url,wiki.quadrantsec.com/bin/view/Main/6103050 6103051 || [CISCO-SDEE] TCP Connection Window Size RST DoS || url,wiki.quadrantsec.com/bin/view/Main/6103051 6103052 || [CISCO-SDEE] UPNP Service Host Sweep || url,wiki.quadrantsec.com/bin/view/Main/6103052 6103100 || [CISCO-SDEE] SMTP RCPT TO: Bounce || url,wiki.quadrantsec.com/bin/view/Main/6103100 6103101 || [CISCO-SDEE] Sendmail Invalid Recipient || url,wiki.quadrantsec.com/bin/view/Main/6103101 6103102 || [CISCO-SDEE] Sendmail Invalid Sender || url,wiki.quadrantsec.com/bin/view/Main/6103102 6103103 || [CISCO-SDEE] Sendmail Reconnaissance || url,wiki.quadrantsec.com/bin/view/Main/6103103 6103104 || [CISCO-SDEE] Archaic Sendmail Attacks || url,wiki.quadrantsec.com/bin/view/Main/6103104 6103105 || [CISCO-SDEE] Sendmail Decode Alias || url,wiki.quadrantsec.com/bin/view/Main/6103105 6103106 || [CISCO-SDEE] Mail Spam || url,wiki.quadrantsec.com/bin/view/Main/6103106 6103107 || [CISCO-SDEE] Majordomo Execute Attack || url,wiki.quadrantsec.com/bin/view/Main/6103107 6103108 || [CISCO-SDEE] SMTP MIME Content Overflow || url,wiki.quadrantsec.com/bin/view/Main/6103108 6103109 || [CISCO-SDEE] Long SMTP Command || url,wiki.quadrantsec.com/bin/view/Main/6103109 6103110 || [CISCO-SDEE] Suspicious Mail Attachment || url,wiki.quadrantsec.com/bin/view/Main/6103110 6103111 || [CISCO-SDEE] W32 Sircam Malicious Code || url,wiki.quadrantsec.com/bin/view/Main/6103111 6103112 || 
[CISCO-SDEE] Lotus Domino Mail Loop DoS || url,wiki.quadrantsec.com/bin/view/Main/6103112 6103113 || [CISCO-SDEE] Email Attachment with Malicious Payload || url,wiki.quadrantsec.com/bin/view/Main/6103113 6103114 || [CISCO-SDEE] FetchMail Arbitrary Code Execution || url,wiki.quadrantsec.com/bin/view/Main/6103114 6103115 || [CISCO-SDEE] Sendmail Data Header Overflow || url,wiki.quadrantsec.com/bin/view/Main/6103115 6103116 || [CISCO-SDEE] Netbus || url,wiki.quadrantsec.com/bin/view/Main/6103116 6103117 || [CISCO-SDEE] KLEZ Worm || url,wiki.quadrantsec.com/bin/view/Main/6103117 6103118 || [CISCO-SDEE] rwhoisd format string || url,wiki.quadrantsec.com/bin/view/Main/6103118 6103119 || [CISCO-SDEE] WS_FTP STAT Overflow || url,wiki.quadrantsec.com/bin/view/Main/6103119 6103120 || [CISCO-SDEE] ANTS Virus || url,wiki.quadrantsec.com/bin/view/Main/6103120 6103121 || [CISCO-SDEE] Vintra MailServer EXPN DoS || url,wiki.quadrantsec.com/bin/view/Main/6103121 6103122 || [CISCO-SDEE] SMTP EXPN root Recon || url,wiki.quadrantsec.com/bin/view/Main/6103122 6103123 || [CISCO-SDEE] NetBus Pro Traffic || url,wiki.quadrantsec.com/bin/view/Main/6103123 6103124 || [CISCO-SDEE] Sendmail prescan Memory Corruption || url,wiki.quadrantsec.com/bin/view/Main/6103124 6103125 || [CISCO-SDEE] Postfix 1.1.12 envelope address DoS || url,wiki.quadrantsec.com/bin/view/Main/6103125 6103126 || [CISCO-SDEE] Postfix bounce scan || url,wiki.quadrantsec.com/bin/view/Main/6103126 6103127 || [CISCO-SDEE] SMTP AUTH Brute Force Attempt || url,wiki.quadrantsec.com/bin/view/Main/6103127 6103128 || [CISCO-SDEE] Exchange xexch50 overflow || url,wiki.quadrantsec.com/bin/view/Main/6103128 6103129 || [CISCO-SDEE] Mimail Virus C Variant File Attachment || url,wiki.quadrantsec.com/bin/view/Main/6103129 6103130 || [CISCO-SDEE] Mimail Virus I Variant File Attachment || url,wiki.quadrantsec.com/bin/view/Main/6103130 6103131 || [CISCO-SDEE] Mimail Virus L Variant File Attachment || 
url,wiki.quadrantsec.com/bin/view/Main/6103131 6103132 || [CISCO-SDEE] Novarg / Mydoom Virus Mail Attachment || url,wiki.quadrantsec.com/bin/view/Main/6103132 6103133 || [CISCO-SDEE] Novarg / Mydoom Virus Mail Attachment Variant B || url,wiki.quadrantsec.com/bin/view/Main/6103133 6103134 || [CISCO-SDEE] DoomJuice Worm network probe || url,wiki.quadrantsec.com/bin/view/Main/6103134 6103135 || [CISCO-SDEE] MyDoom Virus Activity || url,wiki.quadrantsec.com/bin/view/Main/6103135 6103136 || [CISCO-SDEE] Netsky Virus Activity || url,wiki.quadrantsec.com/bin/view/Main/6103136 6103137 || [CISCO-SDEE] Sober Virus Activity || url,wiki.quadrantsec.com/bin/view/Main/6103137 6103138 || [CISCO-SDEE] Bagle.C Virus Email Attachment || url,wiki.quadrantsec.com/bin/view/Main/6103138 6103139 || [CISCO-SDEE] Bagle.E Virus Email Attachment || url,wiki.quadrantsec.com/bin/view/Main/6103139 6103140 || [CISCO-SDEE] Bagle Virus Activity || url,wiki.quadrantsec.com/bin/view/Main/6103140 6103141 || [CISCO-SDEE] Lovgate Worm Activity || url,wiki.quadrantsec.com/bin/view/Main/6103141 6103142 || [CISCO-SDEE] Sasser Worm Activity || url,wiki.quadrantsec.com/bin/view/Main/6103142 6103143 || [CISCO-SDEE] BERBEW Trojan Activity || url,wiki.quadrantsec.com/bin/view/Main/6103143 6103144 || [CISCO-SDEE] Ratos Worm Activity || url,wiki.quadrantsec.com/bin/view/Main/6103144 6103145 || [CISCO-SDEE] ZAFI Worm Activity || url,wiki.quadrantsec.com/bin/view/Main/6103145 6103146 || [CISCO-SDEE] Bropia Worm Activity || url,wiki.quadrantsec.com/bin/view/Main/6103146 6103150 || [CISCO-SDEE] FTP Remote Command Execution || url,wiki.quadrantsec.com/bin/view/Main/6103150 6103151 || [CISCO-SDEE] FTP SYST Command Attempt || url,wiki.quadrantsec.com/bin/view/Main/6103151 6103152 || [CISCO-SDEE] FTP CWD ~root || url,wiki.quadrantsec.com/bin/view/Main/6103152 6103153 || [CISCO-SDEE] FTP Improper Address Specified || url,wiki.quadrantsec.com/bin/view/Main/6103153 6103154 || [CISCO-SDEE] FTP Improper Port Specified || 
url,wiki.quadrantsec.com/bin/view/Main/6103154 6103155 || [CISCO-SDEE] FTP RETR Pipe Filename Command Execution || url,wiki.quadrantsec.com/bin/view/Main/6103155 6103156 || [CISCO-SDEE] FTP STOR Pipe Filename Command Execution || url,wiki.quadrantsec.com/bin/view/Main/6103156 6103157 || [CISCO-SDEE] FTP PASV Port Spoof || url,wiki.quadrantsec.com/bin/view/Main/6103157 6103158 || [CISCO-SDEE] FTP SITE EXEC Format String || url,wiki.quadrantsec.com/bin/view/Main/6103158 6103159 || [CISCO-SDEE] FTP PASS Suspicious Length || url,wiki.quadrantsec.com/bin/view/Main/6103159 6103160 || [CISCO-SDEE] Cesar FTP Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6103160 6103161 || [CISCO-SDEE] FTP realpath Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6103161 6103162 || [CISCO-SDEE] glFtpD LIST DoS || url,wiki.quadrantsec.com/bin/view/Main/6103162 6103163 || [CISCO-SDEE] WU-FTPD Heap Corruption || url,wiki.quadrantsec.com/bin/view/Main/6103163 6103164 || [CISCO-SDEE] Instant Server Mini Portal Directory Traversal || url,wiki.quadrantsec.com/bin/view/Main/6103164 6103165 || [CISCO-SDEE] FTP SITE EXEC || url,wiki.quadrantsec.com/bin/view/Main/6103165 6103166 || [CISCO-SDEE] FTP USER Suspicious Length || url,wiki.quadrantsec.com/bin/view/Main/6103166 6103167 || [CISCO-SDEE] Format String in FTP username || url,wiki.quadrantsec.com/bin/view/Main/6103167 6103168 || [CISCO-SDEE] FTP SITE EXEC Directory Traversal || url,wiki.quadrantsec.com/bin/view/Main/6103168 6103169 || [CISCO-SDEE] FTP SITE EXEC tar || url,wiki.quadrantsec.com/bin/view/Main/6103169 6103170 || [CISCO-SDEE] WS_FTP SITE CPWD Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6103170 6103171 || [CISCO-SDEE] FTP Priviledged Login || url,wiki.quadrantsec.com/bin/view/Main/6103171 6103172 || [CISCO-SDEE] Ftp Cwd Overflow || url,wiki.quadrantsec.com/bin/view/Main/6103172 6103173 || [CISCO-SDEE] Long FTP Command || url,wiki.quadrantsec.com/bin/view/Main/6103173 6103175 || [CISCO-SDEE] ProFTPD 
STAT DoS || url,wiki.quadrantsec.com/bin/view/Main/6103175 6103177 || [CISCO-SDEE] Long MDTM Command || url,wiki.quadrantsec.com/bin/view/Main/6103177 6103178 || [CISCO-SDEE] Denial Of Service in Microsoft SMS Client || url,wiki.quadrantsec.com/bin/view/Main/6103178 6103179 || [CISCO-SDEE] ftpdchk DOS || url,wiki.quadrantsec.com/bin/view/Main/6103179 6103180 || [CISCO-SDEE] BakBone NetVault Remote Heap Overflow || url,wiki.quadrantsec.com/bin/view/Main/6103180 6103181 || [CISCO-SDEE] dSMTP Mail Server Format String Overflow || url,wiki.quadrantsec.com/bin/view/Main/6103181 6103200 || [CISCO-SDEE] WWW Phf Attack || url,wiki.quadrantsec.com/bin/view/Main/6103200 6103202 || [CISCO-SDEE] WWW .url File Requested || url,wiki.quadrantsec.com/bin/view/Main/6103202 6103203 || [CISCO-SDEE] WWW .lnk File Requested || url,wiki.quadrantsec.com/bin/view/Main/6103203 6103204 || [CISCO-SDEE] WWW .bat File Requested || url,wiki.quadrantsec.com/bin/view/Main/6103204 6103205 || [CISCO-SDEE] HTML File Has .url Link || url,wiki.quadrantsec.com/bin/view/Main/6103205 6103206 || [CISCO-SDEE] HTML File Has .lnk Link || url,wiki.quadrantsec.com/bin/view/Main/6103206 6103207 || [CISCO-SDEE] HTML File Has .bat Link || url,wiki.quadrantsec.com/bin/view/Main/6103207 6103208 || [CISCO-SDEE] WWW Campas Attack || url,wiki.quadrantsec.com/bin/view/Main/6103208 6103209 || [CISCO-SDEE] WWW Glimpse Server Attack || url,wiki.quadrantsec.com/bin/view/Main/6103209 6103210 || [CISCO-SDEE] WWW IIS View Source Attack || url,wiki.quadrantsec.com/bin/view/Main/6103210 6103211 || [CISCO-SDEE] WWW IIS Hex View Source Attack || url,wiki.quadrantsec.com/bin/view/Main/6103211 6103212 || [CISCO-SDEE] WWW NPH-TEST-CGI Attack || url,wiki.quadrantsec.com/bin/view/Main/6103212 6103213 || [CISCO-SDEE] WWW TEST-CGI Attack || url,wiki.quadrantsec.com/bin/view/Main/6103213 6103214 || [CISCO-SDEE] IIS DOT DOT VIEW Attack || url,wiki.quadrantsec.com/bin/view/Main/6103214 6103215 || [CISCO-SDEE] IIS DOT DOT EXECUTE Attack || 
url,wiki.quadrantsec.com/bin/view/Main/6103215 6103216 || [CISCO-SDEE] WWW Directory Traversal ../.. || url,wiki.quadrantsec.com/bin/view/Main/6103216 6103217 || [CISCO-SDEE] WWW php View File Attack || url,wiki.quadrantsec.com/bin/view/Main/6103217 6103218 || [CISCO-SDEE] WWW SGI Wrap Attack || url,wiki.quadrantsec.com/bin/view/Main/6103218 6103219 || [CISCO-SDEE] WWW PHP Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6103219 6103220 || [CISCO-SDEE] IIS Long URL Attack || url,wiki.quadrantsec.com/bin/view/Main/6103220 6103221 || [CISCO-SDEE] WWW CGI-Viewsource Attack || url,wiki.quadrantsec.com/bin/view/Main/6103221 6103222 || [CISCO-SDEE] WWW PHP Log Scripts Read Attack || url,wiki.quadrantsec.com/bin/view/Main/6103222 6103223 || [CISCO-SDEE] WWW IRIX cgi-handler Attack || url,wiki.quadrantsec.com/bin/view/Main/6103223 6103224 || [CISCO-SDEE] HTTP WebGais || url,wiki.quadrantsec.com/bin/view/Main/6103224 6103225 || [CISCO-SDEE] WWW websendmail File Access || url,wiki.quadrantsec.com/bin/view/Main/6103225 6103226 || [CISCO-SDEE] WWW Webdist Bug || url,wiki.quadrantsec.com/bin/view/Main/6103226 6103227 || [CISCO-SDEE] WWW Htmlscript Bug || url,wiki.quadrantsec.com/bin/view/Main/6103227 6103228 || [CISCO-SDEE] WWW Performer Attack || url,wiki.quadrantsec.com/bin/view/Main/6103228 6103229 || [CISCO-SDEE] Website Win-C-Sample Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6103229 6103230 || [CISCO-SDEE] Website Uploader || url,wiki.quadrantsec.com/bin/view/Main/6103230 6103231 || [CISCO-SDEE] Novell Convert Attack || url,wiki.quadrantsec.com/bin/view/Main/6103231 6103232 || [CISCO-SDEE] WWW finger attempt || url,wiki.quadrantsec.com/bin/view/Main/6103232 6103233 || [CISCO-SDEE] WWW count-cgi Overflow || url,wiki.quadrantsec.com/bin/view/Main/6103233 6103234 || [CISCO-SDEE] IE Local Trusted Resource Execution || url,wiki.quadrantsec.com/bin/view/Main/6103234 6103235 || [CISCO-SDEE] showHelp CHM File Execution Weakness || 
url,wiki.quadrantsec.com/bin/view/Main/6103235 6103236 || [CISCO-SDEE] IIS Path Disclosure || url,wiki.quadrantsec.com/bin/view/Main/6103236 6103250 || [CISCO-SDEE] TCP Hijack || url,wiki.quadrantsec.com/bin/view/Main/6103250 6103251 || [CISCO-SDEE] TCP Hijack Simplex Mode || url,wiki.quadrantsec.com/bin/view/Main/6103251 6103252 || [CISCO-SDEE] Microsoft Agent ActiveX Control || url,wiki.quadrantsec.com/bin/view/Main/6103252 6103253 || [CISCO-SDEE] HTTP Request Smuggling || url,wiki.quadrantsec.com/bin/view/Main/6103253 6103254 || [CISCO-SDEE] XML-RPC PHP Command Execution || url,wiki.quadrantsec.com/bin/view/Main/6103254 6103255 || [CISCO-SDEE] Apache Long HTTP Header DoS || url,wiki.quadrantsec.com/bin/view/Main/6103255 6103300 || [CISCO-SDEE] NetBIOS OOB Data || url,wiki.quadrantsec.com/bin/view/Main/6103300 6103301 || [CISCO-SDEE] NETBIOS Stat || url,wiki.quadrantsec.com/bin/view/Main/6103301 6103302 || [CISCO-SDEE] NBT NetBios Session Service Failed Login || url,wiki.quadrantsec.com/bin/view/Main/6103302 6103303 || [CISCO-SDEE] SMB Login successful with Guest Privileges || url,wiki.quadrantsec.com/bin/view/Main/6103303 6103304 || [CISCO-SDEE] SMB NULL login attempt || url,wiki.quadrantsec.com/bin/view/Main/6103304 6103305 || [CISCO-SDEE] SMB 95 98 Password File Access || url,wiki.quadrantsec.com/bin/view/Main/6103305 6103306 || [CISCO-SDEE] SMB Remote Registry Access Attempt || url,wiki.quadrantsec.com/bin/view/Main/6103306 6103307 || [CISCO-SDEE] Red Button || url,wiki.quadrantsec.com/bin/view/Main/6103307 6103308 || [CISCO-SDEE] SMB Remote Lsarpc Service Access Attempt || url,wiki.quadrantsec.com/bin/view/Main/6103308 6103309 || [CISCO-SDEE] SMB Remote Srvsvc Service Access Attempt || url,wiki.quadrantsec.com/bin/view/Main/6103309 6103310 || [CISCO-SDEE] Netbios Enum Share DoS || url,wiki.quadrantsec.com/bin/view/Main/6103310 6103311 || [CISCO-SDEE] SMB Remote SAM Service Access Attempt || url,wiki.quadrantsec.com/bin/view/Main/6103311 6103312 || 
[CISCO-SDEE] SMB .eml email file remote access || url,wiki.quadrantsec.com/bin/view/Main/6103312 6103313 || [CISCO-SDEE] SMB Suspicious Password Usage || url,wiki.quadrantsec.com/bin/view/Main/6103313 6103314 || [CISCO-SDEE] Windows Locator Service Overflow || url,wiki.quadrantsec.com/bin/view/Main/6103314 6103315 || [CISCO-SDEE] Microsoft Windows 9x NetBIOS NULL Name Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6103315 6103316 || [CISCO-SDEE] Project1 DOS || url,wiki.quadrantsec.com/bin/view/Main/6103316 6103317 || [CISCO-SDEE] LSASS DCE RPC Request || url,wiki.quadrantsec.com/bin/view/Main/6103317 6103318 || [CISCO-SDEE] DsRolerUpgradeDownlevelServer Request || url,wiki.quadrantsec.com/bin/view/Main/6103318 6103319 || [CISCO-SDEE] DCE RPC Request || url,wiki.quadrantsec.com/bin/view/Main/6103319 6103320 || [CISCO-SDEE] SMB ADMIN Hidden Share Access Attempt || url,wiki.quadrantsec.com/bin/view/Main/6103320 6103321 || [CISCO-SDEE] SMB User Enumeration || url,wiki.quadrantsec.com/bin/view/Main/6103321 6103322 || [CISCO-SDEE] SMB Windows Share Enumeration || url,wiki.quadrantsec.com/bin/view/Main/6103322 6103323 || [CISCO-SDEE] SMB: RFPoison Attack || url,wiki.quadrantsec.com/bin/view/Main/6103323 6103324 || [CISCO-SDEE] SMB NIMDA Infected File Transfer || url,wiki.quadrantsec.com/bin/view/Main/6103324 6103325 || [CISCO-SDEE] Samba call_trans2open Overflow || url,wiki.quadrantsec.com/bin/view/Main/6103325 6103326 || [CISCO-SDEE] Windows Startup Folder Remote Access || url,wiki.quadrantsec.com/bin/view/Main/6103326 6103327 || [CISCO-SDEE] Windows RPC DCOM Overflow || url,wiki.quadrantsec.com/bin/view/Main/6103327 6103328 || [CISCO-SDEE] Windows SMB RPC NoOp Sled || url,wiki.quadrantsec.com/bin/view/Main/6103328 6103329 || [CISCO-SDEE] Windows RPCSS Overflow || url,wiki.quadrantsec.com/bin/view/Main/6103329 6103330 || [CISCO-SDEE] Windows RPCSS Overflow 2 || url,wiki.quadrantsec.com/bin/view/Main/6103330 6103331 || [CISCO-SDEE] UDP MSRPC Messenger Overflow 
|| url,wiki.quadrantsec.com/bin/view/Main/6103331 6103332 || [CISCO-SDEE] TCP MSRPC Messenger Overflow || url,wiki.quadrantsec.com/bin/view/Main/6103332 6103333 || [CISCO-SDEE] SMB MSRPC Messenger Overflow || url,wiki.quadrantsec.com/bin/view/Main/6103333 6103334 || [CISCO-SDEE] Windows Workstation Service Overflow || url,wiki.quadrantsec.com/bin/view/Main/6103334 6103335 || [CISCO-SDEE] Anig Worm File Transfer || url,wiki.quadrantsec.com/bin/view/Main/6103335 6103336 || [CISCO-SDEE] Windows ASN.1 Bit String NTLMv2 Integer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6103336 6103337 || [CISCO-SDEE] Windows RPC Race Condition Exploitation || url,wiki.quadrantsec.com/bin/view/Main/6103337 6103338 || [CISCO-SDEE] Windows LSASS RPC Overflow || url,wiki.quadrantsec.com/bin/view/Main/6103338 6103339 || [CISCO-SDEE] Windows System32 Directory File Creation || url,wiki.quadrantsec.com/bin/view/Main/6103339 6103340 || [CISCO-SDEE] Windows Shell External Handler || url,wiki.quadrantsec.com/bin/view/Main/6103340 6103341 || [CISCO-SDEE] Metasploit Activity || url,wiki.quadrantsec.com/bin/view/Main/6103341 6103342 || [CISCO-SDEE] Windows NetDDE Overflow || url,wiki.quadrantsec.com/bin/view/Main/6103342 6103343 || [CISCO-SDEE] Windows Account Locked || url,wiki.quadrantsec.com/bin/view/Main/6103343 6103344 || [CISCO-SDEE] Windows 2000 TCP RPC DoS || url,wiki.quadrantsec.com/bin/view/Main/6103344 6103345 || [CISCO-SDEE] RPC WinNuke || url,wiki.quadrantsec.com/bin/view/Main/6103345 6103346 || [CISCO-SDEE] Windows TSShutdn.exe Attempt || url,wiki.quadrantsec.com/bin/view/Main/6103346 6103347 || [CISCO-SDEE] Windows ASN.1 Library Bit String Heap Corruption || url,wiki.quadrantsec.com/bin/view/Main/6103347 6103348 || [CISCO-SDEE] NetBIOS Disk Enumerations || url,wiki.quadrantsec.com/bin/view/Main/6103348 6103349 || [CISCO-SDEE] NetBIOS Date And Time Enumerations || url,wiki.quadrantsec.com/bin/view/Main/6103349 6103350 || [CISCO-SDEE] NetBIOS Transport Enumerations || 
url,wiki.quadrantsec.com/bin/view/Main/6103350 6103351 || [CISCO-SDEE] NetBIOS User Session Enumerations || url,wiki.quadrantsec.com/bin/view/Main/6103351 6103352 || [CISCO-SDEE] Samba Fragment Reassembly Overflow || url,wiki.quadrantsec.com/bin/view/Main/6103352 6103353 || [CISCO-SDEE] SMB Request Overflow || url,wiki.quadrantsec.com/bin/view/Main/6103353 6103356 || [CISCO-SDEE] Remote Registry Request DoS || url,wiki.quadrantsec.com/bin/view/Main/6103356 6103357 || [CISCO-SDEE] Invalid Netbios Name || url,wiki.quadrantsec.com/bin/view/Main/6103357 6103400 || [CISCO-SDEE] Sun Kill Telnet DoS || url,wiki.quadrantsec.com/bin/view/Main/6103400 6103401 || [CISCO-SDEE] Telnet-IFS Match || url,wiki.quadrantsec.com/bin/view/Main/6103401 6103402 || [CISCO-SDEE] BSD Telnet Daemon Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6103402 6103403 || [CISCO-SDEE] Telnet Excessive Environment Options || url,wiki.quadrantsec.com/bin/view/Main/6103403 6103404 || [CISCO-SDEE] SysV /bin/login Overflow || url,wiki.quadrantsec.com/bin/view/Main/6103404 6103405 || [CISCO-SDEE] Avirt Gateway Proxy Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6103405 6103406 || [CISCO-SDEE] Solaris TTYPROMPT Overflow || url,wiki.quadrantsec.com/bin/view/Main/6103406 6103407 || [CISCO-SDEE] Telnet Client NEW ENVIRON Option Overflow || url,wiki.quadrantsec.com/bin/view/Main/6103407 6103408 || [CISCO-SDEE] Telnet Client LINEMODE SLC Option Overflow || url,wiki.quadrantsec.com/bin/view/Main/6103408 6103409 || [CISCO-SDEE] Telnet Over Non-standard Ports || url,wiki.quadrantsec.com/bin/view/Main/6103409 6103450 || [CISCO-SDEE] Finger Bomb || url,wiki.quadrantsec.com/bin/view/Main/6103450 6103451 || [CISCO-SDEE] BearShare Directory Traversal || url,wiki.quadrantsec.com/bin/view/Main/6103451 6103452 || [CISCO-SDEE] Gopherd Halidate Overflow || url,wiki.quadrantsec.com/bin/view/Main/6103452 6103453 || [CISCO-SDEE] MS NetMeeting RDS DoS || url,wiki.quadrantsec.com/bin/view/Main/6103453 
6103454 || [CISCO-SDEE] Check Point Firewall Information Leak || url,wiki.quadrantsec.com/bin/view/Main/6103454 6103455 || [CISCO-SDEE] Java Web Server Cmd Exec || url,wiki.quadrantsec.com/bin/view/Main/6103455 6103456 || [CISCO-SDEE] Solaris in.fingerd Information Leak || url,wiki.quadrantsec.com/bin/view/Main/6103456 6103457 || [CISCO-SDEE] Finger root shell || url,wiki.quadrantsec.com/bin/view/Main/6103457 6103458 || [CISCO-SDEE] AIM game invite overflow || url,wiki.quadrantsec.com/bin/view/Main/6103458 6103459 || [CISCO-SDEE] ValiCert Forms.exe Overflow || url,wiki.quadrantsec.com/bin/view/Main/6103459 6103461 || [CISCO-SDEE] Finger probe || url,wiki.quadrantsec.com/bin/view/Main/6103461 6103462 || [CISCO-SDEE] Finger Redirect || url,wiki.quadrantsec.com/bin/view/Main/6103462 6103463 || [CISCO-SDEE] Finger root || url,wiki.quadrantsec.com/bin/view/Main/6103463 6103464 || [CISCO-SDEE] File access in finger || url,wiki.quadrantsec.com/bin/view/Main/6103464 6103465 || [CISCO-SDEE] Finger Activity || url,wiki.quadrantsec.com/bin/view/Main/6103465 6103466 || [CISCO-SDEE] RAS/PPTP Malformed Control Packet DOS || url,wiki.quadrantsec.com/bin/view/Main/6103466 6103500 || [CISCO-SDEE] Rlogin -froot Attack || url,wiki.quadrantsec.com/bin/view/Main/6103500 6103501 || [CISCO-SDEE] Rlogin Long TERM Variable || url,wiki.quadrantsec.com/bin/view/Main/6103501 6103502 || [CISCO-SDEE] rlogin Activity || url,wiki.quadrantsec.com/bin/view/Main/6103502 6103525 || [CISCO-SDEE] IMAP Authenticate Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6103525 6103526 || [CISCO-SDEE] Imap Login Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6103526 6103527 || [CISCO-SDEE] UW imapd Overflows || url,wiki.quadrantsec.com/bin/view/Main/6103527 6103528 || [CISCO-SDEE] IPSwitch IMail DELETE Command Overflow || url,wiki.quadrantsec.com/bin/view/Main/6103528 6103529 || [CISCO-SDEE] IMAP Long EXAMINE Command || url,wiki.quadrantsec.com/bin/view/Main/6103529 6103530 || [CISCO-SDEE] 
Cisco Secure ACS Oversized TACACS+ Attack || url,wiki.quadrantsec.com/bin/view/Main/6103530 6103531 || [CISCO-SDEE] Cisco IOS Telnet DoS || url,wiki.quadrantsec.com/bin/view/Main/6103531 6103532 || [CISCO-SDEE] Malformed BGP Open Message || url,wiki.quadrantsec.com/bin/view/Main/6103532 6103533 || [CISCO-SDEE] Cisco IOS Misformed BGP Packet DoS || url,wiki.quadrantsec.com/bin/view/Main/6103533 6103534 || [CISCO-SDEE] IMAP Long AUTHENTICATE Command || url,wiki.quadrantsec.com/bin/view/Main/6103534 6103537 || [CISCO-SDEE] MailEnable HTTP Authorization Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6103537 6103540 || [CISCO-SDEE] Cisco Secure ACS CSAdmin Attack || url,wiki.quadrantsec.com/bin/view/Main/6103540 6103550 || [CISCO-SDEE] POP Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6103550 6103551 || [CISCO-SDEE] POP User Root || url,wiki.quadrantsec.com/bin/view/Main/6103551 6103575 || [CISCO-SDEE] INN Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6103575 6103576 || [CISCO-SDEE] INN Control Message Exploit || url,wiki.quadrantsec.com/bin/view/Main/6103576 6103577 || [CISCO-SDEE] IMAP LOGIN Command Invalid Username || url,wiki.quadrantsec.com/bin/view/Main/6103577 6103578 || [CISCO-SDEE] IMAP Format String || url,wiki.quadrantsec.com/bin/view/Main/6103578 6103600 || [CISCO-SDEE] IOS Telnet Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6103600 6103601 || [CISCO-SDEE] IOS Command History Exploit || url,wiki.quadrantsec.com/bin/view/Main/6103601 6103602 || [CISCO-SDEE] IOS Cisco Identification || url,wiki.quadrantsec.com/bin/view/Main/6103602 6103603 || [CISCO-SDEE] IOS Enable Bypass || url,wiki.quadrantsec.com/bin/view/Main/6103603 6103604 || [CISCO-SDEE] Cisco Catalyst CR DoS || url,wiki.quadrantsec.com/bin/view/Main/6103604 6103650 || [CISCO-SDEE] SSH RSAREF2 Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6103650 6103651 || [CISCO-SDEE] SSH CRC32 Overflow || url,wiki.quadrantsec.com/bin/view/Main/6103651 
6103652 || [CISCO-SDEE] SSH Gobbles || url,wiki.quadrantsec.com/bin/view/Main/6103652 6103653 || [CISCO-SDEE] Multiple Rapid SSH Connections || url,wiki.quadrantsec.com/bin/view/Main/6103653 6103654 || [CISCO-SDEE] SSH Gobbles Exploit || url,wiki.quadrantsec.com/bin/view/Main/6103654 6103700 || [CISCO-SDEE] CDE dtspcd Overflow || url,wiki.quadrantsec.com/bin/view/Main/6103700 6103701 || [CISCO-SDEE] Oracle 9iAS Web Cache Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6103701 6103702 || [CISCO-SDEE] Default sa account access || url,wiki.quadrantsec.com/bin/view/Main/6103702 6103703 || [CISCO-SDEE] Squid FTP URL Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6103703 6103704 || [CISCO-SDEE] IIS FTP STAT Denial of Service || url,wiki.quadrantsec.com/bin/view/Main/6103704 6103705 || [CISCO-SDEE] Tivoli Storage Manager Client Acceptor Overflow || url,wiki.quadrantsec.com/bin/view/Main/6103705 6103706 || [CISCO-SDEE] MIT PGP Public Key Server Overflow || url,wiki.quadrantsec.com/bin/view/Main/6103706 6103707 || [CISCO-SDEE] Perl fingerd Command Exec || url,wiki.quadrantsec.com/bin/view/Main/6103707 6103708 || [CISCO-SDEE] AnalogX Proxy Socks4a DNS Overflow || url,wiki.quadrantsec.com/bin/view/Main/6103708 6103709 || [CISCO-SDEE] AnalogX Proxy Web Proxy Overflow || url,wiki.quadrantsec.com/bin/view/Main/6103709 6103710 || [CISCO-SDEE] Cisco Secure ACS Directory Traversal || url,wiki.quadrantsec.com/bin/view/Main/6103710 6103711 || [CISCO-SDEE] Informer FW1 Auth Replay DoS || url,wiki.quadrantsec.com/bin/view/Main/6103711 6103714 || [CISCO-SDEE] Oracle TNS 'Service_Name' Overflow || url,wiki.quadrantsec.com/bin/view/Main/6103714 6103716 || [CISCO-SDEE] GDI+ JPEG Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6103716 6103718 || [CISCO-SDEE] Windows .ANI File DoS || url,wiki.quadrantsec.com/bin/view/Main/6103718 6103719 || [CISCO-SDEE] MSN Messenger PNG Overflow || url,wiki.quadrantsec.com/bin/view/Main/6103719 6103720 || [CISCO-SDEE] MSSQL sa 
Account Brute Force || url,wiki.quadrantsec.com/bin/view/Main/6103720 6103721 || [CISCO-SDEE] TNS Brute Force || url,wiki.quadrantsec.com/bin/view/Main/6103721 6103728 || [CISCO-SDEE] Long pop username || url,wiki.quadrantsec.com/bin/view/Main/6103728 6103729 || [CISCO-SDEE] Long pop password || url,wiki.quadrantsec.com/bin/view/Main/6103729 6103730 || [CISCO-SDEE] Trinoo (TCP) || url,wiki.quadrantsec.com/bin/view/Main/6103730 6103731 || [CISCO-SDEE] IMail HTTP Get Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6103731 6103732 || [CISCO-SDEE] MSSQL xp_cmdshell Usage || url,wiki.quadrantsec.com/bin/view/Main/6103732 6103733 || [CISCO-SDEE] Real Server Format Overflow || url,wiki.quadrantsec.com/bin/view/Main/6103733 6103734 || [CISCO-SDEE] Cfengine Overflow || url,wiki.quadrantsec.com/bin/view/Main/6103734 6103735 || [CISCO-SDEE] CVS Flag Insertion Overflow || url,wiki.quadrantsec.com/bin/view/Main/6103735 6103736 || [CISCO-SDEE] Subversion get-dated-rev overflow || url,wiki.quadrantsec.com/bin/view/Main/6103736 6103737 || [CISCO-SDEE] Squid Proxy NTLM Authenticate Overflow || url,wiki.quadrantsec.com/bin/view/Main/6103737 6103738 || [CISCO-SDEE] CVS Argumentx Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6103738 6103739 || [CISCO-SDEE] Nullsoft SHOUTcast Format String Attack || url,wiki.quadrantsec.com/bin/view/Main/6103739 6103740 || [CISCO-SDEE] IMail LDAP Service Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6103740 6103782 || [CISCO-SDEE] mIRC DCC Send Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6103782 6103783 || [CISCO-SDEE] BrightStor Backup Discovery UDP Probe Overflow || url,wiki.quadrantsec.com/bin/view/Main/6103783 6103784 || [CISCO-SDEE] BrightStor Discovery Service SERVICEPC Overflow || url,wiki.quadrantsec.com/bin/view/Main/6103784 6103785 || [CISCO-SDEE] Oracle 9i XDB FTP UNLOCK Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6103785 6103786 || [CISCO-SDEE] Oracle 9i XDB FTP PASS Buffer 
Overflow || url,wiki.quadrantsec.com/bin/view/Main/6103786 6103787 || [CISCO-SDEE] IRIX Printing System Remote Command Execution || url,wiki.quadrantsec.com/bin/view/Main/6103787 6103788 || [CISCO-SDEE] Solaris LPD Remote Command Execution || url,wiki.quadrantsec.com/bin/view/Main/6103788 6103789 || [CISCO-SDEE] DistCC Daemon Command Execution || url,wiki.quadrantsec.com/bin/view/Main/6103789 6103790 || [CISCO-SDEE] HP Openview Omniback II Command Execution || url,wiki.quadrantsec.com/bin/view/Main/6103790 6103791 || [CISCO-SDEE] Solaris Printd Unlink File Deletion || url,wiki.quadrantsec.com/bin/view/Main/6103791 6103792 || [CISCO-SDEE] Long Telnet Username || url,wiki.quadrantsec.com/bin/view/Main/6103792 6103793 || [CISCO-SDEE] ZENworks 6.5 Authentication Overflow || url,wiki.quadrantsec.com/bin/view/Main/6103793 6103802 || [CISCO-SDEE] Oracle iSQL*PLus Overflow || url,wiki.quadrantsec.com/bin/view/Main/6103802 6103883 || [CISCO-SDEE] Apache mod_proxy Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6103883 6103884 || [CISCO-SDEE] Cfengine Authentication Heap Based Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6103884 6103991 || [CISCO-SDEE] BackOrifice BO2K TCP Stealth 1 || url,wiki.quadrantsec.com/bin/view/Main/6103991 6104001 || [CISCO-SDEE] UDP Port Sweep || url,wiki.quadrantsec.com/bin/view/Main/6104001 6104002 || [CISCO-SDEE] UDP Host Flood || url,wiki.quadrantsec.com/bin/view/Main/6104002 6104003 || [CISCO-SDEE] Nmap UDP Port Sweep || url,wiki.quadrantsec.com/bin/view/Main/6104003 6104004 || [CISCO-SDEE] DNS Flood Attack || url,wiki.quadrantsec.com/bin/view/Main/6104004 6104050 || [CISCO-SDEE] UDP Bomb || url,wiki.quadrantsec.com/bin/view/Main/6104050 6104053 || [CISCO-SDEE] BackOrifice-Original-UDP || url,wiki.quadrantsec.com/bin/view/Main/6104053 6104054 || [CISCO-SDEE] RIP Trace || url,wiki.quadrantsec.com/bin/view/Main/6104054 6104056 || [CISCO-SDEE] NTPd readvar overflow || url,wiki.quadrantsec.com/bin/view/Main/6104056 6104058 
|| [CISCO-SDEE] UPnP LOCATION Overflow || url,wiki.quadrantsec.com/bin/view/Main/6104058 6104060 || [CISCO-SDEE] Back Orifice Ping || url,wiki.quadrantsec.com/bin/view/Main/6104060 6104061 || [CISCO-SDEE] Chargen Echo DoS || url,wiki.quadrantsec.com/bin/view/Main/6104061 6104062 || [CISCO-SDEE] Cisco CSS 11000 Malformed UDP DoS || url,wiki.quadrantsec.com/bin/view/Main/6104062 6104063 || [CISCO-SDEE] Unreal Engine secure Overflow || url,wiki.quadrantsec.com/bin/view/Main/6104063 6104067 || [CISCO-SDEE] Malformed IKE Packet DoS || url,wiki.quadrantsec.com/bin/view/Main/6104067 6104068 || [CISCO-SDEE] DoS NBT Stream || url,wiki.quadrantsec.com/bin/view/Main/6104068 6104100 || [CISCO-SDEE] Tftp Passwd File || url,wiki.quadrantsec.com/bin/view/Main/6104100 6104101 || [CISCO-SDEE] Cisco TFTPD Directory Traversal || url,wiki.quadrantsec.com/bin/view/Main/6104101 6104150 || [CISCO-SDEE] Ascend Denial of Service || url,wiki.quadrantsec.com/bin/view/Main/6104150 6104151 || [CISCO-SDEE] BOBAX Virus Activity || url,wiki.quadrantsec.com/bin/view/Main/6104151 6104322 || [CISCO-SDEE] Generic File Transfer Signatures || url,wiki.quadrantsec.com/bin/view/Main/6104322 6104500 || [CISCO-SDEE] Cisco IOS Embedded SNMP Community Names || url,wiki.quadrantsec.com/bin/view/Main/6104500 6104501 || [CISCO-SDEE] CVCO/4K Remote Username / Password Retrieve || url,wiki.quadrantsec.com/bin/view/Main/6104501 6104502 || [CISCO-SDEE] SNMP Community Name Brute Force Attempt || url,wiki.quadrantsec.com/bin/view/Main/6104502 6104503 || [CISCO-SDEE] Windows NT SNMP System Info Retrieve || url,wiki.quadrantsec.com/bin/view/Main/6104503 6104504 || [CISCO-SDEE] SNMP IOS Configuration Retrieval || url,wiki.quadrantsec.com/bin/view/Main/6104504 6104505 || [CISCO-SDEE] SNMP IOS VACM MIB Access || url,wiki.quadrantsec.com/bin/view/Main/6104505 6104506 || [CISCO-SDEE] D-Link Wireless SNMP Plain Text Password || url,wiki.quadrantsec.com/bin/view/Main/6104506 6104507 || [CISCO-SDEE] SNMP Protocol Violation || 
url,wiki.quadrantsec.com/bin/view/Main/6104507 6104508 || [CISCO-SDEE] Non SNMP Traffic || url,wiki.quadrantsec.com/bin/view/Main/6104508 6104509 || [CISCO-SDEE] HP Openview SNMP Hidden Community Name || url,wiki.quadrantsec.com/bin/view/Main/6104509 6104510 || [CISCO-SDEE] Solaris SNMP Hidden Community Name || url,wiki.quadrantsec.com/bin/view/Main/6104510 6104511 || [CISCO-SDEE] Avaya SNMP Hidden Community Name || url,wiki.quadrantsec.com/bin/view/Main/6104511 6104512 || [CISCO-SDEE] SNMP Community String Public || url,wiki.quadrantsec.com/bin/view/Main/6104512 6104513 || [CISCO-SDEE] Cisco SNMP Message Processing DoS || url,wiki.quadrantsec.com/bin/view/Main/6104513 6104514 || [CISCO-SDEE] SNMP Community String Public || url,wiki.quadrantsec.com/bin/view/Main/6104514 6104515 || [CISCO-SDEE] Cisco IP/VC Embedded Community Names || url,wiki.quadrantsec.com/bin/view/Main/6104515 6104516 || [CISCO-SDEE] SNMP Printer Query DoS || url,wiki.quadrantsec.com/bin/view/Main/6104516 6104600 || [CISCO-SDEE] IOS UDP Bomb || url,wiki.quadrantsec.com/bin/view/Main/6104600 6104601 || [CISCO-SDEE] CheckPoint Firewall RDP ByPass || url,wiki.quadrantsec.com/bin/view/Main/6104601 6104602 || [CISCO-SDEE] Beagle (Bagle) Virus DNS Lookup || url,wiki.quadrantsec.com/bin/view/Main/6104602 6104603 || [CISCO-SDEE] DHCP Discover || url,wiki.quadrantsec.com/bin/view/Main/6104603 6104604 || [CISCO-SDEE] DHCP Request || url,wiki.quadrantsec.com/bin/view/Main/6104604 6104605 || [CISCO-SDEE] DHCP Offer || url,wiki.quadrantsec.com/bin/view/Main/6104605 6104606 || [CISCO-SDEE] Cisco TFTP Long Filename Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6104606 6104607 || [CISCO-SDEE] Deep Throat Response || url,wiki.quadrantsec.com/bin/view/Main/6104607 6104608 || [CISCO-SDEE] Trinoo (UDP) || url,wiki.quadrantsec.com/bin/view/Main/6104608 6104609 || [CISCO-SDEE] Orinoco SNMP Info Leak || url,wiki.quadrantsec.com/bin/view/Main/6104609 6104610 || [CISCO-SDEE] Kerberos 4 User Recon || 
url,wiki.quadrantsec.com/bin/view/Main/6104610 6104611 || [CISCO-SDEE] D-Link DWL-900AP+ TFTP Config Retrieve || url,wiki.quadrantsec.com/bin/view/Main/6104611 6104612 || [CISCO-SDEE] Cisco IP Phone TFTP Config Retrieve || url,wiki.quadrantsec.com/bin/view/Main/6104612 6104613 || [CISCO-SDEE] TFTP Filename Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6104613 6104614 || [CISCO-SDEE] TFTP Overflow || url,wiki.quadrantsec.com/bin/view/Main/6104614 6104615 || [CISCO-SDEE] Beagle.B (Bagle.B) Virus DNS Lookup || url,wiki.quadrantsec.com/bin/view/Main/6104615 6104617 || [CISCO-SDEE] PoPToP PPtP Short Length Overflow || url,wiki.quadrantsec.com/bin/view/Main/6104617 6104619 || [CISCO-SDEE] Invalid DHCP Packet || url,wiki.quadrantsec.com/bin/view/Main/6104619 6104620 || [CISCO-SDEE] DNS Limited Broadcast Query || url,wiki.quadrantsec.com/bin/view/Main/6104620 6104701 || [CISCO-SDEE] MSSQL Resolution Service Stack Overflow || url,wiki.quadrantsec.com/bin/view/Main/6104701 6104702 || [CISCO-SDEE] MSSQL Resolution Service Heap Overflow || url,wiki.quadrantsec.com/bin/view/Main/6104702 6104703 || [CISCO-SDEE] MSSQL Resolution Service Stack Overflow || url,wiki.quadrantsec.com/bin/view/Main/6104703 6104704 || [CISCO-SDEE] MSSQL Resolution Service Heap Overflow || url,wiki.quadrantsec.com/bin/view/Main/6104704 6105034 || [CISCO-SDEE] WWW IIS newdsn attack || url,wiki.quadrantsec.com/bin/view/Main/6105034 6105035 || [CISCO-SDEE] HTTP cgi HylaFAX Faxsurvey || url,wiki.quadrantsec.com/bin/view/Main/6105035 6105037 || [CISCO-SDEE] WWW SGI MachineInfo Attack || url,wiki.quadrantsec.com/bin/view/Main/6105037 6105038 || [CISCO-SDEE] WWW wwwsql file read Bug || url,wiki.quadrantsec.com/bin/view/Main/6105038 6105039 || [CISCO-SDEE] WWW finger attempt || url,wiki.quadrantsec.com/bin/view/Main/6105039 6105041 || [CISCO-SDEE] WWW anyform attack || url,wiki.quadrantsec.com/bin/view/Main/6105041 6105044 || [CISCO-SDEE] WWW Webcom.se Guestbook attack || 
url,wiki.quadrantsec.com/bin/view/Main/6105044 6105045 || [CISCO-SDEE] WWW xterm display attack || url,wiki.quadrantsec.com/bin/view/Main/6105045 6105046 || [CISCO-SDEE] WWW dumpenv.pl recon || url,wiki.quadrantsec.com/bin/view/Main/6105046 6105047 || [CISCO-SDEE] WWW Server Side Include POST attack || url,wiki.quadrantsec.com/bin/view/Main/6105047 6105048 || [CISCO-SDEE] WWW IIS BAT EXE attack || url,wiki.quadrantsec.com/bin/view/Main/6105048 6105049 || [CISCO-SDEE] WWW IIS showcode.asp access || url,wiki.quadrantsec.com/bin/view/Main/6105049 6105050 || [CISCO-SDEE] WWW IIS .htr Overflow Attack || url,wiki.quadrantsec.com/bin/view/Main/6105050 6105051 || [CISCO-SDEE] IIS Double Byte Code Page || url,wiki.quadrantsec.com/bin/view/Main/6105051 6105052 || [CISCO-SDEE] FrontPage Extensions PWD Open Attempt || url,wiki.quadrantsec.com/bin/view/Main/6105052 6105053 || [CISCO-SDEE] FrontPage _vti_bin Directory List Attempt || url,wiki.quadrantsec.com/bin/view/Main/6105053 6105054 || [CISCO-SDEE] WWWBoard Password || url,wiki.quadrantsec.com/bin/view/Main/6105054 6105055 || [CISCO-SDEE] HTTP Basic Authentication Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105055 6105056 || [CISCO-SDEE] WWW Cisco IOS %% DoS || url,wiki.quadrantsec.com/bin/view/Main/6105056 6105057 || [CISCO-SDEE] WWW Sambar Samples || url,wiki.quadrantsec.com/bin/view/Main/6105057 6105058 || [CISCO-SDEE] WWW info2www Attack || url,wiki.quadrantsec.com/bin/view/Main/6105058 6105059 || [CISCO-SDEE] WWW Alibaba Attack || url,wiki.quadrantsec.com/bin/view/Main/6105059 6105060 || [CISCO-SDEE] WWW Excite AT-generate.cgi Access || url,wiki.quadrantsec.com/bin/view/Main/6105060 6105061 || [CISCO-SDEE] WWW catalog_type.asp Access || url,wiki.quadrantsec.com/bin/view/Main/6105061 6105062 || [CISCO-SDEE] WWW classifieds.cgi Attack || url,wiki.quadrantsec.com/bin/view/Main/6105062 6105064 || [CISCO-SDEE] WWW imagemap.cgi Attack || url,wiki.quadrantsec.com/bin/view/Main/6105064 6105065 || [CISCO-SDEE] WWW IRIX 
infosrch.cgi Attack || url,wiki.quadrantsec.com/bin/view/Main/6105065 6105066 || [CISCO-SDEE] WWW man.sh Access || url,wiki.quadrantsec.com/bin/view/Main/6105066 6105067 || [CISCO-SDEE] WWW plusmail Attack || url,wiki.quadrantsec.com/bin/view/Main/6105067 6105068 || [CISCO-SDEE] WWW formmail.pl Access || url,wiki.quadrantsec.com/bin/view/Main/6105068 6105069 || [CISCO-SDEE] WWW whois_raw.cgi Attack || url,wiki.quadrantsec.com/bin/view/Main/6105069 6105070 || [CISCO-SDEE] WWW msadcs.dll Access || url,wiki.quadrantsec.com/bin/view/Main/6105070 6105071 || [CISCO-SDEE] WWW msacds.dll Attack || url,wiki.quadrantsec.com/bin/view/Main/6105071 6105072 || [CISCO-SDEE] WWW bizdb1-search.cgi Attack || url,wiki.quadrantsec.com/bin/view/Main/6105072 6105073 || [CISCO-SDEE] WWW EZshopper loadpage.cgi Attack || url,wiki.quadrantsec.com/bin/view/Main/6105073 6105074 || [CISCO-SDEE] WWW EZshopper search.cgi Attack || url,wiki.quadrantsec.com/bin/view/Main/6105074 6105075 || [CISCO-SDEE] WWW IIS Virtualized UNC Bug || url,wiki.quadrantsec.com/bin/view/Main/6105075 6105076 || [CISCO-SDEE] WWW webplus bug || url,wiki.quadrantsec.com/bin/view/Main/6105076 6105077 || [CISCO-SDEE] WWW Excite AT-admin.cgi Access || url,wiki.quadrantsec.com/bin/view/Main/6105077 6105078 || [CISCO-SDEE] WWW Piranha passwd attack || url,wiki.quadrantsec.com/bin/view/Main/6105078 6105079 || [CISCO-SDEE] WWW PCCS MySQL Admin Access || url,wiki.quadrantsec.com/bin/view/Main/6105079 6105080 || [CISCO-SDEE] WWW IBM WebSphere Access || url,wiki.quadrantsec.com/bin/view/Main/6105080 6105081 || [CISCO-SDEE] WWW WinNT cmd.exe Access || url,wiki.quadrantsec.com/bin/view/Main/6105081 6105082 || [CISCO-SDEE] IE HTML Objects Memory Corruption || url,wiki.quadrantsec.com/bin/view/Main/6105082 6105083 || [CISCO-SDEE] WWW Virtual Vision FTP Browser Access || url,wiki.quadrantsec.com/bin/view/Main/6105083 6105084 || [CISCO-SDEE] WWW Alibaba Attack 2 || url,wiki.quadrantsec.com/bin/view/Main/6105084 6105085 || [CISCO-SDEE] 
WWW IIS Source Fragment Access || url,wiki.quadrantsec.com/bin/view/Main/6105085 6105086 || [CISCO-SDEE] WWW WEBactive Logfile Access || url,wiki.quadrantsec.com/bin/view/Main/6105086 6105087 || [CISCO-SDEE] WWW Sun Java Server Access || url,wiki.quadrantsec.com/bin/view/Main/6105087 6105088 || [CISCO-SDEE] WWW Akopia MiniVend Access || url,wiki.quadrantsec.com/bin/view/Main/6105088 6105089 || [CISCO-SDEE] WWW Big Brother Directory Access || url,wiki.quadrantsec.com/bin/view/Main/6105089 6105090 || [CISCO-SDEE] WWW FrontPage htimage.exe Access || url,wiki.quadrantsec.com/bin/view/Main/6105090 6105091 || [CISCO-SDEE] WWW Cart32 Remote Admin Access || url,wiki.quadrantsec.com/bin/view/Main/6105091 6105092 || [CISCO-SDEE] WWW CGI-World Poll It Access || url,wiki.quadrantsec.com/bin/view/Main/6105092 6105093 || [CISCO-SDEE] WWW PHP-Nuke admin.php3 Access || url,wiki.quadrantsec.com/bin/view/Main/6105093 6105095 || [CISCO-SDEE] WWW CGI Script Center Account Manager Attack || url,wiki.quadrantsec.com/bin/view/Main/6105095 6105096 || [CISCO-SDEE] WWW CGI Script Center Subscribe Me Attack || url,wiki.quadrantsec.com/bin/view/Main/6105096 6105097 || [CISCO-SDEE] WWW FrontPage MS-DOS Device Attack || url,wiki.quadrantsec.com/bin/view/Main/6105097 6105099 || [CISCO-SDEE] WWW GWScripts News Publisher Access || url,wiki.quadrantsec.com/bin/view/Main/6105099 6105100 || [CISCO-SDEE] WWW CGI Center Auction Weaver File Access || url,wiki.quadrantsec.com/bin/view/Main/6105100 6105101 || [CISCO-SDEE] WWW CGI Center Auction Weaver Attack || url,wiki.quadrantsec.com/bin/view/Main/6105101 6105102 || [CISCO-SDEE] WWW phpPhotoAlbum explorer.php Access || url,wiki.quadrantsec.com/bin/view/Main/6105102 6105103 || [CISCO-SDEE] WWW SuSE Apache CGI Source Access || url,wiki.quadrantsec.com/bin/view/Main/6105103 6105104 || [CISCO-SDEE] WWW YaBB File Access || url,wiki.quadrantsec.com/bin/view/Main/6105104 6105105 || [CISCO-SDEE] WWW Ranson Johnson mailto.cgi Attack || 
url,wiki.quadrantsec.com/bin/view/Main/6105105 6105106 || [CISCO-SDEE] WWW Ranson Johnson mailform.pl Access || url,wiki.quadrantsec.com/bin/view/Main/6105106 6105107 || [CISCO-SDEE] WWW Mandrake Linux /perl Access || url,wiki.quadrantsec.com/bin/view/Main/6105107 6105108 || [CISCO-SDEE] WWW Netegrity Site Minder Access || url,wiki.quadrantsec.com/bin/view/Main/6105108 6105109 || [CISCO-SDEE] WWW Sambar Beta search.dll Access || url,wiki.quadrantsec.com/bin/view/Main/6105109 6105110 || [CISCO-SDEE] WWW SuSE Installed Packages Access || url,wiki.quadrantsec.com/bin/view/Main/6105110 6105111 || [CISCO-SDEE] WWW Solaris Answerbook 2 Access || url,wiki.quadrantsec.com/bin/view/Main/6105111 6105112 || [CISCO-SDEE] WWW Solaris Answerbook 2 Attack || url,wiki.quadrantsec.com/bin/view/Main/6105112 6105113 || [CISCO-SDEE] WWW CommuniGate Pro Access || url,wiki.quadrantsec.com/bin/view/Main/6105113 6105114 || [CISCO-SDEE] WWW IIS Unicode Attack || url,wiki.quadrantsec.com/bin/view/Main/6105114 6105115 || [CISCO-SDEE] Netscape Enterprise Server with ?wp Tags || url,wiki.quadrantsec.com/bin/view/Main/6105115 6105116 || [CISCO-SDEE] Endymion MailMan Remote Command Execution || url,wiki.quadrantsec.com/bin/view/Main/6105116 6105117 || [CISCO-SDEE] phpGroupWare Remote Command Exec || url,wiki.quadrantsec.com/bin/view/Main/6105117 6105118 || [CISCO-SDEE] eWave ServletExec 3.0C File Upload || url,wiki.quadrantsec.com/bin/view/Main/6105118 6105119 || [CISCO-SDEE] CGI Script Center News Update Admin Passwd Change || url,wiki.quadrantsec.com/bin/view/Main/6105119 6105120 || [CISCO-SDEE] Netscape Server Suite Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105120 6105121 || [CISCO-SDEE] iPlanet .shtml Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105121 6105122 || [CISCO-SDEE] Nokia IP440 Denial of Service || url,wiki.quadrantsec.com/bin/view/Main/6105122 6105123 || [CISCO-SDEE] WWW IIS Internet Printing Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105123 
6105124 || [CISCO-SDEE] IIS CGI Double Decode || url,wiki.quadrantsec.com/bin/view/Main/6105124 6105125 || [CISCO-SDEE] PerlCal Directory Traversal || url,wiki.quadrantsec.com/bin/view/Main/6105125 6105126 || [CISCO-SDEE] WWW IIS .ida Indexing Service Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105126 6105127 || [CISCO-SDEE] WWW viewsrc.cgi Directory Traversal || url,wiki.quadrantsec.com/bin/view/Main/6105127 6105128 || [CISCO-SDEE] WWW nph-maillist.pl Cmd Exec || url,wiki.quadrantsec.com/bin/view/Main/6105128 6105129 || [CISCO-SDEE] IOS HTTP Unauth Command Execution || url,wiki.quadrantsec.com/bin/view/Main/6105129 6105130 || [CISCO-SDEE] Bugzilla Privileged Information Disclosure || url,wiki.quadrantsec.com/bin/view/Main/6105130 6105131 || [CISCO-SDEE] talkback.cgi Directory Traversal || url,wiki.quadrantsec.com/bin/view/Main/6105131 6105132 || [CISCO-SDEE] VirusWall catinfo Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105132 6105133 || [CISCO-SDEE] Net.Commerce Macro Path Disclosure || url,wiki.quadrantsec.com/bin/view/Main/6105133 6105134 || [CISCO-SDEE] MacOS PWS DoS || url,wiki.quadrantsec.com/bin/view/Main/6105134 6105138 || [CISCO-SDEE] Oracle Application Server Shared Library Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105138 6105140 || [CISCO-SDEE] Net.Commerce Macro Denial of Service || url,wiki.quadrantsec.com/bin/view/Main/6105140 6105141 || [CISCO-SDEE] NCM Content.pl SQL Query Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6105141 6105142 || [CISCO-SDEE] DCShop File Disclosure || url,wiki.quadrantsec.com/bin/view/Main/6105142 6105146 || [CISCO-SDEE] MS-DOS Device Name DoS || url,wiki.quadrantsec.com/bin/view/Main/6105146 6105147 || [CISCO-SDEE] Arcadia Internet Store Directory Traversal Attempt || url,wiki.quadrantsec.com/bin/view/Main/6105147 6105148 || [CISCO-SDEE] Perception LiteServe Web Server CGI Source Code Disclosure || url,wiki.quadrantsec.com/bin/view/Main/6105148 6105149 || [CISCO-SDEE] Trend Micro 
Interscan Viruswall Configuration Modification || url,wiki.quadrantsec.com/bin/view/Main/6105149 6105150 || [CISCO-SDEE] InterScan VirusWall RegGo.dll Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105150 6105151 || [CISCO-SDEE] WebStore Admin Bypass || url,wiki.quadrantsec.com/bin/view/Main/6105151 6105152 || [CISCO-SDEE] WebStore Command Exec || url,wiki.quadrantsec.com/bin/view/Main/6105152 6105154 || [CISCO-SDEE] WWW uDirectory Directory Traversal || url,wiki.quadrantsec.com/bin/view/Main/6105154 6105155 || [CISCO-SDEE] WWW SiteWare Editor Directory Traversal || url,wiki.quadrantsec.com/bin/view/Main/6105155 6105156 || [CISCO-SDEE] WWW Microsoft fp30reg.dll Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105156 6105157 || [CISCO-SDEE] Tarantella TTAWebTop.CGI Directory Traversal Bug || url,wiki.quadrantsec.com/bin/view/Main/6105157 6105158 || [CISCO-SDEE] iPlanet Proprietary Method Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105158 6105159 || [CISCO-SDEE] phpMyAdmin Cmd Exec || url,wiki.quadrantsec.com/bin/view/Main/6105159 6105160 || [CISCO-SDEE] Apache ? 
indexing file disclosure bug || url,wiki.quadrantsec.com/bin/view/Main/6105160 6105161 || [CISCO-SDEE] SquirrelMail Command Exec || url,wiki.quadrantsec.com/bin/view/Main/6105161 6105162 || [CISCO-SDEE] Active Classifieds Command Exec || url,wiki.quadrantsec.com/bin/view/Main/6105162 6105163 || [CISCO-SDEE] Mambo Site Server Administrative Password ByPass || url,wiki.quadrantsec.com/bin/view/Main/6105163 6105164 || [CISCO-SDEE] PHPBB Remote SQL Query Manipulation || url,wiki.quadrantsec.com/bin/view/Main/6105164 6105165 || [CISCO-SDEE] php-nuke article.php sql query || url,wiki.quadrantsec.com/bin/view/Main/6105165 6105166 || [CISCO-SDEE] php-nuke modules.php DoS || url,wiki.quadrantsec.com/bin/view/Main/6105166 6105167 || [CISCO-SDEE] phpMyAdmin Cmd Exec 2 || url,wiki.quadrantsec.com/bin/view/Main/6105167 6105168 || [CISCO-SDEE] Snapstream PVS Directory Traversal Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6105168 6105169 || [CISCO-SDEE] SnapStream PVS Plaintext Password Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6105169 6105170 || [CISCO-SDEE] Null Byte In HTTP Request || url,wiki.quadrantsec.com/bin/view/Main/6105170 6105171 || [CISCO-SDEE] NC-Book book.cgi Cmd Exec || url,wiki.quadrantsec.com/bin/view/Main/6105171 6105172 || [CISCO-SDEE] WinWrapper Admin Server Directory Traversal || url,wiki.quadrantsec.com/bin/view/Main/6105172 6105173 || [CISCO-SDEE] Directory Manager Cmd Exec || url,wiki.quadrantsec.com/bin/view/Main/6105173 6105174 || [CISCO-SDEE] phpmyexplorer directory traversal || url,wiki.quadrantsec.com/bin/view/Main/6105174 6105175 || [CISCO-SDEE] Hassan Shopping Cart Command Exec || url,wiki.quadrantsec.com/bin/view/Main/6105175 6105176 || [CISCO-SDEE] Exchange Address List Disclosure || url,wiki.quadrantsec.com/bin/view/Main/6105176 6105177 || [CISCO-SDEE] DoS Arnudp || url,wiki.quadrantsec.com/bin/view/Main/6105177 6105178 || [CISCO-SDEE] MS Index Server File/Path Recon || url,wiki.quadrantsec.com/bin/view/Main/6105178 
6105179 || [CISCO-SDEE] PHP-Nuke File Upload || url,wiki.quadrantsec.com/bin/view/Main/6105179 6105180 || [CISCO-SDEE] sgiMerchant Directory Traversal || url,wiki.quadrantsec.com/bin/view/Main/6105180 6105181 || [CISCO-SDEE] MacOS Apache File Disclosure || url,wiki.quadrantsec.com/bin/view/Main/6105181 6105182 || [CISCO-SDEE] WebDiscount's eShop Arbitrary Command Exec || url,wiki.quadrantsec.com/bin/view/Main/6105182 6105183 || [CISCO-SDEE] PHP File Inclusion Remote Exec || url,wiki.quadrantsec.com/bin/view/Main/6105183 6105184 || [CISCO-SDEE] Apache Authentication Module ByPass || url,wiki.quadrantsec.com/bin/view/Main/6105184 6105188 || [CISCO-SDEE] HTTP Tunneling || url,wiki.quadrantsec.com/bin/view/Main/6105188 6105191 || [CISCO-SDEE] Active Perl PerlIS.dll Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105191 6105194 || [CISCO-SDEE] Apache Server .ht File Access || url,wiki.quadrantsec.com/bin/view/Main/6105194 6105195 || [CISCO-SDEE] AS/400 '/' attack || url,wiki.quadrantsec.com/bin/view/Main/6105195 6105196 || [CISCO-SDEE] Red Hat Stronghold Recon attack || url,wiki.quadrantsec.com/bin/view/Main/6105196 6105197 || [CISCO-SDEE] Network Query Tool command Exec || url,wiki.quadrantsec.com/bin/view/Main/6105197 6105199 || [CISCO-SDEE] W3Mail Command Exec || url,wiki.quadrantsec.com/bin/view/Main/6105199 6105200 || [CISCO-SDEE] IIS Data Stream Source Disclosure || url,wiki.quadrantsec.com/bin/view/Main/6105200 6105201 || [CISCO-SDEE] PHP-Nuke Cross Site Scripting || url,wiki.quadrantsec.com/bin/view/Main/6105201 6105202 || [CISCO-SDEE] PHP-Nuke File Copy / Delete || url,wiki.quadrantsec.com/bin/view/Main/6105202 6105203 || [CISCO-SDEE] Hosting Controller File Access and Upload || url,wiki.quadrantsec.com/bin/view/Main/6105203 6105204 || [CISCO-SDEE] AspUpload Sample Scripts || url,wiki.quadrantsec.com/bin/view/Main/6105204 6105205 || [CISCO-SDEE] Apache php.exe File Disclosure || url,wiki.quadrantsec.com/bin/view/Main/6105205 6105206 || [CISCO-SDEE] 
Horde IMP Session Hijack || url,wiki.quadrantsec.com/bin/view/Main/6105206 6105207 || [CISCO-SDEE] Entrust GetAccess directory traversal || url,wiki.quadrantsec.com/bin/view/Main/6105207 6105208 || [CISCO-SDEE] Network Tools shell metacharacters || url,wiki.quadrantsec.com/bin/view/Main/6105208 6105209 || [CISCO-SDEE] Agora.cgi Cross Site Scripting || url,wiki.quadrantsec.com/bin/view/Main/6105209 6105210 || [CISCO-SDEE] FAQManager.cgi directory traversal || url,wiki.quadrantsec.com/bin/view/Main/6105210 6105211 || [CISCO-SDEE] zml.cgi File Disclosure || url,wiki.quadrantsec.com/bin/view/Main/6105211 6105212 || [CISCO-SDEE] Bugzilla Admin Authorization Bypass || url,wiki.quadrantsec.com/bin/view/Main/6105212 6105213 || [CISCO-SDEE] Bugzilla Command Exec || url,wiki.quadrantsec.com/bin/view/Main/6105213 6105214 || [CISCO-SDEE] FAQManager.cgi null bytes || url,wiki.quadrantsec.com/bin/view/Main/6105214 6105215 || [CISCO-SDEE] lastlines.cgi cmd exec/traversal || url,wiki.quadrantsec.com/bin/view/Main/6105215 6105216 || [CISCO-SDEE] PHP Rocket Directory Traversal || url,wiki.quadrantsec.com/bin/view/Main/6105216 6105217 || [CISCO-SDEE] Webmin Directory Traversal || url,wiki.quadrantsec.com/bin/view/Main/6105217 6105218 || [CISCO-SDEE] Boozt Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105218 6105219 || [CISCO-SDEE] Lotus Domino database DoS || url,wiki.quadrantsec.com/bin/view/Main/6105219 6105220 || [CISCO-SDEE] CSVForm Remote Command Exec || url,wiki.quadrantsec.com/bin/view/Main/6105220 6105221 || [CISCO-SDEE] Hosting Controller Directory Traversal || url,wiki.quadrantsec.com/bin/view/Main/6105221 6105222 || [CISCO-SDEE] DoS Beer || url,wiki.quadrantsec.com/bin/view/Main/6105222 6105223 || [CISCO-SDEE] Pi3Web Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105223 6105224 || [CISCO-SDEE] SquirrelMail SquirrelSpell Command Exec || url,wiki.quadrantsec.com/bin/view/Main/6105224 6105229 || [CISCO-SDEE] DCP Portal Root Path Disclosure || 
url,wiki.quadrantsec.com/bin/view/Main/6105229 6105230 || [CISCO-SDEE] Lotus Domino Authentication Bypass || url,wiki.quadrantsec.com/bin/view/Main/6105230 6105231 || [CISCO-SDEE] MRTG Directory Traversal || url,wiki.quadrantsec.com/bin/view/Main/6105231 6105232 || [CISCO-SDEE] URL with XSS || url,wiki.quadrantsec.com/bin/view/Main/6105232 6105233 || [CISCO-SDEE] PHP fileupload Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105233 6105234 || [CISCO-SDEE] pforum sql-injection || url,wiki.quadrantsec.com/bin/view/Main/6105234 6105235 || [CISCO-SDEE] Mac OS X URI Handler Arbitrary Code Execution || url,wiki.quadrantsec.com/bin/view/Main/6105235 6105236 || [CISCO-SDEE] Xoops sql-injection || url,wiki.quadrantsec.com/bin/view/Main/6105236 6105237 || [CISCO-SDEE] HTTP CONNECT Tunnel || url,wiki.quadrantsec.com/bin/view/Main/6105237 6105238 || [CISCO-SDEE] EZNET Ezboard Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105238 6105239 || [CISCO-SDEE] Sambar cgitest.exe Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105239 6105240 || [CISCO-SDEE] Marcus Xenakis Shell Command Exec || url,wiki.quadrantsec.com/bin/view/Main/6105240 6105241 || [CISCO-SDEE] Avenger System Command Exec || url,wiki.quadrantsec.com/bin/view/Main/6105241 6105243 || [CISCO-SDEE] CS .cgi Script Cmd Exec || url,wiki.quadrantsec.com/bin/view/Main/6105243 6105244 || [CISCO-SDEE] PhpSmsSend Command Exec || url,wiki.quadrantsec.com/bin/view/Main/6105244 6105245 || [CISCO-SDEE] HTTP 1.1 Chunked Encoding Transfer || url,wiki.quadrantsec.com/bin/view/Main/6105245 6105246 || [CISCO-SDEE] IIS ISAPI Filter Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105246 6105247 || [CISCO-SDEE] IIS ASP SSI Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105247 6105248 || [CISCO-SDEE] IIS HTR ISAPI Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105248 6105251 || [CISCO-SDEE] Allaire JRun // Directory Disclosure || 
url,wiki.quadrantsec.com/bin/view/Main/6105251 6105252 || [CISCO-SDEE] Allaire JRun Session ID Recon || url,wiki.quadrantsec.com/bin/view/Main/6105252 6105253 || [CISCO-SDEE] Axis StorPoint CD Authentication Bypass || url,wiki.quadrantsec.com/bin/view/Main/6105253 6105255 || [CISCO-SDEE] Linux Directory traceroute / nslookup Command Exec || url,wiki.quadrantsec.com/bin/view/Main/6105255 6105256 || [CISCO-SDEE] Dot Dot Slash in URI || url,wiki.quadrantsec.com/bin/view/Main/6105256 6105257 || [CISCO-SDEE] PHPNetToolpack traceroute Command Exec || url,wiki.quadrantsec.com/bin/view/Main/6105257 6105258 || [CISCO-SDEE] Script source disclosure with CodeBrws.asp || url,wiki.quadrantsec.com/bin/view/Main/6105258 6105259 || [CISCO-SDEE] Snitz Forums SQL injection || url,wiki.quadrantsec.com/bin/view/Main/6105259 6105260 || [CISCO-SDEE] Xpede sprc.asp SQL Injection || url,wiki.quadrantsec.com/bin/view/Main/6105260 6105261 || [CISCO-SDEE] BackOffice Server Web Administration Access || url,wiki.quadrantsec.com/bin/view/Main/6105261 6105262 || [CISCO-SDEE] Large number of Slashes URL || url,wiki.quadrantsec.com/bin/view/Main/6105262 6105263 || [CISCO-SDEE] ecware.exe Access || url,wiki.quadrantsec.com/bin/view/Main/6105263 6105265 || [CISCO-SDEE] RedHat cachemgr.cgi Access || url,wiki.quadrantsec.com/bin/view/Main/6105265 6105266 || [CISCO-SDEE] iCat Carbo Server File Disclosure || url,wiki.quadrantsec.com/bin/view/Main/6105266 6105268 || [CISCO-SDEE] Cisco Catalyst Remote Command Execution || url,wiki.quadrantsec.com/bin/view/Main/6105268 6105269 || [CISCO-SDEE] ColdFusion CFDOCS Directory Access || url,wiki.quadrantsec.com/bin/view/Main/6105269 6105270 || [CISCO-SDEE] EZ-Mall order.log File Access || url,wiki.quadrantsec.com/bin/view/Main/6105270 6105271 || [CISCO-SDEE] search.cgi Directory Traversal || url,wiki.quadrantsec.com/bin/view/Main/6105271 6105272 || [CISCO-SDEE] count.cgi GIF File Disclosure || url,wiki.quadrantsec.com/bin/view/Main/6105272 6105273 || [CISCO-SDEE] 
Bannermatic Sensitive File Access || url,wiki.quadrantsec.com/bin/view/Main/6105273 6105274 || [CISCO-SDEE] Netpad.cgi Directory Traversal/Cmd Exec || url,wiki.quadrantsec.com/bin/view/Main/6105274 6105275 || [CISCO-SDEE] Phorum Remote Cmd Exec || url,wiki.quadrantsec.com/bin/view/Main/6105275 6105276 || [CISCO-SDEE] Dansie cart.cgi Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6105276 6105277 || [CISCO-SDEE] dfire.cgi Command Exec || url,wiki.quadrantsec.com/bin/view/Main/6105277 6105278 || [CISCO-SDEE] VP-ASP shoptest.asp access || url,wiki.quadrantsec.com/bin/view/Main/6105278 6105279 || [CISCO-SDEE] JJ Cgi Cmd Exec || url,wiki.quadrantsec.com/bin/view/Main/6105279 6105280 || [CISCO-SDEE] IIS idq.dll Directory Traversal || url,wiki.quadrantsec.com/bin/view/Main/6105280 6105281 || [CISCO-SDEE] Carello add.exe Access || url,wiki.quadrantsec.com/bin/view/Main/6105281 6105282 || [CISCO-SDEE] IIS ExAir advsearch.asp Access || url,wiki.quadrantsec.com/bin/view/Main/6105282 6105283 || [CISCO-SDEE] info2www CGI Directory Traversal || url,wiki.quadrantsec.com/bin/view/Main/6105283 6105284 || [CISCO-SDEE] IIS webhits.dll Directory Traversal || url,wiki.quadrantsec.com/bin/view/Main/6105284 6105285 || [CISCO-SDEE] PHPEventCalendar Cmd Exec || url,wiki.quadrantsec.com/bin/view/Main/6105285 6105286 || [CISCO-SDEE] WebScripts WebBBS Cmd Exec || url,wiki.quadrantsec.com/bin/view/Main/6105286 6105287 || [CISCO-SDEE] SiteServer AdSamples SITE.CSC File Access || url,wiki.quadrantsec.com/bin/view/Main/6105287 6105288 || [CISCO-SDEE] Verity search97 Directory Traversal || url,wiki.quadrantsec.com/bin/view/Main/6105288 6105289 || [CISCO-SDEE] SQLXML ISAPI Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105289 6105290 || [CISCO-SDEE] Apache Tomcat DefaultServlet File Disclosure || url,wiki.quadrantsec.com/bin/view/Main/6105290 6105291 || [CISCO-SDEE] WEB-INF Dot File Disclosure || url,wiki.quadrantsec.com/bin/view/Main/6105291 6105292 || [CISCO-SDEE] SalesCart 
shop.mdb File Access || url,wiki.quadrantsec.com/bin/view/Main/6105292 6105293 || [CISCO-SDEE] robots.txt File Access || url,wiki.quadrantsec.com/bin/view/Main/6105293 6105294 || [CISCO-SDEE] BearShare File Disclosure || url,wiki.quadrantsec.com/bin/view/Main/6105294 6105295 || [CISCO-SDEE] finger CGI Recon || url,wiki.quadrantsec.com/bin/view/Main/6105295 6105296 || [CISCO-SDEE] Netscape Server PageServices Directory Access || url,wiki.quadrantsec.com/bin/view/Main/6105296 6105297 || [CISCO-SDEE] order_log.dat File Access || url,wiki.quadrantsec.com/bin/view/Main/6105297 6105298 || [CISCO-SDEE] shopper.conf File Access || url,wiki.quadrantsec.com/bin/view/Main/6105298 6105299 || [CISCO-SDEE] quikstore.cfg File Access || url,wiki.quadrantsec.com/bin/view/Main/6105299 6105300 || [CISCO-SDEE] reg_echo.cgi Recon || url,wiki.quadrantsec.com/bin/view/Main/6105300 6105301 || [CISCO-SDEE] /consolehelp/ CGI File Access || url,wiki.quadrantsec.com/bin/view/Main/6105301 6105302 || [CISCO-SDEE] /file/ WebLogic File Access || url,wiki.quadrantsec.com/bin/view/Main/6105302 6105303 || [CISCO-SDEE] pfdispaly.cgi Command Execution || url,wiki.quadrantsec.com/bin/view/Main/6105303 6105304 || [CISCO-SDEE] files.pl File Access || url,wiki.quadrantsec.com/bin/view/Main/6105304 6105305 || [CISCO-SDEE] .bash_history File Access || url,wiki.quadrantsec.com/bin/view/Main/6105305 6105306 || [CISCO-SDEE] SoftCart storemgr.pw File Access || url,wiki.quadrantsec.com/bin/view/Main/6105306 6105307 || [CISCO-SDEE] Mercantec Softcart Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105307 6105308 || [CISCO-SDEE] rpc-nlog.pl Command Execution || url,wiki.quadrantsec.com/bin/view/Main/6105308 6105309 || [CISCO-SDEE] Handler CGI Command Execution || url,wiki.quadrantsec.com/bin/view/Main/6105309 6105310 || [CISCO-SDEE] INDEX / directory access || url,wiki.quadrantsec.com/bin/view/Main/6105310 6105311 || [CISCO-SDEE] 8.3 file name access || url,wiki.quadrantsec.com/bin/view/Main/6105311 6105312 || 
[CISCO-SDEE] *.jsp/*.jhtml Java Execution || url,wiki.quadrantsec.com/bin/view/Main/6105312 6105313 || [CISCO-SDEE] order.log File Access || url,wiki.quadrantsec.com/bin/view/Main/6105313 6105314 || [CISCO-SDEE] windmail.exe Command Execution || url,wiki.quadrantsec.com/bin/view/Main/6105314 6105315 || [CISCO-SDEE] changedisplay.pl WWWthreads Privilege Elevation || url,wiki.quadrantsec.com/bin/view/Main/6105315 6105316 || [CISCO-SDEE] BadBlue Admin Command Exec || url,wiki.quadrantsec.com/bin/view/Main/6105316 6105317 || [CISCO-SDEE] Tivoli Endpoint Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105317 6105318 || [CISCO-SDEE] Tivoli ManagedNode Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105318 6105319 || [CISCO-SDEE] SoftCart orders Directory Access || url,wiki.quadrantsec.com/bin/view/Main/6105319 6105320 || [CISCO-SDEE] ColdFusion administrator Directory Access || url,wiki.quadrantsec.com/bin/view/Main/6105320 6105321 || [CISCO-SDEE] Guest Book CGI access || url,wiki.quadrantsec.com/bin/view/Main/6105321 6105322 || [CISCO-SDEE] Long HTTP Request || url,wiki.quadrantsec.com/bin/view/Main/6105322 6105323 || [CISCO-SDEE] midicart.mdb File Access || url,wiki.quadrantsec.com/bin/view/Main/6105323 6105324 || [CISCO-SDEE] Cisco IOS Query (?/) || url,wiki.quadrantsec.com/bin/view/Main/6105324 6105325 || [CISCO-SDEE] Contivity cgiproc DoS || url,wiki.quadrantsec.com/bin/view/Main/6105325 6105326 || [CISCO-SDEE] Root.exe access || url,wiki.quadrantsec.com/bin/view/Main/6105326 6105327 || [CISCO-SDEE] Tilde in URI || url,wiki.quadrantsec.com/bin/view/Main/6105327 6105328 || [CISCO-SDEE] Cisco IP phone DoS || url,wiki.quadrantsec.com/bin/view/Main/6105328 6105329 || [CISCO-SDEE] Apache/mod_ssl Worm Probe || url,wiki.quadrantsec.com/bin/view/Main/6105329 6105330 || [CISCO-SDEE] Apache/mod_ssl Worm Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105330 6105331 || [CISCO-SDEE] Image Javascript insertion || 
url,wiki.quadrantsec.com/bin/view/Main/6105331 6105332 || [CISCO-SDEE] Wordtrans-web Command Exec || url,wiki.quadrantsec.com/bin/view/Main/6105332 6105333 || [CISCO-SDEE] FUDForum File Disclosure || url,wiki.quadrantsec.com/bin/view/Main/6105333 6105334 || [CISCO-SDEE] DB4Web File Disclosure || url,wiki.quadrantsec.com/bin/view/Main/6105334 6105335 || [CISCO-SDEE] DB4WEB Proxy Scan || url,wiki.quadrantsec.com/bin/view/Main/6105335 6105336 || [CISCO-SDEE] Abyss Web Server File Disclosure || url,wiki.quadrantsec.com/bin/view/Main/6105336 6105337 || [CISCO-SDEE] Dot Dot Slash in HTTP Arguments || url,wiki.quadrantsec.com/bin/view/Main/6105337 6105338 || [CISCO-SDEE] Front Page Admin password retrival || url,wiki.quadrantsec.com/bin/view/Main/6105338 6105339 || [CISCO-SDEE] SunONE Directory Traversal || url,wiki.quadrantsec.com/bin/view/Main/6105339 6105340 || [CISCO-SDEE] Killer Protection Credential File Access || url,wiki.quadrantsec.com/bin/view/Main/6105340 6105341 || [CISCO-SDEE] HP Procurve 4000M Switch DoS || url,wiki.quadrantsec.com/bin/view/Main/6105341 6105342 || [CISCO-SDEE] Invision Board phpinfo.php Recon || url,wiki.quadrantsec.com/bin/view/Main/6105342 6105343 || [CISCO-SDEE] Apache Host Header Cross Site Scripting || url,wiki.quadrantsec.com/bin/view/Main/6105343 6105344 || [CISCO-SDEE] IIS MDAC RDS Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105344 6105345 || [CISCO-SDEE] HTTPBench Information Disclosure || url,wiki.quadrantsec.com/bin/view/Main/6105345 6105346 || [CISCO-SDEE] BadBlue Information Disclosure || url,wiki.quadrantsec.com/bin/view/Main/6105346 6105347 || [CISCO-SDEE] Xoops WebChat SQL Injection || url,wiki.quadrantsec.com/bin/view/Main/6105347 6105348 || [CISCO-SDEE] Cobalt RaQ Server overflow.cgi Cmd Exec || url,wiki.quadrantsec.com/bin/view/Main/6105348 6105349 || [CISCO-SDEE] Polycom ViewStation Admin Password || url,wiki.quadrantsec.com/bin/view/Main/6105349 6105350 || [CISCO-SDEE] PHPnuke email attachment access || 
url,wiki.quadrantsec.com/bin/view/Main/6105350 6105351 || [CISCO-SDEE] MS IE Help Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105351 6105352 || [CISCO-SDEE] H-Sphere Webshell Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105352 6105353 || [CISCO-SDEE] H-Sphere Webshell 'mode' URI exec || url,wiki.quadrantsec.com/bin/view/Main/6105353 6105354 || [CISCO-SDEE] H-Sphere Webshell 'zipfile' URI exec || url,wiki.quadrantsec.com/bin/view/Main/6105354 6105355 || [CISCO-SDEE] DotBr exec.php3 exec || url,wiki.quadrantsec.com/bin/view/Main/6105355 6105356 || [CISCO-SDEE] DotBr system.php3 exec || url,wiki.quadrantsec.com/bin/view/Main/6105356 6105357 || [CISCO-SDEE] IMP SQL Injection || url,wiki.quadrantsec.com/bin/view/Main/6105357 6105358 || [CISCO-SDEE] Psunami.CGI Remote Command Execution || url,wiki.quadrantsec.com/bin/view/Main/6105358 6105359 || [CISCO-SDEE] Office Scan CGI Scripts Access || url,wiki.quadrantsec.com/bin/view/Main/6105359 6105360 || [CISCO-SDEE] FrontPage htimage.exe Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105360 6105362 || [CISCO-SDEE] FrontPage dvwssr.dll Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105362 6105363 || [CISCO-SDEE] FrontPage imagemap.exe Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105363 6105364 || [CISCO-SDEE] IIS WebDAV Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105364 6105365 || [CISCO-SDEE] Long WebDAV Request || url,wiki.quadrantsec.com/bin/view/Main/6105365 6105366 || [CISCO-SDEE] Shell Code in HTTP URL / Args || url,wiki.quadrantsec.com/bin/view/Main/6105366 6105367 || [CISCO-SDEE] Apache CR LF DoS || url,wiki.quadrantsec.com/bin/view/Main/6105367 6105368 || [CISCO-SDEE] Cisco ACS Windows CSAdmin Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105368 6105369 || [CISCO-SDEE] Win32 Apache Batch File CmdExec || url,wiki.quadrantsec.com/bin/view/Main/6105369 6105370 || [CISCO-SDEE] HTDig File Disclosure || url,wiki.quadrantsec.com/bin/view/Main/6105370 
6105371 || [CISCO-SDEE] bdir.htr Access || url,wiki.quadrantsec.com/bin/view/Main/6105371 6105372 || [CISCO-SDEE] ASP %20 source disclosure || url,wiki.quadrantsec.com/bin/view/Main/6105372 6105373 || [CISCO-SDEE] IIS 5 Translate: f Source Disclosure || url,wiki.quadrantsec.com/bin/view/Main/6105373 6105374 || [CISCO-SDEE] IIS Executable File Command Exec || url,wiki.quadrantsec.com/bin/view/Main/6105374 6105375 || [CISCO-SDEE] Apache mod_dav Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105375 6105376 || [CISCO-SDEE] iisPROTECT Admin SQL Injection || url,wiki.quadrantsec.com/bin/view/Main/6105376 6105377 || [CISCO-SDEE] HTTP args to xp_cmdshell in HTTP Request || url,wiki.quadrantsec.com/bin/view/Main/6105377 6105378 || [CISCO-SDEE] Vignette TCL Injection Command Exec || url,wiki.quadrantsec.com/bin/view/Main/6105378 6105379 || [CISCO-SDEE] Windows Media Services Logging ISAPI Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105379 6105380 || [CISCO-SDEE] phpBB SQL injection || url,wiki.quadrantsec.com/bin/view/Main/6105380 6105381 || [CISCO-SDEE] VPASP SQL injection || url,wiki.quadrantsec.com/bin/view/Main/6105381 6105382 || [CISCO-SDEE] Xpressions SQL Admin Bypass || url,wiki.quadrantsec.com/bin/view/Main/6105382 6105383 || [CISCO-SDEE] Cyberstrong eShop SQL Injection || url,wiki.quadrantsec.com/bin/view/Main/6105383 6105385 || [CISCO-SDEE] CiscoWorks User Priviledge Modification || url,wiki.quadrantsec.com/bin/view/Main/6105385 6105386 || [CISCO-SDEE] CiscoWorks Command Exec || url,wiki.quadrantsec.com/bin/view/Main/6105386 6105388 || [CISCO-SDEE] Kerio MailServer Webmail multiple overflows || url,wiki.quadrantsec.com/bin/view/Main/6105388 6105389 || [CISCO-SDEE] WebAdmin Long User Name Logon Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105389 6105390 || [CISCO-SDEE] Swen Worm HTTP Counter Update Attempt || url,wiki.quadrantsec.com/bin/view/Main/6105390 6105391 || [CISCO-SDEE] FrontPage Server Extensions Buffer Overflow || 
url,wiki.quadrantsec.com/bin/view/Main/6105391 6105392 || [CISCO-SDEE] Internet Explorer XML Object Overflow Type 1 || url,wiki.quadrantsec.com/bin/view/Main/6105392 6105393 || [CISCO-SDEE] Internet Explorer XML Object Overflow Type 2 || url,wiki.quadrantsec.com/bin/view/Main/6105393 6105394 || [CISCO-SDEE] Apache mod_gzip Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105394 6105395 || [CISCO-SDEE] Cisco ACNS Authentication Library Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105395 6105397 || [CISCO-SDEE] SiteInteractive Subscribe Me setup.pl Command Exec || url,wiki.quadrantsec.com/bin/view/Main/6105397 6105399 || [CISCO-SDEE] ALT-N MDaemon form2raw.cgi Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105399 6105400 || [CISCO-SDEE] Beagle.B (Bagle.B) Web Beacon || url,wiki.quadrantsec.com/bin/view/Main/6105400 6105401 || [CISCO-SDEE] Outlook mailto Quote Malformed URI || url,wiki.quadrantsec.com/bin/view/Main/6105401 6105402 || [CISCO-SDEE] Internet Explorer URL Spoofing || url,wiki.quadrantsec.com/bin/view/Main/6105402 6105403 || [CISCO-SDEE] OpenSSL SSL OR TLS Malformed Handshake DoS || url,wiki.quadrantsec.com/bin/view/Main/6105403 6105404 || [CISCO-SDEE] Internet Explorer Uninitialized Memory Corruption || url,wiki.quadrantsec.com/bin/view/Main/6105404 6105405 || [CISCO-SDEE] IIS nsiislog.dll long argument overflow || url,wiki.quadrantsec.com/bin/view/Main/6105405 6105406 || [CISCO-SDEE] Illegal MHTML URL || url,wiki.quadrantsec.com/bin/view/Main/6105406 6105407 || [CISCO-SDEE] IIS PCT Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105407 6105408 || [CISCO-SDEE] Windows HCP URI Parsing Script Exec || url,wiki.quadrantsec.com/bin/view/Main/6105408 6105409 || [CISCO-SDEE] Microsoft HCP Remote Code Execution || url,wiki.quadrantsec.com/bin/view/Main/6105409 6105410 || [CISCO-SDEE] APSIS Pound Remote Format String Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105410 6105411 || [CISCO-SDEE] Linksys Http DoS || 
url,wiki.quadrantsec.com/bin/view/Main/6105411 6105412 || [CISCO-SDEE] AIM Goaway Message Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105412 6105413 || [CISCO-SDEE] WhatsUp Gold Buffer Overflow Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6105413 6105414 || [CISCO-SDEE] Microsoft NNTP Heap Overflow Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6105414 6105416 || [CISCO-SDEE] IE object data remote execution || url,wiki.quadrantsec.com/bin/view/Main/6105416 6105417 || [CISCO-SDEE] IE Object Tag Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105417 6105418 || [CISCO-SDEE] IIS Cross Site Scripting .htw || url,wiki.quadrantsec.com/bin/view/Main/6105418 6105419 || [CISCO-SDEE] IIS Frontpage Path Disclosure || url,wiki.quadrantsec.com/bin/view/Main/6105419 6105420 || [CISCO-SDEE] IIS TRACK Requests || url,wiki.quadrantsec.com/bin/view/Main/6105420 6105421 || [CISCO-SDEE] IIS UNC Disclosure || url,wiki.quadrantsec.com/bin/view/Main/6105421 6105422 || [CISCO-SDEE] IIS ISAPI Extension Enumeration || url,wiki.quadrantsec.com/bin/view/Main/6105422 6105423 || [CISCO-SDEE] IIS ism.dll Access || url,wiki.quadrantsec.com/bin/view/Main/6105423 6105424 || [CISCO-SDEE] IE HRAlign Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105424 6105425 || [CISCO-SDEE] Internet Explorer IFRAME Tag Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105425 6105426 || [CISCO-SDEE] Netscape NSS SSLv2 Hello Message Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105426 6105427 || [CISCO-SDEE] Apache Space Character DoS || url,wiki.quadrantsec.com/bin/view/Main/6105427 6105428 || [CISCO-SDEE] Cisco CNS Registrar DoS || url,wiki.quadrantsec.com/bin/view/Main/6105428 6105429 || [CISCO-SDEE] WINS Replication Protocol Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105429 6105430 || [CISCO-SDEE] Darwin Streaming Server DoS || url,wiki.quadrantsec.com/bin/view/Main/6105430 6105431 || [CISCO-SDEE] IIS W3Who Vulnerabilties || 
url,wiki.quadrantsec.com/bin/view/Main/6105431 6105432 || [CISCO-SDEE] Script Embedded in HTTP Header || url,wiki.quadrantsec.com/bin/view/Main/6105432 6105433 || [CISCO-SDEE] Jabberd Username Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105433 6105434 || [CISCO-SDEE] Veritas Backup Exec Registration Request Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105434 6105435 || [CISCO-SDEE] Crystal Reports Remote Code Execution || url,wiki.quadrantsec.com/bin/view/Main/6105435 6105436 || [CISCO-SDEE] RXBot Activity || url,wiki.quadrantsec.com/bin/view/Main/6105436 6105437 || [CISCO-SDEE] phpBB highlight parameter || url,wiki.quadrantsec.com/bin/view/Main/6105437 6105438 || [CISCO-SDEE] Cisco IOS Call Processing Solutions DoS || url,wiki.quadrantsec.com/bin/view/Main/6105438 6105439 || [CISCO-SDEE] Microsoft Loadimage API Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105439 6105440 || [CISCO-SDEE] IRC Bot Activity || url,wiki.quadrantsec.com/bin/view/Main/6105440 6105441 || [CISCO-SDEE] Windows Help File Overflow Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6105441 6105442 || [CISCO-SDEE] Cursor/Icon File Format Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105442 6105443 || [CISCO-SDEE] Microsoft ActiveX Help Control || url,wiki.quadrantsec.com/bin/view/Main/6105443 6105444 || [CISCO-SDEE] MySQL MaxDB WebAgent logon Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105444 6105445 || [CISCO-SDEE] AWStats configdir Command Exec || url,wiki.quadrantsec.com/bin/view/Main/6105445 6105446 || [CISCO-SDEE] Internet Explorer Install Engine Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105446 6105447 || [CISCO-SDEE] VB.aw Trojan/Back Door || url,wiki.quadrantsec.com/bin/view/Main/6105447 6105448 || [CISCO-SDEE] Blaster Worm || url,wiki.quadrantsec.com/bin/view/Main/6105448 6105449 || [CISCO-SDEE] Massacre Virus Attachment || url,wiki.quadrantsec.com/bin/view/Main/6105449 6105450 || [CISCO-SDEE] Love Letter Worm Attachment || 
url,wiki.quadrantsec.com/bin/view/Main/6105450 6105451 || [CISCO-SDEE] IIS WebDAV DoS || url,wiki.quadrantsec.com/bin/view/Main/6105451 6105452 || [CISCO-SDEE] Office XP URL Processing Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105452 6105453 || [CISCO-SDEE] AWStats Plugin Command Exec || url,wiki.quadrantsec.com/bin/view/Main/6105453 6105454 || [CISCO-SDEE] Exim SPA Authentication Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105454 6105455 || [CISCO-SDEE] Arkeia Type 77 Request Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105455 6105456 || [CISCO-SDEE] Internet Explorer 5 ie5filex Exploit || url,wiki.quadrantsec.com/bin/view/Main/6105456 6105457 || [CISCO-SDEE] WU-FTPD DoS || url,wiki.quadrantsec.com/bin/view/Main/6105457 6105458 || [CISCO-SDEE] WebConnect MS-DOS Device Name DoS || url,wiki.quadrantsec.com/bin/view/Main/6105458 6105459 || [CISCO-SDEE] WebConnect Directory Traversal Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6105459 6105460 || [CISCO-SDEE] phpMyAdmin phpmyadmin.css.php File Disclosure || url,wiki.quadrantsec.com/bin/view/Main/6105460 6105461 || [CISCO-SDEE] BadBlue MFCISAPICommand Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105461 6105462 || [CISCO-SDEE] phpBB Authentication Bypass || url,wiki.quadrantsec.com/bin/view/Main/6105462 6105463 || [CISCO-SDEE] Computer Associates License Software GETCONFIG Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105463 6105464 || [CISCO-SDEE] Computer Associates License Suite Network Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105464 6105465 || [CISCO-SDEE] Computer Associates License Suite Checksum Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105465 6105466 || [CISCO-SDEE] Computer Associates License Suite PUTOLF Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105466 6105467 || [CISCO-SDEE] Computer Associates License Suite PUTOLF Directory Traversal || 
url,wiki.quadrantsec.com/bin/view/Main/6105467 6105468 || [CISCO-SDEE] Computer Associates License Suite Invalid Command Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105468 6105469 || [CISCO-SDEE] TrackerCam PHP Argument Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105469 6105471 || [CISCO-SDEE] SafeNet Sentinel Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105471 6105472 || [CISCO-SDEE] IE Sysimage Handler Local Executable Reference || url,wiki.quadrantsec.com/bin/view/Main/6105472 6105473 || [CISCO-SDEE] Java JNLP File Command Injection || url,wiki.quadrantsec.com/bin/view/Main/6105473 6105474 || [CISCO-SDEE] SQL Query in HTTP Request || url,wiki.quadrantsec.com/bin/view/Main/6105474 6105475 || [CISCO-SDEE] BrightStor ARCserve Backup Universal Agent Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105475 6105476 || [CISCO-SDEE] HTML Application Execution || url,wiki.quadrantsec.com/bin/view/Main/6105476 6105477 || [CISCO-SDEE] Possible Heap Payload Construction || url,wiki.quadrantsec.com/bin/view/Main/6105477 6105478 || [CISCO-SDEE] Microsoft Exchange SMTP Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105478 6105479 || [CISCO-SDEE] MySQL MaxDB WebDAV Lock-Token Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105479 6105480 || [CISCO-SDEE] MySQL MaxDB WebDAV If Header Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105480 6105481 || [CISCO-SDEE] MySQL MaxDB WebDBM Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105481 6105482 || [CISCO-SDEE] Microsoft SQL Server Login Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105482 6105483 || [CISCO-SDEE] IE Content Advisor Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105483 6105484 || [CISCO-SDEE] Sambar Server Search Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105484 6105485 || [CISCO-SDEE] ISS PAM.dll ICQ Parser Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105485 6105486 || [CISCO-SDEE] Apple File Service LoginExt Overflow || 
url,wiki.quadrantsec.com/bin/view/Main/6105486 6105487 || [CISCO-SDEE] IA WebMail Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105487 6105488 || [CISCO-SDEE] Icecast Server HTTP Header Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105488 6105489 || [CISCO-SDEE] MyTOB Virus Activity || url,wiki.quadrantsec.com/bin/view/Main/6105489 6105490 || [CISCO-SDEE] Firefox JavaScript IFRAME Exploitation || url,wiki.quadrantsec.com/bin/view/Main/6105490 6105491 || [CISCO-SDEE] Firefox JavaScript Install Trigger Function || url,wiki.quadrantsec.com/bin/view/Main/6105491 6105492 || [CISCO-SDEE] Wurmark Virus Activity || url,wiki.quadrantsec.com/bin/view/Main/6105492 6105493 || [CISCO-SDEE] Llsrpc Bind || url,wiki.quadrantsec.com/bin/view/Main/6105493 6105494 || [CISCO-SDEE] Webview Script Injection || url,wiki.quadrantsec.com/bin/view/Main/6105494 6105495 || [CISCO-SDEE] LDAP Active Directory Stack Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105495 6105496 || [CISCO-SDEE] License Logging Service Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105496 6105497 || [CISCO-SDEE] SMTP BDAT Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6105497 6105498 || [CISCO-SDEE] Media Player IE Zone Bypass || url,wiki.quadrantsec.com/bin/view/Main/6105498 6105499 || [CISCO-SDEE] HTML Link in Object Tag in IE || url,wiki.quadrantsec.com/bin/view/Main/6105499 6105500 || [CISCO-SDEE] IE .asp File Execution || url,wiki.quadrantsec.com/bin/view/Main/6105500 6105501 || [CISCO-SDEE] IE ActiveX ADODB Stream || url,wiki.quadrantsec.com/bin/view/Main/6105501 6105502 || [CISCO-SDEE] Llssrv RPC Activity || url,wiki.quadrantsec.com/bin/view/Main/6105502 6105503 || [CISCO-SDEE] Object Creation In IE Local Zone || url,wiki.quadrantsec.com/bin/view/Main/6105503 6105504 || [CISCO-SDEE] BrightStor Backup Discovery UDP Probe Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105504 6105505 || [CISCO-SDEE] RIP Trace || url,wiki.quadrantsec.com/bin/view/Main/6105505 
6105506 || [CISCO-SDEE] Back Orifice Ping || url,wiki.quadrantsec.com/bin/view/Main/6105506 6105507 || [CISCO-SDEE] Unreal Engine /secure/ Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105507 6105508 || [CISCO-SDEE] Malformed IKE Packet DoS || url,wiki.quadrantsec.com/bin/view/Main/6105508 6105509 || [CISCO-SDEE] Tftp Passwd File || url,wiki.quadrantsec.com/bin/view/Main/6105509 6105510 || [CISCO-SDEE] Cisco TFTPD Directory Traversal || url,wiki.quadrantsec.com/bin/view/Main/6105510 6105511 || [CISCO-SDEE] Ascend Denial of Service || url,wiki.quadrantsec.com/bin/view/Main/6105511 6105512 || [CISCO-SDEE] Cisco SNMP Message Processing DoS || url,wiki.quadrantsec.com/bin/view/Main/6105512 6105513 || [CISCO-SDEE] SNMP Community String Public || url,wiki.quadrantsec.com/bin/view/Main/6105513 6105514 || [CISCO-SDEE] Cisco IP VC Embedded Community Names || url,wiki.quadrantsec.com/bin/view/Main/6105514 6105515 || [CISCO-SDEE] IE DHTML Edit Control || url,wiki.quadrantsec.com/bin/view/Main/6105515 6105516 || [CISCO-SDEE] FTP Wildcard DoS || url,wiki.quadrantsec.com/bin/view/Main/6105516 6105517 || [CISCO-SDEE] AnswerBook2 Format String || url,wiki.quadrantsec.com/bin/view/Main/6105517 6105518 || [CISCO-SDEE] Quake Server Connect DoS || url,wiki.quadrantsec.com/bin/view/Main/6105518 6105519 || [CISCO-SDEE] IE Popup Blocker Bypass || url,wiki.quadrantsec.com/bin/view/Main/6105519 6105520 || [CISCO-SDEE] XEXCH50 Command Usage || url,wiki.quadrantsec.com/bin/view/Main/6105520 6105521 || [CISCO-SDEE] Nested Array Sort Loop DoS || url,wiki.quadrantsec.com/bin/view/Main/6105521 6105523 || [CISCO-SDEE] Jet Database Engine Shell Command Injection || url,wiki.quadrantsec.com/bin/view/Main/6105523 6105524 || [CISCO-SDEE] Font Tag Split || url,wiki.quadrantsec.com/bin/view/Main/6105524 6105525 || [CISCO-SDEE] Outlook Express Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105525 6105526 || [CISCO-SDEE] Telnet Environment Option Information Disclosure || 
url,wiki.quadrantsec.com/bin/view/Main/6105526 6105527 || [CISCO-SDEE] IIS Index HTW Cross Site Scripting || url,wiki.quadrantsec.com/bin/view/Main/6105527 6105528 || [CISCO-SDEE] IIS5 SEARCH overflow || url,wiki.quadrantsec.com/bin/view/Main/6105528 6105529 || [CISCO-SDEE] CheckPoint Firewall RDP ByPass || url,wiki.quadrantsec.com/bin/view/Main/6105529 6105530 || [CISCO-SDEE] DHCP Discover || url,wiki.quadrantsec.com/bin/view/Main/6105530 6105531 || [CISCO-SDEE] IE Status Bar Spoof || url,wiki.quadrantsec.com/bin/view/Main/6105531 6105532 || [CISCO-SDEE] Back Door Deltasource || url,wiki.quadrantsec.com/bin/view/Main/6105532 6105533 || [CISCO-SDEE] Back Door Remote Boot Tool || url,wiki.quadrantsec.com/bin/view/Main/6105533 6105534 || [CISCO-SDEE] KaZaA UDP Client Probe || url,wiki.quadrantsec.com/bin/view/Main/6105534 6105535 || [CISCO-SDEE] Overnet Client Scan || url,wiki.quadrantsec.com/bin/view/Main/6105535 6105536 || [CISCO-SDEE] Gnutella File Search || url,wiki.quadrantsec.com/bin/view/Main/6105536 6105537 || [CISCO-SDEE] ICQ Client DNS Request || url,wiki.quadrantsec.com/bin/view/Main/6105537 6105538 || [CISCO-SDEE] AIM Client DNS request || url,wiki.quadrantsec.com/bin/view/Main/6105538 6105539 || [CISCO-SDEE] Yahoo Messenger Client DNS Request || url,wiki.quadrantsec.com/bin/view/Main/6105539 6105540 || [CISCO-SDEE] MSN Messenger Client DNS Request || url,wiki.quadrantsec.com/bin/view/Main/6105540 6105541 || [CISCO-SDEE] Modem DoS || url,wiki.quadrantsec.com/bin/view/Main/6105541 6105543 || [CISCO-SDEE] PingTunnel ICMP Tunneling || url,wiki.quadrantsec.com/bin/view/Main/6105543 6105544 || [CISCO-SDEE] Back Door Blaaaaa || url,wiki.quadrantsec.com/bin/view/Main/6105544 6105545 || [CISCO-SDEE] HTTP Request Smuggling Attempt || url,wiki.quadrantsec.com/bin/view/Main/6105545 6105546 || [CISCO-SDEE] Internet Key Exchange DoS || url,wiki.quadrantsec.com/bin/view/Main/6105546 6105547 || [CISCO-SDEE] SMB File Name Overflow || 
url,wiki.quadrantsec.com/bin/view/Main/6105547 6105548 || [CISCO-SDEE] Veritas Backup Exec Windows Remote Agent Password Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105548 6105549 || [CISCO-SDEE] Evolution Message Size Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105549 6105551 || [CISCO-SDEE] Outlook Web Access Cross Site Scripting Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6105551 6105552 || [CISCO-SDEE] Windows Media Player Skin File Code Execution Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6105552 6105553 || [CISCO-SDEE] Finger and cFinger Double Star User List Search || url,wiki.quadrantsec.com/bin/view/Main/6105553 6105554 || [CISCO-SDEE] IE Object Tag Overflow Runtime Script Exploit || url,wiki.quadrantsec.com/bin/view/Main/6105554 6105555 || [CISCO-SDEE] Cisco ONS Telnet DOS || url,wiki.quadrantsec.com/bin/view/Main/6105555 6105556 || [CISCO-SDEE] Javaprxy.dll Heap Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105556 6105557 || [CISCO-SDEE] Windows ICC Color Management Module Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6105557 6105558 || [CISCO-SDEE] Webcart Command Injection || url,wiki.quadrantsec.com/bin/view/Main/6105558 6105559 || [CISCO-SDEE] FTP Format String || url,wiki.quadrantsec.com/bin/view/Main/6105559 6105560 || [CISCO-SDEE] MailEnable IMAP Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105560 6105561 || [CISCO-SDEE] Windows SMTP Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105561 6105562 || [CISCO-SDEE] Qpopper Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105562 6105564 || [CISCO-SDEE] ARCserve Backup MS-SQL Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105564 6105565 || [CISCO-SDEE] Print Spooler Service Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105565 6105566 || [CISCO-SDEE] Potential IE Cross Frame Scripting || url,wiki.quadrantsec.com/bin/view/Main/6105566 6105567 || [CISCO-SDEE] Veritas Backup Exec Remote Registry Access || 
url,wiki.quadrantsec.com/bin/view/Main/6105567 6105568 || [CISCO-SDEE] Veritas Backup Exec Agent Remote File Access || url,wiki.quadrantsec.com/bin/view/Main/6105568 6105569 || [CISCO-SDEE] MDaemon Imap Authentication Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105569 6105570 || [CISCO-SDEE] ZOTOB Worm Activity || url,wiki.quadrantsec.com/bin/view/Main/6105570 6105571 || [CISCO-SDEE] RBOT.CBQ Worm Activity || url,wiki.quadrantsec.com/bin/view/Main/6105571 6105572 || [CISCO-SDEE] Design Tools Diagram Surface ActiveX Control || url,wiki.quadrantsec.com/bin/view/Main/6105572 6105573 || [CISCO-SDEE] Novell eDirectory Server iMonitor Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105573 6105574 || [CISCO-SDEE] OpenView Network Node Manager Command Injection || url,wiki.quadrantsec.com/bin/view/Main/6105574 6105575 || [CISCO-SDEE] NBT NetBIOS Session Service Failed Login || url,wiki.quadrantsec.com/bin/view/Main/6105575 6105576 || [CISCO-SDEE] SMB Login successful with Guest Privileges || url,wiki.quadrantsec.com/bin/view/Main/6105576 6105577 || [CISCO-SDEE] SMB NULL login attempt || url,wiki.quadrantsec.com/bin/view/Main/6105577 6105578 || [CISCO-SDEE] SMB 95 98 Password File Access || url,wiki.quadrantsec.com/bin/view/Main/6105578 6105579 || [CISCO-SDEE] SMB Remote Registry Access Attempt || url,wiki.quadrantsec.com/bin/view/Main/6105579 6105580 || [CISCO-SDEE] SMB Remote Lsarpc Service Access Attempt || url,wiki.quadrantsec.com/bin/view/Main/6105580 6105581 || [CISCO-SDEE] SMB Remote Srvsvc Service Access Attempt || url,wiki.quadrantsec.com/bin/view/Main/6105581 6105582 || [CISCO-SDEE] NetBIOS Enum Share DoS || url,wiki.quadrantsec.com/bin/view/Main/6105582 6105583 || [CISCO-SDEE] SMB Remote SAM Service Access Attempt || url,wiki.quadrantsec.com/bin/view/Main/6105583 6105584 || [CISCO-SDEE] SMB .eml email file remote access || url,wiki.quadrantsec.com/bin/view/Main/6105584 6105585 || [CISCO-SDEE] SMB Suspicious Password Usage || 
url,wiki.quadrantsec.com/bin/view/Main/6105585 6105586 || [CISCO-SDEE] Windows Locator Service Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105586 6105587 || [CISCO-SDEE] Microsoft Windows 9x NetBIOS NULL Name Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6105587 6105588 || [CISCO-SDEE] Windows DCOM Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105588 6105589 || [CISCO-SDEE] SMB ADMIN Hidden Share Access Attempt || url,wiki.quadrantsec.com/bin/view/Main/6105589 6105590 || [CISCO-SDEE] SMB User Enumeration || url,wiki.quadrantsec.com/bin/view/Main/6105590 6105591 || [CISCO-SDEE] SMB Windows Share Enumeration || url,wiki.quadrantsec.com/bin/view/Main/6105591 6105592 || [CISCO-SDEE] SMB RFPoison Attack || url,wiki.quadrantsec.com/bin/view/Main/6105592 6105593 || [CISCO-SDEE] SMB NIMDA Infected File Transfer || url,wiki.quadrantsec.com/bin/view/Main/6105593 6105594 || [CISCO-SDEE] Samba call_trans2open Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105594 6105595 || [CISCO-SDEE] Windows Startup Folder Remote Access || url,wiki.quadrantsec.com/bin/view/Main/6105595 6105596 || [CISCO-SDEE] Windows SMB/RPC NoOp Sled || url,wiki.quadrantsec.com/bin/view/Main/6105596 6105597 || [CISCO-SDEE] SMB MSRPC Messenger Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105597 6105598 || [CISCO-SDEE] Windows Workstation Service Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105598 6105599 || [CISCO-SDEE] Anig Worm File Transfer || url,wiki.quadrantsec.com/bin/view/Main/6105599 6105600 || [CISCO-SDEE] Windows ASN.1 Bit String NTLMv2 Integer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105600 6105601 || [CISCO-SDEE] Windows LSASS RPC Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105601 6105602 || [CISCO-SDEE] Windows System32 Directory File Access || url,wiki.quadrantsec.com/bin/view/Main/6105602 6105603 || [CISCO-SDEE] MSRPC Protocol violation || url,wiki.quadrantsec.com/bin/view/Main/6105603 6105605 || [CISCO-SDEE] Windows Account Locked 
|| url,wiki.quadrantsec.com/bin/view/Main/6105605 6105606 || [CISCO-SDEE] SMB Authorization Failure || url,wiki.quadrantsec.com/bin/view/Main/6105606 6105608 || [CISCO-SDEE] Network Supervisor Directory Traversal Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6105608 6105609 || [CISCO-SDEE] IE COM Object Memory Corruption Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6105609 6105610 || [CISCO-SDEE] Cacti Graph_Image.PHP Remote Command Execution Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6105610 6105611 || [CISCO-SDEE] WordPress Cookie cache_lastpostdate Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105611 6105612 || [CISCO-SDEE] DNP3 - Unsolicited Response Storm || url,wiki.quadrantsec.com/bin/view/Main/6105612 6105613 || [CISCO-SDEE] DNP3 - Cold Restart Request || url,wiki.quadrantsec.com/bin/view/Main/6105613 6105614 || [CISCO-SDEE] DNP3 - Disable Unsolicited Responses || url,wiki.quadrantsec.com/bin/view/Main/6105614 6105615 || [CISCO-SDEE] DNP3 - Read Request to a PLC || url,wiki.quadrantsec.com/bin/view/Main/6105615 6105616 || [CISCO-SDEE] DNP3 - Stop Application || url,wiki.quadrantsec.com/bin/view/Main/6105616 6105617 || [CISCO-SDEE] DNP3 - Warm Restart || url,wiki.quadrantsec.com/bin/view/Main/6105617 6105618 || [CISCO-SDEE] DNP3 - Broadcast Request || url,wiki.quadrantsec.com/bin/view/Main/6105618 6105619 || [CISCO-SDEE] Non-DNP3 Communication on a DNP3 Port || url,wiki.quadrantsec.com/bin/view/Main/6105619 6105620 || [CISCO-SDEE] DNP3 - Write Request to a PLC || url,wiki.quadrantsec.com/bin/view/Main/6105620 6105621 || [CISCO-SDEE] DNP3 - Miscellaneous Request to a PLC || url,wiki.quadrantsec.com/bin/view/Main/6105621 6105622 || [CISCO-SDEE] Modbus TCP - Force Listen Only Mode || url,wiki.quadrantsec.com/bin/view/Main/6105622 6105623 || [CISCO-SDEE] Modbus TCP - Restart Communications Option || url,wiki.quadrantsec.com/bin/view/Main/6105623 6105624 || [CISCO-SDEE] Modbus TCP - Clear Counters and Diagnostic Registers 
|| url,wiki.quadrantsec.com/bin/view/Main/6105624 6105625 || [CISCO-SDEE] Modbus TCP - Read Device Identification || url,wiki.quadrantsec.com/bin/view/Main/6105625 6105626 || [CISCO-SDEE] Modbus TCP - Report Server Information || url,wiki.quadrantsec.com/bin/view/Main/6105626 6105627 || [CISCO-SDEE] Modbus TCP - Illegal Packet Size || url,wiki.quadrantsec.com/bin/view/Main/6105627 6105628 || [CISCO-SDEE] Modbus Slave Device Busy Exception Code Delay || url,wiki.quadrantsec.com/bin/view/Main/6105628 6105629 || [CISCO-SDEE] Modbus Acknowledge Exception Code Delay || url,wiki.quadrantsec.com/bin/view/Main/6105629 6105630 || [CISCO-SDEE] Modbus TCP - Read Request to a PLC || url,wiki.quadrantsec.com/bin/view/Main/6105630 6105631 || [CISCO-SDEE] Modbus TCP - Write Request to a PLC || url,wiki.quadrantsec.com/bin/view/Main/6105631 6105632 || [CISCO-SDEE] Modbus TCP - Non-Modbus Communication || url,wiki.quadrantsec.com/bin/view/Main/6105632 6105633 || [CISCO-SDEE] .HTR Source View || url,wiki.quadrantsec.com/bin/view/Main/6105633 6105634 || [CISCO-SDEE] Barracuda Spam Firewall Command Execution || url,wiki.quadrantsec.com/bin/view/Main/6105634 6105635 || [CISCO-SDEE] Plug and Play Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105635 6105636 || [CISCO-SDEE] vBulletin Template PHP Code Injection Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6105636 6105637 || [CISCO-SDEE] Internet Explorer FTP Download Path Traversal || url,wiki.quadrantsec.com/bin/view/Main/6105637 6105638 || [CISCO-SDEE] PHP Command Injection || url,wiki.quadrantsec.com/bin/view/Main/6105638 6105639 || [CISCO-SDEE] Web View Script Injection Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6105639 6105640 || [CISCO-SDEE] XML Race Condition in Internet Explorer || url,wiki.quadrantsec.com/bin/view/Main/6105640 6105641 || [CISCO-SDEE] MS DTC DoS || url,wiki.quadrantsec.com/bin/view/Main/6105641 6105642 || [CISCO-SDEE] DirectShow Overflow || 
url,wiki.quadrantsec.com/bin/view/Main/6105642 6105643 || [CISCO-SDEE] Sox WAV File Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105643 6105644 || [CISCO-SDEE] Client Service for NetWare Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105644 6105645 || [CISCO-SDEE] SSH URI Handler || url,wiki.quadrantsec.com/bin/view/Main/6105645 6105646 || [CISCO-SDEE] Gatekeeper Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105646 6105647 || [CISCO-SDEE] Savant Webserver Request Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105647 6105648 || [CISCO-SDEE] Tomcat Denial of Service Attack || url,wiki.quadrantsec.com/bin/view/Main/6105648 6105649 || [CISCO-SDEE] ESignal Remote Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105649 6105650 || [CISCO-SDEE] Finjan SurfinGate FHTTP Restart Command Execution || url,wiki.quadrantsec.com/bin/view/Main/6105650 6105651 || [CISCO-SDEE] Helix Server DoS || url,wiki.quadrantsec.com/bin/view/Main/6105651 6105652 || [CISCO-SDEE] FTP Directory Traversal || url,wiki.quadrantsec.com/bin/view/Main/6105652 6105653 || [CISCO-SDEE] Cisco WLSE/HSE Default Username || url,wiki.quadrantsec.com/bin/view/Main/6105653 6105654 || [CISCO-SDEE] FTP Root Drive Access Attempt || url,wiki.quadrantsec.com/bin/view/Main/6105654 6105655 || [CISCO-SDEE] Cobalt RaQ Cross Site Scripting Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6105655 6105656 || [CISCO-SDEE] Oracle TNS Listener DoS || url,wiki.quadrantsec.com/bin/view/Main/6105656 6105657 || [CISCO-SDEE] AMLServer Local Path Disclosure || url,wiki.quadrantsec.com/bin/view/Main/6105657 6105658 || [CISCO-SDEE] Apache Tomcat JSP Engine DoS || url,wiki.quadrantsec.com/bin/view/Main/6105658 6105659 || [CISCO-SDEE] VMWare GSX Server Authentication Server Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105659 6105660 || [CISCO-SDEE] SquirrelMail Email Header Script Injection || url,wiki.quadrantsec.com/bin/view/Main/6105660 6105661 || [CISCO-SDEE] Long HTTP Request || 
url,wiki.quadrantsec.com/bin/view/Main/6105661 6105662 || [CISCO-SDEE] HTTP POST Content-Type Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105662 6105663 || [CISCO-SDEE] NoOp Sled On HTTPS Port || url,wiki.quadrantsec.com/bin/view/Main/6105663 6105664 || [CISCO-SDEE] Apache Tomcat Null Byte File Disclosure || url,wiki.quadrantsec.com/bin/view/Main/6105664 6105665 || [CISCO-SDEE] Ultimate PHP Board Code Execution || url,wiki.quadrantsec.com/bin/view/Main/6105665 6105666 || [CISCO-SDEE] Unix chetcpasswd.cgi File Disclosure Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6105666 6105667 || [CISCO-SDEE] Site Searcher Arbitrary Code Execution || url,wiki.quadrantsec.com/bin/view/Main/6105667 6105668 || [CISCO-SDEE] Unauthenticated FTP Connection || url,wiki.quadrantsec.com/bin/view/Main/6105668 6105669 || [CISCO-SDEE] Arkeia Type 74 Request Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105669 6105671 || [CISCO-SDEE] IMAP Select Excessive Length || url,wiki.quadrantsec.com/bin/view/Main/6105671 6105672 || [CISCO-SDEE] Computer Associates Message Queuing Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105672 6105673 || [CISCO-SDEE] NetBackup Format String || url,wiki.quadrantsec.com/bin/view/Main/6105673 6105674 || [CISCO-SDEE] Snort Back Orifice Preprocessor Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105674 6105675 || [CISCO-SDEE] HP-UX LPD Command Execution || url,wiki.quadrantsec.com/bin/view/Main/6105675 6105676 || [CISCO-SDEE] News Manager Lite Authentication Bypass || url,wiki.quadrantsec.com/bin/view/Main/6105676 6105677 || [CISCO-SDEE] Helix Universal Server Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105677 6105678 || [CISCO-SDEE] AWStats Plugin Log Access || url,wiki.quadrantsec.com/bin/view/Main/6105678 6105679 || [CISCO-SDEE] Oracle TNS Listener Denial Of Service || url,wiki.quadrantsec.com/bin/view/Main/6105679 6105680 || [CISCO-SDEE] Apache Line Feed DoS || url,wiki.quadrantsec.com/bin/view/Main/6105680 
6105681 || [CISCO-SDEE] ISC DHCP Daemon Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105681 6105683 || [CISCO-SDEE] Vista Feed Headlines Gadget Remote Code Execution || url,wiki.quadrantsec.com/bin/view/Main/6105683 6105684 || [CISCO-SDEE] Malformed SIP Packet || url,wiki.quadrantsec.com/bin/view/Main/6105684 6105685 || [CISCO-SDEE] WebBBS Command Execution Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6105685 6105686 || [CISCO-SDEE] Long POPPASSWD String Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105686 6105687 || [CISCO-SDEE] IE Frame Cross Zone Scripting || url,wiki.quadrantsec.com/bin/view/Main/6105687 6105688 || [CISCO-SDEE] RSA WebAgent Redirect Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105688 6105689 || [CISCO-SDEE] MSSQL Resolution Service Keep-Alive DoS || url,wiki.quadrantsec.com/bin/view/Main/6105689 6105692 || [CISCO-SDEE] Macromedia Flash Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105692 6105693 || [CISCO-SDEE] Metafile Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105693 6105694 || [CISCO-SDEE] Enhanced Metafile Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105694 6105695 || [CISCO-SDEE] Enhanced Metafile DoS || url,wiki.quadrantsec.com/bin/view/Main/6105695 6105696 || [CISCO-SDEE] Midi Decoder Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105696 6105697 || [CISCO-SDEE] Script in Email Body || url,wiki.quadrantsec.com/bin/view/Main/6105697 6105698 || [CISCO-SDEE] LanMan DoS || url,wiki.quadrantsec.com/bin/view/Main/6105698 6105699 || [CISCO-SDEE] SalesLogix File Upload Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6105699 6105700 || [CISCO-SDEE] PHP cURL Arbitrary File Access || url,wiki.quadrantsec.com/bin/view/Main/6105700 6105701 || [CISCO-SDEE] Oracle Soap Request || url,wiki.quadrantsec.com/bin/view/Main/6105701 6105703 || [CISCO-SDEE] Video Surveillance IP Gateway Encoder/Decoder Telnet Authentication Vulnerability || 
url,wiki.quadrantsec.com/bin/view/Main/6105703 6105705 || [CISCO-SDEE] iPlanet Web Server Remote Root Command Execution || url,wiki.quadrantsec.com/bin/view/Main/6105705 6105706 || [CISCO-SDEE] Persistent Content in a Dynamic Webpage || url,wiki.quadrantsec.com/bin/view/Main/6105706 6105708 || [CISCO-SDEE] SWAT Pre-Authentication Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105708 6105710 || [CISCO-SDEE] Eicar Standard Anti-Virus Test File || url,wiki.quadrantsec.com/bin/view/Main/6105710 6105711 || [CISCO-SDEE] Malformed URL || url,wiki.quadrantsec.com/bin/view/Main/6105711 6105713 || [CISCO-SDEE] Zip File Name Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105713 6105714 || [CISCO-SDEE] GKrellM Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105714 6105715 || [CISCO-SDEE] SAP Internet Transaction Server Information Disclosure || url,wiki.quadrantsec.com/bin/view/Main/6105715 6105716 || [CISCO-SDEE] IOS Stack Group Bidding Protocol DoS || url,wiki.quadrantsec.com/bin/view/Main/6105716 6105717 || [CISCO-SDEE] Ipswitch SMTP Format String || url,wiki.quadrantsec.com/bin/view/Main/6105717 6105718 || [CISCO-SDEE] VERITAS NetBackup Volume Manager Daemon Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105718 6105720 || [CISCO-SDEE] Lyris ListManager SQL Command Injection || url,wiki.quadrantsec.com/bin/view/Main/6105720 6105722 || [CISCO-SDEE] Google Appliance ProxyStyleSheet Command Execution || url,wiki.quadrantsec.com/bin/view/Main/6105722 6105723 || [CISCO-SDEE] Microsoft IIS .dll DoS || url,wiki.quadrantsec.com/bin/view/Main/6105723 6105724 || [CISCO-SDEE] Nikto Scan || url,wiki.quadrantsec.com/bin/view/Main/6105724 6105725 || [CISCO-SDEE] Novell NMAP Agent Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105725 6105726 || [CISCO-SDEE] Active Directory Failed Login || url,wiki.quadrantsec.com/bin/view/Main/6105726 6105727 || [CISCO-SDEE] Cisco VPN 3000 Concentrator HTTP Attack Vulnerability || 
url,wiki.quadrantsec.com/bin/view/Main/6105727 6105728 || [CISCO-SDEE] Windows IGMP DoS || url,wiki.quadrantsec.com/bin/view/Main/6105728 6105729 || [CISCO-SDEE] Windows Media Player Browser Plug-in Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105729 6105730 || [CISCO-SDEE] Winamp Playlist File Handling Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105730 6105731 || [CISCO-SDEE] Windows Media Player BMP Processing Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6105731 6105732 || [CISCO-SDEE] Web Client Remote Code Execution Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6105732 6105733 || [CISCO-SDEE] Long HTTP Header Hostname || url,wiki.quadrantsec.com/bin/view/Main/6105733 6105734 || [CISCO-SDEE] IE isComponentInstalled() Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105734 6105735 || [CISCO-SDEE] Macromedia Flash Player ActionDefineFunction Code Execution || url,wiki.quadrantsec.com/bin/view/Main/6105735 6105736 || [CISCO-SDEE] WinVNC Client Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105736 6105737 || [CISCO-SDEE] Internet Explorer Action Handlers Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105737 6105738 || [CISCO-SDEE] Windows ACS Registry Access || url,wiki.quadrantsec.com/bin/view/Main/6105738 6105739 || [CISCO-SDEE] Active Directory Failed Login || url,wiki.quadrantsec.com/bin/view/Main/6105739 6105740 || [CISCO-SDEE] Kerio Personal Firewall Remote Authentication Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105740 6105743 || [CISCO-SDEE] PeerCast Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105743 6105744 || [CISCO-SDEE] IMAP Login DoS || url,wiki.quadrantsec.com/bin/view/Main/6105744 6105745 || [CISCO-SDEE] FTP REST command || url,wiki.quadrantsec.com/bin/view/Main/6105745 6105746 || [CISCO-SDEE] FTP ALLO command || url,wiki.quadrantsec.com/bin/view/Main/6105746 6105747 || [CISCO-SDEE] MDAC Function Remote Code Execution || 
url,wiki.quadrantsec.com/bin/view/Main/6105747 6105748 || [CISCO-SDEE] Non-SMTP Session Start || url,wiki.quadrantsec.com/bin/view/Main/6105748 6105749 || [CISCO-SDEE] Internet Explorer Double Byte Character Parsing || url,wiki.quadrantsec.com/bin/view/Main/6105749 6105750 || [CISCO-SDEE] WLSE Cross Site Scripting || url,wiki.quadrantsec.com/bin/view/Main/6105750 6105751 || [CISCO-SDEE] Ultr@VNC Client Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105751 6105752 || [CISCO-SDEE] Sybase EAServer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105752 6105753 || [CISCO-SDEE] Office Mailto Handler Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6105753 6105754 || [CISCO-SDEE] PAJAX Remote Code Execution Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6105754 6105756 || [CISCO-SDEE] Embedded TCP Connection Relay || url,wiki.quadrantsec.com/bin/view/Main/6105756 6105757 || [CISCO-SDEE] Microsoft Exchange Server Cross-Site Scripting || url,wiki.quadrantsec.com/bin/view/Main/6105757 6105758 || [CISCO-SDEE] Bomberclone Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105758 6105759 || [CISCO-SDEE] VNC Authentication Bypass || url,wiki.quadrantsec.com/bin/view/Main/6105759 6105760 || [CISCO-SDEE] Novell GroupWise Messenger Accept-Language Value Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105760 6105761 || [CISCO-SDEE] Ultr@VNC Server Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105761 6105763 || [CISCO-SDEE] Wireless Control System Cross Server Site Scripting || url,wiki.quadrantsec.com/bin/view/Main/6105763 6105764 || [CISCO-SDEE] ShixxNOTE Font Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105764 6105765 || [CISCO-SDEE] Horde Help Viewer Remote Code Execution || url,wiki.quadrantsec.com/bin/view/Main/6105765 6105766 || [CISCO-SDEE] DNS Resolution Response Code Execution || url,wiki.quadrantsec.com/bin/view/Main/6105766 6105767 || [CISCO-SDEE] FreeSSHd Key Exchange Overflow || 
url,wiki.quadrantsec.com/bin/view/Main/6105767 6105768 || [CISCO-SDEE] Warez Activity || url,wiki.quadrantsec.com/bin/view/Main/6105768 6105769 || [CISCO-SDEE] Malformed HTTP Request || url,wiki.quadrantsec.com/bin/view/Main/6105769 6105770 || [CISCO-SDEE] Cisco Secure ACS XSS || url,wiki.quadrantsec.com/bin/view/Main/6105770 6105771 || [CISCO-SDEE] Winny Activity || url,wiki.quadrantsec.com/bin/view/Main/6105771 6105772 || [CISCO-SDEE] ASP.NET Information Disclosure Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6105772 6105773 || [CISCO-SDEE] Simple PHP Blog Unauthorized File Access || url,wiki.quadrantsec.com/bin/view/Main/6105773 6105774 || [CISCO-SDEE] Windows Media Player PNG Processing Remote Code Execution || url,wiki.quadrantsec.com/bin/view/Main/6105774 6105775 || [CISCO-SDEE] MHTML Redirection || url,wiki.quadrantsec.com/bin/view/Main/6105775 6105776 || [CISCO-SDEE] Routing and Remote Access Service Code Execution || url,wiki.quadrantsec.com/bin/view/Main/6105776 6105777 || [CISCO-SDEE] Mozilla Favicon Code Execution || url,wiki.quadrantsec.com/bin/view/Main/6105777 6105778 || [CISCO-SDEE] Windows Uplddrvinfo.htm File Deletion Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6105778 6105779 || [CISCO-SDEE] ICCP COTP Connection Request || url,wiki.quadrantsec.com/bin/view/Main/6105779 6105780 || [CISCO-SDEE] ICCP COTP Connection Established || url,wiki.quadrantsec.com/bin/view/Main/6105780 6105781 || [CISCO-SDEE] ICCP Client Association || url,wiki.quadrantsec.com/bin/view/Main/6105781 6105782 || [CISCO-SDEE] ICCP MMS Write Request Attempt || url,wiki.quadrantsec.com/bin/view/Main/6105782 6105783 || [CISCO-SDEE] ICCP MMS Write Request Succeeded || url,wiki.quadrantsec.com/bin/view/Main/6105783 6105784 || [CISCO-SDEE] ICCP COTP Address Unknown Disconnect || url,wiki.quadrantsec.com/bin/view/Main/6105784 6105785 || [CISCO-SDEE] ICCP COTP Protocol Error Disconnect || url,wiki.quadrantsec.com/bin/view/Main/6105785 6105786 || [CISCO-SDEE] ICCP 
Invalid OSI SSEL || url,wiki.quadrantsec.com/bin/view/Main/6105786 6105787 || [CISCO-SDEE] ICCP Invalid OSI PSEL || url,wiki.quadrantsec.com/bin/view/Main/6105787 6105788 || [CISCO-SDEE] ICCP Invalid TPKT Protocol || url,wiki.quadrantsec.com/bin/view/Main/6105788 6105789 || [CISCO-SDEE] HTTP Tunnel Client Activity || url,wiki.quadrantsec.com/bin/view/Main/6105789 6105790 || [CISCO-SDEE] CS-MARS JBoss Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6105790 6105792 || [CISCO-SDEE] Excel Hyperlink Object Library Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105792 6105793 || [CISCO-SDEE] SMB Server Driver Remote Execution || url,wiki.quadrantsec.com/bin/view/Main/6105793 6105794 || [CISCO-SDEE] Routing and Remote Access Service RASMAN Registry Stack Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105794 6105795 || [CISCO-SDEE] DHCP Option Overflow Code Execution || url,wiki.quadrantsec.com/bin/view/Main/6105795 6105796 || [CISCO-SDEE] Cisco IOS HTTP Unauthorized Command Execution || url,wiki.quadrantsec.com/bin/view/Main/6105796 6105797 || [CISCO-SDEE] Exchange Calendar DoS || url,wiki.quadrantsec.com/bin/view/Main/6105797 6105798 || [CISCO-SDEE] Mambo PHP sbp File Inclusion Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6105798 6105799 || [CISCO-SDEE] Server Service Code Execution || url,wiki.quadrantsec.com/bin/view/Main/6105799 6105800 || [CISCO-SDEE] HTTP Large Content-Type || url,wiki.quadrantsec.com/bin/view/Main/6105800 6105801 || [CISCO-SDEE] Quicktime JPEG Code Execution Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105801 6105802 || [CISCO-SDEE] MHTML URI Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105802 6105803 || [CISCO-SDEE] Sygate Login Servlet SQL Injection || url,wiki.quadrantsec.com/bin/view/Main/6105803 6105804 || [CISCO-SDEE] VPN3000 Concentrator Unauthenticated FTP Access || url,wiki.quadrantsec.com/bin/view/Main/6105804 6105805 || [CISCO-SDEE] VPN3000 Concentrator FTP RMD Execution || 
url,wiki.quadrantsec.com/bin/view/Main/6105805 6105806 || [CISCO-SDEE] Winny P2P Connection Activity || url,wiki.quadrantsec.com/bin/view/Main/6105806 6105807 || [CISCO-SDEE] Indexing Service Cross Site Scripting Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6105807 6105809 || [CISCO-SDEE] DCERPC Authentication DoS || url,wiki.quadrantsec.com/bin/view/Main/6105809 6105810 || [CISCO-SDEE] SecureCRT SSH1 Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105810 6105812 || [CISCO-SDEE] Cisco IPS SSL DOS Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6105812 6105813 || [CISCO-SDEE] Microsoft Internet Explorer Vector Markup Language Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6105813 6105814 || [CISCO-SDEE] Step-by-Step Interactive Training Remote Code Execution || url,wiki.quadrantsec.com/bin/view/Main/6105814 6105815 || [CISCO-SDEE] WebViewFolderIcon setSlice() Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105815 6105816 || [CISCO-SDEE] TOR Client Activity || url,wiki.quadrantsec.com/bin/view/Main/6105816 6105817 || [CISCO-SDEE] ASP .NET Cross Site Scripting || url,wiki.quadrantsec.com/bin/view/Main/6105817 6105818 || [CISCO-SDEE] Metasploit Shellcode Encoder || url,wiki.quadrantsec.com/bin/view/Main/6105818 6105819 || [CISCO-SDEE] Long FTP XCRC XSHA1 XMD5 Command || url,wiki.quadrantsec.com/bin/view/Main/6105819 6105820 || [CISCO-SDEE] Symantec AntiVirus and Client Security Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105820 6105821 || [CISCO-SDEE] DirectAnimation ActiveX Memory Corruption || url,wiki.quadrantsec.com/bin/view/Main/6105821 6105822 || [CISCO-SDEE] Workstation Service Memory Corruption Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6105822 6105823 || [CISCO-SDEE] McAfee Epolicy Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105823 6105824 || [CISCO-SDEE] HTTP Header DoS || url,wiki.quadrantsec.com/bin/view/Main/6105824 6105825 || [CISCO-SDEE] SIP Malformed Invite Packet || 
url,wiki.quadrantsec.com/bin/view/Main/6105825 6105826 || [CISCO-SDEE] EIQ ESA Topology Delete Device Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105826 6105827 || [CISCO-SDEE] Internet Explorer ActiveX Control Arbitrary Code Execution || url,wiki.quadrantsec.com/bin/view/Main/6105827 6105828 || [CISCO-SDEE] Apache Server Side Cross Site Scripting || url,wiki.quadrantsec.com/bin/view/Main/6105828 6105829 || [CISCO-SDEE] Invalid SSL Packet || url,wiki.quadrantsec.com/bin/view/Main/6105829 6105830 || [CISCO-SDEE] Cisco Secure Access Control Server HTTP Request Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105830 6105831 || [CISCO-SDEE] Cisco Secure Access Control Server RADIUS Accounting Request Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6105831 6105832 || [CISCO-SDEE] IOS Crafted IP Option Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6105832 6105833 || [CISCO-SDEE] Quicktime RTSP URL Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6105833 6105835 || [CISCO-SDEE] Cisco IOS SIP DoS Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6105835 6105837 || [CISCO-SDEE] Malformed TCP packet || url,wiki.quadrantsec.com/bin/view/Main/6105837 6105838 || [CISCO-SDEE] IOS NAM SNMP Traffic || url,wiki.quadrantsec.com/bin/view/Main/6105838 6105839 || [CISCO-SDEE] Internet Explorer FTP Server Response Code Execution || url,wiki.quadrantsec.com/bin/view/Main/6105839 6105840 || [CISCO-SDEE] Internet Explorer CLSID Code Execution || url,wiki.quadrantsec.com/bin/view/Main/6105840 6105841 || [CISCO-SDEE] CatOS NAM SNMP Traffic || url,wiki.quadrantsec.com/bin/view/Main/6105841 6105842 || [CISCO-SDEE] Solaris Telnet Authentication Bypass || url,wiki.quadrantsec.com/bin/view/Main/6105842 6105843 || [CISCO-SDEE] CA BrightStor Tape Engine Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105843 6105845 || [CISCO-SDEE] Word Memory Corruption Exploit || url,wiki.quadrantsec.com/bin/view/Main/6105845 6105846 || [CISCO-SDEE] FTP 230 Reply Code 
|| url,wiki.quadrantsec.com/bin/view/Main/6105846 6105847 || [CISCO-SDEE] FTP Successful Privileged Login || url,wiki.quadrantsec.com/bin/view/Main/6105847 6105848 || [CISCO-SDEE] Content Management Service Cross-site Scripting || url,wiki.quadrantsec.com/bin/view/Main/6105848 6105849 || [CISCO-SDEE] Microsoft Content Management Server Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6105849 6105850 || [CISCO-SDEE] Snort DCE/RPC Preprocessor Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6105850 6105851 || [CISCO-SDEE] WCS Administrative Directory Access || url,wiki.quadrantsec.com/bin/view/Main/6105851 6105852 || [CISCO-SDEE] Word Malformed String Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6105852 6105853 || [CISCO-SDEE] SIP Invite DoS || url,wiki.quadrantsec.com/bin/view/Main/6105853 6105854 || [CISCO-SDEE] Cisco CUCM/CUPS Denial of Service Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6105854 6105855 || [CISCO-SDEE] Helix Remote Code Execution || url,wiki.quadrantsec.com/bin/view/Main/6105855 6105856 || [CISCO-SDEE] Agent URL Parsing Remote Code Execution || url,wiki.quadrantsec.com/bin/view/Main/6105856 6105857 || [CISCO-SDEE] UPnP Memory Corruption Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6105857 6105858 || [CISCO-SDEE] DNS Server RPC Interface Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105858 6105859 || [CISCO-SDEE] uTorrent File Handling Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105859 6105860 || [CISCO-SDEE] IOS FTPd Successful Login || url,wiki.quadrantsec.com/bin/view/Main/6105860 6105861 || [CISCO-SDEE] Cisco CNS Netflow Collection Engine Default Password || url,wiki.quadrantsec.com/bin/view/Main/6105861 6105862 || [CISCO-SDEE] Outlook Web Access UTF Character Script Execution || url,wiki.quadrantsec.com/bin/view/Main/6105862 6105863 || [CISCO-SDEE] Internet Explorer CAPICOM.Certificates Remote Code Execution || url,wiki.quadrantsec.com/bin/view/Main/6105863 6105864 || 
[CISCO-SDEE] Exchange Server IMAP Literal Processing Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6105864 6105865 || [CISCO-SDEE] Microsoft WMS Arbitrary File Rewrite Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6105865 6105866 || [CISCO-SDEE] IBM Lotus Domino IMAP CRAM-MD5 Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105866 6105868 || [CISCO-SDEE] IE Navigation Cancel Page Spoofing Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6105868 6105869 || [CISCO-SDEE] Internet Explorer CSS Tag Memory Corruption || url,wiki.quadrantsec.com/bin/view/Main/6105869 6105870 || [CISCO-SDEE] Win32 API Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6105870 6105871 || [CISCO-SDEE] Urlmon.dll COM Object Instantiation || url,wiki.quadrantsec.com/bin/view/Main/6105871 6105873 || [CISCO-SDEE] Microsoft Speech API 4 ActiveX Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105873 6105874 || [CISCO-SDEE] Microsoft Speech API 4 ActiveX Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105874 6105876 || [CISCO-SDEE] WinZip ActiveX Control Instantiation || url,wiki.quadrantsec.com/bin/view/Main/6105876 6105877 || [CISCO-SDEE] IE Protocol Handler Command Execution || url,wiki.quadrantsec.com/bin/view/Main/6105877 6105878 || [CISCO-SDEE] VBE Object ID Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105878 6105879 || [CISCO-SDEE] Apple QuickTime Java QTPointer Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6105879 6105880 || [CISCO-SDEE] Sun Java Web Start JNLP File Stack Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105880 6105884 || [CISCO-SDEE] IOS NHRP Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105884 6105885 || [CISCO-SDEE] EnjoySAP kweditcontrol.kwedit Stack Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105885 6105886 || [CISCO-SDEE] Sun Java Socks Proxy Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105886 6105887 || [CISCO-SDEE] Microsoft PDWizard ActiveX Overflow || 
url,wiki.quadrantsec.com/bin/view/Main/6105887 6105888 || [CISCO-SDEE] TLBINF32.DLL COM Object Instantiation || url,wiki.quadrantsec.com/bin/view/Main/6105888 6105889 || [CISCO-SDEE] NeoTrace ActiveX Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105889 6105890 || [CISCO-SDEE] Long IMAP SUBSCRIBE Command || url,wiki.quadrantsec.com/bin/view/Main/6105890 6105892 || [CISCO-SDEE] Motive Communications ActiveUtils Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105892 6105893 || [CISCO-SDEE] Cisco IP Phone Remote Denial of Service || url,wiki.quadrantsec.com/bin/view/Main/6105893 6105894 || [CISCO-SDEE] Storm Worm || url,wiki.quadrantsec.com/bin/view/Main/6105894 6105898 || [CISCO-SDEE] Microsoft Agent HTTP Code Execution || url,wiki.quadrantsec.com/bin/view/Main/6105898 6105899 || [CISCO-SDEE] MSN Messenger Webcam Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105899 6105902 || [CISCO-SDEE] AIM Message HTML Injection || url,wiki.quadrantsec.com/bin/view/Main/6105902 6105903 || [CISCO-SDEE] MS SharePoint XSS || url,wiki.quadrantsec.com/bin/view/Main/6105903 6105905 || [CISCO-SDEE] Microsoft Internet Explorer Address Bar Spoof || url,wiki.quadrantsec.com/bin/view/Main/6105905 6105906 || [CISCO-SDEE] Microsoft Malformed Word Document Code Execution || url,wiki.quadrantsec.com/bin/view/Main/6105906 6105908 || [CISCO-SDEE] NNTP Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105908 6105909 || [CISCO-SDEE] Browser Address Bar Spoofing Attack || url,wiki.quadrantsec.com/bin/view/Main/6105909 6105910 || [CISCO-SDEE] CUCM Centralized TFTP File Locator Service Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105910 6105912 || [CISCO-SDEE] CUCM SIP INVITE UDP Denial of Service || url,wiki.quadrantsec.com/bin/view/Main/6105912 6105913 || [CISCO-SDEE] PIX/ASA/FWSM MGCP DoS || url,wiki.quadrantsec.com/bin/view/Main/6105913 6105915 || [CISCO-SDEE] Microsoft FoxPro ActiveX Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6105915 
6105916 || [CISCO-SDEE] URL Handler Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6105916 6105918 || [CISCO-SDEE] AskJeeves Toolbar ActiveX Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105918 6105919 || [CISCO-SDEE] Microsoft Kodak Image Viewer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105919 6105920 || [CISCO-SDEE] Apple Quicktime VRPanoSampleAtom Heap Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105920 6105921 || [CISCO-SDEE] Apple Quicktime Color Table Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105921 6105922 || [CISCO-SDEE] BEA WebLogic Admin Console Cross Site Scripting || url,wiki.quadrantsec.com/bin/view/Main/6105922 6105923 || [CISCO-SDEE] Microsoft Internet Explorer FTP Client Directory Traversal issue || url,wiki.quadrantsec.com/bin/view/Main/6105923 6105924 || [CISCO-SDEE] Mozilla Browsers JavaScript Argument Passing Code Execution Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6105924 6105925 || [CISCO-SDEE] Internet Explorer HTML Object Memory Corruption || url,wiki.quadrantsec.com/bin/view/Main/6105925 6105926 || [CISCO-SDEE] Oracle ctxsys.driload Access Violation Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6105926 6105927 || [CISCO-SDEE] Novell GroupWise WebAccess Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105927 6105928 || [CISCO-SDEE] CSA for Windows System Driver Remote Buffer Overflow Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6105928 6105929 || [CISCO-SDEE] McAfee VirusScan File Name Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105929 6105930 || [CISCO-SDEE] Generic SQL Injection || url,wiki.quadrantsec.com/bin/view/Main/6105930 6105931 || [CISCO-SDEE] Google Ratproxy || url,wiki.quadrantsec.com/bin/view/Main/6105931 6105933 || [CISCO-SDEE] Oracle Database DBMS_Scheduler Privilege Escalation || url,wiki.quadrantsec.com/bin/view/Main/6105933 6105934 || [CISCO-SDEE] Winamp MP4 Memory Corruption || url,wiki.quadrantsec.com/bin/view/Main/6105934 
6105935 || [CISCO-SDEE] Quicktime FlipFileTypeAtom_BtoN Underflow || url,wiki.quadrantsec.com/bin/view/Main/6105935 6105936 || [CISCO-SDEE] QuickTime MOV Heap Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105936 6105937 || [CISCO-SDEE] Oracle Database SUBSCRIPTION_NAME Parameter SQL Injection || url,wiki.quadrantsec.com/bin/view/Main/6105937 6105938 || [CISCO-SDEE] Oracle Database sys.pbsde.init Procedure Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105938 6105939 || [CISCO-SDEE] Word Text Box Memory Curruption || url,wiki.quadrantsec.com/bin/view/Main/6105939 6105940 || [CISCO-SDEE] HTML Objects Memory Corruption Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6105940 6105941 || [CISCO-SDEE] Windows CSRSS Message Box Memory Corruption || url,wiki.quadrantsec.com/bin/view/Main/6105941 6105942 || [CISCO-SDEE] Yahoo Messenger AudioConf ActiveX Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105942 6105943 || [CISCO-SDEE] Oracle Database Server SQL Query Directory Traversal || url,wiki.quadrantsec.com/bin/view/Main/6105943 6105944 || [CISCO-SDEE] eTrust IDS Encryption Key DoS || url,wiki.quadrantsec.com/bin/view/Main/6105944 6105945 || [CISCO-SDEE] MS IE Cross Frame Scripting Restriction Bypass || url,wiki.quadrantsec.com/bin/view/Main/6105945 6105948 || [CISCO-SDEE] Ingres Database uuid_from_char() Stack Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105948 6105949 || [CISCO-SDEE] Multiple HP Web Jetadmin Vulnerabilities || url,wiki.quadrantsec.com/bin/view/Main/6105949 6105950 || [CISCO-SDEE] Excel Malformed String Code Execution || url,wiki.quadrantsec.com/bin/view/Main/6105950 6105951 || [CISCO-SDEE] BrightStor ARCserve Backup MSRPC Memory Corruption || url,wiki.quadrantsec.com/bin/view/Main/6105951 6105952 || [CISCO-SDEE] WordPerfect Importer/Exporter Heap Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105952 6105953 || [CISCO-SDEE] Apache Tomcat Directory Traversal || url,wiki.quadrantsec.com/bin/view/Main/6105953 
6105954 || [CISCO-SDEE] ePolicy Orchestrator SiteManager ActiveX Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105954 6105955 || [CISCO-SDEE] QuickTime udta Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105955 6105956 || [CISCO-SDEE] Multiple Vendor SOAP DoS || url,wiki.quadrantsec.com/bin/view/Main/6105956 6105957 || [CISCO-SDEE] QuickTime Heap Corruption || url,wiki.quadrantsec.com/bin/view/Main/6105957 6105959 || [CISCO-SDEE] Citrix ICA Client ActiveX Control Buffer Overflow Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6105959 6105960 || [CISCO-SDEE] Mozilla Regular Expressions Heap Corruption || url,wiki.quadrantsec.com/bin/view/Main/6105960 6105961 || [CISCO-SDEE] Oracle Database Server MD2 package SDO_CODE_SIZE procedure Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105961 6105963 || [CISCO-SDEE] Kerberos V5 Principal Name Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105963 6105966 || [CISCO-SDEE] Symantec Veritas NetBackup Server bpcd Long Request Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105966 6105967 || [CISCO-SDEE] Symantec Veritas NetBackup CONNECT_OPTIONS Request Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105967 6105971 || [CISCO-SDEE] IE daxctle.ocx KeyFrame Memory Curruption || url,wiki.quadrantsec.com/bin/view/Main/6105971 6105972 || [CISCO-SDEE] QuickTime Movie Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105972 6105973 || [CISCO-SDEE] Publisher Font Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105973 6105974 || [CISCO-SDEE] Oracle Database Server SDO_CS.TRANSFORM_LAYER Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105974 6105975 || [CISCO-SDEE] Microsoft Windows Media Player ASX Playlist Parsing Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105975 6105976 || [CISCO-SDEE] Avast! 
Remote LHA Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105976 6105977 || [CISCO-SDEE] DB2 Handshake DoS || url,wiki.quadrantsec.com/bin/view/Main/6105977 6105978 || [CISCO-SDEE] MailEnable SMTP Service SPF Lookup Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105978 6105979 || [CISCO-SDEE] Microsoft Internet Explorer COM Object Instantiation Memory Corruption || url,wiki.quadrantsec.com/bin/view/Main/6105979 6105980 || [CISCO-SDEE] Microsoft Speech API Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105980 6105982 || [CISCO-SDEE] Visual Basic for Applications SDK Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105982 6105983 || [CISCO-SDEE] Microsoft Internet Explorer VML Buffer Overrun || url,wiki.quadrantsec.com/bin/view/Main/6105983 6105984 || [CISCO-SDEE] IE COM Object Code Execution || url,wiki.quadrantsec.com/bin/view/Main/6105984 6105985 || [CISCO-SDEE] Quicktime RTSP Content-Type Excessive Length || url,wiki.quadrantsec.com/bin/view/Main/6105985 6105986 || [CISCO-SDEE] Microsoft GDI GIF Parsing Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6105986 6105987 || [CISCO-SDEE] Mozilla Products SVG layout vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6105987 6105991 || [CISCO-SDEE] MaxDB WebDBM Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105991 6105993 || [CISCO-SDEE] IE COM Object Instantiation Memory Corruption || url,wiki.quadrantsec.com/bin/view/Main/6105993 6105994 || [CISCO-SDEE] ImageMagick SGI Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105994 6105997 || [CISCO-SDEE] eGatherer RunEgatherer Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105997 6105998 || [CISCO-SDEE] SYS.KUPW-WORKER Package MAIN Procedure SQL Injection Attempt || url,wiki.quadrantsec.com/bin/view/Main/6105998 6106000 || [CISCO-SDEE] Oracle Server Reports Command Execution || url,wiki.quadrantsec.com/bin/view/Main/6106000 6106003 || [CISCO-SDEE] SNMP Community String Private || 
url,wiki.quadrantsec.com/bin/view/Main/6106003 6106004 || [CISCO-SDEE] IOS HTTP Server Iframe Command Injection || url,wiki.quadrantsec.com/bin/view/Main/6106004 6106005 || [CISCO-SDEE] Unencrypted SSL Traffic || url,wiki.quadrantsec.com/bin/view/Main/6106005 6106007 || [CISCO-SDEE] Management Console Cross-Site Scripting || url,wiki.quadrantsec.com/bin/view/Main/6106007 6106008 || [CISCO-SDEE] First 4 Internet XCP Uninstallation ActiveX Control || url,wiki.quadrantsec.com/bin/view/Main/6106008 6106009 || [CISCO-SDEE] SYN Flood DOS || url,wiki.quadrantsec.com/bin/view/Main/6106009 6106011 || [CISCO-SDEE] Internet Explorer FTP Command Injection || url,wiki.quadrantsec.com/bin/view/Main/6106011 6106012 || [CISCO-SDEE] EIQ License Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6106012 6106013 || [CISCO-SDEE] IRCBOT_JK DNS Lookup || url,wiki.quadrantsec.com/bin/view/Main/6106013 6106014 || [CISCO-SDEE] Flash Player Improper Memory Access || url,wiki.quadrantsec.com/bin/view/Main/6106014 6106015 || [CISCO-SDEE] Flash ActionDefineFunction Improper Memory Access || url,wiki.quadrantsec.com/bin/view/Main/6106015 6106016 || [CISCO-SDEE] RIM BlackBerry Enterprise Router DoS || url,wiki.quadrantsec.com/bin/view/Main/6106016 6106017 || [CISCO-SDEE] DirectShow SAMI Parsing Remote Code Execution || url,wiki.quadrantsec.com/bin/view/Main/6106017 6106020 || [CISCO-SDEE] QuickTime PictureViewer Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6106020 6106022 || [CISCO-SDEE] WebSphere J_Username Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6106022 6106023 || [CISCO-SDEE] IE JavaScript window() DoS || url,wiki.quadrantsec.com/bin/view/Main/6106023 6106024 || [CISCO-SDEE] Firefox JavaScript Information Disclosure || url,wiki.quadrantsec.com/bin/view/Main/6106024 6106025 || [CISCO-SDEE] Jet DB Engine Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6106025 6106026 || [CISCO-SDEE] Squid Gopher Protocol Handling Buffer Overflow || 
url,wiki.quadrantsec.com/bin/view/Main/6106026 6106027 || [CISCO-SDEE] Outlook Word Malformed Object Tag || url,wiki.quadrantsec.com/bin/view/Main/6106027 6106030 || [CISCO-SDEE] Microsoft Windows Message Queuing Service Code Execution || url,wiki.quadrantsec.com/bin/view/Main/6106030 6106031 || [CISCO-SDEE] Mcafee FreeScan Information Disclosure || url,wiki.quadrantsec.com/bin/view/Main/6106031 6106039 || [CISCO-SDEE] DOMNodeRemoved Mutation Memory Corruption || url,wiki.quadrantsec.com/bin/view/Main/6106039 6106040 || [CISCO-SDEE] Symantec Scan Engine Authentication Bypass || url,wiki.quadrantsec.com/bin/view/Main/6106040 6106041 || [CISCO-SDEE] Mozilla Firefox CSS Letter-Spacing Heap Overflow || url,wiki.quadrantsec.com/bin/view/Main/6106041 6106045 || [CISCO-SDEE] MHTTP Response Splitting || url,wiki.quadrantsec.com/bin/view/Main/6106045 6106046 || [CISCO-SDEE] InterNetNews NULL Path Denial of Service || url,wiki.quadrantsec.com/bin/view/Main/6106046 6106047 || [CISCO-SDEE] TrendMicro InterScan Viruswall Directory Traversal || url,wiki.quadrantsec.com/bin/view/Main/6106047 6106048 || [CISCO-SDEE] Oracle Database Server SQL SYS.KUPV Injection || url,wiki.quadrantsec.com/bin/view/Main/6106048 6106049 || [CISCO-SDEE] Oracle Database Server Login Access Control Bypass Exploit || url,wiki.quadrantsec.com/bin/view/Main/6106049 6106050 || [CISCO-SDEE] DNS HINFO Request || url,wiki.quadrantsec.com/bin/view/Main/6106050 6106051 || [CISCO-SDEE] DNS Zone Transfer || url,wiki.quadrantsec.com/bin/view/Main/6106051 6106052 || [CISCO-SDEE] DNS Zone Transfer from High Port || url,wiki.quadrantsec.com/bin/view/Main/6106052 6106053 || [CISCO-SDEE] DNS Request for All Records || url,wiki.quadrantsec.com/bin/view/Main/6106053 6106054 || [CISCO-SDEE] DNS Version Request || url,wiki.quadrantsec.com/bin/view/Main/6106054 6106055 || [CISCO-SDEE] DNS Inverse Query Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6106055 6106056 || [CISCO-SDEE] DNS NXT Buffer Overflow || 
url,wiki.quadrantsec.com/bin/view/Main/6106056 6106057 || [CISCO-SDEE] DNS SIG Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6106057 6106058 || [CISCO-SDEE] DNS SRV DoS || url,wiki.quadrantsec.com/bin/view/Main/6106058 6106059 || [CISCO-SDEE] DNS TSIG Overflow || url,wiki.quadrantsec.com/bin/view/Main/6106059 6106060 || [CISCO-SDEE] DNS Complain Overflow || url,wiki.quadrantsec.com/bin/view/Main/6106060 6106061 || [CISCO-SDEE] DNS Infoleak || url,wiki.quadrantsec.com/bin/view/Main/6106061 6106062 || [CISCO-SDEE] DNS Authors Request || url,wiki.quadrantsec.com/bin/view/Main/6106062 6106063 || [CISCO-SDEE] DNS Incremental Zone Transfer || url,wiki.quadrantsec.com/bin/view/Main/6106063 6106064 || [CISCO-SDEE] BIND Large OPT Record DoS || url,wiki.quadrantsec.com/bin/view/Main/6106064 6106065 || [CISCO-SDEE] DNS Query Name Loop DoS || url,wiki.quadrantsec.com/bin/view/Main/6106065 6106066 || [CISCO-SDEE] DNS Tunneling || url,wiki.quadrantsec.com/bin/view/Main/6106066 6106067 || [CISCO-SDEE] DNS TSIG Bugtraq Overflow || url,wiki.quadrantsec.com/bin/view/Main/6106067 6106068 || [CISCO-SDEE] Cisco Wireless Control System Administrative Default Password || url,wiki.quadrantsec.com/bin/view/Main/6106068 6106069 || [CISCO-SDEE] Windows Media Format Remote Code Execution || url,wiki.quadrantsec.com/bin/view/Main/6106069 6106070 || [CISCO-SDEE] Windows Media Format Remote Code Execution || url,wiki.quadrantsec.com/bin/view/Main/6106070 6106071 || [CISCO-SDEE] Oracle Database Server XDB.DBMS_XMLSCHEMA Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6106071 6106072 || [CISCO-SDEE] Visual Basic VBP Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6106072 6106073 || [CISCO-SDEE] Visual Studio Crystal Reports RPT File Code Execution || url,wiki.quadrantsec.com/bin/view/Main/6106073 6106074 || [CISCO-SDEE] DirectX RLE Compressed TGA Overflow || url,wiki.quadrantsec.com/bin/view/Main/6106074 6106075 || [CISCO-SDEE] Mozilla SOAPParameter Integer Overflow 
|| url,wiki.quadrantsec.com/bin/view/Main/6106075 6106076 || [CISCO-SDEE] ISC BIND DNS resolver buffer overflow || url,wiki.quadrantsec.com/bin/view/Main/6106076 6106077 || [CISCO-SDEE] IE Malformed GIF File || url,wiki.quadrantsec.com/bin/view/Main/6106077 6106078 || [CISCO-SDEE] Outlook Web Access XSS || url,wiki.quadrantsec.com/bin/view/Main/6106078 6106079 || [CISCO-SDEE] ACDSee Products XPM Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6106079 6106080 || [CISCO-SDEE] Adobe Products PNG Parsing || url,wiki.quadrantsec.com/bin/view/Main/6106080 6106081 || [CISCO-SDEE] Microsoft Excel BIFF Parsing || url,wiki.quadrantsec.com/bin/view/Main/6106081 6106082 || [CISCO-SDEE] Microsoft Excel Column Record Handling || url,wiki.quadrantsec.com/bin/view/Main/6106082 6106083 || [CISCO-SDEE] Microsoft Excel SetFont || url,wiki.quadrantsec.com/bin/view/Main/6106083 6106084 || [CISCO-SDEE] IE 7 HTML Object Memory Corruption || url,wiki.quadrantsec.com/bin/view/Main/6106084 6106085 || [CISCO-SDEE] IE Table Column Record Handling || url,wiki.quadrantsec.com/bin/view/Main/6106085 6106086 || [CISCO-SDEE] Windows Graphics Rendering Engine Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6106086 6106087 || [CISCO-SDEE] Symantec ISAKMP DoS || url,wiki.quadrantsec.com/bin/view/Main/6106087 6106088 || [CISCO-SDEE] Windows Compressed Folders Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6106088 6106089 || [CISCO-SDEE] PHP memory_limit Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6106089 6106090 || [CISCO-SDEE] Libpng Chunk Length Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6106090 6106091 || [CISCO-SDEE] Acrobat Reader File Extension Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6106091 6106092 || [CISCO-SDEE] Qt BMP Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6106092 6106094 || [CISCO-SDEE] Nullsoft Winamp M3U Remote Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6106094 6106095 || 
[CISCO-SDEE] Apache apr-util IPv6 URI Parsing Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6106095 6106100 || [CISCO-SDEE] RPC Port Registration || url,wiki.quadrantsec.com/bin/view/Main/6106100 6106101 || [CISCO-SDEE] RPC Port Unregistration || url,wiki.quadrantsec.com/bin/view/Main/6106101 6106102 || [CISCO-SDEE] RPC Dump || url,wiki.quadrantsec.com/bin/view/Main/6106102 6106103 || [CISCO-SDEE] Proxied RPC Request || url,wiki.quadrantsec.com/bin/view/Main/6106103 6106104 || [CISCO-SDEE] RPC Port Reg Spoof || url,wiki.quadrantsec.com/bin/view/Main/6106104 6106105 || [CISCO-SDEE] RPC Port UnReg Spoof || url,wiki.quadrantsec.com/bin/view/Main/6106105 6106106 || [CISCO-SDEE] Cisco Secure ACS EAP-TLS Authentication Bypass || url,wiki.quadrantsec.com/bin/view/Main/6106106 6106107 || [CISCO-SDEE] CVS File Existence Information Disclosure || url,wiki.quadrantsec.com/bin/view/Main/6106107 6106108 || [CISCO-SDEE] FreeRADIUS Denial of Service || url,wiki.quadrantsec.com/bin/view/Main/6106108 6106110 || [CISCO-SDEE] RPC RSTATD Sweep || url,wiki.quadrantsec.com/bin/view/Main/6106110 6106111 || [CISCO-SDEE] RPC RUSESRD Sweep || url,wiki.quadrantsec.com/bin/view/Main/6106111 6106112 || [CISCO-SDEE] RPC NFS Sweep || url,wiki.quadrantsec.com/bin/view/Main/6106112 6106113 || [CISCO-SDEE] RPC MOUNTD Sweep || url,wiki.quadrantsec.com/bin/view/Main/6106113 6106114 || [CISCO-SDEE] RPC YPASSWDD Sweep || url,wiki.quadrantsec.com/bin/view/Main/6106114 6106115 || [CISCO-SDEE] RPC SELECTION SVC Sweep || url,wiki.quadrantsec.com/bin/view/Main/6106115 6106116 || [CISCO-SDEE] RPC REXD Sweep || url,wiki.quadrantsec.com/bin/view/Main/6106116 6106117 || [CISCO-SDEE] RPC STATUS Sweep || url,wiki.quadrantsec.com/bin/view/Main/6106117 6106118 || [CISCO-SDEE] RPC TTDB Sweep || url,wiki.quadrantsec.com/bin/view/Main/6106118 6106119 || [CISCO-SDEE] MySQL Authentication Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6106119 6106120 || [CISCO-SDEE] RPC RSTATD Request || 
url,wiki.quadrantsec.com/bin/view/Main/6106120 6106121 || [CISCO-SDEE] RPC RUSESRD Request || url,wiki.quadrantsec.com/bin/view/Main/6106121 6106122 || [CISCO-SDEE] RPC NFS Request || url,wiki.quadrantsec.com/bin/view/Main/6106122 6106123 || [CISCO-SDEE] RPC MOUNTD Request || url,wiki.quadrantsec.com/bin/view/Main/6106123 6106124 || [CISCO-SDEE] RPC YPASSWDD Request || url,wiki.quadrantsec.com/bin/view/Main/6106124 6106125 || [CISCO-SDEE] RPC SELECTION SVC Request || url,wiki.quadrantsec.com/bin/view/Main/6106125 6106126 || [CISCO-SDEE] RPC REXD Request || url,wiki.quadrantsec.com/bin/view/Main/6106126 6106127 || [CISCO-SDEE] RPC STATUS Request || url,wiki.quadrantsec.com/bin/view/Main/6106127 6106128 || [CISCO-SDEE] RPC TTDB Request || url,wiki.quadrantsec.com/bin/view/Main/6106128 6106130 || [CISCO-SDEE] Microsoft Message Queuing Overflow || url,wiki.quadrantsec.com/bin/view/Main/6106130 6106131 || [CISCO-SDEE] Microsoft Plug and Play Overflow || url,wiki.quadrantsec.com/bin/view/Main/6106131 6106132 || [CISCO-SDEE] Mod SSL- Mod Proxy Hook Format String || url,wiki.quadrantsec.com/bin/view/Main/6106132 6106133 || [CISCO-SDEE] Microsoft Excel Cell Length Buffer Overflow CVE-2004-0846 || url,wiki.quadrantsec.com/bin/view/Main/6106133 6106134 || [CISCO-SDEE] Microsoft ASP.NET Canonicalization || url,wiki.quadrantsec.com/bin/view/Main/6106134 6106135 || [CISCO-SDEE] Sun Solaris in.rwhod Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6106135 6106137 || [CISCO-SDEE] Wordpad Default Font Overflow || url,wiki.quadrantsec.com/bin/view/Main/6106137 6106138 || [CISCO-SDEE] Non-ASCII Hostname || url,wiki.quadrantsec.com/bin/view/Main/6106138 6106139 || [CISCO-SDEE] Malicious BMP File || url,wiki.quadrantsec.com/bin/view/Main/6106139 6106140 || [CISCO-SDEE] Squid ASN.1 Header Parsing Denial of Service || url,wiki.quadrantsec.com/bin/view/Main/6106140 6106141 || [CISCO-SDEE] Macromedia JRun 4.x Server File Disclosure || url,wiki.quadrantsec.com/bin/view/Main/6106141 
6106142 || [CISCO-SDEE] Apache HTTP Server Mod_Cache Module DoS || url,wiki.quadrantsec.com/bin/view/Main/6106142 6106143 || [CISCO-SDEE] Borland Interbase Database Service Create-Request Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6106143 6106144 || [CISCO-SDEE] X.Org X Font Server Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6106144 6106145 || [CISCO-SDEE] Trend Micro ServerProtect TMregChange Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6106145 6106146 || [CISCO-SDEE] Squid WCCP Message Receive Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6106146 6106147 || [CISCO-SDEE] RealPlayer RealMedia Security Bypass || url,wiki.quadrantsec.com/bin/view/Main/6106147 6106148 || [CISCO-SDEE] OpenSSL SSL_get_shared_ciphers Off-by-one || url,wiki.quadrantsec.com/bin/view/Main/6106148 6106149 || [CISCO-SDEE] MySQL Arbitrary Library Injection || url,wiki.quadrantsec.com/bin/view/Main/6106149 6106150 || [CISCO-SDEE] ypserv Portmap Request || url,wiki.quadrantsec.com/bin/view/Main/6106150 6106151 || [CISCO-SDEE] ypbind Portmap Request || url,wiki.quadrantsec.com/bin/view/Main/6106151 6106152 || [CISCO-SDEE] yppasswdd Portmap Request || url,wiki.quadrantsec.com/bin/view/Main/6106152 6106153 || [CISCO-SDEE] ypupdated Portmap Request || url,wiki.quadrantsec.com/bin/view/Main/6106153 6106154 || [CISCO-SDEE] ypxfrd Portmap Request || url,wiki.quadrantsec.com/bin/view/Main/6106154 6106155 || [CISCO-SDEE] mountd Portmap Request || url,wiki.quadrantsec.com/bin/view/Main/6106155 6106156 || [CISCO-SDEE] MIT Kerberos kadmind RPC Library Unix Authentication || url,wiki.quadrantsec.com/bin/view/Main/6106156 6106157 || [CISCO-SDEE] MIT Kerberos Kadmind Remote Code Injection || url,wiki.quadrantsec.com/bin/view/Main/6106157 6106158 || [CISCO-SDEE] MIT Kerberos Kadmind Rename Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6106158 6106159 || [CISCO-SDEE] Microsoft Windows Active Directory Crafted LDAP Request DoS || 
url,wiki.quadrantsec.com/bin/view/Main/6106159 6106160 || [CISCO-SDEE] Microsoft Windows Active Directory Crafted LDAP Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6106160 6106161 || [CISCO-SDEE] Ingres Database Communications Server Component Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6106161 6106162 || [CISCO-SDEE] Ipswitch IMail Server Date String Overflow || url,wiki.quadrantsec.com/bin/view/Main/6106162 6106164 || [CISCO-SDEE] Microsoft Word Document Parsing Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6106164 6106165 || [CISCO-SDEE] nfs-utils TCP Connection Termination Denial of Service || url,wiki.quadrantsec.com/bin/view/Main/6106165 6106166 || [CISCO-SDEE] Novell eDirectory HTTP Server Redirection Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6106166 6106168 || [CISCO-SDEE] Computer Associates Products Message Engine RPC Server Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6106168 6106169 || [CISCO-SDEE] mod_tcl Module Format String Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6106169 6106170 || [CISCO-SDEE] Novell eDirectory evtFilteredMonitorEventsRequest Function Overflow || url,wiki.quadrantsec.com/bin/view/Main/6106170 6106171 || [CISCO-SDEE] HP Info Center HPInfoDLL.dll ActiveX Control Remote Code Execution || url,wiki.quadrantsec.com/bin/view/Main/6106171 6106172 || [CISCO-SDEE] Novell eDirectory evtFilteredMonitorEventsRequest Function || url,wiki.quadrantsec.com/bin/view/Main/6106172 6106173 || [CISCO-SDEE] Empty DNS Query || url,wiki.quadrantsec.com/bin/view/Main/6106173 6106174 || [CISCO-SDEE] OpenLDAP Server BIND Request Denial of Service || url,wiki.quadrantsec.com/bin/view/Main/6106174 6106175 || [CISCO-SDEE] rexd Portmap Request || url,wiki.quadrantsec.com/bin/view/Main/6106175 6106177 || [CISCO-SDEE] Malformed SIP Invite Packet || url,wiki.quadrantsec.com/bin/view/Main/6106177 6106178 || [CISCO-SDEE] SIP Message DoS || url,wiki.quadrantsec.com/bin/view/Main/6106178 
6106179 || [CISCO-SDEE] Malformed MGCP Packet || url,wiki.quadrantsec.com/bin/view/Main/6106179 6106180 || [CISCO-SDEE] rexd Attempt || url,wiki.quadrantsec.com/bin/view/Main/6106180 6106181 || [CISCO-SDEE] SIP DoS || url,wiki.quadrantsec.com/bin/view/Main/6106181 6106184 || [CISCO-SDEE] Large SIP Message || url,wiki.quadrantsec.com/bin/view/Main/6106184 6106186 || [CISCO-SDEE] RIS Data Collector Heap Overflow || url,wiki.quadrantsec.com/bin/view/Main/6106186 6106187 || [CISCO-SDEE] CallManager TCP Connection DoS || url,wiki.quadrantsec.com/bin/view/Main/6106187 6106188 || [CISCO-SDEE] statd dot dot || url,wiki.quadrantsec.com/bin/view/Main/6106188 6106189 || [CISCO-SDEE] statd automount attack || url,wiki.quadrantsec.com/bin/view/Main/6106189 6106190 || [CISCO-SDEE] statd Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6106190 6106191 || [CISCO-SDEE] RPC.tooltalk Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6106191 6106192 || [CISCO-SDEE] RPC mountd Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6106192 6106193 || [CISCO-SDEE] RPC CMSD Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6106193 6106194 || [CISCO-SDEE] sadmind Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6106194 6106195 || [CISCO-SDEE] Sadmind RPC Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6106195 6106196 || [CISCO-SDEE] snmpXdmid Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6106196 6106197 || [CISCO-SDEE] rpc yppaswdd overflow || url,wiki.quadrantsec.com/bin/view/Main/6106197 6106198 || [CISCO-SDEE] Long rwalld Message || url,wiki.quadrantsec.com/bin/view/Main/6106198 6106199 || [CISCO-SDEE] Cachefsd Overflow || url,wiki.quadrantsec.com/bin/view/Main/6106199 6106200 || [CISCO-SDEE] Ident Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6106200 6106201 || [CISCO-SDEE] Ident Newline || url,wiki.quadrantsec.com/bin/view/Main/6106201 6106203 || [CISCO-SDEE] sadmind directory traversal command exec || 
url,wiki.quadrantsec.com/bin/view/Main/6106203 6106204 || [CISCO-SDEE] IIS Source Code Disclosure || url,wiki.quadrantsec.com/bin/view/Main/6106204 6106205 || [CISCO-SDEE] NetBackup Vmd Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6106205 6106206 || [CISCO-SDEE] WorldMail IMAP Directory Traversal || url,wiki.quadrantsec.com/bin/view/Main/6106206 6106207 || [CISCO-SDEE] FreeBSD nfsd Request Denial of Service || url,wiki.quadrantsec.com/bin/view/Main/6106207 6106208 || [CISCO-SDEE] NetBackup Volume Manager Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6106208 6106209 || [CISCO-SDEE] NetBackup Vnetd Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6106209 6106210 || [CISCO-SDEE] LPR Format String Overflow || url,wiki.quadrantsec.com/bin/view/Main/6106210 6106211 || [CISCO-SDEE] LPD NoOp Sled || url,wiki.quadrantsec.com/bin/view/Main/6106211 6106212 || [CISCO-SDEE] IE HTML Tag Memory Corruption || url,wiki.quadrantsec.com/bin/view/Main/6106212 6106213 || [CISCO-SDEE] Firefox JavaScript Focus Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6106213 6106214 || [CISCO-SDEE] LibTIFF TIFFFetchData Integer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6106214 6106215 || [CISCO-SDEE] Novell Print Services Integer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6106215 6106216 || [CISCO-SDEE] EMC Retrospect Client Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6106216 6106217 || [CISCO-SDEE] eDirectory iMonitor NDS Server Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6106217 6106218 || [CISCO-SDEE] MediaWiki Script Insertion || url,wiki.quadrantsec.com/bin/view/Main/6106218 6106219 || [CISCO-SDEE] CommuniGate Pro LDAP Server Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6106219 6106220 || [CISCO-SDEE] Retrospect Backup Agent Denial of Service || url,wiki.quadrantsec.com/bin/view/Main/6106220 6106221 || [CISCO-SDEE] IBM Director Agent DoS || url,wiki.quadrantsec.com/bin/view/Main/6106221 
6106222 || [CISCO-SDEE] HP OpenView Client Configuration Manager Radia Notify Daemon Code Execution || url,wiki.quadrantsec.com/bin/view/Main/6106222 6106223 || [CISCO-SDEE] Citrix MetaFrame IMA Authentication Processing Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6106223 6106224 || [CISCO-SDEE] Windows IGMP Overflow || url,wiki.quadrantsec.com/bin/view/Main/6106224 6106225 || [CISCO-SDEE] KAME IKE raccoon HASH || url,wiki.quadrantsec.com/bin/view/Main/6106225 6106226 || [CISCO-SDEE] Trojan.Srizbi Bot || url,wiki.quadrantsec.com/bin/view/Main/6106226 6106227 || [CISCO-SDEE] Visual Basic Charts Control Memory Corruption || url,wiki.quadrantsec.com/bin/view/Main/6106227 6106228 || [CISCO-SDEE] Mac OSX Software Update Remote Code Execution || url,wiki.quadrantsec.com/bin/view/Main/6106228 6106229 || [CISCO-SDEE] MS SQL Server sqldmo.dll Overflow || url,wiki.quadrantsec.com/bin/view/Main/6106229 6106230 || [CISCO-SDEE] F-Secure Products Web Console Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6106230 6106231 || [CISCO-SDEE] Citrix Presentation Server IMA || url,wiki.quadrantsec.com/bin/view/Main/6106231 6106232 || [CISCO-SDEE] Distributed Transaction Coordinator Overflow || url,wiki.quadrantsec.com/bin/view/Main/6106232 6106233 || [CISCO-SDEE] Computer Associates BrightStor ARCserve Backup Tape Engine Service || url,wiki.quadrantsec.com/bin/view/Main/6106233 6106234 || [CISCO-SDEE] VideoLAN VLC Subtitle Overflow || url,wiki.quadrantsec.com/bin/view/Main/6106234 6106235 || [CISCO-SDEE] Apple Quicktime SMIL Overflow || url,wiki.quadrantsec.com/bin/view/Main/6106235 6106236 || [CISCO-SDEE] AMI Pro File Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6106236 6106237 || [CISCO-SDEE] MailEnable IMAP Service Login Overflow || url,wiki.quadrantsec.com/bin/view/Main/6106237 6106238 || [CISCO-SDEE] GNU RADIUS SQL Accounting Format String Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6106238 6106239 || [CISCO-SDEE] Apple QuickTime 
RTSP Long URL || url,wiki.quadrantsec.com/bin/view/Main/6106239 6106240 || [CISCO-SDEE] IMAP LOGIN Negative Value || url,wiki.quadrantsec.com/bin/view/Main/6106240 6106242 || [CISCO-SDEE] Trend Micro ServerProtect eng50.dll Stack Overflow || url,wiki.quadrantsec.com/bin/view/Main/6106242 6106243 || [CISCO-SDEE] Sun JRE Abstract Windowing Toolkit Module Memory Corruption || url,wiki.quadrantsec.com/bin/view/Main/6106243 6106244 || [CISCO-SDEE] Microsoft Windows SNMP Service Memory Corruption || url,wiki.quadrantsec.com/bin/view/Main/6106244 6106245 || [CISCO-SDEE] IBM Tivoli Storage Manager Initial Sign-on Request Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6106245 6106246 || [CISCO-SDEE] Gateway Weblaunch Activex Control || url,wiki.quadrantsec.com/bin/view/Main/6106246 6106247 || [CISCO-SDEE] Sun Microsystems Java GIF File Handling Memory Corruption || url,wiki.quadrantsec.com/bin/view/Main/6106247 6106248 || [CISCO-SDEE] HP Mercury Loadrunner Agent Command Processing Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6106248 6106249 || [CISCO-SDEE] Visual Studio 6 ActiveX Exploit || url,wiki.quadrantsec.com/bin/view/Main/6106249 6106250 || [CISCO-SDEE] FTP Authorization Failure || url,wiki.quadrantsec.com/bin/view/Main/6106250 6106251 || [CISCO-SDEE] Telnet Authorization Failure || url,wiki.quadrantsec.com/bin/view/Main/6106251 6106252 || [CISCO-SDEE] Rlogin Authorization Failure || url,wiki.quadrantsec.com/bin/view/Main/6106252 6106253 || [CISCO-SDEE] POP3 Authorization Failure || url,wiki.quadrantsec.com/bin/view/Main/6106253 6106255 || [CISCO-SDEE] SMB Authorization Failure || url,wiki.quadrantsec.com/bin/view/Main/6106255 6106256 || [CISCO-SDEE] HTTP Authorization Failure || url,wiki.quadrantsec.com/bin/view/Main/6106256 6106257 || [CISCO-SDEE] DHCP Client DoS || url,wiki.quadrantsec.com/bin/view/Main/6106257 6106258 || [CISCO-SDEE] Microsoft IE HTML Rendering Memory Corruption || url,wiki.quadrantsec.com/bin/view/Main/6106258 6106259 || 
[CISCO-SDEE] HP Linux Printing And Imaging hpssd Command Injection || url,wiki.quadrantsec.com/bin/view/Main/6106259 6106260 || [CISCO-SDEE] VERITAS Storage Foundation Administrator Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6106260 6106261 || [CISCO-SDEE] ISC DHCP Remote DoS || url,wiki.quadrantsec.com/bin/view/Main/6106261 6106262 || [CISCO-SDEE] Cisco Secure Access Control Server CGI Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6106262 6106263 || [CISCO-SDEE] XSS in Cisco ACS Server || url,wiki.quadrantsec.com/bin/view/Main/6106263 6106264 || [CISCO-SDEE] Excel Malformed Header || url,wiki.quadrantsec.com/bin/view/Main/6106264 6106265 || [CISCO-SDEE] Microsoft Jet Database Engine Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6106265 6106266 || [CISCO-SDEE] Excel Malformed Header || url,wiki.quadrantsec.com/bin/view/Main/6106266 6106267 || [CISCO-SDEE] IMAP Long FETCH Command || url,wiki.quadrantsec.com/bin/view/Main/6106267 6106268 || [CISCO-SDEE] HP Openview Network Node Manager Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6106268 6106269 || [CISCO-SDEE] HP Openview Operations Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6106269 6106270 || [CISCO-SDEE] HP OpenView Network Node Manager Integer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6106270 6106271 || [CISCO-SDEE] VMWare ActiveX Arbitrary File Access || url,wiki.quadrantsec.com/bin/view/Main/6106271 6106272 || [CISCO-SDEE] Novell iPrint Client ActiveX Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6106272 6106273 || [CISCO-SDEE] Microsoft Works ActiveX WkImgSrv.dll Insecure Function || url,wiki.quadrantsec.com/bin/view/Main/6106273 6106274 || [CISCO-SDEE] McAfee ePolicy Orchestrator Format String || url,wiki.quadrantsec.com/bin/view/Main/6106274 6106275 || [CISCO-SDEE] SGI fam Attempt || url,wiki.quadrantsec.com/bin/view/Main/6106275 6106276 || [CISCO-SDEE] TooltalkDB overflow || url,wiki.quadrantsec.com/bin/view/Main/6106276 
6106277 || [CISCO-SDEE] Show Mount Recon || url,wiki.quadrantsec.com/bin/view/Main/6106277 6106278 || [CISCO-SDEE] Office Web Components DataSource Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6106278 6106279 || [CISCO-SDEE] Citrix Presentation Server Client ActiveX Overflow || url,wiki.quadrantsec.com/bin/view/Main/6106279 6106280 || [CISCO-SDEE] Messenger Information Disclosure Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6106280 6106281 || [CISCO-SDEE] Malformed EPS Filter Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6106281 6106282 || [CISCO-SDEE] Malformed PICT Filter Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6106282 6106283 || [CISCO-SDEE] Malformed BMP Filter Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6106283 6106284 || [CISCO-SDEE] Openwsman HTTP Basic Authentication Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6106284 6106295 || [CISCO-SDEE] LANDesk Intel QIP Service Heal Packet Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6106295 6106296 || [CISCO-SDEE] IBM Lotus Sametime Server Multiplexer Stack Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6106296 6106297 || [CISCO-SDEE] RealPlayer ActiveX Import Method Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6106297 6106298 || [CISCO-SDEE] Creative Software AutoUpdate Engine ActiveX Stack-Overflow || url,wiki.quadrantsec.com/bin/view/Main/6106298 6106299 || [CISCO-SDEE] Namo ActiveSquare6 ActiveX Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6106299 6106300 || [CISCO-SDEE] Loki ICMP Tunneling || url,wiki.quadrantsec.com/bin/view/Main/6106300 6106302 || [CISCO-SDEE] General Loki ICMP Tunneling || url,wiki.quadrantsec.com/bin/view/Main/6106302 6106303 || [CISCO-SDEE] PingTunnel ICMP Tunneling || url,wiki.quadrantsec.com/bin/view/Main/6106303 6106350 || [CISCO-SDEE] MS-SQL Query Abuse || url,wiki.quadrantsec.com/bin/view/Main/6106350 6106402 || [CISCO-SDEE] Samba SPOOLSS Notify Options Heap 
overflow || url,wiki.quadrantsec.com/bin/view/Main/6106402 6106403 || [CISCO-SDEE] IE Uninitialized Memory Corruption || url,wiki.quadrantsec.com/bin/view/Main/6106403 6106406 || [CISCO-SDEE] DirectShow WAV Parsing Remote Code Execution || url,wiki.quadrantsec.com/bin/view/Main/6106406 6106408 || [CISCO-SDEE] IE DHTML Memory Corruption || url,wiki.quadrantsec.com/bin/view/Main/6106408 6106409 || [CISCO-SDEE] IE Invalid Object Memory Corruption || url,wiki.quadrantsec.com/bin/view/Main/6106409 6106410 || [CISCO-SDEE] IE Unsafe Memory Operation || url,wiki.quadrantsec.com/bin/view/Main/6106410 6106412 || [CISCO-SDEE] Malformed BGP Message || url,wiki.quadrantsec.com/bin/view/Main/6106412 6106413 || [CISCO-SDEE] McAfee Subscription Manager ActiveX Stack Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6106413 6106414 || [CISCO-SDEE] ClamAV UPX File Handling Heap Overflow || url,wiki.quadrantsec.com/bin/view/Main/6106414 6106416 || [CISCO-SDEE] Microsoft Windows Help HLP File Processing Memory Corruption || url,wiki.quadrantsec.com/bin/view/Main/6106416 6106417 || [CISCO-SDEE] JavaScript Navigator Object Memory Corruption || url,wiki.quadrantsec.com/bin/view/Main/6106417 6106418 || [CISCO-SDEE] Apache HTTP Server mod_rewrite Module LDAP Scheme Handling Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6106418 6106419 || [CISCO-SDEE] Oracle Database dbms_assert Filter Bypass Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6106419 6106420 || [CISCO-SDEE] Microsoft Office Malformed GIF File Processing Code Execution || url,wiki.quadrantsec.com/bin/view/Main/6106420 6106421 || [CISCO-SDEE] Microsoft Excel Malformed SELECTION Record Code Execution || url,wiki.quadrantsec.com/bin/view/Main/6106421 6106422 || [CISCO-SDEE] Microsoft ASP.NET Application Folder Information Disclosure || url,wiki.quadrantsec.com/bin/view/Main/6106422 6106423 || [CISCO-SDEE] Microsoft XML Core Services Integer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6106423 
6106424 || [CISCO-SDEE] Microsoft PowerPoint PPT File Parsing Memory Corruption || url,wiki.quadrantsec.com/bin/view/Main/6106424 6106425 || [CISCO-SDEE] Microsoft Excel Malformed OBJECT Record Code Execution || url,wiki.quadrantsec.com/bin/view/Main/6106425 6106426 || [CISCO-SDEE] Microsoft Word mso.dll LsCreateLine Memory Corruption || url,wiki.quadrantsec.com/bin/view/Main/6106426 6106427 || [CISCO-SDEE] zlib Denial of Service || url,wiki.quadrantsec.com/bin/view/Main/6106427 6106430 || [CISCO-SDEE] Microsoft Internet Explorer CSS Memory Corruption || url,wiki.quadrantsec.com/bin/view/Main/6106430 6106431 || [CISCO-SDEE] Oracle Web Cache Heap Overflow || url,wiki.quadrantsec.com/bin/view/Main/6106431 6106432 || [CISCO-SDEE] Subversion svn Protocol String Parsing Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6106432 6106433 || [CISCO-SDEE] Norton Internet Security NBNS Stack Overflow || url,wiki.quadrantsec.com/bin/view/Main/6106433 6106436 || [CISCO-SDEE] Citrix Program Neighborhood Agent Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6106436 6106437 || [CISCO-SDEE] RealNetworks RealPlayer Compressed Skin Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6106437 6106443 || [CISCO-SDEE] IMail IMAP Fetch Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6106443 6106444 || [CISCO-SDEE] iGateway Content-Length Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6106444 6106445 || [CISCO-SDEE] SUSE Remote Manager Heap Overflow || url,wiki.quadrantsec.com/bin/view/Main/6106445 6106446 || [CISCO-SDEE] Adobe Acrobat Reader eBook plug-in Format String Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6106446 6106449 || [CISCO-SDEE] Apache Tomcat Mod_jk Stack Overflow || url,wiki.quadrantsec.com/bin/view/Main/6106449 6106450 || [CISCO-SDEE] pcAnywhere Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6106450 6106451 || [CISCO-SDEE] MediaWiki Language Option PHP Code Execution || 
url,wiki.quadrantsec.com/bin/view/Main/6106451 6106454 || [CISCO-SDEE] Microsoft Winhlp32 Compressed Phrase Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6106454 6106456 || [CISCO-SDEE] Flash Media Server DoS || url,wiki.quadrantsec.com/bin/view/Main/6106456 6106457 || [CISCO-SDEE] Lotus Notes URI Handler Argument Injection || url,wiki.quadrantsec.com/bin/view/Main/6106457 6106458 || [CISCO-SDEE] Microsoft Windows Media Player File Information Disclosure || url,wiki.quadrantsec.com/bin/view/Main/6106458 6106459 || [CISCO-SDEE] Microsoft Winhlp32 Compressed Phrase Integer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6106459 6106462 || [CISCO-SDEE] Microsoft Internet Explorer CDF Cross Domain Scripting || url,wiki.quadrantsec.com/bin/view/Main/6106462 6106466 || [CISCO-SDEE] Squid WCCP Message Parsing Denial of Service || url,wiki.quadrantsec.com/bin/view/Main/6106466 6106467 || [CISCO-SDEE] Mozilla Firefox Click Event Classification Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6106467 6106468 || [CISCO-SDEE] Multiple Vendor AV Gateway Virus Detection Bypass || url,wiki.quadrantsec.com/bin/view/Main/6106468 6106477 || [CISCO-SDEE] Multiple Web Browsers Window Injection. 
|| url,wiki.quadrantsec.com/bin/view/Main/6106477 6106486 || [CISCO-SDEE] Novell iManager Tomcat HTTP POST Request Handling Denial of Service || url,wiki.quadrantsec.com/bin/view/Main/6106486 6106487 || [CISCO-SDEE] TikiWiki jhot.php Script File Upload Security Bypass || url,wiki.quadrantsec.com/bin/view/Main/6106487 6106488 || [CISCO-SDEE] Symantec Veritas NetBackup Command Chaining || url,wiki.quadrantsec.com/bin/view/Main/6106488 6106489 || [CISCO-SDEE] Symantec Veritas NetBackup CONNECT_OPTIONS Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6106489 6106491 || [CISCO-SDEE] Alt-N MDAEMON IMAP Server Heap Overflow || url,wiki.quadrantsec.com/bin/view/Main/6106491 6106493 || [CISCO-SDEE] Microsoft Windows Graphics Rendering Engine Buffer Overflow Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6106493 6106494 || [CISCO-SDEE] IMAP APPEND Date Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6106494 6106496 || [CISCO-SDEE] Microsoft Internet Explorer URL Spoofing Vulnerability Details || url,wiki.quadrantsec.com/bin/view/Main/6106496 6106500 || [CISCO-SDEE] RingZero Trojan || url,wiki.quadrantsec.com/bin/view/Main/6106500 6106501 || [CISCO-SDEE] Tribe Flood Net Client Request || url,wiki.quadrantsec.com/bin/view/Main/6106501 6106502 || [CISCO-SDEE] Tribe Flood Net Server Reply || url,wiki.quadrantsec.com/bin/view/Main/6106502 6106503 || [CISCO-SDEE] Stacheldraht Client Request || url,wiki.quadrantsec.com/bin/view/Main/6106503 6106504 || [CISCO-SDEE] Stacheldraht Server Reply || url,wiki.quadrantsec.com/bin/view/Main/6106504 6106505 || [CISCO-SDEE] Trinoo Client Request || url,wiki.quadrantsec.com/bin/view/Main/6106505 6106506 || [CISCO-SDEE] Trinoo Server Reply || url,wiki.quadrantsec.com/bin/view/Main/6106506 6106507 || [CISCO-SDEE] TFN2K Control Traffic || url,wiki.quadrantsec.com/bin/view/Main/6106507 6106508 || [CISCO-SDEE] Mstream Control Traffic || url,wiki.quadrantsec.com/bin/view/Main/6106508 6106509 || [CISCO-SDEE] Microsoft 
DXmedia SDK6 ActiveX Control || url,wiki.quadrantsec.com/bin/view/Main/6106509 6106510 || [CISCO-SDEE] GOM Player ActiveX Control Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6106510 6106512 || [CISCO-SDEE] Macrovision FlexNet isusweb.dll DownloadAndExecute Method || url,wiki.quadrantsec.com/bin/view/Main/6106512 6106513 || [CISCO-SDEE] Macrovision FlexNet DownloadManager Insecure Methods || url,wiki.quadrantsec.com/bin/view/Main/6106513 6106515 || [CISCO-SDEE] Invalid SIP Response Code || url,wiki.quadrantsec.com/bin/view/Main/6106515 6106517 || [CISCO-SDEE] Malformed Via Header || url,wiki.quadrantsec.com/bin/view/Main/6106517 6106518 || [CISCO-SDEE] SIP Long Header Field || url,wiki.quadrantsec.com/bin/view/Main/6106518 6106520 || [CISCO-SDEE] Long SIP Message || url,wiki.quadrantsec.com/bin/view/Main/6106520 6106521 || [CISCO-SDEE] Call Manager Overflow || url,wiki.quadrantsec.com/bin/view/Main/6106521 6106522 || [CISCO-SDEE] Failed HTTP Login HTTP 401 || url,wiki.quadrantsec.com/bin/view/Main/6106522 6106523 || [CISCO-SDEE] Non-Printable in SIP Header || url,wiki.quadrantsec.com/bin/view/Main/6106523 6106524 || [CISCO-SDEE] Yahoo! 
Assistant yNotifier.dll ActiveX Control Code Execution || url,wiki.quadrantsec.com/bin/view/Main/6106524 6106526 || [CISCO-SDEE] Lighttpd FastCGI Header Overrun || url,wiki.quadrantsec.com/bin/view/Main/6106526 6106527 || [CISCO-SDEE] Microsoft Publisher Invalid Memory Reference RCE || url,wiki.quadrantsec.com/bin/view/Main/6106527 6106528 || [CISCO-SDEE] Oracle Application Server 10G EmChartBeam Remote Directory Traversal || url,wiki.quadrantsec.com/bin/view/Main/6106528 6106530 || [CISCO-SDEE] SynCE Command Injection || url,wiki.quadrantsec.com/bin/view/Main/6106530 6106532 || [CISCO-SDEE] Perdition IMAP Proxy str_vwrite Format String || url,wiki.quadrantsec.com/bin/view/Main/6106532 6106533 || [CISCO-SDEE] Computer Associates BrightStor ARCserve Backup Discovery Service || url,wiki.quadrantsec.com/bin/view/Main/6106533 6106534 || [CISCO-SDEE] Symantec Backup Exec ActiveX Control || url,wiki.quadrantsec.com/bin/view/Main/6106534 6106535 || [CISCO-SDEE] Facebook Photo Uploader ActiveX Control || url,wiki.quadrantsec.com/bin/view/Main/6106535 6106536 || [CISCO-SDEE] Aurigma ImageUploader ActiveX Control || url,wiki.quadrantsec.com/bin/view/Main/6106536 6106537 || [CISCO-SDEE] Kraken Botnet Traffic || url,wiki.quadrantsec.com/bin/view/Main/6106537 6106539 || [CISCO-SDEE] Microsoft Malware Protection Engine DoS || url,wiki.quadrantsec.com/bin/view/Main/6106539 6106540 || [CISCO-SDEE] CUCM Certificate Trust List Memory Consumption DOS || url,wiki.quadrantsec.com/bin/view/Main/6106540 6106541 || [CISCO-SDEE] Microsoft Project Malformed File Exploit || url,wiki.quadrantsec.com/bin/view/Main/6106541 6106542 || [CISCO-SDEE] TFTPServer Error Overflow || url,wiki.quadrantsec.com/bin/view/Main/6106542 6106543 || [CISCO-SDEE] CiscoWorks Common Services Arbitrary Code Injection || url,wiki.quadrantsec.com/bin/view/Main/6106543 6106544 || [CISCO-SDEE] ActiveX Object Memory Corruption Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6106544 6106545 || [CISCO-SDEE] WINS 
Local Privilege Escalation || url,wiki.quadrantsec.com/bin/view/Main/6106545 6106546 || [CISCO-SDEE] SNMPv3 Malformed Authentication Attempt || url,wiki.quadrantsec.com/bin/view/Main/6106546 6106702 || [CISCO-SDEE] Microsoft SQL Server 7 TDS Denial Of Service || url,wiki.quadrantsec.com/bin/view/Main/6106702 6106703 || [CISCO-SDEE] Snort SACK TCP Option Handling Denial of Service Details || url,wiki.quadrantsec.com/bin/view/Main/6106703 6106704 || [CISCO-SDEE] Microsoft Internet Explorer Address Bar Spoofing Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6106704 6106705 || [CISCO-SDEE] Internet Explorer Drag And Drop Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6106705 6106707 || [CISCO-SDEE] Microsoft Windows Remote Desktop Protocol DoS || url,wiki.quadrantsec.com/bin/view/Main/6106707 6106710 || [CISCO-SDEE] Macromedia Flash Player LoadMovie DoS || url,wiki.quadrantsec.com/bin/view/Main/6106710 6106711 || [CISCO-SDEE] Microsoft Internet Explorer Image Download Spoofing || url,wiki.quadrantsec.com/bin/view/Main/6106711 6106712 || [CISCO-SDEE] Microsoft Internet Explorer Script Engine Stack Exhaustion || url,wiki.quadrantsec.com/bin/view/Main/6106712 6106717 || [CISCO-SDEE] Microsoft Internet Explorer Status Bar URL Spoofing || url,wiki.quadrantsec.com/bin/view/Main/6106717 6106718 || [CISCO-SDEE] Multiple AV Vendor Invalid Archive Checksum || url,wiki.quadrantsec.com/bin/view/Main/6106718 6106719 || [CISCO-SDEE] MySQL COM_TABLE_DUMP Function Stack Overflow || url,wiki.quadrantsec.com/bin/view/Main/6106719 6106720 || [CISCO-SDEE] MySQL Login Handshake Information Disclosure || url,wiki.quadrantsec.com/bin/view/Main/6106720 6106721 || [CISCO-SDEE] OpenBSD ISAKMP Message Handling Denial Of Service || url,wiki.quadrantsec.com/bin/view/Main/6106721 6106722 || [CISCO-SDEE] Oracle Application Server 10g emagent.exe Stack Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6106722 6106723 || [CISCO-SDEE] Sun Directory Server LDAP Denial of 
Service Details || url,wiki.quadrantsec.com/bin/view/Main/6106723 6106727 || [CISCO-SDEE] Nullsoft Winamp Midi File Header Handling Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6106727 6106728 || [CISCO-SDEE] Microsoft Windows GUID Folder Code Execution || url,wiki.quadrantsec.com/bin/view/Main/6106728 6106730 || [CISCO-SDEE] IBM Tivoli Storage Manager Express Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6106730 6106731 || [CISCO-SDEE] CA BrightStor ARCServe Backup LGServer Username Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6106731 6106732 || [CISCO-SDEE] CA BrightStor ARCServe Backup LGServer Password Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6106732 6106733 || [CISCO-SDEE] CA BrightStor ARCServe Backup LGServer Arbitrary File Upload || url,wiki.quadrantsec.com/bin/view/Main/6106733 6106734 || [CISCO-SDEE] CA ARCserve Backup LGServer Multiple Buffer Overflows || url,wiki.quadrantsec.com/bin/view/Main/6106734 6106735 || [CISCO-SDEE] Microsoft Internet Explorer HHCtrl.ocx Image Property Heap Corruption || url,wiki.quadrantsec.com/bin/view/Main/6106735 6106736 || [CISCO-SDEE] Apple QuickTime FLIC Animation File Buffer Overflow Details || url,wiki.quadrantsec.com/bin/view/Main/6106736 6106737 || [CISCO-SDEE] OpenSSL SSL_get_shared_ciphers Function Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6106737 6106739 || [CISCO-SDEE] Novell GroupWise Messenger HTTP POST Request Invalid Memory Access || url,wiki.quadrantsec.com/bin/view/Main/6106739 6106740 || [CISCO-SDEE] Trend Micro OfficeScan Atxconsole ActiveX Control Format String || url,wiki.quadrantsec.com/bin/view/Main/6106740 6106741 || [CISCO-SDEE] Symantec Discovery XFERWAN Buffer overflow || url,wiki.quadrantsec.com/bin/view/Main/6106741 6106742 || [CISCO-SDEE] Microsoft PowerPoint Malformed Record Code Execution || url,wiki.quadrantsec.com/bin/view/Main/6106742 6106743 || [CISCO-SDEE] Novell ZENworks Asset Mangement Overflow || 
url,wiki.quadrantsec.com/bin/view/Main/6106743 6106744 || [CISCO-SDEE] Mozilla FireFox DomNodeRemoved Memory Corruption || url,wiki.quadrantsec.com/bin/view/Main/6106744 6106755 || [CISCO-SDEE] Windows Remote Kernel TCPIP ICMP Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6106755 6106757 || [CISCO-SDEE] Microsoft Internet Explorer Page Update Race Condition || url,wiki.quadrantsec.com/bin/view/Main/6106757 6106758 || [CISCO-SDEE] Microsoft Visio Version Number Code Execution Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6106758 6106759 || [CISCO-SDEE] Apple Safari Regular Expression Overflow || url,wiki.quadrantsec.com/bin/view/Main/6106759 6106760 || [CISCO-SDEE] RealPlayer ActiveX Buffer overflow || url,wiki.quadrantsec.com/bin/view/Main/6106760 6106761 || [CISCO-SDEE] Cisco Unified Communications Manager CTL Provider Heap Overflow || url,wiki.quadrantsec.com/bin/view/Main/6106761 6106764 || [CISCO-SDEE] Cisco PIX and ASA Time-to-Live DoS || url,wiki.quadrantsec.com/bin/view/Main/6106764 6106765 || [CISCO-SDEE] Cisco Application Velocity System Default Passwords || url,wiki.quadrantsec.com/bin/view/Main/6106765 6106766 || [CISCO-SDEE] IE Security Zone Bypass and Address Spoofing || url,wiki.quadrantsec.com/bin/view/Main/6106766 6106767 || [CISCO-SDEE] Microsoft Windows RSH Daemon Stack Overflow || url,wiki.quadrantsec.com/bin/view/Main/6106767 6106768 || [CISCO-SDEE] Samba WINS Remote Code Execution Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6106768 6106769 || [CISCO-SDEE] Netware LSASS CIFS.NLM Driver Overflow || url,wiki.quadrantsec.com/bin/view/Main/6106769 6106770 || [CISCO-SDEE] OpenOffice PRTDATA Heap Overflow || url,wiki.quadrantsec.com/bin/view/Main/6106770 6106771 || [CISCO-SDEE] Microsoft Windows WebDAV Mini Redirector || url,wiki.quadrantsec.com/bin/view/Main/6106771 6106773 || [CISCO-SDEE] WordPerfect X3 Printer Selection Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6106773 6106775 || [CISCO-SDEE] Microsoft 
Office Works Converter Remote Code Execution || url,wiki.quadrantsec.com/bin/view/Main/6106775 6106776 || [CISCO-SDEE] Microsoft Works Converter Input Validation Remote Code Execution || url,wiki.quadrantsec.com/bin/view/Main/6106776 6106777 || [CISCO-SDEE] Windows OLE Automation Remote Code Execution || url,wiki.quadrantsec.com/bin/view/Main/6106777 6106778 || [CISCO-SDEE] Microsoft Works Converter Index Table Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6106778 6106780 || [CISCO-SDEE] IE Argument Handling Memory Corruption Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6106780 6106781 || [CISCO-SDEE] SIP Proxy Response Overflow || url,wiki.quadrantsec.com/bin/view/Main/6106781 6106782 || [CISCO-SDEE] SIP MIME Request Boundary Overflow || url,wiki.quadrantsec.com/bin/view/Main/6106782 6106784 || [CISCO-SDEE] Adobe PDF Code Execution || url,wiki.quadrantsec.com/bin/view/Main/6106784 6106785 || [CISCO-SDEE] Microsoft Visual Basic VBP File Processing Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6106785 6106786 || [CISCO-SDEE] Microsoft PowerPoint Memory Corruption Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6106786 6106787 || [CISCO-SDEE] Microsoft Office Cell Parsing Memory Corruption Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6106787 6106788 || [CISCO-SDEE] SonicWALL SSL VPN Client Remote ActiveX Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6106788 6106789 || [CISCO-SDEE] Winamp Ultravox Stream Title Stack Overflow || url,wiki.quadrantsec.com/bin/view/Main/6106789 6106790 || [CISCO-SDEE] Outlook Web Access Privilege Escalation || url,wiki.quadrantsec.com/bin/view/Main/6106790 6106792 || [CISCO-SDEE] SQL Memory Corruption Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6106792 6106793 || [CISCO-SDEE] Microsoft Windows GDI Image Handling || url,wiki.quadrantsec.com/bin/view/Main/6106793 6106794 || [CISCO-SDEE] CA BrightStor ARCserve Backup Listservcntrl ActiveX Overflow || 
url,wiki.quadrantsec.com/bin/view/Main/6106794 6106795 || [CISCO-SDEE] Panda ActiveScan ActiveX Overflow || url,wiki.quadrantsec.com/bin/view/Main/6106795 6106798 || [CISCO-SDEE] HP StorageWorks Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6106798 6106799 || [CISCO-SDEE] CUCM CTI DoS || url,wiki.quadrantsec.com/bin/view/Main/6106799 6106901 || [CISCO-SDEE] Net Flood ICMP Reply || url,wiki.quadrantsec.com/bin/view/Main/6106901 6106902 || [CISCO-SDEE] Net Flood ICMP Request || url,wiki.quadrantsec.com/bin/view/Main/6106902 6106903 || [CISCO-SDEE] Net Flood ICMP Any || url,wiki.quadrantsec.com/bin/view/Main/6106903 6106910 || [CISCO-SDEE] Net Flood UDP || url,wiki.quadrantsec.com/bin/view/Main/6106910 6106920 || [CISCO-SDEE] Net Flood TCP || url,wiki.quadrantsec.com/bin/view/Main/6106920 6106921 || [CISCO-SDEE] Microsoft Word Code Execution || url,wiki.quadrantsec.com/bin/view/Main/6106921 6106922 || [CISCO-SDEE] VBScript JScript Remote Code Execution || url,wiki.quadrantsec.com/bin/view/Main/6106922 6106923 || [CISCO-SDEE] Word Memory Corruption Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6106923 6106924 || [CISCO-SDEE] MS Publisher Remote Code Execution || url,wiki.quadrantsec.com/bin/view/Main/6106924 6106925 || [CISCO-SDEE] IE Property Memory Corruption || url,wiki.quadrantsec.com/bin/view/Main/6106925 6106926 || [CISCO-SDEE] Cisco IOS DLSw DoS || url,wiki.quadrantsec.com/bin/view/Main/6106926 6106928 || [CISCO-SDEE] Microsoft Outlook mailto URI Remote Code Execution || url,wiki.quadrantsec.com/bin/view/Main/6106928 6106929 || [CISCO-SDEE] Microsoft Excel Memory Corruption || url,wiki.quadrantsec.com/bin/view/Main/6106929 6106930 || [CISCO-SDEE] Office Web Components URL Parsing Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6106930 6106931 || [CISCO-SDEE] Virtual-Access Interface Exhaustion DoS || url,wiki.quadrantsec.com/bin/view/Main/6106931 6106932 || [CISCO-SDEE] HTML Objects Uninitialized Memory Corruption Vulnerability || 
url,wiki.quadrantsec.com/bin/view/Main/6106932 6106934 || [CISCO-SDEE] GDI Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6106934 6106935 || [CISCO-SDEE] CVE-2008-1086 ActiveX Killbit Update || url,wiki.quadrantsec.com/bin/view/Main/6106935 6106936 || [CISCO-SDEE] UCM Disaster Recovery Framework Command Execution || url,wiki.quadrantsec.com/bin/view/Main/6106936 6106937 || [CISCO-SDEE] IE File Handling Memory Corruption || url,wiki.quadrantsec.com/bin/view/Main/6106937 6106938 || [CISCO-SDEE] Microsoft IE Argument Handling Memory Corruption Exploit || url,wiki.quadrantsec.com/bin/view/Main/6106938 6106939 || [CISCO-SDEE] Microsoft Project Remote Code Execution || url,wiki.quadrantsec.com/bin/view/Main/6106939 6106940 || [CISCO-SDEE] RealPlayer ActiveX Remote Code Execution || url,wiki.quadrantsec.com/bin/view/Main/6106940 6106942 || [CISCO-SDEE] Yahoo ActiveX Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6106942 6106944 || [CISCO-SDEE] CUPS CGI Compile Search Overflow || url,wiki.quadrantsec.com/bin/view/Main/6106944 6106945 || [CISCO-SDEE] HP OpenView OVAS.EXE Stack Overflow || url,wiki.quadrantsec.com/bin/view/Main/6106945 6106946 || [CISCO-SDEE] Web Client Remote Code Execution Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6106946 6106951 || [CISCO-SDEE] Word Drawing Object Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6106951 6106952 || [CISCO-SDEE] Word Cascading Style Sheet (CSS) Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6106952 6106954 || [CISCO-SDEE] CUCM SIP Stack DoS || url,wiki.quadrantsec.com/bin/view/Main/6106954 6106959 || [CISCO-SDEE] Adobe Flash Null Pointer Dereference || url,wiki.quadrantsec.com/bin/view/Main/6106959 6106960 || [CISCO-SDEE] IE Response Cross-Domain Info Disclosure || url,wiki.quadrantsec.com/bin/view/Main/6106960 6106961 || [CISCO-SDEE] IE HTML Objects Memory Corruption || url,wiki.quadrantsec.com/bin/view/Main/6106961 6106962 || [CISCO-SDEE] Cisco Unity DOS || 
url,wiki.quadrantsec.com/bin/view/Main/6106962 6106963 || [CISCO-SDEE] MJPEG Decoder Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6106963 6106964 || [CISCO-SDEE] Asprox Injection Attempt || url,wiki.quadrantsec.com/bin/view/Main/6106964 6106966 || [CISCO-SDEE] Malformed Search File Code Execution || url,wiki.quadrantsec.com/bin/view/Main/6106966 6106967 || [CISCO-SDEE] Microsoft SQL Server Privilege Elevation || url,wiki.quadrantsec.com/bin/view/Main/6106967 6106968 || [CISCO-SDEE] Microsoft Access Snapshot Viewer ActiveX Remote Code Execution || url,wiki.quadrantsec.com/bin/view/Main/6106968 6106969 || [CISCO-SDEE] Microsoft Word Smart Tag Corruption Exploit || url,wiki.quadrantsec.com/bin/view/Main/6106969 6106970 || [CISCO-SDEE] DirectShow SAMI Parsing Remote Code Execution || url,wiki.quadrantsec.com/bin/view/Main/6106970 6106971 || [CISCO-SDEE] Generic Exploit Component || url,wiki.quadrantsec.com/bin/view/Main/6106971 6106972 || [CISCO-SDEE] Rosoft Media Player Overflow || url,wiki.quadrantsec.com/bin/view/Main/6106972 6106973 || [CISCO-SDEE] IOS FTPd MKD Command Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6106973 6106974 || [CISCO-SDEE] Motorola Timbuktu Pro Arbitrary File Deletion/Creation || url,wiki.quadrantsec.com/bin/view/Main/6106974 6106975 || [CISCO-SDEE] Arbitrary File Upload In CA ARCserve || url,wiki.quadrantsec.com/bin/view/Main/6106975 6106976 || [CISCO-SDEE] Microsoft Powerpoint 2003 Viewer Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6106976 6106977 || [CISCO-SDEE] Wonderware Suitlink Denial Of Service || url,wiki.quadrantsec.com/bin/view/Main/6106977 6106978 || [CISCO-SDEE] PowerPoint Parsing Overflow || url,wiki.quadrantsec.com/bin/view/Main/6106978 6106979 || [CISCO-SDEE] BEA WebLogic Server Apache Connector HTTP Version String BO || url,wiki.quadrantsec.com/bin/view/Main/6106979 6106981 || [CISCO-SDEE] Microsoft PowerPoint Memory Allocation Exploit || url,wiki.quadrantsec.com/bin/view/Main/6106981 
6106983 || [CISCO-SDEE] Microsoft PICT Filter Parsing Exploit || url,wiki.quadrantsec.com/bin/view/Main/6106983 6106984 || [CISCO-SDEE] Windows Image Color Management System RCE || url,wiki.quadrantsec.com/bin/view/Main/6106984 6106985 || [CISCO-SDEE] Microsoft Office WPG Image File Heap Corruption Exploit || url,wiki.quadrantsec.com/bin/view/Main/6106985 6106986 || [CISCO-SDEE] Microsoft IE HTML Objects Memory Corruption Exploit || url,wiki.quadrantsec.com/bin/view/Main/6106986 6106988 || [CISCO-SDEE] WebEx Meeting Manager ActiveX Overflow || url,wiki.quadrantsec.com/bin/view/Main/6106988 6106989 || [CISCO-SDEE] IOSFW HTTP Inspection Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6106989 6106990 || [CISCO-SDEE] Visual Studio Msmask32.ocx ActiveX Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6106990 6106991 || [CISCO-SDEE] Symantec Veritas Storage Foundation Null Session || url,wiki.quadrantsec.com/bin/view/Main/6106991 6106994 || [CISCO-SDEE] Cisco Secure ACS EAP Overflow || url,wiki.quadrantsec.com/bin/view/Main/6106994 6106995 || [CISCO-SDEE] GDI EMF Memory Corruption Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6106995 6106996 || [CISCO-SDEE] GDI+ BMP Integer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6106996 6106997 || [CISCO-SDEE] OneNote Uniform Resource Locator Validation Error Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6106997 6106998 || [CISCO-SDEE] Microsoft GDI-Plus WMF Buffer Overrun Exploit || url,wiki.quadrantsec.com/bin/view/Main/6106998 6106999 || [CISCO-SDEE] Cisco PIM Multicast Denial of Service Attack || url,wiki.quadrantsec.com/bin/view/Main/6106999 6107000 || [CISCO-SDEE] Data Base TNS Connection || url,wiki.quadrantsec.com/bin/view/Main/6107000 6107001 || [CISCO-SDEE] TNS Redirect Request || url,wiki.quadrantsec.com/bin/view/Main/6107001 6107002 || [CISCO-SDEE] NBT NetBIOS Session Failed Login - Brute Force [5/3] || url,wiki.quadrantsec.com/bin/view/Main/6107002 
sagan-1.2.0/rules/ssh-tectia-server.rules0000644000175000017500000000452713310533411017325 0ustar champchamp# Sagan ssh-tectia-server.rules # Copyright (c) 2009-2017, Quadrant Information Security # All rights reserved. # # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list # #************************************************************* # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. # #************************************************************* # # These rules are for the SSH Tectia Server for Windows systems. 
# Brute-force detector for SSH Tectia Server authentication failures.
# Fires on log lines containing "Login_failure" from program SSH_Tectia_Server
# (default transport/port tcp/$SSH_PORT; parse_src_ip: 1 / parse_dst_ip: 2 take
# the endpoints from the message text - presumably the first and second IPs found,
# verify against the Sagan docs). "after" holds the alert until 5 such events from
# one source within 300 s, and "threshold: type limit" caps alerting at 5 per
# source per 300 s (the "[5/5]" in the msg). The rule also sets the "brute_force"
# xbit for 21600 s (6 h), presumably so other rules can correlate on that source.
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[SSH-TECTIA-SERVER] Authentication Failure - Brute force [5/5]"; content: "Login_failure"; default_proto: tcp; default_dst_port: $SSH_PORT; classtype: unsuccessful-user; xbits: set,brute_force,21600; reference: url,wiki.quadrantsec.com/bin/view/Main/5001877; parse_src_ip: 1; parse_dst_ip: 2; program: SSH_Tectia_Server; after: track by_src, count 5, seconds 300; threshold: type limit, track by_src, count 5, seconds 300; sid: 5001877; rev:3;)
sagan-1.2.0/rules/dynamic.rules0000644000175000017500000004560713310533411015405 0ustar champchamp# Sagan dynamic.rules
# Copyright (c) 2009-2017, Quadrant Information Security
# All rights reserved.
#
# Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list
#
#*************************************************************
# Redistribution and use in source and binary forms, with or without modification, are permitted provided that the
# following conditions are met:
#
# * Redistributions of source code must retain the above copyright notice, this list of conditions and the following
# disclaimer.
# * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the
# following disclaimer in the documentation and/or other materials provided with the distribution.
# * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES,
# INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
# USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#
#*************************************************************
#
# These are 'dynamic' rules. Each one matches only on the syslog "program" field
# (several names may be given, separated by "|", with "*" as a wildcard) to detect
# a log source that is not yet covered by a loaded rule set. On a match the rule
# file named in dynamic_load is loaded and/or the operator is warned, so a new
# log source does not silently go unmonitored.
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[DYNAMIC] Proftp logs detected via program."; program: proftpd; dynamic_load: $RULE_PATH/proftpd.rules; classtype: dynamic-rules; reference: url,wiki.quadrantsec.com/bin/view/Main/5003022; sid:5003022; rev:2;)
# NOTE(review): "program: proftpd|httpd" also fires on ProFTPD logs, which sid 5003022
# above already handles, and would load apache.rules for them. This looks like a
# copy-paste leftover from the previous rule - confirm whether "proftpd" should be
# dropped here.
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[DYNAMIC] Apache logs detected via program."; program: proftpd|httpd; dynamic_load: $RULE_PATH/apache.rules; classtype: dynamic-rules; reference: url,wiki.quadrantsec.com/bin/view/Main/5003023; sid:5003023; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[DYNAMIC] APC-EMU logs detected via program."; program: EMU; dynamic_load: $RULE_PATH/apc-emu.rules; classtype: dynamic-rules; reference: url,wiki.quadrantsec.com/bin/view/Main/5002959; sid:5002959; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[DYNAMIC] Arpalert or Arpwatch logs detected via program."; program: arpalert|arpwatch; dynamic_load: $RULE_PATH/arp.rules; classtype: dynamic-rules; reference: url,wiki.quadrantsec.com/bin/view/Main/5002960; sid:5002960; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[DYNAMIC] Artillery logs detected via program."; program: Artillery; dynamic_load: $RULE_PATH/artillery.rules; classtype: dynamic-rules; reference: url,wiki.quadrantsec.com/bin/view/Main/5002961; sid:5002961; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[DYNAMIC] Asterisk logs detected via program."; program: asterisk; dynamic_load: $RULE_PATH/asterisk.rules; classtype: dynamic-rules; reference: url,wiki.quadrantsec.com/bin/view/Main/5002962; sid:5002962; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[DYNAMIC] Bash logs detected via program."; program: bash|-bash|sh|-sh; dynamic_load: $RULE_PATH/bash.rules; classtype: dynamic-rules; reference: url,wiki.quadrantsec.com/bin/view/Main/5002963; sid:5002963; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[DYNAMIC] Bind logs detected via program."; program: named; dynamic_load: $RULE_PATH/bind.rules; classtype: dynamic-rules; reference: url,wiki.quadrantsec.com/bin/view/Main/5002964; sid:5002964; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[DYNAMIC] Bit9 logs detected via program."; program: bit9; dynamic_load: $RULE_PATH/bit9.rules; classtype: dynamic-rules; reference: url,wiki.quadrantsec.com/bin/view/Main/5002965; sid:5002965; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[DYNAMIC] Bro logs detected via program."; program: bro; dynamic_load: $RULE_PATH/bro-ids.rules; classtype: dynamic-rules; reference: url,wiki.quadrantsec.com/bin/view/Main/5002966; sid:5002966; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[DYNAMIC] Cisco ASA logs detected via program."; program: %ASA*|%FWSM*; dynamic_load: $RULE_PATH/cisco-pixasa.rules; classtype: dynamic-rules; reference: url,wiki.quadrantsec.com/bin/view/Main/5002967; sid:5002967; rev:2;)
# NOTE(review): "imapd-sslcourierlogger" looks like a missing "|" between
# "imapd-ssl" and "courierlogger" (compare the "arpalert|arpwatch" form above).
# As written, a log tagged either "imapd-ssl" or "courierlogger" would not match
# this token - confirm the intended program list.
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[DYNAMIC] Courier/IMAP logs detected via program."; program: imapd|imapd-sslcourierlogger; dynamic_load: $RULE_PATH/courier.rules; classtype: dynamic-rules; reference: url,wiki.quadrantsec.com/bin/view/Main/5002968; sid:5002968; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[DYNAMIC] OpenSSH logs detected via program."; program: sshd; dynamic_load: $RULE_PATH/openssh.rules; classtype: dynamic-rules; reference: url,wiki.quadrantsec.com/bin/view/Main/5002969; sid:5002969; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[DYNAMIC] DigitalPersona logs detected via program."; program: DigitalPersona*; dynamic_load: $RULE_PATH/digitalpersona.rules; classtype: dynamic-rules; reference: url,wiki.quadrantsec.com/bin/view/Main/5002970; sid:5002970; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[DYNAMIC] Dovecot logs detected via program."; program: dovecot; dynamic_load: $RULE_PATH/dovecot.rules; classtype: dynamic-rules; reference: url,wiki.quadrantsec.com/bin/view/Main/5002971; sid:5002971; rev:2;)
# NOTE(review): the msg and the rule file say "FIPAYPIN" but the program match is
# "*PIPAYPIN*" - one of the two spellings is probably a typo. Confirm which string
# the log source actually emits; if it is "FIPAYPIN", this rule never fires.
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[DYNAMIC] FIPAYPIN logs detected via program."; program: *PIPAYPIN*; dynamic_load: $RULE_PATH/fipaypin.rules; classtype: dynamic-rules; reference: url,wiki.quadrantsec.com/bin/view/Main/5002972; sid:5002972; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[DYNAMIC] FTPD logs detected via program."; program: ftpd|ftp|FTP|FTPD; dynamic_load: $RULE_PATH/ftpd.rules; classtype: dynamic-rules; reference: url,wiki.quadrantsec.com/bin/view/Main/5002973; sid:5002973; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[DYNAMIC] Grsec logs detected via program."; program: grsec; dynamic_load: $RULE_PATH/grsec.rules; classtype: dynamic-rules; reference: url,wiki.quadrantsec.com/bin/view/Main/5002974; sid:5002974; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[DYNAMIC] Honeyd logs detected via program."; program: honeyd; dynamic_load: $RULE_PATH/honeyd.rules; classtype: dynamic-rules; reference: url,wiki.quadrantsec.com/bin/view/Main/5002975; sid:5002975; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[DYNAMIC] Horde logs detected via program."; program: HORDE; dynamic_load: $RULE_PATH/hordeimp.rules; classtype: dynamic-rules; 
reference: url,wiki.quadrantsec.com/bin/view/Main/5002976; sid:5002976; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[DYNAMIC] Hostapd logs detected via program."; program: hostapd; dynamic_load: $RULE_PATH/hostapd.rules; classtype: dynamic-rules; reference: url,wiki.quadrantsec.com/bin/view/Main/5002977; sid:5002977; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[DYNAMIC] IMAPD logs detected via program."; program: imapd|imapd-ssl; dynamic_load: $RULE_PATH/imapd.rules; classtype: dynamic-rules; reference: url,wiki.quadrantsec.com/bin/view/Main/5002978; sid:5002978; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[DYNAMIC] IPOP3D logs detected via program."; program: ipop3d; dynamic_load: $RULE_PATH/ipop3d.rules; classtype: dynamic-rules; reference: url,wiki.quadrantsec.com/bin/view/Main/5002979; sid:5002979; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[DYNAMIC] Juniper logs detected via program."; program: Juniper; dynamic_load: $RULE_PATH/juniper.rules; classtype: dynamic-rules; reference: url,wiki.quadrantsec.com/bin/view/Main/5003021; sid:5003021; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[DYNAMIC] Kismet_Server logs detected via program."; program: kismet_server; dynamic_load: $RULE_PATH/kismet.rules; classtype: dynamic-rules; reference: url,wiki.quadrantsec.com/bin/view/Main/5002980; sid:5002980; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[DYNAMIC] Knockd logs detected via program."; program: knockd; dynamic_load: $RULE_PATH/knockd.rules; classtype: dynamic-rules; reference: url,wiki.quadrantsec.com/bin/view/Main/5002981; sid:5002981; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[DYNAMIC] Linux kernel logs detected via program."; program: kernel; dynamic_load: $RULE_PATH/linux-kernel.rules; classtype: dynamic-rules; reference: url,wiki.quadrantsec.com/bin/view/Main/5002982; sid:5002982; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: 
"[DYNAMIC] SMTP milter logs detected via program."; program: mimedefang|smf-sav; dynamic_load: $RULE_PATH/milter.rules; classtype: dynamic-rules; reference: url,wiki.quadrantsec.com/bin/view/Main/5002983; sid:5002983; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[DYNAMIC] MongoDB logs detected via program."; program: mongodb; dynamic_load: $RULE_PATH/mongodb.rules; classtype: dynamic-rules; reference: url,wiki.quadrantsec.com/bin/view/Main/5002984; sid:5002984; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[DYNAMIC] MySQL logs detected via program."; program: mysqld|MySQL; dynamic_load: $RULE_PATH/mysql.rules; classtype: dynamic-rules; reference: url,wiki.quadrantsec.com/bin/view/Main/5002985; sid:5002985; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[DYNAMIC] NeXpose logs detected via program."; program: NeXpose; dynamic_load: $RULE_PATH/nexpose.rules; classtype: dynamic-rules; reference: url,wiki.quadrantsec.com/bin/view/Main/5002986; sid:5002986; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[DYNAMIC] Nfcapd logs detected via program."; program: nfcapd; dynamic_load: $RULE_PATH/nfcapd.rules; classtype: dynamic-rules; reference: url,wiki.quadrantsec.com/bin/view/Main/5002987; sid:5002987; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[DYNAMIC] Nginx logs detected via program."; program: nginx; dynamic_load: $RULE_PATH/nginx.rules; classtype: dynamic-rules; reference: url,wiki.quadrantsec.com/bin/view/Main/5002988; sid:5002988; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[DYNAMIC] OpenVPN logs detected via program."; program: openvpn; dynamic_load: $RULE_PATH/openvpn.rules; classtype: dynamic-rules; reference: url,wiki.quadrantsec.com/bin/view/Main/5002989; sid:5002989; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[DYNAMIC] OSSEC logs detected via program."; program: ossec; dynamic_load: $RULE_PATH/ossec.rules; classtype: dynamic-rules; reference: 
url,wiki.quadrantsec.com/bin/view/Main/5002990; sid:5002990; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[DYNAMIC] Postfix logs detected via program."; program: postfix; dynamic_load: $RULE_PATH/postfix.rules; classtype: dynamic-rules; reference: url,wiki.quadrantsec.com/bin/view/Main/5002991; sid:5002991; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[DYNAMIC] Postgres logs detected via program."; program: postgres; dynamic_load: $RULE_PATH/postgres.rules; classtype: dynamic-rules; reference: url,wiki.quadrantsec.com/bin/view/Main/5002992; sid:5002992; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[DYNAMIC] pptpd logs detected via program."; program: pptpd; dynamic_load: $RULE_PATH/pptpd.rules; classtype: dynamic-rules; reference: url,wiki.quadrantsec.com/bin/view/Main/5002993; sid:5002993; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[DYNAMIC] Pure-FTP logs detected via program."; program: pure-ftpd; dynamic_load: $RULE_PATH/pure-ftpd.rules; classtype: dynamic-rules; reference: url,wiki.quadrantsec.com/bin/view/Main/5002994; sid:5002994; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[DYNAMIC] Racoon logs detected via program."; program: racoon; dynamic_load: $RULE_PATH/racoon.rules; classtype: dynamic-rules; reference: url,wiki.quadrantsec.com/bin/view/Main/5002995; sid:5002995; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[DYNAMIC] Riverbed logs detected via program."; program: webasd; dynamic_load: $RULE_PATH/riverbed.rules; classtype: dynamic-rules; reference: url,wiki.quadrantsec.com/bin/view/Main/5002996; sid:5002996; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[DYNAMIC] Roundcube logs detected via program."; program: webasd; dynamic_load: $RULE_PATH/roundcube.rules; classtype: dynamic-rules; reference: url,wiki.quadrantsec.com/bin/view/Main/5002998; sid:5002998; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[DYNAMIC] Rsync logs detected via 
program."; program: rsync|rsyncd; dynamic_load: $RULE_PATH/rsync.rules; classtype: dynamic-rules; reference: url,wiki.quadrantsec.com/bin/view/Main/5002999; sid:5002999; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[DYNAMIC] Samba logs detected via program."; program: smbd; dynamic_load: $RULE_PATH/samba.rules; classtype: dynamic-rules; reference: url,wiki.quadrantsec.com/bin/view/Main/5003000; sid:5003000; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[DYNAMIC] Sendmail logs detected via program."; program: sm-mta|sendmail; dynamic_load: $RULE_PATH/sendmail.rules; classtype: dynamic-rules; reference: url,wiki.quadrantsec.com/bin/view/Main/5003001; sid:5003001; rev:2;) #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[DYNAMIC] Snort logs detected via program."; program: snort; dynamic_load: $RULE_PATH/snort.rules; classtype: dynamic-rules; reference: url,wiki.quadrantsec.com/bin/view/Main/5003002; sid:5003002; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[DYNAMIC] Squid logs detected via program."; program: squid; dynamic_load: $RULE_PATH/squid.rules; classtype: dynamic-rules; reference: url,wiki.quadrantsec.com/bin/view/Main/5003003; sid:5003032; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[DYNAMIC] SSH-Tectia-Server logs detected via program."; program: SSH_Tectia_Server; dynamic_load: $RULE_PATH/ssh-tectia-server.rules; classtype: dynamic-rules; reference: url,wiki.quadrantsec.com/bin/view/Main/5003004; sid:5003004; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[DYNAMIC] su/sudo logs detected via program."; program: -su|su|sudo; dynamic_load: $RULE_PATH/su.rules; classtype: dynamic-rules; reference: url,wiki.quadrantsec.com/bin/view/Main/5003005; sid:5003005; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[DYNAMIC] Symantec EMS logs detected via program."; program: pgp/client; dynamic_load: $RULE_PATH/symantec-ems.rules; classtype: dynamic-rules; reference: 
url,wiki.quadrantsec.com/bin/view/Main/5003006; sid:5003006; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[DYNAMIC] Telnet logs detected via program."; program: telnetd; dynamic_load: $RULE_PATH/telnet.rules; classtype: dynamic-rules; reference: url,wiki.quadrantsec.com/bin/view/Main/5003007; sid:5003007; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[DYNAMIC] Trendmicro Antivirus logs detected via program."; program: TMCM; dynamic_load: $RULE_PATH/trendmicro.rules; classtype: dynamic-rules; reference: url,wiki.quadrantsec.com/bin/view/Main/5003008; sid:5003008; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[DYNAMIC] Tripwire logs detected via program."; program: tripwire; dynamic_load: $RULE_PATH/tripwire.rules; classtype: dynamic-rules; reference: url,wiki.quadrantsec.com/bin/view/Main/5003009; sid:5003009; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[DYNAMIC] Vmpop3d logs detected via program."; program: vm-pop3d; dynamic_load: $RULE_PATH/vmpop3d.rules; classtype: dynamic-rules; reference: url,wiki.quadrantsec.com/bin/view/Main/5003010; sid:5003010; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[DYNAMIC] VMWare ESXi logs detected via program."; program: vmware-hostd|vmware-authd|Hostd|vmkernel; dynamic_load: $RULE_PATH/vmware.rules; classtype: dynamic-rules; reference: url,wiki.quadrantsec.com/bin/view/Main/5003011; sid:5003011; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[DYNAMIC] VPopmail logs detected via program."; program: vpopmail; dynamic_load: $RULE_PATH/vpopmail.rules; classtype: dynamic-rules; reference: url,wiki.quadrantsec.com/bin/view/Main/5003012; sid:5003012; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[DYNAMIC] VSFTPD logs detected via program."; program: vsftpd; dynamic_load: $RULE_PATH/vsftpd.rules; classtype: dynamic-rules; reference: url,wiki.quadrantsec.com/bin/view/Main/5003013; sid:5003013; rev:2;) alert any $EXTERNAL_NET any -> 
$HOME_NET any (msg: "[DYNAMIC] Weblabyrinth logs detected via program."; program: weblabyrinth; dynamic_load: $RULE_PATH/weblabrinth.rules; classtype: dynamic-rules; reference: url,wiki.quadrantsec.com/bin/view/Main/5003014; sid:5003014; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[DYNAMIC] MSSQL logs detected via program."; program: MSSQL*; dynamic_load: $RULE_PATH/windows-mssql.rules; classtype: dynamic-rules; reference: url,wiki.quadrantsec.com/bin/view/Main/5003015; sid:5003015; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[DYNAMIC] Windows Sysmon logs detected via program."; program: Sysmon; dynamic_load: $RULE_PATH/windows-sysmon.rules; classtype: dynamic-rules; reference: url,wiki.quadrantsec.com/bin/view/Main/5003016; sid:5003016; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[DYNAMIC] Wordpress logs detected via program."; program: WPsyslog; dynamic_load: $RULE_PATH/wordpress.rules; classtype: dynamic-rules; reference: url,wiki.quadrantsec.com/bin/view/Main/5003017; sid:5003017; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[DYNAMIC] xinetd logs detected via program."; program: xinetd; dynamic_load: $RULE_PATH/xinetd.rules; classtype: dynamic-rules; reference: url,wiki.quadrantsec.com/bin/view/Main/5003018; sid:5003018; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[DYNAMIC] Yubikey logs detected via program."; program: yk_chkpwd; dynamic_load: $RULE_PATH/yubikey.rules; classtype: dynamic-rules; reference: url,wiki.quadrantsec.com/bin/view/Main/5003019; sid:5003019; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[DYNAMIC] Zeus logs detected via program."; program: zeus; dynamic_load: $RULE_PATH/zeus.rules; classtype: dynamic-rules; reference: url,wiki.quadrantsec.com/bin/view/Main/5003020; sid:5003020; rev:2;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[DYNAMIC] Cisco ISE detected via program"; program: 
CISE_Passed_Authentications|CISE_Failed_Attempts|CSCOacs_Failed_Attempts; dynamic_load: $RULE_PATH/cisco-ise.rules; classtype: dynamic-rules; reference: url,wiki.quadrantsec.com/bin/view/Main/5003785; sid:5003785; rev:1;) sagan-1.2.0/rules/vmware-bluedot.rules0000644000175000017500000000574213310533411016712 0ustar champchamp# Sagan vmware-bluedot.rules # Copyright (c) 2009-2017, Quadrant Information Security # All rights reserved. # # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list # #************************************************************* # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. 
IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. # #************************************************************* # VMWare ESX alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[VMWARE-BLUEDOT] User login successful from a suspicious source"; pcre: "/Accepted password for|login from/i"; default_proto: tcp; classtype: successful-admin; bluedot: type ip_reputation, track by_src, none, Malicious,Tor,Honeypot,Proxy; program: vmware-hostd|vmware-authd; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5002916; sid:5002916; rev:4;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[VMWARE-BLUEDOT] User login successful from a suspicious source"; content: " logged in "; default_proto: tcp; classtype: successful-admin; program: Hostd; bluedot: type ip_reputation, track by_src, none, Malicious,Tor,Honeypot,Proxy; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5002917; sid:5002917; rev:4;) alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[VMWARE-BLUEDOT] User login successful from a suspicious source"; content: "Accepted password"; default_proto: tcp; classtype: successful-admin; bluedot: type ip_reputation, track by_src, none, Malicious,Tor,Honeypot,Proxy; program: Hostd; normalize; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5002918; sid:5002918; rev:3;) sagan-1.2.0/rules/ssh-tectia-server-aetas.rules0000644000175000017500000000441613310533411020415 0ustar champchamp# Sagan ssh-tectia-server-aetas.rules # Copyright (c) 2009-2017, Quadrant 
Information Security # All rights reserved. # # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list # #************************************************************* # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. # #************************************************************* # # These rules are for the SSH Tectia Server for Windows systems. 
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[SSH-TECTIA-SERVER-AETAS] Authentication success at suspicious time"; content: "Login_success"; default_proto: tcp; default_dst_port: $SSH_PORT; classtype: successful-user; reference: url,wiki.quadrantsec.com/bin/view/Main/5002054; parse_src_ip: 1; parse_dst_ip: 2; program: SSH_Tectia_Server; alert_time: days $SAGAN_DAYS, hours $SAGAN_HOURS; sid: 5002054; rev:3;) sagan-1.2.0/rules/vmpop3d.rules0000644000175000017500000000410713310533411015337 0ustar champchamp# Sagan vmpop3d.rules # Copyright (c) 2009-2017, Quadrant Information Security # All rights reserved. # # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list # #************************************************************* # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. 
IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. # #************************************************************* alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[VMPOP3D] Authentication failure for POP3"; content: "failed auth"; default_proto: tcp; default_dst_port: $POP3_PORT; classtype: unsuccessful-user; program: vm-pop3d; reference: url,wiki.quadrantsec.com/bin/view/Main/5000215; sid: 5000215; rev:4;) sagan-1.2.0/config.guess0000755000175000017500000012355013310533436014074 0ustar champchamp#! /bin/sh # Attempt to guess a canonical system name. # Copyright 1992-2014 Free Software Foundation, Inc. timestamp='2014-03-23' # This file is free software; you can redistribute it and/or modify it # under the terms of the GNU General Public License as published by # the Free Software Foundation; either version 3 of the License, or # (at your option) any later version. # # This program is distributed in the hope that it will be useful, but # WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU # General Public License for more details. # # You should have received a copy of the GNU General Public License # along with this program; if not, see . # # As a special exception to the GNU General Public License, if you # distribute this file as part of a program that contains a # configuration script generated by Autoconf, you may include it under # the same distribution terms that you use for the rest of that # program. 
This Exception is an additional permission under section 7 # of the GNU General Public License, version 3 ("GPLv3"). # # Originally written by Per Bothner. # # You can get the latest version of this script from: # http://git.savannah.gnu.org/gitweb/?p=config.git;a=blob_plain;f=config.guess;hb=HEAD # # Please send patches with a ChangeLog entry to config-patches@gnu.org. me=`echo "$0" | sed -e 's,.*/,,'` usage="\ Usage: $0 [OPTION] Output the configuration name of the system \`$me' is run on. Operation modes: -h, --help print this help, then exit -t, --time-stamp print date of last modification, then exit -v, --version print version number, then exit Report bugs and patches to ." version="\ GNU config.guess ($timestamp) Originally written by Per Bothner. Copyright 1992-2014 Free Software Foundation, Inc. This is free software; see the source for copying conditions. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE." help=" Try \`$me --help' for more information." # Parse command line while test $# -gt 0 ; do case $1 in --time-stamp | --time* | -t ) echo "$timestamp" ; exit ;; --version | -v ) echo "$version" ; exit ;; --help | --h* | -h ) echo "$usage"; exit ;; -- ) # Stop option processing shift; break ;; - ) # Use stdin as input. break ;; -* ) echo "$me: invalid option $1$help" >&2 exit 1 ;; * ) break ;; esac done if test $# != 0; then echo "$me: too many arguments$help" >&2 exit 1 fi trap 'exit 1' 1 2 15 # CC_FOR_BUILD -- compiler used by this script. Note that the use of a # compiler to aid in system detection is discouraged as it requires # temporary files to be created and, as you can see below, it is a # headache to deal with in a portable fashion. # Historically, `CC_FOR_BUILD' used to be named `HOST_CC'. We still # use `HOST_CC' if defined, but it is deprecated. # Portable tmp directory creation inspired by the Autoconf team. 
set_cc_for_build=' trap "exitcode=\$?; (rm -f \$tmpfiles 2>/dev/null; rmdir \$tmp 2>/dev/null) && exit \$exitcode" 0 ; trap "rm -f \$tmpfiles 2>/dev/null; rmdir \$tmp 2>/dev/null; exit 1" 1 2 13 15 ; : ${TMPDIR=/tmp} ; { tmp=`(umask 077 && mktemp -d "$TMPDIR/cgXXXXXX") 2>/dev/null` && test -n "$tmp" && test -d "$tmp" ; } || { test -n "$RANDOM" && tmp=$TMPDIR/cg$$-$RANDOM && (umask 077 && mkdir $tmp) ; } || { tmp=$TMPDIR/cg-$$ && (umask 077 && mkdir $tmp) && echo "Warning: creating insecure temp directory" >&2 ; } || { echo "$me: cannot create a temporary directory in $TMPDIR" >&2 ; exit 1 ; } ; dummy=$tmp/dummy ; tmpfiles="$dummy.c $dummy.o $dummy.rel $dummy" ; case $CC_FOR_BUILD,$HOST_CC,$CC in ,,) echo "int x;" > $dummy.c ; for c in cc gcc c89 c99 ; do if ($c -c -o $dummy.o $dummy.c) >/dev/null 2>&1 ; then CC_FOR_BUILD="$c"; break ; fi ; done ; if test x"$CC_FOR_BUILD" = x ; then CC_FOR_BUILD=no_compiler_found ; fi ;; ,,*) CC_FOR_BUILD=$CC ;; ,*,*) CC_FOR_BUILD=$HOST_CC ;; esac ; set_cc_for_build= ;' # This is needed to find uname on a Pyramid OSx when run in the BSD universe. # (ghazi@noc.rutgers.edu 1994-08-24) if (test -f /.attbin/uname) >/dev/null 2>&1 ; then PATH=$PATH:/.attbin ; export PATH fi UNAME_MACHINE=`(uname -m) 2>/dev/null` || UNAME_MACHINE=unknown UNAME_RELEASE=`(uname -r) 2>/dev/null` || UNAME_RELEASE=unknown UNAME_SYSTEM=`(uname -s) 2>/dev/null` || UNAME_SYSTEM=unknown UNAME_VERSION=`(uname -v) 2>/dev/null` || UNAME_VERSION=unknown case "${UNAME_SYSTEM}" in Linux|GNU|GNU/*) # If the system lacks a compiler, then just pick glibc. # We could probably try harder. LIBC=gnu eval $set_cc_for_build cat <<-EOF > $dummy.c #include #if defined(__UCLIBC__) LIBC=uclibc #elif defined(__dietlibc__) LIBC=dietlibc #else LIBC=gnu #endif EOF eval `$CC_FOR_BUILD -E $dummy.c 2>/dev/null | grep '^LIBC' | sed 's, ,,g'` ;; esac # Note: order is significant - the case branches are not exclusive. 
case "${UNAME_MACHINE}:${UNAME_SYSTEM}:${UNAME_RELEASE}:${UNAME_VERSION}" in *:NetBSD:*:*) # NetBSD (nbsd) targets should (where applicable) match one or # more of the tuples: *-*-netbsdelf*, *-*-netbsdaout*, # *-*-netbsdecoff* and *-*-netbsd*. For targets that recently # switched to ELF, *-*-netbsd* would select the old # object file format. This provides both forward # compatibility and a consistent mechanism for selecting the # object file format. # # Note: NetBSD doesn't particularly care about the vendor # portion of the name. We always set it to "unknown". sysctl="sysctl -n hw.machine_arch" UNAME_MACHINE_ARCH=`(/sbin/$sysctl 2>/dev/null || \ /usr/sbin/$sysctl 2>/dev/null || echo unknown)` case "${UNAME_MACHINE_ARCH}" in armeb) machine=armeb-unknown ;; arm*) machine=arm-unknown ;; sh3el) machine=shl-unknown ;; sh3eb) machine=sh-unknown ;; sh5el) machine=sh5le-unknown ;; *) machine=${UNAME_MACHINE_ARCH}-unknown ;; esac # The Operating System including object format, if it has switched # to ELF recently, or will in the future. case "${UNAME_MACHINE_ARCH}" in arm*|i386|m68k|ns32k|sh3*|sparc|vax) eval $set_cc_for_build if echo __ELF__ | $CC_FOR_BUILD -E - 2>/dev/null \ | grep -q __ELF__ then # Once all utilities can be ECOFF (netbsdecoff) or a.out (netbsdaout). # Return netbsd for either. FIX? os=netbsd else os=netbsdelf fi ;; *) os=netbsd ;; esac # The OS release # Debian GNU/NetBSD machines have a different userland, and # thus, need a distinct triplet. However, they do not need # kernel version information, so it can be replaced with a # suitable tag, in the style of linux-gnu. case "${UNAME_VERSION}" in Debian*) release='-gnu' ;; *) release=`echo ${UNAME_RELEASE}|sed -e 's/[-_].*/\./'` ;; esac # Since CPU_TYPE-MANUFACTURER-KERNEL-OPERATING_SYSTEM: # contains redundant information, the shorter form: # CPU_TYPE-MANUFACTURER-OPERATING_SYSTEM is used. 
echo "${machine}-${os}${release}" exit ;; *:Bitrig:*:*) UNAME_MACHINE_ARCH=`arch | sed 's/Bitrig.//'` echo ${UNAME_MACHINE_ARCH}-unknown-bitrig${UNAME_RELEASE} exit ;; *:OpenBSD:*:*) UNAME_MACHINE_ARCH=`arch | sed 's/OpenBSD.//'` echo ${UNAME_MACHINE_ARCH}-unknown-openbsd${UNAME_RELEASE} exit ;; *:ekkoBSD:*:*) echo ${UNAME_MACHINE}-unknown-ekkobsd${UNAME_RELEASE} exit ;; *:SolidBSD:*:*) echo ${UNAME_MACHINE}-unknown-solidbsd${UNAME_RELEASE} exit ;; macppc:MirBSD:*:*) echo powerpc-unknown-mirbsd${UNAME_RELEASE} exit ;; *:MirBSD:*:*) echo ${UNAME_MACHINE}-unknown-mirbsd${UNAME_RELEASE} exit ;; alpha:OSF1:*:*) case $UNAME_RELEASE in *4.0) UNAME_RELEASE=`/usr/sbin/sizer -v | awk '{print $3}'` ;; *5.*) UNAME_RELEASE=`/usr/sbin/sizer -v | awk '{print $4}'` ;; esac # According to Compaq, /usr/sbin/psrinfo has been available on # OSF/1 and Tru64 systems produced since 1995. I hope that # covers most systems running today. This code pipes the CPU # types through head -n 1, so we only detect the type of CPU 0. ALPHA_CPU_TYPE=`/usr/sbin/psrinfo -v | sed -n -e 's/^ The alpha \(.*\) processor.*$/\1/p' | head -n 1` case "$ALPHA_CPU_TYPE" in "EV4 (21064)") UNAME_MACHINE="alpha" ;; "EV4.5 (21064)") UNAME_MACHINE="alpha" ;; "LCA4 (21066/21068)") UNAME_MACHINE="alpha" ;; "EV5 (21164)") UNAME_MACHINE="alphaev5" ;; "EV5.6 (21164A)") UNAME_MACHINE="alphaev56" ;; "EV5.6 (21164PC)") UNAME_MACHINE="alphapca56" ;; "EV5.7 (21164PC)") UNAME_MACHINE="alphapca57" ;; "EV6 (21264)") UNAME_MACHINE="alphaev6" ;; "EV6.7 (21264A)") UNAME_MACHINE="alphaev67" ;; "EV6.8CB (21264C)") UNAME_MACHINE="alphaev68" ;; "EV6.8AL (21264B)") UNAME_MACHINE="alphaev68" ;; "EV6.8CX (21264D)") UNAME_MACHINE="alphaev68" ;; "EV6.9A (21264/EV69A)") UNAME_MACHINE="alphaev69" ;; "EV7 (21364)") UNAME_MACHINE="alphaev7" ;; "EV7.9 (21364A)") UNAME_MACHINE="alphaev79" ;; esac # A Pn.n version is a patched version. # A Vn.n version is a released version. # A Tn.n version is a released field test version. 
# A Xn.n version is an unreleased experimental baselevel. # 1.2 uses "1.2" for uname -r. echo ${UNAME_MACHINE}-dec-osf`echo ${UNAME_RELEASE} | sed -e 's/^[PVTX]//' | tr 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz'` # Reset EXIT trap before exiting to avoid spurious non-zero exit code. exitcode=$? trap '' 0 exit $exitcode ;; Alpha\ *:Windows_NT*:*) # How do we know it's Interix rather than the generic POSIX subsystem? # Should we change UNAME_MACHINE based on the output of uname instead # of the specific Alpha model? echo alpha-pc-interix exit ;; 21064:Windows_NT:50:3) echo alpha-dec-winnt3.5 exit ;; Amiga*:UNIX_System_V:4.0:*) echo m68k-unknown-sysv4 exit ;; *:[Aa]miga[Oo][Ss]:*:*) echo ${UNAME_MACHINE}-unknown-amigaos exit ;; *:[Mm]orph[Oo][Ss]:*:*) echo ${UNAME_MACHINE}-unknown-morphos exit ;; *:OS/390:*:*) echo i370-ibm-openedition exit ;; *:z/VM:*:*) echo s390-ibm-zvmoe exit ;; *:OS400:*:*) echo powerpc-ibm-os400 exit ;; arm:RISC*:1.[012]*:*|arm:riscix:1.[012]*:*) echo arm-acorn-riscix${UNAME_RELEASE} exit ;; arm*:riscos:*:*|arm*:RISCOS:*:*) echo arm-unknown-riscos exit ;; SR2?01:HI-UX/MPP:*:* | SR8000:HI-UX/MPP:*:*) echo hppa1.1-hitachi-hiuxmpp exit ;; Pyramid*:OSx*:*:* | MIS*:OSx*:*:* | MIS*:SMP_DC-OSx*:*:*) # akee@wpdis03.wpafb.af.mil (Earle F. Ake) contributed MIS and NILE. 
if test "`(/bin/universe) 2>/dev/null`" = att ; then echo pyramid-pyramid-sysv3 else echo pyramid-pyramid-bsd fi exit ;; NILE*:*:*:dcosx) echo pyramid-pyramid-svr4 exit ;; DRS?6000:unix:4.0:6*) echo sparc-icl-nx6 exit ;; DRS?6000:UNIX_SV:4.2*:7* | DRS?6000:isis:4.2*:7*) case `/usr/bin/uname -p` in sparc) echo sparc-icl-nx7; exit ;; esac ;; s390x:SunOS:*:*) echo ${UNAME_MACHINE}-ibm-solaris2`echo ${UNAME_RELEASE}|sed -e 's/[^.]*//'` exit ;; sun4H:SunOS:5.*:*) echo sparc-hal-solaris2`echo ${UNAME_RELEASE}|sed -e 's/[^.]*//'` exit ;; sun4*:SunOS:5.*:* | tadpole*:SunOS:5.*:*) echo sparc-sun-solaris2`echo ${UNAME_RELEASE}|sed -e 's/[^.]*//'` exit ;; i86pc:AuroraUX:5.*:* | i86xen:AuroraUX:5.*:*) echo i386-pc-auroraux${UNAME_RELEASE} exit ;; i86pc:SunOS:5.*:* | i86xen:SunOS:5.*:*) eval $set_cc_for_build SUN_ARCH="i386" # If there is a compiler, see if it is configured for 64-bit objects. # Note that the Sun cc does not turn __LP64__ into 1 like gcc does. # This test works for both compilers. if [ "$CC_FOR_BUILD" != 'no_compiler_found' ]; then if (echo '#ifdef __amd64'; echo IS_64BIT_ARCH; echo '#endif') | \ (CCOPTS= $CC_FOR_BUILD -E - 2>/dev/null) | \ grep IS_64BIT_ARCH >/dev/null then SUN_ARCH="x86_64" fi fi echo ${SUN_ARCH}-pc-solaris2`echo ${UNAME_RELEASE}|sed -e 's/[^.]*//'` exit ;; sun4*:SunOS:6*:*) # According to config.sub, this is the proper way to canonicalize # SunOS6. Hard to guess exactly what SunOS6 will be like, but # it's likely to be more like Solaris than SunOS4. echo sparc-sun-solaris3`echo ${UNAME_RELEASE}|sed -e 's/[^.]*//'` exit ;; sun4*:SunOS:*:*) case "`/usr/bin/arch -k`" in Series*|S4*) UNAME_RELEASE=`uname -v` ;; esac # Japanese Language versions have a version number like `4.1.3-JL'. 
echo sparc-sun-sunos`echo ${UNAME_RELEASE}|sed -e 's/-/_/'` exit ;; sun3*:SunOS:*:*) echo m68k-sun-sunos${UNAME_RELEASE} exit ;; sun*:*:4.2BSD:*) UNAME_RELEASE=`(sed 1q /etc/motd | awk '{print substr($5,1,3)}') 2>/dev/null` test "x${UNAME_RELEASE}" = "x" && UNAME_RELEASE=3 case "`/bin/arch`" in sun3) echo m68k-sun-sunos${UNAME_RELEASE} ;; sun4) echo sparc-sun-sunos${UNAME_RELEASE} ;; esac exit ;; aushp:SunOS:*:*) echo sparc-auspex-sunos${UNAME_RELEASE} exit ;; # The situation for MiNT is a little confusing. The machine name # can be virtually everything (everything which is not # "atarist" or "atariste" at least should have a processor # > m68000). The system name ranges from "MiNT" over "FreeMiNT" # to the lowercase version "mint" (or "freemint"). Finally # the system name "TOS" denotes a system which is actually not # MiNT. But MiNT is downward compatible to TOS, so this should # be no problem. atarist[e]:*MiNT:*:* | atarist[e]:*mint:*:* | atarist[e]:*TOS:*:*) echo m68k-atari-mint${UNAME_RELEASE} exit ;; atari*:*MiNT:*:* | atari*:*mint:*:* | atarist[e]:*TOS:*:*) echo m68k-atari-mint${UNAME_RELEASE} exit ;; *falcon*:*MiNT:*:* | *falcon*:*mint:*:* | *falcon*:*TOS:*:*) echo m68k-atari-mint${UNAME_RELEASE} exit ;; milan*:*MiNT:*:* | milan*:*mint:*:* | *milan*:*TOS:*:*) echo m68k-milan-mint${UNAME_RELEASE} exit ;; hades*:*MiNT:*:* | hades*:*mint:*:* | *hades*:*TOS:*:*) echo m68k-hades-mint${UNAME_RELEASE} exit ;; *:*MiNT:*:* | *:*mint:*:* | *:*TOS:*:*) echo m68k-unknown-mint${UNAME_RELEASE} exit ;; m68k:machten:*:*) echo m68k-apple-machten${UNAME_RELEASE} exit ;; powerpc:machten:*:*) echo powerpc-apple-machten${UNAME_RELEASE} exit ;; RISC*:Mach:*:*) echo mips-dec-mach_bsd4.3 exit ;; RISC*:ULTRIX:*:*) echo mips-dec-ultrix${UNAME_RELEASE} exit ;; VAX*:ULTRIX*:*:*) echo vax-dec-ultrix${UNAME_RELEASE} exit ;; 2020:CLIX:*:* | 2430:CLIX:*:*) echo clipper-intergraph-clix${UNAME_RELEASE} exit ;; mips:*:*:UMIPS | mips:*:*:RISCos) eval $set_cc_for_build sed 's/^ //' << EOF 
>$dummy.c #ifdef __cplusplus #include /* for printf() prototype */ int main (int argc, char *argv[]) { #else int main (argc, argv) int argc; char *argv[]; { #endif #if defined (host_mips) && defined (MIPSEB) #if defined (SYSTYPE_SYSV) printf ("mips-mips-riscos%ssysv\n", argv[1]); exit (0); #endif #if defined (SYSTYPE_SVR4) printf ("mips-mips-riscos%ssvr4\n", argv[1]); exit (0); #endif #if defined (SYSTYPE_BSD43) || defined(SYSTYPE_BSD) printf ("mips-mips-riscos%sbsd\n", argv[1]); exit (0); #endif #endif exit (-1); } EOF $CC_FOR_BUILD -o $dummy $dummy.c && dummyarg=`echo "${UNAME_RELEASE}" | sed -n 's/\([0-9]*\).*/\1/p'` && SYSTEM_NAME=`$dummy $dummyarg` && { echo "$SYSTEM_NAME"; exit; } echo mips-mips-riscos${UNAME_RELEASE} exit ;; Motorola:PowerMAX_OS:*:*) echo powerpc-motorola-powermax exit ;; Motorola:*:4.3:PL8-*) echo powerpc-harris-powermax exit ;; Night_Hawk:*:*:PowerMAX_OS | Synergy:PowerMAX_OS:*:*) echo powerpc-harris-powermax exit ;; Night_Hawk:Power_UNIX:*:*) echo powerpc-harris-powerunix exit ;; m88k:CX/UX:7*:*) echo m88k-harris-cxux7 exit ;; m88k:*:4*:R4*) echo m88k-motorola-sysv4 exit ;; m88k:*:3*:R3*) echo m88k-motorola-sysv3 exit ;; AViiON:dgux:*:*) # DG/UX returns AViiON for all architectures UNAME_PROCESSOR=`/usr/bin/uname -p` if [ $UNAME_PROCESSOR = mc88100 ] || [ $UNAME_PROCESSOR = mc88110 ] then if [ ${TARGET_BINARY_INTERFACE}x = m88kdguxelfx ] || \ [ ${TARGET_BINARY_INTERFACE}x = x ] then echo m88k-dg-dgux${UNAME_RELEASE} else echo m88k-dg-dguxbcs${UNAME_RELEASE} fi else echo i586-dg-dgux${UNAME_RELEASE} fi exit ;; M88*:DolphinOS:*:*) # DolphinOS (SVR3) echo m88k-dolphin-sysv3 exit ;; M88*:*:R3*:*) # Delta 88k system running SVR3 echo m88k-motorola-sysv3 exit ;; XD88*:*:*:*) # Tektronix XD88 system running UTekV (SVR3) echo m88k-tektronix-sysv3 exit ;; Tek43[0-9][0-9]:UTek:*:*) # Tektronix 4300 system running UTek (BSD) echo m68k-tektronix-bsd exit ;; *:IRIX*:*:*) echo mips-sgi-irix`echo ${UNAME_RELEASE}|sed -e 's/-/_/g'` exit ;; 
????????:AIX?:[12].1:2) # AIX 2.2.1 or AIX 2.1.1 is RT/PC AIX. echo romp-ibm-aix # uname -m gives an 8 hex-code CPU id exit ;; # Note that: echo "'`uname -s`'" gives 'AIX ' i*86:AIX:*:*) echo i386-ibm-aix exit ;; ia64:AIX:*:*) if [ -x /usr/bin/oslevel ] ; then IBM_REV=`/usr/bin/oslevel` else IBM_REV=${UNAME_VERSION}.${UNAME_RELEASE} fi echo ${UNAME_MACHINE}-ibm-aix${IBM_REV} exit ;; *:AIX:2:3) if grep bos325 /usr/include/stdio.h >/dev/null 2>&1; then eval $set_cc_for_build sed 's/^ //' << EOF >$dummy.c #include main() { if (!__power_pc()) exit(1); puts("powerpc-ibm-aix3.2.5"); exit(0); } EOF if $CC_FOR_BUILD -o $dummy $dummy.c && SYSTEM_NAME=`$dummy` then echo "$SYSTEM_NAME" else echo rs6000-ibm-aix3.2.5 fi elif grep bos324 /usr/include/stdio.h >/dev/null 2>&1; then echo rs6000-ibm-aix3.2.4 else echo rs6000-ibm-aix3.2 fi exit ;; *:AIX:*:[4567]) IBM_CPU_ID=`/usr/sbin/lsdev -C -c processor -S available | sed 1q | awk '{ print $1 }'` if /usr/sbin/lsattr -El ${IBM_CPU_ID} | grep ' POWER' >/dev/null 2>&1; then IBM_ARCH=rs6000 else IBM_ARCH=powerpc fi if [ -x /usr/bin/oslevel ] ; then IBM_REV=`/usr/bin/oslevel` else IBM_REV=${UNAME_VERSION}.${UNAME_RELEASE} fi echo ${IBM_ARCH}-ibm-aix${IBM_REV} exit ;; *:AIX:*:*) echo rs6000-ibm-aix exit ;; ibmrt:4.4BSD:*|romp-ibm:BSD:*) echo romp-ibm-bsd4.4 exit ;; ibmrt:*BSD:*|romp-ibm:BSD:*) # covers RT/PC BSD and echo romp-ibm-bsd${UNAME_RELEASE} # 4.3 with uname added to exit ;; # report: romp-ibm BSD 4.3 *:BOSX:*:*) echo rs6000-bull-bosx exit ;; DPX/2?00:B.O.S.:*:*) echo m68k-bull-sysv3 exit ;; 9000/[34]??:4.3bsd:1.*:*) echo m68k-hp-bsd exit ;; hp300:4.4BSD:*:* | 9000/[34]??:4.3bsd:2.*:*) echo m68k-hp-bsd4.4 exit ;; 9000/[34678]??:HP-UX:*:*) HPUX_REV=`echo ${UNAME_RELEASE}|sed -e 's/[^.]*.[0B]*//'` case "${UNAME_MACHINE}" in 9000/31? ) HP_ARCH=m68000 ;; 9000/[34]?? 
) HP_ARCH=m68k ;; 9000/[678][0-9][0-9]) if [ -x /usr/bin/getconf ]; then sc_cpu_version=`/usr/bin/getconf SC_CPU_VERSION 2>/dev/null` sc_kernel_bits=`/usr/bin/getconf SC_KERNEL_BITS 2>/dev/null` case "${sc_cpu_version}" in 523) HP_ARCH="hppa1.0" ;; # CPU_PA_RISC1_0 528) HP_ARCH="hppa1.1" ;; # CPU_PA_RISC1_1 532) # CPU_PA_RISC2_0 case "${sc_kernel_bits}" in 32) HP_ARCH="hppa2.0n" ;; 64) HP_ARCH="hppa2.0w" ;; '') HP_ARCH="hppa2.0" ;; # HP-UX 10.20 esac ;; esac fi if [ "${HP_ARCH}" = "" ]; then eval $set_cc_for_build sed 's/^ //' << EOF >$dummy.c #define _HPUX_SOURCE #include #include int main () { #if defined(_SC_KERNEL_BITS) long bits = sysconf(_SC_KERNEL_BITS); #endif long cpu = sysconf (_SC_CPU_VERSION); switch (cpu) { case CPU_PA_RISC1_0: puts ("hppa1.0"); break; case CPU_PA_RISC1_1: puts ("hppa1.1"); break; case CPU_PA_RISC2_0: #if defined(_SC_KERNEL_BITS) switch (bits) { case 64: puts ("hppa2.0w"); break; case 32: puts ("hppa2.0n"); break; default: puts ("hppa2.0"); break; } break; #else /* !defined(_SC_KERNEL_BITS) */ puts ("hppa2.0"); break; #endif default: puts ("hppa1.0"); break; } exit (0); } EOF (CCOPTS= $CC_FOR_BUILD -o $dummy $dummy.c 2>/dev/null) && HP_ARCH=`$dummy` test -z "$HP_ARCH" && HP_ARCH=hppa fi ;; esac if [ ${HP_ARCH} = "hppa2.0w" ] then eval $set_cc_for_build # hppa2.0w-hp-hpux* has a 64-bit kernel and a compiler generating # 32-bit code. hppa64-hp-hpux* has the same kernel and a compiler # generating 64-bit code. 
GNU and HP use different nomenclature: # # $ CC_FOR_BUILD=cc ./config.guess # => hppa2.0w-hp-hpux11.23 # $ CC_FOR_BUILD="cc +DA2.0w" ./config.guess # => hppa64-hp-hpux11.23 if echo __LP64__ | (CCOPTS= $CC_FOR_BUILD -E - 2>/dev/null) | grep -q __LP64__ then HP_ARCH="hppa2.0w" else HP_ARCH="hppa64" fi fi echo ${HP_ARCH}-hp-hpux${HPUX_REV} exit ;; ia64:HP-UX:*:*) HPUX_REV=`echo ${UNAME_RELEASE}|sed -e 's/[^.]*.[0B]*//'` echo ia64-hp-hpux${HPUX_REV} exit ;; 3050*:HI-UX:*:*) eval $set_cc_for_build sed 's/^ //' << EOF >$dummy.c #include int main () { long cpu = sysconf (_SC_CPU_VERSION); /* The order matters, because CPU_IS_HP_MC68K erroneously returns true for CPU_PA_RISC1_0. CPU_IS_PA_RISC returns correct results, however. */ if (CPU_IS_PA_RISC (cpu)) { switch (cpu) { case CPU_PA_RISC1_0: puts ("hppa1.0-hitachi-hiuxwe2"); break; case CPU_PA_RISC1_1: puts ("hppa1.1-hitachi-hiuxwe2"); break; case CPU_PA_RISC2_0: puts ("hppa2.0-hitachi-hiuxwe2"); break; default: puts ("hppa-hitachi-hiuxwe2"); break; } } else if (CPU_IS_HP_MC68K (cpu)) puts ("m68k-hitachi-hiuxwe2"); else puts ("unknown-hitachi-hiuxwe2"); exit (0); } EOF $CC_FOR_BUILD -o $dummy $dummy.c && SYSTEM_NAME=`$dummy` && { echo "$SYSTEM_NAME"; exit; } echo unknown-hitachi-hiuxwe2 exit ;; 9000/7??:4.3bsd:*:* | 9000/8?[79]:4.3bsd:*:* ) echo hppa1.1-hp-bsd exit ;; 9000/8??:4.3bsd:*:*) echo hppa1.0-hp-bsd exit ;; *9??*:MPE/iX:*:* | *3000*:MPE/iX:*:*) echo hppa1.0-hp-mpeix exit ;; hp7??:OSF1:*:* | hp8?[79]:OSF1:*:* ) echo hppa1.1-hp-osf exit ;; hp8??:OSF1:*:*) echo hppa1.0-hp-osf exit ;; i*86:OSF1:*:*) if [ -x /usr/sbin/sysversion ] ; then echo ${UNAME_MACHINE}-unknown-osf1mk else echo ${UNAME_MACHINE}-unknown-osf1 fi exit ;; parisc*:Lites*:*:*) echo hppa1.1-hp-lites exit ;; C1*:ConvexOS:*:* | convex:ConvexOS:C1*:*) echo c1-convex-bsd exit ;; C2*:ConvexOS:*:* | convex:ConvexOS:C2*:*) if getsysinfo -f scalar_acc then echo c32-convex-bsd else echo c2-convex-bsd fi exit ;; C34*:ConvexOS:*:* | convex:ConvexOS:C34*:*) echo 
c34-convex-bsd exit ;; C38*:ConvexOS:*:* | convex:ConvexOS:C38*:*) echo c38-convex-bsd exit ;; C4*:ConvexOS:*:* | convex:ConvexOS:C4*:*) echo c4-convex-bsd exit ;; CRAY*Y-MP:*:*:*) echo ymp-cray-unicos${UNAME_RELEASE} | sed -e 's/\.[^.]*$/.X/' exit ;; CRAY*[A-Z]90:*:*:*) echo ${UNAME_MACHINE}-cray-unicos${UNAME_RELEASE} \ | sed -e 's/CRAY.*\([A-Z]90\)/\1/' \ -e y/ABCDEFGHIJKLMNOPQRSTUVWXYZ/abcdefghijklmnopqrstuvwxyz/ \ -e 's/\.[^.]*$/.X/' exit ;; CRAY*TS:*:*:*) echo t90-cray-unicos${UNAME_RELEASE} | sed -e 's/\.[^.]*$/.X/' exit ;; CRAY*T3E:*:*:*) echo alphaev5-cray-unicosmk${UNAME_RELEASE} | sed -e 's/\.[^.]*$/.X/' exit ;; CRAY*SV1:*:*:*) echo sv1-cray-unicos${UNAME_RELEASE} | sed -e 's/\.[^.]*$/.X/' exit ;; *:UNICOS/mp:*:*) echo craynv-cray-unicosmp${UNAME_RELEASE} | sed -e 's/\.[^.]*$/.X/' exit ;; F30[01]:UNIX_System_V:*:* | F700:UNIX_System_V:*:*) FUJITSU_PROC=`uname -m | tr 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz'` FUJITSU_SYS=`uname -p | tr 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz' | sed -e 's/\///'` FUJITSU_REL=`echo ${UNAME_RELEASE} | sed -e 's/ /_/'` echo "${FUJITSU_PROC}-fujitsu-${FUJITSU_SYS}${FUJITSU_REL}" exit ;; 5000:UNIX_System_V:4.*:*) FUJITSU_SYS=`uname -p | tr 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz' | sed -e 's/\///'` FUJITSU_REL=`echo ${UNAME_RELEASE} | tr 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz' | sed -e 's/ /_/'` echo "sparc-fujitsu-${FUJITSU_SYS}${FUJITSU_REL}" exit ;; i*86:BSD/386:*:* | i*86:BSD/OS:*:* | *:Ascend\ Embedded/OS:*:*) echo ${UNAME_MACHINE}-pc-bsdi${UNAME_RELEASE} exit ;; sparc*:BSD/OS:*:*) echo sparc-unknown-bsdi${UNAME_RELEASE} exit ;; *:BSD/OS:*:*) echo ${UNAME_MACHINE}-unknown-bsdi${UNAME_RELEASE} exit ;; *:FreeBSD:*:*) UNAME_PROCESSOR=`/usr/bin/uname -p` case ${UNAME_PROCESSOR} in amd64) echo x86_64-unknown-freebsd`echo ${UNAME_RELEASE}|sed -e 's/[-(].*//'` ;; *) echo ${UNAME_PROCESSOR}-unknown-freebsd`echo ${UNAME_RELEASE}|sed -e 's/[-(].*//'` ;; esac exit ;; 
i*:CYGWIN*:*) echo ${UNAME_MACHINE}-pc-cygwin exit ;; *:MINGW64*:*) echo ${UNAME_MACHINE}-pc-mingw64 exit ;; *:MINGW*:*) echo ${UNAME_MACHINE}-pc-mingw32 exit ;; *:MSYS*:*) echo ${UNAME_MACHINE}-pc-msys exit ;; i*:windows32*:*) # uname -m includes "-pc" on this system. echo ${UNAME_MACHINE}-mingw32 exit ;; i*:PW*:*) echo ${UNAME_MACHINE}-pc-pw32 exit ;; *:Interix*:*) case ${UNAME_MACHINE} in x86) echo i586-pc-interix${UNAME_RELEASE} exit ;; authenticamd | genuineintel | EM64T) echo x86_64-unknown-interix${UNAME_RELEASE} exit ;; IA64) echo ia64-unknown-interix${UNAME_RELEASE} exit ;; esac ;; [345]86:Windows_95:* | [345]86:Windows_98:* | [345]86:Windows_NT:*) echo i${UNAME_MACHINE}-pc-mks exit ;; 8664:Windows_NT:*) echo x86_64-pc-mks exit ;; i*:Windows_NT*:* | Pentium*:Windows_NT*:*) # How do we know it's Interix rather than the generic POSIX subsystem? # It also conflicts with pre-2.0 versions of AT&T UWIN. Should we # UNAME_MACHINE based on the output of uname instead of i386? echo i586-pc-interix exit ;; i*:UWIN*:*) echo ${UNAME_MACHINE}-pc-uwin exit ;; amd64:CYGWIN*:*:* | x86_64:CYGWIN*:*:*) echo x86_64-unknown-cygwin exit ;; p*:CYGWIN*:*) echo powerpcle-unknown-cygwin exit ;; prep*:SunOS:5.*:*) echo powerpcle-unknown-solaris2`echo ${UNAME_RELEASE}|sed -e 's/[^.]*//'` exit ;; *:GNU:*:*) # the GNU system echo `echo ${UNAME_MACHINE}|sed -e 's,[-/].*$,,'`-unknown-${LIBC}`echo ${UNAME_RELEASE}|sed -e 's,/.*$,,'` exit ;; *:GNU/*:*:*) # other systems with GNU libc and userland echo ${UNAME_MACHINE}-unknown-`echo ${UNAME_SYSTEM} | sed 's,^[^/]*/,,' | tr '[A-Z]' '[a-z]'``echo ${UNAME_RELEASE}|sed -e 's/[-(].*//'`-${LIBC} exit ;; i*86:Minix:*:*) echo ${UNAME_MACHINE}-pc-minix exit ;; aarch64:Linux:*:*) echo ${UNAME_MACHINE}-unknown-linux-${LIBC} exit ;; aarch64_be:Linux:*:*) UNAME_MACHINE=aarch64_be echo ${UNAME_MACHINE}-unknown-linux-${LIBC} exit ;; alpha:Linux:*:*) case `sed -n '/^cpu model/s/^.*: \(.*\)/\1/p' < /proc/cpuinfo` in EV5) UNAME_MACHINE=alphaev5 ;; EV56) 
UNAME_MACHINE=alphaev56 ;; PCA56) UNAME_MACHINE=alphapca56 ;; PCA57) UNAME_MACHINE=alphapca56 ;; EV6) UNAME_MACHINE=alphaev6 ;; EV67) UNAME_MACHINE=alphaev67 ;; EV68*) UNAME_MACHINE=alphaev68 ;; esac objdump --private-headers /bin/sh | grep -q ld.so.1 if test "$?" = 0 ; then LIBC="gnulibc1" ; fi echo ${UNAME_MACHINE}-unknown-linux-${LIBC} exit ;; arc:Linux:*:* | arceb:Linux:*:*) echo ${UNAME_MACHINE}-unknown-linux-${LIBC} exit ;; arm*:Linux:*:*) eval $set_cc_for_build if echo __ARM_EABI__ | $CC_FOR_BUILD -E - 2>/dev/null \ | grep -q __ARM_EABI__ then echo ${UNAME_MACHINE}-unknown-linux-${LIBC} else if echo __ARM_PCS_VFP | $CC_FOR_BUILD -E - 2>/dev/null \ | grep -q __ARM_PCS_VFP then echo ${UNAME_MACHINE}-unknown-linux-${LIBC}eabi else echo ${UNAME_MACHINE}-unknown-linux-${LIBC}eabihf fi fi exit ;; avr32*:Linux:*:*) echo ${UNAME_MACHINE}-unknown-linux-${LIBC} exit ;; cris:Linux:*:*) echo ${UNAME_MACHINE}-axis-linux-${LIBC} exit ;; crisv32:Linux:*:*) echo ${UNAME_MACHINE}-axis-linux-${LIBC} exit ;; frv:Linux:*:*) echo ${UNAME_MACHINE}-unknown-linux-${LIBC} exit ;; hexagon:Linux:*:*) echo ${UNAME_MACHINE}-unknown-linux-${LIBC} exit ;; i*86:Linux:*:*) echo ${UNAME_MACHINE}-pc-linux-${LIBC} exit ;; ia64:Linux:*:*) echo ${UNAME_MACHINE}-unknown-linux-${LIBC} exit ;; m32r*:Linux:*:*) echo ${UNAME_MACHINE}-unknown-linux-${LIBC} exit ;; m68*:Linux:*:*) echo ${UNAME_MACHINE}-unknown-linux-${LIBC} exit ;; mips:Linux:*:* | mips64:Linux:*:*) eval $set_cc_for_build sed 's/^ //' << EOF >$dummy.c #undef CPU #undef ${UNAME_MACHINE} #undef ${UNAME_MACHINE}el #if defined(__MIPSEL__) || defined(__MIPSEL) || defined(_MIPSEL) || defined(MIPSEL) CPU=${UNAME_MACHINE}el #else #if defined(__MIPSEB__) || defined(__MIPSEB) || defined(_MIPSEB) || defined(MIPSEB) CPU=${UNAME_MACHINE} #else CPU= #endif #endif EOF eval `$CC_FOR_BUILD -E $dummy.c 2>/dev/null | grep '^CPU'` test x"${CPU}" != x && { echo "${CPU}-unknown-linux-${LIBC}"; exit; } ;; openrisc*:Linux:*:*) echo or1k-unknown-linux-${LIBC} 
exit ;; or32:Linux:*:* | or1k*:Linux:*:*) echo ${UNAME_MACHINE}-unknown-linux-${LIBC} exit ;; padre:Linux:*:*) echo sparc-unknown-linux-${LIBC} exit ;; parisc64:Linux:*:* | hppa64:Linux:*:*) echo hppa64-unknown-linux-${LIBC} exit ;; parisc:Linux:*:* | hppa:Linux:*:*) # Look for CPU level case `grep '^cpu[^a-z]*:' /proc/cpuinfo 2>/dev/null | cut -d' ' -f2` in PA7*) echo hppa1.1-unknown-linux-${LIBC} ;; PA8*) echo hppa2.0-unknown-linux-${LIBC} ;; *) echo hppa-unknown-linux-${LIBC} ;; esac exit ;; ppc64:Linux:*:*) echo powerpc64-unknown-linux-${LIBC} exit ;; ppc:Linux:*:*) echo powerpc-unknown-linux-${LIBC} exit ;; ppc64le:Linux:*:*) echo powerpc64le-unknown-linux-${LIBC} exit ;; ppcle:Linux:*:*) echo powerpcle-unknown-linux-${LIBC} exit ;; s390:Linux:*:* | s390x:Linux:*:*) echo ${UNAME_MACHINE}-ibm-linux-${LIBC} exit ;; sh64*:Linux:*:*) echo ${UNAME_MACHINE}-unknown-linux-${LIBC} exit ;; sh*:Linux:*:*) echo ${UNAME_MACHINE}-unknown-linux-${LIBC} exit ;; sparc:Linux:*:* | sparc64:Linux:*:*) echo ${UNAME_MACHINE}-unknown-linux-${LIBC} exit ;; tile*:Linux:*:*) echo ${UNAME_MACHINE}-unknown-linux-${LIBC} exit ;; vax:Linux:*:*) echo ${UNAME_MACHINE}-dec-linux-${LIBC} exit ;; x86_64:Linux:*:*) echo ${UNAME_MACHINE}-unknown-linux-${LIBC} exit ;; xtensa*:Linux:*:*) echo ${UNAME_MACHINE}-unknown-linux-${LIBC} exit ;; i*86:DYNIX/ptx:4*:*) # ptx 4.0 does uname -s correctly, with DYNIX/ptx in there. # earlier versions are messed up and put the nodename in both # sysname and nodename. echo i386-sequent-sysv4 exit ;; i*86:UNIX_SV:4.2MP:2.*) # Unixware is an offshoot of SVR4, but it has its own version # number series starting with 2... # I am not positive that other SVR4 systems won't match this, # I just have to hope. -- rms. # Use sysv4.2uw... so that sysv4* matches it. echo ${UNAME_MACHINE}-pc-sysv4.2uw${UNAME_VERSION} exit ;; i*86:OS/2:*:*) # If we were able to find `uname', then EMX Unix compatibility # is probably installed. 
echo ${UNAME_MACHINE}-pc-os2-emx exit ;; i*86:XTS-300:*:STOP) echo ${UNAME_MACHINE}-unknown-stop exit ;; i*86:atheos:*:*) echo ${UNAME_MACHINE}-unknown-atheos exit ;; i*86:syllable:*:*) echo ${UNAME_MACHINE}-pc-syllable exit ;; i*86:LynxOS:2.*:* | i*86:LynxOS:3.[01]*:* | i*86:LynxOS:4.[02]*:*) echo i386-unknown-lynxos${UNAME_RELEASE} exit ;; i*86:*DOS:*:*) echo ${UNAME_MACHINE}-pc-msdosdjgpp exit ;; i*86:*:4.*:* | i*86:SYSTEM_V:4.*:*) UNAME_REL=`echo ${UNAME_RELEASE} | sed 's/\/MP$//'` if grep Novell /usr/include/link.h >/dev/null 2>/dev/null; then echo ${UNAME_MACHINE}-univel-sysv${UNAME_REL} else echo ${UNAME_MACHINE}-pc-sysv${UNAME_REL} fi exit ;; i*86:*:5:[678]*) # UnixWare 7.x, OpenUNIX and OpenServer 6. case `/bin/uname -X | grep "^Machine"` in *486*) UNAME_MACHINE=i486 ;; *Pentium) UNAME_MACHINE=i586 ;; *Pent*|*Celeron) UNAME_MACHINE=i686 ;; esac echo ${UNAME_MACHINE}-unknown-sysv${UNAME_RELEASE}${UNAME_SYSTEM}${UNAME_VERSION} exit ;; i*86:*:3.2:*) if test -f /usr/options/cb.name; then UNAME_REL=`sed -n 's/.*Version //p' /dev/null >/dev/null ; then UNAME_REL=`(/bin/uname -X|grep Release|sed -e 's/.*= //')` (/bin/uname -X|grep i80486 >/dev/null) && UNAME_MACHINE=i486 (/bin/uname -X|grep '^Machine.*Pentium' >/dev/null) \ && UNAME_MACHINE=i586 (/bin/uname -X|grep '^Machine.*Pent *II' >/dev/null) \ && UNAME_MACHINE=i686 (/bin/uname -X|grep '^Machine.*Pentium Pro' >/dev/null) \ && UNAME_MACHINE=i686 echo ${UNAME_MACHINE}-pc-sco$UNAME_REL else echo ${UNAME_MACHINE}-pc-sysv32 fi exit ;; pc:*:*:*) # Left here for compatibility: # uname -m prints for DJGPP always 'pc', but it prints nothing about # the processor, so we play safe by assuming i586. # Note: whatever this is, it MUST be the same as what config.sub # prints for the "djgpp" host, or else GDB configury will decide that # this is a cross-build. 
echo i586-pc-msdosdjgpp exit ;; Intel:Mach:3*:*) echo i386-pc-mach3 exit ;; paragon:*:*:*) echo i860-intel-osf1 exit ;; i860:*:4.*:*) # i860-SVR4 if grep Stardent /usr/include/sys/uadmin.h >/dev/null 2>&1 ; then echo i860-stardent-sysv${UNAME_RELEASE} # Stardent Vistra i860-SVR4 else # Add other i860-SVR4 vendors below as they are discovered. echo i860-unknown-sysv${UNAME_RELEASE} # Unknown i860-SVR4 fi exit ;; mini*:CTIX:SYS*5:*) # "miniframe" echo m68010-convergent-sysv exit ;; mc68k:UNIX:SYSTEM5:3.51m) echo m68k-convergent-sysv exit ;; M680?0:D-NIX:5.3:*) echo m68k-diab-dnix exit ;; M68*:*:R3V[5678]*:*) test -r /sysV68 && { echo 'm68k-motorola-sysv'; exit; } ;; 3[345]??:*:4.0:3.0 | 3[34]??A:*:4.0:3.0 | 3[34]??,*:*:4.0:3.0 | 3[34]??/*:*:4.0:3.0 | 4400:*:4.0:3.0 | 4850:*:4.0:3.0 | SKA40:*:4.0:3.0 | SDS2:*:4.0:3.0 | SHG2:*:4.0:3.0 | S7501*:*:4.0:3.0) OS_REL='' test -r /etc/.relid \ && OS_REL=.`sed -n 's/[^ ]* [^ ]* \([0-9][0-9]\).*/\1/p' < /etc/.relid` /bin/uname -p 2>/dev/null | grep 86 >/dev/null \ && { echo i486-ncr-sysv4.3${OS_REL}; exit; } /bin/uname -p 2>/dev/null | /bin/grep entium >/dev/null \ && { echo i586-ncr-sysv4.3${OS_REL}; exit; } ;; 3[34]??:*:4.0:* | 3[34]??,*:*:4.0:*) /bin/uname -p 2>/dev/null | grep 86 >/dev/null \ && { echo i486-ncr-sysv4; exit; } ;; NCR*:*:4.2:* | MPRAS*:*:4.2:*) OS_REL='.3' test -r /etc/.relid \ && OS_REL=.`sed -n 's/[^ ]* [^ ]* \([0-9][0-9]\).*/\1/p' < /etc/.relid` /bin/uname -p 2>/dev/null | grep 86 >/dev/null \ && { echo i486-ncr-sysv4.3${OS_REL}; exit; } /bin/uname -p 2>/dev/null | /bin/grep entium >/dev/null \ && { echo i586-ncr-sysv4.3${OS_REL}; exit; } /bin/uname -p 2>/dev/null | /bin/grep pteron >/dev/null \ && { echo i586-ncr-sysv4.3${OS_REL}; exit; } ;; m68*:LynxOS:2.*:* | m68*:LynxOS:3.0*:*) echo m68k-unknown-lynxos${UNAME_RELEASE} exit ;; mc68030:UNIX_System_V:4.*:*) echo m68k-atari-sysv4 exit ;; TSUNAMI:LynxOS:2.*:*) echo sparc-unknown-lynxos${UNAME_RELEASE} exit ;; rs6000:LynxOS:2.*:*) echo 
rs6000-unknown-lynxos${UNAME_RELEASE} exit ;; PowerPC:LynxOS:2.*:* | PowerPC:LynxOS:3.[01]*:* | PowerPC:LynxOS:4.[02]*:*) echo powerpc-unknown-lynxos${UNAME_RELEASE} exit ;; SM[BE]S:UNIX_SV:*:*) echo mips-dde-sysv${UNAME_RELEASE} exit ;; RM*:ReliantUNIX-*:*:*) echo mips-sni-sysv4 exit ;; RM*:SINIX-*:*:*) echo mips-sni-sysv4 exit ;; *:SINIX-*:*:*) if uname -p 2>/dev/null >/dev/null ; then UNAME_MACHINE=`(uname -p) 2>/dev/null` echo ${UNAME_MACHINE}-sni-sysv4 else echo ns32k-sni-sysv fi exit ;; PENTIUM:*:4.0*:*) # Unisys `ClearPath HMP IX 4000' SVR4/MP effort # says echo i586-unisys-sysv4 exit ;; *:UNIX_System_V:4*:FTX*) # From Gerald Hewes . # How about differentiating between stratus architectures? -djm echo hppa1.1-stratus-sysv4 exit ;; *:*:*:FTX*) # From seanf@swdc.stratus.com. echo i860-stratus-sysv4 exit ;; i*86:VOS:*:*) # From Paul.Green@stratus.com. echo ${UNAME_MACHINE}-stratus-vos exit ;; *:VOS:*:*) # From Paul.Green@stratus.com. echo hppa1.1-stratus-vos exit ;; mc68*:A/UX:*:*) echo m68k-apple-aux${UNAME_RELEASE} exit ;; news*:NEWS-OS:6*:*) echo mips-sony-newsos6 exit ;; R[34]000:*System_V*:*:* | R4000:UNIX_SYSV:*:* | R*000:UNIX_SV:*:*) if [ -d /usr/nec ]; then echo mips-nec-sysv${UNAME_RELEASE} else echo mips-unknown-sysv${UNAME_RELEASE} fi exit ;; BeBox:BeOS:*:*) # BeOS running on hardware made by Be, PPC only. echo powerpc-be-beos exit ;; BeMac:BeOS:*:*) # BeOS running on Mac or Mac clone, PPC only. echo powerpc-apple-beos exit ;; BePC:BeOS:*:*) # BeOS running on Intel PC compatible. echo i586-pc-beos exit ;; BePC:Haiku:*:*) # Haiku running on Intel PC compatible. 
echo i586-pc-haiku exit ;; x86_64:Haiku:*:*) echo x86_64-unknown-haiku exit ;; SX-4:SUPER-UX:*:*) echo sx4-nec-superux${UNAME_RELEASE} exit ;; SX-5:SUPER-UX:*:*) echo sx5-nec-superux${UNAME_RELEASE} exit ;; SX-6:SUPER-UX:*:*) echo sx6-nec-superux${UNAME_RELEASE} exit ;; SX-7:SUPER-UX:*:*) echo sx7-nec-superux${UNAME_RELEASE} exit ;; SX-8:SUPER-UX:*:*) echo sx8-nec-superux${UNAME_RELEASE} exit ;; SX-8R:SUPER-UX:*:*) echo sx8r-nec-superux${UNAME_RELEASE} exit ;; Power*:Rhapsody:*:*) echo powerpc-apple-rhapsody${UNAME_RELEASE} exit ;; *:Rhapsody:*:*) echo ${UNAME_MACHINE}-apple-rhapsody${UNAME_RELEASE} exit ;; *:Darwin:*:*) UNAME_PROCESSOR=`uname -p` || UNAME_PROCESSOR=unknown eval $set_cc_for_build if test "$UNAME_PROCESSOR" = unknown ; then UNAME_PROCESSOR=powerpc fi if test `echo "$UNAME_RELEASE" | sed -e 's/\..*//'` -le 10 ; then if [ "$CC_FOR_BUILD" != 'no_compiler_found' ]; then if (echo '#ifdef __LP64__'; echo IS_64BIT_ARCH; echo '#endif') | \ (CCOPTS= $CC_FOR_BUILD -E - 2>/dev/null) | \ grep IS_64BIT_ARCH >/dev/null then case $UNAME_PROCESSOR in i386) UNAME_PROCESSOR=x86_64 ;; powerpc) UNAME_PROCESSOR=powerpc64 ;; esac fi fi elif test "$UNAME_PROCESSOR" = i386 ; then # Avoid executing cc on OS X 10.9, as it ships with a stub # that puts up a graphical alert prompting to install # developer tools. Any system running Mac OS X 10.7 or # later (Darwin 11 and later) is required to have a 64-bit # processor. This is not true of the ARM version of Darwin # that Apple uses in portable devices. 
UNAME_PROCESSOR=x86_64 fi echo ${UNAME_PROCESSOR}-apple-darwin${UNAME_RELEASE} exit ;; *:procnto*:*:* | *:QNX:[0123456789]*:*) UNAME_PROCESSOR=`uname -p` if test "$UNAME_PROCESSOR" = "x86"; then UNAME_PROCESSOR=i386 UNAME_MACHINE=pc fi echo ${UNAME_PROCESSOR}-${UNAME_MACHINE}-nto-qnx${UNAME_RELEASE} exit ;; *:QNX:*:4*) echo i386-pc-qnx exit ;; NEO-?:NONSTOP_KERNEL:*:*) echo neo-tandem-nsk${UNAME_RELEASE} exit ;; NSE-*:NONSTOP_KERNEL:*:*) echo nse-tandem-nsk${UNAME_RELEASE} exit ;; NSR-?:NONSTOP_KERNEL:*:*) echo nsr-tandem-nsk${UNAME_RELEASE} exit ;; *:NonStop-UX:*:*) echo mips-compaq-nonstopux exit ;; BS2000:POSIX*:*:*) echo bs2000-siemens-sysv exit ;; DS/*:UNIX_System_V:*:*) echo ${UNAME_MACHINE}-${UNAME_SYSTEM}-${UNAME_RELEASE} exit ;; *:Plan9:*:*) # "uname -m" is not consistent, so use $cputype instead. 386 # is converted to i386 for consistency with other x86 # operating systems. if test "$cputype" = "386"; then UNAME_MACHINE=i386 else UNAME_MACHINE="$cputype" fi echo ${UNAME_MACHINE}-unknown-plan9 exit ;; *:TOPS-10:*:*) echo pdp10-unknown-tops10 exit ;; *:TENEX:*:*) echo pdp10-unknown-tenex exit ;; KS10:TOPS-20:*:* | KL10:TOPS-20:*:* | TYPE4:TOPS-20:*:*) echo pdp10-dec-tops20 exit ;; XKL-1:TOPS-20:*:* | TYPE5:TOPS-20:*:*) echo pdp10-xkl-tops20 exit ;; *:TOPS-20:*:*) echo pdp10-unknown-tops20 exit ;; *:ITS:*:*) echo pdp10-unknown-its exit ;; SEI:*:*:SEIUX) echo mips-sei-seiux${UNAME_RELEASE} exit ;; *:DragonFly:*:*) echo ${UNAME_MACHINE}-unknown-dragonfly`echo ${UNAME_RELEASE}|sed -e 's/[-(].*//'` exit ;; *:*VMS:*:*) UNAME_MACHINE=`(uname -p) 2>/dev/null` case "${UNAME_MACHINE}" in A*) echo alpha-dec-vms ; exit ;; I*) echo ia64-dec-vms ; exit ;; V*) echo vax-dec-vms ; exit ;; esac ;; *:XENIX:*:SysV) echo i386-pc-xenix exit ;; i*86:skyos:*:*) echo ${UNAME_MACHINE}-pc-skyos`echo ${UNAME_RELEASE}` | sed -e 's/ .*$//' exit ;; i*86:rdos:*:*) echo ${UNAME_MACHINE}-pc-rdos exit ;; i*86:AROS:*:*) echo ${UNAME_MACHINE}-pc-aros exit ;; x86_64:VMkernel:*:*) echo 
${UNAME_MACHINE}-unknown-esx exit ;; esac cat >&2 < in order to provide the needed information to handle your system. config.guess timestamp = $timestamp uname -m = `(uname -m) 2>/dev/null || echo unknown` uname -r = `(uname -r) 2>/dev/null || echo unknown` uname -s = `(uname -s) 2>/dev/null || echo unknown` uname -v = `(uname -v) 2>/dev/null || echo unknown` /usr/bin/uname -p = `(/usr/bin/uname -p) 2>/dev/null` /bin/uname -X = `(/bin/uname -X) 2>/dev/null` hostinfo = `(hostinfo) 2>/dev/null` /bin/universe = `(/bin/universe) 2>/dev/null` /usr/bin/arch -k = `(/usr/bin/arch -k) 2>/dev/null` /bin/arch = `(/bin/arch) 2>/dev/null` /usr/bin/oslevel = `(/usr/bin/oslevel) 2>/dev/null` /usr/convex/getsysinfo = `(/usr/convex/getsysinfo) 2>/dev/null` UNAME_MACHINE = ${UNAME_MACHINE} UNAME_RELEASE = ${UNAME_RELEASE} UNAME_SYSTEM = ${UNAME_SYSTEM} UNAME_VERSION = ${UNAME_VERSION} EOF exit 1 # Local variables: # eval: (add-hook 'write-file-hooks 'time-stamp) # time-stamp-start: "timestamp='" # time-stamp-format: "%:y-%02m-%02d" # time-stamp-end: "'" # End: sagan-1.2.0/missing0000755000175000017500000001533013310533436013147 0ustar champchamp#! /bin/sh # Common wrapper for a few potentially missing GNU programs. scriptversion=2013-10-28.13; # UTC # Copyright (C) 1996-2013 Free Software Foundation, Inc. # Originally written by Fran,cois Pinard , 1996. # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation; either version 2, or (at your option) # any later version. # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # You should have received a copy of the GNU General Public License # along with this program. If not, see . 
# As a special exception to the GNU General Public License, if you
# distribute this file as part of a program that contains a
# configuration script generated by Autoconf, you may include it under
# the same distribution terms that you use for the rest of that program.

# Option handling.  Only the first argument is inspected; anything that is
# not one of the recognised options below is taken as the PROGRAM to run.
if test $# -eq 0; then
  echo 1>&2 "Try '$0 --help' for more information"
  exit 1
fi

case $1 in

  --is-lightweight)
    # Used by our autoconf macros to check whether the available missing
    # script is modern enough.
    exit 0
    ;;

  --run)
    # Back-compat with the calling convention used by older automake.
    shift
    ;;

  -h|--h|--he|--hel|--help)
    echo "\
$0 [OPTION]... PROGRAM [ARGUMENT]...

Run 'PROGRAM [ARGUMENT]...', returning a proper advice when this fails due
to PROGRAM being missing or too old.

Options:
  -h, --help      display this help and exit
  -v, --version   output version information and exit

Supported PROGRAM values:
  aclocal   autoconf  autoheader   autom4te  automake  makeinfo
  bison     yacc      flex         lex       help2man

Version suffixes to PROGRAM as well as the prefixes 'gnu-', 'gnu', and
'g' are ignored when checking the name.

Send bug reports to ."
    exit $?
    ;;

  -v|--v|--ve|--ver|--vers|--versi|--versio|--version)
    echo "missing $scriptversion (GNU Automake)"
    exit $?
    ;;

  -*)
    echo 1>&2 "$0: unknown '$1' option"
    echo 1>&2 "Try '$0 --help' for more information"
    exit 1
    ;;

esac

# Run the given program, remember its exit status.
# The remaining arguments are passed through untouched; this script never
# alters PROGRAM's own command line.
"$@"; st=$?

# If it succeeded, we are done.
test $st -eq 0 && exit 0

# Also exit now if we it failed (or wasn't found), and '--version' was
# passed; such an option is passed most likely to detect whether the
# program is present and works.
case $2 in --version|--help) exit $st;; esac

# Exit code 63 means version mismatch.  This often happens when the user
# tries to use an ancient version of a tool on a file that requires a
# minimum version.
# $msg is consumed by give_advice below; any other non-zero status is
# PROGRAM's own failure and is propagated as-is without advice.
if test $st -eq 63; then
  msg="probably too old"
elif test $st -eq 127; then
  # Program was missing.
  msg="missing on your system"
else
  # Program was found and executed, but failed.  Give up.
  exit $st
fi

perl_URL=http://www.perl.org/
flex_URL=http://flex.sourceforge.net/
gnu_software_URL=http://www.gnu.org/software

# program_details - Prints where to obtain PROGRAM ($1) and the tools it
# needs at run time.  Only the Automake and Autoconf families have entries;
# every other name prints nothing.
program_details ()
{
  case $1 in
    aclocal|automake)
      echo "The '$1' program is part of the GNU Automake package:"
      echo "<$gnu_software_URL/automake>"
      echo "It also requires GNU Autoconf, GNU m4 and Perl in order to run:"
      echo "<$gnu_software_URL/autoconf>"
      echo "<$gnu_software_URL/m4/>"
      echo "<$perl_URL>"
      ;;
    autoconf|autom4te|autoheader)
      echo "The '$1' program is part of the GNU Autoconf package:"
      echo "<$gnu_software_URL/autoconf/>"
      echo "It also requires GNU m4 and Perl in order to run:"
      echo "<$gnu_software_URL/m4/>"
      echo "<$perl_URL>"
      ;;
  esac
}

# give_advice - Prints the warning text for PROGRAM ($1), using $msg set
# above.  A leading 'gnu-', 'gnu' or 'g' is stripped before matching so
# that e.g. 'gnu-bison' and 'gbison' fall into the 'bison*' case.
give_advice ()
{
  # Normalize program name to check for.
  normalized_program=`echo "$1" | sed '
    s/^gnu-//; t
    s/^gnu//; t
    s/^g//; t'`

  printf '%s\n' "'$1' is $msg."

  configure_deps="'configure.ac' or m4 files included by 'configure.ac'"

  case $normalized_program in
    autoconf*)
      echo "You should only need it if you modified 'configure.ac',"
      echo "or m4 files included by it."
      program_details 'autoconf'
      ;;
    autoheader*)
      echo "You should only need it if you modified 'acconfig.h' or"
      echo "$configure_deps."
      program_details 'autoheader'
      ;;
    automake*)
      echo "You should only need it if you modified 'Makefile.am' or"
      echo "$configure_deps."
      program_details 'automake'
      ;;
    aclocal*)
      echo "You should only need it if you modified 'acinclude.m4' or"
      echo "$configure_deps."
      program_details 'aclocal'
      ;;
   autom4te*)
      echo "You might have modified some maintainer files that require"
      echo "the 'autom4te' program to be rebuilt."
      program_details 'autom4te'
      ;;
    bison*|yacc*)
      echo "You should only need it if you modified a '.y' file."
      echo "You may want to install the GNU Bison package:"
      echo "<$gnu_software_URL/bison/>"
      ;;
    lex*|flex*)
      echo "You should only need it if you modified a '.l' file."
      echo "You may want to install the Fast Lexical Analyzer package:"
      echo "<$flex_URL>"
      ;;
    help2man*)
      echo "You should only need it if you modified a dependency" \
           "of a man page."
      echo "You may want to install the GNU Help2man package:"
      echo "<$gnu_software_URL/help2man/>"
    ;;
    makeinfo*)
      echo "You should only need it if you modified a '.texi' file, or"
      echo "any other file indirectly affecting the aspect of the manual."
      echo "You might want to install the Texinfo package:"
      echo "<$gnu_software_URL/texinfo/>"
      echo "The spurious makeinfo call might also be the consequence of"
      echo "using a buggy 'make' (AIX, DU, IRIX), in which case you might"
      echo "want to install GNU make:"
      echo "<$gnu_software_URL/make/>"
      ;;
    *)
      echo "You might have modified some files without having the proper"
      echo "tools for further handling them.  Check the 'README' file, it"
      echo "often tells you about the needed prerequisites for installing"
      echo "this package.  You may also peek at any GNU archive site, in"
      echo "case some other package contains this missing '$1' program."
      ;;
  esac
}

# The first line of the advice is prefixed with "WARNING: ", the remaining
# lines are indented, and everything goes to stderr so it is not mistaken
# for PROGRAM's output.
give_advice "$1" | sed -e '1s/^/WARNING: /' \
                       -e '2,$s/^/ /' >&2

# Propagate the correct exit status (expected to be 127 for a program
# not found, 63 for a program that failed due to version mismatch).
exit $st

# Local variables:
# eval: (add-hook 'write-file-hooks 'time-stamp)
# time-stamp-start: "scriptversion="
# time-stamp-format: "%:y-%02m-%02d.%02H"
# time-stamp-time-zone: "UTC"
# time-stamp-end: "; # UTC"
# End:
sagan-1.2.0/ChangeLog0000644000175000017500000005024113310533331013314 0ustar champchamp2018/06/14 - Sagan 1.2.0 released.

* "meta_content" size limitation/truncation issue fixed.
  https://github.com/beave/sagan/commit/6640d7384b19712b32603ecde9cc9472e10a5573

* Added new "parse-ip" option to the sagan.yaml.  These help control how
  "parse_src_ip" and "parse_dst_ip" function.  New options are "ipv6"
  (enabled by default) and "ipv4-mapped-ipv6" (disabled by default).
  This converts IPv4 addresses mapped into IPv6 (for example
  ::ffff:192.168.2.1 becomes 192.168.2.1).

* New Bluedot TTL/Host option to prevent overloading DNS servers.
  https://github.com/beave/sagan/commit/319f63ef5dab9b9fccab85707cf44701363a78dc

* Better "stripping" of hashes when using the "parse_hash" rule option.
  https://github.com/beave/sagan/commit/d3b0578dbd872544b12a7afca7ef617f9a4b739e

* Fixed issue with "flow.c" when dealing with many flows.  Thanks to
  Michael Riggs!
  https://github.com/beave/sagan/issues/113
  https://github.com/beave/sagan/commit/cb5d6e6aaab6a2c2b7dbbc534e6c9fa6cf5197eb

* A lot of processors/bluedot.c fixes for segfaults that occurred under
  extreme loads.

* Fixed unsigned char[MAXIPBIT] data alignment issues in various places that
  could cause IP address comparisons to fail.

* Removed some left behind "debug" code.

2018/05/29 - Sagan 1.1.9 released.

* Added IPv6 support.  Thanks to Kenneth Shelton @ Netwatcher
  (https://netwatcher.com).

* Added multi-tenancy through the use of a "selector".  Thanks to Kenneth
  Shelton @ Netwatcher (https://netwatcher.com).

* "xbits", "after" and "threshold" now store the log information, signature
  name and ID used during triggering.  This data can be displayed using the
  "saganpeek" utility when this data is kept in mmap storage.

* Can now use pipes with "meta_content".  For example "|3a 3a|"
  https://github.com/beave/sagan/commit/50ef014739d0e745e95769b32821d3372b81c430

* Moved liblognorm/normalization structure to thread local.  This should
  improve normalization performance.
  https://github.com/beave/sagan/commit/2862ecad742f2e32e6fda3af54e03f3ab03bdcf0

* Some getaddrinfo() calls had to be converted back to inet_pton() due to
  performance/errors.
  https://github.com/beave/sagan/commit/366cc257ab7f03f37b8e5a06520e5b14b5178095

* New "parse_hash" enhancements.  These allow extraction of MD5, SHA1, SHA256
  automatically from logs.  Useful for Sysmon support.
  https://github.com/beave/sagan/commit/2e6cedafdc9febc1886664734fdff8b33507dce1

* Removed legacy isset/isnotset/set code that supported the & and |
  operators.  It added unneeded complexity to the code.
  https://github.com/beave/sagan/commit/4e9ddc431b0d2ca733ea75a36a3bf8f336e0df7b

* Fix for issue https://github.com/beave/sagan/issues/107.  Rules should
  respond to "pri" as well as "priority" rule options.
  https://github.com/beave/sagan/commit/8eb159872c6c0ff99e4435fa2f5f1596dd1dbed7

* Added "force-ipv4" Sagan configuration option.  Unified2 output can be
  somewhat strange with IPv6 addresses.  This option keeps the IP version
  type "4" even if an IPv6 address is encountered.
  https://github.com/beave/sagan/commit/2dd9b66520c4d8be8c659834669e11e7358d9593

* Sagan will now pass liblognorm JSON output to "external" (rule option)
  programs.  This allows third party "external" programs to access already
  normalized data.
  https://github.com/beave/sagan/commit/84970a9bb8f8c3720dbda22914aaa16359687d58

* Fixed Bro-Intel address loading issue.
  https://github.com/beave/sagan/issues/104
  Thanks to Psipher Diaz for reporting this.
  https://github.com/beave/sagan/commit/8ee6c6ed1cf5ed27b14fc2ccaccb64674f058886

* Fixed Blacklist segfault: https://github.com/beave/sagan/issues/111

* Flow checks were broken.  Got those fixed.

*  Added "xff" EVE/JSON output support.

* Fixed i386 compile time error (Thanks Pierre Chifflier).

* New "xbit: noeve" option to prevent EVE output while an xbit is being set.

* A lot of minor bug fixes.  For the full list, please see the Sagan commit
  history: https://github.com/beave/sagan/commits/master

* Fix for rules with lots of flows: https://github.com/beave/sagan/issues/113

* Major re-write of parsers/ip.c.  This is used by "parse_src_ip" and
  "parse_dst_ip".  It now does everything in one pass and "caches" results
  for the next rule.

2017/07/25 - Sagan 1.1.8 released.

* Big stability fixes in this release.
Mostly involving protecting data with in global structures (xbit, threshold, after, client tracking, etc). If upgrading, you'll want to remove all old/legacy IPC data from /var/sagan/ipc or whatever what you have "ipc-directory" configuration option. https://github.com/beave/sagan/commit/d10a92c9d0a6ec39f26c149179ce0494a4ceba96 https://github.com/beave/sagan/commit/d10a92c9d0a6ec39f26c149179ce0494a4ceba96 https://github.com/beave/sagan/commit/d2802f9d6cbe26836195e5400e92a707d0cf0062 * Speed up's.... https://github.com/beave/sagan/commit/466a5ea722209ec63cec544c52622f261659dbae https://github.com/beave/sagan/commit/295221aa6836b017c578663b0185ac63535bfa84 * Sagan threads are now "named". This allows for easier debugging. Thread names are SaganMain, SaganWorker, SaganKey, SaganPlog, SaganSignal, etc. https://github.com/beave/sagan/commit/6767ec707044de62166d00fb7f35d7d3050921c5 * Fixes for "parse_hash" rule option. This allows Sagan to automatically extract MD5, SHA1, SHA256 hashes for lookups. https://github.com/beave/sagan/commit/58f00606f7912b4c122a4c20eb4321c081842882 * Beta Redis "xbit" sharing code added. This is a work in progress. This allows Sagan to "share" xbits between devices on the network. 
https://github.com/beave/sagan/commit/d25b8e92e00f136623f08f2aee5da442073e5978 https://github.com/beave/sagan/commit/77e33538a054c09ed615a01c6be0e0fc7b373c83 https://github.com/beave/sagan/commit/6a1d6c04c652d4f598e2951949d812578ad53085 https://github.com/beave/sagan/commit/1f288bb6d178ed15859d7fb3cf8ae1ea0ea1e445 https://github.com/beave/sagan/commit/8c2031e21f86a4ec84c62a6d7e0b46d386c3da68 https://github.com/beave/sagan/commit/6828a0ac9cab651046739cd371db8f14cbe0029e https://github.com/beave/sagan/commit/823163aa8dfe1a205d03d6c975ac0f5a8673c0f8 https://github.com/beave/sagan/commit/d1656a1ba8eb6ffa68fc8224d09d88d97d89e1ec https://github.com/beave/sagan/commit/c61c0908177129503e839a81007ec2e8139698cb https://github.com/beave/sagan/commit/8e42d3450afc3c66b5b013b1924df2aed6b13226 * Split after.c and threshold.c from processors/engine.c https://github.com/beave/sagan/commit/b445cd3aba2c1c6c6128bf819337206f6f253653 https://github.com/beave/sagan/commit/7385473512c6b3aa9ed01a34f9dbc4519a471d3f * Typo fix issue #95 reported by "CyberTaoFlow". https://github.com/beave/sagan/commit/b490cf2a9cc3b9d702b1f0c12468a248d2e3e283 * Removed the confusing "email by priority" option. If you want Sagan to e-mail you event(s), the rule must contain the 'email' rule option. https://github.com/beave/sagan/commit/8149e923bb37d7a5ff0ec88ff5c5be57c2388ab1 2017/05/31 - Sagan 1.1.7 released. * The largest and most fundamental change relates to how Sagan rules are written. As of this release, Sagan rules mimic Snort/Suricata rules. In the past, the first part of a Sagan rule (for example, "alert tcp $EXTERNAL_NET -> $HOME_NET 22") would be applied to the log message. Sagan would catorgize the log as being from a "tcp" source and using port "22". This is no longer the case. If Sagan can determine from the log data the protocol, source port, destination port, source address and destinations address, tradition "Snort" like logic can then be applied. 
  For example, a Sagan rule can now apply logic only to those logs that match
  the criteria.  The rule writer may want the rule logic to be applied only to
  logs that are determined to be from a TCP source on port 22.  The idea is
  to more closely match Snort and Suricata rule functionality.

  In certain situations, you may want to apply a "default" protocol, source
  port or destination port.  For example, OpenSSH logs do not contain protocol
  information, but we know OpenSSH uses TCP.  In those cases, Sagan can apply
  defaults by using the new "default_proto" (tcp/udp/icmp), "default_dst_port"
  and "default_src_port" rule options.  These new rule options accept a hard
  coded number or a $VARIABLE (for example, "default_dst_port: $SSH_PORT").

  More information about these changes can be found in the pull request &
  commits at:

  https://github.com/beave/sagan/pull/92
  https://github.com/beave/sagan/commit/7eb5caa4ac40f12471f63a3fc9f4759164cd40f9
  https://github.com/beave/sagan/commit/709a58f86fd66fb881a4aca2253628d69f4005de

  Special thanks to "YoichSec" (Yoichi Sagawa) for the pull request/code to
  make this happen!

* Large cleanup effort involving Snortsam code.  This mainly cleaned up many
  compile time warning messages.
  https://github.com/beave/sagan/commit/3a63cb483784ead9a646c66edead9d1610cab98d

* Fixed issue of "external" output not being called correctly.
  https://github.com/beave/sagan/issues/93

* Bro-intel support was broken in 1.1.6.  This bug has been fixed.
  https://github.com/beave/sagan/issues/90

* A large effort and code clean up to standardize the way threads handle
  data between functions.  This greatly increases the code's readability
  and brings stability to data handling.
More information can be found at: https://github.com/beave/sagan/issues/89 https://github.com/beave/sagan/commit/9621976e98dec9ffd3ef2d82b844d61ff1efe8ee https://github.com/beave/sagan/commit/bcb7c0f40d7afc2ee76c93db73d3e2dc7e3d1e2d https://github.com/beave/sagan/commit/29231c0b7bb094c4c43b4984a966e41835584636 https://github.com/beave/sagan/commit/678a6019443a438ee44917e1d7e2b4b4e45a05c2 https://github.com/beave/sagan/commit/e7cb805e62bb5b41f6f85d1453050e5fc0fe3748 https://github.com/beave/sagan/commit/033fe56b6d67ed1a894dfe3ebd6637d9e16e405b https://github.com/beave/sagan/commit/033fe56b6d67ed1a894dfe3ebd6637d9e16e405b https://github.com/beave/sagan/commit/a8ad0bd3f7172750982967b1fac5c12dbb2dedfc https://github.com/beave/sagan/commit/f797e3620105e825deef744f0a413ec8890a62d0 * Error in SMTP output. Bug caused Sagan to always send e-mails reguardless of priority. https://github.com/beave/sagan/issues/88 * Many minor bug fixes and cleanups. 2017/03/20 - Sagan 1.1.6-r1 released. * Resolved minor compile time issues. 2017/03/16 - Sagan 1.1.6 released. * New Suricata EVE "Alert" compatible JSON output! (still beta!). See the "eve-log" in the sagan.yaml. Test with EveBox! * Microsecond resolution added in logging for fast, alert.log & unified2. https://github.com/beave/sagan/commit/5bf1a65270e50a8e1882e4c3a870589dd22b54ad * Rules will now be distributed with Sagan released (see the "rules" directory). * Fixed issue #83 - SMTP YAML configation verses rule option bug. https://github.com/beave/sagan/issues/83 https://github.com/beave/sagan/commit/b2f7e91d6906e87ac436eba91e002bd5729a9940 * Merge YoichSec (https://github.com/YoichSec) new xbit feature to track by source & destination ports. https://github.com/beave/sagan/pull/85 https://github.com/beave/sagan/commit/546867a4ab7c861168acb861abfc9104c1811da6 * Removed "static __thread" from Sagan_u32_Time_To_Human() function. 
https://github.com/beave/sagan/commit/b6a6d01b8119f7576378e4ed1129193043ae9f8e * Fix for Between_Quotes function related to content:! & meta_content:! rule options. https://github.com/beave/sagan/commit/2541f2a9e37b56e1ef3bd4a2d5e9c036a9f50e79 * Removed "static __thread" from Between_Quotes() function. * Removed "static __thread" from DNS_Lookup() function. * Removed Hex Validate() function (no longer needed) https://github.com/beave/sagan/commit/188322de08c0ef2ba1b2f11b68e5a5f33bf09c66 * Move strlcpy/strlcat prototypes. https://github.com/beave/sagan/commit/7e038dc4098c71a4ce7106d91617227166ce21c7 * Complete re-organization of source tree. Dropped all "sagan-?.c" prefixes. 2017/02/15 - Sagan 1.1.5 released. * Travis-CI (travis.yml) support added to test build Sagan automatically. * Sagan_Log issue that cause segfault in certain situations with "xbits". https://github.com/beave/sagan/commit/ce76ebe41f51b21d38a3ece60adf2ad69a5a795d * Large effort to clean up autoconf/automake fules. https://github.com/beave/sagan/commit/57a457951670ddb3803fe3bd20a1e4b637d3ddc3 https://github.com/beave/sagan/commit/911e895d2d246c5605bd6fd42da20cb2a3e5f75b * --daemon bug fix by Ray Ruvinskiy. This fix moves the --daemon logic earlier in the Sagan code (pre-rule loading, etc). This allows for Sagan to load with less memory being used. See commit for more details. https://github.com/beave/sagan/commit/0a286f06e42a7d509ac662a19bdcc72b777a426f https://github.com/beave/sagan/commit/f86694adafa76092bdcc1378333227d7945de104 * Remove "force-fifo-ownership" YAML option from configuration/code. https://github.com/beave/sagan/commit/3d828ca5c91357231e71842c0ac85c2a58cbb9c0 * "include" in YAML configuration would fail to load in certain situations. This has been corrected. https://github.com/beave/sagan/commit/b27a578082e93eb4f407cdaaa281d57ed4ab88d2 * Bluedot initialization was being called at the wrong time. 
https://github.com/beave/sagan/commit/172759a1b6e73eae584b1e6a738a2bf2d3303626 2016/12/30 - Sagan 1.1.4 released. * Sagan has adopted YAML for future configuration file formats. For more information on YAML see https://en.wikipedia.org/wiki/YAML. The new YAML format allows for a more stream line & easier to understand configuration. The new 'sagan.yaml' is modeled after the Suricata YAML file. * With the adoption of YAML, Sagan now requires libyaml to be installed. * configure.in libyaml checks added. * Sagan "flowbits" are now known as "xbits". "xbits" represents what Sagan is doing with data rather than "flowbits". * Added new "fast" output format. Works the same as "fast" output format for Suricata/Snort. * Test for OpenBSD RWX mem segments. If not available, then disable PCRE JIT. Brought up by Victor Julian. https://github.com/beave/sagan/commit/65aa4dd4d8880d2c54ddbb67a39089d5e6001b69 * Released from Hamburg, Germany after 33c3! :) 2016/11/07 - Sagan 1.1.3 released. * New "dynamic_load" processor. This allows rules to be created that can load other rules. For example, it is now possible to "detect" new logs coming in and have Sagan automatically load rules for them. * PCRE JIT support added. This allows faster PCRE processing if your library supports it. * Modifications to the configure.ac to detect different PCRE library versions and functions. This was taken from the Suricata project. https://github.com/beave/sagan/commit/04c74d56ac1eff7679636c16fdf853ae4e70c23a * Fixed bug that caused a segfault on reload (SIGHUP). https://github.com/beave/sagan/commit/87cd03dc1887e4fa1cef385974180cac77ca1c2d * Code clean up/redefinition of _Sagan_Event and _Sagan_Proc_Syslog arrays. https://github.com/beave/sagan/commit/db70eed853719521675e11e95b556edf94565542 2016/09/23 - Sagan 1.1.2 released. * Added "srcport" for "threshold" and "after". 
* Fixes around "dstport" for threshold" and "after" * Fixed display of source/destination IP addresses in tools/sagan-peek.c * Change "artistic" style from "GNU" to "Linux". This allows better formatting of source code on smaller screens. * New pthread mutex to address corruptions of mmap / files. * tools/sagan-peek.c now has command line option to specify mmap file location. Various other improvements. * Better error checking in src/processors/sagan-track-clients.c * New MD5, SHA1 and SHA256 in src/parsers/parse-hash.c * Minor Bluedot lookup fixes. * Fixes for "after" and "threshold" when dealing with "usernames". (Username tracking). * Added "file" option for sagan.conf to reference a file to load. For example, "var MYVAR file:/path/to/my/values.txt". For more information, see https://github.com/beave/sagan/issues/75 2016/08/17 - Sagan 1.1.1 released. * Added meta_offset, meta_depth, meta_within and meta_distince Champ Clark (cclark@quadrantsec.com) * Major changes/restructuring to sagan-meta-content.c - Adam Hall (ahall@quadrantse.com) * Fix major memory issue when loading large sets of rules. Related to meta_content! (Champ Clark) * Minor build fix when liblognorm is disabled - Champ Clark * Minor stdbool.h issue & added PKG_PROG_PKG_CONFIG to configure.ac * Remove old unneeded liblognorm headers. Champ Clark * memset replacement of strlcpy, minor clean up, minor bug fixes. (Adam & Champ) 2016/07/06 - Sagan 1.1.0 released. The Basics: ----------- * Sagan now "remembers" where it left off between restarts/reboots/etc. * You can now create rules that focus on certain IP address or IP address ranges (ie - $EXTERNAL_NET/$HOME_NET). * Sagan can treat "old" Bluedot IP reputation threat Intel differently than "new" threat intel. * We added "qdee.pl", a SDEE poll routine to the "extra" directory. * A lot of bugs were fixed The Details: ------------ * Moved all "threshold", "after", "flowbits", and "client tracking" to mmap files. 
This means that Sagan "remembers" between restarts where it "left off"! * Introduced "tools/sagan-peek.c" which allows you to exmaine Sagan mmap files. Useful in debugging or just "seeing" what Sagan is "tracking". * $EXTERNAL_NET and $HOME_NET now function as expected. Previous versions of Sagan did not have any concept of $EXTERNAL_NET/$HOME_NET and were ignored. Adam Hall @ Quadrant made Sagan "aware" of "traffic flow". Values in a rule for source/destination are tested _after_ normalization. * Added "mdate" (modification date) and "cdate" (creation data) to Bluedot. This allows Sagan to not trigger "aged" Bluedot Threat Intel. For example, do _not_ alert if an IP address is seen and the Intel is over X hours/days/months/years old. * Threholding based on 'dstport' merged, thanks to Bruno Coudoin. See: https://github.com/beave/sagan/commit/44d6752acf27d61bcd57e35f930b0f6e11dadbc7 * Added parsing for IPTables "SPT" and "DPT"t port for iptables, thanks to Bruno Coudoin. https://github.com/beave/sagan/commit/9de9cffd224a44f93c80eca62e6ead617a4b97a6 * Added "qdee" to the "extra" directory. This allows Sagan to parse older style Cisco IDS output. This polls using the SDEE protocol. See https://github.com/beave/sagan/commit/61c4a7dd611161697785c889630dd3c8333ec8b5 * Removed support for libjsonc (json-c) and moved to libfastjson. The Bugs Fixed: --------------- * Correct issue for when Sagan cannot open a file (-F/--file) due to permissions. * Removed unused "SigArgs" array. * Clean exit when Sagan cannot load Maxmind GeoIP2 data file. * Change "normalize: {type}" to "normalize;". All normalization rules now come from one file. This keeps Sagan in line with liblognorm development. * Sagan now "warns" the user if old style "normalize" is encountered. See: https://github.com/beave/sagan/commit/ba3de9e43bc8623b361e34ce06a2e7808e045f88 and https://github.com/rsyslog/liblognorm/issues/206 * Fix json_object_object_get_e) compile time warnings. 
See: https://github.com/beave/sagan/commit/e9bdea5b7fa5b25c1d7e740a4c856c70a1046d1d * Minor ARM CPU fixes. * Various "meta_content" fixes. When using "meta_content" with large amounts of search data would sometimes cause failures. * Major bug fixes involving "client tracking". Thanks to Adam Hall @ Quadrant Information Security! * Sagan now attempts to create the FIFO if it is not detected. Thanks to Cabrol Perales. * A lot of smaller bug fixes. See: https://github.com/beave/sagan/commits/master 2015/11/19 - Sagan 1.0.1 released. * Add unified2 "extra data" field to store the orignal syslog source. * Added threshold by "username". * Minor code clean up. 2015/10/23 - Sagan 1.0.0 released. sagan-1.2.0/extra/0000755000175000017500000000000013310531444012666 5ustar champchampsagan-1.2.0/extra/README0000644000175000017500000000122113310531444013542 0ustar champchampThese are "extra" resources that can be used with Sagan. sagan-gtk - Displays a GTK/X11 "popup" window of a Sagan alert. [External plugin for Sagan] sagan-notify - Uses the libnotify X11/GTK function to create a temporary "popup" message. [External Plugin for Sagan] ossec-sagan.pl - This utility takes a series of OSSEC rules, and generates a series of compatible SAGAN rules. This was written by Michael Iverson. [OSSEC to Sagan conversion utility] RPM - Example RPM spec and system files to build Sagan RPM package for CentOS 7 rsyslog - Configuration to send rsyslog data to Sagan. Place this file in /etc/rsyslog.d sagan-1.2.0/extra/qdee/0000755000175000017500000000000013310531444013604 5ustar champchampsagan-1.2.0/extra/qdee/qdee.pl0000755000175000017500000002617013310531444015070 0ustar champchamp#!/usr/bin/perl -w # # Copyright (C) 2009-2018 Quadrant Information Security # Copyright (C) 2009-2018 Champ Clark III # # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License Version 2 as # published by the Free Software Foundation. 
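# You may not use, modify or
# distribute this program under any other version of the GNU General
# Public License.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA  02111-1307, USA.

##############################################################################
# qdee - (Pronounced - "Q Dee").  This program collects IDS/IPS (and syslog!)
# events from a Cisco device using the SDEE protocol.  Events pulled from the
# Cisco device are then sent to a syslog server.  Sagan can then use its rules
# to detect the events.
#
# Written By Champ Clark III (cclark@quadrantsec.com)
# Largely based off of "ids_sdee" (unknown author)
##############################################################################

use strict;
use WWW::Curl::Easy;
use XML::Simple;
use Data::Dumper;
use Sys::Syslog qw(:standard :extended :macros);
use File::Temp qw(tempfile);

##############################################################################
# Cisco IPS connection settings
#
# The username/password are sent as HTTP Basic auth on every request to the
# device.  Hard-coding them here leaves them in a script that is usually
# world-readable, so they may instead be supplied through the environment
# (QDEE_USERNAME, QDEE_PASSWORD, QDEE_CISCO_IP).  The literal values below
# are only the fallback defaults and keep the original behaviour when the
# environment variables are not set.
##############################################################################

my $username = defined $ENV{'QDEE_USERNAME'} ? $ENV{'QDEE_USERNAME'} : "USERNAME";
my $password = defined $ENV{'QDEE_PASSWORD'} ? $ENV{'QDEE_PASSWORD'} : "PASSWORD";
my $cisco_ip = defined $ENV{'QDEE_CISCO_IP'} ? $ENV{'QDEE_CISCO_IP'} : "10.1.1.11";
my $url = "https://$cisco_ip/cgi-bin/sdee-server";
my $user_agent = "Sagan_QDEE/1.0";
my $debug = 0;

# Cookie jar holding the SDEE session cookie.  The original used the
# predictable, umask-dependent path /tmp/qdee.$$.cookies and never removed
# it.  tempfile() creates the file with mode 0600 under an unpredictable name
# and File::Temp unlinks it at exit.  NOTE(review): a curl handle that is
# still alive during global destruction may write the jar again after that
# cleanup - confirm on the target system if the file must not survive.
my ($cookie_fh, $cookiesfile) = tempfile("qdee.XXXXXXXX", TMPDIR => 1, UNLINK => 1);

##############################################################################
# Syslog settings
##############################################################################

my $syslog_remote = "127.0.0.1";
my $syslog_port = 514;
my $syslog_program = "qdee";

# File-scope state shared between the main loop, openSubscription() and the
# signal handler.
my $xml;
my $headers;
my $myheaders;
# The original declared $useragent but never assigned it (the value lived in
# $user_agent), so every request went out without the intended User-Agent.
my $useragent = $user_agent;
my $data;
my $j = 0;
my $msgvalue;
my $body;

# Close the SDEE subscription on the device when we are told to stop.  The
# original mapped TERM to a misspelled handler name ('catch_siganl'), so a
# plain kill/TERM left the subscription open on the device until its
# subscription limit was hit (the errLimitExceeded case handled later).
$SIG{'INT'}  = \&catch_signal;
$SIG{'ABRT'} = \&catch_signal;
$SIG{'QUIT'} = \&catch_signal;
$SIG{'TERM'} = \&catch_signal;

$xml = XML::Simple->new();

print "[*] Getting subscription\n";
our $subscriptionId =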
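openSubscription();
print "[*] Subscription ID: $subscriptionId.\n";
print "[*] Collecting events from $cisco_ip.\n";

# One curl handle is reused for every poll; the options are re-applied on
# each pass exactly as the original did.
my $curl = WWW::Curl::Easy->new();

##############################################################################
# Main poll loop.  Each pass asks the device for up to 60 events (the device
# waits at most 2 seconds before answering), parses the SDEE/SOAP reply and
# forwards EVERY event it contains to syslog.
#
# The original kept a single $msgvalue and called syslog() once per poll, so
# all but the last event of a batch were silently dropped; it also never
# reset the array index $j between polls, so later batches were read from a
# stale offset.  The loop only ends via catch_signal() or a fatal error.
##############################################################################

while (1) {
    my $uri = "?sessionCookies&subscriptionId=$subscriptionId&maxNbrOfEvents=60&timeout=2";
    my $body = "";
    my $header_buf = "";

    open(my $header_fh, ">", \$header_buf);

    $curl->setopt(CURLOPT_USERAGENT, $useragent);
    $curl->setopt(CURLOPT_COOKIEJAR, $cookiesfile);
    $curl->setopt(CURLOPT_COOKIEFILE, $cookiesfile);
    $curl->setopt(CURLOPT_FOLLOWLOCATION, 1);
    $curl->setopt(CURLOPT_MAXREDIRS, 10);
    $curl->setopt(CURLOPT_URL, "$url$uri");
    # WARNING: TLS certificate verification is disabled.  Anyone who can
    # intercept the path to the device can read the Basic-auth credentials
    # and feed us forged events.  Kept because Cisco IPS devices commonly
    # ship self-signed certificates; where possible set this to 1 and point
    # CURLOPT_CAINFO at the device's certificate instead.
    $curl->setopt(CURLOPT_SSL_VERIFYPEER, 0);
    $curl->setopt(CURLOPT_USERPWD, "$username:$password");
    $curl->setopt(CURLOPT_WRITEHEADER, $header_fh);
    $curl->setopt(CURLOPT_FILE, \$body);
    $curl->setopt(CURLOPT_WRITEFUNCTION, \&chunk);
    $curl->setopt(CURLOPT_CONNECTTIMEOUT, 0);

    my $retcode = $curl->perform();
    close($header_fh);

    # perform() returns the CURLcode; the original only looked at errbuf.
    my $err = $curl->errbuf;
    if ($retcode != 0 || $err) {
        print "[E] " . ($err ? $err : "curl returned code $retcode") . "\n";
        # NOTE: the subscription stays open on the device; see the
        # errLimitExceeded handling in openSubscription() for the manual fix.
        exit(1);
    }

    if ($debug) { print "[D] BODY: $body\n"; }

    # XML::Simple die()s on malformed input (for example an HTML error page
    # returned instead of SOAP); report it and stop, as for transport errors.
    $data = eval { $xml->XMLin($body) };
    if (!defined $data) {
        print "[E] Unable to parse the SDEE response from $cisco_ip: $@\n";
        exit(1);
    }

    if ($debug) { print "[D] DUMPER: " . Dumper($data); }

    my $events = $data->{'env:Body'}{'sd:events'};
    next unless ref($events) eq "HASH";

    # Health/status and relayed syslog records first, then IDS/IPS alerts,
    # matching the original processing order.
    dispatch_events($events->{'evStatus'});
    dispatch_events($events->{'sd:evIdsAlert'});
}

##############################################################################
# dispatch_events - Formats and forwards every event held in one SDEE element.
# XML::Simple hands back a single hash when the reply held one event and an
# array of hashes when it held several; both shapes are accepted.  Falsy
# entries (empty elements) are skipped, as in the original.
##############################################################################

sub dispatch_events {
    my ($events) = @_;

    return unless $events;

    my @list = ref($events) eq "ARRAY" ? @{$events} : ($events);

    for my $event (@list) {
        next unless $event;
        my $message = getEventType($event);
        send_to_syslog($message) if $message;
    }
}

##############################################################################
# send_to_syslog - Sends one formatted event to the configured syslog host.
# Sys::Syslog documents the second argument of syslog() as an sprintf()
# format, so the original syslog('info', $msg) let any '%' in device-supplied
# text be interpreted as a conversion.  The message is now passed as an
# argument to a fixed '%s' format.
##############################################################################

sub send_to_syslog {
    my ($message) = @_;

    setlogsock( { type => "udp", port => $syslog_port, host => $syslog_remote } );
    openlog($syslog_program, 'ndelay', 'user');
    syslog('info', '%s', $message);
    closelog();
}

##############################################################################
# getEventType - Determines if an event is health, syslog, IDS/IPS, etc.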
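# It then formats a message to stuff into syslog.  Returns the formatted
# line, or "" when the event is of no recognised type.
#
# Every value taken from the device passes through _field(): the original
# interpolated the raw values, so a missing XML element produced a
# "Use of uninitialized value" warning under -w for every event, and a
# CR/LF embedded in a device-supplied description would have split one
# event over several syslog lines.  Field order, labels and separators are
# unchanged so existing Sagan rules keep matching.
##############################################################################

sub _field {
    my ($value) = @_;

    return "" unless defined $value;
    # Collapse line breaks; anything else is left exactly as the device sent it.
    $value =~ s/[\r\n]+/ /g;
    return $value;
}

sub getEventType {
    my $data = shift;
    my $msgreturn = "";

    my $time = $data->{'time'};

    # Health/status event
    if ( $data->{'healthAndSecurity'} ) {
        print "[*] Got Health/Status event.\n";
        my $metric = $data->{'healthAndSecurity'}{'warning'}{'metricStatus'};
        my $originator = $data->{'originator'};
        $msgreturn = "Health_Status: " . _field($metric->{'status'})
            . " , Health Warning: " . _field($metric->{'name'})
            . " , Timezone: " . _field($time->{'timeZone'})
            . ", Time_Content: " . _field($time->{'content'})
            . " , Time_Offset: " . _field($time->{'offset'})
            . " , Originator_appInstanceId: " . _field($originator->{'appInstanceId'})
            . " , Originator_appName: " . _field($originator->{'appName'})
            . " , Originator_hostID: " . _field($originator->{'hostId'})
            . " , EventID: " . _field($data->{'eventId'})
            . " , Vendor: " . _field($data->{'vendor'});
        return($msgreturn);
    }

    # Syslog record relayed by the device
    if ( $data->{'syslogMessage'} ) {
        print "[*] Got Syslog event.\n";
        $msgreturn = "Syslog_Message: \"" . _field($data->{'syslogMessage'}{'description'}) . "\""
            . " , Timezone: " . _field($time->{'timeZone'})
            . " , Time_Content: " . _field($time->{'content'})
            . " , Time_Offset: " . _field($time->{'offset'});
        return($msgreturn);
    }

    # IDS/IPS alert
    if ( $data->{'sd:signature'}{'id'} ) {
        print "[*] Got IPS/IDS event.\n";
        my $sig = $data->{'sd:signature'};
        my $attacker = $data->{'sd:participants'}{'sd:attacker'};
        my $target = $data->{'sd:participants'}{'sd:target'};
        # Note: the original has no comma between Source and Destination and
        # none before CID_Type; kept as-is for rule compatibility.
        $msgreturn = "Signature_ID: " . _field($sig->{'id'})
            . " , IDS_Event_Description: \"" . _field($sig->{'description'}) . "\""
            . " , Source: " . _field($attacker->{'sd:addr'}{'content'}) . ":" . _field($attacker->{'sd:port'})
            . " Destination: " . _field($target->{'sd:addr'}{'content'}) . ":" . _field($target->{'sd:port'})
            . " , Protocol: " . _field($data->{'cid:protocol'})
            . " , Severity: " . _field($data->{'severity'})
            . " , CID_Created: " . _field($sig->{'cid:created'})
            . ", CID_Type: " . _field($sig->{'cid:type'})
            . " , CID_Version: " . _field($sig->{'cid:version'})
            . " , Event_ID: " . _field($data->{'eventId'})
            . " , Vendor: " . _field($data->{'vendor'});
        return($msgreturn);
    }

    # Unrecognised event type: nothing to forward.
    return($msgreturn);
}

##############################################################################
# openSubscription -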
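# Open and retrieves a subscription ID from the Cisco IPS
# device
##############################################################################

##############################################################################
# _sdee_request - Issues one request against the SDEE server and appends the
# response body to the scalar referenced by $body_ref.  Returns "" on
# success, otherwise a description of the transport error.  Shared by
# openSubscription() and catch_signal(); the main poll loop carries its own
# copy of this set-up.
##############################################################################

sub _sdee_request {
    my ($uri, $body_ref) = @_;
    my $header_buf = "";

    open(my $header_fh, ">", \$header_buf);

    my $curl = WWW::Curl::Easy->new();
    $curl->setopt(CURLOPT_USERAGENT, $useragent);
    $curl->setopt(CURLOPT_COOKIEJAR, $cookiesfile);
    $curl->setopt(CURLOPT_COOKIEFILE, $cookiesfile);
    $curl->setopt(CURLOPT_FOLLOWLOCATION, 1);
    $curl->setopt(CURLOPT_MAXREDIRS, 10);
    $curl->setopt(CURLOPT_URL, "$url$uri");
    # WARNING: TLS certificate verification is disabled.  Anyone who can
    # intercept the path to the device can read the Basic-auth credentials
    # and tamper with the SDEE session.  Kept because Cisco IPS devices
    # commonly ship self-signed certificates; where possible set this to 1
    # and point CURLOPT_CAINFO at the device's certificate instead.
    $curl->setopt(CURLOPT_SSL_VERIFYPEER, 0);
    $curl->setopt(CURLOPT_USERPWD, "$username:$password");
    $curl->setopt(CURLOPT_WRITEHEADER, $header_fh);
    $curl->setopt(CURLOPT_FILE, $body_ref);
    $curl->setopt(CURLOPT_WRITEFUNCTION, \&chunk);

    my $retcode = $curl->perform();
    close($header_fh);

    # The original only consulted errbuf; a non-zero CURLcode with an empty
    # buffer is reported as well.
    my $err = $curl->errbuf;
    return $err if $err;
    return "curl returned code $retcode" if $retcode != 0;
    return "";
}

sub openSubscription {
    my $body = "";

    my $err = _sdee_request("?action=open&sessionCookies", \$body);
    if ($err) {
        # The original only printed here and went on to parse the empty
        # body, so XML::Simple died with an unrelated message.
        print "ERROR $err\n";
        exit(1);
    }

    if ($debug) { print "[D] $body\n"; }

    if ($body =~ /errLimitExceeded/) {
        print "[E] Max subscription connections reached!\n";
        print "[E] SSH into the device and run 'show stat sdee'. Then run:\n";
        print "[E] links \"https://$cisco_ip/cgi-bin/sdee-server?action=close&subscriptionId={subscriptionid}\"\n";
        exit(1);
    }

    my $reply = eval { $xml->XMLin($body) };
    if (!defined $reply) {
        print "[E] Unable to parse the SDEE open response from $cisco_ip: $@\n";
        exit(1);
    }

    # Without an ID every later poll would query "subscriptionId=" and the
    # collector would spin without ever receiving events.
    my $id = $reply->{'env:Body'}{'sd:subscriptionId'};
    if (!defined $id || $id eq "") {
        print "[E] No subscriptionId in the SDEE open response from $cisco_ip.\n";
        exit(1);
    }

    return($id);
}

##############################################################################
# chunk - libcurl write callback: appends each received block to the scalar
# referenced by the CURLOPT_FILE value.  Per libcurl's contract the callback
# must return the number of bytes it consumed, otherwise the transfer is
# aborted.
##############################################################################

sub chunk {
    my ($data, $pointer) = @_;
    ${$pointer} .= $data;
    return length($data);
}

##############################################################################
# catch_signal - Intercepts the signal (control-C, etc) and closes the
# subscription with the Cisco device so it does not count against the
# device's subscription limit.  Exits 0 on success, 1 on any failure.
##############################################################################

sub catch_signal {
    print "[*] Got signal! Unsubscribing \'$subscriptionId\' from $cisco_ip.\n";

    # A private buffer; the original reused the file-scope $body.
    my $body = "";
    my $err = _sdee_request("?action=close&subscriptionId=$subscriptionId", \$body);
    sleep(1);

    if ($err) {
        print "[E] $err\n";
        exit(1);
    }

    if ($body =~ /env:Fault/) {
        print "[E] Fault while unsubscribing! You might need to manually unsubscribe using the\n";
        print "[E] following command:\n";
        print "[E] links \"https://$cisco_ip/cgi-bin/sdee-server?action=close&subscriptionId=$subscriptionId\"\n";
        print "[E] Exiting!\n";
        exit(1);
    }

    sleep(1);
    print "[*] Successfully unsubscibing and exiting.\n";
    exit(0);
}
sagan-1.2.0/extra/qdee/README.md0000644000175000017500000000053313310531444015064 0ustar champchampqdee - (Pronounced - "Q Dee"). This program collects IDS/IPS (and syslog!)
events from a Cisco device using the SDEE protocol. Events sucked off the
Cisco device are then sent to a syslog.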
Sagan can then use it's rules to detect the events Written By Champ Clark III (cclark@quadrantsec.com) Largely based off of "ids_sdee" (unknown author) sagan-1.2.0/extra/rc.d-freebsd/0000755000175000017500000000000013310531444015124 5ustar champchampsagan-1.2.0/extra/rc.d-freebsd/sagan0000644000175000017500000000166313310531444016146 0ustar champchamp#!/bin/sh # PROVIDE: sagan # REQUIRE: DAEMON # BEFORE: LOGIN # KEYWORD: shutdown # Add the following lines to /etc/rc.conf to enable sagan: # sagan_enable (bool): Set to YES to enable sagan # Default: NO # sagan_flags (str): Extra flags passed to sagan # Default: -D # sagan_user (str): Run Sagan as this user # Default: sagan # sagan_conf (str): sagan configuration file # Default: /usr/local/etc/sagan/sagan.conf . /etc/rc.subr name="sagan" rcvar=sagan_enable extra_commands=reload command="/usr/local/sbin/sagan" load_rc_config $name [ -z "$sagan_enable" ] && sagan_enable="NO" [ -z "$sagan_conf" ] && sagan_conf="/usr/local/etc/sagan.conf" [ -z "$sagan_user" ] && sagan_user="sagan" [ -z "$sagan_flags" ] && sagan_flags="-D -u $sagan_user" [ -n "$sagan_conf" ] && sagan_flags="$sagan_flags -f $sagan_conf" pidfile="/var/run/sagan/sagan.pid" run_rc_command "$1" sagan-1.2.0/extra/sagan-gtk/0000755000175000017500000000000013310531444014542 5ustar champchampsagan-1.2.0/extra/sagan-gtk/sagan-gtk.c0000644000175000017500000000427613310531444016573 0ustar champchamp/* ** Copyright (C) 2009-2018 Quadrant Information Security ** Copyright (C) 2009-2018 Champ Clark III ** ** This program is free software; you can redistribute it and/or modify ** it under the terms of the GNU General Public License Version 2 as ** published by the Free Software Foundation. You may not use, modify or ** distribute this program under any other version of the GNU General ** Public License. 
** ** This program is distributed in the hope that it will be useful, ** but WITHOUT ANY WARRANTY; without even the implied warranty of ** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ** GNU General Public License for more details. ** ** You should have received a copy of the GNU General Public License ** along with this program; if not, write to the Free Software ** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. */ /* sagan-gtk.c * This program is called via the Sagan configuration option 'output external:' * option. Using GTK, this creates a "popup" window when a Sagan event * is triggered. */ #include #include #include #define MAX_BUF 10240 static void destroy( GtkWidget *, gpointer ); int main() { GtkWidget *window; GtkWidget *label; char input[MAX_BUF]="\0"; char messageit[MAX_BUF]="\0"; while (fgets(input, MAX_BUF-1, stdin)) { strncat(messageit, input, MAX_BUF-1-strlen(messageit)); } messageit[MAX_BUF-1] = '\0'; /* Avoid overflow and null terminates */ gtk_init(NULL,NULL); window = gtk_window_new(GTK_WINDOW_TOPLEVEL); label = gtk_label_new(NULL); g_signal_connect (window, "destroy", G_CALLBACK (destroy), NULL); gtk_window_set_title(GTK_WINDOW(window), "Sagan Alert Message"); gtk_label_set_markup(GTK_LABEL(label), messageit ); gtk_label_set_justify(GTK_LABEL(label), GTK_JUSTIFY_LEFT); gtk_container_add(GTK_CONTAINER(window), label); gtk_widget_show(label); gtk_window_set_default_size(GTK_WINDOW(window), 300, 100); gtk_widget_show_all(window); gtk_main(); return 0; } static void destroy( GtkWidget *widget, gpointer data ) { gtk_main_quit (); } sagan-1.2.0/extra/sagan-gtk/Makefile0000644000175000017500000000045213310531444016203 0ustar champchampCC = gcc PROGRAM = sagan-gtk PROGRAM_FILES = sagan-gtk.c CFLAGS += -g LDFLAGS += -g LIBS += GTKFLAGS := $(shell pkg-config --cflags --libs gtk+-2.0 gthread-2.0) all: $(PROGRAM) %: %.c $(CC) $(PROGRAM_FILES) $(CFLAGS) $(LDFLAGS) $(GTKFLAGS) -o $(PROGRAM) $(LIBS) clean: @rm -rf 
$(PROGRAM) sagan-1.2.0/extra/pulledpork/0000755000175000017500000000000013310531444015047 5ustar champchampsagan-1.2.0/extra/pulledpork/fetchcarl.sh0000644000175000017500000001217213310531444017341 0ustar champchamp#!/usr/bin/env bash <&2 "Sagan rulebase ($1) not found."; exit 1; fi if [ ! $(ls -l $1/*.rulebase | grep -v total | wc -l) -gt 0 ]; then echo >&2 "Sagan rulebase contents not found. Aborting."; exit 1; fi } # find or set up a working git environment git_sagan_check() { D_GIT_CLONE_PATH=$TMP_DIR/sagan_rules test -d "$D_GIT_CLONE_PATH" \ && cd "$D_GIT_CLONE_PATH" \ && git status > /dev/null 2>&1 # folder exists? go there. is a good git clone? if [ $? -ne 0 ]; then # not a git repo, create it? echo "the folder ($D_GIT_CLONE_PATH) you specified does not exist or doesn't contain a git repo.. fetching" mkdir -p -v "$D_GIT_CLONE_PATH" # only if it doesn't exist if [ -z "$B_VERBOSE" ]; then git clone --quiet "$SAGAN_REPO_URL" "$D_GIT_CLONE_PATH" else git clone "$SAGAN_REPO_URL" "$D_GIT_CLONE_PATH" fi else if [ -z "$B_VERBOSE" ]; then git checkout --quiet master git pull --quiet else git checkout master git pull fi fi # Validate the pull validate_rulebase "$D_GIT_CLONE_PATH" if [ -n "$B_VERBOSE" ]; then echo "Finished pulling sagan rules." fi } validate_system() { if [ ! -f $SAGAN_CONF ]; then echo >&2 "Sagan configuration is not found. Aborting."; exit 1; fi A_REQUIRED_COMMANDS=( git awk ) for i in "${A_REQUIRED_COMMANDS[@]}" do command -v $i >/dev/null 2>&1 || { echo >&2 "I require $i but it's not installed. Aborting."; exit 1; } done D_CONFIG_DIR=`awk '/(var RULE_PATH )(.*)/ {print $3}' $SAGAN_CONF` if [ ! -d "$D_CONFIG_DIR" ]; then echo >&2 "Sagan configuration directory ($D_CONFIG_DIR) not found. Aborting."; exit 1; fi if [ ! -w "$D_CONFIG_DIR/." ]; then echo >&2 "Sagan configuration directory ($D_CONFIG_DIR) not writable. Aborting."; exit 1; fi if [ ! -w "$TMP_DIR/." ]; then echo >&2 "tmp directory ($TMP_DIR) not writable. 
Aborting."; exit 1; fi } copy_rulebase() { cp -f $D_GIT_CLONE_PATH/*.rulebase $D_CONFIG_DIR validate_rulebase "$D_CONFIG_DIR" } copy_configs() { cp -f $D_GIT_CLONE_PATH/*.config $D_CONFIG_DIR validate_rulebase "$D_CONFIG_DIR" } ### PERFORM ### for arg do delim="" case "$arg" in --help) args="${args}-h ";; --verbose) args="${args}-v ";; --file) args="${args}-f ";; --url) args="${args}-u ";; # pass through anything else *) [[ "${arg:0:1}" == "-" ]] || delim="\"" args="${args}${delim}${arg}${delim} ";; esac done # reset the translated args eval set -- $args # now we can process with getopt while getopts "f:u:hv" opt; do case $opt in f) SAGAN_CONF=$OPTARG ;; u) SAGAN_REPO_URL=$OPTARG ;; v) B_VERBOSE=1 ;; h) usage exit ;; * ) usage exit 1 esac done validate_system git_sagan_check copy_rulebase copy_configs if [ -n "$B_VERBOSE" ]; then echo -e "Sagan rulebase and config update complete. \n (Note: Sagan *.rules were not updated. Use pulledpork for this process.)" fi exit 0;sagan-1.2.0/extra/pulledpork/pulledpork.sagan.conf0000644000175000017500000000110113310531444021160 0ustar champchamp# Pulled Pork Configuration for Sagan # pulledpork.pl -d -T -vv -c pulledpork.conf rule_url=http://sagan.softwink.com/rules/|sagan-rules-current.tar.gz|open ignore=deleted.rules,experimental.rules,local.rules temp_path=/tmp rule_path=/usr/local/etc/sagan-rules/sagan.rules local_rules=/usr/local/etc/sagan-rules/local.rules sid_msg=/usr/local/etc/sagan-rules/sagan-sid-msg.map sid_changelog=/var/log/sid_changes.log snort_path=/usr/local/sbin/sagan config_path=/usr/local/etc/sagan.conf disablesid=/usr/local/etc/pulledpork/disablesid.conf distro=FreeBSD-8.1 version=0.6.0sagan-1.2.0/extra/sagan-notify/0000755000175000017500000000000013310531444015265 5ustar champchampsagan-1.2.0/extra/sagan-notify/sagan-notify.c0000644000175000017500000000354213310531444020034 0ustar champchamp/* ** Copyright (C) 2009-2018 Quadrant Information Security ** Copyright (C) 2009-2018 Champ Clark III ** ** This 
program is free software; you can redistribute it and/or modify ** it under the terms of the GNU General Public License Version 2 as ** published by the Free Software Foundation. You may not use, modify or ** distribute this program under any other version of the GNU General ** Public License. ** ** This program is distributed in the hope that it will be useful, ** but WITHOUT ANY WARRANTY; without even the implied warranty of ** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ** GNU General Public License for more details. ** ** You should have received a copy of the GNU General Public License ** along with this program; if not, write to the Free Software ** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. */ /* sagan-notify.c * This program is called via the Sagan configuration option 'output external:' * option. Using libnotify, this creates a "popup" window when a Sagan event * is triggered. */ #include #include #include #define MAX_BUF 10240 int main() { char input[MAX_BUF]="\0"; char messageit[MAX_BUF]="\0"; char *title="Sagan Alert"; while (fgets(input, MAX_BUF-1, stdin)) { strncat(messageit, input, MAX_BUF-1-strlen(messageit)); } messageit[MAX_BUF-1] = '\0'; /* Avoid overflow and null terminates */ NotifyNotification *n; notify_init("Sagan"); n = notify_notification_new (title,messageit, NULL, NULL); notify_notification_set_timeout(n, 1000); if (!notify_notification_show (n, NULL)) { g_error("Failed to send notification.\n"); return 1; } g_object_unref(G_OBJECT(n)); return 0; } sagan-1.2.0/extra/sagan-notify/Makefile0000644000175000017500000000046013310531444016725 0ustar champchampCC = gcc PROGRAM = sagan-notify PROGRAM_FILES = sagan-notify.c CFLAGS += -g LDFLAGS += -g LIBS += -lnotify GTKFLAGS := $(shell pkg-config --cflags gtk+-2.0 glib-2.0) all: $(PROGRAM) %: %.c $(CC) $(PROGRAM_FILES) $(CFLAGS) $(LDFLAGS) $(GTKFLAGS) -o $(PROGRAM) $(LIBS) clean: @rm -rf $(PROGRAM) 
sagan-1.2.0/extra/build-test/0000755000175000017500000000000013310531444014742 5ustar champchampsagan-1.2.0/extra/build-test/build-test.sh0000755000175000017500000000777213310531444017372 0ustar champchamp#!/bin/bash # Simple shell script that compiles Sagan with multiple flags. This helps # hunt down compile time bugs. # # - Public release (06/28/2015) # 2016/07/05 - Champ Clark - Replaced jsonc -> libfastjson # 2017/06/25 - Added "--enable-redis". # 2017/11/07 - Added test for "saganpeek". # 2018/05/08 - Added FLAGS for make # Champ Clark III # --disable-snortsam Disable Snortsam support. # --disable-syslog Disable syslog support. # --disable-lognorm Disable Lognorm (liblognorm) support. # --disable-libfastjson Disable libfastjson. # --disable-libpcap Disable libpcap (plog) support. # --disable-libdnet Disable libdnet (unified2) support. # --enable-bluedot Enable Quadrant\'s "Bluedot" lookups. # --enable-esmtp Enable libesmtp support. # --enable-geoip2 Enable Maxmind GeoIP2 support. # --enable-system-strstr Enable system strstr. # --enable-redis Enable redis support. STANDARD="--disable-bluedot --disable-esmtp --disable-geoip2 --disable-system-strstr --enable-snortsam --enable-syslog --enable-lognorm --enable-libpcap --enable-libdnet" ALLFLAGS="--enable-bluedot --enable-esmtp --enable-geoip2 --enable-system-strstr --enable-snortsam --enable-syslog --enable-lognorm --enable-libpcap --enable-libdnet --enable-libfastjson --enable-redis" NOFLAG="--disable-snortsam --disable-syslog --disable-lognorm --disable-libpcap --disable-libdnet --disable-bluedot --disable-esmtp --disable-geoip2 --disable-system-strstr --disable-system-strstr --disable-libfastjson --disable-redis" LOG="output.log" MAKE_FLAGS="-j5" autoreconf -vfi echo "**** STANDARD BUILD | NO FLAGS ****" echo "**** STANDARD BUILD | NO FLAGS ****" >> $LOG #make clean #cd tools && make clean && cd .. CFLAGS=-Wall ./configure if [ "$?" 
!= "0" ] then echo "./configure failed!"; exit fi make $MAKE_FLAGS 2>> $LOG cd tools && make $MAKE_FLAGS && cd .. 2>> $LOG if [ "$?" != "0" ] then echo "Error on standard build!"; exit fi echo "**** ALL FLAGS ****" echo "**** ALL FLAGS ****" >> $LOG make clean cd tools && make clean && cd .. CFLAGS=-Wall ./configure $ALLFLAGS if [ "$?" != "0" ] then echo "./configure failed!"; exit fi make $MAKE_FLAGS 2>> $LOG cd tools && make $MAKE_FLAGS && cd .. 2>> $LOG if [ "$?" != "0" ] then echo "Error on standard build!"; exit fi echo "**** NO FLAGS ****" echo "**** NO FLAGS ****" >> $LOG make clean cd tools && make clean && cd .. CFLAGS=-Wall ./configure $NOFLAG if [ "$?" != "0" ] then echo "./configure failed!"; exit fi make $MAKE_FLAGS 2>> $LOG cd tools && make $MAKE_FLAGS && cd .. 2>> $LOG if [ "$?" != "0" ] then echo "Error on standard build!"; exit fi for I in $STANDARD do make clean cd tools && make clean && cd .. echo "**** FLAGS $I *****" echo "**** FLAGS $I *****" >> $LOG CFLAGS=-Wall ./configure $I if [ "$?" != "0" ] then echo "./configure failed!"; exit fi make $MAKE_FLAGS 2>> $LOG cd tools && make $MAKE_FLAGS && cd .. 2>> $LOG if [ "$?" != "0" ] then echo "Error on with $I"; exit fi done for I in $ALLFLAGS do make clean cd tools && make clean && cd .. echo "**** FLAGS $I *****" echo "**** FLAGS $I *****" >> $LOG CFLAGS=-Wall ./configure $I if [ "$?" != "0" ] then echo "./configure failed!"; exit fi make $MAKE_FLAGS 2>> $LOG cd tools && make $MAKE_FLAGS && cd .. 2>> $LOG if [ "$?" != "0" ] then echo "Error on with $I"; exit fi done for I in $NOFLAGS do make clean cd tools && make clean && cd .. echo "**** FLAGS $I *****" echo "**** FLAGS $I *****" >> $LOG CFLAGS=-Wall ./configure $I if [ "$?" != "0" ] then echo "./configure failed!"; exit fi make $MAKE_FLAGS 2>> $LOG cd tools && make $MAKE_FLAGS && cd .. 2>> $LOG if [ "$?" 
!= "0" ] then echo "Error on with $I"; exit fi done sagan-1.2.0/extra/barnyard2/0000755000175000017500000000000013310531444014552 5ustar champchampsagan-1.2.0/extra/barnyard2/barnyard2.snorby.conf0000644000175000017500000000125513310531444020623 0ustar champchamp#------------------------------------------------------------- # Barnyard2 configuration file #------------------------------------------------------------- # Use flag settings "-D -f sagan.u2 -d /var/log/sagan -c /usr/local/etc/barnyard2.snorby.conf" config reference_file: /usr/local/etc/sagan-rules/reference.config config classification_file: /usr/local/etc/sagan-rules/classification.config config sid_file: /usr/local/etc/sagan-rules/sagan-sid-msg.map config hostname: sagan config interface: misc config waldo_file: /var/log/sagan/barnyard2.waldo input unified2 output database: log, mysql, user=snorby password=s3cr3tsauce dbname=snorby host=snorby sagan-1.2.0/extra/barnyard2/barnyard2.cli.conf0000644000175000017500000000020013310531444020043 0ustar champchamp# this is not hard, only unified2 is supported ;) input unified2 # Step 3: setup the output plugins output alert_fast: stdout sagan-1.2.0/extra/rsyslog/0000755000175000017500000000000013310531444014370 5ustar champchampsagan-1.2.0/extra/rsyslog/sagan.conf0000644000175000017500000000051313310531444016327 0ustar champchamp# Template and fifo for sending rsyslog data to sagan # This file can go in /etc/rsyslog.d/ $template sagan,"%fromhost-ip%|%syslogfacility-text%|%syslogpriority-text%|%syslogseverity-text%|%syslogtag%|%timegenerated:1:10:date-rfc3339%|%timegenerated:12:19:date-rfc3339%|%programname%|%msg%\n" *.* |/var/run/sagan.fifo;sagan sagan-1.2.0/extra/external-test/0000755000175000017500000000000013310531444015465 5ustar champchampsagan-1.2.0/extra/external-test/external-program0000755000175000017500000000123313310531444020701 0ustar champchamp#!/usr/bin/perl ############################################################################## # This is a 
exmaple program to test the "external" output format with. This # routine simply writes our a lot file of what it has received. # # Champ Clark III # 08/05/2015 ############################################################################## my $filename = "/tmp/myprogram.$$"; $SIG{'INT'} = \&signal_handler; $SIG{'TERM'} = \&signal_handler; $SIG{'HUP'} = \&signal_handler; open(MYFILE, ">> $filename") || die "Cannot open $filename!\n"; while (<>) { print MYFILE $_; } close(MYFILE); exit(0); sub signal_handler { close(MYFILE); exit(0); } sagan-1.2.0/extra/RPM/0000755000175000017500000000000013310531444013324 5ustar champchampsagan-1.2.0/extra/RPM/sagan.logrotate0000644000175000017500000000035713310531444016344 0ustar champchamp/var/log/sagan/alert /var/log/sagan/sagan.log /var/log/sagan/sagan.stats { compress delaycompress missingok notifempty sharedscripts postrotate /sbin/service sagan reload 2>/dev/null || true endscript } sagan-1.2.0/extra/RPM/README0000644000175000017500000000076113310531444014210 0ustar champchampExample RPM spec and system files for CentOS 7. To prepare source tarballs from the Git repository execute the following commands: 1. For the Sagan cd ~/rpmbuild/SOURCES git clone https://github.com/beave/sagan.git sagan-1.0.0RC5 tar --exclude='.git*' -czf sagan-1.0.0RC5.tar.gz sagan-1.0.0RC5 2. For the Sagan Rules cd ~/rpmbuild/SOURCES git clone https://github.com/beave/sagan-rules.git tar --exclude='.git*' -czf "sagan-rules-`git -C sagan-rules rev-parse --short HEAD`.tar.gz" sagan-rules sagan-1.2.0/extra/RPM/sagan-setup.libexec0000644000175000017500000000070613310531444017113 0ustar champchamp#!/bin/sh config="$1" if [ ! -f "$config" ]; then echo "config file '$config' does not exist" exit 1 fi while read a b c; do if [ "$a" = "var" -a "$b" = "FIFO" ]; then fifo="$c" fi done < "$config" if [ -z "$fifo" ]; then echo "var FIFO is not defined" exit 1 fi if [ ! -p "$fifo" ]; then if ! 
mkfifo "$fifo" 2>/dev/null; then echo "can't create fifo '$fifo'" exit 1 fi fi chmod 0750 "$fifo" sagan-1.2.0/extra/RPM/sagan.service0000644000175000017500000000054113310531444015777 0ustar champchamp[Unit] Description=Sagan daemon Documentation=man:sagan(8) Before=rsyslog.service syslog-ng.service [Service] Environment=CONFIG=/etc/sagan/sagan.conf ExecStartPre=/usr/libexec/sagan/sagan-setup $CONFIG ExecStart=/usr/sbin/sagan -f $CONFIG ExecReload=/bin/kill -HUP $MAINPID Restart=on-failure StandardOutput=null [Install] WantedBy=multi-user.target sagan-1.2.0/extra/RPM/sagan-sagan.conf.patch0000644000175000017500000002474613310531444017466 0ustar champchampdiff -ur sagan-1.0.0RC5.orig/etc/sagan.conf sagan-1.0.0RC5/etc/sagan.conf --- sagan-1.0.0RC5.orig/etc/sagan.conf 2015-04-30 08:39:26.000000000 +0300 +++ sagan-1.0.0RC5/etc/sagan.conf 2015-04-30 11:35:46.429266091 +0300 @@ -15,13 +15,13 @@ # # [Required] -var FIFO /var/run/sagan.fifo +var FIFO /var/log/sagan/sagan.fifo # This variable contains the path of the Sagan rule sets. It is required. # # [Required] -var RULE_PATH /usr/local/etc/sagan-rules +var RULE_PATH /etc/sagan/sagan-rules # Where Sagan should store it's lock file. # @@ -132,7 +132,7 @@ # you don't want to burn CPU in analyzing them. ############################################################################## -; ignore_list: /usr/local/etc/sagan-ignore-list.txt +; ignore_list: /etc/sagan/sagan-ignore-list.txt ############################################################################## # Maxmind GeoIP support: Sagan will need the --enable-geoip flag for this 
@@ -150,8 +150,8 @@ # ############################################################################## -; country_database: /usr/local/share/GeoIP/GeoIP.dat -; var HOME_COUNTRY [US, CA] +country_database: /usr/share/GeoIP/GeoIP.dat +var HOME_COUNTRY [US, CA] ############################################################################## # The "WINDOWS_DOMAINS" variable. This is used by some Windows rules to @@ -205,7 +205,7 @@ # of performance or generating graphs with RRDTool. ############################################################################## -; processor perfmonitor: time=600 file=/var/log/sagan/stats/sagan.stats +; processor perfmonitor: time=600 file=/var/log/sagan/sagan.stats ############################################################################## # Websense Threatseeker processor - This is the Sagan Websense processor. @@ -223,7 +223,7 @@ # ############################################################################## -; processor websense: device_id=SAGAN_SIEM max_cache=300000 cache_timeout=1 catagories=/usr/local/etc/sagan-rules/websense-catagories.conf auth=XXXXXXXXXXXX url=http://rp.cloud.threatseeker.com/urlinfo/cat?url= +; processor websense: device_id=SAGAN_SIEM max_cache=300000 cache_timeout=1 catagories=/etc/sagan/sagan-rules/websense-catagories.conf auth=XXXXXXXXXXXX url=http://rp.cloud.threatseeker.com/urlinfo/cat?url= # Define the Websense Catagory to trigger on via rules! @@ -240,7 +240,7 @@ # by a comma ############################################################################## -; processor blacklist: /usr/local/etc/sagan-rules/blacklist.txt +; processor blacklist: /etc/sagan/sagan-rules/blacklist.txt ############################################################################## # The Bro Intellegence framework 
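Review bot: The new `country_database: /usr/share/GeoIP/GeoIP.dat` line (hunk at -150,8) turns on a lookup against a file that nothing in this package guarantees is installed: the accompanying sagan.spec declares only `BuildRequires: GeoIP-devel`, `Requires: %{name}-rules` and the systemd requirements, and RPM's automatic dependencies cover the shared library, not the data file. On a host without the GeoIP database the packaged default config therefore points at a missing file; whether Sagan refuses to start or only logs a warning in that case is not visible here. Either add a runtime `Requires:` on the package that ships that database to the spec, or keep the line commented as upstream has it and let the administrator enable it.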
@@ -440,15 +440,15 @@ # at run time, they are loaded 'as needed' by the Sagan rule sets. These # get triggered by the 'normalize:' flag within a Sagan rule. -normalize: cisco, $RULE_PATH/cisco-normalize.rulebase -normalize: openssh, $RULE_PATH/openssh-normalize.rulebase -normalize: smtp, $RULE_PATH/smtp-normalize.rulebase -normalize: dns, $RULE_PATH/dns-normalize.rulebase -normalize: imap, $RULE_PATH/imap-normalize.rulebase -normalize: su, $RULE_PATH/su-normalize.rulebase -normalize: vmware, $RULE_PATH/vmware-normalize.rulebase -normalize: linux-kernel, $RULE_PATH/linux-kernel-normalize.rulebase -normalize: windows, $RULE_PATH/windows-normalize.rulebase +#normalize: cisco, $RULE_PATH/cisco-normalize.rulebase +#normalize: openssh, $RULE_PATH/openssh-normalize.rulebase +#normalize: smtp, $RULE_PATH/smtp-normalize.rulebase +#normalize: dns, $RULE_PATH/dns-normalize.rulebase +#normalize: imap, $RULE_PATH/imap-normalize.rulebase +#normalize: su, $RULE_PATH/su-normalize.rulebase +#normalize: vmware, $RULE_PATH/vmware-normalize.rulebase +#normalize: linux-kernel, $RULE_PATH/linux-kernel-normalize.rulebase +#normalize: windows, $RULE_PATH/windows-normalize.rulebase ############################################################################# # GeoIP Sagan rule sets 
@@ -498,96 +498,96 @@ # # It is _UNLIKELY_ you want to have _ALL_ rules enabled! -include $RULE_PATH/adtran.rules -include $RULE_PATH/apache.rules -include $RULE_PATH/apc-emu.rules -include $RULE_PATH/arp.rules -include $RULE_PATH/artillery.rules -include $RULE_PATH/asterisk.rules -include $RULE_PATH/attack.rules -include $RULE_PATH/bash.rules -include $RULE_PATH/bind.rules -include $RULE_PATH/bonding.rules -include $RULE_PATH/bro-ids.rules -include $RULE_PATH/cacti-thold.rules -include $RULE_PATH/cisco-acs.rules -include $RULE_PATH/cisco-cucm.rules -include $RULE_PATH/cisco-ios.rules -include $RULE_PATH/cisco-malware.rules -include $RULE_PATH/cisco-pixasa.rules -include $RULE_PATH/cisco-prime.rules -include $RULE_PATH/cisco-sdee.rules -include $RULE_PATH/cisco-wlc.rules -include $RULE_PATH/citrix.rules -include $RULE_PATH/courier.rules -include $RULE_PATH/deleted.rules -include $RULE_PATH/digitalpersona.rules -include $RULE_PATH/dovecot.rules -include $RULE_PATH/fatpipe.rules -include $RULE_PATH/fortinet-malware.rules -include $RULE_PATH/fortinet.rules -include $RULE_PATH/ftpd.rules -include $RULE_PATH/grsec.rules -include $RULE_PATH/honeyd.rules -include $RULE_PATH/hordeimp.rules -include $RULE_PATH/hostapd.rules -include $RULE_PATH/huawei.rules -include $RULE_PATH/imapd.rules -include $RULE_PATH/ipop3d.rules -include $RULE_PATH/juniper.rules -include $RULE_PATH/kismet.rules -include $RULE_PATH/knockd.rules -include $RULE_PATH/linux-kernel.rules -include $RULE_PATH/milter.rules -include $RULE_PATH/mongodb.rules -include $RULE_PATH/mysql.rules -include $RULE_PATH/nfcapd-malware.rules -include $RULE_PATH/nfcapd.rules -include $RULE_PATH/nginx.rules -include $RULE_PATH/ntp.rules -include $RULE_PATH/openssh.rules -include $RULE_PATH/openvpn.rules -include $RULE_PATH/oracle.rules -include $RULE_PATH/ossec-mi.rules -include $RULE_PATH/ossec.rules -include $RULE_PATH/php.rules -include $RULE_PATH/postfix.rules -include $RULE_PATH/postgresql.rules -include 
$RULE_PATH/pptp.rules -include $RULE_PATH/procurve.rules -include $RULE_PATH/proftpd.rules -include $RULE_PATH/proxy-malware.rules -include $RULE_PATH/pure-ftpd.rules -include $RULE_PATH/racoon.rules -include $RULE_PATH/riverbed.rules -include $RULE_PATH/roundcube.rules -include $RULE_PATH/rsync.rules -include $RULE_PATH/samba.rules -include $RULE_PATH/sendmail.rules -include $RULE_PATH/snort.rules -include $RULE_PATH/solaris.rules -include $RULE_PATH/sonicwall.rules -include $RULE_PATH/squid.rules -include $RULE_PATH/ssh-tectia-server.rules -include $RULE_PATH/su.rules -include $RULE_PATH/symantec-ems.rules -include $RULE_PATH/syslog.rules -include $RULE_PATH/tcp.rules -include $RULE_PATH/telnet.rules -include $RULE_PATH/tripwire.rules -include $RULE_PATH/vmpop3d.rules -include $RULE_PATH/vmware.rules -include $RULE_PATH/vpopmail.rules -include $RULE_PATH/vsftpd.rules -include $RULE_PATH/web-attack.rules -include $RULE_PATH/weblabrinth.rules -include $RULE_PATH/windows-applocker.rules -include $RULE_PATH/windows-auth.rules -include $RULE_PATH/windows-emet.rules -include $RULE_PATH/windows-malware.rules -include $RULE_PATH/windows-misc.rules -include $RULE_PATH/windows-mssql.rules -include $RULE_PATH/windows.rules -include $RULE_PATH/wordpress.rules -include $RULE_PATH/xinetd.rules -include $RULE_PATH/zeus.rules +#include $RULE_PATH/adtran.rules +#include $RULE_PATH/apache.rules +#include $RULE_PATH/apc-emu.rules +#include $RULE_PATH/arp.rules +#include $RULE_PATH/artillery.rules +#include $RULE_PATH/asterisk.rules +#include $RULE_PATH/attack.rules +#include $RULE_PATH/bash.rules +#include $RULE_PATH/bind.rules +#include $RULE_PATH/bonding.rules +#include $RULE_PATH/bro-ids.rules +#include $RULE_PATH/cacti-thold.rules +#include $RULE_PATH/cisco-acs.rules +#include $RULE_PATH/cisco-cucm.rules +#include $RULE_PATH/cisco-ios.rules +#include $RULE_PATH/cisco-malware.rules +#include $RULE_PATH/cisco-pixasa.rules +#include $RULE_PATH/cisco-prime.rules +#include 
$RULE_PATH/cisco-sdee.rules +#include $RULE_PATH/cisco-wlc.rules +#include $RULE_PATH/citrix.rules +#include $RULE_PATH/courier.rules +#include $RULE_PATH/deleted.rules +#include $RULE_PATH/digitalpersona.rules +#include $RULE_PATH/dovecot.rules +#include $RULE_PATH/fatpipe.rules +#include $RULE_PATH/fortinet-malware.rules +#include $RULE_PATH/fortinet.rules +#include $RULE_PATH/ftpd.rules +#include $RULE_PATH/grsec.rules +#include $RULE_PATH/honeyd.rules +#include $RULE_PATH/hordeimp.rules +#include $RULE_PATH/hostapd.rules +#include $RULE_PATH/huawei.rules +#include $RULE_PATH/imapd.rules +#include $RULE_PATH/ipop3d.rules +#include $RULE_PATH/juniper.rules +#include $RULE_PATH/kismet.rules +#include $RULE_PATH/knockd.rules +#include $RULE_PATH/linux-kernel.rules +#include $RULE_PATH/milter.rules +#include $RULE_PATH/mongodb.rules +#include $RULE_PATH/mysql.rules +#include $RULE_PATH/nfcapd-malware.rules +#include $RULE_PATH/nfcapd.rules +#include $RULE_PATH/nginx.rules +#include $RULE_PATH/ntp.rules +#include $RULE_PATH/openssh.rules +#include $RULE_PATH/openvpn.rules +#include $RULE_PATH/oracle.rules +#include $RULE_PATH/ossec-mi.rules +#include $RULE_PATH/ossec.rules +#include $RULE_PATH/php.rules +#include $RULE_PATH/postfix.rules +#include $RULE_PATH/postgresql.rules +#include $RULE_PATH/pptp.rules +#include $RULE_PATH/procurve.rules +#include $RULE_PATH/proftpd.rules +#include $RULE_PATH/proxy-malware.rules +#include $RULE_PATH/pure-ftpd.rules +#include $RULE_PATH/racoon.rules +#include $RULE_PATH/riverbed.rules +#include $RULE_PATH/roundcube.rules +#include $RULE_PATH/rsync.rules +#include $RULE_PATH/samba.rules +#include $RULE_PATH/sendmail.rules +#include $RULE_PATH/snort.rules +#include $RULE_PATH/solaris.rules +#include $RULE_PATH/sonicwall.rules +#include $RULE_PATH/squid.rules +#include $RULE_PATH/ssh-tectia-server.rules +#include $RULE_PATH/su.rules +#include $RULE_PATH/symantec-ems.rules +#include $RULE_PATH/syslog.rules +#include 
$RULE_PATH/tcp.rules +#include $RULE_PATH/telnet.rules +#include $RULE_PATH/tripwire.rules +#include $RULE_PATH/vmpop3d.rules +#include $RULE_PATH/vmware.rules +#include $RULE_PATH/vpopmail.rules +#include $RULE_PATH/vsftpd.rules +#include $RULE_PATH/web-attack.rules +#include $RULE_PATH/weblabrinth.rules +#include $RULE_PATH/windows-applocker.rules +#include $RULE_PATH/windows-auth.rules +#include $RULE_PATH/windows-emet.rules +#include $RULE_PATH/windows-malware.rules +#include $RULE_PATH/windows-misc.rules +#include $RULE_PATH/windows-mssql.rules +#include $RULE_PATH/windows.rules +#include $RULE_PATH/wordpress.rules +#include $RULE_PATH/xinetd.rules +#include $RULE_PATH/zeus.rules sagan-1.2.0/extra/RPM/sagan.spec0000644000175000017500000000764613310531444015306 0ustar champchamp%define sagan_user sagan %define sagan_group sagan %define sagan_rules 4146f4f Name: sagan Version: 1.0.0RC5 Release: 1%{?dist} Summary: High performance, real-time log analysis & correlation engine Group: Applications/System License: GPLv2 URL: http://sagan.quadrantsec.com/ Source0: http://sagan.quadrantsec.com/download/%{name}-%{version}.tar.gz Source1: %{name}-rules-%{sagan_rules}.tar.gz Source2: %{name}.logrotate Source3: %{name}.service Source4: %{name}.tmpfiles Source5: %{name}-setup.libexec Patch0: %{name}-sagan.conf.patch BuildRequires: GeoIP-devel BuildRequires: json-c-devel BuildRequires: libdnet-devel BuildRequires: libesmtp-devel BuildRequires: liblognorm1-devel >= 1.0.0 BuildRequires: pcre-devel Requires: %{name}-rules %systemd_requires %description Sagan is an open source (GNU/GPLv2) multi-threaded, high performance, real-time log analysis & correlation engine developed by Quadrant Information Security that runs on Unix operating systems. It is written in C and uses a multi-threaded architecture to deliver high performance log & event analysis. Sagan's structure and rules work similarly to the Sourcefire Snort IDS/IPS engine. 
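Review bot: After this hunk every `include $RULE_PATH/....rules` line is commented out, and the hunk at -440,15 does the same for every `normalize:` line, so the packaged default sagan.conf loads no rule sets at all and a freshly installed service will start and never alert. If that is the intended opt-in default, a one-line comment in the patched config such as `# No rule sets are enabled by default; uncomment the include lines for the log sources you collect.` would keep an idle daemon from being mistaken for a working one, since the upstream comment just above only warns against enabling all of them.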
This allows Sagan to be compatible with Snort rule management software and give Sagan the ability to correlate with Snort IDS/IPS data. Sagan can record events to the Snort unified2 output format which makes Sagan compatible with user interfaces such as Snorby, Sguil, BASE and proprietary consoles. Sagan supports different output formats for reporting and analysis, log normalization, script execution on event detection, automatic firewall support via Snortsam, GeoIP detection/alerting, multi-line log support, and time sensitive alerting. %package rules Release: 1.git%{sagan_rules}%{?dist} Summary: Sagan engine rule sets Group: Applications/System BuildArch: noarch %description rules This package contains the Sagan engine rule sets. You probably won't find these useful unless you're actually using Sagan. %prep %setup -q %patch -P0 -p1 %build %configure \ --sysconfdir=%{_sysconfdir}/%{name} \ --enable-esmtp \ --enable-geoip \ --enable-libdnet \ --enable-lognorm \ --enable-snortsam make %{?_smp_mflags} %install make install DESTDIR=%{buildroot} rm -rf %{buildroot}%{_bindir} tar -xzf %{S:1} -C %{buildroot}%{_sysconfdir}/%{name} install -D -m 0644 %{S:2} %{buildroot}%{_sysconfdir}/logrotate.d/%{name} install -D -m 0644 %{S:3} %{buildroot}%{_unitdir}/%{name}.service install -D -m 0644 %{S:4} %{buildroot}%{_tmpfilesdir}/%{name}.conf install -D -m 0755 %{S:5} %{buildroot}%{_libexecdir}/%{name}/%{name}-setup %pre getent group %{sagan_group} >/dev/null || \ groupadd -r %{sagan_group} getent passwd %{sagan_user} >/dev/null || \ useradd -c "Sagan daemon" -d %{_localstatedir}/run/%{name} \ -g %{sagan_group} -M -r -s /sbin/nologin %{sagan_user} %post %tmpfiles_create %{name}.conf %systemd_post %{name}.service %preun %systemd_preun %{name}.service %postun %systemd_postun_with_restart %{name}.service %files %defattr(0644, root, root, 0755) %doc AUTHORS ChangeLog COPYING FAQ INSTALL NEWS README TODO %config(noreplace) %{_sysconfdir}/logrotate.d/%{name} %attr(0640, root, 
%{sagan_group}) %config(noreplace) %{_sysconfdir}/%{name}/%{name}.conf
# NOTE: this spec predates the 1.2.0 tree, which ships etc/sagan.yaml rather than sagan.conf; Version, Patch0 (which
# targets sagan.conf) and the entry above need updating before the package can be built against it. Keep the same
# 0640 root:sagan ownership for sagan.yaml, since it carries secrets (the Bluedot API key and the optional Redis password).
%attr(0750, root, %{sagan_group}) %dir %{_sysconfdir}/%{name} %attr(0750, %{sagan_user}, %{sagan_group}) %dir %{_localstatedir}/log/%{name} %attr(0750, %{sagan_user}, %{sagan_group}) %dir %{_localstatedir}/run/%{name} %dir %{_libexecdir}/%{name} %attr(0755, root, root) %{_libexecdir}/%{name}/%{name}-setup %attr(0755, root, root) %{_sbindir}/%{name} %{_mandir}/man8/sagan.8.gz %{_tmpfilesdir}/%{name}.conf %{_unitdir}/%{name}.service %files rules %defattr(0644, root, root, 0755) %config(noreplace) %{_sysconfdir}/%{name}/%{name}-rules %changelog * Fri May 8 2015 Aleksey Chudov - 1.0.0RC5 - Build sagan-rules subpackage * Fri Apr 17 2015 Aleksey Chudov - 1.0.0RC5 - Initial spec sagan-1.2.0/extra/RPM/sagan.tmpfiles0000644000175000017500000000004413310531444016160 0ustar champchampd /var/run/sagan 0750 sagan sagan - sagan-1.2.0/extra/conversion/0000755000175000017500000000000013310531444015053 5ustar champchampsagan-1.2.0/extra/conversion/ossec-sagan.pl0000644000175000017500000002172413310531444017621 0ustar champchamp#!/usr/bin/perl ## ossec-sagan.pl -- ## This utility takes a series of OSSEC rules, and generates a series of compatible SAGAN rules. ## Originally developed by Michael Iverson. ## ## Copyright (c) 2009-2011, Quadrant Information Security ## All rights reserved. ## ## Please submit any custom rules or ideas to the sagan-sigs@quadrantsec.com mailing list ## ##************************************************************* ## Redistribution and use in source and binary forms, with or without modification, are permitted provided that the ## following conditions are met: ## ## * Redistributions of source code must retain the above copyright notice, this list of conditions and the following ## disclaimer.
## * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the ## following disclaimer in the documentation and/or other materials provided with the distribution. ## * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived ## from this software without specific prior written permission. ## ## THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, ## INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE ## DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, ## SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR ## SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, ## WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE ## USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. ## ##************************************************************* ## ## History: ## v0.1 2010-12-27 - Initial version ## # 'use strict' is left off because it does not like the format of the XML group names when they are used as hash keys. #use strict; #use warnings; #use diagnostics; use XML::Simple; # used to manage config file in XML format #use Data::Dumper; # For debugging of data structures ## Define default configuration settings. ## These can be overridden by command line options. ## # Input file my $inputFile = ""; # temporary file # NOTE(review): a fixed, predictable name under /tmp that is later opened with ">" is a symlink/TOCTOU hazard # (CWE-377): any local user can pre-create /tmp/ossec-rules.tmp as a link and have this script overwrite the target. # Prefer a per-run file from the core File::Temp module and drop the explicit open() below, e.g. # use File::Temp qw(tempfile); my ($TEMPFILE, $tempFile) = tempfile("ossec-rules-XXXXXX", TMPDIR => 1, UNLINK => 1); my $tempFile = "/tmp/ossec-rules.tmp"; # This defines the default OSSEC alert level. # Rules with levels <= this number are commented out by default. my $commentLevel = "4"; ## Open temporary file, and write a header to it.
## open my $TEMPFILE, ">", "$tempFile" or die "$tempFile Error: Can't open temporary file: $!\n"; print $TEMPFILE "\n"; ## Read command line parameters, and process the xml files passed to the script. ## my $p; while ($p = shift) { # if we specify a comment level if (($p eq "-c") || ($p eq '--comment')) { $commentLevel = shift; } elsif (($p eq '-h') || ($p eq '--help')) { # Print usage instructions (NOTE: the text below advertises "--config", but the branch above only accepts "-c" / "--comment"). die q{Usage: ossec-sagan.pl [OPTION] [FILES] Summary: Convert the supplied list of OSSEC xml rule files into a monolithic block of SAGAN rules. Converted rules are written to stdout. Options: -c n or --config n Comment out alerts with OSSEC levels less than or equal to n. (default is 4) -h or --help Print help message. Note: Options must appear BEFORE file arguments. } } else { # Assume that the parameter is an OSSEC xml rule file # we'll read in each one, and process out unnecessary tags that might get us in trouble. # output will be written to the temporary file. $inputFile = $p; # Check the input file for obvious issues. # die "$inputFile Error: Input file does not exist.\n" if (!(-e $inputFile)); die "$inputFile Error: Input file is not the correct type.\n" if (!(-f $inputFile)); die "$inputFile Error: Input file is not readable.\n" if (!(-r $inputFile)); # die "$inputFile Error: Output directory does not exist.\n" # if (!(-d $outFolder)); # Open up our input file. # open my $INFILE, "<", "$inputFile" or die "$inputFile Error: Can't open input file: $!\n"; # read through file, only matching relevant lines while (<$INFILE>) { # We need to add the filename to the group name, since XML:Simple can't handle # duplicate hash keys # NOTE(review): the substitution that follows lost its XML tag text when this listing was extracted and is not # valid Perl as shown; take it from the upstream ossec-sagan.pl rather than from here. s/)/); } close $INFILE; } } ## Close temporary file, but write trailer to it first.
## print $TEMPFILE "\n"; close $TEMPFILE; ## Read in preprocessed XML rules from temporary file ## my $xmltree = XML::Simple->new(); my $cfg = $xmltree->XMLin($tempFile,ForceArray => ['description','rule']); # debug data structure #print Dumper($cfg); ## Print header ## print q{## ## OSSEC SAGAN RULES (autogenerated) ## ## Sagan is: ## Copyright (c) 2009-2010, Quadrant Information Security. ## All rights reserved. ## ## Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list ## ##************************************************************* ## Redistribution and use in source and binary forms, with or without modification, are permitted provided that the ## following conditions are met: ## ## * Redistributions of source code must retain the above copyright notice, this list of conditions and the following ## disclaimer. ## * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the ## following disclaimer in the documentation and/or other materials provided with the distribution. ## * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived ## from this software without specific prior written permission. ## ## THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, ## INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE ## DISCLAIMED. 
IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, ## SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR ## SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, ## WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE ## USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. ## ##************************************************************* ## These rules were autogenerated from ossec rules using the ossec-sagan.pl script. ## OSSEC and its supplied rules are: ## ## Copyright (C) 2009 Trend Micro Inc. ## All rights reserved. ## ## This program is a free software; you can redistribute it ## and/or modify it under the terms of the GNU General Public ## License (version 2) as published by the FSF - Free Software ## Foundation. ## ## License details: http://www.ossec.net/en/licensing.html ## }; ## For each group... foreach my $group ( keys %{$cfg->{'group'}} ) { # Strip the annoying comma from the group name. my $tmpgrp = $group; $tmpgrp =~ s/,$//; # Keep groups neatly separated in output file print "\n\n## Rule group: $tmpgrp\n##\n"; # debug data structure. #print Dumper($cfg->{'group'}->{$group}); # For each rule within the group... foreach my $rule ( keys %{$cfg->{'group'}->{$group}->{'rule'}} ) { # Sample SAGAN Rule # alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Alert Level 5"; content: "Alert Level: 5;"; classtype: system-event; program: ossec; sid: 6000001; rev:1;) # Assign the alert level to a local variable, as we will use it a lot. my $level = $cfg->{'group'}->{$group}->{'rule'}->{$rule}->{'level'}; # check if the level is beneath the comment threshold. If it is, comment it out # We'll print the level number in the comment to make it easy to remove comments later. 
print "#(Level $level) " if ($level <= $commentLevel); # print beginning of the rule, including description (ossec can have multiple description lines) # NOTE(review): descriptions, the group name and the rule id are emitted verbatim; a value containing '"' or ';' would break or alter the generated msg:/content: fields, so review the output before loading it. print "alert syslog \$EXTERNAL_NET any -> \$HOME_NET any (msg: \"[OSSEC] Level $level - "; foreach my $desc (@{$cfg->{'group'}->{$group}->{'rule'}->{$rule}->{'description'}}) { print "$desc"; } # print group name print " ($tmpgrp)\"; "; # classify rule based on OSSEC priority level print "content: \"Rule: $rule \"; classtype: "; if ($level == 0) { print "tcp-connection; "; } elsif ($level < 5) { print "not-suspicious; "; } elsif ($level < 10) { print "system-event; "; } else { print "exploit-attempt; "; } # embed the ossec id in the sid of the rule printf "program: ossec; sid: 6%06s; rev:1;)\n", $rule; } } sagan-1.2.0/etc/0000755000175000017500000000000013310531444012316 5ustar champchampsagan-1.2.0/etc/sagan.80000644000175000017500000000502013310531444013495 0ustar champchamp.\" Hey, EMACS: -*- nroff -*- .\" First parameter, NAME, should be all caps .\" Second parameter, SECTION, should be 1-8, maybe w/ subsection .\" other parameters are allowed: see man(7), man(1) .TH SAGAN 8 "April 15, 2012" .\" Please adjust this date whenever revising the manpage. .\" .\" Some roff macros, for reference: .\" .nh disable hyphenation .\" .hy enable hyphenation .\" .ad l left justify .\" .ad b justify to both left and right margins .\" .nf disable filling .\" .fi enable filling .\" .br insert line break .\" .sp insert n+1 empty lines .\" for manpage-specific macros, see man(7) .SH NAME sagan \- Real-time System & Event Log Monitoring System .SH SYNOPSIS .B sagan .RI [ options ] .br .SH DESCRIPTION This manual page documents briefly the .B sagan command. .PP .\" TeX users may be more comfortable with the \fB\fP and .\" \fI\fP escape sequences to invoke bold face and italics, .\" respectively. \fBsagan\fP is a multi-threaded, real time system- and event-log monitoring system, but with a twist.
Sagan uses a "Snort" like rule set for detecting malicious events happening on your network and/or computer systems. .br If Sagan detects a potentially bad event, that event can be stored to a Snort database (MySQL/PostgreSQL), send it to a SIEM tool like Prelude, or send an email. .br Sagan is meant to be used in a "centralized" logging environment, but will work fine as part of a standalone Host IDS system for workstations. .SH OPTIONS These programs follow the usual GNU command line syntax, with long options starting with two dashes (`-'). A summary of options is included below. .TP .B \-h, \-\-help Show summary of options. .TP .B \-d, \-\-debug [option] Enable debugging. Options are syslog, load, fwsam, sql, smtp, normalize and plog .TP .B \-D, \-\-daemon Make process a daemon (fork to the background) .TP .B \-u, \-\-user [username] Run as user (defaults to 'sagan') .TP .B \-c, \-\-chroot [directory] Chroots the Sagan process to the specified directory .TP .B \-f, \-\-config [file] Sagan configuration file to load .TP .B \-F, \-\-file [file] Sagan FIFO over ride. This forces Sagan to read from a FILE rather than a FIFO. The FILE needs to be in the Sagan format! .TP .B \-l, \-\-log [file] Set log file locaton and name. .SH AUTHOR Sagan was written by Champ Clark III .PP This manual page was written by Pierre Chifflier , for the Debian project (and may be used by others). sagan-1.2.0/etc/sagan.yaml0000644000175000017500000006272413310531444014306 0ustar champchamp%YAML 1.1 --- # ,-._,-. Sagan configuration file [http://sagan.quadrantsec.com] # \/)"(\/ Champ Clark III & The Quadrant Infosec Team: http://quadrantsec.com # (_o_) Copyright (C) 2009-2018 Quadrant Information Security., et al. # / \/) # (|| ||) # oo-oo ############################################################################## # This section defines variables commonly used by the Sagan core, rules # and configuration. 
These variables need to be at the head of the sagan.yaml # so that they can be used later in the configuration. ############################################################################## vars: # 'Core' variables used by Sagan. sagan-groups: FIFO: "/var/sagan/fifo/sagan.fifo" RULE_PATH: "/usr/local/etc/sagan-rules" LOCKFILE: "/var/run/sagan/sagan.pid" LOG_PATH: "/var/log/sagan" # HOME_NET and EXTERNAL_NET function similar to Suricata/Snort. However, # it's rare you'll want to set them. In most situations leaving it set # to "any" is best. address-groups: HOME_NET: "any" EXTERNAL_NET: "any" # Common ports used by common protocols. These variables are used by # rule sets. port-groups: SSH_PORT: 22 HTTP_PORT: 80 HTTPS_PORT: 443 TELNET_PORT: 23 DNS_PORT: 53 SNMP_PORT: 161 POP3_PORT: 110 IMAP_PORT: 143 SMTP_PORT: 25 MYSQL_PORT: 3306 MSSQL_PORT: 1433 NTP_PORT: 123 OPENVPN_PORT: 1194 PPTP_PORT: 1723 FTP_PORT: 21 RSYNC_PORT: 873 SQUID_PORT: 3128 # If you are using the -geoip rule sets & Sagan is compile with Maxmind # GeoIP2 support (https://github.com/maxmind/libmaxminddb/releases), # you'll want to define your $HOME_COUNTRY. ISO GeoIP country codes can # be found at http://dev.maxmind.com/geoip/legacy/codes/iso3166/ geoip-groups: HOME_COUNTRY: "US,CA" # If you want to use -aetas, also know as time based rule sets, you'll # want to define the $SAGAN_HOURS and $SAGAN_DAYS variables. $SAGAN_HOURS is # considered "normal" hours in a 24 hour clock format from "start time" to # "end time". $SAGAN_DAYS is the day of the week (0 == Sunday -> # Saturday). For more information, see: # # https://wiki.quadrantsec.com/twiki/bin/view/Main/SaganRuleReference aetas-groups: SAGAN_HOURS: "0700-1800" SAGAN_DAYS: "12345" # The "bluedot-groups" is used by the Sagan "Bluedot" processor. See the # "bluedot" processor later in this configuration file fore more # information. bluedot-groups: BLUEDOT: "Malicious" # Variable for the max number of entires Sagan will retain via IPC. 
mmap-groups: MMAP_DEFAULT: 10000 # Miscellaneous variables used by rules. misc-groups: CREDIT_CARD_PREFIXES: "4,34,37,300,301,302,303,304,305,2014,2149,309,36,38,39,54,55,6011,6221,6222, 6223,6224,6225,6226,\ 6227,6228,6229,644,645,646,647,648,649,65,636,637,638,639,22,23,24,25,26,27,51,52,53,53,55" RFC1918: "10.,192.168.,172.16.,172.17.,172.18.,172.19.,172.20.,172.21.,172.22.,172.23.,172.24.,172.25.,172.26.,172.27.,\ 172.28.,172.29.,172.30.,172.31." # $WINDOWS_DOMAINS is used by some Windows rule sets to determine if a log # message contains or does not contain a valid DOMAIN for your organization. # For more information, see: # # https://quadrantsec.com/about/blog/detecting_pass_the_hash_attacks_with_sagan_in_real_time/ WINDOWS_DOMAINS: "MYCOMPANYDOMAIN,EXAMPLEDOMAIN,ANOTHER_DOMAIN" # Known-good Microsoft PsExec binary hashes for versions v1.98, v2.00, v2.10, v2.11 and v2.11 (2016). # NOTE(review): despite the variable name, only the last value is 32 hex characters (MD5 length); the # first four are 40 characters (SHA-1 length). A digest of one length can never equal an entry of the # other, so check which digest the rules that use $PSEXEC_MD5 extract from the log and make every entry # that kind. The space after the first comma may also need removing, depending on how the list is split. PSEXEC_MD5: "CD23B7C9E0EDEF184930BC8E0CA2264F0608BCB3, 9A46E577206D306D9D2B2AB2F72689E4F5F38FB1,\ 2EDEEFB431663F20A36A63C853108E083F4DA895,B5C62D79EDA4F7E4B60A9CAA5736A3FDC2F1B27E,\ A7F7A0F74C8B48F1699858B3B6C11EDA" ############################################################################## # Sagan "core" configuration settings. ############################################################################## sagan-core: # Settings used by the Sagan's core engine. core: sensor-name: "default_sensor_name" # Unique name for this sensor (no spaces) default-host: 192.168.2.1 default-port: 514 default-proto: udp dns-warnings: disabled source-lookup: disabled fifo-size: 1048576 # System must support F_GETPIPE_SZ/F_SETPIPE_SZ. max-threads: 100 classification: "$RULE_PATH/classification.config" reference: "$RULE_PATH/reference.config" gen-msg-map: "$RULE_PATH/gen-msg.map" protocol-map: "$RULE_PATH/protocol.map" xbit-storage: mmap # xbit storage engine. ("mmap" or "redis")
parse-ip: ipv6: enabled # Parse IPv6 Addresses ipv4-mapped-ipv6: disabled # Map ffff::192.168.1.1 back to 192.168.1.1 # The "selector" adds "multi-tenancy" into Sagan. Using the "selector" allows Sagan to # track IP source, IP destinations, etc. in order to ensure overlapping logs from different # environments are tracked separately. selector: enabled: no name: "selector name" # Log entry must be normalized and this value must # be present in the normalized result # Redis configuration. Redis can be used to act as a global storage engine for data # like xbits. If the instance is shared with other hosts (the reason to use it at all), bind it # to a trusted interface and set a password; the default below assumes a local instance. redis-server: enabled: no server: 127.0.0.1 port: 6379 #password: "mypassword" # Uncomment to require authentication; without it anyone who can reach # the Redis port can read and rewrite the shared xbit state. writer_threads: 10 # Sagan creates "memory mapped" files to keep track of xbits, thresholds, # and afters. This allows Sagan to "remember" threshold, xbits and after # data between system restarts (including system reboots!). # This also allows Sagan to share information with other Sagan processes. # For example, if one Sagan instance is monitoring "Linux" logs & another is # monitoring "Windows" logs, Sagan can communicate between the two Sagan # processes using these memory mapped files. A "xbit" that is "set" by the # "Linux" process is accessible and "known" to the Windows instance. # The storage is pre-allocated when the memory mapped files are created # The values can be increased/decreased by altering the $MMAP_DEFAULT # variable. 10,000 entries is the system default. Because these files are shared between # processes, "ipc-directory" must be writable only by the account Sagan runs as; anything # that can write to it can tamper with the xbits, thresholds and after counters of every instance. mmap-ipc: ipc-directory: /var/sagan/ipc xbit: $MMAP_DEFAULT threshold-by-src: $MMAP_DEFAULT threshold-by-dst: $MMAP_DEFAULT threshold-by-username: $MMAP_DEFAULT after-by-src: $MMAP_DEFAULT after-by-dst: $MMAP_DEFAULT after-by-username: $MMAP_DEFAULT track-clients: $MMAP_DEFAULT # A "short circuit" list of terms or strings to ignore. If the string # is found in pre-processing a log message, it will be dropped.
This can # be useful when you have log messages repeating without any useful # information & you don't want to burn CPU cycles analyzing them. Items # that match are "short circuited" in pre-processing before rules & # processors are applied. Because a matching log is discarded before any # rule sees it, an over-broad entry silently blinds every rule that would # have fired on that log: keep entries as specific as possible and review # the list with the same care as the rule set itself. ignore_list: enabled: no ignore_file: "$RULE_PATH/sagan-ignore-list.txt" # Maxmind GeoIP2 support allows Sagan to categorize events by their country # code. For example; a rule can be created to track "authentication # successes" & associate the country the successful login came from. If the # successful login is from outside your country code, via the $HOME_COUNTRY # variable, an alert can be generated. Sagan will need to be compiled with # --enable-geoip2 flag. # # Maxmind GeoLite2 Free database: # http://dev.maxmind.com/geoip/geoip2/geolite2/ # # Country code (ISO3166): # http://dev.maxmind.com/geoip/legacy/codes/iso3166/ # # More information about Sagan & GeoIP, see: # https://quadrantsec.com/about/blog/detecting_adversary_with_sagan_geoip/ geoip: enabled: no country_database: "/usr/local/share/GeoIP2/GeoLite2-Country.mmdb" # Liblognorm is a fast sample-based log normalization library. Sagan uses # this library to rapidly extract useful data (IP address, hashes, etc) from # log messages. While this library is not required it is recommended that # Sagan be built with liblognorm enabled. For more information, see: # # https://wiki.quadrantsec.com/bin/view/Main/LibLogNorm # # normalize_rulebase names the sample file used to normalize the log messages # Sagan receives. liblognorm: enabled: yes normalize_rulebase: "$RULE_PATH/normalization.rulebase" # 'Plog', the promiscuous syslog injector, allows Sagan to 'listen' on a # network interface and 'suck' UDP syslog messages off the wire. When a # syslog packet is detected, it is injected into /dev/log. This is based # on work by Marcus J. Ranum in 2004 with his permission. # Plain UDP syslog carries no authentication, so any host able to put # packets matching "bpf-filter" on the captured segment can inject lines # into /dev/log; enable this only on a trusted capture segment and keep # the filter as narrow as possible.
# # For more information, please see: # # https://raw.githubusercontent.com/beave/sagan/master/src/sagan-plog.c plog: enabled: no interface: eth0 bpf-filter: "port 514" log-device: /dev/log promiscuous: yes ############################################################################## # Processors ############################################################################## # "Processors" are functions that operate outside normal "rule sets". processors: # The "tracking clients" processor keeps track of the systems (IP addresses), # reporting to Sagan. If Sagan stops receiving logs from a client for a # specified amount of time ("timeout"), an alert/notification is created. # With the # system comes back online, another alert/notification is # created. - track-clients: enabled: no timeout: 1440 # In minutes # The "perfmonitor" processor write statistical information every specified # number of seconds ("time") to a CSV file. This data can be useful for # tracking the performance of Sagan. This data can also be used with # RRDTool to generate graphs. - perfmonitor: enabled: no time: 600 filename: "$LOG_PATH/stats/sagan.stats" # The "blacklist" process reads in a list of hosts/networks that are # considered "bad". For example, you might pull down a list like SANS # DShield (http://feeds.dshield.org/block.txt) for Sagan to use. If Sagan # identifies any hosts/networks in a log message from the list, an alert # will be generated. The list can be in a IP (192.168.1.1) or CIDR format # (192.168.1.0/24). Rule identified as -blacklist.rules use this data. # You can load multiple blacklists by seperating them via comma. For # example; filename: "$RULE_PATH/list1.txt, $RULE_PATH/list2.txt". - blacklist: enabled: no filename: "$RULE_PATH/blacklist.txt" # The "bluedot" processor extracts information from logs (URLs, file hashes, # IP address) and queries the Quadrant Information Security "Bluedot" threat # intellegence database. This database is 'closed' at this time. 
For more # information, please contact Quadrant Information Security @ 1-800-538-9357 # (+1-904-296-9100) or e-mail info@quadrantsec.com for more information. # Rules identified with the -bluedot.rules extension use this data. # The API key is embedded in the "uri" value below, so this file must be readable # only by root and the account Sagan runs as. The transport is not configured here; # confirm the lookups go over TLS, since the key and the indicators taken from your # logs (IPs, hashes, URLs) travel with every query. - bluedot: enabled: no device-id: "Device_ID" max-cache: 500000 cache-timeout: 120 categories: "$RULE_PATH/bluedot-categories.conf" host: "bluedot.qis.io" ttl: 86400 uri: "q.php?qipapikey=APIKEYHERE" # The "bro-intel" processor allows Sagan to use threat intelligence data # from the "Bro Intelligence Framework". Rules identified with the # -brointel.rules use this data. For more information about this # processor, see: # # https://quadrantsec.com/about/blog/using_sagan_with_bro_intelligence_feeds/ # https://wiki.quadrantsec.com/bin/view/Main/SaganRuleReference#bro_intel_src_ipaddr_dst_ipaddr # http://blog.bro.org/2014/01/intelligence-data-and-bro_4980.html # https://www.bro.org/sphinx-git/frameworks/intel.html # # A good aggregate source of Bro Intelligence data is at: # # https://intel.criticalstack.com/ - bro-intel: enabled: no filename: "/opt/critical-stack/frameworks/intel/master-public.bro.dat" # The 'dynamic_load' processor uses rules with the "dynamic_load" rule option # enabled. These rules tell Sagan to load additional rules when new log # traffic is detected. For example, if Sagan does not have 'proftpd.rules' # enabled but detects 'proftp' log traffic, a dynamic rule can automatically # load the 'proftpd.rules' for you. Dynamic detection rules are named # 'dynamic.rules' in the Sagan rule set. The "sample-rate" limits the amount of # CPU dedicated to detecting new logs. The "type" informs the processor # "what" to do. Valid types are "dynamic_load" (load & alert when new rules # are loaded), "log_only" (only writes detection to the sagan.log file) and # "alert" (creates an alert about new logs being detected). - dynamic_load: enabled: no sample-rate: 100 # How often to 'test for new samples.
type: dynamic_load # What to do on detection of new logs. ############################################################################## # Output formats. ############################################################################## # "outputs" inform Sagan on how to handle data upon detection. outputs: # Experimental Code!!! # # WORK IN PROGRESS - Output in the Suricata EVE/Alert format. # ONLY supports "regular" and "alerts" at this time! # EVE alerts can be loaded into software like Elasticsearch and are a good # replacement for "unified2" with software like "Meer". Check out: # https://github.com/beave/meer - eve-log: enabled: no filetype: regular #regular|syslog|unix_dgram|unix_stream|redis interface: logs alerts: yes # Logs alerts logs: no # Log everything filename: "$LOG_PATH/eve.json" # The 'alert' output format allows Sagan to write alerts, in detail, in a # traditional Snort style "alert log" ASCII format. - alert: enabled: yes filename: "$LOG_PATH/alert.log" # The 'fast' output format allows Sagan to write alerts in a format similar # to Snort's 'fast' output format. - fast: enabled: no filename: "$LOG_PATH/fast.log" # The 'unified2' output allows Sagan to write in Snort's unified2 format. # This allows events/alerts generated by Sagan to be read and queued for # external programs like Barnyard2 (http://www.securixlive.com/barnyard2/). # Barnyard2 can then record events to various formats (Sguil, PostgreSQL, # MySQL, MS-SQL, Oracle, etc). Sagan must be compiled with libdnet support # to use this function. - unified2: enabled: no force-ipv4: no filename: "$LOG_PATH/unified2.alert" limit: 128 # Max size in MB # The 'external' output calls an external program when an event is triggered # by a rule and/or processor. Sagan uses the execl() system call to execute # the program supplied by "command". Data is supplied to the "command" via # STDIN. The program inherits the privileges of the Sagan process and receives # log content that originated on remote hosts, so it must treat STDIN as # untrusted (never hand it unquoted to a shell), and the binary and its # directory should be writable only by root so the path cannot be swapped # for something else. - external: enabled: no command: "/home/sagan/myprogram" # The 'smtp' output allows Sagan to e-mail alerts that trigger.
The rules # you want e-mailed need to contain the 'email' rule option and Sagan must # be compiled with libesmtp support. - smtp: enabled: no from: sagan-alert@example.com server: 192.168.0.1:25 subject: "** Sagan Alert **" # The 'snortsam' output allows Sagan to send block requests to Snortsam # agents. If a rule has the fwsam: option in it, the offending IP address can # be firewalled/blocked. For example, if a rule is triggered with the 'fwsam' # option, Sagan can instruct a firewall (iptables/ebtable/pf/iwpf/Cisco/etc) # to firewall off the source or destination. # # In order for Sagan to send a blocking request to the SnortSam agent, # that agent has to be listed, including the port it listens on, and the # encryption key it is using. The server option is formatted like this: # # server: {Snortsam Station}:{port}/{password} # # {SnortSam Station}: IP address or host name of the host where SnortSam is # running. # {port}: The port the remote SnortSam agent listens on. # {password}: The password, or key, used for encryption of the # communication to the remote agent. # # At the very least, the IP address or host name of the host running SnortSam # needs to be specified. If the port is omitted, it defaults to TCP port 898. # If the password is omitted, it defaults to a preset password. Do not rely # on that default: the key is what stops anyone who can reach the agent's # port from submitting block requests, and a block against the wrong # address firewalls off a legitimate host. Set a unique key per deployment # and keep it in step with the agent's configuration. Since the "offending" # address is taken from log text, also check that 'fwsam' rules cannot be # fed attacker-chosen addresses before enabling this output, or the block # itself becomes a denial-of-service lever. # # More than one host can be specified, but has to be done on the same line. # Just separate them with one or more spaces. - snortsam: enabled: no server: 127.0.0.1/mykey # The 'syslog' output allows Sagan to send alerts to syslog. The syslog # output format used is exactly the same as Snort's. This means that your # SIEM's Snort log parsers should work with Sagan. - syslog: enabled: no facility: LOG_AUTH priority: LOG_ALERT extra: LOG_PID ############################################################################## # Rule sets! - "Arrgh Villains! Sagan neither takes nor gives mercy!"
############################################################################## # It is unlikely you want to have _all_ rules enabled! You'll want to tailor # & enable rules for your specific needs! rules-files: ############################################################################# # Dynamic rules - Only use if you have the 'dynamic_load' processor enabled # ############################################################################# #- $RULE_PATH/dynamic.rules ############################################################################# # GeoIP rules - Only use if you have $HOME_COUNTRY and 'geoip' core enabled # ############################################################################# #- $RULE_PATH/cisco-geoip.rules #- $RULE_PATH/citrix-geoip.rules #- $RULE_PATH/courier-geoip.rules #- $RULE_PATH/f5-big-ip-geoip.rules #- $RULE_PATH/fatpipe-geoip.rules #- $RULE_PATH/fortinet-geoip.rules #- $RULE_PATH/imapd-geoip.rules #- $RULE_PATH/juniper-geoip.rules #- $RULE_PATH/openssh-geoip.rules #- $RULE_PATH/proftpd-geoip.rules #- $RULE_PATH/riverbed-geoip.rules #- $RULE_PATH/snort-geoip.rules #- $RULE_PATH/ssh-tectia-server-geoip.rules #- $RULE_PATH/vmware-geoip.rules #- $RULE_PATH/vsftpd-geoip.rules #- $RULE_PATH/windows-geoip.rules #- $RULE_PATH/windows-owa-geoip.rules #- $RULE_PATH/zimbra-geoip.rules ############################################################################# # Aetas rules - Only use if $SAGAN_HOUR/$SAGAN_DAY is defined! # ############################################################################# #- $RULE_PATH/cisco-aetas.rules #- $RULE_PATH/fatpipe-aetas.rules #- $RULE_PATH/fortinet-aetas.rules #- $RULE_PATH/juniper-aetas.rules #- $RULE_PATH/openssh-aetas.rules #- $RULE_PATH/proftpd-aetas.rules #- $RULE_PATH/riverbed-aetas.rules #- $RULE_PATH/ssh-tectia-server-aetas.rules #- $RULE_PATH/windows-aetas.rules ############################################################################# # Malware rules - Rules useful for detecting malware. 
# ############################################################################# #- $RULE_PATH/cisco-malware.rules #- $RULE_PATH/fortinet-malware.rules #- $RULE_PATH/nfcapd-malware.rules #- $RULE_PATH/proxy-malware.rules #- $RULE_PATH/windows-malware.rules ############################################################################# # Blacklist rules - Make sure the 'blacklist' processor is enabled! # ############################################################################# #- $RULE_PATH/blacklist.rules #- $RULE_PATH/cisco-blacklist.rules #- $RULE_PATH/citrix-blacklist.rules #- $RULE_PATH/windows-blacklist.rules #- $RULE_PATH/windows-owa-blacklist.rules ############################################################################# # Bro Intel rules - Make sure the 'bro-intel processor is enabled! # ############################################################################# #- $RULE_PATH/cisco-brointel.rules #- $RULE_PATH/citrix-brointel.rules #- $RULE_PATH/windows-brointel.rules #- $RULE_PATH/windows-owa-brointel.rules #- $RULE_PATH/bro-intel.rules ############################################################################# # Bluedot rules - Make sure the 'bluedot' processor is enabled! 
# ############################################################################# #- $RULE_PATH/bluedot.rules #- $RULE_PATH/bro-bluedot.rules #- $RULE_PATH/cisco-bluedot.rules #- $RULE_PATH/citrix-bluedot.rules #- $RULE_PATH/courier-bluedot.rules #- $RULE_PATH/f5-big-ip-bluedot.rules #- $RULE_PATH/fatpipe-bluedot.rules #- $RULE_PATH/fortinet-bluedot.rules #- $RULE_PATH/imapd-bluedot.rules #- $RULE_PATH/juniper-bluedot.rules #- $RULE_PATH/openssh-bluedot.rules #- $RULE_PATH/proftpd-bluedot.rules #- $RULE_PATH/riverbed-bluedot.rules #- $RULE_PATH/snort-bluedot.rules #- $RULE_PATH/ssh-tectia-server-bluedot.rules #- $RULE_PATH/vmware-bluedot.rules #- $RULE_PATH/vsftpd-bluedot.rules #- $RULE_PATH/windows-bluedot.rules #- $RULE_PATH/windows-owa-bluedot.rules ############################################################################# # Correlated rules - Rules that use xbits to detect malicious behavor # ############################################################################# - $RULE_PATH/cisco-correlated.rules - $RULE_PATH/citrix-correlated.rules - $RULE_PATH/courier-correlated.rules - $RULE_PATH/fatpipe-correlated.rules - $RULE_PATH/fortinet-correlated.rules - $RULE_PATH/imapd-correlated.rules - $RULE_PATH/openssh-correlated.rules - $RULE_PATH/ssh-tectia-server-correlated.rules - $RULE_PATH/vmware-correlated.rules - $RULE_PATH/vsftpd-correlated.rules - $RULE_PATH/windows-correlated.rules - $RULE_PATH/windows-owa-correlated.rules ############################################################################# # Standard rules - Rules that do not require any dependencies. 
# ############################################################################# #- $RULE_PATH/as400.rules - $RULE_PATH/adtran.rules - $RULE_PATH/apache.rules - $RULE_PATH/apc-emu.rules - $RULE_PATH/arp.rules #- $RULE_PATH/artillery.rules - $RULE_PATH/asterisk.rules - $RULE_PATH/attack.rules - $RULE_PATH/barracuda.rules - $RULE_PATH/bash.rules - $RULE_PATH/bind.rules - $RULE_PATH/carbonblack.rules - $RULE_PATH/bonding.rules - $RULE_PATH/bro-ids.rules - $RULE_PATH/cacti-thold.rules - $RULE_PATH/cisco-acs.rules - $RULE_PATH/cisco-cucm.rules - $RULE_PATH/cisco-ios.rules - $RULE_PATH/cisco-meraki.rules - $RULE_PATH/cisco-pixasa.rules #- $RULE_PATH/cisco-prime.rules #- $RULE_PATH/cisco-sdee.rules - $RULE_PATH/cisco-wlc.rules - $RULE_PATH/citrix.rules - $RULE_PATH/courier.rules - $RULE_PATH/cylance.rules #- $RULE_PATH/deleted.rules #- $RULE_PATH/digitalpersona.rules - $RULE_PATH/dovecot.rules - $RULE_PATH/f5-big-ip.rules - $RULE_PATH/fatpipe.rules - $RULE_PATH/fipaypin.rules - $RULE_PATH/fortinet.rules - $RULE_PATH/ftpd.rules - $RULE_PATH/grsec.rules - $RULE_PATH/honeyd.rules #- $RULE_PATH/hordeimp.rules #- $RULE_PATH/hostapd.rules - $RULE_PATH/huawei.rules - $RULE_PATH/imapd.rules - $RULE_PATH/ipop3d.rules - $RULE_PATH/juniper.rules #- $RULE_PATH/kismet.rules - $RULE_PATH/knockd.rules - $RULE_PATH/linux-kernel.rules - $RULE_PATH/milter.rules - $RULE_PATH/mongodb.rules - $RULE_PATH/mysql.rules - $RULE_PATH/nexpose.rules - $RULE_PATH/nfcapd.rules - $RULE_PATH/nginx.rules - $RULE_PATH/ntp.rules - $RULE_PATH/openssh.rules - $RULE_PATH/openvpn.rules - $RULE_PATH/oracle.rules #- $RULE_PATH/ossec-mi.rules #- $RULE_PATH/ossec.rules - $RULE_PATH/palo-alto.rules - $RULE_PATH/php.rules - $RULE_PATH/postfix.rules - $RULE_PATH/postgresql.rules - $RULE_PATH/pptp.rules - $RULE_PATH/procurve.rules - $RULE_PATH/proftpd.rules - $RULE_PATH/pure-ftpd.rules - $RULE_PATH/racoon.rules - $RULE_PATH/riverbed.rules - $RULE_PATH/roundcube.rules - $RULE_PATH/rsync.rules - $RULE_PATH/samba.rules - 
$RULE_PATH/sendmail.rules - $RULE_PATH/snort.rules - $RULE_PATH/solaris.rules - $RULE_PATH/sonicwall.rules - $RULE_PATH/squid.rules - $RULE_PATH/ssh-tectia-server.rules - $RULE_PATH/su.rules - $RULE_PATH/symantec-ems.rules - $RULE_PATH/syslog.rules - $RULE_PATH/tcp.rules - $RULE_PATH/telnet.rules - $RULE_PATH/trendmicro.rules - $RULE_PATH/tripwire.rules - $RULE_PATH/vmpop3d.rules - $RULE_PATH/vmware.rules - $RULE_PATH/vpopmail.rules - $RULE_PATH/vsftpd.rules - $RULE_PATH/web-attack.rules #- $RULE_PATH/weblabrinth.rules - $RULE_PATH/windows-applocker.rules - $RULE_PATH/windows-auth.rules - $RULE_PATH/windows-emet.rules - $RULE_PATH/windows-misc.rules - $RULE_PATH/windows-mssql.rules - $RULE_PATH/windows-security.rules - $RULE_PATH/windows-owa.rules - $RULE_PATH/windows.rules - $RULE_PATH/windows-sysmon.rules - $RULE_PATH/windows-security.rules - $RULE_PATH/wordpress.rules - $RULE_PATH/xinetd.rules - $RULE_PATH/yubikey.rules - $RULE_PATH/zeus.rules - $RULE_PATH/zimbra.rules # # Include other configs # # Includes. Files included here will be handled as if they were # inlined in this configuration file. #include: "/usr/local/etc/include1.yaml" #include: "$RULE_PATH/include2.yaml" sagan-1.2.0/config.sub0000755000175000017500000010577513310533436013550 0ustar champchamp#! /bin/sh # Configuration validation subroutine script. # Copyright 1992-2014 Free Software Foundation, Inc. timestamp='2014-09-11' # This file is free software; you can redistribute it and/or modify it # under the terms of the GNU General Public License as published by # the Free Software Foundation; either version 3 of the License, or # (at your option) any later version. # # This program is distributed in the hope that it will be useful, but # WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU # General Public License for more details. 
# # You should have received a copy of the GNU General Public License # along with this program; if not, see . # # As a special exception to the GNU General Public License, if you # distribute this file as part of a program that contains a # configuration script generated by Autoconf, you may include it under # the same distribution terms that you use for the rest of that # program. This Exception is an additional permission under section 7 # of the GNU General Public License, version 3 ("GPLv3"). # Please send patches with a ChangeLog entry to config-patches@gnu.org. # # Configuration subroutine to validate and canonicalize a configuration type. # Supply the specified configuration type as an argument. # If it is invalid, we print an error message on stderr and exit with code 1. # Otherwise, we print the canonical config type on stdout and succeed. # You can get the latest version of this script from: # http://git.savannah.gnu.org/gitweb/?p=config.git;a=blob_plain;f=config.sub;hb=HEAD # This file is supposed to be the same for all GNU packages # and recognize all the CPU types, system types and aliases # that are meaningful with *any* GNU software. # Each package is responsible for reporting which valid configurations # it does not support. The user should be able to distinguish # a failure to support a valid configuration from a meaningless # configuration. # The goal of this file is to map all the various variations of a given # machine specification into a single specification in the form: # CPU_TYPE-MANUFACTURER-OPERATING_SYSTEM # or in some cases, the newer four-part form: # CPU_TYPE-MANUFACTURER-KERNEL-OPERATING_SYSTEM # It is wrong to echo any other type of specification. me=`echo "$0" | sed -e 's,.*/,,'` usage="\ Usage: $0 [OPTION] CPU-MFR-OPSYS $0 [OPTION] ALIAS Canonicalize a configuration name. 
Operation modes: -h, --help print this help, then exit -t, --time-stamp print date of last modification, then exit -v, --version print version number, then exit Report bugs and patches to ." version="\ GNU config.sub ($timestamp) Copyright 1992-2014 Free Software Foundation, Inc. This is free software; see the source for copying conditions. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE." help=" Try \`$me --help' for more information." # Parse command line while test $# -gt 0 ; do case $1 in --time-stamp | --time* | -t ) echo "$timestamp" ; exit ;; --version | -v ) echo "$version" ; exit ;; --help | --h* | -h ) echo "$usage"; exit ;; -- ) # Stop option processing shift; break ;; - ) # Use stdin as input. break ;; -* ) echo "$me: invalid option $1$help" exit 1 ;; *local*) # First pass through any local machine types. echo $1 exit ;; * ) break ;; esac done case $# in 0) echo "$me: missing argument$help" >&2 exit 1;; 1) ;; *) echo "$me: too many arguments$help" >&2 exit 1;; esac # Separate what the user gave into CPU-COMPANY and OS or KERNEL-OS (if any). # Here we must recognize all the valid KERNEL-OS combinations. maybe_os=`echo $1 | sed 's/^\(.*\)-\([^-]*-[^-]*\)$/\2/'` case $maybe_os in nto-qnx* | linux-gnu* | linux-android* | linux-dietlibc | linux-newlib* | \ linux-musl* | linux-uclibc* | uclinux-uclibc* | uclinux-gnu* | kfreebsd*-gnu* | \ knetbsd*-gnu* | netbsd*-gnu* | \ kopensolaris*-gnu* | \ storm-chaos* | os2-emx* | rtmk-nova*) os=-$maybe_os basic_machine=`echo $1 | sed 's/^\(.*\)-\([^-]*-[^-]*\)$/\1/'` ;; android-linux) os=-linux-android basic_machine=`echo $1 | sed 's/^\(.*\)-\([^-]*-[^-]*\)$/\1/'`-unknown ;; *) basic_machine=`echo $1 | sed 's/-[^-]*$//'` if [ $basic_machine != $1 ] then os=`echo $1 | sed 's/.*-/-/'` else os=; fi ;; esac ### Let's recognize common machines as not being operating systems so ### that things like config.sub decstation-3100 work. 
We also ### recognize some manufacturers as not being operating systems, so we ### can provide default operating systems below. case $os in -sun*os*) # Prevent following clause from handling this invalid input. ;; -dec* | -mips* | -sequent* | -encore* | -pc532* | -sgi* | -sony* | \ -att* | -7300* | -3300* | -delta* | -motorola* | -sun[234]* | \ -unicom* | -ibm* | -next | -hp | -isi* | -apollo | -altos* | \ -convergent* | -ncr* | -news | -32* | -3600* | -3100* | -hitachi* |\ -c[123]* | -convex* | -sun | -crds | -omron* | -dg | -ultra | -tti* | \ -harris | -dolphin | -highlevel | -gould | -cbm | -ns | -masscomp | \ -apple | -axis | -knuth | -cray | -microblaze*) os= basic_machine=$1 ;; -bluegene*) os=-cnk ;; -sim | -cisco | -oki | -wec | -winbond) os= basic_machine=$1 ;; -scout) ;; -wrs) os=-vxworks basic_machine=$1 ;; -chorusos*) os=-chorusos basic_machine=$1 ;; -chorusrdb) os=-chorusrdb basic_machine=$1 ;; -hiux*) os=-hiuxwe2 ;; -sco6) os=-sco5v6 basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'` ;; -sco5) os=-sco3.2v5 basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'` ;; -sco4) os=-sco3.2v4 basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'` ;; -sco3.2.[4-9]*) os=`echo $os | sed -e 's/sco3.2./sco3.2v/'` basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'` ;; -sco3.2v[4-9]*) # Don't forget version if it is 3.2v4 or newer. basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'` ;; -sco5v6*) # Don't forget version if it is 3.2v4 or newer. 
basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'` ;; -sco*) os=-sco3.2v2 basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'` ;; -udk*) basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'` ;; -isc) os=-isc2.2 basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'` ;; -clix*) basic_machine=clipper-intergraph ;; -isc*) basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'` ;; -lynx*178) os=-lynxos178 ;; -lynx*5) os=-lynxos5 ;; -lynx*) os=-lynxos ;; -ptx*) basic_machine=`echo $1 | sed -e 's/86-.*/86-sequent/'` ;; -windowsnt*) os=`echo $os | sed -e 's/windowsnt/winnt/'` ;; -psos*) os=-psos ;; -mint | -mint[0-9]*) basic_machine=m68k-atari os=-mint ;; esac # Decode aliases for certain CPU-COMPANY combinations. case $basic_machine in # Recognize the basic CPU types without company name. # Some are omitted here because they have special meanings below. 1750a | 580 \ | a29k \ | aarch64 | aarch64_be \ | alpha | alphaev[4-8] | alphaev56 | alphaev6[78] | alphapca5[67] \ | alpha64 | alpha64ev[4-8] | alpha64ev56 | alpha64ev6[78] | alpha64pca5[67] \ | am33_2.0 \ | arc | arceb \ | arm | arm[bl]e | arme[lb] | armv[2-8] | armv[3-8][lb] | armv7[arm] \ | avr | avr32 \ | be32 | be64 \ | bfin \ | c4x | c8051 | clipper \ | d10v | d30v | dlx | dsp16xx \ | epiphany \ | fido | fr30 | frv \ | h8300 | h8500 | hppa | hppa1.[01] | hppa2.0 | hppa2.0[nw] | hppa64 \ | hexagon \ | i370 | i860 | i960 | ia64 \ | ip2k | iq2000 \ | k1om \ | le32 | le64 \ | lm32 \ | m32c | m32r | m32rle | m68000 | m68k | m88k \ | maxq | mb | microblaze | microblazeel | mcore | mep | metag \ | mips | mipsbe | mipseb | mipsel | mipsle \ | mips16 \ | mips64 | mips64el \ | mips64octeon | mips64octeonel \ | mips64orion | mips64orionel \ | mips64r5900 | mips64r5900el \ | mips64vr | mips64vrel \ | mips64vr4100 | mips64vr4100el \ | mips64vr4300 | mips64vr4300el \ | mips64vr5000 | mips64vr5000el \ | mips64vr5900 | mips64vr5900el \ | mipsisa32 | mipsisa32el \ | mipsisa32r2 | mipsisa32r2el \ | mipsisa32r6 | mipsisa32r6el \ | mipsisa64 | 
mipsisa64el \ | mipsisa64r2 | mipsisa64r2el \ | mipsisa64r6 | mipsisa64r6el \ | mipsisa64sb1 | mipsisa64sb1el \ | mipsisa64sr71k | mipsisa64sr71kel \ | mipsr5900 | mipsr5900el \ | mipstx39 | mipstx39el \ | mn10200 | mn10300 \ | moxie \ | mt \ | msp430 \ | nds32 | nds32le | nds32be \ | nios | nios2 | nios2eb | nios2el \ | ns16k | ns32k \ | open8 | or1k | or1knd | or32 \ | pdp10 | pdp11 | pj | pjl \ | powerpc | powerpc64 | powerpc64le | powerpcle \ | pyramid \ | riscv32 | riscv64 \ | rl78 | rx \ | score \ | sh | sh[1234] | sh[24]a | sh[24]aeb | sh[23]e | sh[34]eb | sheb | shbe | shle | sh[1234]le | sh3ele \ | sh64 | sh64le \ | sparc | sparc64 | sparc64b | sparc64v | sparc86x | sparclet | sparclite \ | sparcv8 | sparcv9 | sparcv9b | sparcv9v \ | spu \ | tahoe | tic4x | tic54x | tic55x | tic6x | tic80 | tron \ | ubicom32 \ | v850 | v850e | v850e1 | v850e2 | v850es | v850e2v3 \ | we32k \ | x86 | xc16x | xstormy16 | xtensa \ | z8k | z80) basic_machine=$basic_machine-unknown ;; c54x) basic_machine=tic54x-unknown ;; c55x) basic_machine=tic55x-unknown ;; c6x) basic_machine=tic6x-unknown ;; m6811 | m68hc11 | m6812 | m68hc12 | m68hcs12x | nvptx | picochip) basic_machine=$basic_machine-unknown os=-none ;; m88110 | m680[12346]0 | m683?2 | m68360 | m5200 | v70 | w65 | z8k) ;; ms1) basic_machine=mt-unknown ;; strongarm | thumb | xscale) basic_machine=arm-unknown ;; xgate) basic_machine=$basic_machine-unknown os=-none ;; xscaleeb) basic_machine=armeb-unknown ;; xscaleel) basic_machine=armel-unknown ;; # We use `pc' rather than `unknown' # because (1) that's what they normally are, and # (2) the word "unknown" tends to confuse beginning users. i*86 | x86_64) basic_machine=$basic_machine-pc ;; # Object if more than one company name word. *-*-*) echo Invalid configuration \`$1\': machine \`$basic_machine\' not recognized 1>&2 exit 1 ;; # Recognize the basic CPU types with company name. 
580-* \ | a29k-* \ | aarch64-* | aarch64_be-* \ | alpha-* | alphaev[4-8]-* | alphaev56-* | alphaev6[78]-* \ | alpha64-* | alpha64ev[4-8]-* | alpha64ev56-* | alpha64ev6[78]-* \ | alphapca5[67]-* | alpha64pca5[67]-* | arc-* | arceb-* \ | arm-* | armbe-* | armle-* | armeb-* | armv*-* \ | avr-* | avr32-* \ | be32-* | be64-* \ | bfin-* | bs2000-* \ | c[123]* | c30-* | [cjt]90-* | c4x-* \ | c8051-* | clipper-* | craynv-* | cydra-* \ | d10v-* | d30v-* | dlx-* \ | elxsi-* \ | f30[01]-* | f700-* | fido-* | fr30-* | frv-* | fx80-* \ | h8300-* | h8500-* \ | hppa-* | hppa1.[01]-* | hppa2.0-* | hppa2.0[nw]-* | hppa64-* \ | hexagon-* \ | i*86-* | i860-* | i960-* | ia64-* \ | ip2k-* | iq2000-* \ | k1om-* \ | le32-* | le64-* \ | lm32-* \ | m32c-* | m32r-* | m32rle-* \ | m68000-* | m680[012346]0-* | m68360-* | m683?2-* | m68k-* \ | m88110-* | m88k-* | maxq-* | mcore-* | metag-* \ | microblaze-* | microblazeel-* \ | mips-* | mipsbe-* | mipseb-* | mipsel-* | mipsle-* \ | mips16-* \ | mips64-* | mips64el-* \ | mips64octeon-* | mips64octeonel-* \ | mips64orion-* | mips64orionel-* \ | mips64r5900-* | mips64r5900el-* \ | mips64vr-* | mips64vrel-* \ | mips64vr4100-* | mips64vr4100el-* \ | mips64vr4300-* | mips64vr4300el-* \ | mips64vr5000-* | mips64vr5000el-* \ | mips64vr5900-* | mips64vr5900el-* \ | mipsisa32-* | mipsisa32el-* \ | mipsisa32r2-* | mipsisa32r2el-* \ | mipsisa32r6-* | mipsisa32r6el-* \ | mipsisa64-* | mipsisa64el-* \ | mipsisa64r2-* | mipsisa64r2el-* \ | mipsisa64r6-* | mipsisa64r6el-* \ | mipsisa64sb1-* | mipsisa64sb1el-* \ | mipsisa64sr71k-* | mipsisa64sr71kel-* \ | mipsr5900-* | mipsr5900el-* \ | mipstx39-* | mipstx39el-* \ | mmix-* \ | mt-* \ | msp430-* \ | nds32-* | nds32le-* | nds32be-* \ | nios-* | nios2-* | nios2eb-* | nios2el-* \ | none-* | np1-* | ns16k-* | ns32k-* \ | open8-* \ | or1k*-* \ | orion-* \ | pdp10-* | pdp11-* | pj-* | pjl-* | pn-* | power-* \ | powerpc-* | powerpc64-* | powerpc64le-* | powerpcle-* \ | pyramid-* \ | rl78-* | romp-* | rs6000-* | rx-* \ 
| sh-* | sh[1234]-* | sh[24]a-* | sh[24]aeb-* | sh[23]e-* | sh[34]eb-* | sheb-* | shbe-* \ | shle-* | sh[1234]le-* | sh3ele-* | sh64-* | sh64le-* \ | sparc-* | sparc64-* | sparc64b-* | sparc64v-* | sparc86x-* | sparclet-* \ | sparclite-* \ | sparcv8-* | sparcv9-* | sparcv9b-* | sparcv9v-* | sv1-* | sx?-* \ | tahoe-* \ | tic30-* | tic4x-* | tic54x-* | tic55x-* | tic6x-* | tic80-* \ | tile*-* \ | tron-* \ | ubicom32-* \ | v850-* | v850e-* | v850e1-* | v850es-* | v850e2-* | v850e2v3-* \ | vax-* \ | we32k-* \ | x86-* | x86_64-* | xc16x-* | xps100-* \ | xstormy16-* | xtensa*-* \ | ymp-* \ | z8k-* | z80-*) ;; # Recognize the basic CPU types without company name, with glob match. xtensa*) basic_machine=$basic_machine-unknown ;; # Recognize the various machine names and aliases which stand # for a CPU type and a company and sometimes even an OS. 386bsd) basic_machine=i386-unknown os=-bsd ;; 3b1 | 7300 | 7300-att | att-7300 | pc7300 | safari | unixpc) basic_machine=m68000-att ;; 3b*) basic_machine=we32k-att ;; a29khif) basic_machine=a29k-amd os=-udi ;; abacus) basic_machine=abacus-unknown ;; adobe68k) basic_machine=m68010-adobe os=-scout ;; alliant | fx80) basic_machine=fx80-alliant ;; altos | altos3068) basic_machine=m68k-altos ;; am29k) basic_machine=a29k-none os=-bsd ;; amd64) basic_machine=x86_64-pc ;; amd64-*) basic_machine=x86_64-`echo $basic_machine | sed 's/^[^-]*-//'` ;; amdahl) basic_machine=580-amdahl os=-sysv ;; amiga | amiga-*) basic_machine=m68k-unknown ;; amigaos | amigados) basic_machine=m68k-unknown os=-amigaos ;; amigaunix | amix) basic_machine=m68k-unknown os=-sysv4 ;; apollo68) basic_machine=m68k-apollo os=-sysv ;; apollo68bsd) basic_machine=m68k-apollo os=-bsd ;; aros) basic_machine=i386-pc os=-aros ;; aux) basic_machine=m68k-apple os=-aux ;; balance) basic_machine=ns32k-sequent os=-dynix ;; blackfin) basic_machine=bfin-unknown os=-linux ;; blackfin-*) basic_machine=bfin-`echo $basic_machine | sed 's/^[^-]*-//'` os=-linux ;; bluegene*) 
basic_machine=powerpc-ibm os=-cnk ;; c54x-*) basic_machine=tic54x-`echo $basic_machine | sed 's/^[^-]*-//'` ;; c55x-*) basic_machine=tic55x-`echo $basic_machine | sed 's/^[^-]*-//'` ;; c6x-*) basic_machine=tic6x-`echo $basic_machine | sed 's/^[^-]*-//'` ;; c90) basic_machine=c90-cray os=-unicos ;; cegcc) basic_machine=arm-unknown os=-cegcc ;; convex-c1) basic_machine=c1-convex os=-bsd ;; convex-c2) basic_machine=c2-convex os=-bsd ;; convex-c32) basic_machine=c32-convex os=-bsd ;; convex-c34) basic_machine=c34-convex os=-bsd ;; convex-c38) basic_machine=c38-convex os=-bsd ;; cray | j90) basic_machine=j90-cray os=-unicos ;; craynv) basic_machine=craynv-cray os=-unicosmp ;; cr16 | cr16-*) basic_machine=cr16-unknown os=-elf ;; crds | unos) basic_machine=m68k-crds ;; crisv32 | crisv32-* | etraxfs*) basic_machine=crisv32-axis ;; cris | cris-* | etrax*) basic_machine=cris-axis ;; crx) basic_machine=crx-unknown os=-elf ;; da30 | da30-*) basic_machine=m68k-da30 ;; decstation | decstation-3100 | pmax | pmax-* | pmin | dec3100 | decstatn) basic_machine=mips-dec ;; decsystem10* | dec10*) basic_machine=pdp10-dec os=-tops10 ;; decsystem20* | dec20*) basic_machine=pdp10-dec os=-tops20 ;; delta | 3300 | motorola-3300 | motorola-delta \ | 3300-motorola | delta-motorola) basic_machine=m68k-motorola ;; delta88) basic_machine=m88k-motorola os=-sysv3 ;; dicos) basic_machine=i686-pc os=-dicos ;; djgpp) basic_machine=i586-pc os=-msdosdjgpp ;; dpx20 | dpx20-*) basic_machine=rs6000-bull os=-bosx ;; dpx2* | dpx2*-bull) basic_machine=m68k-bull os=-sysv3 ;; ebmon29k) basic_machine=a29k-amd os=-ebmon ;; elxsi) basic_machine=elxsi-elxsi os=-bsd ;; encore | umax | mmax) basic_machine=ns32k-encore ;; es1800 | OSE68k | ose68k | ose | OSE) basic_machine=m68k-ericsson os=-ose ;; fx2800) basic_machine=i860-alliant ;; genix) basic_machine=ns32k-ns ;; gmicro) basic_machine=tron-gmicro os=-sysv ;; go32) basic_machine=i386-pc os=-go32 ;; h3050r* | hiux*) basic_machine=hppa1.1-hitachi os=-hiuxwe2 ;; 
h8300hms) basic_machine=h8300-hitachi os=-hms ;; h8300xray) basic_machine=h8300-hitachi os=-xray ;; h8500hms) basic_machine=h8500-hitachi os=-hms ;; harris) basic_machine=m88k-harris os=-sysv3 ;; hp300-*) basic_machine=m68k-hp ;; hp300bsd) basic_machine=m68k-hp os=-bsd ;; hp300hpux) basic_machine=m68k-hp os=-hpux ;; hp3k9[0-9][0-9] | hp9[0-9][0-9]) basic_machine=hppa1.0-hp ;; hp9k2[0-9][0-9] | hp9k31[0-9]) basic_machine=m68000-hp ;; hp9k3[2-9][0-9]) basic_machine=m68k-hp ;; hp9k6[0-9][0-9] | hp6[0-9][0-9]) basic_machine=hppa1.0-hp ;; hp9k7[0-79][0-9] | hp7[0-79][0-9]) basic_machine=hppa1.1-hp ;; hp9k78[0-9] | hp78[0-9]) # FIXME: really hppa2.0-hp basic_machine=hppa1.1-hp ;; hp9k8[67]1 | hp8[67]1 | hp9k80[24] | hp80[24] | hp9k8[78]9 | hp8[78]9 | hp9k893 | hp893) # FIXME: really hppa2.0-hp basic_machine=hppa1.1-hp ;; hp9k8[0-9][13679] | hp8[0-9][13679]) basic_machine=hppa1.1-hp ;; hp9k8[0-9][0-9] | hp8[0-9][0-9]) basic_machine=hppa1.0-hp ;; hppa-next) os=-nextstep3 ;; hppaosf) basic_machine=hppa1.1-hp os=-osf ;; hppro) basic_machine=hppa1.1-hp os=-proelf ;; i370-ibm* | ibm*) basic_machine=i370-ibm ;; i*86v32) basic_machine=`echo $1 | sed -e 's/86.*/86-pc/'` os=-sysv32 ;; i*86v4*) basic_machine=`echo $1 | sed -e 's/86.*/86-pc/'` os=-sysv4 ;; i*86v) basic_machine=`echo $1 | sed -e 's/86.*/86-pc/'` os=-sysv ;; i*86sol2) basic_machine=`echo $1 | sed -e 's/86.*/86-pc/'` os=-solaris2 ;; i386mach) basic_machine=i386-mach os=-mach ;; i386-vsta | vsta) basic_machine=i386-unknown os=-vsta ;; iris | iris4d) basic_machine=mips-sgi case $os in -irix*) ;; *) os=-irix4 ;; esac ;; isi68 | isi) basic_machine=m68k-isi os=-sysv ;; m68knommu) basic_machine=m68k-unknown os=-linux ;; m68knommu-*) basic_machine=m68k-`echo $basic_machine | sed 's/^[^-]*-//'` os=-linux ;; m88k-omron*) basic_machine=m88k-omron ;; magnum | m3230) basic_machine=mips-mips os=-sysv ;; merlin) basic_machine=ns32k-utek os=-sysv ;; microblaze*) basic_machine=microblaze-xilinx ;; mingw64) basic_machine=x86_64-pc 
os=-mingw64 ;; mingw32) basic_machine=i686-pc os=-mingw32 ;; mingw32ce) basic_machine=arm-unknown os=-mingw32ce ;; miniframe) basic_machine=m68000-convergent ;; *mint | -mint[0-9]* | *MiNT | *MiNT[0-9]*) basic_machine=m68k-atari os=-mint ;; mips3*-*) basic_machine=`echo $basic_machine | sed -e 's/mips3/mips64/'` ;; mips3*) basic_machine=`echo $basic_machine | sed -e 's/mips3/mips64/'`-unknown ;; monitor) basic_machine=m68k-rom68k os=-coff ;; morphos) basic_machine=powerpc-unknown os=-morphos ;; moxiebox) basic_machine=moxie-unknown os=-moxiebox ;; msdos) basic_machine=i386-pc os=-msdos ;; ms1-*) basic_machine=`echo $basic_machine | sed -e 's/ms1-/mt-/'` ;; msys) basic_machine=i686-pc os=-msys ;; mvs) basic_machine=i370-ibm os=-mvs ;; nacl) basic_machine=le32-unknown os=-nacl ;; ncr3000) basic_machine=i486-ncr os=-sysv4 ;; netbsd386) basic_machine=i386-unknown os=-netbsd ;; netwinder) basic_machine=armv4l-rebel os=-linux ;; news | news700 | news800 | news900) basic_machine=m68k-sony os=-newsos ;; news1000) basic_machine=m68030-sony os=-newsos ;; news-3600 | risc-news) basic_machine=mips-sony os=-newsos ;; necv70) basic_machine=v70-nec os=-sysv ;; next | m*-next ) basic_machine=m68k-next case $os in -nextstep* ) ;; -ns2*) os=-nextstep2 ;; *) os=-nextstep3 ;; esac ;; nh3000) basic_machine=m68k-harris os=-cxux ;; nh[45]000) basic_machine=m88k-harris os=-cxux ;; nindy960) basic_machine=i960-intel os=-nindy ;; mon960) basic_machine=i960-intel os=-mon960 ;; nonstopux) basic_machine=mips-compaq os=-nonstopux ;; np1) basic_machine=np1-gould ;; neo-tandem) basic_machine=neo-tandem ;; nse-tandem) basic_machine=nse-tandem ;; nsr-tandem) basic_machine=nsr-tandem ;; op50n-* | op60c-*) basic_machine=hppa1.1-oki os=-proelf ;; openrisc | openrisc-*) basic_machine=or32-unknown ;; os400) basic_machine=powerpc-ibm os=-os400 ;; OSE68000 | ose68000) basic_machine=m68000-ericsson os=-ose ;; os68k) basic_machine=m68k-none os=-os68k ;; pa-hitachi) basic_machine=hppa1.1-hitachi os=-hiuxwe2 
;; paragon) basic_machine=i860-intel os=-osf ;; parisc) basic_machine=hppa-unknown os=-linux ;; parisc-*) basic_machine=hppa-`echo $basic_machine | sed 's/^[^-]*-//'` os=-linux ;; pbd) basic_machine=sparc-tti ;; pbb) basic_machine=m68k-tti ;; pc532 | pc532-*) basic_machine=ns32k-pc532 ;; pc98) basic_machine=i386-pc ;; pc98-*) basic_machine=i386-`echo $basic_machine | sed 's/^[^-]*-//'` ;; pentium | p5 | k5 | k6 | nexgen | viac3) basic_machine=i586-pc ;; pentiumpro | p6 | 6x86 | athlon | athlon_*) basic_machine=i686-pc ;; pentiumii | pentium2 | pentiumiii | pentium3) basic_machine=i686-pc ;; pentium4) basic_machine=i786-pc ;; pentium-* | p5-* | k5-* | k6-* | nexgen-* | viac3-*) basic_machine=i586-`echo $basic_machine | sed 's/^[^-]*-//'` ;; pentiumpro-* | p6-* | 6x86-* | athlon-*) basic_machine=i686-`echo $basic_machine | sed 's/^[^-]*-//'` ;; pentiumii-* | pentium2-* | pentiumiii-* | pentium3-*) basic_machine=i686-`echo $basic_machine | sed 's/^[^-]*-//'` ;; pentium4-*) basic_machine=i786-`echo $basic_machine | sed 's/^[^-]*-//'` ;; pn) basic_machine=pn-gould ;; power) basic_machine=power-ibm ;; ppc | ppcbe) basic_machine=powerpc-unknown ;; ppc-* | ppcbe-*) basic_machine=powerpc-`echo $basic_machine | sed 's/^[^-]*-//'` ;; ppcle | powerpclittle | ppc-le | powerpc-little) basic_machine=powerpcle-unknown ;; ppcle-* | powerpclittle-*) basic_machine=powerpcle-`echo $basic_machine | sed 's/^[^-]*-//'` ;; ppc64) basic_machine=powerpc64-unknown ;; ppc64-*) basic_machine=powerpc64-`echo $basic_machine | sed 's/^[^-]*-//'` ;; ppc64le | powerpc64little | ppc64-le | powerpc64-little) basic_machine=powerpc64le-unknown ;; ppc64le-* | powerpc64little-*) basic_machine=powerpc64le-`echo $basic_machine | sed 's/^[^-]*-//'` ;; ps2) basic_machine=i386-ibm ;; pw32) basic_machine=i586-unknown os=-pw32 ;; rdos | rdos64) basic_machine=x86_64-pc os=-rdos ;; rdos32) basic_machine=i386-pc os=-rdos ;; rom68k) basic_machine=m68k-rom68k os=-coff ;; rm[46]00) basic_machine=mips-siemens ;; rtpc 
| rtpc-*) basic_machine=romp-ibm ;; s390 | s390-*) basic_machine=s390-ibm ;; s390x | s390x-*) basic_machine=s390x-ibm ;; sa29200) basic_machine=a29k-amd os=-udi ;; sb1) basic_machine=mipsisa64sb1-unknown ;; sb1el) basic_machine=mipsisa64sb1el-unknown ;; sde) basic_machine=mipsisa32-sde os=-elf ;; sei) basic_machine=mips-sei os=-seiux ;; sequent) basic_machine=i386-sequent ;; sh) basic_machine=sh-hitachi os=-hms ;; sh5el) basic_machine=sh5le-unknown ;; sh64) basic_machine=sh64-unknown ;; sparclite-wrs | simso-wrs) basic_machine=sparclite-wrs os=-vxworks ;; sps7) basic_machine=m68k-bull os=-sysv2 ;; spur) basic_machine=spur-unknown ;; st2000) basic_machine=m68k-tandem ;; stratus) basic_machine=i860-stratus os=-sysv4 ;; strongarm-* | thumb-*) basic_machine=arm-`echo $basic_machine | sed 's/^[^-]*-//'` ;; sun2) basic_machine=m68000-sun ;; sun2os3) basic_machine=m68000-sun os=-sunos3 ;; sun2os4) basic_machine=m68000-sun os=-sunos4 ;; sun3os3) basic_machine=m68k-sun os=-sunos3 ;; sun3os4) basic_machine=m68k-sun os=-sunos4 ;; sun4os3) basic_machine=sparc-sun os=-sunos3 ;; sun4os4) basic_machine=sparc-sun os=-sunos4 ;; sun4sol2) basic_machine=sparc-sun os=-solaris2 ;; sun3 | sun3-*) basic_machine=m68k-sun ;; sun4) basic_machine=sparc-sun ;; sun386 | sun386i | roadrunner) basic_machine=i386-sun ;; sv1) basic_machine=sv1-cray os=-unicos ;; symmetry) basic_machine=i386-sequent os=-dynix ;; t3e) basic_machine=alphaev5-cray os=-unicos ;; t90) basic_machine=t90-cray os=-unicos ;; tile*) basic_machine=$basic_machine-unknown os=-linux-gnu ;; tx39) basic_machine=mipstx39-unknown ;; tx39el) basic_machine=mipstx39el-unknown ;; toad1) basic_machine=pdp10-xkl os=-tops20 ;; tower | tower-32) basic_machine=m68k-ncr ;; tpf) basic_machine=s390x-ibm os=-tpf ;; udi29k) basic_machine=a29k-amd os=-udi ;; ultra3) basic_machine=a29k-nyu os=-sym1 ;; v810 | necv810) basic_machine=v810-nec os=-none ;; vaxv) basic_machine=vax-dec os=-sysv ;; vms) basic_machine=vax-dec os=-vms ;; vpp*|vx|vx-*) 
basic_machine=f301-fujitsu ;; vxworks960) basic_machine=i960-wrs os=-vxworks ;; vxworks68) basic_machine=m68k-wrs os=-vxworks ;; vxworks29k) basic_machine=a29k-wrs os=-vxworks ;; w65*) basic_machine=w65-wdc os=-none ;; w89k-*) basic_machine=hppa1.1-winbond os=-proelf ;; xbox) basic_machine=i686-pc os=-mingw32 ;; xps | xps100) basic_machine=xps100-honeywell ;; xscale-* | xscalee[bl]-*) basic_machine=`echo $basic_machine | sed 's/^xscale/arm/'` ;; ymp) basic_machine=ymp-cray os=-unicos ;; z8k-*-coff) basic_machine=z8k-unknown os=-sim ;; z80-*-coff) basic_machine=z80-unknown os=-sim ;; none) basic_machine=none-none os=-none ;; # Here we handle the default manufacturer of certain CPU types. It is in # some cases the only manufacturer, in others, it is the most popular. w89k) basic_machine=hppa1.1-winbond ;; op50n) basic_machine=hppa1.1-oki ;; op60c) basic_machine=hppa1.1-oki ;; romp) basic_machine=romp-ibm ;; mmix) basic_machine=mmix-knuth ;; rs6000) basic_machine=rs6000-ibm ;; vax) basic_machine=vax-dec ;; pdp10) # there are many clones, so DEC is not a safe bet basic_machine=pdp10-unknown ;; pdp11) basic_machine=pdp11-dec ;; we32k) basic_machine=we32k-att ;; sh[1234] | sh[24]a | sh[24]aeb | sh[34]eb | sh[1234]le | sh[23]ele) basic_machine=sh-unknown ;; sparc | sparcv8 | sparcv9 | sparcv9b | sparcv9v) basic_machine=sparc-sun ;; cydra) basic_machine=cydra-cydrome ;; orion) basic_machine=orion-highlevel ;; orion105) basic_machine=clipper-highlevel ;; mac | mpw | mac-mpw) basic_machine=m68k-apple ;; pmac | pmac-mpw) basic_machine=powerpc-apple ;; *-unknown) # Make sure to match an already-canonicalized machine name. ;; *) echo Invalid configuration \`$1\': machine \`$basic_machine\' not recognized 1>&2 exit 1 ;; esac # Here we canonicalize certain aliases for manufacturers. 
case $basic_machine in *-digital*) basic_machine=`echo $basic_machine | sed 's/digital.*/dec/'` ;; *-commodore*) basic_machine=`echo $basic_machine | sed 's/commodore.*/cbm/'` ;; *) ;; esac # Decode manufacturer-specific aliases for certain operating systems. if [ x"$os" != x"" ] then case $os in # First match some system type aliases # that might get confused with valid system types. # -solaris* is a basic system type, with this one exception. -auroraux) os=-auroraux ;; -solaris1 | -solaris1.*) os=`echo $os | sed -e 's|solaris1|sunos4|'` ;; -solaris) os=-solaris2 ;; -svr4*) os=-sysv4 ;; -unixware*) os=-sysv4.2uw ;; -gnu/linux*) os=`echo $os | sed -e 's|gnu/linux|linux-gnu|'` ;; # First accept the basic system types. # The portable systems comes first. # Each alternative MUST END IN A *, to match a version number. # -sysv* is not here because it comes later, after sysvr4. -gnu* | -bsd* | -mach* | -minix* | -genix* | -ultrix* | -irix* \ | -*vms* | -sco* | -esix* | -isc* | -aix* | -cnk* | -sunos | -sunos[34]*\ | -hpux* | -unos* | -osf* | -luna* | -dgux* | -auroraux* | -solaris* \ | -sym* | -kopensolaris* | -plan9* \ | -amigaos* | -amigados* | -msdos* | -newsos* | -unicos* | -aof* \ | -aos* | -aros* \ | -nindy* | -vxsim* | -vxworks* | -ebmon* | -hms* | -mvs* \ | -clix* | -riscos* | -uniplus* | -iris* | -rtu* | -xenix* \ | -hiux* | -386bsd* | -knetbsd* | -mirbsd* | -netbsd* \ | -bitrig* | -openbsd* | -solidbsd* \ | -ekkobsd* | -kfreebsd* | -freebsd* | -riscix* | -lynxos* \ | -bosx* | -nextstep* | -cxux* | -aout* | -elf* | -oabi* \ | -ptx* | -coff* | -ecoff* | -winnt* | -domain* | -vsta* \ | -udi* | -eabi* | -lites* | -ieee* | -go32* | -aux* \ | -chorusos* | -chorusrdb* | -cegcc* \ | -cygwin* | -msys* | -pe* | -psos* | -moss* | -proelf* | -rtems* \ | -mingw32* | -mingw64* | -linux-gnu* | -linux-android* \ | -linux-newlib* | -linux-musl* | -linux-uclibc* \ | -uxpv* | -beos* | -mpeix* | -udk* | -moxiebox* \ | -interix* | -uwin* | -mks* | -rhapsody* | -darwin* | -opened* \ 
| -openstep* | -oskit* | -conix* | -pw32* | -nonstopux* \ | -storm-chaos* | -tops10* | -tenex* | -tops20* | -its* \ | -os2* | -vos* | -palmos* | -uclinux* | -nucleus* \ | -morphos* | -superux* | -rtmk* | -rtmk-nova* | -windiss* \ | -powermax* | -dnix* | -nx6 | -nx7 | -sei* | -dragonfly* \ | -skyos* | -haiku* | -rdos* | -toppers* | -drops* | -es* | -tirtos*) # Remember, each alternative MUST END IN *, to match a version number. ;; -qnx*) case $basic_machine in x86-* | i*86-*) ;; *) os=-nto$os ;; esac ;; -nto-qnx*) ;; -nto*) os=`echo $os | sed -e 's|nto|nto-qnx|'` ;; -sim | -es1800* | -hms* | -xray | -os68k* | -none* | -v88r* \ | -windows* | -osx | -abug | -netware* | -os9* | -beos* | -haiku* \ | -macos* | -mpw* | -magic* | -mmixware* | -mon960* | -lnews*) ;; -mac*) os=`echo $os | sed -e 's|mac|macos|'` ;; -linux-dietlibc) os=-linux-dietlibc ;; -linux*) os=`echo $os | sed -e 's|linux|linux-gnu|'` ;; -sunos5*) os=`echo $os | sed -e 's|sunos5|solaris2|'` ;; -sunos6*) os=`echo $os | sed -e 's|sunos6|solaris3|'` ;; -opened*) os=-openedition ;; -os400*) os=-os400 ;; -wince*) os=-wince ;; -osfrose*) os=-osfrose ;; -osf*) os=-osf ;; -utek*) os=-bsd ;; -dynix*) os=-bsd ;; -acis*) os=-aos ;; -atheos*) os=-atheos ;; -syllable*) os=-syllable ;; -386bsd) os=-bsd ;; -ctix* | -uts*) os=-sysv ;; -nova*) os=-rtmk-nova ;; -ns2 ) os=-nextstep2 ;; -nsk*) os=-nsk ;; # Preserve the version number of sinix5. -sinix5.*) os=`echo $os | sed -e 's|sinix|sysv|'` ;; -sinix*) os=-sysv4 ;; -tpf*) os=-tpf ;; -triton*) os=-sysv3 ;; -oss*) os=-sysv3 ;; -svr4) os=-sysv4 ;; -svr3) os=-sysv3 ;; -sysvr4) os=-sysv4 ;; # This must come after -sysvr4. -sysv*) ;; -ose*) os=-ose ;; -es1800*) os=-ose ;; -xenix) os=-xenix ;; -*mint | -mint[0-9]* | -*MiNT | -MiNT[0-9]*) os=-mint ;; -aros*) os=-aros ;; -zvmoe) os=-zvmoe ;; -dicos*) os=-dicos ;; -nacl*) ;; -none) ;; *) # Get rid of the `-' at the beginning of $os. 
os=`echo $os | sed 's/[^-]*-//'` echo Invalid configuration \`$1\': system \`$os\' not recognized 1>&2 exit 1 ;; esac else # Here we handle the default operating systems that come with various machines. # The value should be what the vendor currently ships out the door with their # machine or put another way, the most popular os provided with the machine. # Note that if you're going to try to match "-MANUFACTURER" here (say, # "-sun"), then you have to tell the case statement up towards the top # that MANUFACTURER isn't an operating system. Otherwise, code above # will signal an error saying that MANUFACTURER isn't an operating # system, and we'll never get to this point. case $basic_machine in score-*) os=-elf ;; spu-*) os=-elf ;; *-acorn) os=-riscix1.2 ;; arm*-rebel) os=-linux ;; arm*-semi) os=-aout ;; c4x-* | tic4x-*) os=-coff ;; c8051-*) os=-elf ;; hexagon-*) os=-elf ;; tic54x-*) os=-coff ;; tic55x-*) os=-coff ;; tic6x-*) os=-coff ;; # This must come before the *-dec entry. pdp10-*) os=-tops20 ;; pdp11-*) os=-none ;; *-dec | vax-*) os=-ultrix4.2 ;; m68*-apollo) os=-domain ;; i386-sun) os=-sunos4.0.2 ;; m68000-sun) os=-sunos3 ;; m68*-cisco) os=-aout ;; mep-*) os=-elf ;; mips*-cisco) os=-elf ;; mips*-*) os=-elf ;; or32-*) os=-coff ;; *-tti) # must be before sparc entry or we get the wrong os. 
os=-sysv3 ;; sparc-* | *-sun) os=-sunos4.1.1 ;; *-be) os=-beos ;; *-haiku) os=-haiku ;; *-ibm) os=-aix ;; *-knuth) os=-mmixware ;; *-wec) os=-proelf ;; *-winbond) os=-proelf ;; *-oki) os=-proelf ;; *-hp) os=-hpux ;; *-hitachi) os=-hiux ;; i860-* | *-att | *-ncr | *-altos | *-motorola | *-convergent) os=-sysv ;; *-cbm) os=-amigaos ;; *-dg) os=-dgux ;; *-dolphin) os=-sysv3 ;; m68k-ccur) os=-rtu ;; m88k-omron*) os=-luna ;; *-next ) os=-nextstep ;; *-sequent) os=-ptx ;; *-crds) os=-unos ;; *-ns) os=-genix ;; i370-*) os=-mvs ;; *-next) os=-nextstep3 ;; *-gould) os=-sysv ;; *-highlevel) os=-bsd ;; *-encore) os=-bsd ;; *-sgi) os=-irix ;; *-siemens) os=-sysv4 ;; *-masscomp) os=-rtu ;; f30[01]-fujitsu | f700-fujitsu) os=-uxpv ;; *-rom68k) os=-coff ;; *-*bug) os=-coff ;; *-apple) os=-macos ;; *-atari*) os=-mint ;; *) os=-none ;; esac fi # Here we handle the case where we know the os, and the CPU type, but not the # manufacturer. We pick the logical manufacturer. vendor=unknown case $basic_machine in *-unknown) case $os in -riscix*) vendor=acorn ;; -sunos*) vendor=sun ;; -cnk*|-aix*) vendor=ibm ;; -beos*) vendor=be ;; -hpux*) vendor=hp ;; -mpeix*) vendor=hp ;; -hiux*) vendor=hitachi ;; -unos*) vendor=crds ;; -dgux*) vendor=dg ;; -luna*) vendor=omron ;; -genix*) vendor=ns ;; -mvs* | -opened*) vendor=ibm ;; -os400*) vendor=ibm ;; -ptx*) vendor=sequent ;; -tpf*) vendor=ibm ;; -vxsim* | -vxworks* | -windiss*) vendor=wrs ;; -aux*) vendor=apple ;; -hms*) vendor=hitachi ;; -mpw* | -macos*) vendor=apple ;; -*mint | -mint[0-9]* | -*MiNT | -MiNT[0-9]*) vendor=atari ;; -vos*) vendor=stratus ;; esac basic_machine=`echo $basic_machine | sed "s/unknown/$vendor/"` ;; esac echo $basic_machine$os exit # Local variables: # eval: (add-hook 'write-file-hooks 'time-stamp) # time-stamp-start: "timestamp='" # time-stamp-format: "%:y-%02m-%02d" # time-stamp-end: "'" # End: sagan-1.2.0/config.h.in0000644000175000017500000002475413310533435013604 0ustar champchamp/* config.h.in. 
Generated from configure.ac by autoheader. */ /* Define if building universal (internal helper macro) */ #undef AC_APPLE_UNIVERSAL_BUILD /* Sagan configuration file */ #undef CONFIG_FILE_PATH /* Define to 1 if you have the `access' function. */ #undef HAVE_ACCESS /* Support Altivec instructions */ #undef HAVE_ALTIVEC /* Define to 1 if you have the header file. */ #undef HAVE_ARPA_INET_H /* Support AVX (Advanced Vector Extensions) instructions */ #undef HAVE_AVX /* Define to 1 if you have the `connect' function. */ #undef HAVE_CONNECT /* Define to 1 if you have the header file. */ #undef HAVE_CTYPE_H /* Define to 1 if you have the header file. */ #undef HAVE_DNET_H /* Define to 1 if you have the header file. */ #undef HAVE_DUMBNET_H /* Define to 1 if you have the `dup2' function. */ #undef HAVE_DUP2 /* Define to 1 if you have the header file. */ #undef HAVE_ERRNO_H /* Define to 1 if you have the header file. */ #undef HAVE_FCNTL_H /* Define to 1 if you have the `fork' function. */ #undef HAVE_FORK /* Define to 1 if you have the `ftruncate' function. */ #undef HAVE_FTRUNCATE /* Define to 1 if you have the `gethostbyname' function. */ #undef HAVE_GETHOSTBYNAME /* Define to 1 if you have the header file. */ #undef HAVE_GETOPT_H /* Define to 1 if you have the `getopt_long' function. */ #undef HAVE_GETOPT_LONG /* F_GETPIPE_SZ is supported */ #undef HAVE_GETPIPE_SZ /* Define to 1 if you have the `gettimeofday' function. */ #undef HAVE_GETTIMEOFDAY /* Define to 1 if you have the `htons' function. */ #undef HAVE_HTONS /* Define to 1 if you have the header file. */ #undef HAVE_INTTYPES_H /* Define to 1 if you have the `curl' library (-lcurl). */ #undef HAVE_LIBCURL /* Define to 1 if you have the `dnet' library (-ldnet). */ #undef HAVE_LIBDNET /* Define to 1 if you have the `dumbnet' library (-ldumbnet). */ #undef HAVE_LIBDUMBNET /* Define to 1 if you have the `esmtp' library (-lesmtp). */ #undef HAVE_LIBESMTP /* Define to 1 if you have the `estr' library (-lestr). 
*/ #undef HAVE_LIBESTR /* Define to 1 if you have the `hiredis' library (-lhiredis). */ #undef HAVE_LIBHIREDIS /* Define to 1 if you have the `lognorm' library (-llognorm). */ #undef HAVE_LIBLOGNORM /* Define to 1 if you have the `m' library (-lm). */ #undef HAVE_LIBM /* Define to 1 if you have the `maxminddb' library (-lmaxminddb). */ #undef HAVE_LIBMAXMINDDB /* Define to 1 if you have the `pcap' library (-lpcap). */ #undef HAVE_LIBPCAP /* Define to 1 if you have the `pcre' library (-lpcre). */ #undef HAVE_LIBPCRE /* Define to 1 if you have the `pthread' library (-lpthread). */ #undef HAVE_LIBPTHREAD /* Define to 1 if you have the `rt' library (-lrt). */ #undef HAVE_LIBRT /* Define to 1 if you have the `yaml' library (-lyaml). */ #undef HAVE_LIBYAML /* Define to 1 if you have the header file. */ #undef HAVE_LIMITS_H /* Define to 1 if your system has a GNU libc compatible `malloc' function, and to 0 otherwise. */ #undef HAVE_MALLOC /* Define to 1 if you have the header file. */ #undef HAVE_MEMORY_H /* Define to 1 if you have the `memset' function. */ #undef HAVE_MEMSET /* Define to 1 if you have the `mmap' function. */ #undef HAVE_MMAP /* Support mmx instructions */ #undef HAVE_MMX /* Define to 1 if you have the header file. */ #undef HAVE_NETINET_IN_H /* Pcre pcre_free_study supported */ #undef HAVE_PCRE_FREE_STUDY /* Define to 1 if your system has a GNU libc compatible `realloc' function, and to 0 otherwise. */ #undef HAVE_REALLOC /* Define to 1 if you have the `recv' function. */ #undef HAVE_RECV /* Define to 1 if you have the `select' function. */ #undef HAVE_SELECT /* Define to 1 if you have the `send' function. */ #undef HAVE_SEND /* F_SETPIPE_SZ is supported */ #undef HAVE_SETPIPE_SZ /* Define to 1 if you have the `shm_open' function. */ #undef HAVE_SHM_OPEN /* Define to 1 if you have the `sizeof' function. */ #undef HAVE_SIZEOF /* Define to 1 if you have the `snprintf' function. */ #undef HAVE_SNPRINTF /* Define to 1 if you have the `socket' function. 
*/ #undef HAVE_SOCKET /* Support SSE (Streaming SIMD Extensions) instructions */ #undef HAVE_SSE /* Support SSE2 (Streaming SIMD Extensions 2) instructions */ #undef HAVE_SSE2 /* Support SSE3 (Streaming SIMD Extensions 3) instructions */ #undef HAVE_SSE3 /* Support SSSE4.1 (Streaming SIMD Extensions 4.1) instructions */ #undef HAVE_SSE4_1 /* Support SSSE4.2 (Streaming SIMD Extensions 4.2) instructions */ #undef HAVE_SSE4_2 /* Support SSSE3 (Supplemental Streaming SIMD Extensions 3) instructions */ #undef HAVE_SSSE3 /* Define to 1 if `stat' has the bug that it succeeds when given the zero-length file name argument. */ #undef HAVE_STAT_EMPTY_STRING_BUG /* Define to 1 if you have the header file. */ #undef HAVE_STDARG_H /* Define to 1 if you have the header file. */ #undef HAVE_STDBOOL_H /* Define to 1 if you have the header file. */ #undef HAVE_STDINT_H /* Define to 1 if you have the header file. */ #undef HAVE_STDIO_H /* Define to 1 if you have the header file. */ #undef HAVE_STDLIB_H /* Define to 1 if you have the `strchr' function. */ #undef HAVE_STRCHR /* Define to 1 if you have the `strcmp' function. */ #undef HAVE_STRCMP /* Define to 1 if you have the `strdup' function. */ #undef HAVE_STRDUP /* Define to 1 if you have the `strerror' function. */ #undef HAVE_STRERROR /* Define to 1 if you have the `strftime' function. */ #undef HAVE_STRFTIME /* Define to 1 if you have the header file. */ #undef HAVE_STRINGS_H /* Define to 1 if you have the header file. */ #undef HAVE_STRING_H /* Define to 1 if you have the `strlcat' function. */ #undef HAVE_STRLCAT /* Define to 1 if you have the `strlcpy' function. */ #undef HAVE_STRLCPY /* Define to 1 if you have the `strlen' function. */ #undef HAVE_STRLEN /* Define to 1 if you have the `strncat' function. */ #undef HAVE_STRNCAT /* Define to 1 if you have the `strspn' function. */ #undef HAVE_STRSPN /* Define to 1 if you have the `strstr' function. */ #undef HAVE_STRSTR /* Define to 1 if you have the header file. 
*/ #undef HAVE_SYS_MMAN_H /* Define to 1 if you have the header file. */ #undef HAVE_SYS_MMAP_H /* Define to 1 if you have the header file. */ #undef HAVE_SYS_PRCTL_H /* Define to 1 if you have the header file. */ #undef HAVE_SYS_SELECT_H /* Define to 1 if you have the header file. */ #undef HAVE_SYS_SOCKET_H /* Define to 1 if you have the header file. */ #undef HAVE_SYS_STAT_H /* Define to 1 if you have the header file. */ #undef HAVE_SYS_TIME_H /* Define to 1 if you have the header file. */ #undef HAVE_SYS_TYPES_H /* Define to 1 if you have that is POSIX.1 compatible. */ #undef HAVE_SYS_WAIT_H /* Define to 1 if you have the header file. */ #undef HAVE_TIME_H /* Define to 1 if you have the header file. */ #undef HAVE_UNISTD_H /* Define to 1 if you have the `vfork' function. */ #undef HAVE_VFORK /* Define to 1 if you have the header file. */ #undef HAVE_VFORK_H /* Define to 1 if `fork' works. */ #undef HAVE_WORKING_FORK /* Define to 1 if `vfork' works. */ #undef HAVE_WORKING_VFORK /* Define to 1 if you have the `write' function. */ #undef HAVE_WRITE /* Define to 1 if `lstat' dereferences a symlink specified with a trailing slash. */ #undef LSTAT_FOLLOWS_SLASHED_SYMLINK /* Pcre PCRE_EXTRA_MATCH_LIMIT_RECURSION not available */ #undef NO_PCRE_MATCH_RLIMIT /* Name of package */ #undef PACKAGE /* Define to the address where bug reports for this package should be sent. */ #undef PACKAGE_BUGREPORT /* Define to the full name of this package. */ #undef PACKAGE_NAME /* Define to the full name and version of this package. */ #undef PACKAGE_STRING /* Define to the one symbol short name of this package. */ #undef PACKAGE_TARNAME /* Define to the home page for this package. */ #undef PACKAGE_URL /* Define to the version of this package. */ #undef PACKAGE_VERSION /* Pcre with JIT compiler support enabled */ #undef PCRE_HAVE_JIT /* Define as the return type of signal handlers (`int' or `void'). */ #undef RETSIGTYPE /* Define to the type of arg 1 for `select'. 
*/ #undef SELECT_TYPE_ARG1 /* Define to the type of args 2, 3 and 4 for `select'. */ #undef SELECT_TYPE_ARG234 /* Define to the type of arg 5 for `select'. */ #undef SELECT_TYPE_ARG5 /* The size of `size_t', as computed by sizeof. */ #undef SIZEOF_SIZE_T /* Define to 1 if you have the ANSI C header files. */ #undef STDC_HEADERS /* Define to 1 if you can safely include both and . */ #undef TIME_WITH_SYS_TIME /* Define to 1 if your declares `struct tm'. */ #undef TM_IN_SYS_TIME /* Enable extensions on AIX 3, Interix. */ #ifndef _ALL_SOURCE # undef _ALL_SOURCE #endif /* Enable GNU extensions on systems that have them. */ #ifndef _GNU_SOURCE # undef _GNU_SOURCE #endif /* Enable threading extensions on Solaris. */ #ifndef _POSIX_PTHREAD_SEMANTICS # undef _POSIX_PTHREAD_SEMANTICS #endif /* Enable extensions on HP NonStop. */ #ifndef _TANDEM_SOURCE # undef _TANDEM_SOURCE #endif /* Enable general extensions on Solaris. */ #ifndef __EXTENSIONS__ # undef __EXTENSIONS__ #endif /* Version number of package */ #undef VERSION /* With Bluedot */ #undef WITH_BLUEDOT /* With Snortsam */ #undef WITH_SNORTSAM /* With Syslog */ #undef WITH_SYSLOG /* With system strstr */ #undef WITH_SYSSTRSTR /* Define WORDS_BIGENDIAN to 1 if your processor stores words with the most significant byte first (like Motorola and SPARC, unlike Intel). */ #if defined AC_APPLE_UNIVERSAL_BUILD # if defined __BIG_ENDIAN__ # define WORDS_BIGENDIAN 1 # endif #else # ifndef WORDS_BIGENDIAN # undef WORDS_BIGENDIAN # endif #endif /* Define to 1 if on MINIX. */ #undef _MINIX /* Define to 2 if the system does not provide POSIX.1 features except with this defined. */ #undef _POSIX_1_SOURCE /* Define to 1 if you need to in order for `stat' and other things to work. */ #undef _POSIX_SOURCE /* Define to empty if `const' does not conform to ANSI C. */ #undef const /* Define to rpl_malloc if the replacement function should be used. */ #undef malloc /* Define to `int' if does not define. 
*/ #undef pid_t /* Define to rpl_realloc if the replacement function should be used. */ #undef realloc /* Define to `unsigned int' if does not define. */ #undef size_t /* Define as `fork' if `vfork' does not work. */ #undef vfork sagan-1.2.0/configure.ac0000644000175000017500000005167713310531444014051 0ustar champchamp# -*- Autoconf -*- # Process this file with autoconf to produce a configure script. VERSION=`cat src/version.h | grep "#define VERSION " | sed -e 's/^.*\"\(.*\)\"/\1/'` AC_INIT([sagan], m4_esyscmd_s([cat src/version.h | cut -d\" -f2])) AC_CONFIG_SRCDIR([src]) AC_CANONICAL_SYSTEM AC_GNU_SOURCE AC_CONFIG_MACRO_DIR([m4]) AM_MAINTAINER_MODE([disable]) # Check OS AC_MSG_CHECKING([host os]) # If no host OS, try uname if test -z "$host" ; then host="`uname`" fi echo -n "installation for $host OS... " case "$host" in *-*-*freebsd*) CFLAGS="${CFLAGS} -D__FreeBSD__" CPPFLAGS="${CPPFLAGS} -I/usr/local/include -I/usr/local/include/libnet11" LDFLAGS="${LDFLAGS} -L/usr/local/lib -L/usr/local/lib/libnet11" ;; *-*-openbsd*) CFLAGS="${CFLAGS} -D__OpenBSD__" CPPFLAGS="${CPPFLAGS} -I/usr/local/include -I/usr/local/include/libnet-1.1" LDFLAGS="${LDFLAGS} -L/usr/local/lib -I/usr/local/lib/libnet-1.1" ;; *darwin*|*Darwin*) CFLAGS="${CFLAGS} -D__Darwin__" CPPFLAGS="${CPPFLAGS} -I/opt/local/include" LDFLAGS="${LDFLAGS} -L/opt/local/lib" ;; *-*-linux*) CFLAGS="${CFLAGS} -D__Linux__" #for now do nothing ;; # *-*-mingw32*) # CFLAGS="${CFLAGS} -DOS_WIN32" # LDFLAGS="${LDFLAGS} -lws2_32" # WINDOWS_PATH="yes" # ;; # *-*-cygwin) # WINDOWS_PATH="yes" # ;; # *-*-solaris*) # AC_MSG_WARN([support for Solaris/Illumos/SunOS is experimental]) # LDFLAGS="${LDFLAGS} -lsocket -lnsl" # ;; *) AC_MSG_WARN([unsupported OS this may or may not work]) ;; esac AC_MSG_RESULT(ok) AC_C_BIGENDIAN(AC_SUBST([ENDIAN],[big]),AC_SUBST([ENDIAN],[little])) AC_ARG_ENABLE(snortsam, [ --disable-snortsam Disable Snortsam support.], [ SNORTSAM="$enableval"], [ SNORTSAM="yes" ] ) AC_ARG_ENABLE(bluedot, [ 
--enable-bluedot Enable Quadrant\'s "Bluedot" lookups.], [ BLUEDOT="$enableval"], [ BLUEDOT="no" ] ) AC_ARG_ENABLE(esmtp, [ --enable-esmtp Enable libesmtp support.], [ ESMTP="$enableval"], [ ESMTP="no" ] ) AC_ARG_ENABLE(geoip2, [ --enable-geoip2 Enable Maxmind GeoIP2 support.], [ GEOIP2="$enableval"], [ GEOIP2="no" ] ) AC_ARG_ENABLE(syslog, [ --disable-syslog Disable syslog support.], [ SYSLOG="$enableval"], [ SYSLOG="yes" ] ) AC_ARG_ENABLE(system-strstr, [ --enable-system-strstr Enable system strstr.], [ SYSSTRSTR="$enableval"], [ SYSSTRSTR="no" ] ) AC_ARG_ENABLE(redis, [ --enable-redis Enable Redis support.], [ REDIS="$enableval"], [ REDIS="no" ] ) AC_ARG_WITH(esmtp_includes, [ --with-esmtp-includes=DIR libesmtp include directory], [with_esmtp_includes="$withval"],[with_esmtp_includes="no"]) AC_ARG_WITH(esmtp_libraries, [ --with-esmtp-libraries=DIR libesmtp library directory], [with_esmtp_libraries="$withval"],[with_esmtp_libraries="no"]) if test "x$with_esmtp_includes" != "xno"; then CPPFLAGS="${CPPFLAGS} -I${with_esmtp_includes}" fi if test "x$with_esmtp_libraries" != "xno"; then LDFLAGS="${LDFLAGS} -L${with_esmtp_libraries}" fi AC_ARG_WITH(geoip2_includes, [ --with-geoip2-includes=DIR Maxmind GeoIP2 include directory], [with_geoip2_includes="$withval"],[with_geoip2_includes="no"]) AC_ARG_WITH(geoip2_libraries, [ --with-geoip2-libraries=DIR Maxmind GeoIP2 library directory], [with_geoip2_libraries="$withval"],[with_geoip2_libraries="no"]) if test "x$with_geoip2_includes" != "xno"; then CPPFLAGS="${CPPFLAGS} -I${with_geoip2_includes}" fi if test "x$with_geoip2_libraries" != "xno"; then LDFLAGS="${LDFLAGS} -L${with_geoip2_libraries}" fi AC_ARG_ENABLE(lognorm, [ --disable-lognorm Disable Lognorm (liblognorm) support.], [ LOGNORM="$enableval"], [ LOGNORM="yes" ] ) AC_ARG_WITH(lognorm_includes, [ --with-lognorm-includes=DIR liblognorm include directory], [with_lognorm_includes="$withval"],[with_lognorm_includes="no"]) AC_ARG_WITH(lognorm_libraries, [ 
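--with-lognorm-libraries=DIR  liblognorm library directory],
[with_lognorm_libraries="$withval"],[with_lognorm_libraries="no"])

if test "x$with_lognorm_includes" != "xno"; then
    CPPFLAGS="${CPPFLAGS} -I${with_lognorm_includes}"
fi

if test "x$with_lognorm_libraries" != "xno"; then
    LDFLAGS="${LDFLAGS} -L${with_lognorm_libraries}"
fi

# --
# libfastjson: on by default. The --with-libfastjson-* options only add
# extra -I / -L search paths; they do not turn the feature on or off.

AC_ARG_ENABLE(libfastjson,
[  --disable-libfastjson          Disable libfastjson support.],
[ FASTJSON="$enableval"],
[ FASTJSON="yes" ]
)

AC_ARG_WITH(libfastjson_includes,
[  --with-libfastjson-includes=DIR   libfastjson include directory],
[with_libfastjson_includes="$withval"],[with_libfastjson_includes="no"])

# The first argument is the option name autoconf actually accepts. It used to
# be "libfastjson_c_libraries", so only the undocumented
# --with-libfastjson-c-libraries=DIR worked and the documented
# --with-libfastjson-libraries=DIR was reported as an unrecognized option and
# ignored. The name now matches the help text and the variable read below.
AC_ARG_WITH(libfastjson_libraries,
[  --with-libfastjson-libraries=DIR  libfastjson library directory],
[with_libfastjson_libraries="$withval"],[with_libfastjson_libraries="no"])

if test "x$with_libfastjson_includes" != "xno"; then
    CPPFLAGS="${CPPFLAGS} -I${with_libfastjson_includes}"
fi

if test "x$with_libfastjson_libraries" != "xno"; then
    LDFLAGS="${LDFLAGS} -L${with_libfastjson_libraries}"
fi

# --
# libpcap ("plog" sniffer mode): off by default, so the switch that changes
# anything is --enable-libpcap (the help text previously advertised
# --disable-libpcap, which is a no-op against a "no" default).

AC_ARG_ENABLE(libpcap,
[  --enable-libpcap               Enable libpcap (plog) support.],
[ LIBPCAP="$enableval"],
[ LIBPCAP="no" ]
)

AC_ARG_WITH(libpcap_includes,
[  --with-libpcap-includes=DIR   libpcap include directory],
[with_libpcap_includes="$withval"],[with_libpcap_includes="no"])

AC_ARG_WITH(libpcap_libraries,
[  --with-libpcap-libraries=DIR  libpcap library directory],
[with_libpcap_libraries="$withval"],[with_libpcap_libraries="no"])

if test "x$with_libpcap_includes" != "xno"; then
    CPPFLAGS="${CPPFLAGS} -I${with_libpcap_includes}"
fi

if test "x$with_libpcap_libraries" != "xno"; then
    LDFLAGS="${LDFLAGS} -L${with_libpcap_libraries}"
fi

# libdnet (unified2 output): off by default; --enable-libdnet turns it on.
# The help text said "Disable" for an --enable flag, which was misleading.

AC_ARG_ENABLE(libdnet,
[  --enable-libdnet               Enable libdnet (unified2) support.],
[ LIBDNET="$enableval"],
[ LIBDNET="no" ]
)

AC_ARG_WITH(libdnet_includes,
[  --with-libdnet-includes=DIR   libdnet include directory],
[with_libdnet_includes="$withval"],[with_libdnet_includes="no"])

AC_ARG_WITH(libdnet_libraries, [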
--with-libdnet-libraries=DIR libdnet library directory], [with_libdnet_libraries="$withval"],[with_libdnet_libraries="no"]) if test "x$with_libdnet_includes" != "xno"; then CPPFLAGS="${CPPFLAGS} -I${with_libdnet_includes}" fi if test "x$with_libdnet_libraries" != "xno"; then LDFLAGS="${LDFLAGS} -L${with_libdnet_libraries}" fi AC_SUBST(VERSION) AM_INIT_AUTOMAKE([subdir-objects]) AC_CONFIG_HEADER(config.h) # Checks for programs. AC_PROG_CC AC_PROG_INSTALL AC_LANG_C AC_PROG_MAKE_SET AM_PROG_CC_C_O PKG_PROG_PKG_CONFIG # Checks for header files. AC_HEADER_STDC AC_HEADER_SYS_WAIT AC_CHECK_HEADERS([stdio.h stdlib.h sys/types.h unistd.h stdint.h inttypes.h ctype.h errno.h fcntl.h sys/stat.h string.h getopt.h time.h stdarg.h limits.h stdbool.h arpa/inet.h netinet/in.h sys/time.h sys/socket.h sys/mmap.h sys/mman.h sys/prctl.h]) AC_CHECK_SIZEOF([size_t]) # F_SETPIPE_SZ in fcntl.h AC_MSG_CHECKING([for F_SETPIPE_SZ in fcntl.h]) AC_EGREP_CPP([yes_have_f_setpipe_sz], [ #define _GNU_SOURCE #include #ifdef F_SETPIPE_SZ yes_have_f_setpipe_sz #endif ], [ AC_MSG_RESULT([yes]) AC_DEFINE([HAVE_SETPIPE_SZ], [], [F_SETPIPE_SZ is supported]) ], [ AC_MSG_RESULT([no]) AC_MSG_NOTICE([F_SETPIPE_SZ not found, cannot alter FIFO]) ]) # F_GETPIPE_SZ in fcntl.h AC_MSG_CHECKING([for F_GETPIPE_SZ in fcntl.h]) AC_EGREP_CPP([yes_have_f_getpipe_sz], [ #define _GNU_SOURCE #include #ifdef F_GETPIPE_SZ yes_have_f_getpipe_sz #endif ], [ AC_MSG_RESULT([yes]) AC_DEFINE([HAVE_GETPIPE_SZ], [], [F_GETPIPE_SZ is supported]) ], [ AC_MSG_RESULT([no]) AC_MSG_NOTICE([F_GETPIPE_SZ not found, cannot alter FIFO]) ]) # Checks for typedefs, structures, and compiler characteristics. AC_C_CONST AC_HEADER_TIME # Checks for library functions. 
AC_PROG_GCC_TRADITIONAL AC_FUNC_MALLOC AC_FUNC_SELECT_ARGTYPES AC_FUNC_STAT AC_TYPE_SIGNAL AC_FUNC_STRFTIME AC_FUNC_FORK AC_FUNC_REALLOC AC_TYPE_PID_T AC_TYPE_SIZE_T AC_STRUCT_TM AX_EXT AM_PROG_AS AC_CHECK_FUNCS([select strstr strchr strcmp strlen sizeof write snprintf strncat strlcat strlcpy getopt_long gethostbyname socket htons connect send recv dup2 strspn strdup memset access ftruncate strerror mmap shm_open gettimeofday]) AC_CHECK_LIB(m, main,,AC_MSG_ERROR(Sagan needs libm!)) # OSX doesn't have librt - this needs to be fixed! AC_CHECK_LIB(rt, main,,AC_MSG_ERROR(Sagan needs librt!)) # libpthread AC_ARG_WITH(libpthread_includes, [ --with-libpthread-includes=DIR libpthread include directory], [with_libpthread_includes="$withval"],[with_libpthread_includes=no]) AC_ARG_WITH(libpthread_libraries, [ --with-libpthread-libraries=DIR libpthread library directory], [with_libpthread_libraries="$withval"],[with_libpthread_libraries="no"]) if test "$with_libpthread_includes" != "no"; then CPPFLAGS="${CPPFLAGS} -I${with_libpthread_includes}" fi dnl AC_CHECK_HEADER(pthread.h,,[AC_ERROR(pthread.h not found ...)]) if test "$with_libpthread_libraries" != "no"; then LDFLAGS="${LDFLAGS} -L${with_libpthread_libraries}" fi PTHREAD="" AC_CHECK_LIB(pthread, pthread_create,, PTHREAD="no") if test "$PTHREAD" = "no"; then echo echo " ERROR! 
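libpthread library not found,"
    echo
    exit 1
fi

# libyaml (mandatory: sagan.yaml is parsed with it)

AC_ARG_WITH(libyaml_includes,
[  --with-libyaml-includes=DIR   libyaml include directory],
[with_libyaml_includes="$withval"],[with_libyaml_includes=no])

AC_ARG_WITH(libyaml_libraries,
[  --with-libyaml-libraries=DIR  libyaml library directory],
[with_libyaml_libraries="$withval"],[with_libyaml_libraries="no"])

if test "$with_libyaml_includes" != "no"; then
    CPPFLAGS="${CPPFLAGS} -I${with_libyaml_includes}"
fi

# LIBYAML is initialised once, before BOTH checks, so that a missing yaml.h
# is reported through the same error path as a missing library. Previously
# the header check's LIBYAML="no" was clobbered by a LIBYAML="" placed just
# before the library check, so a missing header was only noticed at compile
# time.
LIBYAML=""
AC_CHECK_HEADER(yaml.h,,LIBYAML="no")

if test "$with_libyaml_libraries" != "no"; then
    LDFLAGS="${LDFLAGS} -L${with_libyaml_libraries}"
fi

AC_CHECK_LIB(yaml,yaml_parser_initialize,,LIBYAML="no")

if test "$LIBYAML" = "no"; then
    echo
    echo " ERROR! libyaml library not found, go get it"
    echo " from http://pyyaml.org/wiki/LibYAML "
    echo " or your distribution:"
    echo
    echo " Debian/Ubuntu: apt-get install libyaml-dev"
    echo " Fedora: yum install libyaml-devel"
    echo
    exit 1
fi

##############################################################################
# libpcre - This section was taken from the Suricata configure.ac. It does
# some extra checks and enabled PCRE JIT - 2016/11/01
##############################################################################

AC_ARG_WITH(libpcre_includes,
[  --with-libpcre-includes=DIR   libpcre include directory],
[with_libpcre_includes="$withval"],[with_libpcre_includes=no])

AC_ARG_WITH(libpcre_libraries,
[  --with-libpcre-libraries=DIR  libpcre library directory],
[with_libpcre_libraries="$withval"],[with_libpcre_libraries="no"])

if test "$with_libpcre_includes" != "no"; then
    CPPFLAGS="${CPPFLAGS} -I${with_libpcre_includes}"
fi

# The header is mandatory; fail immediately rather than carrying a flag.
AC_CHECK_HEADER(pcre.h,,[AC_ERROR(pcre.h not found ...)])

if test "$with_libpcre_libraries" != "no"; then
    LDFLAGS="${LDFLAGS} -L${with_libpcre_libraries}"
fi

PCRE=""
AC_CHECK_LIB(pcre, pcre_get_substring,, PCRE="no")

if test "$PCRE" = "no"; then
    echo
    echo " ERROR! pcre library not found, go get it"
    echo " from www.pcre.org."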
echo exit 1 fi # libpcre 8.35 (especially on debian) has a known issue that results in segfaults if test "$with_libpcre_libraries" = "no"; then PKG_CHECK_MODULES(LIBPCREVERSION, [libpcre = 8.35],[libpcre_buggy_found="yes"],[libprce_buggy_found="no"]) if test "$libpcre_buggy_found" = "yes"; then echo echo " Warning! vulnerable libpcre version 8.35 found" echo " This version has a known issue that could result in segfaults" echo " please upgrade to a newer version of pcre which you can get from" echo " www.pcre.org. For more information, see issue #1693" echo echo " Continuing for now with JIT disabled..." echo fi fi # To prevent duping the lib link we reset LIBS after this check. Setting action-if-found to NULL doesn't seem to work # see: http://blog.flameeyes.eu/2008/04/29/i-consider-ac_check_lib-harmful PCRE="" TMPLIBS="${LIBS}" AC_CHECK_LIB(pcre, pcre_dfa_exec,, PCRE="no") if test "$PCRE" = "no"; then echo echo " ERROR! pcre library was found but version was < 6.0" echo " please upgrade to a newer version of pcre which you can get from" echo " www.pcre.org." echo exit 1 fi LIBS="${TMPLIBS}" AC_TRY_COMPILE([ #include ], [ int eo = 0; eo |= PCRE_EXTRA_MATCH_LIMIT_RECURSION; ], [ pcre_match_limit_recursion_available=yes ], [:] ) if test "$pcre_match_limit_recursion_available" != "yes"; then echo echo " Warning! pcre extra opt PCRE_EXTRA_MATCH_LIMIT_RECURSION not found" echo " This could lead to potential DoS please upgrade to pcre >= 6.5" echo " from www.pcre.org." echo " Continuing for now...." 
echo AC_DEFINE([NO_PCRE_MATCH_RLIMIT],[1],[Pcre PCRE_EXTRA_MATCH_LIMIT_RECURSION not available]) fi TMPCFLAGS="${CFLAGS}" CFLAGS="-O0 -g -Werror -Wall" AC_TRY_COMPILE([ #include ], [ pcre_extra *extra = NULL; pcre_free_study(extra); ], [ AC_DEFINE([HAVE_PCRE_FREE_STUDY], [1], [Pcre pcre_free_study supported])], [:] ) CFLAGS="${TMPCFLAGS}" #enable support for PCRE-jit available since pcre-8.20 AC_MSG_CHECKING(for PCRE JIT support) AC_TRY_COMPILE([ #include ], [ int jit = 0; pcre_config(PCRE_CONFIG_JIT, &jit); ], [ pcre_jit_available=yes ], [ pcre_jit_available=no ] ) # bug 1693, libpcre 8.35 is broken and debian jessie is still using that if test "$libpcre_buggy_found" = "yes"; then pcre_jit_available="no, libpcre 8.35 blacklisted" fi if test "x$pcre_jit_available" = "xyes"; then AC_MSG_RESULT(yes) AC_DEFINE([PCRE_HAVE_JIT], [1], [Pcre with JIT compiler support enabled]) AC_MSG_CHECKING(for PCRE JIT support usability) AC_TRY_COMPILE([ #include ], [ const char* regexstr = "(a|b|c|d)"; pcre *re; const char *error; pcre_extra *extra; int err_offset; re = pcre_compile(regexstr,0, &error, &err_offset,NULL); extra = pcre_study(re, PCRE_STUDY_JIT_COMPILE, &error); if (extra == NULL) exit(EXIT_FAILURE); int jit = 0; int ret = pcre_fullinfo(re, extra, PCRE_INFO_JIT, &jit); if (ret != 0 || jit != 1) exit(EXIT_FAILURE); exit(EXIT_SUCCESS); ], [ pcre_jit_works=yes ], [:] ) if test "x$pcre_jit_works" != "xyes"; then AC_MSG_RESULT(no) echo echo " PCRE JIT support detection worked but testing it failed" echo " something odd is going on, please file a bug report." echo exit 1 else AC_MSG_RESULT(yes) fi else AC_MSG_RESULT(no) fi #### End of PCRE ############################################################ # We don't want to use the Sagan_strstr assembly code if this is a 32 bit # system. We force SYSSTRSR="yes" when it is. # 32 bit linux. 
case "${host}" in # Linux | i386 | 32 bit i386*-*-linux* | i686*-*-linux*) SYSSTRSTR="yes" ;; i386*-*-darwin* | i686*-*-darwin*) SYSSTRSTR="yes" ;; esac if test "$SYSSTRSTR" = "yes"; then AC_MSG_RESULT([using build in strstr()...]) AC_DEFINE(WITH_SYSSTRSTR, 1, With system strstr) fi if test "$SYSLOG" = "yes"; then AC_MSG_RESULT([------- Syslog support is enabled -------]) AC_CHECK_HEADER([syslog.h]) AC_DEFINE(WITH_SYSLOG, 1, With Syslog) fi if test "$REDIS" = "yes"; then AC_MSG_RESULT([------- Redis support is enabled -------]) AC_CHECK_HEADER([hiredis/hiredis.h]) AC_CHECK_LIB(hiredis, main,,AC_MSG_ERROR(The Hiredis (Redis) library cannot be found. If you're not interested in Redis support use the --disable-redis flag.)) fi if test "$GEOIP2" = "yes"; then AC_MSG_RESULT([------- Maxmind GeoIP2 support is enabled -------]) AC_CHECK_HEADER([maxminddb.h]) AC_CHECK_LIB(maxminddb, main,,AC_MSG_ERROR(The Maxmind GeoIP2 library cannot be found. If you're not interested in GeoIP2 support use the --disable-geoip2 flag.)) fi if test "$ESMTP" = "yes"; then AC_MSG_RESULT([------- libesmtp support is enabled -------]) AC_CHECK_HEADER([libesmtp.h]) AC_CHECK_LIB(esmtp, main,,AC_MSG_ERROR(The libesmtp library cannot be found. If you're not interested in libesmtp support use the --disable-esmtp flag.)) fi if test "$FASTJSON" = "yes"; then AC_MSG_RESULT([------- libfastjson support is enabled -------]) PKG_CHECK_MODULES(LIBFASTJSON, libfastjson >= 0.0.0) fi if test "$LOGNORM" = "yes"; then AC_MSG_RESULT([------- liblognorm support is enabled -------]) PKG_CHECK_MODULES(LIBESTR, libestr >= 0.0.0) PKG_CHECK_MODULES(LIBLOGNORM, lognorm >= 1.0.0) PKG_CHECK_MODULES(LIBFASTJSON, libfastjson >= 0.0.0) AC_CHECK_HEADER([liblognorm.h]) AC_CHECK_HEADER([libestr.h]) AC_CHECK_LIB(estr, main,,AC_MSG_ERROR(The libestr library cannot be found. This library is important for the correlation aspects of Sagan! Please see https://wiki.quadrantsec.com/bin/view/Main/LibLogNorm. 
To disable this feature use the --disable-lognorm flag. )) AC_CHECK_LIB(lognorm, main,,AC_MSG_ERROR(The liblognorm library cannot be found. This library is important for the correlation aspects of Sagan! Please see https://wiki.quadrantsec.com/bin/view/Main/LibLogNorm. To disable this feature use the --disable-lognorm flag. )) fi if test "$LIBPCAP" = "yes"; then AC_MSG_RESULT([------- libpcap support is enabled -------]) AC_CHECK_HEADER([pcap.h]) AC_CHECK_HEADER([net/if.h]) AC_CHECK_HEADER([net/if_arp.h]) AC_CHECK_HEADER([netinet/in_systm.h]) AC_CHECK_HEADER([netinet/if_ether.h]) AC_CHECK_HEADER([netinet/ip.h]) AC_CHECK_HEADER([netinet/udp.h]) AC_CHECK_LIB(pcap, main,,AC_MSG_ERROR(The libpcap library cannot be found. This library is used to run Sagan in a syslog 'sniffer' mode. Please see https://wiki.quadrantsec.com/bin/view/Main/PLog. To disable this feature use the --disable-libpcap flag. )) fi if test "$LIBDNET" = "yes"; then AC_MSG_RESULT([------- libdnet support is enabled -------]) AC_CHECK_HEADERS(dnet.h,,DNET_H="no") AC_CHECK_HEADERS(dumbnet.h,,DUMBNET_H="no") if test "x$DNET_H" = "xno" -a "x$DUMBNET_H" = "xno"; then echo echo " The libdnet headers cannot be found. This library is used for Sagan's" echo " Unified2 output support. Please see:" echo " https://wiki.quadrantsec.com/bin/view/Main/Unified2Output" echo " To disable this feature use the --disable-libdnet flag." exit 1 fi AC_CHECK_LIB(dnet, eth_set,,[DNET="no"]) AC_CHECK_LIB(dumbnet, eth_set,,[DUMBNET="no"]) if test "x$DNET" = "xno" -a "x$DUMBNET" = "xno"; then echo echo " The libdnet headers cannot be found. This library is used for Sagan's" echo " Unified2 output support. Please see:" echo " https://wiki.quadrantsec.com/bin/view/Main/Unified2Output" echo " To disable this feature use the --disable-libdnet flag." exit 1 fi fi if test "$BLUEDOT" = "yes"; then AC_MSG_RESULT([------- Quadrant "Bluedot" is enabled -------]) AC_CHECK_LIB(curl, main,,AC_MSG_ERROR(The libcurl library cannot be found. 
This library is used for Sagan's / "Bluedot" support. Please see https://quadrantsec.com for more information. To disable this feature use the --disable-bluedot flag. )) AC_DEFINE(WITH_BLUEDOT, 1, With Bluedot) AC_CHECK_HEADER([curl/curl.h]) PKG_CHECK_MODULES(LIBFASTJSON, libfastjson >= 0.0.0) fi if test "$SNORTSAM" = "yes"; then AC_MSG_RESULT([------- Snortsam support is enabled -------]) AC_DEFINE(WITH_SNORTSAM, 1, With Snortsam) fi test "x$prefix" = x. || test "x$prefix" = xNONE && prefix=/usr/local AC_DEFINE_UNQUOTED(CONFIG_FILE_PATH, "`eval echo "${sysconfdir}/sagan.yaml"`", [Sagan configuration file]) AC_DEFINE_UNQUOTED(PACKAGE_NAME, "sagan" ) AC_DEFINE_UNQUOTED(PACKAGE_STRING, "Sagan $VERSION") AC_DEFINE_UNQUOTED(PACKAGE_BUGREPORT, "cclark@quadrantsec.com" ) AC_DEFINE_UNQUOTED(PACKAGE_TARNAME, "sagan" ) AC_DEFINE_UNQUOTED(PACKAGE_VERSION, "$VERSION" ) AC_CONFIG_FILES([ \ Makefile \ src/Makefile \ tools/Makefile]) # AC_OUTPUT(Makefile) AC_OUTPUT AC_MSG_RESULT([]) AC_MSG_RESULT([ ,-._,-. Sagan has been configured!]) AC_MSG_RESULT([ \/)"(\/ ]) AC_MSG_RESULT([ (_o_) Champ Clark III & The Quadrant InfoSec Team [[quadrantsec.com]]]) AC_MSG_RESULT([ / \/) Copyright (C) 2009-2018 Quadrant Information Security, et al.]) AC_MSG_RESULT([ (|| ||) ]) AC_MSG_RESULT([ oo-oo ]) AC_MSG_RESULT([]) sagan-1.2.0/config.h.in~0000644000175000017500000002475413310531444014000 0ustar champchamp/* config.h.in. Generated from configure.ac by autoheader. */ /* Define if building universal (internal helper macro) */ #undef AC_APPLE_UNIVERSAL_BUILD /* Sagan configuration file */ #undef CONFIG_FILE_PATH /* Define to 1 if you have the `access' function. */ #undef HAVE_ACCESS /* Support Altivec instructions */ #undef HAVE_ALTIVEC /* Define to 1 if you have the header file. */ #undef HAVE_ARPA_INET_H /* Support AVX (Advanced Vector Extensions) instructions */ #undef HAVE_AVX /* Define to 1 if you have the `connect' function. */ #undef HAVE_CONNECT /* Define to 1 if you have the header file. 
*/ #undef HAVE_CTYPE_H /* Define to 1 if you have the header file. */ #undef HAVE_DNET_H /* Define to 1 if you have the header file. */ #undef HAVE_DUMBNET_H /* Define to 1 if you have the `dup2' function. */ #undef HAVE_DUP2 /* Define to 1 if you have the header file. */ #undef HAVE_ERRNO_H /* Define to 1 if you have the header file. */ #undef HAVE_FCNTL_H /* Define to 1 if you have the `fork' function. */ #undef HAVE_FORK /* Define to 1 if you have the `ftruncate' function. */ #undef HAVE_FTRUNCATE /* Define to 1 if you have the `gethostbyname' function. */ #undef HAVE_GETHOSTBYNAME /* Define to 1 if you have the header file. */ #undef HAVE_GETOPT_H /* Define to 1 if you have the `getopt_long' function. */ #undef HAVE_GETOPT_LONG /* F_GETPIPE_SZ is supported */ #undef HAVE_GETPIPE_SZ /* Define to 1 if you have the `gettimeofday' function. */ #undef HAVE_GETTIMEOFDAY /* Define to 1 if you have the `htons' function. */ #undef HAVE_HTONS /* Define to 1 if you have the header file. */ #undef HAVE_INTTYPES_H /* Define to 1 if you have the `curl' library (-lcurl). */ #undef HAVE_LIBCURL /* Define to 1 if you have the `dnet' library (-ldnet). */ #undef HAVE_LIBDNET /* Define to 1 if you have the `dumbnet' library (-ldumbnet). */ #undef HAVE_LIBDUMBNET /* Define to 1 if you have the `esmtp' library (-lesmtp). */ #undef HAVE_LIBESMTP /* Define to 1 if you have the `estr' library (-lestr). */ #undef HAVE_LIBESTR /* Define to 1 if you have the `hiredis' library (-lhiredis). */ #undef HAVE_LIBHIREDIS /* Define to 1 if you have the `lognorm' library (-llognorm). */ #undef HAVE_LIBLOGNORM /* Define to 1 if you have the `m' library (-lm). */ #undef HAVE_LIBM /* Define to 1 if you have the `maxminddb' library (-lmaxminddb). */ #undef HAVE_LIBMAXMINDDB /* Define to 1 if you have the `pcap' library (-lpcap). */ #undef HAVE_LIBPCAP /* Define to 1 if you have the `pcre' library (-lpcre). */ #undef HAVE_LIBPCRE /* Define to 1 if you have the `pthread' library (-lpthread). 
*/ #undef HAVE_LIBPTHREAD /* Define to 1 if you have the `rt' library (-lrt). */ #undef HAVE_LIBRT /* Define to 1 if you have the `yaml' library (-lyaml). */ #undef HAVE_LIBYAML /* Define to 1 if you have the header file. */ #undef HAVE_LIMITS_H /* Define to 1 if your system has a GNU libc compatible `malloc' function, and to 0 otherwise. */ #undef HAVE_MALLOC /* Define to 1 if you have the header file. */ #undef HAVE_MEMORY_H /* Define to 1 if you have the `memset' function. */ #undef HAVE_MEMSET /* Define to 1 if you have the `mmap' function. */ #undef HAVE_MMAP /* Support mmx instructions */ #undef HAVE_MMX /* Define to 1 if you have the header file. */ #undef HAVE_NETINET_IN_H /* Pcre pcre_free_study supported */ #undef HAVE_PCRE_FREE_STUDY /* Define to 1 if your system has a GNU libc compatible `realloc' function, and to 0 otherwise. */ #undef HAVE_REALLOC /* Define to 1 if you have the `recv' function. */ #undef HAVE_RECV /* Define to 1 if you have the `select' function. */ #undef HAVE_SELECT /* Define to 1 if you have the `send' function. */ #undef HAVE_SEND /* F_SETPIPE_SZ is supported */ #undef HAVE_SETPIPE_SZ /* Define to 1 if you have the `shm_open' function. */ #undef HAVE_SHM_OPEN /* Define to 1 if you have the `sizeof' function. */ #undef HAVE_SIZEOF /* Define to 1 if you have the `snprintf' function. */ #undef HAVE_SNPRINTF /* Define to 1 if you have the `socket' function. 
*/ #undef HAVE_SOCKET /* Support SSE (Streaming SIMD Extensions) instructions */ #undef HAVE_SSE /* Support SSE2 (Streaming SIMD Extensions 2) instructions */ #undef HAVE_SSE2 /* Support SSE3 (Streaming SIMD Extensions 3) instructions */ #undef HAVE_SSE3 /* Support SSSE4.1 (Streaming SIMD Extensions 4.1) instructions */ #undef HAVE_SSE4_1 /* Support SSSE4.2 (Streaming SIMD Extensions 4.2) instructions */ #undef HAVE_SSE4_2 /* Support SSSE3 (Supplemental Streaming SIMD Extensions 3) instructions */ #undef HAVE_SSSE3 /* Define to 1 if `stat' has the bug that it succeeds when given the zero-length file name argument. */ #undef HAVE_STAT_EMPTY_STRING_BUG /* Define to 1 if you have the header file. */ #undef HAVE_STDARG_H /* Define to 1 if you have the header file. */ #undef HAVE_STDBOOL_H /* Define to 1 if you have the header file. */ #undef HAVE_STDINT_H /* Define to 1 if you have the header file. */ #undef HAVE_STDIO_H /* Define to 1 if you have the header file. */ #undef HAVE_STDLIB_H /* Define to 1 if you have the `strchr' function. */ #undef HAVE_STRCHR /* Define to 1 if you have the `strcmp' function. */ #undef HAVE_STRCMP /* Define to 1 if you have the `strdup' function. */ #undef HAVE_STRDUP /* Define to 1 if you have the `strerror' function. */ #undef HAVE_STRERROR /* Define to 1 if you have the `strftime' function. */ #undef HAVE_STRFTIME /* Define to 1 if you have the header file. */ #undef HAVE_STRINGS_H /* Define to 1 if you have the header file. */ #undef HAVE_STRING_H /* Define to 1 if you have the `strlcat' function. */ #undef HAVE_STRLCAT /* Define to 1 if you have the `strlcpy' function. */ #undef HAVE_STRLCPY /* Define to 1 if you have the `strlen' function. */ #undef HAVE_STRLEN /* Define to 1 if you have the `strncat' function. */ #undef HAVE_STRNCAT /* Define to 1 if you have the `strspn' function. */ #undef HAVE_STRSPN /* Define to 1 if you have the `strstr' function. */ #undef HAVE_STRSTR /* Define to 1 if you have the header file. 
*/ #undef HAVE_SYS_MMAN_H /* Define to 1 if you have the header file. */ #undef HAVE_SYS_MMAP_H /* Define to 1 if you have the header file. */ #undef HAVE_SYS_PRCTL_H /* Define to 1 if you have the header file. */ #undef HAVE_SYS_SELECT_H /* Define to 1 if you have the header file. */ #undef HAVE_SYS_SOCKET_H /* Define to 1 if you have the header file. */ #undef HAVE_SYS_STAT_H /* Define to 1 if you have the header file. */ #undef HAVE_SYS_TIME_H /* Define to 1 if you have the header file. */ #undef HAVE_SYS_TYPES_H /* Define to 1 if you have that is POSIX.1 compatible. */ #undef HAVE_SYS_WAIT_H /* Define to 1 if you have the header file. */ #undef HAVE_TIME_H /* Define to 1 if you have the header file. */ #undef HAVE_UNISTD_H /* Define to 1 if you have the `vfork' function. */ #undef HAVE_VFORK /* Define to 1 if you have the header file. */ #undef HAVE_VFORK_H /* Define to 1 if `fork' works. */ #undef HAVE_WORKING_FORK /* Define to 1 if `vfork' works. */ #undef HAVE_WORKING_VFORK /* Define to 1 if you have the `write' function. */ #undef HAVE_WRITE /* Define to 1 if `lstat' dereferences a symlink specified with a trailing slash. */ #undef LSTAT_FOLLOWS_SLASHED_SYMLINK /* Pcre PCRE_EXTRA_MATCH_LIMIT_RECURSION not available */ #undef NO_PCRE_MATCH_RLIMIT /* Name of package */ #undef PACKAGE /* Define to the address where bug reports for this package should be sent. */ #undef PACKAGE_BUGREPORT /* Define to the full name of this package. */ #undef PACKAGE_NAME /* Define to the full name and version of this package. */ #undef PACKAGE_STRING /* Define to the one symbol short name of this package. */ #undef PACKAGE_TARNAME /* Define to the home page for this package. */ #undef PACKAGE_URL /* Define to the version of this package. */ #undef PACKAGE_VERSION /* Pcre with JIT compiler support enabled */ #undef PCRE_HAVE_JIT /* Define as the return type of signal handlers (`int' or `void'). */ #undef RETSIGTYPE /* Define to the type of arg 1 for `select'. 
*/ #undef SELECT_TYPE_ARG1 /* Define to the type of args 2, 3 and 4 for `select'. */ #undef SELECT_TYPE_ARG234 /* Define to the type of arg 5 for `select'. */ #undef SELECT_TYPE_ARG5 /* The size of `size_t', as computed by sizeof. */ #undef SIZEOF_SIZE_T /* Define to 1 if you have the ANSI C header files. */ #undef STDC_HEADERS /* Define to 1 if you can safely include both and . */ #undef TIME_WITH_SYS_TIME /* Define to 1 if your declares `struct tm'. */ #undef TM_IN_SYS_TIME /* Enable extensions on AIX 3, Interix. */ #ifndef _ALL_SOURCE # undef _ALL_SOURCE #endif /* Enable GNU extensions on systems that have them. */ #ifndef _GNU_SOURCE # undef _GNU_SOURCE #endif /* Enable threading extensions on Solaris. */ #ifndef _POSIX_PTHREAD_SEMANTICS # undef _POSIX_PTHREAD_SEMANTICS #endif /* Enable extensions on HP NonStop. */ #ifndef _TANDEM_SOURCE # undef _TANDEM_SOURCE #endif /* Enable general extensions on Solaris. */ #ifndef __EXTENSIONS__ # undef __EXTENSIONS__ #endif /* Version number of package */ #undef VERSION /* With Bluedot */ #undef WITH_BLUEDOT /* With Snortsam */ #undef WITH_SNORTSAM /* With Syslog */ #undef WITH_SYSLOG /* With system strstr */ #undef WITH_SYSSTRSTR /* Define WORDS_BIGENDIAN to 1 if your processor stores words with the most significant byte first (like Motorola and SPARC, unlike Intel). */ #if defined AC_APPLE_UNIVERSAL_BUILD # if defined __BIG_ENDIAN__ # define WORDS_BIGENDIAN 1 # endif #else # ifndef WORDS_BIGENDIAN # undef WORDS_BIGENDIAN # endif #endif /* Define to 1 if on MINIX. */ #undef _MINIX /* Define to 2 if the system does not provide POSIX.1 features except with this defined. */ #undef _POSIX_1_SOURCE /* Define to 1 if you need to in order for `stat' and other things to work. */ #undef _POSIX_SOURCE /* Define to empty if `const' does not conform to ANSI C. */ #undef const /* Define to rpl_malloc if the replacement function should be used. */ #undef malloc /* Define to `int' if does not define. 
*/ #undef pid_t /* Define to rpl_realloc if the replacement function should be used. */ #undef realloc /* Define to `unsigned int' if does not define. */ #undef size_t /* Define as `fork' if `vfork' does not work. */ #undef vfork sagan-1.2.0/compile0000755000175000017500000001624513310533436013134 0ustar champchamp#! /bin/sh # Wrapper for compilers which do not understand '-c -o'. scriptversion=2012-10-14.11; # UTC # Copyright (C) 1999-2013 Free Software Foundation, Inc. # Written by Tom Tromey . # # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation; either version 2, or (at your option) # any later version. # # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with this program. If not, see . # As a special exception to the GNU General Public License, if you # distribute this file as part of a program that contains a # configuration script generated by Autoconf, you may include it under # the same distribution terms that you use for the rest of that program. # This file is maintained in Automake, please report # bugs to or send patches to # . nl=' ' # We need space, tab and new line, in precisely that order. Quoting is # there to prevent tools from complaining about whitespace usage. IFS=" "" $nl" file_conv= # func_file_conv build_file lazy # Convert a $build file to $host form and store it in $file # Currently only supports Windows hosts. If the determined conversion # type is listed in (the comma separated) LAZY, no conversion will # take place. 
func_file_conv () { file=$1 case $file in / | /[!/]*) # absolute file, and not a UNC file if test -z "$file_conv"; then # lazily determine how to convert abs files case `uname -s` in MINGW*) file_conv=mingw ;; CYGWIN*) file_conv=cygwin ;; *) file_conv=wine ;; esac fi case $file_conv/,$2, in *,$file_conv,*) ;; mingw/*) file=`cmd //C echo "$file " | sed -e 's/"\(.*\) " *$/\1/'` ;; cygwin/*) file=`cygpath -m "$file" || echo "$file"` ;; wine/*) file=`winepath -w "$file" || echo "$file"` ;; esac ;; esac } # func_cl_dashL linkdir # Make cl look for libraries in LINKDIR func_cl_dashL () { func_file_conv "$1" if test -z "$lib_path"; then lib_path=$file else lib_path="$lib_path;$file" fi linker_opts="$linker_opts -LIBPATH:$file" } # func_cl_dashl library # Do a library search-path lookup for cl func_cl_dashl () { lib=$1 found=no save_IFS=$IFS IFS=';' for dir in $lib_path $LIB do IFS=$save_IFS if $shared && test -f "$dir/$lib.dll.lib"; then found=yes lib=$dir/$lib.dll.lib break fi if test -f "$dir/$lib.lib"; then found=yes lib=$dir/$lib.lib break fi if test -f "$dir/lib$lib.a"; then found=yes lib=$dir/lib$lib.a break fi done IFS=$save_IFS if test "$found" != yes; then lib=$lib.lib fi } # func_cl_wrapper cl arg... # Adjust compile command to suit cl func_cl_wrapper () { # Assume a capable shell lib_path= shared=: linker_opts= for arg do if test -n "$eat"; then eat= else case $1 in -o) # configure might choose to run compile as 'compile cc -o foo foo.c'. 
eat=1 case $2 in *.o | *.[oO][bB][jJ]) func_file_conv "$2" set x "$@" -Fo"$file" shift ;; *) func_file_conv "$2" set x "$@" -Fe"$file" shift ;; esac ;; -I) eat=1 func_file_conv "$2" mingw set x "$@" -I"$file" shift ;; -I*) func_file_conv "${1#-I}" mingw set x "$@" -I"$file" shift ;; -l) eat=1 func_cl_dashl "$2" set x "$@" "$lib" shift ;; -l*) func_cl_dashl "${1#-l}" set x "$@" "$lib" shift ;; -L) eat=1 func_cl_dashL "$2" ;; -L*) func_cl_dashL "${1#-L}" ;; -static) shared=false ;; -Wl,*) arg=${1#-Wl,} save_ifs="$IFS"; IFS=',' for flag in $arg; do IFS="$save_ifs" linker_opts="$linker_opts $flag" done IFS="$save_ifs" ;; -Xlinker) eat=1 linker_opts="$linker_opts $2" ;; -*) set x "$@" "$1" shift ;; *.cc | *.CC | *.cxx | *.CXX | *.[cC]++) func_file_conv "$1" set x "$@" -Tp"$file" shift ;; *.c | *.cpp | *.CPP | *.lib | *.LIB | *.Lib | *.OBJ | *.obj | *.[oO]) func_file_conv "$1" mingw set x "$@" "$file" shift ;; *) set x "$@" "$1" shift ;; esac fi shift done if test -n "$linker_opts"; then linker_opts="-link$linker_opts" fi exec "$@" $linker_opts exit 1 } eat= case $1 in '') echo "$0: No command. Try '$0 --help' for more information." 1>&2 exit 1; ;; -h | --h*) cat <<\EOF Usage: compile [--help] [--version] PROGRAM [ARGS] Wrapper for compilers which do not understand '-c -o'. Remove '-o dest.o' from ARGS, run PROGRAM with the remaining arguments, and rename the output as expected. If you are trying to build a whole package this is not the right script to run: please start by reading the file 'INSTALL'. Report bugs to . EOF exit $? ;; -v | --v*) echo "compile $scriptversion" exit $? ;; cl | *[/\\]cl | cl.exe | *[/\\]cl.exe ) func_cl_wrapper "$@" # Doesn't return... ;; esac ofile= cfile= for arg do if test -n "$eat"; then eat= else case $1 in -o) # configure might choose to run compile as 'compile cc -o foo foo.c'. # So we strip '-o arg' only if arg is an object. 
eat=1 case $2 in *.o | *.obj) ofile=$2 ;; *) set x "$@" -o "$2" shift ;; esac ;; *.c) cfile=$1 set x "$@" "$1" shift ;; *) set x "$@" "$1" shift ;; esac fi shift done if test -z "$ofile" || test -z "$cfile"; then # If no '-o' option was seen then we might have been invoked from a # pattern rule where we don't need one. That is ok -- this is a # normal compilation that the losing compiler can handle. If no # '.c' file was seen then we are probably linking. That is also # ok. exec "$@" fi # Name of file we expect compiler to create. cofile=`echo "$cfile" | sed 's|^.*[\\/]||; s|^[a-zA-Z]:||; s/\.c$/.o/'` # Create the lock directory. # Note: use '[/\\:.-]' here to ensure that we don't use the same name # that we are using for the .o file. Also, base the name on the expected # object file name, since that is what matters with a parallel build. lockdir=`echo "$cofile" | sed -e 's|[/\\:.-]|_|g'`.d while true; do if mkdir "$lockdir" >/dev/null 2>&1; then break fi sleep 1 done # FIXME: race condition here if user kills between mkdir and trap. trap "rmdir '$lockdir'; exit 1" 1 2 15 # Run the compile. "$@" ret=$? if test -f "$cofile"; then test "$cofile" = "$ofile" || mv "$cofile" "$ofile" elif test -f "${cofile}bj"; then test "${cofile}bj" = "$ofile" || mv "${cofile}bj" "$ofile" fi rmdir "$lockdir" exit $ret # Local Variables: # mode: shell-script # sh-indentation: 2 # eval: (add-hook 'write-file-hooks 'time-stamp) # time-stamp-start: "scriptversion=" # time-stamp-format: "%:y-%02m-%02d.%02H" # time-stamp-time-zone: "UTC" # time-stamp-end: "; # UTC" # End: sagan-1.2.0/AUTHORS0000644000175000017500000000021113310531444012605 0ustar champchampPrimary code development was done by Champ Clark III (champ@quadrantsec.com). 
For more contributors, please see: src/sagan-credits.c sagan-1.2.0/src/0000755000175000017500000000000013310533436012335 5ustar champchampsagan-1.2.0/src/json-handler.h0000644000175000017500000000301413310531444015065 0ustar champchamp/* ** Copyright (C) 2009-2018 Quadrant Information Security ** Copyright (C) 2009-2018 Champ Clark III ** ** This program is free software; you can redistribute it and/or modify ** it under the terms of the GNU General Public License Version 2 as ** published by the Free Software Foundation. You may not use, modify or ** distribute this program under any other version of the GNU General ** Public License. ** ** This program is distributed in the hope that it will be useful, ** but WITHOUT ANY WARRANTY; without even the implied warranty of ** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ** GNU General Public License for more details. ** ** You should have received a copy of the GNU General Public License ** along with this program; if not, write to the Free Software ** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. 
*/ /* sagan-json.h * * Functions that handle JSON output * */ #include void Format_JSON_Alert_EVE( _Sagan_Event *, char *, size_t); /* Suricata EVE Alert output */ #define EVE_ALERT "{\"timestamp\":\"\%s\",\"flow_id\":%" PRIu64 ",\"in_iface\":\"%s\",\"event_type\":\"alert\",\"src_ip\":\"%s\",\"src_port\":%d,\"dest_ip\":\"%s\",\"dest_port\":%d,\"proto\":\"%s\",\"alert\":{\"action\":\"%s\",\"gid\":%lu,\"signature_id\":%s,\"rev\":%s,\"signature\":\"%s\",\"category\":\"%s\",\"severity\":%d},\"payload\":\"%s\",\"stream\":0,\"packet\":\"%s\",\"packet_info\":{\"linktype\":1},\"xff\":\"%s\",\"normalize\":%s}" sagan-1.2.0/src/Makefile.am0000644000175000017500000001053013310531444014365 0ustar champchampACLOCAL_AMFLAGS = -I m4 AUTOMAKE_OPIONS=foreign no-dependencies subdir-objects bin_PROGRAMS = sagan sagan_CPPFLAGS = -I$(top_srcdir) $(LIBFASTJSON_CFLAGS) $(LIBESTR_CFLAGS) sagan_LDADD = $(LIBFASTJSON_LIBS) $(LIBLOGNORM_LIBS) $(LIBESTR_LIBS) sagan_SOURCES = sagan.c \ classifications.c \ config-yaml.c \ lockfile.c \ references.c \ rules.c \ signal-handler.c \ key.c \ stats.c \ usage.c \ plog.c \ output.c \ processor.c \ gen-msg.c \ liblognormalize.c \ ignore-list.c \ send-alert.c \ credits.c \ protocol-map.c \ geoip2.c \ meta-content.c \ redis.c \ xbit.c \ xbit-mmap.c \ xbit-redis.c \ flow.c\ aetas.c \ ipc.c \ util.c \ after.c \ threshold.c \ util-time.c \ util-strlcpy.c \ util-strlcat.c \ util-base64.c \ json-handler.c \ parsers/ip.c \ parsers/port.c \ parsers/proto.c \ parsers/hash.c \ parsers/strstr-asm/strstr-hook.c \ parsers/strstr-asm/strstr_sse2.S \ parsers/strstr-asm/strstr_sse4_2.S \ output-plugins/alert.c \ output-plugins/fast.c \ output-plugins/esmtp.c \ output-plugins/external.c \ output-plugins/unified2.c \ output-plugins/snortsam-twofish.c \ output-plugins/snortsam.c \ output-plugins/syslog-handler.c \ output-plugins/eve.c \ processors/engine.c \ processors/track-clients.c \ processors/bluedot.c \ processors/blacklist.c \ processors/perfmon.c \ 
processors/bro-intel.c \ processors/dynamic-rules.c install-data-local: sagan-1.2.0/src/xbit.h0000644000175000017500000000220513310531444013450 0ustar champchamp/* ** Copyright (C) 2009-2018 Quadrant Information Security ** Copyright (C) 2009-2018 Champ Clark III ** ** This program is free software; you can redistribute it and/or modify ** it under the terms of the GNU General Public License Version 2 as ** published by the Free Software Foundation. You may not use, modify or ** distribute this program under any other version of the GNU General ** Public License. ** ** This program is distributed in the hope that it will be useful, ** but WITHOUT ANY WARRANTY; without even the implied warranty of ** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ** GNU General Public License for more details. ** ** You should have received a copy of the GNU General Public License ** along with this program; if not, write to the Free Software ** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. */ int Xbit_Type ( char *, int, const char *); sbool Xbit_Condition ( int, char *, char *, int, int, char * ); sbool Xbit_Count ( int, char *, char *, char * ); void Xbit_Set(int, char *, char *, int ,int, char *, _Sagan_Proc_Syslog * ); sagan-1.2.0/src/threshold.c0000644000175000017500000005440413310531444014501 0ustar champchamp/* ** Copyright (C) 2009-2018 Quadrant Information Security ** Copyright (C) 2009-2018 Champ Clark III ** ** This program is free software; you can redistribute it and/or modify ** it under the terms of the GNU General Public License Version 2 as ** published by the Free Software Foundation. You may not use, modify or ** distribute this program under any other version of the GNU General ** Public License. ** ** This program is distributed in the hope that it will be useful, ** but WITHOUT ANY WARRANTY; without even the implied warranty of ** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the ** GNU General Public License for more details. ** ** You should have received a copy of the GNU General Public License ** along with this program; if not, write to the Free Software ** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. */ /* threshold.c - Logic for "threshold" in rules */ /* TODO: Need to test IPC limits for threshold/after/client tracking */ /* DEBUG: Forgot port information */ #ifdef HAVE_CONFIG_H #include "config.h" /* From autoconf */ #endif #include #include #include #include #include #include "sagan.h" #include "sagan-defs.h" #include "sagan-config.h" #include "rules.h" #include "threshold.h" #include "ipc.h" pthread_mutex_t Thresh_By_Src_Mutex=PTHREAD_MUTEX_INITIALIZER; pthread_mutex_t Thresh_By_Dst_Mutex=PTHREAD_MUTEX_INITIALIZER; pthread_mutex_t Thresh_By_Src_Port_Mutex=PTHREAD_MUTEX_INITIALIZER; pthread_mutex_t Thresh_By_Dst_Port_Mutex=PTHREAD_MUTEX_INITIALIZER; pthread_mutex_t Thresh_By_Username_Mutex=PTHREAD_MUTEX_INITIALIZER; struct thresh_by_src_ipc *threshbysrc_ipc; struct thresh_by_dst_ipc *threshbydst_ipc; struct thresh_by_srcport_ipc *threshbysrcport_ipc; struct thresh_by_dstport_ipc *threshbydstport_ipc; struct thresh_by_username_ipc *threshbyusername_ipc; struct _Sagan_IPC_Counters *counters_ipc; struct _SaganCounters *counters; struct _Rule_Struct *rulestruct; struct _SaganDebug *debug; struct _SaganConfig *config; /***********************/ /* Threshold by source */ /***********************/ sbool Thresh_By_Src ( int rule_position, char *ip_src, unsigned char *ip_src_bits, char *selector, char *syslog_message ) { time_t t; struct tm *now; char timet[20]; sbool thresh_log_flag = false; uint64_t thresh_oldtime; int i; t = time(NULL); now=localtime(&t); strftime(timet, sizeof(timet), "%s", now); /* Check array for matching src / sid */ for (i = 0; i < counters_ipc->thresh_count_by_src; i++ ) { /* Short circuit if no selector match */ if ( ( selector == NULL && threshbysrc_ipc[i].selector[0] != 
'\0') || ( selector != NULL && 0 != strcmp(selector, threshbysrc_ipc[i].selector)) ) { continue; } if ( !memcmp(threshbysrc_ipc[i].ipsrc, ip_src_bits, sizeof(threshbysrc_ipc[i].ipsrc)) && !strcmp(threshbysrc_ipc[i].sid, rulestruct[rule_position].s_sid )) { File_Lock(config->shm_thresh_by_src); pthread_mutex_lock(&Thresh_By_Src_Mutex); threshbysrc_ipc[i].count++; thresh_oldtime = atol(timet) - threshbysrc_ipc[i].utime; threshbysrc_ipc[i].utime = atol(timet); strlcpy(threshbysrc_ipc[i].syslog_message, syslog_message, sizeof(threshbysrc_ipc[i].syslog_message)); strlcpy(threshbysrc_ipc[i].signature_msg, rulestruct[rule_position].s_msg, sizeof(threshbysrc_ipc[i].signature_msg)); if ( thresh_oldtime > rulestruct[rule_position].threshold_seconds ) { threshbysrc_ipc[i].count=1; threshbysrc_ipc[i].utime = atol(timet); thresh_log_flag = false; } if ( rulestruct[rule_position].threshold_count < threshbysrc_ipc[i].count ) { thresh_log_flag = true; if ( debug->debuglimits ) { Sagan_Log(NORMAL, "Threshold SID %s by source IP address. [%s]", threshbysrc_ipc[i].sid, ip_src); } counters->threshold_total++; } pthread_mutex_unlock(&Thresh_By_Src_Mutex); File_Unlock(config->shm_thresh_by_src); return(thresh_log_flag); } } /* If not found, add it to the array */ if ( Clean_IPC_Object(THRESH_BY_SRC) == 0 ) { File_Lock(config->shm_thresh_by_src); pthread_mutex_lock(&Thresh_By_Src_Mutex); memcpy(threshbysrc_ipc[counters_ipc->thresh_count_by_src].ipsrc, ip_src_bits, sizeof(threshbysrc_ipc[counters_ipc->thresh_count_by_src].ipsrc)); strlcpy(threshbysrc_ipc[counters_ipc->thresh_count_by_src].sid, rulestruct[rule_position].s_sid, sizeof(threshbysrc_ipc[counters_ipc->thresh_count_by_src].sid)); selector == NULL ? 
threshbysrc_ipc[counters_ipc->thresh_count_by_src].selector[0] = '\0' : strlcpy(threshbysrc_ipc[counters_ipc->thresh_count_by_src].selector, selector, MAXSELECTOR); threshbysrc_ipc[counters_ipc->thresh_count_by_src].count = 1; threshbysrc_ipc[counters_ipc->thresh_count_by_src].utime = atol(timet); threshbysrc_ipc[counters_ipc->thresh_count_by_src].expire = rulestruct[rule_position].threshold_seconds; strlcpy(threshbysrc_ipc[counters_ipc->thresh_count_by_src].syslog_message, syslog_message, sizeof(threshbysrc_ipc[counters_ipc->thresh_count_by_src].syslog_message)); strlcpy(threshbysrc_ipc[counters_ipc->thresh_count_by_src].signature_msg, rulestruct[rule_position].s_msg, sizeof(threshbysrc_ipc[counters_ipc->thresh_count_by_src].signature_msg)); counters_ipc->thresh_count_by_src++; pthread_mutex_unlock(&Thresh_By_Src_Mutex); File_Unlock(config->shm_thresh_by_src); } return(false); } /****************************/ /* Threshold by destination */ /****************************/ sbool Thresh_By_Dst ( int rule_position, char *ip_dst, unsigned char *ip_dst_bits, char *selector, char *syslog_message ) { time_t t; struct tm *now; char timet[20]; sbool thresh_log_flag = false; uint64_t thresh_oldtime; int i; t = time(NULL); now=localtime(&t); strftime(timet, sizeof(timet), "%s", now); /* Check array for matching dst / sid */ for (i = 0; i < counters_ipc->thresh_count_by_dst; i++ ) { /* Short circuit if no selector match */ if ( ( selector == NULL && threshbydst_ipc[i].selector[0] != '\0') || ( selector != NULL && 0 != strcmp(selector, threshbydst_ipc[i].selector)) ) { continue; } if ( !memcmp(threshbydst_ipc[i].ipdst, ip_dst_bits, sizeof(threshbydst_ipc[i].ipdst)) && !strcmp(threshbydst_ipc[i].sid, rulestruct[rule_position].s_sid )) { File_Lock(config->shm_thresh_by_dst); pthread_mutex_lock(&Thresh_By_Dst_Mutex); threshbydst_ipc[i].count++; thresh_oldtime = atol(timet) - threshbydst_ipc[i].utime; threshbydst_ipc[i].utime = atol(timet); strlcpy(threshbydst_ipc[i].syslog_message, 
syslog_message, sizeof(threshbydst_ipc[i].syslog_message)); strlcpy(threshbydst_ipc[i].signature_msg, rulestruct[rule_position].s_msg, sizeof(threshbydst_ipc[i].signature_msg)); if ( thresh_oldtime > rulestruct[rule_position].threshold_seconds ) { threshbydst_ipc[i].count=1; threshbydst_ipc[i].utime = atol(timet); thresh_log_flag = false; } if ( rulestruct[rule_position].threshold_count < threshbydst_ipc[i].count ) { thresh_log_flag = true; if ( debug->debuglimits ) { Sagan_Log(NORMAL, "Threshold SID %s by destination IP address. [%s]", threshbydst_ipc[i].sid, ip_dst); } counters->threshold_total++; } pthread_mutex_unlock(&Thresh_By_Dst_Mutex); File_Unlock(config->shm_thresh_by_dst); return(thresh_log_flag); } } /* If not found, add it to the array */ if ( Clean_IPC_Object(THRESH_BY_DST) == 0 ) { File_Lock(config->shm_thresh_by_dst); pthread_mutex_lock(&Thresh_By_Dst_Mutex); memcpy(threshbydst_ipc[counters_ipc->thresh_count_by_dst].ipdst, ip_dst_bits, sizeof(threshbydst_ipc[counters_ipc->thresh_count_by_dst].ipdst)); strlcpy(threshbydst_ipc[counters_ipc->thresh_count_by_dst].sid, rulestruct[rule_position].s_sid, sizeof(threshbydst_ipc[counters_ipc->thresh_count_by_dst].sid)); selector == NULL ? 
threshbydst_ipc[counters_ipc->thresh_count_by_dst].selector[0] = '\0' : strlcpy(threshbydst_ipc[counters_ipc->thresh_count_by_dst].selector, selector, MAXSELECTOR); threshbydst_ipc[counters_ipc->thresh_count_by_dst].count = 1; threshbydst_ipc[counters_ipc->thresh_count_by_dst].utime = atol(timet); threshbydst_ipc[counters_ipc->thresh_count_by_dst].expire = rulestruct[rule_position].threshold_seconds; strlcpy(threshbydst_ipc[counters_ipc->thresh_count_by_dst].syslog_message, syslog_message, sizeof(threshbydst_ipc[counters_ipc->thresh_count_by_dst].syslog_message)); strlcpy(threshbydst_ipc[counters_ipc->thresh_count_by_dst].signature_msg, rulestruct[rule_position].s_msg, sizeof(threshbydst_ipc[counters_ipc->thresh_count_by_dst].signature_msg)); counters_ipc->thresh_count_by_dst++; pthread_mutex_unlock(&Thresh_By_Dst_Mutex); File_Unlock(config->shm_thresh_by_dst); } return(false); } /*************************/ /* Threshold by username */ /*************************/ sbool Thresh_By_Username( int rule_position, char *normalize_username, char *selector, char *syslog_message ) { time_t t; struct tm *now; char timet[20]; sbool thresh_log_flag = false; uint64_t thresh_oldtime; int i; t = time(NULL); now=localtime(&t); strftime(timet, sizeof(timet), "%s", now); /* Check array fror matching username / sid */ for (i = 0; i < counters_ipc->thresh_count_by_username; i++) { /* Short circuit if no selector match */ if ( ( selector == NULL && threshbyusername_ipc[i].selector[0] != '\0') || ( selector != NULL && 0 != strcmp(selector, threshbyusername_ipc[i].selector)) ) { continue; } if ( !strcmp(threshbyusername_ipc[rule_position].username, normalize_username) && !strcmp(threshbyusername_ipc[rule_position].sid, rulestruct[rule_position].s_sid )) { File_Lock(config->shm_thresh_by_username); pthread_mutex_lock(&Thresh_By_Username_Mutex); threshbyusername_ipc[rule_position].count++; thresh_oldtime = atol(timet) - threshbyusername_ipc[rule_position].utime; 
threshbyusername_ipc[rule_position].utime = atol(timet); strlcpy(threshbyusername_ipc[i].syslog_message, syslog_message, sizeof(threshbyusername_ipc[i].syslog_message)); strlcpy(threshbyusername_ipc[i].signature_msg, rulestruct[rule_position].s_msg, sizeof(threshbyusername_ipc[i].signature_msg)); if ( thresh_oldtime > rulestruct[rule_position].threshold_seconds ) { threshbyusername_ipc[rule_position].count=1; threshbyusername_ipc[rule_position].utime = atol(timet); thresh_log_flag = false; } if ( rulestruct[rule_position].threshold_count < threshbyusername_ipc[rule_position].count ) { thresh_log_flag = true; if ( debug->debuglimits ) { Sagan_Log(NORMAL, "Threshold SID %s by_username / by_string. [%s]", threshbyusername_ipc[rule_position].sid, normalize_username); } counters->threshold_total++; } pthread_mutex_unlock(&Thresh_By_Username_Mutex); File_Unlock(config->shm_thresh_by_username); return(thresh_log_flag); } } /* Username not found, add it to array */ if ( Clean_IPC_Object(THRESH_BY_USERNAME) == 0 ) { File_Lock(config->shm_thresh_by_username); pthread_mutex_lock(&Thresh_By_Username_Mutex); strlcpy(threshbyusername_ipc[counters_ipc->thresh_count_by_username].username, normalize_username, sizeof(threshbyusername_ipc[counters_ipc->thresh_count_by_username].username)); strlcpy(threshbyusername_ipc[counters_ipc->thresh_count_by_username].sid, rulestruct[rule_position].s_sid, sizeof(threshbyusername_ipc[counters_ipc->thresh_count_by_username].sid)); selector == NULL ? 
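threshbyusername_ipc[counters_ipc->thresh_count_by_username].selector[0] = '\0' : strlcpy(threshbyusername_ipc[counters_ipc->thresh_count_by_username].selector, selector, MAXSELECTOR);
        threshbyusername_ipc[counters_ipc->thresh_count_by_username].count = 1;
        threshbyusername_ipc[counters_ipc->thresh_count_by_username].utime = atol(timet);
        threshbyusername_ipc[counters_ipc->thresh_count_by_username].expire = rulestruct[rule_position].threshold_seconds;
        strlcpy(threshbyusername_ipc[counters_ipc->thresh_count_by_username].syslog_message, syslog_message, sizeof(threshbyusername_ipc[counters_ipc->thresh_count_by_username].syslog_message));
        strlcpy(threshbyusername_ipc[counters_ipc->thresh_count_by_username].signature_msg, rulestruct[rule_position].s_msg, sizeof(threshbyusername_ipc[counters_ipc->thresh_count_by_username].signature_msg));

        counters_ipc->thresh_count_by_username++;

        pthread_mutex_unlock(&Thresh_By_Username_Mutex);
        File_Unlock(config->shm_thresh_by_username);
    }

    return(false);
}

/*********************************/
/* Threshold by destination port */
/*********************************/

/****************************************************************************
 * Thresh_By_DstPort - Counts how often the rule at rulestruct[rule_position]
 * has fired for destination port ip_dstport_u32, optionally scoped by
 * selector, inside a window of rulestruct[rule_position].threshold_seconds.
 *
 * rule_position  - index into rulestruct[] of the rule being evaluated.
 * ip_dstport_u32 - destination port the event carried.
 * selector       - NULL matches only table entries with an empty selector;
 *                  otherwise the entry's selector must compare equal.
 *
 * Returns true when the count within the window exceeds
 * rulestruct[rule_position].threshold_count, false otherwise.  A port/sid
 * pair not yet in the shared threshbydstport_ipc[] table is appended (when
 * Clean_IPC_Object() reports 0) and returns false.
 *
 * Locking: File_Lock()/pthread mutex only guard the update of a matched or
 * appended entry; the scan of the table itself runs unlocked.
 *
 * Fix: the table was previously indexed by rule_position inside the scan
 * loop (while the selector check used i).  rule_position is a rulestruct[]
 * index that bears no relation to thresh_count_by_dstport, so the lookup
 * could compare and update the wrong entry or read past the populated part
 * of the table.  The loop index i is used throughout now.
 ****************************************************************************/
sbool Thresh_By_DstPort( int rule_position, uint32_t ip_dstport_u32, char *selector )
{
    time_t t;
    struct tm *now;
    char timet[20];

    sbool thresh_log_flag = false;
    uint64_t thresh_oldtime;

    int i;

    t = time(NULL);
    now = localtime(&t);
    strftime(timet, sizeof(timet), "%s", now);   /* epoch seconds as text; atol() below turns it back into a number */

    /* Check array for matching dst port / sid */
    for (i = 0; i < counters_ipc->thresh_count_by_dstport; i++ )
    {
        /* Short circuit if no selector match */
        if ( ( selector == NULL && threshbydstport_ipc[i].selector[0] != '\0') ||
             ( selector != NULL && 0 != strcmp(selector, threshbydstport_ipc[i].selector)) )
        {
            continue;
        }

        if ( threshbydstport_ipc[i].ipdstport == ip_dstport_u32 &&
             !strcmp(threshbydstport_ipc[i].sid, rulestruct[rule_position].s_sid ))
        {
            File_Lock(config->shm_thresh_by_dstport);
            pthread_mutex_lock(&Thresh_By_Dst_Port_Mutex);

            threshbydstport_ipc[i].count++;

            /* NOTE(review): unsigned subtraction - if utime is ahead of the
               current time (clock step) this wraps to a huge value and the
               entry is simply treated as expired below. */
            thresh_oldtime = atol(timet) - threshbydstport_ipc[i].utime;
            threshbydstport_ipc[i].utime = atol(timet);

            /* Window elapsed: restart the count with this event */
            if ( thresh_oldtime > rulestruct[rule_position].threshold_seconds )
            {
                threshbydstport_ipc[i].count = 1;
                threshbydstport_ipc[i].utime = atol(timet);
                thresh_log_flag = false;
            }

            if ( rulestruct[rule_position].threshold_count < threshbydstport_ipc[i].count )
            {
                thresh_log_flag = true;

                if ( debug->debuglimits )
                {
                    /* %u, not %s: ip_dstport_u32 is an integer, passing it to %s is undefined behaviour */
                    Sagan_Log(NORMAL, "Threshold SID %s by destination IP port. [%u]", threshbydstport_ipc[i].sid, ip_dstport_u32);
                }

                counters->threshold_total++;
            }

            pthread_mutex_unlock(&Thresh_By_Dst_Port_Mutex);
            File_Unlock(config->shm_thresh_by_dstport);

            return(thresh_log_flag);
        }
    }

    /* If not found, add it to the array.  Clean_IPC_Object() is assumed to
       guarantee that slot thresh_count_by_dstport is writable when it
       returns 0 - confirm. */
    if ( Clean_IPC_Object(THRESH_BY_DSTPORT) == 0 )
    {
        File_Lock(config->shm_thresh_by_dstport);
        pthread_mutex_lock(&Thresh_By_Dst_Port_Mutex);

        threshbydstport_ipc[counters_ipc->thresh_count_by_dstport].ipdstport = ip_dstport_u32;
        strlcpy(threshbydstport_ipc[counters_ipc->thresh_count_by_dstport].sid, rulestruct[rule_position].s_sid, sizeof(threshbydstport_ipc[counters_ipc->thresh_count_by_dstport].sid));

        if ( selector == NULL )
        {
            threshbydstport_ipc[counters_ipc->thresh_count_by_dstport].selector[0] = '\0';
        }
        else
        {
            strlcpy(threshbydstport_ipc[counters_ipc->thresh_count_by_dstport].selector, selector, MAXSELECTOR);
        }

        threshbydstport_ipc[counters_ipc->thresh_count_by_dstport].count = 1;
        threshbydstport_ipc[counters_ipc->thresh_count_by_dstport].utime = atol(timet);
        threshbydstport_ipc[counters_ipc->thresh_count_by_dstport].expire = rulestruct[rule_position].threshold_seconds;

        counters_ipc->thresh_count_by_dstport++;

        pthread_mutex_unlock(&Thresh_By_Dst_Port_Mutex);
        File_Unlock(config->shm_thresh_by_dstport);
    }

    return(false);
}

/****************************/
/* Threshold by source port */
/****************************/

/****************************************************************************
 * Thresh_By_SrcPort - Source-port counterpart of Thresh_By_DstPort():
 * counts firings of rulestruct[rule_position] for source port
 * ip_srcport_u32 (optionally scoped by selector) within
 * rulestruct[rule_position].threshold_seconds.
 *
 * rule_position  - index into rulestruct[] of the rule being evaluated.
 * ip_srcport_u32 - source port the event carried.
 * selector       - NULL matches only entries with an empty selector;
 *                  otherwise the entry's selector must compare equal.
 *
 * Returns true once the windowed count exceeds
 * rulestruct[rule_position].threshold_count; false otherwise, including
 * for a port/sid pair that is appended to threshbysrcport_ipc[] on this call.
 *
 * Same fix as Thresh_By_DstPort(): the matched entry is addressed by the loop
 * index i rather than by rule_position.
 ****************************************************************************/
sbool Thresh_By_SrcPort( int rule_position, uint32_t ip_srcport_u32, char *selector )
{
    time_t t;
    struct tm *now;
    char timet[20];

    sbool thresh_log_flag = false;
    uint64_t thresh_oldtime;

    int i;

    t = time(NULL);
    now = localtime(&t);
    strftime(timet, sizeof(timet), "%s", now);

    /* Check array for matching src port / sid */
    for (i = 0; i < counters_ipc->thresh_count_by_srcport; i++ )
    {
        /* Short circuit if no selector match */
        if ( ( selector == NULL && threshbysrcport_ipc[i].selector[0] != '\0') ||
             ( selector != NULL && 0 != strcmp(selector, threshbysrcport_ipc[i].selector )) )
        {
            continue;
        }

        if ( threshbysrcport_ipc[i].ipsrcport == ip_srcport_u32 &&
             !strcmp(threshbysrcport_ipc[i].sid, rulestruct[rule_position].s_sid ))
        {
            File_Lock(config->shm_thresh_by_srcport);
            pthread_mutex_lock(&Thresh_By_Src_Port_Mutex);

            threshbysrcport_ipc[i].count++;

            /* NOTE(review): unsigned subtraction wraps if utime is ahead of now; see Thresh_By_DstPort() */
            thresh_oldtime = atol(timet) - threshbysrcport_ipc[i].utime;
            threshbysrcport_ipc[i].utime = atol(timet);

            /* Window elapsed: restart the count with this event */
            if ( thresh_oldtime > rulestruct[rule_position].threshold_seconds )
            {
                threshbysrcport_ipc[i].count = 1;
                threshbysrcport_ipc[i].utime = atol(timet);
                thresh_log_flag = false;
            }

            if ( rulestruct[rule_position].threshold_count < threshbysrcport_ipc[i].count )
            {
                thresh_log_flag = true;

                if ( debug->debuglimits )
                {
                    /* %u, not %s: ip_srcport_u32 is an integer */
                    Sagan_Log(NORMAL, "Threshold SID %s by source IP port. [%u]", threshbysrcport_ipc[i].sid, ip_srcport_u32);
                }

                counters->threshold_total++;
            }

            pthread_mutex_unlock(&Thresh_By_Src_Port_Mutex);
            File_Unlock(config->shm_thresh_by_srcport);

            return(thresh_log_flag);
        }
    }

    /* If not found, add it to the array (slot availability assumed to be
       established by Clean_IPC_Object() returning 0 - confirm). */
    if ( Clean_IPC_Object(THRESH_BY_SRCPORT) == 0 )
    {
        File_Lock(config->shm_thresh_by_srcport);
        pthread_mutex_lock(&Thresh_By_Src_Port_Mutex);

        threshbysrcport_ipc[counters_ipc->thresh_count_by_srcport].ipsrcport = ip_srcport_u32;
        strlcpy(threshbysrcport_ipc[counters_ipc->thresh_count_by_srcport].sid, rulestruct[rule_position].s_sid, sizeof(threshbysrcport_ipc[counters_ipc->thresh_count_by_srcport].sid));

        if ( selector == NULL )
        {
            threshbysrcport_ipc[counters_ipc->thresh_count_by_srcport].selector[0] = '\0';
        }
        else
        {
            strlcpy(threshbysrcport_ipc[counters_ipc->thresh_count_by_srcport].selector, selector, MAXSELECTOR);
        }

        threshbysrcport_ipc[counters_ipc->thresh_count_by_srcport].count = 1;
        threshbysrcport_ipc[counters_ipc->thresh_count_by_srcport].utime = atol(timet);
        threshbysrcport_ipc[counters_ipc->thresh_count_by_srcport].expire = rulestruct[rule_position].threshold_seconds;

        counters_ipc->thresh_count_by_srcport++;

        pthread_mutex_unlock(&Thresh_By_Src_Port_Mutex);
        File_Unlock(config->shm_thresh_by_srcport);
    }

    return(false);
}

sagan-1.2.0/src/meta-content.h0000644000175000017500000000202413310531444015077 0ustar champchamp/*
** Copyright (C) 2009-2018 Quadrant Information Security
** Copyright (C) 2009-2018 Champ Clark III
**
** This program is free software; you can redistribute it and/or modify
** it under the terms of the GNU General Public License Version 2 as
** published by the Free Software Foundation. You may not use, modify or
** distribute this program under any other version of the GNU General
** Public License.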
** ** This program is distributed in the hope that it will be useful, ** but WITHOUT ANY WARRANTY; without even the implied warranty of ** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ** GNU General Public License for more details. ** ** You should have received a copy of the GNU General Public License ** along with this program; if not, write to the Free Software ** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. */ #ifdef HAVE_CONFIG_H #include "config.h" /* From autoconf */ #endif int Meta_Content_Search(char *, int, int); sagan-1.2.0/src/classifications.c0000644000175000017500000001315613310531444015662 0ustar champchamp/* ** Copyright (C) 2009-2018 Quadrant Information Security ** Copyright (C) 2009-2018 Champ Clark III ** ** This program is free software; you can redistribute it and/or modify ** it under the terms of the GNU General Public License Version 2 as ** published by the Free Software Foundation. You may not use, modify or ** distribute this program under any other version of the GNU General ** Public License. ** ** This program is distributed in the hope that it will be useful, ** but WITHOUT ANY WARRANTY; without even the implied warranty of ** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ** GNU General Public License for more details. ** ** You should have received a copy of the GNU General Public License ** along with this program; if not, write to the Free Software ** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. */ /* classifications.c * * Loads the classifications file into memory for future use. 
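*
 */

#ifdef HAVE_CONFIG_H
#include "config.h"             /* From autoconf */
#endif

/* NOTE(review): the system header names on the next six lines were lost
   when this listing was extracted; they must be restored from the original
   source before this file can be compiled. */
#include
#include
#include
#include
#include
#include

#include "version.h"
#include "sagan.h"
#include "sagan-defs.h"
#include "gen-msg.h"
#include "classifications.h"

struct _SaganCounters *counters;
struct _Class_Struct *classstruct;
struct _SaganDebug *debug;
struct _SaganConfig *config;

pthread_mutex_t CounterClassMutex=PTHREAD_MUTEX_INITIALIZER;

/****************************************************************************
 * Load_Classifications - Reads the classifications file at `ruleset` into
 * the global classstruct[] array and leaves the number of entries in
 * counters->classcount.
 *
 * Line format as parsed here: everything up to the first ':' is ignored,
 * the remainder is "shortname,description,priority".  Lines starting with
 * '#', ';', a space or a newline are skipped.  priority is read through a
 * 5-byte buffer (at most 4 digits) and must be non-zero.
 *
 * Errors are reported via Sagan_Log(ERROR, ...).  NOTE(review): the original
 * relied on that call not returning; this version additionally returns (and
 * closes the file) on every error path so that, should Sagan_Log() return,
 * no NULL FILE * or NULL token is dereferenced.
 ****************************************************************************/
void Load_Classifications( const char *ruleset )
{
    FILE *classfile;
    char classbuf[CLASSBUF];
    char *saveptr=NULL;
    char *tmptoken=NULL;
    char *laststring=NULL;
    char tmpbuf2[5];
    int linecount=0;
    _Class_Struct *newclassstruct = NULL;

    pthread_mutex_lock(&CounterClassMutex);
    counters->classcount = 0;
    pthread_mutex_unlock(&CounterClassMutex);

    Sagan_Log(NORMAL, "Loading classifications.conf file. [%s]", ruleset);

    if (( classfile = fopen(ruleset, "r" )) == NULL )
    {
        Sagan_Log(ERROR, "[%s, line %d] Cannot open rule file %s. [%s]", __FILE__, __LINE__, ruleset, strerror(errno) );
        return;
    }

    while(fgets(classbuf, sizeof(classbuf), classfile) != NULL)
    {
        linecount++;

        /* Skip comments and blank lines */
        if (classbuf[0] == '#' || classbuf[0] == 10 || classbuf[0] == ';' || classbuf[0] == 32)
        {
            continue;
        }

        /* Grow the table by one entry.  A temporary pointer keeps the old
           block reachable (and classstruct non-NULL) if realloc() fails;
           the original assigned the result straight to classstruct. */
        newclassstruct = (_Class_Struct *) realloc(classstruct, (counters->classcount+1) * sizeof(_Class_Struct));

        if ( newclassstruct == NULL )
        {
            Sagan_Log(ERROR, "[%s, line %d] Failed to reallocate memory for classstruct. Abort!", __FILE__, __LINE__);
            fclose(classfile);
            return;
        }

        classstruct = newclassstruct;

        /* Discard everything up to the first ':'; what follows is the CSV payload */
        strtok_r(classbuf, ":", &saveptr);
        tmptoken = strtok_r(NULL, ":" , &saveptr);

        if ( tmptoken == NULL )
        {
            Sagan_Log(ERROR, "[%s, line %d] The file %s at line %d is improperly formated. Abort!", __FILE__, __LINE__, ruleset, linecount);
            fclose(classfile);
            return;
        }

        /* Field 1: short name */
        laststring = strtok_r(tmptoken, ",", &saveptr);

        if ( laststring == NULL )
        {
            Sagan_Log(ERROR, "[%s, line %d] The file %s at line %d is improperly formated. Abort!", __FILE__, __LINE__, ruleset, linecount);
            fclose(classfile);
            return;
        }

        Remove_Spaces(laststring);
        strlcpy(classstruct[counters->classcount].s_shortname, laststring, sizeof(classstruct[counters->classcount].s_shortname));

        /* Field 2: description */
        laststring = strtok_r(NULL, ",", &saveptr);

        if ( laststring == NULL )
        {
            Sagan_Log(ERROR, "[%s, line %d] The file %s at line %d is improperly formated. Abort!", __FILE__, __LINE__, ruleset, linecount);
            fclose(classfile);
            return;
        }

        strlcpy(classstruct[counters->classcount].s_desc, laststring, sizeof(classstruct[counters->classcount].s_desc));

        /* Field 3: priority (truncated to 4 characters by tmpbuf2) */
        laststring = strtok_r(NULL, ",", &saveptr);

        if ( laststring == NULL )
        {
            Sagan_Log(ERROR, "[%s, line %d] The file %s at line %d is improperly formated. Abort!", __FILE__, __LINE__, ruleset, linecount);
            fclose(classfile);
            return;
        }

        strlcpy(tmpbuf2, laststring, sizeof(tmpbuf2));
        classstruct[counters->classcount].s_priority=atoi(tmpbuf2);

        /* atoi() yields 0 for both "0" and non-numeric text; both are rejected */
        if ( classstruct[counters->classcount].s_priority == 0 )
        {
            Sagan_Log(ERROR, "[%s, line %d] Classification error at line number %d in %s", __FILE__, __LINE__, linecount, ruleset);
            fclose(classfile);
            return;
        }

        if (debug->debugload)
        {
            Sagan_Log(DEBUG, "[D-%d] Classification: %s|%s|%d", counters->classcount, classstruct[counters->classcount].s_shortname, classstruct[counters->classcount].s_desc, classstruct[counters->classcount].s_priority);
        }

        pthread_mutex_lock(&CounterClassMutex);
        counters->classcount++;
        pthread_mutex_unlock(&CounterClassMutex);
    }

    fclose(classfile);

    Sagan_Log(NORMAL, "%d classifications loaded", counters->classcount);
}

/****************************************************************************
 * Classtype_Lookup - Simple routine that looks up the classtype
 * (s_shortname) and copies the classtype's description into str.
 *
 * classtype - short name to search for in classstruct[].
 * str, size - caller's output buffer and its size; the result is
 *             NUL-terminated whenever size > 0.
 *
 * Returns 0 on a match, -1 (with str set to "UNKNOWN") otherwise.
 *
 * Fix: the miss path previously called snprintf() with sizeof("UNKNOWN")
 * instead of the caller's size, writing 8 bytes into str regardless of how
 * large it really is.
 ****************************************************************************/
int Classtype_Lookup( const char *classtype, char *str, size_t size )
{
    int i;

    for (i = 0; i < counters->classcount; i++)
    {
        if (!strcmp(classtype, classstruct[i].s_shortname))
        {
            snprintf(str, size, "%s", classstruct[i].s_desc);
            return 0;
        }
    }

    snprintf(str, size, "UNKNOWN");
    return -1;
}

sagan-1.2.0/src/usage.h0000644000175000017500000000177413310531444013620 0ustar champchamp/*
** Copyright (C) 2009-2018 Quadrant Information Security
** Copyright (C) 2009-2018 Champ Clark III
**
** This program is free software; you can redistribute it and/or modify
** it under the terms of the GNU General Public License Version 2 as
** published by the Free Software Foundation. You may not use, modify or
** distribute this program under any other version of the GNU General
** Public License.
**
** This program is distributed in the hope that it will be useful,
** but WITHOUT ANY WARRANTY; without even the implied warranty of
** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
** GNU General Public License for more details.
**
** You should have received a copy of the GNU General Public License
** along with this program; if not, write to the Free Software
** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
*/

#ifdef HAVE_CONFIG_H
#include "config.h"             /* From autoconf */
#endif

void Usage( void );

sagan-1.2.0/src/Makefile.in0000644000175000017500000044110313310533436014405 0ustar champchamp# Makefile.in generated by automake 1.14.1 from Makefile.am.
# @configure_input@

# Copyright (C) 1994-2013 Free Software Foundation, Inc.

# This Makefile.in is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
# with or without modifications, as long as this notice is preserved.

# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
# PARTICULAR PURPOSE.

@SET_MAKE@

VPATH = @srcdir@
am__is_gnu_make = test -n '$(MAKEFILE_LIST)' && test -n '$(MAKELEVEL)'
am__make_running_with_option = \
  case $${target_option-} in \
      ?)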
;; \ *) echo "am__make_running_with_option: internal error: invalid" \ "target option '$${target_option-}' specified" >&2; \ exit 1;; \ esac; \ has_opt=no; \ sane_makeflags=$$MAKEFLAGS; \ if $(am__is_gnu_make); then \ sane_makeflags=$$MFLAGS; \ else \ case $$MAKEFLAGS in \ *\\[\ \ ]*) \ bs=\\; \ sane_makeflags=`printf '%s\n' "$$MAKEFLAGS" \ | sed "s/$$bs$$bs[$$bs $$bs ]*//g"`;; \ esac; \ fi; \ skip_next=no; \ strip_trailopt () \ { \ flg=`printf '%s\n' "$$flg" | sed "s/$$1.*$$//"`; \ }; \ for flg in $$sane_makeflags; do \ test $$skip_next = yes && { skip_next=no; continue; }; \ case $$flg in \ *=*|--*) continue;; \ -*I) strip_trailopt 'I'; skip_next=yes;; \ -*I?*) strip_trailopt 'I';; \ -*O) strip_trailopt 'O'; skip_next=yes;; \ -*O?*) strip_trailopt 'O';; \ -*l) strip_trailopt 'l'; skip_next=yes;; \ -*l?*) strip_trailopt 'l';; \ -[dEDm]) skip_next=yes;; \ -[JT]) skip_next=yes;; \ esac; \ case $$flg in \ *$$target_option*) has_opt=yes; break;; \ esac; \ done; \ test $$has_opt = yes am__make_dryrun = (target_option=n; $(am__make_running_with_option)) am__make_keepgoing = (target_option=k; $(am__make_running_with_option)) pkgdatadir = $(datadir)/@PACKAGE@ pkgincludedir = $(includedir)/@PACKAGE@ pkglibdir = $(libdir)/@PACKAGE@ pkglibexecdir = $(libexecdir)/@PACKAGE@ am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd install_sh_DATA = $(install_sh) -c -m 644 install_sh_PROGRAM = $(install_sh) -c install_sh_SCRIPT = $(install_sh) -c INSTALL_HEADER = $(INSTALL_DATA) transform = $(program_transform_name) NORMAL_INSTALL = : PRE_INSTALL = : POST_INSTALL = : NORMAL_UNINSTALL = : PRE_UNINSTALL = : POST_UNINSTALL = : build_triplet = @build@ host_triplet = @host@ target_triplet = @target@ bin_PROGRAMS = sagan$(EXEEXT) subdir = src DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am \ $(top_srcdir)/depcomp ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 am__aclocal_m4_deps = $(top_srcdir)/m4/ax_check_compile_flag.m4 \ $(top_srcdir)/m4/ax_ext.m4 \ 
$(top_srcdir)/m4/ax_gcc_x86_avx_xgetbv.m4 \ $(top_srcdir)/m4/ax_gcc_x86_cpuid.m4 \ $(top_srcdir)/configure.ac am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) mkinstalldirs = $(install_sh) -d CONFIG_HEADER = $(top_builddir)/config.h CONFIG_CLEAN_FILES = CONFIG_CLEAN_VPATH_FILES = am__installdirs = "$(DESTDIR)$(bindir)" PROGRAMS = $(bin_PROGRAMS) am__dirstamp = $(am__leading_dot)dirstamp am_sagan_OBJECTS = sagan-sagan.$(OBJEXT) \ sagan-classifications.$(OBJEXT) sagan-config-yaml.$(OBJEXT) \ sagan-lockfile.$(OBJEXT) sagan-references.$(OBJEXT) \ sagan-rules.$(OBJEXT) sagan-signal-handler.$(OBJEXT) \ sagan-key.$(OBJEXT) sagan-stats.$(OBJEXT) \ sagan-usage.$(OBJEXT) sagan-plog.$(OBJEXT) \ sagan-output.$(OBJEXT) sagan-processor.$(OBJEXT) \ sagan-gen-msg.$(OBJEXT) sagan-liblognormalize.$(OBJEXT) \ sagan-ignore-list.$(OBJEXT) sagan-send-alert.$(OBJEXT) \ sagan-credits.$(OBJEXT) sagan-protocol-map.$(OBJEXT) \ sagan-geoip2.$(OBJEXT) sagan-meta-content.$(OBJEXT) \ sagan-redis.$(OBJEXT) sagan-xbit.$(OBJEXT) \ sagan-xbit-mmap.$(OBJEXT) sagan-xbit-redis.$(OBJEXT) \ sagan-flow.$(OBJEXT) sagan-aetas.$(OBJEXT) sagan-ipc.$(OBJEXT) \ sagan-util.$(OBJEXT) sagan-after.$(OBJEXT) \ sagan-threshold.$(OBJEXT) sagan-util-time.$(OBJEXT) \ sagan-util-strlcpy.$(OBJEXT) sagan-util-strlcat.$(OBJEXT) \ sagan-util-base64.$(OBJEXT) sagan-json-handler.$(OBJEXT) \ parsers/sagan-ip.$(OBJEXT) parsers/sagan-port.$(OBJEXT) \ parsers/sagan-proto.$(OBJEXT) parsers/sagan-hash.$(OBJEXT) \ parsers/strstr-asm/sagan-strstr-hook.$(OBJEXT) \ parsers/strstr-asm/sagan-strstr_sse2.$(OBJEXT) \ parsers/strstr-asm/sagan-strstr_sse4_2.$(OBJEXT) \ output-plugins/sagan-alert.$(OBJEXT) \ output-plugins/sagan-fast.$(OBJEXT) \ output-plugins/sagan-esmtp.$(OBJEXT) \ output-plugins/sagan-external.$(OBJEXT) \ output-plugins/sagan-unified2.$(OBJEXT) \ output-plugins/sagan-snortsam-twofish.$(OBJEXT) \ output-plugins/sagan-snortsam.$(OBJEXT) \ output-plugins/sagan-syslog-handler.$(OBJEXT) \ 
output-plugins/sagan-eve.$(OBJEXT) \ processors/sagan-engine.$(OBJEXT) \ processors/sagan-track-clients.$(OBJEXT) \ processors/sagan-bluedot.$(OBJEXT) \ processors/sagan-blacklist.$(OBJEXT) \ processors/sagan-perfmon.$(OBJEXT) \ processors/sagan-bro-intel.$(OBJEXT) \ processors/sagan-dynamic-rules.$(OBJEXT) sagan_OBJECTS = $(am_sagan_OBJECTS) am__DEPENDENCIES_1 = sagan_DEPENDENCIES = $(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) \ $(am__DEPENDENCIES_1) AM_V_P = $(am__v_P_@AM_V@) am__v_P_ = $(am__v_P_@AM_DEFAULT_V@) am__v_P_0 = false am__v_P_1 = : AM_V_GEN = $(am__v_GEN_@AM_V@) am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@) am__v_GEN_0 = @echo " GEN " $@; am__v_GEN_1 = AM_V_at = $(am__v_at_@AM_V@) am__v_at_ = $(am__v_at_@AM_DEFAULT_V@) am__v_at_0 = @ am__v_at_1 = DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir) depcomp = $(SHELL) $(top_srcdir)/depcomp am__depfiles_maybe = depfiles am__mv = mv -f AM_V_lt = $(am__v_lt_@AM_V@) am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@) am__v_lt_0 = --silent am__v_lt_1 = CPPASCOMPILE = $(CCAS) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \ $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CCASFLAGS) $(CCASFLAGS) AM_V_CPPAS = $(am__v_CPPAS_@AM_V@) am__v_CPPAS_ = $(am__v_CPPAS_@AM_DEFAULT_V@) am__v_CPPAS_0 = @echo " CPPAS " $@; am__v_CPPAS_1 = COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) AM_V_CC = $(am__v_CC_@AM_V@) am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@) am__v_CC_0 = @echo " CC " $@; am__v_CC_1 = CCLD = $(CC) LINK = $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) $(LDFLAGS) -o $@ AM_V_CCLD = $(am__v_CCLD_@AM_V@) am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@) am__v_CCLD_0 = @echo " CCLD " $@; am__v_CCLD_1 = SOURCES = $(sagan_SOURCES) DIST_SOURCES = $(sagan_SOURCES) am__can_run_installinfo = \ case $$AM_UPDATE_INFO_DIR in \ n|no|NO) false;; \ *) (install-info --version) >/dev/null 2>&1;; \ esac am__tagged_files = $(HEADERS) $(SOURCES) $(TAGS_FILES) $(LISP) # Read a list of newline-separated strings from the standard 
input, # and print each of them once, without duplicates. Input order is # *not* preserved. am__uniquify_input = $(AWK) '\ BEGIN { nonempty = 0; } \ { items[$$0] = 1; nonempty = 1; } \ END { if (nonempty) { for (i in items) print i; }; } \ ' # Make sure the list of sources is unique. This is necessary because, # e.g., the same source file might be shared among _SOURCES variables # for different programs/libraries. am__define_uniq_tagged_files = \ list='$(am__tagged_files)'; \ unique=`for i in $$list; do \ if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ done | $(am__uniquify_input)` ETAGS = etags CTAGS = ctags DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ AMTAR = @AMTAR@ AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@ AUTOCONF = @AUTOCONF@ AUTOHEADER = @AUTOHEADER@ AUTOMAKE = @AUTOMAKE@ AWK = @AWK@ CC = @CC@ CCAS = @CCAS@ CCASDEPMODE = @CCASDEPMODE@ CCASFLAGS = @CCASFLAGS@ CCDEPMODE = @CCDEPMODE@ CFLAGS = @CFLAGS@ CPP = @CPP@ CPPFLAGS = @CPPFLAGS@ CYGPATH_W = @CYGPATH_W@ DEFS = @DEFS@ DEPDIR = @DEPDIR@ ECHO_C = @ECHO_C@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ ENDIAN = @ENDIAN@ EXEEXT = @EXEEXT@ GREP = @GREP@ INSTALL = @INSTALL@ INSTALL_DATA = @INSTALL_DATA@ INSTALL_PROGRAM = @INSTALL_PROGRAM@ INSTALL_SCRIPT = @INSTALL_SCRIPT@ INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@ LDFLAGS = @LDFLAGS@ LIBESTR_CFLAGS = @LIBESTR_CFLAGS@ LIBESTR_LIBS = @LIBESTR_LIBS@ LIBFASTJSON_CFLAGS = @LIBFASTJSON_CFLAGS@ LIBFASTJSON_LIBS = @LIBFASTJSON_LIBS@ LIBLOGNORM_CFLAGS = @LIBLOGNORM_CFLAGS@ LIBLOGNORM_LIBS = @LIBLOGNORM_LIBS@ LIBOBJS = @LIBOBJS@ LIBPCREVERSION_CFLAGS = @LIBPCREVERSION_CFLAGS@ LIBPCREVERSION_LIBS = @LIBPCREVERSION_LIBS@ LIBS = @LIBS@ LTLIBOBJS = @LTLIBOBJS@ MAINT = @MAINT@ MAKEINFO = @MAKEINFO@ MKDIR_P = @MKDIR_P@ OBJEXT = @OBJEXT@ PACKAGE = @PACKAGE@ PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@ PACKAGE_NAME = @PACKAGE_NAME@ PACKAGE_STRING = @PACKAGE_STRING@ PACKAGE_TARNAME = @PACKAGE_TARNAME@ PACKAGE_URL 
= @PACKAGE_URL@ PACKAGE_VERSION = @PACKAGE_VERSION@ PATH_SEPARATOR = @PATH_SEPARATOR@ PKG_CONFIG = @PKG_CONFIG@ PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ SIMD_FLAGS = @SIMD_FLAGS@ STRIP = @STRIP@ VERSION = @VERSION@ abs_builddir = @abs_builddir@ abs_srcdir = @abs_srcdir@ abs_top_builddir = @abs_top_builddir@ abs_top_srcdir = @abs_top_srcdir@ ac_ct_CC = @ac_ct_CC@ am__include = @am__include@ am__leading_dot = @am__leading_dot@ am__quote = @am__quote@ am__tar = @am__tar@ am__untar = @am__untar@ bindir = @bindir@ build = @build@ build_alias = @build_alias@ build_cpu = @build_cpu@ build_os = @build_os@ build_vendor = @build_vendor@ builddir = @builddir@ datadir = @datadir@ datarootdir = @datarootdir@ docdir = @docdir@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ host = @host@ host_alias = @host_alias@ host_cpu = @host_cpu@ host_os = @host_os@ host_vendor = @host_vendor@ htmldir = @htmldir@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ libdir = @libdir@ libexecdir = @libexecdir@ localedir = @localedir@ localstatedir = @localstatedir@ mandir = @mandir@ mkdir_p = @mkdir_p@ oldincludedir = @oldincludedir@ pdfdir = @pdfdir@ prefix = @prefix@ program_transform_name = @program_transform_name@ psdir = @psdir@ sbindir = @sbindir@ sharedstatedir = @sharedstatedir@ srcdir = @srcdir@ sysconfdir = @sysconfdir@ target = @target@ target_alias = @target_alias@ target_cpu = @target_cpu@ target_os = @target_os@ target_vendor = @target_vendor@ top_build_prefix = @top_build_prefix@ top_builddir = @top_builddir@ top_srcdir = @top_srcdir@ ACLOCAL_AMFLAGS = -I m4 AUTOMAKE_OPIONS = foreign no-dependencies subdir-objects sagan_CPPFLAGS = -I$(top_srcdir) $(LIBFASTJSON_CFLAGS) $(LIBESTR_CFLAGS) sagan_LDADD = $(LIBFASTJSON_LIBS) $(LIBLOGNORM_LIBS) $(LIBESTR_LIBS) sagan_SOURCES = sagan.c \ classifications.c \ config-yaml.c \ lockfile.c \ references.c \ rules.c \ signal-handler.c \ key.c \ stats.c \ 
usage.c \ plog.c \ output.c \ processor.c \ gen-msg.c \ liblognormalize.c \ ignore-list.c \ send-alert.c \ credits.c \ protocol-map.c \ geoip2.c \ meta-content.c \ redis.c \ xbit.c \ xbit-mmap.c \ xbit-redis.c \ flow.c\ aetas.c \ ipc.c \ util.c \ after.c \ threshold.c \ util-time.c \ util-strlcpy.c \ util-strlcat.c \ util-base64.c \ json-handler.c \ parsers/ip.c \ parsers/port.c \ parsers/proto.c \ parsers/hash.c \ parsers/strstr-asm/strstr-hook.c \ parsers/strstr-asm/strstr_sse2.S \ parsers/strstr-asm/strstr_sse4_2.S \ output-plugins/alert.c \ output-plugins/fast.c \ output-plugins/esmtp.c \ output-plugins/external.c \ output-plugins/unified2.c \ output-plugins/snortsam-twofish.c \ output-plugins/snortsam.c \ output-plugins/syslog-handler.c \ output-plugins/eve.c \ processors/engine.c \ processors/track-clients.c \ processors/bluedot.c \ processors/blacklist.c \ processors/perfmon.c \ processors/bro-intel.c \ processors/dynamic-rules.c all: all-am .SUFFIXES: .SUFFIXES: .S .c .o .obj $(srcdir)/Makefile.in: @MAINTAINER_MODE_TRUE@ $(srcdir)/Makefile.am $(am__configure_deps) @for dep in $?; do \ case '$(am__configure_deps)' in \ *$$dep*) \ ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \ && { if test -f $@; then exit 0; else break; fi; }; \ exit 1;; \ esac; \ done; \ echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/Makefile'; \ $(am__cd) $(top_srcdir) && \ $(AUTOMAKE) --gnu src/Makefile .PRECIOUS: Makefile Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status @case '$?' 
in \ *config.status*) \ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \ *) \ echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \ cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \ esac; $(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES) cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh $(top_srcdir)/configure: @MAINTAINER_MODE_TRUE@ $(am__configure_deps) cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh $(ACLOCAL_M4): @MAINTAINER_MODE_TRUE@ $(am__aclocal_m4_deps) cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh $(am__aclocal_m4_deps): install-binPROGRAMS: $(bin_PROGRAMS) @$(NORMAL_INSTALL) @list='$(bin_PROGRAMS)'; test -n "$(bindir)" || list=; \ if test -n "$$list"; then \ echo " $(MKDIR_P) '$(DESTDIR)$(bindir)'"; \ $(MKDIR_P) "$(DESTDIR)$(bindir)" || exit 1; \ fi; \ for p in $$list; do echo "$$p $$p"; done | \ sed 's/$(EXEEXT)$$//' | \ while read p p1; do if test -f $$p \ ; then echo "$$p"; echo "$$p"; else :; fi; \ done | \ sed -e 'p;s,.*/,,;n;h' \ -e 's|.*|.|' \ -e 'p;x;s,.*/,,;s/$(EXEEXT)$$//;$(transform);s/$$/$(EXEEXT)/' | \ sed 'N;N;N;s,\n, ,g' | \ $(AWK) 'BEGIN { files["."] = ""; dirs["."] = 1 } \ { d=$$3; if (dirs[d] != 1) { print "d", d; dirs[d] = 1 } \ if ($$2 == $$4) files[d] = files[d] " " $$1; \ else { print "f", $$3 "/" $$4, $$1; } } \ END { for (d in files) print "f", d, files[d] }' | \ while read type dir files; do \ if test "$$dir" = .; then dir=; else dir=/$$dir; fi; \ test -z "$$files" || { \ echo " $(INSTALL_PROGRAM_ENV) $(INSTALL_PROGRAM) $$files '$(DESTDIR)$(bindir)$$dir'"; \ $(INSTALL_PROGRAM_ENV) $(INSTALL_PROGRAM) $$files "$(DESTDIR)$(bindir)$$dir" || exit $$?; \ } \ ; done uninstall-binPROGRAMS: @$(NORMAL_UNINSTALL) @list='$(bin_PROGRAMS)'; test -n "$(bindir)" || list=; \ files=`for p in $$list; do echo "$$p"; done | \ sed -e 'h;s,^.*/,,;s/$(EXEEXT)$$//;$(transform)' \ -e 's/$$/$(EXEEXT)/' \ 
`; \ test -n "$$list" || exit 0; \ echo " ( cd '$(DESTDIR)$(bindir)' && rm -f" $$files ")"; \ cd "$(DESTDIR)$(bindir)" && rm -f $$files clean-binPROGRAMS: -test -z "$(bin_PROGRAMS)" || rm -f $(bin_PROGRAMS) parsers/$(am__dirstamp): @$(MKDIR_P) parsers @: > parsers/$(am__dirstamp) parsers/$(DEPDIR)/$(am__dirstamp): @$(MKDIR_P) parsers/$(DEPDIR) @: > parsers/$(DEPDIR)/$(am__dirstamp) parsers/sagan-ip.$(OBJEXT): parsers/$(am__dirstamp) \ parsers/$(DEPDIR)/$(am__dirstamp) parsers/sagan-port.$(OBJEXT): parsers/$(am__dirstamp) \ parsers/$(DEPDIR)/$(am__dirstamp) parsers/sagan-proto.$(OBJEXT): parsers/$(am__dirstamp) \ parsers/$(DEPDIR)/$(am__dirstamp) parsers/sagan-hash.$(OBJEXT): parsers/$(am__dirstamp) \ parsers/$(DEPDIR)/$(am__dirstamp) parsers/strstr-asm/$(am__dirstamp): @$(MKDIR_P) parsers/strstr-asm @: > parsers/strstr-asm/$(am__dirstamp) parsers/strstr-asm/$(DEPDIR)/$(am__dirstamp): @$(MKDIR_P) parsers/strstr-asm/$(DEPDIR) @: > parsers/strstr-asm/$(DEPDIR)/$(am__dirstamp) parsers/strstr-asm/sagan-strstr-hook.$(OBJEXT): \ parsers/strstr-asm/$(am__dirstamp) \ parsers/strstr-asm/$(DEPDIR)/$(am__dirstamp) parsers/strstr-asm/sagan-strstr_sse2.$(OBJEXT): \ parsers/strstr-asm/$(am__dirstamp) \ parsers/strstr-asm/$(DEPDIR)/$(am__dirstamp) parsers/strstr-asm/sagan-strstr_sse4_2.$(OBJEXT): \ parsers/strstr-asm/$(am__dirstamp) \ parsers/strstr-asm/$(DEPDIR)/$(am__dirstamp) output-plugins/$(am__dirstamp): @$(MKDIR_P) output-plugins @: > output-plugins/$(am__dirstamp) output-plugins/$(DEPDIR)/$(am__dirstamp): @$(MKDIR_P) output-plugins/$(DEPDIR) @: > output-plugins/$(DEPDIR)/$(am__dirstamp) output-plugins/sagan-alert.$(OBJEXT): output-plugins/$(am__dirstamp) \ output-plugins/$(DEPDIR)/$(am__dirstamp) output-plugins/sagan-fast.$(OBJEXT): output-plugins/$(am__dirstamp) \ output-plugins/$(DEPDIR)/$(am__dirstamp) output-plugins/sagan-esmtp.$(OBJEXT): output-plugins/$(am__dirstamp) \ output-plugins/$(DEPDIR)/$(am__dirstamp) output-plugins/sagan-external.$(OBJEXT): \ 
output-plugins/$(am__dirstamp) \ output-plugins/$(DEPDIR)/$(am__dirstamp) output-plugins/sagan-unified2.$(OBJEXT): \ output-plugins/$(am__dirstamp) \ output-plugins/$(DEPDIR)/$(am__dirstamp) output-plugins/sagan-snortsam-twofish.$(OBJEXT): \ output-plugins/$(am__dirstamp) \ output-plugins/$(DEPDIR)/$(am__dirstamp) output-plugins/sagan-snortsam.$(OBJEXT): \ output-plugins/$(am__dirstamp) \ output-plugins/$(DEPDIR)/$(am__dirstamp) output-plugins/sagan-syslog-handler.$(OBJEXT): \ output-plugins/$(am__dirstamp) \ output-plugins/$(DEPDIR)/$(am__dirstamp) output-plugins/sagan-eve.$(OBJEXT): output-plugins/$(am__dirstamp) \ output-plugins/$(DEPDIR)/$(am__dirstamp) processors/$(am__dirstamp): @$(MKDIR_P) processors @: > processors/$(am__dirstamp) processors/$(DEPDIR)/$(am__dirstamp): @$(MKDIR_P) processors/$(DEPDIR) @: > processors/$(DEPDIR)/$(am__dirstamp) processors/sagan-engine.$(OBJEXT): processors/$(am__dirstamp) \ processors/$(DEPDIR)/$(am__dirstamp) processors/sagan-track-clients.$(OBJEXT): processors/$(am__dirstamp) \ processors/$(DEPDIR)/$(am__dirstamp) processors/sagan-bluedot.$(OBJEXT): processors/$(am__dirstamp) \ processors/$(DEPDIR)/$(am__dirstamp) processors/sagan-blacklist.$(OBJEXT): processors/$(am__dirstamp) \ processors/$(DEPDIR)/$(am__dirstamp) processors/sagan-perfmon.$(OBJEXT): processors/$(am__dirstamp) \ processors/$(DEPDIR)/$(am__dirstamp) processors/sagan-bro-intel.$(OBJEXT): processors/$(am__dirstamp) \ processors/$(DEPDIR)/$(am__dirstamp) processors/sagan-dynamic-rules.$(OBJEXT): processors/$(am__dirstamp) \ processors/$(DEPDIR)/$(am__dirstamp) sagan$(EXEEXT): $(sagan_OBJECTS) $(sagan_DEPENDENCIES) $(EXTRA_sagan_DEPENDENCIES) @rm -f sagan$(EXEEXT) $(AM_V_CCLD)$(LINK) $(sagan_OBJECTS) $(sagan_LDADD) $(LIBS) mostlyclean-compile: -rm -f *.$(OBJEXT) -rm -f output-plugins/*.$(OBJEXT) -rm -f parsers/*.$(OBJEXT) -rm -f parsers/strstr-asm/*.$(OBJEXT) -rm -f processors/*.$(OBJEXT) distclean-compile: -rm -f *.tab.c @AMDEP_TRUE@@am__include@ 
@am__quote@./$(DEPDIR)/sagan-aetas.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/sagan-after.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/sagan-classifications.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/sagan-config-yaml.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/sagan-credits.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/sagan-flow.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/sagan-gen-msg.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/sagan-geoip2.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/sagan-ignore-list.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/sagan-ipc.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/sagan-json-handler.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/sagan-key.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/sagan-liblognormalize.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/sagan-lockfile.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/sagan-meta-content.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/sagan-output.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/sagan-plog.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/sagan-processor.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/sagan-protocol-map.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/sagan-redis.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/sagan-references.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/sagan-rules.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/sagan-sagan.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/sagan-send-alert.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/sagan-signal-handler.Po@am__quote@ @AMDEP_TRUE@@am__include@ 
@am__quote@./$(DEPDIR)/sagan-stats.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/sagan-threshold.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/sagan-usage.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/sagan-util-base64.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/sagan-util-strlcat.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/sagan-util-strlcpy.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/sagan-util-time.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/sagan-util.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/sagan-xbit-mmap.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/sagan-xbit-redis.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/sagan-xbit.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@output-plugins/$(DEPDIR)/sagan-alert.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@output-plugins/$(DEPDIR)/sagan-esmtp.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@output-plugins/$(DEPDIR)/sagan-eve.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@output-plugins/$(DEPDIR)/sagan-external.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@output-plugins/$(DEPDIR)/sagan-fast.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@output-plugins/$(DEPDIR)/sagan-snortsam-twofish.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@output-plugins/$(DEPDIR)/sagan-snortsam.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@output-plugins/$(DEPDIR)/sagan-syslog-handler.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@output-plugins/$(DEPDIR)/sagan-unified2.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@parsers/$(DEPDIR)/sagan-hash.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@parsers/$(DEPDIR)/sagan-ip.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@parsers/$(DEPDIR)/sagan-port.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@parsers/$(DEPDIR)/sagan-proto.Po@am__quote@ @AMDEP_TRUE@@am__include@ 
@am__quote@parsers/strstr-asm/$(DEPDIR)/sagan-strstr-hook.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@parsers/strstr-asm/$(DEPDIR)/sagan-strstr_sse2.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@parsers/strstr-asm/$(DEPDIR)/sagan-strstr_sse4_2.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@processors/$(DEPDIR)/sagan-blacklist.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@processors/$(DEPDIR)/sagan-bluedot.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@processors/$(DEPDIR)/sagan-bro-intel.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@processors/$(DEPDIR)/sagan-dynamic-rules.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@processors/$(DEPDIR)/sagan-engine.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@processors/$(DEPDIR)/sagan-perfmon.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@processors/$(DEPDIR)/sagan-track-clients.Po@am__quote@ .S.o: @am__fastdepCCAS_TRUE@ $(AM_V_CPPAS)depbase=`echo $@ | sed 's|[^/]*$$|$(DEPDIR)/&|;s|\.o$$||'`;\ @am__fastdepCCAS_TRUE@ $(CPPASCOMPILE) -MT $@ -MD -MP -MF $$depbase.Tpo -c -o $@ $< &&\ @am__fastdepCCAS_TRUE@ $(am__mv) $$depbase.Tpo $$depbase.Po @AMDEP_TRUE@@am__fastdepCCAS_FALSE@ $(AM_V_CPPAS)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCCAS_FALSE@ DEPDIR=$(DEPDIR) $(CCASDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCCAS_FALSE@ $(AM_V_CPPAS@am__nodep@)$(CPPASCOMPILE) -c -o $@ $< .S.obj: @am__fastdepCCAS_TRUE@ $(AM_V_CPPAS)depbase=`echo $@ | sed 's|[^/]*$$|$(DEPDIR)/&|;s|\.obj$$||'`;\ @am__fastdepCCAS_TRUE@ $(CPPASCOMPILE) -MT $@ -MD -MP -MF $$depbase.Tpo -c -o $@ `$(CYGPATH_W) '$<'` &&\ @am__fastdepCCAS_TRUE@ $(am__mv) $$depbase.Tpo $$depbase.Po @AMDEP_TRUE@@am__fastdepCCAS_FALSE@ $(AM_V_CPPAS)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCCAS_FALSE@ DEPDIR=$(DEPDIR) $(CCASDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCCAS_FALSE@ $(AM_V_CPPAS@am__nodep@)$(CPPASCOMPILE) -c -o $@ `$(CYGPATH_W) '$<'` 
parsers/strstr-asm/sagan-strstr_sse2.o: parsers/strstr-asm/strstr_sse2.S @am__fastdepCCAS_TRUE@ $(AM_V_CPPAS)$(CCAS) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(sagan_CPPFLAGS) $(CPPFLAGS) $(AM_CCASFLAGS) $(CCASFLAGS) -MT parsers/strstr-asm/sagan-strstr_sse2.o -MD -MP -MF parsers/strstr-asm/$(DEPDIR)/sagan-strstr_sse2.Tpo -c -o parsers/strstr-asm/sagan-strstr_sse2.o `test -f 'parsers/strstr-asm/strstr_sse2.S' || echo '$(srcdir)/'`parsers/strstr-asm/strstr_sse2.S @am__fastdepCCAS_TRUE@ $(AM_V_at)$(am__mv) parsers/strstr-asm/$(DEPDIR)/sagan-strstr_sse2.Tpo parsers/strstr-asm/$(DEPDIR)/sagan-strstr_sse2.Po @AMDEP_TRUE@@am__fastdepCCAS_FALSE@ $(AM_V_CPPAS)source='parsers/strstr-asm/strstr_sse2.S' object='parsers/strstr-asm/sagan-strstr_sse2.o' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCCAS_FALSE@ DEPDIR=$(DEPDIR) $(CCASDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCCAS_FALSE@ $(AM_V_CPPAS@am__nodep@)$(CCAS) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(sagan_CPPFLAGS) $(CPPFLAGS) $(AM_CCASFLAGS) $(CCASFLAGS) -c -o parsers/strstr-asm/sagan-strstr_sse2.o `test -f 'parsers/strstr-asm/strstr_sse2.S' || echo '$(srcdir)/'`parsers/strstr-asm/strstr_sse2.S parsers/strstr-asm/sagan-strstr_sse2.obj: parsers/strstr-asm/strstr_sse2.S @am__fastdepCCAS_TRUE@ $(AM_V_CPPAS)$(CCAS) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(sagan_CPPFLAGS) $(CPPFLAGS) $(AM_CCASFLAGS) $(CCASFLAGS) -MT parsers/strstr-asm/sagan-strstr_sse2.obj -MD -MP -MF parsers/strstr-asm/$(DEPDIR)/sagan-strstr_sse2.Tpo -c -o parsers/strstr-asm/sagan-strstr_sse2.obj `if test -f 'parsers/strstr-asm/strstr_sse2.S'; then $(CYGPATH_W) 'parsers/strstr-asm/strstr_sse2.S'; else $(CYGPATH_W) '$(srcdir)/parsers/strstr-asm/strstr_sse2.S'; fi` @am__fastdepCCAS_TRUE@ $(AM_V_at)$(am__mv) parsers/strstr-asm/$(DEPDIR)/sagan-strstr_sse2.Tpo parsers/strstr-asm/$(DEPDIR)/sagan-strstr_sse2.Po @AMDEP_TRUE@@am__fastdepCCAS_FALSE@ $(AM_V_CPPAS)source='parsers/strstr-asm/strstr_sse2.S' object='parsers/strstr-asm/sagan-strstr_sse2.obj' 
libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCCAS_FALSE@ DEPDIR=$(DEPDIR) $(CCASDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCCAS_FALSE@ $(AM_V_CPPAS@am__nodep@)$(CCAS) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(sagan_CPPFLAGS) $(CPPFLAGS) $(AM_CCASFLAGS) $(CCASFLAGS) -c -o parsers/strstr-asm/sagan-strstr_sse2.obj `if test -f 'parsers/strstr-asm/strstr_sse2.S'; then $(CYGPATH_W) 'parsers/strstr-asm/strstr_sse2.S'; else $(CYGPATH_W) '$(srcdir)/parsers/strstr-asm/strstr_sse2.S'; fi` parsers/strstr-asm/sagan-strstr_sse4_2.o: parsers/strstr-asm/strstr_sse4_2.S @am__fastdepCCAS_TRUE@ $(AM_V_CPPAS)$(CCAS) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(sagan_CPPFLAGS) $(CPPFLAGS) $(AM_CCASFLAGS) $(CCASFLAGS) -MT parsers/strstr-asm/sagan-strstr_sse4_2.o -MD -MP -MF parsers/strstr-asm/$(DEPDIR)/sagan-strstr_sse4_2.Tpo -c -o parsers/strstr-asm/sagan-strstr_sse4_2.o `test -f 'parsers/strstr-asm/strstr_sse4_2.S' || echo '$(srcdir)/'`parsers/strstr-asm/strstr_sse4_2.S @am__fastdepCCAS_TRUE@ $(AM_V_at)$(am__mv) parsers/strstr-asm/$(DEPDIR)/sagan-strstr_sse4_2.Tpo parsers/strstr-asm/$(DEPDIR)/sagan-strstr_sse4_2.Po @AMDEP_TRUE@@am__fastdepCCAS_FALSE@ $(AM_V_CPPAS)source='parsers/strstr-asm/strstr_sse4_2.S' object='parsers/strstr-asm/sagan-strstr_sse4_2.o' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCCAS_FALSE@ DEPDIR=$(DEPDIR) $(CCASDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCCAS_FALSE@ $(AM_V_CPPAS@am__nodep@)$(CCAS) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(sagan_CPPFLAGS) $(CPPFLAGS) $(AM_CCASFLAGS) $(CCASFLAGS) -c -o parsers/strstr-asm/sagan-strstr_sse4_2.o `test -f 'parsers/strstr-asm/strstr_sse4_2.S' || echo '$(srcdir)/'`parsers/strstr-asm/strstr_sse4_2.S parsers/strstr-asm/sagan-strstr_sse4_2.obj: parsers/strstr-asm/strstr_sse4_2.S @am__fastdepCCAS_TRUE@ $(AM_V_CPPAS)$(CCAS) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(sagan_CPPFLAGS) $(CPPFLAGS) $(AM_CCASFLAGS) $(CCASFLAGS) -MT parsers/strstr-asm/sagan-strstr_sse4_2.obj -MD -MP -MF 
parsers/strstr-asm/$(DEPDIR)/sagan-strstr_sse4_2.Tpo -c -o parsers/strstr-asm/sagan-strstr_sse4_2.obj `if test -f 'parsers/strstr-asm/strstr_sse4_2.S'; then $(CYGPATH_W) 'parsers/strstr-asm/strstr_sse4_2.S'; else $(CYGPATH_W) '$(srcdir)/parsers/strstr-asm/strstr_sse4_2.S'; fi` @am__fastdepCCAS_TRUE@ $(AM_V_at)$(am__mv) parsers/strstr-asm/$(DEPDIR)/sagan-strstr_sse4_2.Tpo parsers/strstr-asm/$(DEPDIR)/sagan-strstr_sse4_2.Po @AMDEP_TRUE@@am__fastdepCCAS_FALSE@ $(AM_V_CPPAS)source='parsers/strstr-asm/strstr_sse4_2.S' object='parsers/strstr-asm/sagan-strstr_sse4_2.obj' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCCAS_FALSE@ DEPDIR=$(DEPDIR) $(CCASDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCCAS_FALSE@ $(AM_V_CPPAS@am__nodep@)$(CCAS) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(sagan_CPPFLAGS) $(CPPFLAGS) $(AM_CCASFLAGS) $(CCASFLAGS) -c -o parsers/strstr-asm/sagan-strstr_sse4_2.obj `if test -f 'parsers/strstr-asm/strstr_sse4_2.S'; then $(CYGPATH_W) 'parsers/strstr-asm/strstr_sse4_2.S'; else $(CYGPATH_W) '$(srcdir)/parsers/strstr-asm/strstr_sse4_2.S'; fi` .c.o: @am__fastdepCC_TRUE@ $(AM_V_CC)depbase=`echo $@ | sed 's|[^/]*$$|$(DEPDIR)/&|;s|\.o$$||'`;\ @am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $$depbase.Tpo -c -o $@ $< &&\ @am__fastdepCC_TRUE@ $(am__mv) $$depbase.Tpo $$depbase.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c -o $@ $< .c.obj: @am__fastdepCC_TRUE@ $(AM_V_CC)depbase=`echo $@ | sed 's|[^/]*$$|$(DEPDIR)/&|;s|\.obj$$||'`;\ @am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $$depbase.Tpo -c -o $@ `$(CYGPATH_W) '$<'` &&\ @am__fastdepCC_TRUE@ $(am__mv) $$depbase.Tpo $$depbase.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) 
@AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c -o $@ `$(CYGPATH_W) '$<'` sagan-sagan.o: sagan.c @am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(sagan_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT sagan-sagan.o -MD -MP -MF $(DEPDIR)/sagan-sagan.Tpo -c -o sagan-sagan.o `test -f 'sagan.c' || echo '$(srcdir)/'`sagan.c @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/sagan-sagan.Tpo $(DEPDIR)/sagan-sagan.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='sagan.c' object='sagan-sagan.o' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(sagan_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o sagan-sagan.o `test -f 'sagan.c' || echo '$(srcdir)/'`sagan.c sagan-sagan.obj: sagan.c @am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(sagan_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT sagan-sagan.obj -MD -MP -MF $(DEPDIR)/sagan-sagan.Tpo -c -o sagan-sagan.obj `if test -f 'sagan.c'; then $(CYGPATH_W) 'sagan.c'; else $(CYGPATH_W) '$(srcdir)/sagan.c'; fi` @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/sagan-sagan.Tpo $(DEPDIR)/sagan-sagan.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='sagan.c' object='sagan-sagan.obj' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(sagan_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o sagan-sagan.obj `if test -f 'sagan.c'; then $(CYGPATH_W) 'sagan.c'; else $(CYGPATH_W) '$(srcdir)/sagan.c'; fi` sagan-classifications.o: classifications.c @am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(sagan_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT sagan-classifications.o -MD -MP -MF 
$(DEPDIR)/sagan-classifications.Tpo -c -o sagan-classifications.o `test -f 'classifications.c' || echo '$(srcdir)/'`classifications.c @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/sagan-classifications.Tpo $(DEPDIR)/sagan-classifications.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='classifications.c' object='sagan-classifications.o' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(sagan_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o sagan-classifications.o `test -f 'classifications.c' || echo '$(srcdir)/'`classifications.c sagan-classifications.obj: classifications.c @am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(sagan_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT sagan-classifications.obj -MD -MP -MF $(DEPDIR)/sagan-classifications.Tpo -c -o sagan-classifications.obj `if test -f 'classifications.c'; then $(CYGPATH_W) 'classifications.c'; else $(CYGPATH_W) '$(srcdir)/classifications.c'; fi` @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/sagan-classifications.Tpo $(DEPDIR)/sagan-classifications.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='classifications.c' object='sagan-classifications.obj' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(sagan_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o sagan-classifications.obj `if test -f 'classifications.c'; then $(CYGPATH_W) 'classifications.c'; else $(CYGPATH_W) '$(srcdir)/classifications.c'; fi` sagan-config-yaml.o: config-yaml.c @am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(sagan_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT sagan-config-yaml.o -MD -MP -MF $(DEPDIR)/sagan-config-yaml.Tpo -c -o 
sagan-config-yaml.o `test -f 'config-yaml.c' || echo '$(srcdir)/'`config-yaml.c @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/sagan-config-yaml.Tpo $(DEPDIR)/sagan-config-yaml.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='config-yaml.c' object='sagan-config-yaml.o' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(sagan_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o sagan-config-yaml.o `test -f 'config-yaml.c' || echo '$(srcdir)/'`config-yaml.c sagan-config-yaml.obj: config-yaml.c @am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(sagan_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT sagan-config-yaml.obj -MD -MP -MF $(DEPDIR)/sagan-config-yaml.Tpo -c -o sagan-config-yaml.obj `if test -f 'config-yaml.c'; then $(CYGPATH_W) 'config-yaml.c'; else $(CYGPATH_W) '$(srcdir)/config-yaml.c'; fi` @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/sagan-config-yaml.Tpo $(DEPDIR)/sagan-config-yaml.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='config-yaml.c' object='sagan-config-yaml.obj' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(sagan_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o sagan-config-yaml.obj `if test -f 'config-yaml.c'; then $(CYGPATH_W) 'config-yaml.c'; else $(CYGPATH_W) '$(srcdir)/config-yaml.c'; fi` sagan-lockfile.o: lockfile.c @am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(sagan_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT sagan-lockfile.o -MD -MP -MF $(DEPDIR)/sagan-lockfile.Tpo -c -o sagan-lockfile.o `test -f 'lockfile.c' || echo '$(srcdir)/'`lockfile.c @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/sagan-lockfile.Tpo 
$(DEPDIR)/sagan-lockfile.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='lockfile.c' object='sagan-lockfile.o' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(sagan_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o sagan-lockfile.o `test -f 'lockfile.c' || echo '$(srcdir)/'`lockfile.c sagan-lockfile.obj: lockfile.c @am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(sagan_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT sagan-lockfile.obj -MD -MP -MF $(DEPDIR)/sagan-lockfile.Tpo -c -o sagan-lockfile.obj `if test -f 'lockfile.c'; then $(CYGPATH_W) 'lockfile.c'; else $(CYGPATH_W) '$(srcdir)/lockfile.c'; fi` @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/sagan-lockfile.Tpo $(DEPDIR)/sagan-lockfile.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='lockfile.c' object='sagan-lockfile.obj' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(sagan_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o sagan-lockfile.obj `if test -f 'lockfile.c'; then $(CYGPATH_W) 'lockfile.c'; else $(CYGPATH_W) '$(srcdir)/lockfile.c'; fi` sagan-references.o: references.c @am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(sagan_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT sagan-references.o -MD -MP -MF $(DEPDIR)/sagan-references.Tpo -c -o sagan-references.o `test -f 'references.c' || echo '$(srcdir)/'`references.c @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/sagan-references.Tpo $(DEPDIR)/sagan-references.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='references.c' object='sagan-references.o' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) 
$(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(sagan_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o sagan-references.o `test -f 'references.c' || echo '$(srcdir)/'`references.c sagan-references.obj: references.c @am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(sagan_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT sagan-references.obj -MD -MP -MF $(DEPDIR)/sagan-references.Tpo -c -o sagan-references.obj `if test -f 'references.c'; then $(CYGPATH_W) 'references.c'; else $(CYGPATH_W) '$(srcdir)/references.c'; fi` @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/sagan-references.Tpo $(DEPDIR)/sagan-references.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='references.c' object='sagan-references.obj' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(sagan_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o sagan-references.obj `if test -f 'references.c'; then $(CYGPATH_W) 'references.c'; else $(CYGPATH_W) '$(srcdir)/references.c'; fi` sagan-rules.o: rules.c @am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(sagan_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT sagan-rules.o -MD -MP -MF $(DEPDIR)/sagan-rules.Tpo -c -o sagan-rules.o `test -f 'rules.c' || echo '$(srcdir)/'`rules.c @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/sagan-rules.Tpo $(DEPDIR)/sagan-rules.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='rules.c' object='sagan-rules.o' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(sagan_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o sagan-rules.o `test -f 'rules.c' || echo 
'$(srcdir)/'`rules.c sagan-rules.obj: rules.c @am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(sagan_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT sagan-rules.obj -MD -MP -MF $(DEPDIR)/sagan-rules.Tpo -c -o sagan-rules.obj `if test -f 'rules.c'; then $(CYGPATH_W) 'rules.c'; else $(CYGPATH_W) '$(srcdir)/rules.c'; fi` @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/sagan-rules.Tpo $(DEPDIR)/sagan-rules.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='rules.c' object='sagan-rules.obj' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(sagan_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o sagan-rules.obj `if test -f 'rules.c'; then $(CYGPATH_W) 'rules.c'; else $(CYGPATH_W) '$(srcdir)/rules.c'; fi` sagan-signal-handler.o: signal-handler.c @am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(sagan_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT sagan-signal-handler.o -MD -MP -MF $(DEPDIR)/sagan-signal-handler.Tpo -c -o sagan-signal-handler.o `test -f 'signal-handler.c' || echo '$(srcdir)/'`signal-handler.c @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/sagan-signal-handler.Tpo $(DEPDIR)/sagan-signal-handler.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='signal-handler.c' object='sagan-signal-handler.o' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(sagan_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o sagan-signal-handler.o `test -f 'signal-handler.c' || echo '$(srcdir)/'`signal-handler.c sagan-signal-handler.obj: signal-handler.c @am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(sagan_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT 
sagan-signal-handler.obj -MD -MP -MF $(DEPDIR)/sagan-signal-handler.Tpo -c -o sagan-signal-handler.obj `if test -f 'signal-handler.c'; then $(CYGPATH_W) 'signal-handler.c'; else $(CYGPATH_W) '$(srcdir)/signal-handler.c'; fi` @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/sagan-signal-handler.Tpo $(DEPDIR)/sagan-signal-handler.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='signal-handler.c' object='sagan-signal-handler.obj' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(sagan_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o sagan-signal-handler.obj `if test -f 'signal-handler.c'; then $(CYGPATH_W) 'signal-handler.c'; else $(CYGPATH_W) '$(srcdir)/signal-handler.c'; fi` sagan-key.o: key.c @am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(sagan_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT sagan-key.o -MD -MP -MF $(DEPDIR)/sagan-key.Tpo -c -o sagan-key.o `test -f 'key.c' || echo '$(srcdir)/'`key.c @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/sagan-key.Tpo $(DEPDIR)/sagan-key.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='key.c' object='sagan-key.o' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(sagan_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o sagan-key.o `test -f 'key.c' || echo '$(srcdir)/'`key.c sagan-key.obj: key.c @am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(sagan_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT sagan-key.obj -MD -MP -MF $(DEPDIR)/sagan-key.Tpo -c -o sagan-key.obj `if test -f 'key.c'; then $(CYGPATH_W) 'key.c'; else $(CYGPATH_W) '$(srcdir)/key.c'; fi` @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/sagan-key.Tpo 
$(DEPDIR)/sagan-key.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='key.c' object='sagan-key.obj' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(sagan_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o sagan-key.obj `if test -f 'key.c'; then $(CYGPATH_W) 'key.c'; else $(CYGPATH_W) '$(srcdir)/key.c'; fi` sagan-stats.o: stats.c @am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(sagan_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT sagan-stats.o -MD -MP -MF $(DEPDIR)/sagan-stats.Tpo -c -o sagan-stats.o `test -f 'stats.c' || echo '$(srcdir)/'`stats.c @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/sagan-stats.Tpo $(DEPDIR)/sagan-stats.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='stats.c' object='sagan-stats.o' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(sagan_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o sagan-stats.o `test -f 'stats.c' || echo '$(srcdir)/'`stats.c sagan-stats.obj: stats.c @am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(sagan_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT sagan-stats.obj -MD -MP -MF $(DEPDIR)/sagan-stats.Tpo -c -o sagan-stats.obj `if test -f 'stats.c'; then $(CYGPATH_W) 'stats.c'; else $(CYGPATH_W) '$(srcdir)/stats.c'; fi` @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/sagan-stats.Tpo $(DEPDIR)/sagan-stats.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='stats.c' object='sagan-stats.obj' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(sagan_CPPFLAGS) 
$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o sagan-stats.obj `if test -f 'stats.c'; then $(CYGPATH_W) 'stats.c'; else $(CYGPATH_W) '$(srcdir)/stats.c'; fi` sagan-usage.o: usage.c @am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(sagan_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT sagan-usage.o -MD -MP -MF $(DEPDIR)/sagan-usage.Tpo -c -o sagan-usage.o `test -f 'usage.c' || echo '$(srcdir)/'`usage.c @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/sagan-usage.Tpo $(DEPDIR)/sagan-usage.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='usage.c' object='sagan-usage.o' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(sagan_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o sagan-usage.o `test -f 'usage.c' || echo '$(srcdir)/'`usage.c sagan-usage.obj: usage.c @am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(sagan_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT sagan-usage.obj -MD -MP -MF $(DEPDIR)/sagan-usage.Tpo -c -o sagan-usage.obj `if test -f 'usage.c'; then $(CYGPATH_W) 'usage.c'; else $(CYGPATH_W) '$(srcdir)/usage.c'; fi` @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/sagan-usage.Tpo $(DEPDIR)/sagan-usage.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='usage.c' object='sagan-usage.obj' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(sagan_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o sagan-usage.obj `if test -f 'usage.c'; then $(CYGPATH_W) 'usage.c'; else $(CYGPATH_W) '$(srcdir)/usage.c'; fi` sagan-plog.o: plog.c @am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(sagan_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT sagan-plog.o -MD -MP 
-MF $(DEPDIR)/sagan-plog.Tpo -c -o sagan-plog.o `test -f 'plog.c' || echo '$(srcdir)/'`plog.c @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/sagan-plog.Tpo $(DEPDIR)/sagan-plog.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='plog.c' object='sagan-plog.o' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(sagan_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o sagan-plog.o `test -f 'plog.c' || echo '$(srcdir)/'`plog.c sagan-plog.obj: plog.c @am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(sagan_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT sagan-plog.obj -MD -MP -MF $(DEPDIR)/sagan-plog.Tpo -c -o sagan-plog.obj `if test -f 'plog.c'; then $(CYGPATH_W) 'plog.c'; else $(CYGPATH_W) '$(srcdir)/plog.c'; fi` @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/sagan-plog.Tpo $(DEPDIR)/sagan-plog.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='plog.c' object='sagan-plog.obj' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(sagan_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o sagan-plog.obj `if test -f 'plog.c'; then $(CYGPATH_W) 'plog.c'; else $(CYGPATH_W) '$(srcdir)/plog.c'; fi` sagan-output.o: output.c @am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(sagan_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT sagan-output.o -MD -MP -MF $(DEPDIR)/sagan-output.Tpo -c -o sagan-output.o `test -f 'output.c' || echo '$(srcdir)/'`output.c @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/sagan-output.Tpo $(DEPDIR)/sagan-output.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='output.c' object='sagan-output.o' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ 
DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(sagan_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o sagan-output.o `test -f 'output.c' || echo '$(srcdir)/'`output.c sagan-output.obj: output.c @am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(sagan_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT sagan-output.obj -MD -MP -MF $(DEPDIR)/sagan-output.Tpo -c -o sagan-output.obj `if test -f 'output.c'; then $(CYGPATH_W) 'output.c'; else $(CYGPATH_W) '$(srcdir)/output.c'; fi` @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/sagan-output.Tpo $(DEPDIR)/sagan-output.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='output.c' object='sagan-output.obj' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(sagan_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o sagan-output.obj `if test -f 'output.c'; then $(CYGPATH_W) 'output.c'; else $(CYGPATH_W) '$(srcdir)/output.c'; fi` sagan-processor.o: processor.c @am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(sagan_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT sagan-processor.o -MD -MP -MF $(DEPDIR)/sagan-processor.Tpo -c -o sagan-processor.o `test -f 'processor.c' || echo '$(srcdir)/'`processor.c @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/sagan-processor.Tpo $(DEPDIR)/sagan-processor.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='processor.c' object='sagan-processor.o' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(sagan_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o sagan-processor.o `test -f 'processor.c' || echo 
'$(srcdir)/'`processor.c sagan-processor.obj: processor.c @am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(sagan_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT sagan-processor.obj -MD -MP -MF $(DEPDIR)/sagan-processor.Tpo -c -o sagan-processor.obj `if test -f 'processor.c'; then $(CYGPATH_W) 'processor.c'; else $(CYGPATH_W) '$(srcdir)/processor.c'; fi` @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/sagan-processor.Tpo $(DEPDIR)/sagan-processor.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='processor.c' object='sagan-processor.obj' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(sagan_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o sagan-processor.obj `if test -f 'processor.c'; then $(CYGPATH_W) 'processor.c'; else $(CYGPATH_W) '$(srcdir)/processor.c'; fi` sagan-gen-msg.o: gen-msg.c @am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(sagan_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT sagan-gen-msg.o -MD -MP -MF $(DEPDIR)/sagan-gen-msg.Tpo -c -o sagan-gen-msg.o `test -f 'gen-msg.c' || echo '$(srcdir)/'`gen-msg.c @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/sagan-gen-msg.Tpo $(DEPDIR)/sagan-gen-msg.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='gen-msg.c' object='sagan-gen-msg.o' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(sagan_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o sagan-gen-msg.o `test -f 'gen-msg.c' || echo '$(srcdir)/'`gen-msg.c sagan-gen-msg.obj: gen-msg.c @am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(sagan_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT sagan-gen-msg.obj -MD -MP -MF 
$(DEPDIR)/sagan-gen-msg.Tpo -c -o sagan-gen-msg.obj `if test -f 'gen-msg.c'; then $(CYGPATH_W) 'gen-msg.c'; else $(CYGPATH_W) '$(srcdir)/gen-msg.c'; fi` @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/sagan-gen-msg.Tpo $(DEPDIR)/sagan-gen-msg.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='gen-msg.c' object='sagan-gen-msg.obj' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(sagan_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o sagan-gen-msg.obj `if test -f 'gen-msg.c'; then $(CYGPATH_W) 'gen-msg.c'; else $(CYGPATH_W) '$(srcdir)/gen-msg.c'; fi` sagan-liblognormalize.o: liblognormalize.c @am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(sagan_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT sagan-liblognormalize.o -MD -MP -MF $(DEPDIR)/sagan-liblognormalize.Tpo -c -o sagan-liblognormalize.o `test -f 'liblognormalize.c' || echo '$(srcdir)/'`liblognormalize.c @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/sagan-liblognormalize.Tpo $(DEPDIR)/sagan-liblognormalize.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='liblognormalize.c' object='sagan-liblognormalize.o' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(sagan_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o sagan-liblognormalize.o `test -f 'liblognormalize.c' || echo '$(srcdir)/'`liblognormalize.c sagan-liblognormalize.obj: liblognormalize.c @am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(sagan_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT sagan-liblognormalize.obj -MD -MP -MF $(DEPDIR)/sagan-liblognormalize.Tpo -c -o sagan-liblognormalize.obj `if test -f 'liblognormalize.c'; then $(CYGPATH_W) 
'liblognormalize.c'; else $(CYGPATH_W) '$(srcdir)/liblognormalize.c'; fi` @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/sagan-liblognormalize.Tpo $(DEPDIR)/sagan-liblognormalize.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='liblognormalize.c' object='sagan-liblognormalize.obj' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(sagan_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o sagan-liblognormalize.obj `if test -f 'liblognormalize.c'; then $(CYGPATH_W) 'liblognormalize.c'; else $(CYGPATH_W) '$(srcdir)/liblognormalize.c'; fi` sagan-ignore-list.o: ignore-list.c @am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(sagan_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT sagan-ignore-list.o -MD -MP -MF $(DEPDIR)/sagan-ignore-list.Tpo -c -o sagan-ignore-list.o `test -f 'ignore-list.c' || echo '$(srcdir)/'`ignore-list.c @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/sagan-ignore-list.Tpo $(DEPDIR)/sagan-ignore-list.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='ignore-list.c' object='sagan-ignore-list.o' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(sagan_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o sagan-ignore-list.o `test -f 'ignore-list.c' || echo '$(srcdir)/'`ignore-list.c sagan-ignore-list.obj: ignore-list.c @am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(sagan_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT sagan-ignore-list.obj -MD -MP -MF $(DEPDIR)/sagan-ignore-list.Tpo -c -o sagan-ignore-list.obj `if test -f 'ignore-list.c'; then $(CYGPATH_W) 'ignore-list.c'; else $(CYGPATH_W) '$(srcdir)/ignore-list.c'; fi` @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) 
$(DEPDIR)/sagan-ignore-list.Tpo $(DEPDIR)/sagan-ignore-list.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='ignore-list.c' object='sagan-ignore-list.obj' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(sagan_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o sagan-ignore-list.obj `if test -f 'ignore-list.c'; then $(CYGPATH_W) 'ignore-list.c'; else $(CYGPATH_W) '$(srcdir)/ignore-list.c'; fi` sagan-send-alert.o: send-alert.c @am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(sagan_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT sagan-send-alert.o -MD -MP -MF $(DEPDIR)/sagan-send-alert.Tpo -c -o sagan-send-alert.o `test -f 'send-alert.c' || echo '$(srcdir)/'`send-alert.c @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/sagan-send-alert.Tpo $(DEPDIR)/sagan-send-alert.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='send-alert.c' object='sagan-send-alert.o' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(sagan_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o sagan-send-alert.o `test -f 'send-alert.c' || echo '$(srcdir)/'`send-alert.c sagan-send-alert.obj: send-alert.c @am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(sagan_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT sagan-send-alert.obj -MD -MP -MF $(DEPDIR)/sagan-send-alert.Tpo -c -o sagan-send-alert.obj `if test -f 'send-alert.c'; then $(CYGPATH_W) 'send-alert.c'; else $(CYGPATH_W) '$(srcdir)/send-alert.c'; fi` @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/sagan-send-alert.Tpo $(DEPDIR)/sagan-send-alert.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='send-alert.c' object='sagan-send-alert.obj' libtool=no 
@AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(sagan_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o sagan-send-alert.obj `if test -f 'send-alert.c'; then $(CYGPATH_W) 'send-alert.c'; else $(CYGPATH_W) '$(srcdir)/send-alert.c'; fi` sagan-credits.o: credits.c @am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(sagan_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT sagan-credits.o -MD -MP -MF $(DEPDIR)/sagan-credits.Tpo -c -o sagan-credits.o `test -f 'credits.c' || echo '$(srcdir)/'`credits.c @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/sagan-credits.Tpo $(DEPDIR)/sagan-credits.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='credits.c' object='sagan-credits.o' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(sagan_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o sagan-credits.o `test -f 'credits.c' || echo '$(srcdir)/'`credits.c sagan-credits.obj: credits.c @am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(sagan_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT sagan-credits.obj -MD -MP -MF $(DEPDIR)/sagan-credits.Tpo -c -o sagan-credits.obj `if test -f 'credits.c'; then $(CYGPATH_W) 'credits.c'; else $(CYGPATH_W) '$(srcdir)/credits.c'; fi` @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/sagan-credits.Tpo $(DEPDIR)/sagan-credits.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='credits.c' object='sagan-credits.obj' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(sagan_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o 
sagan-credits.obj `if test -f 'credits.c'; then $(CYGPATH_W) 'credits.c'; else $(CYGPATH_W) '$(srcdir)/credits.c'; fi` sagan-protocol-map.o: protocol-map.c @am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(sagan_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT sagan-protocol-map.o -MD -MP -MF $(DEPDIR)/sagan-protocol-map.Tpo -c -o sagan-protocol-map.o `test -f 'protocol-map.c' || echo '$(srcdir)/'`protocol-map.c @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/sagan-protocol-map.Tpo $(DEPDIR)/sagan-protocol-map.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='protocol-map.c' object='sagan-protocol-map.o' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(sagan_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o sagan-protocol-map.o `test -f 'protocol-map.c' || echo '$(srcdir)/'`protocol-map.c sagan-protocol-map.obj: protocol-map.c @am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(sagan_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT sagan-protocol-map.obj -MD -MP -MF $(DEPDIR)/sagan-protocol-map.Tpo -c -o sagan-protocol-map.obj `if test -f 'protocol-map.c'; then $(CYGPATH_W) 'protocol-map.c'; else $(CYGPATH_W) '$(srcdir)/protocol-map.c'; fi` @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/sagan-protocol-map.Tpo $(DEPDIR)/sagan-protocol-map.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='protocol-map.c' object='sagan-protocol-map.obj' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(sagan_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o sagan-protocol-map.obj `if test -f 'protocol-map.c'; then $(CYGPATH_W) 'protocol-map.c'; else $(CYGPATH_W) '$(srcdir)/protocol-map.c'; fi` 
sagan-geoip2.o: geoip2.c @am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(sagan_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT sagan-geoip2.o -MD -MP -MF $(DEPDIR)/sagan-geoip2.Tpo -c -o sagan-geoip2.o `test -f 'geoip2.c' || echo '$(srcdir)/'`geoip2.c @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/sagan-geoip2.Tpo $(DEPDIR)/sagan-geoip2.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='geoip2.c' object='sagan-geoip2.o' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(sagan_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o sagan-geoip2.o `test -f 'geoip2.c' || echo '$(srcdir)/'`geoip2.c sagan-geoip2.obj: geoip2.c @am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(sagan_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT sagan-geoip2.obj -MD -MP -MF $(DEPDIR)/sagan-geoip2.Tpo -c -o sagan-geoip2.obj `if test -f 'geoip2.c'; then $(CYGPATH_W) 'geoip2.c'; else $(CYGPATH_W) '$(srcdir)/geoip2.c'; fi` @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/sagan-geoip2.Tpo $(DEPDIR)/sagan-geoip2.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='geoip2.c' object='sagan-geoip2.obj' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(sagan_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o sagan-geoip2.obj `if test -f 'geoip2.c'; then $(CYGPATH_W) 'geoip2.c'; else $(CYGPATH_W) '$(srcdir)/geoip2.c'; fi` sagan-meta-content.o: meta-content.c @am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(sagan_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT sagan-meta-content.o -MD -MP -MF $(DEPDIR)/sagan-meta-content.Tpo -c -o sagan-meta-content.o `test -f 'meta-content.c' || echo 
'$(srcdir)/'`meta-content.c @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/sagan-meta-content.Tpo $(DEPDIR)/sagan-meta-content.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='meta-content.c' object='sagan-meta-content.o' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(sagan_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o sagan-meta-content.o `test -f 'meta-content.c' || echo '$(srcdir)/'`meta-content.c sagan-meta-content.obj: meta-content.c @am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(sagan_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT sagan-meta-content.obj -MD -MP -MF $(DEPDIR)/sagan-meta-content.Tpo -c -o sagan-meta-content.obj `if test -f 'meta-content.c'; then $(CYGPATH_W) 'meta-content.c'; else $(CYGPATH_W) '$(srcdir)/meta-content.c'; fi` @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/sagan-meta-content.Tpo $(DEPDIR)/sagan-meta-content.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='meta-content.c' object='sagan-meta-content.obj' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(sagan_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o sagan-meta-content.obj `if test -f 'meta-content.c'; then $(CYGPATH_W) 'meta-content.c'; else $(CYGPATH_W) '$(srcdir)/meta-content.c'; fi` sagan-redis.o: redis.c @am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(sagan_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT sagan-redis.o -MD -MP -MF $(DEPDIR)/sagan-redis.Tpo -c -o sagan-redis.o `test -f 'redis.c' || echo '$(srcdir)/'`redis.c @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/sagan-redis.Tpo $(DEPDIR)/sagan-redis.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ 
$(AM_V_CC)source='redis.c' object='sagan-redis.o' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(sagan_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o sagan-redis.o `test -f 'redis.c' || echo '$(srcdir)/'`redis.c sagan-redis.obj: redis.c @am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(sagan_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT sagan-redis.obj -MD -MP -MF $(DEPDIR)/sagan-redis.Tpo -c -o sagan-redis.obj `if test -f 'redis.c'; then $(CYGPATH_W) 'redis.c'; else $(CYGPATH_W) '$(srcdir)/redis.c'; fi` @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/sagan-redis.Tpo $(DEPDIR)/sagan-redis.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='redis.c' object='sagan-redis.obj' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(sagan_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o sagan-redis.obj `if test -f 'redis.c'; then $(CYGPATH_W) 'redis.c'; else $(CYGPATH_W) '$(srcdir)/redis.c'; fi` sagan-xbit.o: xbit.c @am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(sagan_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT sagan-xbit.o -MD -MP -MF $(DEPDIR)/sagan-xbit.Tpo -c -o sagan-xbit.o `test -f 'xbit.c' || echo '$(srcdir)/'`xbit.c @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/sagan-xbit.Tpo $(DEPDIR)/sagan-xbit.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='xbit.c' object='sagan-xbit.o' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(sagan_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o sagan-xbit.o `test -f 
'xbit.c' || echo '$(srcdir)/'`xbit.c sagan-xbit.obj: xbit.c @am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(sagan_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT sagan-xbit.obj -MD -MP -MF $(DEPDIR)/sagan-xbit.Tpo -c -o sagan-xbit.obj `if test -f 'xbit.c'; then $(CYGPATH_W) 'xbit.c'; else $(CYGPATH_W) '$(srcdir)/xbit.c'; fi` @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/sagan-xbit.Tpo $(DEPDIR)/sagan-xbit.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='xbit.c' object='sagan-xbit.obj' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(sagan_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o sagan-xbit.obj `if test -f 'xbit.c'; then $(CYGPATH_W) 'xbit.c'; else $(CYGPATH_W) '$(srcdir)/xbit.c'; fi` sagan-xbit-mmap.o: xbit-mmap.c @am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(sagan_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT sagan-xbit-mmap.o -MD -MP -MF $(DEPDIR)/sagan-xbit-mmap.Tpo -c -o sagan-xbit-mmap.o `test -f 'xbit-mmap.c' || echo '$(srcdir)/'`xbit-mmap.c @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/sagan-xbit-mmap.Tpo $(DEPDIR)/sagan-xbit-mmap.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='xbit-mmap.c' object='sagan-xbit-mmap.o' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(sagan_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o sagan-xbit-mmap.o `test -f 'xbit-mmap.c' || echo '$(srcdir)/'`xbit-mmap.c sagan-xbit-mmap.obj: xbit-mmap.c @am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(sagan_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT sagan-xbit-mmap.obj -MD -MP -MF $(DEPDIR)/sagan-xbit-mmap.Tpo -c -o 
sagan-xbit-mmap.obj `if test -f 'xbit-mmap.c'; then $(CYGPATH_W) 'xbit-mmap.c'; else $(CYGPATH_W) '$(srcdir)/xbit-mmap.c'; fi` @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/sagan-xbit-mmap.Tpo $(DEPDIR)/sagan-xbit-mmap.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='xbit-mmap.c' object='sagan-xbit-mmap.obj' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(sagan_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o sagan-xbit-mmap.obj `if test -f 'xbit-mmap.c'; then $(CYGPATH_W) 'xbit-mmap.c'; else $(CYGPATH_W) '$(srcdir)/xbit-mmap.c'; fi` sagan-xbit-redis.o: xbit-redis.c @am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(sagan_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT sagan-xbit-redis.o -MD -MP -MF $(DEPDIR)/sagan-xbit-redis.Tpo -c -o sagan-xbit-redis.o `test -f 'xbit-redis.c' || echo '$(srcdir)/'`xbit-redis.c @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/sagan-xbit-redis.Tpo $(DEPDIR)/sagan-xbit-redis.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='xbit-redis.c' object='sagan-xbit-redis.o' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(sagan_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o sagan-xbit-redis.o `test -f 'xbit-redis.c' || echo '$(srcdir)/'`xbit-redis.c sagan-xbit-redis.obj: xbit-redis.c @am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(sagan_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT sagan-xbit-redis.obj -MD -MP -MF $(DEPDIR)/sagan-xbit-redis.Tpo -c -o sagan-xbit-redis.obj `if test -f 'xbit-redis.c'; then $(CYGPATH_W) 'xbit-redis.c'; else $(CYGPATH_W) '$(srcdir)/xbit-redis.c'; fi` @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) 
$(DEPDIR)/sagan-xbit-redis.Tpo $(DEPDIR)/sagan-xbit-redis.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='xbit-redis.c' object='sagan-xbit-redis.obj' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(sagan_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o sagan-xbit-redis.obj `if test -f 'xbit-redis.c'; then $(CYGPATH_W) 'xbit-redis.c'; else $(CYGPATH_W) '$(srcdir)/xbit-redis.c'; fi` sagan-flow.o: flow.c @am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(sagan_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT sagan-flow.o -MD -MP -MF $(DEPDIR)/sagan-flow.Tpo -c -o sagan-flow.o `test -f 'flow.c' || echo '$(srcdir)/'`flow.c @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/sagan-flow.Tpo $(DEPDIR)/sagan-flow.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='flow.c' object='sagan-flow.o' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(sagan_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o sagan-flow.o `test -f 'flow.c' || echo '$(srcdir)/'`flow.c sagan-flow.obj: flow.c @am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(sagan_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT sagan-flow.obj -MD -MP -MF $(DEPDIR)/sagan-flow.Tpo -c -o sagan-flow.obj `if test -f 'flow.c'; then $(CYGPATH_W) 'flow.c'; else $(CYGPATH_W) '$(srcdir)/flow.c'; fi` @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/sagan-flow.Tpo $(DEPDIR)/sagan-flow.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='flow.c' object='sagan-flow.obj' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) 
$(DEFAULT_INCLUDES) $(INCLUDES) $(sagan_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o sagan-flow.obj `if test -f 'flow.c'; then $(CYGPATH_W) 'flow.c'; else $(CYGPATH_W) '$(srcdir)/flow.c'; fi` sagan-aetas.o: aetas.c @am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(sagan_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT sagan-aetas.o -MD -MP -MF $(DEPDIR)/sagan-aetas.Tpo -c -o sagan-aetas.o `test -f 'aetas.c' || echo '$(srcdir)/'`aetas.c @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/sagan-aetas.Tpo $(DEPDIR)/sagan-aetas.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='aetas.c' object='sagan-aetas.o' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(sagan_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o sagan-aetas.o `test -f 'aetas.c' || echo '$(srcdir)/'`aetas.c sagan-aetas.obj: aetas.c @am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(sagan_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT sagan-aetas.obj -MD -MP -MF $(DEPDIR)/sagan-aetas.Tpo -c -o sagan-aetas.obj `if test -f 'aetas.c'; then $(CYGPATH_W) 'aetas.c'; else $(CYGPATH_W) '$(srcdir)/aetas.c'; fi` @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/sagan-aetas.Tpo $(DEPDIR)/sagan-aetas.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='aetas.c' object='sagan-aetas.obj' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(sagan_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o sagan-aetas.obj `if test -f 'aetas.c'; then $(CYGPATH_W) 'aetas.c'; else $(CYGPATH_W) '$(srcdir)/aetas.c'; fi` sagan-ipc.o: ipc.c @am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(sagan_CPPFLAGS) $(CPPFLAGS) 
$(AM_CFLAGS) $(CFLAGS) -MT sagan-ipc.o -MD -MP -MF $(DEPDIR)/sagan-ipc.Tpo -c -o sagan-ipc.o `test -f 'ipc.c' || echo '$(srcdir)/'`ipc.c @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/sagan-ipc.Tpo $(DEPDIR)/sagan-ipc.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='ipc.c' object='sagan-ipc.o' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(sagan_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o sagan-ipc.o `test -f 'ipc.c' || echo '$(srcdir)/'`ipc.c sagan-ipc.obj: ipc.c @am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(sagan_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT sagan-ipc.obj -MD -MP -MF $(DEPDIR)/sagan-ipc.Tpo -c -o sagan-ipc.obj `if test -f 'ipc.c'; then $(CYGPATH_W) 'ipc.c'; else $(CYGPATH_W) '$(srcdir)/ipc.c'; fi` @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/sagan-ipc.Tpo $(DEPDIR)/sagan-ipc.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='ipc.c' object='sagan-ipc.obj' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(sagan_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o sagan-ipc.obj `if test -f 'ipc.c'; then $(CYGPATH_W) 'ipc.c'; else $(CYGPATH_W) '$(srcdir)/ipc.c'; fi` sagan-util.o: util.c @am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(sagan_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT sagan-util.o -MD -MP -MF $(DEPDIR)/sagan-util.Tpo -c -o sagan-util.o `test -f 'util.c' || echo '$(srcdir)/'`util.c @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/sagan-util.Tpo $(DEPDIR)/sagan-util.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='util.c' object='sagan-util.o' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ 
DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(sagan_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o sagan-util.o `test -f 'util.c' || echo '$(srcdir)/'`util.c sagan-util.obj: util.c @am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(sagan_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT sagan-util.obj -MD -MP -MF $(DEPDIR)/sagan-util.Tpo -c -o sagan-util.obj `if test -f 'util.c'; then $(CYGPATH_W) 'util.c'; else $(CYGPATH_W) '$(srcdir)/util.c'; fi` @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/sagan-util.Tpo $(DEPDIR)/sagan-util.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='util.c' object='sagan-util.obj' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(sagan_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o sagan-util.obj `if test -f 'util.c'; then $(CYGPATH_W) 'util.c'; else $(CYGPATH_W) '$(srcdir)/util.c'; fi` sagan-after.o: after.c @am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(sagan_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT sagan-after.o -MD -MP -MF $(DEPDIR)/sagan-after.Tpo -c -o sagan-after.o `test -f 'after.c' || echo '$(srcdir)/'`after.c @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/sagan-after.Tpo $(DEPDIR)/sagan-after.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='after.c' object='sagan-after.o' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(sagan_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o sagan-after.o `test -f 'after.c' || echo '$(srcdir)/'`after.c sagan-after.obj: after.c @am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) 
$(DEFAULT_INCLUDES) $(INCLUDES) $(sagan_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT sagan-after.obj -MD -MP -MF $(DEPDIR)/sagan-after.Tpo -c -o sagan-after.obj `if test -f 'after.c'; then $(CYGPATH_W) 'after.c'; else $(CYGPATH_W) '$(srcdir)/after.c'; fi` @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/sagan-after.Tpo $(DEPDIR)/sagan-after.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='after.c' object='sagan-after.obj' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(sagan_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o sagan-after.obj `if test -f 'after.c'; then $(CYGPATH_W) 'after.c'; else $(CYGPATH_W) '$(srcdir)/after.c'; fi` sagan-threshold.o: threshold.c @am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(sagan_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT sagan-threshold.o -MD -MP -MF $(DEPDIR)/sagan-threshold.Tpo -c -o sagan-threshold.o `test -f 'threshold.c' || echo '$(srcdir)/'`threshold.c @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/sagan-threshold.Tpo $(DEPDIR)/sagan-threshold.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='threshold.c' object='sagan-threshold.o' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(sagan_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o sagan-threshold.o `test -f 'threshold.c' || echo '$(srcdir)/'`threshold.c sagan-threshold.obj: threshold.c @am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(sagan_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT sagan-threshold.obj -MD -MP -MF $(DEPDIR)/sagan-threshold.Tpo -c -o sagan-threshold.obj `if test -f 'threshold.c'; then $(CYGPATH_W) 'threshold.c'; else $(CYGPATH_W) 
'$(srcdir)/threshold.c'; fi` @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/sagan-threshold.Tpo $(DEPDIR)/sagan-threshold.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='threshold.c' object='sagan-threshold.obj' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(sagan_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o sagan-threshold.obj `if test -f 'threshold.c'; then $(CYGPATH_W) 'threshold.c'; else $(CYGPATH_W) '$(srcdir)/threshold.c'; fi` sagan-util-time.o: util-time.c @am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(sagan_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT sagan-util-time.o -MD -MP -MF $(DEPDIR)/sagan-util-time.Tpo -c -o sagan-util-time.o `test -f 'util-time.c' || echo '$(srcdir)/'`util-time.c @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/sagan-util-time.Tpo $(DEPDIR)/sagan-util-time.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='util-time.c' object='sagan-util-time.o' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(sagan_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o sagan-util-time.o `test -f 'util-time.c' || echo '$(srcdir)/'`util-time.c sagan-util-time.obj: util-time.c @am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(sagan_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT sagan-util-time.obj -MD -MP -MF $(DEPDIR)/sagan-util-time.Tpo -c -o sagan-util-time.obj `if test -f 'util-time.c'; then $(CYGPATH_W) 'util-time.c'; else $(CYGPATH_W) '$(srcdir)/util-time.c'; fi` @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/sagan-util-time.Tpo $(DEPDIR)/sagan-util-time.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='util-time.c' 
object='sagan-util-time.obj' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(sagan_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o sagan-util-time.obj `if test -f 'util-time.c'; then $(CYGPATH_W) 'util-time.c'; else $(CYGPATH_W) '$(srcdir)/util-time.c'; fi` sagan-util-strlcpy.o: util-strlcpy.c @am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(sagan_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT sagan-util-strlcpy.o -MD -MP -MF $(DEPDIR)/sagan-util-strlcpy.Tpo -c -o sagan-util-strlcpy.o `test -f 'util-strlcpy.c' || echo '$(srcdir)/'`util-strlcpy.c @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/sagan-util-strlcpy.Tpo $(DEPDIR)/sagan-util-strlcpy.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='util-strlcpy.c' object='sagan-util-strlcpy.o' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(sagan_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o sagan-util-strlcpy.o `test -f 'util-strlcpy.c' || echo '$(srcdir)/'`util-strlcpy.c sagan-util-strlcpy.obj: util-strlcpy.c @am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(sagan_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT sagan-util-strlcpy.obj -MD -MP -MF $(DEPDIR)/sagan-util-strlcpy.Tpo -c -o sagan-util-strlcpy.obj `if test -f 'util-strlcpy.c'; then $(CYGPATH_W) 'util-strlcpy.c'; else $(CYGPATH_W) '$(srcdir)/util-strlcpy.c'; fi` @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/sagan-util-strlcpy.Tpo $(DEPDIR)/sagan-util-strlcpy.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='util-strlcpy.c' object='sagan-util-strlcpy.obj' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) 
@AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(sagan_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o sagan-util-strlcpy.obj `if test -f 'util-strlcpy.c'; then $(CYGPATH_W) 'util-strlcpy.c'; else $(CYGPATH_W) '$(srcdir)/util-strlcpy.c'; fi` sagan-util-strlcat.o: util-strlcat.c @am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(sagan_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT sagan-util-strlcat.o -MD -MP -MF $(DEPDIR)/sagan-util-strlcat.Tpo -c -o sagan-util-strlcat.o `test -f 'util-strlcat.c' || echo '$(srcdir)/'`util-strlcat.c @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/sagan-util-strlcat.Tpo $(DEPDIR)/sagan-util-strlcat.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='util-strlcat.c' object='sagan-util-strlcat.o' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(sagan_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o sagan-util-strlcat.o `test -f 'util-strlcat.c' || echo '$(srcdir)/'`util-strlcat.c sagan-util-strlcat.obj: util-strlcat.c @am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(sagan_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT sagan-util-strlcat.obj -MD -MP -MF $(DEPDIR)/sagan-util-strlcat.Tpo -c -o sagan-util-strlcat.obj `if test -f 'util-strlcat.c'; then $(CYGPATH_W) 'util-strlcat.c'; else $(CYGPATH_W) '$(srcdir)/util-strlcat.c'; fi` @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/sagan-util-strlcat.Tpo $(DEPDIR)/sagan-util-strlcat.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='util-strlcat.c' object='sagan-util-strlcat.obj' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) 
$(sagan_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o sagan-util-strlcat.obj `if test -f 'util-strlcat.c'; then $(CYGPATH_W) 'util-strlcat.c'; else $(CYGPATH_W) '$(srcdir)/util-strlcat.c'; fi` sagan-util-base64.o: util-base64.c @am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(sagan_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT sagan-util-base64.o -MD -MP -MF $(DEPDIR)/sagan-util-base64.Tpo -c -o sagan-util-base64.o `test -f 'util-base64.c' || echo '$(srcdir)/'`util-base64.c @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/sagan-util-base64.Tpo $(DEPDIR)/sagan-util-base64.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='util-base64.c' object='sagan-util-base64.o' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(sagan_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o sagan-util-base64.o `test -f 'util-base64.c' || echo '$(srcdir)/'`util-base64.c sagan-util-base64.obj: util-base64.c @am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(sagan_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT sagan-util-base64.obj -MD -MP -MF $(DEPDIR)/sagan-util-base64.Tpo -c -o sagan-util-base64.obj `if test -f 'util-base64.c'; then $(CYGPATH_W) 'util-base64.c'; else $(CYGPATH_W) '$(srcdir)/util-base64.c'; fi` @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/sagan-util-base64.Tpo $(DEPDIR)/sagan-util-base64.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='util-base64.c' object='sagan-util-base64.obj' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(sagan_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o sagan-util-base64.obj `if test -f 'util-base64.c'; then $(CYGPATH_W) 'util-base64.c'; 
else $(CYGPATH_W) '$(srcdir)/util-base64.c'; fi` sagan-json-handler.o: json-handler.c @am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(sagan_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT sagan-json-handler.o -MD -MP -MF $(DEPDIR)/sagan-json-handler.Tpo -c -o sagan-json-handler.o `test -f 'json-handler.c' || echo '$(srcdir)/'`json-handler.c @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/sagan-json-handler.Tpo $(DEPDIR)/sagan-json-handler.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='json-handler.c' object='sagan-json-handler.o' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(sagan_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o sagan-json-handler.o `test -f 'json-handler.c' || echo '$(srcdir)/'`json-handler.c sagan-json-handler.obj: json-handler.c @am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(sagan_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT sagan-json-handler.obj -MD -MP -MF $(DEPDIR)/sagan-json-handler.Tpo -c -o sagan-json-handler.obj `if test -f 'json-handler.c'; then $(CYGPATH_W) 'json-handler.c'; else $(CYGPATH_W) '$(srcdir)/json-handler.c'; fi` @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/sagan-json-handler.Tpo $(DEPDIR)/sagan-json-handler.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='json-handler.c' object='sagan-json-handler.obj' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(sagan_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o sagan-json-handler.obj `if test -f 'json-handler.c'; then $(CYGPATH_W) 'json-handler.c'; else $(CYGPATH_W) '$(srcdir)/json-handler.c'; fi` parsers/sagan-ip.o: parsers/ip.c @am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) 
$(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(sagan_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT parsers/sagan-ip.o -MD -MP -MF parsers/$(DEPDIR)/sagan-ip.Tpo -c -o parsers/sagan-ip.o `test -f 'parsers/ip.c' || echo '$(srcdir)/'`parsers/ip.c @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) parsers/$(DEPDIR)/sagan-ip.Tpo parsers/$(DEPDIR)/sagan-ip.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='parsers/ip.c' object='parsers/sagan-ip.o' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(sagan_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o parsers/sagan-ip.o `test -f 'parsers/ip.c' || echo '$(srcdir)/'`parsers/ip.c parsers/sagan-ip.obj: parsers/ip.c @am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(sagan_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT parsers/sagan-ip.obj -MD -MP -MF parsers/$(DEPDIR)/sagan-ip.Tpo -c -o parsers/sagan-ip.obj `if test -f 'parsers/ip.c'; then $(CYGPATH_W) 'parsers/ip.c'; else $(CYGPATH_W) '$(srcdir)/parsers/ip.c'; fi` @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) parsers/$(DEPDIR)/sagan-ip.Tpo parsers/$(DEPDIR)/sagan-ip.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='parsers/ip.c' object='parsers/sagan-ip.obj' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(sagan_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o parsers/sagan-ip.obj `if test -f 'parsers/ip.c'; then $(CYGPATH_W) 'parsers/ip.c'; else $(CYGPATH_W) '$(srcdir)/parsers/ip.c'; fi` parsers/sagan-port.o: parsers/port.c @am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(sagan_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT parsers/sagan-port.o -MD -MP -MF parsers/$(DEPDIR)/sagan-port.Tpo -c -o 
parsers/sagan-port.o `test -f 'parsers/port.c' || echo '$(srcdir)/'`parsers/port.c @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) parsers/$(DEPDIR)/sagan-port.Tpo parsers/$(DEPDIR)/sagan-port.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='parsers/port.c' object='parsers/sagan-port.o' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(sagan_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o parsers/sagan-port.o `test -f 'parsers/port.c' || echo '$(srcdir)/'`parsers/port.c parsers/sagan-port.obj: parsers/port.c @am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(sagan_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT parsers/sagan-port.obj -MD -MP -MF parsers/$(DEPDIR)/sagan-port.Tpo -c -o parsers/sagan-port.obj `if test -f 'parsers/port.c'; then $(CYGPATH_W) 'parsers/port.c'; else $(CYGPATH_W) '$(srcdir)/parsers/port.c'; fi` @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) parsers/$(DEPDIR)/sagan-port.Tpo parsers/$(DEPDIR)/sagan-port.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='parsers/port.c' object='parsers/sagan-port.obj' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(sagan_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o parsers/sagan-port.obj `if test -f 'parsers/port.c'; then $(CYGPATH_W) 'parsers/port.c'; else $(CYGPATH_W) '$(srcdir)/parsers/port.c'; fi` parsers/sagan-proto.o: parsers/proto.c @am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(sagan_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT parsers/sagan-proto.o -MD -MP -MF parsers/$(DEPDIR)/sagan-proto.Tpo -c -o parsers/sagan-proto.o `test -f 'parsers/proto.c' || echo '$(srcdir)/'`parsers/proto.c @am__fastdepCC_TRUE@ 
$(AM_V_at)$(am__mv) parsers/$(DEPDIR)/sagan-proto.Tpo parsers/$(DEPDIR)/sagan-proto.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='parsers/proto.c' object='parsers/sagan-proto.o' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(sagan_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o parsers/sagan-proto.o `test -f 'parsers/proto.c' || echo '$(srcdir)/'`parsers/proto.c parsers/sagan-proto.obj: parsers/proto.c @am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(sagan_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT parsers/sagan-proto.obj -MD -MP -MF parsers/$(DEPDIR)/sagan-proto.Tpo -c -o parsers/sagan-proto.obj `if test -f 'parsers/proto.c'; then $(CYGPATH_W) 'parsers/proto.c'; else $(CYGPATH_W) '$(srcdir)/parsers/proto.c'; fi` @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) parsers/$(DEPDIR)/sagan-proto.Tpo parsers/$(DEPDIR)/sagan-proto.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='parsers/proto.c' object='parsers/sagan-proto.obj' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(sagan_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o parsers/sagan-proto.obj `if test -f 'parsers/proto.c'; then $(CYGPATH_W) 'parsers/proto.c'; else $(CYGPATH_W) '$(srcdir)/parsers/proto.c'; fi` parsers/sagan-hash.o: parsers/hash.c @am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(sagan_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT parsers/sagan-hash.o -MD -MP -MF parsers/$(DEPDIR)/sagan-hash.Tpo -c -o parsers/sagan-hash.o `test -f 'parsers/hash.c' || echo '$(srcdir)/'`parsers/hash.c @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) parsers/$(DEPDIR)/sagan-hash.Tpo parsers/$(DEPDIR)/sagan-hash.Po 
@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='parsers/hash.c' object='parsers/sagan-hash.o' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(sagan_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o parsers/sagan-hash.o `test -f 'parsers/hash.c' || echo '$(srcdir)/'`parsers/hash.c parsers/sagan-hash.obj: parsers/hash.c @am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(sagan_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT parsers/sagan-hash.obj -MD -MP -MF parsers/$(DEPDIR)/sagan-hash.Tpo -c -o parsers/sagan-hash.obj `if test -f 'parsers/hash.c'; then $(CYGPATH_W) 'parsers/hash.c'; else $(CYGPATH_W) '$(srcdir)/parsers/hash.c'; fi` @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) parsers/$(DEPDIR)/sagan-hash.Tpo parsers/$(DEPDIR)/sagan-hash.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='parsers/hash.c' object='parsers/sagan-hash.obj' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(sagan_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o parsers/sagan-hash.obj `if test -f 'parsers/hash.c'; then $(CYGPATH_W) 'parsers/hash.c'; else $(CYGPATH_W) '$(srcdir)/parsers/hash.c'; fi` parsers/strstr-asm/sagan-strstr-hook.o: parsers/strstr-asm/strstr-hook.c @am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(sagan_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT parsers/strstr-asm/sagan-strstr-hook.o -MD -MP -MF parsers/strstr-asm/$(DEPDIR)/sagan-strstr-hook.Tpo -c -o parsers/strstr-asm/sagan-strstr-hook.o `test -f 'parsers/strstr-asm/strstr-hook.c' || echo '$(srcdir)/'`parsers/strstr-asm/strstr-hook.c @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) parsers/strstr-asm/$(DEPDIR)/sagan-strstr-hook.Tpo 
parsers/strstr-asm/$(DEPDIR)/sagan-strstr-hook.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='parsers/strstr-asm/strstr-hook.c' object='parsers/strstr-asm/sagan-strstr-hook.o' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(sagan_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o parsers/strstr-asm/sagan-strstr-hook.o `test -f 'parsers/strstr-asm/strstr-hook.c' || echo '$(srcdir)/'`parsers/strstr-asm/strstr-hook.c parsers/strstr-asm/sagan-strstr-hook.obj: parsers/strstr-asm/strstr-hook.c @am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(sagan_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT parsers/strstr-asm/sagan-strstr-hook.obj -MD -MP -MF parsers/strstr-asm/$(DEPDIR)/sagan-strstr-hook.Tpo -c -o parsers/strstr-asm/sagan-strstr-hook.obj `if test -f 'parsers/strstr-asm/strstr-hook.c'; then $(CYGPATH_W) 'parsers/strstr-asm/strstr-hook.c'; else $(CYGPATH_W) '$(srcdir)/parsers/strstr-asm/strstr-hook.c'; fi` @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) parsers/strstr-asm/$(DEPDIR)/sagan-strstr-hook.Tpo parsers/strstr-asm/$(DEPDIR)/sagan-strstr-hook.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='parsers/strstr-asm/strstr-hook.c' object='parsers/strstr-asm/sagan-strstr-hook.obj' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(sagan_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o parsers/strstr-asm/sagan-strstr-hook.obj `if test -f 'parsers/strstr-asm/strstr-hook.c'; then $(CYGPATH_W) 'parsers/strstr-asm/strstr-hook.c'; else $(CYGPATH_W) '$(srcdir)/parsers/strstr-asm/strstr-hook.c'; fi` output-plugins/sagan-alert.o: output-plugins/alert.c @am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) 
$(INCLUDES) $(sagan_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT output-plugins/sagan-alert.o -MD -MP -MF output-plugins/$(DEPDIR)/sagan-alert.Tpo -c -o output-plugins/sagan-alert.o `test -f 'output-plugins/alert.c' || echo '$(srcdir)/'`output-plugins/alert.c @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) output-plugins/$(DEPDIR)/sagan-alert.Tpo output-plugins/$(DEPDIR)/sagan-alert.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='output-plugins/alert.c' object='output-plugins/sagan-alert.o' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(sagan_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o output-plugins/sagan-alert.o `test -f 'output-plugins/alert.c' || echo '$(srcdir)/'`output-plugins/alert.c output-plugins/sagan-alert.obj: output-plugins/alert.c @am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(sagan_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT output-plugins/sagan-alert.obj -MD -MP -MF output-plugins/$(DEPDIR)/sagan-alert.Tpo -c -o output-plugins/sagan-alert.obj `if test -f 'output-plugins/alert.c'; then $(CYGPATH_W) 'output-plugins/alert.c'; else $(CYGPATH_W) '$(srcdir)/output-plugins/alert.c'; fi` @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) output-plugins/$(DEPDIR)/sagan-alert.Tpo output-plugins/$(DEPDIR)/sagan-alert.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='output-plugins/alert.c' object='output-plugins/sagan-alert.obj' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(sagan_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o output-plugins/sagan-alert.obj `if test -f 'output-plugins/alert.c'; then $(CYGPATH_W) 'output-plugins/alert.c'; else $(CYGPATH_W) '$(srcdir)/output-plugins/alert.c'; 
fi` output-plugins/sagan-fast.o: output-plugins/fast.c @am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(sagan_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT output-plugins/sagan-fast.o -MD -MP -MF output-plugins/$(DEPDIR)/sagan-fast.Tpo -c -o output-plugins/sagan-fast.o `test -f 'output-plugins/fast.c' || echo '$(srcdir)/'`output-plugins/fast.c @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) output-plugins/$(DEPDIR)/sagan-fast.Tpo output-plugins/$(DEPDIR)/sagan-fast.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='output-plugins/fast.c' object='output-plugins/sagan-fast.o' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(sagan_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o output-plugins/sagan-fast.o `test -f 'output-plugins/fast.c' || echo '$(srcdir)/'`output-plugins/fast.c output-plugins/sagan-fast.obj: output-plugins/fast.c @am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(sagan_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT output-plugins/sagan-fast.obj -MD -MP -MF output-plugins/$(DEPDIR)/sagan-fast.Tpo -c -o output-plugins/sagan-fast.obj `if test -f 'output-plugins/fast.c'; then $(CYGPATH_W) 'output-plugins/fast.c'; else $(CYGPATH_W) '$(srcdir)/output-plugins/fast.c'; fi` @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) output-plugins/$(DEPDIR)/sagan-fast.Tpo output-plugins/$(DEPDIR)/sagan-fast.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='output-plugins/fast.c' object='output-plugins/sagan-fast.obj' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(sagan_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o output-plugins/sagan-fast.obj `if test -f 'output-plugins/fast.c'; then 
$(CYGPATH_W) 'output-plugins/fast.c'; else $(CYGPATH_W) '$(srcdir)/output-plugins/fast.c'; fi` output-plugins/sagan-esmtp.o: output-plugins/esmtp.c @am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(sagan_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT output-plugins/sagan-esmtp.o -MD -MP -MF output-plugins/$(DEPDIR)/sagan-esmtp.Tpo -c -o output-plugins/sagan-esmtp.o `test -f 'output-plugins/esmtp.c' || echo '$(srcdir)/'`output-plugins/esmtp.c @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) output-plugins/$(DEPDIR)/sagan-esmtp.Tpo output-plugins/$(DEPDIR)/sagan-esmtp.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='output-plugins/esmtp.c' object='output-plugins/sagan-esmtp.o' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(sagan_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o output-plugins/sagan-esmtp.o `test -f 'output-plugins/esmtp.c' || echo '$(srcdir)/'`output-plugins/esmtp.c output-plugins/sagan-esmtp.obj: output-plugins/esmtp.c @am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(sagan_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT output-plugins/sagan-esmtp.obj -MD -MP -MF output-plugins/$(DEPDIR)/sagan-esmtp.Tpo -c -o output-plugins/sagan-esmtp.obj `if test -f 'output-plugins/esmtp.c'; then $(CYGPATH_W) 'output-plugins/esmtp.c'; else $(CYGPATH_W) '$(srcdir)/output-plugins/esmtp.c'; fi` @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) output-plugins/$(DEPDIR)/sagan-esmtp.Tpo output-plugins/$(DEPDIR)/sagan-esmtp.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='output-plugins/esmtp.c' object='output-plugins/sagan-esmtp.obj' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) 
$(sagan_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o output-plugins/sagan-esmtp.obj `if test -f 'output-plugins/esmtp.c'; then $(CYGPATH_W) 'output-plugins/esmtp.c'; else $(CYGPATH_W) '$(srcdir)/output-plugins/esmtp.c'; fi` output-plugins/sagan-external.o: output-plugins/external.c @am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(sagan_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT output-plugins/sagan-external.o -MD -MP -MF output-plugins/$(DEPDIR)/sagan-external.Tpo -c -o output-plugins/sagan-external.o `test -f 'output-plugins/external.c' || echo '$(srcdir)/'`output-plugins/external.c @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) output-plugins/$(DEPDIR)/sagan-external.Tpo output-plugins/$(DEPDIR)/sagan-external.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='output-plugins/external.c' object='output-plugins/sagan-external.o' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(sagan_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o output-plugins/sagan-external.o `test -f 'output-plugins/external.c' || echo '$(srcdir)/'`output-plugins/external.c output-plugins/sagan-external.obj: output-plugins/external.c @am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(sagan_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT output-plugins/sagan-external.obj -MD -MP -MF output-plugins/$(DEPDIR)/sagan-external.Tpo -c -o output-plugins/sagan-external.obj `if test -f 'output-plugins/external.c'; then $(CYGPATH_W) 'output-plugins/external.c'; else $(CYGPATH_W) '$(srcdir)/output-plugins/external.c'; fi` @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) output-plugins/$(DEPDIR)/sagan-external.Tpo output-plugins/$(DEPDIR)/sagan-external.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='output-plugins/external.c' object='output-plugins/sagan-external.obj' libtool=no 
@AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(sagan_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o output-plugins/sagan-external.obj `if test -f 'output-plugins/external.c'; then $(CYGPATH_W) 'output-plugins/external.c'; else $(CYGPATH_W) '$(srcdir)/output-plugins/external.c'; fi` output-plugins/sagan-unified2.o: output-plugins/unified2.c @am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(sagan_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT output-plugins/sagan-unified2.o -MD -MP -MF output-plugins/$(DEPDIR)/sagan-unified2.Tpo -c -o output-plugins/sagan-unified2.o `test -f 'output-plugins/unified2.c' || echo '$(srcdir)/'`output-plugins/unified2.c @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) output-plugins/$(DEPDIR)/sagan-unified2.Tpo output-plugins/$(DEPDIR)/sagan-unified2.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='output-plugins/unified2.c' object='output-plugins/sagan-unified2.o' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(sagan_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o output-plugins/sagan-unified2.o `test -f 'output-plugins/unified2.c' || echo '$(srcdir)/'`output-plugins/unified2.c output-plugins/sagan-unified2.obj: output-plugins/unified2.c @am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(sagan_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT output-plugins/sagan-unified2.obj -MD -MP -MF output-plugins/$(DEPDIR)/sagan-unified2.Tpo -c -o output-plugins/sagan-unified2.obj `if test -f 'output-plugins/unified2.c'; then $(CYGPATH_W) 'output-plugins/unified2.c'; else $(CYGPATH_W) '$(srcdir)/output-plugins/unified2.c'; fi` @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) 
output-plugins/$(DEPDIR)/sagan-unified2.Tpo output-plugins/$(DEPDIR)/sagan-unified2.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='output-plugins/unified2.c' object='output-plugins/sagan-unified2.obj' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(sagan_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o output-plugins/sagan-unified2.obj `if test -f 'output-plugins/unified2.c'; then $(CYGPATH_W) 'output-plugins/unified2.c'; else $(CYGPATH_W) '$(srcdir)/output-plugins/unified2.c'; fi` output-plugins/sagan-snortsam-twofish.o: output-plugins/snortsam-twofish.c @am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(sagan_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT output-plugins/sagan-snortsam-twofish.o -MD -MP -MF output-plugins/$(DEPDIR)/sagan-snortsam-twofish.Tpo -c -o output-plugins/sagan-snortsam-twofish.o `test -f 'output-plugins/snortsam-twofish.c' || echo '$(srcdir)/'`output-plugins/snortsam-twofish.c @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) output-plugins/$(DEPDIR)/sagan-snortsam-twofish.Tpo output-plugins/$(DEPDIR)/sagan-snortsam-twofish.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='output-plugins/snortsam-twofish.c' object='output-plugins/sagan-snortsam-twofish.o' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(sagan_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o output-plugins/sagan-snortsam-twofish.o `test -f 'output-plugins/snortsam-twofish.c' || echo '$(srcdir)/'`output-plugins/snortsam-twofish.c output-plugins/sagan-snortsam-twofish.obj: output-plugins/snortsam-twofish.c @am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(sagan_CPPFLAGS) $(CPPFLAGS) 
$(AM_CFLAGS) $(CFLAGS) -MT output-plugins/sagan-snortsam-twofish.obj -MD -MP -MF output-plugins/$(DEPDIR)/sagan-snortsam-twofish.Tpo -c -o output-plugins/sagan-snortsam-twofish.obj `if test -f 'output-plugins/snortsam-twofish.c'; then $(CYGPATH_W) 'output-plugins/snortsam-twofish.c'; else $(CYGPATH_W) '$(srcdir)/output-plugins/snortsam-twofish.c'; fi` @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) output-plugins/$(DEPDIR)/sagan-snortsam-twofish.Tpo output-plugins/$(DEPDIR)/sagan-snortsam-twofish.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='output-plugins/snortsam-twofish.c' object='output-plugins/sagan-snortsam-twofish.obj' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(sagan_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o output-plugins/sagan-snortsam-twofish.obj `if test -f 'output-plugins/snortsam-twofish.c'; then $(CYGPATH_W) 'output-plugins/snortsam-twofish.c'; else $(CYGPATH_W) '$(srcdir)/output-plugins/snortsam-twofish.c'; fi` output-plugins/sagan-snortsam.o: output-plugins/snortsam.c @am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(sagan_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT output-plugins/sagan-snortsam.o -MD -MP -MF output-plugins/$(DEPDIR)/sagan-snortsam.Tpo -c -o output-plugins/sagan-snortsam.o `test -f 'output-plugins/snortsam.c' || echo '$(srcdir)/'`output-plugins/snortsam.c @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) output-plugins/$(DEPDIR)/sagan-snortsam.Tpo output-plugins/$(DEPDIR)/sagan-snortsam.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='output-plugins/snortsam.c' object='output-plugins/sagan-snortsam.o' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(sagan_CPPFLAGS) 
$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o output-plugins/sagan-snortsam.o `test -f 'output-plugins/snortsam.c' || echo '$(srcdir)/'`output-plugins/snortsam.c output-plugins/sagan-snortsam.obj: output-plugins/snortsam.c @am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(sagan_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT output-plugins/sagan-snortsam.obj -MD -MP -MF output-plugins/$(DEPDIR)/sagan-snortsam.Tpo -c -o output-plugins/sagan-snortsam.obj `if test -f 'output-plugins/snortsam.c'; then $(CYGPATH_W) 'output-plugins/snortsam.c'; else $(CYGPATH_W) '$(srcdir)/output-plugins/snortsam.c'; fi` @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) output-plugins/$(DEPDIR)/sagan-snortsam.Tpo output-plugins/$(DEPDIR)/sagan-snortsam.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='output-plugins/snortsam.c' object='output-plugins/sagan-snortsam.obj' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(sagan_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o output-plugins/sagan-snortsam.obj `if test -f 'output-plugins/snortsam.c'; then $(CYGPATH_W) 'output-plugins/snortsam.c'; else $(CYGPATH_W) '$(srcdir)/output-plugins/snortsam.c'; fi` output-plugins/sagan-syslog-handler.o: output-plugins/syslog-handler.c @am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(sagan_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT output-plugins/sagan-syslog-handler.o -MD -MP -MF output-plugins/$(DEPDIR)/sagan-syslog-handler.Tpo -c -o output-plugins/sagan-syslog-handler.o `test -f 'output-plugins/syslog-handler.c' || echo '$(srcdir)/'`output-plugins/syslog-handler.c @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) output-plugins/$(DEPDIR)/sagan-syslog-handler.Tpo output-plugins/$(DEPDIR)/sagan-syslog-handler.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ 
$(AM_V_CC)source='output-plugins/syslog-handler.c' object='output-plugins/sagan-syslog-handler.o' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(sagan_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o output-plugins/sagan-syslog-handler.o `test -f 'output-plugins/syslog-handler.c' || echo '$(srcdir)/'`output-plugins/syslog-handler.c output-plugins/sagan-syslog-handler.obj: output-plugins/syslog-handler.c @am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(sagan_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT output-plugins/sagan-syslog-handler.obj -MD -MP -MF output-plugins/$(DEPDIR)/sagan-syslog-handler.Tpo -c -o output-plugins/sagan-syslog-handler.obj `if test -f 'output-plugins/syslog-handler.c'; then $(CYGPATH_W) 'output-plugins/syslog-handler.c'; else $(CYGPATH_W) '$(srcdir)/output-plugins/syslog-handler.c'; fi` @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) output-plugins/$(DEPDIR)/sagan-syslog-handler.Tpo output-plugins/$(DEPDIR)/sagan-syslog-handler.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='output-plugins/syslog-handler.c' object='output-plugins/sagan-syslog-handler.obj' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(sagan_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o output-plugins/sagan-syslog-handler.obj `if test -f 'output-plugins/syslog-handler.c'; then $(CYGPATH_W) 'output-plugins/syslog-handler.c'; else $(CYGPATH_W) '$(srcdir)/output-plugins/syslog-handler.c'; fi` output-plugins/sagan-eve.o: output-plugins/eve.c @am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(sagan_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT output-plugins/sagan-eve.o -MD -MP -MF 
output-plugins/$(DEPDIR)/sagan-eve.Tpo -c -o output-plugins/sagan-eve.o `test -f 'output-plugins/eve.c' || echo '$(srcdir)/'`output-plugins/eve.c @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) output-plugins/$(DEPDIR)/sagan-eve.Tpo output-plugins/$(DEPDIR)/sagan-eve.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='output-plugins/eve.c' object='output-plugins/sagan-eve.o' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(sagan_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o output-plugins/sagan-eve.o `test -f 'output-plugins/eve.c' || echo '$(srcdir)/'`output-plugins/eve.c output-plugins/sagan-eve.obj: output-plugins/eve.c @am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(sagan_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT output-plugins/sagan-eve.obj -MD -MP -MF output-plugins/$(DEPDIR)/sagan-eve.Tpo -c -o output-plugins/sagan-eve.obj `if test -f 'output-plugins/eve.c'; then $(CYGPATH_W) 'output-plugins/eve.c'; else $(CYGPATH_W) '$(srcdir)/output-plugins/eve.c'; fi` @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) output-plugins/$(DEPDIR)/sagan-eve.Tpo output-plugins/$(DEPDIR)/sagan-eve.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='output-plugins/eve.c' object='output-plugins/sagan-eve.obj' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(sagan_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o output-plugins/sagan-eve.obj `if test -f 'output-plugins/eve.c'; then $(CYGPATH_W) 'output-plugins/eve.c'; else $(CYGPATH_W) '$(srcdir)/output-plugins/eve.c'; fi` processors/sagan-engine.o: processors/engine.c @am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(sagan_CPPFLAGS) $(CPPFLAGS) 
$(AM_CFLAGS) $(CFLAGS) -MT processors/sagan-engine.o -MD -MP -MF processors/$(DEPDIR)/sagan-engine.Tpo -c -o processors/sagan-engine.o `test -f 'processors/engine.c' || echo '$(srcdir)/'`processors/engine.c @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) processors/$(DEPDIR)/sagan-engine.Tpo processors/$(DEPDIR)/sagan-engine.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='processors/engine.c' object='processors/sagan-engine.o' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(sagan_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o processors/sagan-engine.o `test -f 'processors/engine.c' || echo '$(srcdir)/'`processors/engine.c processors/sagan-engine.obj: processors/engine.c @am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(sagan_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT processors/sagan-engine.obj -MD -MP -MF processors/$(DEPDIR)/sagan-engine.Tpo -c -o processors/sagan-engine.obj `if test -f 'processors/engine.c'; then $(CYGPATH_W) 'processors/engine.c'; else $(CYGPATH_W) '$(srcdir)/processors/engine.c'; fi` @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) processors/$(DEPDIR)/sagan-engine.Tpo processors/$(DEPDIR)/sagan-engine.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='processors/engine.c' object='processors/sagan-engine.obj' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(sagan_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o processors/sagan-engine.obj `if test -f 'processors/engine.c'; then $(CYGPATH_W) 'processors/engine.c'; else $(CYGPATH_W) '$(srcdir)/processors/engine.c'; fi` processors/sagan-track-clients.o: processors/track-clients.c @am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) 
$(DEFAULT_INCLUDES) $(INCLUDES) $(sagan_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT processors/sagan-track-clients.o -MD -MP -MF processors/$(DEPDIR)/sagan-track-clients.Tpo -c -o processors/sagan-track-clients.o `test -f 'processors/track-clients.c' || echo '$(srcdir)/'`processors/track-clients.c @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) processors/$(DEPDIR)/sagan-track-clients.Tpo processors/$(DEPDIR)/sagan-track-clients.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='processors/track-clients.c' object='processors/sagan-track-clients.o' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(sagan_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o processors/sagan-track-clients.o `test -f 'processors/track-clients.c' || echo '$(srcdir)/'`processors/track-clients.c processors/sagan-track-clients.obj: processors/track-clients.c @am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(sagan_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT processors/sagan-track-clients.obj -MD -MP -MF processors/$(DEPDIR)/sagan-track-clients.Tpo -c -o processors/sagan-track-clients.obj `if test -f 'processors/track-clients.c'; then $(CYGPATH_W) 'processors/track-clients.c'; else $(CYGPATH_W) '$(srcdir)/processors/track-clients.c'; fi` @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) processors/$(DEPDIR)/sagan-track-clients.Tpo processors/$(DEPDIR)/sagan-track-clients.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='processors/track-clients.c' object='processors/sagan-track-clients.obj' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(sagan_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o processors/sagan-track-clients.obj `if test -f 
'processors/track-clients.c'; then $(CYGPATH_W) 'processors/track-clients.c'; else $(CYGPATH_W) '$(srcdir)/processors/track-clients.c'; fi` processors/sagan-bluedot.o: processors/bluedot.c @am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(sagan_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT processors/sagan-bluedot.o -MD -MP -MF processors/$(DEPDIR)/sagan-bluedot.Tpo -c -o processors/sagan-bluedot.o `test -f 'processors/bluedot.c' || echo '$(srcdir)/'`processors/bluedot.c @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) processors/$(DEPDIR)/sagan-bluedot.Tpo processors/$(DEPDIR)/sagan-bluedot.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='processors/bluedot.c' object='processors/sagan-bluedot.o' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(sagan_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o processors/sagan-bluedot.o `test -f 'processors/bluedot.c' || echo '$(srcdir)/'`processors/bluedot.c processors/sagan-bluedot.obj: processors/bluedot.c @am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(sagan_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT processors/sagan-bluedot.obj -MD -MP -MF processors/$(DEPDIR)/sagan-bluedot.Tpo -c -o processors/sagan-bluedot.obj `if test -f 'processors/bluedot.c'; then $(CYGPATH_W) 'processors/bluedot.c'; else $(CYGPATH_W) '$(srcdir)/processors/bluedot.c'; fi` @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) processors/$(DEPDIR)/sagan-bluedot.Tpo processors/$(DEPDIR)/sagan-bluedot.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='processors/bluedot.c' object='processors/sagan-bluedot.obj' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(sagan_CPPFLAGS) 
$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o processors/sagan-bluedot.obj `if test -f 'processors/bluedot.c'; then $(CYGPATH_W) 'processors/bluedot.c'; else $(CYGPATH_W) '$(srcdir)/processors/bluedot.c'; fi` processors/sagan-blacklist.o: processors/blacklist.c @am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(sagan_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT processors/sagan-blacklist.o -MD -MP -MF processors/$(DEPDIR)/sagan-blacklist.Tpo -c -o processors/sagan-blacklist.o `test -f 'processors/blacklist.c' || echo '$(srcdir)/'`processors/blacklist.c @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) processors/$(DEPDIR)/sagan-blacklist.Tpo processors/$(DEPDIR)/sagan-blacklist.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='processors/blacklist.c' object='processors/sagan-blacklist.o' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(sagan_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o processors/sagan-blacklist.o `test -f 'processors/blacklist.c' || echo '$(srcdir)/'`processors/blacklist.c processors/sagan-blacklist.obj: processors/blacklist.c @am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(sagan_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT processors/sagan-blacklist.obj -MD -MP -MF processors/$(DEPDIR)/sagan-blacklist.Tpo -c -o processors/sagan-blacklist.obj `if test -f 'processors/blacklist.c'; then $(CYGPATH_W) 'processors/blacklist.c'; else $(CYGPATH_W) '$(srcdir)/processors/blacklist.c'; fi` @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) processors/$(DEPDIR)/sagan-blacklist.Tpo processors/$(DEPDIR)/sagan-blacklist.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='processors/blacklist.c' object='processors/sagan-blacklist.obj' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) 
@AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(sagan_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o processors/sagan-blacklist.obj `if test -f 'processors/blacklist.c'; then $(CYGPATH_W) 'processors/blacklist.c'; else $(CYGPATH_W) '$(srcdir)/processors/blacklist.c'; fi` processors/sagan-perfmon.o: processors/perfmon.c @am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(sagan_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT processors/sagan-perfmon.o -MD -MP -MF processors/$(DEPDIR)/sagan-perfmon.Tpo -c -o processors/sagan-perfmon.o `test -f 'processors/perfmon.c' || echo '$(srcdir)/'`processors/perfmon.c @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) processors/$(DEPDIR)/sagan-perfmon.Tpo processors/$(DEPDIR)/sagan-perfmon.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='processors/perfmon.c' object='processors/sagan-perfmon.o' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(sagan_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o processors/sagan-perfmon.o `test -f 'processors/perfmon.c' || echo '$(srcdir)/'`processors/perfmon.c processors/sagan-perfmon.obj: processors/perfmon.c @am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(sagan_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT processors/sagan-perfmon.obj -MD -MP -MF processors/$(DEPDIR)/sagan-perfmon.Tpo -c -o processors/sagan-perfmon.obj `if test -f 'processors/perfmon.c'; then $(CYGPATH_W) 'processors/perfmon.c'; else $(CYGPATH_W) '$(srcdir)/processors/perfmon.c'; fi` @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) processors/$(DEPDIR)/sagan-perfmon.Tpo processors/$(DEPDIR)/sagan-perfmon.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='processors/perfmon.c' object='processors/sagan-perfmon.obj' libtool=no @AMDEPBACKSLASH@ 
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(sagan_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o processors/sagan-perfmon.obj `if test -f 'processors/perfmon.c'; then $(CYGPATH_W) 'processors/perfmon.c'; else $(CYGPATH_W) '$(srcdir)/processors/perfmon.c'; fi` processors/sagan-bro-intel.o: processors/bro-intel.c @am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(sagan_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT processors/sagan-bro-intel.o -MD -MP -MF processors/$(DEPDIR)/sagan-bro-intel.Tpo -c -o processors/sagan-bro-intel.o `test -f 'processors/bro-intel.c' || echo '$(srcdir)/'`processors/bro-intel.c @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) processors/$(DEPDIR)/sagan-bro-intel.Tpo processors/$(DEPDIR)/sagan-bro-intel.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='processors/bro-intel.c' object='processors/sagan-bro-intel.o' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(sagan_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o processors/sagan-bro-intel.o `test -f 'processors/bro-intel.c' || echo '$(srcdir)/'`processors/bro-intel.c processors/sagan-bro-intel.obj: processors/bro-intel.c @am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(sagan_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT processors/sagan-bro-intel.obj -MD -MP -MF processors/$(DEPDIR)/sagan-bro-intel.Tpo -c -o processors/sagan-bro-intel.obj `if test -f 'processors/bro-intel.c'; then $(CYGPATH_W) 'processors/bro-intel.c'; else $(CYGPATH_W) '$(srcdir)/processors/bro-intel.c'; fi` @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) processors/$(DEPDIR)/sagan-bro-intel.Tpo processors/$(DEPDIR)/sagan-bro-intel.Po 
@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='processors/bro-intel.c' object='processors/sagan-bro-intel.obj' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(sagan_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o processors/sagan-bro-intel.obj `if test -f 'processors/bro-intel.c'; then $(CYGPATH_W) 'processors/bro-intel.c'; else $(CYGPATH_W) '$(srcdir)/processors/bro-intel.c'; fi` processors/sagan-dynamic-rules.o: processors/dynamic-rules.c @am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(sagan_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT processors/sagan-dynamic-rules.o -MD -MP -MF processors/$(DEPDIR)/sagan-dynamic-rules.Tpo -c -o processors/sagan-dynamic-rules.o `test -f 'processors/dynamic-rules.c' || echo '$(srcdir)/'`processors/dynamic-rules.c @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) processors/$(DEPDIR)/sagan-dynamic-rules.Tpo processors/$(DEPDIR)/sagan-dynamic-rules.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='processors/dynamic-rules.c' object='processors/sagan-dynamic-rules.o' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(sagan_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o processors/sagan-dynamic-rules.o `test -f 'processors/dynamic-rules.c' || echo '$(srcdir)/'`processors/dynamic-rules.c processors/sagan-dynamic-rules.obj: processors/dynamic-rules.c @am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(sagan_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT processors/sagan-dynamic-rules.obj -MD -MP -MF processors/$(DEPDIR)/sagan-dynamic-rules.Tpo -c -o processors/sagan-dynamic-rules.obj `if test -f 'processors/dynamic-rules.c'; then $(CYGPATH_W) 
'processors/dynamic-rules.c'; else $(CYGPATH_W) '$(srcdir)/processors/dynamic-rules.c'; fi` @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) processors/$(DEPDIR)/sagan-dynamic-rules.Tpo processors/$(DEPDIR)/sagan-dynamic-rules.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='processors/dynamic-rules.c' object='processors/sagan-dynamic-rules.obj' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(sagan_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o processors/sagan-dynamic-rules.obj `if test -f 'processors/dynamic-rules.c'; then $(CYGPATH_W) 'processors/dynamic-rules.c'; else $(CYGPATH_W) '$(srcdir)/processors/dynamic-rules.c'; fi` ID: $(am__tagged_files) $(am__define_uniq_tagged_files); mkid -fID $$unique tags: tags-am TAGS: tags tags-am: $(TAGS_DEPENDENCIES) $(am__tagged_files) set x; \ here=`pwd`; \ $(am__define_uniq_tagged_files); \ shift; \ if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \ test -n "$$unique" || unique=$$empty_fix; \ if test $$# -gt 0; then \ $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ "$$@" $$unique; \ else \ $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ $$unique; \ fi; \ fi ctags: ctags-am CTAGS: ctags ctags-am: $(TAGS_DEPENDENCIES) $(am__tagged_files) $(am__define_uniq_tagged_files); \ test -z "$(CTAGS_ARGS)$$unique" \ || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \ $$unique GTAGS: here=`$(am__cd) $(top_builddir) && pwd` \ && $(am__cd) $(top_srcdir) \ && gtags -i $(GTAGS_ARGS) "$$here" cscopelist: cscopelist-am cscopelist-am: $(am__tagged_files) list='$(am__tagged_files)'; \ case "$(srcdir)" in \ [\\/]* | ?:[\\/]*) sdir="$(srcdir)" ;; \ *) sdir=$(subdir)/$(srcdir) ;; \ esac; \ for i in $$list; do \ if test -f "$$i"; then \ echo "$(subdir)/$$i"; \ else \ echo "$$sdir/$$i"; \ fi; \ done >> $(top_builddir)/cscope.files distclean-tags: -rm -f TAGS ID 
GTAGS GRTAGS GSYMS GPATH tags distdir: $(DISTFILES) @srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ list='$(DISTFILES)'; \ dist_files=`for file in $$list; do echo $$file; done | \ sed -e "s|^$$srcdirstrip/||;t" \ -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \ case $$dist_files in \ */*) $(MKDIR_P) `echo "$$dist_files" | \ sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \ sort -u` ;; \ esac; \ for file in $$dist_files; do \ if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ if test -d $$d/$$file; then \ dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \ if test -d "$(distdir)/$$file"; then \ find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ fi; \ if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \ find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ fi; \ cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \ else \ test -f "$(distdir)/$$file" \ || cp -p $$d/$$file "$(distdir)/$$file" \ || exit 1; \ fi; \ done check-am: all-am check: check-am all-am: Makefile $(PROGRAMS) installdirs: for dir in "$(DESTDIR)$(bindir)"; do \ test -z "$$dir" || $(MKDIR_P) "$$dir"; \ done install: install-am install-exec: install-exec-am install-data: install-data-am uninstall: uninstall-am install-am: all-am @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am installcheck: installcheck-am install-strip: if test -z '$(STRIP)'; then \ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ install; \ else \ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \ fi mostlyclean-generic: clean-generic: distclean-generic: -test -z "$(CONFIG_CLEAN_FILES)" || rm -f 
$(CONFIG_CLEAN_FILES) -test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES) -rm -f output-plugins/$(DEPDIR)/$(am__dirstamp) -rm -f output-plugins/$(am__dirstamp) -rm -f parsers/$(DEPDIR)/$(am__dirstamp) -rm -f parsers/$(am__dirstamp) -rm -f parsers/strstr-asm/$(DEPDIR)/$(am__dirstamp) -rm -f parsers/strstr-asm/$(am__dirstamp) -rm -f processors/$(DEPDIR)/$(am__dirstamp) -rm -f processors/$(am__dirstamp) maintainer-clean-generic: @echo "This command is intended for maintainers to use" @echo "it deletes files that may require special tools to rebuild." clean: clean-am clean-am: clean-binPROGRAMS clean-generic mostlyclean-am distclean: distclean-am -rm -rf ./$(DEPDIR) output-plugins/$(DEPDIR) parsers/$(DEPDIR) parsers/strstr-asm/$(DEPDIR) processors/$(DEPDIR) -rm -f Makefile distclean-am: clean-am distclean-compile distclean-generic \ distclean-tags dvi: dvi-am dvi-am: html: html-am html-am: info: info-am info-am: install-data-am: install-dvi: install-dvi-am install-dvi-am: install-exec-am: install-binPROGRAMS install-html: install-html-am install-html-am: install-info: install-info-am install-info-am: install-man: install-pdf: install-pdf-am install-pdf-am: install-ps: install-ps-am install-ps-am: installcheck-am: maintainer-clean: maintainer-clean-am -rm -rf ./$(DEPDIR) output-plugins/$(DEPDIR) parsers/$(DEPDIR) parsers/strstr-asm/$(DEPDIR) processors/$(DEPDIR) -rm -f Makefile maintainer-clean-am: distclean-am maintainer-clean-generic mostlyclean: mostlyclean-am mostlyclean-am: mostlyclean-compile mostlyclean-generic pdf: pdf-am pdf-am: ps: ps-am ps-am: uninstall-am: uninstall-binPROGRAMS .MAKE: install-am install-strip .PHONY: CTAGS GTAGS TAGS all all-am check check-am clean \ clean-binPROGRAMS clean-generic cscopelist-am ctags ctags-am \ distclean distclean-compile distclean-generic distclean-tags \ distdir dvi dvi-am html html-am info info-am install \ install-am install-binPROGRAMS install-data install-data-am \ 
install-dvi install-dvi-am install-exec install-exec-am \ install-html install-html-am install-info install-info-am \ install-man install-pdf install-pdf-am install-ps \ install-ps-am install-strip installcheck installcheck-am \ installdirs maintainer-clean maintainer-clean-generic \ mostlyclean mostlyclean-compile mostlyclean-generic pdf pdf-am \ ps ps-am tags tags-am uninstall uninstall-am \ uninstall-binPROGRAMS install-data-local: # Tell versions [3.59,3.63) of GNU make to not export all variables. # Otherwise a system limit (for SysV at least) may be exceeded. .NOEXPORT: sagan-1.2.0/src/util-base64.h0000644000175000017500000000176313310531444014551 0ustar champchamp/* ** Copyright (C) 2009-2018 Quadrant Information Security ** Copyright (C) 2009-2018 Champ Clark III ** ** This program is free software; you can redistribute it and/or modify ** it under the terms of the GNU General Public License Version 2 as ** published by the Free Software Foundation. You may not use, modify or ** distribute this program under any other version of the GNU General ** Public License. ** ** This program is distributed in the hope that it will be useful, ** but WITHOUT ANY WARRANTY; without even the implied warranty of ** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ** GNU General Public License for more details. ** ** You should have received a copy of the GNU General Public License ** along with this program; if not, write to the Free Software ** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. 
*/ int Base64Encode(const unsigned char *, unsigned long, unsigned char *, unsigned long *); sagan-1.2.0/src/after.c0000644000175000017500000005241513310531444013606 0ustar champchamp/* ** Copyright (C) 2009-2018 Quadrant Information Security ** Copyright (C) 2009-2018 Champ Clark III ** ** This program is free software; you can redistribute it and/or modify ** it under the terms of the GNU General Public License Version 2 as ** published by the Free Software Foundation. You may not use, modify or ** distribute this program under any other version of the GNU General ** Public License. ** ** This program is distributed in the hope that it will be useful, ** but WITHOUT ANY WARRANTY; without even the implied warranty of ** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ** GNU General Public License for more details. ** ** You should have received a copy of the GNU General Public License ** along with this program; if not, write to the Free Software ** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. 
*/ /* after.c - Logic for "after" in Sagan rule */ /* TODO: Need to test IPC limits for threshold/after/client tracking */ #ifdef HAVE_CONFIG_H #include "config.h" /* From autoconf */ #endif #include #include #include #include #include #include "sagan.h" #include "sagan-defs.h" #include "sagan-config.h" #include "rules.h" #include "after.h" #include "ipc.h" pthread_mutex_t After_By_Src_Mutex=PTHREAD_MUTEX_INITIALIZER; pthread_mutex_t After_By_Dst_Mutex=PTHREAD_MUTEX_INITIALIZER; pthread_mutex_t After_By_Src_Port_Mutex=PTHREAD_MUTEX_INITIALIZER; pthread_mutex_t After_By_Dst_Port_Mutex=PTHREAD_MUTEX_INITIALIZER; pthread_mutex_t After_By_Username_Mutex=PTHREAD_MUTEX_INITIALIZER; struct after_by_src_ipc *afterbysrc_ipc; struct after_by_dst_ipc *afterbydst_ipc; struct after_by_srcport_ipc *afterbysrcport_ipc; struct after_by_dstport_ipc *afterbydstport_ipc; struct after_by_username_ipc *afterbyusername_ipc; struct _SaganCounters *counters; struct _Rule_Struct *rulestruct; struct _SaganDebug *debug; struct _SaganConfig *config; struct _Sagan_IPC_Counters *counters_ipc; /*******************/ /* After by source */ /*******************/ sbool After_By_Src ( int rule_position, char *ip_src, unsigned char *ip_src_bits, char *selector, char *syslog_message ) { sbool after_log_flag = true; time_t t; struct tm *now; char timet[20]; int i; uint64_t after_oldtime; t = time(NULL); now=localtime(&t); strftime(timet, sizeof(timet), "%s", now); for (i = 0; i < counters_ipc->after_count_by_src; i++ ) { if ( !memcmp(afterbysrc_ipc[i].ipsrc, ip_src_bits, sizeof(afterbysrc_ipc[i].ipsrc)) && !strcmp(afterbysrc_ipc[i].sid, rulestruct[rule_position].s_sid) && ( selector == NULL || !strcmp(selector, afterbysrc_ipc[i].selector)) ) { File_Lock(config->shm_after_by_src); pthread_mutex_lock(&After_By_Src_Mutex); afterbysrc_ipc[i].count++; afterbysrc_ipc[i].total_count++; after_oldtime = atol(timet) - afterbysrc_ipc[i].utime; strlcpy(afterbysrc_ipc[i].syslog_message, syslog_message, 
sizeof(afterbysrc_ipc[i].syslog_message)); strlcpy(afterbysrc_ipc[i].signature_msg, rulestruct[rule_position].s_msg, sizeof(afterbysrc_ipc[i].signature_msg)); /* Reset counter if it's expired */ if ( after_oldtime > rulestruct[rule_position].after_seconds || afterbysrc_ipc[i].count == 0 ) { afterbysrc_ipc[i].count=1; afterbysrc_ipc[i].utime = atol(timet); after_log_flag = true; } if ( rulestruct[rule_position].after_count < afterbysrc_ipc[i].count ) { after_log_flag = false; if ( debug->debuglimits ) { Sagan_Log(NORMAL, "After SID %s by source IP address. [%s]", afterbysrc_ipc[i].sid, ip_src); } counters->after_total++; } pthread_mutex_unlock(&After_By_Src_Mutex); File_Unlock(config->shm_after_by_src); return(after_log_flag); } } /* If not found, add it to the array */ if ( Clean_IPC_Object(AFTER_BY_SRC) == 0 ) { File_Lock(config->shm_after_by_src); pthread_mutex_lock(&After_By_Src_Mutex); memcpy(afterbysrc_ipc[counters_ipc->after_count_by_src].ipsrc, ip_src_bits, sizeof(afterbysrc_ipc[counters_ipc->after_count_by_src].ipsrc)); strlcpy(afterbysrc_ipc[counters_ipc->after_count_by_src].sid, rulestruct[rule_position].s_sid, sizeof(afterbysrc_ipc[counters_ipc->after_count_by_src].sid)); selector == NULL ? 
afterbysrc_ipc[counters_ipc->after_count_by_src].selector[0] = '\0' : strlcpy(afterbysrc_ipc[counters_ipc->after_count_by_src].selector, selector, MAXSELECTOR); afterbysrc_ipc[counters_ipc->after_count_by_src].count = 1; afterbysrc_ipc[counters_ipc->after_count_by_src].utime = atol(timet); afterbysrc_ipc[counters_ipc->after_count_by_src].expire = rulestruct[rule_position].after_seconds; strlcpy(afterbysrc_ipc[counters_ipc->after_count_by_src].syslog_message, syslog_message, sizeof(afterbysrc_ipc[counters_ipc->after_count_by_src].syslog_message)); strlcpy(afterbysrc_ipc[counters_ipc->after_count_by_src].signature_msg, rulestruct[rule_position].s_msg, sizeof(afterbysrc_ipc[counters_ipc->after_count_by_src].signature_msg)); counters_ipc->after_count_by_src++; pthread_mutex_unlock(&After_By_Src_Mutex); File_Unlock(config->shm_after_by_src); } return(true); } /************************/ /* After by Destination */ /************************/ sbool After_By_Dst ( int rule_position, char *ip_dst, unsigned char *ip_dst_bits, char *selector, char *syslog_message ) { sbool after_log_flag = true; time_t t; struct tm *now; char timet[20]; int i; uint64_t after_oldtime; t = time(NULL); now=localtime(&t); strftime(timet, sizeof(timet), "%s", now); for (i = 0; i < counters_ipc->after_count_by_dst; i++ ) { if ( !memcmp(afterbydst_ipc[i].ipdst, ip_dst, sizeof(afterbydst_ipc[i].ipdst)) && !strcmp(afterbydst_ipc[i].sid, rulestruct[rule_position].s_sid ) && ( selector == NULL || !strcmp(selector, afterbydst_ipc[i].selector)) ) { File_Lock(config->shm_after_by_dst); pthread_mutex_lock(&After_By_Dst_Mutex); afterbydst_ipc[i].count++; afterbydst_ipc[i].total_count++; after_oldtime = atol(timet) - afterbydst_ipc[i].utime; strlcpy(afterbydst_ipc[i].syslog_message, syslog_message, sizeof(afterbydst_ipc[i].syslog_message)); strlcpy(afterbydst_ipc[i].signature_msg, rulestruct[rule_position].s_msg, sizeof(afterbydst_ipc[i].signature_msg)); if ( after_oldtime > 
rulestruct[rule_position].after_seconds || afterbydst_ipc[i].count == 0 ) { afterbydst_ipc[i].count=1; afterbydst_ipc[i].utime = atol(timet); after_log_flag = true; } if ( rulestruct[rule_position].after_count < afterbydst_ipc[i].count ) { after_log_flag = false; if ( debug->debuglimits ) { Sagan_Log(NORMAL, "After SID %s by destination IP address. [%s]", afterbydst_ipc[i].sid, ip_dst); } counters->after_total++; } pthread_mutex_unlock(&After_By_Dst_Mutex); File_Unlock(config->shm_after_by_dst); return(after_log_flag); } } /* If not found, add it to the array */ if ( Clean_IPC_Object(AFTER_BY_DST) == 0 ) { File_Lock(config->shm_after_by_dst); pthread_mutex_lock(&After_By_Dst_Mutex); memcpy(afterbydst_ipc[counters_ipc->after_count_by_dst].ipdst, ip_dst_bits, sizeof(afterbydst_ipc[counters_ipc->after_count_by_dst].ipdst)); strlcpy(afterbydst_ipc[counters_ipc->after_count_by_dst].sid, rulestruct[rule_position].s_sid, sizeof(afterbydst_ipc[counters_ipc->after_count_by_dst].sid)); selector == NULL ? 
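afterbydst_ipc[counters_ipc->after_count_by_dst].selector[0] = '\0' :
    strlcpy(afterbydst_ipc[counters_ipc->after_count_by_dst].selector, selector, MAXSELECTOR);

            afterbydst_ipc[counters_ipc->after_count_by_dst].count = 1;
            afterbydst_ipc[counters_ipc->after_count_by_dst].utime = atol(timet);
            afterbydst_ipc[counters_ipc->after_count_by_dst].expire = rulestruct[rule_position].after_seconds;

            strlcpy(afterbydst_ipc[counters_ipc->after_count_by_dst].syslog_message, syslog_message,
                    sizeof(afterbydst_ipc[counters_ipc->after_count_by_dst].syslog_message));
            strlcpy(afterbydst_ipc[counters_ipc->after_count_by_dst].signature_msg, rulestruct[rule_position].s_msg,
                    sizeof(afterbydst_ipc[counters_ipc->after_count_by_dst].signature_msg));

            counters_ipc->after_count_by_dst++;

            pthread_mutex_unlock(&After_By_Dst_Mutex);
            File_Unlock(config->shm_after_by_dst);
        }

    return(true);
}

/*********************/
/* After by username */
/*********************/

/*
 * After_By_Username - "after" rate limiting keyed on (sid, normalized username,
 * selector).
 *
 * Returns true while the alert should still be logged: either the tracking
 * entry was just created, or rule_position's after_count has not been exceeded
 * within its after_seconds window.  Returns false (and bumps
 * counters->after_total) once the count in the current window is above
 * after_count.  The window restarts when it has expired.
 *
 * The entry is looked up without the table lock and only locked for the
 * update, as in the other After_By_* trackers.
 */
sbool After_By_Username( int rule_position, char *normalize_username, char *selector, char *syslog_message )
{

    sbool after_log_flag = true;
    int i;
    uint64_t after_oldtime;

    /* The previous code went time() -> localtime() -> strftime("%s") -> atol()
     * to obtain this same value; localtime() is not reentrant and this runs in
     * worker threads, so take the epoch seconds directly. */
    uint64_t now_epoch = (uint64_t) time(NULL);

    /* Check array for matching username / sid */

    for (i = 0; i < counters_ipc->after_count_by_username; i++ )
        {

            /* Short circuit if no selector match */

            if ( ( selector == NULL && afterbyusername_ipc[i].selector[0] != '\0') ||
                 ( selector != NULL && 0 != strcmp(selector, afterbyusername_ipc[i].selector)) )
                {
                    continue;
                }

            if ( !strcmp(afterbyusername_ipc[i].username, normalize_username) &&
                 !strcmp(afterbyusername_ipc[i].sid, rulestruct[rule_position].s_sid))
                {

                    File_Lock(config->shm_after_by_username);
                    pthread_mutex_lock(&After_By_Username_Mutex);

                    afterbyusername_ipc[i].count++;
                    afterbyusername_ipc[i].total_count++;
                    after_oldtime = now_epoch - afterbyusername_ipc[i].utime;

                    strlcpy(afterbyusername_ipc[i].syslog_message, syslog_message,
                            sizeof(afterbyusername_ipc[i].syslog_message));
                    strlcpy(afterbyusername_ipc[i].signature_msg, rulestruct[rule_position].s_msg,
                            sizeof(afterbyusername_ipc[i].signature_msg));

                    /* Window expired (or entry was wiped): restart the count.
                     * Fixed: this used to test afterbysrc_ipc[i].count - the
                     * by-source table, a copy/paste leftover - instead of the
                     * entry actually being updated. */

                    if ( after_oldtime > rulestruct[rule_position].after_seconds ||
                         afterbyusername_ipc[i].count == 0 )
                        {
                            afterbyusername_ipc[i].count = 1;
                            afterbyusername_ipc[i].utime = now_epoch;
                            after_log_flag = true;
                        }

                    if ( rulestruct[rule_position].after_count < afterbyusername_ipc[i].count )
                        {
                            after_log_flag = false;

                            if ( debug->debuglimits )
                                {
                                    Sagan_Log(NORMAL, "After SID %s by_username. [%s]", afterbyusername_ipc[i].sid, normalize_username);
                                }

                            counters->after_total++;
                        }

                    pthread_mutex_unlock(&After_By_Username_Mutex);
                    File_Unlock(config->shm_after_by_username);

                    return(after_log_flag);
                }
        }

    /* If not found, add to the username array.
     *
     * Fixed: the original asked Clean_IPC_Object() about AFTER_BY_DST, so the
     * by-destination table was checked/cleaned while this table grew without
     * any check before the after_count_by_username++ write into shared memory.
     * Clean_IPC_Object's body is not visible here; presumably it returns 0
     * only when there is room in the named table - confirm. */

    if ( Clean_IPC_Object(AFTER_BY_USERNAME) == 0 )
        {

            File_Lock(config->shm_after_by_username);
            pthread_mutex_lock(&After_By_Username_Mutex);

            strlcpy(afterbyusername_ipc[counters_ipc->after_count_by_username].username, normalize_username,
                    sizeof(afterbyusername_ipc[counters_ipc->after_count_by_username].username));
            strlcpy(afterbyusername_ipc[counters_ipc->after_count_by_username].sid, rulestruct[rule_position].s_sid,
                    sizeof(afterbyusername_ipc[counters_ipc->after_count_by_username].sid));

            if ( selector == NULL )
                {
                    afterbyusername_ipc[counters_ipc->after_count_by_username].selector[0] = '\0';
                }
            else
                {
                    strlcpy(afterbyusername_ipc[counters_ipc->after_count_by_username].selector, selector, MAXSELECTOR);
                }

            afterbyusername_ipc[counters_ipc->after_count_by_username].count = 1;
            afterbyusername_ipc[counters_ipc->after_count_by_username].utime = now_epoch;
            afterbyusername_ipc[counters_ipc->after_count_by_username].expire = rulestruct[rule_position].after_seconds;

            strlcpy(afterbyusername_ipc[counters_ipc->after_count_by_username].syslog_message, syslog_message,
                    sizeof(afterbyusername_ipc[counters_ipc->after_count_by_username].syslog_message));
            strlcpy(afterbyusername_ipc[counters_ipc->after_count_by_username].signature_msg, rulestruct[rule_position].s_msg,
                    sizeof(afterbyusername_ipc[counters_ipc->after_count_by_username].signature_msg));

            counters_ipc->after_count_by_username++;

            pthread_mutex_unlock(&After_By_Username_Mutex);
            File_Unlock(config->shm_after_by_username);
        }

    return(true);

} /* End of After */

/***************************/
/* After by source IP port */
/***************************/

/*
 * After_By_SrcPort - "after" rate limiting keyed on (sid, source port,
 * selector).  Same contract as After_By_Username: true while the alert should
 * be logged, false once after_count is exceeded inside after_seconds.
 * Port entries carry no syslog_message/signature_msg.
 */
sbool After_By_SrcPort( int rule_position, uint32_t ip_srcport_u32, char *selector )
{

    sbool after_log_flag = true;
    int i;
    uint64_t after_oldtime;

    /* Epoch seconds, see After_By_Username. */
    uint64_t now_epoch = (uint64_t) time(NULL);

    for (i = 0; i < counters_ipc->after_count_by_srcport; i++ )
        {

            /* Short circuit if no selector match */

            if ( ( selector == NULL && afterbysrcport_ipc[i].selector[0] != '\0') ||
                 ( selector != NULL && 0 != strcmp(selector, afterbysrcport_ipc[i].selector)) )
                {
                    continue;
                }

            if ( afterbysrcport_ipc[i].ipsrcport == ip_srcport_u32 &&
                 !strcmp(afterbysrcport_ipc[i].sid, rulestruct[rule_position].s_sid ))
                {

                    File_Lock(config->shm_after_by_srcport);
                    pthread_mutex_lock(&After_By_Src_Port_Mutex);

                    afterbysrcport_ipc[i].count++;
                    afterbysrcport_ipc[i].total_count++;
                    after_oldtime = now_epoch - afterbysrcport_ipc[i].utime;

                    /* Fixed: tested afterbysrc_ipc[i].count (wrong table). */

                    if ( after_oldtime > rulestruct[rule_position].after_seconds ||
                         afterbysrcport_ipc[i].count == 0 )
                        {
                            afterbysrcport_ipc[i].count = 1;
                            afterbysrcport_ipc[i].utime = now_epoch;
                            after_log_flag = true;
                        }

                    if ( rulestruct[rule_position].after_count < afterbysrcport_ipc[i].count )
                        {
                            after_log_flag = false;

                            if ( debug->debuglimits )
                                {
                                    /* %u: the port is a uint32_t, not an int. */
                                    Sagan_Log(NORMAL, "After SID %s by source IP port. [%u]", afterbysrcport_ipc[i].sid, ip_srcport_u32);
                                }

                            counters->after_total++;
                        }

                    pthread_mutex_unlock(&After_By_Src_Port_Mutex);
                    File_Unlock(config->shm_after_by_srcport);

                    return(after_log_flag);
                }
        }

    /* If not found, add it to the array */

    if ( Clean_IPC_Object(AFTER_BY_SRCPORT) == 0 )
        {

            File_Lock(config->shm_after_by_srcport);
            pthread_mutex_lock(&After_By_Src_Port_Mutex);

            afterbysrcport_ipc[counters_ipc->after_count_by_srcport].ipsrcport = ip_srcport_u32;
            strlcpy(afterbysrcport_ipc[counters_ipc->after_count_by_srcport].sid, rulestruct[rule_position].s_sid,
                    sizeof(afterbysrcport_ipc[counters_ipc->after_count_by_srcport].sid));

            if ( selector == NULL )
                {
                    afterbysrcport_ipc[counters_ipc->after_count_by_srcport].selector[0] = '\0';
                }
            else
                {
                    strlcpy(afterbysrcport_ipc[counters_ipc->after_count_by_srcport].selector, selector, MAXSELECTOR);
                }

            afterbysrcport_ipc[counters_ipc->after_count_by_srcport].count = 1;
            afterbysrcport_ipc[counters_ipc->after_count_by_srcport].utime = now_epoch;
            afterbysrcport_ipc[counters_ipc->after_count_by_srcport].expire = rulestruct[rule_position].after_seconds;

            counters_ipc->after_count_by_srcport++;

            pthread_mutex_unlock(&After_By_Src_Port_Mutex);
            File_Unlock(config->shm_after_by_srcport);
        }

    return(true);
}

/********************************/
/* After by destination IP port */
/********************************/

/*
 * After_By_DstPort - "after" rate limiting keyed on (sid, destination port,
 * selector).  Same contract as After_By_SrcPort.
 */
sbool After_By_DstPort( int rule_position, uint32_t ip_dstport_u32, char *selector )
{

    sbool after_log_flag = true;
    int i;
    uint64_t after_oldtime;

    /* Epoch seconds, see After_By_Username. */
    uint64_t now_epoch = (uint64_t) time(NULL);

    for (i = 0; i < counters_ipc->after_count_by_dstport; i++ )
        {

            /* Short circuit if no selector match */

            if ( ( selector == NULL && afterbydstport_ipc[i].selector[0] != '\0') ||
                 ( selector != NULL && 0 != strcmp(selector, afterbydstport_ipc[i].selector)) )
                {
                    continue;
                }

            if ( afterbydstport_ipc[i].ipdstport == ip_dstport_u32 &&
                 !strcmp(afterbydstport_ipc[i].sid, rulestruct[rule_position].s_sid ))
                {

                    File_Lock(config->shm_after_by_dstport);
                    pthread_mutex_lock(&After_By_Dst_Port_Mutex);

                    afterbydstport_ipc[i].count++;
                    afterbydstport_ipc[i].total_count++;
                    after_oldtime = now_epoch - afterbydstport_ipc[i].utime;

                    /* Fixed: tested afterbysrc_ipc[i].count (wrong table). */

                    if ( after_oldtime > rulestruct[rule_position].after_seconds ||
                         afterbydstport_ipc[i].count == 0 )
                        {
                            afterbydstport_ipc[i].count = 1;
                            afterbydstport_ipc[i].utime = now_epoch;
                            after_log_flag = true;
                        }

                    if ( rulestruct[rule_position].after_count < afterbydstport_ipc[i].count )
                        {
                            after_log_flag = false;

                            if ( debug->debuglimits )
                                {
                                    /* %u: the port is a uint32_t, not an int. */
                                    Sagan_Log(NORMAL, "After SID %s by destination IP port. [%u]", afterbydstport_ipc[i].sid, ip_dstport_u32);
                                }

                            counters->after_total++;
                        }

                    pthread_mutex_unlock(&After_By_Dst_Port_Mutex);
                    File_Unlock(config->shm_after_by_dstport);

                    return(after_log_flag);
                }
        }

    /* If not found, add it to the array */

    if ( Clean_IPC_Object(AFTER_BY_DSTPORT) == 0 )
        {

            File_Lock(config->shm_after_by_dstport);
            pthread_mutex_lock(&After_By_Dst_Port_Mutex);

            afterbydstport_ipc[counters_ipc->after_count_by_dstport].ipdstport = ip_dstport_u32;
            strlcpy(afterbydstport_ipc[counters_ipc->after_count_by_dstport].sid, rulestruct[rule_position].s_sid,
                    sizeof(afterbydstport_ipc[counters_ipc->after_count_by_dstport].sid));

            if ( selector == NULL )
                {
                    afterbydstport_ipc[counters_ipc->after_count_by_dstport].selector[0] = '\0';
                }
            else
                {
                    strlcpy(afterbydstport_ipc[counters_ipc->after_count_by_dstport].selector, selector, MAXSELECTOR);
                }

            afterbydstport_ipc[counters_ipc->after_count_by_dstport].count = 1;
            afterbydstport_ipc[counters_ipc->after_count_by_dstport].utime = now_epoch;
            afterbydstport_ipc[counters_ipc->after_count_by_dstport].expire = rulestruct[rule_position].after_seconds;

            counters_ipc->after_count_by_dstport++;

            pthread_mutex_unlock(&After_By_Dst_Port_Mutex);
            File_Unlock(config->shm_after_by_dstport);
        }

    return(true);
}
sagan-1.2.0/src/references.h0000644000175000017500000000232613310531444014627 0ustar champchamp/*
** Copyright (C) 2009-2018 Quadrant Information Security
** Copyright (C) 2009-2018 Champ Clark III
**
** This program is free software; you can redistribute it and/or modify
** it under the terms of the GNU General Public License Version 2 as
** published by the Free Software Foundation.  You may not use, modify or
** distribute this program under any other version of the GNU General
** Public License.
**
** This program is distributed in the hope that it will be useful,
** but WITHOUT ANY WARRANTY; without even the implied warranty of
** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
** GNU General Public License for more details.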
** ** You should have received a copy of the GNU General Public License ** along with this program; if not, write to the Free Software ** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. */ #ifdef HAVE_CONFIG_H #include "config.h" /* From autoconf */ #endif /* Reference structure */ typedef struct _Ref_Struct _Ref_Struct; struct _Ref_Struct { char s_refid[512]; char s_refurl[2048]; }; void Load_Reference ( const char * ); void Reference_Lookup( int, int, char *str, size_t size ); sagan-1.2.0/src/redis.h0000644000175000017500000000216513310531444013615 0ustar champchamp/* ** Copyright (C) 2009-2018 Quadrant Information Security ** Copyright (C) 2009-2018 Champ Clark III ** ** This program is free software; you can redistribute it and/or modify ** it under the terms of the GNU General Public License Version 2 as ** published by the Free Software Foundation. You may not use, modify or ** distribute this program under any other version of the GNU General ** Public License. ** ** This program is distributed in the hope that it will be useful, ** but WITHOUT ANY WARRANTY; without even the implied warranty of ** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ** GNU General Public License for more details. ** ** You should have received a copy of the GNU General Public License ** along with this program; if not, write to the Free Software ** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. 
*/ #ifdef HAVE_LIBHIREDIS #include void Redis_Reader_Connect ( void ); void Redis_Writer (void); void Redis_Writer_Init (void); void Redis_Reader ( char *redis_command, char *str, size_t size ); #endif sagan-1.2.0/src/sagan-defs.h0000644000175000017500000001474113310531444014522 0ustar champchamp/* $Id$ */ /* ** Copyright (C) 2009-2018 Quadrant Information Security ** Copyright (C) 2009-2018 Champ Clark III ** ** This program is free software; you can redistribute it and/or modify ** it under the terms of the GNU General Public License Version 2 as ** published by the Free Software Foundation. You may not use, modify or ** distribute this program under any other version of the GNU General ** Public License. ** ** This program is distributed in the hope that it will be useful, ** but WITHOUT ANY WARRANTY; without even the implied warranty of ** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ** GNU General Public License for more details. ** ** You should have received a copy of the GNU General Public License ** along with this program; if not, write to the Free Software ** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. */ /* sagan.h * * Sagan prototypes and definitions. 
* */ #ifdef HAVE_CONFIG_H #include "config.h" /* From autoconf */ #endif #include #if defined HAVE_LIBLOGNORM || defined WITH_BLUEDOT #include #else typedef void json_object; #define json_object_to_json_string_ext(x, y) "{}" #endif #define PCRE_OVECCOUNT 30 /* Various buffers used during configurations loading */ #define SENSOR_NAME "default_sensor_name" #define CLASSBUF 1024 #define RULEBUF 5128 #define CONFBUF 4096 #define MAXPATH 255 /* Max path for files/directories */ #define MAXHOST 255 /* Max host length */ #define MAXPROGRAM 32 /* Max syslog 'program' length */ #define MAXDATE 25 /* Max syslog 'date' length */ #define MAXTIME 10 /* Max syslog 'time length */ #define MAXFACILITY 25 /* Max syslog 'facility' length */ #define MAXPRIORITY 20 /* Max syslog 'priority' length */ #define MAXTAG 32 /* Max syslog 'tag' length */ #define MAXLEVEL 15 /* Max syslog 'level' length */ #define MAX_SAGAN_MSG 256 /* Max "msg" option size */ #define MAX_PCRE_SIZE 1024 /* Max pcre length in a rule */ #define MAX_FIFO_SIZE 1048576 /* Max pipe/FIFO size in bytes/pages */ #define MAX_THREADS 4096 /* Max system threads */ #define MAX_SYSLOGMSG 10240 /* Max length of a syslog message */ #define MAX_VAR_NAME_SIZE 64 /* Max "var" name size */ #define MAX_VAR_VALUE_SIZE 4096 /* Max "var" value size */ #define MAX_PCRE 10 /* Max PCRE within a rule */ #define MAX_CONTENT 30 /* Max 'content' within a rule */ #define MAX_META_CONTENT 10 /* Max 'meta_content' within a rule */ #define MAX_META_CONTENT_ITEMS 128 /* Max strings to look for in meta_content */ #define MAX_META_ITEM_SIZE 256 /* Max string size per meta_content type */ #define MAX_XBITS 20 /* Max 'xbits' within a rule */ #define MAX_CHECK_FLOWS 100 /* Max amount of IP addresses to be checked in a flow */ #define MAX_REFERENCE 10 /* Max references within a rule */ #define MAX_PARSE_IP 10 /* Max IP to collect form log line via parse.c */ /* TODO: These need to be labeled better! 
These directly affect functions like is_notroutable(). Think before you alter */ #define MAXIP 64 /* Max IP length */ #define MAXIPBIT 16 /* Max IP length in bytes */ #define MAXSELECTOR 64 /* Max tracking selector length */ #define LOCKFILE "/var/run/sagan/sagan.pid" #define SAGANLOG "/var/log/sagan/sagan.log" #define SAGANLOGPATH "/var/log/sagan" #define FIFO "/var/run/sagan.fifo" #define RULE_PATH "/usr/local/etc/sagan-rules" #define HOME_NET "any" #define EXTERNAL_NET "any" #define RUNAS "sagan" #define PLOG_INTERFACE "eth0" #define PLOG_FILTER "port 514" #define PLOG_LOGDEV "/dev/log" #define TRACK_TIME 1440 #define NORMAL 0 #define ERROR 1 #define WARN 2 #define DEBUG 3 #define DEFAULT_SYSLOG_FACILITY LOG_AUTH #define DEFAULT_SYSLOG_PRIORITY LOG_ALERT #define PARSEIP_RETURN_STRING 0 #define DEFAULT_SMTP_SUBJECT "[Sagan]" /* defaults if the user doesn't define */ #define MAX_PROCESSOR_THREADS 100 #define SUNDAY 1 #define MONDAY 2 #define TUESDAY 4 #define WEDNESDAY 8 #define THURSDAY 16 #define FRIDAY 32 #define SATURDAY 64 /* This is for loading/reloading Sagan log files */ #define OPEN 0 #define REOPEN 1 #define SAGAN_LOG 0 #define ALERT_LOG 1 #define ALL_LOGS 100 #define MD5_HASH_SIZE 32 #define SHA1_HASH_SIZE 40 #define SHA256_HASH_SIZE 64 #define MAX_FILENAME_SIZE 256 #define MAX_URL_SIZE 8192 #define MAX_USERNAME_SIZE 512 #define MAX_HOSTNAME_SIZE 255 /* Locations of IPC/Share memory "files" */ #define IPC_DIRECTORY "/var/sagan/ipc" #define COUNTERS_IPC_FILE "sagan-counters.shared" #define XBIT_IPC_FILE "sagan-xbits.shared" #define THRESH_BY_SRC_IPC_FILE "sagan-thresh-by-source.shared" #define THRESH_BY_DST_IPC_FILE "sagan-thresh-by-destination.shared" #define THRESH_BY_DSTPORT_IPC_FILE "sagan-thresh-by-destination-port.shared" #define THRESH_BY_SRCPORT_IPC_FILE "sagan-thresh-by-source-port.shared" #define THRESH_BY_USERNAME_IPC_FILE "sagan-thresh-by-username.shared" #define AFTER_BY_SRC_IPC_FILE "sagan-after-by-source.shared" #define 
AFTER_BY_DST_IPC_FILE "sagan-after-by-destination.shared" #define AFTER_BY_SRCPORT_IPC_FILE "sagan-after-by-source-port.shared" #define AFTER_BY_DSTPORT_IPC_FILE "sagan-after-by-destination-port.shared" #define AFTER_BY_USERNAME_IPC_FILE "sagan-after-by-username.shared" #define CLIENT_TRACK_IPC_FILE "sagan-track-clients.shared" /* Default IPC/mmap sizes */ #define DEFAULT_IPC_CLIENT_TRACK_IPC 10000 #define DEFAULT_IPC_AFTER_BY_SRC 1000000 #define DEFAULT_IPC_AFTER_BY_DST 1000000 #define DEFAULT_IPC_AFTER_BY_SRC_PORT 1000000 #define DEFAULT_IPC_AFTER_BY_DST_PORT 1000000 #define DEFAULT_IPC_AFTER_BY_USERNAME 10000 #define DEFAULT_IPC_THRESH_BY_SRC 1000000 #define DEFAULT_IPC_THRESH_BY_DST 1000000 #define DEFAULT_IPC_THRESH_BY_SRC_PORT 1000000 #define DEFAULT_IPC_THRESH_BY_DST_PORT 1000000 #define DEFAULT_IPC_THRESH_BY_USERNAME 10000 #define DEFAULT_IPC_XBITS 10000 #define AFTER_BY_SRC 1 #define AFTER_BY_DST 2 #define AFTER_BY_DSTPORT 3 #define AFTER_BY_USERNAME 4 #define AFTER_BY_SRCPORT 5 #define THRESH_BY_SRC 6 #define THRESH_BY_DST 7 #define THRESH_BY_DSTPORT 8 #define THRESH_BY_USERNAME 9 #define THRESH_BY_SRCPORT 10 #define XBIT 11 #define PARSE_HASH_MD5 1 #define PARSE_HASH_SHA1 2 #define PARSE_HASH_SHA256 3 #define PARSE_HASH_ALL 4 #define NORMAL_RULE 0 #define DYNAMIC_RULE 1 #define XBIT_STORAGE_MMAP 0 #define XBIT_STORAGE_REDIS 1 #define THREAD_NAME_LEN 16 sagan-1.2.0/src/xbit-mmap.h0000644000175000017500000000362013310531444014402 0ustar champchamp/* ** Copyright (C) 2009-2018 Quadrant Information Security ** Copyright (C) 2009-2018 Champ Clark III ** ** This program is free software; you can redistribute it and/or modify ** it under the terms of the GNU General Public License Version 2 as ** published by the Free Software Foundation. You may not use, modify or ** distribute this program under any other version of the GNU General ** Public License. 
** ** This program is distributed in the hope that it will be useful, ** but WITHOUT ANY WARRANTY; without even the implied warranty of ** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ** GNU General Public License for more details. ** ** You should have received a copy of the GNU General Public License ** along with this program; if not, write to the Free Software ** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. */ #ifdef HAVE_CONFIG_H #include "config.h" /* From autoconf */ #endif #include "sagan-defs.h" void Xbit_Set_MMAP( int, char *, char *, int, int, char *, char * ); sbool Xbit_Condition_MMAP ( int, char *, char *, int, int, char * ); void Xbit_Cleanup_MMAP( void ); sbool Xbit_Count_MMAP( int, char *, char *, char * ); typedef struct _Sagan_Xbit_Track _Sagan_Xbit_Track; struct _Sagan_Xbit_Track { char xbit_name[64]; int xbit_timeout; int xbit_srcport; int xbit_dstport; }; typedef struct _Sagan_IPC_Xbit _Sagan_IPC_Xbit; struct _Sagan_IPC_Xbit { char xbit_name[64]; sbool xbit_state; unsigned char ip_src[MAXIPBIT]; unsigned char ip_dst[MAXIPBIT]; int src_port; int dst_port; char username[64]; uint64_t xbit_date; uint64_t xbit_expire; int expire; char selector[MAXSELECTOR]; // No need to clean this, as we always set it when tracking char syslog_message[MAX_SYSLOGMSG]; char sid[20]; char signature_msg[MAX_SAGAN_MSG]; }; sagan-1.2.0/src/processor.c0000644000175000017500000001473013310531444014522 0ustar champchamp/* ** Copyright (C) 2009-2018 Quadrant Information Security ** Copyright (C) 2009-2018 Champ Clark III ** ** This program is free software; you can redistribute it and/or modify ** it under the terms of the GNU General Public License Version 2 as ** published by the Free Software Foundation. You may not use, modify or ** distribute this program under any other version of the GNU General ** Public License. 
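**
** This program is distributed in the hope that it will be useful,
** but WITHOUT ANY WARRANTY; without even the implied warranty of
** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
** GNU General Public License for more details.
**
** You should have received a copy of the GNU General Public License
** along with this program; if not, write to the Free Software
** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
*/

/* processor.c
 *
 * This becomes a threaded operation.  This handles all CPU intensive processes.
 */

#ifdef HAVE_CONFIG_H
#include "config.h"             /* From autoconf */
#endif

/* NOTE(review): the system header names on the next five lines are missing
 * from this listing (lost in extraction); restore them from upstream. */
#include
#include
#include
#include
#include

#ifdef HAVE_SYS_PRCTL_H
#include
#endif

#include "sagan.h"
#include "sagan-defs.h"
#include "ignore-list.h"
#include "sagan-config.h"

#include "parsers/parsers.h"

#include "processors/engine.h"
#include "processors/track-clients.h"
#include "processors/blacklist.h"
#include "processors/dynamic-rules.h"

struct _Sagan_Ignorelist *SaganIgnorelist;
struct _SaganCounters *counters;
struct _Sagan_Proc_Syslog *SaganProcSyslog;
struct _SaganConfig *config;
struct _Rule_Struct *rulestruct;

int proc_msgslot;                       /* Comes from sagan.c */
int proc_running;                       /* Comes from sagan.c */
unsigned char dynamic_rule_flag;        /* Comes from sagan.c */

pthread_cond_t SaganProcDoWork;
pthread_mutex_t SaganProcWorkMutex;

pthread_cond_t SaganReloadCond;
pthread_mutex_t SaganReloadMutex;

pthread_mutex_t SaganDynamicFlag;

pthread_mutex_t SaganIgnoreCounter=PTHREAD_MUTEX_INITIALIZER;
pthread_mutex_t SaganClientTracker=PTHREAD_MUTEX_INITIALIZER;

/*
 * Processor - body of a worker thread.
 *
 * Loops forever: waits on SaganProcDoWork for a slot in SaganProcSyslog[],
 * copies that slot into a thread-local struct under SaganProcWorkMutex,
 * releases the lock, and then (unless the message matches an entry of the
 * drop list) runs it through Sagan_Engine() and, if enabled, Track_Clients().
 * Never returns; a failed allocation aborts the process via Sagan_Log(ERROR).
 */
void Processor ( void )
{

    (void)SetThreadName("SaganWorker");

    struct _Sagan_Proc_Syslog *SaganProcSyslog_LOCAL = NULL;
    sbool ignore_flag = false;
    int i;

    SaganProcSyslog_LOCAL = malloc(sizeof(struct _Sagan_Proc_Syslog));

    if ( SaganProcSyslog_LOCAL == NULL )
        {
            /* Sagan_Log(ERROR, ...) exits; nothing below runs on failure. */
            Sagan_Log(ERROR, "[%s, line %d] Failed to allocate memory for SaganProcSyslog_LOCAL. Abort!", __FILE__, __LINE__);
        }

    memset(SaganProcSyslog_LOCAL, 0, sizeof(struct _Sagan_Proc_Syslog));

    for (;;)
        {

            pthread_mutex_lock(&SaganProcWorkMutex);

            while ( proc_msgslot == 0 )
                {
                    pthread_cond_wait(&SaganProcDoWork, &SaganProcWorkMutex);
                }

            /* Pause while a rule/config reload is in progress.
             *
             * Fixed: pthread_cond_wait() requires its mutex to be held by the
             * caller; the original waited on SaganReloadCond with
             * SaganReloadMutex unlocked, which is undefined behaviour.
             * NOTE(review): SaganProcWorkMutex is still held here, exactly as
             * before; confirm the reload path never takes the two locks in
             * the opposite order. */
            if ( config->sagan_reload )
                {
                    pthread_mutex_lock(&SaganReloadMutex);
                    pthread_cond_wait(&SaganReloadCond, &SaganReloadMutex);
                    pthread_mutex_unlock(&SaganReloadMutex);
                }

            proc_running++;
            proc_msgslot--;     /* This was ++ before coming over, so we now -- it to get to original value */

            /* Take a private copy of the slot so the shared ring can be reused
             * as soon as the work mutex is released. */
            strlcpy(SaganProcSyslog_LOCAL->syslog_host,     SaganProcSyslog[proc_msgslot].syslog_host,     sizeof(SaganProcSyslog_LOCAL->syslog_host));
            strlcpy(SaganProcSyslog_LOCAL->syslog_facility, SaganProcSyslog[proc_msgslot].syslog_facility, sizeof(SaganProcSyslog_LOCAL->syslog_facility));
            strlcpy(SaganProcSyslog_LOCAL->syslog_priority, SaganProcSyslog[proc_msgslot].syslog_priority, sizeof(SaganProcSyslog_LOCAL->syslog_priority));
            strlcpy(SaganProcSyslog_LOCAL->syslog_level,    SaganProcSyslog[proc_msgslot].syslog_level,    sizeof(SaganProcSyslog_LOCAL->syslog_level));
            strlcpy(SaganProcSyslog_LOCAL->syslog_tag,      SaganProcSyslog[proc_msgslot].syslog_tag,      sizeof(SaganProcSyslog_LOCAL->syslog_tag));
            strlcpy(SaganProcSyslog_LOCAL->syslog_date,     SaganProcSyslog[proc_msgslot].syslog_date,     sizeof(SaganProcSyslog_LOCAL->syslog_date));
            strlcpy(SaganProcSyslog_LOCAL->syslog_time,     SaganProcSyslog[proc_msgslot].syslog_time,     sizeof(SaganProcSyslog_LOCAL->syslog_time));
            strlcpy(SaganProcSyslog_LOCAL->syslog_program,  SaganProcSyslog[proc_msgslot].syslog_program,  sizeof(SaganProcSyslog_LOCAL->syslog_program));
            strlcpy(SaganProcSyslog_LOCAL->syslog_message,  SaganProcSyslog[proc_msgslot].syslog_message,  sizeof(SaganProcSyslog_LOCAL->syslog_message));

            pthread_mutex_unlock(&SaganProcWorkMutex);

            /* Check for general "drop" items.  We do this first so we can save CPU later */

            ignore_flag = false;

            if ( config->sagan_droplist_flag )
                {
                    for (i = 0; i < counters->droplist_count; i++)
                        {
                            if (Sagan_strstr(SaganProcSyslog_LOCAL->syslog_message, SaganIgnorelist[i].ignore_string))
                                {
                                    pthread_mutex_lock(&SaganIgnoreCounter);
                                    counters->ignore_count++;
                                    pthread_mutex_unlock(&SaganIgnoreCounter);

                                    ignore_flag = true;
                                    break;      /* Stop processing from ignore list */
                                }
                        }
                }

            /* If we're in a ignore state, then we can bypass the processors */

            if ( ignore_flag == false )
                {

                    /* dynamic_rule_flag is read here without SaganDynamicFlag,
                     * as in the original; the write below is locked. */
                    Sagan_Engine(SaganProcSyslog_LOCAL, dynamic_rule_flag );

                    /* If this is a dynamic run, reset back to normal */

                    if ( dynamic_rule_flag == DYNAMIC_RULE )
                        {
                            pthread_mutex_lock(&SaganDynamicFlag);
                            dynamic_rule_flag = 0;
                            pthread_mutex_unlock(&SaganDynamicFlag);
                        }

                    if ( config->sagan_track_clients_flag )
                        {
                            Track_Clients( SaganProcSyslog_LOCAL->syslog_host );
                        }

                } /* End if ( ignore_flag == false ) */

            pthread_mutex_lock(&SaganProcWorkMutex);
            proc_running--;
            pthread_mutex_unlock(&SaganProcWorkMutex);

        } /* for (;;) */

    /* Unreachable: kept so the intent (release the local copy) is explicit. */
    Sagan_Log(WARN, "[%s, line %d] Holy cow! You should never see this message!", __FILE__, __LINE__);
    free(SaganProcSyslog_LOCAL);
}
sagan-1.2.0/src/util.c0000644000175000017500000012761613310531444013460 0ustar champchamp/*
** Copyright (C) 2009-2018 Quadrant Information Security
** Copyright (C) 2009-2018 Champ Clark III
**
** This program is free software; you can redistribute it and/or modify
** it under the terms of the GNU General Public License Version 2 as
** published by the Free Software Foundation.  You may not use, modify or
** distribute this program under any other version of the GNU General
** Public License.
**
** This program is distributed in the hope that it will be useful,
** but WITHOUT ANY WARRANTY; without even the implied warranty of
** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
** GNU General Public License for more details.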
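**
** You should have received a copy of the GNU General Public License
** along with this program; if not, write to the Free Software
** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
*/

/* util.c
 *
 * Various re-usable functions.
 *
 */

#ifdef HAVE_CONFIG_H
#include "config.h"             /* From autoconf */
#endif

/* NOTE(review): the system header names on the following lines are missing
 * from this listing (lost in extraction); restore them from upstream. */
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include

#include "sagan.h"
#include "sagan-defs.h"
#include "sagan-config.h"
#include "lockfile.h"

#include "parsers/strstr-asm/strstr-hook.h"

#include "version.h"

struct _SaganConfig *config;
struct _SaganCounters *counters;
struct _SaganVar *var;
struct _Sagan_Processor_Generator *generator;

sbool daemonize;
sbool quiet;

/*****************************************************************************
 * This force Sagan to chroot.
 *
 * Note: printf/fprintf are used, because we actually chroot before the log
 * is initialized.  Exits the process if chroot() or the following chdir("/")
 * fails (without the chdir the old cwd would remain reachable).
 *****************************************************************************/

void Chroot(const char *chrootdir )
{

    printf("[*] Chroot to %s\n", chrootdir);

    if (chroot(chrootdir) == 0 && chdir ("/") == 0)
        {
            return;
        }

    fprintf(stderr, "[E] Could not chroot to '%s'.\n", chrootdir);
    exit(1);            /* sagan.log isn't open yet */
}

/************************************************
 * Drop priv's so we aren't running as "root".
 *
 * Resolves config->sagan_runas, and when running as uid 0: chowns the input
 * FIFO to that user (unless reading a plain file), then initgroups/setgid/
 * setuid to it.  Every failure goes through Sagan_Log(ERROR), which exits.
 * Added: after the drop, verify that uid 0 cannot be regained.
 ************************************************/

void Droppriv(void)
{

    struct stat fifocheck;
    struct passwd *pw = NULL;
    int ret;

    pw = getpwnam(config->sagan_runas);

    if (!pw)
        {
            /* Sagan_Log(ERROR, ...) exits, so pw is valid past this point. */
            Sagan_Log(ERROR, "Couldn't locate user '%s'. Aborting...", config->sagan_runas);
        }

    if ( getuid() != 0 )
        {
            Sagan_Log(NORMAL, "Not dropping privileges. Already running as a non-privileged user");
            return;
        }

    Sagan_Log(NORMAL, "Setting permissions and dropping privileges! [UID: %lu GID: %lu]", (unsigned long)pw->pw_uid, (unsigned long)pw->pw_gid);

    /*
     * We chown certain log files to our Sagan user.  This is done so no files are "owned"
     * by "root".  This prevents problems in the future when doing things like handling
     * SIGHUP's and what not.
     *
     * Champ Clark (04/14/2015)
     */

    if ( config->sagan_is_file == false )  /* Don't change ownership/etc if we're processing a file */
        {

            ret = chown(config->sagan_fifo, (unsigned long)pw->pw_uid,(unsigned long)pw->pw_gid);

            if ( ret < 0 )
                {
                    Sagan_Log(ERROR, "[%s, line %d] Cannot change ownership of %s to username \"%s\" - %s", __FILE__, __LINE__, config->sagan_fifo, config->sagan_runas, strerror(errno));
                }

            if (stat(config->sagan_fifo, &fifocheck) != 0 )
                {
                    Sagan_Log(ERROR, "[%s, line %d] Cannot open %s FIFO - %s!", __FILE__, __LINE__, config->sagan_fifo, strerror(errno));
                }
        }

    /* Supplementary groups first, then gid, then uid - the uid goes last
     * because setgid() needs the privilege that setuid() gives away. */

    if (initgroups(pw->pw_name, pw->pw_gid) != 0 ||
            setgid(pw->pw_gid) != 0 ||
            setuid(pw->pw_uid) != 0)
        {
            Sagan_Log(ERROR, "[%s, line %d] Could not drop privileges to uid: %lu gid: %lu - %s!", __FILE__, __LINE__, (unsigned long)pw->pw_uid, (unsigned long)pw->pw_gid, strerror(errno));
        }

    /* Make sure the drop is permanent.  If setuid(0) still succeeds, a
     * saved-set-user-ID or a retained capability was left behind and we are
     * not really unprivileged - refuse to run rather than pretend. */

    if ( pw->pw_uid != 0 && setuid(0) != -1 )
        {
            Sagan_Log(ERROR, "[%s, line %d] Privileges were not fully dropped - able to regain uid 0!", __FILE__, __LINE__);
        }
}

/********************
 * Remove new-lines
 *
 * Compacts s in place, dropping every '\n'.  Fixed: the old loop tested the
 * not-yet-overwritten byte at the write cursor, so after copying the
 * terminator it kept reading past the end of the string (up to one byte per
 * removed character).  The rewrite stops as soon as '\0' has been copied.
 ********************/

void Remove_Return(char *s)
{
    char *rd = s;
    char *wr = s;

    for (;;)
        {
            while ( *rd == '\n' )
                {
                    rd++;
                }

            if ( (*wr++ = *rd++) == '\0' )
                {
                    break;
                }
        }
}

/***********************************************
 * Removes spaces from certain rule fields, etc
 *
 * Same in-place compaction as Remove_Return, for ' '.  Fixed the same
 * read-past-terminator defect.
 ***********************************************/

void Remove_Spaces(char *s)
{
    char *rd = s;
    char *wr = s;

    for (;;)
        {
            while ( *rd == ' ' )
                {
                    rd++;
                }

            if ( (*wr++ = *rd++) == '\0' )
                {
                    break;
                }
        }
}

/**********************************
 * Shift a string to all uppercase
 *
 * Fixed: toupper()/tolower() take an int in unsigned-char range (or EOF);
 * passing a negative plain char (any byte >= 0x80 with signed char) is
 * undefined behaviour.
 **********************************/

void To_UpperC(char *const s)
{
    char *cur;

    for ( cur = s; *cur != '\0'; cur++ )
        {
            *cur = (char) toupper((unsigned char) *cur);
        }
}

/**********************************
 * Shift a string to all lowercase
 *
 * See To_UpperC for the unsigned-char cast.
 **********************************/

void To_LowerC(char *const s)
{
    char *cur;

    for ( cur = s; *cur != '\0'; cur++ )
        {
            *cur = (char) tolower((unsigned char) *cur);
        }
}

/******************************************************
 * Generic "sagan.log" style logging and screen output.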
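*******************************************************/

/*
 * Sagan_Log - format a message, append it to config->sagan_log_stream as
 * "[<type letter>] [<timestamp>] - <msg>", echo it to stdout when neither
 * daemonized nor quiet, and exit(1) when type is ERROR.
 *
 * type is NORMAL ('*'), ERROR ('E'), WARN ('W') or DEBUG ('D').  `format`
 * must be a literal the caller controls: it is passed to vsnprintf() as-is.
 * Fixed: va_end() was never called; localtime() (shared static buffer) is
 * replaced by localtime_r() because this is called from worker threads.
 */
void Sagan_Log (int type, const char *format,... )
{

    char buf[5128] = { 0 };
    char curtime[64];
    const char *chr = "*";
    time_t t;
    struct tm now_tm;
    va_list ap;

    t = time(NULL);
    localtime_r(&t, &now_tm);
    strftime(curtime, sizeof(curtime), "%m/%d/%Y %H:%M:%S", &now_tm);

    switch (type)
        {
        case ERROR:
            chr = "E";
            break;
        case WARN:
            chr = "W";
            break;
        case DEBUG:
            chr = "D";
            break;
        default:
            break;
        }

    va_start(ap, format);
    vsnprintf(buf, sizeof(buf), format, ap);
    va_end(ap);

    fprintf(config->sagan_log_stream, "[%s] [%s] - %s\n", chr, curtime, buf);
    fflush(config->sagan_log_stream);

    if ( config->daemonize == 0 && config->quiet == 0 )
        {
            printf("[%s] %s\n", chr, buf);
        }

    if ( type == ERROR )
        {
            exit(1);
        }
}

/******************************************
 * Check if system is big || little endian
 *
 * Returns 0 on a little-endian host (lowest address holds the least
 * significant byte of an int), 1 on big-endian.
 ******************************************/

sbool Check_Endian()
{
    int probe = 1;
    const char *lowest = (const char *) &probe;

    return (lowest[0] == 1) ? 0 : 1;
}

/* NOTE(review): the text between Mask2Bit()'s loop and the getaddrinfo()
 * switch below is missing from this listing (lost in extraction); what
 * follows is two functions fused together, reproduced verbatim. */

sbool Mask2Bit(int mask, unsigned char *out)
{
    int i;
    bool ret = false;

    if (mask < 1 || mask > 128)
        {
            return false;
        }

    ret = true;

    for (i=0; iai_addr)->ss_family)
        {
        case AF_INET:
            ret = true;
            if (out != NULL)
                {
                    memcpy(out, &((struct sockaddr_in *)result->ai_addr)->sin_addr, sizeof(((struct sockaddr_in *)0)->sin_addr));
                }
            break;
        case AF_INET6:
            ret = true;
            if (out != NULL)
                {
                    memcpy(out, &((struct sockaddr_in6 *)result->ai_addr)->sin6_addr, sizeof(((struct sockaddr_in6 *)0)->sin6_addr));
                }
            break;
        default:
            Sagan_Log(WARN, "[%lu] Warning: Got a getaddrinfo() received a non IPv4/IPv6 address for \"%s\" but continuing...", pthread_self(), ipaddr);
        }
    }

    if (result != NULL)
        {
            freeaddrinfo(result);
        }

    return ret;
}

/****************************************
 * Check if string contains only numbers
 *
 * True when every byte of str is an ASCII digit (an empty string counts as
 * numeric, since strlen("") == strspn("", ...) == 0).
 ****************************************/

sbool Is_Numeric (char *str)
{
    size_t digits = strspn(str, "0123456789");

    return ( digits == strlen(str) ) ? true : false;
}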
/*************************************************************************** * Grab's information between "quotes" and returns it. Use for things like * parsing msg: and pcre ***************************************************************************/ void Between_Quotes(char *instr, char *str, size_t size) { sbool flag=0; int i; char tmp1[2]; char tmp2[512] = { 0 }; for ( i=0; isagan_host); return(0); } memset(&hints, 0, sizeof hints); hints.ai_family = AF_UNSPEC; /* AF_INET or AF_INET6 to force version */ hints.ai_socktype = SOCK_STREAM; if ((status = getaddrinfo(host, NULL, &hints, &res)) != 0) { Sagan_Log(WARN, "%s: %s", gai_strerror(status), host); return -1; } if (res->ai_family == AF_INET) /* IPv4 */ { struct sockaddr_in *ipv4 = (struct sockaddr_in *)res->ai_addr; addr = &(ipv4->sin_addr); } else /* IPv6 */ { struct sockaddr_in6 *ipv6 = (struct sockaddr_in6 *)res->ai_addr; addr = &(ipv6->sin6_addr); } inet_ntop(res->ai_family, addr, ipstr, sizeof ipstr); freeaddrinfo(res); snprintf(str, size, "%s", ipstr); return 0; } /**************************************************************** * String replacement function. 
Used for things like $RULE_PATH ****************************************************************/ void Replace_String(char *in_str, char *orig, char *rep, char *str, size_t size) { char buffer[4096] = { 0 }; char *p = NULL; if(!(p = strstr(in_str, orig))) { snprintf(str, size, "%s", in_str); return; } strlcpy(buffer, in_str, p-in_str); buffer[p-in_str] = '\0'; sprintf(buffer+(p-in_str), "%s%s", rep, p+strlen(orig)); snprintf(str, size, "%s", buffer); } sbool is_inrange ( unsigned char *ip, unsigned char *tests, int count) { int i,j,k; sbool inrange = false; for (i=0; ivar_count; i++) { ptmp = strtok_r(tmp, " ", &tok); while (ptmp != NULL ) { Replace_String(ptmp, var[i].var_name, var[i].var_value, tmp2, sizeof(tmp2)); snprintf(tmp3, sizeof(tmp3), "%s ", tmp2); strlcat(tmp_result, tmp3, sizeof(tmp_result)); ptmp = strtok_r(NULL, " ", &tok); } strlcpy(tmp, tmp_result, sizeof(tmp)); memset(tmp_result, 0, sizeof(tmp_result)); } tmp[strlen(tmp)-1] = 0; /* Remove trailing space */ snprintf(str, size, "%s", tmp); } /**************************************************************************** * Validate_HEX - Makes sure a string is valid hex. 
****************************************************************************/ sbool Validate_HEX (const char *string) { const char *curr = string; while (*curr != 0) { if (('A' <= *curr && *curr <= 'F') || ('a' <= *curr && *curr <= 'f') || ('0' <= *curr && *curr <= '9')) { ++curr; } else { return(false); } } return(true); } /**************************************************************************** * Check_Var - Checks to make sure a "var" is present in memory ****************************************************************************/ int Check_Var(const char *string) { int i; int flag = 0; for (i=0; ivar_count; i++) { if (!strcmp(string, var[i].var_name)) { flag = 1; break; } } return(flag); } /************************************************************************************************ * This is for |HEX| support (like in Snort). From example: content: "User |3a 3c 53| and such"; * If the content has no pipes, we leave it unaltered. If it has pipes, we insert the ASCII * values of the Hex within the content (keeping formating correct - Champ Clark - 12/04/2013 * Move to this function 05/05/2014 - Champ Clark *************************************************************************************************/ void Content_Pipe(char *in_string, int linecount, const char *ruleset, char *str, size_t size ) { int pipe_flag = 0; /* Set to RULEBUF. Some meta_content strings can be rather large! */ static char final_content[RULEBUF] = { 0 }; memset(final_content,0,sizeof(final_content)); char final_content_tmp[RULEBUF] = { 0 }; char tmp2[RULEBUF]; int i; int x; char tmp[2]; strlcpy(tmp2, in_string, sizeof(tmp2)); pipe_flag = 0; for ( i=0; i= 0) { close(*fd); *fd = -1; } } /**************************************************************************** * OpenStream - Used to open streams. 
This function does NOT use Sagan_Log() * since it is used before Sagan_Log() is initalized ***************************************************************************/ FILE *OpenStream( char *path, int *fd, unsigned long pw_uid, unsigned long pw_gid ) { FILE *ret = NULL; char *_path = NULL; struct sockaddr_un name = {0}; if ( fd == NULL || path == NULL ) { fprintf(stderr, "[E] [%s, line %d] Invalid (null) argument(s) passed to OpenStream!\n", __FILE__, __LINE__); exit(-1); } _path = strstr(path, "://"); if ( _path == NULL ) { _path = path; } else { _path += 3; } /* TODO: Add cases here for UDP and TCP */ if (Starts_With(path, "unix://")) { /* Create socket from which to write. Currently only stream mode is supported */ *fd = socket(AF_UNIX, SOCK_STREAM, 0); if (*fd < 0) { fprintf(stderr, "[E] [%s, line %d] Could not init unix socket. Failed to open socket at %s - %s!\n", __FILE__, __LINE__ , _path, strerror(errno)); exit(-1); } /* Create name. */ name.sun_family = AF_UNIX; strncpy(name.sun_path, _path, sizeof(name.sun_path)-1); /* Bind the UNIX domain address to the created socket */ if (connect(*fd, (struct sockaddr *) &name, sizeof(struct sockaddr_un))) { fprintf(stderr, "[E] [%s, line %d] Could not init unix socket. 
Failed to connect to socket %s - %s!\n", __FILE__, __LINE__, _path, strerror(errno)); exit(-1); } else { //Sagan_Log(NORMAL, "[%s, line %d] Connected to unix socket: %s: %d", __FILE__, __LINE__, name.sun_path, *fd); ret = fdopen(*fd, "a"); } } else { *fd = -1; ret = fopen(_path, "a"); } /* Chown the log files in case we get a SIGHUP or whatnot later (due to Sagan_Chroot()) */ if ( chown(_path, pw_uid,pw_gid) < 0 ) { fprintf(stderr, "[%s, line %d] Cannot change ownership of %s to username \"%s\" - %s\n", __FILE__, __LINE__, _path, config->sagan_runas, strerror(errno)); exit(-1); } if ( ret == NULL && *fd >= 0 ) { close(*fd); *fd = -1; } return ret; } /**************************************************************************** * Open_Log_File - This controls the opening and/or re-opening of log * files. This is useful for situation like SIGHUP, where we want to * close a file handle and start a new one. Think of 'logrotate'. ****************************************************************************/ void Open_Log_File( sbool state, int type ) { struct passwd *pw = NULL; pw = getpwnam(config->sagan_runas); if( pw == NULL) { fprintf(stderr, "[E] [%s, line %d] Invalid user %s (use -u option to set a user)\n", __FILE__, __LINE__, config->sagan_runas); exit(-1); } if ( type == SAGAN_LOG || type == ALL_LOGS ) { /* For SIGHUP */ if ( state == REOPEN ) { CloseStream(config->sagan_log_stream, &config->sagan_log_fd); } if ((config->sagan_log_stream = OpenStream(config->sagan_log_filepath, &config->sagan_log_fd,(unsigned long)pw->pw_uid,(unsigned long)pw->pw_gid)) == NULL) { fprintf(stderr, "[E] [%s, line %d] Cannot open %s - %s!\n", __FILE__, __LINE__, config->sagan_log_filepath, strerror(errno)); exit(-1); } } if ( type == ALERT_LOG || type == ALL_LOGS ) { /* For SIGHUP */ if ( state == REOPEN && config->eve_flag == true ) { CloseStream(config->eve_stream, &config->eve_fd); } if ( state == REOPEN && config->alert_flag == true ) { CloseStream(config->sagan_alert_stream, 
&config->sagan_alert_fd); } if ( state == REOPEN && config->fast_flag == true ) { CloseStream(config->sagan_fast_stream, &config->sagan_fast_fd); } if ( config->eve_flag ) { if (( config->eve_stream = OpenStream(config->eve_filename, &config->eve_fd, (unsigned long)pw->pw_uid, (unsigned long)pw->pw_gid )) == NULL ) { Remove_Lock_File(); Sagan_Log(ERROR, "[%s, line %d] Can't open \"%s\" - %s!", __FILE__, __LINE__, config->eve_filename, strerror(errno)); } } if ( config->fast_flag ) { if (( config->sagan_fast_stream = OpenStream(config->fast_filename, &config->sagan_fast_fd, (unsigned long)pw->pw_uid, (unsigned long)pw->pw_gid )) == NULL ) { Remove_Lock_File(); Sagan_Log(ERROR, "[%s, line %d] Can't open %s - %s!", __FILE__, __LINE__, config->fast_filename, strerror(errno)); } } if ( config->alert_flag ) { if (( config->sagan_alert_stream = OpenStream(config->sagan_alert_filepath, &config->sagan_alert_fd, (unsigned long)pw->pw_uid, (unsigned long)pw->pw_gid )) == NULL ) { Remove_Lock_File(); Sagan_Log(ERROR, "[%s, line %d] Can't open %s - %s!", __FILE__, __LINE__, config->sagan_alert_filepath, strerror(errno)); } } } } /**************************************************************************** * Set_Pipe_Size - Changes the capacity of the pipe/FIFO. ****************************************************************************/ #if defined(HAVE_GETPIPE_SZ) && defined(HAVE_SETPIPE_SZ) void Set_Pipe_Size ( FILE *fd ) { int fd_int; int current_fifo_size; int fd_results; if ( config->sagan_fifo_size != 0 ) { fd_int = fileno(fd); current_fifo_size = fcntl(fd_int, F_GETPIPE_SZ); if ( current_fifo_size == config->sagan_fifo_size ) { Sagan_Log(NORMAL, "FIFO capacity already set to %d bytes.", config->sagan_fifo_size); } else { Sagan_Log(NORMAL, "FIFO capacity is %d bytes. 
Changing to %d bytes.", current_fifo_size, config->sagan_fifo_size); fd_results = fcntl(fd_int, F_SETPIPE_SZ, config->sagan_fifo_size ); if ( fd_results == -1 ) { Sagan_Log(WARN, "FIFO capacity could not be changed. Continuing anyways..."); } if ( fd_results > config->sagan_fifo_size ) { Sagan_Log(WARN, "FIFO capacity was rounded up to the next page size of %d bytes.", fd_results); } } } } #endif /**************************************************************************** * File_Lock - Takes in a file descriptor and "locks" the file. Used * with IPC/memory mapped files. ****************************************************************************/ sbool File_Lock ( int fd ) { struct flock fl; fl.l_type = F_WRLCK; fl.l_whence = SEEK_SET; fl.l_start = 0; fl.l_len = 0; fl.l_pid = getpid(); if (fcntl(fd, F_SETLKW, &fl) == -1) { Sagan_Log(WARN, "[%s, line %d] Unable to get LOCK on file. (%s)", __FILE__, __LINE__, strerror(errno)); } return(0); } /**************************************************************************** * File_Unlock - Takes in a file descriptor and "unlocks" the file. * Used with IPC/memory mapped files. ****************************************************************************/ sbool File_Unlock( int fd ) { struct flock fl; fl.l_type = F_UNLCK; fl.l_whence = SEEK_SET; fl.l_start = 0; fl.l_len = 0; fl.l_pid = getpid(); if (fcntl(fd, F_SETLK, &fl) == -1) { Sagan_Log(WARN, "[%s, line %d] Unable to get UNLOCK on file. 
(%s)", __FILE__, __LINE__, strerror(errno)); } return(0); } /**************************************************************************** * Bit2IP - Takes a 16 byte char IP address and returns a string ****************************************************************************/ const char *Bit2IP(unsigned char *ipbits, char *str, size_t size) { int i; int ss_family = AF_INET; static __thread char retbuf[MAXIP]; memset(retbuf,0,sizeof(retbuf)); const char *ret = NULL; for (i=4; i<16; i++) { if (ipbits[i] != 0x00) { ss_family = AF_INET6; break; } } ret = inet_ntop(ss_family, ipbits, str == NULL ? retbuf : str, str == NULL ? sizeof(retbuf) : size); return ret; } /************************************************************************/ /* Convert an IP or IP/CIDR into 128bit IP and 128bit mask. */ /* Return if masked. Assume that out is at least 32 bytes */ /************************************************************************/ int Netaddr_To_Range( char *ipstr, unsigned char *out ) { int mask; char *t = NULL; char _t = '\0'; int maxmask = NULL != strchr(ipstr, ':') ? 128 : 32; if ( ( t = strchr(ipstr, '/') ) ) { mask = atoi(t+1); } else { mask = maxmask; } if (t != NULL) { _t = t[0]; t[0] = '\0'; } IP2Bit(ipstr, out); if (t != NULL) { t[0] = _t; } Mask2Bit(mask, out+16); return mask != maxmask; } /* netaddr_to_range() */ sbool Starts_With(const char *str, const char *prefix) { size_t lenpre = strlen(prefix), lenstr = strlen(str); return lenstr < lenpre ? false : strncmp(prefix, str, lenpre) == 0; } /**********************************/ /* Strip characters from a string */ /**********************************/ void Strip_Chars(const char *string, const char *chars, char *str) { int i = 0; for ( i = 0; i 128 ) { return(false); } } return(true); } else { return(false); } } /*************************************************************************** * PageSupportsRWX - Checks the OS to see if it allows RMX pages. 
This * function is from Suricata and is by Shawn Webb from HardenedBSD. GRSec * will cause things like PCRE JIT to fail. ***************************************************************************/ #ifndef HAVE_SYS_MMAN_H #ifndef PageSupportsRWX #define PageSupportsRWX 1 #endif #else #include int PageSupportsRWX(void) { int retval = 1; void *ptr; ptr = mmap(0, getpagesize(), PROT_READ|PROT_WRITE, MAP_ANON|MAP_SHARED, -1, 0); if (ptr != MAP_FAILED) { if (mprotect(ptr, getpagesize(), PROT_READ|PROT_WRITE|PROT_EXEC) == -1) { retval = 0; } munmap(ptr, getpagesize()); } return retval; } #endif /* HAVE_SYS_MMAN_H */ /*************************************************************************** * FlowGetId - Generates a Suricata "FLow ID". We don't really support * "FLow ID" idea like Suricata. This is for compatibility with Suricata * EVE ***************************************************************************/ int64_t FlowGetId( _Sagan_Event *Event) { return (int64_t)(Event->event_time.tv_sec & 0x0000FFFF) << 16 | (int64_t)(Event->event_time.tv_usec & 0x0000FFFF); } /*************************************************************************** * Check_Content_Not - Simply returns true/false if a "not" (!) is present * in a string. For example, content!"something"; ***************************************************************************/ sbool Check_Content_Not( char *s ) { char rule_tmp[RULEBUF] = { 0 }; int i; strlcpy(rule_tmp, s, sizeof(rule_tmp)); for (i=0; i= str) { test = accept; while (test[0] != '\0') { if ((test++)[0] == pstr[0]) { return (char *)pstr; } } pstr--; } return NULL; } /*************************************************************************** * Escape_Chars - Escapes characters. For example, " becomes \". 
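This * might be expanded on ***************************************************************************/
/***************************************************************************
 * Escape_Chars - Copies "str_in" into "str" with every double quote written
 * as \" so the text can be embedded in quoted output. At most size-1 bytes of
 * input are considered and at most size-1 bytes are written; "str" is always
 * NUL terminated. A NULL "str_in" yields an empty string.
 ***************************************************************************/
void Escape_Chars( char *str_in, char *str, size_t size)
{
    size_t i;
    size_t out = 0;
    size_t in_len = 0;
    const char *nul = NULL;

    if ( str == NULL || size == 0 )
        {
            return;
        }

    if ( str_in == NULL )
        {
            str[0] = '\0';
            return;
        }

    /* Only the first size-1 bytes of the input are used, matching the old
     * strlcpy() into a size-byte scratch buffer. */
    nul = memchr(str_in, '\0', size - 1);
    in_len = ( nul != NULL ) ? (size_t)(nul - str_in) : size - 1;

    /* Scratch copy so the output can be built even if "str" overlaps "str_in".
     * It is explicitly terminated: the previous version strlcat()'d into an
     * uninitialised VLA and so treated stale stack bytes as existing content. */
    char log_orig[in_len + 1];
    memcpy(log_orig, str_in, in_len);
    log_orig[in_len] = '\0';

    /* Emit straight into "str" and stop at size-1 bytes. A lone backslash can be
     * the last byte when the escaped quote does not fit, which is what the old
     * final snprintf() truncation produced as well. */
    for ( i = 0; i < in_len && out < size - 1; i++ )
        {
            if ( log_orig[i] == '\"' )
                {
                    str[out++] = '\\';

                    if ( out < size - 1 )
                        {
                            str[out++] = '\"';
                        }
                }
            else
                {
                    str[out++] = log_orig[i];
                }
        }

    str[out] = '\0';
}
sagan-1.2.0/src/ignore-list.h0000644000175000017500000000217313310531444014742 0ustar champchamp/* ** Copyright (C) 2009-2018 Quadrant Information Security ** Copyright (C) 2009-2018 Champ Clark III ** ** This program is free software; you can redistribute it and/or modify ** it under the terms of the GNU General Public License Version 2 as ** published by the Free Software Foundation. You may not use, modify or ** distribute this program under any other version of the GNU General ** Public License. ** ** This program is distributed in the hope that it will be useful, ** but WITHOUT ANY WARRANTY; without even the implied warranty of ** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ** GNU General Public License for more details. ** ** You should have received a copy of the GNU General Public License ** along with this program; if not, write to the Free Software ** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. 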
*/ #ifdef HAVE_CONFIG_H #include "config.h" /* From autoconf */ #endif typedef struct _Sagan_Ignorelist _Sagan_Ignorelist; struct _Sagan_Ignorelist { char ignore_string[256]; }; void Load_Ignore_List ( void ); sagan-1.2.0/src/geoip2.h0000644000175000017500000000224213310531444013670 0ustar champchamp/* ** Copyright (C) 2009-2018 Quadrant Information Security ** Copyright (C) 2009-2018 Champ Clark III ** ** This program is free software; you can redistribute it and/or modify ** it under the terms of the GNU General Public License Version 2 as ** published by the Free Software Foundation. You may not use, modify or ** distribute this program under any other version of the GNU General ** Public License. ** ** This program is distributed in the hope that it will be useful, ** but WITHOUT ANY WARRANTY; without even the implied warranty of ** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ** GNU General Public License for more details. ** ** You should have received a copy of the GNU General Public License ** along with this program; if not, write to the Free Software ** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. */ /* sagan-geoip.h * * Sagan GeoIP prototypes */ #ifdef HAVE_CONFIG_H #include "config.h" /* From autoconf */ #endif #ifdef HAVE_LIBMAXMINDDB void Open_GeoIP2_Database( void ); int GeoIP2_Lookup_Country( char *, unsigned char *ip_bits, int ); #endif sagan-1.2.0/src/ignore-list.c0000644000175000017500000000652513310531444014742 0ustar champchamp/* ** Copyright (C) 2009-2018 Quadrant Information Security ** Copyright (C) 2009-2018 Champ Clark III ** ** This program is free software; you can redistribute it and/or modify ** it under the terms of the GNU General Public License Version 2 as ** published by the Free Software Foundation. You may not use, modify or ** distribute this program under any other version of the GNU General ** Public License. 
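** ** This program is distributed in the hope that it will be useful, ** but WITHOUT ANY WARRANTY; without even the implied warranty of ** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ** GNU General Public License for more details. ** ** You should have received a copy of the GNU General Public License ** along with this program; if not, write to the Free Software ** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. */ /* ignore-list.c * * Loads the "ignore list" into memory * */ #ifdef HAVE_CONFIG_H #include "config.h" /* From autoconf */ #endif #include #include #include #include "sagan.h" #include "sagan-defs.h" #include "ignore-list.h" #include "sagan-config.h" struct _Sagan_Ignorelist *SaganIgnorelist; struct _SaganCounters *counters; struct _SaganConfig *config; pthread_mutex_t CountDropListMutex=PTHREAD_MUTEX_INITIALIZER;
/****************************************************************************
 * Load_Ignore_List - Reads config->sagan_droplistfile line by line into the
 * global SaganIgnorelist array, one ignore_string per non-comment, non-blank
 * line, and bumps counters->droplist_count (under CountDropListMutex) for
 * each entry. Does nothing unless config->sagan_droplist_flag is set; if the
 * file cannot be opened the flag is cleared and the function returns.
 ****************************************************************************/
void Load_Ignore_List ( void )
{
    FILE *droplist = NULL;
    char droplistbuf[1024] = { 0 };
    struct _Sagan_Ignorelist *tmp_list = NULL;

    if ( !config->sagan_droplist_flag )
        {
            return;
        }

    if (( droplist = fopen(config->sagan_droplistfile, "r" )) == NULL )
        {
            Sagan_Log(ERROR, "[%s, line %d] No drop list/ignore list to load (%s)", __FILE__, __LINE__, config->sagan_droplistfile);
            config->sagan_droplist_flag=0;
            /* Return here: previously execution fell through to fgets() on a NULL stream. */
            return;
        }

    while(fgets(droplistbuf, sizeof(droplistbuf), droplist) != NULL)
        {
            /* Skip comments and blank lines ('#', newline, ';' or a leading space). */
            if (droplistbuf[0] == '#' || droplistbuf[0] == 10 || droplistbuf[0] == ';' || droplistbuf[0] == 32)
                {
                    continue;
                }

            /* Grow by one entry. Keep the old pointer until realloc() succeeds so a
             * failure neither leaks the entries already loaded nor leaves the global
             * pointing at NULL. */
            tmp_list = (_Sagan_Ignorelist *) realloc(SaganIgnorelist, (counters->droplist_count+1) * sizeof(_Sagan_Ignorelist));

            if ( tmp_list == NULL )
                {
                    fclose(droplist);
                    Sagan_Log(ERROR, "[%s, line %d] Failed to reallocate memory for SaganIgnorelist. Abort!", __FILE__, __LINE__);
                    return;
                }

            SaganIgnorelist = tmp_list;

            Remove_Return(droplistbuf);
            strlcpy(SaganIgnorelist[counters->droplist_count].ignore_string, droplistbuf, sizeof(SaganIgnorelist[counters->droplist_count].ignore_string));

            pthread_mutex_lock(&CountDropListMutex);
            counters->droplist_count++;
            pthread_mutex_unlock(&CountDropListMutex);
        }

    /* The stream was previously never closed (one leaked descriptor per load/reload). */
    fclose(droplist);
}
sagan-1.2.0/src/ipc.h0000644000175000017500000000234413310531444013261 0ustar champchamp /* $Id$ */ /* ** Copyright (C) 2009-2018 Quadrant Information Security ** Copyright (C) 2009-2018 Champ Clark III ** ** This program is free software; you can redistribute it and/or modify ** it under the terms of the GNU General Public License Version 2 as ** published by the Free Software Foundation. You may not use, modify or ** distribute this program under any other version of the GNU General ** Public License. ** ** This program is distributed in the hope that it will be useful, ** but WITHOUT ANY WARRANTY; without even the implied warranty of ** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ** GNU General Public License for more details. ** ** You should have received a copy of the GNU General Public License ** along with this program; if not, write to the Free Software ** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. */ /* sagan-ipc.c * * This allows Sagan to share data with other Sagan processes. This is for * Inter-process communications (IPC). * */ #ifdef HAVE_CONFIG_H #include "config.h" /* From autoconf */ #endif void IPC_Init(void); sbool Clean_IPC_Object( int ); void IPC_Check_Object(char *, sbool, char *); sagan-1.2.0/src/stats.c0000644000175000017500000003245213310531444013642 0ustar champchamp/* ** Copyright (C) 2009-2018 Quadrant Information Security ** Copyright (C) 2009-2018 Champ Clark III ** ** This program is free software; you can redistribute it and/or modify ** it under the terms of the GNU General Public License Version 2 as ** published by the Free Software Foundation. 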
You may not use, modify or ** distribute this program under any other version of the GNU General ** Public License. ** ** This program is distributed in the hope that it will be useful, ** but WITHOUT ANY WARRANTY; without even the implied warranty of ** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ** GNU General Public License for more details. ** ** You should have received a copy of the GNU General Public License ** along with this program; if not, write to the Free Software ** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. */ /* stats.c * * Simply dumps statistics of Sagan to the user or via sagan.log * */ #ifdef HAVE_CONFIG_H #include "config.h" /* From autoconf */ #endif #include #include #include #include #include #include #include "sagan.h" #include "sagan-defs.h" #include "stats.h" #include "sagan-config.h" struct _SaganCounters *counters; struct _Sagan_IPC_Counters *counters_ipc; struct _SaganConfig *config; void Statistics( void ) { char timet[20]; time_t t; struct tm *now; int seconds = 0; unsigned long total=0; int uptime_days; int uptime_abovedays; int uptime_hours; int uptime_abovehours; int uptime_minutes; int uptime_seconds; #ifdef WITH_BLUEDOT unsigned long bluedot_ip_total=0; unsigned long bluedot_hash_total=0; unsigned long bluedot_url_total=0; unsigned long bluedot_filename_total=0; #endif /* This is used to calulate the events per/second */ /* Champ Clark III - 11/17/2011 */ t = time(NULL); now=localtime(&t); strftime(timet, sizeof(timet), "%s", now); seconds = atol(timet) - atol(config->sagan_startutime); /* if statement prevents floating point exception */ if ( seconds != 0 ) { total = counters->sagantotal / seconds; #ifdef WITH_BLUEDOT bluedot_ip_total = counters->bluedot_ip_total / seconds; bluedot_hash_total = counters->bluedot_hash_total / seconds; bluedot_url_total = counters->bluedot_url_total / seconds; bluedot_filename_total = counters->bluedot_filename_total / seconds; #endif } if 
((isatty(1))) { Sagan_Log(NORMAL, " ,-._,-. -[ Sagan Version %s - Engine Statistics ]-", VERSION); Sagan_Log(NORMAL, " \\/)\"(\\/"); Sagan_Log(NORMAL, " (_o_) Events processed : %" PRIu64 "", counters->sagantotal); Sagan_Log(NORMAL, " / \\/) Signatures matched : %" PRIu64 " (%.3f%%)", counters->saganfound, CalcPct(counters->saganfound, counters->sagantotal ) ); Sagan_Log(NORMAL, " (|| ||) Alerts : %" PRIu64 " (%.3f%%)", counters->alert_total, CalcPct( counters->alert_total, counters->sagantotal) ); Sagan_Log(NORMAL, " oo-oo After : %" PRIu64 " (%.3f%%)", counters->after_total, CalcPct( counters->after_total, counters->sagantotal) ); Sagan_Log(NORMAL, " Threshold : %" PRIu64 " (%.3f%%)", counters->threshold_total, CalcPct( counters->threshold_total, counters->sagantotal) ); Sagan_Log(NORMAL, " Dropped : %" PRIu64 " (%.3f%%)", counters->sagan_processor_drop + counters->sagan_output_drop + counters->sagan_log_drop, CalcPct(counters->sagan_processor_drop + counters->sagan_output_drop + counters->sagan_log_drop, counters->sagantotal) ); // Sagan_Log(NORMAL, " Malformed : h:%" PRIu64 "|f:%" PRIu64 "|p:%" PRIu64 "|l:%" PRIu64 "|T:%" PRIu64 "|d:%" PRIu64 "|T:%" PRIu64 "|P:%" PRIu64 "|M:%" PRIu64 "", counters->malformed_host, counters->malformed_facility, counters->malformed_priority, counters->malformed_level, counters->malformed_tag, counters->malformed_date, counters->malformed_time, counters->malformed_program, counters->malformed_message); Sagan_Log(NORMAL, " Thread Exhaustion : %" PRIu64 " (%.3f%%)", counters->worker_thread_exhaustion, CalcPct( counters->worker_thread_exhaustion, counters->sagantotal) ); if (config->sagan_droplist_flag) { Sagan_Log(NORMAL, " Ignored Input : %" PRIu64 " (%.3f%%)", counters->ignore_count, CalcPct(counters->ignore_count, counters->sagantotal) ); } #ifdef HAVE_LIBMAXMINDDB Sagan_Log(NORMAL, " GeoIP2 Hits: : %" PRIu64 " (%.3f%%)", counters->geoip2_hit, CalcPct( counters->geoip2_hit, counters->sagantotal) ); Sagan_Log(NORMAL, " GeoIP2 
Lookups: : %" PRIu64 "", counters->geoip2_lookup); Sagan_Log(NORMAL, " GeoIP2 Misses : %" PRIu64 "", counters->geoip2_miss); #endif uptime_days = seconds / 86400; uptime_abovedays = seconds % 86400; uptime_hours = uptime_abovedays / 3600; uptime_abovehours = uptime_abovedays % 3600; uptime_minutes = uptime_abovehours / 60; uptime_seconds = uptime_abovehours % 60; Sagan_Log(NORMAL, " Uptime : %d days, %d hours, %d minutes, %d seconds.", uptime_days, uptime_hours, uptime_minutes, uptime_seconds); /* If processing from a file, don't display events per/second */ if ( config->sagan_is_file == 0 ) { if ( seconds < 60 || seconds == 0 ) { Sagan_Log(NORMAL, " Avg. events per/second : %lu [%lu of 60 seconds. Calculating...]", total, seconds); } else { Sagan_Log(NORMAL, " Avg. events per/second : %lu", total); } } else { Sagan_Log(NORMAL, " Avg. events per/second : %lu", total); } Sagan_Log(NORMAL, ""); Sagan_Log(NORMAL, " -[ Sagan Processor Statistics ]-"); Sagan_Log(NORMAL, ""); Sagan_Log(NORMAL, " Dropped : %" PRIu64 " (%.3f%%)", counters->sagan_processor_drop, CalcPct(counters->sagan_processor_drop, counters->sagantotal) ); if (config->blacklist_flag) { Sagan_Log(NORMAL, " Blacklist Lookups : %" PRIu64 " (%.3f%%)", counters->blacklist_lookup_count, CalcPct(counters->blacklist_lookup_count, counters->sagantotal) ); Sagan_Log(NORMAL, " Blacklist Hits : %" PRIu64 " (%.3f%%)", counters->blacklist_hit_count, CalcPct(counters->blacklist_hit_count, counters->sagantotal) ); } if (config->sagan_track_clients_flag) { Sagan_Log(NORMAL, " Tracking/Down : %" PRIu64 " / %"PRIu64 " [%d minutes]" , counters_ipc->track_clients_client_count, counters_ipc->track_clients_down, config->pp_sagan_track_clients); } if (config->output_thread_flag) { Sagan_Log(NORMAL, ""); Sagan_Log(NORMAL, " -[ Sagan Output Plugin Statistics ]-"); Sagan_Log(NORMAL, ""); Sagan_Log(NORMAL," Dropped : %" PRIu64 " (%.3f%%)", counters->sagan_output_drop, CalcPct(counters->sagan_output_drop, counters->sagantotal) ); } 
#ifdef HAVE_LIBESMTP if ( config->sagan_esmtp_flag ) { Sagan_Log(NORMAL, " Email Success/Failed : %" PRIu64 " / %" PRIu64 "" , counters->esmtp_count_success, counters->esmtp_count_failed); } #endif if (config->syslog_src_lookup) { Sagan_Log(NORMAL, ""); Sagan_Log(NORMAL, " -[ Sagan DNS Cache Statistics ]-"); Sagan_Log(NORMAL, ""); Sagan_Log(NORMAL, " Cached : %" PRIu64 "", counters->dns_cache_count); Sagan_Log(NORMAL, " Missed : %" PRIu64 " (%.3f%%)", counters->dns_miss_count, CalcPct(counters->dns_miss_count, counters->dns_cache_count)); } Sagan_Log(NORMAL, ""); Sagan_Log(NORMAL, " -[ Sagan follow_flow Statistics ]-"); Sagan_Log(NORMAL, ""); Sagan_Log(NORMAL, " Total : %" PRIu64 "", counters->follow_flow_total); Sagan_Log(NORMAL, " Dropped : %" PRIu64 " (%.3f%%)", counters->follow_flow_drop, CalcPct(counters->follow_flow_drop, counters->follow_flow_total)); #ifdef WITH_BLUEDOT if (config->bluedot_flag) { Sagan_Log(NORMAL, ""); Sagan_Log(NORMAL, " -[ Sagan Bluedot Processor ]-"); Sagan_Log(NORMAL, ""); Sagan_Log(NORMAL, " * IP Reputation *"); Sagan_Log(NORMAL, ""); Sagan_Log(NORMAL, " IP addresses in cache : %" PRIu64 "", counters->bluedot_ip_cache_count); Sagan_Log(NORMAL, " IP hits from cache : %" PRIu64 " (%.3f%%)", counters->bluedot_ip_cache_hit, CalcPct(counters->bluedot_ip_cache_hit, counters->bluedot_ip_cache_count)); Sagan_Log(NORMAL, " IP/Bluedot hits in logs : %" PRIu64 "", counters->bluedot_ip_positive_hit); Sagan_Log(NORMAL, " IP with date > mdate : %" PRIu64 "", counters->bluedot_mdate); Sagan_Log(NORMAL, " IP with date > cdate : %" PRIu64 "", counters->bluedot_cdate); Sagan_Log(NORMAL, " IP with date > mdate [cache] : %" PRIu64 "", counters->bluedot_mdate_cache); Sagan_Log(NORMAL, " IP with date > cdate [cache] : %" PRIu64 "", counters->bluedot_cdate_cache); Sagan_Log(NORMAL, " IP queries per/second : %lu", bluedot_ip_total); Sagan_Log(NORMAL, ""); Sagan_Log(NORMAL, " * File Hash *"); Sagan_Log(NORMAL, ""); Sagan_Log(NORMAL, " Hashes in cache : %" 
PRIu64 "", counters->bluedot_hash_cache_count); Sagan_Log(NORMAL, " Hash hits from cache : %" PRIu64 " (%.3f%%)", counters->bluedot_hash_cache_hit, CalcPct(counters->bluedot_hash_cache_hit, counters->bluedot_hash_cache_count)); Sagan_Log(NORMAL, " Hash/Bluedot hits in logs : %" PRIu64 "", counters->bluedot_hash_positive_hit); Sagan_Log(NORMAL, " Hash queries per/second : %lu", bluedot_hash_total); Sagan_Log(NORMAL, ""); Sagan_Log(NORMAL, " * URL Reputation *"); Sagan_Log(NORMAL, ""); Sagan_Log(NORMAL, " URLs in cache : %" PRIu64 "", counters->bluedot_url_cache_count); Sagan_Log(NORMAL, " URL hits from cache : %" PRIu64 " (%.3f%%)", counters->bluedot_url_cache_hit, CalcPct(counters->bluedot_url_cache_hit, counters->bluedot_url_cache_count)); Sagan_Log(NORMAL, " URL/Bluedot hits in logs : %" PRIu64 "", counters->bluedot_url_positive_hit); Sagan_Log(NORMAL, " URL queries per/second : %lu", bluedot_url_total); Sagan_Log(NORMAL, ""); Sagan_Log(NORMAL, " * Filename Reputation *"); Sagan_Log(NORMAL, ""); Sagan_Log(NORMAL, " Filenames in cache : %" PRIu64 "", counters->bluedot_filename_cache_count); Sagan_Log(NORMAL, " Filename hits from cache : %" PRIu64 " (%.3f%%)", counters->bluedot_filename_cache_hit, CalcPct(counters->bluedot_filename_cache_hit, counters->bluedot_filename_cache_count)); Sagan_Log(NORMAL, " Filename/Bluedot hits in logs : %" PRIu64 "", counters->bluedot_filename_positive_hit); Sagan_Log(NORMAL, " URL queries per/second : %lu", bluedot_filename_total); Sagan_Log(NORMAL, ""); Sagan_Log(NORMAL, " * Bluedot Combined Statistics *"); Sagan_Log(NORMAL, ""); Sagan_Log(NORMAL, " Lookup error count : %" PRIu64 "", counters->bluedot_error_count); Sagan_Log(NORMAL, " Total query rate/per second : %lu", bluedot_ip_total + bluedot_hash_total + bluedot_url_total + bluedot_filename_total); } #endif Sagan_Log(NORMAL, "-------------------------------------------------------------------------------"); } } 
sagan-1.2.0/src/rules.c0000644000175000017500000044322313310531444013640 0ustar champchamp/* ** Copyright (C) 2009-2018 Quadrant Information Security ** Copyright (C) 2009-2018 Champ Clark III ** ** This program is free software; you can redistribute it and/or modify ** it under the terms of the GNU General Public License Version 2 as ** published by the Free Software Foundation. You may not use, modify or ** distribute this program under any other version of the GNU General ** Public License. ** ** This program is distributed in the hope that it will be useful, ** but WITHOUT ANY WARRANTY; without even the implied warranty of ** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ** GNU General Public License for more details. ** ** You should have received a copy of the GNU General Public License ** along with this program; if not, write to the Free Software ** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. */ /* rules.c * * Loads and parses the rule files into memory * */ #ifdef HAVE_CONFIG_H #include "config.h" /* From autoconf */ #endif #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include "version.h" #include "sagan.h" #include "sagan-defs.h" #include "xbit.h" #include "xbit-mmap.h" #include "lockfile.h" #include "classifications.h" #include "rules.h" #include "sagan-config.h" #include "parsers/parsers.h" #ifdef WITH_BLUEDOT #include "processors/bluedot.h" #endif struct _SaganCounters *counters; struct _SaganDebug *debug; struct _SaganConfig *config; #ifdef WITH_BLUEDOT struct _Sagan_Bluedot_Cat_List *SaganBluedotCatList; char *bluedot_time = NULL; char *bluedot_type = NULL; uint64_t bluedot_time_u32 = 0; #endif #ifdef HAVE_LIBLOGNORM #include "liblognormalize.h" struct liblognorm_struct *liblognormstruct; struct liblognorm_toload_struct *liblognormtoloadstruct; int liblognorm_count; #endif /* For pre-8.20 PCRE compatibility */ #ifndef 
PCRE_STUDY_JIT_COMPILE #define PCRE_STUDY_JIT_COMPILE 0 #endif struct _Rule_Struct *rulestruct = NULL; struct _Class_Struct *classstruct = NULL; void Load_Rules( const char *ruleset ) { struct stat filecheck; sbool found = 0; sbool bad_rule = 0; const char *error; int erroffset; FILE *rulesfile; char ruleset_fullname[MAXPATH]; char *rulestring; char *netstring; char nettmp[64]; char tolower_tmp[512]; char *tokenrule; char *tokennet; char *rulesplit; char *arg; char *saveptrnet; char *saveptrrule1; char *saveptrrule2; char *saveptrrule3=NULL; char *saveptrflow; char *saveptrport; char *saveptrportrange; char *tmptoken; char *tok_tmp; char *tmptok_tmp; char *ptmp=NULL; char *tok = NULL; char tmp_help[CONFBUF]; char tok_help[64]; char tok_help2[64]; uint64_t fwsam_time_tmp; char netstr[RULEBUF]; char rulestr[RULEBUF]; char rulebuf[RULEBUF]; char pcrerule[MAX_PCRE_SIZE]; char tmp4[MAX_CHECK_FLOWS * 10]; char tmp3[MAX_CHECK_FLOWS * 21]; char tmp2[RULEBUF]; char tmp[2]; char tmp1[CONFBUF]; char rule_tmp[RULEBUF]; char final_content[512]; char flow_a[1024]; char flow_b[1024]; char alert_time_tmp[10]; char alert_tmp_minute[3]; char alert_tmp_hour[3]; char alert_time_all[5]; int linecount=0; int netcount=0; int ref_count=0; int content_count=0; int meta_content_count=0; int meta_content_converted_count=0; int pcre_count=0; int xbit_count; int flow_1_count=0; int flow_2_count=0; int port_1_count=0; int port_2_count=0; sbool pcreflag=0; int pcreoptions=0; int i=0; int d; int rc=0; int forward=0; int reverse=0; int is_masked = 0; /* Store rule set names/path in memory for later usage dynamic loading, etc */ strlcpy(ruleset_fullname, ruleset, sizeof(ruleset_fullname)); if (( rulesfile = fopen(ruleset_fullname, "r" )) == NULL ) { Sagan_Log(ERROR, "[%s, line %d] Cannot open rule file (%s - %s)", __FILE__, __LINE__, ruleset_fullname, strerror(errno)); } Sagan_Log(NORMAL, "Loading %s rule file.", ruleset_fullname); while ( fgets(rulebuf, sizeof(rulebuf), rulesfile) != NULL ) { /* 
Reset for next rule */ bad_rule = 0; pcre_count=0; content_count=0; meta_content_count=0; meta_content_converted_count=0; xbit_count=0; netcount=0; ref_count=0; flow_1_count=0; flow_2_count=0; port_1_count=0; port_2_count=0; memset(netstr, 0, sizeof(netstr)); memset(rulestr, 0, sizeof(rulestr)); int f1=0; /* Need for flow_direction, must reset every rule, not every group */ int f2=0; /* Need for flow_direction, must reset every rule, not every group */ int g1=0; /* Need for port_direction, must reset every rule, not every group */ int g2=0; /* Need for port_direction, must reset every rule, not every group */ linecount++; if (rulebuf[0] == '#' || rulebuf[0] == 10 || rulebuf[0] == ';' || rulebuf[0] == 32) { continue; } else { /* Allocate memory for rules, but not comments */ // realloc of same size is a noop, cleaner to not worry about skipped rules rulestruct = (_Rule_Struct *) realloc(rulestruct, (counters->rulecount+1) * sizeof(_Rule_Struct)); if ( rulestruct == NULL ) { Sagan_Log(ERROR, "[%s, line %d] Failed to reallocate memory for rulestruct. 
Abort!", __FILE__, __LINE__); } memset(&rulestruct[counters->rulecount], 0, sizeof(struct _Rule_Struct)); } Remove_Return(rulebuf); /****************************************/ /* Some really basic rule sanity checks */ /****************************************/ if (!strchr(rulebuf, ';') || !strchr(rulebuf, ':') || !strchr(rulebuf, '(') || !strchr(rulebuf, ')')) { Sagan_Log(WARN, "[%s, line %d] %s on line %d appears to be incorrect, skipping rule.", __FILE__, __LINE__, ruleset_fullname, linecount); continue; } if (!Sagan_strstr(rulebuf, "sid:")) { Sagan_Log(WARN, "[%s, line %d] %s on line %d appears to not have a 'sid', skipping rule", __FILE__, __LINE__, ruleset_fullname, linecount); continue; } if (!Sagan_strstr(rulebuf, "rev:")) { Sagan_Log(WARN, "[%s, line %d] %s on line %d appears to not have a 'rev', skipping rule", __FILE__, __LINE__, ruleset_fullname, linecount); continue; } if (!Sagan_strstr(rulebuf, "msg:")) { Sagan_Log(WARN, "[%s, line %d] %s on line %d appears to not have a 'msg', skipping rule", __FILE__, __LINE__, ruleset_fullname, linecount); continue; } rc=0; if (!Sagan_strstr(rulebuf, "alert")) { rc++; } if (!Sagan_strstr(rulebuf, "drop")) { rc++; } if ( rc == 2 ) { Sagan_Log(WARN, "[%s, line %d] %s on line %d appears to not have a 'alert' or 'drop', skipping rule", __FILE__, __LINE__, ruleset_fullname, linecount); continue; } rc=0; if (!Sagan_strstr(rulebuf, "alert any ") && !Sagan_strstr(rulebuf, "drop any ")) { rc++; } if (!Sagan_strstr(rulebuf, "alert ip ") && !Sagan_strstr(rulebuf, "drop ip ")) { rc++; } if (!Sagan_strstr(rulebuf, "alert tcp ") && !Sagan_strstr(rulebuf, "drop tcp ")) { rc++; } if (!Sagan_strstr(rulebuf, "alert udp ") && !Sagan_strstr(rulebuf, "drop udp ")) { rc++; } if (!Sagan_strstr(rulebuf, "alert icmp ") && !Sagan_strstr(rulebuf, "drop icmp ")) { rc++; } if (!Sagan_strstr(rulebuf, "alert syslog ") && !Sagan_strstr(rulebuf, "drop syslog ")) { rc++; } if ( rc >= 6 ) { Sagan_Log(WARN, "[%s, line %d] %s on line %d appears to not 
have a protocol type (any/tcp/udp/icmp/syslog), skipping rule", __FILE__, __LINE__, ruleset_fullname, linecount); continue; } /* Parse forward for the first '(' */ for (i=0; i0; i--) { if ( rulebuf[i] == ')' ) { reverse=i; break; } } /* Get rule structure, minus the ( ) */ for (i=forward+1; irulecount].drop = true; } else { rulestruct[counters->rulecount].drop = false; } } /* Protocol */ if ( netcount == 1 ) { if (!strcmp(tokennet, "any" )) { rulestruct[counters->rulecount].ip_proto = 0; } else if (!strcmp(tokennet, "ip" )) { rulestruct[counters->rulecount].ip_proto = 0; } else if (!strcmp(tokennet, "icmp" )) { rulestruct[counters->rulecount].ip_proto = 1; } else if (!strcmp(tokennet, "tcp" )) { rulestruct[counters->rulecount].ip_proto = 6; } else if (!strcmp(tokennet, "udp" )) { rulestruct[counters->rulecount].ip_proto = 17; } else if (!strcmp(tokennet, "syslog" )) { rulestruct[counters->rulecount].ip_proto = config->sagan_proto; } } /* First flow */ if ( netcount == 2 ) { Var_To_Value(tokennet, flow_a, sizeof(flow_a)); Remove_Spaces(flow_a); /* Quick sanity check for [] (if used) */ if ( ( flow_a[0] == '[' && flow_a[strlen(flow_a)-1] != ']') || ( ( flow_a[strlen(flow_a)-1] == ']' && flow_a[0] != '[' )) ) { Sagan_Log(WARN, "[%s, line %d] Unbalanced flow_a set in '%s' line %d", __FILE__, __LINE__, ruleset_fullname, linecount); } /* Nuke [] */ if ( flow_a[0] == '[' ) { for (i=1; irulecount].flow_1_var = 0; /* 0 = any */ } else { strlcpy(tmp3, flow_a, sizeof(tmp3)); for(tmptoken = strtok_r(tmp3, ",", &saveptrflow); tmptoken; tmptoken = strtok_r(NULL, ",", &saveptrflow)) { Strip_Chars(tmptoken, "not!", tok_help); if ( !Is_IP(tok_help) && !Is_IPv6(tok_help) ) { Sagan_Log(WARN,"[%s, line %d] Value is not a valid IPv4/IPv6 '%s'", __FILE__, __LINE__, tok_help); } f1++; is_masked = Netaddr_To_Range(tmptoken, (unsigned char *)&rulestruct[counters->rulecount].flow_1[flow_1_count].range); if(strchr(tmptoken, '/')) { if( !strncmp(tmptoken, "!", 1) || !strncmp("not", tmptoken, 
3)) { rulestruct[counters->rulecount].flow_1_type[f1] = is_masked ? 0 : 2; /* 0 = not in group, 2 == IP not range */ } else { rulestruct[counters->rulecount].flow_1_type[f1] = is_masked ? 1 : 3; /* 1 = in group, 3 == IP not range */ } } else if( !strncmp(tmptoken, "!", 1) || !strncmp("not", tmptoken, 3)) { rulestruct[counters->rulecount].flow_1_type[f1] = 2; /* 2 = not match ip */ } else { rulestruct[counters->rulecount].flow_1_type[f1] = 3; /* 3 = match ip */ } flow_1_count++; if( flow_1_count > MAX_CHECK_FLOWS ) { bad_rule = true; Sagan_Log(WARN,"[%s, line %d] You have exceeded the amount of IP's for flow_1 '50', skipping rule.", __FILE__, __LINE__); continue; } printf("%d\n", flow_1_count); } rulestruct[counters->rulecount].flow_1_var = 1; /* 1 = var */ rulestruct[counters->rulecount].flow_1_counter = flow_1_count; } } /* Source Port */ if ( netcount == 3 ) { if (!strcmp(nettmp, "any")) { rulestruct[counters->rulecount].port_1_var = 0; /* 0 = any */ } else { rulestruct[counters->rulecount].port_1_var = 1; /* 1 = var */ strlcpy(tmp4, nettmp, sizeof(tmp4)); for (tmptoken = strtok_r(tmp4, ",", &saveptrport); tmptoken; tmptoken = strtok_r(NULL, ",", &saveptrport)) { Strip_Chars(tmptoken, "not!", tok_help2); g1++; if (Is_Numeric(nettmp)) { rulestruct[counters->rulecount].port_1[port_1_count].lo = atoi(nettmp); /* If it's a number (see Var_To_Value), then set to that */ } if (!strncmp(tmptoken,"!", 1) || !strncmp("not", tmptoken, 3)) { if(strchr(tok_help2,':')) { rulestruct[counters->rulecount].port_1[port_1_count].lo = atoi(strtok_r(tok_help2, ":", &saveptrportrange)); rulestruct[counters->rulecount].port_1[port_1_count].hi = atoi(strtok_r(NULL, ":", &saveptrportrange)); rulestruct[counters->rulecount].port_1_type[g1] = 0; /* 0 = not in group */ } else { rulestruct[counters->rulecount].port_1[port_1_count].lo = atoi(tok_help2); rulestruct[counters->rulecount].port_1_type[g1] = 2; /* This was a single port, not a range */ } } else { if(strchr(tok_help2, ':')) { 
rulestruct[counters->rulecount].port_1[port_1_count].lo = atoi(strtok_r(tok_help2, ":", &saveptrportrange)); rulestruct[counters->rulecount].port_1[port_1_count].hi = atoi(strtok_r(NULL, ":", &saveptrportrange)); rulestruct[counters->rulecount].port_1_type[g1] = 1; /* 1 = in group */ } else { rulestruct[counters->rulecount].port_1[port_1_count].lo = atoi(tok_help2); rulestruct[counters->rulecount].port_1_type[g1] = 3; /* This was a single port, not a range */ } } port_1_count++; if( port_1_count > MAX_CHECK_FLOWS ) { Sagan_Log(WARN,"[%s, line %d] You have exceeded the amount of Ports for port_1 '%d', skipping rule.", __FILE__, __LINE__, MAX_CHECK_FLOWS); bad_rule = true; continue; } } rulestruct[counters->rulecount].port_1_counter = port_1_count; } } /* Direction */ if ( netcount == 4 ) { if ( !strcmp(tokennet, "->") ) { d = 1; /* 1 = right */ } else if( !strcmp(tokennet, "<>") || !strcmp(tokennet, "any") || !strcmp(tokennet, "<->") ) { d = 0; /* 0 = any */ } else if( !strcmp(tokennet, "<-") ) { d = 2; /* 2 = left */ } else { d = 0; /* 0 = any */ } rulestruct[counters->rulecount].direction = d; } /* Second flow */ if ( netcount == 5 ) { Var_To_Value(tokennet, flow_b, sizeof(flow_b)); Remove_Spaces(flow_b); if ( ( flow_b[0] == '[' && flow_b[strlen(flow_b)-1] != ']') || ( ( flow_b[strlen(flow_b)-1] == ']' && flow_b[0] != '[' )) ) { Sagan_Log(WARN, "[%s, line %d] Unbalanced flow_b set in '%s' line %d", __FILE__, __LINE__, ruleset_fullname, linecount); } /* Nuke [] */ if ( flow_b[0] == '[' ) { for (i=1; irulecount].flow_2_var = 0; /* 0 = any */ } else { strlcpy(tmp3, flow_b, sizeof(tmp3)); for(tmptoken = strtok_r(tmp3, ",", &saveptrflow); tmptoken; tmptoken = strtok_r(NULL, ",", &saveptrflow)) { Strip_Chars(tmptoken, "not!", tok_help); if( !Is_IP(tok_help) && !Is_IPv6(tok_help) ) { Sagan_Log(WARN,"[%s, line %d] Value is not a valid IPv4/IPv6 '%s'", __FILE__, __LINE__, tok_help); } f2++; is_masked = Netaddr_To_Range(tmptoken, (unsigned char 
*)&rulestruct[counters->rulecount].flow_2[flow_2_count].range); if(strchr(tmptoken, '/')) { if( !strncmp(tmptoken, "!", 1) || !strncmp("not", tmptoken, 3)) { rulestruct[counters->rulecount].flow_2_type[f2] = is_masked ? 0 : 2; /* 0 = not in group, 2 == IP not range */ } else { rulestruct[counters->rulecount].flow_2_type[f2] = is_masked ? 1 : 3; /* 1 = in group, 3 == IP not range */ } } else if( !strncmp(tmptoken, "!", 1) || !strncmp("not", tmptoken, 3)) { rulestruct[counters->rulecount].flow_2_type[f2] = 2; /* 2 = not match ip */ } else { rulestruct[counters->rulecount].flow_2_type[f2] = 3; /* 3 = match ip */ } if( flow_2_count > MAX_CHECK_FLOWS ) { bad_rule = true; Sagan_Log(WARN,"[%s, line %d] You have exceeded the amount of entries for follow_flow_2 '50', skipping.", __FILE__, __LINE__); continue; } } rulestruct[counters->rulecount].flow_2_var = 1; /* 1 = var */ rulestruct[counters->rulecount].flow_2_counter = flow_2_count; } } /* Destination Port */ if ( netcount == 6 ) { if (!strcmp(nettmp, "any")) { rulestruct[counters->rulecount].port_2_var = 0; /* 0 = any */ } else { rulestruct[counters->rulecount].port_2_var = 1; /* 1 = var */ strlcpy(tmp4, nettmp, sizeof(tmp4)); for (tmptoken = strtok_r(tmp4, ",", &saveptrport); tmptoken; tmptoken = strtok_r(NULL, ",", &saveptrport)) { Strip_Chars(tmptoken, "not!", tok_help2); g2++; if (Is_Numeric(nettmp)) { rulestruct[counters->rulecount].port_2[port_2_count].lo = atoi(nettmp); /* If it's a number (see Var_To_Value), then set to that */ } if (!strncmp(tmptoken,"!", 1) || !strncmp("not", tmptoken, 3)) { if(strchr(tok_help2,':')) { rulestruct[counters->rulecount].port_2[port_2_count].lo = atoi(strtok_r(tok_help2, ":", &saveptrportrange)); rulestruct[counters->rulecount].port_2[port_2_count].hi = atoi(strtok_r(NULL, ":", &saveptrportrange)); rulestruct[counters->rulecount].port_2_type[g2] = 0; /* 0 = not in group */ } else { rulestruct[counters->rulecount].port_2[port_2_count].lo = atoi(tok_help2); 
rulestruct[counters->rulecount].port_2_type[g2] = 2; /* This was a single port, not a range */ } } else { if(strchr(tok_help2, ':')) { rulestruct[counters->rulecount].port_2[port_2_count].lo = atoi(strtok_r(tok_help2, ":", &saveptrportrange)); rulestruct[counters->rulecount].port_2[port_2_count].hi = atoi(strtok_r(NULL, ":", &saveptrportrange)); rulestruct[counters->rulecount].port_2_type[g2] = 1; /* 1 = in group */ } else { rulestruct[counters->rulecount].port_2[port_2_count].lo = atoi(tok_help2); rulestruct[counters->rulecount].port_2_type[g2] = 3; /* This was a single port, not a range */ } } port_2_count++; if( port_2_count > MAX_CHECK_FLOWS ) { bad_rule = true; Sagan_Log(WARN,"[%s, line %d] You have exceeded the amount of Ports for port_2 '%d', skipping.", __FILE__, __LINE__, MAX_CHECK_FLOWS); continue; } } rulestruct[counters->rulecount].port_2_counter = port_2_count; } } /* Used later for a single check to determine if a rule has a flow or not - Champ Clark III (06/12/2016) */ if ( rulestruct[counters->rulecount].ip_proto != 0 || rulestruct[counters->rulecount].flow_1_var != 0 || rulestruct[counters->rulecount].port_1_var != 0 || rulestruct[counters->rulecount].flow_2_var != 0 || rulestruct[counters->rulecount].port_2_var != 0 ) { rulestruct[counters->rulecount].has_flow = 1; } tokennet = strtok_r(NULL, " ", &saveptrnet); Var_To_Value(tokennet, nettmp, sizeof(nettmp)); Remove_Spaces(nettmp); netcount++; } if (bad_rule) { continue; } /*****************************************************************************/ /* Parse the rule set! 
*/ /*****************************************************************************/ /* Set some defaults outside the option parsing */ rulestruct[counters->rulecount].default_proto = config->sagan_proto; rulestruct[counters->rulecount].default_src_port = config->sagan_port; rulestruct[counters->rulecount].default_dst_port = config->sagan_port; tokenrule = strtok_r(rulestring, ";", &saveptrrule1); while ( tokenrule != NULL && !bad_rule ) { rulesplit = strtok_r(tokenrule, ":", &saveptrrule2); Remove_Spaces(rulesplit); /* single flag options. (nocase, parse_port, etc) */ if (!strcmp(rulesplit, "parse_port")) { strtok_r(NULL, ":", &saveptrrule2); rulestruct[counters->rulecount].s_find_port = true; } if (!strcmp(rulesplit, "parse_proto")) { strtok_r(NULL, ":", &saveptrrule2); rulestruct[counters->rulecount].s_find_proto = true; } if (!strcmp(rulesplit, "parse_proto_program")) { strtok_r(NULL, ":", &saveptrrule2); rulestruct[counters->rulecount].s_find_proto_program = true; } if (!strcmp(rulesplit, "default_proto")) { arg = strtok_r(NULL, ":", &saveptrrule2); if ( arg == NULL ) { bad_rule = true; Sagan_Log(WARN, "[%s, line %d] The \"default_proto\" option appears to be incomplete at line %d in %s, skipping rule", __FILE__, __LINE__, linecount, ruleset_fullname); continue; } Var_To_Value(arg, tmp1, sizeof(tmp1)); Remove_Spaces(tmp1); if (!strcmp(tmp1, "icmp") || !strcmp(tmp1, "1")) { rulestruct[counters->rulecount].default_proto = 1; } else if (!strcmp(tmp1, "tcp" ) || !strcmp(tmp1, "6" )) { rulestruct[counters->rulecount].default_proto = 6; } else if (!strcmp(tmp1, "udp" ) || !strcmp(tmp1, "17" )) { rulestruct[counters->rulecount].default_proto = 17; } } if (!strcmp(rulesplit, "default_src_port")) { arg = strtok_r(NULL, ":", &saveptrrule2); if ( arg == NULL ) { bad_rule = true; Sagan_Log(WARN, "[%s, line %d] The \"default_src_port\" option appears to be incomplete at line %d in %s, skipping rule", __FILE__, __LINE__, linecount, ruleset_fullname); continue; } 
Var_To_Value(arg, tmp1, sizeof(tmp1)); Remove_Spaces(tmp1); rulestruct[counters->rulecount].default_src_port = atoi(tmp1); } if (!strcmp(rulesplit, "default_dst_port")) { arg = strtok_r(NULL, ":", &saveptrrule2); if ( arg == NULL ) { bad_rule = true; Sagan_Log(WARN, "[%s, line %d] The \"default_dst_port\" option appears to be incomplete at line %d in %s, skipping rule", __FILE__, __LINE__, linecount, ruleset_fullname); continue; } Var_To_Value(arg, tmp1, sizeof(tmp1)); Remove_Spaces(tmp1); rulestruct[counters->rulecount].default_dst_port = atoi(tmp1); } if (!strcmp(rulesplit, "parse_src_ip")) { arg = strtok_r(NULL, ":", &saveptrrule2); rulestruct[counters->rulecount].s_find_src_ip = true; if ( arg == NULL ) { bad_rule = true; Sagan_Log(WARN, "[%s, line %d] The \"parse_src_ip\" option appears to be incomplete at line %d in %s, skipping rule", __FILE__, __LINE__, linecount, ruleset_fullname); continue; } rulestruct[counters->rulecount].s_find_src_pos = atoi(arg); } if (!strcmp(rulesplit, "parse_dst_ip")) { arg = strtok_r(NULL, ":", &saveptrrule2); rulestruct[counters->rulecount].s_find_dst_ip = 1; if ( arg == NULL ) { bad_rule = true; Sagan_Log(WARN, "[%s, line %d] The \"parse_dst_ip\" option appears to be incomplete at line %d in %s, skipping rule", __FILE__, __LINE__, linecount, ruleset_fullname); continue; } rulestruct[counters->rulecount].s_find_dst_pos = atoi(arg); } if (!strcmp(rulesplit, "parse_hash")) { arg = strtok_r(NULL, ":", &saveptrrule2); if ( arg == NULL ) { bad_rule = true; Sagan_Log(WARN, "[%s, line %d] The \"parse_hash\" option appears to be incomplete at line %d in %s, skipping rule", __FILE__, __LINE__, linecount, ruleset_fullname); continue; } Remove_Spaces(arg); if (!strcmp(arg, "md5")) { rulestruct[counters->rulecount].s_find_hash_type = PARSE_HASH_MD5; } else if (!strcmp(arg, "sha1")) { rulestruct[counters->rulecount].s_find_hash_type = PARSE_HASH_SHA1; } else if (!strcmp(arg, "sha256")) { rulestruct[counters->rulecount].s_find_hash_type = 
PARSE_HASH_SHA256; } /* else if (!strcmp(arg, "all")) { rulestruct[counters->rulecount].s_find_hash_type = PARSE_HASH_ALL; } */ if ( rulestruct[counters->rulecount].s_find_hash_type == 0 ) { bad_rule = true; Sagan_Log(WARN, "[%s, line %d] The \"parse_hash\" option appears to be invalid at line %d in %s. Valid values are 'md5', 'sha1' and 'sha256', skipping rule.", __FILE__, __LINE__, linecount, ruleset_fullname); continue; } } /* Non-quoted information (sid, reference, etc) */ if (!strcmp(rulesplit, "flowbits") || !strcmp(rulesplit, "xbits")) { arg = strtok_r(NULL, ":", &saveptrrule2); tmptoken = strtok_r(arg, ",", &saveptrrule2); if ( tmptoken == NULL ) { bad_rule = true; Sagan_Log(WARN, "[%s, line %d] Incomplete 'xbit' option at %d in '%s', skipping rule", __FILE__, __LINE__, linecount, ruleset_fullname); continue; } Remove_Spaces(tmptoken); if ( strcmp(tmptoken, "nounified2") && strcmp(tmptoken, "noalert") && strcmp(tmptoken, "set") && strcmp(tmptoken, "unset") && strcmp(tmptoken, "isset") && strcmp(tmptoken, "isnotset") && strcmp(tmptoken, "set_srcport") && strcmp(tmptoken, "set_dstport") && strcmp(tmptoken, "set_ports") && strcmp(tmptoken, "count") && strcmp(tmptoken, "noeve" ) ) { bad_rule = true; Sagan_Log(WARN, "[%s, line %d] Expected 'nounified2', 'noalert', 'set', 'unset', 'isnotset', 'isset', 'noeve' or 'count' but got '%s' at line %d in %s, skipping rule", __FILE__, __LINE__, tmptoken, linecount, ruleset); continue; } if (!strcmp(tmptoken, "noalert")) { rulestruct[counters->rulecount].xbit_noalert=true; } if (!strcmp(tmptoken, "nounified2")) { rulestruct[counters->rulecount].xbit_nounified2=true; } if (!strcmp(tmptoken, "noeve")) { rulestruct[counters->rulecount].xbit_noeve=true; } /* SET */ if (!strcmp(tmptoken, "set")) { tmptoken = strtok_r(NULL, ",", &saveptrrule2); if ( tmptoken == NULL ) { bad_rule = true; Sagan_Log(WARN, "[%s, line %d] Expected xbit name at line %d in %s, skipping rule", __FILE__, __LINE__, linecount, ruleset_fullname); continue; 
} Remove_Spaces(tmptoken); rulestruct[counters->rulecount].xbit_flag = 1; /* We have xbit in the rule! */ rulestruct[counters->rulecount].xbit_set_count++; rulestruct[counters->rulecount].xbit_type[xbit_count] = 1; /* set */ strlcpy(rulestruct[counters->rulecount].xbit_name[xbit_count], tmptoken, sizeof(rulestruct[counters->rulecount].xbit_name[xbit_count])); rulestruct[counters->rulecount].xbit_timeout[xbit_count] = atoi(strtok_r(NULL, ",", &saveptrrule2)); if ( rulestruct[counters->rulecount].xbit_timeout[xbit_count] == 0 ) { bad_rule = true; Sagan_Log(WARN, "[%s, line %d] Expected xbit valid expire time for \"set\" at line %d in %s, skipping rule", __FILE__, __LINE__, linecount, ruleset_fullname); continue; } xbit_count++; counters->xbit_total_counter++; } /* UNSET */ else if (!strcmp(tmptoken, "unset")) { tmptoken = strtok_r(NULL, ",", &saveptrrule2); if ( tmptoken == NULL ) { bad_rule = true; Sagan_Log(WARN, "[%s, line %d] Expected \"direction\" at line %d in %s, skipping rule", __FILE__, __LINE__, linecount, ruleset_fullname); continue; } Remove_Spaces(tmptoken); rulestruct[counters->rulecount].xbit_direction[xbit_count] = Xbit_Type(tmptoken, linecount, ruleset_fullname); rulestruct[counters->rulecount].xbit_flag = 1; /* We have xbit in the rule! 
*/ rulestruct[counters->rulecount].xbit_set_count++; rulestruct[counters->rulecount].xbit_type[xbit_count] = 2; /* unset */ tmptoken = strtok_r(NULL, ",", &saveptrrule2); if ( tmptoken == NULL ) { bad_rule = true; Sagan_Log(WARN, "[%s, line %d] Expected xbit name at line %d in %s, skipping rule", __FILE__, __LINE__, linecount, ruleset_fullname); continue; } Remove_Spaces(tmptoken); strlcpy(rulestruct[counters->rulecount].xbit_name[xbit_count], tmptoken, sizeof(rulestruct[counters->rulecount].xbit_name[xbit_count])); xbit_count++; } /* ISSET */ else if (!strcmp(tmptoken, "isset")) { tmptoken = strtok_r(NULL, ",", &saveptrrule2); if ( tmptoken == NULL ) { bad_rule = true; Sagan_Log(WARN, "[%s, line %d] Expected xbit name at line %d in %s, skipping rule", __FILE__, __LINE__, linecount, ruleset_fullname); continue; } Remove_Spaces(tmptoken); rulestruct[counters->rulecount].xbit_direction[xbit_count] = Xbit_Type(tmptoken, linecount, ruleset_fullname); rulestruct[counters->rulecount].xbit_flag = 1; /* We have xbit in the rule! 
*/ rulestruct[counters->rulecount].xbit_type[xbit_count] = 3; /* isset */ tmptoken = strtok_r(NULL, ",", &saveptrrule2); if ( tmptoken == NULL ) { bad_rule = true; Sagan_Log(WARN, "[%s, line %d] Expected xbit name at line %d in %s, skipping rule", __FILE__, __LINE__, linecount, ruleset_fullname); continue; } Remove_Spaces(tmptoken); strlcpy(rulestruct[counters->rulecount].xbit_name[xbit_count], tmptoken, sizeof(rulestruct[counters->rulecount].xbit_name[xbit_count])); rulestruct[counters->rulecount].xbit_condition_count++; xbit_count++; } /* ISNOTSET */ else if (!strcmp(tmptoken, "isnotset")) { tmptoken = strtok_r(NULL, ",", &saveptrrule2); if ( tmptoken == NULL ) { bad_rule = true; Sagan_Log(WARN, "[%s, line %d] Expected xbit name at line %d in %s, skipping rule", __FILE__, __LINE__, linecount, ruleset_fullname); continue; } Remove_Spaces(tmptoken); rulestruct[counters->rulecount].xbit_direction[xbit_count] = Xbit_Type(tmptoken, linecount, ruleset_fullname); rulestruct[counters->rulecount].xbit_flag = 1; /* We have xbit in the rule! */ rulestruct[counters->rulecount].xbit_type[xbit_count] = 4; /* isnotset */ tmptoken = strtok_r(NULL, ",", &saveptrrule2); if ( tmptoken == NULL ) { bad_rule = true; Sagan_Log(WARN, "[%s, line %d] Expected xbit name at line %d in %s, skipping rule", __FILE__, __LINE__, linecount, ruleset_fullname); continue; } Remove_Return(tmptoken); strlcpy(rulestruct[counters->rulecount].xbit_name[xbit_count], tmptoken, sizeof(rulestruct[counters->rulecount].xbit_name[xbit_count])); rulestruct[counters->rulecount].xbit_condition_count++; xbit_count++; } /* SET_SRCPORT */ else if (!strcmp(tmptoken, "set_srcport")) { tmptoken = strtok_r(NULL, ",", &saveptrrule2); if ( tmptoken == NULL ) { bad_rule = true; Sagan_Log(WARN, "[%s, line %d] Expected xbit name at line %d in %s, skipping rule", __FILE__, __LINE__, linecount, ruleset_fullname); continue; } Remove_Spaces(tmptoken); rulestruct[counters->rulecount].xbit_flag = 1; /* We have xbit in the rule! 
*/ rulestruct[counters->rulecount].xbit_set_count++; rulestruct[counters->rulecount].xbit_type[xbit_count] = 5; /* set_srcport */ strlcpy(rulestruct[counters->rulecount].xbit_name[xbit_count], tmptoken, sizeof(rulestruct[counters->rulecount].xbit_name[xbit_count])); rulestruct[counters->rulecount].xbit_timeout[xbit_count] = atoi(strtok_r(NULL, ",", &saveptrrule2)); if ( rulestruct[counters->rulecount].xbit_timeout[xbit_count] == 0 ) { bad_rule = true; Sagan_Log(WARN, "[%s, line %d] Expected xbit valid expire time for \"set\" at line %d in %s, skipping rule", __FILE__, __LINE__, linecount, ruleset_fullname); continue; } xbit_count++; counters->xbit_total_counter++; } /* SET_DSTPORT */ else if (!strcmp(tmptoken, "set_dstport")) { tmptoken = strtok_r(NULL, ",", &saveptrrule2); if ( tmptoken == NULL ) { bad_rule = true; Sagan_Log(WARN, "[%s, line %d] Expected xbit name at line %d in %s, skipping rule", __FILE__, __LINE__, linecount, ruleset); continue; } Remove_Spaces(tmptoken); rulestruct[counters->rulecount].xbit_flag = 1; /* We have xbit in the rule! 
*/ rulestruct[counters->rulecount].xbit_set_count++; rulestruct[counters->rulecount].xbit_type[xbit_count] = 6; /* set_dstport */ strlcpy(rulestruct[counters->rulecount].xbit_name[xbit_count], tmptoken, sizeof(rulestruct[counters->rulecount].xbit_name[xbit_count])); rulestruct[counters->rulecount].xbit_timeout[xbit_count] = atoi(strtok_r(NULL, ",", &saveptrrule2)); if ( rulestruct[counters->rulecount].xbit_timeout[xbit_count] == 0 ) { bad_rule = true; Sagan_Log(WARN, "[%s, line %d] Expected xbit valid expire time for \"set\" at line %d in %s, skipping rule", __FILE__, __LINE__, linecount, ruleset); continue; } xbit_count++; counters->xbit_total_counter++; } /* SET_PORTS */ else if (!strcmp(tmptoken, "set_ports")) { tmptoken = strtok_r(NULL, ",", &saveptrrule2); if ( tmptoken == NULL ) { bad_rule = true; Sagan_Log(WARN, "[%s, line %d] Expected xbit name at line %d in %s, skipping rule", __FILE__, __LINE__, linecount, ruleset); continue; } Remove_Spaces(tmptoken); rulestruct[counters->rulecount].xbit_flag = 1; /* We have xbit in the rule! 
*/ rulestruct[counters->rulecount].xbit_set_count++; rulestruct[counters->rulecount].xbit_type[xbit_count] = 7; /* set_ports */ strlcpy(rulestruct[counters->rulecount].xbit_name[xbit_count], tmptoken, sizeof(rulestruct[counters->rulecount].xbit_name[xbit_count])); rulestruct[counters->rulecount].xbit_timeout[xbit_count] = atoi(strtok_r(NULL, ",", &saveptrrule2)); if ( rulestruct[counters->rulecount].xbit_timeout[xbit_count] == 0 ) { bad_rule = true; Sagan_Log(WARN, "[%s, line %d] Expected xbit valid expire time for \"set\" at line %d in %s, skipping rule", __FILE__, __LINE__, linecount, ruleset); continue; } xbit_count++; counters->xbit_total_counter++; } /* COUNTER */ else if (!strcmp(tmptoken, "count")) { tmptoken = strtok_r(NULL, ",", &saveptrrule2); if ( tmptoken == NULL ) { bad_rule = true; Sagan_Log(WARN, "[%s, line %d] Expected xbit name at line %d in %s, skipping rule", __FILE__, __LINE__, linecount, ruleset); continue; } Remove_Spaces(tmptoken); if ( strcmp(tmptoken, "by_src") && strcmp(tmptoken, "by_dst") ) { bad_rule = true; Sagan_Log(WARN, "[%s, line %d] Expected count 'by_src' or 'by_dst'. 
Got '%s' instead at line %d in %s, skipping rule", __FILE__, __LINE__, tmptoken, linecount, ruleset); continue; } if ( !strcmp(tmptoken, "by_src") ) { rulestruct[counters->rulecount].xbit_direction[xbit_count] = 2; } else { rulestruct[counters->rulecount].xbit_direction[xbit_count] = 3; } rulestruct[counters->rulecount].xbit_flag = 1; rulestruct[counters->rulecount].xbit_set_count++; rulestruct[counters->rulecount].xbit_type[xbit_count] = 8; /* count */ tmptoken = strtok_r(NULL, ",", &saveptrrule2); if ( tmptoken == NULL ) { bad_rule = true; Sagan_Log(WARN, "[%s, line %d] Expected xbit name to count at line %d in %s, skipping rule", __FILE__, __LINE__, linecount, ruleset); continue; } Remove_Spaces(tmptoken); strlcpy(rulestruct[counters->rulecount].xbit_name[xbit_count], tmptoken, sizeof(rulestruct[counters->rulecount].xbit_name[xbit_count])); tmptoken = strtok_r(NULL, ",", &saveptrrule2); if ( tmptoken == NULL ) { bad_rule = true; Sagan_Log(WARN, "[%s, line %d] Expected xbit value to count at line %d in %s, skipping rule", __FILE__, __LINE__, linecount, ruleset); continue; } strlcpy(tmp1, tmptoken, sizeof(tmp1)); Remove_Spaces(tmp1); if ( tmp1[0] != '>' && tmp1[0] != '<' && tmp1[0] != '=' ) { bad_rule = true; Sagan_Log(WARN, "[%s, line %d] Expected '>', '<' or '=' operator in xbit count at line %d in %s, skipping rule", __FILE__, __LINE__, linecount, ruleset); continue; } /* Determine the xbit counter operator */ if ( tmp1[0] == '>' ) { rulestruct[counters->rulecount].xbit_count_gt_lt[xbit_count] = 0; tmptoken = strtok_r(tmp1, ">", &saveptrrule3); } else if ( tmp1[0] == '<' ) { rulestruct[counters->rulecount].xbit_count_gt_lt[xbit_count] = 1; tmptoken = strtok_r(tmp1, "<", &saveptrrule3); } else if ( tmp1[0] == '=' ) { rulestruct[counters->rulecount].xbit_count_gt_lt[xbit_count] = 2; tmptoken = strtok_r(tmp1, "=", &saveptrrule3); } if ( tmptoken == NULL ) { bad_rule = true; Sagan_Log(WARN, "[%s, line %d] Expected value to look for in xbit count at line %d in %s, 
skipping rule", __FILE__, __LINE__, linecount, ruleset); continue; } Remove_Spaces(tmptoken); rulestruct[counters->rulecount].xbit_count_counter[xbit_count] = atoi(tmptoken); rulestruct[counters->rulecount].xbit_count_flag = true; xbit_count++; counters->xbit_total_counter++; rulestruct[counters->rulecount].xbit_count_count++; } rulestruct[counters->rulecount].xbit_count = xbit_count; } /* "Dynamic" rule loading. This allows Sagan to load rules when it "detects" new types */ if (!strcmp(rulesplit, "dynamic_load")) { if ( config->dynamic_load_sample_rate == 0 ) { bad_rule = true; Sagan_Log(WARN, "[%s, line %d] Attempting to load a dynamic rule but the 'dynamic_load' processor hasn't been configured, skipping rule", __FILE__, __LINE__, linecount, ruleset_fullname); continue; } arg = strtok_r(NULL, ":", &saveptrrule2); if ( arg == NULL ) { bad_rule = true; Sagan_Log(WARN, "[%s, line %d] 'dynamic_load' specified but not complete at line %d in %s, skipping rule", __FILE__, __LINE__, linecount, ruleset_fullname); continue; } Var_To_Value(arg, tmp1, sizeof(tmp1)); Remove_Spaces(tmp1); strlcpy(rulestruct[counters->rulecount].dynamic_ruleset, tmp1, sizeof(rulestruct[counters->rulecount].dynamic_ruleset)); rulestruct[counters->rulecount].type = DYNAMIC_RULE; counters->dynamic_rule_count++; } #ifdef HAVE_LIBMAXMINDDB if (!strcmp(rulesplit, "country_code")) { /* Have the requirements for GeoIP2 been loaded (Maxmind DB, etc) */ if (!config->have_geoip2) { bad_rule = true; Sagan_Log(WARN, "[%s, line %d] Rule %s at line %d has GeoIP2 option, but Sagan configuration lacks GeoIP2 - skipping rule", __FILE__, __LINE__, ruleset_fullname, linecount); continue; } arg = strtok_r(NULL, ":", &saveptrrule2); tmptoken = strtok_r(arg, " ", &saveptrrule2); if (strcmp(tmptoken, "track")) { bad_rule = true; Sagan_Log(WARN, "[%s, line %d] Expected 'track' in 'country_code' option at line %d in %s, skipping rule", __FILE__, __LINE__, linecount, ruleset_fullname); continue; } tmptoken = 
strtok_r(NULL, ",", &saveptrrule2); if ( tmptoken == NULL ) { bad_rule = true; Sagan_Log(WARN, "[%s, line %d] Incomplete country_code option at %d in %s, skipping rule", __FILE__, __LINE__, linecount, ruleset_fullname); continue; } Remove_Spaces(tmptoken); if (strcmp(tmptoken, "by_src") && strcmp(tmptoken, "by_dst")) { bad_rule = true; Sagan_Log(WARN, "[%s, line %d] Expected 'by_src' or 'by_dst' in 'country_code' option at line %d in %s, skipping rule", __FILE__, __LINE__, linecount, ruleset_fullname); continue; } if (!strcmp(tmptoken, "by_src")) { rulestruct[counters->rulecount].geoip2_src_or_dst = 1; } if (!strcmp(tmptoken, "by_dst")) { rulestruct[counters->rulecount].geoip2_src_or_dst = 2; } tmptoken = strtok_r(NULL, " ", &saveptrrule2); if ( tmptoken == NULL ) { bad_rule = true; Sagan_Log(WARN, "[%s, line %d] Incomplete country_code option at %d in %s, skipping rule", __FILE__, __LINE__, linecount, ruleset_fullname); continue; } Remove_Spaces(tmptoken); if (strcmp(tmptoken, "is") && strcmp(tmptoken, "isnot")) { bad_rule = true; Sagan_Log(WARN, "[%s, line %d] Expected 'is' or 'isnot' in 'country_code' option at line %d in %s, skipping rule", __FILE__, __LINE__, linecount, ruleset_fullname); continue; } if (!strcmp(tmptoken, "isnot")) { rulestruct[counters->rulecount].geoip2_type = 1; } if (!strcmp(tmptoken, "is" )) { rulestruct[counters->rulecount].geoip2_type = 2; } tmptoken = strtok_r(NULL, ";", &saveptrrule2); /* Grab country codes */ Var_To_Value(tmptoken, tmp1, sizeof(tmp1)); Remove_Spaces(tmp1); strlcpy(rulestruct[counters->rulecount].geoip2_country_codes, tmp1, sizeof(rulestruct[counters->rulecount].geoip2_country_codes)); rulestruct[counters->rulecount].geoip2_flag = 1; } #endif #ifndef HAVE_LIBMAXMINDDB if (!strcmp(rulesplit, "country_code")) { Sagan_Log(WARN, "** WARNING: Rule %d of %s has \"country_code:\" tracking but Sagan lacks GeoIP2 support!", linecount, ruleset_fullname); Sagan_Log(WARN, "** WARNING: Rebuild Sagan with \"--enable-geoip2\" or 
disable this rule!"); } #endif if (!strcmp(rulesplit, "meta_content")) { if ( meta_content_count > MAX_META_CONTENT ) { bad_rule = true; Sagan_Log(WARN, "[%s, line %d] There is to many \"meta_content\" types in the rule at line %d in %s, skipping rule", __FILE__, __LINE__, linecount, ruleset_fullname); continue; } arg = strtok_r(NULL, ":", &saveptrrule2); if ( Check_Content_Not(arg) == true ) { rulestruct[counters->rulecount].meta_content_not[meta_content_count] = true; } tmptoken = strtok_r(arg, ",", &saveptrrule2); if ( tmptoken == NULL ) { bad_rule = true; Sagan_Log(WARN, "[%s, line %d] Expected a meta_content 'helper', but none was found at line %d in %s - skipping rule", __FILE__, __LINE__, linecount, ruleset_fullname); continue; } Between_Quotes(tmptoken, tmp2, sizeof(tmp2)); Content_Pipe(tmp2, linecount, ruleset_fullname, rule_tmp, sizeof(rule_tmp)); strlcpy(rulestruct[counters->rulecount].meta_content_help[meta_content_count], rule_tmp, sizeof(rulestruct[counters->rulecount].meta_content_help[meta_content_count])); tmptoken = strtok_r(NULL, ";", &saveptrrule2); /* Grab Search data */ if ( tmptoken == NULL ) { bad_rule = true; Sagan_Log(WARN, "[%s, line %d] Expected some sort of meta_content, but none was found at line %d in %s, skipping rule", __FILE__, __LINE__, linecount, ruleset_fullname); continue; } Var_To_Value(tmptoken, tmp1, sizeof(tmp1)); Content_Pipe(tmp1, linecount, ruleset_fullname, rule_tmp, sizeof(rule_tmp)); Remove_Spaces(rule_tmp); strlcpy(tmp2, rule_tmp, sizeof(tmp2)); ptmp = strtok_r(tmp2, ",", &tok); meta_content_converted_count = 0; while (ptmp != NULL) { Replace_Sagan(rulestruct[counters->rulecount].meta_content_help[meta_content_count], ptmp, tmp_help, sizeof(tmp_help)); strlcpy(rulestruct[counters->rulecount].meta_content_containers[meta_content_count].meta_content_converted[meta_content_converted_count], tmp_help, 
sizeof(rulestruct[counters->rulecount].meta_content_containers[meta_content_count].meta_content_converted[meta_content_converted_count])); meta_content_converted_count++; if ( meta_content_converted_count > MAX_META_ITEM_SIZE ) { Sagan_Log(ERROR, "[%s, line %d] To many meta_content string values at %d in %s. Max is %d", __FILE__, __LINE__, linecount, ruleset_fullname, MAX_META_ITEM_SIZE); } ptmp = strtok_r(NULL, ",", &tok); } rulestruct[counters->rulecount].meta_content_containers[meta_content_count].meta_counter = meta_content_converted_count; rulestruct[counters->rulecount].meta_content_flag = true; tmptoken = strtok_r(NULL, ",", &saveptrrule2); meta_content_count++; rulestruct[counters->rulecount].meta_content_count=meta_content_count; } /* Like "nocase" for content, but for "meta_nocase". This is a "single option" but works better here */ if (!strcmp(rulesplit, "meta_nocase")) { strtok_r(NULL, ":", &saveptrrule2); rulestruct[counters->rulecount].meta_content_case[meta_content_count-1] = 1; To_LowerC(rulestruct[counters->rulecount].meta_content[meta_content_count-1]); strlcpy(tolower_tmp, rulestruct[counters->rulecount].meta_content[meta_content_count-1], sizeof(tolower_tmp)); strlcpy(rulestruct[counters->rulecount].meta_content[meta_content_count-1], tolower_tmp, sizeof(rulestruct[counters->rulecount].meta_content[meta_content_count-1])); } if (!strcmp(rulesplit, "rev" )) { arg = strtok_r(NULL, ":", &saveptrrule2); if (arg == NULL ) { bad_rule = true; Sagan_Log(WARN, "[%s, line %d] The \"rev\" appears to be incomplete at line %d in %s, skipping rule", __FILE__, __LINE__, linecount, ruleset_fullname); continue; } Remove_Spaces(arg); strlcpy(rulestruct[counters->rulecount].s_rev, arg, sizeof(rulestruct[counters->rulecount].s_rev)); } if (!strcmp(rulesplit, "classtype" )) { arg = strtok_r(NULL, ":", &saveptrrule2); if (arg == NULL ) { bad_rule = true; Sagan_Log(WARN, "[%s, line %d] The \"classtype\" appears to be incomplete at line %d in %s, skipping rule", 
__FILE__, __LINE__, linecount, ruleset_fullname); continue; } Remove_Spaces(arg); strlcpy(rulestruct[counters->rulecount].s_classtype, arg, sizeof(rulestruct[counters->rulecount].s_classtype)); found = 0; for(i=0; i < counters->classcount; i++) { if (!strcmp(classstruct[i].s_shortname, rulestruct[counters->rulecount].s_classtype)) { rulestruct[counters->rulecount].s_pri = classstruct[i].s_priority; found = 1; } } if ( found == 0 ) { bad_rule = true; Sagan_Log(WARN, "[%s, line %d] The classtype \"%s\" was not found on line %d in %s! " "Are you attempting loading a rule set before loading the classification.config? - skipping rule", __FILE__, __LINE__, rulestruct[counters->rulecount].s_classtype, linecount, ruleset_fullname); continue; } } if (!strcmp(rulesplit, "program" )) { arg = strtok_r(NULL, ":", &saveptrrule2); if (arg == NULL ) { bad_rule = true; Sagan_Log(WARN, "[%s, line %d] The \"program\" appears to be incomplete at line %d in %s, skipping rule", __FILE__, __LINE__, linecount, ruleset_fullname); continue; } Var_To_Value(arg, tmp1, sizeof(tmp1)); Remove_Spaces(tmp1); strlcpy(rulestruct[counters->rulecount].s_program, tmp1, sizeof(rulestruct[counters->rulecount].s_program)); } if (!strcmp(rulesplit, "reference" )) { arg = strtok_r(NULL, ":", &saveptrrule2); if (arg == NULL ) { bad_rule = true; Sagan_Log(WARN, "[%s, line %d] The \"reference\" appears to be incomplete at line %d in %s, skipping rule", __FILE__, __LINE__, linecount, ruleset_fullname); continue; } Remove_Spaces(arg); strlcpy(rulestruct[counters->rulecount].s_reference[ref_count], arg, sizeof(rulestruct[counters->rulecount].s_reference[ref_count])); rulestruct[counters->rulecount].ref_count=ref_count; ref_count++; } if (!strcmp(rulesplit, "sid" )) { arg = strtok_r(NULL, ":", &saveptrrule2); if (arg == NULL ) { bad_rule = true; Sagan_Log(WARN, "[%s, line %d] The \"sid\" appears to be incomplete at line %d in %s, skipping rule", __FILE__, __LINE__, linecount, ruleset_fullname); continue; } 
Remove_Spaces(arg); strlcpy(rulestruct[counters->rulecount].s_sid, arg, sizeof(rulestruct[counters->rulecount].s_sid)); } if (!strcmp(rulesplit, "tag" )) { arg = strtok_r(NULL, ":", &saveptrrule2); if (arg == NULL ) { bad_rule = true; Sagan_Log(WARN, "[%s, line %d] The \"tag\" appears to be incomplete at line %d in %s, skipping rule", __FILE__, __LINE__, linecount, ruleset_fullname); continue; } Remove_Spaces(arg); strlcpy(rulestruct[counters->rulecount].s_tag, arg, sizeof(rulestruct[counters->rulecount].s_tag)); } if (!strcmp(rulesplit, "facility" )) { arg = strtok_r(NULL, ":", &saveptrrule2); if (arg == NULL ) { bad_rule = true; Sagan_Log(WARN, "[%s, line %d] The \"facility\" appears to be incomplete at line %d in %s, skipping rule", __FILE__, __LINE__, linecount, ruleset_fullname); continue; } Remove_Spaces(arg); strlcpy(rulestruct[counters->rulecount].s_facility, arg, sizeof(rulestruct[counters->rulecount].s_facility)); } if (!strcmp(rulesplit, "level" )) { arg = strtok_r(NULL, ":", &saveptrrule2); if (arg == NULL ) { bad_rule = true; Sagan_Log(WARN, "[%s, line %d] The \"level\" appears to be incomplete at line %d in %s, skipping rule", __FILE__, __LINE__, linecount, ruleset_fullname); continue; } Remove_Spaces(arg); strlcpy(rulestruct[counters->rulecount].s_level, arg, sizeof(rulestruct[counters->rulecount].s_level)); } if ( !strcmp(rulesplit, "pri" ) || !strcmp(rulesplit, "priority" ) ) { arg = strtok_r(NULL, ":", &saveptrrule2); if (arg == NULL ) { bad_rule = true; Sagan_Log(WARN, "[%s, line %d] The \"priority\" appears to be incomplete at line %d in %s, skipping rule", __FILE__, __LINE__, linecount, ruleset_fullname); continue; } Remove_Spaces(arg); rulestruct[counters->rulecount].s_pri = atoi(arg); } #ifdef HAVE_LIBESMTP if (!strcmp(rulesplit, "email" )) { arg = strtok_r(NULL, " ", &saveptrrule2); if (arg == NULL ) { bad_rule = true; Sagan_Log(WARN, "[%s, line %d] The \"email\" appears to be incomplete at line %d in %s, skipping rule", __FILE__, __LINE__, 
linecount, ruleset_fullname); continue; } if (!strcmp(config->sagan_esmtp_server, "" )) { bad_rule = true; Sagan_Log(WARN, "[%s, line %d] Line %d of %s has the \"email:\" option, but no SMTP server is specified in the %s, skipping rule", __FILE__, __LINE__, linecount, ruleset_fullname, config->sagan_config); continue; } Remove_Spaces(arg); strlcpy(rulestruct[counters->rulecount].email, arg, sizeof(rulestruct[counters->rulecount].email)); rulestruct[counters->rulecount].email_flag=1; config->sagan_esmtp_flag=1; } #endif #ifdef HAVE_LIBLOGNORM /* Our Liblognorm friends changed the way it works! We use to load normalization rule base files as they were needed. ln_loadSample no longer accepts multiple calls. This means that _all_ liblognorm rules need to be loaded from one file at one time. This depreciates "normalize: type;" in favor of a simple "normalize"; */ if (!strcmp(rulesplit, "normalize" )) { rulestruct[counters->rulecount].normalize = 1; /* Test for old liblognorm/Sagan usage. If old method is found, produce a warning */ arg = strtok_r(NULL, ":", &saveptrrule2); if (arg != NULL ) { Sagan_Log(WARN, "Detected a rule that uses the older \'normalize\' method. 
Please consider updating \'%s\' at line %d", ruleset_fullname, linecount); } } #endif /* Quoted information (content, pcre, msg) */ if (!strcmp(rulesplit, "msg" )) { arg = strtok_r(NULL, ";", &saveptrrule2); Between_Quotes(arg, tmp2, sizeof(tmp2)); if (tmp2[0] == '\0' ) { bad_rule = true; Sagan_Log(WARN, "[%s, line %d] The \"msg\" appears to be incomplete at line %d in %s, skipping rule", __FILE__, __LINE__, linecount, ruleset_fullname); continue; } strlcpy(rulestruct[counters->rulecount].s_msg, tmp2, sizeof(rulestruct[counters->rulecount].s_msg)); } /* Good ole "content" style search */ if (!strcmp(rulesplit, "content" )) { if ( content_count > MAX_CONTENT ) { bad_rule = true; Sagan_Log(WARN, "[%s, line %d] There is to many \"content\" types in the rule at line %d in %s, skipping rule", __FILE__, __LINE__, linecount, ruleset_fullname); continue; } arg = strtok_r(NULL, ";", &saveptrrule2); /* For content: ! "something" */ if ( Check_Content_Not(arg) == true ) { rulestruct[counters->rulecount].content_not[content_count] = true; } Between_Quotes(arg, tmp2, sizeof(tmp2)); if (tmp2[0] == '\0' ) { bad_rule = true; Sagan_Log(WARN, "[%s, line %d] The \"content\" appears to be incomplete at line %d in %s, skipping rule", __FILE__, __LINE__, linecount, ruleset_fullname); continue; } /* Convert HEX encoded data */ Content_Pipe(tmp2, linecount, ruleset_fullname, rule_tmp, sizeof(rule_tmp)); strlcpy(final_content, rule_tmp, sizeof(final_content)); strlcpy(rulestruct[counters->rulecount].s_content[content_count], final_content, sizeof(rulestruct[counters->rulecount].s_content[content_count])); final_content[0] = '\0'; content_count++; rulestruct[counters->rulecount].content_count=content_count; } /* Single option, but "nocase" works better here */ if (!strcmp(rulesplit, "nocase")) { strtok_r(NULL, ":", &saveptrrule2); rulestruct[counters->rulecount].s_nocase[content_count - 1] = 1; To_LowerC(rulestruct[counters->rulecount].s_content[content_count - 1]); strlcpy(tolower_tmp, 
rulestruct[counters->rulecount].s_content[content_count - 1], sizeof(tolower_tmp)); strlcpy(rulestruct[counters->rulecount].s_content[content_count-1], tolower_tmp, sizeof(rulestruct[counters->rulecount].s_content[content_count-1])); } if (!strcmp(rulesplit, "offset")) { arg = strtok_r(NULL, ":", &saveptrrule2); if (arg == NULL ) { bad_rule = true; Sagan_Log(WARN, "[%s, line %d] The \"offset\" appears to be missing at line %d in %s, skipping rule", __FILE__, __LINE__, linecount, ruleset_fullname); continue; } rulestruct[counters->rulecount].s_offset[content_count - 1] = atoi(arg); } if (!strcmp(rulesplit, "meta_offset")) { arg = strtok_r(NULL, ":", &saveptrrule2); if (arg == NULL ) { bad_rule = true; Sagan_Log(WARN, "[%s, line %d] The \"meta_offset\" appears to be missing at line %d in %s, skipping rule", __FILE__, __LINE__, linecount, ruleset_fullname); continue; } rulestruct[counters->rulecount].meta_offset[meta_content_count - 1] = atoi(arg); } if (!strcmp(rulesplit, "depth")) { arg = strtok_r(NULL, ":", &saveptrrule2); if (arg == NULL ) { bad_rule = true; Sagan_Log(WARN, "[%s, line %d] The \"depth\" appears to be missing at line %d in %s, skipping rule", __FILE__, __LINE__, linecount, ruleset_fullname); continue; } rulestruct[counters->rulecount].s_depth[content_count - 1] = atoi(arg); } if (!strcmp(rulesplit, "meta_depth")) { arg = strtok_r(NULL, ":", &saveptrrule2); if (arg == NULL ) { bad_rule = true; Sagan_Log(WARN, "[%s, line %d] The \"meta_depth\" appears to be missing at line %d in %s, skipping rule", __FILE__, __LINE__, linecount, ruleset_fullname); continue; } rulestruct[counters->rulecount].meta_depth[meta_content_count - 1] = atoi(arg); } if (!strcmp(rulesplit, "distance")) { arg = strtok_r(NULL, ":", &saveptrrule2); if (arg == NULL ) { bad_rule = true; Sagan_Log(WARN, "[%s, line %d] The \"distance\" appears to be missing at line %d in %s, skipping rule", __FILE__, __LINE__, linecount, ruleset_fullname); continue; } 
rulestruct[counters->rulecount].s_distance[content_count - 1] = atoi(arg); } if (!strcmp(rulesplit, "meta_distance")) { arg = strtok_r(NULL, ":", &saveptrrule2); if (arg == NULL ) { bad_rule = true; Sagan_Log(WARN, "[%s, line %d] The \"meta_distance\" appears to be missing at line %d in %s, skipping rule", __FILE__, __LINE__, linecount, ruleset_fullname); continue; } rulestruct[counters->rulecount].meta_distance[meta_content_count - 1] = atoi(arg); } if (!strcmp(rulesplit, "within")) { arg = strtok_r(NULL, ":", &saveptrrule2); if (arg == NULL ) { bad_rule = true; Sagan_Log(WARN, "[%s, line %d] The \"within\" appears to be missing at line %d in %s, skipping rule", __FILE__, __LINE__, linecount, ruleset_fullname); continue; } rulestruct[counters->rulecount].s_within[content_count - 1] = atoi(arg); } if (!strcmp(rulesplit, "meta_within")) { arg = strtok_r(NULL, ":", &saveptrrule2); if (arg == NULL ) { bad_rule = true; Sagan_Log(WARN, "[%s, line %d] The \"meta_within\" appears to be missing at line %d in %s, skipping rule", __FILE__, __LINE__, linecount, ruleset_fullname); continue; } rulestruct[counters->rulecount].meta_within[meta_content_count - 1] = atoi(arg); } /* PCRE needs a little extra "work" */ if (!strcmp(rulesplit, "pcre" )) { if ( pcre_count > MAX_PCRE ) { bad_rule = true; Sagan_Log(WARN, "[%s, line %d] There is to many \"pcre\" types in the rule at line %d in %s, skipping rule", __FILE__, __LINE__, linecount, ruleset_fullname); continue; } arg = strtok_r(NULL, ";", &saveptrrule2); Between_Quotes(arg, tmp2, sizeof(tmp2)); if (tmp2[0] == '\0' ) { Sagan_Log(WARN, "The \"pcre\" appears to be incomplete at line %d in %s, skipping rule", __FILE__, __LINE__, linecount, ruleset_fullname); } pcreflag=0; memset(pcrerule, 0, sizeof(pcrerule)); for ( i = 1; i < strlen(tmp2); i++) { if ( tmp2[i] == '/' && tmp2[i-1] != '\\' ) { pcreflag++; } if ( pcreflag == 0 ) { snprintf(tmp, sizeof(tmp), "%c", tmp2[i]); strlcat(pcrerule, tmp, sizeof(pcrerule)); } /* are we /past/ 
and at the args? */ if ( pcreflag == 1 ) { switch(tmp2[i]) { case 'i': if ( pcreflag == 1 ) pcreoptions |= PCRE_CASELESS; break; case 's': if ( pcreflag == 1 ) pcreoptions |= PCRE_DOTALL; break; case 'm': if ( pcreflag == 1 ) pcreoptions |= PCRE_MULTILINE; break; case 'x': if ( pcreflag == 1 ) pcreoptions |= PCRE_EXTENDED; break; case 'A': if ( pcreflag == 1 ) pcreoptions |= PCRE_ANCHORED; break; case 'E': if ( pcreflag == 1 ) pcreoptions |= PCRE_DOLLAR_ENDONLY; break; case 'G': if ( pcreflag == 1 ) pcreoptions |= PCRE_UNGREEDY; break; /* PCRE options that aren't really used? */ /* case 'f': if ( pcreflag == 1 ) pcreoptions |= PCRE_FIRSTLINE; break; case 'C': if ( pcreflag == 1 ) pcreoptions |= PCRE_AUTO_CALLOUT; break; case 'J': if ( pcreflag == 1 ) pcreoptions |= PCRE_DUPNAMES; break; case 'N': if ( pcreflag == 1 ) pcreoptions |= PCRE_NO_AUTO_CAPTURE; break; case 'X': if ( pcreflag == 1 ) pcreoptions |= PCRE_EXTRA; break; case '8': if ( pcreflag == 1 ) pcreoptions |= PCRE_UTF8; break; case '?': if ( pcreflag == 1 ) pcreoptions |= PCRE_NO_UTF8_CHECK; break; */ } } } if ( pcreflag == 0 ) { bad_rule = true; Sagan_Log(WARN, "[%s, line %d] Missing last '/' in pcre: %s at line %d, skipping rule", __FILE__, __LINE__, ruleset_fullname, linecount); continue; } /* We store the compiled/study results. 
This saves us some CPU time during searching - Champ Clark III - 02/01/2011 */ rulestruct[counters->rulecount].re_pcre[pcre_count] = pcre_compile( pcrerule, pcreoptions, &error, &erroffset, NULL ); #ifdef PCRE_HAVE_JIT if ( config->pcre_jit == 1 ) { pcreoptions |= PCRE_STUDY_JIT_COMPILE; } #endif rulestruct[counters->rulecount].pcre_extra[pcre_count] = pcre_study( rulestruct[counters->rulecount].re_pcre[pcre_count], pcreoptions, &error); #ifdef PCRE_HAVE_JIT if ( config->pcre_jit == 1 ) { int jit = 0; rc = 0; rc = pcre_fullinfo(rulestruct[counters->rulecount].re_pcre[pcre_count], rulestruct[counters->rulecount].pcre_extra[pcre_count], PCRE_INFO_JIT, &jit); if (rc != 0 || jit != 1) { Sagan_Log(WARN, "[%s, line %d] PCRE JIT does not support regexp in %s at line %d (pcre: \"%s\"). Continuing without PCRE JIT enabled for this rule.", __FILE__, __LINE__, ruleset_fullname, linecount, pcrerule); } } #endif if ( rulestruct[counters->rulecount].re_pcre[pcre_count] == NULL ) { bad_rule = true; Remove_Lock_File(); Sagan_Log(WARN, "[%s, line %d] PCRE failure at %d: %s, skipping rule", __FILE__, __LINE__, erroffset, error); continue; } pcre_count++; rulestruct[counters->rulecount].pcre_count=pcre_count; } /* Snortsam */ /* fwsam: src, 24 hours; */ if (!strcmp(rulesplit, "fwsam" )) { /* Set some defaults - needs better error checking! */ rulestruct[counters->rulecount].fwsam_src_or_dst=1; /* by src */ rulestruct[counters->rulecount].fwsam_seconds = 86400; /* 1 day */ tok_tmp = strtok_r(NULL, ":", &saveptrrule2); tmptoken = strtok_r(tok_tmp, ",", &saveptrrule2); if (Sagan_strstr(tmptoken, "src")) { rulestruct[counters->rulecount].fwsam_src_or_dst=1; } if (Sagan_strstr(tmptoken, "dst")) { rulestruct[counters->rulecount].fwsam_src_or_dst=2; } /* Error checking?!!? 
*/ tmptoken = strtok_r(NULL, ",", &saveptrrule2); tmptok_tmp = strtok_r(tmptoken, " ", &saveptrrule3); fwsam_time_tmp=atol(tmptok_tmp); /* Digit/time */ tmptok_tmp = strtok_r(NULL, " ", &saveptrrule3); /* Type - hour/minute */ rulestruct[counters->rulecount].fwsam_seconds = Value_To_Seconds(tmptok_tmp, fwsam_time_tmp); } /* Time based alerting */ if (!strcmp(rulesplit, "alert_time")) { rulestruct[counters->rulecount].alert_time_flag = 1; tok_tmp = strtok_r(NULL, ":", &saveptrrule2); Var_To_Value(tok_tmp, tmp1, sizeof(tmp1)); tmptoken = strtok_r(tmp1, ",", &saveptrrule2); while( tmptoken != NULL ) { if (Sagan_strstr(tmptoken, "days")) { tmptok_tmp = strtok_r(tmptoken, " ", &saveptrrule3); tmptok_tmp = strtok_r(NULL, " ", &saveptrrule3); Remove_Spaces(tmptok_tmp); if (strlen(tmptok_tmp) > 7 ) { Sagan_Log(WARN, "[%s, line %d] To many days (%s) in 'alert_time' in %s at line %d, skipping rule.", __FILE__, __LINE__, tmptok_tmp, ruleset_fullname, linecount); bad_rule = true; continue; } strlcpy(alert_time_tmp, tmptok_tmp, sizeof(alert_time_tmp)); for (i=0; irulecount].alert_days ^= SUNDAY; if ( atoi(tmp) == 1 ) rulestruct[counters->rulecount].alert_days ^= MONDAY; if ( atoi(tmp) == 2 ) rulestruct[counters->rulecount].alert_days ^= TUESDAY; if ( atoi(tmp) == 3 ) rulestruct[counters->rulecount].alert_days ^= WEDNESDAY; if ( atoi(tmp) == 4 ) rulestruct[counters->rulecount].alert_days ^= THURSDAY; if ( atoi(tmp) == 5 ) rulestruct[counters->rulecount].alert_days ^= FRIDAY; if ( atoi(tmp) == 6 ) rulestruct[counters->rulecount].alert_days ^= SATURDAY; } } if (Sagan_strstr(tmptoken, "hours")) { tmptok_tmp = strtok_r(tmptoken, " ", &saveptrrule3); tmptok_tmp = strtok_r(NULL, " ", &saveptrrule3); Remove_Spaces(tmptok_tmp); if ( strlen(tmptok_tmp) > 9 || strlen(tmptok_tmp) < 9 ) { bad_rule = true; Sagan_Log(WARN, "[%s, line %d] Improper 'alert_time' format in %s at line %d, skipping rule.", __FILE__, __LINE__, ruleset_fullname, linecount); continue; } snprintf(alert_time_tmp, 
sizeof(alert_time_tmp), "%s", tmptok_tmp); /* Start hour */ snprintf(alert_tmp_hour, sizeof(alert_tmp_hour), "%c%c", alert_time_tmp[0], alert_time_tmp[1]); if ( atoi(alert_tmp_hour) > 23 ) { bad_rule = true; Sagan_Log(WARN, "[%s, line %d] Starting 'alert_time' hour cannot be over 23 in %s at line %d, skipping rule.", __FILE__, __LINE__, ruleset_fullname, linecount); continue; } snprintf(alert_tmp_minute, sizeof(alert_tmp_minute), "%c%c", alert_time_tmp[2], alert_time_tmp[3]); if ( atoi(alert_tmp_minute) > 59 ) { bad_rule = true; Sagan_Log(WARN, "[%s, line %d] Starting 'alert_time' minute cannot be over 59 in %s at line %d, skipping rule.", __FILE__, __LINE__, ruleset_fullname, linecount); continue; } snprintf(alert_time_all, sizeof(alert_time_all), "%s%s", alert_tmp_hour, alert_tmp_minute); rulestruct[counters->rulecount].aetas_start = atoi(alert_time_all); /* End hour */ snprintf(alert_tmp_hour, sizeof(alert_tmp_hour), "%c%c", alert_time_tmp[5], alert_time_tmp[6]); if ( atoi(alert_tmp_hour) > 23 ) { bad_rule = true; Sagan_Log(WARN, "[%s, line %d] Ending 'alert_time' hour cannot be over 23 in %s at line %d, skipping rule.", __FILE__, __LINE__, ruleset_fullname, linecount); continue; } snprintf(alert_tmp_minute, sizeof(alert_tmp_minute), "%c%c", alert_time_tmp[7], alert_time_tmp[8]); if ( atoi(alert_tmp_minute) > 59 ) { bad_rule = true; Sagan_Log(WARN, "[%s, line %d] Ending 'alert_time' minute cannot be over 59 in %s at line %d, skipping rule.", __FILE__, __LINE__, ruleset_fullname, linecount); continue; } snprintf(alert_time_all, sizeof(alert_time_all), "%s%s", alert_tmp_hour, alert_tmp_minute); rulestruct[counters->rulecount].aetas_end = atoi(alert_time_all); } tmptoken = strtok_r(NULL, ",", &saveptrrule2); } } /* Thresholding */ if (!strcmp(rulesplit, "threshold" )) { tok_tmp = strtok_r(NULL, ":", &saveptrrule2); tmptoken = strtok_r(tok_tmp, ",", &saveptrrule2); while( tmptoken != NULL ) { if (Sagan_strstr(tmptoken, "type")) { if (Sagan_strstr(tmptoken, "limit")) 
{ rulestruct[counters->rulecount].threshold_type = 1; } if (Sagan_strstr(tmptoken, "threshold")) { rulestruct[counters->rulecount].threshold_type = 2; } } if (Sagan_strstr(tmptoken, "track")) { if (Sagan_strstr(tmptoken, "by_src")) { rulestruct[counters->rulecount].threshold_method = THRESH_BY_SRC; } if (Sagan_strstr(tmptoken, "by_dst")) { rulestruct[counters->rulecount].threshold_method = THRESH_BY_DST; } if (Sagan_strstr(tmptoken, "by_username") || Sagan_strstr(tmptoken, "by_string")) { rulestruct[counters->rulecount].threshold_method = THRESH_BY_USERNAME; } if (Sagan_strstr(tmptoken, "by_srcport")) { rulestruct[counters->rulecount].threshold_method = THRESH_BY_SRCPORT; } if (Sagan_strstr(tmptoken, "by_dstport")) { rulestruct[counters->rulecount].threshold_method = THRESH_BY_DSTPORT; } } if (Sagan_strstr(tmptoken, "count")) { tmptok_tmp = strtok_r(tmptoken, " ", &saveptrrule3); tmptok_tmp = strtok_r(NULL, " ", &saveptrrule3); rulestruct[counters->rulecount].threshold_count = atoi(tmptok_tmp); } if (Sagan_strstr(tmptoken, "seconds")) { tmptok_tmp = strtok_r(tmptoken, " ", &saveptrrule3); tmptok_tmp = strtok_r(NULL, " ", &saveptrrule3 ); rulestruct[counters->rulecount].threshold_seconds = atoi(tmptok_tmp); } tmptoken = strtok_r(NULL, ",", &saveptrrule2); } } /* "after"; similar to thresholding, but the opposite direction */ if (!strcmp(rulesplit, "after" )) { tok_tmp = strtok_r(NULL, ":", &saveptrrule2); tmptoken = strtok_r(tok_tmp, ",", &saveptrrule2); while( tmptoken != NULL ) { if (Sagan_strstr(tmptoken, "track")) { if (Sagan_strstr(tmptoken, "by_src")) { rulestruct[counters->rulecount].after_method = AFTER_BY_SRC; } if (Sagan_strstr(tmptoken, "by_dst")) { rulestruct[counters->rulecount].after_method = AFTER_BY_DST; } if (Sagan_strstr(tmptoken, "by_username") || Sagan_strstr(tmptoken, "by_string")) { rulestruct[counters->rulecount].after_method = AFTER_BY_USERNAME; } if (Sagan_strstr(tmptoken, "by_srcport")) { rulestruct[counters->rulecount].after_method = 
AFTER_BY_SRCPORT; } if (Sagan_strstr(tmptoken, "by_dstport")) { rulestruct[counters->rulecount].after_method = AFTER_BY_DSTPORT; } } if (Sagan_strstr(tmptoken, "count")) { tmptok_tmp = strtok_r(tmptoken, " ", &saveptrrule3); tmptok_tmp = strtok_r(NULL, " ", &saveptrrule3); rulestruct[counters->rulecount].after_count = atoi(tmptok_tmp); } if (Sagan_strstr(tmptoken, "seconds")) { tmptok_tmp = strtok_r(tmptoken, " ", &saveptrrule3); tmptok_tmp = strtok_r(NULL, " ", &saveptrrule3 ); rulestruct[counters->rulecount].after_seconds = atoi(tmptok_tmp); } tmptoken = strtok_r(NULL, ",", &saveptrrule2); } } /* Blacklist */ if (!strcmp(rulesplit, "blacklist")) { tok_tmp = strtok_r(NULL, ":", &saveptrrule2); if ( tok_tmp == NULL ) { bad_rule = true; Sagan_Log(WARN, "[%s, line %d] %s on line %d appears to be incorrect. \"blacklist:\" options appear incomplete, skipping rule.", __FILE__, __LINE__, ruleset_fullname, linecount); continue; } Remove_Spaces(tok_tmp); tmptoken = strtok_r(tok_tmp, "," , &saveptrrule3); while( tmptoken != NULL ) { found = 0; if (!strcmp(tmptoken, "by_src")) { rulestruct[counters->rulecount].blacklist_ipaddr_src = 1; rulestruct[counters->rulecount].blacklist_flag = 1; found = 1; } if (!strcmp(tmptoken, "by_dst")) { rulestruct[counters->rulecount].blacklist_ipaddr_dst = 1; rulestruct[counters->rulecount].blacklist_flag = 1; found = 1; } if (!strcmp(tmptoken, "both")) { rulestruct[counters->rulecount].blacklist_ipaddr_both = 1; rulestruct[counters->rulecount].blacklist_flag = 1; found = 1; } if (!strcmp(tmptoken, "all")) { rulestruct[counters->rulecount].blacklist_ipaddr_all = 1; rulestruct[counters->rulecount].blacklist_flag = 1; found = 1; } tmptoken = strtok_r(NULL, ",", &saveptrrule3); } } /* Bro Intel */ if (!strcmp(rulesplit, "bro-intel")) { tok_tmp = strtok_r(NULL, ":", &saveptrrule2); if ( tok_tmp == NULL ) { bad_rule = true; Sagan_Log(WARN, "[%s, line %d] %s on line %d appears to be incorrect. 
\"bro-intel:\" options appear incomplete, skipping rule.", __FILE__, __LINE__, ruleset_fullname, linecount); continue; } Remove_Spaces(tok_tmp); tmptoken = strtok_r(tok_tmp, "," , &saveptrrule3); while( tmptoken != NULL ) { found = 0; if (!strcmp(tmptoken, "by_src")) { rulestruct[counters->rulecount].brointel_ipaddr_src = 1; rulestruct[counters->rulecount].brointel_flag = 1; found = 1; } if (!strcmp(tmptoken, "by_dst")) { rulestruct[counters->rulecount].brointel_ipaddr_dst = 1; rulestruct[counters->rulecount].brointel_flag = 1; found = 1; } if (!strcmp(tmptoken, "both")) { rulestruct[counters->rulecount].brointel_ipaddr_both = 1; rulestruct[counters->rulecount].brointel_flag = 1; found = 1; } if (!strcmp(tmptoken, "all")) { rulestruct[counters->rulecount].brointel_ipaddr_all = 1; rulestruct[counters->rulecount].brointel_flag = 1; found = 1; } if (!strcmp(tmptoken, "domain")) { rulestruct[counters->rulecount].brointel_domain = 1; rulestruct[counters->rulecount].brointel_flag = 1; found = 1; } if (!strcmp(tmptoken, "file_hash")) { rulestruct[counters->rulecount].brointel_file_hash = 1; rulestruct[counters->rulecount].brointel_flag = 1; found = 1; } if (!strcmp(tmptoken, "url")) { rulestruct[counters->rulecount].brointel_url = 1; rulestruct[counters->rulecount].brointel_flag = 1; found = 1; } if (!strcmp(tmptoken, "software")) { rulestruct[counters->rulecount].brointel_software = 1; rulestruct[counters->rulecount].brointel_flag = 1; found = 1; } if (!strcmp(tmptoken, "email")) { rulestruct[counters->rulecount].brointel_email = 1; rulestruct[counters->rulecount].brointel_flag = 1; found = 1; } if (!strcmp(tmptoken, "user_name")) { rulestruct[counters->rulecount].brointel_user_name = 1; rulestruct[counters->rulecount].brointel_flag = 1; found = 1; } if (!strcmp(tmptoken, "file_name")) { rulestruct[counters->rulecount].brointel_file_name = 1; rulestruct[counters->rulecount].brointel_flag = 1; found = 1; } if (!strcmp(tmptoken, "cert_hash")) { 
rulestruct[counters->rulecount].brointel_cert_hash = 1; rulestruct[counters->rulecount].brointel_flag = 1; found = 1; } if ( found == 0 ) { bad_rule = true; Sagan_Log(WARN, "[%s, line %d] %s on line %d has an unknown \"brointel\" option \"%s\", skipping rule.", __FILE__, __LINE__, ruleset_fullname, linecount, tmptoken); continue; } tmptoken = strtok_r(NULL, ",", &saveptrrule3); } } if (!strcmp(rulesplit, "external")) { tok_tmp = strtok_r(NULL, ":", &saveptrrule2); if ( tok_tmp == NULL ) { bad_rule = true; Sagan_Log(WARN, "[%s, line %d] %s at line %d has 'external' option but not external 'program' is specified, skipping rule!", __FILE__, __LINE__, ruleset_fullname, linecount); continue; } Remove_Spaces(tok_tmp); if (stat(tok_tmp, &filecheck) != 0 ) { bad_rule = true; Sagan_Log(WARN, "[%s, line %d] %s at line %d has 'external' option but external program '%s' does not exist, skipping rule!", __FILE__, __LINE__, ruleset_fullname, linecount, tok_tmp); continue; } if (access(tok_tmp, X_OK) == -1) { bad_rule = true; Sagan_Log(WARN, "[%s, line %d] %s at line %d has 'external' option but external program '%s' is not executable, skipping rule!", __FILE__, __LINE__, ruleset_fullname, linecount, tok_tmp); continue; } rulestruct[counters->rulecount].external_flag = 1; strlcpy(rulestruct[counters->rulecount].external_program, tok_tmp, sizeof(rulestruct[counters->rulecount].external_program)); } #ifdef WITH_BLUEDOT if (!strcmp(rulesplit, "bluedot")) { if ( config->bluedot_flag == 0 ) { bad_rule = true; Sagan_Log(WARN, "[%s, line %d] %s at line %d has 'bluedot' option enabled, but 'processor bluedot' is not configured, skipping rule!", __FILE__, __LINE__, ruleset_fullname, linecount); continue; } tmptoken = strtok_r(NULL, ",", &saveptrrule2); if (!Sagan_strstr(tmptoken, "type")) { bad_rule = true; Sagan_Log(WARN, "[%s, line %d] No Bluedot 'type' found in %s at line %d, skipping rule", __FILE__, __LINE__, ruleset_fullname, linecount); continue; } if ( Sagan_strstr(tmptoken, 
"type" )) { if ( Sagan_strstr(tmptoken, "ip_reputation" )) { tmptoken = strtok_r(NULL, ",", &saveptrrule2); if ( Sagan_strstr(tmptoken, "track" )) { /* 1 == src, 2 == dst, 3 == both, 4 == all */ if ( Sagan_strstr(tmptoken, "by_src" )) { rulestruct[counters->rulecount].bluedot_ipaddr_type = 1; } if ( Sagan_strstr(tmptoken, "by_dst" )) { rulestruct[counters->rulecount].bluedot_ipaddr_type = 2; } if ( Sagan_strstr(tmptoken, "both" )) { rulestruct[counters->rulecount].bluedot_ipaddr_type = 3; } if ( Sagan_strstr(tmptoken, "all" )) { rulestruct[counters->rulecount].bluedot_ipaddr_type = 4; } if ( rulestruct[counters->rulecount].bluedot_ipaddr_type == 0 ) { bad_rule = true; Sagan_Log(WARN, "[%s, line %d] No Bluedot by_src, by_dst, both or all specified in %s at line %d, skipping rule.", __FILE__, __LINE__, ruleset_fullname, linecount); continue; } } tmptoken = strtok_r(NULL, ",", &saveptrrule2); if (!Sagan_strstr(tmptoken, "mdate_effective_period" ) && !Sagan_strstr(tmptoken, "cdate_effective_period" ) && !Sagan_strstr(tmptoken, "none" )) { bad_rule = true; Sagan_Log(WARN, "[%s, line %d] No Bluedot 'mdate_effective_period', 'cdate_effective_period' or 'none' not specified in %s at line %d, skipping rule", __FILE__, __LINE__, ruleset_fullname, linecount); continue; } if (!Sagan_strstr(tmptoken, "none")) { tok_tmp = strtok_r(tmptoken, " ", &saveptrrule3); if (Sagan_strstr(tmptoken, "mdate_effective_period" )) { bluedot_time = strtok_r(NULL, " ", &saveptrrule3); if ( bluedot_time == NULL ) { bad_rule = true; Sagan_Log(WARN, "[%s, line %d] %s at line %d has no Bluedot numeric time value, skipping rule.", __FILE__, __LINE__, ruleset_fullname, linecount); continue; } bluedot_type = strtok_r(NULL, " ", &saveptrrule3); if ( bluedot_type == NULL ) { bad_rule = true; Sagan_Log(WARN, "[%s, line %d] %s at line %d has not Bluedot timeframe type (hour, week, month, year, etc) specified, skipping rule.", __FILE__, __LINE__, ruleset_fullname, linecount); continue; } 
Remove_Spaces(bluedot_time); Remove_Spaces(bluedot_type); bluedot_time_u32 = atol(bluedot_time); if ( bluedot_time_u32 == 0 ) { bad_rule = true; Sagan_Log(WARN, "[%s, line %d] %s at line %d has no or invalid Bluedot timeframe, skipping rule.", __FILE__, __LINE__, ruleset_fullname, linecount); continue; } rulestruct[counters->rulecount].bluedot_mdate_effective_period = Value_To_Seconds(bluedot_type, bluedot_time_u32); } else if (Sagan_strstr(tmptoken, "cdate_effective_period" )) { bluedot_time = strtok_r(NULL, " ", &saveptrrule3); if ( bluedot_time == NULL ) { bad_rule = true; Sagan_Log(WARN, "[%s, line %d] %s at line %d has no Bluedot numeric time value, skipping rule.", __FILE__, __LINE__, ruleset_fullname, linecount); continue; } bluedot_type = strtok_r(NULL, " ", &saveptrrule3); if ( bluedot_type == NULL ) { bad_rule = true; Sagan_Log(WARN, "[%s, line %d] %s at line %d has not Bluedot timeframe type (hour, week, month, year, etc) specified, skipping rule.", __FILE__, __LINE__, ruleset_fullname, linecount); continue; } Remove_Spaces(bluedot_time); Remove_Spaces(bluedot_type); bluedot_time_u32 = atol(bluedot_time); if ( bluedot_time_u32 == 0 ) { bad_rule = true; Sagan_Log(WARN, "[%s, line %d] %s at line %d has no or invalid Bluedot timeframe, skipping rule.", __FILE__, __LINE__, ruleset_fullname, linecount); continue; } rulestruct[counters->rulecount].bluedot_cdate_effective_period = Value_To_Seconds(bluedot_type, bluedot_time_u32); } } else { rulestruct[counters->rulecount].bluedot_mdate_effective_period = 0; rulestruct[counters->rulecount].bluedot_cdate_effective_period = 0; } tmptoken = strtok_r(NULL, ";", &saveptrrule2); if ( tmptoken == NULL ) { bad_rule = true; Sagan_Log(WARN, "[%s, line %d] %s at line %d has no Bluedot categories defined, skipping rule!", __FILE__, __LINE__, ruleset_fullname, linecount); continue; } Remove_Spaces(tmptoken); Sagan_Verify_Categories( tmptoken, counters->rulecount, ruleset_fullname, linecount, BLUEDOT_LOOKUP_IP); } if ( 
Sagan_strstr(tmptoken, "file_hash" )) { rulestruct[counters->rulecount].bluedot_file_hash = 1; tmptok_tmp = strtok_r(NULL, ";", &saveptrrule2); /* Support var's */ if ( tmptok_tmp == NULL ) { bad_rule = true; Sagan_Log(WARN, "[%s, line %d] %s at line %d has no Bluedot categories defined, skipping rule!", __FILE__, __LINE__, ruleset_fullname, linecount, tmptok_tmp); continue; } Var_To_Value(tmptok_tmp, tmp1, sizeof(tmp1)); Sagan_Verify_Categories( tmp1, counters->rulecount, ruleset_fullname, linecount, BLUEDOT_LOOKUP_HASH); } if ( Sagan_strstr(tmptoken, "url" )) { rulestruct[counters->rulecount].bluedot_url = 1; tmptok_tmp = strtok_r(NULL, ";", &saveptrrule2); /* Support var's */ if ( tmptok_tmp == NULL ) { bad_rule = true; Sagan_Log(WARN, "[%s, line %d] %s at line %d has no Bluedot categories defined, skipping rule!", __FILE__, __LINE__, ruleset_fullname, linecount, tmptok_tmp); continue; } Var_To_Value(tmptok_tmp, tmp1, sizeof(tmp1)); Sagan_Verify_Categories( tmp1, counters->rulecount, ruleset_fullname, linecount, BLUEDOT_LOOKUP_URL); } if ( Sagan_strstr(tmptoken, "filename" )) { rulestruct[counters->rulecount].bluedot_filename = 1; tmptok_tmp = strtok_r(NULL, ";", &saveptrrule2); /* Support var's */ if ( tmptok_tmp == NULL ) { bad_rule = true; Sagan_Log(WARN, "[%s, line %d] %s at line %d has no Bluedot categories defined, skipping rule!", __FILE__, __LINE__, ruleset_fullname, linecount, tmptok_tmp); continue; } Var_To_Value(tmptok_tmp, tmp1, sizeof(tmp1)); Sagan_Verify_Categories( tmp1, counters->rulecount, ruleset_fullname, linecount, BLUEDOT_LOOKUP_FILENAME); } /* Error check ( set flag? 
*/ } } #endif #ifndef WITH_BLUEDOT if (!strcmp(rulesplit, "bluedot")) { bad_rule = true; Sagan_Log(WARN, "%s has Bluedot rules, but support isn't compiled in, skipping rule!", ruleset_fullname); continue; } #endif /* -< Go to next line >- */ tokenrule = strtok_r(NULL, ";", &saveptrrule1); } if (bad_rule) { continue; } /* Some new stuff (normalization) stuff needs to be added */ if ( debug->debugload ) { Sagan_Log(DEBUG, "---[Rule %s]------------------------------------------------------", rulestruct[counters->rulecount].s_sid); Sagan_Log(DEBUG, "= sid: %s", rulestruct[counters->rulecount].s_sid); Sagan_Log(DEBUG, "= rev: %s", rulestruct[counters->rulecount].s_rev); Sagan_Log(DEBUG, "= msg: %s", rulestruct[counters->rulecount].s_msg); Sagan_Log(DEBUG, "= pri: %d", rulestruct[counters->rulecount].s_pri); Sagan_Log(DEBUG, "= classtype: %s", rulestruct[counters->rulecount].s_classtype); Sagan_Log(DEBUG, "= drop: %d", rulestruct[counters->rulecount].drop); Sagan_Log(DEBUG, "= default_dst_port: %d", rulestruct[counters->rulecount].default_dst_port); if ( rulestruct[counters->rulecount].s_find_src_ip != 0 ) { Sagan_Log(DEBUG, "= parse_src_ip"); } if ( rulestruct[counters->rulecount].s_find_port != 0 ) { Sagan_Log(DEBUG, "= parse_port"); } for (i=0; irulecount].s_content[i]); } for (i=0; irulecount].s_reference[i]); } } counters->rulecount++; } /* end of while loop */ fclose(rulesfile); } sagan-1.2.0/src/ipc.c0000644000175000017500000024433613310531444013265 0ustar champchamp/* $Id$ */ /* ** Copyright (C) 2009-2018 Quadrant Information Security ** Copyright (C) 2009-2018 Champ Clark III ** ** This program is free software; you can redistribute it and/or modify ** it under the terms of the GNU General Public License Version 2 as ** published by the Free Software Foundation. You may not use, modify or ** distribute this program under any other version of the GNU General ** Public License. 
** ** This program is distributed in the hope that it will be useful, ** but WITHOUT ANY WARRANTY; without even the implied warranty of ** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ** GNU General Public License for more details. ** ** You should have received a copy of the GNU General Public License ** along with this program; if not, write to the Free Software ** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. */ /* ipc.c * * This allows Sagan to share data with other Sagan processes. This is for * Inter-process communications (IPC). * */ #ifdef HAVE_CONFIG_H #include "config.h" /* From autoconf */ #endif #include #include #include #include #include #include #include #include #include #include #include #include "version.h" #include "sagan.h" #include "sagan-defs.h" #include "sagan-config.h" #include "util-time.h" #include "ipc.h" #include "xbit-mmap.h" #include "processors/track-clients.h" struct _Sagan_IPC_Counters *counters_ipc; struct _Sagan_IPC_Xbit *xbit_ipc; struct _SaganConfig *config; pthread_mutex_t CounterMutex; pthread_mutex_t After_By_Src_Mutex; pthread_mutex_t After_By_Dst_Mutex; pthread_mutex_t After_By_Src_Port_Mutex; pthread_mutex_t After_By_Dst_Port_Mutex; pthread_mutex_t After_By_Username_Mutex; pthread_mutex_t Thresh_By_Src_Mutex; pthread_mutex_t Thresh_By_Dst_Mutex; pthread_mutex_t Thresh_By_Src_Port_Mutex; pthread_mutex_t Thresh_By_Dst_Port_Mutex; pthread_mutex_t Thresh_By_Username_Mutex; pthread_mutex_t Xbit_Mutex; struct thresh_by_src_ipc *threshbysrc_ipc; struct thresh_by_dst_ipc *threshbydst_ipc; struct thresh_by_dstport_ipc *threshbydstport_ipc; struct thresh_by_srcport_ipc *threshbysrcport_ipc; struct thresh_by_username_ipc *threshbyusername_ipc; struct after_by_src_ipc *afterbysrc_ipc; struct after_by_dst_ipc *afterbydst_ipc; struct after_by_srcport_ipc *afterbysrcport_ipc; struct after_by_dstport_ipc *afterbydstport_ipc; struct after_by_username_ipc *afterbyusername_ipc; struct 
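_Sagan_Track_Clients_IPC *SaganTrackClients_ipc;
struct _SaganDebug *debug;

/*****************************************************************************
 * Helpers for Clean_IPC_Object().
 *
 * Every shared-memory table (after/threshold by src, dst, srcport, dstport,
 * username, and the xbit table) is compacted the same way: the entries that
 * are still live are copied into a scratch buffer, the scratch buffer is
 * copied back over the front of the table and the table's counter is
 * lowered.  The only per-table differences are which file lock and mutex
 * guard the table, which field carries the entry's timestamp and what to
 * print while debugging, so those are supplied through a small "keep"
 * callback plus a macro that wraps the locking.
 *****************************************************************************/

/* Decides whether an entry is still live at time `now`.  When IPC debugging
 * is enabled the callback also logs the entry it is keeping. */
typedef sbool (*IPC_Keep_Fn)(const void *entry, time_t now);

/* The four network-order 32 bit words of a 16 byte IP address, laid out for
 * the 0x%.08X%.08X%.08X%.08X debug messages. */
#define IPC_IP_HEX_ARGS(ip) \
    htonl(((const unsigned int *)&(ip))[0]), htonl(((const unsigned int *)&(ip))[1]), \
    htonl(((const unsigned int *)&(ip))[2]), htonl(((const unsigned int *)&(ip))[3])

/* An entry is live while fewer than `expire` seconds have passed since its
 * timestamp (`utime` for most tables, `xbit_expire` for xbits). */
#define IPC_ENTRY_LIVE(now, stamp, expire) ( ((now) - (stamp)) < (expire) )

static sbool Keep_After_By_Src(const void *p, time_t now)
{
    const struct after_by_src_ipc *e = p;

    if ( !IPC_ENTRY_LIVE(now, e->utime, e->expire) )
        {
            return(0);
        }

    if ( debug->debugipc )
        {
            Sagan_Log(DEBUG, "[%s, %d line] Afterbysrc_IPC : Keeping 0x%.08X%.08X%.08X%.08X.", __FILE__, __LINE__, IPC_IP_HEX_ARGS(e->ipsrc));
        }

    return(1);
}

static sbool Keep_After_By_Dst(const void *p, time_t now)
{
    const struct after_by_dst_ipc *e = p;

    if ( !IPC_ENTRY_LIVE(now, e->utime, e->expire) )
        {
            return(0);
        }

    if ( debug->debugipc )
        {
            Sagan_Log(DEBUG, "[%s, %d line] Afterbydst_IPC : Keeping 0x%.08X%.08X%.08X%.08X.", __FILE__, __LINE__, IPC_IP_HEX_ARGS(e->ipdst));
        }

    return(1);
}

static sbool Keep_After_By_Srcport(const void *p, time_t now)
{
    const struct after_by_srcport_ipc *e = p;

    if ( !IPC_ENTRY_LIVE(now, e->utime, e->expire) )
        {
            return(0);
        }

    if ( debug->debugipc )
        {
            Sagan_Log(DEBUG, "[%s, %d line] Afterbysrcport_IPC : Keeping %u.", __FILE__, __LINE__, e->ipsrcport);
        }

    return(1);
}

static sbool Keep_After_By_Dstport(const void *p, time_t now)
{
    const struct after_by_dstport_ipc *e = p;

    if ( !IPC_ENTRY_LIVE(now, e->utime, e->expire) )
        {
            return(0);
        }

    if ( debug->debugipc )
        {
            Sagan_Log(DEBUG, "[%s, %d line] Afterbydstport_IPC : Keeping %u.", __FILE__, __LINE__, e->ipdstport);
        }

    return(1);
}

static sbool Keep_After_By_Username(const void *p, time_t now)
{
    const struct after_by_username_ipc *e = p;

    if ( !IPC_ENTRY_LIVE(now, e->utime, e->expire) )
        {
            return(0);
        }

    if ( debug->debugipc )
        {
            Sagan_Log(DEBUG, "[%s, %d line] Afterbyusername_IPC : Keeping '%s'.", __FILE__, __LINE__, e->username);
        }

    return(1);
}

static sbool Keep_Thresh_By_Src(const void *p, time_t now)
{
    const struct thresh_by_src_ipc *e = p;

    if ( !IPC_ENTRY_LIVE(now, e->utime, e->expire) )
        {
            return(0);
        }

    if ( debug->debugipc )
        {
            Sagan_Log(DEBUG, "[%s, %d line] Threshbysrc_IPC : Keeping 0x%.08X%.08X%.08X%.08X.", __FILE__, __LINE__, IPC_IP_HEX_ARGS(e->ipsrc));
        }

    return(1);
}

static sbool Keep_Thresh_By_Dst(const void *p, time_t now)
{
    const struct thresh_by_dst_ipc *e = p;

    if ( !IPC_ENTRY_LIVE(now, e->utime, e->expire) )
        {
            return(0);
        }

    if ( debug->debugipc )
        {
            Sagan_Log(DEBUG, "[%s, %d line] Threshbydst_IPC : Keeping 0x%.08X%.08X%.08X%.08X.", __FILE__, __LINE__, IPC_IP_HEX_ARGS(e->ipdst));
        }

    return(1);
}

static sbool Keep_Thresh_By_Srcport(const void *p, time_t now)
{
    const struct thresh_by_srcport_ipc *e = p;

    if ( !IPC_ENTRY_LIVE(now, e->utime, e->expire) )
        {
            return(0);
        }

    if ( debug->debugipc )
        {
            Sagan_Log(DEBUG, "[%s, %d line] Threshbysrcport_IPC : Keeping %u.", __FILE__, __LINE__, e->ipsrcport);
        }

    return(1);
}

static sbool Keep_Thresh_By_Dstport(const void *p, time_t now)
{
    const struct thresh_by_dstport_ipc *e = p;

    if ( !IPC_ENTRY_LIVE(now, e->utime, e->expire) )
        {
            return(0);
        }

    if ( debug->debugipc )
        {
            Sagan_Log(DEBUG, "[%s, %d line] Threshbydstport_IPC : Keeping %u.", __FILE__, __LINE__, e->ipdstport);
        }

    return(1);
}

static sbool Keep_Thresh_By_Username(const void *p, time_t now)
{
    const struct thresh_by_username_ipc *e = p;

    if ( !IPC_ENTRY_LIVE(now, e->utime, e->expire) )
        {
            return(0);
        }

    if ( debug->debugipc )
        {
            /* The message used to be labelled Afterbyusername_IPC (copy/paste). */
            Sagan_Log(DEBUG, "[%s, %d line] Threshbyusername_IPC : Keeping '%s'.", __FILE__, __LINE__, e->username);
        }

    return(1);
}

static sbool Keep_Xbit(const void *p, time_t now)
{
    const struct _Sagan_IPC_Xbit *e = p;

    /* Xbits are stamped in xbit_expire rather than utime. */
    if ( !IPC_ENTRY_LIVE(now, e->xbit_expire, e->expire) )
        {
            return(0);
        }

    if ( debug->debugipc )
        {
            Sagan_Log(DEBUG, "[%s, %d line] Flowbot_IPC : Keeping [0x%.08X%.08X%.08X%.08X -> 0x%.08X%.08X%.08X%.08X].", __FILE__, __LINE__, IPC_IP_HEX_ARGS(e->ip_src), IPC_IP_HEX_ARGS(e->ip_dst));
        }

    return(1);
}

/* Shared body of every Clean_IPC_Object() branch.  Call it with the table's
 * file lock and mutex held; the caller releases them and stores the result
 * in the table's counter.
 *
 * type      - the Clean_IPC_Object() selector, used in the debug message only.
 * name      - table name for log messages.
 * table     - start of the shared-memory table.
 * elem_size - size of one table element.
 * count     - current number of entries in the table.
 * max       - configured capacity of the table.
 * keep      - per-table liveness test.
 *
 * Returns the number of entries left after compaction, or -1 when nothing
 * could be removed or the scratch buffer could not be allocated; the table
 * is left untouched in that case.
 *
 * Compared with the previous per-table copies this (a) copies whole
 * elements instead of a hand-picked subset of fields, so no field is left
 * behind at its old index, (b) zeroes the whole scratch buffer (the old
 * memset used sizeof(sizeof(...)), i.e. a handful of bytes), (c) checks the
 * allocation, and (d) never reads or writes beyond `max` elements. */
static int Compact_IPC_Table(int type, const char *name, void *table, size_t elem_size,
                             int count, int max, IPC_Keep_Fn keep)
{
    /* time(NULL) is the epoch value the old strftime("%s")/atol() round trip
     * produced, without the non-portable format or the non-reentrant
     * localtime() call. */
    time_t now = time(NULL);
    char *entries = (char *)table;
    int limit = count;
    int new_count = 0;
    int i;
    char *scratch;

    if ( debug->debugipc )
        {
            Sagan_Log(DEBUG, "[%s, %d line] Cleaning IPC data. Type: %d", __FILE__, __LINE__, type);
        }

    /* The scratch buffer holds `max` elements and the shared mapping is
     * presumably sized the same way (confirm against IPC_Init), so never scan
     * or copy past that even when the counter has run ahead of the capacity. */
    if ( limit > max )
        {
            limit = max;
        }

    scratch = calloc((size_t)max, elem_size);

    if ( scratch == NULL )
        {
            Sagan_Log(WARN, "[%s, line %d] Could not clean %s. Unable to allocate a scratch buffer of %d elements!", __FILE__, __LINE__, name, max);
            return(-1);
        }

    for ( i = 0; i < limit; i++ )
        {
            const char *entry = entries + (size_t)i * elem_size;

            if ( keep(entry, now) )
                {
                    memcpy(scratch + (size_t)new_count * elem_size, entry, elem_size);
                    new_count++;
                }
        }

    if ( new_count == count )
        {
            /* Every entry is still live, so compacting would change nothing.
             * (The old code raised this warning when *no* entry survived and
             * then refused to empty the table; an all-expired table is now
             * simply emptied.) */
            Sagan_Log(WARN, "[%s, line %d] Could not clean %s. Nothing to remove!", __FILE__, __LINE__, name);
            free(scratch);
            return(-1);
        }

    /* Write the survivors back over the front of the shared table. */
    memcpy(entries, scratch, (size_t)new_count * elem_size);
    free(scratch);

    Sagan_Log(NORMAL, "[%s, line %d] Kept %d elements out of %d for %s", __FILE__, __LINE__, new_count, count, name);

    return(new_count);
}

/* Take TABLE's file lock and mutex, compact it and store the new counter.
 * RC is set to 0 on success and 1 on failure, mirroring the old per-table
 * return values.  SHM and MUTEX are the same objects for lock and unlock,
 * which the hand-written copies did not always get right. */
#define CLEAN_IPC_TABLE(RC, TYPE, NAME, SHM, MUTEX, TABLE, COUNT, MAX, KEEP)          \
    do {                                                                                \
        int kept_;                                                                      \
        File_Lock(SHM);                                                                 \
        pthread_mutex_lock(&(MUTEX));                                                   \
        kept_ = Compact_IPC_Table((TYPE), (NAME), (TABLE), sizeof(*(TABLE)),            \
                                  (COUNT), (MAX), (KEEP));                              \
        if ( kept_ >= 0 )                                                               \
            {                                                                           \
                (COUNT) = kept_;                                                        \
            }                                                                           \
        pthread_mutex_unlock(&(MUTEX));                                                 \
        File_Unlock(SHM);                                                               \
        (RC) = ( kept_ < 0 ) ? 1 : 0;                                                   \
    } while (0)

/*****************************************************************************
 * Clean_IPC_Object - If the max IPC is hit, we attempt to "clean" out
 * any stale IPC entries.
 *
 * type - one of the AFTER_BY_* / THRESH_BY_* / XBIT selectors.  A table is
 *        only cleaned when its counter has passed its configured maximum
 *        (and, for xbits, when they live in mmap storage).
 *
 * Returns 0 when the selected table was compacted or did not need cleaning,
 * and 1 when nothing could be removed or a scratch buffer could not be
 * allocated.
 *****************************************************************************/

sbool Clean_IPC_Object( int type )
{
    sbool rc = 0;

    /* After by src */

    if ( type == AFTER_BY_SRC && config->max_after_by_src < counters_ipc->after_count_by_src )
        {
            CLEAN_IPC_TABLE(rc, type, "after_by_src", config->shm_after_by_src, After_By_Src_Mutex,
                            afterbysrc_ipc, counters_ipc->after_count_by_src, config->max_after_by_src,
                            Keep_After_By_Src);
            return(rc);
        }

    /* Afterbydst_IPC */

    else if ( type == AFTER_BY_DST && config->max_after_by_dst < counters_ipc->after_count_by_dst )
        {
            CLEAN_IPC_TABLE(rc, type, "after_by_dst", config->shm_after_by_dst, After_By_Dst_Mutex,
                            afterbydst_ipc, counters_ipc->after_count_by_dst, config->max_after_by_dst,
                            Keep_After_By_Dst);
            return(rc);
        }

    /* Afterbysrcport_IPC */

    else if ( type == AFTER_BY_SRCPORT && config->max_after_by_srcport < counters_ipc->after_count_by_srcport )
        {
            CLEAN_IPC_TABLE(rc, type, "after_by_srcport", config->shm_after_by_srcport, After_By_Src_Port_Mutex,
                            afterbysrcport_ipc, counters_ipc->after_count_by_srcport, config->max_after_by_srcport,
                            Keep_After_By_Srcport);
            return(rc);
        }

    /* Afterbydstport_IPC */

    else if ( type == AFTER_BY_DSTPORT && config->max_after_by_dstport < counters_ipc->after_count_by_dstport )
        {
            CLEAN_IPC_TABLE(rc, type, "after_by_dstport", config->shm_after_by_dstport, After_By_Dst_Port_Mutex,
                            afterbydstport_ipc, counters_ipc->after_count_by_dstport, config->max_after_by_dstport,
                            Keep_After_By_Dstport);
            return(rc);
        }

    /* AfterbyUsername_IPC */

    else if ( type == AFTER_BY_USERNAME && config->max_after_by_username < counters_ipc->after_count_by_username )
        {
            CLEAN_IPC_TABLE(rc, type, "after_by_username", config->shm_after_by_username, After_By_Username_Mutex,
                            afterbyusername_ipc, counters_ipc->after_count_by_username, config->max_after_by_username,
                            Keep_After_By_Username);
            return(rc);
        }

    /* Threshbysrc_IPC */

    else if ( type == THRESH_BY_SRC && config->max_threshold_by_src < counters_ipc->thresh_count_by_src )
        {
            CLEAN_IPC_TABLE(rc, type, "thresh_by_src", config->shm_thresh_by_src, Thresh_By_Src_Mutex,
                            threshbysrc_ipc, counters_ipc->thresh_count_by_src, config->max_threshold_by_src,
                            Keep_Thresh_By_Src);
            return(rc);
        }

    /* Threshbydst_IPC - this branch used to test THRESH_BY_SRC, so a
     * THRESH_BY_DST request never cleaned anything. */

    else if ( type == THRESH_BY_DST && config->max_threshold_by_dst < counters_ipc->thresh_count_by_dst )
        {
            CLEAN_IPC_TABLE(rc, type, "thresh_by_dst", config->shm_thresh_by_dst, Thresh_By_Dst_Mutex,
                            threshbydst_ipc, counters_ipc->thresh_count_by_dst, config->max_threshold_by_dst,
                            Keep_Thresh_By_Dst);
            return(rc);
        }

    /* Threshbysrcport_IPC - previously scanned the thresh_by_src table and
     * counter while filling a srcport-sized scratch buffer, and released
     * shm_thresh_by_src on the error path. */

    else if ( type == THRESH_BY_SRCPORT && config->max_threshold_by_srcport < counters_ipc->thresh_count_by_srcport )
        {
            CLEAN_IPC_TABLE(rc, type, "thresh_by_srcport", config->shm_thresh_by_srcport, Thresh_By_Src_Port_Mutex,
                            threshbysrcport_ipc, counters_ipc->thresh_count_by_srcport, config->max_threshold_by_srcport,
                            Keep_Thresh_By_Srcport);
            return(rc);
        }

    /* Threshbydstport_IPC - previously scanned the thresh_by_dst table and
     * counter, and released shm_thresh_by_dst on the error path. */

    else if ( type == THRESH_BY_DSTPORT && config->max_threshold_by_dstport < counters_ipc->thresh_count_by_dstport )
        {
            CLEAN_IPC_TABLE(rc, type, "thresh_by_dstport", config->shm_thresh_by_dstport, Thresh_By_Dst_Port_Mutex,
                            threshbydstport_ipc, counters_ipc->thresh_count_by_dstport, config->max_threshold_by_dstport,
                            Keep_Thresh_By_Dstport);
            return(rc);
        }

    /* ThreshbyUsername_IPC */

    else if ( type == THRESH_BY_USERNAME && config->max_threshold_by_username < counters_ipc->thresh_count_by_username )
        {
            CLEAN_IPC_TABLE(rc, type, "thresh_by_username", config->shm_thresh_by_username, Thresh_By_Username_Mutex,
                            threshbyusername_ipc, counters_ipc->thresh_count_by_username, config->max_threshold_by_username,
                            Keep_Thresh_By_Username);
            return(rc);
        }

    /* Xbit_IPC - the old write-back loop copied the xbit addresses from the
     * scratch buffer onto itself, so ip_src/ip_dst were never written back. */

    else if ( type == XBIT && config->max_xbits < counters_ipc->xbit_count && config->xbit_storage == XBIT_STORAGE_MMAP )
        {
            CLEAN_IPC_TABLE(rc, type, "_Sagan_IPC_Xbit", config->shm_xbit, Xbit_Mutex,
                            xbit_ipc, counters_ipc->xbit_count, config->max_xbits,
                            Keep_Xbit);
            return(rc);
        }

    return(0);
}

/*****************************************************************************
 * IPC_Check_Object - If "counters" have been reset, we want to
 * recreate the other objects (hence the unlink).  This function tests for
 * this case.
 *
 * tmp_object_check - path of the shared memory object to test.
 * new_counters     - 1 when the counters object was (re)created, which makes
 *                    an existing data object stale.
 * object_name      - human readable name for log messages.
 *****************************************************************************/

void IPC_Check_Object(char *tmp_object_check, sbool new_counters, char *object_name)
{
    struct stat object_check;

    if ( ( stat(tmp_object_check, &object_check) == 0 ) && new_counters == 1 )
        {
            if ( unlink(tmp_object_check) == -1 )
                {
                    Sagan_Log(ERROR, "[%s, line %d] Could not unlink %s memory object! [%s]", __FILE__, __LINE__, object_name, strerror(errno));
                }
            else
                {
                    /* Only report success when the unlink actually happened. */
                    Sagan_Log(NORMAL, "* Stale %s memory object found & unlinked.", object_name);
                }
        }
}

/*****************************************************************************
 * IPC_Init - Create (if needed) or map to an IPC object.
 *****************************************************************************/

void IPC_Init(void)
{

    /* If we have a "new" counters shared memory object, but other "old" data, we need to remove
     * the "old" data!  The counters need to stay in sync with the other data objects! */

    sbool new_counters = 0;
    sbool new_object = 0;
    int i;

    char tmp_object_check[255];
    char time_buf[80];

    char ip_src[MAXIP];
    char ip_dst[MAXIP];	/* For convert 32 bit IP to octet */

    Sagan_Log(NORMAL, "Initializing shared memory objects.");
    Sagan_Log(NORMAL, "---------------------------------------------------------------------------");

    /* Init counters first.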
Need to track all other share memory objects */ snprintf(tmp_object_check, sizeof(tmp_object_check) - 1, "%s/%s", config->ipc_directory, COUNTERS_IPC_FILE); if ((config->shm_counters = open(tmp_object_check, (O_CREAT | O_EXCL | O_RDWR), (S_IREAD | S_IWRITE))) > 0 ) { Sagan_Log(NORMAL, "+ Counters shared object (new)."); new_counters = 1; } else if ((config->shm_counters = open(tmp_object_check, (O_CREAT | O_RDWR), (S_IREAD | S_IWRITE))) < 0 ) { Sagan_Log(ERROR, "[%s, line %d] Cannot open() for counters. [%s:%s]", __FILE__, __LINE__, tmp_object_check, strerror(errno)); } else { Sagan_Log(NORMAL, "- Counters shared object (reload)"); } if ( ftruncate(config->shm_counters, sizeof(_Sagan_IPC_Counters)) != 0 ) { Sagan_Log(ERROR, "[%s, line %d] Failed to ftruncate counters. [%s]", __FILE__, __LINE__, strerror(errno)); } if (( counters_ipc = mmap(0, sizeof(_Sagan_IPC_Counters), (PROT_READ | PROT_WRITE), MAP_SHARED, config->shm_counters, 0)) == MAP_FAILED ) { Sagan_Log(ERROR, "[%s, line %d] Error allocating memory for counters object! [%s]", __FILE__, __LINE__, strerror(errno)); } /* Xbit memory object - File based mmap() */ if ( config->xbit_storage == XBIT_STORAGE_MMAP ) { snprintf(tmp_object_check, sizeof(tmp_object_check) - 1, "%s/%s", config->ipc_directory, XBIT_IPC_FILE); IPC_Check_Object(tmp_object_check, new_counters, "xbit"); if ((config->shm_xbit = open(tmp_object_check, (O_CREAT | O_EXCL | O_RDWR), (S_IREAD | S_IWRITE))) > 0 ) { Sagan_Log(NORMAL, "+ Xbit shared object (new)."); new_object=1; } else if ((config->shm_xbit = open(tmp_object_check, (O_CREAT | O_RDWR), (S_IREAD | S_IWRITE))) < 0 ) { Sagan_Log(ERROR, "[%s, line %d] Cannot open() for xbit (%s:%s)", __FILE__, __LINE__, tmp_object_check, strerror(errno)); } if ( ftruncate(config->shm_xbit, sizeof(_Sagan_IPC_Xbit) * config->max_xbits ) != 0 ) { Sagan_Log(ERROR, "[%s, line %d] Failed to ftruncate xbit. 
[%s]", __FILE__, __LINE__, strerror(errno)); } if (( xbit_ipc = mmap(0, sizeof(_Sagan_IPC_Xbit) * config->max_xbits, (PROT_READ | PROT_WRITE), MAP_SHARED, config->shm_xbit, 0)) == MAP_FAILED ) { Sagan_Log(ERROR, "[%s, line %d] Error allocating memory for xbit object! [%s]", __FILE__, __LINE__, strerror(errno)); } if ( new_object == 0) { Sagan_Log(NORMAL, "- Xbit shared object reloaded (%d xbits loaded / max: %d).", counters_ipc->xbit_count, config->max_xbits); } new_object = 0; if ( debug->debugipc && counters_ipc->xbit_count >= 1 ) { Sagan_Log(DEBUG, ""); Sagan_Log(DEBUG, "*** Xbits ***"); Sagan_Log(DEBUG, "--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------"); Sagan_Log(DEBUG, "%-2s| %-45s| %-25s| %-45s| %-45s| %-21s| %s", "S", "Selector", "Xbit name", "SRC IP", "DST IP", "Date added/modified", "Expire"); Sagan_Log(DEBUG, "--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------"); for (i= 0; i < counters_ipc->xbit_count; i++ ) { Bit2IP(xbit_ipc[i].ip_src, ip_src, sizeof(ip_src)); Bit2IP(xbit_ipc[i].ip_dst, ip_dst, sizeof(ip_dst)); if ( xbit_ipc[i].xbit_state == 1 ) { u32_Time_To_Human(xbit_ipc[i].xbit_expire, time_buf, sizeof(time_buf)); Sagan_Log(DEBUG, "%-2d| %-45s| %-25s| %-45s| %-45s| %-21s| %d", xbit_ipc[i].xbit_state, xbit_ipc[i].selector, xbit_ipc[i].xbit_name, ip_src, ip_dst, time_buf, xbit_ipc[i].expire ); } } Sagan_Log(DEBUG, ""); } } else /* if ( config->xbit_storage == XBIT_STORAGE_MMAP ) */ { Sagan_Log(NORMAL, "- Xbit shared object (Objects stored in Redis)"); } /* Threshold by source */ snprintf(tmp_object_check, sizeof(tmp_object_check) - 1, "%s/%s", config->ipc_directory, THRESH_BY_SRC_IPC_FILE); IPC_Check_Object(tmp_object_check, new_counters, "thresh_by_src"); if ((config->shm_thresh_by_src = 
open(tmp_object_check, (O_CREAT | O_EXCL | O_RDWR), (S_IREAD | S_IWRITE))) > 0 ) { Sagan_Log(NORMAL, "+ Thresh_by_src shared object (new)."); new_object=1; } else if ((config->shm_thresh_by_src = open(tmp_object_check, (O_CREAT | O_RDWR), (S_IREAD | S_IWRITE))) < 0 ) { Sagan_Log(ERROR, "[%s, line %d] Cannot open() for thresh_by_src (%s:%s)", __FILE__, __LINE__, tmp_object_check, strerror(errno)); } if ( ftruncate(config->shm_thresh_by_src, sizeof(thresh_by_src_ipc) * config->max_threshold_by_src ) != 0 ) { Sagan_Log(ERROR, "[%s, line %d] Failed to ftruncate thresh_by_src. [%s]", __FILE__, __LINE__, strerror(errno)); } if (( threshbysrc_ipc = mmap(0, sizeof(thresh_by_src_ipc) * config->max_threshold_by_src, (PROT_READ | PROT_WRITE), MAP_SHARED, config->shm_thresh_by_src, 0)) == MAP_FAILED ) { Sagan_Log(ERROR, "[%s, line %d] Error allocating memory for thresh_by_src object! [%s]", __FILE__, __LINE__, strerror(errno)); } if ( new_object == 0) { Sagan_Log(NORMAL, "- Thresh_by_src shared object reloaded (%d sources loaded / max: %d).", counters_ipc->thresh_count_by_src, config->max_threshold_by_src); } new_object = 0; if ( debug->debugipc && counters_ipc->thresh_count_by_src >= 1 ) { Sagan_Log(DEBUG, ""); Sagan_Log(DEBUG, "*** Threshold by source ***"); Sagan_Log(DEBUG, "----------------------------------------------------------------------------------------------------------------------------------------------------------------------------"); Sagan_Log(DEBUG, "%-45s| %-45s| %-11s| %-21s| %-11s| %s", "Selector", "SRC IP", "Counter","Date added/modified", "SID", "Expire" ); Sagan_Log(DEBUG, "----------------------------------------------------------------------------------------------------------------------------------------------------------------------------"); for ( i = 0; i < counters_ipc->thresh_count_by_src; i++) { Bit2IP(threshbysrc_ipc[i].ipsrc, ip_src, sizeof(ip_src)); u32_Time_To_Human(threshbysrc_ipc[i].utime, time_buf, sizeof(time_buf)); Sagan_Log(DEBUG, 
"%-45s| %-45s| %-11d| %-21s| %-11s| %d", threshbysrc_ipc[i].selector, ip_src, threshbysrc_ipc[i].count, time_buf, threshbysrc_ipc[i].sid, threshbysrc_ipc[i].expire); } Sagan_Log(DEBUG, ""); } /* Threshold by destination */ snprintf(tmp_object_check, sizeof(tmp_object_check) - 1, "%s/%s", config->ipc_directory, THRESH_BY_DST_IPC_FILE); IPC_Check_Object(tmp_object_check, new_counters, "thresh_by_dst"); if ((config->shm_thresh_by_dst = open(tmp_object_check, (O_CREAT | O_EXCL | O_RDWR), (S_IREAD | S_IWRITE))) > 0 ) { Sagan_Log(NORMAL, "+ Thresh_by_dst shared object (new)."); new_object=1; } else if ((config->shm_thresh_by_dst = open(tmp_object_check, (O_CREAT | O_RDWR), (S_IREAD | S_IWRITE))) < 0 ) { Sagan_Log(ERROR, "[%s, line %d] Cannot open() for thresh_by_dst (%s:%s)", __FILE__, __LINE__, tmp_object_check, strerror(errno)); } if ( ftruncate(config->shm_thresh_by_dst, sizeof(thresh_by_dst_ipc) * config->max_threshold_by_dst) != 0 ) { Sagan_Log(ERROR, "[%s, line %d] Failed to ftruncate thresh_by_dst. [%s]", __FILE__, __LINE__, strerror(errno)); } if (( threshbydst_ipc = mmap(0, sizeof(thresh_by_dst_ipc) * config->max_threshold_by_dst, (PROT_READ | PROT_WRITE), MAP_SHARED, config->shm_thresh_by_dst, 0)) == MAP_FAILED ) { Sagan_Log(ERROR, "[%s, line %d] Error allocating memory for thresh_by_dst object! 
[%s]", __FILE__, __LINE__, strerror(errno)); } if ( new_object == 0) { Sagan_Log(NORMAL, "- Thresh_by_dst shared object reloaded (%d destinations loaded / max: %d).", counters_ipc->thresh_count_by_dst, config->max_threshold_by_dst); } new_object = 0; if ( debug->debugipc && counters_ipc->thresh_count_by_dst >= 1 ) { Sagan_Log(DEBUG, ""); Sagan_Log(DEBUG, "*** Threshold by destination ***"); Sagan_Log(DEBUG, "----------------------------------------------------------------------------------------------------------------------------------------------------------------------------"); Sagan_Log(DEBUG, "%-45s| %-45s| %-11s| %-21s| %-11s| %s", "Selector", "DST IP", "Counter","Date added/modified", "SID", "Expire" ); Sagan_Log(DEBUG, "----------------------------------------------------------------------------------------------------------------------------------------------------------------------------"); for ( i = 0; i < counters_ipc->thresh_count_by_dst; i++) { Bit2IP(threshbydst_ipc[i].ipdst, ip_dst, sizeof(ip_dst)); u32_Time_To_Human(threshbydst_ipc[i].utime, time_buf, sizeof(time_buf)); Sagan_Log(DEBUG, "%-45s| %-45s| %-11d| %-21s| %-11s| %d", threshbydst_ipc[i].selector, ip_dst, threshbydst_ipc[i].count, time_buf, threshbydst_ipc[i].sid, threshbydst_ipc[i].expire); } Sagan_Log(DEBUG, ""); } /* Threshold by source port */ snprintf(tmp_object_check, sizeof(tmp_object_check) - 1, "%s/%s", config->ipc_directory, THRESH_BY_SRCPORT_IPC_FILE); IPC_Check_Object(tmp_object_check, new_counters, "thresh_by_srcport"); if ((config->shm_thresh_by_srcport = open(tmp_object_check, (O_CREAT | O_EXCL | O_RDWR), (S_IREAD | S_IWRITE))) > 0 ) { Sagan_Log(NORMAL, "+ Thresh_by_srcport shared object (new)."); new_object=1; } else if ((config->shm_thresh_by_srcport = open(tmp_object_check, (O_CREAT | O_RDWR), (S_IREAD | S_IWRITE))) < 0 ) { Sagan_Log(ERROR, "[%s, line %d] Cannot open() for thresh_by_srcport (%s)", __FILE__, __LINE__, strerror(errno)); } if ( 
ftruncate(config->shm_thresh_by_srcport, sizeof(thresh_by_srcport_ipc) * config->max_threshold_by_srcport) != 0 ) { Sagan_Log(ERROR, "[%s, line %d] Failed to ftruncate thresh_by_srcport. [%s]", __FILE__, __LINE__, strerror(errno)); } if (( threshbysrcport_ipc = mmap(0, sizeof(thresh_by_srcport_ipc) * config->max_threshold_by_srcport, (PROT_READ | PROT_WRITE), MAP_SHARED, config->shm_thresh_by_srcport, 0)) == MAP_FAILED ) { Sagan_Log(ERROR, "[%s, line %d] Error allocating memory for thresh_by_srcport object! [%s]", __FILE__, __LINE__, strerror(errno)); } if ( new_object == 0) { Sagan_Log(NORMAL, "- Thresh_by_srcport shared object reloaded (%d source ports loaded / max: %d).", counters_ipc->thresh_count_by_srcport, config->max_threshold_by_srcport); } new_object = 0; if ( debug->debugipc && counters_ipc->thresh_count_by_srcport >= 1 ) { Sagan_Log(DEBUG, ""); Sagan_Log(DEBUG, "*** Threshold by source port ***"); Sagan_Log(DEBUG, "----------------------------------------------------------------------------------------------------------------------------------------------------------------------------"); Sagan_Log(DEBUG, "%-45s| %-16s| %-11s| %-21s| %-11s| %s", "Selector", "SRCPORT IP", "Counter","Date added/modified", "SID", "Expire" ); Sagan_Log(DEBUG, "----------------------------------------------------------------------------------------------------------------------------------------------------------------------------"); for ( i = 0; i < counters_ipc->thresh_count_by_srcport; i++) { uint32_t srcport = htonl(threshbysrcport_ipc[i].ipsrcport); u32_Time_To_Human(threshbysrcport_ipc[i].utime, time_buf, sizeof(time_buf)); Sagan_Log(DEBUG, "%-45s| %-16d| %-11d| %-21s| %-11s| %d", threshbysrcport_ipc[i].selector, srcport, threshbysrcport_ipc[i].count, time_buf, threshbysrcport_ipc[i].sid, threshbysrcport_ipc[i].expire); } Sagan_Log(DEBUG, ""); } /* Threshold by destination port */ snprintf(tmp_object_check, sizeof(tmp_object_check) - 1, "%s/%s", config->ipc_directory, 
THRESH_BY_DSTPORT_IPC_FILE); IPC_Check_Object(tmp_object_check, new_counters, "thresh_by_dstport"); if ((config->shm_thresh_by_dstport = open(tmp_object_check, (O_CREAT | O_EXCL | O_RDWR), (S_IREAD | S_IWRITE))) > 0 ) { Sagan_Log(NORMAL, "+ Thresh_by_dstport shared object (new)."); new_object=1; } else if ((config->shm_thresh_by_dstport = open(tmp_object_check, (O_CREAT | O_RDWR), (S_IREAD | S_IWRITE))) < 0 ) { Sagan_Log(ERROR, "[%s, line %d] Cannot open() for thresh_by_dstport (%s)", __FILE__, __LINE__, strerror(errno)); } if ( ftruncate(config->shm_thresh_by_dstport, sizeof(thresh_by_dstport_ipc) * config->max_threshold_by_dstport) != 0 ) { Sagan_Log(ERROR, "[%s, line %d] Failed to ftruncate thresh_by_dstport. [%s]", __FILE__, __LINE__, strerror(errno)); } if (( threshbydstport_ipc = mmap(0, sizeof(thresh_by_dstport_ipc) * config->max_threshold_by_dstport, (PROT_READ | PROT_WRITE), MAP_SHARED, config->shm_thresh_by_dstport, 0)) == MAP_FAILED ) { Sagan_Log(ERROR, "[%s, line %d] Error allocating memory for thresh_by_dstport object! 
[%s]", __FILE__, __LINE__, strerror(errno)); } if ( new_object == 0) { Sagan_Log(NORMAL, "- Thresh_by_dstport shared object reloaded (%d destination ports loaded / max: %d).", counters_ipc->thresh_count_by_dstport, config->max_threshold_by_dstport); } new_object = 0; if ( debug->debugipc && counters_ipc->thresh_count_by_dstport >= 1 ) { Sagan_Log(DEBUG, ""); Sagan_Log(DEBUG, "*** Threshold by destination port ***"); Sagan_Log(DEBUG, "----------------------------------------------------------------------------------------------------------------------------------------------------------------------------"); Sagan_Log(DEBUG, "%-45s| %-16s| %-11s| %-21s| %-11s| %s", "Selector", "DSTPORT IP", "Counter","Date added/modified", "SID", "Expire" ); Sagan_Log(DEBUG, "----------------------------------------------------------------------------------------------------------------------------------------------------------------------------"); for ( i = 0; i < counters_ipc->thresh_count_by_dstport; i++) { uint32_t dstport = htonl(threshbydstport_ipc[i].ipdstport); u32_Time_To_Human(threshbydstport_ipc[i].utime, time_buf, sizeof(time_buf)); Sagan_Log(DEBUG, "%-45s| %-16d| %-11d| %-21s| %-11s| %d", threshbydstport_ipc[i].selector, dstport, threshbydstport_ipc[i].count, time_buf, threshbydstport_ipc[i].sid, threshbydstport_ipc[i].expire); } Sagan_Log(DEBUG, ""); } /* Threshold by username */ snprintf(tmp_object_check, sizeof(tmp_object_check) - 1, "%s/%s", config->ipc_directory, THRESH_BY_USERNAME_IPC_FILE); IPC_Check_Object(tmp_object_check, new_counters, "thresh_by_username"); if ((config->shm_thresh_by_username = open(tmp_object_check, (O_CREAT | O_EXCL | O_RDWR), (S_IREAD | S_IWRITE))) > 0 ) { Sagan_Log(NORMAL, "+ Thresh_by_username shared object (new)."); new_object=1; } else if ((config->shm_thresh_by_username = open(tmp_object_check, (O_CREAT | O_RDWR), (S_IREAD | S_IWRITE))) < 0 ) { Sagan_Log(ERROR, "[%s, line %d] Cannot open() for thresh_by_username (%s:%s)", __FILE__, 
__LINE__, tmp_object_check, strerror(errno)); } if ( ftruncate(config->shm_thresh_by_username, sizeof(thresh_by_username_ipc) * config->max_threshold_by_username ) != 0 ) { Sagan_Log(ERROR, "[%s, line %d] Failed to ftruncate thresh_by_username. [%s]", __FILE__, __LINE__, strerror(errno)); } if (( threshbyusername_ipc = mmap(0, sizeof(thresh_by_username_ipc) * config->max_threshold_by_username, (PROT_READ | PROT_WRITE), MAP_SHARED, config->shm_thresh_by_username, 0)) == MAP_FAILED ) { Sagan_Log(ERROR, "[%s, line %d] Error allocating memory for thresh_by_username object! [%s]", __FILE__, __LINE__, strerror(errno)); } if ( new_object == 0 ) { Sagan_Log(NORMAL, "- Thresh_by_username shared object reloaded (%d usernames loaded / max: %d).", counters_ipc->thresh_count_by_username, config->max_threshold_by_username); } new_object = 0; if ( debug->debugipc && counters_ipc->thresh_count_by_username >= 1 ) { Sagan_Log(DEBUG, ""); Sagan_Log(DEBUG, "*** Threshold by username ***"); Sagan_Log(DEBUG, "----------------------------------------------------------------------------------------------------------------------------------------------------------------------------"); Sagan_Log(DEBUG, "%-45s| %-16s| %-11s| %-21s| %-11s| %s", "Selector", "Username", "Counter","Date added/modified", "SID", "Expire" ); Sagan_Log(DEBUG, "----------------------------------------------------------------------------------------------------------------------------------------------------------------------------"); for ( i = 0; i < counters_ipc->thresh_count_by_username; i++) { u32_Time_To_Human(threshbyusername_ipc[i].utime, time_buf, sizeof(time_buf)); Sagan_Log(DEBUG, "%-45s| %-16s| %-11d| %-21s| %-11s| %d", threshbyusername_ipc[i].selector, threshbyusername_ipc[i].username, threshbyusername_ipc[i].count, time_buf, threshbyusername_ipc[i].sid, threshbyusername_ipc[i].expire); } } /* After by source */ snprintf(tmp_object_check, sizeof(tmp_object_check) - 1, "%s/%s", config->ipc_directory, 
AFTER_BY_SRC_IPC_FILE); IPC_Check_Object(tmp_object_check, new_counters, "after_by_src"); if ((config->shm_after_by_src = open(tmp_object_check, (O_CREAT | O_EXCL | O_RDWR), (S_IREAD | S_IWRITE))) > 0 ) { Sagan_Log(NORMAL, "+ After_by_src shared object (new)."); new_object=1; } else if ((config->shm_after_by_src = open(tmp_object_check, (O_CREAT | O_RDWR), (S_IREAD | S_IWRITE))) < 0 ) { Sagan_Log(ERROR, "[%s, line %d] Cannot open() for after_by_src (%s:%s)", __FILE__, __LINE__, tmp_object_check, strerror(errno)); } if ( ftruncate(config->shm_after_by_src, sizeof(after_by_src_ipc) * config->max_after_by_src ) != 0 ) { Sagan_Log(ERROR, "[%s, line %d] Failed to ftruncate after_by_src. [%s]", __FILE__, __LINE__, strerror(errno)); } if (( afterbysrc_ipc = mmap(0, sizeof(after_by_src_ipc) * config->max_after_by_src, (PROT_READ | PROT_WRITE), MAP_SHARED, config->shm_after_by_src, 0)) == MAP_FAILED ) { Sagan_Log(ERROR, "[%s, line %d] Error allocating memory for after_by_src object! [%s]", __FILE__, __LINE__, strerror(errno)); } if ( new_object == 0 ) { Sagan_Log(NORMAL, "- After_by_src shared object reloaded (%d sources loaded / max: %d).", counters_ipc->after_count_by_src, config->max_after_by_src); } new_object = 0; if ( debug->debugipc && counters_ipc->after_count_by_src >= 1 ) { Sagan_Log(DEBUG, ""); Sagan_Log(DEBUG, "*** After by source ***"); Sagan_Log(DEBUG, "----------------------------------------------------------------------------------------------------------------------------------------------------------------------------"); Sagan_Log(DEBUG, "%-45s| %-45s| %-11s| %-21s| %-11s| %s", "Selector", "SRC IP", "Counter","Date added/modified", "SID", "Expire" ); Sagan_Log(DEBUG, "----------------------------------------------------------------------------------------------------------------------------------------------------------------------------"); for ( i = 0; i < counters_ipc->after_count_by_src; i++ ) { Bit2IP(afterbysrc_ipc[i].ipsrc, ip_src, sizeof(ip_src)); 
u32_Time_To_Human(afterbysrc_ipc[i].utime, time_buf, sizeof(time_buf)); Sagan_Log(DEBUG, "%-45s| %-45s| %-11d| %-21s| %-11s| %d", afterbysrc_ipc[i].selector, ip_src, afterbysrc_ipc[i].count, time_buf, afterbysrc_ipc[i].sid, afterbysrc_ipc[i].expire); } Sagan_Log(DEBUG, ""); } /* After by destination */ snprintf(tmp_object_check, sizeof(tmp_object_check) - 1, "%s/%s", config->ipc_directory, AFTER_BY_DST_IPC_FILE); IPC_Check_Object(tmp_object_check, new_counters, "after_by_dst"); if ((config->shm_after_by_dst = open(tmp_object_check, (O_CREAT | O_EXCL | O_RDWR), (S_IREAD | S_IWRITE))) > 0 ) { Sagan_Log(NORMAL, "+ After_by_dst shared object (new)."); new_object=1; } else if ((config->shm_after_by_dst = open(tmp_object_check, (O_CREAT | O_RDWR), (S_IREAD | S_IWRITE))) < 0 ) { Sagan_Log(ERROR, "[%s, line %d] Cannot open() for after_by_dst (%s:%s)", __FILE__, __LINE__, tmp_object_check, strerror(errno)); } if ( ftruncate(config->shm_after_by_dst, sizeof(after_by_dst_ipc) * config->max_after_by_dst) != 0 ) { Sagan_Log(ERROR, "[%s, line %d] Failed to ftruncate after_by_dst. [%s]", __FILE__, __LINE__, strerror(errno)); } if (( afterbydst_ipc = mmap(0, sizeof(after_by_dst_ipc) * config->max_after_by_dst, (PROT_READ | PROT_WRITE), MAP_SHARED, config->shm_after_by_dst, 0)) == MAP_FAILED ) { Sagan_Log(ERROR, "[%s, line %d] Error allocating memory for after_by_src object! 
[%s]", __FILE__, __LINE__, strerror(errno)); } if ( new_object == 0 ) { Sagan_Log(NORMAL, "- After_by_dst shared object reloaded (%d destinations loaded / max: %d).", counters_ipc->after_count_by_dst, config->max_after_by_dst); } new_object = 0; if ( debug->debugipc && counters_ipc->after_count_by_dst >= 1 ) { Sagan_Log(DEBUG, ""); Sagan_Log(DEBUG, "*** After by destination ***"); Sagan_Log(DEBUG, "----------------------------------------------------------------------------------------------------------------------------------------------------------------------------"); Sagan_Log(DEBUG, "%-45s| %-45s| %-11s| %-21s| %-11s| %s", "Selector", "DST IP", "Counter","Date added/modified", "SID", "Expire" ); Sagan_Log(DEBUG, "----------------------------------------------------------------------------------------------------------------------------------------------------------------------------"); for ( i = 0; i < counters_ipc->after_count_by_dst; i++) { Bit2IP(afterbydst_ipc[i].ipdst, ip_dst, sizeof(ip_dst)); u32_Time_To_Human(afterbydst_ipc[i].utime, time_buf, sizeof(time_buf)); Sagan_Log(DEBUG, "%-45s| %-45s| %-11d| %-21s| %-11s| %d", afterbydst_ipc[i].selector, ip_dst, afterbydst_ipc[i].count, time_buf, afterbydst_ipc[i].sid, afterbydst_ipc[i].expire); } Sagan_Log(DEBUG, ""); } /* After by source port */ snprintf(tmp_object_check, sizeof(tmp_object_check) - 1, "%s/%s", config->ipc_directory, AFTER_BY_SRCPORT_IPC_FILE); IPC_Check_Object(tmp_object_check, new_counters, "after_by_srcport"); if ((config->shm_after_by_srcport = open(tmp_object_check, (O_CREAT | O_EXCL | O_RDWR), (S_IREAD | S_IWRITE))) > 0 ) { Sagan_Log(NORMAL, "+ After_by_srcport shared object (new)."); new_object=1; } else if ((config->shm_after_by_srcport = open(tmp_object_check, (O_CREAT | O_RDWR), (S_IREAD | S_IWRITE))) < 0 ) { Sagan_Log(ERROR, "[%s, line %d] Cannot open() for after_by_srcport (%s)", __FILE__, __LINE__, strerror(errno)); } if ( ftruncate(config->shm_after_by_srcport, 
sizeof(after_by_srcport_ipc) * config->max_after_by_srcport) != 0 ) { Sagan_Log(ERROR, "[%s, line %d] Failed to ftruncate after_by_srcport. [%s]", __FILE__, __LINE__, strerror(errno)); } if (( afterbysrcport_ipc = mmap(0, sizeof(after_by_srcport_ipc) * config->max_after_by_srcport, (PROT_READ | PROT_WRITE), MAP_SHARED, config->shm_after_by_srcport, 0)) == MAP_FAILED ) { Sagan_Log(ERROR, "[%s, line %d] Error allocating memory for after_by_src object! [%s]", __FILE__, __LINE__, strerror(errno)); } if ( new_object == 0 ) { Sagan_Log(NORMAL, "- After_by_srcport shared object reloaded (%d source ports loaded / max: %d).", counters_ipc->after_count_by_srcport, config->max_after_by_srcport); } new_object = 0; if ( debug->debugipc && counters_ipc->after_count_by_srcport >= 1 ) { Sagan_Log(DEBUG, ""); Sagan_Log(DEBUG, "*** After by source port ***"); Sagan_Log(DEBUG, "----------------------------------------------------------------------------------------------------------------------------------------------------------------------------"); Sagan_Log(DEBUG, "%-45s| %-16s| %-11s| %-21s| %-11s| %s", "Selector", "SRCPORT", "Counter","Date added/modified", "SID", "Expire" ); Sagan_Log(DEBUG, "----------------------------------------------------------------------------------------------------------------------------------------------------------------------------"); for ( i = 0; i < counters_ipc->after_count_by_srcport; i++) { uint32_t srcport = htonl(afterbysrcport_ipc[i].ipsrcport); u32_Time_To_Human(afterbysrcport_ipc[i].utime, time_buf, sizeof(time_buf)); Sagan_Log(DEBUG, "%-45s| %-16d| %-11d| %-21s| %-11s| %d", afterbysrcport_ipc[i].selector, srcport, afterbysrcport_ipc[i].count, time_buf, afterbysrcport_ipc[i].sid, afterbysrcport_ipc[i].expire); } Sagan_Log(DEBUG, ""); } /* After by destination port */ snprintf(tmp_object_check, sizeof(tmp_object_check) - 1, "%s/%s", config->ipc_directory, AFTER_BY_DSTPORT_IPC_FILE); IPC_Check_Object(tmp_object_check, new_counters, 
"after_by_dstport"); if ((config->shm_after_by_dstport = open(tmp_object_check, (O_CREAT | O_EXCL | O_RDWR), (S_IREAD | S_IWRITE))) > 0 ) { Sagan_Log(NORMAL, "+ After_by_dstport shared object (new)."); new_object=1; } else if ((config->shm_after_by_dstport = open(tmp_object_check, (O_CREAT | O_RDWR), (S_IREAD | S_IWRITE))) < 0 ) { Sagan_Log(ERROR, "[%s, line %d] Cannot open() for after_by_dstport (%s)", __FILE__, __LINE__, strerror(errno)); } if ( ftruncate(config->shm_after_by_dstport, sizeof(after_by_dstport_ipc) * config->max_after_by_dstport) != 0 ) { Sagan_Log(ERROR, "[%s, line %d] Failed to ftruncate after_by_dstport. [%s]", __FILE__, __LINE__, strerror(errno)); } if (( afterbydstport_ipc = mmap(0, sizeof(after_by_dstport_ipc) * config->max_after_by_dstport, (PROT_READ | PROT_WRITE), MAP_SHARED, config->shm_after_by_dstport, 0)) == MAP_FAILED ) { Sagan_Log(ERROR, "[%s, line %d] Error allocating memory for after_by_src object! [%s]", __FILE__, __LINE__, strerror(errno)); } if ( new_object == 0 ) { Sagan_Log(NORMAL, "- After_by_dstport shared object reloaded (%d destinations ports loaded / max: %d).", counters_ipc->after_count_by_dstport, config->max_after_by_dstport); } new_object = 0; if ( debug->debugipc && counters_ipc->after_count_by_dstport >= 1 ) { Sagan_Log(DEBUG, ""); Sagan_Log(DEBUG, "*** After by destination port ***"); Sagan_Log(DEBUG, "----------------------------------------------------------------------------------------------------------------------------------------------------------------------------"); Sagan_Log(DEBUG, "%-45s| %-16s| %-11s| %-21s| %-11s| %s", "Selector", "DSTPORT", "Counter","Date added/modified", "SID", "Expire" ); Sagan_Log(DEBUG, "----------------------------------------------------------------------------------------------------------------------------------------------------------------------------"); for ( i = 0; i < counters_ipc->after_count_by_dstport; i++) { uint32_t dstport = htonl(afterbydstport_ipc[i].ipdstport); 
u32_Time_To_Human(afterbydstport_ipc[i].utime, time_buf, sizeof(time_buf)); Sagan_Log(DEBUG, "%-45s| %-16d| %-11d| %-21s| %-11s| %d", afterbydstport_ipc[i].selector, dstport, afterbydstport_ipc[i].count, time_buf, afterbydstport_ipc[i].sid, afterbydstport_ipc[i].expire); } Sagan_Log(DEBUG, ""); } /* After by username */ snprintf(tmp_object_check, sizeof(tmp_object_check) - 1, "%s/%s", config->ipc_directory, AFTER_BY_USERNAME_IPC_FILE); IPC_Check_Object(tmp_object_check, new_counters, "after_by_username"); if ((config->shm_after_by_username = open(tmp_object_check, (O_CREAT | O_EXCL | O_RDWR), (S_IREAD | S_IWRITE))) > 0 ) { Sagan_Log(NORMAL, "+ After_by_username shared object (new)."); new_object=1; } else if ((config->shm_after_by_username = open(tmp_object_check, (O_CREAT | O_RDWR), (S_IREAD | S_IWRITE))) < 0 ) { Sagan_Log(ERROR, "[%s, line %d] Cannot open() for after_by_username (%s:%s)", __FILE__, __LINE__, tmp_object_check, strerror(errno)); } if ( ftruncate(config->shm_after_by_username, sizeof(after_by_username_ipc) * config->max_after_by_username ) != 0 ) { Sagan_Log(ERROR, "[%s, line %d] Failed to ftruncate after_by_username. [%s]", __FILE__, __LINE__, strerror(errno)); } if (( afterbyusername_ipc = mmap(0, sizeof(after_by_username_ipc) * config->max_after_by_username, (PROT_READ | PROT_WRITE), MAP_SHARED, config->shm_after_by_username, 0)) == MAP_FAILED ) { Sagan_Log(ERROR, "[%s, line %d] Error allocating memory for after_by_src object! 
[%s]", __FILE__, __LINE__, strerror(errno)); } if ( new_object == 0 ) { Sagan_Log(NORMAL, "- After_by_username shared object reloaded (%d usernames loaded / max: %d).", counters_ipc->after_count_by_username, config->max_after_by_username); } new_object = 0; if ( debug->debugipc && counters_ipc->after_count_by_username >= 1 ) { Sagan_Log(DEBUG, ""); Sagan_Log(DEBUG, "*** After by username ***"); Sagan_Log(DEBUG, "----------------------------------------------------------------------------------------------------------------------------------------------------------------------------"); Sagan_Log(DEBUG, "%-45s| %-16s| %-11s| %-21s| %-11s| %s", "Selector", "Username", "Counter","Date added/modified", "SID", "Expire" ); Sagan_Log(DEBUG, "----------------------------------------------------------------------------------------------------------------------------------------------------------------------------"); for ( i = 0; i < counters_ipc->after_count_by_username; i++) { u32_Time_To_Human(afterbyusername_ipc[i].utime, time_buf, sizeof(time_buf)); Sagan_Log(DEBUG, "%-45s| %-16s| %-11d| %-21s| %-11s| %d", afterbyusername_ipc[i].selector, afterbyusername_ipc[i].username, afterbyusername_ipc[i].count, time_buf, afterbyusername_ipc[i].sid, afterbyusername_ipc[i].expire); } Sagan_Log(DEBUG, ""); } /* Client tracking */ if ( config->sagan_track_clients_flag ) { snprintf(tmp_object_check, sizeof(tmp_object_check) - 1, "%s/%s", config->ipc_directory, CLIENT_TRACK_IPC_FILE); IPC_Check_Object(tmp_object_check, new_counters, "_Sagan_Track_Clients_IPC"); if ((config->shm_track_clients = open(tmp_object_check, (O_CREAT | O_EXCL | O_RDWR), (S_IREAD | S_IWRITE))) > 0 ) { Sagan_Log(NORMAL, "+ Sagan_track_clients shared object (new)."); new_object=1; } else if ((config->shm_track_clients = open(tmp_object_check, (O_CREAT | O_RDWR), (S_IREAD | S_IWRITE))) < 1 ) { Sagan_Log(ERROR, "[%s, line %d] Cannot open() for Sagan_track_clients (%s:%s)", __FILE__, __LINE__, tmp_object_check, 
strerror(errno)); } if ( ftruncate(config->shm_track_clients, sizeof(_Sagan_Track_Clients_IPC) * config->max_track_clients ) != 0 ) { Sagan_Log(ERROR, "[%s, line %d] Failed to ftruncate _Sagan_Track_Clients_IPC. [%s]", __FILE__, __LINE__, strerror(errno)); } if (( SaganTrackClients_ipc = mmap(0, sizeof(_Sagan_Track_Clients_IPC) * config->max_track_clients, (PROT_READ | PROT_WRITE), MAP_SHARED, config->shm_track_clients, 0)) == MAP_FAILED ) { Sagan_Log(ERROR, "[%s, line %d] Error allocating memory for _Sagan_Track_Clients_IPC! [%s]", __FILE__, __LINE__, strerror(errno)); } if ( new_object == 0 ) { Sagan_Log(NORMAL, "- Sagan_track_clients shared object reloaded (%d clients loaded / max: %d).", counters_ipc->track_clients_client_count, config->max_track_clients); } new_object = 0; /* if ( debug->debugipc && counters_ipc->track_client_count >= 1 ) { Sagan_Log(DEBUG, ""); Sagan_Log(DEBUG, "*** After by username ***"); Sagan_Log(DEBUG, "----------------------------------------------------------------------------------------------------------------------------------------------------------------------------"); Sagan_Log(DEBUG, "%-16s| %-11s| %-21s| %-11s| %s", "Username", "Counter","Date added/modified", "SID", "Expire" ); Sagan_Log(DEBUG, "----------------------------------------------------------------------------------------------------------------------------------------------------------------------------"); for ( i = 0; i < counters_ipc->after_count_by_username; i++) { u32_Time_To_Human(afterbyusername_ipc[i].utime, time_buf, sizeof(time_buf)); Sagan_Log(DEBUG, "%-16s| %-11d| %-21s| %-11s| %d", afterbyusername_ipc[i].username, afterbyusername_ipc[i].count, time_buf, afterbyusername_ipc[i].sid, afterbyusername_ipc[i].expire); } Sagan_Log(DEBUG, ""); } */ } } sagan-1.2.0/src/util-strlcat.c0000644000175000017500000000401713310531444015127 0ustar champchamp/* strlcat * * Provided by the OpenBSD team. This is here for systems that do not * support the strlcat call. 
* */ /* $OpenBSD: strlcat.c,v 1.13 2005/08/08 08:05:37 espie Exp $ */ /* * Copyright (c) 1998 Todd C. Miller * * Permission to use, copy, modify, and distribute this software for any * purpose with or without fee is hereby granted, provided that the above * copyright notice and this permission notice appear in all copies. * * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ #ifdef HAVE_CONFIG_H #include "config.h" /* From autoconf */ #endif #ifndef HAVE_STRLCAT #include #include /* * Appends src to string dst of size siz (unlike strncat, siz is the * full size of dst, not space left). At most siz-1 characters * will be copied. Always NUL terminates (unless siz <= strlen(dst)). * Returns strlen(src) + MIN(siz, strlen(initial dst)). * If retval >= siz, truncation occurred. 
 */
size_t strlcat(char *dst, const char *src, size_t siz)
{
	/* Length of what is already in dst, looking at most siz bytes; when no
	 * terminator lies inside the buffer the result is siz (nothing fits). */
	const char *term = memchr(dst, '\0', siz);
	size_t dlen = term != NULL ? (size_t)(term - dst) : siz;
	size_t slen = strlen(src);
	size_t room;
	size_t ncopy;

	/* No room for anything, not even the NUL: leave dst untouched and
	 * report the length the full concatenation would have needed. */
	if (dlen == siz)
		return dlen + slen;

	room = siz - dlen - 1;			/* bytes usable before the NUL */
	ncopy = slen < room ? slen : room;
	memcpy(dst + dlen, src, ncopy);
	dst[dlen + ncopy] = '\0';

	/* strlen(initial dst) + strlen(src); a value >= siz means truncation. */
	return dlen + slen;
}
#endif sagan-1.2.0/src/plog.h0000644000175000017500000000226213310531444013446 0ustar champchamp/* ** Copyright (C) 2009-2018 Quadrant Information Security ** Copyright (C) 2009-2018 Champ Clark III ** ** This program is free software; you can redistribute it and/or modify ** it under the terms of the GNU General Public License Version 2 as ** published by the Free Software Foundation. You may not use, modify or ** distribute this program under any other version of the GNU General ** Public License. ** ** This program is distributed in the hope that it will be useful, ** but WITHOUT ANY WARRANTY; without even the implied warranty of ** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ** GNU General Public License for more details. ** ** You should have received a copy of the GNU General Public License ** along with this program; if not, write to the Free Software ** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. 
 */ #ifdef HAVE_CONFIG_H #include "config.h" /* From autoconf */ #endif #ifdef HAVE_LIBPCAP /* plog.h - settings and entry point of the libpcap-based log sniffer; only compiled when HAVE_LIBPCAP is defined. NOTE(review): these are definitions, not "extern" declarations, so every .c file that includes this header emits its own copy of each variable; that links only while the toolchain merges common symbols (GCC 10+ defaults to -fno-common). Declaring them extern here and defining them once in the .c file is the explicit form. */ char plog_interface[50]; /* presumably the capture interface name */ char plog_logdev[50]; /* log device path -- exact use not visible here */ char plog_filter[256]; /* presumably a pcap filter expression */ sbool plog_flag; /* non-zero when the sniffer is enabled (presumably) */ int plog_promiscuous; /* presumably: capture in promiscuous mode when non-zero */ void Plog_Handler( void ); /* sniffer entry point, defined elsewhere */ #endif sagan-1.2.0/src/protocol-map.h0000644000175000017500000000273313310531444015124 0ustar champchamp/* ** Copyright (C) 2009-2018 Quadrant Information Security ** Copyright (C) 2009-2018 Champ Clark III ** ** This program is free software; you can redistribute it and/or modify ** it under the terms of the GNU General Public License Version 2 as ** published by the Free Software Foundation. You may not use, modify or ** distribute this program under any other version of the GNU General ** Public License. ** ** This program is distributed in the hope that it will be useful, ** but WITHOUT ANY WARRANTY; without even the implied warranty of ** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ** GNU General Public License for more details. ** ** You should have received a copy of the GNU General Public License ** along with this program; if not, write to the Free Software ** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. 
 */ #ifdef HAVE_CONFIG_H #include "config.h" /* From autoconf */ #endif /* protocol-map.h - in-memory form of the protocol.map file; judging by the field names each entry maps either a syslog program name or a message substring to a protocol number. */ /* Storage for protocol.map (program search) */ typedef struct _Sagan_Protocol_Map_Program _Sagan_Protocol_Map_Program; struct _Sagan_Protocol_Map_Program { int type; /* entry kind as read from protocol.map -- possible values not visible here */ int proto; /* protocol number assigned when the entry matches (presumably) */ int nocase; /* non-zero: match case-insensitively (presumably) */ char program[64]; /* program name to match; NUL-terminated, so at most 63 characters */ }; /* Storage for protocol.map (message search) */ typedef struct _Sagan_Protocol_Map_Message _Sagan_Protocol_Map_Message; struct _Sagan_Protocol_Map_Message { int type; /* as above */ int proto; /* as above */ int nocase; /* as above */ char search[512]; /* substring looked for in the message; at most 511 characters */ }; /* Load_Protocol_Map - parse the protocol.map file at the given path into the tables above (defined elsewhere). */ void Load_Protocol_Map( const char * ); sagan-1.2.0/src/classifications.h0000644000175000017500000000241213310531444015660 0ustar champchamp/* ** Copyright (C) 2009-2018 Quadrant Information Security ** Copyright (C) 2009-2018 Champ Clark III ** ** This program is free software; you can redistribute it and/or modify ** it under the terms of the GNU General Public License Version 2 as ** published by the Free Software Foundation. You may not use, modify or ** distribute this program under any other version of the GNU General ** Public License. ** ** This program is distributed in the hope that it will be useful, ** but WITHOUT ANY WARRANTY; without even the implied warranty of ** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ** GNU General Public License for more details. ** ** You should have received a copy of the GNU General Public License ** along with this program; if not, write to the Free Software ** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. 
 */ #ifdef HAVE_CONFIG_H #include "config.h" /* From autoconf */ #endif /* Classification structure - one entry per classification read by Load_Classifications(); rules presumably refer to an entry by its s_shortname. */ typedef struct _Class_Struct _Class_Struct; struct _Class_Struct { char s_shortname[512]; /* classtype keyword (at most 511 characters) */ char s_desc[512]; /* human-readable description */ int s_priority; /* priority attached to this classification */ }; /* Load_Classifications - read the classifications file at the given path (defined elsewhere). */ void Load_Classifications( const char * ); /* Classtype_Lookup - look up classtype and write the result into str, using at most size bytes. The meaning of the int return value is not visible here -- see the definition. NOTE(review): size_t is used without an explicit include of <stddef.h>; the header relies on whoever includes it having done so. */ int Classtype_Lookup( const char *classtype, char *str, size_t size ); sagan-1.2.0/src/xbit-redis.c0000644000175000017500000007120313310531444014553 0ustar champchamp/* ** Copyright (C) 2009-2018 Quadrant Information Security ** Copyright (C) 2009-2018 Champ Clark III ** ** This program is free software; you can redistribute it and/or modify ** it under the terms of the GNU General Public License Version 2 as ** published by the Free Software Foundation. You may not use, modify or ** distribute this program under any other version of the GNU General ** Public License. ** ** This program is distributed in the hope that it will be useful, ** but WITHOUT ANY WARRANTY; without even the implied warranty of ** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ** GNU General Public License for more details. ** ** You should have received a copy of the GNU General Public License ** along with this program; if not, write to the Free Software ** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. 
 */ #ifdef HAVE_CONFIG_H #include "config.h" /* From autoconf */ #endif #ifdef HAVE_LIBHIREDIS #include #include #include #include #include "sagan.h" #include "sagan-defs.h" #include "sagan-config.h" #include "rules.h" #include "xbit.h" #include "xbit-mmap.h" #include "xbit-redis.h" #include "parsers/parsers.h" #include "redis.h" /* Globals shared with the rest of Sagan. NOTE(review): these are tentative definitions, and xbit-mmap.c defines the same names again; that links only while common symbols are merged (GCC 10+ defaults to -fno-common) -- "extern" here with one real definition is the explicit form. */ struct _SaganConfig *config; struct _Rule_Struct *rulestruct; struct _SaganDebug *debug; struct _SaganCounters *counters; pthread_mutex_t CounterRedisWriterThreadsDrop=PTHREAD_MUTEX_INITIALIZER; /* guards counters->redis_writer_threads_drop */ int redis_msgslot = 0; /* index of the next free SaganRedis[] entry; advanced by the functions below without holding any lock -- NOTE(review): if the writer threads also modify it (not visible here) that is a data race */ pthread_cond_t SaganRedisDoWork=PTHREAD_COND_INITIALIZER; /* signalled after a slot has been filled */ pthread_mutex_t SaganRedisWorkMutex=PTHREAD_MUTEX_INITIALIZER; /* NOTE(review): only ever unlocked in this file, never locked -- see Xbit_Set_Redis */ struct _Sagan_Redis *SaganRedis; /* per-slot command buffers for the writer threads; allocated elsewhere */ /* Combination mode of one rule's xbit list: OR for "a|b", AND otherwise; NONE is only the initial value. */ #define NONE 0 #define OR 1 #define AND 2 /**************************************************************** README * README * README * README * README * README * README README * README * README * README * README * README * README **************************************************************** This is very PoC (proof of concept) code and is NOT production ready. This is to test the functionality of using Redis as a backend to store "xbits" (making them "global" xbits). store what "Set" an xbit in redis? ****************************************************************/ /***************************************************************************** Xbit_Condition_Redis - Test the condition of xbits. 
For example, "isset" and "isnotset".

   rule_position            index into rulestruct of the rule being evaluated
   ip_src_char/ip_dst_char  source/destination address of the current event as
                            text; both are placed verbatim into the ZRANGEBYLEX
                            key and range
   src_port/dst_port        not used by the Redis backend
   selector                 prefixed to every key as "selector:" when
                            config->selector_flag is set

   Returns true when every isset/isnotset xbit of the rule matched
   (xbit_total_match == xbit_condition_count) or, for an "a|b" list, when at
   least one did; false otherwise. Only directions 0..3 are handled; any other
   direction value simply never matches.

   NOTE(review): j, reply and djb2_hash are never used, and t/now/timet are
   computed but never read.
   NOTE(review): "found" is decided by redis_reply[0] != ' ', i.e. this relies on
   Redis_Reader() leaving a leading space for an empty result -- confirm against
   redis.c before changing either side.
 *****************************************************************************/ sbool Xbit_Condition_Redis(int rule_position, char *ip_src_char, char *ip_dst_char, int src_port, int dst_port, char *selector ) { int i; int j; int xbit_total_match = 0; time_t t; struct tm *now; char timet[20]; redisReply *reply; char redis_command[1024] = { 0 }; char redis_reply[32] = { 0 }; char tmp[128]; char *tmp_xbit_name = NULL; char *tok = NULL; uint32_t djb2_hash; t = time(NULL); now=localtime(&t); strftime(timet, sizeof(timet), "%s", now); int and_or = NONE; /* OR for "a|b" lists, AND otherwise; stays NONE only if the rule has no isset/isnotset xbit */ char *src_or_dst = NULL; char *src_or_dst_type = NULL; char notnull_selector[MAXSELECTOR] = { 0 }; /* If "selector" is in use, make it ready for redis */ if ( config->selector_flag ) { snprintf(notnull_selector, sizeof(notnull_selector), "%s:", selector); } /* if ( debug->debugredis ) { Sagan_Log(DEBUG, "[%s, line %d] Redis Xbit Condition.", __FILE__, __LINE__); } */ /* Cycle through xbits in the rule */ for (i = 0; i < rulestruct[rule_position].xbit_count; i++) { /* Only dealing with isset and isnotset */ if ( rulestruct[rule_position].xbit_type[i] == 3 || rulestruct[rule_position].xbit_type[i] == 4 ) { strlcpy(tmp, rulestruct[rule_position].xbit_name[i], sizeof(tmp)); /* Determine if there are any | or &. If so, we'll cycle through all xbits */ if (Sagan_strstr(rulestruct[rule_position].xbit_name[i], "|")) { tmp_xbit_name = strtok_r(tmp, "|", &tok); and_or = OR; } else { tmp_xbit_name = strtok_r(tmp, "&", &tok); and_or = AND; } /* Cycle through all xbits, if needed */ while (tmp_xbit_name != NULL ) { /* direction: none - may add support for this later. */ /* NOTE(review): the warning text below says "unset" although this path is reached for isset/isnotset. */ if ( rulestruct[rule_position].xbit_direction[i] == 0 ) { { Sagan_Log(WARN, "[%s, line %d] Call for \"isset\" or \"isnotset\" xbit \"%s\" with Redis is not supported! 
\"unset\" needs an IP source or destination", __FILE__, __LINE__, tmp_xbit_name); } } /*****************************************************************/ /* direction: both - this is the easiest as we have all the data */ /*****************************************************************/ else if ( rulestruct[rule_position].xbit_direction[i] == 1 ) { if ( debug->debugxbit ) { Sagan_Log(DEBUG, "[%s, line %d] \"isset\" xbit \"%s\" (direction: \"both\"). (%s -> %s)", __FILE__, __LINE__, tmp_xbit_name, ip_src_char, ip_dst_char); } /* Key "<selector:>xbit:both", member "src:dst" -- the same key Xbit_Set_Redis writes with ZADD. */ snprintf(redis_command, sizeof(redis_command), "ZRANGEBYLEX %s%s:both [%s:%s [%s:%s", notnull_selector, tmp_xbit_name, ip_src_char, ip_dst_char, ip_src_char, ip_dst_char); Redis_Reader(redis_command, redis_reply, sizeof(redis_reply)); /* If the xbit is found ... */ if ( redis_reply[0] != ' ' ) { /* isset */ if ( rulestruct[rule_position].xbit_type[i] == 3 ) { if ( debug->debugxbit ) { Sagan_Log(DEBUG, "[%s, line %d] Found xbit '%s' for 'isset'.", __FILE__, __LINE__, tmp_xbit_name ); } /* The rule has a |, we can short circuit here */ if ( and_or == OR || and_or == NONE ) { if ( debug->debugxbit ) { Sagan_Log(DEBUG, "[%s, line %d] '|' set or only one xbit used, returning TRUE", __FILE__, __LINE__, tmp_xbit_name ); } return(true); } /* No | in the rule, so increment the match counter */ xbit_total_match++; } /* End of rulestruct[rule_position].xbit_type[i] == 3 */ } else /* redis_reply[0] == ' ' : nothing found */ { /* No match was found */ /* isnotset */ if ( rulestruct[rule_position].xbit_type[i] == 4 ) { if ( debug->debugxbit ) { Sagan_Log(DEBUG, "[%s, line %d] Did not find xbit '%s' for 'isnotset'.", __FILE__, __LINE__, tmp_xbit_name ); } /* If the run contains &'s we can short circuit here */ if ( and_or == AND || and_or == NONE ) { if ( debug->debugxbit ) { Sagan_Log(DEBUG, "[%s, line %d] AND in isnotset, returning TRUE.", __FILE__, __LINE__, tmp_xbit_name ); } return(true); } /* The rule contain no &, so increment the match counter */ 
xbit_total_match++; } /* End of rulestruct[rule_position].xbit_type[i] == 4 */ } /* End of else: nothing found */ } /* End of if (rulestruct[rule_position].xbit_direction[i] == 1 || both ) */ /*******************************/ /* direction: by_src || by_dst */ /*******************************/ /* Since by_src and by_dst similar Redis queries, we handle both here */ if ( rulestruct[rule_position].xbit_direction[i] == 2 || rulestruct[rule_position].xbit_direction[i] == 3 ) { if ( rulestruct[rule_position].xbit_direction[i] == 2 ) { src_or_dst = ip_src_char; src_or_dst_type = "by_src"; } else { src_or_dst = ip_dst_char; src_or_dst_type = "by_dst"; } /* BUG(review): the key here is "%s:%s" (xbit:by_src) with no notnull_selector prefix, unlike the ":both" query above and every ZADD in Xbit_Set_Redis, which write "%s%s:by_src". With config->selector_flag set this reads a key nothing writes, so "isset" can never match and "isnotset" always does. Intended: "ZRANGEBYLEX %s%s:%s [%s [%s" with notnull_selector as the first argument. */ snprintf(redis_command, sizeof(redis_command), "ZRANGEBYLEX %s:%s [%s [%s", tmp_xbit_name, src_or_dst_type, src_or_dst, src_or_dst); Redis_Reader(redis_command, redis_reply, sizeof(redis_reply)); /**************************************************************/ /* If nothing is found, we can stop a lot of processing here.*/ /**************************************************************/ if ( redis_reply[0] != ' ' ) { /* "isset" - If nothing is found then no need to continue */ if ( rulestruct[rule_position].xbit_type[i] == 3 ) { if ( and_or == OR || and_or == NONE ) { if ( debug->debugxbit ) { Sagan_Log(DEBUG, "[%s, line %d] xbit found, return TRUE", __FILE__, __LINE__ ); } return(true); } xbit_total_match++; } } else { /* isnotset .... */ if ( rulestruct[rule_position].xbit_type[i] == 4 ) { /* If we are looking for flowbit1&flowbit2 and flowbit1 is not set, we can short circuit now */ if ( and_or == AND || and_or == NONE ) { if ( debug->debugxbit ) { Sagan_Log(DEBUG, "[%s, line %d] Single xbit or '&' found in xbit set. 
Returning TRUE", __FILE__, __LINE__ ); } return(true); } xbit_total_match++; } } /* if ( redis_reply[0] ) */ } /* rulestruct[rule_position].xbit_direction[i] == 2 || 3 */ /************************************/ /* If needed, move to the next xbit */ /************************************/ if ( and_or == OR ) { tmp_xbit_name = strtok_r(NULL, "|", &tok); } else { tmp_xbit_name = strtok_r(NULL, "&", &tok); } } /* while (tmp_xbit_name != NULL */ } /* rulestruct[rule_position].xbit_type[i] == 3 | 4 */ } /* for (i = 0; .... */ /* IF we match all criteria for isset/isnotset * * If we match the xbit_conditon_count (number of concurrent xbits) * we trigger. It it's an "or" statement, we trigger if any of the * xbits are set. * * NOTE(review): and_or reflects only the last xbit processed. A rule with no * isset/isnotset xbit leaves xbit_total_match at 0 and therefore returns true * when xbit_condition_count is also 0 -- presumably the intended "no condition" * result; verify against the rule loader. */ if ( ( rulestruct[rule_position].xbit_condition_count == xbit_total_match ) || ( and_or == OR && xbit_total_match != 0 ) ) { if ( debug->debugxbit) { Sagan_Log(DEBUG, "[%s, line %d] Condition of xbit returning TRUE. %d %d", __FILE__, __LINE__, rulestruct[rule_position].xbit_condition_count, xbit_total_match); } return(true); } /* isset/isnotset failed. */ if ( debug->debugxbit) { Sagan_Log(DEBUG, "[%s, line %d] Condition of xbit returning FALSE. 
Needed %d but got %d.", __FILE__, __LINE__, rulestruct[rule_position].xbit_condition_count, xbit_total_match); } return(false); } /***************************************************************************** * Xbit_Set_Redis - This will "set" and "unset" xbits in Redis
 *
 * For every xbit of type 1 (set) or 2 (unset) in the rule, formats one
 * ';'-separated batch of ZADD/ZREM commands into SaganRedis[redis_msgslot]
 * and signals the writer threads (SaganRedisDoWork). Expired entries are
 * pruned first via Xbit_Cleanup_Redis(). Scores are utime + the rule's
 * xbit_timeout, i.e. the absolute expiry time.
 *
 *   SaganProcSyslog_LOCAL  the event; its syslog_* fields are joined with '|'
 *                          into fullsyslog_orig and stored as the member of
 *                          the ":set_log" sorted set.
 *
 * NOTE(review): fullsyslog_orig is log content -- attacker-influenced input --
 * and the only rewriting done is ' ' -> '_' and ';' -> ':' (';' being this
 * file's command separator). Whether any other byte (newline, CR, quotes)
 * can change the command as sent depends on how the writer thread splits and
 * submits SaganRedis[].redis_command, which is not visible here; passing
 * members as separate arguments (redisCommandArgv-style) instead of inline
 * text would remove that dependency.
 * NOTE(review): j, reply, reply_2, redis_command, djb2_hash, djb2_hash_src
 * and djb2_hash_dst are declared but never used.
 * NOTE(review): %lu is paired with uint32_t arguments throughout this file;
 * use %u or PRIu32 (the mismatch is undefined behaviour even where it works).
 * NOTE(review): utime comes from atoi() of the "%s" epoch string; int
 * overflows in 2038 -- strtoul() would be the safe conversion.
 *****************************************************************************/ void Xbit_Set_Redis(int rule_position, char *ip_src_char, char *ip_dst_char, int src_port, int dst_port, char *selector, _Sagan_Proc_Syslog *SaganProcSyslog_LOCAL ) { time_t t; struct tm *now; char timet[20]; int i; int j; char *tmp_xbit_name = NULL; char tmp[128] = { 0 }; char *tok = NULL; redisReply *reply; redisReply *reply_2; char redis_command[16384] = { 0 }; char fullsyslog_orig[400 + MAX_SYSLOGMSG] = { 0 }; /* unused: char altered_syslog[ (400*2) + (MAX_SYSLOGMSG*2)] = { 0 }; */ t = time(NULL); now=localtime(&t); strftime(timet, sizeof(timet), "%s", now); uint32_t djb2_hash; uint32_t djb2_hash_src; uint32_t djb2_hash_dst; uint32_t utime = atoi(timet); uint32_t utime_plus_timeout; char notnull_selector[MAXSELECTOR] = { 0 }; if ( debug->debugredis ) { Sagan_Log(DEBUG, "[%s, line %d] Redis Xbit Xbit_Set_Redis()", __FILE__, __LINE__); } snprintf(fullsyslog_orig, sizeof(fullsyslog_orig), "%s|%s|%s|%s|%s|%s|%s|%s|%s", SaganProcSyslog_LOCAL->syslog_host, SaganProcSyslog_LOCAL->syslog_facility, SaganProcSyslog_LOCAL->syslog_priority, SaganProcSyslog_LOCAL->syslog_level, SaganProcSyslog_LOCAL->syslog_tag, SaganProcSyslog_LOCAL->syslog_date, SaganProcSyslog_LOCAL->syslog_time, SaganProcSyslog_LOCAL->syslog_program, SaganProcSyslog_LOCAL->syslog_message ); /* Make the log line usable as a single Redis member: no spaces, and no ';' because that is the command separator used below. */ for ( i = 0; i < strlen(fullsyslog_orig); i++ ) { switch(fullsyslog_orig[i]) { case ' ': fullsyslog_orig[i] = '_'; break; case ';': fullsyslog_orig[i] = ':'; break; } } /* If "selector" is in use, make it ready for redis */ if ( config->selector_flag ) { snprintf(notnull_selector, sizeof(notnull_selector), "%s:", selector); } for (i = 0; i < rulestruct[rule_position].xbit_count; i++) 
{ /* xbit SET */ if ( rulestruct[rule_position].xbit_type[i] == 1 ) { strlcpy(tmp, rulestruct[rule_position].xbit_name[i], sizeof(tmp)); tmp_xbit_name = strtok_r(tmp, "&", &tok); while( tmp_xbit_name != NULL ) { if ( redis_msgslot < config->redis_max_writer_threads ) { /* First, clean up */ /* NOTE(review): Xbit_Cleanup_Redis() consumes a slot (it increments redis_msgslot) but the bound was checked only once above, so the snprintf below can target index redis_max_writer_threads; if SaganRedis holds exactly that many entries (allocation not visible here) that is a write past the array. Re-check the bound after the cleanup, or let cleanup and set share one batch. The unset branches below have the same pattern. */ Xbit_Cleanup_Redis(tmp_xbit_name, utime, notnull_selector, ip_src_char, ip_dst_char); utime_plus_timeout = utime + rulestruct[rule_position].xbit_timeout[i]; snprintf(SaganRedis[redis_msgslot].redis_command, sizeof(SaganRedis[redis_msgslot].redis_command), "ZADD %s%s:by_src %lu %s;" "ZADD %s%s:by_dst %lu %s;" "ZADD %s%s:both %lu %s:%s;" "ZADD %s%s:%s:%s:set_log %lu %s", notnull_selector, tmp_xbit_name, utime_plus_timeout, ip_src_char, notnull_selector, tmp_xbit_name, utime_plus_timeout, ip_dst_char, notnull_selector, tmp_xbit_name, utime_plus_timeout, ip_src_char, ip_dst_char, notnull_selector, tmp_xbit_name, ip_src_char, ip_dst_char, utime_plus_timeout, fullsyslog_orig ); redis_msgslot++; pthread_cond_signal(&SaganRedisDoWork); /* NOTE(review): SaganRedisWorkMutex is unlocked here (and at every other signal site in this file) without ever being locked; unlocking a default mutex the thread does not hold is undefined behaviour, and the slot fill plus redis_msgslot++ happen with no lock held. Presumably the writer threads wait on SaganRedisDoWork under this mutex; the usual shape is lock, fill slot, signal, unlock. */ pthread_mutex_unlock(&SaganRedisWorkMutex); } else { Sagan_Log(WARN, "Out of Redis 'writer' threads for 'set'. Skipping!"); pthread_mutex_lock(&CounterRedisWriterThreadsDrop); counters->redis_writer_threads_drop++; pthread_mutex_unlock(&CounterRedisWriterThreadsDrop); } tmp_xbit_name = strtok_r(NULL, "&", &tok); } } /* xbit UNSET */ else if ( rulestruct[rule_position].xbit_type[i] == 2 ) { /* Xbits & (ie - bit1&bit2) */ strlcpy(tmp, rulestruct[rule_position].xbit_name[i], sizeof(tmp)); tmp_xbit_name = strtok_r(tmp, "&", &tok); while( tmp_xbit_name != NULL ) { /* direction: none */ if ( rulestruct[rule_position].xbit_direction[i] == 0 ) { { Sagan_Log(WARN, "[%s, line %d] Call for \"unset\" xbit \"%s\" with Redis is not supported! 
\"unset\" needs an IP source or destination", __FILE__, __LINE__, tmp_xbit_name); } } /* direction: both - This should be easiest since we have all the data we need */ else if ( rulestruct[rule_position].xbit_direction[i] == 1 ) { if ( redis_msgslot < config->redis_max_writer_threads ) { Xbit_Cleanup_Redis(tmp_xbit_name, utime, notnull_selector, ip_src_char, ip_dst_char); /* BUG(review): there is no ';' between the ":both" and ":set_log" literals, so they concatenate into one command ("... %s:%sZREM ..."), and the final ZREM carries no member argument at all. Intended: "ZREM %s%s:both %s:%s;" followed by a command that removes the ":set_log" entries for this pair (ZREM needs the stored member; DEL of the key drops every log line stored for the pair). */ snprintf(SaganRedis[redis_msgslot].redis_command, sizeof(SaganRedis[redis_msgslot].redis_command), "ZREM %s%s:by_src %s;" "ZREM %s%s:by_dst %s;" "ZREM %s%s:both %s:%s" "ZREM %s%s:%s:%s:set_log", notnull_selector, tmp_xbit_name, ip_src_char, notnull_selector, tmp_xbit_name, ip_dst_char, notnull_selector, tmp_xbit_name, ip_src_char, ip_dst_char, notnull_selector, tmp_xbit_name, ip_src_char, ip_dst_char ); redis_msgslot++; pthread_cond_signal(&SaganRedisDoWork); pthread_mutex_unlock(&SaganRedisWorkMutex); } else { Sagan_Log(WARN, "Out of Redis 'writer' threads for 'unset' by 'both'. Skipping!"); pthread_mutex_lock(&CounterRedisWriterThreadsDrop); counters->redis_writer_threads_drop++; pthread_mutex_unlock(&CounterRedisWriterThreadsDrop); } } /* direction: ip_src */ else if ( rulestruct[rule_position].xbit_direction[i] == 2 ) { if ( redis_msgslot < config->redis_max_writer_threads ) { Xbit_Cleanup_Redis(tmp_xbit_name, utime, notnull_selector, ip_src_char, ip_dst_char); snprintf(SaganRedis[redis_msgslot].redis_command, sizeof(SaganRedis[redis_msgslot].redis_command), "ZREM %s%s:by_src %s", notnull_selector, tmp_xbit_name, ip_src_char ); redis_msgslot++; pthread_cond_signal(&SaganRedisDoWork); pthread_mutex_unlock(&SaganRedisWorkMutex); } else { Sagan_Log(WARN, "Out of Redis 'writer' threads for 'unset' by 'ip_src'. 
Skipping!"); pthread_mutex_lock(&CounterRedisWriterThreadsDrop); counters->redis_writer_threads_drop++; pthread_mutex_unlock(&CounterRedisWriterThreadsDrop); } } /* direction: ip_dst */ else if ( rulestruct[rule_position].xbit_direction[i] == 3 ) { if ( redis_msgslot < config->redis_max_writer_threads ) { Xbit_Cleanup_Redis(tmp_xbit_name, utime, notnull_selector, ip_src_char, ip_dst_char); snprintf(SaganRedis[redis_msgslot].redis_command, sizeof(SaganRedis[redis_msgslot].redis_command), "ZREM %s%s:by_dst %s", notnull_selector, tmp_xbit_name, ip_dst_char ); redis_msgslot++; pthread_cond_signal(&SaganRedisDoWork); pthread_mutex_unlock(&SaganRedisWorkMutex); } else { Sagan_Log(WARN, "Out of Redis 'writer' threads for 'unset' by 'ip_dst'. Skipping!"); pthread_mutex_lock(&CounterRedisWriterThreadsDrop); counters->redis_writer_threads_drop++; pthread_mutex_unlock(&CounterRedisWriterThreadsDrop); } } tmp_xbit_name = strtok_r(NULL, "&", &tok); } /* while( tmp_xbit_name != NULL ) */ } /* else if ( rulestruct[rule_position].xbit_type[i] == 2 ) UNSET */ } /* for (i = 0; i < rulestruct[rule_position].xbit_count; i++) */ } /***************************************************************************** * Xbit_Cleanup_Redis - Cleans up old/stale xbits from Redis
 *
 * Queues ZREMRANGEBYSCORE -inf..utime on the by_src, by_dst, both and
 * set_log sorted sets of xbit_name (scores are the expiry times written by
 * Xbit_Set_Redis), taking one SaganRedis slot and signalling the writers.
 *   xbit_name                 a single xbit name (already split on '&')
 *   utime                     current time; members with score <= utime go
 *   notnull_selector          "selector:" or "" (see Xbit_Set_Redis)
 *   ip_src_char/ip_dst_char   only used to name the ":set_log" key
 * NOTE(review): the "out of writer threads" message below says "'unset' by
 * 'ip_dst'" -- copied from Xbit_Set_Redis; misleading when diagnosing drops.
 *****************************************************************************/ void Xbit_Cleanup_Redis( char *xbit_name, uint32_t utime, char *notnull_selector, char *ip_src_char, char *ip_dst_char ) { if ( redis_msgslot < config->redis_max_writer_threads ) { snprintf(SaganRedis[redis_msgslot].redis_command, sizeof(SaganRedis[redis_msgslot].redis_command), "ZREMRANGEBYSCORE %s%s:by_src -inf %lu;" "ZREMRANGEBYSCORE %s%s:by_dst -inf %lu;" "ZREMRANGEBYSCORE %s%s:both -inf %lu;" "ZREMRANGEBYSCORE %s%s:%s:%s:set_log -inf %lu", notnull_selector, xbit_name, utime, notnull_selector, xbit_name, utime, notnull_selector, xbit_name, utime, notnull_selector, xbit_name, ip_src_char, ip_dst_char, utime ); redis_msgslot++; 
pthread_cond_signal(&SaganRedisDoWork); pthread_mutex_unlock(&SaganRedisWorkMutex); } else { /* NOTE(review): message text is the one from Xbit_Set_Redis' ip_dst branch, not a cleanup-specific one. */ Sagan_Log(WARN, "Out of Redis 'writer' threads for 'unset' by 'ip_dst'. Skipping!"); pthread_mutex_lock(&CounterRedisWriterThreadsDrop); counters->redis_writer_threads_drop++; pthread_mutex_unlock(&CounterRedisWriterThreadsDrop); } } #endif sagan-1.2.0/src/xbit-mmap.c0000644000175000017500000022442613310531444014406 0ustar champchamp/* ** Copyright (C) 2009-2018 Quadrant Information Security ** Copyright (C) 2009-2018 Champ Clark III ** ** This program is free software; you can redistribute it and/or modify ** it under the terms of the GNU General Public License Version 2 as ** published by the Free Software Foundation. You may not use, modify or ** distribute this program under any other version of the GNU General ** Public License. ** ** This program is distributed in the hope that it will be useful, ** but WITHOUT ANY WARRANTY; without even the implied warranty of ** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ** GNU General Public License for more details. ** ** You should have received a copy of the GNU General Public License ** along with this program; if not, write to the Free Software ** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. */ /* * xbit-mmap.c - Functions used for tracking events over multiple log * lines. 
* */ #ifdef HAVE_CONFIG_H #include "config.h" /* From autoconf */ #endif #include #include #include #include #include #include #include "sagan.h" #include "sagan-defs.h" #include "ipc.h" #include "xbit-mmap.h" #include "rules.h" #include "sagan-config.h" #include "parsers/parsers.h" struct _SaganCounters *counters; struct _Rule_Struct *rulestruct; struct _SaganDebug *debug; struct _SaganConfig *config; pthread_mutex_t Xbit_Mutex=PTHREAD_MUTEX_INITIALIZER; struct _Sagan_IPC_Counters *counters_ipc; struct _Sagan_IPC_Xbit *xbit_ipc; /***************************************************************************** * Xbit_Condition - Used for testing "isset" & "isnotset". Full * rule condition is tested here and returned. *****************************************************************************/ sbool Xbit_Condition_MMAP(int rule_position, char *ip_src, char *ip_dst, int src_port, int dst_port, char *selector ) { time_t t; struct tm *now; char timet[20]; int i; int a; int xbit_total_match = 0; sbool xbit_match = 0; t = time(NULL); now=localtime(&t); strftime(timet, sizeof(timet), "%s", now); Xbit_Cleanup_MMAP(); for (i = 0; i < rulestruct[rule_position].xbit_count; i++) { /******************* * ISSET * *******************/ if ( rulestruct[rule_position].xbit_type[i] == 3 ) { if ( debug->debugxbit ) { Sagan_Log(DEBUG, "[%s, line %d] Condition \"isset\" found in rule.", __FILE__, __LINE__); } for (a = 0; a < counters_ipc->xbit_count; a++) { /* Short circuit if no selector match */ if ( (selector == NULL && xbit_ipc[a].selector[0] != '\0') || (selector != NULL && strcmp(selector, xbit_ipc[a].selector) != 0) ) { continue; } if ( !memcmp(rulestruct[rule_position].xbit_name[i], xbit_ipc[a].xbit_name, sizeof(rulestruct[rule_position].xbit_name[i])) && xbit_ipc[a].xbit_state == true ) { /* direction: by_src - most common check */ if ( rulestruct[rule_position].xbit_direction[i] == 2 && !memcmp(xbit_ipc[a].ip_src, ip_src, sizeof(xbit_ipc[a].ip_src)) ) { if ( debug->debugxbit ) 
{ Sagan_Log(DEBUG, "[%s, line %d] \"isset\" xbit \"%s\" (direction: \"by_src\"). (%s -> any)", __FILE__, __LINE__, xbit_ipc[a].xbit_name, xbit_ipc[a].ip_src); } xbit_total_match++; } /* direction: none */ else if ( rulestruct[rule_position].xbit_direction[i] == 0 ) { if ( debug->debugxbit ) { Sagan_Log(DEBUG, "[%s, line %d] \"isset\" xbit \"%s\" (direction: \"none\"). (any -> any)", __FILE__, __LINE__, xbit_ipc[a].xbit_name); } xbit_total_match++; } /* direction: both */ else if ( rulestruct[rule_position].xbit_direction[i] == 1 && !memcmp(xbit_ipc[a].ip_src, ip_src, sizeof(xbit_ipc[a].ip_src)) && !memcmp(xbit_ipc[a].ip_dst, ip_dst, sizeof(xbit_ipc[a].ip_dst)) ) { if ( debug->debugxbit ) { Sagan_Log(DEBUG, "[%s, line %d] \"isset\" xbit \"%s\" (direction: \"both\"). (%s -> %s)", __FILE__, __LINE__, xbit_ipc[a].xbit_name, ip_src, ip_dst); } xbit_total_match++; } /* direction: by_dst */ else if ( rulestruct[rule_position].xbit_direction[i] == 3 && !memcmp(xbit_ipc[a].ip_dst, ip_dst, sizeof(xbit_ipc[a].ip_dst)) ) { if ( debug->debugxbit) { Sagan_Log(DEBUG, "[%s, line %d] \"isset\" xbit \"%s\" (direction: \"by_dst\"). (any -> %s)", __FILE__, __LINE__, xbit_ipc[a].xbit_name, ip_dst); } xbit_total_match++; } /* direction: reverse */ else if ( rulestruct[rule_position].xbit_direction[i] == 4 && !memcmp(xbit_ipc[a].ip_src, ip_dst, sizeof(xbit_ipc[a].ip_src)) && !memcmp(xbit_ipc[a].ip_dst, ip_src, sizeof(xbit_ipc[a].ip_dst)) ) { if ( debug->debugxbit) { Sagan_Log(DEBUG, "[%s, line %d] \"isset\" xbit \"%s\" (direction: \"reverse\"). (%s -> %s)", __FILE__, __LINE__, xbit_ipc[a].xbit_name, ip_dst, ip_src); } xbit_total_match++; } /* direction: src_xbitdst */ else if ( rulestruct[rule_position].xbit_direction[i] == 5 && !memcmp(xbit_ipc[a].ip_dst, ip_src, sizeof(xbit_ipc[a].ip_dst)) ) { if ( debug->debugxbit) { Sagan_Log(DEBUG, "[%s, line %d] \"isset\" xbit \"%s\" (direction: \"src_xbitdst\"). 
(%s -> any)", __FILE__, __LINE__, xbit_ipc[a].xbit_name, ip_src); } xbit_total_match++; } /* direction: dst_xbitsrc */ else if ( rulestruct[rule_position].xbit_direction[i] == 6 && !memcmp(xbit_ipc[a].ip_src, ip_dst, sizeof(xbit_ipc[a].ip_src)) ) { if ( debug->debugxbit) { Sagan_Log(DEBUG, "[%s, line %d] \"isset\" xbit \"%s\" (direction: \"dst_xbitsrc\"). (any -> %s)", __FILE__, __LINE__, xbit_ipc[a].xbit_name, ip_dst); } xbit_total_match++; } /* direction: both_p */ else if ( rulestruct[rule_position].xbit_direction[i] == 7 && !memcmp(xbit_ipc[a].ip_src, ip_src, sizeof(xbit_ipc[a].ip_src)) && !memcmp(xbit_ipc[a].ip_dst, ip_dst, sizeof(xbit_ipc[a].ip_dst)) && xbit_ipc[a].src_port == src_port && xbit_ipc[a].dst_port == dst_port ) { if ( debug->debugxbit) { Sagan_Log(DEBUG, "[%s, line %d] \"isset\" xbit \"%s\" (direction: \"both_p\"). (%s -> %s)", __FILE__, __LINE__, xbit_ipc[a].xbit_name, ip_src, ip_dst); } xbit_total_match++; } /* direction: by_src_p */ else if ( rulestruct[rule_position].xbit_direction[i] == 8 && !memcmp(xbit_ipc[a].ip_src, ip_src, sizeof(xbit_ipc[a].ip_src)) && xbit_ipc[a].src_port == src_port ) { if ( debug->debugxbit) { Sagan_Log(DEBUG, "[%s, line %d] \"isset\" xbit \"%s\" (direction: \"by_src_p\"). (%s -> any)", __FILE__, __LINE__, xbit_ipc[a].xbit_name, ip_src); } xbit_total_match++; } /* direction: by_dst_p */ else if ( rulestruct[rule_position].xbit_direction[i] == 9 && !memcmp(xbit_ipc[a].ip_dst, ip_dst, sizeof(xbit_ipc[a].ip_dst)) && xbit_ipc[a].dst_port == dst_port ) { if ( debug->debugxbit) { Sagan_Log(DEBUG, "[%s, line %d] \"isset\" xbit \"%s\" (direction: \"by_dst_p\"). 
(any -> %s)", __FILE__, __LINE__, xbit_ipc[a].xbit_name, ip_dst); } xbit_total_match++; } /* direction: reverse_p */ else if ( rulestruct[rule_position].xbit_direction[i] == 10 && !memcmp(xbit_ipc[a].ip_src, ip_dst, sizeof(xbit_ipc[a].ip_src)) && !memcmp(xbit_ipc[a].ip_dst, ip_src, sizeof(xbit_ipc[a].ip_dst)) && xbit_ipc[a].src_port == dst_port && xbit_ipc[a].dst_port == src_port ) { if ( debug->debugxbit) { Sagan_Log(DEBUG, "[%s, line %d] \"isset\" xbit \"%s\" (direction: \"reverse_p\"). (%s -> %s)", __FILE__, __LINE__, xbit_ipc[a].xbit_name, ip_dst, ip_src); } xbit_total_match++; } /* direction: src_xbitdst_p */ else if ( rulestruct[rule_position].xbit_direction[i] == 11 && !memcmp(xbit_ipc[a].ip_dst, ip_src, sizeof(xbit_ipc[a].ip_dst)) && xbit_ipc[a].dst_port == src_port ) { if ( debug->debugxbit) { Sagan_Log(DEBUG, "[%s, line %d] \"isset\" xbit \"%s\" (direction: \"src_xbitdst_p\"). (%s -> any)", __FILE__, __LINE__, xbit_ipc[a].xbit_name, ip_src); } xbit_total_match++; } /* direction: dst_xbitsrc_p */ else if ( rulestruct[rule_position].xbit_direction[i] == 12 && !memcmp(xbit_ipc[a].ip_src, ip_dst, sizeof(xbit_ipc[a].ip_src)) && xbit_ipc[a].src_port == dst_port ) { if ( debug->debugxbit) { Sagan_Log(DEBUG, "[%s, line %d] \"isset\" xbit \"%s\" (direction: \"dst_xbitsrc_p\"). 
(any -> %s)", __FILE__, __LINE__, xbit_ipc[a].xbit_name, ip_dst); } xbit_total_match++; } } /* End of strcmp xbit_name & xbit_state = 1 */ } /* End of "for a" */ } /* End "if" xbit_type == 3 (ISSET) */ /******************* * ISNOTSET * *******************/ if ( rulestruct[rule_position].xbit_type[i] == 4 ) { if ( debug->debugxbit ) { Sagan_Log(DEBUG, "[%s, line %d] Condition \"isnotset\" found in rule.", __FILE__, __LINE__); } xbit_match = false; for (a = 0; a < counters_ipc->xbit_count; a++) { if ( !memcmp(rulestruct[rule_position].xbit_name[i], xbit_ipc[a].xbit_name, sizeof(rulestruct[rule_position].xbit_name[i])) ) { /* direction: none */ if ( rulestruct[rule_position].xbit_direction[i] == 0 ) { if ( xbit_ipc[a].xbit_state == true ) { if ( debug->debugxbit ) { Sagan_Log(DEBUG, "[%s, line %d] \"isnotset\" xbit \"%s\" true (direction: \"none\"). (any -> any)", __FILE__, __LINE__, xbit_ipc[a].xbit_name); } xbit_match = true; } } /* direction: both */ if ( rulestruct[rule_position].xbit_direction[i] == 1 ) { if ( !memcmp(xbit_ipc[a].ip_src, ip_src, sizeof(xbit_ipc[a].ip_src)) && !memcmp(xbit_ipc[a].ip_dst, ip_dst, sizeof(xbit_ipc[a].ip_dst)) ) { if ( xbit_ipc[a].xbit_state == true ) { if ( debug->debugxbit ) { Sagan_Log(DEBUG, "[%s, line %d] \"isnotset\" xbit \"%s\" true (direction: \"by_src\"). (%s -> %s)", __FILE__, __LINE__, xbit_ipc[a].xbit_name, ip_src, ip_dst); } xbit_match = true; } } } /* direction: by_src */ if ( rulestruct[rule_position].xbit_direction[i] == 2 ) { if ( !memcmp(xbit_ipc[a].ip_src, ip_src, sizeof(xbit_ipc[a].ip_src)) ) { if ( xbit_ipc[a].xbit_state == true ) { if ( debug->debugxbit ) { Sagan_Log(DEBUG, "[%s, line %d] \"isnotset\" xbit \"%s\" true (direction: \"by_src\"). 
(%s -> any)", __FILE__, __LINE__, xbit_ipc[a].xbit_name, ip_src); } xbit_match = true; } } } /* direction: by_dst */ else if ( rulestruct[rule_position].xbit_direction[i] == 3 ) { if ( !memcmp(xbit_ipc[a].ip_dst, ip_dst, sizeof(xbit_ipc[a].ip_dst)) ) { if ( xbit_ipc[a].xbit_state == true ) { if ( debug->debugxbit ) { Sagan_Log(DEBUG, "[%s, line %d] \"isnotset\" xbit \"%s\" true (direction: \"by_dst\"). (any -> %s)", __FILE__, __LINE__, xbit_ipc[a].xbit_name, ip_dst); } xbit_match = true; } } } /* direction: reverse */ else if ( rulestruct[rule_position].xbit_direction[i] == 4 ) { if ( !memcmp(xbit_ipc[a].ip_src, ip_dst, sizeof(xbit_ipc[a].ip_src)) && !memcmp(xbit_ipc[a].ip_dst, ip_src, sizeof(xbit_ipc[a].ip_dst)) ) { if ( xbit_ipc[a].xbit_state == true ) { if ( debug->debugxbit ) { Sagan_Log(DEBUG, "[%s, line %d] \"isnotset\" xbit \"%s\" true (direction: \"reverse\"). (%s -> %s)", __FILE__, __LINE__, xbit_ipc[a].xbit_name, ip_dst, ip_src); } xbit_match = true; } } } /* direciton: src_xbitdst */ else if ( rulestruct[rule_position].xbit_direction[i] == 5 ) { if ( !memcmp(xbit_ipc[a].ip_dst, ip_src, sizeof(xbit_ipc[a].ip_dst)) ) { if ( xbit_ipc[a].xbit_state == true ) { if ( debug->debugxbit ) { Sagan_Log(DEBUG, "[%s, line %d] \"isnotset\" xbit \"%s\" true (direction: \"src_xbitdst\"). (any -> %s)", __FILE__, __LINE__, xbit_ipc[a].xbit_name, ip_dst); } xbit_match = true; } } } /* direction: dst_xbitsrc */ else if ( rulestruct[rule_position].xbit_direction[i] == 6 ) { if ( !memcmp(xbit_ipc[a].ip_src, ip_dst, sizeof(xbit_ipc[a].ip_src)) ) { if ( xbit_ipc[a].xbit_state == true ) { if ( debug->debugxbit ) { Sagan_Log(DEBUG, "[%s, line %d] \"isnotset\" xbit \"%s\" true (direction: \"src_xbitdst\"). 
(%s -> any)", __FILE__, __LINE__, xbit_ipc[a].xbit_name, ip_dst); } xbit_match = true; } } } /* direction: both_p */ else if ( rulestruct[rule_position].xbit_direction[i] == 7 ) { if ( !memcmp(xbit_ipc[a].ip_src, ip_src, sizeof(xbit_ipc[a].ip_src)) && !memcmp(xbit_ipc[a].ip_dst, ip_dst, sizeof(xbit_ipc[a].ip_dst)) && xbit_ipc[a].src_port == src_port && xbit_ipc[a].dst_port == dst_port ) { if ( xbit_ipc[a].xbit_state == true ) { if ( debug->debugxbit ) { Sagan_Log(DEBUG, "[%s, line %d] \"isnotset\" xbit \"%s\" true (direction: \"src_xbitdst\"). (%s -> any)", __FILE__, __LINE__, xbit_ipc[a].xbit_name, ip_dst); } xbit_match = true; } } } /* direction: by_src_p */ else if ( rulestruct[rule_position].xbit_direction[i] == 8 ) { if ( !memcmp(xbit_ipc[a].ip_src, ip_src, sizeof(xbit_ipc[a].ip_src)) && xbit_ipc[a].src_port == src_port ) { if ( xbit_ipc[a].xbit_state == true ) { if ( debug->debugxbit ) { Sagan_Log(DEBUG, "[%s, line %d] \"isnotset\" xbit \"%s\" true (direction: \"by_src_p\"). (%s:%d -> any)", __FILE__, __LINE__, xbit_ipc[a].xbit_name, ip_src, src_port); } xbit_match = true; } } } /* direction: by_dst_p */ else if ( rulestruct[rule_position].xbit_direction[i] == 9 ) { if ( !memcmp(xbit_ipc[a].ip_dst, ip_dst, sizeof(xbit_ipc[a].ip_dst)) && xbit_ipc[a].dst_port == dst_port ) { if ( xbit_ipc[a].xbit_state == true ) { if ( debug->debugxbit ) { Sagan_Log(DEBUG, "[%s, line %d] \"isnotset\" xbit \"%s\" true (direction: \"by_dst_p\"). 
(any -> %s:%d)", __FILE__, __LINE__, xbit_ipc[a].xbit_name, ip_dst, dst_port); } xbit_match = true; } } } /* direction: reverse_p */ else if ( rulestruct[rule_position].xbit_direction[i] == 10 ) { if ( !memcmp(xbit_ipc[a].ip_src, ip_dst, sizeof(xbit_ipc[a].ip_src)) && !memcmp(xbit_ipc[a].ip_dst, ip_src, sizeof(xbit_ipc[a].ip_dst)) && xbit_ipc[a].src_port == dst_port && xbit_ipc[a].dst_port == src_port) { if ( xbit_ipc[a].xbit_state == true ) { if ( debug->debugxbit ) { Sagan_Log(DEBUG, "[%s, line %d] \"isnotset\" xbit \"%s\" true (direction: \"reverse_p\"). (%s:%d -> %s:%d)", __FILE__, __LINE__, xbit_ipc[a].xbit_name, ip_src, dst_port, ip_dst, src_port); } xbit_match = true; } } } /* direction: src_xbitdst_p */ else if ( rulestruct[rule_position].xbit_direction[i] == 11 ) { if ( !memcmp(xbit_ipc[a].ip_dst, ip_src, sizeof(xbit_ipc[a].ip_dst)) && xbit_ipc[a].dst_port == src_port ) { if ( xbit_ipc[a].xbit_state == true ) { if ( debug->debugxbit ) { Sagan_Log(DEBUG, "[%s, line %d] \"isnotset\" xbit \"%s\" true (direction: \"src_xbitdst_p\"). (any -> %s:%d)", __FILE__, __LINE__, xbit_ipc[a].xbit_name, ip_src, src_port); } xbit_match = true; } } } /* direction: dst_xbitsrc_p */ else if ( rulestruct[rule_position].xbit_direction[i] == 12 ) { if ( !memcmp(xbit_ipc[a].ip_src, ip_dst, sizeof(xbit_ipc[a].ip_src)) && xbit_ipc[a].src_port == dst_port ) { if ( xbit_ipc[a].xbit_state == true ) { if ( debug->debugxbit ) { Sagan_Log(DEBUG, "[%s, line %d] \"isnotset\" xbit \"%s\" true (direction: \"dst_xbitsrc_p\"). 
(%s:%d-> any)", __FILE__, __LINE__, xbit_ipc[a].xbit_name, ip_dst, dst_port); } xbit_match = true; } } } } /* if memcmp(rulestruct[rule_position].xbit_name[i] */ } /* for a = 0 */ /* xbit wasn't found for isnotset */ if ( xbit_match == false ) { xbit_total_match++; } } /* rulestruct[rule_position].xbit_type[i] == 4 */ } /* for (i = 0; i < rulestruct[rule_position].xbit_count; i++) */ if ( xbit_total_match == rulestruct[rule_position].xbit_condition_count ) { if ( debug->debugxbit ) { Sagan_Log(DEBUG, "[%s, line %d] Got %d xbits & needed %d. Got corrent number of xbits, return true!", __FILE__, __LINE__, xbit_total_match, rulestruct[rule_position].xbit_condition_count ); } return(true); } else { if ( debug->debugxbit ) { Sagan_Log(DEBUG, "[%s, line %d] Got %d xbits, needed %d", __FILE__, __LINE__, xbit_total_match, rulestruct[rule_position].xbit_condition_count ); } return(false); } Sagan_Log(WARN, "Shouldn't make it this far in Xbit_Condition()!\n"); } /* End of Xbit_Condition(); */ /***************************************************************************** * Xbit_Count - Used to determine how many xbits have been set based on a * source or destination address. This is useful for identification of * distributed attacks. 
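 *****************************************************************************/

/* Xbit_Count_MMAP
 *
 * Evaluates each "xbit_count" condition of a rule against the mmap-backed
 * xbit table.  For a condition with direction 2 ("by_src") the stored xbits
 * whose ip_src equals the event's ip_src are counted; for direction 3
 * ("by_dst") the ones whose ip_dst equals the event's ip_dst.  The first
 * condition whose count exceeds xbit_count_counter[i] makes the function
 * return true.  Any other direction value is never counted.
 *
 * Arguments:
 *   rule_position  index into rulestruct[] of the rule being evaluated
 *   ip_src/ip_dst  event addresses, in the same fixed-size binary form as
 *                  xbit_ipc[].ip_src / ip_dst (compared with memcmp)
 *   selector       NULL matches only slots with an empty selector,
 *                  otherwise must be an exact string match
 *
 * Returns true when a threshold is exceeded, false otherwise.
 *
 * Changes from the previous revision:
 *   - `counter` is reset for every condition `i`.  Previously it carried
 *     over from the preceding condition, so a second xbit_count was judged
 *     against the sum of both counts.
 *   - only xbits whose state is still "set" are counted.  Xbit_Cleanup_MMAP
 *     flips xbit_state to false on expiry but leaves the slot in the table,
 *     so expired entries were inflating the count and could trigger a
 *     distributed-attack match that was not backed by live state.
 */
sbool Xbit_Count_MMAP( int rule_position, char *ip_src, char *ip_dst, char *selector )
{

    uint32_t a = 0;
    uint32_t i = 0;
    uint32_t counter = 0;
    int direction = 0;

    for (i = 0; i < rulestruct[rule_position].xbit_count_count; i++)
        {

            /* Each xbit_count condition has its own threshold; start from zero. */
            counter = 0;
            direction = rulestruct[rule_position].xbit_direction[i];

            /* Only "by_src" (2) and "by_dst" (3) are meaningful for counting;
             * other direction values were never counted before either. */
            if ( direction != 2 && direction != 3 )
                {
                    continue;
                }

            /* NOTE(review): only the "greater than" form (xbit_count_gt_lt[i] == 0)
             * can ever return true.  A non-zero value is never evaluated and the
             * function falls through to "not reached".  Confirm against the rule
             * parser whether the other form is supposed to be checked after the
             * loop (e.g. counter < threshold). */

            for (a = 0; a < counters_ipc->xbit_count; a++)
                {

                    /* Short circuit if no selector match */
                    if ( (selector == NULL && xbit_ipc[a].selector[0] != '\0') ||
                            (selector != NULL && strcmp(selector, xbit_ipc[a].selector) != 0) )
                        {
                            continue;
                        }

                    /* Expired xbits keep their slot (Xbit_Cleanup_MMAP only clears
                     * the state), so they must not be counted as "set". */
                    if ( xbit_ipc[a].xbit_state == false )
                        {
                            continue;
                        }

                    /* NOTE(review): the xbit *name* is not compared here, so every
                     * active xbit sharing the address is counted regardless of which
                     * rule set it.  That matches the previous behaviour; confirm it
                     * is intended rather than an omission. */

                    if ( direction == 2 && memcmp(xbit_ipc[a].ip_src, ip_src, sizeof(xbit_ipc[a].ip_src)) != 0 )
                        {
                            continue;
                        }

                    if ( direction == 3 && memcmp(xbit_ipc[a].ip_dst, ip_dst, sizeof(xbit_ipc[a].ip_dst)) != 0 )
                        {
                            continue;
                        }

                    counter++;

                    if ( rulestruct[rule_position].xbit_count_gt_lt[i] == 0 &&
                            counter > rulestruct[rule_position].xbit_count_counter[i] )
                        {

                            if ( debug->debugxbit)
                                {
                                    Sagan_Log(DEBUG, "[%s, line %d] Xbit count '%s' threshold reached for xbit '%s'.", __FILE__, __LINE__, direction == 2 ? "by_src" : "by_dst", xbit_ipc[a].xbit_name);
                                }

                            return(true);
                        }
                }
        }

    if ( debug->debugxbit)
        {
            Sagan_Log(DEBUG, "[%s, line %d] Xbit count threshold NOT reached for xbit." , __FILE__, __LINE__);
        }

    return(false);

}

/*****************************************************************************
 * Xbit_Set - Used to "set" & "unset" xbit.  All rule "set" and
 * "unset" happen here.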
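 *****************************************************************************/

/* Compare a stored, fixed-size IP buffer against an event address.  `stored`
 * must be an array member of xbit_ipc[] so that sizeof() yields the buffer
 * length - this is how every lookup in this file compares addresses. */
#define XBIT_IP_EQ(stored, event) ( memcmp((stored), (event), sizeof(stored)) == 0 )

/* Does the selector stored in slot `a` correspond to `selector`?
 * A NULL selector only matches slots whose selector is empty; a non-NULL
 * selector must match exactly.  This is the "short circuit" test that every
 * lookup in this file performs. */
static sbool Xbit_Selector_Match( const char *selector, int a )
{
    if ( selector == NULL )
        {
            return xbit_ipc[a].selector[0] == '\0';
        }

    return strcmp(selector, xbit_ipc[a].selector) == 0;
}

/* Human readable name of an xbit "direction" value, for debug output. */
static const char *Xbit_Direction_Name( int direction )
{
    switch ( direction )
        {
        case 0:
            return "none";
        case 1:
            return "both";
        case 2:
            return "by_src";
        case 3:
            return "by_dst";
        case 4:
            return "reverse";
        case 5:
            return "src_xbitdst";
        case 6:
            return "dst_xbitsrc";
        case 7:
            return "both_p";
        case 8:
            return "by_src_p";
        case 9:
            return "by_dst_p";
        case 10:
            return "reverse_p";
        case 11:
            return "src_xbitdst_p";
        case 12:
            return "dst_xbitsrc_p";
        default:
            return "unknown";
        }
}

/* Does the xbit stored in slot `a` relate to the event's addresses/ports
 * according to `direction`?  The "_p" variants additionally compare ports;
 * the "reverse"/"src_xbitdst"/"dst_xbitsrc" variants swap the sides.
 * Unknown direction values never match. */
static sbool Xbit_Direction_Match( int direction, int a, char *ip_src, char *ip_dst, int src_port, int dst_port )
{
    switch ( direction )
        {
        case 0:   /* none: any -> any */
            return true;
        case 1:   /* both */
            return XBIT_IP_EQ(xbit_ipc[a].ip_src, ip_src) && XBIT_IP_EQ(xbit_ipc[a].ip_dst, ip_dst);
        case 2:   /* by_src */
            return XBIT_IP_EQ(xbit_ipc[a].ip_src, ip_src);
        case 3:   /* by_dst */
            return XBIT_IP_EQ(xbit_ipc[a].ip_dst, ip_dst);
        case 4:   /* reverse */
            return XBIT_IP_EQ(xbit_ipc[a].ip_dst, ip_src) && XBIT_IP_EQ(xbit_ipc[a].ip_src, ip_dst);
        case 5:   /* src_xbitdst */
            return XBIT_IP_EQ(xbit_ipc[a].ip_dst, ip_src);
        case 6:   /* dst_xbitsrc */
            return XBIT_IP_EQ(xbit_ipc[a].ip_src, ip_dst);
        case 7:   /* both_p */
            return XBIT_IP_EQ(xbit_ipc[a].ip_src, ip_src) && XBIT_IP_EQ(xbit_ipc[a].ip_dst, ip_dst) &&
                   xbit_ipc[a].src_port == src_port && xbit_ipc[a].dst_port == dst_port;
        case 8:   /* by_src_p */
            return XBIT_IP_EQ(xbit_ipc[a].ip_src, ip_src) && xbit_ipc[a].src_port == src_port;
        case 9:   /* by_dst_p */
            return XBIT_IP_EQ(xbit_ipc[a].ip_dst, ip_dst) && xbit_ipc[a].dst_port == dst_port;
        case 10:  /* reverse_p */
            return XBIT_IP_EQ(xbit_ipc[a].ip_dst, ip_src) && XBIT_IP_EQ(xbit_ipc[a].ip_src, ip_dst) &&
                   xbit_ipc[a].src_port == dst_port && xbit_ipc[a].dst_port == src_port;
        case 11:  /* src_xbitdst_p */
            return XBIT_IP_EQ(xbit_ipc[a].ip_dst, ip_src) && xbit_ipc[a].dst_port == src_port;
        case 12:  /* dst_xbitsrc_p */
            return XBIT_IP_EQ(xbit_ipc[a].ip_src, ip_dst) && xbit_ipc[a].src_port == dst_port;
        default:
            return false;
        }
}

/* Shared implementation of "set", "set_srcport", "set_dstport" and
 * "set_ports" for xbit option `i` of rule `rule_position`.
 *
 * If a slot already holds this xbit name for (ip_src, ip_dst, want_sport,
 * want_dport) and the selector, it is refreshed in place under the shared
 * memory file lock and Xbit_Mutex.  Otherwise the request is appended to the
 * caller's *xbit_track list so the caller can create the slot later.
 *
 *   label            name of the rule keyword, for debug output only
 *   want_sport/dport the port values the stored slot must carry (the
 *                    caller passes config->sagan_port for a side the
 *                    keyword does not track)
 *   now_epoch        current time, seconds since the epoch
 *   xbit_track       in/out: heap array grown with realloc()
 *   xbit_track_count in/out: number of valid entries in *xbit_track
 *
 * Previously the "not in memory yet" path wrote syslog_message /
 * signature_msg / sid into xbit_ipc[xbit_track_count] - an unrelated slot
 * of the shared table, chosen by the tracking index, without holding any
 * lock.  Those fields are filled in from the same sources when the slot is
 * actually created, so the stray writes are simply dropped here.  The
 * refresh path now also updates signature_msg and sid for every variant,
 * matching what the creation path stores.
 */
static void Xbit_Set_Or_Track( int rule_position, int i, const char *label,
                               char *ip_src, char *ip_dst, int want_sport, int want_dport,
                               char *selector, char *syslog_message, long now_epoch,
                               struct _Sagan_Xbit_Track **xbit_track, int *xbit_track_count )
{

    int a = 0;
    sbool updated = false;
    struct _Sagan_Xbit_Track *grown = NULL;

    for (a = 0; a < counters_ipc->xbit_count; a++)
        {

            if ( !Xbit_Selector_Match(selector, a) )
                {
                    continue;
                }

            if ( strcmp(xbit_ipc[a].xbit_name, rulestruct[rule_position].xbit_name[i]) != 0 )
                {
                    continue;
                }

            if ( !XBIT_IP_EQ(xbit_ipc[a].ip_src, ip_src) || !XBIT_IP_EQ(xbit_ipc[a].ip_dst, ip_dst) )
                {
                    continue;
                }

            if ( xbit_ipc[a].src_port != want_sport || xbit_ipc[a].dst_port != want_dport )
                {
                    continue;
                }

            /* Already in memory: refresh the timestamps and message data. */

            File_Lock(config->shm_xbit);
            pthread_mutex_lock(&Xbit_Mutex);

            xbit_ipc[a].xbit_date = now_epoch;
            xbit_ipc[a].xbit_expire = now_epoch + rulestruct[rule_position].xbit_timeout[i];
            xbit_ipc[a].xbit_state = true;

            strlcpy(xbit_ipc[a].syslog_message, syslog_message, sizeof(xbit_ipc[a].syslog_message));
            strlcpy(xbit_ipc[a].signature_msg, rulestruct[rule_position].s_msg, sizeof(xbit_ipc[a].signature_msg));
            strlcpy(xbit_ipc[a].sid, rulestruct[rule_position].s_sid, sizeof(xbit_ipc[a].sid));

            if ( debug->debugxbit)
                {
                    /* The expire time printed is that of slot `a` (the slot just
                     * updated), not of slot `i` as it used to be. */
                    Sagan_Log(DEBUG,"[%s, line %d] [%d] Updated via \"%s\" for xbit \"%s\". New expire time is %ld (%d) [ %s:%d -> %s:%d ]", __FILE__, __LINE__, a, label, rulestruct[rule_position].xbit_name[i], (long) xbit_ipc[a].xbit_expire, rulestruct[rule_position].xbit_timeout[i], xbit_ipc[a].ip_src, xbit_ipc[a].src_port, xbit_ipc[a].ip_dst, xbit_ipc[a].dst_port);
                }

            pthread_mutex_unlock(&Xbit_Mutex);
            File_Unlock(config->shm_xbit);

            updated = true;
        }

    if ( updated == true )
        {
            return;
        }

    /* Not in memory: remember it so the caller can create the slot. */

    grown = ( struct _Sagan_Xbit_Track * ) realloc(*xbit_track, (*xbit_track_count + 1) * sizeof(struct _Sagan_Xbit_Track));

    if ( grown == NULL )
        {
            Sagan_Log(ERROR, "[%s, line %d] Failed to reallocate memory for xbit_track. Abort!", __FILE__, __LINE__);
            /* Sagan_Log(ERROR) is expected to abort.  Should it return, leave
             * *xbit_track intact (still owned by the caller) and do not
             * dereference the NULL result. */
            return;
        }

    *xbit_track = grown;

    strlcpy(grown[*xbit_track_count].xbit_name, rulestruct[rule_position].xbit_name[i], sizeof(grown[*xbit_track_count].xbit_name));
    grown[*xbit_track_count].xbit_timeout = rulestruct[rule_position].xbit_timeout[i];
    grown[*xbit_track_count].xbit_srcport = want_sport;
    grown[*xbit_track_count].xbit_dstport = want_dport;

    (*xbit_track_count)++;
}

/* Xbit_Set_MMAP
 *
 * Applies every xbit "set"/"unset" style option of rule `rule_position` to
 * the mmap-backed xbit table for an event between ip_src:src_port and
 * ip_dst:dst_port.
 *
 *   xbit_type 2 ("unset")       clears the state of every slot whose name,
 *                                selector and direction match the event.
 *   xbit_type 1 ("set")         refreshes or creates the xbit with both
 *                                ports recorded as config->sagan_port.
 *   xbit_type 5 ("set_srcport") records the event source port only.
 *   xbit_type 6 ("set_dstport") records the event destination port only.
 *   xbit_type 7 ("set_ports")   records both event ports.
 *
 * Slots that did not exist yet are created after all options have been
 * processed, one per tracked request, provided Clean_IPC_Object(XBIT)
 * reports room.  Expired xbits are swept (Xbit_Cleanup_MMAP) first.
 *
 * Fixes relative to the previous revision:
 *   - the "already in memory?" flag is re-evaluated for every "set" option.
 *     It used to stay true after the first "set" matched, so any further
 *     "set" option of the same rule was silently never created.
 *   - the tracking path no longer scribbles into xbit_ipc[xbit_track_count]
 *     (see Xbit_Set_Or_Track).
 *   - Xbit_Mutex and the shm file lock are released in the reverse of the
 *     order they are taken, as everywhere else in this file.
 *   - debug output names the direction that actually matched (several
 *     messages were labelled with the wrong direction), and the "no xbit
 *     found to unset" message is reported per option rather than only when
 *     no option of the rule ever matched.
 */
void Xbit_Set_MMAP(int rule_position, char *ip_src, char *ip_dst, int src_port, int dst_port, char *selector, char *syslog_message )
{

    int i = 0;
    int a = 0;
    int slot = 0;
    int xbit_type = 0;
    int direction = 0;
    sbool xbit_unset_match = false;

    /* time(NULL) replaces the strftime("%s") + atol() round trip; "%s" is a
     * glibc extension and the result is the same epoch value. */
    long now_epoch = (long) time(NULL);

    struct _Sagan_Xbit_Track *xbit_track = NULL;   /* grown by realloc() as needed */
    int xbit_track_count = 0;

    Xbit_Cleanup_MMAP();

    for (i = 0; i < rulestruct[rule_position].xbit_count; i++)
        {

            xbit_type = rulestruct[rule_position].xbit_type[i];

            /*******************
             * UNSET           *
             *******************/

            if ( xbit_type == 2 )
                {

                    direction = rulestruct[rule_position].xbit_direction[i];
                    xbit_unset_match = false;

                    for (a = 0; a < counters_ipc->xbit_count; a++)
                        {

                            if ( !Xbit_Selector_Match(selector, a) )
                                {
                                    continue;
                                }

                            if ( strcmp(xbit_ipc[a].xbit_name, rulestruct[rule_position].xbit_name[i]) != 0 )
                                {
                                    continue;
                                }

                            if ( !Xbit_Direction_Match(direction, a, ip_src, ip_dst, src_port, dst_port) )
                                {
                                    continue;
                                }

                            if ( debug->debugxbit)
                                {
                                    Sagan_Log(DEBUG, "[%s, line %d] \"unset\" xbit \"%s\" (direction: \"%s\"). [ %s:%d -> %s:%d ]", __FILE__, __LINE__, xbit_ipc[a].xbit_name, Xbit_Direction_Name(direction), ip_src, src_port, ip_dst, dst_port);
                                }

                            File_Lock(config->shm_xbit);
                            pthread_mutex_lock(&Xbit_Mutex);

                            xbit_ipc[a].xbit_state = false;

                            pthread_mutex_unlock(&Xbit_Mutex);
                            File_Unlock(config->shm_xbit);

                            xbit_unset_match = true;
                        }

                    if ( debug->debugxbit && xbit_unset_match == false )
                        {
                            Sagan_Log(DEBUG, "[%s, line %d] No xbit found to \"unset\" for %s.", __FILE__, __LINE__, rulestruct[rule_position].xbit_name[i]);
                        }

                }

            /*******************
             * SET             *
             *******************/

            else if ( xbit_type == 1 )
                {
                    Xbit_Set_Or_Track(rule_position, i, "set", ip_src, ip_dst,
                                      config->sagan_port, config->sagan_port,
                                      selector, syslog_message, now_epoch,
                                      &xbit_track, &xbit_track_count);
                }

            /***************************
             * SET_SRCPORT             *
             ***************************/

            else if ( xbit_type == 5 )
                {
                    Xbit_Set_Or_Track(rule_position, i, "set_srcport", ip_src, ip_dst,
                                      src_port, config->sagan_port,
                                      selector, syslog_message, now_epoch,
                                      &xbit_track, &xbit_track_count);
                }

            /***************************
             * SET_DSTPORT             *
             ***************************/

            else if ( xbit_type == 6 )
                {
                    Xbit_Set_Or_Track(rule_position, i, "set_dstport", ip_src, ip_dst,
                                      config->sagan_port, dst_port,
                                      selector, syslog_message, now_epoch,
                                      &xbit_track, &xbit_track_count);
                }

            /*************************
             * SET_PORTS             *
             *************************/

            else if ( xbit_type == 7 )
                {
                    Xbit_Set_Or_Track(rule_position, i, "set_ports", ip_src, ip_dst,
                                      src_port, dst_port,
                                      selector, syslog_message, now_epoch,
                                      &xbit_track, &xbit_track_count);
                }

        } /* for i */

    /* Create the xbits that were not found in memory. */

    for (i = 0; i < xbit_track_count; i++)
        {

            if ( Clean_IPC_Object(XBIT) != 0 )
                {
                    /* Presumably "no room in the table" - previously this was
                     * skipped silently, which leaves rules chained on this xbit
                     * unable to fire without any trace.  Surface it in debug. */
                    if ( debug->debugxbit)
                        {
                            Sagan_Log(DEBUG, "[%s, line %d] Could not create xbit \"%s\" (Clean_IPC_Object returned non-zero).", __FILE__, __LINE__, xbit_track[i].xbit_name);
                        }
                    continue;
                }

            File_Lock(config->shm_xbit);
            pthread_mutex_lock(&Xbit_Mutex);

            /* Read the slot index once, after the locks are held. */
            slot = counters_ipc->xbit_count;

            memcpy(xbit_ipc[slot].ip_src, ip_src, sizeof(xbit_ipc[slot].ip_src));
            memcpy(xbit_ipc[slot].ip_dst, ip_dst, sizeof(xbit_ipc[slot].ip_dst));

            if ( selector == NULL )
                {
                    xbit_ipc[slot].selector[0] = '\0';
                }
            else
                {
                    strlcpy(xbit_ipc[slot].selector, selector, MAXSELECTOR);
                }

            xbit_ipc[slot].src_port = xbit_track[i].xbit_srcport;
            xbit_ipc[slot].dst_port = xbit_track[i].xbit_dstport;
            xbit_ipc[slot].xbit_date = now_epoch;
            xbit_ipc[slot].xbit_expire = now_epoch + xbit_track[i].xbit_timeout;
            xbit_ipc[slot].xbit_state = true;
            xbit_ipc[slot].expire = xbit_track[i].xbit_timeout;

            strlcpy(xbit_ipc[slot].xbit_name, xbit_track[i].xbit_name, sizeof(xbit_ipc[slot].xbit_name));
            strlcpy(xbit_ipc[slot].signature_msg, rulestruct[rule_position].s_msg, sizeof(xbit_ipc[slot].signature_msg));
            strlcpy(xbit_ipc[slot].sid, rulestruct[rule_position].s_sid, sizeof(xbit_ipc[slot].sid));
            strlcpy(xbit_ipc[slot].syslog_message, syslog_message, sizeof(xbit_ipc[slot].syslog_message));

            if ( debug->debugxbit)
                {
                    Sagan_Log(DEBUG, "[%s, line %d] [%d] Created xbit \"%s\" via \"set, set_srcport, set_dstport, or set_ports\" [%s:%d -> %s:%d]", __FILE__, __LINE__, slot, xbit_ipc[slot].xbit_name, ip_src, xbit_track[i].xbit_srcport, ip_dst, xbit_track[i].xbit_dstport);
                }

            File_Lock(config->shm_counters);
            counters_ipc->xbit_count++;
            File_Unlock(config->shm_counters);

            /* Release in reverse acquisition order (mutex first, then the file lock). */
            pthread_mutex_unlock(&Xbit_Mutex);
            File_Unlock(config->shm_xbit);
        }

    free(xbit_track);   /* free(NULL) is a no-op when nothing was tracked */

} /* End of Xbit_Set */

/*****************************************************************************
 * Xbit_Cleanup - Find "expired" xbits and toggle the "state"
 * to "off"
 *****************************************************************************/

/* Walks every slot of the xbit table and clears xbit_state on entries whose
 * xbit_expire is at or before the current time.  Slots are not removed, only
 * marked; readers must therefore test xbit_state, not mere presence. */
void Xbit_Cleanup_MMAP(void)
{

    int i = 0;
    long now_epoch = (long) time(NULL);

    for (i = 0; i < counters_ipc->xbit_count; i++)
        {

            if ( xbit_ipc[i].xbit_state == true && now_epoch >= xbit_ipc[i].xbit_expire )
                {

                    if (debug->debugxbit)
                        {
                            Sagan_Log(DEBUG, "[%s, line %d] Setting xbit %s to \"expired\" state.", __FILE__, __LINE__, xbit_ipc[i].xbit_name);
                        }

                    /* NOTE(review): unlike every other writer of xbit_state in this
                     * file, this store is made without File_Lock(config->shm_xbit)
                     * and Xbit_Mutex.  Other callers of this function are not
                     * visible here; if none hold those locks, the sweep should take
                     * them too. */
                    xbit_ipc[i].xbit_state = false;
                }
        }
}
sagan-1.2.0/src/processors/0000755000175000017500000000000013310531444014534 5ustar champchampsagan-1.2.0/src/processors/bro-intel.c0000644000175000017500000010641613310531444016603 0ustar champchamp
/*
** Copyright (C) 2009-2018 Quadrant Information Security
** Copyright (C) 2009-2018 Champ Clark III
**
** This program is free software; you can redistribute it and/or modify
** it under the terms of the GNU General Public License Version 2 as
** published by the Free Software Foundation.  You may not use, modify or
** distribute this program under any other version of the GNU General
** Public License.
**
** This program is distributed in the hope that it will be useful,
** but WITHOUT ANY WARRANTY; without even the implied warranty of
** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
** GNU General Public License for more details.
**
** You should have received a copy of the GNU General Public License
** along with this program; if not, write to the Free Software
** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
*/

/* bro-intel.c
 *
 * This allows Sagan to read in Bro Intel files, like those from Critical
 * Stack (https://intel.brointel.com).
 *
 */

/* TODO: needs stats and perfmon!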
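*/

#ifdef HAVE_CONFIG_H
#include "config.h"             /* From autoconf */
#endif

/* System headers: the <...> operands of these seven includes were lost in this
 * rendering of the file and are reproduced here exactly as they appear. */
#include #include #include #include #include #include #include

#include "sagan.h"
#include "sagan-defs.h"
#include "sagan-config.h"
#include "parsers/parsers.h"
#include "processors/bro-intel.h"

/* Longest feed line we read in one fgets(); longer lines are split by fgets()
 * and the remainder is parsed as a separate (almost certainly invalid) line. */
#define MAX_BROINTEL_LINE_SIZE 10240

struct _SaganConfig *config;
struct _SaganCounters *counters;
struct _SaganDebug *debug;

struct _Sagan_Processor_Info *processor_info_brointel = NULL;

/* One growable array per Intel::* type; sized by the matching
 * counters->brointel_*_count field. */
struct _Sagan_BroIntel_Intel_Addr *Sagan_BroIntel_Intel_Addr;
struct _Sagan_BroIntel_Intel_Domain *Sagan_BroIntel_Intel_Domain;
struct _Sagan_BroIntel_Intel_File_Hash *Sagan_BroIntel_Intel_File_Hash;
struct _Sagan_BroIntel_Intel_URL *Sagan_BroIntel_Intel_URL;
struct _Sagan_BroIntel_Intel_Software *Sagan_BroIntel_Intel_Software;
struct _Sagan_BroIntel_Intel_Email *Sagan_BroIntel_Intel_Email;
struct _Sagan_BroIntel_Intel_User_Name *Sagan_BroIntel_Intel_User_Name;
struct _Sagan_BroIntel_Intel_File_Name *Sagan_BroIntel_Intel_File_Name;
struct _Sagan_BroIntel_Intel_Cert_Hash *Sagan_BroIntel_Intel_Cert_Hash;

/* Guards every counters->brointel_* write in this file. */
pthread_mutex_t CounterBroIntelGenericMutex=PTHREAD_MUTEX_INITIALIZER;

/*****************************************************************************
 * Sagan_BroIntel_Init - Sets up globals.  Not really used yet.
 *****************************************************************************/

void Sagan_BroIntel_Init(void)
{

}

/*****************************************************************************
 * brointel_grow - Grow one of the Intel arrays by exactly one element.
 *
 * base      : current array base (NULL on first use is fine for realloc)
 * count     : number of elements currently in use
 * elem_size : sizeof one element
 * name      : array name, used in the error message only
 *
 * Returns the (possibly relocated) base, or NULL when realloc fails.  The
 * failure is logged at ERROR level; the "Abort!" wording used throughout this
 * file suggests Sagan_Log(ERROR) is fatal, but that is not verified here, so
 * callers still check for NULL and keep their old base pointer.
 *****************************************************************************/

static void *brointel_grow ( void *base, int count, size_t elem_size, const char *name )
{
    void *grown = realloc(base, ((size_t)count + 1) * elem_size);

    if ( grown == NULL ) {
        Sagan_Log(ERROR, "[%s, line %d] Failed to reallocate memory for %s. Abort!", __FILE__, __LINE__, name);
    }

    return(grown);
}

/*****************************************************************************
 * brointel_note_dup - Warn about a duplicate string-keyed feed entry and bump
 * counters->brointel_dups under the counter mutex.
 *
 * type     : the Intel::* type name as it appears in the feed
 * value    : the duplicated value
 * filename : feed file being read
 * line     : 1-based line number within that file
 *****************************************************************************/

static void brointel_note_dup ( const char *type, const char *value, const char *filename, int line )
{
    Sagan_Log(WARN, "[%s, line %d] Got duplicate %s '%s' in %s on line %d.", __FILE__, __LINE__, type, value, filename, line);

    pthread_mutex_lock(&CounterBroIntelGenericMutex);
    counters->brointel_dups++;
    pthread_mutex_unlock(&CounterBroIntelGenericMutex);
}

/*****************************************************************************
 * Sagan_BroIntel_Load_File - Loads Bro Intel data and splits it up into the
 * per-type arrays above.
 *
 * Reads every file named in config->brointel_files (comma separated; strtok_r
 * modifies that string in place).  Each non-comment line is expected to be
 * three tab-separated fields: value, Intel::TYPE, description.  The
 * description must be present but is not stored.  Duplicates within a type
 * are warned about and counted in counters->brointel_dups rather than stored.
 *
 * Fixes relative to the previous version: line_count was never initialised
 * for the first file; a line with a missing field was warned about and then
 * still handed to strcmp() with a NULL type; the Intel::SOFTWARE duplicate
 * scan incremented counters->brointel_software_count in its loop condition;
 * the Intel::FILE_HASH count was bumped without the mutex; the
 * Intel::USER_NAME duplicate message used "%." instead of "%d".
 *****************************************************************************/

void Sagan_BroIntel_Load_File ( void )
{

    FILE *brointel_file = NULL;
    char *value = NULL;
    char *type = NULL;
    char *description = NULL;
    char *tok = NULL;
    char *ptmp = NULL;
    char *brointel_filename = NULL;
    void *grown = NULL;
    char brointelbuf[MAX_BROINTEL_LINE_SIZE] = { 0 };
    unsigned char bits_ip[MAXIPBIT] = { 0 };
    sbool dup = false;
    int line_count = 0;
    int i = 0;

    pthread_mutex_lock(&CounterBroIntelGenericMutex);
    counters->brointel_dups = 0;
    pthread_mutex_unlock(&CounterBroIntelGenericMutex);

    brointel_filename = strtok_r(config->brointel_files, ",", &ptmp);

    while ( brointel_filename != NULL ) {

        Sagan_Log(NORMAL, "Bro Intel Processor Loading File: %s.", brointel_filename);

        brointel_file = fopen(brointel_filename, "r");

        if ( brointel_file == NULL ) {
            Sagan_Log(ERROR, "[%s, line %d] Could not load Bro Intel file! (%s - %s)", __FILE__, __LINE__, brointel_filename, strerror(errno));
            /* Only reached if Sagan_Log(ERROR) returns: skip the file rather
             * than call fgets() on a NULL FILE *. */
            brointel_filename = strtok_r(NULL, ",", &ptmp);
            continue;
        }

        line_count = 0;

        while ( fgets(brointelbuf, MAX_BROINTEL_LINE_SIZE, brointel_file) != NULL ) {

            line_count++;       /* 1-based, for diagnostics */

            /* Skip comments and blank lines */
            if ( brointelbuf[0] == '#' || brointelbuf[0] == '\n' || brointelbuf[0] == ';' || brointelbuf[0] == ' ' ) {
                continue;
            }

            Remove_Return(brointelbuf);

            value = strtok_r(brointelbuf, "\t", &tok);
            type = strtok_r(NULL, "\t", &tok);
            description = strtok_r(NULL, "\t", &tok);

            if ( value == NULL || type == NULL || description == NULL ) {
                Sagan_Log(WARN, "[%s, line %d] Got invalid line at %d in %s", __FILE__, __LINE__, line_count, brointel_filename);
                continue;
            }

            dup = false;

            if ( !strcmp(type, "Intel::ADDR") ) {

                if ( !IP2Bit(value, bits_ip) ) {
                    Sagan_Log(WARN, "[%s, line %d] Got invalid Intel::ADDR '%s' in %s on line %d, skipping.", __FILE__, __LINE__, value, brointel_filename, line_count);
                    continue;
                }

                for ( i = 0; i < counters->brointel_addr_count; i++ ) {
                    if ( !memcmp(Sagan_BroIntel_Intel_Addr[i].bits_ip, bits_ip, MAXIPBIT) ) {
                        Sagan_Log(WARN, "[%s, line %d] Got duplicate Intel::ADDR address %s in %s on line %d.", __FILE__, __LINE__, value, brointel_filename, line_count);
                        pthread_mutex_lock(&CounterBroIntelGenericMutex);
                        counters->brointel_dups++;
                        pthread_mutex_unlock(&CounterBroIntelGenericMutex);
                        dup = true;
                        break;
                    }
                }

                if ( dup == false ) {
                    grown = brointel_grow(Sagan_BroIntel_Intel_Addr, counters->brointel_addr_count, sizeof(*Sagan_BroIntel_Intel_Addr), "Sagan_BroIntel_Intel_Addr");
                    if ( grown == NULL ) continue;
                    Sagan_BroIntel_Intel_Addr = grown;
                    pthread_mutex_lock(&CounterBroIntelGenericMutex);
                    memcpy(Sagan_BroIntel_Intel_Addr[counters->brointel_addr_count].bits_ip, bits_ip, sizeof(bits_ip));
                    counters->brointel_addr_count++;
                    pthread_mutex_unlock(&CounterBroIntelGenericMutex);
                }

            } else if ( !strcmp(type, "Intel::DOMAIN") ) {

                To_LowerC(value);

                for ( i = 0; i < counters->brointel_domain_count; i++ ) {
                    if ( !strcasecmp(Sagan_BroIntel_Intel_Domain[i].domain, value) ) {
                        brointel_note_dup("Intel::DOMAIN", value, brointel_filename, line_count);
                        dup = true;
                        break;
                    }
                }

                if ( dup == false ) {
                    grown = brointel_grow(Sagan_BroIntel_Intel_Domain, counters->brointel_domain_count, sizeof(*Sagan_BroIntel_Intel_Domain), "Sagan_BroIntel_Intel_Domain");
                    if ( grown == NULL ) continue;
                    Sagan_BroIntel_Intel_Domain = grown;
                    strlcpy(Sagan_BroIntel_Intel_Domain[counters->brointel_domain_count].domain, value, sizeof(Sagan_BroIntel_Intel_Domain[counters->brointel_domain_count].domain));
                    pthread_mutex_lock(&CounterBroIntelGenericMutex);
                    counters->brointel_domain_count++;
                    pthread_mutex_unlock(&CounterBroIntelGenericMutex);
                }

            } else if ( !strcmp(type, "Intel::FILE_HASH") ) {

                To_LowerC(value);

                for ( i = 0; i < counters->brointel_file_hash_count; i++ ) {
                    if ( !strcasecmp(Sagan_BroIntel_Intel_File_Hash[i].hash, value) ) {
                        brointel_note_dup("Intel::FILE_HASH", value, brointel_filename, line_count);
                        dup = true;
                        break;
                    }
                }

                if ( dup == false ) {
                    grown = brointel_grow(Sagan_BroIntel_Intel_File_Hash, counters->brointel_file_hash_count, sizeof(*Sagan_BroIntel_Intel_File_Hash), "Sagan_BroIntel_Intel_File_Hash");
                    if ( grown == NULL ) continue;
                    Sagan_BroIntel_Intel_File_Hash = grown;
                    strlcpy(Sagan_BroIntel_Intel_File_Hash[counters->brointel_file_hash_count].hash, value, sizeof(Sagan_BroIntel_Intel_File_Hash[counters->brointel_file_hash_count].hash));
                    pthread_mutex_lock(&CounterBroIntelGenericMutex);
                    counters->brointel_file_hash_count++;
                    pthread_mutex_unlock(&CounterBroIntelGenericMutex);
                }

            } else if ( !strcmp(type, "Intel::URL") ) {

                To_LowerC(value);

                for ( i = 0; i < counters->brointel_url_count; i++ ) {
                    if ( !strcasecmp(Sagan_BroIntel_Intel_URL[i].url, value) ) {
                        brointel_note_dup("Intel::URL", value, brointel_filename, line_count);
                        dup = true;
                        break;
                    }
                }

                if ( dup == false ) {
                    grown = brointel_grow(Sagan_BroIntel_Intel_URL, counters->brointel_url_count, sizeof(*Sagan_BroIntel_Intel_URL), "Sagan_BroIntel_Intel_URL");
                    if ( grown == NULL ) continue;
                    Sagan_BroIntel_Intel_URL = grown;
                    strlcpy(Sagan_BroIntel_Intel_URL[counters->brointel_url_count].url, value, sizeof(Sagan_BroIntel_Intel_URL[counters->brointel_url_count].url));
                    pthread_mutex_lock(&CounterBroIntelGenericMutex);
                    counters->brointel_url_count++;
                    pthread_mutex_unlock(&CounterBroIntelGenericMutex);
                }

            } else if ( !strcmp(type, "Intel::SOFTWARE") ) {

                To_LowerC(value);

                for ( i = 0; i < counters->brointel_software_count; i++ ) {
                    if ( !strcasecmp(Sagan_BroIntel_Intel_Software[i].software, value) ) {
                        brointel_note_dup("Intel::SOFTWARE", value, brointel_filename, line_count);
                        dup = true;
                        break;
                    }
                }

                if ( dup == false ) {
                    grown = brointel_grow(Sagan_BroIntel_Intel_Software, counters->brointel_software_count, sizeof(*Sagan_BroIntel_Intel_Software), "Sagan_BroIntel_Intel_Software");
                    if ( grown == NULL ) continue;
                    Sagan_BroIntel_Intel_Software = grown;
                    strlcpy(Sagan_BroIntel_Intel_Software[counters->brointel_software_count].software, value, sizeof(Sagan_BroIntel_Intel_Software[counters->brointel_software_count].software));
                    pthread_mutex_lock(&CounterBroIntelGenericMutex);
                    counters->brointel_software_count++;
                    pthread_mutex_unlock(&CounterBroIntelGenericMutex);
                }

            } else if ( !strcmp(type, "Intel::EMAIL") ) {

                To_LowerC(value);

                for ( i = 0; i < counters->brointel_email_count; i++ ) {
                    if ( !strcasecmp(Sagan_BroIntel_Intel_Email[i].email, value) ) {
                        brointel_note_dup("Intel::EMAIL", value, brointel_filename, line_count);
                        dup = true;
                        break;
                    }
                }

                if ( dup == false ) {
                    grown = brointel_grow(Sagan_BroIntel_Intel_Email, counters->brointel_email_count, sizeof(*Sagan_BroIntel_Intel_Email), "Sagan_BroIntel_Intel_Email");
                    if ( grown == NULL ) continue;
                    Sagan_BroIntel_Intel_Email = grown;
                    strlcpy(Sagan_BroIntel_Intel_Email[counters->brointel_email_count].email, value, sizeof(Sagan_BroIntel_Intel_Email[counters->brointel_email_count].email));
                    pthread_mutex_lock(&CounterBroIntelGenericMutex);
                    counters->brointel_email_count++;
                    pthread_mutex_unlock(&CounterBroIntelGenericMutex);
                }

            } else if ( !strcmp(type, "Intel::USER_NAME") ) {

                To_LowerC(value);

                for ( i = 0; i < counters->brointel_user_name_count; i++ ) {
                    if ( !strcasecmp(Sagan_BroIntel_Intel_User_Name[i].username, value) ) {
                        brointel_note_dup("Intel::USER_NAME", value, brointel_filename, line_count);
                        dup = true;
                        break;
                    }
                }

                if ( dup == false ) {
                    grown = brointel_grow(Sagan_BroIntel_Intel_User_Name, counters->brointel_user_name_count, sizeof(*Sagan_BroIntel_Intel_User_Name), "Sagan_BroIntel_Intel_User_Name");
                    if ( grown == NULL ) continue;
                    Sagan_BroIntel_Intel_User_Name = grown;
                    strlcpy(Sagan_BroIntel_Intel_User_Name[counters->brointel_user_name_count].username, value, sizeof(Sagan_BroIntel_Intel_User_Name[counters->brointel_user_name_count].username));
                    pthread_mutex_lock(&CounterBroIntelGenericMutex);
                    counters->brointel_user_name_count++;
                    pthread_mutex_unlock(&CounterBroIntelGenericMutex);
                }

            } else if ( !strcmp(type, "Intel::FILE_NAME") ) {

                To_LowerC(value);

                for ( i = 0; i < counters->brointel_file_name_count; i++ ) {
                    if ( !strcasecmp(Sagan_BroIntel_Intel_File_Name[i].file_name, value) ) {
                        brointel_note_dup("Intel::FILE_NAME", value, brointel_filename, line_count);
                        dup = true;
                        break;
                    }
                }

                if ( dup == false ) {
                    grown = brointel_grow(Sagan_BroIntel_Intel_File_Name, counters->brointel_file_name_count, sizeof(*Sagan_BroIntel_Intel_File_Name), "Sagan_BroIntel_Intel_File_Name");
                    if ( grown == NULL ) continue;
                    Sagan_BroIntel_Intel_File_Name = grown;
                    strlcpy(Sagan_BroIntel_Intel_File_Name[counters->brointel_file_name_count].file_name, value, sizeof(Sagan_BroIntel_Intel_File_Name[counters->brointel_file_name_count].file_name));
                    pthread_mutex_lock(&CounterBroIntelGenericMutex);
                    counters->brointel_file_name_count++;
                    pthread_mutex_unlock(&CounterBroIntelGenericMutex);
                }

            } else if ( !strcmp(type, "Intel::CERT_HASH") ) {

                To_LowerC(value);

                for ( i = 0; i < counters->brointel_cert_hash_count; i++ ) {
                    if ( !strcasecmp(Sagan_BroIntel_Intel_Cert_Hash[i].cert_hash, value) ) {
                        brointel_note_dup("Intel::CERT_HASH", value, brointel_filename, line_count);
                        dup = true;
                        break;
                    }
                }

                if ( dup == false ) {
                    grown = brointel_grow(Sagan_BroIntel_Intel_Cert_Hash, counters->brointel_cert_hash_count, sizeof(*Sagan_BroIntel_Intel_Cert_Hash), "Sagan_BroIntel_Intel_Cert_Hash");
                    if ( grown == NULL ) continue;
                    Sagan_BroIntel_Intel_Cert_Hash = grown;
                    strlcpy(Sagan_BroIntel_Intel_Cert_Hash[counters->brointel_cert_hash_count].cert_hash, value, sizeof(Sagan_BroIntel_Intel_Cert_Hash[counters->brointel_cert_hash_count].cert_hash));
                    pthread_mutex_lock(&CounterBroIntelGenericMutex);
                    counters->brointel_cert_hash_count++;
                    pthread_mutex_unlock(&CounterBroIntelGenericMutex);
                }

            } else if ( debug->debugbrointel ) {

                /* Any other Intel::* type is silently ignored, as before. */
                Sagan_Log(DEBUG, "[%s, line %d] Ignoring unsupported type '%s' at line %d in %s.", __FILE__, __LINE__, type, line_count, brointel_filename);

            }
        }

        fclose(brointel_file);

        brointel_filename = strtok_r(NULL, ",", &ptmp);
    }
}

/*****************************************************************************
 * Sagan_BroIntel_IPADDR - Search the Intel::ADDR array for a single address.
 *
 * ip     : the address in MAXIPBIT binary form (as produced by IP2Bit)
 * ipaddr : the same address as text, used only for debug output
 *
 * Returns true when ip is listed; false when it is not or when is_notroutable()
 * says it is RFC1918 / link-local / invalid.  The previous version copied ip
 * into a local buffer before comparing and printed the binary pointer with
 * "%u" in the hit message; both are gone.
 *****************************************************************************/

sbool Sagan_BroIntel_IPADDR ( unsigned char *ip, char *ipaddr )
{

    int i = 0;

    /* Private / link-local addresses never appear in a public feed, so skip the scan. */
    if ( is_notroutable(ip) ) {

        if ( debug->debugbrointel ) {
            Sagan_Log(DEBUG, "[%s, line %d] %s is RFC1918, link local or invalid.", __FILE__, __LINE__, ipaddr );
        }

        return(false);
    }

    for ( i = 0; i < counters->brointel_addr_count; i++ ) {

        if ( !memcmp(ip, Sagan_BroIntel_Intel_Addr[i].bits_ip, MAXIPBIT) ) {

            if ( debug->debugbrointel ) {
                Sagan_Log(DEBUG, "[%s, line %d] Found IP %s.", __FILE__, __LINE__, ipaddr);
            }

            return(true);
        }
    }

    return(false);
}

/*****************************************************************************
 * Sagan_BroIntel_IPADDR_All - Search and tests _all_ IP addresses within
 * a syslog_message (regardless of lognorm/parse ip)!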
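*****************************************************************************/

sbool Sagan_BroIntel_IPADDR_All ( char *syslog_message, _Sagan_Lookup_Cache_Entry *lookup_cache, size_t cache_size )
{

    size_t i = 0;
    int b = 0;

    (void)syslog_message;   /* the addresses come pre-parsed in lookup_cache */

    /* The previous version walked MAX_PARSE_IP entries and ignored cache_size;
     * both bounds are honoured now so a smaller cache is never over-read.
     * NOTE(review): cache_size is taken as an element count, like the int
     * lookup_cache_size of Sagan_Blacklist_IPADDR_All — confirm against the caller. */
    for ( i = 0; i < MAX_PARSE_IP && i < cache_size; i++ ) {

        /* status == 0 marks the first unused slot; the cache is filled contiguously. */
        if ( lookup_cache[i].status == 0 ) {
            return(false);
        }

        for ( b = 0; b < counters->brointel_addr_count; b++ ) {
            if ( !memcmp(Sagan_BroIntel_Intel_Addr[b].bits_ip, lookup_cache[i].ip_bits, sizeof(Sagan_BroIntel_Intel_Addr[b].bits_ip)) ) {
                return(true);
            }
        }
    }

    return(false);
}

/*****************************************************************************
 * Sagan_BroIntel_DOMAIN - Case-insensitive substring search of syslog_message
 * against every loaded Intel::DOMAIN value.  Returns true on the first hit.
 *****************************************************************************/

sbool Sagan_BroIntel_DOMAIN ( char *syslog_message )
{

    int i = 0;

    for ( i = 0; i < counters->brointel_domain_count; i++ ) {

        if ( Sagan_stristr(syslog_message, Sagan_BroIntel_Intel_Domain[i].domain, false) ) {

            if ( debug->debugbrointel ) {
                Sagan_Log(DEBUG, "[%s, line %d] Found domain %s.", __FILE__, __LINE__, Sagan_BroIntel_Intel_Domain[i].domain);
            }

            return(true);
        }
    }

    return(false);
}

/*****************************************************************************
 * Sagan_BroIntel_FILE_HASH - Substring search against the Intel::FILE_HASH
 * array.  Returns true on the first hit.
 *****************************************************************************/

sbool Sagan_BroIntel_FILE_HASH ( char *syslog_message )
{

    int i = 0;

    for ( i = 0; i < counters->brointel_file_hash_count; i++ ) {

        if ( Sagan_stristr(syslog_message, Sagan_BroIntel_Intel_File_Hash[i].hash, false) ) {

            if ( debug->debugbrointel ) {
                Sagan_Log(DEBUG, "[%s, line %d] Found file hash %s.", __FILE__, __LINE__, Sagan_BroIntel_Intel_File_Hash[i].hash);
            }

            return(true);
        }
    }

    return(false);
}

/*****************************************************************************
 * Sagan_BroIntel_URL - Substring search against the Intel::URL array.
 * Returns true on the first hit.
 *****************************************************************************/

sbool Sagan_BroIntel_URL ( char *syslog_message )
{

    int i = 0;

    for ( i = 0; i < counters->brointel_url_count; i++ ) {

        if ( Sagan_stristr(syslog_message, Sagan_BroIntel_Intel_URL[i].url, false) ) {

            if ( debug->debugbrointel ) {
                Sagan_Log(DEBUG, "[%s, line %d] Found URL \"%s\".", __FILE__, __LINE__, Sagan_BroIntel_Intel_URL[i].url);
            }

            return(true);
        }
    }

    return(false);
}

/*****************************************************************************
 * Sagan_BroIntel_SOFTWARE - Substring search against the Intel::SOFTWARE
 * array.  Returns true on the first hit.
 *****************************************************************************/

sbool Sagan_BroIntel_SOFTWARE ( char *syslog_message )
{

    int i = 0;

    for ( i = 0; i < counters->brointel_software_count; i++ ) {

        if ( Sagan_stristr(syslog_message, Sagan_BroIntel_Intel_Software[i].software, false) ) {

            if ( debug->debugbrointel ) {
                Sagan_Log(DEBUG, "[%s, line %d] Found software \"%s\".", __FILE__, __LINE__, Sagan_BroIntel_Intel_Software[i].software);
            }

            return(true);
        }
    }

    return(false);
}

/*****************************************************************************
 * Sagan_BroIntel_EMAIL - Substring search against the Intel::EMAIL array.
 * Returns true on the first hit.
 *****************************************************************************/

sbool Sagan_BroIntel_EMAIL ( char *syslog_message )
{

    int i = 0;

    for ( i = 0; i < counters->brointel_email_count; i++ ) {

        if ( Sagan_stristr(syslog_message, Sagan_BroIntel_Intel_Email[i].email, false) ) {

            if ( debug->debugbrointel ) {
                Sagan_Log(DEBUG, "[%s, line %d] Found e-mail address \"%s\".", __FILE__, __LINE__, Sagan_BroIntel_Intel_Email[i].email);
            }

            return(true);
        }
    }

    return(false);
}

/*****************************************************************************
 * Sagan_BroIntel_USER_NAME - Substring search against the Intel::USER_NAME
 * array.  Returns true on the first hit.
 *****************************************************************************/

sbool Sagan_BroIntel_USER_NAME ( char *syslog_message )
{

    int i = 0;

    for ( i = 0; i < counters->brointel_user_name_count; i++ ) {

        if ( Sagan_stristr(syslog_message, Sagan_BroIntel_Intel_User_Name[i].username, false) ) {

            if ( debug->debugbrointel ) {
                Sagan_Log(DEBUG, "[%s, line %d] Found the username \"%s\".", __FILE__, __LINE__, Sagan_BroIntel_Intel_User_Name[i].username);
            }

            return(true);
        }
    }

    return(false);
}

/*****************************************************************************
 * Sagan_BroIntel_FILE_NAME - Substring search against the Intel::FILE_NAME
 * array.  Returns true on the first hit.
 *****************************************************************************/

sbool Sagan_BroIntel_FILE_NAME ( char *syslog_message )
{

    int i = 0;

    for ( i = 0; i < counters->brointel_file_name_count; i++ ) {

        if ( Sagan_stristr(syslog_message, Sagan_BroIntel_Intel_File_Name[i].file_name, false) ) {

            if ( debug->debugbrointel ) {
                Sagan_Log(DEBUG, "[%s, line %d] Found the file name \"%s\".", __FILE__, __LINE__, Sagan_BroIntel_Intel_File_Name[i].file_name);
            }

            return(true);
        }
    }

    return(false);
}

/*****************************************************************************
 * Sagan_BroIntel_CERT_HASH - Substring search against the Intel::CERT_HASH
 * array.  Returns true on the first hit.
 *****************************************************************************/

sbool Sagan_BroIntel_CERT_HASH ( char *syslog_message )
{

    int i = 0;

    for ( i = 0; i < counters->brointel_cert_hash_count; i++ ) {

        if ( Sagan_stristr(syslog_message, Sagan_BroIntel_Intel_Cert_Hash[i].cert_hash, false) ) {

            if ( debug->debugbrointel ) {
                Sagan_Log(DEBUG, "[%s, line %d] Found the CERT_HASH \"%s\".", __FILE__, __LINE__, Sagan_BroIntel_Intel_Cert_Hash[i].cert_hash);
            }

            return(true);
        }
    }

    return(false);
}
sagan-1.2.0/src/processors/blacklist.c0000644000175000017500000002530213310531444016652 0ustar champchamp/*
** Copyright (C) 2009-2018 Quadrant Information Security
** Copyright (C) 2009-2018 Champ Clark III
**
** This program is free software; you can redistribute it and/or modify
** it under the terms of the GNU General Public License Version 2 as
** published by the Free Software Foundation.  You may not use, modify or
** distribute this program under any other version of the GNU General
** Public License.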
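**
** This program is distributed in the hope that it will be useful,
** but WITHOUT ANY WARRANTY; without even the implied warranty of
** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
** GNU General Public License for more details.
**
** You should have received a copy of the GNU General Public License
** along with this program; if not, write to the Free Software
** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
*/

/* blacklist.c
 *
 * This searches log lines for IP addresses/networks that are loaded
 * from a "blacklist" file.  For example, you might search log lines for
 * known bad IP/Networks.  This processor uses the CIDR format:
 * 192.168.1.1/32 (single ip) or 192.168.1.0/24.
 *
 */

#ifdef HAVE_CONFIG_H
#include "config.h"             /* From autoconf */
#endif

/* System headers: the <...> operands of these seven includes were lost in this
 * rendering of the file and are reproduced here exactly as they appear. */
#include #include #include #include #include #include #include

#include "sagan.h"
#include "sagan-defs.h"
#include "sagan-config.h"
#include "parsers/parsers.h"
#include "processors/blacklist.h"

struct _SaganCounters *counters;
struct _SaganConfig *config;
struct _SaganDebug *debug;

/* Growable array of CIDR ranges; counters->blacklist_count entries are valid. */
struct _Sagan_Blacklist *SaganBlacklist;

/* Guards every counters->blacklist_* write in this file. */
pthread_mutex_t CounterBlacklistGenericMutex=PTHREAD_MUTEX_INITIALIZER;

/****************************************************************************
 * Sagan_Blacklist_Init - Init any global memory structures we might need.
 * Currently this only zeroes the entry counter.
 ****************************************************************************/

void Sagan_Blacklist_Init ( void )
{

    pthread_mutex_lock(&CounterBlacklistGenericMutex);
    counters->blacklist_count = 0;
    pthread_mutex_unlock(&CounterBlacklistGenericMutex);

}

/****************************************************************************
 * Sagan_Blacklist_Load - Loads the CIDR ranges from every file named in
 * config->blacklist_files (comma separated; strtok_r modifies that string
 * in place) into SaganBlacklist so they can be queried later.
 *
 * Each non-comment line is "address" or "address/mask".  A line with no
 * mask is treated as /32.  Lines with an invalid address or mask, and
 * duplicates, are logged and skipped.
 *
 * Fixes relative to the previous version: the per-file summary log passed
 * counters->blacklist_count++ as an argument, so after every file the count
 * was one higher than the number of stored ranges and lookups compared
 * against an element that was never written; the array was also grown once
 * per non-comment line before the line was validated, and fopen() failure
 * fell through to fgets() on a NULL FILE *.
 ****************************************************************************/

void Sagan_Blacklist_Load ( void )
{

    FILE *blacklist = NULL;
    char *tok = NULL;
    char *tmpmask = NULL;
    char *iprange = NULL;
    char *blacklist_filename = NULL;
    char *ptmp = NULL;
    void *grown = NULL;
    char blacklistbuf[1024] = { 0 };
    unsigned char ipbits[MAXIPBIT] = { 0 };
    unsigned char maskbits[MAXIPBIT] = { 0 };
    int mask = 0;
    int line_count = 0;
    int item_count = 0;
    int i = 0;
    sbool skip = false;

    pthread_mutex_lock(&CounterBlacklistGenericMutex);
    counters->blacklist_count = 0;
    pthread_mutex_unlock(&CounterBlacklistGenericMutex);

    blacklist_filename = strtok_r(config->blacklist_files, ",", &ptmp);

    Sagan_Log(NORMAL, "");

    while ( blacklist_filename != NULL ) {

        blacklist = fopen(blacklist_filename, "r");

        if ( blacklist == NULL ) {
            Sagan_Log(ERROR, "[%s, line %d] Could not load blacklist file! (%s - %s)", __FILE__, __LINE__, blacklist_filename, strerror(errno));
            /* The "Abort!" wording elsewhere suggests Sagan_Log(ERROR) is fatal;
             * if it returns, move on instead of reading a NULL FILE *. */
            blacklist_filename = strtok_r(NULL, ",", &ptmp);
            continue;
        }

        line_count = 0;
        item_count = 0;

        while ( fgets(blacklistbuf, sizeof(blacklistbuf), blacklist) != NULL ) {

            line_count++;       /* 1-based, for diagnostics */

            /* Skip comments and blank lines */
            if ( blacklistbuf[0] == '#' || blacklistbuf[0] == '\n' || blacklistbuf[0] == ';' || blacklistbuf[0] == ' ' ) {
                continue;
            }

            Remove_Return(blacklistbuf);

            iprange = strtok_r(blacklistbuf, "/", &tok);
            tmpmask = strtok_r(NULL, "/", &tok);

            if ( tmpmask == NULL ) {
                /* No CIDR suffix: a single host. */
                mask = 32;
                tmpmask = "32";
            } else {
                mask = atoi(tmpmask);
            }

            skip = false;

            if ( iprange == NULL ) {
                Sagan_Log(ERROR, "[%s, line %d] Invalid range in %s at line %d, skipping....", __FILE__, __LINE__, blacklist_filename, line_count);
                skip = true;
            }

            /* atoi() gives 0 for non-numeric text, so a bad mask is caught here too. */
            if ( mask == 0 || !Mask2Bit(mask, maskbits) ) {
                Sagan_Log(ERROR, "[%s, line %d] Invalid mask in %s at line %d, skipping....", __FILE__, __LINE__, blacklist_filename, line_count);
                skip = true;
            }

            if ( skip == false && !IP2Bit(iprange, ipbits) ) {
                Sagan_Log(WARN, "[%s, line %d] Got invalid blacklist address %s/%s in %s on line %d, skipping....", __FILE__, __LINE__, iprange, tmpmask, blacklist_filename, line_count);
                skip = true;
            }

            /* Record lower and upper range based on the /CIDR.  We then use
             * IP2Bit(ipaddr) to determine if it's within the blacklist range.
             *
             * Idea came from "ashitpro"
             * http://bytes.com/topic/c/answers/765104-determining-whether-given-ip-exist-cidr-ip-range
             */

            if ( skip == false ) {

                for ( i = 0; i < counters->blacklist_count; i++ ) {

                    if ( !memcmp(SaganBlacklist[i].range.ipbits, ipbits, MAXIPBIT) &&
                         !memcmp(SaganBlacklist[i].range.maskbits, maskbits, MAXIPBIT) ) {
                        Sagan_Log(WARN, "[%s, line %d] Got duplicate blacklist address %s/%s in %s on line %d, skipping....", __FILE__, __LINE__, iprange, tmpmask, blacklist_filename, line_count);
                        skip = true;
                        break;
                    }
                }
            }

            if ( skip == true ) {
                continue;
            }

            /* Grow only for a line we are actually going to keep. */
            grown = realloc(SaganBlacklist, ((size_t)counters->blacklist_count + 1) * sizeof(*SaganBlacklist));

            if ( grown == NULL ) {
                Sagan_Log(ERROR, "[%s, line %d] Failed to reallocate memory for SaganBlacklist. Abort!", __FILE__, __LINE__);
                continue;       /* only reached if Sagan_Log(ERROR) returns; old array is kept */
            }

            SaganBlacklist = grown;

            memcpy(SaganBlacklist[counters->blacklist_count].range.ipbits, ipbits, sizeof(ipbits));
            memcpy(SaganBlacklist[counters->blacklist_count].range.maskbits, maskbits, sizeof(maskbits));

            item_count++;

            pthread_mutex_lock(&CounterBlacklistGenericMutex);
            counters->blacklist_count++;
            pthread_mutex_unlock(&CounterBlacklistGenericMutex);
        }

        fclose(blacklist);

        Sagan_Log(NORMAL, "Blacklist Processor Loaded File: %s (File: %d, Total: %d)", blacklist_filename, item_count, counters->blacklist_count);

        blacklist_filename = strtok_r(NULL, ",", &ptmp);
    }
}

/***************************************************************************
 * Sagan_Blacklist_IPADDR - Looks up the IP address in the Blacklist
 * array.  If found, returns TRUE.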
***************************************************************************/

sbool Sagan_Blacklist_IPADDR ( unsigned char *ipaddr )
{

    int idx = 0;

    /* Lookup statistic.  This one is deliberately left outside the mutex by
     * the original author (only the hit counter below is locked); a lost
     * increment here only skews a statistic. */
    counters->blacklist_lookup_count++;

    for ( idx = 0; idx < counters->blacklist_count; idx++ ) {

        if ( !is_inrange(ipaddr, (unsigned char *)&SaganBlacklist[idx].range, 1) ) {
            continue;
        }

        pthread_mutex_lock(&CounterBlacklistGenericMutex);
        counters->blacklist_hit_count++;
        pthread_mutex_unlock(&CounterBlacklistGenericMutex);

        return(true);
    }

    return(false);
}

/***************************************************************************
 * Sagan_Blacklist_IPADDR_All - Check every address in lookup_cache
 * (lookup_cache_size entries) against the blacklist ranges in memory.
 * Returns true on the first range hit; syslog_message is not used.
 ***************************************************************************/

sbool Sagan_Blacklist_IPADDR_All ( char *syslog_message, _Sagan_Lookup_Cache_Entry *lookup_cache, int lookup_cache_size )
{

    int entry = 0;
    int range = 0;

    for ( entry = 0; entry < lookup_cache_size; entry++ ) {

        for ( range = 0; range < counters->blacklist_count; range++ ) {

            if ( !is_inrange(lookup_cache[entry].ip_bits, (unsigned char *)&SaganBlacklist[range].range, 1) ) {
                continue;
            }

            pthread_mutex_lock(&CounterBlacklistGenericMutex);
            counters->blacklist_hit_count++;
            pthread_mutex_unlock(&CounterBlacklistGenericMutex);

            return(true);
        }
    }

    return(false);
}
sagan-1.2.0/src/processors/track-clients.c0000644000175000017500000003640213310531444017450 0ustar champchamp/*
** Copyright (C) 2009-2018 Quadrant Information Security
** Copyright (C) 2009-2018 Adam Hall
**
** This program is free software; you can redistribute it and/or modify
** it under the terms of the GNU General Public License Version 2 as
** published by the Free Software Foundation.  You may not use, modify or
** distribute this program under any other version of the GNU General
** Public License.
**
** This program is distributed in the hope that it will be useful,
** but WITHOUT ANY WARRANTY; without even the implied warranty of
** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
** GNU General Public License for more details.
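**
** You should have received a copy of the GNU General Public License
** along with this program; if not, write to the Free Software
** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
*/

/* track-clients.c
 *
 * Simple pre-processor that keeps track of reporting syslog clients/agents.
 * This is based off the IP address of the clients, not based on normalization.
 * If a client/agent hasn't sent a syslog/event message in X minutes, then
 * generate an alert.
 *
 */

#ifdef HAVE_CONFIG_H
#include "config.h"             /* From autoconf */
#endif

/* System headers: the <...> operands of these includes were lost in this
 * rendering of the file and are reproduced here exactly as they appear. */
#include #include #include #include #include #include #include #include #include

#ifdef HAVE_SYS_PRCTL_H
#include
#endif

#include "sagan.h"
#include "sagan-defs.h"
#include "sagan-config.h"
#include "send-alert.h"
#include "util-time.h"
#include "processors/track-clients.h"

/* Serialise updates to the shared client table / its status field. */
pthread_mutex_t IPCTrackClientCounter=PTHREAD_MUTEX_INITIALIZER;
pthread_mutex_t IPCTrackClientsStatus=PTHREAD_MUTEX_INITIALIZER;

struct _Sagan_Processor_Info *processor_info_track_client = NULL;
struct _Sagan_Proc_Syslog *SaganProcSyslog;

/* Client table and its counters live in shared memory (config->shm_*). */
struct _Sagan_Track_Clients_IPC *SaganTrackClients_ipc;
struct _Sagan_IPC_Counters *counters_ipc;
struct _SaganConfig *config;

/****************************************************************************
 * Track_Clients - Record that a message was received from "host".
 *
 * host : the client's address as text (converted with IP2Bit)
 *
 * If the host is already in SaganTrackClients_ipc its last-seen time and
 * expiry window are refreshed; otherwise a new entry is appended, unless the
 * table already holds config->max_track_clients entries, in which case a
 * warning is logged and the host is not tracked.  All table access happens
 * under IPCTrackClientCounter and the shm_track_clients file lock.
 *
 * The last-seen time used to be obtained with strftime("%s") + atol(); that
 * is a glibc extension yielding the same value as time_t itself, so the
 * direct value is used now.
 ****************************************************************************/

void Track_Clients ( char *host )
{

    unsigned char hostbits[MAXIPBIT] = { 0 };
    uint64_t utime_u64 = 0;
    int expired_time = 0;
    int i = 0;

    utime_u64 = (uint64_t) time(NULL);

    expired_time = config->pp_sagan_track_clients * 60;     /* minutes -> seconds */

    /* NOTE(review): the return value is not checked, as before; an address
     * IP2Bit cannot parse is tracked under the all-zero hostbits. */
    IP2Bit(host, hostbits);

    pthread_mutex_lock(&IPCTrackClientCounter);
    File_Lock(config->shm_track_clients);

    /* Known client: refresh its record. */
    for ( i = 0; i < counters_ipc->track_clients_client_count; i++ ) {

        if ( !memcmp(SaganTrackClients_ipc[i].hostbits, hostbits, MAXIPBIT) ) {

            SaganTrackClients_ipc[i].utime = utime_u64;
            SaganTrackClients_ipc[i].expire = expired_time;

            File_Unlock(config->shm_track_clients);
            pthread_mutex_unlock(&IPCTrackClientCounter);
            return;
        }
    }

    /* New client: append if the table has room. */
    if ( counters_ipc->track_clients_client_count < config->max_track_clients ) {

        i = counters_ipc->track_clients_client_count;

        memcpy(SaganTrackClients_ipc[i].hostbits, hostbits, sizeof(hostbits));
        SaganTrackClients_ipc[i].utime = utime_u64;
        SaganTrackClients_ipc[i].status = 0;
        SaganTrackClients_ipc[i].expire = expired_time;

        File_Lock(config->shm_counters);
        counters_ipc->track_clients_client_count++;
        File_Unlock(config->shm_counters);

        File_Unlock(config->shm_track_clients);
        pthread_mutex_unlock(&IPCTrackClientCounter);
        return;
    }

    File_Unlock(config->shm_track_clients);
    pthread_mutex_unlock(&IPCTrackClientCounter);

    Sagan_Log(WARN, "[%s, line %d] Client tracking has reached it's max! (%d). Increase 'track_clients' in your configuration!", __FILE__, __LINE__, config->max_track_clients);

} /* Close Track_Clients */

/****************************************************************************
 * Track_Clients_Thread_Init - Allocate and fill processor_info_track_client,
 * the descriptor the tracking thread hands to the output side.
 *
 * The previous version assigned processor_name twice; it is set once now.
 ****************************************************************************/

void Track_Clients_Thread_Init ( void )
{

    processor_info_track_client = malloc(sizeof(*processor_info_track_client));

    if ( processor_info_track_client == NULL ) {
        Sagan_Log(ERROR, "[%s, line %d] Failed to allocate memory for processor_info_track_client. Abort!", __FILE__, __LINE__);
        return;         /* only reached if Sagan_Log(ERROR) returns */
    }

    memset(processor_info_track_client, 0, sizeof(*processor_info_track_client));

    processor_info_track_client->processor_name = PROCESSOR_NAME;
    processor_info_track_client->processor_generator_id = PROCESSOR_GENERATOR_ID;
    processor_info_track_client->processor_facility = PROCESSOR_FACILITY;
    processor_info_track_client->processor_priority = PROCESSOR_PRIORITY;
    processor_info_track_client->processor_pri = PROCESSOR_PRI;
    processor_info_track_client->processor_class = PROCESSOR_CLASS;
    processor_info_track_client->processor_tag = PROCESSOR_TAG;
    processor_info_track_client->processor_rev = PROCESSOR_REV;

}

/****************************************************************************
 * Sagan_Report_Clients - Main routine to "report" via IPC/memory IPs that
 * are reporting or not.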
****************************************************************************/ void Track_Clients_Thread ( void ) { for(;;) { (void)SetThreadName("SaganClientTrck"); struct _Sagan_Proc_Syslog *SaganProcSyslog_LOCAL = NULL; int alertid; int i; const char *tmp_ip = NULL; char utime_tmp[20] = { 0 }; time_t t; struct tm *now; uint64_t utime_u32; struct timeval tp; t = time(NULL); now=localtime(&t); strftime(utime_tmp, sizeof(utime_tmp), "%s", now); utime_u32 = atol(utime_tmp); int expired_time = config->pp_sagan_track_clients * 60; /* We populate this later for output plugins */ SaganProcSyslog_LOCAL = malloc(sizeof(struct _Sagan_Proc_Syslog)); if ( SaganProcSyslog_LOCAL == NULL ) { Sagan_Log(ERROR, "[%s, line %d] Failed to allocate memory for SaganProcSyslog_LOCAL. Abort!", __FILE__, __LINE__); } /*********************************/ /* Look through "known" system */ /*********************************/ for (i=0; itrack_clients_client_count; i++) { /* Check if host is in a down state */ if ( SaganTrackClients_ipc[i].status == 1 ) { /* If host was done, verify host last seen time is still not an expired time */ if ( ( utime_u32 - SaganTrackClients_ipc[i].utime ) < expired_time ) { /* Update status and seen time */ pthread_mutex_lock(&IPCTrackClientsStatus); File_Lock(config->shm_track_clients); SaganTrackClients_ipc[i].status = 0; /* Update counters */ File_Lock(config->shm_counters); counters_ipc->track_clients_down--; File_Unlock(config->shm_counters); File_Unlock(config->shm_track_clients); pthread_mutex_unlock(&IPCTrackClientsStatus); tmp_ip = Bit2IP(SaganTrackClients_ipc[i].hostbits, NULL, 0); Sagan_Log(WARN, "[Processor: %s] Logs are being received from %s again.", PROCESSOR_NAME, tmp_ip ); /* Populate SaganProcSyslog_LOCAL for output plugins */ strlcpy(SaganProcSyslog_LOCAL->syslog_host, tmp_ip, sizeof(SaganProcSyslog_LOCAL->syslog_host)); strlcpy(SaganProcSyslog_LOCAL->syslog_facility, PROCESSOR_FACILITY, sizeof(SaganProcSyslog_LOCAL->syslog_facility)); 
strlcpy(SaganProcSyslog_LOCAL->syslog_priority, PROCESSOR_PRIORITY, sizeof(SaganProcSyslog_LOCAL->syslog_priority)); strlcpy(SaganProcSyslog_LOCAL->syslog_level, "info", sizeof(SaganProcSyslog_LOCAL->syslog_level)); strlcpy(SaganProcSyslog_LOCAL->syslog_tag, "00", sizeof(SaganProcSyslog_LOCAL->syslog_tag)); strlcpy(SaganProcSyslog_LOCAL->syslog_program, PROCESSOR_NAME, sizeof(SaganProcSyslog_LOCAL->syslog_program)); Return_Date(utime_u32, SaganProcSyslog_LOCAL->syslog_date, sizeof(SaganProcSyslog_LOCAL->syslog_date)); Return_Time(utime_u32, SaganProcSyslog_LOCAL->syslog_time, sizeof(SaganProcSyslog_LOCAL->syslog_time)); snprintf(SaganProcSyslog_LOCAL->syslog_message, sizeof(SaganProcSyslog_LOCAL->syslog_message)-1, "The IP address %s was previously not sending logs. The system appears to be sending logs again at %s", tmp_ip, ctime(&SaganTrackClients_ipc[i].utime) ); alertid=101; /* See gen-msg.map */ gettimeofday(&tp, 0); /* Send alert to output plugins */ Send_Alert(SaganProcSyslog_LOCAL, NULL, processor_info_track_client, SaganProcSyslog_LOCAL->syslog_host, config->sagan_host, "\0", "\0", config->sagan_proto, alertid, config->sagan_port, config->sagan_port, 0, tp); } /* End last seen check time */ } else { /**** Check if last seen time of host has exceeded track time meaning it's down! 
****/ if ( ( utime_u32 - SaganTrackClients_ipc[i].utime ) >= expired_time ) { /* Update status and utime */ pthread_mutex_lock(&IPCTrackClientsStatus); File_Lock(config->shm_track_clients); SaganTrackClients_ipc[i].status = 1; /* Update counters */ File_Lock(config->shm_counters); counters_ipc->track_clients_down++; File_Unlock(config->shm_counters); File_Unlock(config->shm_track_clients); pthread_mutex_unlock(&IPCTrackClientsStatus); tmp_ip = Bit2IP(SaganTrackClients_ipc[i].hostbits, NULL, 0); Sagan_Log(WARN, "[Processor: %s] Logs have not been seen from %s for %d minute(s).", PROCESSOR_NAME, tmp_ip, config->pp_sagan_track_clients); /* Populate SaganProcSyslog_LOCAL for output plugins */ strlcpy(SaganProcSyslog_LOCAL->syslog_host, tmp_ip, sizeof(SaganProcSyslog_LOCAL->syslog_host)); strlcpy(SaganProcSyslog_LOCAL->syslog_facility, PROCESSOR_FACILITY, sizeof(SaganProcSyslog_LOCAL->syslog_facility)); strlcpy(SaganProcSyslog_LOCAL->syslog_priority, PROCESSOR_PRIORITY, sizeof(SaganProcSyslog_LOCAL->syslog_priority)); strlcpy(SaganProcSyslog_LOCAL->syslog_level, "info", sizeof(SaganProcSyslog_LOCAL->syslog_level)); strlcpy(SaganProcSyslog_LOCAL->syslog_tag, "00", sizeof(SaganProcSyslog_LOCAL->syslog_tag)); strlcpy(SaganProcSyslog_LOCAL->syslog_program, PROCESSOR_NAME, sizeof(SaganProcSyslog_LOCAL->syslog_program)); Return_Date(utime_u32, SaganProcSyslog_LOCAL->syslog_date, sizeof(SaganProcSyslog_LOCAL->syslog_date)); Return_Time(utime_u32, SaganProcSyslog_LOCAL->syslog_time, sizeof(SaganProcSyslog_LOCAL->syslog_time)); snprintf(SaganProcSyslog_LOCAL->syslog_message, sizeof(SaganProcSyslog_LOCAL->syslog_message)-1, "Sagan has not recieved any logs from the IP address %s in over %d minute(s). Last log was seen at %s. 
This could be an indication that the system is down.", tmp_ip, config->pp_sagan_track_clients, ctime(&SaganTrackClients_ipc[i].utime) ); alertid=100; /* See gen-msg.map */ gettimeofday(&tp, 0); /* Send alert to output plugins */ Send_Alert(SaganProcSyslog_LOCAL, NULL, processor_info_track_client, SaganProcSyslog_LOCAL->syslog_host, config->sagan_host, "\0", "\0", config->sagan_proto, alertid, config->sagan_port, config->sagan_port, 0, tp); } /* End of existing utime check */ } /* End of else */ } /* End for 'for' loop */ free(SaganProcSyslog_LOCAL); sleep(60); } /* End Ifinite Loop */ } /* End Sagan_report_clients */ sagan-1.2.0/src/processors/dynamic-rules.h0000644000175000017500000000211013310531444017453 0ustar champchamp/* ** Copyright (C) 2009-2018 Quadrant Information Security ** Copyright (C) 2009-2018 Champ Clark III ** ** This program is free software; you can redistribute it and/or modify ** it under the terms of the GNU General Public License Version 2 as ** published by the Free Software Foundation. You may not use, modify or ** distribute this program under any other version of the GNU General ** Public License. ** ** This program is distributed in the hope that it will be useful, ** but WITHOUT ANY WARRANTY; without even the implied warranty of ** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ** GNU General Public License for more details. ** ** You should have received a copy of the GNU General Public License ** along with this program; if not, write to the Free Software ** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. 
*/ #ifdef HAVE_CONFIG_H #include "config.h" /* From autoconf */ #endif int Sagan_Dynamic_Rules ( _Sagan_Proc_Syslog *, int, _Sagan_Processor_Info *, char *, char * ); sagan-1.2.0/src/processors/bluedot.h0000644000175000017500000000706113310531444016347 0ustar champchamp/* ** Copyright (C) 2009-2018 Quadrant Information Security ** Copyright (C) 2009-2018 Champ Clark III ** ** This program is free software; you can redistribute it and/or modify ** it under the terms of the GNU General Public License Version 2 as ** published by the Free Software Foundation. You may not use, modify or ** distribute this program under any other version of the GNU General ** Public License. ** ** This program is distributed in the hope that it will be useful, ** but WITHOUT ANY WARRANTY; without even the implied warranty of ** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ** GNU General Public License for more details. ** ** You should have received a copy of the GNU General Public License ** along with this program; if not, write to the Free Software ** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. */ /* sagan-bluedot.h * * Does real time lookups of IP addresses from the Quadrant reputation * database. This means you have to have authentication! 
* */ #ifdef WITH_BLUEDOT #define BLUEDOT_PROCESSOR_USER_AGENT "User-Agent: Sagan-SIEM" /* Extensions on URL passed depending on what type of query we want to do */ #define BLUEDOT_IP_LOOKUP_URL "&qip=" #define BLUEDOT_HASH_LOOKUP_URL "&qhash=" #define BLUEDOT_FILENAME_LOOKUP_URL "&qfilename=" #define BLUEDOT_URL_LOOKUP_URL "&qurl=" #define BLUEDOT_LOOKUP_IP 1 #define BLUEDOT_LOOKUP_HASH 2 #define BLUEDOT_LOOKUP_URL 3 #define BLUEDOT_LOOKUP_FILENAME 4 int Sagan_Bluedot_Cat_Compare ( unsigned char, int, unsigned char ); int Sagan_Bluedot ( _Sagan_Proc_Syslog *, int ); unsigned char Sagan_Bluedot_Lookup(char *, unsigned char, int, unsigned char *ip_bits); /* what to lookup, lookup type */ int Sagan_Bluedot_IP_Lookup_All ( char *, int , _Sagan_Lookup_Cache_Entry *, int ); void Sagan_Bluedot_Clean_Cache ( void ); void Sagan_Bluedot_Init(void); void Sagan_Bluedot_Load_Cat(void); void Sagan_Verify_Categories( char *, int , const char *, int, unsigned char ); void Sagan_Bluedot_Check_Cache_Time (void); int Sagan_Bluedot_Clean_Queue ( char *, unsigned char, unsigned char *ip ); typedef struct _Sagan_Bluedot_Cat_List _Sagan_Bluedot_Cat_List; struct _Sagan_Bluedot_Cat_List { int cat_number; char cat[50]; }; typedef struct _Sagan_Bluedot_IP_Cache _Sagan_Bluedot_IP_Cache; struct _Sagan_Bluedot_IP_Cache { unsigned char ip[MAXIPBIT]; uint64_t mdate_utime; uint64_t cdate_utime; uint64_t cache_utime; int alertid; }; typedef struct _Sagan_Bluedot_Hash_Cache _Sagan_Bluedot_Hash_Cache; struct _Sagan_Bluedot_Hash_Cache { char hash[SHA256_HASH_SIZE+1]; uint64_t cache_utime; int alertid; }; typedef struct _Sagan_Bluedot_URL_Cache _Sagan_Bluedot_URL_Cache; struct _Sagan_Bluedot_URL_Cache { char url[8192]; uint64_t cache_utime; int alertid; }; typedef struct _Sagan_Bluedot_Filename_Cache _Sagan_Bluedot_Filename_Cache; struct _Sagan_Bluedot_Filename_Cache { char filename[256]; uint64_t cache_utime; int alertid; }; typedef struct _Sagan_Bluedot_IP_Queue _Sagan_Bluedot_IP_Queue; struct 
_Sagan_Bluedot_IP_Queue { unsigned char ip[MAXIPBIT]; }; typedef struct _Sagan_Bluedot_Hash_Queue _Sagan_Bluedot_Hash_Queue; struct _Sagan_Bluedot_Hash_Queue { char hash[SHA256_HASH_SIZE+1]; }; typedef struct _Sagan_Bluedot_URL_Queue _Sagan_Bluedot_URL_Queue; struct _Sagan_Bluedot_URL_Queue { char url[8192]; }; typedef struct _Sagan_Bluedot_Filename_Queue _Sagan_Bluedot_Filename_Queue; struct _Sagan_Bluedot_Filename_Queue { char filename[256]; }; #endif sagan-1.2.0/src/processors/blacklist.h0000644000175000017500000000253013310531444016655 0ustar champchamp/* ** Copyright (C) 2009-2018 Quadrant Information Security ** Copyright (C) 2009-2018 Champ Clark III ** ** This program is free software; you can redistribute it and/or modify ** it under the terms of the GNU General Public License Version 2 as ** published by the Free Software Foundation. You may not use, modify or ** distribute this program under any other version of the GNU General ** Public License. ** ** This program is distributed in the hope that it will be useful, ** but WITHOUT ANY WARRANTY; without even the implied warranty of ** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ** GNU General Public License for more details. ** ** You should have received a copy of the GNU General Public License ** along with this program; if not, write to the Free Software ** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. 
*/ #include "sagan-defs.h" void Sagan_Blacklist_Load ( void ); void Sagan_Blacklist_Init( void ); sbool Sagan_Blacklist_IPADDR( unsigned char * ); sbool Sagan_Blacklist_IPADDR_All ( char *, _Sagan_Lookup_Cache_Entry *lookup_cache, int lookup_cache_size ); typedef struct _Sagan_Blacklist _Sagan_Blacklist; struct _Sagan_Blacklist { struct { unsigned char ipbits[MAXIPBIT]; unsigned char maskbits[MAXIPBIT]; } range; }; sagan-1.2.0/src/processors/bluedot.c0000644000175000017500000020456313310531444016350 0ustar champchamp/* ** Copyright (C) 2009-2018 Quadrant Information Security ** Copyright (C) 2009-2018 Champ Clark III ** ** This program is free software; you can redistribute it and/or modify ** it under the terms of the GNU General Public License Version 2 as ** published by the Free Software Foundation. You may not use, modify or ** distribute this program under any other version of the GNU General ** Public License. ** ** This program is distributed in the hope that it will be useful, ** but WITHOUT ANY WARRANTY; without even the implied warranty of ** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ** GNU General Public License for more details. ** ** You should have received a copy of the GNU General Public License ** along with this program; if not, write to the Free Software ** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. */ /* bluedot.c * * Does real time lookups of IP addresses from the Quadrant reputation * database. This means you have to have authentication! 
* */ #ifdef HAVE_CONFIG_H #include "config.h" /* From autoconf */ #endif #ifdef WITH_BLUEDOT #include #include #include #include #include #include #include #include #include #include "sagan.h" #include "sagan-defs.h" #include "sagan-config.h" #include "rules.h" #include "processors/bluedot.h" #include "parsers/parsers.h" struct _SaganCounters *counters; struct _SaganConfig *config; struct _SaganDebug *debug; struct _Sagan_Bluedot_IP_Cache *SaganBluedotIPCache; struct _Sagan_Bluedot_Hash_Cache *SaganBluedotHashCache; struct _Sagan_Bluedot_URL_Cache *SaganBluedotURLCache; struct _Sagan_Bluedot_Filename_Cache *SaganBluedotFilenameCache; struct _Sagan_Bluedot_Cat_List *SaganBluedotCatList; struct _Sagan_Bluedot_IP_Queue *SaganBluedotIPQueue; struct _Sagan_Bluedot_Hash_Queue *SaganBluedotHashQueue; struct _Sagan_Bluedot_URL_Queue *SaganBluedotURLQueue; struct _Sagan_Bluedot_Filename_Queue *SaganBluedotFilenameQueue; struct _Rule_Struct *rulestruct; pthread_mutex_t SaganProcBluedotWorkMutex=PTHREAD_MUTEX_INITIALIZER; pthread_mutex_t CounterBluedotGenericMutex=PTHREAD_MUTEX_INITIALIZER; pthread_mutex_t SaganProcBluedotIPWorkMutex=PTHREAD_MUTEX_INITIALIZER; pthread_mutex_t SaganProcBluedotHashWorkMutex=PTHREAD_MUTEX_INITIALIZER; pthread_mutex_t SaganProcBluedotURLWorkMutex=PTHREAD_MUTEX_INITIALIZER; pthread_mutex_t SaganProcBluedotFilenameWorkMutex=PTHREAD_MUTEX_INITIALIZER; sbool bluedot_cache_clean_lock=0; sbool bluedot_dns_global=0; sbool bluedot_ip_update = 0; sbool bluedot_hash_update = 0; sbool bluedot_url_update = 0; sbool bluedot_filename_update = 0; int bluedot_ip_queue=0; int bluedot_hash_queue=0; int bluedot_url_queue=0; int bluedot_filename_queue=0; /**************************************************************************** * Sagan_Bluedot_Init() - init's some global variables and other items * that need to be done only once. 
- Champ Clark 05/15/2013 ****************************************************************************/ void Sagan_Bluedot_Init(void) { char timet[20] = { 0 }; time_t t; struct tm *now = NULL; t = time(NULL); now=localtime(&t); strftime(timet, sizeof(timet), "%s", now); config->bluedot_last_time = atol(timet); } /**************************************************************************** * Sagan_Bluedot_Clean_Queue - Clean's the "queue" of the type of lookup * that happened. This is called after a successful lookup. We do this to * prevent multiple lookups (at the same time!) of the same item! This * happens a lot with IP address looks ****************************************************************************/ int Sagan_Bluedot_Clean_Queue ( char *data, unsigned char type, unsigned char *ip ) { uint32_t ip_u32; int i=0; unsigned char ip_convert[MAXIPBIT] = { 0 }; memset(ip_convert, 0, MAXIPBIT); memcpy(ip_convert, ip, MAXIPBIT); int tmp_bluedot_queue_count=0; /* Remove IP address from lookup queue */ if ( type == BLUEDOT_LOOKUP_IP ) { struct _Sagan_Bluedot_IP_Queue *TmpSaganBluedotIPQueue; TmpSaganBluedotIPQueue = malloc(sizeof(_Sagan_Bluedot_IP_Queue)); if ( TmpSaganBluedotIPQueue == NULL ) { Sagan_Log(ERROR, "[%s, line %d] Failed to allocate memory for TmpSaganBluedotIPQueue. Abort!", __FILE__, __LINE__); } for (i=0; idebugbluedot) { Sagan_Log(DEBUG, "[%s, line %d] Going to query hash %s from Bluedot.", __FILE__, __LINE__, data); } } bluedot_hash_update = 0; pthread_mutex_unlock(&SaganProcBluedotHashWorkMutex); free(TmpSaganBluedotHashQueue); } else if ( type == BLUEDOT_LOOKUP_URL ) { struct _Sagan_Bluedot_URL_Queue *TmpSaganBluedotURLQueue; TmpSaganBluedotURLQueue = malloc(sizeof(_Sagan_Bluedot_URL_Queue)); if ( TmpSaganBluedotURLQueue == NULL ) { Sagan_Log(ERROR, "[%s, line %d] Failed to allocate memory for TmpSaganBluedotURLQueue. 
Abort!", __FILE__, __LINE__); } for (i=0; ibluedot_cat, "r" )) == NULL ) { Sagan_Log(ERROR, "[%s, line %d] No Bluedot categories list to load (%s)!", __FILE__, __LINE__, config->bluedot_cat); } while(fgets(buf, 1024, bluedot_cat_file) != NULL) { /* Skip comments and blank linkes */ if (buf[0] == '#' || buf[0] == 10 || buf[0] == ';' || buf[0] == 32) { continue; } else { /* Allocate memory for references, not comments */ SaganBluedotCatList = (_Sagan_Bluedot_Cat_List *) realloc(SaganBluedotCatList, (counters->bluedot_cat_count+1) * sizeof(_Sagan_Bluedot_Cat_List)); if ( SaganBluedotCatList == NULL ) { Sagan_Log(ERROR, "[%s, line %d] Failed to reallocate memory for SaganBluedotCatList. Abort!", __FILE__, __LINE__); } /* Normalize the list for later use. Better to do this here than when processing rules */ bluedot_tok1 = strtok_r(buf, "|", &saveptr); if ( bluedot_tok1 == NULL ) { Sagan_Log(ERROR, "[%s, line %d] Bluedot categories file appears to be malformed.", __FILE__, __LINE__); } Remove_Return(bluedot_tok1); Remove_Spaces(bluedot_tok1); SaganBluedotCatList[counters->bluedot_cat_count].cat_number = atoi(bluedot_tok1); bluedot_tok2 = strtok_r(NULL, "|", &saveptr); if ( bluedot_tok2 == NULL ) { Sagan_Log(ERROR, "[%s, line %d] Bluedot categories file appears to be malformed.", __FILE__, __LINE__); } Remove_Return(bluedot_tok2); Remove_Spaces(bluedot_tok2); To_LowerC(bluedot_tok2); strlcpy(SaganBluedotCatList[counters->bluedot_cat_count].cat, bluedot_tok2, sizeof(SaganBluedotCatList[counters->bluedot_cat_count].cat)); pthread_mutex_lock(&CounterBluedotGenericMutex); counters->bluedot_cat_count++; pthread_mutex_unlock(&CounterBluedotGenericMutex); } } } /**************************************************************************** * write_callback_func() - Callback for data received via libcurl ****************************************************************************/ size_t static write_callback_func(void *buffer, size_t size, size_t nmemb, void *userp) { char 
**response_ptr = (char**)userp; *response_ptr = strndup(buffer, (size_t)(size *nmemb)); /* Return the string */ } /**************************************************************************** * Sagan_Bluedot_Clean_Cache() - Cleans cache. Remove old, stale entries * to make room for new, fresh entries :) ****************************************************************************/ void Sagan_Bluedot_Check_Cache_Time (void) { time_t t; struct tm *now = NULL; char timet[20] = { 0 }; t = time(NULL); now=localtime(&t); strftime(timet, sizeof(timet), "%s", now); if (atol(timet) > config->bluedot_last_time + config->bluedot_timeout) { Sagan_Log(NORMAL, "Bluedot cache timeout reached %d minutes. Cleaning up.", config->bluedot_timeout / 60); if ( bluedot_cache_clean_lock == 0 ) { Sagan_Bluedot_Clean_Cache(); } } /* if ( counters->bluedot_ip_cache_count >= config->bluedot_max_cache ) { Sagan_Log(WARN, "[%s, line %d] ***** Out of cache space! Increasing from %" PRIu64 " to %" PRIu64 "!", __FILE__, __LINE__, config->bluedot_max_cache, config->bluedot_max_cache + BLUEDOT_EMERG_CACHE_INCREASE); if ( bluedot_config_change == 0 ) { pthread_mutex_lock(&SaganProcBluedotWorkMutex); bluedot_config_change = 1; config->bluedot_max_cache = config->bluedot_max_cache + BLUEDOT_EMERG_CACHE_INCREASE; bluedot_config_change = 0; pthread_mutex_unlock(&SaganProcBluedotWorkMutex); } } */ } /**************************************************************************** * Sagan_Bluedot_Clean_Cache - Cleans old Bluedot entries over the * specified "cache_timeout". 
****************************************************************************/ void Sagan_Bluedot_Clean_Cache ( void ) { int i; int timeout_count=0; int deleted_count=0; char timet[20] = { 0 }; time_t t; struct tm *now=NULL; t = time(NULL); now=localtime(&t); strftime(timet, sizeof(timet), "%s", now); struct _Sagan_Bluedot_IP_Cache *TmpSaganBluedotIPCache = NULL; struct _Sagan_Bluedot_Hash_Cache *TmpSaganBluedotHashCache = NULL; struct _Sagan_Bluedot_URL_Cache *TmpSaganBluedotURLCache = NULL; struct _Sagan_Bluedot_Filename_Cache *TmpSaganBluedotFilenameCache = NULL; if ( bluedot_cache_clean_lock == 0 ) /* So no two threads try to "clean up" */ { pthread_mutex_lock(&SaganProcBluedotWorkMutex); bluedot_cache_clean_lock = 1; if (debug->debugbluedot) { Sagan_Log(DEBUG, "[%s, line %d] Sagan/Bluedot cache clean time has been reached.", __FILE__, __LINE__); Sagan_Log(DEBUG, "[%s, line %d] ----------------------------------------------------------------------", __FILE__, __LINE__); } config->bluedot_last_time = atol(timet); for (i=0; ibluedot_ip_cache_count; i++) { if ( atol(timet) - SaganBluedotIPCache[i].cache_utime > config->bluedot_timeout ) { if (debug->debugbluedot) { Sagan_Log(DEBUG, "[%s, line %d] == Deleting IP address from cache -> %u", __FILE__, __LINE__, SaganBluedotIPCache[i].ip); } } else { TmpSaganBluedotIPCache = (_Sagan_Bluedot_IP_Cache *) realloc(TmpSaganBluedotIPCache, (timeout_count+1) * sizeof(_Sagan_Bluedot_IP_Cache)); if ( TmpSaganBluedotIPCache == NULL ) { Sagan_Log(ERROR, "[%s, line %d] Failed to reallocate memory for TmpSaganBluedotIPCache. 
Abort!", __FILE__, __LINE__); } memcpy(TmpSaganBluedotIPCache[timeout_count].ip, SaganBluedotIPCache[i].ip, sizeof(SaganBluedotIPCache[i].ip)); TmpSaganBluedotIPCache[timeout_count].cache_utime = SaganBluedotIPCache[i].cache_utime; TmpSaganBluedotIPCache[timeout_count].cache_utime = SaganBluedotIPCache[i].mdate_utime; TmpSaganBluedotIPCache[timeout_count].cache_utime = SaganBluedotIPCache[i].cdate_utime; TmpSaganBluedotIPCache[timeout_count].alertid = SaganBluedotIPCache[i].alertid; timeout_count++; } } for (i=0; ibluedot_ip_cache_count - (uint64_t)timeout_count; pthread_mutex_lock(&CounterBluedotGenericMutex); counters->bluedot_ip_cache_count = (uint64_t)timeout_count; pthread_mutex_unlock(&CounterBluedotGenericMutex); Sagan_Log(NORMAL, "[%s, line %d] Deleted %d IP addresses from Bluedot cache.",__FILE__, __LINE__, deleted_count); /* Clean hash cache */ timeout_count = 0; for (i=0; ibluedot_hash_cache_count; i++) { if ( atol(timet) - SaganBluedotHashCache[i].cache_utime > config->bluedot_timeout ) { if (debug->debugbluedot) { Sagan_Log(DEBUG, "[%s, line %d] == Deleting hash from cache -> %s", __FILE__, __LINE__, SaganBluedotHashCache[i].hash); } } else { TmpSaganBluedotHashCache = (_Sagan_Bluedot_Hash_Cache *) realloc(TmpSaganBluedotHashCache, (timeout_count+1) * sizeof(_Sagan_Bluedot_Hash_Cache)); if ( TmpSaganBluedotHashCache == NULL ) { Sagan_Log(ERROR, "[%s, line %d] Failed to reallocate memory for TmpSaganBluedotHashCache. 
Abort!", __FILE__, __LINE__); } strlcpy(TmpSaganBluedotHashCache[timeout_count].hash, SaganBluedotHashCache[i].hash, sizeof(TmpSaganBluedotHashCache[timeout_count].hash)); TmpSaganBluedotHashCache[timeout_count].cache_utime = SaganBluedotHashCache[i].cache_utime; /* store utime */ TmpSaganBluedotHashCache[timeout_count].alertid = SaganBluedotHashCache[i].alertid; timeout_count++; } } for (i=0; ibluedot_hash_cache_count - (uint64_t)timeout_count; pthread_mutex_lock(&CounterBluedotGenericMutex); counters->bluedot_hash_cache_count = (uint64_t)timeout_count; pthread_mutex_unlock(&CounterBluedotGenericMutex); Sagan_Log(NORMAL, "[%s, line %d] Deleted %d hashes from Bluedot cache.",__FILE__, __LINE__, deleted_count); /* Clean URL cache */ timeout_count = 0; for (i=0; ibluedot_url_cache_count; i++) { if ( atol(timet) - SaganBluedotURLCache[i].cache_utime > config->bluedot_timeout ) { if (debug->debugbluedot) { Sagan_Log(DEBUG, "[%s, line %d] == Deleting URL from cache -> %s", __FILE__, __LINE__, SaganBluedotURLCache[i].url); } } else { TmpSaganBluedotURLCache = (_Sagan_Bluedot_URL_Cache *) realloc(TmpSaganBluedotURLCache, (timeout_count+1) * sizeof(_Sagan_Bluedot_URL_Cache)); if ( TmpSaganBluedotURLCache == NULL ) { Sagan_Log(ERROR, "[%s, line %d] Failed to reallocate memory for TmpSaganBluedotURLCache. 
Abort!", __FILE__, __LINE__); } strlcpy(TmpSaganBluedotURLCache[timeout_count].url, SaganBluedotURLCache[i].url, sizeof(TmpSaganBluedotURLCache[timeout_count].url)); TmpSaganBluedotURLCache[timeout_count].cache_utime = SaganBluedotURLCache[i].cache_utime; TmpSaganBluedotURLCache[timeout_count].alertid = SaganBluedotURLCache[i].alertid; timeout_count++; } } for (i=0; ibluedot_url_cache_count - (uint64_t)timeout_count; pthread_mutex_lock(&CounterBluedotGenericMutex); counters->bluedot_url_cache_count = (uint64_t)timeout_count; pthread_mutex_unlock(&CounterBluedotGenericMutex); Sagan_Log(NORMAL, "[%s, line %d] Deleted %d URLs from Bluedot cache.",__FILE__, __LINE__, deleted_count); /* Clean Filename cache */ timeout_count = 0; for (i=0; ibluedot_filename_cache_count; i++) { if ( atol(timet) - SaganBluedotFilenameCache[i].cache_utime > config->bluedot_timeout ) { if (debug->debugbluedot) { Sagan_Log(DEBUG, "[%s, line %d] == Deleting Filename from cache -> %s", __FILE__, __LINE__, SaganBluedotFilenameCache[i].filename); } } else { TmpSaganBluedotFilenameCache = (_Sagan_Bluedot_Filename_Cache *) realloc(TmpSaganBluedotFilenameCache, (timeout_count+1) * sizeof(_Sagan_Bluedot_Filename_Cache)); if ( TmpSaganBluedotFilenameCache == NULL ) { Sagan_Log(ERROR, "[%s, line %d] Failed to reallocate memory for TmpSaganBluedotFilenameCache. 
Abort!", __FILE__, __LINE__); } strlcpy(TmpSaganBluedotFilenameCache[timeout_count].filename, SaganBluedotFilenameCache[i].filename, sizeof(TmpSaganBluedotFilenameCache[timeout_count].filename)); TmpSaganBluedotFilenameCache[timeout_count].cache_utime = SaganBluedotFilenameCache[i].cache_utime; TmpSaganBluedotFilenameCache[timeout_count].alertid = SaganBluedotFilenameCache[i].alertid; timeout_count++; } } for (i=0; ibluedot_filename_cache_count - (uint64_t)timeout_count; pthread_mutex_lock(&CounterBluedotGenericMutex); counters->bluedot_filename_cache_count = (uint64_t)timeout_count; pthread_mutex_unlock(&CounterBluedotGenericMutex); Sagan_Log(NORMAL, "[%s, line %d] Deleted %d filenames from Bluedot cache.",__FILE__, __LINE__, deleted_count); bluedot_cache_clean_lock = 0; pthread_mutex_unlock(&SaganProcBluedotWorkMutex); } free(TmpSaganBluedotIPCache); free(TmpSaganBluedotHashCache); free(TmpSaganBluedotURLCache); free(TmpSaganBluedotFilenameCache); } /*************************************************************************** * Sagan_Bluedot_IP_Lookup - This does the actual Bluedot lookup. 
It returns * the bluedot_alertid value (0 if not found) ***************************************************************************/ /* type * * 1 == IP * 2 == Hash * 3 == URL * 4 == Filename */ unsigned char Sagan_Bluedot_Lookup(char *data, unsigned char type, int rule_position, unsigned char *ip ) { unsigned char ip_convert[MAXIPBIT] = { 0 }; memset(ip_convert, 0, MAXIPBIT); memcpy(ip_convert, ip, MAXIPBIT); char tmpurl[1024] = { 0 }; char tmpdeviceid[64] = { 0 }; CURL *curl; CURLcode res; struct curl_slist *headers = NULL; char *response=NULL; struct json_object *json_in = NULL; json_object *string_obj; const char *cat=NULL; const char *cdate_utime=NULL; const char *mdate_utime=NULL; uint64_t cdate_utime_u32; uint64_t mdate_utime_u32; char cattmp[64] = { 0 }; char *saveptr=NULL; signed char bluedot_alertid = 0; /* -128 to 127 */ int i; char tmp[64] = { 0 }; char ip_s[64] = { 0 }; char timet[20] = { 0 }; time_t t; struct tm *now=NULL; t = time(NULL); now=localtime(&t); strftime(timet, sizeof(timet), "%s", now); uint64_t epoch_time = atol(timet); /* Check IP TTL for Bluedot */ if ( bluedot_dns_global == 0 && epoch_time - config->bluedot_dns_last_lookup > config->bluedot_dns_ttl ) { if ( debug->debugbluedot ) { Sagan_Log(DEBUG, "[%s, line %d] Bluedot host TTL of %d seconds reached. Doing new lookup for '%s'.", __FILE__, __LINE__, config->bluedot_dns_ttl, config->bluedot_host); } pthread_mutex_lock(&SaganProcBluedotWorkMutex); bluedot_dns_global = 1; i = DNS_Lookup( config->bluedot_host, tmp, sizeof(tmp) ); if ( i != 0 ) { Sagan_Log(WARN, "[%s, line %d] Cannot lookup DNS for '%s'. 
Staying with old value of %s.", __FILE__, __LINE__, config->bluedot_host, config->bluedot_ip); } else { strlcpy(config->bluedot_ip, tmp, sizeof(config->bluedot_ip)); if ( debug->debugbluedot ) { Sagan_Log(DEBUG, "[%s, line %d] Bluedot host IP is now: %s", __FILE__, __LINE__, config->bluedot_ip); } } config->bluedot_dns_last_lookup = epoch_time; bluedot_dns_global = 0; pthread_mutex_unlock(&SaganProcBluedotWorkMutex); } /************************************************************************/ /* Lookup types */ /************************************************************************/ /* IP Address Lookup */ if ( type == BLUEDOT_LOOKUP_IP ) { if ( is_notroutable(ip) ) { if ( debug->debugbluedot ) { Sagan_Log(DEBUG, "[%s, line %d] %s is RFC1918, link local or invalid.", __FILE__, __LINE__, data); } return(false); } for (i=0; ibluedot_ip_cache_count; i++) { /* In high volume env the BluedotIPCache might be being written to which can cause a segfault on the memcmp. We lock, even though we are reading, to keep this from happening */ pthread_mutex_lock(&SaganProcBluedotIPWorkMutex); bluedot_ip_update = 1; if (!memcmp( ip_convert, SaganBluedotIPCache[i].ip, MAXIPBIT )) { if (debug->debugbluedot) { Sagan_Log(DEBUG, "[%s, line %d] Pulled %s from Bluedot cache with category of \"%d\". [cdate: %d / mdate: %d]", __FILE__, __LINE__, data, SaganBluedotIPCache[i].alertid, SaganBluedotIPCache[i].cdate_utime, SaganBluedotIPCache[i].mdate_utime); } bluedot_alertid = SaganBluedotIPCache[i].alertid; if ( bluedot_alertid != 0 && rulestruct[rule_position].bluedot_mdate_effective_period != 0 ) { if ( ( epoch_time - SaganBluedotIPCache[i].mdate_utime ) > rulestruct[rule_position].bluedot_mdate_effective_period ) { if ( debug->debugbluedot ) { Sagan_Log(DEBUG, "[%s, line %d] From Bluedot Cache - qmdate for %s is over %d seconds. 
Not alerting.", __FILE__, __LINE__, data, rulestruct[rule_position].bluedot_mdate_effective_period); } pthread_mutex_lock(&SaganProcBluedotWorkMutex); counters->bluedot_mdate_cache++; pthread_mutex_unlock(&SaganProcBluedotWorkMutex); bluedot_alertid = 0; } } else if ( bluedot_alertid != 0 && rulestruct[rule_position].bluedot_cdate_effective_period != 0 ) { if ( ( epoch_time - SaganBluedotIPCache[i].cdate_utime ) > rulestruct[rule_position].bluedot_cdate_effective_period ) { if ( debug->debugbluedot ) { Sagan_Log(DEBUG, "[%s, line %d] qcdate for %s is over %d seconds. Not alerting.", __FILE__, __LINE__, data, rulestruct[rule_position].bluedot_cdate_effective_period); } pthread_mutex_lock(&SaganProcBluedotWorkMutex); counters->bluedot_cdate_cache++; pthread_mutex_unlock(&SaganProcBluedotWorkMutex); bluedot_alertid = 0; } } pthread_mutex_lock(&SaganProcBluedotWorkMutex); counters->bluedot_ip_cache_hit++; pthread_mutex_unlock(&SaganProcBluedotWorkMutex); bluedot_ip_update =0; pthread_mutex_unlock(&SaganProcBluedotIPWorkMutex); return(bluedot_alertid); } bluedot_ip_update =0; pthread_mutex_unlock(&SaganProcBluedotIPWorkMutex); } /* Check Bluedot IP Queue, make sure we aren't looking up something that is already being looked up */ for (i=0; i < bluedot_ip_queue; i++) { if ( !memcmp(ip_convert, SaganBluedotIPQueue[i].ip, MAXIPBIT )) { if (debug->debugbluedot) { Sagan_Log(DEBUG, "[%s, line %d] %s (%u) is already being looked up. Skipping....", __FILE__, __LINE__, data, SaganBluedotIPQueue[i].ip); } return(false); } } /* If not in Bluedot IP queue, add it */ pthread_mutex_lock(&SaganProcBluedotIPWorkMutex); SaganBluedotIPQueue = (_Sagan_Bluedot_IP_Queue *) realloc(SaganBluedotIPQueue, (bluedot_ip_queue+1) * sizeof(_Sagan_Bluedot_IP_Queue)); if ( SaganBluedotIPQueue == NULL ) { Sagan_Log(ERROR, "[%s, line %d] Failed to reallocate memory for SaganBluedotIPQueue. 
Abort!", __FILE__, __LINE__); } memcpy(SaganBluedotIPQueue[bluedot_ip_queue].ip, ip_convert, MAXIPBIT); bluedot_ip_queue++; pthread_mutex_unlock(&SaganProcBluedotIPWorkMutex); if (debug->debugbluedot) { Sagan_Log(DEBUG, "[%s, line %d] Going to query IP %s from Bluedot.", __FILE__, __LINE__, data); } snprintf(tmpurl, sizeof(tmpurl), "http://%s/%s%s%s", config->bluedot_ip, config->bluedot_uri, BLUEDOT_IP_LOOKUP_URL, data); } /* BLUEDOT_LOOKUP_IP */ if ( type == BLUEDOT_LOOKUP_HASH ) { for (i=0; ibluedot_hash_cache_count; i++) { pthread_mutex_lock(&SaganProcBluedotHashWorkMutex); bluedot_hash_update = 1; if (!strcasecmp(data, SaganBluedotHashCache[i].hash)) { if (debug->debugbluedot) { Sagan_Log(DEBUG, "[%s, line %d] Pulled file hash '%s' from Bluedot hash cache with category of \"%d\".", __FILE__, __LINE__, data, SaganBluedotHashCache[i].alertid); } pthread_mutex_lock(&SaganProcBluedotWorkMutex); counters->bluedot_hash_cache_hit++; pthread_mutex_unlock(&SaganProcBluedotWorkMutex); pthread_mutex_unlock(&SaganProcBluedotHashWorkMutex); bluedot_hash_update = 0; return(SaganBluedotHashCache[i].alertid); } pthread_mutex_unlock(&SaganProcBluedotHashWorkMutex); bluedot_hash_update = 0; } /* Check Bluedot Hash Queue, make sure we aren't looking up something that is already being looked up */ for (i=0; i < bluedot_hash_queue; i++) { if ( !strcasecmp(data, SaganBluedotHashQueue[i].hash ) ) { if (debug->debugbluedot) { Sagan_Log(DEBUG, "[%s, line %d] %s is already being looked up. Skipping....", __FILE__, __LINE__, data); } return(false); } } /* If not in Bluedot Hash queue, add it */ pthread_mutex_lock(&SaganProcBluedotHashWorkMutex); SaganBluedotHashQueue = (_Sagan_Bluedot_Hash_Queue *) realloc(SaganBluedotHashQueue, (bluedot_hash_queue+1) * sizeof(_Sagan_Bluedot_Hash_Queue)); if ( SaganBluedotHashQueue == NULL ) { Sagan_Log(ERROR, "[%s, line %d] Failed to reallocate memory for SaganBluedotHashQueue. 
Abort!", __FILE__, __LINE__); } strlcpy(SaganBluedotHashQueue[bluedot_hash_queue].hash, data, sizeof(SaganBluedotHashQueue[bluedot_hash_queue].hash)); bluedot_hash_queue++; pthread_mutex_unlock(&SaganProcBluedotHashWorkMutex); if (debug->debugbluedot) { Sagan_Log(DEBUG, "[%s, line %d] Going to query hash %s from Bluedot.", __FILE__, __LINE__, data); } snprintf(tmpurl, sizeof(tmpurl), "http://%s/%s%s%s", config->bluedot_ip, config->bluedot_uri, BLUEDOT_HASH_LOOKUP_URL, data); } if ( type == BLUEDOT_LOOKUP_URL ) { for (i=0; ibluedot_url_cache_count; i++) { pthread_mutex_lock(&SaganProcBluedotURLWorkMutex); bluedot_url_update = 1; if (!strcasecmp(data, SaganBluedotURLCache[i].url)) { if (debug->debugbluedot) { Sagan_Log(DEBUG, "[%s, line %d] Pulled file URL '%s' from Bluedot URL cache with category of \"%d\".", __FILE__, __LINE__, data, SaganBluedotURLCache[i].alertid); } pthread_mutex_lock(&SaganProcBluedotWorkMutex); counters->bluedot_url_cache_hit++; pthread_mutex_unlock(&SaganProcBluedotWorkMutex); bluedot_url_update = 0; pthread_mutex_unlock(&SaganProcBluedotURLWorkMutex); return(SaganBluedotURLCache[i].alertid); } bluedot_url_update = 0; pthread_mutex_unlock(&SaganProcBluedotURLWorkMutex); } /* Check Bluedot Hash Queue, make sure we aren't looking up something that is already being looked up */ for (i=0; i < bluedot_url_queue; i++) { if ( !strcasecmp(data, SaganBluedotURLQueue[i].url ) ) { if (debug->debugbluedot) { Sagan_Log(DEBUG, "[%s, line %d] %s is already being looked up. Skipping....", __FILE__, __LINE__, data); } return(false); } } /* If not in Bluedot URL queue, add it */ pthread_mutex_lock(&SaganProcBluedotURLWorkMutex); SaganBluedotURLQueue = (_Sagan_Bluedot_URL_Queue *) realloc(SaganBluedotURLQueue, (bluedot_url_queue+1) * sizeof(_Sagan_Bluedot_URL_Queue)); if ( SaganBluedotURLQueue == NULL ) { Sagan_Log(ERROR, "[%s, line %d] Failed to reallocate memory for SaganBluedotURLQueue. 
Abort!", __FILE__, __LINE__); } strlcpy(SaganBluedotURLQueue[bluedot_url_queue].url, data, sizeof(SaganBluedotURLQueue[bluedot_url_queue].url)); bluedot_url_queue++; pthread_mutex_unlock(&SaganProcBluedotURLWorkMutex); if (debug->debugbluedot) { Sagan_Log(DEBUG, "[%s, line %d] Going to query url %s from Bluedot.", __FILE__, __LINE__, data); } snprintf(tmpurl, sizeof(tmpurl), "http://%s/%s%s%s", config->bluedot_ip, config->bluedot_uri, BLUEDOT_URL_LOOKUP_URL, data); } if ( type == BLUEDOT_LOOKUP_FILENAME ) { for (i=0; ibluedot_filename_cache_count; i++) { pthread_mutex_lock(&SaganProcBluedotFilenameWorkMutex); bluedot_filename_update = 1; if (!strcasecmp(data, SaganBluedotFilenameCache[i].filename)) { if (debug->debugbluedot) { Sagan_Log(DEBUG, "[%s, line %d] Pulled file filename '%s' from Bluedot filename cache with category of \"%d\".", __FILE__, __LINE__, data, SaganBluedotFilenameCache[i].alertid); } pthread_mutex_lock(&SaganProcBluedotWorkMutex); counters->bluedot_filename_cache_hit++; pthread_mutex_unlock(&SaganProcBluedotWorkMutex); bluedot_filename_update = 0; pthread_mutex_unlock(&SaganProcBluedotFilenameWorkMutex); return(SaganBluedotFilenameCache[i].alertid); } bluedot_filename_update = 0; pthread_mutex_unlock(&SaganProcBluedotFilenameWorkMutex); } /* Check Bluedot File Queue, make sure we aren't looking up something that is already being looked up */ for (i=0; i < bluedot_filename_queue; i++) { if ( !strcasecmp(data, SaganBluedotFilenameQueue[i].filename) ) { if (debug->debugbluedot) { Sagan_Log(DEBUG, "[%s, line %d] %s is already being looked up. 
Skipping....", __FILE__, __LINE__, data); } return(false); } } /* If not in Bluedot Filename queue, add it */ pthread_mutex_lock(&SaganProcBluedotFilenameWorkMutex); SaganBluedotFilenameQueue = (_Sagan_Bluedot_Filename_Queue *) realloc(SaganBluedotFilenameQueue, (bluedot_filename_queue+1) * sizeof(_Sagan_Bluedot_Filename_Queue)); if ( SaganBluedotFilenameQueue == NULL ) { Sagan_Log(ERROR, "[%s, line %d] Failed to reallocate memory for SaganBluedotFilenameQueue. Abort!", __FILE__, __LINE__); } strlcpy(SaganBluedotHashQueue[bluedot_filename_queue].hash, data, sizeof(SaganBluedotHashQueue[bluedot_filename_queue].hash)); bluedot_filename_queue++; pthread_mutex_unlock(&SaganProcBluedotFilenameWorkMutex); if (debug->debugbluedot) { Sagan_Log(DEBUG, "[%s, line %d] Going to query filename %s from Bluedot.", __FILE__, __LINE__, data); } snprintf(tmpurl, sizeof(tmpurl), "http://%s/%s%s%s", config->bluedot_ip, config->bluedot_uri, BLUEDOT_FILENAME_LOOKUP_URL, data); } snprintf(tmpdeviceid, sizeof(tmpdeviceid), "X-BLUEDOT-DEVICEID: %s", config->bluedot_device_id); /* Do the Bluedot API call */ curl = curl_easy_init(); if (curl) { curl_easy_setopt(curl, CURLOPT_URL, tmpurl); curl_easy_setopt(curl, CURLOPT_WRITEFUNCTION, write_callback_func); curl_easy_setopt(curl, CURLOPT_WRITEDATA, &response); curl_easy_setopt(curl, CURLOPT_NOSIGNAL, 1); /* WIll send SIGALRM if not set */ headers = curl_slist_append (headers, BLUEDOT_PROCESSOR_USER_AGENT); headers = curl_slist_append (headers, tmpdeviceid); // headers = curl_slist_append (headers, "X-Bluedot-Verbose: 1"); /* For more verbose output */ curl_easy_setopt(curl, CURLOPT_HTTPHEADER , headers ); res = curl_easy_perform(curl); } curl_easy_cleanup(curl); if ( response == NULL ) { Sagan_Log(WARN, "[%s, line %d] Bluedot returned a empty \"response\".", __FILE__, __LINE__); pthread_mutex_lock(&SaganProcBluedotWorkMutex); counters->bluedot_error_count++; pthread_mutex_unlock(&SaganProcBluedotWorkMutex); Sagan_Bluedot_Clean_Queue(data, 
type, ip); return(false); } json_in = json_tokener_parse(response); if ( type == BLUEDOT_LOOKUP_IP ) { json_object_object_get_ex(json_in, "qipcode", &string_obj); cat = json_object_get_string(string_obj); json_object_object_get_ex(json_in, "qcdate", &string_obj); cdate_utime = json_object_get_string(string_obj); if ( cdate_utime != NULL ) { snprintf(tmp, sizeof(tmp), "%s", cdate_utime); strtok_r(tmp, "\"", &saveptr); cdate_utime_u32 = atol(strtok_r(NULL, "\"", &saveptr)); } else { Sagan_Log(WARN, "Bluedot return a bad qcdate."); } json_object_object_get_ex(json_in, "qmdate", &string_obj); mdate_utime = json_object_get_string(string_obj); if ( mdate_utime != NULL ) { snprintf(tmp, sizeof(tmp), "%s", mdate_utime); strtok_r(tmp, "\"", &saveptr); mdate_utime_u32 = atol(strtok_r(NULL, "\"", &saveptr)); } else { Sagan_Log(WARN, "Bluedot return a bad qmdate."); } } else if ( type == BLUEDOT_LOOKUP_HASH ) { json_object_object_get_ex(json_in, "qhashcode", &string_obj); cat = json_object_get_string(string_obj); } else if ( type == BLUEDOT_LOOKUP_URL ) { json_object_object_get_ex(json_in, "qurlcode", &string_obj); cat = json_object_get_string(string_obj); } else if ( type == BLUEDOT_LOOKUP_FILENAME ) { json_object_object_get_ex(json_in, "qfilenamecode", &string_obj); cat = json_object_get_string(string_obj); } if ( cat == NULL ) { Sagan_Log(WARN, "Bluedot return a qipcode category."); pthread_mutex_lock(&SaganProcBluedotWorkMutex); counters->bluedot_error_count++; // DEBUG <- Total error count pthread_mutex_unlock(&SaganProcBluedotWorkMutex); Sagan_Bluedot_Clean_Queue(data, type, ip); return(false); } /* strtok_r() doesn't like const char *cat */ snprintf(cattmp, sizeof(cattmp), "%s", cat); strtok_r(cattmp, "\"", &saveptr); bluedot_alertid = atoi(strtok_r(NULL, "\"", &saveptr)); if ( debug->debugbluedot) { Sagan_Log(DEBUG, "[%s, line %d] Bluedot return category \"%d\" for %s. 
[cdate: %d / mdate: %d]", __FILE__, __LINE__, bluedot_alertid, data, cdate_utime_u32, mdate_utime_u32); } if ( bluedot_alertid == -1 ) { Sagan_Log(WARN, "Bluedot reports an invalid API key. Lookup aborted!"); counters->bluedot_error_count++; return(false); } /************************************************************************/ /* Add entries to cache */ /************************************************************************/ /* IP Address lookup */ if ( type == BLUEDOT_LOOKUP_IP ) { pthread_mutex_lock(&SaganProcBluedotIPWorkMutex); bluedot_ip_update = 1; SaganBluedotIPCache = (_Sagan_Bluedot_IP_Cache *) realloc(SaganBluedotIPCache, (counters->bluedot_ip_cache_count+1) * sizeof(_Sagan_Bluedot_IP_Cache)); if ( SaganBluedotIPCache == NULL ) { Sagan_Log(ERROR, "[%s, line %d] Failed to reallocate memory for SaganBluedotIPCache. Abort!", __FILE__, __LINE__); } /* Store data into cache */ memcpy(SaganBluedotIPCache[counters->bluedot_ip_cache_count].ip, ip_convert, MAXIPBIT); SaganBluedotIPCache[counters->bluedot_ip_cache_count].cache_utime = epoch_time; /* store utime */ SaganBluedotIPCache[counters->bluedot_ip_cache_count].cdate_utime = cdate_utime_u32; SaganBluedotIPCache[counters->bluedot_ip_cache_count].mdate_utime = mdate_utime_u32; SaganBluedotIPCache[counters->bluedot_ip_cache_count].alertid = bluedot_alertid; counters->bluedot_ip_total++; counters->bluedot_ip_cache_count++; bluedot_ip_update = 0; pthread_mutex_unlock(&SaganProcBluedotIPWorkMutex); if ( bluedot_alertid != 0 && rulestruct[rule_position].bluedot_mdate_effective_period != 0 ) { if ( ( epoch_time - mdate_utime_u32 ) > rulestruct[rule_position].bluedot_mdate_effective_period ) { if ( debug->debugbluedot ) { Sagan_Log(DEBUG, "[%s, line %d] qmdate for %s is over %d seconds. 
Not alerting.", __FILE__, __LINE__, data, rulestruct[rule_position].bluedot_mdate_effective_period); } pthread_mutex_lock(&SaganProcBluedotWorkMutex); counters->bluedot_mdate++; pthread_mutex_unlock(&SaganProcBluedotWorkMutex); bluedot_alertid = 0; } } else if ( bluedot_alertid != 0 && rulestruct[rule_position].bluedot_cdate_effective_period != 0 ) { if ( ( epoch_time - cdate_utime_u32 ) > rulestruct[rule_position].bluedot_cdate_effective_period ) { if ( debug->debugbluedot ) { Sagan_Log(DEBUG, "[%s, line %d] qcdate for %s is over %d seconds. Not alerting.", __FILE__, __LINE__, data, rulestruct[rule_position].bluedot_cdate_effective_period); } pthread_mutex_lock(&SaganProcBluedotWorkMutex); counters->bluedot_cdate++; pthread_mutex_unlock(&SaganProcBluedotWorkMutex); bluedot_alertid = 0; } } } /* File hash lookup */ else if ( type == BLUEDOT_LOOKUP_HASH ) { pthread_mutex_lock(&SaganProcBluedotHashWorkMutex); bluedot_hash_update = 1; counters->bluedot_hash_total++; SaganBluedotHashCache = (_Sagan_Bluedot_Hash_Cache *) realloc(SaganBluedotHashCache, (counters->bluedot_hash_cache_count+1) * sizeof(_Sagan_Bluedot_Hash_Cache)); if ( SaganBluedotHashCache == NULL ) { Sagan_Log(ERROR, "[%s, line %d] Failed to reallocate memory for SaganBluedotHashCache. 
Abort!", __FILE__, __LINE__); } strlcpy(SaganBluedotHashCache[counters->bluedot_hash_cache_count].hash, data, sizeof(SaganBluedotHashCache[counters->bluedot_hash_cache_count].hash)); SaganBluedotHashCache[counters->bluedot_hash_cache_count].cache_utime = epoch_time; SaganBluedotHashCache[counters->bluedot_hash_cache_count].alertid = bluedot_alertid; counters->bluedot_hash_cache_count++; bluedot_hash_update = 0; pthread_mutex_unlock(&SaganProcBluedotHashWorkMutex); } /* URL lookup */ else if ( type == BLUEDOT_LOOKUP_URL ) { pthread_mutex_lock(&SaganProcBluedotURLWorkMutex); bluedot_url_update = 1; counters->bluedot_url_total++; SaganBluedotURLCache = (_Sagan_Bluedot_URL_Cache *) realloc(SaganBluedotURLCache, (counters->bluedot_url_cache_count+1) * sizeof(_Sagan_Bluedot_URL_Cache)); if ( SaganBluedotURLCache == NULL ) { Sagan_Log(ERROR, "[%s, line %d] Failed to reallocate memory for SaganBluedotURLCache. Abort!", __FILE__, __LINE__); } strlcpy(SaganBluedotURLCache[counters->bluedot_url_cache_count].url, data, sizeof(SaganBluedotURLCache[counters->bluedot_url_cache_count].url)); SaganBluedotURLCache[counters->bluedot_url_cache_count].cache_utime = epoch_time; SaganBluedotURLCache[counters->bluedot_url_cache_count].alertid = bluedot_alertid; counters->bluedot_url_cache_count++; bluedot_url_update = 0; pthread_mutex_unlock(&SaganProcBluedotURLWorkMutex); } /* Filename Lookup */ else if ( type == BLUEDOT_LOOKUP_FILENAME ) { pthread_mutex_lock(&SaganProcBluedotFilenameWorkMutex); bluedot_filename_update = 1; counters->bluedot_filename_total++; SaganBluedotFilenameCache = (_Sagan_Bluedot_Filename_Cache *) realloc(SaganBluedotFilenameCache, (counters->bluedot_filename_cache_count+1) * sizeof(_Sagan_Bluedot_Filename_Cache)); if ( SaganBluedotFilenameCache == NULL ) { Sagan_Log(ERROR, "[%s, line %d] Failed to reallocate memory for SaganBluedotFilenameCache. 
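Abort!", __FILE__, __LINE__);
        }

        /* Store the answer for this filename so the next lookup of the same
         * string is served from SaganBluedotFilenameCache instead of the API. */
        strlcpy(SaganBluedotFilenameCache[counters->bluedot_filename_cache_count].filename, data, sizeof(SaganBluedotFilenameCache[counters->bluedot_filename_cache_count].filename));
        SaganBluedotFilenameCache[counters->bluedot_filename_cache_count].cache_utime = epoch_time;
        SaganBluedotFilenameCache[counters->bluedot_filename_cache_count].alertid = bluedot_alertid;
        counters->bluedot_filename_cache_count++;
        bluedot_filename_update = 0;
        pthread_mutex_unlock(&SaganProcBluedotFilenameWorkMutex);
    }

    /* NOTE(review): the BLUEDOT_LOOKUP_FILENAME enqueue path earlier in this
     * function copies the new entry into
     * SaganBluedotHashQueue[bluedot_filename_queue].hash rather than
     * SaganBluedotFilenameQueue[bluedot_filename_queue].filename.
     * bluedot_filename_queue is independent of bluedot_hash_queue, so that
     * write is indexed against the wrong allocation and can land past the end
     * of the hash queue; it also leaves the filename queue entry unset, so the
     * "already being looked up" check for filenames compares against data that
     * was never written. Sagan_Bluedot_Clean_Queue() is assumed to remove the
     * entry for this (data, type) pair - confirm it handles the filename type. */
    Sagan_Bluedot_Clean_Queue(data, type, ip);	/* Remove item for "queue" */
    json_object_put(json_in);			/* Clear json_in as we're done with it */

    return(bluedot_alertid);
}

/***************************************************************************
 * Sagan_Bluedot_Cat_Compare - Takes the Bluedot query results and
 * compares to what the rule is looking for.
 *
 * bluedot_results - category number returned by Sagan_Bluedot_Lookup()
 * rule_position   - index into rulestruct[] of the rule being evaluated
 * type            - BLUEDOT_LOOKUP_IP / _HASH / _URL / _FILENAME; selects
 *                   which category list of the rule is consulted
 *
 * Returns true on the first category that equals bluedot_results (and bumps
 * the per-type positive-hit counter under SaganProcBluedotWorkMutex),
 * otherwise false. An unrecognised type also yields false.
 ***************************************************************************/

int Sagan_Bluedot_Cat_Compare ( unsigned char bluedot_results, int rule_position, unsigned char type )
{

    int i;

    if ( type == BLUEDOT_LOOKUP_IP )
        {
            for ( i = 0; i < rulestruct[rule_position].bluedot_ip_cat_count; i++ )
                {
                    if ( bluedot_results == rulestruct[rule_position].bluedot_ip_cats[i] )
                        {
                            pthread_mutex_lock(&SaganProcBluedotWorkMutex);
                            counters->bluedot_ip_positive_hit++;
                            pthread_mutex_unlock(&SaganProcBluedotWorkMutex);
                            return(true);
                        }
                }
            return(false);
        }

    if ( type == BLUEDOT_LOOKUP_HASH )
        {
            for ( i = 0; i < rulestruct[rule_position].bluedot_hash_cat_count; i++ )
                {
                    if ( bluedot_results == rulestruct[rule_position].bluedot_hash_cats[i] )
                        {
                            pthread_mutex_lock(&SaganProcBluedotWorkMutex);
                            counters->bluedot_hash_positive_hit++;
                            pthread_mutex_unlock(&SaganProcBluedotWorkMutex);
                            return(true);
                        }
                }
            return(false);
        }

    if ( type == BLUEDOT_LOOKUP_URL )
        {
            for ( i = 0; i < rulestruct[rule_position].bluedot_url_cat_count; i++ )
                {
                    if ( bluedot_results == rulestruct[rule_position].bluedot_url_cats[i] )
                        {
                            pthread_mutex_lock(&SaganProcBluedotWorkMutex);
                            counters->bluedot_url_positive_hit++;
                            pthread_mutex_unlock(&SaganProcBluedotWorkMutex);
                            return(true);
                        }
                }
            return(false);
        }

    if ( type == BLUEDOT_LOOKUP_FILENAME )
        {
            for ( i = 0; i < rulestruct[rule_position].bluedot_filename_cat_count; i++ )
                {
                    if ( bluedot_results == rulestruct[rule_position].bluedot_filename_cats[i] )
                        {
                            pthread_mutex_lock(&SaganProcBluedotWorkMutex);
                            counters->bluedot_filename_positive_hit++;
                            pthread_mutex_unlock(&SaganProcBluedotWorkMutex);
                            return(true);
                        }
                }
            return(false);
        }

    return(false);
}

/***************************************************************************
 * Sagan_Bluedot_IP_Lookup_All - Runs a Bluedot IP query for every address
 * the parser already placed in lookup_cache[] and returns true as soon as
 * one of them falls into a category the rule lists.
 *
 * syslog_message    - not read here; kept for interface compatibility
 * rule_position     - index into rulestruct[] of the rule being evaluated
 * lookup_cache      - addresses (text + binary form) extracted from the message
 * lookup_cache_size - number of valid entries in lookup_cache
 *
 * Returns true on the first positive category match, false if none match.
 ***************************************************************************/

int Sagan_Bluedot_IP_Lookup_All ( char *syslog_message, int rule_position, _Sagan_Lookup_Cache_Entry *lookup_cache, int lookup_cache_size )
{

    int i;

    unsigned char bluedot_results;
    sbool bluedot_flag;

    for (i = 0; i < lookup_cache_size; i++)
        {

            bluedot_results = Sagan_Bluedot_Lookup(lookup_cache[i].ip, BLUEDOT_LOOKUP_IP, rule_position, lookup_cache[i].ip_bits);
            bluedot_flag = Sagan_Bluedot_Cat_Compare( bluedot_results, rule_position, BLUEDOT_LOOKUP_IP );

            if ( bluedot_flag == 1 )
                {
                    return(true);
                }

        }

    return(false);
}

/***************************************************************************
 * Sagan_Verify_Categories - Resolves the comma separated category names of
 * a rule's bluedot option against SaganBluedotCatList[] and stores the
 * matching category numbers in the rule's per-type category array.
 *
 * categories  - comma separated list from the rule file. Modified in place
 *               (strtok_r(), Remove_Spaces() and To_LowerC() all write to it).
 * rule_number - index into rulestruct[] of the rule being loaded
 * ruleset     - rule file name, for diagnostics only
 * linecount   - line in the rule file, for diagnostics only
 * type        - BLUEDOT_LOOKUP_IP / _HASH / _URL; selects the target array
 *
 * An unknown category name is fatal (Sagan_Log(ERROR, ...)).
 ***************************************************************************/

void Sagan_Verify_Categories( char *categories, int rule_number, const char *ruleset, int linecount, unsigned char type )
{

    char tmp2[64];
    char *tmptoken;
    char *saveptrrule;

    int i;
    sbool found;

    tmptoken = strtok_r(categories, "," , &saveptrrule);

    while ( tmptoken != NULL )
        {

            /* tmp2 keeps the token as written in the rule so the error
             * message below shows it before normalisation. */
            strlcpy(tmp2, tmptoken, sizeof(tmp2));

            Remove_Spaces(tmptoken);
            To_LowerC(tmptoken);

            found = 0;

            for ( i = 0; i < counters->bluedot_cat_count; i++ )
                {

                    if (!strcmp(SaganBluedotCatList[i].cat, tmptoken))
                        {
                            found = 1;

                            /* NOTE(review): the three bounds below are inclusive,
                             * so the count may reach BLUEDOT_MAX_CAT and the store
                             * then writes index BLUEDOT_MAX_CAT. If the
                             * bluedot_*_cats arrays are declared with BLUEDOT_MAX_CAT
                             * elements (declaration not visible here) that is a
                             * one-past-the-end write and the tests should be "<". */

                            if ( type == BLUEDOT_LOOKUP_IP )
                                {

                                    if ( rulestruct[rule_number].bluedot_ip_cat_count <= BLUEDOT_MAX_CAT )
                                        {
                                            rulestruct[rule_number].bluedot_ip_cats[rulestruct[rule_number].bluedot_ip_cat_count] = SaganBluedotCatList[i].cat_number;
                                            rulestruct[rule_number].bluedot_ip_cat_count++;
                                        }
                                    else
                                        {
                                            Sagan_Log(WARN, "[%s, line %d] To many Bluedot IP catagories detected in %s at line %d", __FILE__, __LINE__, ruleset, linecount);
                                        }
                                }

                            if ( type == BLUEDOT_LOOKUP_HASH )
                                {
                                    if ( rulestruct[rule_number].bluedot_hash_cat_count <= BLUEDOT_MAX_CAT )
                                        {
                                            rulestruct[rule_number].bluedot_hash_cats[rulestruct[rule_number].bluedot_hash_cat_count] = SaganBluedotCatList[i].cat_number;
                                            rulestruct[rule_number].bluedot_hash_cat_count++;
                                        }
                                    else
                                        {
                                            Sagan_Log(WARN, "[%s, line %d] To many Bluedot hash catagories detected in %s at line %d", __FILE__, __LINE__, ruleset, linecount);
                                        }
                                }

                            if ( type == BLUEDOT_LOOKUP_URL )
                                {
                                    if ( rulestruct[rule_number].bluedot_url_cat_count <= BLUEDOT_MAX_CAT )
                                        {
                                            rulestruct[rule_number].bluedot_url_cats[rulestruct[rule_number].bluedot_url_cat_count] = SaganBluedotCatList[i].cat_number;
                                            rulestruct[rule_number].bluedot_url_cat_count++;
                                        }
                                    else
                                        {
                                            Sagan_Log(WARN, "[%s, line %d] To many Bluedot URL catagories detected in %s at line %d", __FILE__, __LINE__, ruleset, linecount);
                                        }
                                }

                            /* NOTE(review): there is no BLUEDOT_LOOKUP_FILENAME branch,
                             * yet Sagan_Bluedot_Cat_Compare() reads
                             * bluedot_filename_cats / bluedot_filename_cat_count. Unless
                             * those are filled elsewhere, filename categories are
                             * accepted (found = 1) but never stored, so such rules can
                             * never match. */
                        }
                }

            if ( found == 0 )
                {
                    Sagan_Log(ERROR, "[%s, line %d] Unknown Bluedot category '%s' found in %s at line %d. Abort!", __FILE__, __LINE__, tmp2, ruleset, linecount);
                }

            tmptoken = strtok_r(NULL, "," , &saveptrrule);
        }

}

#endif

sagan-1.2.0/src/processors/track-clients.h0000644000175000017500000000340613310531444017453 0ustar champchamp/*
** Copyright (C) 2009-2018 Quadrant Information Security
** Copyright (C) 2009-2018 Adam Hall
**
** This program is free software; you can redistribute it and/or modify
** it under the terms of the GNU General Public License Version 2 as
** published by the Free Software Foundation. You may not use, modify or
** distribute this program under any other version of the GNU General
** Public License.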
**
** This program is distributed in the hope that it will be useful,
** but WITHOUT ANY WARRANTY; without even the implied warranty of
** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
** GNU General Public License for more details.
**
** You should have received a copy of the GNU General Public License
** along with this program; if not, write to the Free Software
** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA  02111-1307, USA.
*/

/* sagan-track-clients.h
 *
 * Simple pre-processor that keeps track of reporting syslog clients/agents.
 * Tracking is keyed on the client's IP address, not on normalized fields.
 * If a client/agent hasn't sent a syslog/event message in X minutes, then
 * generate an alert.
 *
 */

/* Identity of this processor as used when it emits its own alert
 * (presumably copied into the alert/event record; generator id 100). */
#define PROCESSOR_NAME "Track_Clients"
#define PROCESSOR_FACILITY "daemon"
#define PROCESSOR_PRIORITY "warning"
#define PROCESSOR_PRI 1
#define PROCESSOR_CLASS "None"
#define PROCESSOR_REV "0"
#define PROCESSOR_TAG NULL
#define PROCESSOR_GENERATOR_ID 100

void Track_Clients_Thread_Init ( void );
void Track_Clients_Thread ( void );

/* Included after the prototypes above; the struct below needs MAXIPBIT and
 * sbool from it. */
#include "../sagan-defs.h"

typedef struct _Sagan_Track_Clients_IPC _Sagan_Track_Clients_IPC;

/* One tracked syslog client/agent. The _IPC suffix suggests these records
 * live in the shared (IPC) tables - confirm against Track_Clients(). */
struct _Sagan_Track_Clients_IPC
{
    unsigned char hostbits[MAXIPBIT];	/* Client address, MAXIPBIT bytes; the same binary form IP2Bit() produces elsewhere in Sagan */
    long utime;				/* presumably epoch time of the last message seen from this client - verify in track-clients.c */
    int expire;				/* presumably the inactivity window ("X minutes" above) in seconds or minutes - verify */
    sbool status;			/* presumably whether the client is currently flagged as silent/expired - verify */
};

/* Record activity for the client at address "host" (text form). */
void Track_Clients ( char *host );

sagan-1.2.0/src/processors/engine.h0000644000175000017500000000243713310531444016160 0ustar champchamp/*
** Copyright (C) 2009-2018 Quadrant Information Security
** Copyright (C) 2009-2018 Champ Clark III
**
** This program is free software; you can redistribute it and/or modify
** it under the terms of the GNU General Public License Version 2 as
** published by the Free Software Foundation. You may not use, modify or
** distribute this program under any other version of the GNU General
** Public License.
**
** This program is distributed in the hope that it will be useful,
** but WITHOUT ANY WARRANTY; without even the implied warranty of
** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
** GNU General Public License for more details.
**
** You should have received a copy of the GNU General Public License
** along with this program; if not, write to the Free Software
** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA  02111-1307, USA.
*/

/* Identity of the rule engine when it emits an alert (generator id 1);
 * same role as the PROCESSOR_* set in the other processor headers. */
#define SAGAN_PROCESSOR_NAME "Sagan_Engine"
#define SAGAN_PROCESSOR_FACILITY "daemon"
#define SAGAN_PROCESSOR_PRIORITY "warning"
#define SAGAN_PROCESSOR_PRI 1
#define SAGAN_PROCESSOR_CLASS "Sagan_Engine"
#define SAGAN_PROCESSOR_REV "1"
#define SAGAN_PROCESSOR_TAG NULL
#define SAGAN_PROCESSOR_GENERATOR_ID 1

/* Run one parsed syslog record through the rule set. The sbool is the
 * dynamic_rule_flag (see engine.c): when true, DYNAMIC_RULE rules are
 * evaluated in addition to NORMAL_RULE ones. */
int Sagan_Engine ( _Sagan_Proc_Syslog *, sbool );
void Sagan_Engine_Init ( void );

sagan-1.2.0/src/processors/engine.c0000644000175000017500000024324513310531444016157 0ustar champchamp/*
** Copyright (C) 2009-2018 Quadrant Information Security
** Copyright (C) 2009-2018 Champ Clark III
**
** This program is free software; you can redistribute it and/or modify
** it under the terms of the GNU General Public License Version 2 as
** published by the Free Software Foundation. You may not use, modify or
** distribute this program under any other version of the GNU General
** Public License.
**
** This program is distributed in the hope that it will be useful,
** but WITHOUT ANY WARRANTY; without even the implied warranty of
** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
** GNU General Public License for more details.
**
** You should have received a copy of the GNU General Public License
** along with this program; if not, write to the Free Software
** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA  02111-1307, USA.
*/

/* engine.c
 *
 * Threaded engine that looks for events & patterns based on 'Snort like'
 * rules.
* */ #ifdef HAVE_CONFIG_H #include "config.h" /* From autoconf */ #endif #include #include #include #include #include #include #include #include #include "sagan.h" #include "sagan-defs.h" #include "aetas.h" #include "meta-content.h" #include "send-alert.h" #include "xbit.h" #include "xbit-mmap.h" #include "rules.h" #include "sagan-config.h" #include "ipc.h" #include "flow.h" #include "after.h" #include "threshold.h" #include "parsers/parsers.h" #include "processors/engine.h" #include "processors/bro-intel.h" #include "processors/blacklist.h" #include "processors/dynamic-rules.h" #ifdef WITH_BLUEDOT #include "processors/bluedot.h" #endif #ifdef HAVE_LIBLOGNORM #include "liblognormalize.h" #endif #ifdef HAVE_LIBMAXMINDDB #include "geoip2.h" #endif struct _SaganCounters *counters; struct _Rule_Struct *rulestruct; struct _SaganDebug *debug; struct _SaganConfig *config; struct _Sagan_IPC_Counters *counters_ipc; pthread_mutex_t CounterFollowFlowDrop=PTHREAD_MUTEX_INITIALIZER; pthread_mutex_t CountersFlowFlowTotal=PTHREAD_MUTEX_INITIALIZER; pthread_mutex_t CountersGeoIPHit=PTHREAD_MUTEX_INITIALIZER; pthread_mutex_t CounterSaganFoundMutex=PTHREAD_MUTEX_INITIALIZER; void Sagan_Engine_Init ( void ) { /* Nothing to do yet */ } int Sagan_Engine ( _Sagan_Proc_Syslog *SaganProcSyslog_LOCAL, sbool dynamic_rule_flag ) { struct _Sagan_Processor_Info *processor_info_engine = NULL; processor_info_engine = malloc(sizeof(struct _Sagan_Processor_Info)); if ( processor_info_engine == NULL ) { Sagan_Log(ERROR, "[%s, line %d] Failed to allocate memory for processor_info_engine. Abort!", __FILE__, __LINE__); } memset(processor_info_engine, 0, sizeof(_Sagan_Processor_Info)); //static __thread struct _Sagan_Lookup_Cache_Entry *lookup_cache = NULL; struct _Sagan_Lookup_Cache_Entry *lookup_cache = NULL; lookup_cache = malloc(sizeof(struct _Sagan_Lookup_Cache_Entry) * MAX_PARSE_IP); if ( lookup_cache == NULL ) { Sagan_Log(ERROR, "[%s, line %d] Failed to allocate memory for lookup_cache. 
Abort!", __FILE__, __LINE__); } memset(lookup_cache, 0, sizeof(_Sagan_Lookup_Cache_Entry)); int processor_info_engine_src_port = 0; int processor_info_engine_dst_port = 0; int processor_info_engine_proto = 0; int processor_info_engine_alertid = 0; sbool after_log_flag = false; sbool thresh_log_flag = false; int threadid = 0; int b = 0; int z = 0; //int i = 0; sbool match = false; int sagan_match = 0; /* Used to determine if all has "matched" (content, pcre, meta_content, etc) */ int rc = 0; int ovector[PCRE_OVECCOUNT]; int alter_num = 0; int meta_alter_num = 0; sbool xbit_return = 0; sbool xbit_count_return = 0; sbool alert_time_trigger = false; sbool check_flow_return = true; /* 1 = match, 0 = no match */ char *ptmp; char *tok2; char *pnormalize_selector = NULL; char parse_ip_src[MAXIP] = { 0 }; char parse_ip_dst[MAXIP] = { 0 }; char parse_md5_hash[MD5_HASH_SIZE+1] = { 0 }; char parse_sha1_hash[SHA1_HASH_SIZE+1] = { 0 }; char parse_sha256_hash[SHA256_HASH_SIZE+1] = { 0 }; sbool ip_src_flag = false; uint32_t ip_srcport_u32; unsigned char ip_src_bits[MAXIPBIT] = { 0 }; sbool ip_dst_flag = false; uint32_t ip_dstport_u32 = 0; unsigned char ip_dst_bits[MAXIPBIT] = { 0 }; char tmpbuf[128]; char s_msg[1024]; char alter_content[MAX_SYSLOGMSG]; char meta_alter_content[MAX_SYSLOGMSG]; struct timeval tp; unsigned char proto = 0; int lookup_cache_size = 0; sbool brointel_results = false; sbool blacklist_results = false; char *ip_src = NULL; char *ip_dst = NULL; char *md5_hash = NULL; char *sha1_hash = NULL; char *sha256_hash = NULL; /* These do not need to be reset each time as they are _only_ * set through normalize */ char *normalize_username = NULL; char *normalize_filename = NULL; char *normalize_http_uri = NULL; char *normalize_http_hostname = NULL; #ifdef HAVE_LIBMAXMINDDB sbool geoip2_return = false; sbool geoip2_isset = false; #endif #ifdef WITH_BLUEDOT unsigned char bluedot_results = 0; sbool bluedot_ip_flag = 0; sbool bluedot_hash_flag = 0; sbool bluedot_url_flag = 
0; sbool bluedot_filename_flag = 0; #endif #ifdef HAVE_LIBLOGNORM static __thread struct _SaganNormalizeLiblognorm SaganNormalizeLiblognorm = { { 0 } }; memset((char *)&SaganNormalizeLiblognorm, 0, sizeof(struct _SaganNormalizeLiblognorm)); #endif /* This needs to be included, even if liblognorm isn't in use */ sbool liblognorm_status = 0; json_object *json_normalize = NULL; /* Search for matches */ /* First we search for 'program' and such. This way, we don't waste CPU * time with pcre/content. */ for(b=0; b < counters->rulecount; b++) { ip_src_flag = false; ip_dst_flag = false; parse_ip_src[0] = '\0'; parse_ip_dst[0] = '\0'; parse_md5_hash[0] = '\0'; parse_sha1_hash[0] = '\0'; parse_sha256_hash[0] = '\0'; ip_src = parse_ip_src; ip_dst = parse_ip_dst; md5_hash = parse_md5_hash; sha1_hash = parse_sha1_hash; sha256_hash = parse_sha256_hash; ip_dstport_u32 = 0; ip_srcport_u32 = 0; memset(ip_src_bits, 0, sizeof(ip_src_bits)); memset(ip_dst_bits, 0, sizeof(ip_dst_bits)); /* Process "normal" rules. 
Skip dynamic rules if it's not time to process them */ if ( rulestruct[b].type == NORMAL_RULE || ( rulestruct[b].type == DYNAMIC_RULE && dynamic_rule_flag == true ) ) { match = false; if ( strcmp(rulestruct[b].s_program, "" )) { strlcpy(tmpbuf, rulestruct[b].s_program, sizeof(tmpbuf)); ptmp = strtok_r(tmpbuf, "|", &tok2); match = true; while ( ptmp != NULL ) { if ( Wildcard(ptmp, SaganProcSyslog_LOCAL->syslog_program) == 1 ) { match = false; } ptmp = strtok_r(NULL, "|", &tok2); } } if ( strcmp(rulestruct[b].s_facility, "" )) { strlcpy(tmpbuf, rulestruct[b].s_facility, sizeof(tmpbuf)); ptmp = strtok_r(tmpbuf, "|", &tok2); match = true; while ( ptmp != NULL ) { if (!strcmp(ptmp, SaganProcSyslog_LOCAL->syslog_facility)) { match = false; } ptmp = strtok_r(NULL, "|", &tok2); } } if ( strcmp(rulestruct[b].s_syspri, "" )) { strlcpy(tmpbuf, rulestruct[b].s_syspri, sizeof(tmpbuf)); ptmp = strtok_r(tmpbuf, "|", &tok2); match = true; while ( ptmp != NULL ) { if (!strcmp(ptmp, SaganProcSyslog_LOCAL->syslog_priority)) { match = false; } ptmp = strtok_r(NULL, "|", &tok2); } } if ( strcmp(rulestruct[b].s_level, "" )) { strlcpy(tmpbuf, rulestruct[b].s_level, sizeof(tmpbuf)); ptmp = strtok_r(tmpbuf, "|", &tok2); match = true; while ( ptmp != NULL ) { if (!strcmp(ptmp, SaganProcSyslog_LOCAL->syslog_level)) { match = false; } ptmp = strtok_r(NULL, "|", &tok2); } } if ( strcmp(rulestruct[b].s_tag, "" )) { strlcpy(tmpbuf, rulestruct[b].s_tag, sizeof(tmpbuf)); ptmp = strtok_r(tmpbuf, "|", &tok2); match = true; while ( ptmp != NULL ) { if (!strcmp(ptmp, SaganProcSyslog_LOCAL->syslog_tag)) { match = false; } ptmp = strtok_r(NULL, "|", &tok2); } } /* If there has been a match above, or NULL on all, then we continue with * PCRE/content search */ /* Search via strstr (content:) */ if ( match == false ) { if ( rulestruct[b].content_count != 0 ) { for(z=0; zsyslog_message) > rulestruct[b].s_offset[z] ) { alter_num = strlen(SaganProcSyslog_LOCAL->syslog_message) - rulestruct[b].s_offset[z]; 
strlcpy(alter_content, SaganProcSyslog_LOCAL->syslog_message + (strlen(SaganProcSyslog_LOCAL->syslog_message) - alter_num), alter_num + 1); } else { alter_content[0] = '\0'; /* The offset is larger than the message. Set content too NULL */ } } else { strlcpy(alter_content, SaganProcSyslog_LOCAL->syslog_message, sizeof(alter_content)); } /* Content: DEPTH */ if ( rulestruct[b].s_depth[z] != 0 ) { /* We do +2 to account for alter_count[0] and whitespace at the begin of syslog message */ strlcpy(alter_content, alter_content, rulestruct[b].s_depth[z] + 2); } /* Content: DISTANCE */ if ( rulestruct[b].s_distance[z] != 0 ) { alter_num = strlen(SaganProcSyslog_LOCAL->syslog_message) - ( rulestruct[b].s_depth[z-1] + rulestruct[b].s_distance[z] + 1); strlcpy(alter_content, SaganProcSyslog_LOCAL->syslog_message + (strlen(SaganProcSyslog_LOCAL->syslog_message) - alter_num), alter_num + 1); /* Content: WITHIN */ if ( rulestruct[b].s_within[z] != 0 ) { strlcpy(alter_content, alter_content, rulestruct[b].s_within[z] + 1); } } /* If case insensitive */ if ( rulestruct[b].s_nocase[z] == 1 ) { if (rulestruct[b].content_not[z] != 1 && Sagan_stristr(alter_content, rulestruct[b].s_content[z], false)) { sagan_match++; } else { /* for content: ! */ if ( rulestruct[b].content_not[z] == 1 && !Sagan_stristr(alter_content, rulestruct[b].s_content[z], false)) sagan_match++; } } else { /* If case sensitive */ if ( rulestruct[b].content_not[z] != 1 && Sagan_strstr(alter_content, rulestruct[b].s_content[z] )) { sagan_match++; } else { /* for content: ! */ if ( rulestruct[b].content_not[z] == 1 && !Sagan_strstr(alter_content, rulestruct[b].s_content[z])) sagan_match++; } } } } /* Search via PCRE */ /* Note: We verify each "step" has succeeded before function execution. For example, * if there is a "content", but that has failed, there is no point in doing the * pcre or meta_content. 
*/ if ( rulestruct[b].pcre_count != 0 && sagan_match == rulestruct[b].content_count ) { for(z=0; zsyslog_message, (int)strlen(SaganProcSyslog_LOCAL->syslog_message), 0, 0, ovector, PCRE_OVECCOUNT); if ( rc > 0 ) { sagan_match++; } } /* End of pcre if */ } /* Search via meta_content */ if ( rulestruct[b].meta_content_count != 0 && sagan_match == rulestruct[b].content_count + rulestruct[b].pcre_count ) { for (z=0; zsyslog_message) > rulestruct[b].meta_offset[z] ) { meta_alter_num = strlen(SaganProcSyslog_LOCAL->syslog_message) - rulestruct[b].meta_offset[z]; strlcpy(meta_alter_content, SaganProcSyslog_LOCAL->syslog_message + (strlen(SaganProcSyslog_LOCAL->syslog_message) - meta_alter_num), meta_alter_num + 1); } else { meta_alter_content[0] = '\0'; /* The offset is larger than the message. Set meta_content too NULL */ } } else { strlcpy(meta_alter_content, SaganProcSyslog_LOCAL->syslog_message, sizeof(meta_alter_content)); } /* Meta_content: DEPTH */ if ( rulestruct[b].meta_depth[z] != 0 ) { /* We do +2 to account for alter_count[0] and whitespace at the begin of syslog message */ strlcpy(meta_alter_content, meta_alter_content, rulestruct[b].meta_depth[z] + 2); } /* Meta_content: DISTANCE */ if ( rulestruct[b].meta_distance[z] != 0 ) { meta_alter_num = strlen(SaganProcSyslog_LOCAL->syslog_message) - ( rulestruct[b].meta_depth[z-1] + rulestruct[b].meta_distance[z] + 1 ); strlcpy(meta_alter_content, SaganProcSyslog_LOCAL->syslog_message + (strlen(SaganProcSyslog_LOCAL->syslog_message) - meta_alter_num), meta_alter_num + 1); /* Meta_ontent: WITHIN */ if ( rulestruct[b].meta_within[z] != 0 ) { strlcpy(meta_alter_content, meta_alter_content, rulestruct[b].meta_within[z] + 1); } } rc = Meta_Content_Search(meta_alter_content, b, z); if ( rc == 1 ) { sagan_match++; } } } } /* End of content: & pcre */ /* if you got match */ if ( sagan_match == rulestruct[b].pcre_count + rulestruct[b].content_count + rulestruct[b].meta_content_count ) { gettimeofday(&tp, 0); /* Store event 
time as soon as we get a match */ if ( match == false ) { #ifdef HAVE_LIBLOGNORM if ( liblognorm_status == 0 && rulestruct[b].normalize == 1 ) { /* Set that normalization has been tried work isn't repeated */ liblognorm_status = -1; json_normalize = Normalize_Liblognorm(SaganProcSyslog_LOCAL->syslog_message, &SaganNormalizeLiblognorm); if ( SaganNormalizeLiblognorm.ip_src[0] != '0' || SaganNormalizeLiblognorm.ip_dst[0] != '0' || SaganNormalizeLiblognorm.src_port != 0 || SaganNormalizeLiblognorm.dst_port != 0 || SaganNormalizeLiblognorm.hash_sha1[0] != '\0' || SaganNormalizeLiblognorm.hash_sha256[0] != '\0' || SaganNormalizeLiblognorm.hash_md5[0] != '\0' ) { liblognorm_status = 1; } /* These are _only_ set here */ if ( SaganNormalizeLiblognorm.username[0] != '\0' ) { liblognorm_status = 1; normalize_username = SaganNormalizeLiblognorm.username; } if ( config->selector_flag && SaganNormalizeLiblognorm.selector[0] != '\0' ) { liblognorm_status = 1; pnormalize_selector = SaganNormalizeLiblognorm.username; } if ( SaganNormalizeLiblognorm.http_uri[0] != '\0' ) { liblognorm_status = 1; normalize_http_uri = SaganNormalizeLiblognorm.http_uri; } if ( SaganNormalizeLiblognorm.filename[0] != '\0' ) { liblognorm_status = 1; normalize_filename = SaganNormalizeLiblognorm.filename; } } if ( liblognorm_status == 1 && rulestruct[b].normalize == 1 ) { if ( SaganNormalizeLiblognorm.ip_src[0] != '0') { ip_src_flag = true; ip_src = SaganNormalizeLiblognorm.ip_src; if ( !strcmp(ip_src, "127.0.0.1") || !strcmp(ip_src, "::1" ) || !strcmp(ip_src, "::ffff:127.0.0.1" ) ) { ip_src = SaganProcSyslog_LOCAL->syslog_host; ip_src_flag = false; } else { IP2Bit(ip_src, ip_src_bits); } } if ( SaganNormalizeLiblognorm.ip_dst[0] != '0' ) { ip_dst_flag = true; ip_dst = SaganNormalizeLiblognorm.ip_dst; if ( !strcmp(ip_dst, "127.0.0.1") || !strcmp(ip_dst, "::1" ) || !strcmp(ip_dst, "::ffff:127.0.0.1" ) ) { ip_dst = SaganProcSyslog_LOCAL->syslog_host; ip_dst_flag = false; } else { IP2Bit(ip_dst, 
ip_dst_bits); } } if ( SaganNormalizeLiblognorm.src_port != 0 ) { ip_srcport_u32 = SaganNormalizeLiblognorm.src_port; } if ( SaganNormalizeLiblognorm.dst_port != 0 ) { ip_dstport_u32 = SaganNormalizeLiblognorm.dst_port; } if ( SaganNormalizeLiblognorm.hash_md5[0] != '\0' ) { md5_hash = SaganNormalizeLiblognorm.hash_md5; } if ( SaganNormalizeLiblognorm.hash_sha1[0] != '\0' ) { sha1_hash = SaganNormalizeLiblognorm.hash_sha1; } if ( SaganNormalizeLiblognorm.hash_sha256[0] != '\0' ) { sha256_hash = SaganNormalizeLiblognorm.hash_sha256; } } #endif /* Normalization should always over ride parse_src_ip/parse_dst_ip/parse_port, * _unless_ liblognorm fails and both are in a rule or liblognorm failed to get src or dst */ /* parse_src_ip: {position} - Parse_IP build a cache table for IPs, ports, etc. This way, we only parse the syslog string one time regardless of the rule options! */ if ( rulestruct[b].s_find_src_ip == 1 || rulestruct[b].s_find_src_ip == 1 || rulestruct[b].blacklist_ipaddr_all == 1 || rulestruct[b].s_find_proto == 1 || #ifdef WITH_BLUEDOT rulestruct[b].bluedot_ipaddr_type == 4 || #endif rulestruct[b].brointel_ipaddr_all == 1 ) { lookup_cache_size = Parse_IP(SaganProcSyslog_LOCAL->syslog_message, lookup_cache ); } if ( ip_src_flag == false && rulestruct[b].s_find_src_ip == true ) { if ( lookup_cache[rulestruct[b].s_find_src_pos-1].status == 1 ) { memcpy(parse_ip_src, lookup_cache[rulestruct[b].s_find_src_pos-1].ip, MAXIP ); memcpy(ip_src_bits, lookup_cache[rulestruct[b].s_find_src_pos-1].ip_bits, MAXIPBIT); ip_src = parse_ip_src; if ( !strcmp(ip_src, "127.0.0.1") || !strcmp(ip_src, "::1" ) || !strcmp(ip_src, "::ffff:127.0.0.1" ) ) { ip_src = SaganProcSyslog_LOCAL->syslog_host; ip_src_flag = false; } ip_srcport_u32 = lookup_cache[rulestruct[b].s_find_src_pos-1].port; proto = lookup_cache[0].proto; ip_src_flag = true; } } /* parse_dst_ip: {postion} */ if ( ip_dst_flag == false && rulestruct[b].s_find_dst_ip == true ) { if ( 
lookup_cache[rulestruct[b].s_find_dst_pos-1].status == 1 ) { memcpy(parse_ip_dst, lookup_cache[rulestruct[b].s_find_dst_pos-1].ip, MAXIP ); memcpy(ip_dst_bits, lookup_cache[rulestruct[b].s_find_src_pos-1].ip_bits, MAXIPBIT); ip_dst = parse_ip_dst; if ( !strcmp(ip_dst, "127.0.0.1") || !strcmp(ip_dst, "::1" ) || !strcmp(ip_dst, "::ffff:127.0.0.1" ) ) { ip_dst = SaganProcSyslog_LOCAL->syslog_host; ip_dst_flag = false; } ip_dstport_u32 = lookup_cache[rulestruct[b].s_find_dst_pos-1].port; proto = lookup_cache[0].proto; ip_dst_flag = true; } } /* parse_hash: md5 */ if ( parse_md5_hash[0] == '\0' && rulestruct[b].s_find_hash_type == PARSE_HASH_MD5 ) { Parse_Hash(SaganProcSyslog_LOCAL->syslog_message, PARSE_HASH_MD5, parse_md5_hash, sizeof(parse_md5_hash)); md5_hash = parse_md5_hash; } else if ( parse_sha1_hash[0] == '\0' && rulestruct[b].s_find_hash_type == PARSE_HASH_SHA1 ) { Parse_Hash(SaganProcSyslog_LOCAL->syslog_message, PARSE_HASH_SHA1, parse_sha256_hash, sizeof(parse_sha1_hash)); sha1_hash = parse_sha1_hash; } else if ( parse_sha256_hash[0] == '\0' && rulestruct[b].s_find_hash_type == PARSE_HASH_SHA256 ) { Parse_Hash(SaganProcSyslog_LOCAL->syslog_message, PARSE_HASH_SHA256, parse_sha256_hash, sizeof(parse_sha256_hash)); sha256_hash = parse_sha256_hash; } /* DEBUG else if ( sha256_hash[0] == '\0' && rulestruct[b].s_find_hash_type == PARSE_HASH_ALL ) { Parse_Hash(SaganProcSyslog_LOCAL->syslog_message, PARSE_HASH_SHA256, sha256_hash, sizeof(sha256_hash)); sha256_hash = parse_sha256_hash; } */ /* If the rule calls for proto searching, we do it now */ if ( rulestruct[b].s_find_proto_program == true ) { proto = Parse_Proto_Program(SaganProcSyslog_LOCAL->syslog_program); } /* If proto is not searched or has failed, default to whatever the rule told us to use */ if ( ip_src_flag == false ) { if (!strcmp(SaganProcSyslog_LOCAL->syslog_host, "127.0.0.1") || !strcmp(SaganProcSyslog_LOCAL->syslog_host, "::1") || !strcmp(SaganProcSyslog_LOCAL->syslog_host, "::ffff:127.0.0.1") ) 
{ ip_src = config->sagan_host; } else { ip_src = SaganProcSyslog_LOCAL->syslog_host; } IP2Bit(ip_src, ip_src_bits); } if ( ip_dst_flag == false ) { ip_dst = config->sagan_host; IP2Bit(ip_dst, ip_dst_bits); } /* No source port was normalized, Use the rules default */ if ( ip_srcport_u32 == 0 ) { ip_srcport_u32=rulestruct[b].default_src_port; } /* No destination port was normalzied. Use the rules default */ if ( ip_dstport_u32 == 0 ) { ip_dstport_u32=rulestruct[b].default_dst_port; } /* No protocol was normalized. Use the rules default */ if ( proto == 0 ) { proto = rulestruct[b].default_proto; } strlcpy(s_msg, rulestruct[b].s_msg, sizeof(s_msg)); /* Check for flow of rule - has_flow is set as rule loading. It 1, then the rule has some sort of flow. It 0, rule is set any:any/any:any */ if ( rulestruct[b].has_flow == 1 ) { check_flow_return = Check_Flow( b, proto, ip_src_bits, ip_srcport_u32, ip_dst_bits, ip_dstport_u32); if(check_flow_return == false) { pthread_mutex_lock(&CounterFollowFlowDrop); counters->follow_flow_drop++; pthread_mutex_unlock(&CounterFollowFlowDrop); } pthread_mutex_lock(&CountersFlowFlowTotal); counters->follow_flow_total++; pthread_mutex_unlock(&CountersFlowFlowTotal); } /**************************************************************************** * Xbit - ISSET || ISNOTSET ****************************************************************************/ if ( rulestruct[b].xbit_flag ) { if ( rulestruct[b].xbit_condition_count ) { xbit_return = Xbit_Condition(b, ip_src, ip_dst, ip_srcport_u32, ip_dstport_u32, pnormalize_selector); } if ( rulestruct[b].xbit_count_flag ) { xbit_count_return = Xbit_Count(b, ip_src, ip_dst, pnormalize_selector); } } /**************************************************************************** * Country code ****************************************************************************/ #ifdef HAVE_LIBMAXMINDDB if ( rulestruct[b].geoip2_flag ) { if ( ip_src_flag == true && rulestruct[b].geoip2_src_or_dst == 1 ) { 
geoip2_return = GeoIP2_Lookup_Country(ip_src, ip_src_bits, b ); } else if ( ip_dst_flag == true && rulestruct[b].geoip2_src_or_dst == 1 ) { geoip2_return = GeoIP2_Lookup_Country(ip_dst, ip_dst_bits, b ); } if ( geoip2_return == true ) { /* If country IS NOT {my value} return 1 */ if ( rulestruct[b].geoip2_type == 1 ) /* isnot */ { if ( geoip2_return == 1 ) { geoip2_isset = false; } else { geoip2_isset = true; pthread_mutex_lock(&CountersGeoIPHit); counters->geoip2_hit++; pthread_mutex_unlock(&CountersGeoIPHit); } } /* If country IS {my value} return 1 */ else if ( rulestruct[b].geoip2_type == 2 ) /* is */ { if ( geoip2_return == 1 ) { geoip2_isset = true; pthread_mutex_lock(&CountersGeoIPHit); counters->geoip2_hit++; pthread_mutex_unlock(&CountersGeoIPHit); } else { geoip2_isset = false; } } } } #endif /**************************************************************************** * Time based alerting ****************************************************************************/ if ( rulestruct[b].alert_time_flag ) { alert_time_trigger = false; if ( Check_Time(b) ) { alert_time_trigger = true; } } /**************************************************************************** * Blacklist ****************************************************************************/ if ( rulestruct[b].blacklist_flag ) { blacklist_results = false; if ( rulestruct[b].blacklist_ipaddr_src && ip_src_flag ) { blacklist_results = Sagan_Blacklist_IPADDR( ip_src_bits ); } if ( blacklist_results == false && rulestruct[b].blacklist_ipaddr_dst && ip_dst_flag ) { blacklist_results = Sagan_Blacklist_IPADDR( ip_dst_bits ); } if ( blacklist_results == false && rulestruct[b].blacklist_ipaddr_all ) { blacklist_results = Sagan_Blacklist_IPADDR_All(SaganProcSyslog_LOCAL->syslog_message, lookup_cache, lookup_cache_size); } if ( blacklist_results == false && rulestruct[b].blacklist_ipaddr_both && ip_src_flag && ip_dst_flag ) { if ( Sagan_Blacklist_IPADDR( ip_src_bits ) || Sagan_Blacklist_IPADDR( ip_dst_bits 
) ) { blacklist_results = true; } } } #ifdef WITH_BLUEDOT if ( config->bluedot_flag ) { if ( rulestruct[b].bluedot_ipaddr_type ) { bluedot_results = 0; /* 1 == src, 2 == dst, 3 == both, 4 == all */ if ( rulestruct[b].bluedot_ipaddr_type == 1 && ip_src_flag ) { bluedot_results = Sagan_Bluedot_Lookup(ip_src, BLUEDOT_LOOKUP_IP, b, ip_src_bits); bluedot_ip_flag = Sagan_Bluedot_Cat_Compare( bluedot_results, b, BLUEDOT_LOOKUP_IP); } if ( rulestruct[b].bluedot_ipaddr_type == 2 && ip_dst_flag ) { bluedot_results = Sagan_Bluedot_Lookup(ip_dst, BLUEDOT_LOOKUP_IP, b, ip_dst_bits); bluedot_ip_flag = Sagan_Bluedot_Cat_Compare( bluedot_results, b, BLUEDOT_LOOKUP_IP); } if ( rulestruct[b].bluedot_ipaddr_type == 3 && ip_src_flag && ip_dst_flag ) { bluedot_results = Sagan_Bluedot_Lookup(ip_src, BLUEDOT_LOOKUP_IP, b, ip_src_bits ); bluedot_ip_flag = Sagan_Bluedot_Cat_Compare( bluedot_results, b, BLUEDOT_LOOKUP_IP); /* If the source isn't found, then check the dst */ if ( bluedot_ip_flag != 0 ) { bluedot_results = Sagan_Bluedot_Lookup(ip_dst, BLUEDOT_LOOKUP_IP, b, ip_dst_bits); bluedot_ip_flag = Sagan_Bluedot_Cat_Compare( bluedot_results, b, BLUEDOT_LOOKUP_IP); } } if ( lookup_cache_size > 0 && rulestruct[b].bluedot_ipaddr_type == 4 ) { bluedot_ip_flag = Sagan_Bluedot_IP_Lookup_All(SaganProcSyslog_LOCAL->syslog_message, b, lookup_cache, lookup_cache_size ); } } if ( rulestruct[b].bluedot_file_hash && ( md5_hash[0] != '\0' || sha256_hash[0] != '\0' || sha256_hash[0] != '\0') ) { if ( md5_hash[0] != '\0') { bluedot_results = Sagan_Bluedot_Lookup( md5_hash, BLUEDOT_LOOKUP_HASH, b, NULL); bluedot_hash_flag = Sagan_Bluedot_Cat_Compare( bluedot_results, b, BLUEDOT_LOOKUP_HASH); } if ( sha256_hash[0] != '\0' ) { bluedot_results = Sagan_Bluedot_Lookup( sha256_hash, BLUEDOT_LOOKUP_HASH, b, NULL); bluedot_hash_flag = Sagan_Bluedot_Cat_Compare( bluedot_results, b, BLUEDOT_LOOKUP_HASH); } if ( sha256_hash[0] != '\0') { bluedot_results = Sagan_Bluedot_Lookup( sha256_hash, BLUEDOT_LOOKUP_HASH, b, 
NULL); bluedot_hash_flag = Sagan_Bluedot_Cat_Compare( bluedot_results, b, BLUEDOT_LOOKUP_HASH); } } if ( rulestruct[b].bluedot_url && normalize_http_uri != NULL ) { bluedot_results = Sagan_Bluedot_Lookup( normalize_http_uri, BLUEDOT_LOOKUP_URL, b, NULL); bluedot_url_flag = Sagan_Bluedot_Cat_Compare( bluedot_results, b, BLUEDOT_LOOKUP_URL); } if ( rulestruct[b].bluedot_filename && normalize_filename != NULL ) { bluedot_results = Sagan_Bluedot_Lookup( normalize_filename, BLUEDOT_LOOKUP_FILENAME, b, NULL); bluedot_filename_flag = Sagan_Bluedot_Cat_Compare( bluedot_results, b, BLUEDOT_LOOKUP_FILENAME); } /* Do cleanup at the end in case any "hits" above refresh the cache. This why we don't * "delete" an entry only to re-add it! */ Sagan_Bluedot_Check_Cache_Time(); } #endif /**************************************************************************** * Bro Intel ****************************************************************************/ if ( rulestruct[b].brointel_flag ) { brointel_results = false; if ( rulestruct[b].brointel_ipaddr_src && ip_src_flag ) { brointel_results = Sagan_BroIntel_IPADDR( ip_src_bits, ip_src ); } if ( brointel_results == false && rulestruct[b].brointel_ipaddr_dst && ip_dst_flag ) { brointel_results = Sagan_BroIntel_IPADDR( ip_dst_bits, ip_dst ); } if ( brointel_results == false && rulestruct[b].brointel_ipaddr_all ) { brointel_results = Sagan_BroIntel_IPADDR_All ( SaganProcSyslog_LOCAL->syslog_message, lookup_cache, MAX_PARSE_IP); } if ( brointel_results == false && rulestruct[b].brointel_ipaddr_both && ip_src_flag && ip_dst_flag ) { if ( Sagan_BroIntel_IPADDR( ip_src_bits, ip_src ) || Sagan_BroIntel_IPADDR( ip_dst_bits, ip_dst ) ) { brointel_results = true; } } if ( brointel_results == false && rulestruct[b].brointel_domain ) { brointel_results = Sagan_BroIntel_DOMAIN(SaganProcSyslog_LOCAL->syslog_message); } if ( brointel_results == false && rulestruct[b].brointel_file_hash ) { brointel_results = 
Sagan_BroIntel_FILE_HASH(SaganProcSyslog_LOCAL->syslog_message); } if ( brointel_results == false && rulestruct[b].brointel_url ) { brointel_results = Sagan_BroIntel_URL(SaganProcSyslog_LOCAL->syslog_message); } if ( brointel_results == false && rulestruct[b].brointel_software ) { brointel_results = Sagan_BroIntel_SOFTWARE(SaganProcSyslog_LOCAL->syslog_message); } if ( brointel_results == false && rulestruct[b].brointel_user_name ) { brointel_results = Sagan_BroIntel_USER_NAME(SaganProcSyslog_LOCAL->syslog_message); } if ( brointel_results == false && rulestruct[b].brointel_file_name ) { brointel_results = Sagan_BroIntel_FILE_NAME(SaganProcSyslog_LOCAL->syslog_message); } if ( brointel_results == false && rulestruct[b].brointel_cert_hash ) { brointel_results = Sagan_BroIntel_CERT_HASH(SaganProcSyslog_LOCAL->syslog_message); } } /****************************************************************************/ /* Populate the SaganEvent array with the information needed. This info */ /* will be passed to the threads. No need to populate it _if_ we're in a */ /* threshold state. 
*/ /****************************************************************************/ if ( check_flow_return == true ) { /* DEBUG: Had rulestruct[b].xbit_flag */ if ( rulestruct[b].xbit_flag == false || ( rulestruct[b].xbit_set_count && rulestruct[b].xbit_condition_count == 0 ) || ( rulestruct[b].xbit_set_count && rulestruct[b].xbit_condition_count && xbit_return ) || ( rulestruct[b].xbit_set_count == false && rulestruct[b].xbit_condition_count && xbit_return )) { if ( rulestruct[b].xbit_count_flag == false || xbit_count_return == true ) { if ( rulestruct[b].alert_time_flag == false || alert_time_trigger == true ) { #ifdef HAVE_LIBMAXMINDDB if ( rulestruct[b].geoip2_flag == false || geoip2_isset == true ) { #endif if ( rulestruct[b].blacklist_flag == false || blacklist_results == true ) { if ( rulestruct[b].brointel_flag == false || brointel_results == true ) { #ifdef WITH_BLUEDOT if ( config->bluedot_flag == false || rulestruct[b].bluedot_file_hash == false || ( rulestruct[b].bluedot_file_hash == true && bluedot_hash_flag == true )) { if ( config->bluedot_flag == false || rulestruct[b].bluedot_filename == false || ( rulestruct[b].bluedot_filename == true && bluedot_filename_flag == true )) { if ( config->bluedot_flag == false || rulestruct[b].bluedot_url == false || ( rulestruct[b].bluedot_url == true && bluedot_url_flag == true )) { if ( config->bluedot_flag == false || rulestruct[b].bluedot_ipaddr_type == false || ( rulestruct[b].bluedot_ipaddr_type != 0 && bluedot_ip_flag == true )) { #endif /* After */ after_log_flag = false; if ( rulestruct[b].after_method != 0 ) { switch(rulestruct[b].after_method) { case(AFTER_BY_SRC): after_log_flag = After_By_Src(b, ip_src, ip_src_bits, pnormalize_selector, SaganProcSyslog_LOCAL->syslog_message ); break; case(AFTER_BY_DST): after_log_flag = After_By_Dst(b, ip_dst, ip_dst_bits, pnormalize_selector, SaganProcSyslog_LOCAL->syslog_message ); break; case(AFTER_BY_SRCPORT): after_log_flag = After_By_SrcPort(b, ip_srcport_u32, 
pnormalize_selector); break; case(AFTER_BY_DSTPORT): after_log_flag = After_By_DstPort(b, ip_dstport_u32, pnormalize_selector); break; case(AFTER_BY_USERNAME): if ( normalize_username != NULL ) { after_log_flag = After_By_Username(b, normalize_username, pnormalize_selector, SaganProcSyslog_LOCAL->syslog_message ); } } /*switch */ } /* rulestruct[b].after_method != 0 */ thresh_log_flag = false; if ( rulestruct[b].threshold_type != 0 && after_log_flag == false ) { switch( rulestruct[b].threshold_method ) { case(THRESH_BY_SRC): thresh_log_flag = Thresh_By_Src(b, ip_src, ip_src_bits, pnormalize_selector, SaganProcSyslog_LOCAL->syslog_message ); break; case(THRESH_BY_DST): thresh_log_flag = Thresh_By_Dst(b, ip_dst, ip_dst_bits, pnormalize_selector, SaganProcSyslog_LOCAL->syslog_message ); break; case(THRESH_BY_USERNAME): if ( normalize_username != NULL ) { thresh_log_flag = Thresh_By_Username(b, normalize_username, pnormalize_selector, SaganProcSyslog_LOCAL->syslog_message ); } break; case(THRESH_BY_SRCPORT): thresh_log_flag = Thresh_By_SrcPort(b, ip_srcport_u32, pnormalize_selector); case(THRESH_BY_DSTPORT): thresh_log_flag = Thresh_By_DstPort(b, ip_dstport_u32, pnormalize_selector); break; } /* switch */ } /* if */ pthread_mutex_lock(&CounterSaganFoundMutex); counters->saganfound++; pthread_mutex_unlock(&CounterSaganFoundMutex); /* Check for thesholding & "after" */ if ( thresh_log_flag == false && after_log_flag == false ) { if ( debug->debugengine ) { Sagan_Log(DEBUG, "[%s, line %d] **[Trigger]*********************************", __FILE__, __LINE__); Sagan_Log(DEBUG, "[%s, line %d] Program: %s | Facility: %s | Priority: %s | Level: %s | Tag: %s", __FILE__, __LINE__, SaganProcSyslog_LOCAL->syslog_program, SaganProcSyslog_LOCAL->syslog_facility, SaganProcSyslog_LOCAL->syslog_priority, SaganProcSyslog_LOCAL->syslog_level, SaganProcSyslog_LOCAL->syslog_tag); Sagan_Log(DEBUG, "[%s, line %d] Threshold flag: %d | After flag: %d | Xbit Flag: %d | Xbit status: %d", __FILE__, 
__LINE__, thresh_log_flag, after_log_flag, rulestruct[b].xbit_flag, xbit_return); Sagan_Log(DEBUG, "[%s, line %d] Triggering Message: %s", __FILE__, __LINE__, SaganProcSyslog_LOCAL->syslog_message); } if ( rulestruct[b].xbit_flag && rulestruct[b].xbit_set_count ) { Xbit_Set(b, ip_src, ip_dst, ip_srcport_u32, ip_dstport_u32, pnormalize_selector, SaganProcSyslog_LOCAL); } threadid++; if ( threadid >= MAX_THREADS ) { threadid=0; } processor_info_engine->processor_name = s_msg; processor_info_engine->processor_generator_id = SAGAN_PROCESSOR_GENERATOR_ID; processor_info_engine->processor_facility = SaganProcSyslog_LOCAL->syslog_facility; processor_info_engine->processor_priority = SaganProcSyslog_LOCAL->syslog_level; processor_info_engine->processor_pri = rulestruct[b].s_pri; processor_info_engine->processor_class = rulestruct[b].s_classtype; processor_info_engine->processor_tag = SaganProcSyslog_LOCAL->syslog_tag; processor_info_engine->processor_rev = rulestruct[b].s_rev; processor_info_engine_dst_port = ip_dstport_u32; processor_info_engine_src_port = ip_srcport_u32; processor_info_engine_proto = proto; processor_info_engine_alertid = atoi(rulestruct[b].s_sid); if ( rulestruct[b].xbit_flag == false || rulestruct[b].xbit_noalert == 0 ) { if ( rulestruct[b].type == NORMAL_RULE ) { Send_Alert(SaganProcSyslog_LOCAL, liblognorm_status == 1 && rulestruct[b].normalize == 1 ? 
json_normalize : NULL, processor_info_engine, ip_src, ip_dst, normalize_http_uri, normalize_http_hostname, processor_info_engine_proto, processor_info_engine_alertid, processor_info_engine_src_port, processor_info_engine_dst_port, b, tp ); } else { Sagan_Dynamic_Rules(SaganProcSyslog_LOCAL, b, processor_info_engine, ip_src, ip_dst); } } } /* Threshold / After */ #ifdef WITH_BLUEDOT } /* Bluedot */ } } } #endif } /* Bro Intel */ } /* Blacklist */ #ifdef HAVE_LIBMAXMINDDB } /* GeoIP2 */ #endif } /* Time based alerts */ } /* Xbit count */ } /* Xbit */ } /* Check Rule Flow */ } /* End of match */ } /* End of pcre match */ #ifdef HAVE_LIBMAXMINDDB geoip2_isset = false; #endif match = false; /* Reset match! */ sagan_match=0; /* Reset pcre/meta_content/content match! */ rc=0; /* Return code */ xbit_return=0; /* Xbit reset */ check_flow_return = true; /* Rule flow direction reset */ } /* If normal or dynamic rule */ } /* End for for loop */ free(processor_info_engine); free(lookup_cache); #ifdef HAVE_LIBLOGNORM if ( json_normalize != NULL ) { json_object_put(json_normalize); json_normalize = NULL; } #endif return(0); } sagan-1.2.0/src/processors/perfmon.h0000644000175000017500000000201413310531444016350 0ustar champchamp/* ** Copyright (C) 2009-2018 Quadrant Information Security ** Copyright (C) 2009-2018 Champ Clark III ** ** This program is free software; you can redistribute it and/or modify ** it under the terms of the GNU General Public License Version 2 as ** published by the Free Software Foundation. You may not use, modify or ** distribute this program under any other version of the GNU General ** Public License. ** ** This program is distributed in the hope that it will be useful, ** but WITHOUT ANY WARRANTY; without even the implied warranty of ** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ** GNU General Public License for more details. 
** ** You should have received a copy of the GNU General Public License ** along with this program; if not, write to the Free Software ** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. */ void Sagan_Perfmonitor_Handler( void ); void Sagan_Perfmonitor_Open( void ); void Sagan_Perfmonitor_Close( void ); sagan-1.2.0/src/processors/bro-intel.h0000644000175000017500000000637013310531444016606 0ustar champchamp/* ** Copyright (C) 2009-2018 Quadrant Information Security ** Copyright (C) 2009-2018 Champ Clark III ** ** This program is free software; you can redistribute it and/or modify ** it under the terms of the GNU General Public License Version 2 as ** published by the Free Software Foundation. You may not use, modify or ** distribute this program under any other version of the GNU General ** Public License. ** ** This program is distributed in the hope that it will be useful, ** but WITHOUT ANY WARRANTY; without even the implied warranty of ** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ** GNU General Public License for more details. ** ** You should have received a copy of the GNU General Public License ** along with this program; if not, write to the Free Software ** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. */ /* sagan-bro-intel.c * * This allows Sagan to read in Bro Intel files, like those from Critical * Stack (https://intel.criticalstack.com). 
 * */

#ifdef HAVE_CONFIG_H
#include "config.h"             /* From autoconf */
#endif

/* Processor identity constants for the Bro Intel processor.  Presumably used
 * to fill the _Sagan_Processor_Info handed to Send_Alert() for Bro Intel
 * events; confirm against bro-intel.c. */
#define BROINTEL_PROCESSOR_NAME "Sagan_BroIntel"
#define BROINTEL_PROCESSOR_FACILITY "daemon"
#define BROINTEL_PROCESSOR_PRIORITY "warning"
#define BROINTEL_PROCESSOR_PRI 1
#define BROINTEL_PROCESSOR_CLASS "BroIntel"
#define BROINTEL_PROCESSOR_REV "1"
#define BROINTEL_PROCESSOR_TAG NULL
#define BROINTEL_PROCESSOR_GENERATOR_ID 1003

/* One fixed-size record per loaded Bro Intel indicator, one table per
 * indicator type.  The buffer sizes below are hard limits on what a loaded
 * indicator can hold; the loader (Sagan_BroIntel_Load_File, not shown here)
 * decides what happens to values that do not fit. */

typedef struct _Sagan_BroIntel_Intel_Addr _Sagan_BroIntel_Intel_Addr;
struct _Sagan_BroIntel_Intel_Addr
{
    unsigned char bits_ip[MAXIPBIT];    /* address in the MAXIPBIT binary form the engine passes to Sagan_BroIntel_IPADDR() */
};

typedef struct _Sagan_BroIntel_Intel_Domain _Sagan_BroIntel_Intel_Domain;
struct _Sagan_BroIntel_Intel_Domain
{
    char domain[255];
};

typedef struct _Sagan_BroIntel_Intel_File_Hash _Sagan_BroIntel_Intel_File_Hash;
struct _Sagan_BroIntel_Intel_File_Hash
{
    /* NOTE(review): 64 bytes cannot hold a NUL-terminated 64-character hex
     * SHA-256 digest (65 bytes needed); confirm how the loader stores or
     * truncates such values. */
    char hash[64];
};

typedef struct _Sagan_BroIntel_Intel_URL _Sagan_BroIntel_Intel_URL;
struct _Sagan_BroIntel_Intel_URL
{
    char url[10240];
};

typedef struct _Sagan_BroIntel_Intel_Software _Sagan_BroIntel_Intel_Software;
struct _Sagan_BroIntel_Intel_Software
{
    char software[128];
};

typedef struct _Sagan_BroIntel_Intel_Email _Sagan_BroIntel_Intel_Email;
struct _Sagan_BroIntel_Intel_Email
{
    char email[128];
};

typedef struct _Sagan_BroIntel_Intel_User_Name _Sagan_BroIntel_Intel_User_Name;
struct _Sagan_BroIntel_Intel_User_Name
{
    char username[64];
};

typedef struct _Sagan_BroIntel_Intel_File_Name _Sagan_BroIntel_Intel_File_Name;
struct _Sagan_BroIntel_Intel_File_Name
{
    char file_name[128];
};

typedef struct _Sagan_BroIntel_Intel_Cert_Hash _Sagan_BroIntel_Intel_Cert_Hash;
struct _Sagan_BroIntel_Intel_Cert_Hash
{
    /* NOTE(review): same 64-byte limit as _Sagan_BroIntel_Intel_File_Hash.hash;
     * a 64-character hex digest plus terminator does not fit. */
    char cert_hash[64];
};

void Sagan_BroIntel_Init(void);
void Sagan_BroIntel_Load_File(void);

/* Per-endpoint lookup: binary address first, printable form second. */
sbool Sagan_BroIntel_IPADDR ( unsigned char *, char *ipaddr );

/* Scans the parsed-IP cache for the message.  NOTE(review): the engine passes
 * MAX_PARSE_IP as the size_t here but the actual lookup_cache_size to
 * Sagan_Blacklist_IPADDR_All; confirm that entries past the parsed count are
 * safe to read (e.g. guarded by their status field). */
sbool Sagan_BroIntel_IPADDR_All ( char *, _Sagan_Lookup_Cache_Entry *, size_t);

/* The remaining lookups take the full syslog message and search it for a
 * matching indicator of that type; each returns a true/false hit. */
sbool Sagan_BroIntel_DOMAIN ( char * );
sbool Sagan_BroIntel_FILE_HASH ( char * );
sbool Sagan_BroIntel_URL ( char * );
sbool Sagan_BroIntel_SOFTWARE( char * );
sbool Sagan_BroIntel_EMAIL( char * );
sbool Sagan_BroIntel_USER_NAME ( char * );
sbool Sagan_BroIntel_FILE_NAME ( char * );
sbool Sagan_BroIntel_CERT_HASH ( char * );
sagan-1.2.0/src/processors/dynamic-rules.c0000644000175000017500000001342013310531444017454 0ustar champchamp/*
** Copyright (C) 2009-2018 Quadrant Information Security
** Copyright (C) 2009-2018 Champ Clark III
**
** This program is free software; you can redistribute it and/or modify
** it under the terms of the GNU General Public License Version 2 as
** published by the Free Software Foundation.  You may not use, modify or
** distribute this program under any other version of the GNU General
** Public License.
**
** This program is distributed in the hope that it will be useful,
** but WITHOUT ANY WARRANTY; without even the implied warranty of
** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
** GNU General Public License for more details.
**
** You should have received a copy of the GNU General Public License
** along with this program; if not, write to the Free Software
** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
*/

/* dynamic-load.c
 *
 * This loads rule sets dynamically based off 'dynamic' rules.  The idea is
 * for Sagan to detect logs it might not be monitoring and automatically
 * enable and/or warn the operator.
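 * */

#ifdef HAVE_CONFIG_H
#include "config.h"             /* From autoconf */
#endif

/* NOTE(review): the system header names on the next five #include lines were
 * lost when this listing was extracted; restore them from the original source
 * before this file will compile. */
#include
#include
#include
#include
#include

#include "sagan.h"
#include "sagan-defs.h"
#include "rules.h"
#include "sagan-config.h"
#include "send-alert.h"
#include "processors/dynamic-rules.h"

struct _SaganConfig *config;
struct _Rule_Struct *rulestruct;
struct _Rules_Loaded *rules_loaded;
struct _SaganCounters *counters;

/* Raised while rules_loaded / the rule set are being changed under
 * SaganRulesLoadedMutex, lowered before the mutex is released. */
sbool reload_rules;

pthread_mutex_t SaganRulesLoadedMutex;
pthread_mutex_t CounterDynamicGenericMutex=PTHREAD_MUTEX_INITIALIZER;

/*****************************************************************************
 * Dynamic_Rules_Alert - Emit the alert for a 'dynamic' signature hit.  No
 * normalized data is attached and Sagan's own proto/port are used for both
 * endpoints, exactly as the two former inline Send_Alert() calls did.
 *****************************************************************************/

static void Dynamic_Rules_Alert ( _Sagan_Proc_Syslog *SaganProcSyslog_LOCAL, int rule_position, _Sagan_Processor_Info *processor_info_engine, char *ip_src, char *ip_dst )
{
    struct timeval tp;

    gettimeofday(&tp, 0);

    Send_Alert(SaganProcSyslog_LOCAL, NULL, processor_info_engine, ip_src, ip_dst, "", "", config->sagan_proto, atoi(rulestruct[rule_position].s_sid), config->sagan_port, config->sagan_port, rule_position, tp );
}

/*****************************************************************************
 * Sagan_Dynamic_Rules - Called by the engine when a DYNAMIC_RULE fires.
 * Records the rule's 'dynamic_ruleset' in rules_loaded[] (once per rule set)
 * and then, depending on config->dynamic_load_type, loads that rule set (0),
 * only logs (1), or logs and alerts (2).
 *
 * SaganProcSyslog_LOCAL  - syslog message that triggered the dynamic rule
 * rule_position          - index of the triggering rule in rulestruct[]
 * processor_info_engine  - processor metadata forwarded to Send_Alert()
 * ip_src / ip_dst        - endpoints forwarded to Send_Alert()
 *
 * Returns 0.  Returns -1 only if rules_loaded[] could not be grown, and only
 * if Sagan_Log(ERROR, ...) returns to the caller at all.
 *****************************************************************************/

int Sagan_Dynamic_Rules ( _Sagan_Proc_Syslog *SaganProcSyslog_LOCAL, int rule_position, _Sagan_Processor_Info *processor_info_engine, char *ip_src, char *ip_dst )
{
    int i;
    _Rules_Loaded *grown;

    /* We don't want the array to be altered while we are working with it */
    pthread_mutex_lock(&SaganRulesLoadedMutex);
    reload_rules = 1;

    for (i=0; i<counters->rules_loaded_count; i++)
    {
        /* If the rule set is loaded (or in our array), nothing else needs to be done */
        if (!strcmp(rulestruct[rule_position].dynamic_ruleset, rules_loaded[i].ruleset))
        {
            /* Rule was already loaded.  Lower reload_rules before releasing
             * the mutex, as every other exit from this critical section does;
             * previously a no-op call left the flag raised. */
            reload_rules = 0;
            pthread_mutex_unlock(&SaganRulesLoadedMutex);
            return(0);
        }
    }

    /* Since rule was not loaded, add it to our rule list.  realloc() into a
     * temporary so a failure neither overwrites nor leaks the live array. */
    grown = (_Rules_Loaded *) realloc(rules_loaded, (counters->rules_loaded_count+1) * sizeof(_Rules_Loaded));

    if ( grown == NULL )
    {
        Sagan_Log(ERROR, "[%s, line %d] Failed to reallocate memory for rules_loaded. Abort!", __FILE__, __LINE__);

        /* Only reached if Sagan_Log(ERROR) returns: keep the old array,
         * release the lock and report failure rather than writing through NULL. */
        reload_rules = 0;
        pthread_mutex_unlock(&SaganRulesLoadedMutex);
        return(-1);
    }

    rules_loaded = grown;

    strlcpy(rules_loaded[counters->rules_loaded_count].ruleset, rulestruct[rule_position].dynamic_ruleset, sizeof(rules_loaded[counters->rules_loaded_count].ruleset));

    pthread_mutex_lock(&CounterDynamicGenericMutex);
    counters->rules_loaded_count++;
    pthread_mutex_unlock(&CounterDynamicGenericMutex);

    /* Done here, release so others can process */
    reload_rules = 0;
    pthread_mutex_unlock(&SaganRulesLoadedMutex);

    /*****************************/
    /* Load rules, log and alert */
    /*****************************/

    if ( config->dynamic_load_type == 0 )
    {
        Sagan_Log(NORMAL, "Detected dynamic signature '%s'. Dynamically loading '%s'.", rulestruct[rule_position].s_msg, rulestruct[rule_position].dynamic_ruleset);

        /* Process the alert _before_ loading rule set! Otherwise, mem will mismatch */
        Dynamic_Rules_Alert(SaganProcSyslog_LOCAL, rule_position, processor_info_engine, ip_src, ip_dst);

        /* Lock rules so other threads don't try to use it while we alter/load new rules */
        pthread_mutex_lock(&SaganRulesLoadedMutex);
        reload_rules = 1;
        Load_Rules(rulestruct[rule_position].dynamic_ruleset);
        reload_rules = 0;
        pthread_mutex_unlock(&SaganRulesLoadedMutex);
    }

    /************/
    /* Log only */
    /************/

    else if ( config->dynamic_load_type == 1 )
    {
        Sagan_Log(NORMAL, "Detected dynamic signature '%s'. Sagan would automatically load '%s' but the 'dynamic_load' processor is set to 'log_only'.", rulestruct[rule_position].s_msg, rulestruct[rule_position].dynamic_ruleset);
    }

    /**************/
    /* Alert only */
    /**************/

    else if ( config->dynamic_load_type == 2 )
    {
        Sagan_Log(NORMAL, "Detected dynamic signature '%s'. Sagan would automatically load '%s' but the 'dynamic_load' processor is set to 'alert'.", rulestruct[rule_position].s_msg, rulestruct[rule_position].dynamic_ruleset);

        Dynamic_Rules_Alert(SaganProcSyslog_LOCAL, rule_position, processor_info_engine, ip_src, ip_dst);
    }

    return(0);
}
sagan-1.2.0/src/processors/perfmon.c0000644000175000017500000003623713310531444016357 0ustar champchamp/*
** Copyright (C) 2009-2018 Quadrant Information Security
** Copyright (C) 2009-2018 Champ Clark III
**
** This program is free software; you can redistribute it and/or modify
** it under the terms of the GNU General Public License Version 2 as
** published by the Free Software Foundation.  You may not use, modify or
** distribute this program under any other version of the GNU General
** Public License.
**
** This program is distributed in the hope that it will be useful,
** but WITHOUT ANY WARRANTY; without even the implied warranty of
** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
** GNU General Public License for more details.
**
** You should have received a copy of the GNU General Public License
** along with this program; if not, write to the Free Software
** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
*/

/* perfmon.c
 *
 * This writes out statistics to a CSV type file so often (user defined).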
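 * If enabled, this thread never exits.
 */

#ifdef HAVE_CONFIG_H
#include "config.h"             /* From autoconf */
#endif

/* NOTE(review): the system header names below were lost when this copy was
 * extracted (only the #include keywords survived); restore them from the
 * upstream file before building. */
#include
#include
#include
#include
#include
#include
#include
#include

#ifdef HAVE_SYS_PRCTL_H
#include
#endif

#include "sagan.h"
#include "sagan-defs.h"
#include "sagan-config.h"
#include "lockfile.h"
#include "processors/perfmon.h"

struct _SaganConfig *config;
struct _SaganCounters *counters;
struct _Sagan_IPC_Counters *counters_ipc;

/*****************************************************************************
 * Perfmon_Delta - Writes (current - *last) as one comma-terminated CSV field
 * and advances *last to current, so each sample reports only the activity
 * since the previous sample.  Funnelling every delta column through one
 * helper removes the "advance the wrong baseline" copy/paste errors the
 * unrolled version had (the bluedot *_cache_hit baselines were never
 * advanced, and the hash QPS column printed the engine-wide rate).
 *****************************************************************************/

static void Perfmon_Delta( FILE *stream, uint64_t current, uint64_t *last )
{
    fprintf(stream, "%" PRIu64 ",", current - *last);
    *last = current;
}

/*****************************************************************************
 * Perfmon_Rate - Per-second rate of a running total over the engine's
 * uptime.  `seconds` is clamped to 1 so a sample taken in the same second
 * the engine started cannot divide by zero.
 *****************************************************************************/

static unsigned long Perfmon_Rate( uint64_t total, unsigned long seconds )
{
    return (unsigned long)(total / (seconds == 0 ? 1 : seconds));
}

/*****************************************************************************
 * Sagan_Perfmonitor_Handler - This becomes the thread to write out
 * performance monitoring data.  Every config->perfmonitor_time seconds it
 * appends one CSV row to config->perfmonitor_file_stream, in the column
 * order given by the legend Sagan_Perfmonitor_Open() writes.  Never returns.
 *
 * NOTE(review): perfmonitor_flag and perfmonitor_file_stream are read here
 * without a lock while the signal thread closes/re-opens the stream on
 * SIGHUP; a sample in flight across that window writes to a closed FILE*.
 *****************************************************************************/

void Sagan_Perfmonitor_Handler( void )
{

    (void)SetThreadName("SaganPerfmon");

    FILE *out = NULL;

    unsigned long total=0;
    unsigned long seconds=0;

    char curtime_utime[64] = { 0 };
    time_t t;
    struct tm *now;

    /* Baselines for the delta columns; each is advanced every sample. */
    uint64_t last_sagantotal = 0;
    uint64_t last_saganfound = 0;
    uint64_t last_alert_total = 0;
    uint64_t last_after_total = 0;
    uint64_t last_threshold_total = 0;
    uint64_t last_sagan_processor_drop = 0;
    uint64_t last_ignore_count = 0;
    uint64_t last_blacklist_hit_count = 0;
    uint64_t last_sagan_output_drop = 0;
    uint64_t last_dns_miss_count = 0;

#ifdef HAVE_LIBMAXMINDDB
    uint64_t last_geoip2_lookup = 0;
    uint64_t last_geoip2_hit = 0;
    uint64_t last_geoip2_miss = 0;
#endif

#ifdef WITH_BLUEDOT
    uint64_t last_bluedot_ip_cache_hit = 0;
    uint64_t last_bluedot_ip_positive_hit = 0;
    uint64_t last_bluedot_hash_cache_hit = 0;
    uint64_t last_bluedot_hash_positive_hit = 0;
    uint64_t last_bluedot_url_cache_hit = 0;
    uint64_t last_bluedot_url_positive_hit = 0;
    uint64_t last_bluedot_filename_cache_hit = 0;
    uint64_t last_bluedot_filename_positive_hit = 0;
    uint64_t last_bluedot_error_count = 0;

    unsigned long bluedot_ip_total = 0;
    unsigned long bluedot_url_total = 0;
    unsigned long bluedot_hash_total = 0;
    unsigned long bluedot_filename_total = 0;
#endif

#ifdef HAVE_LIBESMTP
    uint64_t last_esmtp_count_success = 0;
    uint64_t last_esmtp_count_failed = 0;
#endif

    while (1) {

        sleep(config->perfmonitor_time);

        t = time(NULL);
        now=localtime(&t);
        /* "%s" (seconds since the epoch) is a glibc/BSD strftime extension. */
        strftime(curtime_utime, sizeof(curtime_utime), "%s", now);

        /* Uptime, used for the *.eps / *.qps rate columns. */
        seconds = atol(curtime_utime) - atol(config->sagan_startutime);

        if ( !config->perfmonitor_flag ) {
            continue;
        }

        out = config->perfmonitor_file_stream;

        fprintf(out, "%s,", curtime_utime);                                 /* engine.utime */

        Perfmon_Delta(out, counters->sagantotal, &last_sagantotal);         /* engine.total */
        Perfmon_Delta(out, counters->saganfound, &last_saganfound);         /* engine.sig_match.total */
        Perfmon_Delta(out, counters->alert_total, &last_alert_total);       /* engine.alerts.total */
        Perfmon_Delta(out, counters->after_total, &last_after_total);       /* engine.after.total */
        Perfmon_Delta(out, counters->threshold_total, &last_threshold_total); /* engine.threshold.total */
        Perfmon_Delta(out, counters->sagan_processor_drop, &last_sagan_processor_drop); /* engine.drop.total */
        Perfmon_Delta(out, counters->ignore_count, &last_ignore_count);     /* engine.ignored.total */

        total = Perfmon_Rate(counters->sagantotal, seconds);
        fprintf(out, "%lu,", total);                                        /* engine.eps */

#ifdef HAVE_LIBMAXMINDDB
        Perfmon_Delta(out, counters->geoip2_lookup, &last_geoip2_lookup);
        Perfmon_Delta(out, counters->geoip2_hit, &last_geoip2_hit);
        Perfmon_Delta(out, counters->geoip2_miss, &last_geoip2_miss);
#else
        fprintf(out, "0,0,0,");
#endif

        /* processor.drop.total: samples the same counter as engine.drop.total
         * above, whose baseline was just advanced, so this column is always 0.
         * Kept as-is (upstream's own "DEBUG: IS THE BELOW RIGHT?" question)
         * because the intended source counter is not visible here. */
        Perfmon_Delta(out, counters->sagan_processor_drop, &last_sagan_processor_drop);

        Perfmon_Delta(out, counters->blacklist_hit_count, &last_blacklist_hit_count); /* processor.blacklist.hits */

        /* Tracker figures are gauges read from IPC shared memory, not deltas. */
        fprintf(out, "%d,", counters_ipc->track_clients_client_count);      /* processor.tracker.total */
        fprintf(out, "%d,", counters_ipc->track_clients_down);              /* processor.tracker.down */

        Perfmon_Delta(out, counters->sagan_output_drop, &last_sagan_output_drop); /* output.drop.total */

#ifdef HAVE_LIBESMTP
        if ( config->sagan_esmtp_flag ) {
            Perfmon_Delta(out, counters->esmtp_count_success, &last_esmtp_count_success);
            Perfmon_Delta(out, counters->esmtp_count_failed, &last_esmtp_count_failed);
        } else {
            fprintf(out, "0,0,");
        }
#else
        fprintf(out, "0,0,");
#endif

        fprintf(out, "%" PRIu64 ",", counters->dns_cache_count);            /* dns.total (gauge) */
        Perfmon_Delta(out, counters->dns_miss_count, &last_dns_miss_count); /* dns.miss */

#ifdef WITH_BLUEDOT

        if ( config->bluedot_flag ) {

            /* IP Reputation */
            fprintf(out, "%" PRIu64 ",", counters->bluedot_ip_cache_count);
            Perfmon_Delta(out, counters->bluedot_ip_cache_hit, &last_bluedot_ip_cache_hit);
            Perfmon_Delta(out, counters->bluedot_ip_positive_hit, &last_bluedot_ip_positive_hit);
            bluedot_ip_total = Perfmon_Rate(counters->bluedot_ip_total, seconds);
            fprintf(out, "%lu,", bluedot_ip_total);

            /* Hash */
            fprintf(out, "%" PRIu64 ",", counters->bluedot_hash_cache_count);
            Perfmon_Delta(out, counters->bluedot_hash_cache_hit, &last_bluedot_hash_cache_hit);
            Perfmon_Delta(out, counters->bluedot_hash_positive_hit, &last_bluedot_hash_positive_hit);
            bluedot_hash_total = Perfmon_Rate(counters->bluedot_hash_total, seconds);
            fprintf(out, "%lu,", bluedot_hash_total);   /* previously printed `total` (engine eps) here */

            /* URL */
            fprintf(out, "%" PRIu64 ",", counters->bluedot_url_cache_count);
            Perfmon_Delta(out, counters->bluedot_url_cache_hit, &last_bluedot_url_cache_hit);
            Perfmon_Delta(out, counters->bluedot_url_positive_hit, &last_bluedot_url_positive_hit);
            bluedot_url_total = Perfmon_Rate(counters->bluedot_url_total, seconds);
            fprintf(out, "%lu,", bluedot_url_total);

            /* Filename */
            fprintf(out, "%" PRIu64 ",", counters->bluedot_filename_cache_count);
            Perfmon_Delta(out, counters->bluedot_filename_cache_hit, &last_bluedot_filename_cache_hit);
            Perfmon_Delta(out, counters->bluedot_filename_positive_hit, &last_bluedot_filename_positive_hit);
            bluedot_filename_total = Perfmon_Rate(counters->bluedot_filename_total, seconds);
            fprintf(out, "%lu,", bluedot_filename_total);

            /* Error count */
            Perfmon_Delta(out, counters->bluedot_error_count, &last_bluedot_error_count);

            /* Last column: combined QPS, no trailing comma. */
            fprintf(out, "%lu", bluedot_ip_total + bluedot_hash_total + bluedot_url_total + bluedot_filename_total);

        } else {

            fprintf(out, "0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0");

        }

#else
        fprintf(out, "0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0");
#endif

        fprintf(out, "\n");
        fflush(out);

    }

}

/*****************************************************************************
 * Sagan_Perfmonitor_Close - Closes performance monitoring file after
 * writing a timestamped "Perfmon end" banner.
 *****************************************************************************/

void Sagan_Perfmonitor_Close(void)
{

    char curtime[64] = { 0 };
    time_t t;
    struct tm *now;

    t = time(NULL);
    now=localtime(&t);
    strftime(curtime, sizeof(curtime), "%m/%d/%Y %H:%M:%S", now);

    fprintf(config->perfmonitor_file_stream, "################################ Perfmon end: pid=%d at=%s ###################################\n", getpid(), curtime);
    fflush(config->perfmonitor_file_stream);
    fclose(config->perfmonitor_file_stream);

}

/*****************************************************************************
 * Sagan_Perfmonitor_Open - Open's performance monitoring file.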
 *****************************************************************************/

void Sagan_Perfmonitor_Open(void)
{

    char stamp[64] = { 0 };
    time_t now_epoch = time(NULL);
    struct tm *now_tm = localtime(&now_epoch);

    /* Human-readable start time for the banner line. */
    strftime(stamp, sizeof(stamp), "%m/%d/%Y %H:%M:%S", now_tm);

    /* Append mode: a restart continues the existing CSV instead of
     * truncating history. */
    config->perfmonitor_file_stream = fopen(config->perfmonitor_file_name, "a" );

    if ( config->perfmonitor_file_stream == NULL ) {

        Remove_Lock_File();

        /* NOTE(review): the writes below assume Sagan_Log(ERROR, ...) does
         * not return; confirm against Sagan_Log's ERROR handling. */
        Sagan_Log(ERROR, "[%s, line %d] Can't open %s - %s!", __FILE__, __LINE__, config->perfmonitor_file_name, strerror(errno));

    }

    fprintf(config->perfmonitor_file_stream, "################################ Perfmon start: pid=%d at=%s ###################################\n", getpid(), stamp);

    /* Column legend; must stay in step with the row Sagan_Perfmonitor_Handler emits. */
    fprintf(config->perfmonitor_file_stream, "# engine.utime,engine.total,engine.sig_match.total,engine.alerts.total,engine.after.total,engine.threshold.total, engine.drop.total,engine.ignored.total,engine.eps,geoip2.lookup.total,geoip2.hits,geoip2.misses,processor.drop.total,processor.blacklist.hits,processor.tracker.total,processor.tracker.down,output.drop.total,processor.esmtp.success,processor.esmtp.failed,dns.total,dns.miss,processor.bluedot_ip_cache_count,processor.bluedot_ip_cache_hit,processor.bluedot_ip_positive_hit,processor.bluedot_ip_qps,processor.bluedot_hash_cache_count,processor.bluedot_hash_cache_hit,processor.bluedot_hash_positive_hit,processor.bluedot_hash_qps,processor.bluedot_url_cache_count,processor.bluedot_url_cache_hit,processor.bluedot_url_positive_hit,processor.bluedot_url_qps,processor.bluedot_filename_cache_count,processor.bluedot_filename_cache_hit,processor.bluedot_filename_positive_hit,processor.bluedot_filename_qps,processor.bluedot_error_count,processor.bluedot_total_qps\n");

    fflush(config->perfmonitor_file_stream);

}

sagan-1.2.0/src/signal-handler.c0000644000175000017500000004116113310531444015371 0ustar champchamp/*
** Copyright (C) 2009-2018 Quadrant Information Security
** Copyright (C) 2009-2018 Champ Clark III
**
** This program is free software; you can redistribute it
and/or modify ** it under the terms of the GNU General Public License Version 2 as ** published by the Free Software Foundation. You may not use, modify or ** distribute this program under any other version of the GNU General ** Public License. ** ** This program is distributed in the hope that it will be useful, ** but WITHOUT ANY WARRANTY; without even the implied warranty of ** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ** GNU General Public License for more details. ** ** You should have received a copy of the GNU General Public License ** along with this program; if not, write to the Free Software ** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. */ /* signal.c * * This runs as a thread for signal processing. * */ #ifdef HAVE_CONFIG_H #include "config.h" /* From autoconf */ #endif #include #include #include #include #include #include #include #include #include #include #ifdef HAVE_SYS_PRCTL_H #include #endif #include "version.h" #include "sagan.h" #include "sagan-defs.h" #include "xbit-mmap.h" #include "sagan-config.h" #include "config-yaml.h" #include "lockfile.h" #include "signal-handler.h" #include "stats.h" #include "gen-msg.h" #include "classifications.h" #include "processors/perfmon.h" #include "rules.h" #include "ignore-list.h" #include "flow.h" #include "processors/blacklist.h" #include "processors/track-clients.h" #include "processors/bro-intel.h" #ifdef HAVE_LIBLOGNORM #include "liblognormalize.h" #include int liblognorm_count; #endif #if defined(HAVE_DNET_H) || defined(HAVE_DUMBNET_H) #include "output-plugins/unified2.h" sbool sagan_unified2_flag; #endif #ifdef HAVE_LIBMAXMINDDB #include #include "geoip2.h" #endif struct _SaganCounters *counters; struct _SaganDebug *debug; struct _SaganConfig *config; struct _Rule_Struct *rulestruct; struct _Rules_Loaded *rules_loaded; struct _Class_Struct *classstruct; struct _Sagan_Processor_Generator *generator; struct _Sagan_Blacklist *SaganBlacklist; struct 
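_Sagan_Track_Clients *SaganTrackClients;
struct _SaganVar *var;
struct _Sagan_Ignorelist *SaganIgnorelist;

struct _Sagan_BroIntel_Intel_Addr *Sagan_BroIntel_Intel_Addr;
struct _Sagan_BroIntel_Intel_Domain *Sagan_BroIntel_Intel_Domain;
struct _Sagan_BroIntel_Intel_File_Hash *Sagan_BroIntel_Intel_File_Hash;
struct _Sagan_BroIntel_Intel_URL *Sagan_BroIntel_Intel_URL;
struct _Sagan_BroIntel_Intel_Software *Sagan_BroIntel_Intel_Software;
struct _Sagan_BroIntel_Intel_Email *Sagan_BroIntel_Intel_Email;
struct _Sagan_BroIntel_Intel_User_Name *Sagan_BroIntel_Intel_User_Name;
struct _Sagan_BroIntel_Intel_File_Name *Sagan_BroIntel_Intel_File_Name;
struct _Sagan_BroIntel_Intel_Cert_Hash *Sagan_BroIntel_Intel_Cert_Hash;

pthread_mutex_t SaganReloadMutex = PTHREAD_MUTEX_INITIALIZER;
pthread_cond_t SaganReloadCond = PTHREAD_COND_INITIALIZER;

pthread_mutex_t SaganRulesLoadedMutex;

/*****************************************************************************
 * Close_IPC_Segment - Unlocks and closes one IPC shared-memory descriptor.
 * A failed close() is logged as a warning and otherwise ignored; `what`
 * names the segment in that warning.
 *****************************************************************************/

static void Close_IPC_Segment( int fd, const char *what )
{
    File_Unlock(fd);

    if ( close(fd) != 0 ) {
        Sagan_Log(WARN, "[%s, line %d] Cannot close IPC %s! [%s]", __FILE__, __LINE__, what, strerror(errno));
    }
}

/*****************************************************************************
 * Sig_Shutdown - Orderly exit on a termination signal: dump statistics,
 * flush and close every output stream, release the IPC segments and the
 * lock file, then exit(0).  Does not return.
 *
 * NOTE(review): the IPC close warnings are emitted after sagan_log_stream
 * has already been fclose()d below; confirm Sagan_Log copes with that, or
 * move the log close after the IPC teardown.
 *****************************************************************************/

static void Sig_Shutdown( int sig )
{

    Sagan_Log(NORMAL, "\n\n[Received signal %d. Sagan version %s shutting down]-------\n", sig, VERSION);

    Statistics();

#if defined(HAVE_DNET_H) || defined(HAVE_DUMBNET_H)
    if ( sagan_unified2_flag ) {
        Unified2CleanExit();
    }
#endif

#ifdef HAVE_LIBMAXMINDDB
    MMDB_close(&config->geoip2);
#endif

    if ( config->eve_flag == true ) {
        fflush(config->eve_stream);
        fclose(config->eve_stream);
    }

    if ( config->alert_flag == true ) {
        fflush(config->sagan_alert_stream);
        fclose(config->sagan_alert_stream);     /* Close Sagan alert file */
    }

    if ( config->fast_flag == true ) {
        fflush(config->sagan_fast_stream);
        fclose(config->sagan_fast_stream);
    }

    fflush(config->sagan_log_stream);           /* Close the sagan.log */
    fclose(config->sagan_log_stream);

    /* IPC Shared Memory */
    Close_IPC_Segment(config->shm_counters, "counters");
    Close_IPC_Segment(config->shm_xbit, "xbit");
    Close_IPC_Segment(config->shm_thresh_by_src, "thresh_by_src");
    Close_IPC_Segment(config->shm_thresh_by_dst, "thresh_by_dst");
    Close_IPC_Segment(config->shm_thresh_by_username, "thresh_by_username");
    Close_IPC_Segment(config->shm_after_by_src, "after_by_src");
    Close_IPC_Segment(config->shm_after_by_dst, "after_by_dst");
    Close_IPC_Segment(config->shm_after_by_username, "after_by_username");

    if ( config->sagan_track_clients_flag ) {
        Close_IPC_Segment(config->shm_track_clients, "_Sagan_Track_Clients");
    }

    if ( config->perfmonitor_flag ) {
        Sagan_Perfmonitor_Close();
    }

    Remove_Lock_File();

    sleep(1);           /* Let things settle */
    exit(0);

}

/*****************************************************************************
 * Sig_Handler - Runs as its own thread.  Blocks in sigwait() for every
 * signal and dispatches: termination signals shut Sagan down, SIGHUP
 * re-reads the configuration and rule sets, SIGUSR1 prints statistics,
 * SIGCHLD/SIGWINCH are ignored, anything else is logged.  Never returns.
 *
 * NOTE(review): SIGSEGV/SIGABRT are synchronous faults delivered to the
 * thread that caused them; sigwait() here only sees instances sent with
 * kill(), so this path is not a crash handler.
 *
 * Changes from the previous revision: the blacklist table is now actually
 * freed on reload (the flag used to be cleared before it was tested), freed
 * tables are NULLed so a reload that does not re-create one cannot leave a
 * dangling pointer, and the perfmon stream is closed on every reload it is
 * active rather than only the first (the re-open leaked a FILE* per SIGHUP).
 *****************************************************************************/

void Sig_Handler( void )
{

    (void)SetThreadName("SaganSignal");

    sigset_t signal_set;
    int sig;

    /* Remember whether perfmon/plog were started at run time; they cannot be
     * started from a SIGHUP, only re-enabled. */
    sbool orig_perfmon_value = 0;

#ifdef HAVE_LIBPCAP
    sbool orig_plog_value = 0;
#endif

    for(;;) {

        /* wait for any and all signals */
        sigfillset( &signal_set );
        sigwait( &signal_set, &sig );

        switch( sig ) {

        /* exit */
        case SIGQUIT:
        case SIGINT:
        case SIGTERM:
        case SIGSEGV:
        case SIGABRT:

            Sig_Shutdown(sig);
            break;      /* not reached; Sig_Shutdown() exits */

        case SIGHUP:

            config->sagan_reload = 1;           /* Only this thread can alter this */

            pthread_mutex_lock(&SaganReloadMutex);

            Sagan_Log(NORMAL, "[Reloading Sagan version %s.]-------", VERSION);

            /*
             * Close and re-open log files.  This is for logrotate and such
             * 04/14/2015 - Champ Clark III (cclark@quadrantsec.com)
             */

            Open_Log_File(REOPEN, ALL_LOGS);

            /******************/
            /* Reset counters */
            /******************/

            counters->refcount=0;
            counters->classcount=0;
            counters->rulecount=0;
            counters->ruletotal=0;
            counters->genmapcount=0;
            counters->rules_loaded_count=0;
            counters->var_count=0;

            /* NOTE(review): sizeof(<one struct>) clears only the first element
             * of each array; later entries keep stale data until the loader
             * overwrites them.  Whether that is relied on is not visible here. */
            memset(rules_loaded, 0, sizeof(_Rules_Loaded));
            memset(rulestruct, 0, sizeof(_Rule_Struct));
            memset(classstruct, 0, sizeof(_Class_Struct));
            memset(generator, 0, sizeof(_Sagan_Processor_Generator));
            memset(var, 0, sizeof(_SaganVar));

            /**********************************/
            /* Disabled and reset processors. */
            /**********************************/

            /* Note: Processors that run as their own thread (perfmon, plog) cannot be
             * loaded via SIGHUP.  They must be loaded at run time.  Once they are loaded,
             * they can be disabled/re-enabled. */

            /* Single Threaded processors */

            /* Close the perfmon stream whenever it is active so the re-open
             * after the reload never stacks a second stream on the first.
             * NOTE(review): the perfmon thread reads perfmonitor_flag without a
             * lock; a sample in flight across Close/Open writes to a closed FILE*. */
            if ( config->perfmonitor_flag == 1 ) {
                Sagan_Perfmonitor_Close();
                orig_perfmon_value = 1;
            }

            config->perfmonitor_flag = 0;

#ifdef HAVE_LIBPCAP
            if ( config->plog_flag ) {
                orig_plog_value = 1;
            }

            config->plog_flag = 0;
#endif

            /* Multi Threaded processors */

            /* Test the flag before clearing it; pointers are NULLed after
             * free() so a later realloc()/use sees NULL rather than freed memory. */
            if ( config->blacklist_flag ) {
                free(SaganBlacklist);
                SaganBlacklist = NULL;
            }

            config->blacklist_flag = 0;

            if ( config->brointel_flag ) {

                free(Sagan_BroIntel_Intel_Addr);
                Sagan_BroIntel_Intel_Addr = NULL;
                free(Sagan_BroIntel_Intel_Domain);
                Sagan_BroIntel_Intel_Domain = NULL;
                free(Sagan_BroIntel_Intel_File_Hash);
                Sagan_BroIntel_Intel_File_Hash = NULL;
                free(Sagan_BroIntel_Intel_URL);
                Sagan_BroIntel_Intel_URL = NULL;
                free(Sagan_BroIntel_Intel_Software);
                Sagan_BroIntel_Intel_Software = NULL;
                free(Sagan_BroIntel_Intel_Email);
                Sagan_BroIntel_Intel_Email = NULL;
                free(Sagan_BroIntel_Intel_User_Name);
                Sagan_BroIntel_Intel_User_Name = NULL;
                free(Sagan_BroIntel_Intel_File_Name);
                Sagan_BroIntel_Intel_File_Name = NULL;
                free(Sagan_BroIntel_Intel_Cert_Hash);
                Sagan_BroIntel_Intel_Cert_Hash = NULL;

                counters->brointel_addr_count = 0;
                counters->brointel_domain_count = 0;
                counters->brointel_file_hash_count = 0;
                counters->brointel_url_count = 0;
                counters->brointel_software_count = 0;
                counters->brointel_email_count = 0;
                counters->brointel_user_name_count = 0;
                counters->brointel_file_name_count = 0;
                counters->brointel_cert_hash_count = 0;
                counters->brointel_dups = 0;

            }

            config->brointel_flag = 0;

            if ( config->sagan_track_clients_flag ) {
                /* NOTE(review): nothing in the reload path below re-allocates
                 * this table (only a log line is emitted); verify the
                 * track-clients code re-creates it before use. */
                free(SaganTrackClients);
                SaganTrackClients = NULL;
            }

            /* Output formats */

            config->sagan_external_output_flag = 0;

#ifdef WITH_SYSLOG
            config->sagan_syslog_flag = 0;
#endif

#ifdef HAVE_LIBESMTP
            config->sagan_esmtp_flag = 0;
#endif

#ifdef WITH_SNORTSAM
            config->sagan_fwsam_flag = 0;
#endif

            /* Non-output / Processors */

            if ( config->sagan_droplist_flag ) {
                config->sagan_droplist_flag = 0;
                free(SaganIgnorelist);
                SaganIgnorelist = NULL;
            }

            /*************************************************************/
            /* Re-load primary configuration (rules/classifications/etc) */
            /*************************************************************/

            pthread_mutex_lock(&SaganRulesLoadedMutex);
            Load_YAML_Config(config->sagan_config);     /* <- RELOAD */
            pthread_mutex_unlock(&SaganRulesLoadedMutex);

            /*************************************************************/
            /* Re-enable the processors the reloaded configuration asks for */
            /*************************************************************/

            if ( config->perfmonitor_flag == 1 ) {

                if ( orig_perfmon_value == 1 ) {
                    Sagan_Perfmonitor_Open();
                } else {
                    Sagan_Log(WARN, "** 'perfmonitor' must be loaded at runtime! NOT loading 'perfmonitor'!");
                    config->perfmonitor_flag = 0;
                }

            }

#ifdef HAVE_LIBPCAP
            if ( config->plog_flag == 1 ) {

                if ( orig_plog_value == 1 ) {
                    config->plog_flag = 1;
                } else {
                    Sagan_Log(WARN, "** 'plog' must be loaded at runtime! NOT loading 'plog'!");
                    config->plog_flag = 0;
                }

            }
#endif

            /* Load Blacklist data */

            if ( config->blacklist_flag ) {
                counters->blacklist_count=0;
                Sagan_Blacklist_Init();
                Sagan_Blacklist_Load();
            }

            if ( config->brointel_flag ) {
                Sagan_BroIntel_Init();
                Sagan_BroIntel_Load_File();
            }

            if ( config->sagan_track_clients_flag ) {
                Sagan_Log(NORMAL, "Reset Sagan Track Client.");
            }

            /* Non output / processors */

            if ( config->sagan_droplist_flag ) {
                Load_Ignore_List();
                Sagan_Log(NORMAL, "Loaded %d ignore/drop list item(s).", counters->droplist_count);
            }

#ifdef HAVE_LIBMAXMINDDB
            Sagan_Log(NORMAL, "Reloading GeoIP2 data.");
            Open_GeoIP2_Database();
#endif

            pthread_cond_signal(&SaganReloadCond);
            pthread_mutex_unlock(&SaganReloadMutex);

            config->sagan_reload = 0;

            Sagan_Log(NORMAL, "Configuration reloaded.");
            break;

        /* Signals to ignore (previously the Linux numbers 17 and 28). */

        case SIGCHLD:                   /* Child process has exited. */
#ifdef SIGWINCH
        case SIGWINCH:                  /* Terminal 'resize'. */
#endif
            break;

        case SIGUSR1:
            Statistics();
            break;

        default:
            Sagan_Log(NORMAL, "[Received signal %d. Sagan doesn't know how to deal with]", sig);
        }

    }

}

sagan-1.2.0/src/parsers/0000755000175000017500000000000013310531444014011 5ustar champchampsagan-1.2.0/src/parsers/proto.c0000644000175000017500000000653113310531444015325 0ustar champchamp/*
** Copyright (C) 2009-2018 Quadrant Information Security
** Copyright (C) 2009-2018 Champ Clark III
**
** This program is free software; you can redistribute it and/or modify
** it under the terms of the GNU General Public License Version 2 as
** published by the Free Software Foundation.  You may not use, modify or
** distribute this program under any other version of the GNU General
** Public License.
**
** This program is distributed in the hope that it will be useful,
** but WITHOUT ANY WARRANTY; without even the implied warranty of
** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
** GNU General Public License for more details.
**
** You should have received a copy of the GNU General Public License
** along with this program; if not, write to the Free Software
** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
*/

/* This routine searches the syslog message and/or program for clues about
 * what protocol generated an event.  For more information, see the
 * protocol-map.c and protocol.map files.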
*/ #ifdef HAVE_CONFIG_H #include "config.h" /* From autoconf */ #endif #include #include #include #include "sagan-defs.h" #include "sagan.h" #include "version.h" #include "parsers/parsers.h" #include "protocol-map.h" struct _SaganConfig *config; struct _SaganCounters *counters; struct _Sagan_Protocol_Map_Message *map_message; struct _Sagan_Protocol_Map_Program *map_program; /**************************************************************************** * Parse_Proto - Searches for simple clues from the message about what * protocl might have generated this event ****************************************************************************/ /* DEPERCIATED: Parse_IP now handles all of this int Parse_Proto( char *msg ) { int i; for (i = 0; i < counters->mapcount_message; i++) { if ( map_message[i].nocase == 1 ) { if (Sagan_stristr(msg, map_message[i].search, true)) { return(map_message[i].proto); } } else { if (Sagan_strstr(msg, map_message[i].search)) { return(map_message[i].proto); } } } return(0); } */ /**************************************************************************** * Parse_Proto_Program - Attempts to determine the protocol that generate * the event by the program that generate it. 
 ****************************************************************************/

int Parse_Proto_Program( char *program )
{

    int idx;
    int hit;

    /* Walk the program map in order; the first entry that matches wins.
     * Entries flagged nocase use the case-insensitive search. */
    for (idx = 0; idx < counters->mapcount_program; idx++) {

        hit = ( map_program[idx].nocase == 1 )
              ? !!Sagan_stristr(program, map_program[idx].program, true)
              : !!Sagan_strstr(program, map_program[idx].program);

        if ( hit ) {
            return(map_program[idx].proto);
        }

    }

    /* No clue found; protocol unknown. */
    return(0);

}

sagan-1.2.0/src/parsers/parsers.h0000644000175000017500000000257313310531444015650 0ustar champchamp/*
** Copyright (C) 2009-2018 Quadrant Information Security
** Copyright (C) 2009-2018 Champ Clark III
**
** This program is free software; you can redistribute it and/or modify
** it under the terms of the GNU General Public License Version 2 as
** published by the Free Software Foundation.  You may not use, modify or
** distribute this program under any other version of the GNU General
** Public License.
**
** This program is distributed in the hope that it will be useful,
** but WITHOUT ANY WARRANTY; without even the implied warranty of
** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
** GNU General Public License for more details.
**
** You should have received a copy of the GNU General Public License
** along with this program; if not, write to the Free Software
** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
*/ #ifdef HAVE_CONFIG_H #include "config.h" /* From autoconf */ #endif #include "parsers/strstr-asm/strstr-hook.h" int Parse_IP( char *syslog_message, struct _Sagan_Lookup_Cache_Entry *lookup_cache ); int Parse_Src_Port( char * ); int Parse_Dst_Port( char * ); int Parse_Proto( char * ); int Parse_Proto_Program( char * ); void Parse_Hash( char *, int, char *str, size_t size ); void Parse_Hash_Cleanup(char *, char *str, size_t size ); /* IP Lookup cache */ sagan-1.2.0/src/parsers/port.c0000644000175000017500000002225713310531444015151 0ustar champchamp/* ** Copyright (C) 2009-2018 Quadrant Information Security ** Copyright (C) 2009-2018 Champ Clark III ** ** This program is free software; you can redistribute it and/or modify ** it under the terms of the GNU General Public License Version 2 as ** published by the Free Software Foundation. You may not use, modify or ** distribute this program under any other version of the GNU General ** Public License. ** ** This program is distributed in the hope that it will be useful, ** but WITHOUT ANY WARRANTY; without even the implied warranty of ** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ** GNU General Public License for more details. ** ** You should have received a copy of the GNU General Public License ** along with this program; if not, write to the Free Software ** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. */ /* port.c * * A simple method of finding a port in a syslog message. An example message * might be "Invalid connection from 12.145.241.50 on port 22". This code * would pull the port "22". This is part of the "parse_port_simple" * Sagan rules flag. 
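 *
 */

#ifdef HAVE_CONFIG_H
#include "config.h"             /* From autoconf */
#endif

/* NOTE(review): the system header names below were lost when this copy was
 * extracted (only the #include keywords survived); restore them from the
 * upstream file before building. */
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include

#include "sagan.h"
#include "sagan-defs.h"
#include "version.h"
#include "sagan-config.h"
#include "parsers/parsers.h"

struct _SaganConfig *config;

/*****************************************************************************
 * Port_After_Tag - Scans `tmpmsg` (already upper-cased; modified in place by
 * strtok_r) for a space-separated token that begins with `tag`, e.g.
 * "SPT=1234" or "DPT:22", and returns the number that follows the single
 * separator character after the tag.  The leading token of the message is
 * consumed but not examined, and a bare tag with nothing after it ends the
 * scan - both as in the original unrolled loops.  When several tagged tokens
 * are numeric the last one wins.  Returns `fallback` if none is found.
 *****************************************************************************/

static int Port_After_Tag( char *tmpmsg, const char *tag, int fallback )
{

    char *saveptr = NULL;
    char *token = NULL;
    size_t taglen = strlen(tag);
    int port = fallback;

    (void)strtok_r(tmpmsg, " ", &saveptr);

    for (;;) {

        token = strtok_r(NULL, " ", &saveptr);

        if ( token == NULL ) break;

        if (!strncmp(token, tag, taglen)) {

            if (token[taglen] == '\0') break;

            /* if it's a number, set it.  If not, keep what we have */
            if (Is_Numeric(token + taglen + 1)) {
                port = atoi(token + taglen + 1);
            }

        }

    }

    return(port);

}

/*****************************************************************************
 * Parse_Src_Port - Pulls a source port out of a syslog message, trying in
 * turn: "... port 1234", "... spt=1234", "A.B.C.D:1234" and "A.B.C.D#1234".
 * Returns config->sagan_port when nothing usable is found.
 *
 * The message is untrusted input.  The ':' and '#' forms now check every
 * strtok_r() result before use; a message that ended right after the
 * separator (e.g. "from 10.0.0.1:") used to hand a NULL to Is_Numeric() /
 * strlen().  Otherwise the matching rules are unchanged.
 *****************************************************************************/

int Parse_Src_Port (char *msg)
{

    int port;
    char *portstring=NULL;
    char *saveptr1=NULL;
    char *saveptr2=NULL;
    char *token=NULL;
    char *tmpport=NULL;
    struct sockaddr_in sa;
    int result;

    /* Default when no port can be parsed. */
    port = config->sagan_port;

    char tmpmsg[MAX_SYSLOGMSG];

    snprintf(tmpmsg, sizeof(tmpmsg), "%s", msg);
    To_UpperC(tmpmsg);

    /* See if the word " port" is in the string */

    if ( Sagan_strstr(tmpmsg, " PORT ")) {

        portstring = strtok_r(tmpmsg, " ", &saveptr1);
        (void)portstring;       /* leading token is skipped, as before */

        for (;;) {

            token = strtok_r(NULL, " ", &saveptr1);
            if ( token == NULL ) break;

            /* tokenize by " ", grab string after "port". */
            if (!strcmp(token, "PORT")) {

                tmpport = strtok_r(NULL, " ", &saveptr1);
                if (tmpport == NULL) break;

                /* if it's a number, set it.  If not, default */
                if (Is_Numeric(tmpport)) {
                    return(atoi(tmpport));
                }

                /* drop last char.  Sometimes port ends in port "#."
                 * (strtok_r never yields an empty token, so strlen >= 1) */
                tmpport[strlen(tmpport) - 1] = '\0';

                if (Is_Numeric(tmpport)) {
                    return(atoi(tmpport));
                }

            }

        }

    }

    snprintf(tmpmsg, sizeof(tmpmsg), "%s", msg);
    To_UpperC(tmpmsg);

    /* See if the word " spt" (source port) is in the string */
    /* We accept " spt[any char except space][a port number]" */

    if ( Sagan_strstr(tmpmsg, " SPT")) {
        /* Note: does not return; the ':' and '#' forms below may still override. */
        port = Port_After_Tag(tmpmsg, "SPT", port);
    }

    snprintf(tmpmsg, sizeof(tmpmsg), "%s", msg);
    To_UpperC(tmpmsg);

    if ( Sagan_strstr(tmpmsg, ":")) {

        portstring = strtok_r(tmpmsg, ":", &saveptr1);

        if ( portstring != NULL ) {

            token = strtok_r(portstring, " ", &saveptr2);

            for (;;) {

                token = strtok_r(NULL, " ", &saveptr2);
                if ( token == N)ULL ) break;

                result = Is_IP(token);

                /* Found IP, get the port */
                if ( result != 0 ) {

                    /* IP:PORT */
                    portstring = strtok_r(NULL, ":", &saveptr1);
                    if ( portstring == NULL ) break;    /* message ends right after ':' */

                    if (Is_Numeric(portstring)) {
                        return(atoi(portstring));
                    }

                    /* IP:PORT string or IP::PORT */
                    token = strtok_r(portstring, " ", &saveptr1);
                    if ( token == NULL ) break;

                    if (Is_Numeric(token)) {
                        return(atoi(token));
                    }

                }

            }

        }

    }

    snprintf(tmpmsg, sizeof(tmpmsg), "%s", msg);
    To_UpperC(tmpmsg);

    if ( Sagan_strstr(tmpmsg, "#")) {

        portstring = strtok_r(tmpmsg, "#", &saveptr1);

        if ( portstring != NULL ) {

            token = strtok_r(portstring, " ", &saveptr2);

            for (;;) {

                token = strtok_r(NULL, " ", &saveptr2);
                if ( token == NULL ) break;

                /* This form only recognises IPv4. */
                result = inet_pton(AF_INET, token, &(sa.sin_addr));

                /* Found IP, get the port */
                if ( result != 0 ) {

                    /* IP#PORT */
                    portstring = strtok_r(NULL, "#", &saveptr1);
                    if ( portstring == NULL ) break;    /* message ends right after '#' */

                    if (Is_Numeric(portstring)) {
                        return(atoi(portstring));
                    }

                    /* IP#PORT string or IP##PORT */
                    token = strtok_r(portstring, " ", &saveptr1);
                    if ( token == NULL ) break;

                    if (Is_Numeric(token)) {
                        return(atoi(token));
                    }

                    /* drop a trailing punctuation char and retry */
                    token[strlen(token) - 1] = '\0';

                    if (Is_Numeric(token)) {
                        return(atoi(token));
                    }

                }

            }

        }

    }

    return(port);

}

/*****************************************************************************
 * Parse_Dst_Port - Pulls a destination port out of a syslog message from a
 * "... dpt=1234" style token.  Returns config->sagan_port when none is found.
 *****************************************************************************/

int Parse_Dst_Port (char *msg)
{

    int port = config->sagan_port;

    char tmpmsg[MAX_SYSLOGMSG];

    snprintf(tmpmsg, sizeof(tmpmsg), "%s", msg);
    To_UpperC(tmpmsg);

    /* See if the word " dpt" (destination port) is in the string */
    /* We accept " dpt[any char except space][a port number]" */

    if ( Sagan_strstr(tmpmsg, " DPT")) {
        port = Port_After_Tag(tmpmsg, "DPT", port);
    }

    return(port);

}

sagan-1.2.0/src/parsers/ip.c0000644000175000017500000011225713310531444014575 0ustar champchamp/*
** Copyright (C) 2009-2018 Quadrant Information Security
** Copyright (C) 2009-2018 Champ Clark III
**
** This program is free software; you can redistribute it and/or modify
** it under the terms of the GNU General Public License Version 2 as
** published by the Free Software Foundation.  You may not use, modify or
** distribute this program under any other version of the GNU General
** Public License.
**
** This program is distributed in the hope that it will be useful,
** but WITHOUT ANY WARRANTY; without even the implied warranty of
** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
** GNU General Public License for more details.
**
** You should have received a copy of the GNU General Public License
** along with this program; if not, write to the Free Software
** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
*/

/* ip.c
 *
 * Simple method of "finding" the "real" IP address from a syslog message.  This
 * works with OpenSSH and messages of that nature.  An example message might be:
 * "Invalid login from 12.145.241.50".  This will pull the 12.145.241.50.  This
 * is part of the "parse_src_ip/parse_src_dst" Sagan rules flag.
 *
 * 2018/05/17 - Added a new "cache" system so Sagan doesn't have to repeatedly
 * parse logs.  Support IPv6 and will attempt to pull the port and protocol
 * if available.
 *
 * What this detects:
 *
 * IPv4
 * -----------------------------------------------------------------------
 *
 * 192.168.2.1                          # Stand alone IP
 * 192.168.2.1.                         # Trailing period.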
* [192.168.2.1] # Or anything like "192.168.2.1", etc * 192.168.2.1:1234 * 192.168.2.1#1234 * 192.168.2.1 port 1234 * 192.168.2.1 source port 1234 * 192.168.2.1 source port: 1234 # Windows style. * 192.168.2.1 destination port 1234 * 192.168.2.1 desitnation port: 1234 # Windows style. * 192.168.2.1 client port: 1234 # Windows style * 192.168.2.1 client port 1234 * inet#192.168.2.1 * * IPv6 * ----------------------------------------------------------------------- * * fe80::b614:89ff:fe11:5e24 # Stand alone IPv6 * fe80::b614:89ff:fe11:5e24. # Trailing period. * fe80::b614:89ff:fe11:5e24#1234 * inet#fe80::b614:89ff:fe11:5e24 * [fe80::b614:89ff:fe11:5e24]:80 # Traditional style. * fe80::b614:89ff:fe11:5e24 Client Port: 1234 # Windows * fe80::b614:89ff:fe11:5e24 client port 1234 * */ #ifdef HAVE_CONFIG_H #include "config.h" /* From autoconf */ #endif #include #include #include #include #include #include #include #include #include #include "sagan.h" #include "sagan-defs.h" #include "sagan-config.h" #include "version.h" #include "parsers/parsers.h" struct _SaganConfig *config; struct _SaganDebug *debug; int Parse_IP( char *syslog_message, struct _Sagan_Lookup_Cache_Entry *lookup_cache ) { if ( debug->debugparse_ip ) { Sagan_Log(DEBUG, "[%s:%lu] Start Function.", __FUNCTION__, pthread_self() ); } struct sockaddr_in sa; int current_position = 0; char mod_string[MAX_SYSLOGMSG] = { 0 }; char tmp_token[64] = { 0 }; char *ptr1 = NULL; char *ptr2 = NULL; char *ptr3 = NULL; char *ptr4 = NULL; char *ip_1 = NULL; char *ip_2 = NULL; char port_test[6] = { 0 }; int port_test_int = 0; sbool valid = false ; int i=0; int b=0; int num_colons = 0; int num_dots = 0; int num_hashes = 0; int port = config->sagan_port; for (i=0; idebugparse_ip ) { Sagan_Log(DEBUG, "[%s:%lu] Modified string: %s", __FUNCTION__, pthread_self(), mod_string); } ptr1 = strtok_r(mod_string, " ", &ptr2); while ( ptr1 != NULL ) { num_colons = 0; num_dots = 0; num_hashes = 0; if ( debug->debugparse_ip ) { 
Sagan_Log(DEBUG, "[%s:%lu] Token: '%s'", __FUNCTION__, pthread_self(), ptr1 ); } /* Get counts of colons, hashes, dots. */ for (i=0; idebugparse_ip ) { Sagan_Log(DEBUG, "[%s:%lu] Colons: %d, Dots: %d, Hashes: %d", __FUNCTION__, pthread_self(), num_colons, num_dots, num_hashes ); } if ( !strcasecmp(ptr1, "tcp" ) ) { if ( debug->debugparse_ip ) { Sagan_Log(DEBUG, "[%s:%lu] Protocal TCP detected.", __FUNCTION__, pthread_self() ); } lookup_cache[0].proto = 6; } else if ( !strcasecmp(ptr1, "udp" ) ) { if ( debug->debugparse_ip ) { Sagan_Log(DEBUG, "[%s:%lu] Protocal UDP detected.", __FUNCTION__, pthread_self() ); } lookup_cache[0].proto = 17; } else if ( !strcasecmp(ptr1, "icmp" ) ) { if ( debug->debugparse_ip ) { Sagan_Log(DEBUG, "[%s:%lu] Protocal ICMP detected.", __FUNCTION__, pthread_self() ); } lookup_cache[0].proto = 1; } /* Needs to have proper IPv6 or IPv4 encoding. num_dots > 4 is for IP with trailing period. */ if ( ( num_colons < 2 && num_dots < 3 ) || ( num_dots > 4 ) ) { if ( debug->debugparse_ip ) { Sagan_Log(DEBUG, "[%s:%lu] '%s' can't be an IPv4 or IPv6.", __FUNCTION__, pthread_self(), ptr1 ); } ptr1 = strtok_r(NULL, " ", &ptr2); /* move to next token */ continue; } /* Stand alone IPv4 address */ if ( num_dots == 3 && num_colons == 0 ) { valid = inet_pton(AF_INET, ptr1, &(sa.sin_addr)); if ( valid == 1 ) { if ( debug->debugparse_ip ) { Sagan_Log(DEBUG, "[%s:%lu] ** Identified stand alone IPv4 address '%s' position %d **", __FUNCTION__, pthread_self(), ptr1, current_position ); } /* Grab the IP */ memcpy(lookup_cache[current_position].ip, ptr1, MAXIP); memset(lookup_cache[current_position].ip_bits, 0, MAXIPBIT); IP2Bit(ptr1, lookup_cache[current_position].ip_bits); /* Preserve the array */ memcpy(tmp_token, ptr2, sizeof(tmp_token)); ptr4 = tmp_token; ptr3 = strtok_r(NULL, " ", &ptr4); /* Look for "192.168.1.1 port 1234" */ if ( ptr3 != NULL && strcasestr(ptr3, "port") ) { if ( debug->debugparse_ip ) { Sagan_Log(DEBUG, "[%s:%d] Identified the word 'port'", 
__FUNCTION__, pthread_self() ); } ptr3 = strtok_r(NULL, " ", &ptr4); if ( ptr3 != NULL ) { port = atoi(ptr3); if ( port == 0 ) { lookup_cache[current_position].port = config->sagan_port; } else { lookup_cache[current_position].port = port; } } } /* Look for "192.168.1.1 source port: 1234" or "192.168.1.1 source port 1234" */ else if ( ptr3 != NULL && ( strcasestr(ptr3, "source") || strcasestr(ptr3, "destination" ) ) ) { if ( debug->debugparse_ip ) { Sagan_Log(DEBUG, "[%s:%lu] Identified 'source' or 'destination'", __FUNCTION__, pthread_self() ); } ptr3 = strtok_r(NULL, " ", &ptr4); if ( ptr3 != NULL && strcasestr(ptr3, "port" ) ) { if ( debug->debugparse_ip ) { Sagan_Log(DEBUG, "[%s:%lu] Identified 'port'.", __FUNCTION__, pthread_self() ); } ptr3 = strtok_r(NULL, " ", &ptr4); if ( ptr3 != NULL ) { port = atoi(ptr3); if ( port == 0 ) { lookup_cache[current_position].port = config->sagan_port; } else { lookup_cache[current_position].port = port; } } } } /* Look's for 192.168.1.1 client port 1234 */ else if ( ptr3 != NULL && strcasestr(ptr3, "client") ) { if ( debug->debugparse_ip ) { Sagan_Log(DEBUG, "[%s:%lu] Identified 'client'", __FUNCTION__, pthread_self() ); } ptr3 = strtok_r(NULL, " ", &ptr4); if ( ptr3 != NULL && strcasestr(ptr3, "port" ) ) { if ( debug->debugparse_ip ) { Sagan_Log(DEBUG, "[%s:%lu] Identified 'port'.", __FUNCTION__, pthread_self() ); } ptr3 = strtok_r(NULL, " ", &ptr4); if ( ptr3 != NULL ) { port = atoi(ptr3); if ( port == 0 ) { lookup_cache[current_position].port = config->sagan_port; } else { lookup_cache[current_position].port = port; } } } } lookup_cache[current_position].status = 1; current_position++; /* If we've run to the end, we're done */ if ( current_position > MAX_PARSE_IP ) { break; } } } /* Stand alone IPv4 with trailing period */ if ( num_dots == 4 && ptr1[ strlen(ptr1)-1 ] == '.' 
) { /* Erase the period */ ptr1[ strlen(ptr1)-1 ] = '\0'; valid = inet_pton(AF_INET, ptr1, &(sa.sin_addr)); if ( valid == 1 ) { if ( debug->debugparse_ip ) { Sagan_Log(DEBUG, "[%s:%lu] ** Identified stand alone IPv4 address '%s' with trailing period. **", __FUNCTION__, pthread_self(), ptr1 ); } memcpy(lookup_cache[current_position].ip, ptr1, MAXIP); memset(lookup_cache[current_position].ip_bits, 0, MAXIPBIT); IP2Bit(ptr1, lookup_cache[current_position].ip_bits); lookup_cache[current_position].port = config->sagan_port; lookup_cache[current_position].status = 1; current_position++; if ( current_position > MAX_PARSE_IP ) { break; } } } /* IPv4 with 192.168.2.1:12345 or inet:192.168.2.1 */ if ( num_colons == 1 && num_dots == 3) { /* test both sides */ ip_1 = strtok_r(ptr1, ":", &ip_2); if ( ip_1 != NULL ) { valid = inet_pton(AF_INET, ip_1, &(sa.sin_addr)); } if ( valid == 1 ) { if ( debug->debugparse_ip ) { Sagan_Log(DEBUG, "[%s:%lu] ** Identified IPv4:PORT address. **", __FUNCTION__, pthread_self() ); } memcpy(lookup_cache[current_position].ip, ip_1, MAXIP); memset(lookup_cache[current_position].ip_bits, 0, MAXIPBIT); IP2Bit(ip_1, lookup_cache[current_position].ip_bits); /* In many cases, the port is after the : */ port = atoi(ip_2); if ( port == 0 ) { lookup_cache[current_position].port = config->sagan_port; } else { lookup_cache[current_position].port = port; } lookup_cache[current_position].status = 1; current_position++; if ( current_position > MAX_PARSE_IP ) { break; } } if ( ip_2 != NULL ) { valid = inet_pton(AF_INET, ip_2, &(sa.sin_addr)); } if ( valid == 1 ) { if ( debug->debugparse_ip ) { Sagan_Log(DEBUG, "[%s:%lu] ** Identified INTERFACE:IPv4 **", __FUNCTION__, pthread_self() ); } memcpy(lookup_cache[current_position].ip, ip_2, MAXIP); memset(lookup_cache[current_position].ip_bits, 0, MAXIPBIT); IP2Bit(ip_2, lookup_cache[current_position].ip_bits); lookup_cache[current_position].port = config->sagan_port; lookup_cache[current_position].status = 1; 
current_position++; if ( current_position > MAX_PARSE_IP ) { break; } } } /* Handle 192.168.2.1#12345 or inet#192.168.2.1 */ if ( num_hashes == 1 && num_dots == 3) { /* test both sides */ ip_1 = strtok_r(ptr1, "#", &ip_2); if ( ip_1 != NULL ) { valid = inet_pton(AF_INET, ip_1, &(sa.sin_addr)); } if ( valid == 1 ) { if ( debug->debugparse_ip ) { Sagan_Log(DEBUG, "[%s:%lu] ** Identified IPv4#PORT **", __FUNCTION__, pthread_self() ); } memcpy(lookup_cache[current_position].ip, ip_1, MAXIP); memset(lookup_cache[current_position].ip_bits, 0, MAXIPBIT); IP2Bit(ip_1, lookup_cache[current_position].ip_bits); /* In many cases, the port is after the : */ port = atoi(ip_2); if ( port == 0 ) { lookup_cache[current_position].port = config->sagan_port; } else { lookup_cache[current_position].port = port; } lookup_cache[current_position].status = 1; current_position++; /* If we've run to the end, we're done */ if ( current_position > MAX_PARSE_IP ) { break; } } if ( ip_2 != NULL ) { valid = inet_pton(AF_INET, ip_2, &(sa.sin_addr)); } if ( valid == 1 ) { if ( debug->debugparse_ip ) { Sagan_Log(DEBUG, "[%s:%lu] ** Identified INTERFACE#PORT **", __FUNCTION__, pthread_self() ); } memcpy(lookup_cache[current_position].ip, ip_2, MAXIP); memset(lookup_cache[current_position].ip_bits, 0, MAXIPBIT); IP2Bit(ip_2, lookup_cache[current_position].ip_bits); lookup_cache[current_position].port = config->sagan_port; lookup_cache[current_position].status = 1; current_position++; /* If we've run to the end, we're done */ if ( current_position > MAX_PARSE_IP ) { break; } } } /* Do we even want to part IPv6? 
*/ if ( config->parse_ip_ipv6 == true ) { /* Stand alone IPv6 */ if ( num_colons > 2 ) { valid = inet_pton(AF_INET6, ptr1, &(sa.sin_addr)); if ( valid == 1 ) { if ( debug->debugparse_ip ) { Sagan_Log(DEBUG, "[%s:%lu] ** Identified stand alone IPv6 address '%s' **", __FUNCTION__, pthread_self(), ptr1 ); } memcpy(lookup_cache[current_position].ip, ptr1, MAXIP); memset(lookup_cache[current_position].ip_bits, 0, MAXIPBIT); IP2Bit(ptr1, lookup_cache[current_position].ip_bits); /* This converts ::ffff:192.168.1.1 to regular IPv4 (192.168.1.1) */ if ( config->parse_ip_ipv4_mapped_ipv6 == false ) { if ( ptr1[0] == ':' && ptr1[1] == ':' && ( ptr1[2] == 'f' || ptr1[2] == 'F' ) && ( ptr1[3] == 'f' || ptr1[3] == 'F' ) && ( ptr1[4] == 'f' || ptr1[4] == 'F' ) && ( ptr1[5] == 'f' || ptr1[5] == 'F' ) && ptr1[6] == ':' ) { b = strlen(ptr1); for (i = 7; b > i; i++) { lookup_cache[current_position].ip[i-7] = ptr1[i]; lookup_cache[current_position].ip[i-6] = '\0'; } memset(lookup_cache[current_position].ip_bits, 0, MAXIPBIT); IP2Bit(ptr1, lookup_cache[current_position].ip_bits); } } /* Look for "fe80::b614:89ff:fe11:5e24 port 1234" */ memcpy(tmp_token, ptr2, sizeof(tmp_token)); ptr4 = tmp_token; ptr3 = strtok_r(NULL, " ", &ptr4); if ( ptr3 != NULL && strcasestr(ptr3, "port") ) { if ( debug->debugparse_ip ) { Sagan_Log(DEBUG, "[%s:%lu] Identified the word 'port'", __FUNCTION__, pthread_self() ); } ptr3 = strtok_r(NULL, " ", &ptr4); if ( ptr3 != NULL ) { port = atoi(ptr3); if ( port == 0 ) { lookup_cache[current_position].port = port; } else { lookup_cache[current_position].port = config->sagan_port; } } } /* Look for "fe80::b614:89ff:fe11:5e24 source port: 1234" or "fe80::b614:89ff:fe11:5e24 source port 1234" */ else if ( ptr3 != NULL && ( strcasestr(ptr3, "source") || strcasestr(ptr3, "destination" ) ) ) { if ( debug->debugparse_ip ) { Sagan_Log(DEBUG, "[%s:%lu] Identified the word 'source' or 'destination'", __FUNCTION__, pthread_self() ); } ptr3 = strtok_r(NULL, " ", &ptr4); if ( 
ptr3 != NULL && strcasestr(ptr3, "port" ) ) { if ( debug->debugparse_ip ) { Sagan_Log(DEBUG, "[%s:%lu] Identified the word 'port'", __FUNCTION__, pthread_self() ); } ptr3 = strtok_r(NULL, " ", &ptr4); if ( ptr3 != NULL ) { port = atoi(ptr3); if ( port == 0 ) { lookup_cache[current_position].port = config->sagan_port; } else { lookup_cache[current_position].port = port; } } } } /* IPv6 [fe80::b614:89ff:fe11:5e24]:443 */ else if ( ptr3 != NULL && ptr3[0] == ':' ) { if ( debug->debugparse_ip ) { Sagan_Log(DEBUG, "[%s:%lu] Identified possible [IPv6]:PORT", __FUNCTION__, pthread_self() ); } for ( i = 1; i < strlen(ptr3); i++ ) { port_test[i-1] = ptr3[i]; } port_test_int = atoi(port_test); if ( port_test_int == 0 ) { lookup_cache[current_position].port = config->sagan_port; } else { lookup_cache[current_position].port = port_test_int; } } lookup_cache[current_position].status = 1; current_position++; if ( current_position > MAX_PARSE_IP ) { break; } } } /* Stand alone IPv6 with trailing period */ if ( num_colons > 2 && ptr1[ strlen(ptr1)-1 ] == '.' ) { /* Erase the period */ ptr1[ strlen(ptr1)-1 ] = '\0'; valid = inet_pton(AF_INET6, ptr1, &(sa.sin_addr)); if ( valid == 1 ) { if ( debug->debugparse_ip ) { Sagan_Log(DEBUG, "[%s:%lu] ** Identified stand alone IPv6 '%s' with trailing period. 
**", __FUNCTION__, pthread_self(), ptr1 ); } memcpy(lookup_cache[current_position].ip, ptr1, MAXIP); memset(lookup_cache[current_position].ip_bits, 0, MAXIPBIT); IP2Bit(ptr1, lookup_cache[current_position].ip_bits); /* This converts ::ffff:192.168.1.1 to regular IPv4 (192.168.1.1) */ if ( config->parse_ip_ipv4_mapped_ipv6 == false ) { if ( ptr1[0] == ':' && ptr1[1] == ':' && ( ptr1[2] == 'f' || ptr1[2] == 'F' ) && ( ptr1[3] == 'f' || ptr1[3] == 'F' ) && ( ptr1[4] == 'f' || ptr1[4] == 'F' ) && ( ptr1[5] == 'f' || ptr1[5] == 'F' ) && ptr1[6] == ':' ) { b = strlen(ptr1); for (i = 7; b > i; i++) { lookup_cache[current_position].ip[i-7] = ptr1[i]; lookup_cache[current_position].ip[i-6] = '\0'; } memset(lookup_cache[current_position].ip_bits, 0, MAXIPBIT); IP2Bit(ptr1, lookup_cache[current_position].ip_bits); } } lookup_cache[current_position].port = config->sagan_port; lookup_cache[current_position].status = 1; current_position++; if ( current_position > MAX_PARSE_IP ) { break; } } } /* Handle IPv6 fe80::b614:89ff:fe11:5e24#12345 or inet#fe80::b614:89ff:fe11:5e24 */ if ( num_hashes == 1 && num_colons > 2 ) { /* test both sides */ ip_1 = strtok_r(ptr1, "#", &ip_2); if ( ip_1 != NULL ) { valid = inet_pton(AF_INET6, ip_1, &(sa.sin_addr)); } if ( valid == 1 ) { if ( debug->debugparse_ip ) { Sagan_Log(DEBUG, "[%s:%lu] ** Identified IPv6#PORT **", __FUNCTION__, pthread_self() ); } memcpy(lookup_cache[current_position].ip, ip_1, MAXIP); memset(lookup_cache[current_position].ip_bits, 0, MAXIPBIT); IP2Bit(ip_1, lookup_cache[current_position].ip_bits); /* In many cases, the port is after the : */ port = atoi(ip_2); if ( port == 0 ) { lookup_cache[current_position].port = config->sagan_port; } else { lookup_cache[current_position].port = port; } lookup_cache[current_position].status = 1; current_position++; /* If we've run to the end, we're done */ if ( current_position > MAX_PARSE_IP ) { break; } } if ( ip_2 != NULL ) { valid = inet_pton(AF_INET6, ip_2, &(sa.sin_addr)); } if ( 
valid == 1 ) { if ( debug->debugparse_ip ) { Sagan_Log(DEBUG, "[%s:%lu] ** Identified INTERFACE#IPv6 **", __FUNCTION__, pthread_self() ); } memcpy(lookup_cache[current_position].ip, ip_2, MAXIP); memset(lookup_cache[current_position].ip_bits, 0, MAXIPBIT); IP2Bit(ip_2, lookup_cache[current_position].ip_bits); lookup_cache[current_position].port = config->sagan_port; lookup_cache[current_position].status = 1; current_position++; /* If we've run to the end, we're done */ if ( current_position > MAX_PARSE_IP ) { break; } } } } /* If config->parse_ip_ipv6 */ ptr1 = strtok_r(NULL, " ", &ptr2); } for ( i = 0; i < current_position; i++) { lookup_cache[current_position].status = 0; } if ( debug->debugparse_ip ) { if ( current_position > 0 ) { Sagan_Log(DEBUG, "[%lld:%d] --[Lookup Cache Array]----", pthread_self(), current_position ); for (i = 0; i < current_position; i++) { Sagan_Log(DEBUG, "-- ARRAY: Position: %d, Status: %d, IP: %s, Port: %d", i, lookup_cache[i].status, lookup_cache[i].ip, lookup_cache[i].port); } } } return(current_position); } sagan-1.2.0/src/parsers/strstr-asm/0000755000175000017500000000000013310531444016130 5ustar champchampsagan-1.2.0/src/parsers/strstr-asm/strstr-hook.h0000644000175000017500000000273713310531444020611 0ustar champchamp/* ** Copyright (C) 2009-2018 Quadrant Information Security ** Copyright (C) 2009-2018 Champ Clark III ** ** This program is free software; you can redistribute it and/or modify ** it under the terms of the GNU General Public License Version 2 as ** published by the Free Software Foundation. You may not use, modify or ** distribute this program under any other version of the GNU General ** Public License. ** ** This program is distributed in the hope that it will be useful, ** but WITHOUT ANY WARRANTY; without even the implied warranty of ** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ** GNU General Public License for more details. 
** ** You should have received a copy of the GNU General Public License ** along with this program; if not, write to the Free Software ** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. */ /* sagan-strstr-hook.c * * This "hooks" in the "Sagan_strstr" function for CPUs supporting SSE2. * This code is based on work by Ondra B�lk and the glibc projects. * * His code/original post can be found at: * * http://comments.gmane.org/gmane.comp.lib.glibc.alpha/34531 * */ #ifdef HAVE_CONFIG_H #include "config.h" /* From autoconf */ #endif #ifdef HAVE_SSE2 #ifndef WITH_SYSSTRSTR int __strstr_sse2_unaligned(); int __strstr_sse42(); #endif #endif char *Sagan_strstr(const char *, const char *); char *Sagan_stristr(const char *, const char *, sbool); sagan-1.2.0/src/parsers/strstr-asm/strstr_sse2.S0000644000175000017500000001716113310531444020557 0ustar champchamp/* ** Copyright (C) 2009-2018 Quadrant Information Security ** Copyright (C) 2009-2018 Champ Clark III ** ** This program is free software; you can redistribute it and/or modify ** it under the terms of the GNU General Public License Version 2 as ** published by the Free Software Foundation. You may not use, modify or ** distribute this program under any other version of the GNU General ** Public License. ** ** This program is distributed in the hope that it will be useful, ** but WITHOUT ANY WARRANTY; without even the implied warranty of ** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ** GNU General Public License for more details. ** ** You should have received a copy of the GNU General Public License ** along with this program; if not, write to the Free Software ** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. */ /* strstr_sse2.S * * This "hooks" in the "Sagan_strstr" function for CPUs supporting SSE2. * This code is based on work by Ondra B�lk and the glibc projects. 
* * His code/original post can be found at: * * http://comments.gmane.org/gmane.comp.lib.glibc.alpha/34531 * */ #ifdef HAVE_CONFIG_H #include "config.h" /* From autoconf */ #endif #ifndef WITH_SYSSTRSTR /* If NOT using system built in strstr */ #ifdef HAVE_SSE2 #ifndef ALIGN # define ALIGN(n) .p2align n #endif .text .globl __strstr_sse2_unaligned .type __strstr_sse2_unaligned, @function __strstr_sse2_unaligned: .LFB0: .cfi_startproc movzbl (%rsi), %eax testb %al, %al je .Lempty movzbl 1(%rsi), %edx testb %dl, %dl je .Lstrchr movd %eax, %xmm1 movd %edx, %xmm2 movq %rdi, %rax andl $4095, %eax punpcklbw %xmm1, %xmm1 cmpq $4031, %rax punpcklbw %xmm2, %xmm2 punpcklwd %xmm1, %xmm1 punpcklwd %xmm2, %xmm2 pshufd $0, %xmm1, %xmm1 pshufd $0, %xmm2, %xmm2 ja .Lcross_page movdqu (%rdi), %xmm3 pxor %xmm5, %xmm5 movdqu 1(%rdi), %xmm4 movdqa %xmm3, %xmm6 pcmpeqb %xmm1, %xmm3 pcmpeqb %xmm2, %xmm4 movdqu 16(%rdi), %xmm0 pcmpeqb %xmm5, %xmm6 pminub %xmm4, %xmm3 movdqa %xmm3, %xmm4 movdqu 17(%rdi), %xmm3 pcmpeqb %xmm0, %xmm5 pcmpeqb %xmm2, %xmm3 por %xmm6, %xmm4 pcmpeqb %xmm1, %xmm0 pminub %xmm3, %xmm0 por %xmm5, %xmm0 pmovmskb %xmm4, %r8d pmovmskb %xmm0, %eax salq $16, %rax orq %rax, %r8 je .Lnext_32_bytes .Lnext_pair_index: bsf %r8, %rax addq %rdi, %rax cmpb $0, (%rax) je .Lzero1 movzbl 2(%rsi), %edx testb %dl, %dl je .Lfound1 cmpb 2(%rax), %dl jne .Lnext_pair xorl %edx, %edx jmp .Lpair_loop_start ALIGN (4) .Lstrchr: movzbl %al, %esi jmp strchr@PLT ALIGN (4) .Lpair_loop: addq $1, %rdx cmpb 2(%rax,%rdx), %cl jne .Lnext_pair .Lpair_loop_start: movzbl 3(%rsi,%rdx), %ecx testb %cl, %cl jne .Lpair_loop .Lfound1: ret .Lzero1: xorl %eax, %eax ret ALIGN (4) .Lnext_pair: leaq -1(%r8), %rax andq %rax, %r8 jne .Lnext_pair_index ALIGN (4) .Lnext_32_bytes: movdqu 32(%rdi), %xmm3 pxor %xmm5, %xmm5 movdqu 33(%rdi), %xmm4 movdqa %xmm3, %xmm6 pcmpeqb %xmm1, %xmm3 pcmpeqb %xmm2, %xmm4 movdqu 48(%rdi), %xmm0 pcmpeqb %xmm5, %xmm6 pminub %xmm4, %xmm3 movdqa %xmm3, %xmm4 movdqu 49(%rdi), %xmm3 pcmpeqb 
%xmm0, %xmm5 pcmpeqb %xmm2, %xmm3 por %xmm6, %xmm4 pcmpeqb %xmm1, %xmm0 pminub %xmm3, %xmm0 por %xmm5, %xmm0 pmovmskb %xmm4, %eax salq $32, %rax pmovmskb %xmm0, %r8d salq $48, %r8 orq %rax, %r8 je .Lloop_header .Lnext_pair2_index: bsfq %r8, %rax addq %rdi, %rax cmpb $0, (%rax) je .Lzero2 movzbl 2(%rsi), %edx testb %dl, %dl je .Lfound2 cmpb 2(%rax), %dl jne .Lnext_pair2 xorl %edx, %edx jmp .Lpair_loop2_start ALIGN (4) .Lpair_loop2: addq $1, %rdx cmpb 2(%rax,%rdx), %cl jne .Lnext_pair2 .Lpair_loop2_start: movzbl 3(%rsi,%rdx), %ecx testb %cl, %cl jne .Lpair_loop2 .Lfound2: ret .Lzero2: xorl %eax, %eax ret .Lempty: mov %rdi, %rax ret ALIGN (4) .Lnext_pair2: leaq -1(%r8), %rax andq %rax, %r8 jne .Lnext_pair2_index .Lloop_header: movq $-512, %r11 movq %rdi, %r9 pxor %xmm7, %xmm7 andq $-64, %rdi ALIGN (4) .Lloop: movdqa 64(%rdi), %xmm3 movdqu 63(%rdi), %xmm6 movdqa %xmm3, %xmm0 pxor %xmm2, %xmm3 pxor %xmm1, %xmm6 movdqa 80(%rdi), %xmm10 por %xmm3, %xmm6 pminub %xmm10, %xmm0 movdqu 79(%rdi), %xmm3 pxor %xmm2, %xmm10 pxor %xmm1, %xmm3 movdqa 96(%rdi), %xmm9 por %xmm10, %xmm3 pminub %xmm9, %xmm0 pxor %xmm2, %xmm9 movdqa 112(%rdi), %xmm8 addq $64, %rdi pminub %xmm6, %xmm3 movdqu 31(%rdi), %xmm4 pminub %xmm8, %xmm0 pxor %xmm2, %xmm8 pxor %xmm1, %xmm4 por %xmm9, %xmm4 pminub %xmm4, %xmm3 movdqu 47(%rdi), %xmm5 pxor %xmm1, %xmm5 por %xmm8, %xmm5 pminub %xmm5, %xmm3 pminub %xmm3, %xmm0 pcmpeqb %xmm7, %xmm0 pmovmskb %xmm0, %eax testl %eax, %eax je .Lloop pminub (%rdi), %xmm6 pminub 32(%rdi),%xmm4 pminub 48(%rdi),%xmm5 pcmpeqb %xmm7, %xmm6 pcmpeqb %xmm7, %xmm5 pmovmskb %xmm6, %edx movdqa 16(%rdi), %xmm8 pcmpeqb %xmm7, %xmm4 movdqu 15(%rdi), %xmm0 pmovmskb %xmm5, %r8d movdqa %xmm8, %xmm3 pmovmskb %xmm4, %ecx pcmpeqb %xmm1,%xmm0 pcmpeqb %xmm2,%xmm3 salq $32, %rcx pcmpeqb %xmm7,%xmm8 salq $48, %r8 pminub %xmm0,%xmm3 orq %rcx, %rdx por %xmm3,%xmm8 orq %rdx, %r8 pmovmskb %xmm8, %eax salq $16, %rax orq %rax, %r8 .Lnext_pair_index3: bsfq %r8, %rcx addq %rdi, %rcx cmpb $0, (%rcx) je .Lzero 
xorl %eax, %eax movzbl 2(%rsi), %edx testb %dl, %dl je .Lsuccess3 cmpb 1(%rcx), %dl jne .Lnext_pair3 jmp .Lpair_loop_start3 ALIGN (4) .Lpair_loop3: addq $1, %rax cmpb 1(%rcx,%rax), %dl jne .Lnext_pair3 .Lpair_loop_start3: movzbl 3(%rsi,%rax), %edx testb %dl, %dl jne .Lpair_loop3 .Lsuccess3: lea -1(%rcx), %rax ret ALIGN (4) .Lnext_pair3: addq %rax, %r11 movq %rdi, %rax subq %r9, %rax cmpq %r11, %rax jl .Lswitch_strstr leaq -1(%r8), %rax andq %rax, %r8 jne .Lnext_pair_index3 jmp .Lloop ALIGN (4) .Lswitch_strstr: movq %rdi, %rdi jmp strstr@PLT ALIGN (4) .Lcross_page: movq %rdi, %rax pxor %xmm0, %xmm0 andq $-64, %rax movdqa (%rax), %xmm3 movdqu -1(%rax), %xmm4 movdqa %xmm3, %xmm8 movdqa 16(%rax), %xmm5 pcmpeqb %xmm1, %xmm4 pcmpeqb %xmm0, %xmm8 pcmpeqb %xmm2, %xmm3 movdqa %xmm5, %xmm7 pminub %xmm4, %xmm3 movdqu 15(%rax), %xmm4 pcmpeqb %xmm0, %xmm7 por %xmm3, %xmm8 movdqa %xmm5, %xmm3 movdqa 32(%rax), %xmm5 pcmpeqb %xmm1, %xmm4 pcmpeqb %xmm2, %xmm3 movdqa %xmm5, %xmm6 pmovmskb %xmm8, %ecx pminub %xmm4, %xmm3 movdqu 31(%rax), %xmm4 por %xmm3, %xmm7 movdqa %xmm5, %xmm3 pcmpeqb %xmm0, %xmm6 movdqa 48(%rax), %xmm5 pcmpeqb %xmm1, %xmm4 pmovmskb %xmm7, %r8d pcmpeqb %xmm2, %xmm3 pcmpeqb %xmm5, %xmm0 pminub %xmm4, %xmm3 movdqu 47(%rax), %xmm4 por %xmm3, %xmm6 movdqa %xmm5, %xmm3 salq $16, %r8 pcmpeqb %xmm1, %xmm4 pcmpeqb %xmm2, %xmm3 pmovmskb %xmm6, %r10d pminub %xmm4, %xmm3 por %xmm3, %xmm0 salq $32, %r10 orq %r10, %r8 orq %rcx, %r8 movl %edi, %ecx pmovmskb %xmm0, %edx subl %eax, %ecx salq $48, %rdx orq %rdx, %r8 shrq %cl, %r8 je .Lloop_header .Lnext_pair_index4: bsfq %r8, %rax addq %rdi, %rax cmpb $0, (%rax) je .Lzero cmpq %rax,%rdi je .Lnext_pair4 movzbl 2(%rsi), %edx testb %dl, %dl je .Lfound3 cmpb 1(%rax), %dl jne .Lnext_pair4 xorl %edx, %edx jmp .Lpair_loop_start4 ALIGN (4) .Lpair_loop4: addq $1, %rdx cmpb 1(%rax,%rdx), %cl jne .Lnext_pair4 .Lpair_loop_start4: movzbl 3(%rsi,%rdx), %ecx testb %cl, %cl jne .Lpair_loop4 .Lfound3: subq $1, %rax ret ALIGN (4) .Lnext_pair4: leaq 
-1(%r8), %rax andq %rax, %r8 jne .Lnext_pair_index4 jmp .Lloop_header ALIGN (4) .Lfound: rep ret ALIGN (4) .Lzero: xorl %eax, %eax ret .cfi_endproc .LFE0: .size __strstr_sse2_unaligned, .-__strstr_sse2_unaligned .ident "Sagan builtin strstr_sse2_unligned function" .section .note.GNU-stack,"",@progbits #endif #endif sagan-1.2.0/src/parsers/strstr-asm/strstr-hook.c0000644000175000017500000000663413310531444020604 0ustar champchamp/* ** Copyright (C) 2009-2018 Quadrant Information Security ** Copyright (C) 2009-2018 Champ Clark III ** ** This program is free software; you can redistribute it and/or modify ** it under the terms of the GNU General Public License Version 2 as ** published by the Free Software Foundation. You may not use, modify or ** distribute this program under any other version of the GNU General ** Public License. ** ** This program is distributed in the hope that it will be useful, ** but WITHOUT ANY WARRANTY; without even the implied warranty of ** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ** GNU General Public License for more details. ** ** You should have received a copy of the GNU General Public License ** along with this program; if not, write to the Free Software ** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. */ /* sagan-strstr-hook.c * * This "hooks" in the "Sagan_strstr" function for CPUs supporting SSE2. * This code is based on work by Ondra Bílk and the glibc projects. 
*
 * His code/original post can be found at:
 *
 * http://comments.gmane.org/gmane.comp.lib.glibc.alpha/34531
 *
 */

#ifdef HAVE_CONFIG_H
#include "config.h"             /* From autoconf */
#endif

#include #include #include "sagan.h"
#include "sagan-defs.h"
#include "parsers/strstr-asm/strstr-hook.h"

#ifndef WITH_SYSSTRSTR          /* If NOT using system built in strstr */

#if defined(HAVE_SSE2) && SIZEOF_SIZE_T == 8    /* And our CPU supports SSE2 & is the CPU 64 bit */

/* Dispatch table for the assembly implementations.  Only index 0
 * (__strstr_sse2_unaligned) is ever called by Sagan_strstr() below;
 * __strstr_sse42 is listed but never selected here.
 * NOTE(review): strstr-hook.h declares both routines as "int f()", while the
 * call below goes through a char *(*)(char *, char *) pointer - the two
 * declarations do not agree. */
static void* function_func[]= { __strstr_sse2_unaligned, __strstr_sse42, NULL};

/* This function takes advantage of CPUs with SSE2.
 *
 * Sagan_strstr - locate the first occurrence of needle _y in haystack _x
 * using the SSE2 unaligned routine from strstr_sse2.S.
 *
 * _x : haystack, NUL-terminated.
 * _y : needle, NUL-terminated.
 *
 * Returns what the assembly routine returns; it is written to mirror strstr()
 * (pointer to the first match inside _x, NULL when there is none, _x itself
 * for an empty needle).  The casts only exist to match the function-pointer
 * type used for the table entry.
 */
char *Sagan_strstr(const char *_x,const char *_y)
{
    char *x= (char*) _x, *y=(char*)_y;
    char* (*fn)(char *,char *) = function_func[0];
    char * p=fn(x,y);
    return p;
}

#else

/*
 * Non-SSE2 CPUs get to use the pure C function.  This code is based
 * off Dale Moore mine3a.  Information can be found at:
 *
 * http://computer-programming-forum.com/47-c-language/69de641587bbb919.htm
 *
 * Same contract as strstr(): returns a pointer into _x at the first
 * occurrence of _y, NULL if there is none, and _x for an empty needle.
 */
char *Sagan_strstr(const char *_x, const char *_y)
{
    size_t len = strlen (_y);

    /* An empty needle matches at the start of the haystack. */
    if (!*_y) return (char *) _x;

    for (;;) {
        /* Jump to the next position holding the needle's first byte. */
        if (!(_x = strchr (_x, *_y))) return NULL;

        /* Compare the whole needle there. */
        if (!strncmp (_x, _y, len)) return (char *) _x;

        _x++;
    }
}

#endif

/* This works similar to "strcasestr".  The "needle" (_y) is assumed to
 * already be converted to lowercase if "needle_lower" is FALSE.
 *
 * 0/FALSE == Don't convert needle
 * 1/TRUE  == Convert needle
 *
 * Both strings are copied into fixed local buffers with strlcpy()
 * (MAX_SYSLOGMSG bytes for the haystack, 512 for the needle), so longer
 * input is silently truncated before the search.
 *
 * NOTE(review): the pointer returned points into haystack_string, a local
 * array that is gone once this function returns.  Callers can safely use the
 * result only as a found/not-found flag; dereferencing it reads dead stack
 * memory.  The system-strstr variant below returns a pointer into _x, so the
 * two builds do not share the same contract.
 */
char *Sagan_stristr(const char *_x, const char *_y, sbool needle_lower )
{

    char *p = NULL;

    char haystack_string[MAX_SYSLOGMSG] = { 0 };
    char needle_string[512] = { 0 };

    strlcpy(haystack_string, _x, sizeof(haystack_string));
    To_LowerC(haystack_string);

    strlcpy(needle_string, _y, sizeof(needle_string));

    if ( needle_lower ) {
        To_LowerC(needle_string);
    }

    p = Sagan_strstr( haystack_string, needle_string);

    return p;
}

#else

/****************************************************************************
 * To use the system standard strstr()
 ****************************************************************************/

/* Thin wrapper: same contract as strstr(). */
char *Sagan_strstr(const char *_x, const char *_y)
{
    return (strstr(_x, _y));
}

/* Thin wrapper around strcasestr().  needle_lower is accepted only so the
 * signature matches the non-system build; it is ignored because strcasestr()
 * already compares case-insensitively.  Returns a pointer into _x. */
char *Sagan_stristr(const char *_x, const char *_y, sbool needle_lower )
{
    return (strcasestr(_x, _y));
}

#endif
sagan-1.2.0/src/parsers/strstr-asm/strstr_sse4_2.S0000644000175000017500000002753413310531444021003 0ustar champchamp
/*
** Copyright (C) 2009-2018 Quadrant Information Security
** Copyright (C) 2009-2018 Champ Clark III
**
** This program is free software; you can redistribute it and/or modify
** it under the terms of the GNU General Public License Version 2 as
** published by the Free Software Foundation.  You may not use, modify or
** distribute this program under any other version of the GNU General
** Public License.
**
** This program is distributed in the hope that it will be useful,
** but WITHOUT ANY WARRANTY; without even the implied warranty of
** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
** GNU General Public License for more details.
**
** You should have received a copy of the GNU General Public License
** along with this program; if not, write to the Free Software
** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA  02111-1307, USA.
*/

/* strstr_sse4_2.S
 *
 * This "hooks" in the "Sagan_strstr" function for CPUs supporting SSE2.
* This code is based on work by Ondra B�lk and the glibc projects. * * His code/original post can be found at: * * http://comments.gmane.org/gmane.comp.lib.glibc.alpha/34531 * */ #ifdef HAVE_CONFIG_H #include "config.h" /* From autoconf */ #endif #ifndef WITH_SYSSTRSTR /* If NOT using system built in strstr */ #ifdef HAVE_SSE2 # sse4_2 __strstr_sse42 black .file "strstr.c" .section .text.sse4.2,"ax",@progbits .p2align 4,,15 .globl __strstr_sse42 .type __strstr_sse42, @function __strstr_sse42: .LFB638: .cfi_startproc movzbl (%rsi), %edx movq %rdi, %r10 testb %dl, %dl je .L118 movzbl (%rdi), %eax testb %al, %al je .L117 cmpb $0, 1(%rdi) je .L123 movq %rdi, %rax andl $4095, %eax cmpl $4080, %eax jg .L124 .L6: movdqu (%r10), %xmm1 .L7: cmpb $0, 1(%rsi) jne .L125 pxor %xmm2, %xmm2 pinsrb $0, (%rsi), %xmm2 .L11: pcmpistri $12, %xmm1, %xmm2 movl $0, %eax movl $0, %r8d movdqa %xmm2, %xmm4 setc %al sets %r8b sete %dl testl %eax, %r8d movl %ecx, %edi movzbl %dl, %edx je .L12 pxor %xmm1, %xmm1 movslq %ecx, %rax movdqa %xmm2, %xmm3 addq %rax, %r10 pcmpeqb %xmm1, %xmm3 pmovmskb %xmm3, %r9d #APP # 222 "strstr.c" 1 bsfl %r9d, %r9d # 0 "" 2 #NO_APP addl %r9d, %edi cmpl $16, %edi jle .L118 movq %r10, %rax andl $4095, %eax cmpl $4080, %eax jg .L126 .L13: movdqu (%r10), %xmm1 .L14: pcmpistri $12, %xmm1, %xmm4 movslq %ecx, %rdi setc %al sets %r8b sete %dl addl %edi, %r9d movzbl %al, %eax cmpl $16, %r9d movzbl %r8b, %r8d movzbl %dl, %edx jg .L12 addq %rdi, %r10 jmp .L118 .p2align 4,,10 .p2align 3 .L12: testl %r8d, %r8d jne .L15 pushq %r15 .cfi_def_cfa_offset 16 .cfi_offset 15, -16 leaq 16(%rsi), %r11 movq %rsi, %rdi xorl %r9d, %r9d pxor %xmm4, %xmm4 pushq %r14 .cfi_def_cfa_offset 24 .cfi_offset 14, -24 movl $3, %r14d pushq %r13 .cfi_def_cfa_offset 32 .cfi_offset 13, -32 movq %rsi, %r13 andl $15, %r13d pushq %r12 .cfi_def_cfa_offset 40 .cfi_offset 12, -40 subq %r13, %rdi movq %r11, %r12 andl $15, %r12d pushq %rbp .cfi_def_cfa_offset 48 .cfi_offset 6, -48 movl %r11d, %ebp andl $4095, 
%ebp pushq %rbx .cfi_def_cfa_offset 56 .cfi_offset 3, -56 movl %esi, %ebx andl $4095, %ebx movq %rdi, -32(%rsp) movq %r11, %rdi movb %r13b, -10(%rsp) subq %r12, %rdi testl %eax, %eax movb %r12b, -9(%rsp) movq %rdi, -24(%rsp) je .L26 .p2align 4,,10 .p2align 3 .L132: testl %ecx, %ecx jne .L27 testl %edx, %edx jne .L2 cmpl $4080, %ebp leaq 16(%r10), %rax jg .L127 .L28: movdqu (%r11), %xmm2 .L29: movq %r11, %rdx .L30: movq %rax, %rcx andl $4095, %ecx cmpl $4080, %ecx jg .L128 .L31: movdqu (%rax), %xmm3 .L32: pcmpistri $12, %xmm3, %xmm2 sete %r8b movl %ecx, %edi sets %cl movzbl %r8b, %r8d movl %edi, %r15d movzbl %cl, %ecx orl %r8d, %r15d orl %ecx, %r15d jne .L33 .p2align 4,,10 .p2align 3 .L90: addq $16, %rdx addq $16, %rax movq %rdx, %rcx andl $4095, %ecx cmpl $4080, %ecx jg .L129 .L34: movdqu (%rdx), %xmm2 .L35: movq %rax, %rcx andl $4095, %ecx cmpl $4080, %ecx jg .L130 .L36: movdqu (%rax), %xmm3 .L37: pcmpistri $12, %xmm3, %xmm2 sete %r8b sets %dil movl %ecx, %r15d movzbl %r8b, %r8d movzbl %dil, %edi orl %r8d, %r15d orl %edi, %r15d je .L90 movl %edi, %eax movl %ecx, %edi movl %eax, %ecx .L33: testl %edi, %edi sete %al movzbl %al, %edx testl %ecx, %edx jne .L2 testl %r8d, %r8d je .L39 testl %ecx, %ecx je .L5 pcmpeqb %xmm4, %xmm2 pcmpeqb %xmm4, %xmm3 pmovmskb %xmm2, %edx pmovmskb %xmm3, %eax #APP # 350 "strstr.c" 1 bsfl %edx, %edx # 0 "" 2 # 352 "strstr.c" 1 bsfl %eax, %eax # 0 "" 2 #NO_APP cmpl %eax, %edx jge .L5 .L40: cmpl $4080, %ebx jg .L131 .L41: movdqu (%rsi), %xmm2 .L42: testl %r9d, %r9d jne .L43 movdqa %xmm2, %xmm0 movb $16, %r9b movdqa %xmm2, %xmm1 punpcklbw %xmm2, %xmm0 psrldq $1, %xmm1 punpcklbw %xmm0, %xmm0 pshufd $0, %xmm0, %xmm0 pcmpeqb %xmm1, %xmm0 pmovmskb %xmm0, %eax #APP # 144 "strstr.c" 1 bsfl %eax, %edx # 0 "" 2 #NO_APP testl %eax, %eax je .L43 cmpl $32767, %eax movb $1, %r9b je .L43 leal 1(%rdx), %r9d testl %edx, %edx cmove %r14d, %r9d .p2align 4,,10 .p2align 3 .L43: cmpl %edi, %r9d cmovle %r9d, %edi movslq %edi, %rdi addq %rdi, %r10 cmpb $0, (%r10) 
je .L5 movq %r10, %rax andl $4095, %eax cmpl $4080, %eax jg .L121 .L24: movdqu (%r10), %xmm1 .L25: pcmpistri $12, %xmm1, %xmm2 setc %al sete %dl movzbl %al, %eax movzbl %dl, %edx testl %eax, %eax jne .L132 .L26: testl %edx, %edx jne .L5 addq $16, %r10 movq %r10, %rax andl $4095, %eax cmpl $4080, %eax jle .L24 .L121: movq %r10, %rcx movq %r10, %rax andl $15, %ecx subq %rcx, %rax movdqu (%rax), %xmm0 movdqa %xmm0, %xmm1 pcmpeqb %xmm4, %xmm1 pmovmskb %xmm1, %eax sarl %cl, %eax testl %eax, %eax je .L24 addq ___m128i_shift_right@GOTPCREL(%rip), %rcx movdqu (%rcx), %xmm1 pshufb %xmm1, %xmm0 movdqa %xmm0, %xmm1 jmp .L25 .p2align 4,,10 .p2align 3 .L15: .cfi_def_cfa_offset 8 .cfi_restore 3 .cfi_restore 6 .cfi_restore 12 .cfi_restore 13 .cfi_restore 14 .cfi_restore 15 testl %edx, %edx pxor %xmm2, %xmm2 je .L89 jmp .L22 .p2align 4,,10 .p2align 3 .L113: testl %edx, %edx jne .L22 .L89: movslq %ecx, %rcx addq %rcx, %r10 movq %r10, %rax andl $4095, %eax cmpl $4080, %eax jg .L133 .L17: movdqu (%r10), %xmm1 .L18: pcmpistri $12, %xmm1, %xmm4 movl $0, %edx setc %al sete %dl xorl %esi, %esi testl %ecx, %ecx movzbl %al, %eax sete %sil testl %eax, %esi je .L113 xorl %ecx, %ecx .L19: addq %rcx, %r10 .L118: movq %r10, %rax ret .p2align 4,,10 .p2align 3 .L27: .cfi_def_cfa_offset 56 .cfi_offset 3, -56 .cfi_offset 6, -48 .cfi_offset 12, -40 .cfi_offset 13, -32 .cfi_offset 14, -24 .cfi_offset 15, -16 movslq %ecx, %rax movq %rsi, %rdx addq %r10, %rax movq %rax, %r10 jmp .L30 .p2align 4,,10 .p2align 3 .L39: testb %al, %al je .L40 .L2: popq %rbx .cfi_restore 3 .cfi_def_cfa_offset 48 popq %rbp .cfi_restore 6 .cfi_def_cfa_offset 40 popq %r12 .cfi_restore 12 .cfi_def_cfa_offset 32 popq %r13 .cfi_restore 13 .cfi_def_cfa_offset 24 popq %r14 .cfi_restore 14 .cfi_def_cfa_offset 16 movq %r10, %rax popq %r15 .cfi_restore 15 .cfi_def_cfa_offset 8 ret .L125: movq %rsi, %rax andl $4095, %eax cmpl $4080, %eax jg .L134 .L9: movdqu (%rsi), %xmm2 jmp .L11 .L5: .cfi_def_cfa_offset 56 .cfi_offset 3, -56 
.cfi_offset 6, -48 .cfi_offset 12, -40 .cfi_offset 13, -32 .cfi_offset 14, -24 .cfi_offset 15, -16 popq %rbx .cfi_restore 3 .cfi_def_cfa_offset 48 popq %rbp .cfi_restore 6 .cfi_def_cfa_offset 40 popq %r12 .cfi_restore 12 .cfi_def_cfa_offset 32 popq %r13 .cfi_restore 13 .cfi_def_cfa_offset 24 xorl %r10d, %r10d popq %r14 .cfi_restore 14 .cfi_def_cfa_offset 16 movq %r10, %rax popq %r15 .cfi_restore 15 .cfi_def_cfa_offset 8 ret .L22: testl %eax, %eax movslq %ecx, %rcx jne .L19 .L117: xorl %r10d, %r10d jmp .L118 .p2align 4,,10 .p2align 3 .L129: .cfi_def_cfa_offset 56 .cfi_offset 3, -56 .cfi_offset 6, -48 .cfi_offset 12, -40 .cfi_offset 13, -32 .cfi_offset 14, -24 .cfi_offset 15, -16 movq %rdx, %rcx movq %rdx, %rdi andl $15, %ecx subq %rcx, %rdi movdqu (%rdi), %xmm0 movdqa %xmm0, %xmm1 pcmpeqb %xmm4, %xmm1 pmovmskb %xmm1, %edi sarl %cl, %edi testl %edi, %edi je .L34 addq ___m128i_shift_right@GOTPCREL(%rip), %rcx movdqu (%rcx), %xmm1 pshufb %xmm1, %xmm0 movdqa %xmm0, %xmm2 jmp .L35 .L130: movq %rax, %rcx movq %rax, %rdi andl $15, %ecx subq %rcx, %rdi movdqu (%rdi), %xmm0 movdqa %xmm0, %xmm1 pcmpeqb %xmm4, %xmm1 pmovmskb %xmm1, %edi sarl %cl, %edi testl %edi, %edi je .L36 addq ___m128i_shift_right@GOTPCREL(%rip), %rcx movdqu (%rcx), %xmm1 pshufb %xmm1, %xmm0 movdqa %xmm0, %xmm3 jmp .L37 .L126: .cfi_def_cfa_offset 8 .cfi_restore 3 .cfi_restore 6 .cfi_restore 12 .cfi_restore 13 .cfi_restore 14 .cfi_restore 15 movq %r10, %rcx movq %r10, %rax andl $15, %ecx subq %rcx, %rax movdqu (%rax), %xmm3 pcmpeqb %xmm3, %xmm1 pmovmskb %xmm1, %eax sarl %cl, %eax testl %eax, %eax je .L13 addq ___m128i_shift_right@GOTPCREL(%rip), %rcx movdqu (%rcx), %xmm1 pshufb %xmm1, %xmm3 movdqa %xmm3, %xmm1 jmp .L14 .L127: .cfi_def_cfa_offset 56 .cfi_offset 3, -56 .cfi_offset 6, -48 .cfi_offset 12, -40 .cfi_offset 13, -32 .cfi_offset 14, -24 .cfi_offset 15, -16 movq -24(%rsp), %rdx movzbl -9(%rsp), %ecx movdqu (%rdx), %xmm0 movdqa %xmm0, %xmm1 pcmpeqb %xmm4, %xmm1 pmovmskb %xmm1, %edx sarl %cl, %edx 
testl %edx, %edx je .L28 movq %r12, %rdx addq ___m128i_shift_right@GOTPCREL(%rip), %rdx movdqu (%rdx), %xmm1 pshufb %xmm1, %xmm0 movdqa %xmm0, %xmm2 jmp .L29 .L128: movq %rax, %rcx movq %rax, %rdi andl $15, %ecx subq %rcx, %rdi movdqu (%rdi), %xmm0 movdqa %xmm0, %xmm1 pcmpeqb %xmm4, %xmm1 pmovmskb %xmm1, %edi sarl %cl, %edi testl %edi, %edi je .L31 addq ___m128i_shift_right@GOTPCREL(%rip), %rcx movdqu (%rcx), %xmm1 pshufb %xmm1, %xmm0 movdqa %xmm0, %xmm3 jmp .L32 .L131: movq -32(%rsp), %rax movzbl -10(%rsp), %ecx movdqu (%rax), %xmm0 movdqa %xmm0, %xmm1 pcmpeqb %xmm4, %xmm1 pmovmskb %xmm1, %eax sarl %cl, %eax testl %eax, %eax je .L41 movq %r13, %rax addq ___m128i_shift_right@GOTPCREL(%rip), %rax movdqu (%rax), %xmm1 pshufb %xmm1, %xmm0 movdqa %xmm0, %xmm2 jmp .L42 .L124: .cfi_def_cfa_offset 8 .cfi_restore 3 .cfi_restore 6 .cfi_restore 12 .cfi_restore 13 .cfi_restore 14 .cfi_restore 15 movq %rdi, %rcx movq %rdi, %rax andl $15, %ecx pxor %xmm0, %xmm0 subq %rcx, %rax movdqu (%rax), %xmm1 pcmpeqb %xmm1, %xmm0 pmovmskb %xmm0, %eax sarl %cl, %eax testl %eax, %eax je .L6 addq ___m128i_shift_right@GOTPCREL(%rip), %rcx movdqu (%rcx), %xmm0 pshufb %xmm0, %xmm1 jmp .L7 .L123: cmpb $0, 1(%rsi) jne .L117 cmpb %al, %dl jne .L117 .p2align 4,,5 jmp .L118 .L134: movq %rsi, %rcx movq %rsi, %rax andl $15, %ecx pxor %xmm0, %xmm0 subq %rcx, %rax movdqu (%rax), %xmm2 pcmpeqb %xmm2, %xmm0 pmovmskb %xmm0, %eax sarl %cl, %eax testl %eax, %eax je .L9 addq ___m128i_shift_right@GOTPCREL(%rip), %rcx movdqu (%rcx), %xmm0 pshufb %xmm0, %xmm2 jmp .L11 .L133: movq %r10, %rcx movq %r10, %rax andl $15, %ecx subq %rcx, %rax movdqu (%rax), %xmm1 movdqa %xmm1, %xmm3 pcmpeqb %xmm2, %xmm3 pmovmskb %xmm3, %eax sarl %cl, %eax testl %eax, %eax je .L17 addq ___m128i_shift_right@GOTPCREL(%rip), %rcx movdqu (%rcx), %xmm3 pshufb %xmm3, %xmm1 jmp .L18 .cfi_endproc .LFE638: .size __strstr_sse42, .-__strstr_sse42 .file "varshift.c" .globl ___m128i_shift_right .section .rodata .align 16 .type ___m128i_shift_right, 
@object .size ___m128i_shift_right, 31 ___m128i_shift_right: .byte 0 .byte 1 .byte 2 .byte 3 .byte 4 .byte 5 .byte 6 .byte 7 .byte 8 .byte 9 .byte 10 .byte 11 .byte 12 .byte 13 .byte 14 .byte 15 .byte -1 .byte -1 .byte -1 .byte -1 .byte -1 .byte -1 .byte -1 .byte -1 .byte -1 .byte -1 .byte -1 .byte -1 .byte -1 .byte -1 .byte -1 .ident "Sagan builtin __strstr_sse42 function" .section .note.GNU-stack,"",@progbits .ident "Sagan builtin __strstr_sse42 function" .section .note.GNU-stack,"",@progbits #endif #endif sagan-1.2.0/src/parsers/strstr-asm/.dirstamp0000644000175000017500000000000013310531444017742 0ustar champchampsagan-1.2.0/src/parsers/hash.c0000644000175000017500000001202513310531444015100 0ustar champchamp/* ** Copyright (C) 2009-2018 Quadrant Information Security ** Copyright (C) 2009-2018 Champ Clark III ** ** This program is free software; you can redistribute it and/or modify ** it under the terms of the GNU General Public License Version 2 as ** published by the Free Software Foundation. You may not use, modify or ** distribute this program under any other version of the GNU General ** Public License. ** ** This program is distributed in the hope that it will be useful, ** but WITHOUT ANY WARRANTY; without even the implied warranty of ** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ** GNU General Public License for more details. ** ** You should have received a copy of the GNU General Public License ** along with this program; if not, write to the Free Software ** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. 
*/ /* * hash.c */ #ifdef HAVE_CONFIG_H #include "config.h" /* From autoconf */ #endif #include #include #include #include "sagan.h" #include "sagan-defs.h" #include "version.h" #include "sagan-config.h" #include "parsers/parsers.h" struct _SaganConfig *config; void Parse_Hash(char *syslog_message, int type, char *str, size_t size) { char mod_string[MAX_SYSLOGMSG]; char *ptmp=NULL; char *tok=NULL; char tmp[SHA256_HASH_SIZE+1]; int i; /* Remove anything we dont want */ for (i=0; i ** Copyright (C) 2009-2018 Champ Clark III ** ** This program is free software; you can redistribute it and/or modify ** it under the terms of the GNU General Public License Version 2 as ** published by the Free Software Foundation. You may not use, modify or ** distribute this program under any other version of the GNU General ** Public License. ** ** This program is distributed in the hope that it will be useful, ** but WITHOUT ANY WARRANTY; without even the implied warranty of ** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ** GNU General Public License for more details. ** ** You should have received a copy of the GNU General Public License ** along with this program; if not, write to the Free Software ** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. */ /* aetas.c * * This is for time based alerting. This allows rules to have specific * times/days to trigger or otherwise be ignored. * * Originally by Champ Clark III. 
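* Largely re-written by Champ Clark III & Adam Hall (ahall@quadrantsec.com) * */

#ifdef HAVE_CONFIG_H
#include "config.h"             /* From autoconf */
#endif

#include #include #include #include #include #include #include "sagan.h" #include "aetas.h" #include "rules.h"

struct _Rule_Struct *rulestruct;

/****************************************************************************
 * Check_Time - Returns true when the current local time falls inside the
 * rule's "aetas" window (aetas_start .. aetas_end, both HHMM integers) on
 * one of the rule's alert_days.  A window whose start is later than its
 * end is treated as rolling over midnight into the following day.
 ****************************************************************************/

int Check_Time(int rule_number)
{
    struct tm ts;               /* Current local time */
    time_t now;
    int day_current;            /* 0 = Sunday ... 6 = Saturday (tm_wday) */
    int day_previous;           /* Day before day_current, wrapping Sun -> Sat */
    int current_time;           /* Local time as HHMM, e.g. 1430 */
    sbool next_day = 0;         /* Window crosses midnight */
    sbool off_day = 0;          /* Today is not one of the rule's days */

    /* Take the local time into a private struct tm.  localtime() hands back
     * one shared static buffer, which is not safe if this is reached from
     * more than one thread; localtime_r() fills the caller's struct. */
    now = time(NULL);
    localtime_r(&now, &ts);

    day_current = ts.tm_wday;
    day_previous = (day_current + 6) % 7;

    /* HHMM as an integer, the same form the rule's aetas_start/aetas_end use.
     * This replaces the strftime("%H")/strftime("%M")/atoi() round trip,
     * which also passed the wrong buffer size to strftime(). */
    current_time = ts.tm_hour * 100 + ts.tm_min;

    /* We check if rule extends to a new day */
    if ( rulestruct[rule_number].aetas_start > rulestruct[rule_number].aetas_end )
        {
            next_day = 1;
        }

    /* We check if current day is not one of our days */
    if ( ! Check_Day(rulestruct[rule_number].alert_days, day_current ) )
        {
            off_day = 1;
        }

    /* We are in one of our days, or the previous day is one of ours and the
     * window rolled over midnight into today.  day_previous wraps so that a
     * Saturday window still applies in the early hours of Sunday (the old
     * "day_current - 1" was -1 there and never matched). */
    if ( Check_Day(rulestruct[rule_number].alert_days, day_current ) ||
         ( Check_Day(rulestruct[rule_number].alert_days, day_previous) && next_day == 1) )
        {

            /* Rule is in current day and does not extend to a new day */
            if ( next_day == 0 && off_day == 0)
                {
                    if ( current_time >= rulestruct[rule_number].aetas_start &&
                         current_time <= rulestruct[rule_number].aetas_end )
                        {
                            return(true);
                        }
                }

            /* Rule extends to a new day and we are in a current day */
            if ( next_day == 1 && off_day == 0 )
                {
                    if ( current_time >= rulestruct[rule_number].aetas_start ||
                         current_time <= rulestruct[rule_number].aetas_end )
                        {
                            return(true);
                        }
                }

            /* Rule is on an off day but the rule rolled into the day */
            if ( next_day == 1 && off_day == 1 )
                {
                    if ( current_time <= rulestruct[rule_number].aetas_end )
                        {
                            return(true);
                        }
                }
        }

    return(false);
}

/****************************************************************************/
/* Check_Day - Returns true if day_current (0 = Sunday .. 6 = Saturday) is */
/* set in the "day" bitmask; any other day_current value returns false.     */
/****************************************************************************/

int Check_Day(unsigned char day, int day_current)
{
    /* Bit for each tm_wday value, in order; the names come from aetas.h */
    static const unsigned char day_bits[7] =
        { SUNDAY, MONDAY, TUESDAY, WEDNESDAY, THURSDAY, FRIDAY, SATURDAY };

    if ( day_current < 0 || day_current > 6 )
        {
            return(false);
        }

    if ( ( day & day_bits[day_current] ) == day_bits[day_current] )
        {
            return(true);
        }

    return(false);
}
sagan-1.2.0/src/util-strlcpy.c0000644000175000017500000000367013310531444015157 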
0ustar champchamp/* strlcpy * * Provided by the OpenBSD team. This file is here for systems that * do not support the strlcpy call. * */ /* $OpenBSD: strlcpy.c,v 1.11 2006/05/05 15:27:38 millert Exp $ */ /* * Copyright (c) 1998 Todd C. Miller * * Permission to use, copy, modify, and distribute this software for any * purpose with or without fee is hereby granted, provided that the above * copyright notice and this permission notice appear in all copies. * * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ #ifdef HAVE_CONFIG_H #include "config.h" /* From autoconf */ #endif #ifndef HAVE_STRLCPY #include #include /* * Copy src to string dst of size siz. At most siz-1 characters * will be copied. Always NUL terminates (unless siz == 0). * Returns strlen(src); if retval >= siz, truncation occurred. 
*/

/* Compiled only when configure did not find a system strlcpy (see the
 * #ifndef HAVE_STRLCPY above).  Unmodified OpenBSD reference code. */
size_t
strlcpy(char *dst, const char *src, size_t siz)
{
	char *d = dst;
	const char *s = src;
	size_t n = siz;

	/* Copy as many bytes as will fit.  With siz == 0 nothing at all is
	 * written to dst, not even a NUL. */
	if (n != 0) {
		while (--n != 0) {
			if ((*d++ = *s++) == '\0')
				break;
		}
	}

	/* Not enough room in dst, add NUL and traverse rest of src, so the
	 * return value is the full strlen(src) even when truncated */
	if (n == 0) {
		if (siz != 0)
			*d = '\0';		/* NUL-terminate dst */
		while (*s++)
			;
	}

	return(s - src - 1);	/* count does not include NUL */
}

#endif sagan-1.2.0/src/geoip2.c0000644000175000017500000001331713310531444013670 0ustar champchamp/* ** Copyright (C) 2009-2018 Quadrant Information Security ** Copyright (C) 2009-2018 Champ Clark III ** ** This program is free software; you can redistribute it and/or modify ** it under the terms of the GNU General Public License Version 2 as ** published by the Free Software Foundation. You may not use, modify or ** distribute this program under any other version of the GNU General ** Public License. ** ** This program is distributed in the hope that it will be useful, ** but WITHOUT ANY WARRANTY; without even the implied warranty of ** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ** GNU General Public License for more details. ** ** You should have received a copy of the GNU General Public License ** along with this program; if not, write to the Free Software ** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. */ /* geoip2.c * * Functions that handle GeoIP2 lookups via the Maxmind database. For more * information, please see: * * https://www.maxmind.com/en/geoip2-country-database (For free/pay databases) * http://dev.maxmind.com/geoip/geoip2/geolite2/ (free database) * * You _must_ use the GeoIP2 database and not the legacy GeoIP databases! 
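* */

#ifdef HAVE_CONFIG_H
#include "config.h"             /* From autoconf */
#endif

#ifdef HAVE_LIBMAXMINDDB

#include #include #include #include #include #include #include "sagan.h" #include "sagan-defs.h" #include "rules.h" #include "geoip2.h" #include "sagan-config.h"

struct _SaganConfig *config;
struct _Rule_Struct *rulestruct;
struct _SaganDebug *debug;
struct _SaganCounters *counters;

pthread_mutex_t CountGeoIP2MissMutex=PTHREAD_MUTEX_INITIALIZER;

/*****************************************************************************
 * Open_GeoIP2_Database - Opens config->geoip2_country_file (mmap mode) into
 * config->geoip2.  Readability is checked first so that a permissions
 * problem is reported with the file name and the run-as user rather than
 * with libmaxminddb's generic open error.  Every failure is reported via
 * Sagan_Log(ERROR, ...), which is expected not to return - confirm against
 * Sagan_Log() since this also runs on reload.
 ****************************************************************************/

void Open_GeoIP2_Database( void )
{

    int status;

    /*
     * The GeoIP library gives a really vague error when it cannot load
     * the GeoIP database.  We give the user more information here so
     * that they might fix the issue.  This also serves as a test when
     * Sagan is reloading (SIGHUP) - Champ Clark III (04/20/2015)
     */

    status = access(config->geoip2_country_file, R_OK);

    if ( status != 0 )
        {
            Sagan_Log(WARN, "Cannot open '%s' [%s]!", config->geoip2_country_file, strerror(errno));
            Sagan_Log(WARN, "Make sure the GeoIP database '%s' is readable by '%s'.", config->geoip2_country_file, config->sagan_runas);
            Sagan_Log(ERROR, "Sagan is NOT loading the GeoIP database data! Abort!");
        }

    status = MMDB_open(config->geoip2_country_file, MMDB_MODE_MMAP, &config->geoip2);

    if ( status != 0 )
        {
            Sagan_Log(ERROR, "Error loading Maxmind GeoIP2 data (%s).  Are you trying to load an older, non-GeoIP2 database?", config->geoip2_country_file);
        }

}

/*****************************************************************************
 * GeoIP2_Count_Miss - Counts a lookup that produced no usable country code.
 * The increment is guarded by CountGeoIP2MissMutex, exactly as the inline
 * increments it replaces were.
 ****************************************************************************/

static void GeoIP2_Count_Miss( void )
{
    pthread_mutex_lock(&CountGeoIP2MissMutex);
    counters->geoip2_miss++;
    pthread_mutex_unlock(&CountGeoIP2MissMutex);
}

/*****************************************************************************
 * GeoIP2_Lookup_Country - Looks up the ISO country code for ipaddr and
 * returns true when that code appears in the comma-separated list
 * rulestruct[rule_position].geoip2_country_codes, false otherwise.
 *
 * Non-routable addresses (is_notroutable(ip_bits)) are never looked up and
 * return false.  Address-parse errors, database errors, addresses with no
 * record, and records without a "country"/"iso_code" string are all counted
 * in counters->geoip2_miss and return false.
 ****************************************************************************/

int GeoIP2_Lookup_Country( char *ipaddr, unsigned char *ip_bits, int rule_position )
{

    int gai_error = 0;
    int mmdb_error = MMDB_SUCCESS;
    int res;
    size_t country_len;

    char *ptmp = NULL;
    char *tok = NULL;

    char country[3];            /* Two-letter ISO code plus terminating NUL */
    char tmp[1024];

    if ( is_notroutable(ip_bits) )
        {

            if (debug->debuggeoip2)
                {
                    Sagan_Log(DEBUG, "[%s, line %d] IP address %s is not routable. Skipping GeoIP2 lookup.", __FILE__, __LINE__, ipaddr);
                }

            return(false);
        }

    MMDB_lookup_result_s result = MMDB_lookup_string(&config->geoip2, ipaddr, &gai_error, &mmdb_error);

    /* A failed address parse, a database error, or a lookup that found no
     * record all leave result.entry unusable.  Previously these cases went
     * straight into MMDB_get_value(); they are rejected up front instead. */

    if ( gai_error != 0 )
        {
            GeoIP2_Count_Miss();
            Sagan_Log(WARN, "GeoIP2 address parse failure (getaddrinfo error %d) for %s.", gai_error, ipaddr);
            return(false);
        }

    if ( mmdb_error != MMDB_SUCCESS )
        {
            GeoIP2_Count_Miss();
            Sagan_Log(WARN, "GeoIP2 lookup failure (%s) for %s.", MMDB_strerror(mmdb_error), ipaddr);
            return(false);
        }

    if ( !result.found_entry )
        {
            GeoIP2_Count_Miss();

            if ( debug->debuggeoip2 )
                {
                    Sagan_Log(DEBUG, "No GeoIP2 record for %s", ipaddr);
                }

            return(false);
        }

    MMDB_entry_data_s entry_data;

    res = MMDB_get_value(&result.entry, &entry_data, "country", "iso_code", NULL);

    if (res != MMDB_SUCCESS)
        {
            GeoIP2_Count_Miss();
            Sagan_Log(WARN, "Country code MMDB_get_value failure (%s) for %s.", MMDB_strerror(res), ipaddr);
            return(false);
        }

    if (!entry_data.has_data || entry_data.type != MMDB_DATA_TYPE_UTF8_STRING)
        {
            GeoIP2_Count_Miss();

            if ( debug->debuggeoip2 )
                {
                    Sagan_Log(DEBUG, "Country code for %s not found in GeoIP2 DB", ipaddr);
                }

            return(false);
        }

    /* entry_data.utf8_string is not NUL-terminated; entry_data.data_size is
     * its length.  Copy at most two bytes and terminate ourselves - the old
     * strlcpy(country, entry_data.utf8_string, 3) wrote three bytes into a
     * two-byte buffer and scanned the mapped database for a NUL. */

    country_len = entry_data.data_size;

    if ( country_len >= sizeof(country) )
        {
            country_len = sizeof(country) - 1;
        }

    memcpy(country, entry_data.utf8_string, country_len);
    country[country_len] = '\0';

    strlcpy(tmp, rulestruct[rule_position].geoip2_country_codes, sizeof(tmp));

    if (debug->debuggeoip2)
        {
            Sagan_Log(DEBUG, "GeoIP Lookup IP  : %s", ipaddr);
            Sagan_Log(DEBUG, "Country Codes    : |%s|", rulestruct[rule_position].geoip2_country_codes);
            Sagan_Log(DEBUG, "Found in GeoIP DB: %s", country);
        }

    /* Walk the rule's comma-separated country list looking for a match.
     * strtok_r() writes into tmp, which is why the rule string was copied. */

    ptmp = strtok_r(tmp, ",", &tok);

    while (ptmp != NULL )
        {

            if (debug->debuggeoip2)
                {
                    Sagan_Log(DEBUG, "GeoIP2 rule string parsing %s|%s", ptmp, country);
                }

            if (!strcmp(ptmp, country))
                {

                    if (debug->debuggeoip2)
                        {
                            Sagan_Log(DEBUG, "GeoIP Status: Found in user defined values [%s].", country);
                        }

                    return(true);  /* GeoIP was found / there was a hit */
                }

            ptmp = strtok_r(NULL, ",", &tok);
        }

    if (debug->debuggeoip2) Sagan_Log(DEBUG, "GeoIP Status: Not found in user defined values.");

    return(false);
}

#endif sagan-1.2.0/src/sagan.c0000644000175000017500000014626313310531444013601 0ustar champchamp/* ** Copyright (C) 2009-2018 Quadrant Information Security ** Copyright (C) 2009-2018 Champ Clark III ** ** This program is free software; you can redistribute it and/or modify ** it under the terms of the GNU General 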
Public License Version 2 as ** published by the Free Software Foundation. You may not use, modify or ** distribute this program under any other version of the GNU General ** Public License. ** ** This program is distributed in the hope that it will be useful, ** but WITHOUT ANY WARRANTY; without even the implied warranty of ** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ** GNU General Public License for more details. ** ** You should have received a copy of the GNU General Public License ** along with this program; if not, write to the Free Software ** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. */ /* sagan.c * * This is the main "thread" and engine that looks for events & patterns * based on 'snort like' rule sets. * */ #ifdef HAVE_CONFIG_H #include "config.h" /* From autoconf */ #endif #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include "sagan.h" #include "sagan-defs.h" #include "version.h" #include "credits.h" #include "xbit-mmap.h" #include "processor.h" #include "sagan-config.h" #include "config-yaml.h" #include "ignore-list.h" #include "key.h" #include "lockfile.h" #include "signal-handler.h" #include "usage.h" #include "stats.h" #include "ipc.h" #include "parsers/parsers.h" #ifdef HAVE_SYS_PRCTL_H #include #endif #ifdef HAVE_LIBPCAP #include "plog.h" #endif #include "processors/engine.h" #include "processors/blacklist.h" #include "processors/track-clients.h" #include "processors/perfmon.h" #include "processors/bro-intel.h" #ifdef HAVE_LIBLOGNORM #include "liblognormalize.h" #endif #if defined(HAVE_DNET_H) || defined(HAVE_DUMBNET_H) #include "output-plugins/unified2.h" #endif #define OVECCOUNT 30 struct _SaganCounters *counters; struct _Rule_Struct *rulestruct; struct _SaganConfig *config; struct _SaganDebug *debug; #ifdef WITH_BLUEDOT #include #include 
"processors/bluedot.h" #endif #ifdef HAVE_LIBHIREDIS #include #include "redis.h" #endif struct _Sagan_Proc_Syslog *SaganProcSyslog = NULL; int proc_msgslot = 0; int proc_running = 0; unsigned char dynamic_rule_flag = 0; sbool reload_rules = false; pthread_cond_t SaganProcDoWork=PTHREAD_COND_INITIALIZER; pthread_mutex_t SaganProcWorkMutex=PTHREAD_MUTEX_INITIALIZER; pthread_mutex_t SaganMalformedCounter=PTHREAD_MUTEX_INITIALIZER; pthread_mutex_t SaganRulesLoadedMutex=PTHREAD_MUTEX_INITIALIZER; pthread_mutex_t SaganDynamicFlag=PTHREAD_MUTEX_INITIALIZER; /* ######################################################################## * Start of main() thread * ######################################################################## */ int main(int argc, char **argv) { (void)SetThreadName("SaganMain"); const struct option long_options[] = { { "help", no_argument, NULL, 'h' }, { "debug", required_argument, NULL, 'd' }, { "daemon", no_argument, NULL, 'D' }, { "user", required_argument, NULL, 'u' }, { "chroot", required_argument, NULL, 'c' }, { "credits", no_argument, NULL, 'C' }, { "config", required_argument, NULL, 'f' }, { "log", required_argument, NULL, 'l' }, { "file", required_argument, NULL, 'F' }, { "quiet", no_argument, NULL, 'Q' }, {0, 0, 0, 0} }; static const char *short_options = "l:f:u:F:d:c:pDhCQ"; int option_index = 0; /****************************************************************************/ /* libpcap/PLOG (syslog sniffer) local variables */ /****************************************************************************/ #ifdef HAVE_LIBPCAP pthread_t pcap_thread; pthread_attr_t thread_pcap_attr; pthread_attr_init(&thread_pcap_attr); pthread_attr_setdetachstate(&thread_pcap_attr, PTHREAD_CREATE_DETACHED); #endif /****************************************************************************/ /* Redis local variables */ /****************************************************************************/ #ifdef HAVE_LIBHIREDIS char redis_reply[5]; char 
redis_command[300]; #endif /****************************************************************************/ /* Perfmonitor local variables */ /****************************************************************************/ pthread_t perfmonitor_thread; pthread_attr_t thread_perfmonitor_attr; pthread_attr_init(&thread_perfmonitor_attr); pthread_attr_setdetachstate(&thread_perfmonitor_attr, PTHREAD_CREATE_DETACHED); /****************************************************************************/ /* Various local variables */ /****************************************************************************/ /* Block all signals, we create a signal handling thread */ sigset_t signal_set; pthread_t sig_thread; sigfillset( &signal_set ); pthread_sigmask( SIG_BLOCK, &signal_set, NULL ); /* Key board handler (displays stats, etc */ pthread_t key_thread; pthread_attr_t key_thread_attr; pthread_attr_init(&key_thread_attr); pthread_attr_setdetachstate(&key_thread_attr, PTHREAD_CREATE_DETACHED); /* client_tracker_report_handler thread */ pthread_t ct_report_thread; pthread_attr_t ct_report_thread_attr; pthread_attr_init(&ct_report_thread_attr); pthread_attr_setdetachstate(&ct_report_thread_attr, PTHREAD_CREATE_DETACHED); char src_dns_lookup[20] = { 0 }; sbool dns_flag = false; sbool fifoerr = false; char *syslog_host=NULL; char *syslog_facility=NULL; char *syslog_priority=NULL; char *syslog_level=NULL; char *syslog_tag=NULL; char *syslog_date=NULL; char *syslog_time=NULL; char *syslog_program=NULL; char *syslog_msg=NULL; char *psyslogstring = NULL; char syslogstring[MAX_SYSLOGMSG]; signed char c; int rc=0; int i; int dynamic_line_count = 0; time_t t; struct tm *run; sbool debugflag = false; /* Allocate memory for global struct _SaganDebug */ debug = malloc(sizeof(_SaganDebug)); if ( debug == NULL ) { Sagan_Log(ERROR, "[%s, line %d] Failed to allocate memory for debug. 
Abort!", __FILE__, __LINE__); } memset(debug, 0, sizeof(_SaganDebug)); /* Allocate memroy for global struct _SaganConfig */ config = malloc(sizeof(_SaganConfig)); if ( config == NULL ) { Sagan_Log(ERROR, "[%s, line %d] Failed to allocate memory for config. Abort!", __FILE__, __LINE__); } memset(config, 0, sizeof(_SaganConfig)); struct _SaganDNSCache *dnscache; dnscache = malloc(sizeof(_SaganDNSCache)); if ( dnscache == NULL ) { Sagan_Log(ERROR, "[%s, line %d] Failed to allocate memory for dnscache. Abort!", __FILE__, __LINE__); } memset(dnscache, 0, sizeof(_SaganDNSCache)); counters = malloc(sizeof(_SaganCounters)); if ( counters == NULL ) { Sagan_Log(ERROR, "[%s, line %d] Failed to allocate memory for counters. Abort!", __FILE__, __LINE__); } memset(counters, 0, sizeof(_SaganCounters)); t = time(NULL); run=localtime(&t); strftime(config->sagan_startutime, sizeof(config->sagan_startutime), "%s", run); strlcpy(config->sagan_config, CONFIG_FILE_PATH, sizeof(config->sagan_config)); config->sagan_fifo[0] = '\0'; /* Set this here. This could be a file via comamnd line or FIFO via configuration file */ /* We set the config->sagan_log_filepath to the system default. It'll be fopen'ed shortly - 06/03/2011 - Champ Clark III */ strlcpy(config->sagan_log_filepath, SAGANLOG, sizeof(config->sagan_log_filepath)); config->sagan_runas = RUNAS; /* "systemd" wants to start Sagan in the foreground, but doesn't know what to * do with stdin/stdout. Hence, CPU goes to 100%. 
This detects our terminal * type ( >/dev/null quiet = true; } /* Get command line arg's */ while ((c = getopt_long(argc, argv, short_options, long_options, &option_index)) != -1) { switch(c) { if (c == -1) break; case 'h': Usage(); exit(0); break; case 'Q': config->quiet = true; break; case 'C': Credits(); exit(0); break; case 'd': if (Sagan_strstr(optarg, "malformed")) { debug->debugmalformed = true; debugflag = true; } if (Sagan_strstr(optarg, "parse_ip")) { debug->debugparse_ip = true; debugflag = true; } if (Sagan_strstr(optarg, "limits")) { debug->debuglimits = true; debugflag = true; } if (Sagan_strstr(optarg, "syslog")) { debug->debugsyslog = true; debugflag = true; } if (Sagan_strstr(optarg, "load")) { debug->debugload = true; debugflag = true; } if (Sagan_strstr(optarg, "fwsam")) { debug->debugfwsam = true; debugflag = true; } if (Sagan_strstr(optarg, "external")) { debug->debugexternal = true; debugflag = true; } if (Sagan_strstr(optarg, "threads")) { debug->debugthreads = true; debugflag = true; } if (Sagan_strstr(optarg, "xbit")) { debug->debugxbit = true; debugflag = true; } if (Sagan_strstr(optarg, "engine")) { debug->debugengine = true; debugflag = true; } if (Sagan_strstr(optarg, "brointel")) { debug->debugbrointel = true; debugflag = true; } if (Sagan_strstr(optarg, "ipc")) { debug->debugipc = true; debugflag = true; } if (Sagan_strstr(optarg, "json")) { debug->debugjson = true; debugflag = true; } #ifdef HAVE_LIBMAXMINDDB if (Sagan_strstr(optarg, "geoip2")) { debug->debuggeoip2 = true; debugflag = true; } #endif #ifdef HAVE_LIBLOGNORM if (Sagan_strstr(optarg, "normalize" )) { debug->debugnormalize = true; debugflag = true; } #endif #ifdef HAVE_LIBESMTP if (Sagan_strstr(optarg, "smtp")) { debug->debugesmtp = true; debugflag = true; } #endif #ifdef HAVE_LIBPCAP if (Sagan_strstr(optarg, "plog")) { debug->debugplog = true; debugflag = true; } #endif #ifdef WITH_BLUEDOT if (Sagan_strstr(optarg, "bluedot")) { debug->debugbluedot = true; debugflag = 
true; } #endif #ifdef HAVE_LIBHIREDIS if (Sagan_strstr(optarg, "redis")) { debug->debugredis = true; debugflag = true; } #endif /* If option is unknown */ if ( debugflag == false ) { fprintf(stderr, "Unknown debug option %s!\n", optarg); exit(1); } break; case 'D': config->daemonize = true; break; case 'u': config->sagan_runas=optarg; break; case 'c': Chroot(optarg); break; case 'F': config->sagan_is_file = true; strlcpy(config->sagan_fifo,optarg,sizeof(config->sagan_fifo) - 1); break; case 'f': strlcpy(config->sagan_config,optarg,sizeof(config->sagan_config) - 1); break; case 'l': strlcpy(config->sagan_log_filepath,optarg,sizeof(config->sagan_log_filepath) - 1); break; default: fprintf(stderr, "Invalid argument! See below for command line switches.\n"); Usage(); exit(0); break; } } Open_Log_File(OPEN, SAGAN_LOG); /* Become a daemon if requested */ if ( config->daemonize ) { Sagan_Log(NORMAL, "Becoming a daemon!"); pid_t pid = 0; pid = fork(); if ( pid == 0 ) { /* Child */ if ( setsid() == -1 ) { Sagan_Log(ERROR, "[%s, line %d] Failed creating new session while daemonizing", __FILE__, __LINE__); exit(1); } pid = fork(); if ( pid == 0 ) { /* Grandchild, the actual daemon */ if ( chdir("/") == -1 ) { Sagan_Log(ERROR, "[%s, line %d] Failed changing directory to / after daemonizing [errno %d]", __FILE__, __LINE__, errno); exit(1); } /* Close and re-open stdin, stdout, and stderr, so as to to release anyone waiting on them. 
*/ close(0); close(1); close(2); if ( open("/dev/null", O_RDONLY) == -1 ) { Sagan_Log(ERROR, "[%s, line %d] Failed reopening stdin after daemonizing [errno %d]", __FILE__, __LINE__, errno); } if ( open("/dev/null", O_WRONLY) == -1 ) { Sagan_Log(ERROR, "[%s, line %d] Failed reopening stdout after daemonizing [errno %d]", __FILE__, __LINE__, errno); } if ( open("/dev/null", O_RDWR) == -1 ) { Sagan_Log(ERROR, "[%s, line %d] Failed reopening stderr after daemonizing [errno %d]", __FILE__, __LINE__, errno); } } else if ( pid < 0 ) { Sagan_Log(ERROR, "[%s, line %d] Failed second fork while daemonizing", __FILE__, __LINE__); exit(1); } else { exit(0); } } else if ( pid < 0 ) { Sagan_Log(ERROR, "[%s, line %d] Failed first fork while daemonizing", __FILE__, __LINE__); exit(1); } else { /* Wait for child to exit */ waitpid(pid, NULL, 0); exit(0); } } /* Create the signal handlers thread _after_ the fork() so it can properly * handly signals - Champ Clark III - 06/13/2011 */ rc = pthread_create( &sig_thread, NULL, (void *)Sig_Handler, NULL ); if ( rc != 0 ) { Remove_Lock_File(); Sagan_Log(ERROR, "[%s, line %d] Error creating signal handler thread. [error: %d]", __FILE__, __LINE__, rc); } #ifdef PCRE_HAVE_JIT /* We test if pages will support RWX before loading rules. If it doesn't due to the OS, we want to disable PCRE JIT now. This prevents confusing warnings of PCRE JIT during rule load */ config->pcre_jit = true; if (PageSupportsRWX() == false) { Sagan_Log(WARN, "The operating system doens't allow RWX pages. Disabling PCRE JIT."); config->pcre_jit = false; } #endif pthread_mutex_lock(&SaganRulesLoadedMutex); Load_YAML_Config(config->sagan_config); pthread_mutex_unlock(&SaganRulesLoadedMutex); Sagan_Engine_Init(); SaganProcSyslog = malloc(config->max_processor_threads * sizeof(struct _Sagan_Proc_Syslog)); if ( SaganProcSyslog == NULL ) { Sagan_Log(ERROR, "[%s, line %d] Failed to allocate memory for SaganProcSyslog. 
Abort!", __FILE__, __LINE__); } memset(SaganProcSyslog, 0, sizeof(struct _Sagan_Proc_Syslog)); pthread_t processor_id[config->max_processor_threads]; pthread_attr_t thread_processor_attr; pthread_attr_init(&thread_processor_attr); pthread_attr_setdetachstate(&thread_processor_attr, PTHREAD_CREATE_DETACHED); #ifdef HAVE_LIBHIREDIS /* Redis "writer" threads */ pthread_t redis_writer_processor_id[config->redis_max_writer_threads]; pthread_attr_t redis_writer_thread_processor_attr; pthread_attr_init(&redis_writer_thread_processor_attr); pthread_attr_setdetachstate(&redis_writer_thread_processor_attr, PTHREAD_CREATE_DETACHED); #endif Sagan_Log(NORMAL, "Configuration file %s loaded and %d rules loaded.", config->sagan_config, counters->rulecount); Sagan_Log(NORMAL, "Out of %d rules, %d xbit(s) are in use.", counters->rulecount, counters->xbit_total_counter); Sagan_Log(NORMAL, "Out of %d rules, %d dynamic rule(s) are loaded.", counters->rulecount, counters->dynamic_rule_count); #ifdef PCRE_HAVE_JIT if ( config->pcre_jit ) { Sagan_Log(NORMAL, "PCRE JIT is enabled."); } #endif Sagan_Log(NORMAL, ""); Sagan_Log(NORMAL, "Sagan version %s is firing up on '%s'!", VERSION, config->sagan_sensor_name); Sagan_Log(NORMAL, ""); #ifdef HAVE_LIBPCAP /* Spawn a thread to 'sniff' syslog traffic (sagan-plog.c). This redirects syslog traffic to the /dev/log socket. This needs "root" access, so we drop priv's after this thread is started */ if ( config->plog_flag ) { rc = pthread_create( &pcap_thread, NULL, (void *)Plog_Handler, NULL ); if ( rc != 0 ) { Remove_Lock_File(); Sagan_Log(ERROR, "[%s, line %d] Error creating libpcap handler thread [error: %d].", __FILE__, __LINE__, rc); } sleep(1); /* Sleep to avoid race between main() and plog thread plog thread needs "root" rights before sagan_droppriv(). 
In some cases main() run sagan_droppriv() before thread can complete - Champ Clark - 07/20/2011 */ } #endif Droppriv(); /* Become the Sagan user */ Sagan_Log(NORMAL, "---------------------------------------------------------------------------"); IPC_Init(); if ( config->perfmonitor_flag ) { Sagan_Perfmonitor_Open(); rc = pthread_create( &perfmonitor_thread, NULL, (void *)Sagan_Perfmonitor_Handler, NULL ); if ( rc != 0 ) { Remove_Lock_File(); Sagan_Log(ERROR, "[%s, line %d] Error creating Perfmonitor thread [error: %d].", __FILE__, __LINE__, rc); } } /* Open sagan alert file */ Open_Log_File(OPEN, ALERT_LOG); /**************************************************************************** * Display processor information as we load ****************************************************************************/ /* Sagan_Track_Clients processor ********************************************/ if ( config->sagan_track_clients_flag ) { Track_Clients_Thread_Init(); /* We run a thread for client_tracker_report */ rc = pthread_create( &ct_report_thread, NULL, (void *)Track_Clients_Thread, NULL ); if ( rc != 0 ) { Remove_Lock_File(); Sagan_Log(ERROR, "[%s, line %d] Error creating client_tracker_report_client thread. [error: %d]", __FILE__, __LINE__, rc); } if ( config->pp_sagan_track_clients ) { Sagan_Log(NORMAL, ""); Sagan_Log(NORMAL, "Client Tracking Processor: %d minute(s)", config->pp_sagan_track_clients); } } /* Sagan Blacklist IP processor *********************************************/ if ( config->blacklist_flag ) { Sagan_Blacklist_Init(); Sagan_Blacklist_Load(); } #ifdef WITH_BLUEDOT if ( config->bluedot_flag ) { curl_global_init(CURL_GLOBAL_ALL); /* Lookup Bluedot IP so we don't explode DNS :) */ rc = DNS_Lookup( config->bluedot_host, config->bluedot_ip, sizeof(config->bluedot_ip) ); /* Record epoch so we can determine TTL */ config->bluedot_dns_last_lookup = atol(config->sagan_startutime); if ( rc != 0 ) { Sagan_Log(ERROR, "Cannot look up IP address for '%s'. 
Abort!", config->bluedot_host ); } Sagan_Log(NORMAL, ""); Sagan_Log(NORMAL, "Bluedot IP: %s", config->bluedot_ip); Sagan_Log(NORMAL, "Bluedot URL: http://%s/%s", config->bluedot_ip, config->bluedot_uri); Sagan_Log(NORMAL, "Bluedot Device ID: %s", config->bluedot_device_id); Sagan_Log(NORMAL, "Bluedot Categories File: %s", config->bluedot_cat); Sagan_Log(NORMAL, "Bluedot Cache Timeout: %d minutes.", config->bluedot_timeout / 60); Sagan_Log(NORMAL, "Bluedot loaded %d categories.", counters->bluedot_cat_count); } #endif /* Sagan Bro Intel processor *******************************************/ if ( config->brointel_flag ) { Sagan_Log(NORMAL, ""); Sagan_BroIntel_Init(); Sagan_BroIntel_Load_File(); Sagan_Log(NORMAL, "Bro Intel::ADDR Loaded: %d", counters->brointel_addr_count); Sagan_Log(NORMAL, "Bro Intel::DOMAIN Loaded: %d", counters->brointel_domain_count); Sagan_Log(NORMAL, "Bro Intel::FILE_HASH Loaded: %d", counters->brointel_file_hash_count); Sagan_Log(NORMAL, "Bro Intel::URL Loaded: %d", counters->brointel_url_count); Sagan_Log(NORMAL, "Bro Intel::SOFTWARE Loaded: %d", counters->brointel_software_count); Sagan_Log(NORMAL, "Bro Intel::EMAIL Loaded: %d", counters->brointel_email_count); Sagan_Log(NORMAL, "Bro Intel::USER_NAME Loaded: %d", counters->brointel_user_name_count); Sagan_Log(NORMAL, "Bro Intel::FILE_NAME Loaded: %d", counters->brointel_file_name_count); Sagan_Log(NORMAL, "Bro Intel::CERT_HASH Loaded: %d", counters->brointel_cert_hash_count); Sagan_Log(NORMAL, "Bro Intel Duplicates Detected: %d", counters->brointel_dups); } /*************************************************************************** * Output plugins ***************************************************************************/ #ifdef HAVE_LIBESMTP if ( config->sagan_esmtp_flag ) { Sagan_Log(NORMAL, ""); Sagan_Log(NORMAL, "E-Mail will be sent from: %s", config->sagan_esmtp_from); Sagan_Log(NORMAL, "SMTP server is set to: %s", config->sagan_esmtp_server); } #endif #ifdef WITH_SNORTSAM if ( 
config->sagan_fwsam_flag ) { Sagan_Log(NORMAL, ""); Sagan_Log(NORMAL, "Snortsam output plug in enabled."); } #endif if ( config->sagan_external_output_flag ) { Sagan_Log(NORMAL, ""); Sagan_Log(NORMAL, "External program to be called: %s", config->sagan_external_command); } /* Unified2 ****************************************************************/ #if defined(HAVE_DNET_H) || defined(HAVE_DUMBNET_H) if ( config->sagan_unified2_flag ) { Sagan_Log(NORMAL, ""); Sagan_Log(NORMAL, "Unified2 file: %s", config->unified2_filepath); Sagan_Log(NORMAL, "Unified2 limit: %dM", config->unified2_limit / 1024 / 1024 ); Unified2InitFile(); } #endif /*************************************************************************** * Non-Processor/Output option ***************************************************************************/ /* What to "ignore" ********************************************************/ if ( config->sagan_droplist_flag ) { Load_Ignore_List(); Sagan_Log(NORMAL, ""); Sagan_Log(NORMAL, "Loaded %d ignore/drop list item(s).", counters->droplist_count); } /*************************************************************************** * Continue with normal startup! ***************************************************************************/ Sagan_Log(NORMAL, ""); Sagan_Log(NORMAL, " ,-._,-. -*> Sagan! <*-"); Sagan_Log(NORMAL, " \\/)\"(\\/ Version %s", VERSION); Sagan_Log(NORMAL, " (_o_) Champ Clark III & The Quadrant InfoSec Team [quadrantsec.com]"); Sagan_Log(NORMAL, " / \\/) Copyright (C) 2009-2018 Quadrant Information Security, et al."); Sagan_Log(NORMAL, " (|| ||) Using PCRE version: %s", pcre_version()); Sagan_Log(NORMAL, " oo-oo Sagan is processing events....."); Sagan_Log(NORMAL, ""); /* We don't want the Key_Handler() if we're in daemon mode! 
*/ if (!config->daemonize ) { if (!config->quiet) { rc = pthread_create( &key_thread, NULL, (void *)Key_Handler, NULL ); if ( rc != 0 ) { Remove_Lock_File(); Sagan_Log(ERROR, "[%s, line %d] Error creating Key_Handler() thread. [error: %d]", __FILE__, __LINE__, rc); } } } /* We do this after forking so init scripts can complete */ /* Check lock file _after_ thread. If you don't it'll retreive the wrong pid * and incorrectly believe there is a stale lock file if --daemon */ CheckLockFile(); #ifdef HAVE_LIBHIREDIS /* Right now, Redis is only used for xbit storage */ if ( config->redis_flag && config->xbit_storage == XBIT_STORAGE_REDIS ) { Redis_Writer_Init(); Redis_Reader_Connect(); if ( config->redis_password[0] != '\0' ) { snprintf(redis_command, sizeof(redis_command), "AUTH %s", config->redis_password); Redis_Reader(redis_command, redis_reply, sizeof(redis_reply)); if (!strcmp(redis_reply, "OK")) { Sagan_Log(NORMAL, "Authentication success for 'reader' to Redis server at %s:%d.", config->redis_server, config->redis_port); } else { Remove_Lock_File(); Sagan_Log(ERROR, "Authentication failure for 'reader' to Redis server at %s:%d. 
Abort!", config->redis_server, config->redis_port); } } strlcpy(redis_command, "PING", sizeof(redis_command)); Redis_Reader(redis_command, redis_reply, sizeof(redis_reply)); if (!strcmp(redis_reply, "PONG")) { Sagan_Log(NORMAL, "Got 'reader' PONG from Redis at %s:%d.", config->redis_server, config->redis_port); } Sagan_Log(NORMAL, ""); } #endif Sagan_Log(NORMAL, "Spawning %d Processor Threads.", config->max_processor_threads); for (i = 0; i < config->max_processor_threads; i++) { rc = pthread_create ( &processor_id[i], &thread_processor_attr, (void *)Processor, NULL ); if ( rc != 0 ) { Remove_Lock_File(); Sagan_Log(ERROR, "Could not pthread_create() for I/O processors [error: %d]", rc); } } #ifdef HAVE_LIBHIREDIS if ( config->redis_flag && config->xbit_storage == XBIT_STORAGE_REDIS ) { Sagan_Log(NORMAL, "Spawning %d Redis Writer Threads.", config->redis_max_writer_threads); for (i = 0; i < config->redis_max_writer_threads; i++) { rc = pthread_create ( &redis_writer_processor_id[i], &redis_writer_thread_processor_attr, (void *)Redis_Writer, NULL ); if ( rc != 0 ) { Remove_Lock_File(); Sagan_Log(ERROR, "Could not pthread_create() for I/O redis writers [error: %d]", rc); } } } #endif Sagan_Log(NORMAL, ""); if ( !config->sagan_is_file ) { Sagan_Log(NORMAL, "Attempting to open syslog FIFO (%s).", config->sagan_fifo); } else { Sagan_Log(NORMAL, "Attempting to open syslog FILE (%s).", config->sagan_fifo); } while(true) { FILE *fd; if (( fd = fopen(config->sagan_fifo, "r" )) == NULL ) { if ( config->sagan_is_file == false ) { /* try to create it */ Sagan_Log(NORMAL, "Fifo not found, creating it (%s).", config->sagan_fifo); if (mkfifo(config->sagan_fifo, 0700) == -1) { Sagan_Log(ERROR, "Could not create FIFO '%s'. Abort!", config->sagan_fifo); } fd = fopen(config->sagan_fifo, "r"); if ( fd == NULL ) { Sagan_Log(ERROR, "Error opening %s. Abort!", config->sagan_fifo); } } else { Sagan_Log(ERROR, "Could not open file '%s'. 
Abort!", config->sagan_fifo); } } if ( config->sagan_is_file == false ) { Sagan_Log(NORMAL, "Successfully opened FIFO (%s).", config->sagan_fifo); #if defined(HAVE_GETPIPE_SZ) && defined(HAVE_SETPIPE_SZ) Set_Pipe_Size(fd); #endif } else { Sagan_Log(NORMAL, "Successfully opened FILE (%s) and processing events.....", config->sagan_fifo); } while(fd != NULL) { while(fgets(syslogstring, sizeof(syslogstring), fd) != NULL) { psyslogstring = syslogstring; /* If the FIFO was in a error state, let user know the FIFO writer has resumed */ if ( fifoerr == true ) { Sagan_Log(NORMAL, "FIFO writer has restarted. Processing events."); #if defined(HAVE_GETPIPE_SZ) && defined(HAVE_SETPIPE_SZ) Set_Pipe_Size(fd); #endif fifoerr = false; } counters->sagantotal++; /* If Dynamic rules are loaded, keep track of line count */ if ( config->dynamic_load_flag == true ) { dynamic_line_count++; } syslog_host = psyslogstring != NULL ? strsep(&psyslogstring, "|") : NULL; /* If we're using DNS (and we shouldn't be!), we start DNS checks and lookups * here. We cache both good and bad lookups to not over load our DNS server(s). * The only way DNS cache can be cleared is to restart Sagan */ if (config->syslog_src_lookup ) { if ( !Is_IP(syslog_host) ) /* Is inbound a valid IP? 
*/ { dns_flag = false; for(i=0; i <= counters->dns_cache_count ; i++) /* Check cache first */ { if (!strcmp( dnscache[i].hostname, syslog_host)) { syslog_host = dnscache[i].src_ip; dns_flag = true; } } /* If entry was not found in cache, look it up */ if ( dns_flag == false ) { /* Do a DNS lookup */ rc = DNS_Lookup(syslog_host, src_dns_lookup, sizeof(src_dns_lookup)); /* Invalid lookups get the config->sagan_host value */ if ( rc == -1 ) { strlcpy(src_dns_lookup, config->sagan_host, sizeof(src_dns_lookup)); counters->dns_miss_count++; } /* Add entry to DNS Cache */ dnscache = (_SaganDNSCache *) realloc(dnscache, (counters->dns_cache_count+1) * sizeof(_SaganDNSCache)); if ( dnscache == NULL ) { Sagan_Log(ERROR, "[%s, line %d] Failed to reallocate memory for dnscache. Abort!", __FILE__, __LINE__); } strlcpy(dnscache[counters->dns_cache_count].hostname, syslog_host, sizeof(dnscache[counters->dns_cache_count].hostname)); strlcpy(dnscache[counters->dns_cache_count].src_ip, src_dns_lookup, sizeof(dnscache[counters->dns_cache_count].src_ip)); counters->dns_cache_count++; syslog_host = src_dns_lookup; } } } else { /* We check to see if values from our FIFO are valid. If we aren't doing DNS related * stuff (above), we start basic check with the syslog_host */ if (syslog_host == NULL || !Is_IP(syslog_host) ) { syslog_host = config->sagan_host; pthread_mutex_lock(&SaganMalformedCounter); counters->malformed_host++; pthread_mutex_unlock(&SaganMalformedCounter); if ( debug->debugmalformed ) { Sagan_Log(DEBUG, "Sagan received a malformed 'host': '%s' (replaced with %s)", syslog_host, config->sagan_host); } } } /* We now check the rest of the values */ syslog_facility = psyslogstring != NULL ? 
strsep(&psyslogstring, "|") : NULL; if ( syslog_facility == NULL ) { syslog_facility = "SAGAN: FACILITY ERROR"; pthread_mutex_lock(&SaganMalformedCounter); counters->malformed_facility++; pthread_mutex_unlock(&SaganMalformedCounter); if ( debug->debugmalformed ) { Sagan_Log(DEBUG, "Sagan received a malformed 'facility'"); } } syslog_priority = psyslogstring != NULL ? strsep(&psyslogstring, "|") : NULL; if ( syslog_priority == NULL ) { syslog_priority = "SAGAN: PRIORITY ERROR"; pthread_mutex_lock(&SaganMalformedCounter); counters->malformed_priority++; pthread_mutex_unlock(&SaganMalformedCounter); if ( debug->debugmalformed ) { Sagan_Log(DEBUG, "Sagan received a malformed 'priority'"); } } syslog_level = psyslogstring != NULL ? strsep(&psyslogstring, "|") : NULL; if ( syslog_level == NULL ) { syslog_level = "SAGAN: LEVEL ERROR"; pthread_mutex_lock(&SaganMalformedCounter); counters->malformed_level++; pthread_mutex_unlock(&SaganMalformedCounter); if ( debug->debugmalformed ) { Sagan_Log(DEBUG, "Sagan received a malformed 'level'"); } } syslog_tag = psyslogstring != NULL ? strsep(&psyslogstring, "|") : NULL; if ( syslog_tag == NULL ) { syslog_tag = "SAGAN: TAG ERROR"; pthread_mutex_lock(&SaganMalformedCounter); counters->malformed_tag++; pthread_mutex_unlock(&SaganMalformedCounter); if ( debug->debugmalformed ) { Sagan_Log(DEBUG, "Sagan received a malformed 'tag'"); } } syslog_date = psyslogstring != NULL ? strsep(&psyslogstring, "|") : NULL; if ( syslog_date == NULL ) { syslog_date = "SAGAN: DATE ERROR"; pthread_mutex_lock(&SaganMalformedCounter); counters->malformed_date++; pthread_mutex_unlock(&SaganMalformedCounter); if ( debug->debugmalformed ) { Sagan_Log(DEBUG, "Sagan received a malformed 'date'"); } } syslog_time = psyslogstring != NULL ? 
strsep(&psyslogstring, "|") : NULL; if ( syslog_time == NULL ) { syslog_time = "SAGAN: TIME ERROR"; pthread_mutex_lock(&SaganMalformedCounter); counters->malformed_time++; pthread_mutex_unlock(&SaganMalformedCounter); if ( debug->debugmalformed ) { Sagan_Log(DEBUG, "Sagan received a malformed 'time'"); } } syslog_program = psyslogstring != NULL ? strsep(&psyslogstring, "|") : NULL; if ( syslog_program == NULL ) { syslog_program = "SAGAN: PROGRAM ERROR"; pthread_mutex_lock(&SaganMalformedCounter); counters->malformed_program++; pthread_mutex_unlock(&SaganMalformedCounter); if ( debug->debugmalformed ) { Sagan_Log(DEBUG, "Sagan received a malformed 'program'"); } } syslog_msg = psyslogstring != NULL ? strsep(&psyslogstring, "") : NULL; /* In case the message has | in it, we delimit on "" */ if ( syslog_msg == NULL ) { syslog_msg = "SAGAN: MESSAGE ERROR"; pthread_mutex_lock(&SaganMalformedCounter); counters->malformed_message++; pthread_mutex_unlock(&SaganMalformedCounter); if ( debug->debugmalformed ) { Sagan_Log(DEBUG, "Sagan received a malformed 'message' [Syslog Host: %s]", syslog_host); } /* If the message is lost, all is lost. 
Typically, you don't lose part of the message, * it's more likely to lose all - Champ Clark III 11/17/2011 */ counters->sagan_log_drop++; } /* Strip any \n or \r from the syslog_msg */ if ( strcspn ( syslog_msg, "\n" ) < strlen(syslog_msg) ) { syslog_msg[strcspn ( syslog_msg, "\n" )] = '\0'; } if ( proc_msgslot < config->max_processor_threads ) { pthread_mutex_lock(&SaganProcWorkMutex); strlcpy(SaganProcSyslog[proc_msgslot].syslog_host, syslog_host, sizeof(SaganProcSyslog[proc_msgslot].syslog_host)); strlcpy(SaganProcSyslog[proc_msgslot].syslog_facility, syslog_facility, sizeof(SaganProcSyslog[proc_msgslot].syslog_facility)); strlcpy(SaganProcSyslog[proc_msgslot].syslog_priority, syslog_priority, sizeof(SaganProcSyslog[proc_msgslot].syslog_priority)); strlcpy(SaganProcSyslog[proc_msgslot].syslog_level, syslog_level, sizeof(SaganProcSyslog[proc_msgslot].syslog_level)); strlcpy(SaganProcSyslog[proc_msgslot].syslog_tag, syslog_tag, sizeof(SaganProcSyslog[proc_msgslot].syslog_tag)); strlcpy(SaganProcSyslog[proc_msgslot].syslog_date, syslog_date, sizeof(SaganProcSyslog[proc_msgslot].syslog_date)); strlcpy(SaganProcSyslog[proc_msgslot].syslog_time, syslog_time, sizeof(SaganProcSyslog[proc_msgslot].syslog_time)); strlcpy(SaganProcSyslog[proc_msgslot].syslog_program, syslog_program, sizeof(SaganProcSyslog[proc_msgslot].syslog_program)); strlcpy(SaganProcSyslog[proc_msgslot].syslog_message, syslog_msg, sizeof(SaganProcSyslog[proc_msgslot].syslog_message)); if ( config->dynamic_load_flag == true && ( dynamic_line_count >= config->dynamic_load_sample_rate ) ) { pthread_mutex_lock(&SaganDynamicFlag); dynamic_rule_flag = DYNAMIC_RULE; pthread_mutex_unlock(&SaganDynamicFlag); dynamic_line_count = 0; } /* Thread holds here if rule load is in progress */ if ( config->dynamic_load_flag == true ) { pthread_mutex_lock(&SaganRulesLoadedMutex); reload_rules = true; pthread_mutex_unlock(&SaganRulesLoadedMutex); } proc_msgslot++; pthread_cond_signal(&SaganProcDoWork); 
pthread_mutex_unlock(&SaganProcWorkMutex); } else { counters->worker_thread_exhaustion++; counters->sagan_log_drop++; } if (debug->debugthreads) { Sagan_Log(DEBUG, "[%s, line %d] Current \"proc_msgslot\": %d", __FILE__, __LINE__, proc_msgslot); } if (debug->debugsyslog) { Sagan_Log(DEBUG, "[%s, line %d] **[RAW Syslog]*********************************", __FILE__, __LINE__); Sagan_Log(DEBUG, "[%s, line %d] Host: %s | Program: %s | Facility: %s | Priority: %s | Level: %s | Tag: %s", __FILE__, __LINE__, syslog_host, syslog_program, syslog_facility, syslog_priority, syslog_level, syslog_tag); Sagan_Log(DEBUG, "[%s, line %d] Raw message: %s", __FILE__, __LINE__, syslog_msg); } } /* while(fgets) */ /* fgets() has returned a error, likely due to the FIFO writer leaving */ /* RMEOVE LOCK */ if ( fifoerr == false ) { if ( config->sagan_is_file != 0 ) { Sagan_Log(NORMAL, "EOF reached. Waiting for threads to catch up...."); Sagan_Log(NORMAL, ""); while(proc_msgslot != 0 || proc_running != 0) { Sagan_Log(NORMAL, "Waiting on %d/%d threads....", proc_msgslot, proc_running); sleep(1); } fclose(fd); Statistics(); Remove_Lock_File(); Sagan_Log(NORMAL, "Exiting."); exit(0); } else { Sagan_Log(WARN, "FIFO writer closed. Waiting for FIFO writer to restart...."); fifoerr = true; /* Set flag so our wile(fgets) knows */ } } sleep(1); /* So we don't eat 100% CPU */ } /* while(fd != NULL) */ fclose(fd); /* ???? */ } /* End of while(1) */ } /* End of main */ sagan-1.2.0/src/credits.h0000644000175000017500000000200213310531444014132 0ustar champchamp/* ** Copyright (C) 2009-2018 Quadrant Information Security ** Copyright (C) 2009-2018 Champ Clark III ** ** This program is free software; you can redistribute it and/or modify ** it under the terms of the GNU General Public License Version 2 as ** published by the Free Software Foundation. You may not use, modify or ** distribute this program under any other version of the GNU General ** Public License. 
** ** This program is distributed in the hope that it will be useful, ** but WITHOUT ANY WARRANTY; without even the implied warranty of ** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ** GNU General Public License for more details. ** ** You should have received a copy of the GNU General Public License ** along with this program; if not, write to the Free Software ** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. */ #ifdef HAVE_CONFIG_H #include "config.h" /* From autoconf */ #endif void Credits( void ); sagan-1.2.0/src/after.h0000644000175000017500000000263413310531444013611 0ustar champchamp/* ** Copyright (C) 2009-2018 Quadrant Information Security ** Copyright (C) 2009-2018 Champ Clark III ** ** This program is free software; you can redistribute it and/or modify ** it under the terms of the GNU General Public License Version 2 as ** published by the Free Software Foundation. You may not use, modify or ** distribute this program under any other version of the GNU General ** Public License. ** ** This program is distributed in the hope that it will be useful, ** but WITHOUT ANY WARRANTY; without even the implied warranty of ** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ** GNU General Public License for more details. ** ** You should have received a copy of the GNU General Public License ** along with this program; if not, write to the Free Software ** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. 
*/ sbool After_By_Src ( int rule_position, char *ip_src, unsigned char *ip_src_bits, char *select, char *syslog_message ); sbool After_By_Dst ( int rule_position, char *ip_dst, unsigned char *ip_dst_bits, char *select, char *syslog_message ); sbool After_By_Username( int rule_position, char *normalize_username, char *select, char *syslog_message ); sbool After_By_SrcPort( int rule_position, uint32_t ip_srcport_u32, char *select ); sbool After_By_DstPort( int rule_position, uint32_t ip_dstport_u32, char *select ); sagan-1.2.0/src/usage.c0000644000175000017500000000741013310531444013604 0ustar champchamp/* ** Copyright (C) 2009-2018 Quadrant Information Security ** Copyright (C) 2009-2018 Champ Clark III ** ** This program is free software; you can redistribute it and/or modify ** it under the terms of the GNU General Public License Version 2 as ** published by the Free Software Foundation. You may not use, modify or ** distribute this program under any other version of the GNU General ** Public License. ** ** This program is distributed in the hope that it will be useful, ** but WITHOUT ANY WARRANTY; without even the implied warranty of ** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ** GNU General Public License for more details. ** ** You should have received a copy of the GNU General Public License ** along with this program; if not, write to the Free Software ** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. */ /* usage.c * * Gives the user basic operation of the sagan binary. 
 * Also displays
 * information of compile time options
 *
 */

#ifdef HAVE_CONFIG_H
#include "config.h"             /* From autoconf */
#endif

/* NOTE(review): the system header name was lost in extraction; stdio.h is
 * the one this file needs (fprintf/fputs on stderr). */
#include <stdio.h>

#include "sagan.h"
#include "version.h"

/* Write one fixed line of help text to stderr.  Only for literal strings
 * without format directives; lines that interpolate a value use fprintf(). */
static void Usage_Line(const char *line)
{
    fputs(line, stderr);
}

/* Print the command-line help to stderr: the option list, the accepted
 * "--debug" types, and a summary of the features compiled into this build.
 * The optional entries are gated on the same configure-time macros the
 * rest of the program uses.  Takes nothing, returns nothing and does not
 * exit; the caller decides what happens after the text is shown. */
void Usage(void)
{
    fprintf(stderr, "\n--[Sagan version %s | Help/usage screen]--------------------------------\n\n", VERSION);

    Usage_Line("-h, --help\t\tHelp (this screen).\n");
    Usage_Line("-C, --credits\t\tSagan credits.\n");

    /* The debug type list is emitted piecewise: the fixed types first, then
     * one ", name" fragment per optional subsystem present in this build. */
    Usage_Line("-d, --debug [type]\tTypes: engine, syslog, load, fwsam, external,threads,\n\t\t\tipc, limits, malformed, xbit, brointel, json, parse_ip");
#ifdef HAVE_LIBESMTP
    Usage_Line(", smtp");
#endif
#ifdef HAVE_LIBLOGNORM
    Usage_Line(", normalize");
#endif
#ifdef HAVE_LIBPCAP
    Usage_Line(", plog");
#endif
#ifdef WITH_BLUEDOT
    Usage_Line(", bluedot");
#endif
#ifdef HAVE_LIBMAXMINDDB
    Usage_Line(", geoip2");
#endif
#ifdef HAVE_LIBHIREDIS
    Usage_Line(", redis");
#endif
    Usage_Line(".\n");

    Usage_Line("-D, --daemon\t\tMake process a daemon (fork to the background).\n");
    Usage_Line("-u, --user [username]\tRun as user (defaults to 'sagan').\n");
    Usage_Line("-c, --chroot [dir]\tChroot Sagan to specified directory.\n");
    Usage_Line("-f, --config [file]\tSagan configuration file to load.\n");
    Usage_Line("-F, --file [file]\tFIFO over ride. This reads a file in rather than reading\n");
    Usage_Line("\t\t\tfrom a FIFO. The file must be in the Sagan format!\n");
    fprintf(stderr, "-l, --log [file]\tsagan.log location [default: %s].\n", SAGANLOG );
    Usage_Line("-Q, --quiet\t\tRun Sagan in 'quiet' mode (no console output)\n");
    Usage_Line("\n");

    /* Compile-time feature summary, one line per enabled option. */
#ifdef HAVE_LIBESMTP
    Usage_Line("* libesmtp (SMTP) support is included.\n");
#endif
#ifdef HAVE_LIBLOGNORM
    Usage_Line("* liblognorm (log normalization) support is included.\n");
#endif
#ifdef HAVE_LIBPCAP
    Usage_Line("* PLOG (syslog sniffer) support is included.\n");
#endif
#if defined(HAVE_DNET_H) || defined(HAVE_DUMBNET_H)
    Usage_Line("* libdnet (for unified2) support is included.\n");
#endif
#ifdef HAVE_LIBMAXMINDDB
    Usage_Line("* Maxmind GeoIP2 support is included.\n");
#endif
#ifdef WITH_SNORTSAM
    Usage_Line("* Snortsam support is included.\n");
#endif
#ifdef WITH_SYSLOG
    Usage_Line("* Syslog output is included.\n");
#endif
#ifdef WITH_SYSSTRSTR
    Usage_Line("* Using Sagan's built in 'strstr' function.\n");
#endif
#ifdef WITH_BLUEDOT
    Usage_Line("* Using Quadrant's Bluedot.\n");
#endif
#ifdef PCRE_HAVE_JIT
    Usage_Line("* Using PCRE JIT.\n");
#endif
#ifdef HAVE_LIBHIREDIS
    Usage_Line("* Using HiRedis/Redis.\n");
#endif

    fprintf(stderr, "\n* Compiled on %s at %s.\n", __DATE__, __TIME__);
}

/* sagan-1.2.0/src/send-alert.c0000644000175000017500000001006313310531444014534 0ustar champchamp */
/*
** Copyright (C) 2009-2018 Quadrant Information Security
** Copyright (C) 2009-2018 Champ Clark III
**
** This program is free software; you can redistribute it and/or modify
** it under the terms of the GNU General Public License Version 2 as
** published by the Free Software Foundation.  You may not use, modify or
** distribute this program under any other version of the GNU General
** Public License.
**
** This program is distributed in the hope that it will be useful,
** but WITHOUT ANY WARRANTY; without even the implied warranty of
** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
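** See the
** GNU General Public License for more details.
**
** You should have received a copy of the GNU General Public License
** along with this program; if not, write to the Free Software
** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
*/

/* send-alert.c
 *
 * Sends alert information to the correct processor
 */

#ifdef HAVE_CONFIG_H
#include "config.h"             /* From autoconf */
#endif

/* NOTE(review): the two system header names were lost in extraction; these
 * are the ones the code below needs (snprintf, memset). */
#include <stdio.h>
#include <string.h>

#include "sagan.h"
#include "version.h"
#include "output.h"
#include "gen-msg.h"
#include "processors/engine.h"

struct _SaganConfig *config;

/* Build a _Sagan_Event from a processor's alert data and hand it to Output().
 *
 * SaganProcSyslog_LOCAL  the syslog record the alert was raised on; its
 *                        message, host, date and time are referenced (not
 *                        copied) by the event.
 * json_normalize         normalized JSON for the event, or NULL.
 * processor_info         identity of the raising processor (generator id,
 *                        name, facility, priorities, class, tag, rev).
 * ip_src/ip_dst, src_port/dst_port, proto
 *                        the flow the alert is about.
 * alertid                the processor's alert id; becomes the event's sid.
 * normalize_http_uri / normalize_http_hostname
 *                        normalized HTTP fields, passed straight through.
 * pos                    rule position, stored in "found".
 * tp                     event timestamp.
 *
 * Returns nothing.  The event and the two text buffers only have to outlive
 * the Output() call, so everything is stack allocated. */
void Send_Alert ( _Sagan_Proc_Syslog *SaganProcSyslog_LOCAL,
                  json_object *json_normalize,
                  _Sagan_Processor_Info *processor_info,
                  char *ip_src,
                  char *ip_dst,
                  char *normalize_http_uri,
                  char *normalize_http_hostname,
                  int proto,
                  int alertid,
                  int src_port,
                  int dst_port,
                  int pos,
                  struct timeval tp )
{
    char f_msg_buf[64] = { 0 };      /* generator message, when looked up */
    char sid_buf[64] = { 0 };        /* alertid rendered as text */

    /* The previous implementation malloc()'d the event and free()'d it right
     * after Output() returned, so a stack object is equivalent and removes
     * the NULL dereference that followed a failed malloc() (whether
     * Sagan_Log(ERROR, ...) returns is not visible here). */
    struct _Sagan_Event Event;
    memset(&Event, 0, sizeof(Event));

    /* Message text: processors with their own generator id resolve alertid
     * through the generator map; the built-in one reports its name. */
    if ( processor_info->processor_generator_id != SAGAN_PROCESSOR_GENERATOR_ID )
        {
            Generator_Lookup(processor_info->processor_generator_id, alertid, f_msg_buf, sizeof(f_msg_buf));
            Event.f_msg = f_msg_buf;
        }
    else
        {
            Event.f_msg = processor_info->processor_name;
        }

    Event.message = SaganProcSyslog_LOCAL->syslog_message;
    Event.program = processor_info->processor_name;
    Event.facility = processor_info->processor_facility;
    Event.priority = processor_info->processor_priority;    /* Syslog priority */
    Event.pri = processor_info->processor_pri;              /* Sagan priority */
    Event.class = processor_info->processor_class;
    Event.tag = processor_info->processor_tag;
    Event.rev = processor_info->processor_rev;

    Event.ip_src = ip_src;
    Event.ip_dst = ip_dst;
    Event.dst_port = dst_port;
    Event.src_port = src_port;
    Event.found = pos;

    Event.normalize_http_uri = normalize_http_uri;
    Event.normalize_http_hostname = normalize_http_hostname;

    /* sid gets its own buffer.  The original code rendered it into the same
     * 64-byte buffer that f_msg already pointed to, so by the time Output()
     * ran, f_msg and sid both carried the alertid text and the looked-up
     * generator message was lost. */
    snprintf(sid_buf, sizeof(sid_buf), "%d", alertid);
    Event.sid = sid_buf;

    Event.host = SaganProcSyslog_LOCAL->syslog_host;
    Event.time = SaganProcSyslog_LOCAL->syslog_time;
    Event.date = SaganProcSyslog_LOCAL->syslog_date;

    Event.ip_proto = proto;
    Event.event_time = tp;
    Event.generatorid = processor_info->processor_generator_id;
    Event.json_normalize = json_normalize;

    Output ( &Event );
}

/* sagan-1.2.0/src/json-handler.c0000644000175000017500000000551713310531444015072 0ustar champchamp */
/* $Id$ */
/*
** Copyright (C) 2009-2018 Quadrant Information Security
** Copyright (C) 2009-2018 Champ Clark III
**
** This program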
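** is free software; you can redistribute it and/or modify
** it under the terms of the GNU General Public License Version 2 as
** published by the Free Software Foundation.  You may not use, modify or
** distribute this program under any other version of the GNU General
** Public License.
**
** This program is distributed in the hope that it will be useful,
** but WITHOUT ANY WARRANTY; without even the implied warranty of
** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
** GNU General Public License for more details.
**
** You should have received a copy of the GNU General Public License
** along with this program; if not, write to the Free Software
** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
*/

/* json.c
 *
 * Functions that handle JSON output.
 *
 */

#ifdef HAVE_CONFIG_H
#include "config.h"             /* From autoconf */
#endif

/* NOTE(review): three system header names were lost in extraction.  The code
 * below needs stdio.h (snprintf), string.h (strlen, memset) and stdint.h
 * (uint8_t); the JSON library header that declares json_object and
 * json_object_to_json_string_ext was presumably the third one and must be
 * restored from the project tree. */
#include <stdio.h>
#include <string.h>
#include <stdint.h>

#include "sagan.h"
#include "references.h"
#include "util-base64.h"
#include "util-time.h"
#include "sagan-config.h"
#include "json-handler.h"

struct _SaganConfig *config;
struct _SaganDebug *debug;

/* Render an event as one EVE-style JSON alert line into str (at most size
 * bytes, snprintf-truncated).
 *
 * Event  the alert to format; its message is base64-encoded into the
 *        "payload" slot and json_normalize, when present, is serialised
 *        with json_object_to_json_string_ext().
 * str    caller-supplied output buffer.
 * size   capacity of str.
 *
 * Returns nothing.  When debug->debugjson is set the finished line is also
 * written to the Sagan log. */
void Format_JSON_Alert_EVE( _Sagan_Event *Event, char *str, size_t size )
{
    const char *proto;
    const char *drop;
    char timebuf[64] = { 0 };
    char classbuf[64] = { 0 };

    /* Protocol name.  The original if-chain ended in an else-if whose
     * condition was always true; a switch with a default says the same
     * thing without the dead test. */
    switch ( Event->ip_proto )
        {
        case 17:
            proto = "UDP";
            break;
        case 6:
            proto = "TCP";
            break;
        case 1:
            proto = "ICMP";
            break;
        default:
            proto = "UNKNOWN";
            break;
        }

    drop = ( Event->drop == true ) ? "blocked" : "allowed";

    CreateIsoTimeString(&Event->event_time, timebuf, sizeof(timebuf));

    /* Base64 output is 4 bytes per 3 input bytes, rounded up, plus a NUL.
     * The old bound of strlen()*2 was smaller than that for 1-, 2- and 4-byte
     * messages and gave a zero-length VLA for an empty one.  Whether
     * Base64Encode() honours the capacity passed in b64_len is not visible
     * here, so the buffer is also zeroed: a short or failed encode then
     * yields an empty string rather than uninitialised stack in the JSON. */
    size_t msg_len = strlen(Event->message);
    unsigned long b64_len = 4 * ((msg_len + 2) / 3) + 1;
    uint8_t b64_target[b64_len];
    memset(b64_target, 0, b64_len);

    Base64Encode( (const unsigned char*)Event->message, msg_len, b64_target, &b64_len);

    Classtype_Lookup( Event->class, classbuf, sizeof(classbuf) );

    snprintf(str, size, EVE_ALERT,
             timebuf,
             FlowGetId(Event),
             config->eve_interface,
             Event->ip_src,
             Event->src_port,
             Event->ip_dst,
             Event->dst_port,
             proto,
             drop,
             Event->generatorid,
             Event->sid,
             Event->rev,
             Event->f_msg,
             classbuf,
             Event->pri,
             b64_target,
             "",
             Event->host,
             !Event->json_normalize ? "{}" : json_object_to_json_string_ext(Event->json_normalize, FJSON_TO_STRING_PLAIN));

    if ( debug->debugjson )
        {
            Sagan_Log(DEBUG, "[%s, line %d] JSON Output: %s", __FILE__, __LINE__, str);
        }
}

/* sagan-1.2.0/src/xbit-redis.h0000644000175000017500000000247613310531444014562 0ustar champchamp */
/*
** Copyright (C) 2009-2018 Quadrant Information Security
** Copyright (C) 2009-2018 Champ Clark III
**
** This program is free software; you can redistribute it and/or modify
** it under the terms of the GNU General Public License Version 2 as
** published by the Free Software Foundation.  You may not use, modify or
** distribute this program under any other version of the GNU General
** Public License.
**
** This program is distributed in the hope that it will be useful,
** but WITHOUT ANY WARRANTY; without even the implied warranty of
** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
** GNU General Public License for more details.
**
** You should have received a copy of the GNU General Public License
** along with this program; if not, write to the Free Software
** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.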
*/ void Xbit_Set_Redis( int rule_position, char *ip_src_char, char *ip_dst_char, int src_port, int dst_port, char *selector, _Sagan_Proc_Syslog *SaganProcSyslog_LOCAL ); sbool Xbit_Condition_Redis( int rule_position, char *ip_src_char, char *ip_dst_char, int src_port, int dst_port, char *selector ); void Xbit_Cleanup_Redis( char *xbit_name, uint32_t utime, char *notnull_selector, char *ip_src_char, char *ip_dst_char ); sagan-1.2.0/src/rules.h0000644000175000017500000001774613310531444013654 0ustar champchamp/* ** Copyright (C) 2009-2018 Quadrant Information Security ** Copyright (C) 2009-2018 Champ Clark III ** ** This program is free software; you can redistribute it and/or modify ** it under the terms of the GNU General Public License Version 2 as ** published by the Free Software Foundation. You may not use, modify or ** distribute this program under any other version of the GNU General ** Public License. ** ** This program is distributed in the hope that it will be useful, ** but WITHOUT ANY WARRANTY; without even the implied warranty of ** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ** GNU General Public License for more details. ** ** You should have received a copy of the GNU General Public License ** along with this program; if not, write to the Free Software ** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. 
*/

#ifdef HAVE_CONFIG_H
#include "config.h"             /* From autoconf */
#endif

#ifdef WITH_BLUEDOT
#define BLUEDOT_MAX_CAT 10
#endif

/* One entry per rule file that has been loaded. */
typedef struct _Rules_Loaded _Rules_Loaded;
struct _Rules_Loaded
{
    char ruleset[MAXPATH];
};

/* Address bits and mask bits for the first ("flow_1") side of a rule's
   flow check. */
typedef struct arr_flow_1 arr_flow_1;
struct arr_flow_1
{
    struct
    {
        unsigned char ipbits[MAXIPBIT];
        unsigned char maskbits[MAXIPBIT];
    } range;
};

/* Same layout for the second ("flow_2") side. */
typedef struct arr_flow_2 arr_flow_2;
struct arr_flow_2
{
    struct
    {
        unsigned char ipbits[MAXIPBIT];
        unsigned char maskbits[MAXIPBIT];
    } range;
};

/* Port range (lo..hi), first side. */
typedef struct arr_port_1 arr_port_1;
struct arr_port_1
{
    int lo;
    int hi;
};

/* Port range (lo..hi), second side. */
typedef struct arr_port_2 arr_port_2;
struct arr_port_2
{
    int lo;
    int hi;
};

/* Expanded form of one meta_content option: up to MAX_META_CONTENT_ITEMS
   strings of 256 bytes, meta_counter of them in use. */
typedef struct meta_content_conversion meta_content_conversion;
struct meta_content_conversion
{
    char meta_content_converted[MAX_META_CONTENT_ITEMS][256];
    int meta_counter;
};

/* _Rule_Struct
 *
 * Fully parsed form of one rule.  output.c indexes the rulestruct array
 * with Event->found and consults xbit_noeve, xbit_nounified2,
 * fwsam_src_or_dst, email_flag and external_flag/external_program to
 * decide which output plugins an alert is handed to.  The "1 == src"
 * style numeric encodings are documented inline where the author gave
 * them; fields without a comment are left undocumented rather than
 * guessed at from their names.
 */
typedef struct _Rule_Struct _Rule_Struct;
struct _Rule_Struct
{
    unsigned s_size_rule;
    char s_msg[MAX_SAGAN_MSG];

    pcre *re_pcre[MAX_PCRE];
    pcre_extra *pcre_extra[MAX_PCRE];

    char s_content[MAX_CONTENT][256];
    char s_reference[MAX_REFERENCE][256];
    char s_classtype[32];
    char s_sid[32];
    char s_rev[5];                                  /* four characters plus NUL */
    int s_pri;
    char s_program[256];
    char s_facility[50];
    char s_syspri[25];
    char s_level[25];
    char s_tag[10];
    char email[255];
    sbool email_flag;
    sbool type;                                     /* 0 == normal, 1 == dynamic */
    char dynamic_ruleset[MAXPATH];

    /* Check Flow */

    struct arr_flow_1 flow_1[MAX_CHECK_FLOWS];
    struct arr_flow_2 flow_2[MAX_CHECK_FLOWS];
    struct arr_port_1 port_1[MAX_CHECK_FLOWS];
    struct arr_port_2 port_2[MAX_CHECK_FLOWS];
    struct meta_content_conversion meta_content_containers[MAX_META_CONTENT];

    int direction;
    sbool flow_1_var;
    sbool flow_2_var;
    sbool port_1_var;
    sbool port_2_var;
    sbool has_flow;
    int flow_1_type[MAX_CHECK_FLOWS];
    int flow_2_type[MAX_CHECK_FLOWS];
    int flow_1_counter;
    int flow_2_counter;
    int port_1_type[MAX_CHECK_FLOWS];
    int port_2_type[MAX_CHECK_FLOWS];
    int port_1_counter;
    int port_2_counter;

    /* Per-content modifiers, one slot per s_content entry */

    sbool s_nocase[MAX_CONTENT];
    int s_offset[MAX_CONTENT];
    int s_depth[MAX_CONTENT];
    int s_distance[MAX_CONTENT];
    int s_within[MAX_CONTENT];

    /* Per-meta_content modifiers, one slot per meta_content entry */

    sbool meta_nocase[MAX_META_CONTENT];
    int meta_offset[MAX_META_CONTENT];
    int meta_depth[MAX_META_CONTENT];
    int meta_distance[MAX_META_CONTENT];
    int meta_within[MAX_META_CONTENT];

    unsigned char pcre_count;
    unsigned char content_count;
    unsigned char meta_content_count;
    unsigned char meta_content_converted_count;

    int xbit_count;                                 /* Number of xbits in memory */
    unsigned char xbit_condition_count;             /* Number of isset/isnot within a rule */
    unsigned char xbit_set_count;                   /* Number of set/unset within a rule */
    unsigned char xbit_count_count;                 /* Number of count within a rule */
    sbool xbit_flag;                                /* Does the rule contain a xbit? */
    sbool xbit_noalert;                             /* Do we want to suppress "alerts" from xbits in ALL output plugins? */
    sbool xbit_nounified2;                          /* Do we want to suppress "unified2" from xbits in unified2 output */
    sbool xbit_noeve;                               /* Do we want to suppress "eve" from xbits */
    unsigned char xbit_type[MAX_XBITS];             /* 1 == set, 2 == unset, 3 == isset, 4 == isnotset, 5 == set_srcport, 6 == set_dstport, 7 == set_ports, 8 == count */
    unsigned char xbit_direction[MAX_XBITS];        /* 0 == none, 1 == both, 2 == by_src, 3 == by_dst */
    int xbit_timeout[MAX_XBITS];                    /* How long a xbit is to stay alive (seconds) */
    char xbit_name[MAX_XBITS][64];                  /* Name of the xbit */
    unsigned char xbit_count_gt_lt[MAX_XBITS];      /* 0 == Greater, 1 == Less than, 2 == Equals. */
    int xbit_count_counter[MAX_XBITS];              /* The amount the user is looking for */
    sbool xbit_count_flag;

    int ref_count;
    int ip_proto;                                   /*protocol to match against events*/
    int default_dst_port;                           /*default dst port to set*/
    int default_src_port;                           /*default src port to set*/
    int default_proto;                              /*default protocol to set*/

    sbool s_find_port;
    sbool s_find_proto;
    sbool s_find_proto_program;
    sbool s_find_src_ip;
    int s_find_src_pos;
    sbool s_find_dst_ip;
    int s_find_dst_pos;
    int s_find_hash_type;

    sbool normalize;
    sbool content_not[MAX_CONTENT];                 /* content: ! "something" */

    int drop;                                       /* inline DROP for ext. */

    unsigned char threshold_type;                   /* 1 = limit, 2 = thresh */
    unsigned char threshold_method;                 /* 1 == src, 2 == dst, 3 == username, 4 == srcport, 5 == dstport */
    int threshold_count;
    int threshold_seconds;

    unsigned char after_method;                     /* 1 == src, 2 == dst, 3 == username, 4 == dstport */
    int after_count;
    int after_seconds;

    unsigned char fwsam_src_or_dst;                 /* 1 == src, 2 == dst */
    unsigned long fwsam_seconds;

    sbool meta_content_flag;
    sbool meta_content_case[MAX_META_CONTENT];
    sbool meta_content_not[MAX_META_CONTENT];
    char meta_content[MAX_META_CONTENT][CONFBUF];
    char meta_content_help[MAX_META_CONTENT][CONFBUF];

    sbool alert_time_flag;
    unsigned char alert_days;
    sbool aetas_next_day;
    int aetas_start;
    int aetas_end;
    int alert_end_hour;
    int alert_end_minute;

    sbool external_flag;
    char external_program[MAXPATH];                 /* handed to External_Thread() by output.c when external_flag is set */

    /* Bro Intel */

    sbool brointel_flag;
    sbool brointel_ipaddr_src;
    sbool brointel_ipaddr_dst;
    sbool brointel_ipaddr_both;
    sbool brointel_ipaddr_all;
    sbool brointel_domain;
    sbool brointel_file_hash;
    sbool brointel_url;
    sbool brointel_software;
    sbool brointel_email;
    sbool brointel_user_name;
    sbool brointel_file_name;
    sbool brointel_cert_hash;

    /* Blacklist */

    sbool blacklist_flag;
    sbool blacklist_ipaddr_src;
    sbool blacklist_ipaddr_dst;
    sbool blacklist_ipaddr_both;
    sbool blacklist_ipaddr_all;

#ifdef WITH_BLUEDOT
    unsigned char bluedot_ipaddr_type;              /* 1 == src, 2 == dst, 3 == both, 4 == all */
    int bluedot_ip_cats[BLUEDOT_MAX_CAT];
    int bluedot_ip_cat_count;
    uint64_t bluedot_mdate_effective_period;
    uint64_t bluedot_cdate_effective_period;
    int bluedot_hash_cats[BLUEDOT_MAX_CAT];
    int bluedot_hash_cat_count;
    int bluedot_url_cats[BLUEDOT_MAX_CAT];
    int bluedot_url_cat_count;
    int bluedot_filename_cats[BLUEDOT_MAX_CAT];
    int bluedot_filename_cat_count;
    sbool bluedot_file_hash;
    sbool bluedot_url;
    sbool bluedot_filename;
#endif

#ifdef HAVE_LIBMAXMINDDB
    sbool geoip2_flag;
    unsigned char geoip2_type;                      /* 1 == isnot, 2 == is */
    char geoip2_country_codes[256];
    unsigned char geoip2_src_or_dst;                /* 1 == src, 2 == dst */
#endif

};

void Load_Rules ( const char * );

sagan-1.2.0/src/output.c0000644000175000017500000001353613310531444014046 0ustar champchamp
/*
** Copyright (C) 2009-2018 Quadrant Information Security
** Copyright (C) 2009-2018 Champ Clark III
**
** This program is free software; you can redistribute it and/or modify
** it under the terms of the GNU General Public License Version 2 as
** published by the Free Software Foundation.  You may not use, modify or
** distribute this program under any other version of the GNU General
** Public License.
**
** This program is distributed in the hope that it will be useful,
** but WITHOUT ANY WARRANTY; without even the implied warranty of
** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
** GNU General Public License for more details.
**
** You should have received a copy of the GNU General Public License
** along with this program; if not, write to the Free Software
** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
*/

/* output.c
 *
 * This becomes a threaded operation.
This handles all I/O intensive output plugins */

#ifdef HAVE_CONFIG_H
#include "config.h"             /* From autoconf */
#endif

#include                        /* system header names were lost in extraction */
#include
#include

#include "sagan.h"
#include "output.h"
#include "rules.h"
#include "sagan-config.h"

#include "output-plugins/alert.h"
#include "output-plugins/external.h"
#include "output-plugins/fast.h"
#include "output-plugins/eve.h"

#ifdef WITH_SNORTSAM
#include "output-plugins/snortsam.h"
#endif

#ifdef WITH_SYSLOG
#include "output-plugins/syslog-handler.h"
#endif

#ifdef HAVE_LIBESMTP
#include "output-plugins/esmtp.h"
#endif

#if defined(HAVE_DNET_H) || defined(HAVE_DUMBNET_H)
#include "output-plugins/unified2.h"
uint64_t unified_event_id;
#endif

struct _SaganCounters *counters;
struct _Rule_Struct *rulestruct;
struct _SaganConfig *config;

sbool nonthread_alert_lock = false;
pthread_mutex_t SaganOutputNonThreadMutex=PTHREAD_MUTEX_INITIALIZER;

/* Output_Serialized
 *
 * The file based outputs (alert, eve, fast) and unified2 are run one event
 * at a time under SaganOutputNonThreadMutex; nonthread_alert_lock mirrors
 * the held state of that mutex for the rest of the program.
 */
static void Output_Serialized( _Sagan_Event *Event )
{

    pthread_mutex_lock(&SaganOutputNonThreadMutex);
    nonthread_alert_lock = true;

    if ( config->alert_flag )
        {
            Alert_File(Event);
        }

    if ( config->eve_flag && rulestruct[Event->found].xbit_noeve == false )
        {
            Alert_JSON(Event);
        }

    if ( config->fast_flag )
        {
            Fast_File(Event);
        }

#if defined(HAVE_DNET_H) || defined(HAVE_DUMBNET_H)

    if ( config->sagan_unified2_flag && rulestruct[Event->found].xbit_nounified2 == false )
        {

            Unified2( Event );
            Unified2LogPacketAlert( Event );

            /* The syslog source host travels as an XFF "extra" record, typed
               by whether it is an IPv6 literal. */

            if ( Event->host[0] != '\0' )
                {
                    Unified2WriteExtraData( Event, Is_IPv6(Event->host) ? EVENT_INFO_XFF_IPV6 : EVENT_INFO_XFF_IPV4 );
                }

            /* IPv6 addresses also go into "extra" data records */

            if ( Is_IPv6(Event->ip_src ) )
                {
                    Unified2WriteExtraData( Event, EVENT_INFO_IPV6_SRC );
                }

            if ( Is_IPv6(Event->ip_dst ) )
                {
                    Unified2WriteExtraData( Event, EVENT_INFO_IPV6_DST );
                }

            /* These fields are normalized in engine.c and handed over via
               send-alert.c.  Anything added here needs a matching change
               there. */

            if ( Event->normalize_http_uri != NULL )
                {
                    Unified2WriteExtraData( Event, EVENT_INFO_HTTP_URI );
                }

            if ( Event->normalize_http_hostname != NULL )
                {
                    Unified2WriteExtraData( Event, EVENT_INFO_HTTP_HOSTNAME );
                }

            unified_event_id++;

        }

#endif

    nonthread_alert_lock = false;
    pthread_mutex_unlock(&SaganOutputNonThreadMutex);

}

/* Output
 *
 * Dispatch one alert to every enabled output plugin.  The serialized
 * outputs run first, then syslog, SnortSam, e-mail and the external
 * program hooks, each gated by its config flag and, where the rule can
 * opt out, by the matching field of rulestruct[Event->found].
 */
void Output( _Sagan_Event *Event )
{

    Output_Serialized( Event );

    /* Syslog output */

#ifdef WITH_SYSLOG

    if ( config->sagan_syslog_flag )
        {
            Alert_Syslog( Event );
        }

#endif

    /* Snortsam support: only when a snortsam server is configured and the
       rule asks for it. */

#ifdef WITH_SNORTSAM

    if ( config->sagan_fwsam_flag && rulestruct[Event->found].fwsam_src_or_dst )
        {
            FWSam( Event );
        }

#endif

    /* SMTP/Email support (libesmtp) */

#ifdef HAVE_LIBESMTP

    if ( config->sagan_esmtp_flag && rulestruct[Event->found].email_flag )
        {
            ESMTP_Thread( Event );
        }

#endif

    /* External program configured globally */

    if ( config->sagan_external_output_flag )
        {
            External_Thread( Event, config->sagan_external_command );
        }

    /* External program named by the rule itself */

    if ( rulestruct[Event->found].external_flag )
        {
            External_Thread( Event, rulestruct[Event->found].external_program );
        }

}

sagan-1.2.0/src/threshold.h0000644000175000017500000000265313310531444014505 0ustar
champchamp/* ** Copyright (C) 2009-2018 Quadrant Information Security ** Copyright (C) 2009-2018 Champ Clark III ** ** This program is free software; you can redistribute it and/or modify ** it under the terms of the GNU General Public License Version 2 as ** published by the Free Software Foundation. You may not use, modify or ** distribute this program under any other version of the GNU General ** Public License. ** ** This program is distributed in the hope that it will be useful, ** but WITHOUT ANY WARRANTY; without even the implied warranty of ** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ** GNU General Public License for more details. ** ** You should have received a copy of the GNU General Public License ** along with this program; if not, write to the Free Software ** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. */ sbool Thresh_By_Src ( int rule_position, char *ip_src, unsigned char *ip_src_bits, char *selector, char *syslog_message ); sbool Thresh_By_Dst ( int rule_position, char *ip_dst, unsigned char *ip_dst_bits, char *selector, char *syslog_message ); sbool Thresh_By_Username( int rule_position, char *normalize_username, char *selector, char *syslog_message ); sbool Thresh_By_SrcPort( int rule_position, uint32_t ip_srcport_u32, char *selector ); sbool Thresh_By_DstPort( int rule_position, uint32_t ip_dstport_u32, char *selector ); sagan-1.2.0/src/key.c0000644000175000017500000000327013310531444013270 0ustar champchamp/* ** Copyright (C) 2009-2018 Quadrant Information Security ** Copyright (C) 2009-2018 Champ Clark III ** ** This program is free software; you can redistribute it and/or modify ** it under the terms of the GNU General Public License Version 2 as ** published by the Free Software Foundation. You may not use, modify or ** distribute this program under any other version of the GNU General ** Public License. 
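**
** This program is distributed in the hope that it will be useful,
** but WITHOUT ANY WARRANTY; without even the implied warranty of
** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
** GNU General Public License for more details.
**
** You should have received a copy of the GNU General Public License
** along with this program; if not, write to the Free Software
** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
*/

/* key.c
 *
 * This runs as a thread for stdin.  This allows users, when running
 * in the foreground, to hit "enter" to see statistics of sagan.
 *
 */

#ifdef HAVE_CONFIG_H
#include "config.h"             /* From autoconf */
#endif

#include                        /* system header names were lost in extraction */
#include
#include
#include
#include
#include

#ifdef HAVE_SYS_PRCTL_H
#include
#endif

#include "version.h"
#include "sagan.h"
#include "sagan-defs.h"
#include "key.h"
#include "stats.h"

struct _SaganConfig *config;

/* Key_Handler
 *
 * Thread body for the interactive "press enter for statistics" feature.
 * Blocks on getchar() and calls Statistics() for every character read.
 *
 * Returns (ending the thread) when stdin reports EOF.  With stdin closed
 * or redirected from /dev/null, getchar() returns EOF immediately and on
 * every subsequent call, and the previous unconditional loop spun at full
 * CPU calling Statistics() each time round.
 */
void Key_Handler( void )
{

    (void)SetThreadName("SaganKeyhandler");

    while(1)
        {

            int key = getchar();

            if ( key == EOF )
                {
                    return;     /* no stdin to read - nothing left for this thread to do */
                }

            if ( key != 0 )
                {
                    Statistics();
                }

        }

}

sagan-1.2.0/src/output-plugins/0000755000175000017500000000000013310531444015351 5ustar champchamp
sagan-1.2.0/src/output-plugins/syslog-handler.c0000644000175000017500000000513513310531444020454 0ustar champchamp
/*
** Copyright (C) 2009-2018 Quadrant Information Security
** Copyright (C) 2009-2018 Champ Clark III
**
** This program is free software; you can redistribute it and/or modify
** it under the terms of the GNU General Public License Version 2 as
** published by the Free Software Foundation.  You may not use, modify or
** distribute this program under any other version of the GNU General
** Public License.
**
** This program is distributed in the hope that it will be useful,
** but WITHOUT ANY WARRANTY; without even the implied warranty of
** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
** GNU General Public License for more details.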
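**
** You should have received a copy of the GNU General Public License
** along with this program; if not, write to the Free Software
** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
*/

/* syslog-handler.c
 *
 * Send Sagan alerts to a remote syslog server using the same format that
 * Snort uses.
 *
 */

#ifdef HAVE_CONFIG_H
#include "config.h"             /* From autoconf */
#endif

#ifdef WITH_SYSLOG

#include                        /* system header names were lost in extraction */
#include
#include
#include
#include

#include "sagan.h"
#include "classifications.h"
#include "sagan-config.h"
#include "output-plugins/syslog-handler.h"

struct _Rule_Struct *rulestruct;
struct _SaganConfig *config;

/* Alert_Syslog
 *
 * Format one alert the way Snort's syslog output does and hand it to
 * syslog(3) with the facility/priority/options from the configuration.
 *
 * The rendered line is capped at 1024 bytes by snprintf(); anything longer
 * (the original syslog message sits at the end of the template, so it is
 * what gets cut) is truncated, never overflowed.  The line is passed to
 * syslog() as an argument to a fixed "%s" format, so '%' sequences inside
 * the original log message are not interpreted.
 */
void Alert_Syslog( _Sagan_Event *Event )
{

    char syslog_message_output[1024] = { 0 };
    char *tmp_proto = NULL;
    char classbuf[64];

    /* Template to mimic Snort syslog output */

    char *syslog_template = "[%lu:%s:%s] %s [Classification: %s] [Priority: %d] %s %s:%d -> %s:%d - %s";

    /* Protocol tag.  The old code first ran an always-true
       "!= 1 || != 6 || != 17" test that set {UNKNOWN} for every event and
       relied on the later ifs to overwrite it; this says what was meant. */

    switch ( Event->ip_proto )
        {
        case 1:
            tmp_proto = "{ICMP}";
            break;
        case 6:
            tmp_proto = "{TCP}";
            break;
        case 17:
            tmp_proto = "{UDP}";
            break;
        default:
            tmp_proto = "{UNKNOWN}";
            break;
        }

    Classtype_Lookup( Event->class, classbuf, sizeof(classbuf) );

    snprintf(syslog_message_output, sizeof(syslog_message_output), syslog_template, Event->generatorid, Event->sid, Event->rev, Event->f_msg, classbuf, Event->pri, tmp_proto, Event->ip_src, Event->src_port, Event->ip_dst, Event->dst_port, Event->message);

    /* Send syslog message */

    openlog("sagan", config->sagan_syslog_options, config->sagan_syslog_facility);
    syslog(config->sagan_syslog_priority, "%s", syslog_message_output);
    closelog();

}

#endif

sagan-1.2.0/src/output-plugins/syslog-handler.h0000644000175000017500000000217713310531444020464 0ustar champchamp
/*
** Copyright (C) 2009-2018 Quadrant Information Security
** Copyright (C) 2009-2018 Champ Clark III
**
** This program is free software; you can redistribute it and/or modify
** it under the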
terms of the GNU General Public License Version 2 as ** published by the Free Software Foundation. You may not use, modify or ** distribute this program under any other version of the GNU General ** Public License. ** ** This program is distributed in the hope that it will be useful, ** but WITHOUT ANY WARRANTY; without even the implied warranty of ** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ** GNU General Public License for more details. ** ** You should have received a copy of the GNU General Public License ** along with this program; if not, write to the Free Software ** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. */ /* sagan-syslog.c * * Send Sagan alerts to a remote syslog server using the same format that * Snort uses. * */ #ifdef HAVE_CONFIG_H #include "config.h" /* From autoconf */ #endif void Alert_Syslog( _Sagan_Event * ); sagan-1.2.0/src/output-plugins/fast.c0000644000175000017500000000450113310531444016452 0ustar champchamp/* ** Copyright (C) 2009-2018 Quadrant Information Security ** Copyright (C) 2009-2018 Champ Clark III ** ** This program is free software; you can redistribute it and/or modify ** it under the terms of the GNU General Public License Version 2 as ** published by the Free Software Foundation. You may not use, modify or ** distribute this program under any other version of the GNU General ** Public License. ** ** This program is distributed in the hope that it will be useful, ** but WITHOUT ANY WARRANTY; without even the implied warranty of ** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ** GNU General Public License for more details. ** ** You should have received a copy of the GNU General Public License ** along with this program; if not, write to the Free Software ** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. */ /* fast.c * * Provides logging functionality in a 'snort like' fast format. 
*
 */

#ifdef HAVE_CONFIG_H
#include "config.h"             /* From autoconf */
#endif

#include                        /* system header names were lost in extraction */
#include
#include
#include

#include "sagan.h"
#include "references.h"
#include "sagan-config.h"
#include "util-time.h"
#include "output-plugins/alert.h"

struct _Rule_Struct *rulestruct;
struct _SaganConfig *config;

/* Fast_Proto_Label
 *
 * Snort style protocol tag for the fast log line.  Anything that is not
 * ICMP, TCP or UDP is written as {UNKNOWN}.
 */
static const char *Fast_Proto_Label( int ip_proto )
{
    switch ( ip_proto )
        {
        case 1:
            return "{ICMP}";
        case 6:
            return "{TCP}";
        case 17:
            return "{UDP}";
        default:
            return "{UNKNOWN}";
        }
}

/* Fast_File
 *
 * Append one alert to the fast log stream in the Snort "fast" layout:
 * timestamp, [gid:sid], message, classification, priority, protocol tag,
 * then "src:port -> dst:port".  The stream is flushed after every line.
 * Event->class is written as-is here (the other plugins resolve it via
 * Classtype_Lookup()).
 */
void Fast_File( _Sagan_Event *Event )
{

    char timebuf[64];

    CreateTimeString(&Event->event_time, timebuf, sizeof(timebuf), 0);

    fprintf(config->sagan_fast_stream,
            "%s [**] [%lu:%s] %s [**] [Classification: %s] [Priority: %d] %s %s:%d -> %s:%d\n",
            timebuf, Event->generatorid, Event->sid, Event->f_msg, Event->class, Event->pri,
            Fast_Proto_Label(Event->ip_proto),
            Event->ip_src, Event->src_port, Event->ip_dst, Event->dst_port);

    fflush(config->sagan_fast_stream);

}

sagan-1.2.0/src/output-plugins/esmtp.h0000644000175000017500000000266113310531444016657 0ustar champchamp
/*
** Copyright (C) 2009-2018 Quadrant Information Security
** Copyright (C) 2009-2018 Champ Clark III
**
** This program is free software; you can redistribute it and/or modify
** it under the terms of the GNU General Public License Version 2 as
** published by the Free Software Foundation.  You may not use, modify or
** distribute this program under any other version of the GNU General
** Public License.
**
** This program is distributed in the hope that it will be useful,
** but WITHOUT ANY WARRANTY; without even the implied warranty of
** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
** GNU General Public License for more details.
** ** You should have received a copy of the GNU General Public License ** along with this program; if not, write to the Free Software ** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. */ /* sagan-esmtp.h */ #ifdef HAVE_CONFIG_H #include "config.h" /* From autoconf */ #endif #ifdef HAVE_LIBESMTP #define ESMTPTO 32 /* 'To' buffer size max */ #define ESMTPFROM 32 /* 'From' buffer size max */ #define ESMTPSERVER 32 /* SMTP server size max */ #define MAX_EMAILSIZE 15360 /* Largest e-mail that can be sent */ const char *esmtp_cb ( void **, int *, void * ); int ESMTP_Thread( _Sagan_Event * ); int FixLF(_SaganConfig *, char *, char *); #endif sagan-1.2.0/src/output-plugins/snortsam-twofish.h0000644000175000017500000002405113310531444021053 0ustar champchamp/* $Id: twofish.h,v 2.1 2008/12/15 20:36:05 fknobbe Exp $ * * * Copyright (C) 1997-2000 The Cryptix Foundation Limited. * Copyright (C) 2000 Farm9. * Copyright (C) 2001 Frank Knobbe. * All rights reserved. * * For Cryptix code: * Use, modification, copying and distribution of this software is subject * the terms and conditions of the Cryptix General Licence. You should have * received a copy of the Cryptix General Licence along with this library; * if not, you can download a copy from http://www.cryptix.org/ . * * For Farm9: * --- jojo@farm9.com, August 2000, converted from Java to C++, added CBC mode and * ciphertext stealing technique, added AsciiTwofish class for easy encryption * decryption of text strings * * Frank Knobbe : * --- April 2001, converted from C++ to C, prefixed global variables * with TwoFish, substituted some defines, changed functions to make use of * variables supplied in a struct, modified and added routines for modular calls. * Cleaned up the code so that defines are used instead of fixed 16's and 32's. * Created two general purpose crypt routines for one block and multiple block * encryption using Joh's CBC code. 
* Added crypt routines that use a header (with a magic and data length). * (Basically a major rewrite). * * Note: Routines labeled _TwoFish are private and should not be used * (or with extreme caution). * */ #ifndef __TWOFISH_LIBRARY_HEADER__ #define __TWOFISH_LIBRARY_HEADER__ #ifndef FALSE #define FALSE 0 #endif #ifndef TRUE #define TRUE !FALSE #endif #ifndef bool #define bool int #endif /* Constants */ #define TwoFish_DEFAULT_PW "SnortHas2FishEncryptionRoutines!" /* default password (not more than 32 chars) */ #define TwoFish_MAGIC "TwoFish" /* to indentify a successful decryption */ enum { TwoFish_KEY_SIZE = 256, /* Valid values: 64, 128, 192, 256 */ /* User 256, other key sizes have not been tested. */ /* (But should work. I substituted as much as */ /* I could with this define.) */ TwoFish_ROUNDS = 16, TwoFish_BLOCK_SIZE = 16, /* bytes in a data-block */ TwoFish_KEY_LENGTH = TwoFish_KEY_SIZE/8, /* 32= 256-bit key */ TwoFish_TOTAL_SUBKEYS = 4+4+2*TwoFish_ROUNDS, TwoFish_MAGIC_LEN = TwoFish_BLOCK_SIZE-8, TwoFish_SK_BUMP = 0x01010101, TwoFish_SK_ROTL = 9, TwoFish_P_00 = 1, TwoFish_P_01 = 0, TwoFish_P_02 = 0, TwoFish_P_03 = TwoFish_P_01 ^ 1, TwoFish_P_04 = 1, TwoFish_P_10 = 0, TwoFish_P_11 = 0, TwoFish_P_12 = 1, TwoFish_P_13 = TwoFish_P_11 ^ 1, TwoFish_P_14 = 0, TwoFish_P_20 = 1, TwoFish_P_21 = 1, TwoFish_P_22 = 0, TwoFish_P_23 = TwoFish_P_21 ^ 1, TwoFish_P_24 = 0, TwoFish_P_30 = 0, TwoFish_P_31 = 1, TwoFish_P_32 = 1, TwoFish_P_33 = TwoFish_P_31 ^ 1, TwoFish_P_34 = 1, TwoFish_GF256_FDBK = 0x169, TwoFish_GF256_FDBK_2 = 0x169 / 2, TwoFish_GF256_FDBK_4 = 0x169 / 4, TwoFish_RS_GF_FDBK = 0x14D, /* field generator */ TwoFish_MDS_GF_FDBK = 0x169 /* primitive polynomial for GF(256) */ }; /* Global data structure for callers */ typedef struct { u_int32_t sBox[4 * 256]; /* Key dependent S-box */ u_int32_t subKeys[TwoFish_TOTAL_SUBKEYS]; /* Subkeys */ u_int8_t key[TwoFish_KEY_LENGTH]; /* Encryption Key */ u_int8_t *output; /* Pointer to output buffer */ u_int8_t 
qBlockPlain[TwoFish_BLOCK_SIZE]; /* Used by CBC */ u_int8_t qBlockCrypt[TwoFish_BLOCK_SIZE]; u_int8_t prevCipher[TwoFish_BLOCK_SIZE]; struct /* Header for crypt functions. Has to be at least one block long. */ { u_int32_t salt; /* Random salt in first block (will salt the rest through CBC) */ u_int8_t length[4]; /* The amount of data following the header */ u_int8_t magic[TwoFish_MAGIC_LEN]; /* Magic to identify successful decryption */ } header; bool qBlockDefined; bool dontflush; } TWOFISH; #ifndef __TWOFISH_LIBRARY_SOURCE__ extern bool TwoFish_srand; /* if set to TRUE (default), first call of TwoFishInit will seed rand(); */ /* call of TwoFishInit */ #endif /**** Public Functions ****/ /* TwoFish Initialization * * This routine generates a global data structure for use with TwoFish, * initializes important values (such as subkeys, sBoxes), generates subkeys * and precomputes the MDS matrix if not already done. * * Input: User supplied password (will be appended by default password of 'SnortHas2FishEncryptionRoutines!') * * Output: Pointer to TWOFISH structure. This data structure contains key dependent data. * This pointer is used with all other crypt functions. */ TWOFISH *TwoFishInit(char *userkey); /* TwoFish Destroy * * Nothing else but a free... * * Input: Pointer to the TwoFish structure. * */ void TwoFishDestroy(TWOFISH *tfdata); /* TwoFish Alloc * * Allocates enough memory for the output buffer as required. * * Input: Length of the plaintext. * Boolean flag for BinHex Output. * Pointer to the TwoFish structure. * * Output: Returns a pointer to the memory allocated. */ void *TwoFishAlloc(unsigned long len,bool binhex,bool decrypt,TWOFISH *tfdata); /* TwoFish Free * * Free's the allocated buffer. * * Input: Pointer to the TwoFish structure * * Output: (none) */ void TwoFishFree(TWOFISH *tfdata); /* TwoFish Set Output * * If you want to allocate the output buffer yourself, * then you can set it with this function. 
* * Input: Pointer to your output buffer * Pointer to the TwoFish structure * * Output: (none) */ void TwoFishSetOutput(char *outp,TWOFISH *tfdata); /* TwoFish Raw Encryption * * Does not use header, but does use CBC (if more than one block has to be encrypted). * * Input: Pointer to the buffer of the plaintext to be encrypted. * Pointer to the buffer receiving the ciphertext. * The length of the plaintext buffer. * The TwoFish structure. * * Output: The amount of bytes encrypted if successful, otherwise 0. */ unsigned long TwoFishEncryptRaw(char *in,char *out,unsigned long len,TWOFISH *tfdata); /* TwoFish Raw Decryption * * Does not use header, but does use CBC (if more than one block has to be decrypted). * * Input: Pointer to the buffer of the ciphertext to be decrypted. * Pointer to the buffer receiving the plaintext. * The length of the ciphertext buffer (at least one cipher block). * The TwoFish structure. * * Output: The amount of bytes decrypted if successful, otherwise 0. */ unsigned long TwoFishDecryptRaw(char *in,char *out,unsigned long len,TWOFISH *tfdata); /* TwoFish Encryption * * Uses header and CBC. If the output area has not been intialized with TwoFishAlloc, * this routine will alloc the memory. In addition, it will include a small 'header' * containing the magic and some salt. That way the decrypt routine can check if the * packet got decrypted successfully, and return 0 instead of garbage. * * Input: Pointer to the buffer of the plaintext to be encrypted. * Pointer to the pointer to the buffer receiving the ciphertext. * The pointer either points to user allocated output buffer space, or to NULL, in which case * this routine will set the pointer to the buffer allocated through the struct. * The length of the plaintext buffer. * Can be -1 if the input is a null terminated string, in which case we'll count for you. * Boolean flag for BinHex Output (if used, output will be twice as large as input). 
* Note: BinHex conversion overwrites (converts) input buffer! * The TwoFish structure. * * Output: The amount of bytes encrypted if successful, otherwise 0. */ unsigned long TwoFishEncrypt(char *in,char **out,signed long len,bool binhex,TWOFISH *tfdata); /* TwoFish Decryption * * Uses header and CBC. If the output area has not been intialized with TwoFishAlloc, * this routine will alloc the memory. In addition, it will check the small 'header' * containing the magic. If magic does not match we return 0. Otherwise we return the * amount of bytes decrypted (should be the same as the length in the header). * * Input: Pointer to the buffer of the ciphertext to be decrypted. * Pointer to the pointer to the buffer receiving the plaintext. * The pointer either points to user allocated output buffer space, or to NULL, in which case * this routine will set the pointer to the buffer allocated through the struct. * The length of the ciphertext buffer. * Can be -1 if the input is a null terminated binhex string, in which case we'll count for you. * Boolean flag for BinHex Input (if used, plaintext will be half as large as input). * Note: BinHex conversion overwrites (converts) input buffer! * The TwoFish structure. * * Output: The amount of bytes decrypted if successful, otherwise 0. 
*/ unsigned long TwoFishDecrypt(char *in,char **out,signed long len,bool binhex,TWOFISH *tfdata); /**** Private Functions ****/ u_int8_t TwoFish__b(u_int32_t x,int n); void _TwoFish_BinHex(u_int8_t *buf,unsigned long len,bool bintohex); unsigned long _TwoFish_CryptRawCBC(char *in,char *out,unsigned long len,bool decrypt,TWOFISH *tfdata); unsigned long _TwoFish_CryptRaw16(char *in,char *out,unsigned long len,bool decrypt,TWOFISH *tfdata); unsigned long _TwoFish_CryptRaw(char *in,char *out,unsigned long len,bool decrypt,TWOFISH *tfdata); void _TwoFish_PrecomputeMDSmatrix(void); void _TwoFish_MakeSubKeys(TWOFISH *tfdata); void _TwoFish_qBlockPush(u_int8_t *p,u_int8_t *c,TWOFISH *tfdata); void _TwoFish_qBlockPop(u_int8_t *p,u_int8_t *c,TWOFISH *tfdata); void _TwoFish_ResetCBC(TWOFISH *tfdata); void _TwoFish_FlushOutput(u_int8_t *b,unsigned long len,TWOFISH *tfdata); void _TwoFish_BlockCrypt(u_int8_t *in,u_int8_t *out,unsigned long size,int decrypt,TWOFISH *tfdata); void _TwoFish_BlockCrypt16(u_int8_t *in,u_int8_t *out,bool decrypt,TWOFISH *tfdata); u_int32_t _TwoFish_RS_MDS_Encode(u_int32_t k0,u_int32_t k1); u_int32_t _TwoFish_F32(u_int32_t k64Cnt,u_int32_t x,u_int32_t *k32); u_int32_t _TwoFish_Fe320(u_int32_t *lsBox,u_int32_t x); u_int32_t _TwoFish_Fe323(u_int32_t *lsBox,u_int32_t x); u_int32_t _TwoFish_Fe32(u_int32_t *lsBox,u_int32_t x,u_int32_t R); #endif sagan-1.2.0/src/output-plugins/eve.c0000644000175000017500000000306213310531444016275 0ustar champchamp/* ** Copyright (C) 2009-2018 Quadrant Information Security ** Copyright (C) 2009-2018 Champ Clark III ** ** This program is free software; you can redistribute it and/or modify ** it under the terms of the GNU General Public License Version 2 as ** published by the Free Software Foundation. You may not use, modify or ** distribute this program under any other version of the GNU General ** Public License. 
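**
** This program is distributed in the hope that it will be useful,
** but WITHOUT ANY WARRANTY; without even the implied warranty of
** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
** GNU General Public License for more details.
**
** You should have received a copy of the GNU General Public License
** along with this program; if not, write to the Free Software
** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
*/

/* eve.c
 *
 * Write alerts in a JSON/Suricata like format
 *
 */

#ifdef HAVE_CONFIG_H
#include "config.h"             /* From autoconf */
#endif

#include #include
#include "sagan.h"
#include "sagan-defs.h"
#include "json-handler.h"
#include "output-plugins/eve.h"
#include "sagan-config.h"

struct _SaganConfig *config;

/* Alert_JSON - write one alert to the EVE (JSON) output stream.
 *
 * Event: the alert to serialise.  It is formatted by Format_JSON_Alert_EVE()
 *        into a stack buffer of MAX_SYSLOGMSG+1024 bytes; the buffer size is
 *        passed along, so bounding the output is the formatter's job.
 *
 * Nothing is written, and config->eve_stream is not touched, unless
 * config->eve_alerts is set.  The flush now lives inside that guard: the
 * previous version flushed unconditionally, which with an EVE output that
 * was never opened (eve_stream still NULL, presumably - not visible here)
 * is fflush(NULL), i.e. a flush of every open output stream on every alert.
 */
void Alert_JSON( _Sagan_Event *Event )
{
    char alert_data[MAX_SYSLOGMSG+1024];

    if ( config->eve_alerts != true )
        {
            return;
        }

    Format_JSON_Alert_EVE( Event, alert_data, sizeof(alert_data) );
    fprintf(config->eve_stream, "%s\n", alert_data);

    /* Flush per record so a consumer tailing the file sees it promptly. */
    fflush(config->eve_stream);
}

sagan-1.2.0/src/output-plugins/fast.h0000644000175000017500000000201213310531444016452 0ustar champchamp/*
** Copyright (C) 2009-2018 Quadrant Information Security
** Copyright (C) 2009-2018 Champ Clark III
**
** This program is free software; you can redistribute it and/or modify
** it under the terms of the GNU General Public License Version 2 as
** published by the Free Software Foundation. You may not use, modify or
** distribute this program under any other version of the GNU General
** Public License.
**
** This program is distributed in the hope that it will be useful,
** but WITHOUT ANY WARRANTY; without even the implied warranty of
** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
** GNU General Public License for more details.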
** ** You should have received a copy of the GNU General Public License ** along with this program; if not, write to the Free Software ** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. */ #ifdef HAVE_CONFIG_H #include "config.h" /* From autoconf */ #endif void Fast_File( _Sagan_Event *); sagan-1.2.0/src/output-plugins/external.h0000644000175000017500000000203013310531444017337 0ustar champchamp/* ** Copyright (C) 2009-2018 Quadrant Information Security ** Copyright (C) 2009-2018 Champ Clark III ** ** This program is free software; you can redistribute it and/or modify ** it under the terms of the GNU General Public License Version 2 as ** published by the Free Software Foundation. You may not use, modify or ** distribute this program under any other version of the GNU General ** Public License. ** ** This program is distributed in the hope that it will be useful, ** but WITHOUT ANY WARRANTY; without even the implied warranty of ** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ** GNU General Public License for more details. ** ** You should have received a copy of the GNU General Public License ** along with this program; if not, write to the Free Software ** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. */ #ifdef HAVE_CONFIG_H #include "config.h" /* From autoconf */ #endif void External_Thread( _Sagan_Event *, char * ); sagan-1.2.0/src/output-plugins/snortsam.c0000644000175000017500000015101113310531444017362 0ustar champchamp/* ** Copyright (C) 2009-2018 Quadrant Information Security ** Copyright (C) 2009-2018 Champ Clark III ** ** This program is free software; you can redistribute it and/or modify ** it under the terms of the GNU General Public License Version 2 as ** published by the Free Software Foundation. You may not use, modify or ** distribute this program under any other version of the GNU General ** Public License. 
** ** This program is distributed in the hope that it will be useful, ** but WITHOUT ANY WARRANTY; without even the implied warranty of ** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ** GNU General Public License for more details. ** ** You should have received a copy of the GNU General Public License ** along with this program; if not, write to the Free Software ** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. */ /* snortsam.c * * This allows Sagan to send block information to firewall via Snortsam. For * more information, see http://www.snortsam.net * * This is useful it you want to block an event network wide. Cool stuff! * * The majority of the code was taken from the samtool.c which is distributed * with Snortsam. * */ /* * Original Snortsam copyright information: * * Copyright (c) 2001-2009 Frank Knobbe * All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED. 
IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 *
 *
 * This is the remote module that listens for snort alerts generated with the
 * Alert_FWsam plug-in. This module provides secure gateway functionality between
 * the snort alerts and various firewalls. It listens to the snort alerts, and can
 * invoke a block on following firewalls:
 * - Checkpoint Firewall-1 (by sending an OPSEC packet to port 18183,
 *   either via the OPSEC API, or using a self-assembled packet, or by execution
 *   of the fw.exe through command line.
 * - Cisco PIX (by telnetting into the PIX and issuing the SHUN command)
 * - Cisco Routers (by telnetting into the router and modifying the ACL)
 * - Cisco Routers (by telnetting into the router and adding a null-route)
 * - Netscreen firewalls (by telnetting in the Netscreen and adding IP's to a group
 *   which is denied access in the policy)
 */

#ifdef HAVE_CONFIG_H
#include "config.h"             /* From autoconf */
#endif

#ifdef WITH_SNORTSAM

#include #include
#include "sagan.h"
#include "sagan-defs.h"
#include "rules.h"
#include "sagan-config.h"
#include "output-plugins/snortsam.h"

#define NUM_HOSTS 255       /* capacity of the blockip[]/blockpeer[] tables (plus one spare slot) */
#define FWSAM_NETWAIT 1000  /* rounds of waitms(10) to wait for an agent reply in the recv loops */
#define FWSAM_NETHOLD 6000  /* rounds of waitms(10) to stay on an agent HOLD reply */

struct _Rule_Struct *rulestruct;
struct _SaganDebug *debug;
struct _SaganConfig *config;

/* Block request state shared between FWSam() and FWsamBlock().  These are
 * process-wide globals, not per-call state: FWSam() fills them while holding
 * fwsam_mutex and FWsamBlock() reads them, so anything else that calls
 * FWsamBlock() must take the mutex first.  blockip[] holds addresses in
 * network byte order as returned by inet_addr(); blockpeer[] is only read in
 * the visible code, so it stays all-zero.  checkout is not referenced in the
 * visible code. */
unsigned long blockip[NUM_HOSTS +1],blockpeer[NUM_HOSTS +1],blockduration=0,blocksid=0;
unsigned short blockport=0,blockproto=0,blocklog=FWSAM_LOG_NONE,blockhow=FWSAM_HOW_INOUT,blockmode=FWSAM_STATUS_BLOCK,checkout=true;

/* Serialises FWSam(); required because the block parameters above are globals. */
pthread_mutex_t fwsam_mutex = PTHREAD_MUTEX_INITIALIZER;

/* FWSam - output plug-in entry point.  Turns a fired rule into one SnortSam
 * block request and hands it to FWsamBlock().
 *
 * Event: the alert.  Event->found indexes rulestruct[] for the rule's
 *        fwsam_seconds (block duration) and fwsam_src_or_dst (1 = block the
 *        source address, anything else = block the destination address);
 *        Event->sid is parsed with atol() as the signature id sent to the
 *        agent.
 *
 * Runs under fwsam_mutex for its whole duration.  The address strings are
 * converted with inet_addr() and not validated, so an unparsable Event->ip_*
 * is passed on as INADDR_NONE.  FWsamBlock()'s return value is collected in
 * retval but never examined or returned; a failed block is only visible
 * through the warnings FWsamBlock() logs.
 */
void FWSam( _Sagan_Event *Event )
{
    pthread_mutex_lock(&fwsam_mutex);
    int retval=0;

    blockduration=rulestruct[Event->found].fwsam_seconds;
    blocksid=atol(Event->sid);

    if ( rulestruct[Event->found].fwsam_src_or_dst == 1 )
        {
            blockip[0]=inet_addr(Event->ip_src);
            blockip[1]=0;   /* presumably terminates the list for FWsamBlock()'s ipidx loop - the loop condition is not legible in this rendering */
        }
    else
        {
            blockip[0]=inet_addr(Event->ip_dst);
            blockip[1]=0;
        }

    retval|=FWsamBlock(config->sagan_fwsam_info);   /* "host[:port][/password]" from the config */
    pthread_mutex_unlock(&fwsam_mutex);
}

/* FWsamBlock - deliver the block described by the globals above to one
 * SnortSam agent: parse the agent spec, resolve it, check in, send the
 * encrypted block packet and wait for the reply.
 *
 * arg: agent spec of the form "host[:port][/password]".  host may be a
 *      dotted-quad or a name; names go through gethostbyname(), which is not
 *      reentrant - the only visible caller holds fwsam_mutex, but other
 *      threads in the process resolving names would still race with it.
 *      The spec is copied into a 512-byte local with strlcpy(), so a longer
 *      spec is silently truncated.  port defaults to FWSAM_DEFAULTPORT and
 *      password to the empty string when absent.
 *
 * Returns 1 when the host cannot be resolved or parsed (a warning is logged
 * and the entry ignored).  The remaining return paths are not legible in
 * this rendering, and the function body continues past this block.
 *
 * NOTE(review): the resolve path below does
 * `samip=*(unsigned long *)hoste->h_addr;` - on LP64 that reads
 * sizeof(unsigned long) (8) bytes from an address-list entry that is
 * h_length (4 for AF_INET) bytes long, i.e. an over-read; only the low 32
 * bits are used via s_addr.  Copying sizeof(struct in_addr) bytes with
 * memcpy() would be the safe form.
 *
 * NOTE(review): the session sequence number and the four mykeymod bytes
 * that FWsamNewStationKey() folds into the TwoFish key come from rand();
 * no srand() is visible in this fragment.  rand() is not a cryptographic
 * generator, so the secrecy of the re-keyed session rests on the shared
 * password, not on these values.
 */
int FWsamBlock(char *arg)
{
    char str[512],*p,*encbuf,*decbuf,*samport,*sampass,*samhost;
    int i,error=true,len,ipidx=0,peeridx=0;
    FWsamPacket sampacket;
    struct hostent *hoste;
    unsigned long samip;
    FWsamStation station;

    strlcpy(str,arg, sizeof(str));
    samhost=str;
    samport=NULL;
    sampass=NULL;

    /* split "host[:port][/password]" in place: the first ':' or '/' ends the
     * host; a ':' section runs to the next '/'; the rest is the password */
    p=str;
    while(*p && *p!=':' && *p!='/')
        p++;
    if(*p==':')
        {
            *p++=0;
            if(*p)
                samport=p;
            while(*p && *p!='/')
                p++;
        }
    if(*p=='/')
        {
            *p++=0;
            if(*p)
                sampass=p;
        }

    samip=0;
    /* not a dotted-quad (INADDR_NONE also matches "255.255.255.255") -> resolve the name */
    if(inet_addr(samhost)==INADDR_NONE)
        {
            hoste=gethostbyname(samhost);
            if(!hoste)
                {
                    Sagan_Log(WARN, "[%s, line %d] Unable to resolve host '%s', ignoring entry!"
, __FILE__, __LINE__, samhost); return(1); } else samip=*(unsigned long *)hoste->h_addr; } else { samip=inet_addr(samhost); if(!samip) { Sagan_Log(WARN, "[%s, line %d] Invalid host address '%s', ignoring entry!", __FILE__, __LINE__, samhost); return(1); } } station.stationip.s_addr=samip; if(samport!=NULL && atoi(samport)>0) station.stationport=atoi(samport); else station.stationport=FWSAM_DEFAULTPORT; if(sampass!=NULL) { strncpy(station.stationkey,sampass,TwoFish_KEY_LENGTH); station.stationkey[TwoFish_KEY_LENGTH]=0; } else station.stationkey[0]=0; strlcpy(station.initialkey,station.stationkey,sizeof(station.initialkey)); station.stationfish=TwoFishInit(station.stationkey); station.localsocketaddr.sin_port=htons(0); station.localsocketaddr.sin_addr.s_addr=0; station.localsocketaddr.sin_family=AF_INET; station.stationsocketaddr.sin_port=htons(station.stationport); station.stationsocketaddr.sin_addr=station.stationip; station.stationsocketaddr.sin_family=AF_INET; do station.myseqno=rand(); while(station.myseqno<20 || station.myseqno>65500); station.mykeymod[0]=rand(); station.mykeymod[1]=rand(); station.mykeymod[2]=rand(); station.mykeymod[3]=rand(); station.stationseqno=0; station.persistentsocket=true; station.packetversion=FWSAM_PACKETVERSION_PERSISTENT_CONN; if(FWsamCheckIn(&station)) { error=false; do { ipidx=0; do { if(!station.persistentsocket) { /* create a socket for the station */ station.stationsocket=socket(PF_INET,SOCK_STREAM,IPPROTO_TCP); if(station.stationsocket==INVALID_SOCKET) { Sagan_Log(WARN, "[%s, line %d] Invalid Socket error!", __FILE__, __LINE__ ); error=true; } if(bind(station.stationsocket,(struct sockaddr *)&(station.localsocketaddr),sizeof(struct sockaddr))) { Sagan_Log(WARN, "[%s, line %d] Can not bind socket!", __FILE__, __LINE__); error=true; } } else error=false; if(!error) { if(!station.persistentsocket) { /* let's connect to the agent */ if(connect(station.stationsocket,(struct sockaddr *)&station.stationsocketaddr,sizeof(struct 
sockaddr))) { Sagan_Log(WARN, "[%s, line %d] Could not send block to host %s.", __FILE__, __LINE__, inet_ntoa(station.stationip)); closesocket(station.stationsocket); error=true; } } if(!error) { if( debug->debugfwsam ) { Sagan_Log(DEBUG, "[FWsamBlock] Connected to host %s. %s IP %s", inet_ntoa(station.stationip),blockmode==FWSAM_STATUS_BLOCK?"Blocking":"Unblocking",inettoa(blockip[ipidx])); } /* now build the packet */ station.myseqno+=station.stationseqno; /* increase my seqno by adding agent seq no */ sampacket.endiancheck=1; /* This is an endian indicator for Snortsam */ sampacket.snortseqno[0]=(char)station.myseqno; sampacket.snortseqno[1]=(char)(station.myseqno>>8); sampacket.fwseqno[0]=(char)station.stationseqno;/* fill station seqno */ sampacket.fwseqno[1]=(char)(station.stationseqno>>8); sampacket.status=blockmode; /* set block action */ sampacket.version=station.packetversion; /* set packet version */ sampacket.duration[0]=(char)blockduration; /* set duration */ sampacket.duration[1]=(char)(blockduration>>8); sampacket.duration[2]=(char)(blockduration>>16); sampacket.duration[3]=(char)(blockduration>>24); sampacket.fwmode=blocklog|blockhow|FWSAM_WHO_SRC; /* set the mode */ sampacket.dstip[0]=(char)blockpeer[peeridx]; /* destination IP */ sampacket.dstip[1]=(char)(blockpeer[peeridx]>>8); sampacket.dstip[2]=(char)(blockpeer[peeridx]>>16); sampacket.dstip[3]=(char)(blockpeer[peeridx]>>24); sampacket.srcip[0]=(char)blockip[ipidx]; /* source IP */ sampacket.srcip[1]=(char)(blockip[ipidx]>>8); sampacket.srcip[2]=(char)(blockip[ipidx]>>16); sampacket.srcip[3]=(char)(blockip[ipidx]>>24); sampacket.protocol[0]=(char)blockproto; /* protocol */ sampacket.protocol[1]=(char)(blockproto>>8);/* protocol */ if(blockproto==6 || blockproto==17) { sampacket.dstport[0]=(char)blockport; sampacket.dstport[1]=(char)(blockport>>8); } else sampacket.dstport[0]=sampacket.dstport[1]=0; sampacket.srcport[0]=sampacket.srcport[1]=0; sampacket.sig_id[0]=(char)blocksid; /* set signature 
ID */ sampacket.sig_id[1]=(char)(blocksid>>8); sampacket.sig_id[2]=(char)(blocksid>>16); sampacket.sig_id[3]=(char)(blocksid>>24); if( debug->debugfwsam ) { Sagan_Log(DEBUG, "[FWsamBlock] Sending %s",blockmode==FWSAM_STATUS_BLOCK?"BLOCK":"UNBLOCK"); Sagan_Log(DEBUG, "[FWsamBlock] Snort SeqNo: %x",station.myseqno); Sagan_Log(DEBUG, "[FWsamBlock] Mgmt SeqNo : %x",station.stationseqno); Sagan_Log(DEBUG, "[FWsamBlock] Status : %i",blockmode); Sagan_Log(DEBUG, "[FWsamBlock] Version : %i",station.packetversion); Sagan_Log(DEBUG, "[FWsamBlock] Mode : %i",blocklog|blockhow|FWSAM_WHO_SRC); Sagan_Log(DEBUG, "[FWsamBlock] Duration : %li",blockduration); Sagan_Log(DEBUG, "[FWsamBlock] Protocol : %i",blockproto); Sagan_Log(DEBUG, "[FWsamBlock] Src IP : %s",inettoa(blockip[ipidx])); Sagan_Log(DEBUG, "[FWsamBlock] Src Port : %i",0); Sagan_Log(DEBUG, "[FWsamBlock] Dest IP : %s",inettoa(blockpeer[peeridx])); Sagan_Log(DEBUG, "[FWsamBlock] Dest Port : %i",blockport); Sagan_Log(DEBUG, "[FWsamBlock] Sig_ID : %lu",blocksid); } encbuf=TwoFishAlloc(sizeof(FWsamPacket),false,false,station.stationfish); /* get the encryption buffer */ len=TwoFishEncrypt((char *)&sampacket,(char **)&encbuf,sizeof(FWsamPacket),false,station.stationfish); /* encrypt the packet with current key */ if(send(station.stationsocket,encbuf,len,0)!=len) /* weird...could not send */ { Sagan_Log(WARN, "[%s, line %d] Could not send to host %s" , __FILE__, __LINE__, inet_ntoa(station.stationip)); closesocket(station.stationsocket); error=true; } else { i=FWSAM_NETWAIT; ioctlsocket(station.stationsocket,FIONBIO,&i); /* set non blocking and wait for */ while(i-- >1) /* the response packet */ { waitms(10); /* wait for response (default maximum 3 secs */ if(recv(station.stationsocket,encbuf,len,0)==len) i=0; /* if we received packet we set the counter to 0. */ /* by the time we check with if, it's already dec'ed to -1 */ } if(!i) /* id we timed out (i was one, then dec'ed)... 
*/ { Sagan_Log(WARN, "[%s, line %d] Did not receive response from host %s" , __FILE__, __LINE__, inet_ntoa(station.stationip) ); closesocket(station.stationsocket); error=true; } else /* got a packet */ { decbuf=(char *)&sampacket; /* get the pointer to the packet struct */ len=TwoFishDecrypt(encbuf,(char **)&decbuf,sizeof(FWsamPacket)+TwoFish_BLOCK_SIZE,false,station.stationfish); /* try to decrypt the packet with current key */ if(len!=sizeof(FWsamPacket)) /* invalid decryption */ { strlcpy(station.stationkey,station.initialkey,sizeof(station.stationkey)); /* try the intial key */ TwoFishDestroy(station.stationfish); station.stationfish=TwoFishInit(station.stationkey); /* re-initialize the TwoFish with the intial key */ len=TwoFishDecrypt(encbuf,(char **)&decbuf,sizeof(FWsamPacket)+TwoFish_BLOCK_SIZE,false,station.stationfish); /* try again to decrypt */ if ( debug->debugfwsam ) Sagan_Log(DEBUG, "FWsamCheckOut] Had to use initial key!"); } if(len==sizeof(FWsamPacket)) /* valid decryption */ { if(sampacket.version==station.packetversion) /* master speaks my language */ { if(sampacket.status==FWSAM_STATUS_OK || sampacket.status==FWSAM_STATUS_NEWKEY || sampacket.status==FWSAM_STATUS_RESYNC || sampacket.status==FWSAM_STATUS_HOLD) { station.stationseqno=sampacket.fwseqno[0] | (sampacket.fwseqno[1]<<8); /* get stations seqno */ station.lastcontact=(unsigned long)time(NULL); /* set the last contact time (not used yet) */ if ( debug->debugfwsam ) { Sagan_Log(DEBUG, "[FWsamBlock] Received %s",sampacket.status==FWSAM_STATUS_OK?"OK": sampacket.status==FWSAM_STATUS_NEWKEY?"NEWKEY": sampacket.status==FWSAM_STATUS_RESYNC?"RESYNC": sampacket.status==FWSAM_STATUS_HOLD?"HOLD":"ERROR"); Sagan_Log(DEBUG, "[FWsamBlock] Snort SeqNo: %x",sampacket.snortseqno[0]|(sampacket.snortseqno[1]<<8)); Sagan_Log(DEBUG, "[FWsamBlock] Mgmt SeqNo : %x",station.stationseqno); Sagan_Log(DEBUG, "[FWsamBlock] Status : %i",sampacket.status); Sagan_Log(DEBUG, "[FWsamBlock] Version : 
%i",sampacket.version); } if(sampacket.status==FWSAM_STATUS_HOLD) { i=FWSAM_NETHOLD; /* Stay on hold for a maximum of 60 secs (default) */ while(i-- >1) /* the response packet */ { waitms(10); /* wait for response */ if(recv(station.stationsocket,encbuf,sizeof(FWsamPacket)+TwoFish_BLOCK_SIZE,0)==sizeof(FWsamPacket)+TwoFish_BLOCK_SIZE) i=0; /* if we received packet we set the counter to 0. */ } if(!i) /* id we timed out (i was one, then dec'ed)... */ { Sagan_Log(WARN, "[%s, line %d] Did not receive response from host %s" , __FILE__, __LINE__, inet_ntoa(station.stationip) ); error=true; sampacket.status=FWSAM_STATUS_ERROR; } else /* got a packet */ { decbuf=(char *)&sampacket; /* get the pointer to the packet struct */ len=TwoFishDecrypt(encbuf,(char **)&decbuf,sizeof(FWsamPacket)+TwoFish_BLOCK_SIZE,false,station.stationfish); /* try to decrypt the packet with current key */ if(len!=sizeof(FWsamPacket)) /* invalid decryption */ { strlcpy(station.stationkey,station.initialkey,sizeof(station.stationkey)); /* try the intial key */ TwoFishDestroy(station.stationfish); station.stationfish=TwoFishInit(station.stationkey); /* re-initialize the TwoFish with the intial key */ len=TwoFishDecrypt(encbuf,(char **)&decbuf,sizeof(FWsamPacket)+TwoFish_BLOCK_SIZE,false,station.stationfish); /* try again to decrypt */ if ( debug->debugfwsam ) Sagan_Log(DEBUG, "[FWsamBlock] Had to use initial key again!"); } if( debug->debugfwsam ) { Sagan_Log(DEBUG, "[FWsamBlock] Received %s", sampacket.status==FWSAM_STATUS_OK?"OK": sampacket.status==FWSAM_STATUS_NEWKEY?"NEWKEY": sampacket.status==FWSAM_STATUS_RESYNC?"RESYNC": sampacket.status==FWSAM_STATUS_HOLD?"HOLD":"ERROR"); Sagan_Log(DEBUG, "[FWsamBlock] Snort SeqNo: %x",sampacket.snortseqno[0]|(sampacket.snortseqno[1]<<8)); Sagan_Log(DEBUG, "[FWsamBlock] Mgmt SeqNo : %x",station.stationseqno); Sagan_Log(DEBUG, "[FWsamBlock] Status : %i",sampacket.status); Sagan_Log(DEBUG, "[FWsamBlock] Version : %i",sampacket.version); } 
if(len!=sizeof(FWsamPacket)) /* invalid decryption */ { Sagan_Log(WARN, "[%s, line %d] Password mismatch! Ignoring host %s" , __FILE__, __LINE__, inet_ntoa(station.stationip)); error=true; sampacket.status=FWSAM_STATUS_ERROR; } else if(sampacket.version!=station.packetversion) /* invalid protocol version */ { Sagan_Log(WARN, "[%s, line %d] Protocol version error! Ignoring host %s" , __FILE__, __LINE__, inet_ntoa(station.stationip)); error=true; sampacket.status=FWSAM_STATUS_ERROR; } else if(sampacket.status!=FWSAM_STATUS_OK && sampacket.status!=FWSAM_STATUS_NEWKEY && sampacket.status!=FWSAM_STATUS_RESYNC) { Sagan_Log(WARN, "[%s, line %d] Funky handshake error! Ignoring host %s" , __FILE__, __LINE__, inet_ntoa(station.stationip)); error=true; sampacket.status=FWSAM_STATUS_ERROR; } } } if(sampacket.status==FWSAM_STATUS_RESYNC) /* if station want's to resync... */ { strlcpy(station.stationkey,station.initialkey,sizeof(station.stationkey)); /* ...we use the intial key... */ memcpy(station.fwkeymod,sampacket.duration,4); /* and note the random key modifier */ } if(sampacket.status==FWSAM_STATUS_NEWKEY || sampacket.status==FWSAM_STATUS_RESYNC) { FWsamNewStationKey(&station,&sampacket); /* generate new TwoFish keys */ if( debug->debugfwsam ) Sagan_Log(NORMAL, "[%s, line %d] Generated new encryption key.... " , __FILE__, __LINE__); } if(!station.persistentsocket) closesocket(station.stationsocket); } else if(sampacket.status==FWSAM_STATUS_ERROR) /* if SnortSam reports an error on second try, */ { closesocket(station.stationsocket); /* something is messed up and ... */ error=true; Sagan_Log(WARN, "[%s, line %d] Undetermined error right after CheckIn! Ignoring host %s" , __FILE__, __LINE__, inet_ntoa(station.stationip)); } else /* an unknown status means trouble... */ { Sagan_Log(WARN, "[%s, line %d] Funky handshake error! Ignoring host %s!" 
, __FILE__, __LINE__, inet_ntoa(station.stationip)); closesocket(station.stationsocket); error=true; } } else /* if the SnortSam agent uses a different packet version, we have no choice but to ignore it. */ { Sagan_Log(WARN, "[%s, line %d] Protocol version errror! Ignoring host %s!" , __FILE__, __LINE__, inet_ntoa(station.stationip)); closesocket(station.stationsocket); error=true; } } else /* if the intial key failed to decrypt as well, the keys are not configured the same, and we ignore that SnortSam station. */ { Sagan_Log(WARN, "[%s, line %d] Password mismatch! Ignoring host %s!" , __FILE__, __LINE__, inet_ntoa(station.stationip)); closesocket(station.stationsocket); error=true; } } } free(encbuf); /* release of the TwoFishAlloc'ed encryption buffer */ } } ipidx++; } while(!error && ipidxstationsocket=socket(PF_INET,SOCK_STREAM,IPPROTO_TCP); if(station->stationsocket==INVALID_SOCKET) { Sagan_Log(WARN, "[%s, line %d] Invalid Socket errror!" , __FILE__, __LINE__); return false; } if(bind(station->stationsocket,(struct sockaddr *)&(station->localsocketaddr),sizeof(struct sockaddr))) { Sagan_Log(WARN, "[%s, line %d] Can not bind to socket!" 
, __FILE__, __LINE__); return false; } /* let's connect to the agent */ if(connect(station->stationsocket,(struct sockaddr *)&station->stationsocketaddr,sizeof(struct sockaddr))) { Sagan_Log(WARN, "[%s, line %d] Could not connect to host %s", __FILE__, __LINE__, inet_ntoa(station->stationip)); return false; } else { if ( debug->debugfwsam ) { Sagan_Log(WARN, "[FWsamCheckIn] Connected to host %s", inet_ntoa(station->stationip)); } /* now build the packet */ sampacket.endiancheck=1; sampacket.snortseqno[0]=(char)station->myseqno; /* fill my sequence number number */ sampacket.snortseqno[1]=(char)(station->myseqno>>8); /* fill my sequence number number */ sampacket.status=FWSAM_STATUS_CHECKIN; /* let's check in */ sampacket.version=station->packetversion; /* set the packet version */ memcpy(sampacket.duration,station->mykeymod,4); /* we'll send SnortSam our key modifier in the duration slot */ /* (the checkin packet is just the plain initial key) */ if ( debug->debugfwsam ) { Sagan_Log(DEBUG, "[FWsamCheckIn] Sending CHECKIN"); Sagan_Log(DEBUG, "[FWsamCheckIn] Snort SeqNo: %x",station->myseqno); Sagan_Log(DEBUG, "[FWsamCheckIn] Mode : %i",sampacket.status); Sagan_Log(DEBUG, "[FWsamCheckIn] Version : %i",sampacket.version); } encbuf=TwoFishAlloc(sizeof(FWsamPacket),false,false,station->stationfish); /* get buffer for encryption */ len=TwoFishEncrypt((char *)&sampacket,(char **)&encbuf,sizeof(FWsamPacket),false,station->stationfish); /* encrypt with initial key */ if(send(station->stationsocket,encbuf,len,0)!=len) /* weird...could not send */ Sagan_Log(WARN, "Could not send to host %s", inet_ntoa(station->stationip)); else { i=FWSAM_NETWAIT; ioctlsocket(station->stationsocket,FIONBIO,&i); /* set non blocking and wait for */ while(i-- >1) { waitms(10); /* wait a maximum of 3 secs for response */ if(recv(station->stationsocket,encbuf,len,0)==len) i=0; } if(!i) /* time up? 
*/ Sagan_Log(WARN, "Did not receive response from host %s", inet_ntoa(station->stationip)); else { decbuf=(char *)&sampacket; /* got status packet */ len=TwoFishDecrypt(encbuf,(char **)&decbuf,sizeof(FWsamPacket)+TwoFish_BLOCK_SIZE,false,station->stationfish); /* try to decrypt with initial key */ if(len==sizeof(FWsamPacket)) /* valid decryption */ { if ( debug->debugfwsam ) { Sagan_Log(DEBUG, "[FWsamCheckIn] Received %s",sampacket.status==FWSAM_STATUS_OK?"OK": sampacket.status==FWSAM_STATUS_NEWKEY?"NEWKEY": sampacket.status==FWSAM_STATUS_RESYNC?"RESYNC": sampacket.status==FWSAM_STATUS_HOLD?"HOLD":"ERROR"); Sagan_Log(DEBUG, "[FWsamCheckIn] Snort SeqNo: %x",sampacket.snortseqno[0]|(sampacket.snortseqno[1]<<8)); Sagan_Log(DEBUG, "[FWsamCheckIn] Mgmt SeqNo : %x",sampacket.fwseqno[0]|(sampacket.fwseqno[1]<<8)); Sagan_Log(DEBUG, "[FWsamCheckIn] Status : %i",sampacket.status); Sagan_Log(DEBUG, "[FWsamCheckIn] Version : %i",sampacket.version); } if(sampacket.version==FWSAM_PACKETVERSION_PERSISTENT_CONN || sampacket.version==FWSAM_PACKETVERSION) /* master speaks my language */ { if(sampacket.status==FWSAM_STATUS_OK || sampacket.status==FWSAM_STATUS_NEWKEY || sampacket.status==FWSAM_STATUS_RESYNC) { station->stationseqno=sampacket.fwseqno[0]|(sampacket.fwseqno[1]<<8); /* get stations seqno */ station->lastcontact=(unsigned long)time(NULL); stationok=true; station->packetversion=sampacket.version; if(sampacket.version==FWSAM_PACKETVERSION) station->persistentsocket=false; if(sampacket.status==FWSAM_STATUS_NEWKEY || sampacket.status==FWSAM_STATUS_RESYNC) /* generate new keys */ { memcpy(station->fwkeymod,sampacket.duration,4); /* note the key modifier */ FWsamNewStationKey(station,&sampacket); /* and generate new TwoFish keys (with key modifiers) */ if ( debug->debugfwsam ) Sagan_Log(DEBUG, "[FWsamCheckIn] Generated new encryption key....."); } } else if(sampacket.status==FWSAM_STATUS_ERROR && sampacket.version==FWSAM_PACKETVERSION) { if(station->persistentsocket) { 
Sagan_Log(WARN, "[%s, line %d] Host %s doesn't support packet version %i for persistent connections. Trying packet version %i!" , __FILE__, __LINE__, inet_ntoa(station->stationip),FWSAM_PACKETVERSION_PERSISTENT_CONN,FWSAM_PACKETVERSION);
                                    /* fall back to the non-persistent protocol and repeat the check-in */
                                    station->persistentsocket=false;
                                    station->packetversion=FWSAM_PACKETVERSION;
                                    again=true;
                                }
                            else
                                Sagan_Log(WARN, "[%s, line %d] Protocol version mismatch! Ignoring host %s", __FILE__, __LINE__, inet_ntoa(station->stationip));
                        }
                    else /* weird, got a strange status back */
                        Sagan_Log(WARN, "[%s, line %d] Funky handshake error! Ignoring host %s!", __FILE__, __LINE__, inet_ntoa(station->stationip));
                }
            else /* packet version does not match */
                Sagan_Log(WARN, "[%s, line %d] Potocol version error! Ignoring host %s!", __FILE__, __LINE__, inet_ntoa(station->stationip));
        }
    else /* key does not match */
        Sagan_Log(WARN, "[%s, line %d] Password mismatch! Ignoring host %s!",__FILE__, __LINE__, inet_ntoa(station->stationip));
    }
    }
    free(encbuf); /* release TwoFishAlloc'ed buffer */
    }
    /* only a successful persistent check-in keeps the socket open for later packets */
    if(!(stationok && station->persistentsocket))
        closesocket(station->stationsocket);
    }
while(again);   /* second pass only after the packet-version fallback above */

return stationok;
}

/* waitms - sleep for dur milliseconds (usleep() granularity). */
void waitms(unsigned int dur)
{
    usleep(dur*1000);
}

/* Generates a new encryption key for TwoFish based on seq numbers and a random that
 * the SnortSam agents send on checkin (in protocol)
 *
 * station: the agent whose stationkey/stationfish are replaced in place.
 * packet:  the agent's NEWKEY/RESYNC reply, already decrypted.
 *
 * Key layout (TwoFish_KEY_LENGTH bytes, handled as a C string):
 *   [0..1] our sequence number, [2..3] the agent's sequence number,
 *   [4..5] the agent's random (carried in packet->protocol),
 *   [6..]  the previous key; then bytes 0..3 are XORed with our mykeymod
 *   and bytes 4..7 with the agent's fwkeymod.  Because the result is copied
 *   with strlcpy() and handed to TwoFishInit() as a char *, a zero byte
 *   would end the key early, so the loop below bumps any zero in bytes 0..7
 *   to 1.  Both ends run the same derivation, which is what keeps them in
 *   sync.
 *
 * NOTE(review): mykeymod is filled from rand() in FWsamBlock() (no srand()
 * is visible in this fragment).  rand() is not a cryptographic generator;
 * the secrecy of the derived key rests on the shared password carried in
 * the old key, not on these modifiers.
 */
void FWsamNewStationKey(FWsamStation *station,FWsamPacket *packet)
{
    unsigned char newkey[TwoFish_KEY_LENGTH+2];
    int i;

    newkey[0]=packet->snortseqno[0]; /* current snort seq # (which both know) */
    newkey[1]=packet->snortseqno[1];
    newkey[2]=packet->fwseqno[0]; /* current SnortSam seq # (which both know) */
    newkey[3]=packet->fwseqno[1];
    newkey[4]=packet->protocol[0]; /* the random SnortSam chose */
    newkey[5]=packet->protocol[1];
    strncpy( (char *)newkey+6,station->stationkey,TwoFish_KEY_LENGTH-6); /* append old key */
    newkey[TwoFish_KEY_LENGTH]=0;
    newkey[0]^=station->mykeymod[0]; /* modify key with key modifiers which were */
    newkey[1]^=station->mykeymod[1]; /* exchanged during the check-in handshake. */
    newkey[2]^=station->mykeymod[2];
    newkey[3]^=station->mykeymod[3];
    newkey[4]^=station->fwkeymod[0];
    newkey[5]^=station->fwkeymod[1];
    newkey[6]^=station->fwkeymod[2];
    newkey[7]^=station->fwkeymod[3];

    for(i=0; i<=7; i++)
        if(newkey[i]==0)
            newkey[i]++;   /* keep the key free of NUL bytes (see header comment) */

    // safecopy(station->stationkey,newkey);
    strlcpy(station->stationkey,(const char *)newkey,sizeof(station->stationkey));
    TwoFishDestroy(station->stationfish);
    station->stationfish=TwoFishInit( (char *)newkey);
}

/* This function (together with the define in snortsam.h) attempts
 * to prevent buffer overflows by checking the destination buffer size.
 * (This appears to describe the safecopy() helper that is no longer in this
 * file - see the commented-out call above; strlcpy() is used instead.) */

/* inettoa - inet_ntoa() wrapper returning the dotted-quad string for ip.
 *
 * NOTE(review): the original comment here claimed 256 rotating results and
 * thread-safety.  The code keeps one static 20-byte buffer, so every call
 * overwrites the previous result, two inettoa() calls in the same printf
 * argument list print the same address, and the function is not thread-safe
 * (neither is the inet_ntoa() it wraps).  The visible callers run under
 * fwsam_mutex, which is what makes this tolerable.
 */
char *inettoa(unsigned long ip)
{
    struct in_addr ips;
    static char addr[20];

    ips.s_addr=ip;
    strncpy(addr,inet_ntoa(ips),19);
    addr[19]=0;     /* strncpy() does not guarantee termination */
    return addr;
}

/* FWsamCheckOut will be called when samtool exits. It de-registers this tool
 * from the list of sensors that the SnortSam agent keeps.
 *
 * station: the agent to check out from.  A non-persistent station gets a
 *          fresh TCP socket, bound to station->localsocketaddr and connected
 *          to station->stationsocketaddr; a persistent station reuses
 *          station->stationsocket.  The function body continues past this
 *          block.
 */
void FWsamCheckOut(FWsamStation *station)
{
    FWsamPacket sampacket;
    int i,len;
    char *encbuf,*decbuf;

    if(!station->persistentsocket)
        {
            station->stationsocket=socket(PF_INET,SOCK_STREAM,IPPROTO_TCP);
            if(station->stationsocket==INVALID_SOCKET)
                {
                    Sagan_Log(WARN, "[%s, line %d] Invalid socket error!" , __FILE__, __LINE__);
                    return;
                }
            if(bind(station->stationsocket,(struct sockaddr *)&(station->localsocketaddr),sizeof(struct sockaddr)))
                {
                    Sagan_Log(WARN, "[%s, line %d] Can not bind socket!"
, __FILE__, __LINE__); return; } /* let's connect to the agent */ i=!connect(station->stationsocket,(struct sockaddr *)&station->stationsocketaddr,sizeof(struct sockaddr)); } else i=true; if(i) { if( debug->debugfwsam ) Sagan_Log(DEBUG, "[FWsamCheckOut] Disconnecting from host %s",inet_ntoa(station->stationip)); /* now build the packet */ station->myseqno+=station->stationseqno; /* increase my seqno */ sampacket.endiancheck=1; sampacket.snortseqno[0]=(char)station->myseqno; sampacket.snortseqno[1]=(char)(station->myseqno>>8); sampacket.fwseqno[0]=(char)station->stationseqno; /* fill station seqno */ sampacket.fwseqno[1]=(char)(station->stationseqno>>8); sampacket.status=FWSAM_STATUS_CHECKOUT; /* checking out... */ sampacket.version=station->packetversion; if( debug->debugfwsam ) { Sagan_Log(DEBUG, "[FWsamCheckOut] Sending CHECKOUT"); Sagan_Log(DEBUG, "[FWsamCheckOut] Snort SeqNo: %x",station->myseqno); Sagan_Log(DEBUG, "[FWsamCheckOut] Mgmt SeqNo : %x",station->stationseqno); Sagan_Log(DEBUG, "[FWsamCheckOut] Status : %i",sampacket.status); } encbuf=TwoFishAlloc(sizeof(FWsamPacket),false,false,station->stationfish); /* get encryption buffer */ len=TwoFishEncrypt((char *)&sampacket,(char **)&encbuf,sizeof(FWsamPacket),false,station->stationfish); /* encrypt packet with current key */ if(send(station->stationsocket,encbuf,len,0)==len) { i=FWSAM_NETWAIT; ioctlsocket(station->stationsocket,FIONBIO,&i); /* set non blocking and wait for */ while(i-- >1) { waitms(10); /* ...wait a maximum of 3 secs for response... */ if(recv(station->stationsocket,encbuf,len,0)==len) /* ... 
for the status packet */ i=0; } if(i) /* if we got the packet */ { decbuf=(char *)&sampacket; len=TwoFishDecrypt(encbuf,(char **)&decbuf,sizeof(FWsamPacket)+TwoFish_BLOCK_SIZE,false,station->stationfish); if(len!=sizeof(FWsamPacket)) /* invalid decryption */ { strlcpy(station->stationkey,station->initialkey,sizeof(station->stationkey)); /* try initial key */ TwoFishDestroy(station->stationfish); /* toss this fish */ station->stationfish=TwoFishInit(station->stationkey); /* re-initialze TwoFish with initial key */ len=TwoFishDecrypt(encbuf,(char **)&decbuf,sizeof(FWsamPacket)+TwoFish_BLOCK_SIZE,false,station->stationfish); /* and try to decrypt again */ if( debug->debugfwsam ) Sagan_Log(DEBUG, "[FWsamCheckOut] Had to use initial key!"); } if(len==sizeof(FWsamPacket)) /* valid decryption */ { if(sampacket.version!=station->packetversion) /* but don't really care since we are on the way out */ Sagan_Log(WARN, "[%s, line %d] Protocol version error!", __FILE__, __LINE__ ); } else Sagan_Log(WARN, "[%s, line %d] Password mismatch!", __FILE__, __LINE__); } } free(encbuf); /* release TwoFishAlloc'ed buffer */ } else Sagan_Log(WARN, "[%s, line %d] Could not connect to host %s for CheckOut", __FILE__, __LINE__, inet_ntoa(station->stationip)); closesocket(station->stationsocket); station->persistentsocket=false; } #endif sagan-1.2.0/src/output-plugins/eve.h0000644000175000017500000000201413310531444016276 0ustar champchamp/* ** Copyright (C) 2009-2018 Quadrant Information Security ** Copyright (C) 2009-2018 Champ Clark III ** ** This program is free software; you can redistribute it and/or modify ** it under the terms of the GNU General Public License Version 2 as ** published by the Free Software Foundation. You may not use, modify or ** distribute this program under any other version of the GNU General ** Public License. 
**
** This program is distributed in the hope that it will be useful,
** but WITHOUT ANY WARRANTY; without even the implied warranty of
** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
** GNU General Public License for more details.
**
** You should have received a copy of the GNU General Public License
** along with this program; if not, write to the Free Software
** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
*/

/* sagan-alert-json.h
 *
 * Write alerts in a JSON/Suricata like format
 *
 */

/* Entry point of this output plugin: takes the event to be written out. */
void Alert_JSON( _Sagan_Event * );
sagan-1.2.0/src/output-plugins/esmtp.c0000644000175000017500000002063113310531444016647 0ustar champchamp/*
** Copyright (C) 2009-2018 Quadrant Information Security
** Copyright (C) 2009-2018 Champ Clark III
**
** This program is free software; you can redistribute it and/or modify
** it under the terms of the GNU General Public License Version 2 as
** published by the Free Software Foundation. You may not use, modify or
** distribute this program under any other version of the GNU General
** Public License.
**
** This program is distributed in the hope that it will be useful,
** but WITHOUT ANY WARRANTY; without even the implied warranty of
** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
** GNU General Public License for more details.
**
** You should have received a copy of the GNU General Public License
** along with this program; if not, write to the Free Software
** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
*/

/* esmtp.c
 *
 * Threaded output for e-mail support via the libesmtp. For more information
 * about libesmtp, please see: http://www.stafford.uklinux.net/libesmtp.
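* */

#ifdef HAVE_CONFIG_H
#include "config.h" /* From autoconf */
#endif

#ifdef HAVE_LIBESMTP

/* NOTE(review): the system header names (the text between '<' and '>') were
 * lost when this listing was extracted; the bare "#include" lines below are
 * kept exactly as found. */
#include
#include
#include /* Needs to be after above headers */
#include
#include
#include
#include
#include "sagan.h"
#include "sagan-defs.h"
#include "sagan-config.h"
#include "references.h"
#include "rules.h"
#include "esmtp.h"
#include "util-time.h"
#include "version.h"

struct _Rule_Struct *rulestruct;
struct _SaganDebug *debug;
struct _SaganConfig *config;
struct _SaganCounters *counters;

pthread_mutex_t CounterESMTPCountFailed=PTHREAD_MUTEX_INITIALIZER;
pthread_mutex_t CounterESMTPCountSuccess=PTHREAD_MUTEX_INITIALIZER;

/* Bump the shared "mail failed" counter under its mutex.  Every failure
 * path of ESMTP_Thread goes through here so the count stays consistent. */
static void ESMTP_Count_Failed( void )
{
    pthread_mutex_lock(&CounterESMTPCountFailed);
    counters->esmtp_count_failed++;
    pthread_mutex_unlock(&CounterESMTPCountFailed);
}

/* ESMTP_Thread
 *
 * Builds one alert e-mail for Event and hands it to libesmtp.  Every failure
 * is logged and counted in counters->esmtp_count_failed; a delivered message
 * is counted in counters->esmtp_count_success.  Always returns 0 so that a
 * mail problem does not stop the caller (alerts may be stored another way).
 *
 * The header lines come from the configuration and the matching rule;
 * Event->message (raw log content) only ever lands in the body, and FixLF
 * normalises its line endings to CRLF before the message is handed over.
 *
 * Input:  the event to mail (Event->found indexes rulestruct[]).
 * Output: 0.
 */
int ESMTP_Thread ( _Sagan_Event *Event )
{
    char tmpref[256];
    char timebuf[64];
    char tmpa[MAX_EMAILSIZE];
    char tmpb[MAX_EMAILSIZE];
    int r = 0;

    /* libesmtp handles.  'session' is declared up here and starts out NULL so
     * that the failure: path can never destroy an uninitialised handle; the
     * original code jumped to failure: from before the declaration. */
    smtp_session_t session = NULL;
    smtp_message_t message;
    smtp_recipient_t recipient;
    const smtp_status_t *status;
    struct sigaction sa;

    Reference_Lookup( Event->found, 0, tmpref, sizeof(tmpref));
    CreateTimeString(&Event->event_time, timebuf, sizeof(timebuf), 1);

    /* snprintf() NUL-terminates within tmpa, so an over-long alert is sent
     * truncated rather than failing; only an encoding error (r < 0) aborts. */
    if ((r = snprintf(tmpa, sizeof(tmpa),
                      "MIME-Version: 1.0\r\n"
                      "Content-Type: text/plain;\r\n"
                      "Content-Transfer-Encoding: 8bit\r\n"
                      "From: %s\r\n"
                      "To: %s\r\n"
                      "Subject: %s%s\r\n"
                      "\r\n\n"
                      "[**] [%lu:%s] %s [**]\n"
                      "[Classification: %s] [Priority: %d] [%s]\n"
                      "[Alert Time: %s]\n"
                      "%s %s %s:%d -> %s:%d %s %s\n"
                      "Syslog message: %s\r\n%s\n\r",
                      config->sagan_esmtp_from,
                      rulestruct[Event->found].email,
                      config->sagan_email_subject,
                      Event->f_msg,
                      Event->generatorid,
                      Event->sid,
                      Event->f_msg,
                      Event->class,
                      Event->pri,
                      Event->host,
                      timebuf,
                      Event->date,
                      Event->time,
                      Event->ip_src,
                      Event->src_port,
                      Event->ip_dst,
                      Event->dst_port,
                      Event->facility,
                      Event->priority,
                      Event->message,
                      tmpref)) < 0)
    {
        Sagan_Log(NORMAL, "[%s, line %d] Cannot build mail.", __FILE__, __LINE__);
        ESMTP_Count_Failed();   /* was the only failure that went uncounted */
        goto failure;
    }

    /* Start building libesmtp connection information */

    /* libesmtp writes to a socket; a peer that hangs up must not kill the
     * whole daemon with SIGPIPE. */
    sa.sa_handler = SIG_IGN;
    sigemptyset (&sa.sa_mask);
    sa.sa_flags = 0;
    sigaction (SIGPIPE, &sa, NULL);

    if((session = smtp_create_session ()) == NULL)
    {
        Sagan_Log(WARN, "[%s, line %d] Cannot create smtp session.", __FILE__, __LINE__);
        ESMTP_Count_Failed();
        goto failure;
    }

    if((message = smtp_add_message (session)) == NULL)
    {
        Sagan_Log(WARN, "[%s, line %d] Cannot add message to smtp session.", __FILE__, __LINE__);
        ESMTP_Count_Failed();
        goto failure;
    }

    if(!smtp_set_server (session, config->sagan_esmtp_server))
    {
        Sagan_Log(WARN, "[%s, line %d] Cannot set smtp server.", __FILE__, __LINE__);
        ESMTP_Count_Failed();
        goto failure;
    }

    if((r = FixLF(config, tmpb, tmpa)) <= 0)
    {
        Sagan_Log(WARN, "[%s, line %d] Cannot FixLF.", __FILE__, __LINE__);
        ESMTP_Count_Failed();
        goto failure;
    }

    if(!smtp_set_message_str (message, tmpb))
    {
        Sagan_Log(WARN, "[%s, line %d] Cannot set message string.", __FILE__, __LINE__);
        ESMTP_Count_Failed();
        goto failure;
    }

    if(!smtp_set_reverse_path (message, config->sagan_esmtp_from))
    {
        Sagan_Log(WARN, "[%s, line %d] Cannot reverse path.", __FILE__, __LINE__);
        ESMTP_Count_Failed();
        goto failure;
    }

    if((recipient = smtp_add_recipient (message, rulestruct[Event->found].email)) == NULL)
    {
        Sagan_Log(WARN, "[%s, line %d] Cannot add recipient.", __FILE__, __LINE__);
        ESMTP_Count_Failed();
        goto failure;
    }

    if (!smtp_start_session (session))
    {
        char errtmp[128];
        const char *errstr = smtp_strerror (smtp_errno (), errtmp, sizeof(errtmp));

        /* We log the error, but keep going. While SMTP failed,
         * we might be storing alerts another way */
        Sagan_Log(WARN, "[%s, line %d] SMTP Error: %s", __FILE__, __LINE__, (errstr != NULL) ? errstr : "unknown");
        ESMTP_Count_Failed();
    }
    else
    {
        /* SMTP sent successful */
        status = smtp_message_transfer_status (message);

        pthread_mutex_lock(&CounterESMTPCountSuccess);
        counters->esmtp_count_success++;
        pthread_mutex_unlock(&CounterESMTPCountSuccess);

        if ( debug->debugesmtp )
            Sagan_Log(DEBUG, "SMTP %d %s", status->code, (status->text != NULL) ? status->text : "\n");
    }

failure:
    if (session != NULL)
        smtp_destroy_session (session);

    return(0);
}

/* FixLF
 *
 * Copies s into d, turning every bare '\n' into "\r\n" (the SMTP line
 * ending).  Both buffers are MAX_EMAILSIZE bytes (tmpa/tmpb above); input
 * that does not fit is cut and logged.
 *
 * NOTE(review): the for-loop header and the tail of this function were
 * garbled when this listing was extracted (the text between '<' and '>' is
 * missing) and are kept as found.  The one change is the truncation
 * terminator, which used to be written to d[MAX_EMAILSIZE] -- one byte past
 * the end of the MAX_EMAILSIZE-byte destination.
 *
 * Input:  config (unused here), destination d, source s.
 * Output: number of bytes written to d (per the visible returns, 0 when d or
 *         s is NULL).
 */
int FixLF( _SaganConfig *config, char *d, char *s)
{
    int sl=0;
    int i=0;
    int j=0;

    if(d == NULL)
    {
        return 0;
    }

    if(s == NULL)
    {
        d[0] = '\0';
        return 0;
    }

    if((sl=strlen(s)) >= MAX_EMAILSIZE)
    {
        s[MAX_EMAILSIZE]='\0';
        sl=MAX_EMAILSIZE;
        Sagan_Log(WARN, "[%s, line %d] Mail too large.", __FILE__, __LINE__);
    }

    for(i=0; i=MAX_EMAILSIZE)
    {
        d[MAX_EMAILSIZE-1]='\0';   /* last valid byte of d, not one past it */
        Sagan_Log(WARN, "[%s, line %d] Mail too large.", __FILE__, __LINE__);
        break;
    }
    if(i>0 && s[i] == '\n' && s[i-1] != '\r')
    {
        d[j++] = '\r';
    }
    d[j++] = s[i];
    }
    if(j ** Copyright (C) 2009-2018 Champ Clark III
**
** This program is free software; you can redistribute it and/or modify
** it under the terms of the GNU General Public License Version 2 as
** published by the Free Software Foundation. You may not use, modify or
** distribute this program under any other version of the GNU General
** Public License.
**
** This program is distributed in the hope that it will be useful,
** but WITHOUT ANY WARRANTY; without even the implied warranty of
** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
** GNU General Public License for more details.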
**
** You should have received a copy of the GNU General Public License
** along with this program; if not, write to the Free Software
** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
*/

#ifdef HAVE_CONFIG_H
#include "config.h"
#endif

/* sagan-unified2.h */

#if defined(HAVE_DNET_H) || defined(HAVE_DUMBNET_H)

/* NOTE(review): the two system header names (between '<' and '>') were lost
 * when this listing was extracted; the bare "#include" lines are kept as found. */
#include
#include

/* Unified2 record type codes.  Judging by the "type N" remarks on the structs
 * below these are what goes into Serial_Unified2_Header.type. */
#define UNIFIED2_PACKET 2
#define UNIFIED2_IDS_EVENT 7
#define UNIFIED2_IDS_EVENT_IPV6 72
#define UNIFIED2_IDS_EVENT_MPLS 99
#define UNIFIED2_IDS_EVENT_IPV6_MPLS 100
#define UNIFIED2_IDS_EVENT_VLAN 104
#define UNIFIED2_IDS_EVENT_IPV6_VLAN 105
#define UNIFIED2_EXTRA_DATA 110

/* Return codes of SaganSnprintf() */
#define SAGAN_SNPRINTF_ERROR -1
#define SAGAN_SNPRINTF_TRUNCATION 1
#define SAGAN_SNPRINTF_SUCCESS 0

#define SAFEMEM_SUCCESS 1
#define IP_MAXPACKET 65535 /* maximum packet size */
#define SAFEMEM_ERROR 0
#define SAFEMEM_SUCCESS 1 /* second, identical definition of the macro above (harmless) */
#define ERRORRET return SAFEMEM_ERROR; /* note: the ';' is part of the macro */

/* Worst-case size of one X-Forwarded-For extra-data record (IPv6 address). */
#define MAX_XFF_WRITE_BUF_LENGTH (sizeof(Serial_Unified2_Header) + \
sizeof(Unified2ExtraDataHdr) + sizeof(SerialUnified2ExtraData) \
+ sizeof(struct in6_addr))

#define DECODE_BLEN 65535
#define EVENT_TYPE_EXTRA_DATA 4

void Unified2( _Sagan_Event * );
void Unified2LogPacketAlert( _Sagan_Event * );
void Unified2InitFile( void );
int SaganSnprintf(char *buf, size_t buf_size, const char *format, ...);
void *SaganAlloc( unsigned long );
void Unified2CleanExit( void );
void Unified2WriteExtraData( _Sagan_Event *, int );

/* Data structure used for serialization of Unified2 Records */
/* Record header: type code (see the UNIFIED2_* defines) and record length. */
typedef struct _Serial_Unified2_Header
{
    uint32_t type;
    uint32_t length;
} Serial_Unified2_Header;

//UNIFIED2_PACKET = type 2
typedef struct _Serial_Unified2Packet
{
    uint32_t sensor_id;
    uint32_t event_id;
    uint32_t event_second;
    uint32_t packet_second;
    uint32_t packet_microsecond;
    uint32_t linktype;
    uint32_t packet_length;
    uint8_t packet_data[4];   /* start of the packet bytes; the record is longer than this struct */
} Serial_Unified2Packet;

//---------------LEGACY, type '7'
//These structures are not used anymore in the product
typedef struct _Serial_Unified2IDSEvent_legacy
{
    uint32_t sensor_id;
    uint32_t event_id;
    uint32_t event_second;
    uint32_t event_microsecond;
    uint32_t signature_id;
    uint32_t generator_id;
    uint32_t signature_revision;
    uint32_t classification_id;
    uint32_t priority_id;
    uint32_t ip_source;
    uint32_t ip_destination;
    uint16_t sport_itype;
    uint16_t dport_icode;
    uint8_t protocol;
    uint8_t impact_flag;//sets packet_action
    uint8_t impact;
    uint8_t blocked;
} Serial_Unified2IDSEvent_legacy;

/* Same layout as above with 128-bit addresses (type UNIFIED2_IDS_EVENT_IPV6). */
typedef struct _Serial_Unified2IDSEventIPv6_legacy
{
    uint32_t sensor_id;
    uint32_t event_id;
    uint32_t event_second;
    uint32_t event_microsecond;
    uint32_t signature_id;
    uint32_t generator_id;
    uint32_t signature_revision;
    uint32_t classification_id;
    uint32_t priority_id;
    struct in6_addr ip_source;
    struct in6_addr ip_destination;
    uint16_t sport_itype;
    uint16_t dport_icode;
    uint8_t protocol;
    uint8_t impact_flag;
    uint8_t impact;
    uint8_t blocked;
} Serial_Unified2IDSEventIPv6_legacy;

/* Helpers that pick the IPv4 or IPv6 legacy struct based on 'type'.
 * 'legacy' is an untyped pointer to the record being filled. */
#define UNIFIED_SET(legacy, type, member, value) { \
if (type == UNIFIED2_IDS_EVENT_IPV6) { \
((Serial_Unified2IDSEventIPv6_legacy *)legacy)->member = value; \
} else { \
((Serial_Unified2IDSEvent_legacy *)legacy)->member = value; \
} \
}

#define UNIFIED_OFF(legacy, type, member) ( \
type == UNIFIED2_IDS_EVENT_IPV6 ? \
offsetof(Serial_Unified2IDSEventIPv6_legacy, member) : \
offsetof(Serial_Unified2IDSEvent_legacy, member) \
)

#define UNIFIED_SIZE(legacy, type) ( \
type == UNIFIED2_IDS_EVENT_IPV6 ? \
sizeof(Serial_Unified2IDSEventIPv6_legacy) : \
sizeof(Serial_Unified2IDSEvent_legacy) \
)

#define UNIFIED_MEMBER_SIZE(legacy, type, member) ( \
type == UNIFIED2_IDS_EVENT_IPV6 ? \
sizeof(((Serial_Unified2IDSEventIPv6_legacy *)legacy)->member) : \
sizeof(((Serial_Unified2IDSEvent_legacy *)legacy)->member) \
)

/* The below is from packet.h from Snort */

/* Fixed-width timeval so the on-disk layout does not depend on the host's time_t. */
struct sf_timeval32
{
    uint32_t tv_sec; /* seconds */
    uint32_t tv_usec; /* microseconds */
};

typedef struct _Event
{
    uint32_t sig_generator; /* which part of snort generated the alert? */
    uint32_t sig_id; /* sig id for this generator */
    uint32_t sig_rev; /* sig revision for this id */
    uint32_t classification; /* event classification */
    uint32_t priority; /* event priority */
    uint32_t event_id; /* event ID */
    uint32_t event_reference; /* reference to other events that have gone off,
                               * such as in the case of tagged packets... */
    struct sf_timeval32 ref_time; /* reference time for the event reference */
} Event;

typedef enum _EventDataType
{
    EVENT_DATA_TYPE_BLOB = 1,
    EVENT_DATA_TYPE_MAX
} EventDataType;

//UNIFIED2_EXTRA_DATA - type 110
typedef struct _SerialUnified2ExtraData
{
    uint32_t sensor_id;
    uint32_t event_id;
    uint32_t event_second;
    uint32_t type; /* EventInfo */
    uint32_t data_type; /*EventDataType */
    uint32_t blob_length; /* Length of the data + sizeof(blob_length) + sizeof(data_type)*/
} SerialUnified2ExtraData;

typedef struct _Unified2ExtraDataHdr
{
    uint32_t event_type;
    uint32_t event_length;
} Unified2ExtraDataHdr;

/* Values for SerialUnified2ExtraData.type */
typedef enum _EventInfoEnum
{
    EVENT_INFO_XFF_IPV4 = 1,
    EVENT_INFO_XFF_IPV6,
    EVENT_INFO_REVIEWED_BY,
    EVENT_INFO_GZIP_DATA,
    EVENT_INFO_SMTP_FILENAME,
    EVENT_INFO_SMTP_MAILFROM,
    EVENT_INFO_SMTP_RCPTTO,
    EVENT_INFO_SMTP_EMAIL_HDRS,
    EVENT_INFO_HTTP_URI,
    EVENT_INFO_HTTP_HOSTNAME,
    EVENT_INFO_IPV6_SRC,
    EVENT_INFO_IPV6_DST,
    EVENT_INFO_JSNORM_DATA
} EventInfoEnum;

#endif
sagan-1.2.0/src/output-plugins/snortsam-twofish.c0000644000175000017500000012353113310531444021051 0ustar champchamp/* $Id: twofish.c,v 2.1 2008/12/15 20:36:05 fknobbe Exp $
 *
 *
 * Copyright (C) 1997-2000 The Cryptix Foundation Limited.
 * Copyright (C) 2000 Farm9.
 * Copyright (C) 2001 Frank Knobbe.
 * All rights reserved.
 *
 * For Cryptix code:
 * Use, modification, copying and distribution of this software is subject
 * the terms and conditions of the Cryptix General Licence. You should have
 * received a copy of the Cryptix General Licence along with this library;
 * if not, you can download a copy from http://www.cryptix.org/ .
*
* For Farm9:
* --- jojo@farm9.com, August 2000, converted from Java to C++, added CBC mode and
* ciphertext stealing technique, added AsciiTwofish class for easy encryption
* decryption of text strings
*
* Frank Knobbe :
* --- April 2001, converted from C++ to C, prefixed global variables
* with TwoFish, substituted some defines, changed functions to make use of
* variables supplied in a struct, modified and added routines for modular calls.
* Cleaned up the code so that defines are used instead of fixed 16's and 32's.
* Created two general purpose crypt routines for one block and multiple block
* encryption using Joh's CBC code.
* Added crypt routines that use a header (with a magic and data length).
* (Basically a major rewrite).
*
* Note: Routines labeled _TwoFish are private and should not be used
* (or with extreme caution).
*
*/

#ifndef __TWOFISH_LIBRARY_SOURCE__
#define __TWOFISH_LIBRARY_SOURCE__

/* NOTE(review): the six system header names (between '<' and '>') were lost
 * when this listing was extracted; the bare "#include" lines are kept as found. */
#include
#include
#include
#include
#include
#include

#ifdef WIN32
/* Fixed-width aliases that the MSVC headers do not provide. */
#ifndef u_long
typedef unsigned long u_long;
#endif
#ifndef u_int32_t
typedef unsigned long u_int32_t;
#endif
#ifndef u_word
typedef unsigned short u_word;
#endif
#ifndef u_int16_t
typedef unsigned short u_int16_t;
#endif
#ifndef u_char
typedef unsigned char u_char;
#endif
#ifndef u_int8_t
typedef unsigned char u_int8_t;
#endif
#endif /* WIN32 */

#include "output-plugins/snortsam-twofish.h"

/* Cleared by the first TwoFishInit() after it calls srand().  Plain global
 * with no locking visible in this file -- concurrent first calls from
 * several threads could both seed. */
bool TwoFish_srand=true; /* if TRUE, first call of TwoFishInit will seed rand(); */
/* of TwoFishInit */

/* Fixed 8x8 permutation S-boxes */
/* Constant Twofish permutations q0 (p0) and q1 (p1); indexed by
 * _TwoFish_PrecomputeMDSmatrix() to build TwoFish_MDS. */
static const u_int8_t TwoFish_P[2][256] =
{
    { /* p0 */
        0xA9, 0x67, 0xB3, 0xE8, 0x04, 0xFD, 0xA3, 0x76, 0x9A, 0x92, 0x80, 0x78, 0xE4, 0xDD, 0xD1, 0x38,
        0x0D, 0xC6, 0x35, 0x98, 0x18, 0xF7, 0xEC, 0x6C, 0x43, 0x75, 0x37, 0x26, 0xFA, 0x13, 0x94, 0x48,
        0xF2, 0xD0, 0x8B, 0x30, 0x84, 0x54, 0xDF, 0x23, 0x19, 0x5B, 0x3D, 0x59, 0xF3, 0xAE, 0xA2, 0x82,
        0x63, 0x01, 0x83, 0x2E, 0xD9, 0x51, 0x9B, 0x7C, 0xA6, 0xEB, 0xA5, 0xBE, 0x16, 0x0C, 0xE3, 0x61,
        0xC0, 0x8C, 0x3A, 0xF5, 0x73, 0x2C, 0x25, 0x0B, 0xBB, 0x4E, 0x89, 0x6B, 0x53, 0x6A, 0xB4, 0xF1,
        0xE1, 0xE6, 0xBD, 0x45, 0xE2, 0xF4, 0xB6, 0x66, 0xCC, 0x95, 0x03, 0x56, 0xD4, 0x1C, 0x1E, 0xD7,
        0xFB, 0xC3, 0x8E, 0xB5, 0xE9, 0xCF, 0xBF, 0xBA, 0xEA, 0x77, 0x39, 0xAF, 0x33, 0xC9, 0x62, 0x71,
        0x81, 0x79, 0x09, 0xAD, 0x24, 0xCD, 0xF9, 0xD8, 0xE5, 0xC5, 0xB9, 0x4D, 0x44, 0x08, 0x86, 0xE7,
        0xA1, 0x1D, 0xAA, 0xED, 0x06, 0x70, 0xB2, 0xD2, 0x41, 0x7B, 0xA0, 0x11, 0x31, 0xC2, 0x27, 0x90,
        0x20, 0xF6, 0x60, 0xFF, 0x96, 0x5C, 0xB1, 0xAB, 0x9E, 0x9C, 0x52, 0x1B, 0x5F, 0x93, 0x0A, 0xEF,
        0x91, 0x85, 0x49, 0xEE, 0x2D, 0x4F, 0x8F, 0x3B, 0x47, 0x87, 0x6D, 0x46, 0xD6, 0x3E, 0x69, 0x64,
        0x2A, 0xCE, 0xCB, 0x2F, 0xFC, 0x97, 0x05, 0x7A, 0xAC, 0x7F, 0xD5, 0x1A, 0x4B, 0x0E, 0xA7, 0x5A,
        0x28, 0x14, 0x3F, 0x29, 0x88, 0x3C, 0x4C, 0x02, 0xB8, 0xDA, 0xB0, 0x17, 0x55, 0x1F, 0x8A, 0x7D,
        0x57, 0xC7, 0x8D, 0x74, 0xB7, 0xC4, 0x9F, 0x72, 0x7E, 0x15, 0x22, 0x12, 0x58, 0x07, 0x99, 0x34,
        0x6E, 0x50, 0xDE, 0x68, 0x65, 0xBC, 0xDB, 0xF8, 0xC8, 0xA8, 0x2B, 0x40, 0xDC, 0xFE, 0x32, 0xA4,
        0xCA, 0x10, 0x21, 0xF0, 0xD3, 0x5D, 0x0F, 0x00, 0x6F, 0x9D, 0x36, 0x42, 0x4A, 0x5E, 0xC1, 0xE0
    },
    { /* p1 */
        0x75, 0xF3, 0xC6, 0xF4, 0xDB, 0x7B, 0xFB, 0xC8, 0x4A, 0xD3, 0xE6, 0x6B, 0x45, 0x7D, 0xE8, 0x4B,
        0xD6, 0x32, 0xD8, 0xFD, 0x37, 0x71, 0xF1, 0xE1, 0x30, 0x0F, 0xF8, 0x1B, 0x87, 0xFA, 0x06, 0x3F,
        0x5E, 0xBA, 0xAE, 0x5B, 0x8A, 0x00, 0xBC, 0x9D, 0x6D, 0xC1, 0xB1, 0x0E, 0x80, 0x5D, 0xD2, 0xD5,
        0xA0, 0x84, 0x07, 0x14, 0xB5, 0x90, 0x2C, 0xA3, 0xB2, 0x73, 0x4C, 0x54, 0x92, 0x74, 0x36, 0x51,
        0x38, 0xB0, 0xBD, 0x5A, 0xFC, 0x60, 0x62, 0x96, 0x6C, 0x42, 0xF7, 0x10, 0x7C, 0x28, 0x27, 0x8C,
        0x13, 0x95, 0x9C, 0xC7, 0x24, 0x46, 0x3B, 0x70, 0xCA, 0xE3, 0x85, 0xCB, 0x11, 0xD0, 0x93, 0xB8,
        0xA6, 0x83, 0x20, 0xFF, 0x9F, 0x77, 0xC3, 0xCC, 0x03, 0x6F, 0x08, 0xBF, 0x40, 0xE7, 0x2B, 0xE2,
        0x79, 0x0C, 0xAA, 0x82, 0x41, 0x3A, 0xEA, 0xB9, 0xE4, 0x9A, 0xA4, 0x97, 0x7E, 0xDA, 0x7A, 0x17,
        0x66, 0x94, 0xA1, 0x1D, 0x3D, 0xF0, 0xDE, 0xB3, 0x0B, 0x72, 0xA7, 0x1C, 0xEF, 0xD1, 0x53, 0x3E,
        0x8F, 0x33, 0x26, 0x5F, 0xEC, 0x76, 0x2A, 0x49, 0x81, 0x88, 0xEE, 0x21, 0xC4, 0x1A, 0xEB, 0xD9,
        0xC5, 0x39, 0x99, 0xCD, 0xAD, 0x31, 0x8B, 0x01, 0x18, 0x23, 0xDD, 0x1F, 0x4E, 0x2D, 0xF9, 0x48,
        0x4F, 0xF2, 0x65, 0x8E, 0x78, 0x5C, 0x58, 0x19, 0x8D, 0xE5, 0x98, 0x57, 0x67, 0x7F, 0x05, 0x64,
        0xAF, 0x63, 0xB6, 0xFE, 0xF5, 0xB7, 0x3C, 0xA5, 0xCE, 0xE9, 0x68, 0x44, 0xE0, 0x4D, 0x43, 0x69,
        0x29, 0x2E, 0xAC, 0x15, 0x59, 0xA8, 0x0A, 0x9E, 0x6E, 0x47, 0xDF, 0x34, 0x35, 0x6A, 0xCF, 0xDC,
        0x22, 0xC9, 0xC0, 0x9B, 0x89, 0xD4, 0xED, 0xAB, 0x12, 0xA2, 0x0D, 0x52, 0xBB, 0x02, 0x2F, 0xA9,
        0xD7, 0x61, 0x1E, 0xB4, 0x50, 0x04, 0xF6, 0xC2, 0x16, 0x25, 0x86, 0x56, 0x55, 0x09, 0xBE, 0x91
    }
};

/* Set once by _TwoFish_PrecomputeMDSmatrix(); checked by TwoFishInit().
 * No lock is visible in this file, so two threads initialising at the same
 * time may both compute the table (same values, but not synchronised). */
static bool TwoFish_MDSready=false;
static u_int32_t TwoFish_MDS[4][256]; /* TwoFish_MDS matrix */

/* GF(2^8) helpers for the MDS matrix: LFSR steps over the MDS field polynomial. */
#define TwoFish_LFSR1(x) (((x)>>1)^(((x)&0x01)?TwoFish_MDS_GF_FDBK/2:0))
#define TwoFish_LFSR2(x) (((x)>>2)^(((x)&0x02)?TwoFish_MDS_GF_FDBK/2:0)^(((x)&0x01)?TwoFish_MDS_GF_FDBK/4:0))

#define TwoFish_Mx_1(x) ((u_int32_t)(x)) /* force result to dword so << will work */
#define TwoFish_Mx_X(x) ((u_int32_t)((x)^TwoFish_LFSR2(x))) /* 5B */
#define TwoFish_Mx_Y(x) ((u_int32_t)((x)^TwoFish_LFSR1(x)^TwoFish_LFSR2(x))) /* EF */

/* One step of the Reed-Solomon remainder computation; modifies x in place. */
#define TwoFish_RS_rem(x) { u_int8_t b=(u_int8_t)(x>>24); u_int32_t g2=((b<<1)^((b&0x80)?TwoFish_RS_GF_FDBK:0))&0xFF; u_int32_t g3=((b>>1)&0x7F)^((b&1)?TwoFish_RS_GF_FDBK>>1:0)^g2; x=(x<<8)^(g3<<24)^(g2<<16)^(g3<<8)^b; }

/*#define TwoFish__b(x,N) (((u_int8_t *)&x)[((N)&3)^TwoFish_ADDR_XOR])*/ /* pick bytes out of a dword */

#define TwoFish_b0(x) TwoFish__b(x,0) /* extract LSB of u_int32_t */
#define TwoFish_b1(x) TwoFish__b(x,1)
#define TwoFish_b2(x) TwoFish__b(x,2)
#define TwoFish_b3(x) TwoFish__b(x,3) /* extract MSB of u_int32_t */

/* Return byte n (0 = least significant, 3 = most significant; n is taken
 * mod 4) of x.  Done with shifts rather than the pointer cast commented out
 * above, so the result does not depend on host byte order. */
u_int8_t TwoFish__b(u_int32_t x,int n)
{
    n&=3;
    while(n-->0)
        x>>=8;
    return (u_int8_t)x;
}

/* TwoFish Initialization
 *
 * This routine generates a global data structure for use with TwoFish,
 * initializes important values (such as subkeys, sBoxes), generates subkeys
 *
and precomputes the MDS matrix if not already done.
 *
 * Input: User supplied password (will be appended by default password of 'SnortHas2FishEncryptionRoutines!')
 *        (Per the code below the default password is used only when the
 *        supplied key is empty; otherwise the first TwoFish_KEY_LENGTH
 *        characters of the user key are repeated to fill the key space.
 *        userkey is dereferenced without a NULL check.)
 *
 * Output: Pointer to TWOFISH structure. This data structure contains key dependent data.
 *         This pointer is used with all other crypt functions.
 *         NULL if the structure could not be allocated.
 *
 * NOTE(review): the key-filling for-loop header was garbled when this listing
 * was extracted (the text between '<' and '>' is missing) and is kept as found.
 */
TWOFISH *TwoFishInit(char *userkey)
{
    TWOFISH *tfdata;
    int i,x,m;
    char tkey[TwoFish_KEY_LENGTH+40];

    tfdata=malloc(sizeof(TWOFISH)); /* allocate the TwoFish structure */
    if(tfdata!=NULL)
    {
        if(*userkey)
        {
            strncpy(tkey,userkey,TwoFish_KEY_LENGTH); /* use first 32 chars of user supplied password */
            tkey[TwoFish_KEY_LENGTH]=0; /* make sure it wasn't more */
        }
        else
            strcpy(tkey,TwoFish_DEFAULT_PW); /* if no key defined, use default password */

        for(i=0,x=0,m=strlen(tkey); ikey[i]=tkey[x++]; /* fill the whole keyspace with repeating key. */
            if(x==m)
                x=0;
        }

        if(!TwoFish_MDSready)
            _TwoFish_PrecomputeMDSmatrix(); /* "Wake Up, Neo" */

        _TwoFish_MakeSubKeys(tfdata); /* generate subkeys */
        _TwoFish_ResetCBC(tfdata); /* reset the CBC */
        tfdata->output=NULL; /* nothing to output yet */
        tfdata->dontflush=false; /* reset decrypt skip block flag */

        /* The header salt in TwoFishEncrypt() comes from rand(); seeding it
         * with the wall clock means the salt is predictable to anyone who
         * knows roughly when the process started. */
        if(TwoFish_srand)
        {
            TwoFish_srand=false;
            srand(time(NULL));
        }
    }
    return tfdata; /* return the data pointer */
}

/* Release a structure from TwoFishInit().  The key and subkeys inside it are
 * not wiped before the memory is returned to the allocator. */
void TwoFishDestroy(TWOFISH *tfdata)
{
    if(tfdata!=NULL)
        free(tfdata);
}

/* en/decryption with CBC mode */
/* Processes 'in' in TwoFish_BLOCK_SIZE pieces through _TwoFish_BlockCrypt(),
 * handing a short final piece (or the whole input when it is at most one
 * block) to the same routine.  The CBC state lives in tfdata and is not
 * reset here -- callers do that.  Returns len (the number of input bytes
 * handled), not the number of bytes written. */
unsigned long _TwoFish_CryptRawCBC(char *in,char *out,unsigned long len,bool decrypt,TWOFISH *tfdata)
{
    unsigned long rl;

    rl=len; /* remember how much data to crypt. */
    while(len>TwoFish_BLOCK_SIZE) /* and now we process block by block. */
    {
        _TwoFish_BlockCrypt((unsigned char*)in,(unsigned char*)out,TwoFish_BLOCK_SIZE,decrypt,tfdata); /* de/encrypt it. */
        in+=TwoFish_BLOCK_SIZE; /* adjust pointers. */
        out+=TwoFish_BLOCK_SIZE;
        len-=TwoFish_BLOCK_SIZE;
    }
    if(len>0) /* if we have less than a block left... */
        _TwoFish_BlockCrypt( (unsigned char*)in, (unsigned char*)out,len,decrypt,tfdata); /* ...then we de/encrypt that too.
*/
    if(tfdata->qBlockDefined && !tfdata->dontflush) /* in case len was exactly one block... */
        _TwoFish_FlushOutput(tfdata->qBlockCrypt,TwoFish_BLOCK_SIZE,tfdata); /* ...we need to write the... */
    /* ...remaining bytes of the buffer */
    return rl;
}

/* en/decryption on one block only */
/* Copies len bytes into the (pre-zeroed) qBlockPlain block, crypts that one
 * block without chaining and writes a full TwoFish_BLOCK_SIZE to out.
 * len is assumed to be at most one block -- _TwoFish_CryptRaw() guarantees
 * that; nothing here checks it. */
unsigned long _TwoFish_CryptRaw16(char *in,char *out,unsigned long len,bool decrypt,TWOFISH *tfdata)
{
    /* qBlockPlain already zero'ed through ResetCBC */
    memcpy(tfdata->qBlockPlain,in,len); /* toss the data into it. */
    _TwoFish_BlockCrypt16(tfdata->qBlockPlain,tfdata->qBlockCrypt,decrypt,tfdata); /* encrypt just that block without CBC. */
    memcpy(out,tfdata->qBlockCrypt,TwoFish_BLOCK_SIZE); /* and return what we got */
    return TwoFish_BLOCK_SIZE;
}

/* en/decryption without reset of CBC and output assignment */
/* Dispatches to the CBC routine for more than one block and to the single
 * block routine otherwise.  Returns 0 when any pointer is NULL or len is 0. */
unsigned long _TwoFish_CryptRaw(char *in,char *out,unsigned long len,bool decrypt,TWOFISH *tfdata)
{
    if(in!=NULL && out!=NULL && len>0 && tfdata!=NULL) /* if we have valid data, then... */
    {
        if(len>TwoFish_BLOCK_SIZE) /* ...check if we have more than one block. */
            return _TwoFish_CryptRawCBC(in,out,len,decrypt,tfdata); /* if so, use the CBC routines... */
        else
            return _TwoFish_CryptRaw16(in,out,len,decrypt,tfdata); /* ...otherwise just do one block. */
    }
    return 0;
}

/* TwoFish Raw Encryption
 *
 * Does not use header, but does use CBC (if more than one block has to be encrypted).
 *
 * Input: Pointer to the buffer of the plaintext to be encrypted.
 *        Pointer to the buffer receiving the ciphertext.
 *        The length of the plaintext buffer.
 *        The TwoFish structure.
 *
 * Output: The amount of bytes encrypted if successful, otherwise 0.
 *
 * Note: 'out' is also installed as tfdata->output, so a later TwoFishFree()
 * would free() it -- only pass heap memory you are willing to hand over.
 */
unsigned long TwoFishEncryptRaw(char *in, char *out, unsigned long len, TWOFISH *tfdata)
{
    _TwoFish_ResetCBC(tfdata); /* reset CBC flag. */
    tfdata->output=(unsigned char*)out; /* output straight into output buffer. */
    return _TwoFish_CryptRaw(in,out,len,false,tfdata); /* and go for it.
*/
}

/* TwoFish Raw Decryption
 *
 * Does not use header, but does use CBC (if more than one block has to be decrypted).
 *
 * Input: Pointer to the buffer of the ciphertext to be decrypted.
 *        Pointer to the buffer receiving the plaintext.
 *        The length of the ciphertext buffer (at least one cipher block).
 *        The TwoFish structure.
 *
 * Output: The amount of bytes decrypted if successful, otherwise 0.
 *
 * Note: there is no integrity check in the raw mode -- any input of the
 * right length "decrypts"; 'out' becomes tfdata->output (see TwoFishFree).
 */
unsigned long TwoFishDecryptRaw(char *in, char *out, unsigned long len, TWOFISH *tfdata)
{
    _TwoFish_ResetCBC(tfdata); /* reset CBC flag. */
    tfdata->output=(unsigned char*)out; /* output straight into output buffer. */
    return _TwoFish_CryptRaw(in,out,len,true,tfdata); /* and go for it. */
}

/* TwoFish Free
 *
 * Free's the allocated buffer.
 *
 * Input: Pointer to the TwoFish structure
 *
 * Output: (none)
 *
 * Frees whatever tfdata->output points to.  That is the TwoFishAlloc() buffer
 * in the normal case, but TwoFishSetOutput(), TwoFishEncryptRaw() and
 * TwoFishDecryptRaw() install caller-supplied pointers there as well, and
 * those would be free()d too.
 */
void TwoFishFree(TWOFISH *tfdata)
{
    if(tfdata->output!=NULL) /* if a valid buffer is present... */
    {
        free(tfdata->output); /* ...then we free it for you... */
        tfdata->output=NULL; /* ...and mark as such. */
    }
}

/* TwoFish Set Output
 *
 * If you want to allocate the output buffer yourself,
 * then you can set it with this function.
 *
 * Input: Pointer to your output buffer
 *        Pointer to the TwoFish structure
 *
 * Output: (none)
 */
void TwoFishSetOutput(char *outp,TWOFISH *tfdata)
{
    tfdata->output=(unsigned char*)outp; /* (do we really need a function for this?) */
}

/* TwoFish Alloc
 *
 * Allocates enough memory for the output buffer that would be required
 *
 * Input: Length of the plaintext.
 *        Boolean flag for BinHex Output.
 *        Pointer to the TwoFish structure.
 *
 * Output: Returns a pointer to the memory allocated.
 *
 * Notes: len is unsigned, so decrypt with a length below TwoFish_BLOCK_SIZE
 *        wraps around and the malloc() below fails (callers check for NULL).
 *        The extra block added to every allocation is, per the author's own
 *        remark, slack for an out-of-bounds write somewhere in the library
 *        rather than a sized requirement -- treat it as a known hazard.
 */
void *TwoFishAlloc(unsigned long len,bool binhex,bool decrypt,TWOFISH *tfdata)
{
    /* TwoFishFree(tfdata); */ /* (don't for now) discard whatever was allocated earlier. */
    if(decrypt) /* if decrypting... */
    {
        if(binhex) /* ...and input is binhex encoded... */
            len/=2; /* ...use half as much for output. */
        len-=TwoFish_BLOCK_SIZE; /* Also, subtract the size of the header.
*/
    }
    else
    {
        len+=TwoFish_BLOCK_SIZE; /* the size is just increased by the header... */
        if(binhex)
            len*=2; /* ...and doubled if output is to be binhexed. */
    }
    tfdata->output=malloc(len+TwoFish_BLOCK_SIZE);/* grab some memory...plus some extra (it's running over somewhere, crashes without extra padding) */
    return tfdata->output; /* ...and return to caller. */
}

/* bin2hex and hex2bin conversion */
/* In-place conversion.  bintohex: len bytes become 2*len lower-case hex
 * characters, so buf must have room for 2*len (written back to front).
 * Otherwise 2*len hex characters (len counts input characters, stepped by 2)
 * become len/2 bytes at the front of buf.  No validation of the hex digits. */
void _TwoFish_BinHex(u_int8_t *buf,unsigned long len,bool bintohex)
{
    u_int8_t *pi,*po,c;

    if(bintohex)
    {
        for(pi=buf+len-1,po=buf+(2*len)-1; len>0; pi--,po--,len--) /* let's start from the end of the bin block. */
        {
            c=*pi; /* grab value. */
            c&=15; /* use lower 4 bits. */
            if(c>9) /* convert to ascii. */
                c+=('a'-10);
            else
                c+='0';
            *po--=c; /* set the lower nibble. */
            c=*pi; /* grab value again. */
            c>>=4; /* right shift 4 bits. */
            c&=15; /* make sure we only have 4 bits. */
            if(c>9) /* convert to ascii. */
                c+=('a'-10);
            else
                c+='0';
            *po=c; /* set the higher nibble. */
        } /* and keep going. */
    }
    else
    {
        for(pi=buf,po=buf; len>0; pi++,po++,len-=2) /* let's start from the beginning of the hex block. */
        {
            c=tolower(*pi++)-'0'; /* grab higher nibble. */
            if(c>9) /* convert to value. */
                c-=('0'-9);
            *po=c<<4; /* left shit 4 bits. */
            c=tolower(*pi)-'0'; /* grab lower nibble. */
            if(c>9) /* convert to value. */
                c-=('0'-9);
            *po|=c; /* and add to value. */
        }
    }
}

/* TwoFish Encryption
 *
 * Uses header and CBC. If the output area has not been intialized with TwoFishAlloc,
 * this routine will alloc the memory. In addition, it will include a small 'header'
 * containing the magic and some salt. That way the decrypt routine can check if the
 * packet got decrypted successfully, and return 0 instead of garbage.
 *
 * Input: Pointer to the buffer of the plaintext to be encrypted.
 *        Pointer to the pointer to the buffer receiving the ciphertext.
* The pointer either points to user allocated output buffer space, or to NULL, in which case * this routine will set the pointer to the buffer allocated through the struct. * The length of the plaintext buffer. * Can be -1 if the input is a null terminated string, in which case we'll count for you. * Boolean flag for BinHex Output (if used, output will be twice as large as input). * Note: BinHex conversion overwrites (converts) input buffer! * The TwoFish structure. * * Output: The amount of bytes encrypted if successful, otherwise 0. */ unsigned long TwoFishEncrypt(char *in, char **out, signed long len, bool binhex, TWOFISH *tfdata) { unsigned long ilen,olen; if(len== -1) /* if we got -1 for len, we'll assume IN is a... */ ilen=strlen(in); /* ...\0 terminated string and figure len out ourselves... */ else ilen=len; /* ...otherwise we trust you supply a correct length. */ if(in!=NULL && out!=NULL && ilen>0 && tfdata!=NULL) /* if we got usable stuff, we'll do it. */ { if(*out==NULL) /* if OUT points to a NULL pointer... */ *out=TwoFishAlloc(ilen,binhex,false,tfdata); /* ...we'll (re-)allocate buffer space. */ if(*out!=NULL) { tfdata->output=(unsigned char*)*out; /* set output buffer. */ tfdata->header.salt=rand()*65536+rand(); /* toss in some salt. */ tfdata->header.length[0]= (u_int8_t)(ilen); tfdata->header.length[1]= (u_int8_t)(ilen>>8); tfdata->header.length[2]= (u_int8_t)(ilen>>16); tfdata->header.length[3]= (u_int8_t)(ilen>>24); memcpy(tfdata->header.magic,TwoFish_MAGIC,TwoFish_MAGIC_LEN); /* set the magic. */ olen=TwoFish_BLOCK_SIZE; /* set output counter. */ _TwoFish_ResetCBC(tfdata); /* reset the CBC flag */ _TwoFish_BlockCrypt((u_int8_t *)&(tfdata->header),(unsigned char*)*out,olen,false,tfdata); /* encrypt first block (without flush on 16 byte boundary). */ olen+=_TwoFish_CryptRawCBC(in,*out+TwoFish_BLOCK_SIZE,ilen,false,tfdata); /* and encrypt the rest (we do not reset the CBC flag). */ if(binhex) /* if binhex... 
*/ { _TwoFish_BinHex( (unsigned char*)*out,olen,true); /* ...convert output to binhex... */ olen*=2; /* ...and size twice as large. */ } tfdata->output=(unsigned char*)*out; return olen; } } return 0; } /* TwoFish Decryption * * Uses header and CBC. If the output area has not been intialized with TwoFishAlloc, * this routine will alloc the memory. In addition, it will check the small 'header' * containing the magic. If magic does not match we return 0. Otherwise we return the * amount of bytes decrypted (should be the same as the length in the header). * * Input: Pointer to the buffer of the ciphertext to be decrypted. * Pointer to the pointer to the buffer receiving the plaintext. * The pointer either points to user allocated output buffer space, or to NULL, in which case * this routine will set the pointer to the buffer allocated through the struct. * The length of the ciphertext buffer. * Can be -1 if the input is a null terminated binhex string, in which case we'll count for you. * Boolean flag for BinHex Input (if used, plaintext will be half as large as input). * Note: BinHex conversion overwrites (converts) input buffer! * The TwoFish structure. * * Output: The amount of bytes decrypted if successful, otherwise 0. */ unsigned long TwoFishDecrypt(char *in, char **out, signed long len, bool binhex, TWOFISH *tfdata) { unsigned long ilen,elen,olen; const u_int8_t cmagic[TwoFish_MAGIC_LEN]=TwoFish_MAGIC; u_int8_t *tbuf; if(len== -1) /* if we got -1 for len, we'll assume IN is... */ ilen=strlen(in); /* ...\0 terminated binhex and figure len out ourselves... */ else ilen=len; /* ...otherwise we trust you supply a correct length. */ if(in!=NULL && out!=NULL && ilen>0 && tfdata!=NULL) /* if we got usable stuff, we'll do it. */ { if(*out==NULL) /* if OUT points to a NULL pointer... */ *out=TwoFishAlloc(ilen,binhex,true,tfdata); /* ...we'll (re-)allocate buffer space. */ if(*out!=NULL) { if(binhex) /* if binhex... 
*/
            {
                _TwoFish_BinHex( (unsigned char*)in,ilen,false);   /* ...convert input to values... */
                ilen/=2;                           /* ...and size half as much. */
            }
            _TwoFish_ResetCBC(tfdata);             /* reset the CBC flag. */
            tbuf=(u_int8_t *)malloc(ilen+TwoFish_BLOCK_SIZE);   /* get memory for data and header. */
            if(tbuf==NULL)
                return 0;
            tfdata->output=tbuf;                   /* set output to temp buffer. */
            /* NOTE(review): olen is unsigned. If _TwoFish_CryptRawCBC (not shown
               here) can return fewer than TwoFish_BLOCK_SIZE bytes for a short
               input, this subtraction wraps to a huge value and the elen>olen
               clamp below no longer bounds the final memcpy. Inputs shorter
               than one block should be rejected before this point. */
            olen=_TwoFish_CryptRawCBC(in,(char *)tbuf,ilen,true,tfdata)-TwoFish_BLOCK_SIZE;   /* decrypt the whole thing. */
            memcpy(&(tfdata->header),tbuf,TwoFish_BLOCK_SIZE);   /* copy first block into header. */
            //tfdata->output=*out;
            tfdata->output=(unsigned char*)*out;
            /* NOTE(review): the loop header on the next line is damaged in this
               copy of the source (the comparison against TwoFish_MAGIC_LEN and
               the tfdata-> access are missing); as the test that follows shows,
               it compares the decrypted header magic byte by byte. That magic
               is the only integrity check performed: there is no MAC, so the
               length field read below comes from unauthenticated data and the
               elen>olen clamp is what keeps the copy in bounds. */
            for(elen=0; elenheader.magic[elen]!=cmagic[elen]) break;
            if(elen==TwoFish_MAGIC_LEN)            /* if magic matches then... */
            {
                elen=(tfdata->header.length[0]) | (tfdata->header.length[1])<<8 | (tfdata->header.length[2])<<16 | (tfdata->header.length[3])<<24;   /* .. we know how much to expect. */
                if(elen>olen)                      /* adjust if necessary. */
                    elen=olen;
                /* NOTE(review): *out is assumed to hold at least elen bytes. That
                   is true when TwoFishAlloc sized it above, but not necessarily
                   for a caller-supplied buffer. */
                memcpy(*out,tbuf+TwoFish_BLOCK_SIZE,elen);   /* copy data into intended output.
*/ free(tbuf); return elen; } free(tbuf); } } return 0; } void _TwoFish_PrecomputeMDSmatrix(void) /* precompute the TwoFish_MDS matrix */ { u_int32_t m1[2]; u_int32_t mX[2]; u_int32_t mY[2]; u_int32_t i, j; for (i = 0; i < 256; i++) { j = TwoFish_P[0][i] & 0xFF; /* compute all the matrix elements */ m1[0] = j; mX[0] = TwoFish_Mx_X( j ) & 0xFF; mY[0] = TwoFish_Mx_Y( j ) & 0xFF; j = TwoFish_P[1][i] & 0xFF; m1[1] = j; mX[1] = TwoFish_Mx_X( j ) & 0xFF; mY[1] = TwoFish_Mx_Y( j ) & 0xFF; TwoFish_MDS[0][i] = m1[TwoFish_P_00] | /* fill matrix w/ above elements */ mX[TwoFish_P_00] << 8 | mY[TwoFish_P_00] << 16 | mY[TwoFish_P_00] << 24; TwoFish_MDS[1][i] = mY[TwoFish_P_10] | mY[TwoFish_P_10] << 8 | mX[TwoFish_P_10] << 16 | m1[TwoFish_P_10] << 24; TwoFish_MDS[2][i] = mX[TwoFish_P_20] | mY[TwoFish_P_20] << 8 | m1[TwoFish_P_20] << 16 | mY[TwoFish_P_20] << 24; TwoFish_MDS[3][i] = mX[TwoFish_P_30] | m1[TwoFish_P_30] << 8 | mY[TwoFish_P_30] << 16 | mX[TwoFish_P_30] << 24; } TwoFish_MDSready=true; } void _TwoFish_MakeSubKeys(TWOFISH *tfdata) /* Expand a user-supplied key material into a session key. */ { u_int32_t k64Cnt = TwoFish_KEY_LENGTH / 8; u_int32_t k32e[4]; /* even 32-bit entities */ u_int32_t k32o[4]; /* odd 32-bit entities */ u_int32_t sBoxKey[4]; u_int32_t offset,i,j; u_int32_t A, B, q=0; u_int32_t k0,k1,k2,k3; u_int32_t b0,b1,b2,b3; /* split user key material into even and odd 32-bit entities and */ /* compute S-box keys using (12, 8) Reed-Solomon code over GF(256) */ for (offset=0,i=0,j=k64Cnt-1; i<4 && offsetkey[offset++]; k32e[i]|= tfdata->key[offset++]<<8; k32e[i]|= tfdata->key[offset++]<<16; k32e[i]|= tfdata->key[offset++]<<24; k32o[i] = tfdata->key[offset++]; k32o[i]|= tfdata->key[offset++]<<8; k32o[i]|= tfdata->key[offset++]<<16; k32o[i]|= tfdata->key[offset++]<<24; sBoxKey[j] = _TwoFish_RS_MDS_Encode( k32e[i], k32o[i] ); /* reverse order */ } /* compute the round decryption subkeys for PHT. 
these same subkeys */ /* will be used in encryption but will be applied in reverse order. */ i=0; while(i < TwoFish_TOTAL_SUBKEYS) { A = _TwoFish_F32( k64Cnt, q, k32e ); /* A uses even key entities */ q += TwoFish_SK_BUMP; B = _TwoFish_F32( k64Cnt, q, k32o ); /* B uses odd key entities */ q += TwoFish_SK_BUMP; B = B << 8 | B >> 24; A += B; tfdata->subKeys[i++] = A; /* combine with a PHT */ A += B; tfdata->subKeys[i++] = A << TwoFish_SK_ROTL | A >> (32-TwoFish_SK_ROTL); } /* fully expand the table for speed */ k0 = sBoxKey[0]; k1 = sBoxKey[1]; k2 = sBoxKey[2]; k3 = sBoxKey[3]; for (i = 0; i < 256; i++) { b0 = b1 = b2 = b3 = i; switch (k64Cnt & 3) { case 1: /* 64-bit keys */ tfdata->sBox[ 2*i ] = TwoFish_MDS[0][(TwoFish_P[TwoFish_P_01][b0]) ^ TwoFish_b0(k0)]; tfdata->sBox[ 2*i+1] = TwoFish_MDS[1][(TwoFish_P[TwoFish_P_11][b1]) ^ TwoFish_b1(k0)]; tfdata->sBox[0x200+2*i ] = TwoFish_MDS[2][(TwoFish_P[TwoFish_P_21][b2]) ^ TwoFish_b2(k0)]; tfdata->sBox[0x200+2*i+1] = TwoFish_MDS[3][(TwoFish_P[TwoFish_P_31][b3]) ^ TwoFish_b3(k0)]; break; case 0: /* 256-bit keys (same as 4) */ b0 = (TwoFish_P[TwoFish_P_04][b0]) ^ TwoFish_b0(k3); b1 = (TwoFish_P[TwoFish_P_14][b1]) ^ TwoFish_b1(k3); b2 = (TwoFish_P[TwoFish_P_24][b2]) ^ TwoFish_b2(k3); b3 = (TwoFish_P[TwoFish_P_34][b3]) ^ TwoFish_b3(k3); case 3: /* 192-bit keys */ b0 = (TwoFish_P[TwoFish_P_03][b0]) ^ TwoFish_b0(k2); b1 = (TwoFish_P[TwoFish_P_13][b1]) ^ TwoFish_b1(k2); b2 = (TwoFish_P[TwoFish_P_23][b2]) ^ TwoFish_b2(k2); b3 = (TwoFish_P[TwoFish_P_33][b3]) ^ TwoFish_b3(k2); case 2: /* 128-bit keys */ tfdata->sBox[ 2*i ]= TwoFish_MDS[0][(TwoFish_P[TwoFish_P_01][(TwoFish_P[TwoFish_P_02][b0]) ^ TwoFish_b0(k1)]) ^ TwoFish_b0(k0)]; tfdata->sBox[ 2*i+1]= TwoFish_MDS[1][(TwoFish_P[TwoFish_P_11][(TwoFish_P[TwoFish_P_12][b1]) ^ TwoFish_b1(k1)]) ^ TwoFish_b1(k0)]; tfdata->sBox[0x200+2*i ]= TwoFish_MDS[2][(TwoFish_P[TwoFish_P_21][(TwoFish_P[TwoFish_P_22][b2]) ^ TwoFish_b2(k1)]) ^ TwoFish_b2(k0)]; tfdata->sBox[0x200+2*i+1]= 
TwoFish_MDS[3][(TwoFish_P[TwoFish_P_31][(TwoFish_P[TwoFish_P_32][b3]) ^ TwoFish_b3(k1)]) ^ TwoFish_b3(k0)]; } } } /** * Encrypt or decrypt exactly one block of plaintext in CBC mode. * Use "ciphertext stealing" technique described on pg. 196 * of "Applied Cryptography" to encrypt the final partial * (i.e. <16 byte) block if necessary. * * jojo: the "ciphertext stealing" requires we read ahead and have * special handling for the last two blocks. Because of this, the * output from the TwoFish algorithm is handled internally here. * It would be better to have a higher level handle this as well as * CBC mode. Unfortunately, I've mixed the two together, which is * pretty crappy... The Java version separates these out correctly. * * fknobbe: I have reduced the CBC mode to work on memory buffer only. * Higher routines should use an intermediate buffer and handle * their output seperately (mainly so the data can be flushed * in one chunk, not seperate 16 byte blocks...) * * @param in The plaintext. * @param out The ciphertext * @param size how much to encrypt * @param tfdata: Pointer to the global data structure containing session keys. * @return none */ void _TwoFish_BlockCrypt(u_int8_t *in,u_int8_t *out,unsigned long size,int decrypt,TWOFISH *tfdata) { u_int8_t PnMinusOne[TwoFish_BLOCK_SIZE]; u_int8_t CnMinusOne[TwoFish_BLOCK_SIZE]; u_int8_t CBCplusCprime[TwoFish_BLOCK_SIZE]; u_int8_t Pn[TwoFish_BLOCK_SIZE]; u_int8_t *p,*pout; unsigned long i; /* here is where we implement CBC mode and cipher block stealing */ if(size==TwoFish_BLOCK_SIZE) { /* if we are encrypting, CBC means we XOR the plain text block with the */ /* previous cipher text block before encrypting */ if(!decrypt && tfdata->qBlockDefined) { for(p=in,i=0; iqBlockCrypt[i]; /* FK: I'm copying the xor'ed input into Pn... */ } else memcpy(Pn,in,TwoFish_BLOCK_SIZE); /* FK: same here. we work of Pn all the time. 
*/ /* TwoFish block level encryption or decryption */ _TwoFish_BlockCrypt16(Pn,out,decrypt,tfdata); /* if we are decrypting, CBC means we XOR the result of the decryption */ /* with the previous cipher text block to get the resulting plain text */ if(decrypt && tfdata->qBlockDefined) { for (p=out,i=0; iqBlockPlain[i]; } /* save the input and output blocks, since CBC needs these for XOR */ /* operations */ _TwoFish_qBlockPush(Pn,out,tfdata); } else { /* cipher block stealing, we are at Pn, */ /* but since Cn-1 must now be replaced with CnC' */ /* we pop it off, and recalculate Cn-1 */ if(decrypt) { /* We are on an odd block, and had to do cipher block stealing, */ /* so the PnMinusOne has to be derived differently. */ /* First we decrypt it into CBC and C' */ _TwoFish_qBlockPop(CnMinusOne,PnMinusOne,tfdata); _TwoFish_BlockCrypt16(CnMinusOne,CBCplusCprime,decrypt,tfdata); /* we then xor the first few bytes with the "in" bytes (Cn) */ /* to recover Pn, which we put in out */ for(p=in,pout=out,i=0; iprevCipher[i]; /* So at this point, out has PnMinusOne */ _TwoFish_qBlockPush(CnMinusOne,PnMinusOne,tfdata); _TwoFish_FlushOutput(tfdata->qBlockCrypt,TwoFish_BLOCK_SIZE,tfdata); _TwoFish_FlushOutput(out,size,tfdata); } else { _TwoFish_qBlockPop(PnMinusOne,CnMinusOne,tfdata); memset(Pn,0,TwoFish_BLOCK_SIZE); memcpy(Pn,in,size); for(i=0; iqBlockCrypt,TwoFish_BLOCK_SIZE,tfdata); _TwoFish_FlushOutput(CnMinusOne,size,tfdata); /* old Cn-1 becomes new partial Cn */ } tfdata->qBlockDefined=false; } } void _TwoFish_qBlockPush(u_int8_t *p,u_int8_t *c,TWOFISH *tfdata) { if(tfdata->qBlockDefined) _TwoFish_FlushOutput(tfdata->qBlockCrypt,TwoFish_BLOCK_SIZE,tfdata); memcpy(tfdata->prevCipher,tfdata->qBlockPlain,TwoFish_BLOCK_SIZE); memcpy(tfdata->qBlockPlain,p,TwoFish_BLOCK_SIZE); memcpy(tfdata->qBlockCrypt,c,TwoFish_BLOCK_SIZE); tfdata->qBlockDefined=true; } void _TwoFish_qBlockPop(u_int8_t *p,u_int8_t *c,TWOFISH *tfdata) { memcpy(p,tfdata->qBlockPlain,TwoFish_BLOCK_SIZE ); 
memcpy(c,tfdata->qBlockCrypt,TwoFish_BLOCK_SIZE ); tfdata->qBlockDefined=false; } /* Reset's the CBC flag and zero's PrevCipher (through qBlockPlain) (important) */ void _TwoFish_ResetCBC(TWOFISH *tfdata) { tfdata->qBlockDefined=false; memset(tfdata->qBlockPlain,0,TwoFish_BLOCK_SIZE); } void _TwoFish_FlushOutput(u_int8_t *b,unsigned long len,TWOFISH *tfdata) { unsigned long i; for(i=0; idontflush; i++) *tfdata->output++ = *b++; tfdata->dontflush=false; } void _TwoFish_BlockCrypt16(u_int8_t *in,u_int8_t *out,bool decrypt,TWOFISH *tfdata) { u_int32_t x0,x1,x2,x3; u_int32_t k,t0,t1,R; x0=*in++; x0|=(*in++ << 8 ); x0|=(*in++ << 16); x0|=(*in++ << 24); x1=*in++; x1|=(*in++ << 8 ); x1|=(*in++ << 16); x1|=(*in++ << 24); x2=*in++; x2|=(*in++ << 8 ); x2|=(*in++ << 16); x2|=(*in++ << 24); x3=*in++; x3|=(*in++ << 8 ); x3|=(*in++ << 16); x3|=(*in++ << 24); if(decrypt) { x0 ^= tfdata->subKeys[4]; /* swap input and output whitening keys when decrypting */ x1 ^= tfdata->subKeys[5]; x2 ^= tfdata->subKeys[6]; x3 ^= tfdata->subKeys[7]; k = 7+(TwoFish_ROUNDS*2); for (R = 0; R < TwoFish_ROUNDS; R += 2) { t0 = _TwoFish_Fe320( tfdata->sBox, x0); t1 = _TwoFish_Fe323( tfdata->sBox, x1); x3 ^= t0 + (t1<<1) + tfdata->subKeys[k--]; x3 = x3 >> 1 | x3 << 31; x2 = x2 << 1 | x2 >> 31; x2 ^= t0 + t1 + tfdata->subKeys[k--]; t0 = _TwoFish_Fe320( tfdata->sBox, x2); t1 = _TwoFish_Fe323( tfdata->sBox, x3); x1 ^= t0 + (t1<<1) + tfdata->subKeys[k--]; x1 = x1 >> 1 | x1 << 31; x0 = x0 << 1 | x0 >> 31; x0 ^= t0 + t1 + tfdata->subKeys[k--]; } x2 ^= tfdata->subKeys[0]; x3 ^= tfdata->subKeys[1]; x0 ^= tfdata->subKeys[2]; x1 ^= tfdata->subKeys[3]; } else { x0 ^= tfdata->subKeys[0]; x1 ^= tfdata->subKeys[1]; x2 ^= tfdata->subKeys[2]; x3 ^= tfdata->subKeys[3]; k = 8; for (R = 0; R < TwoFish_ROUNDS; R += 2) { t0 = _TwoFish_Fe320( tfdata->sBox, x0); t1 = _TwoFish_Fe323( tfdata->sBox, x1); x2 ^= t0 + t1 + tfdata->subKeys[k++]; x2 = x2 >> 1 | x2 << 31; x3 = x3 << 1 | x3 >> 31; x3 ^= t0 + (t1<<1) + 
tfdata->subKeys[k++]; t0 = _TwoFish_Fe320( tfdata->sBox, x2); t1 = _TwoFish_Fe323( tfdata->sBox, x3); x0 ^= t0 + t1 + tfdata->subKeys[k++]; x0 = x0 >> 1 | x0 << 31; x1 = x1 << 1 | x1 >> 31; x1 ^= t0 + (t1<<1) + tfdata->subKeys[k++]; } x2 ^= tfdata->subKeys[4]; x3 ^= tfdata->subKeys[5]; x0 ^= tfdata->subKeys[6]; x1 ^= tfdata->subKeys[7]; } *out++ = (u_int8_t)(x2 ); *out++ = (u_int8_t)(x2 >> 8); *out++ = (u_int8_t)(x2 >> 16); *out++ = (u_int8_t)(x2 >> 24); *out++ = (u_int8_t)(x3 ); *out++ = (u_int8_t)(x3 >> 8); *out++ = (u_int8_t)(x3 >> 16); *out++ = (u_int8_t)(x3 >> 24); *out++ = (u_int8_t)(x0 ); *out++ = (u_int8_t)(x0 >> 8); *out++ = (u_int8_t)(x0 >> 16); *out++ = (u_int8_t)(x0 >> 24); *out++ = (u_int8_t)(x1 ); *out++ = (u_int8_t)(x1 >> 8); *out++ = (u_int8_t)(x1 >> 16); *out++ = (u_int8_t)(x1 >> 24); } /** * Use (12, 8) Reed-Solomon code over GF(256) to produce a key S-box * 32-bit entity from two key material 32-bit entities. * * @param k0 1st 32-bit entity. * @param k1 2nd 32-bit entity. 
* @return Remainder polynomial generated using RS code */ u_int32_t _TwoFish_RS_MDS_Encode(u_int32_t k0,u_int32_t k1) { u_int32_t i,r; for(r=k1,i=0; i<4; i++) /* shift 1 byte at a time */ TwoFish_RS_rem(r); r ^= k0; for(i=0; i<4; i++) TwoFish_RS_rem(r); return r; } u_int32_t _TwoFish_F32(u_int32_t k64Cnt,u_int32_t x,u_int32_t *k32) { u_int8_t b0,b1,b2,b3; u_int32_t k0,k1,k2,k3,result = 0; b0=TwoFish_b0(x); b1=TwoFish_b1(x); b2=TwoFish_b2(x); b3=TwoFish_b3(x); k0=k32[0]; k1=k32[1]; k2=k32[2]; k3=k32[3]; switch (k64Cnt & 3) { case 1: /* 64-bit keys */ result = TwoFish_MDS[0][(TwoFish_P[TwoFish_P_01][b0] & 0xFF) ^ TwoFish_b0(k0)] ^ TwoFish_MDS[1][(TwoFish_P[TwoFish_P_11][b1] & 0xFF) ^ TwoFish_b1(k0)] ^ TwoFish_MDS[2][(TwoFish_P[TwoFish_P_21][b2] & 0xFF) ^ TwoFish_b2(k0)] ^ TwoFish_MDS[3][(TwoFish_P[TwoFish_P_31][b3] & 0xFF) ^ TwoFish_b3(k0)]; break; case 0: /* 256-bit keys (same as 4) */ b0 = (TwoFish_P[TwoFish_P_04][b0] & 0xFF) ^ TwoFish_b0(k3); b1 = (TwoFish_P[TwoFish_P_14][b1] & 0xFF) ^ TwoFish_b1(k3); b2 = (TwoFish_P[TwoFish_P_24][b2] & 0xFF) ^ TwoFish_b2(k3); b3 = (TwoFish_P[TwoFish_P_34][b3] & 0xFF) ^ TwoFish_b3(k3); case 3: /* 192-bit keys */ b0 = (TwoFish_P[TwoFish_P_03][b0] & 0xFF) ^ TwoFish_b0(k2); b1 = (TwoFish_P[TwoFish_P_13][b1] & 0xFF) ^ TwoFish_b1(k2); b2 = (TwoFish_P[TwoFish_P_23][b2] & 0xFF) ^ TwoFish_b2(k2); b3 = (TwoFish_P[TwoFish_P_33][b3] & 0xFF) ^ TwoFish_b3(k2); case 2: /* 128-bit keys (optimize for this case) */ result = TwoFish_MDS[0][(TwoFish_P[TwoFish_P_01][(TwoFish_P[TwoFish_P_02][b0] & 0xFF) ^ TwoFish_b0(k1)] & 0xFF) ^ TwoFish_b0(k0)] ^ TwoFish_MDS[1][(TwoFish_P[TwoFish_P_11][(TwoFish_P[TwoFish_P_12][b1] & 0xFF) ^ TwoFish_b1(k1)] & 0xFF) ^ TwoFish_b1(k0)] ^ TwoFish_MDS[2][(TwoFish_P[TwoFish_P_21][(TwoFish_P[TwoFish_P_22][b2] & 0xFF) ^ TwoFish_b2(k1)] & 0xFF) ^ TwoFish_b2(k0)] ^ TwoFish_MDS[3][(TwoFish_P[TwoFish_P_31][(TwoFish_P[TwoFish_P_32][b3] & 0xFF) ^ TwoFish_b3(k1)] & 0xFF) ^ TwoFish_b3(k0)]; break; } return result; } u_int32_t 
_TwoFish_Fe320(u_int32_t *lsBox,u_int32_t x) { return lsBox[ TwoFish_b0(x)<<1 ]^ lsBox[ ((TwoFish_b1(x)<<1)|1)]^ lsBox[0x200+ (TwoFish_b2(x)<<1) ]^ lsBox[0x200+((TwoFish_b3(x)<<1)|1)]; } u_int32_t _TwoFish_Fe323(u_int32_t *lsBox,u_int32_t x) { return lsBox[ (TwoFish_b3(x)<<1) ]^ lsBox[ ((TwoFish_b0(x)<<1)|1)]^ lsBox[0x200+ (TwoFish_b1(x)<<1) ]^ lsBox[0x200+((TwoFish_b2(x)<<1)|1)]; } u_int32_t _TwoFish_Fe32(u_int32_t *lsBox,u_int32_t x,u_int32_t R) { return lsBox[ 2*TwoFish__b(x,R ) ]^ lsBox[ 2*TwoFish__b(x,R+1)+1]^ lsBox[0x200+2*TwoFish__b(x,R+2) ]^ lsBox[0x200+2*TwoFish__b(x,R+3)+1]; } #endif sagan-1.2.0/src/output-plugins/external.c0000644000175000017500000001102713310531444017340 0ustar champchamp/* ** Copyright (C) 2009-2018 Quadrant Information Security ** Copyright (C) 2009-2018 Champ Clark III ** ** This program is free software; you can redistribute it and/or modify ** it under the terms of the GNU General Public License Version 2 as ** published by the Free Software Foundation. You may not use, modify or ** distribute this program under any other version of the GNU General ** Public License. ** ** This program is distributed in the hope that it will be useful, ** but WITHOUT ANY WARRANTY; without even the implied warranty of ** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ** GNU General Public License for more details. ** ** You should have received a copy of the GNU General Public License ** along with this program; if not, write to the Free Software ** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. */ /* external.c * * Threaded function for user defined external system (execl) calls. This * allows sagan to pass information to a external program. 
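 * */

#ifdef HAVE_CONFIG_H
#include "config.h"             /* From autoconf */
#endif

/* NOTE(review): the system header names on the next seven #include lines were
   lost in this copy of the source. */
#include
#include
#include
#include
#include
#include
#include
#include "sagan.h"
#include "sagan-defs.h"
#include "version.h"
#include "lockfile.h"
#include "references.h"
#include "sagan-config.h"
#include "output-plugins/external.h"

struct _Rule_Struct *rulestruct;
struct _SaganDebug *debug;
struct _SaganConfig *config;

/* Serialises every external-program run: one child at a time is spawned, fed
   and reaped. */
pthread_mutex_t ext_mutex = PTHREAD_MUTEX_INITIALIZER;

/*
 * External_Thread - hand one event to a user-supplied external program.
 *
 * Renders the event as a "Key:value" text block, forks, and runs
 * execute_script with that block on its stdin; whatever the program prints on
 * stdout/stderr is drained and discarded. The whole exchange runs under
 * ext_mutex, so calls are serialised.
 *
 * Event          - the event to report (fields read: found, drop, generatorid,
 *                  sid, f_msg, class, pri, date, time, ip_src, src_port,
 *                  ip_dst, dst_port, facility, priority, json_normalize,
 *                  message).
 * execute_script - path of the program to run; it receives no arguments.
 *
 * Returns nothing. Pipe and fork failures go through Sagan_Log(ERROR, ...),
 * which is assumed to terminate the process.
 */
void External_Thread ( _Sagan_Event *Event, char *execute_script )
{
    int in[2];
    int out[2];
    int pid;
    ssize_t n;
    size_t off, len;
    char buf[MAX_SYSLOGMSG];
    char data[MAX_SYSLOGMSG];
    char tmpref[256];
    char tmp[6];

    if ( debug->debugexternal )
        {
            Sagan_Log(WARN, "[%s, line %d] In External_Thread()", __FILE__, __LINE__);
        }

    Reference_Lookup( Event->found, 1, tmpref, sizeof(tmpref));

    if ( Event->drop == 1 )
        {
            snprintf(tmp, sizeof(tmp), "True");
        }
    else
        {
            snprintf(tmp, sizeof(tmp), "False");
        }

    /* Same text as before, written as adjacent literals rather than one
       backslash-continued string. */
    snprintf(data, sizeof(data),
             "\n"
             "ID:%lu:%s\n"
             "Message:%s\n"
             "Classification:%s\n"
             "Drop:%s\n"
             "Priority:%d\n"
             "Date:%s\n"
             "Time:%s\n"
             "Source:%s\n"
             "Source Port:%d\n"
             "Destination:%s\n"
             "Destination Port:%d\n"
             "Facility:%s\n"
             "Syslog Priority:%s\n"
             "Liblognorm JSON:%s\n"
             "%sSyslog message:%s\n",
             Event->generatorid,
             Event->sid,
             Event->f_msg,
             Event->class,
             tmp,
             Event->pri,
             Event->date,
             Event->time,
             Event->ip_src,
             Event->src_port,
             Event->ip_dst,
             Event->dst_port,
             Event->facility,
             Event->priority,
             !Event->json_normalize ? "{}" : json_object_to_json_string_ext(Event->json_normalize, FJSON_TO_STRING_PLAIN),
             tmpref,
             Event->message);

    pthread_mutex_lock( &ext_mutex );

    if ( pipe(in) < 0 )
        {
            Remove_Lock_File();
            Sagan_Log(ERROR, "[%s, line %d] Cannot create input pipe!", __FILE__, __LINE__);
        }

    if ( pipe(out) < 0 )
        {
            Remove_Lock_File();
            Sagan_Log(ERROR, "[%s, line %d] Cannot create output pipe!", __FILE__, __LINE__);
        }

    pid=fork();

    if ( pid < 0 )
        {
            Sagan_Log(ERROR, "[%s, line %d] Cannot create external program process", __FILE__, __LINE__);

            /* Only reached if Sagan_Log(ERROR) returns: release the pipes and
               the mutex instead of falling through to waitpid(-1), which would
               reap an arbitrary child. */
            close(in[0]);
            close(in[1]);
            close(out[0]);
            close(out[1]);
            pthread_mutex_unlock( &ext_mutex );
            return;
        }
    else if ( pid == 0 )
        {
            /* Child. Wire stdin to the input pipe and stdout/stderr to the
               output pipe, then exec. Descriptors 0-2 are closed first
               (leaving them open causes problems with alert.log). Every other
               descriptor the daemon holds is inherited by the script unless it
               was opened close-on-exec. */
            close(0);
            close(1);
            close(2);
            dup2(in[0],0);      /* stdin */
            dup2(out[1],1);
            dup2(out[1],2);
            close(in[1]);
            close(out[0]);
            if ( in[0] > 2 )
                {
                    close(in[0]);
                }
            if ( out[1] > 2 )
                {
                    close(out[1]);
                }

            execl(execute_script, execute_script, (char *)NULL);

            /* execl only returns on failure. The child must not continue into
               the parent's code path below (it would write to closed pipes,
               reap an unrelated process and return into the caller's thread as
               a second copy of the daemon), and it must not remove the
               parent's lock file. stderr is the output pipe, so the parent
               drains this message. */
            Sagan_Log(WARN, "[%s, line %d] Cannot execute %s", __FILE__, __LINE__, execute_script);
            _exit(1);
        }

    /* Parent. */
    close(in[0]);
    close(out[1]);

    /* Feed the event to the child's stdin, coping with short writes. A write
       failure (script exited early, pipe closed) is best effort, as before.
       NOTE(review): this assumes SIGPIPE is ignored by the daemon; otherwise a
       script that exits before reading stdin terminates the process. It also
       assumes data fits the pipe buffer or the script reads stdin before
       producing much output, else both ends can block on each other. */
    len = strlen(data);
    for ( off = 0; off < len; off += (size_t)n )
        {
            n = write(in[1], data + off, len - off);
            if ( n <= 0 )
                {
                    break;
                }
        }
    close(in[1]);

    /* Drain the script's stdout/stderr until EOF so a chatty script cannot
       fill the pipe and hang before waitpid(). The text itself is unused.
       Reading sizeof(buf)-1 keeps the terminator in bounds: the old single
       read() followed by buf[n]=0 wrote one past the end when n==sizeof(buf)
       and wrote buf[-1] when read() failed. */
    while ( (n = read(out[0], buf, sizeof(buf) - 1)) > 0 )
        {
            buf[n] = '\0';
        }
    close(out[0]);

    waitpid(pid, NULL, 0);

    pthread_mutex_unlock( &ext_mutex );

    if ( debug->debugexternal == 1 )
        {
            Sagan_Log(DEBUG, "[%s, line %d] Executed %s", __FILE__, __LINE__, execute_script);
        }
}

sagan-1.2.0/src/output-plugins/alert.h0000644000175000017500000000201313310531444016625 0ustar champchamp/*
** Copyright (C) 2009-2018 Quadrant Information Security
** Copyright (C) 2009-2018 Champ Clark III
**
** This program is free software; you can redistribute it and/or modify
** it under the terms of the GNU General Public License Version 2 as
** published by the Free Software Foundation. You may not use, modify or
** distribute this program under any other version of the GNU General
** Public License.
**
** This program is distributed in the hope that it will be useful,
** but WITHOUT ANY WARRANTY; without even the implied warranty of
** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.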
See the ** GNU General Public License for more details. ** ** You should have received a copy of the GNU General Public License ** along with this program; if not, write to the Free Software ** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. */ #ifdef HAVE_CONFIG_H #include "config.h" /* From autoconf */ #endif void Alert_File( _Sagan_Event *); sagan-1.2.0/src/output-plugins/unified2.c0000644000175000017500000006711413310531444017233 0ustar champchamp/* ** Copyright (C) 2009-2018 Quadrant Information Security ** Copyright (C) 2009-2018 Champ Clark III ** ** This program is free software; you can redistribute it and/or modify ** it under the terms of the GNU General Public License Version 2 as ** published by the Free Software Foundation. You may not use, modify or ** distribute this program under any other version of the GNU General ** Public License. ** ** This program is distributed in the hope that it will be useful, ** but WITHOUT ANY WARRANTY; without even the implied warranty of ** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ** GNU General Public License for more details. ** ** You should have received a copy of the GNU General Public License ** along with this program; if not, write to the Free Software ** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. */ /* unified2.c * * This allows Sagan to output to a Snort's 'unified2' format. This format * can then be read by programs like barnyard2, etc. 
* */ #ifdef HAVE_CONFIG_H #include "config.h" /* From autoconf */ #endif #if defined(HAVE_DNET_H) || defined(HAVE_DUMBNET_H) #include #include #include #include #include #include #include #include #ifdef HAVE_DUMBNET_H #include #else #include #endif #include "sagan.h" #include "sagan-defs.h" #include "sagan-config.h" #include "classifications.h" #include "output-plugins/unified2.h" sbool endian; uint64_t unified_event_id; struct _Rule_Struct *rulestruct; struct _Class_Struct *classstruct; struct _SaganCounters *counters; struct _SaganConfig *config; static void Unified2Write( uint8_t *, uint32_t ); static int SafeMemcpy(void *, const void *, size_t, const void *, const void *); static int inBounds(const uint8_t *, const uint8_t *, const uint8_t *); static void Unified2RotateFile( void ); static uint8_t write_pkt_buffer[sizeof(Serial_Unified2_Header) + sizeof(Serial_Unified2IDSEvent_legacy) + IP_MAXPACKET]; #define write_pkt_end (write_pkt_buffer + sizeof(write_pkt_buffer)) #define MAX_XDATA_WRITE_BUF_LEN (MAX_XFF_WRITE_BUF_LENGTH - \ sizeof(struct in6_addr) + DECODE_BLEN) char *eth_addr="00:11:22:33:44:55"; /* Bogus ethernet address for ethernet frame */ /*********************************************************/ /* Unified2InitFile - Initializes the file to be openned */ /*********************************************************/ void Unified2InitFile( void ) { char filepath[1024]; char *fname_ptr; if (config == NULL) { Sagan_Log(ERROR, "[%s, line %d] Could not init Unified2. 
Config data is null", __FILE__, __LINE__ ); } config->unified2_timestamp = (uint32_t)time(NULL); if (!config->unified2_nostamp) { if (SaganSnprintf(filepath, sizeof(filepath), "%s.%u", config->unified2_filepath, config->unified2_timestamp) != SAGAN_SNPRINTF_SUCCESS) Sagan_Log(ERROR, "[%s, line %d] Failed to copy Unified2 file path", __FILE__, __LINE__); fname_ptr = filepath; } else { fname_ptr = config->unified2_filepath; } if ((config->unified2_stream = fopen(fname_ptr, "wb")) == NULL) { Sagan_Log(ERROR, "[%s, line %d] Cannot open file %s.", __FILE__, __LINE__, fname_ptr); } } /****************************************************/ /* Sagan_Unified2 - Write the Unified2 event */ /****************************************************/ void Unified2( _Sagan_Event *Event ) { int i=0; uint32_t write_len = 0; unsigned char ip_src[MAXIPBIT] = {0}; unsigned char ip_dst[MAXIPBIT] = {0}; Serial_Unified2_Header *hdr = (Serial_Unified2_Header *)&write_pkt_buffer[0]; uint8_t *alertdata = (uint8_t*)hdr + sizeof(Serial_Unified2_Header); int type = Is_IPv6(Event->ip_src) || Is_IPv6(Event->ip_dst) ? UNIFIED2_IDS_EVENT_IPV6 : UNIFIED2_IDS_EVENT; memset(write_pkt_buffer, 0, sizeof(write_pkt_buffer)); hdr->type = htonl(type); // EXTRA DATA type hdr->length = htonl(UNIFIED_SIZE(alertdata, type)); UNIFIED_SET(alertdata, type, event_id, htonl(unified_event_id)); // Event ID (increments) UNIFIED_SET(alertdata, type, event_second, htonl(Event->event_time.tv_sec)); // Event epoch UNIFIED_SET(alertdata, type, event_microsecond, htonl( Event->event_time.tv_usec)); // Event microseconds UNIFIED_SET(alertdata, type, signature_id, htonl(atoi(Event->sid))); UNIFIED_SET(alertdata, type, signature_revision, htonl(atoi(Event->rev))); // Rule Revision /* Search for the classification type. 
*/ /* There's probably a better way to do this - Champ Clark III - 02/17/2011 */ for(i=0; i < counters->classcount; i++) { if (!strcmp(Event->class, classstruct[i].s_shortname)) { UNIFIED_SET(alertdata, type, classification_id, htonl(i + 1)); } } UNIFIED_SET(alertdata, type, priority_id, htonl(Event->pri)); // Priority UNIFIED_SET(alertdata, type, protocol, Event->ip_proto); // Protocol UNIFIED_SET(alertdata, type, generator_id, htonl(Event->generatorid)); // From gen-msg.map IP2Bit(Event->ip_src, ip_src); /* Already in network byte order. *NOTE* For now, if one side isn't IPv6 but the other is, just convert to IPv4-mapped address. This is probably not the best solution */ if (type == UNIFIED2_IDS_EVENT_IPV6 && !Is_IPv6(Event->ip_src)) { memset(alertdata + UNIFIED_OFF(alertdata, type, ip_source) + UNIFIED_MEMBER_SIZE(alertdata, type, ip_source) - UNIFIED_MEMBER_SIZE(alertdata, UNIFIED2_IDS_EVENT, ip_source) - 2, 0xff, 2); memcpy(alertdata + UNIFIED_OFF(alertdata, type, ip_source) + UNIFIED_MEMBER_SIZE(alertdata, type, ip_source) - UNIFIED_MEMBER_SIZE(alertdata, UNIFIED2_IDS_EVENT, ip_source), ip_src, UNIFIED_MEMBER_SIZE(alertdata, UNIFIED2_IDS_EVENT, ip_source)); } else { memcpy(alertdata + UNIFIED_OFF(alertdata, type, ip_source), ip_src, UNIFIED_MEMBER_SIZE(alertdata, type, ip_source)); } IP2Bit(Event->ip_dst, ip_dst); /* Already in network byte order. 
*/ if (type == UNIFIED2_IDS_EVENT_IPV6 && !Is_IPv6(Event->ip_dst)) { memset(alertdata + UNIFIED_OFF(alertdata, type, ip_destination) + UNIFIED_MEMBER_SIZE(alertdata, type, ip_destination) - UNIFIED_MEMBER_SIZE(alertdata, UNIFIED2_IDS_EVENT, ip_destination) - 2, 0xff, 2); memcpy(alertdata + UNIFIED_OFF(alertdata, type, ip_destination) + UNIFIED_MEMBER_SIZE(alertdata, type, ip_destination) - UNIFIED_MEMBER_SIZE(alertdata, UNIFIED2_IDS_EVENT, ip_destination), ip_dst, UNIFIED_MEMBER_SIZE(alertdata, UNIFIED2_IDS_EVENT, ip_destination)); } else { memcpy(alertdata + UNIFIED_OFF(alertdata, type, ip_destination), ip_dst, UNIFIED_MEMBER_SIZE(alertdata, type, ip_destination)); } UNIFIED_SET(alertdata, type, sport_itype, htons(Event->src_port)); UNIFIED_SET(alertdata, type, dport_icode, htons(Event->dst_port)); /* Rotate if log has gotten to big */ write_len = sizeof(Serial_Unified2_Header) + UNIFIED_SIZE(alertdata, type); if ((config->unified2_current + write_len) > config->unified2_limit) { Unified2RotateFile(); } Unified2Write(write_pkt_buffer, write_len); } /*****************************************************************************/ /* Unified2LogPacketAlert - Create's a raw TCP/UDP/IP/ICMP 'packet' */ /* This packet is "fake", as we are taking syslog data and 'building' */ /* a packet with libdnet. This fake packet is then fed to the Unified2 */ /* file for reading by Barnyard2, etc. */ /*****************************************************************************/ void Unified2LogPacketAlert( _Sagan_Event *Event ) { Serial_Unified2_Header hdr; Serial_Unified2Packet logheader; uint32_t pkt_length = 0; uint32_t i = 0; uint32_t write_len = sizeof(Serial_Unified2_Header) + sizeof(Serial_Unified2Packet) - 4; unsigned char tmp_ip[MAXIPBIT] = {0}; uint32_t *tmp_ip_u32 = (uint32_t *)&tmp_ip[0]; int version; /* Barnyard2 doesn't really support IPv6 and throws errors when set this way. 
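We leave it as IPv4 as a kludge around this issue :( */

    if ( !config->unified2_force_ipv4 )
        {
            version = Is_IPv6(Event->ip_src) || Is_IPv6(Event->ip_dst) ? 6 : 4;
        }
    else
        {
            version = 4;
        }

    memset(write_pkt_buffer, 0, sizeof(write_pkt_buffer));

    /* Ethernet */
    u_char eth_buf[ETH_LEN_MAX];
    struct eth_hdr *eth;
    int len_eth = 0;
    struct addr addr;

    /* IP header */
    struct ip_hdr *ip;
    u_char iphdr_buf[IP_LEN_MAX];
    int len_iphdr = 0;

    /* Transport header (TCP, UDP or ICMP) is built in place; only the first
       p_len bytes are ever used. */
    u_char packet_buf[IP_LEN_MAX];
    struct tcp_hdr *tcp;
    struct udp_hdr *udp;
    struct icmp_hdr *icmp;
    int p_len = 0;

    /* 'Packet' payload (syslog data) */
    uint8_t packet_data[63556];
    unsigned int len_payload = strlen(Event->message);   /* Our payload 'length' */

    /* Build the ethernet frame (bogus, fixed MAC on both sides) */
    eth = (struct eth_hdr *)eth_buf;
    memset(eth, 0, sizeof(*eth));
    eth->eth_type = htons(ETH_TYPE_IP);
    addr_aton(eth_addr, &addr);
    memcpy(&eth->eth_src, &addr.addr_eth, ETH_ADDR_LEN);
    addr_aton(eth_addr, &addr);
    memcpy(&eth->eth_dst, &addr.addr_eth, ETH_ADDR_LEN);
    len_eth = ETH_HDR_LEN;

    if ( Event->ip_proto == 0 )
        {
            Sagan_Log(WARN, "[%s, line %d] Protocol set to 0! NOT logging to unfied2!", __FILE__, __LINE__);
            return;
        }

    /* Type == UDP */
    if ( Event->ip_proto == 17 )
        {
            udp = (struct udp_hdr *)packet_buf;
            memset(udp, 0, sizeof(*udp));
            udp->uh_sport = htons(Event->src_port);
            udp->uh_dport = htons(Event->dst_port);
            p_len = UDP_HDR_LEN;
            udp->uh_ulen = htons(p_len + len_payload);
        }
    /* Type == TCP */
    else if ( Event->ip_proto == 6 )
        {
            tcp = (struct tcp_hdr *)packet_buf;
            memset(tcp, 0, sizeof(*tcp));
            tcp->th_sport = htons(Event->src_port);
            tcp->th_dport = htons(Event->dst_port);
            tcp->th_seq = 0;
            tcp->th_ack = 0;
            tcp->th_off = 5;
            tcp->th_flags = TH_SYN;   /* or TH_FIN, TH_PUSH */
            tcp->th_win = TCP_WIN_MAX;
            tcp->th_urp = 0;
            p_len = TCP_HDR_LEN;
        }
    /* Type == ICMP */
    else if ( Event->ip_proto == 1 )
        {
            icmp = (struct icmp_hdr *)packet_buf;
            memset(icmp, 0, sizeof(*icmp));
            icmp->icmp_type = ICMP_ECHO;
            icmp->icmp_code = 0;
            p_len = ICMP_HDR_LEN;
        }
    else
        {
            /* Previously any other protocol fell through with p_len == 0 and an
               uninitialised packet_buf; the header copy loop then ran with a
               negative bound converted to unsigned and overran packet_data. */
            Sagan_Log(WARN, "[%s, line %d] Unsupported protocol %d. NOT logging to unified2!", __FILE__, __LINE__, Event->ip_proto);
            return;
        }

    /* We'll always need a IP header, so build it here */
    ip = (struct ip_hdr *)iphdr_buf;
    memset(ip, 0, sizeof(*ip));
    ip->ip_hl = 5;
    ip->ip_v = version;   /* NOTE(review): an IPv4-shaped header stamped with version 6 is not a real IPv6 packet */
    ip->ip_tos = 0;
    ip->ip_id = 0;
    ip->ip_off = 0;
    ip->ip_ttl = IP_TTL_MAX;
    ip->ip_p = Event->ip_proto;
    ip->ip_sum = 0;

    /* *NOTE*: These will be wrong for IPv6 addresses
       *TODO*: Even though the legacy format doesn't take the IPv6 address it
       should be possible to provide a fake IPv6 packet here. */
    IP2Bit(Event->ip_src, tmp_ip);
    ip->ip_src = *tmp_ip_u32;
    IP2Bit(Event->ip_dst, tmp_ip);
    ip->ip_dst = *tmp_ip_u32;
    len_iphdr = IP_HDR_LEN;

    /* Everything below is assembled in packet_data, so refuse a payload that
       would not fit. The old code had no bound here and the copy loops ran
       off the end of the array for long messages. */
    pkt_length = len_eth + len_iphdr + p_len + len_payload;
    if ( pkt_length > sizeof(packet_data) )
        {
            Sagan_Log(WARN, "[%s, line %d] Pseudo packet of %u bytes is too large. NOT logging to unified2!", __FILE__, __LINE__, pkt_length);
            return;
        }

    ip->ip_len = htons( len_payload + p_len + len_iphdr);   /* Don't include eth frame. */
    ip_checksum(iphdr_buf, len_iphdr);   /* Valid checksum */

    write_len += pkt_length;

    /***************************************************************************/
    /* Here we populate the data needed for the Packet portion of the Unified2 */
    /* output.                                                                 */
    /***************************************************************************/

    logheader.sensor_id = 0;
    logheader.linktype = htonl(1);   /* linktype set to ethernet (don't need tokenring, etc). */
    logheader.event_id = htonl(unified_event_id);
    logheader.event_second = htonl(Event->event_time.tv_sec);
    logheader.packet_second = htonl(Event->event_time.tv_sec);
    logheader.packet_microsecond = htonl(Event->event_time.tv_usec);
    logheader.packet_length = htonl(len_eth + len_iphdr + p_len + len_payload);

    hdr.length = htonl(sizeof(Serial_Unified2Packet) - 4 + pkt_length);
    hdr.type = htonl(UNIFIED2_PACKET);

    if (SafeMemcpy(write_pkt_buffer, &hdr, sizeof(Serial_Unified2_Header), write_pkt_buffer, write_pkt_end) != SAFEMEM_SUCCESS)
        {
            Sagan_Log(ERROR, "[%s, line %d] Failed to copy Serial_Unified2_Header.", __FILE__, __LINE__);
            return;
        }

    if (SafeMemcpy(write_pkt_buffer + sizeof(Serial_Unified2_Header), &logheader, sizeof(Serial_Unified2Packet) - 4, write_pkt_buffer, write_pkt_end) != SAFEMEM_SUCCESS)
        {
            Sagan_Log(ERROR, "[%s, line %d] Failed to copy Serial_Unified2Packet.", __FILE__, __LINE__ );
            return;
        }

    /* packet_data stores our fake 'packet' information: ethernet frame, IP
       header, the full transport header (the old loop stopped one byte short
       and left that byte uninitialised), then the payload. pkt_length was
       checked against sizeof(packet_data) above. */
    memcpy(packet_data, eth_buf, len_eth);
    memcpy(packet_data + len_eth, iphdr_buf, len_iphdr);
    memcpy(packet_data + len_eth + len_iphdr, packet_buf, p_len);
    memcpy(packet_data + len_eth + len_iphdr + p_len, Event->message, len_payload);

    /* Copy it to our Unified2/write_pkt_buffer */
    if (SafeMemcpy(write_pkt_buffer + sizeof(Serial_Unified2_Header) + sizeof(Serial_Unified2Packet) - 4, packet_data, pkt_length, write_pkt_buffer, write_pkt_end) != SAFEMEM_SUCCESS)
        {
            Sagan_Log(ERROR, "[%s, line %d] Failed to copy pseudo packet data.", __FILE__, __LINE__);
            return;
        }

    Unified2Write(write_pkt_buffer, write_len);
}

/*****************************************************************************/
/* The below functions where taken from Sourcefire's "Snort" for direct      */
/* compatibility.                                                            */
/*****************************************************************************/

/* Unified2CleanExit - close the unified2 stream and release the config block. */
void Unified2CleanExit( void )
{
    if (config != NULL)
        {
            if (config->unified2_stream != NULL)
                fclose(config->unified2_stream);
            free(config);
        }
}

/* Unified2RotateFile - close the current unified2 file and open a fresh one
   (Unified2InitFile picks the new name/timestamp). */
static void Unified2RotateFile( void )
{
    fclose(config->unified2_stream);
    config->unified2_current = 0;
    Unified2InitFile();
}

int SaganSnprintf(char *buf, size_t buf_size, const char *format, ...)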
{
    /* SaganSnprintf body (signature precedes this block).
     *
     * A bounded vsnprintf wrapper.  Returns SAGAN_SNPRINTF_ERROR for a NULL
     * buffer/format, a zero buf_size, or a vsnprintf failure;
     * SAGAN_SNPRINTF_TRUNCATION when the formatted output did not fit (buf is
     * still NUL terminated); SAGAN_SNPRINTF_SUCCESS otherwise.
     * NOTE: buf_size is a size_t, so "buf_size <= 0" only ever catches 0. */
    va_list ap;
    int ret;

    if (buf == NULL || buf_size <= 0 || format == NULL)
        {
            return SAGAN_SNPRINTF_ERROR;
        }

    /* zero first byte in case an error occurs with
     * vsnprintf, so buffer is null terminated with
     * zero length */
    buf[0] = '\0';
    buf[buf_size - 1] = '\0';

    va_start(ap, format);
    ret = vsnprintf(buf, buf_size, format, ap);
    va_end(ap);

    if (ret < 0)
        {
            return SAGAN_SNPRINTF_ERROR;
        }

    /* Two truncation signals: the sentinel NUL was overwritten, or vsnprintf
     * reports it wanted at least buf_size bytes. */
    if (buf[buf_size - 1] != '\0' || (size_t)ret >= buf_size)
        {
            /* result was truncated */
            buf[buf_size - 1] = '\0';
            return SAGAN_SNPRINTF_TRUNCATION;
        }

    return SAGAN_SNPRINTF_SUCCESS;
}

/* SafeMemcpy - memcpy n bytes from src to dst, but only when the whole
 * destination range [dst, dst+n) lies inside [start, end).
 *
 * dst, src     : copy destination / source
 * n            : byte count (0 is rejected)
 * start, end   : the buffer the destination must stay within (end exclusive)
 *
 * Returns SAFEMEM_SUCCESS on success; every failure path is ERRORRET
 * (defined elsewhere in this file, presumably returning an error code -
 * confirm).
 *
 * Only the DESTINATION is bounds-checked.  src is checked for NULL but not
 * for readability or length, so the caller remains responsible for src
 * having n readable bytes. */
int SafeMemcpy(void *dst, const void *src, size_t n, const void *start, const void *end)
{
    void *tmp;

    if(n < 1)
        {
            ERRORRET;
        }

    if (!dst || !src || !start || !end)
        {
            ERRORRET;
        }

    /* Last byte that will be written; used to detect pointer wrap-around
     * and to bounds-check the end of the write, not just its start. */
    tmp = ((uint8_t*)dst) + (n-1);

    if (tmp < dst)
        {
            ERRORRET;
        }

    if(!inBounds(start,end, dst) || !inBounds(start,end,tmp))
        {
            ERRORRET;
        }

    memcpy(dst, src, n);

    return SAFEMEM_SUCCESS;
}

/* inBounds - 1 if p lies in the half-open range [start, end), else 0. */
int inBounds(const uint8_t *start, const uint8_t *end, const uint8_t *p)
{
    if(p >= start && p < end)
        {
            return 1;
        }

    return 0;
}

/* Unified2Write - append buf_len bytes from buf to the open Unified2 stream.
 *
 * Writes with a single fwrite()+fflush().  On failure the error is logged and
 * the write is retried: up to max_retries (3) times on EINTR, and once more
 * after a file rotation on EIO.  Any other errno is logged as
 * "Cannot write to device".
 *
 * NOTE(review): config->unified2_current is advanced by buf_len on every
 * path out of this function, including the ones where the data was never
 * written, so the rotation accounting can drift from the file's real size.
 *
 * NOTE(review): for a persistent errno other than EINTR/EIO (e.g. ENOSPC)
 * neither 'error' nor 'max_retries' is changed inside the outer loop, so it
 * would spin logging "Cannot write to device" unless Sagan_Log(ERROR, ...)
 * terminates the process - confirm Sagan_Log's ERROR semantics.  The Snort
 * original this was taken from calls FatalError() at that point. */
static void Unified2Write( uint8_t *buf, uint32_t buf_len )
{
    size_t fwcount = 0;
    int ffstatus = 0;

    /* Nothing to write or nothing to write to */
    if ((buf == NULL) || (config == NULL) || (config->unified2_stream == NULL))
        {
            return;
        }

    /* Don't use fsync(). It is a total performance killer */
    if (((fwcount = fwrite(buf, (size_t)buf_len, 1, config->unified2_stream)) != 1) ||
        ((ffstatus = fflush(config->unified2_stream)) != 0))
        {
            /* errno is saved just to avoid other intervening calls
             * (e.g. ErrorMessage) potentially reseting it to something else. */
            int error = errno;
            int max_retries = 3;

            /* On iterations other than the first, the only non-zero error will be
             * EINTR or interrupt.  Only iterate a maximum of max_retries times so
             * there is no chance of infinite looping if for some reason the write
             * is constantly interrupted */
            while ((error != 0) && (max_retries != 0))
                {
                    if (config->unified2_nostamp)
                        {
                            Sagan_Log(ERROR, "[%s, line %d] Failed to write Unified2 file (%s): %s", __FILE__, __LINE__, config->unified2_filepath, strerror(error));
                        }
                    else
                        {
                            Sagan_Log(ERROR, "[%s, line %d] Failed to write to Unified2 file. (%s.%u): %s", __FILE__, __LINE__, config->unified2_filepath, config->unified2_timestamp, strerror(error));
                        }

                    /* EINTR retry loop: max_retries is only ever decremented here. */
                    while ((error == EINTR) && (max_retries != 0))
                        {
                            max_retries--;

                            /* Supposedly an interrupt can only occur before anything
                             * has been written.  Try again */
                            Sagan_Log(WARN, "[%s, line %d] Got interrupt. Retry write to Unified2.", __FILE__, __LINE__);

                            if (fwcount != 1)
                                {
                                    /* fwrite() failed.  Redo fwrite and fflush */
                                    if (((fwcount = fwrite(buf, (size_t)buf_len, 1, config->unified2_stream)) == 1) &&
                                        ((ffstatus = fflush(config->unified2_stream)) == 0))
                                        {
                                            Sagan_Log(NORMAL, "[%s, line %d] Write to Unified2 file succeeded!", __FILE__, __LINE__);
                                            error = 0;
                                            break;
                                        }
                                }
                            else if ((ffstatus = fflush(config->unified2_stream)) == 0)
                                {
                                    /* fwrite() had succeeded; only the flush needs redoing. */
                                    Sagan_Log(NORMAL, "[%s, line %d] Write to Unified2 file succeeded!", __FILE__, __LINE__);
                                    error = 0;
                                    break;
                                }

                            error = errno;
                            Sagan_Log(ERROR, "[%s, line %d] Retrying write to Unified2 file failed", __FILE__, __LINE__);
                        }

                    /* If we've reached the maximum number of interrupt retries,
                     * just bail out of the main while loop (the loop condition
                     * sees max_retries == 0 and exits). */
                    if (max_retries == 0)
                        continue;

                    switch (error)
                        {
                        case 0:
                            break;

                        case EIO:
                            /* Treat an I/O error as a corrupt file: rotate and
                             * retry the write once against the fresh file. */
                            Sagan_Log(ERROR, "[%s, line %d] Unified2 file is corrupt", __FILE__, __LINE__);
                            Unified2RotateFile();

                            if (config->unified2_nostamp)
                                {
                                    Sagan_Log(NORMAL, "[%s, line %d] New Unified2 file: %s", __FILE__, __LINE__, config->unified2_filepath);
                                }
                            else
                                {
                                    Sagan_Log(NORMAL, "[%s, line %d] New Unified2 file: %s.%u", __FILE__, __LINE__, config->unified2_filepath, config->unified2_timestamp);
                                }

                            if (((fwcount = fwrite(buf, (size_t)buf_len, 1, config->unified2_stream)) == 1) &&
                                ((ffstatus = fflush(config->unified2_stream)) == 0))
                                {
                                    Sagan_Log(NORMAL, "[%s, line %d] Write to Unified2 file succeeded!", __FILE__, __LINE__);
                                    error = 0;
                                    break;
                                }

                            error = errno;

                            /* Loop again if interrupt */
                            if (error == EINTR)
                                break;

                            /* Write out error message again, then fall through and fatal */
                            if (config->unified2_nostamp)
                                {
                                    Sagan_Log(ERROR, "[%s, line %d] Failed to write to Unified2 file", __FILE__, __LINE__);
                                }
                            else
                                {
                                    Sagan_Log(ERROR, "[%s, line %d] Failed to write to Unified2 file", __FILE__, __LINE__);
                                }

                        /* Fall through */

                        case EAGAIN:  /* We're not in non-blocking mode */
                        case EBADF:
                        case EFAULT:
                        case EFBIG:
                        case EINVAL:
                        case ENOSPC:
                        case EPIPE:
                        default:
                            Sagan_Log(ERROR, "[%s, line %d] Cannot write to device", __FILE__, __LINE__);
                        }
                }

            if ((max_retries == 0) && (error != 0))
                {
                    Sagan_Log(ERROR, "[%s, line %d] Maximum number of interrupts exceeded.", __FILE__, __LINE__);
                }
        }

    /* Advanced unconditionally - see the NOTE(review) above. */
    config->unified2_current += buf_len;
}

/*****************************************************************************
 * Unified2WriteExtraData - Writes any "extra data" that might be useful
 * for analysis.  For example, we always write the syslog source IP as the
 * XFF or "original IP" address.
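*****************************************************************************/
void Unified2WriteExtraData( _Sagan_Event *Event, int type )
{
    /* Emit one UNIFIED2_EXTRA_DATA record for Event.
     *
     * Event : the event whose field is written; which field depends on type.
     * type  : one of the EVENT_INFO_* selectors handled in the switch below.
     *         An unknown selector is logged and NO record is written.
     *
     * The record is assembled in a fixed-size stack buffer (write_buffer)
     * with SafeMemcpy, which bounds-checks every copy against that buffer.
     * If any copy fails we return without calling Unified2Write: otherwise
     * Unified2Write would fwrite() write_len bytes, which for an over-long
     * URI/hostname extends past write_buffer, and for a failed header copy
     * covers stack bytes that were never initialised - either way stack
     * content would land in the on-disk Unified2 file.
     *
     * NOTE(review): normalize_http_uri / normalize_http_hostname are passed
     * straight to strlen(); this assumes they are NUL-terminated and non-NULL
     * whenever those selectors are used - confirm against the callers. */

    Serial_Unified2_Header hdr;
    SerialUnified2ExtraData alertdata;
    Unified2ExtraDataHdr alertHdr;
    uint8_t write_buffer[MAX_XDATA_WRITE_BUF_LEN];
    uint8_t *write_end = NULL;
    uint8_t *ptr = NULL;
    uint8_t *buffer = NULL;
    unsigned char ipbits[MAXIPBIT] = {0};
    uint32_t len = 0;
    uint32_t write_len = 0;

    /* Select the payload ("blob") and its length for this extra-data type. */
    switch(type)
        {
        case EVENT_INFO_XFF_IPV4:
            IP2Bit(Event->host, ipbits);
            buffer = (void *)ipbits;
            len = sizeof(uint32_t);     /* only the first 4 bytes of ipbits */
            break;

        case EVENT_INFO_XFF_IPV6:
            IP2Bit(Event->host, ipbits);
            buffer = (void *)ipbits;
            len = MAXIPBIT;
            break;

        case EVENT_INFO_IPV6_SRC:
            IP2Bit(Event->ip_src, ipbits);
            buffer = (void *)ipbits;
            len = MAXIPBIT;
            break;

        case EVENT_INFO_IPV6_DST:
            IP2Bit(Event->ip_dst, ipbits);
            buffer = (void *)ipbits;
            len = MAXIPBIT;
            break;

        case EVENT_INFO_HTTP_URI:
            buffer = (uint8_t*)Event->normalize_http_uri;
            len = strlen((char *)buffer);
            break;

        case EVENT_INFO_HTTP_HOSTNAME:
            buffer = (uint8_t*)Event->normalize_http_hostname;
            len = strlen((const char *)buffer);
            break;

        default:
            Sagan_Log(ERROR,"[%s, line %d] Whoa. Unknown Unified2 Extra Data type passed! Abort!!", __FILE__, __LINE__);
            return;   /* an unknown selector has no payload; do not emit a record */
        }

    /* Record layout: Serial_Unified2_Header, Unified2ExtraDataHdr,
     * SerialUnified2ExtraData, then the blob bytes. */
    write_len = sizeof(Serial_Unified2_Header) + sizeof(Unified2ExtraDataHdr);

    alertdata.sensor_id = 0;
    alertdata.event_id = htonl(unified_event_id);
    alertdata.event_second = htonl(Event->event_time.tv_sec);
    alertdata.data_type = htonl(EVENT_DATA_TYPE_BLOB);
    alertdata.type = htonl(type);
    /* blob_length counts data_type, blob_length itself and the payload. */
    alertdata.blob_length = htonl(sizeof(alertdata.data_type) + sizeof(alertdata.blob_length) + len);

    write_len = write_len + sizeof(alertdata) + len;

    alertHdr.event_type = htonl(EVENT_TYPE_EXTRA_DATA);
    alertHdr.event_length = htonl(write_len - sizeof(Serial_Unified2_Header));

    hdr.length = htonl(write_len - sizeof(Serial_Unified2_Header));
    hdr.type = htonl(UNIFIED2_EXTRA_DATA);

    /* Assemble the whole record before touching the output file, so a record
     * we end up rejecting never causes a file rotation. */
    write_end = write_buffer + sizeof(write_buffer);
    ptr = write_buffer;

    if (SafeMemcpy(ptr, &hdr, sizeof(hdr), write_buffer, write_end) != SAFEMEM_SUCCESS)
        {
            Sagan_Log(ERROR, "[%s, line %d] Failed to copy Serial_Unified2_Header.", __FILE__, __LINE__);
            return;
        }

    ptr = ptr + sizeof(hdr);

    if (SafeMemcpy(ptr, &alertHdr, sizeof(alertHdr), write_buffer, write_end) != SAFEMEM_SUCCESS)
        {
            Sagan_Log(ERROR, "[%s, line %d] Failed to copy Unified2ExtraDataHdr.", __FILE__, __LINE__);
            return;
        }

    ptr = ptr + sizeof(alertHdr);

    if (SafeMemcpy(ptr, &alertdata, sizeof(alertdata), write_buffer, write_end) != SAFEMEM_SUCCESS)
        {
            Sagan_Log(ERROR, "[%s, line %d] Failed to copy SerialUnified2ExtraData.", __FILE__, __LINE__);
            return;
        }

    ptr = ptr + sizeof(alertdata);

    /* SafeMemcpy rejects n == 0, and an empty URI/hostname is a legitimate
     * zero-length blob, so only copy when there is a payload.  A payload that
     * does not fit in write_buffer fails here and drops the record. */
    if (len > 0 &&
        SafeMemcpy(ptr, buffer, len, write_buffer, write_end) != SAFEMEM_SUCCESS)
        {
            Sagan_Log(ERROR, "[%s, line %d] Failed to copy extra data buffer.", __FILE__, __LINE__);
            return;
        }

    /* Rotate first if this record would push the current file past its limit. */
    if ((config->unified2_current + write_len) > config->unified2_limit)
        {
            Unified2RotateFile();
        }

    Unified2Write(write_buffer, write_len);
}

#endif

sagan-1.2.0/src/output-plugins/snortsam.h0000644000175000017500000004362513310531444017402 0ustar champchamp/* $Id: snortsam.h,v 2.41 2009/10/16 22:19:36 fknobbe Exp $
 *
 *
 * Copyright (c) 2001-2009 Frank Knobbe
 * All rights reserved.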
* * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. 
* * * Header file for SnortSam.c * */ #ifndef __SNORTSAM_H__ #define __SNORTSAM_H__ #ifdef _DEBUG #define FWSAMDEBUG #endif #ifdef DEBUG #define FWSAMDEBUG #endif /* room for platform defines, if any necessary */ #ifndef SOLARIS /* Addtl Solaris defines */ #if defined(SUN) || defined(SunOS) || defined(SPARC) #define SOLARIS #endif #endif #include #include #include #include #include #include #include #include #include #ifdef WIN32 /* ------------------ Windows platform specific stuff ----------------------- */ #include "win32_service.h" #include /* included to provide compatibility with plugins not written under Windows (although I'm mainly developing under FreeBSD now...)*/ #define SIGKILL 9 /* kill (cannot be caught or ignored) */ #define SIGQUIT 3 /* quit */ #define SIGHUP 1 /* hangup */ #define SIGUSR1 30 /* user defined signal 1 */ #define SIGUSR2 31 /* user defined signal 2 */ #define SIGPIPE 13 /* write on a pipe with no one to read it */ #define strncasecmp strnicmp #define strcasecmp stricmp #define snprintf _snprintf #define vsnprintf _vsnprintf #define bzero(x, y) memset((x), 0, (y)) #define execv _execv #define getpid _getpid #define index strchr #define bcopy(x, y, z) memcpy((void *)x, (const void *)y, (size_t) z) #define mkdir(x, y) _mkdir(x) #define read _read #define write _write #define lseek _lseek #ifndef ssize_t typedef size_t ssize_t; #endif #ifndef pid_t typedef int pid_t; #endif #ifndef pthread_mutex_t typedef HANDLE pthread_mutex_t; #endif #ifndef pthread_t typedef HANDLE pthread_t; #endif #ifndef u_long typedef unsigned long u_long; #endif #ifndef u_int32_t typedef unsigned long u_int32_t; #endif #ifndef u_word typedef unsigned short u_word; #endif #ifndef u_int16_t typedef unsigned short u_int16_t; #endif #ifndef u_char typedef unsigned char u_char; #endif #ifndef u_int8_t typedef unsigned char u_int8_t; #endif #else /* ------------------ Other platform specific stuff ----------------------- */ #include #include #include #include #include 
#include #include #ifdef SOLARIS #include #ifndef _uint_defined #include typedef uint32_t u_int32_t; typedef uint16_t u_int16_t; typedef uint8_t u_int8_t; #define _uint_defined #endif /* _uint_defined */ #endif #define stricmp strcasecmp #define strnicmp strncasecmp /* PLUGIN WRITER: Please use the following for socket stuff */ typedef int SOCKET; #define ioctlsocket ioctl #define closesocket close #endif /* ------------------ End platform specific stuff ----------------------- */ #include "output-plugins/snortsam-twofish.h" /* compatibilty stuff */ #ifndef INVALID_SOCKET #define INVALID_SOCKET -1 #endif #ifndef INADDR_NONE #define INADDR_NONE -1 #endif #ifndef FALSE #define FALSE 0 #endif #ifndef TRUE #define TRUE !FALSE #endif #ifndef bool #define bool int #endif /* Use only if necessary */ /* #ifndef _TIME_T_DEFINED typedef long time_t; #define _TIME_T_DEFINED #endif */ #ifdef ENABLE_OPSEC #define _MYLIBCSTUFF /* Resolves a conflict between libc.lib and msvcrt.lib under Windows */ #endif #ifndef _MYLIBCSTUFF #define myisdigit(x) isdigit(x) #define myisspace(x) isspace(x) #define mytolower(x) tolower(x) #endif /* defines */ #define safecopy(dst,src) _safecp(dst,sizeof(dst),src) #define FWSAMHISTORYVERSION "SSSF01" /* Magic is probably better word. Records filetype and version in header of state file. */ #define BLOCKQUEUESIZE 20000 /* Create a blocking queue with this many blocking requests. It's set a bit high to accomodate the rollback field */ #define QUEUE_RETRYTIME 3000 /* If the queue is full, wait three seconds and check again for a free slot for a blocking request */ #define STRBUFSIZE 1024 #define FILEBUFSIZE 512 #define FWSAM_DEFAULTPORT 898 /* Default port if user does not specify one in snort.conf */ /* (Was unused last time I checked...) 
*/ #define FWSAM_PACKETVERSION 14 #define FWSAM_PACKETVERSION_PERSISTENT_CONN 15 #define FWSAM_STATUS_CHECKIN 1 /* snort to fw */ #define FWSAM_STATUS_CHECKOUT 2 #define FWSAM_STATUS_BLOCK 3 #define FWSAM_STATUS_UNBLOCK 9 #define FWSAM_STATUS_OK 4 /* fw to snort */ #define FWSAM_STATUS_ERROR 5 #define FWSAM_STATUS_NEWKEY 6 #define FWSAM_STATUS_RESYNC 7 #define FWSAM_STATUS_HOLD 8 #define FWSAM_LOG_NONE 0 #define FWSAM_LOG_SHORTLOG 1 #define FWSAM_LOG_SHORTALERT 2 #define FWSAM_LOG_LONGLOG 3 #define FWSAM_LOG_LONGALERT 4 #define FWSAM_LOG (FWSAM_LOG_SHORTLOG|FWSAM_LOG_SHORTALERT|FWSAM_LOG_LONGLOG|FWSAM_LOG_LONGALERT) #define FWSAM_WHO_DST 8 #define FWSAM_WHO_SRC 16 #define FWSAM_WHO (FWSAM_WHO_DST|FWSAM_WHO_SRC) #define FWSAM_HOW_IN 32 #define FWSAM_HOW_OUT 64 #define FWSAM_HOW_INOUT (FWSAM_HOW_IN|FWSAM_HOW_OUT) #define FWSAM_HOW_THIS 128 #define FWSAM_HOW (FWSAM_HOW_IN|FWSAM_HOW_OUT|FWSAM_HOW_THIS) /* Plugin status */ #define ACTIVE 2 #define INACTIVE 1 #define DISABLED 0 /* Checkpoint SAM packet offsets */ #define CP_DATALEN 27 /* byte */ #define CP_IPADDR 40 /* long */ #define CP_ACTION 47 /* byte */ #define CP_DURATION 48 /* long */ #define CP_LOGTYPE 55 /* byte */ #define CP_MODSTR 60 /* string */ /* Variable Definitions */ typedef struct _blockinfo /* Block info structure */ { unsigned long sig_id; /* Snort Signature ID (for logging/presentation) */ unsigned long blockip; /* IP to be blocked */ unsigned long peerip; /* Peer IP (if connection) */ time_t duration; /* Duration of block */ time_t blocktime; /* Time when block started */ unsigned short port; /* Port (if connection) */ unsigned short proto; /* Protocol (if connection) */ unsigned short mode; /* Blocking mode (src, dst, connection) */ short block; /* block or unblock flag --- this flag is dynamically changed */ } BLOCKINFO; typedef struct _oldblockinfo /* Block info structure */ { unsigned long blockip; /* IP to be blocked */ unsigned long peerip; /* Peer IP (if connection) */ time_t duration; /* 
Duration of block */ time_t blocktime; /* Time when block started */ unsigned short port; /* Port (if connection) */ unsigned short proto; /* Protocol (if connection) */ unsigned short mode; /* Blocking mode (src, dst, connection) */ short block; /* block or unblock flag --- this flag is dynamically changed */ } OLDBLOCKINFO; typedef struct _blockqueue /* queue for blocking requests */ { BLOCKINFO blockinfo; /* COPY of block request (not just pointer) */ volatile unsigned long processing; /* how many plugins are processing this request */ unsigned long originator; /* Orignating IP address so that forwarder can skip sending a request back to another Snortsam if it received it from there. */ int forceunblock; /* Unblocking can be forced even if plugin does expiration itself. */ int extension; /* On devices that don't time-out, skip the repeated block. On devices that time-out themselves, block again. */ int reload; /* Set TRUE on a queue entry caused by a USR1 reload. */ } BLOCKQUEUE; typedef struct _datalist /* List of plugin devices/parameters */ { void *data; /* Pointer to list data */ volatile unsigned long readpointer; /* Pointer to queue request */ volatile int busy; /* Busy/Free flag */ struct _datalist *next; /* Pointer to next element */ } DATALIST; typedef struct _threadtable /* This table is allocated with room for all possible threads. It keeps track of: */ { volatile pthread_t threadid; /* a) the Thread ID so that getout() can cancel all running threads before exit (handle under Windows), */ volatile unsigned long winthreadid; /* Also, the Windows thread ID. Under Windows, this is the ID, above is the handle. */ unsigned long plugin; /* b) the plugin parameter for a thread, */ DATALIST *datap; /* c) the data pointer parameter for a thread. 
*/ } THREADTABLE; typedef struct _snortsensor /* structure for a snort sensor */ { struct _snortsensor *next; struct in_addr snortip; /* IP address of sensor */ BLOCKINFO *rbfield; /* an array of block structs for rollback */ TWOFISH *snortfish; /* the TwoFish of the sensor */ time_t *rbmeterfield; /* array of times, for threshold metering */ time_t lastcontact; /* last contact not used yet */ time_t lastkeytime; /* Last time keys got negotiated */ time_t sleepstart; /* */ unsigned long actrb; /* pointer to the next empty slot to note blocking info */ unsigned long actrbmeter; /* pointer to the next emtpy meter slot */ int persistentsocket; /* Flag for permanent connection */ int toberemoved; /* Flag to schedule sensor for removal. */ unsigned short myseqno; /* the SnortSam packet sequence number */ unsigned short snortseqno; /* and the one from the snort box */ SOCKET snortsocket; /* the socket of that sensor */ unsigned char snortkeymod[4]; /* snortbox key modifier (random, supplied at check-in) */ unsigned char mykeymod[4]; /* SnortSam key modifier (random, returned at check-in) */ unsigned char currentkey[TwoFish_KEY_LENGTH+2]; /* the current key (intial key kept in accept list) */ unsigned char packetversion; /* The packet version the sensor uses. 
*/ } SENSORLIST; typedef struct _FWsampacket /* 2 blocks (3rd block is header from TwoFish) */ { unsigned short endiancheck; /* 0 */ unsigned char srcip[4]; /* 2 */ unsigned char dstip[4]; /* 6 */ unsigned char duration[4]; /* 10 */ unsigned char snortseqno[2]; /* 14 */ unsigned char fwseqno[2]; /* 16 */ unsigned char srcport[2]; /* 18 */ unsigned char dstport[2]; /* 20 */ unsigned char protocol[2]; /* 22 */ unsigned char fwmode; /* 24 */ unsigned char version; /* 25 */ unsigned char status; /* 26 */ unsigned char sig_id[4]; /* 27 */ unsigned char fluff; /* 31 */ } FWsamPacket; /* 32 bytes in size */ typedef struct _Old13FWsampacket /* about 2 blocks (3rd block is header from TwoFish) */ { unsigned short endiancheck; /* 0 */ unsigned char srcip[4]; /* 2 */ unsigned char dstip[4]; /* 6 */ unsigned char duration[4]; /* 10 */ unsigned char snortseqno[2]; /* 14 */ unsigned char fwseqno[2]; /* 16 */ unsigned char srcport[2]; /* 18 */ unsigned char dstport[2]; /* 20 */ unsigned char protocol[2]; /* 22 */ unsigned char fwmode; /* 24 */ unsigned char version; /* 25 */ unsigned char status; /* 26 */ } Old13FWsamPacket; /* 27 */ typedef struct _dontblocklist /* list of IP's/nets never to be blocked */ { struct _dontblocklist *next; struct in_addr ip; unsigned long mask; int block; } DONTBLOCKLIST; typedef struct _onlyblocklist /* list of IP's/nets never to be blocked */ { struct _onlyblocklist *next; struct in_addr ip; unsigned long mask; int block; } ONLYBLOCKLIST; typedef struct _overridelist /* list of IP's/nets where block duration is overridden */ { struct _overridelist *next; struct in_addr ip; unsigned long mask; time_t newduration; } OVERRIDELIST; typedef struct _limitlist /* list of IP's/nets where block duration is limited */ { struct _limitlist *next; struct in_addr ip; unsigned long mask; time_t limit; int upper; } LIMITLIST; typedef struct _acceptlist /* list of authorized snort sensors (with their initial key) */ { struct _acceptlist *next; struct in_addr ip; 
unsigned long mask; unsigned char initialkey[TwoFish_KEY_LENGTH+2]; } ACCEPTLIST; typedef struct _sidfilterlist /* list of accepted or denied SIDs from listed sensor/network */ { struct _sidfilterlist *next; struct in_addr ip; unsigned long mask; unsigned long *sidarray; unsigned long sidcount; int typedenied; } SIDFILTERLIST; typedef struct _fwdata { struct in_addr ip; } FWDATA; typedef struct _blockhistory { struct _blockhistory *next; BLOCKINFO blockinfo; } BLOCKHISTORY; /* Global Vars */ #if !defined( __SNORTSAM_C__) && !defined(__SAMTOOL_C__) extern unsigned long netmask[2][33]; extern unsigned short netmaskbigendian; extern char myhostname[STRBUFSIZE+2]; #endif /* Functions */ #define getnetmask(x) (netmask[netmaskbigendian][(((unsigned int)atoi(x))>32?32:(unsigned int)atoi(x))]) #ifdef _MYLIBCSTUFF char mytolower(char c); int myisspace(unsigned char c); int myisdigit(char c); #endif void _safecp(char *dst,unsigned long max,char *src); void *safemalloc(unsigned long,char *,char *); void waitms(unsigned int); void showerror(void); void getout(int ret); char *inettoa(unsigned long ip); void logmessage(unsigned int level,char *logmsg,char *module,unsigned long ip); unsigned long parseduration(char *p); unsigned long getip(char *ipstr); char *gethstname(unsigned long ip); void parseline(char *arg,bool first,char *file,unsigned long line); void parsefile(char *cfgfile,bool first,char *callingfile,unsigned long callingline); void adddontblock(unsigned long ip, unsigned long mask,int block, char *func, char *what); void addoverride(unsigned long ip, unsigned long mask, unsigned long dur, char *func, char *what); void sortacceptlist(void); void sortdontblocklist(void); void sortoverridelist(void); void sortlimitlist(void); void sortsidfilterlist(void); void sortpluginindex(void); ACCEPTLIST *allowedhost(unsigned long addr); int dontblockhost(unsigned long addr,int block); unsigned long override_duration_on_host(unsigned long addr,unsigned long duration); unsigned 
long limit_duration_on_sensor(unsigned long addr,unsigned long duration); int sid_denied_from_sensor(unsigned long addr, unsigned long sid); SENSORLIST *getsnorty(unsigned long addr,ACCEPTLIST *ap); void removesnort(SENSORLIST *snorty) ; void newkey(SENSORLIST *snortbox,FWsamPacket *packet); int sendpacket(SENSORLIST *snortbox,char *packet,unsigned long packetsize); void rollback(SENSORLIST *sensor); BLOCKHISTORY *inhistory(BLOCKINFO *bd); int isrepetitive(BLOCKINFO *bd); #if !defined(__SSP_ISA_CPP__) && !defined(__SSP_ISA2004_CPP__) void savehistory(void); #endif void block(SENSORLIST *snortbox,unsigned long bsip,unsigned short bsport, unsigned long bdip,unsigned short bdport, unsigned short bproto,time_t bduration,unsigned char bmode, time_t btime,unsigned long bsig_id); void unblock(BLOCKINFO *bhp,char *comment,unsigned long reqip,int force); void addtohistory(BLOCKHISTORY *,int); void clearhistory(void); void reloadhistory(int reblock); int processincomingrequest(SENSORLIST *snortbox,char *buf,unsigned long packetsize,ACCEPTLIST *acceptp); int waitfor(SOCKET sock,char *text,unsigned long timeout); int sendreceive(SOCKET socket,unsigned int timeout,char *plugin,struct in_addr ip,char *sendmsg,char *response,char *errmsg1,char *errmsg2); void addrequesttoqueue(short,BLOCKINFO *,int,int,int,unsigned long); void queuehandler(void); int moreinqueue(unsigned long); void multithreadhandler(THREADTABLE *); void singlethreadhandler(THREADTABLE *); signed long getfreethreadindex(void); void sig_usr1_flagger(int i); void sig_usr2_flagger(int i); #endif /* __SNORTSAM_H__ */ void FWSam( _Sagan_Event * ); int FWsamBlock(char *); /* Typedefs */ typedef struct _FWsamstation /* structure of a mgmt station */ { unsigned short myseqno; unsigned short stationseqno; unsigned char mykeymod[4]; unsigned char fwkeymod[4]; unsigned short stationport; struct in_addr stationip; struct sockaddr_in localsocketaddr; struct sockaddr_in stationsocketaddr; SOCKET stationsocket; /* the socket 
of that station */ TWOFISH *stationfish; char initialkey[TwoFish_KEY_LENGTH+2]; char stationkey[TwoFish_KEY_LENGTH+2]; time_t lastcontact; int persistentsocket; /* Flag for permanent connection */ unsigned char packetversion; /* The packet version the sensor uses. */ } FWsamStation; void FWsamNewStationKey(FWsamStation *,FWsamPacket *); void FWsamCheckOut(FWsamStation *); int FWsamCheckIn(FWsamStation *); sagan-1.2.0/src/output-plugins/alert.c0000644000175000017500000000517713310531444016636 0ustar champchamp/* ** Copyright (C) 2009-2018 Quadrant Information Security ** Copyright (C) 2009-2018 Champ Clark III ** ** This program is free software; you can redistribute it and/or modify ** it under the terms of the GNU General Public License Version 2 as ** published by the Free Software Foundation. You may not use, modify or ** distribute this program under any other version of the GNU General ** Public License. ** ** This program is distributed in the hope that it will be useful, ** but WITHOUT ANY WARRANTY; without even the implied warranty of ** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ** GNU General Public License for more details. ** ** You should have received a copy of the GNU General Public License ** along with this program; if not, write to the Free Software ** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. */ /* alert.c * * Provides logging functionality in a 'snort like' format. 
Usually in
 * the /var/log/sagan directory named 'alert'
 *
 */

#ifdef HAVE_CONFIG_H
#include "config.h"             /* From autoconf */
#endif

#include
#include
#include
#include

#include "sagan.h"
#include "alert.h"
#include "util-time.h"
#include "references.h"
#include "sagan-config.h"

struct _Rule_Struct *rulestruct;
struct _SaganConfig *config;
struct _SaganCounters *counters;

pthread_mutex_t CounterAlertTotalMutex=PTHREAD_MUTEX_INITIALIZER;

/* Alert_File - append one Snort-style alert block for Event to the
 * alert stream held in config->sagan_alert_stream and flush it.
 *
 * Event : the matched event; its identification, classification, endpoint,
 *         timing and raw syslog message fields are printed.
 *
 * Side effects: increments counters->alert_total under
 * CounterAlertTotalMutex.  If Event->found is set, the rule reference
 * resolved by Reference_Lookup() is appended when it is non-empty.
 *
 * The syslog message is printed verbatim ("Message: %s"), so whatever bytes
 * the sender put in it - including line breaks - appear as-is in the file. */
void Alert_File( _Sagan_Event *Event )
{
    FILE *out = config->sagan_alert_stream;
    char reference[256];
    char when[64];

    CreateTimeString(&Event->event_time, when, sizeof(when), 1);

    /* alert_total is shared with other threads; bump it under its lock. */
    pthread_mutex_lock(&CounterAlertTotalMutex);
    counters->alert_total++;
    pthread_mutex_unlock(&CounterAlertTotalMutex);

    fprintf(out, "\n[**] [%lu:%s] %s [**]\n", Event->generatorid, Event->sid, Event->f_msg);
    fprintf(out, "[Classification: %s] [Priority: %d] [%s]\n", Event->class, Event->pri, Event->host );
    fprintf(out, "[Alert Time: %s]\n", when);
    fprintf(out, "%s %s %s:%d -> %s:%d %s %s\n", Event->date, Event->time, Event->ip_src, Event->src_port, Event->ip_dst, Event->dst_port, Event->facility, Event->priority);
    fprintf(out, "Message: %s\n", Event->message);

    if ( Event->found != 0 )
        {
            Reference_Lookup( Event->found, 0, reference, sizeof(reference) );

            /* Only print a reference line when the lookup produced text. */
            if ( reference[0] != '\0' )
                {
                    fprintf(out, "%s\n", reference);
                }
        }

    fflush(out);
}

sagan-1.2.0/src/flow.h0000644000175000017500000000217013310531444013452 0ustar champchamp/*
** Copyright (C) 2009-2018 Quadrant Information Security
** Copyright (C) 2009-2018 Champ Clark III
**
** This program is free software; you can redistribute it and/or modify
** it under the terms of the GNU General Public License Version 2 as
** published by the Free Software Foundation. You may not use, modify or
** distribute this program under any other version of the GNU General
** Public License.
** ** This program is distributed in the hope that it will be useful, ** but WITHOUT ANY WARRANTY; without even the implied warranty of ** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ** GNU General Public License for more details. ** ** You should have received a copy of the GNU General Public License ** along with this program; if not, write to the Free Software ** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. */ #ifdef HAVE_CONFIG_H #include "config.h" /* From autoconf */ #endif sbool Check_Flow( int b, int ip_porto, unsigned char *ip_src_bits, int normalize_src_port, unsigned char *ip_dst_bits, int normalize_dst_port); sagan-1.2.0/src/flow.c0000644000175000017500000003113613310531444013451 0ustar champchamp/* ** Copyright (C) 2009-2018 Quadrant Information Security ** Copyright (C) 2009-2018 Adam Hall ** ** This program is free software; you can redistribute it and/or modify ** it under the terms of the GNU General Public License Version 2 as ** published by the Free Software Foundation. You may not use, modify or ** distribute this program under any other version of the GNU General ** Public License. ** ** This program is distributed in the hope that it will be useful, ** but WITHOUT ANY WARRANTY; without even the implied warranty of ** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ** GNU General Public License for more details. ** ** You should have received a copy of the GNU General Public License ** along with this program; if not, write to the Free Software ** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. 
*/

/* check-flow.c */

#ifdef HAVE_CONFIG_H
#include "config.h"             /* From autoconf */
#endif

#include
#include
#include
#include
#include

#include "sagan.h"
#include "sagan-defs.h"
#include "rules.h"
#include "sagan-config.h"

struct _Rule_Struct *rulestruct;

/*
 * Encodings read from rulestruct[] below (from the original table comment):
 *
 *   flow_type / port_type          flow_var / port_var   direction
 *   0 = not in group (range)       0 = any               0 = any
 *   1 = in group (range)           1 = var               1 = right
 *   2 = not match ip (exact)                             2 = left
 *   3 = match ip (exact)
 *
 * For direction 0 and 1 the rule's flow_1/port_1 are tested against the
 * event's source and flow_2/port_2 against its destination; for any other
 * direction value the two sides are swapped first.
 */

/* Check_Flow - does the event's 5-tuple satisfy rule b's flow constraints?
 *
 * b                  : index into rulestruct[]
 * ip_proto           : event protocol number; compared only when the rule's
 *                      ip_proto is non-zero (0 = any)
 * ip_src_bits        : event source address in binary form
 * normalize_src_port : event source port
 * ip_dst_bits        : event destination address in binary form
 * normalize_dst_port : event destination port
 *
 * Returns 1 when protocol, flow_1, port_1, flow_2 and port_2 all match,
 * 0 as soon as any of them fails.  Sections whose *_var is 0 are skipped.
 *
 * Within a section every entry of type 0/2 is a negative ("ne") test and
 * every entry of type 1/3 is a positive ("eq") test: the section fails if
 * ANY negative entry matches, or if there are positive entries and NONE of
 * them matches.
 *
 * NOTE(review): the *_type arrays are read at index i+1 (w/u/z/v are
 * incremented before use) while the *_1/*_2 range arrays are read at index
 * i - presumably the type arrays are filled 1-based by the rule parser;
 * confirm in rules.c.
 * NOTE(review): the exact-match branches memcpy MAXIPBIT bytes from
 * ip_src_bits/ip_dst_bits, so both must point at buffers of at least that
 * size - confirm against the callers. */
sbool Check_Flow( int b, int ip_proto, unsigned char *ip_src_bits, int normalize_src_port, unsigned char *ip_dst_bits, int normalize_dst_port)
{
    unsigned char *src;
    unsigned char *dst;
    int port_src;
    int port_dst;
    unsigned char *ip_src;
    unsigned char *ip_dst;

    src = ip_src_bits;
    dst = ip_dst_bits;

    /* Scratch copy used for the exact-match (type 2/3) comparisons. */
    unsigned char ip_convert[MAXIPBIT] = { 0 };

    /* Orient the event: direction 0/1 keep src/dst as given, anything
     * else swaps the two ends (and their ports). */
    if(rulestruct[b].direction == 0 || rulestruct[b].direction == 1)
        {
            ip_src = src;
            ip_dst = dst;
            port_src = normalize_src_port;
            port_dst = normalize_dst_port;
        }
    else
        {
            ip_src = dst;
            ip_dst = src;
            port_src = normalize_dst_port;
            port_dst = normalize_src_port;
        }

    /*proto*/
    int c1=0;            /* 1 once the protocol test has passed */

    /*flow 1*/
    int w=0;             /* running index into flow_1_type (pre-incremented) */
    int a1=0;            /* 1 when the rule has no flow_1 constraint */
    int eq1=0;           /* number of positive entries seen */
    int ne1=0;           /* number of negative entries seen */
    int eq1_val=0;       /* positive entries that matched */
    int ne1_val=0;       /* negative entries that matched */
    int f1;

    /*port 1*/
    int b1=0;
    int u=0;
    int eq3=0;
    int ne3=0;
    int eq3_val=0;
    int ne3_val=0;
    int g1;

    /*flow 2*/
    int z=0;
    int a2=0;
    int eq2=0;
    int ne2=0;
    int eq2_val=0;
    int ne2_val=0;
    int f2;

    /*port 2*/
    int b2=0;
    int v=0;
    int eq4=0;
    int ne4=0;
    int eq4_val=0;
    int ne4_val=0;
    int g2;

    int i;
    int failed=0;        /* accumulated failures across the sections */

    /*Begin ip_proto*/
    if(rulestruct[b].ip_proto != 0)
        {
            if(ip_proto == rulestruct[b].ip_proto)
                {
                    c1=1;
                }
        }
    else
        {
            c1=1;
        }

    if(c1 != 1)
        {
            return 0;
        }

    /*Begin flow_1*/
    if(rulestruct[b].flow_1_var != 0)
        {
            for(i=0; i < rulestruct[b].flow_1_counter; i++)
                {
                    w++;
                    f1 = rulestruct[b].flow_1_type[w];

                    if(f1 == 0)
                        {
                            /* not in group: matching the range is a failure */
                            ne1++;
                            if(is_inrange(ip_src, (unsigned char *)&rulestruct[b].flow_1[i].range, 1))
                                {
                                    ne1_val++;
                                }
                        }
                    else if(f1 == 1)
                        {
                            /* in group: at least one range must match */
                            eq1++;
                            if(is_inrange(ip_src, (unsigned char *)&rulestruct[b].flow_1[i].range, 1))
                                {
                                    eq1_val++;
                                }
                        }
                    else if(f1 == 2)
                        {
                            /* not match ip: exact address equality is a failure */
                            ne1++;
                            memset(ip_convert, 0, MAXIPBIT);
                            memcpy(ip_convert, ip_src, MAXIPBIT);
                            if (!memcmp(ip_convert, rulestruct[b].flow_1[i].range.ipbits, MAXIPBIT) )
                                {
                                    ne1_val++;
                                }
                        }
                    else if(f1 == 3)
                        {
                            /* match ip: exact address equality required */
                            eq1++;
                            memset(ip_convert, 0, MAXIPBIT);
                            memcpy(ip_convert, ip_src, MAXIPBIT);
                            if (!memcmp(ip_convert, rulestruct[b].flow_1[i].range.ipbits, MAXIPBIT))
                                {
                                    eq1_val++;
                                }
                        }
                }
        }
    else
        {
            a1=1;
        }

    /* if ne1, did anything match (meaning failed) */
    if(ne1>0)
        {
            if(ne1_val > 0)
                {
                    failed++;
                }
        }

    /* if eq1, did anything not match meaning failed */
    if(eq1>0)
        {
            if(eq1_val < 1)
                {
                    failed++;
                }
        }

    /* if either failed, we did not match, no need to check the second flow... we already failed! */
    if(a1 != 1)
        {
            if(failed > 0)
                {
                    return 0;
                }
        }

    /*Begin port_1*/
    if(rulestruct[b].port_1_var != 0)
        {
            for(i=0; i < rulestruct[b].port_1_counter; i++)
                {
                    u++;
                    g1 = rulestruct[b].port_1_type[u];

                    /* types 0/1 test the inclusive range [lo, hi];
                     * types 2/3 test equality with lo alone. */
                    if(g1 == 0)
                        {
                            ne3++;
                            if(port_src >= rulestruct[b].port_1[i].lo && port_src <= rulestruct[b].port_1[i].hi)
                                {
                                    ne3_val++;
                                }
                        }
                    if(g1 == 1)
                        {
                            eq3++;
                            if(port_src >= rulestruct[b].port_1[i].lo && port_src <= rulestruct[b].port_1[i].hi)
                                {
                                    eq3_val++;
                                }
                        }
                    if(g1 == 2)
                        {
                            ne3++;
                            if(port_src == rulestruct[b].port_1[i].lo)
                                {
                                    ne3_val++;
                                }
                        }
                    if(g1 == 3)
                        {
                            eq3++;
                            if(port_src == rulestruct[b].port_1[i].lo)
                                {
                                    eq3_val++;
                                }
                        }
                }
        }
    else
        {
            b1=1;
        }

    /* if ne3, did anything match (meaning failed) */
    if(ne3>0)
        {
            if(ne3_val > 0)
                {
                    failed++;
                }
        }

    /* if eq3, did anything not match meaning failed */
    if(eq3>0)
        {
            if(eq3_val < 1)
                {
                    failed++;
                }
        }

    /* if either failed, we did not match, no need to check the second flow... we already failed! */
    if(b1 != 1)
        {
            if(failed > 0)
                {
                    return 0;
                }
        }

    /*Begin flow_2*/
    if(rulestruct[b].flow_2_var != 0)
        {
            for(i=0; i < rulestruct[b].flow_2_counter; i++)
                {
                    z++;
                    f2 = rulestruct[b].flow_2_type[z];

                    /* Same four cases as flow_1, applied to the destination. */
                    if(f2 == 0)
                        {
                            ne2++;
                            if(is_inrange(ip_dst, (unsigned char *)&rulestruct[b].flow_2[i].range, 1))
                                {
                                    ne2_val++;
                                }
                        }
                    else if(f2 == 1)
                        {
                            eq2++;
                            if(is_inrange(ip_dst, (unsigned char *)&rulestruct[b].flow_2[i].range, 1))
                                {
                                    eq2_val++;
                                }
                        }
                    else if(f2 == 2)
                        {
                            ne2++;
                            memset(ip_convert, 0, MAXIPBIT);
                            memcpy(ip_convert, ip_dst, MAXIPBIT);
                            if (!memcmp(ip_convert, rulestruct[b].flow_2[i].range.ipbits, MAXIPBIT ))
                                {
                                    ne2_val++;
                                }
                        }
                    else if(f2 == 3)
                        {
                            eq2++;
                            memset(ip_convert, 0, MAXIPBIT);
                            memcpy(ip_convert, ip_dst, MAXIPBIT);
                            if (!memcmp(ip_convert, rulestruct[b].flow_2[i].range.ipbits, MAXIPBIT ))
                                {
                                    eq2_val++;
                                }
                        }
                }
        }
    else
        {
            a2=1;
        }

    /* if ne2, did anything match (meaning failed) */
    if(ne2>0)
        {
            if(ne2_val > 0)
                {
                    failed++;
                }
        }

    /* if eq2, did anything not match meaning failed */
    if(eq2>0)
        {
            if(eq2_val < 1)
                {
                    failed++;
                }
        }

    /* if either failed, we did not match, leave */
    if(a2 != 1)
        {
            if(failed > 0)
                {
                    return 0;
                }
        }

    /*Begin port_2*/
    if(rulestruct[b].port_2_var != 0)
        {
            for(i=0; i < rulestruct[b].port_2_counter; i++)
                {
                    v++;
                    g2 = rulestruct[b].port_2_type[v];

                    /* Same four cases as port_1, applied to the destination port. */
                    if(g2 == 0)
                        {
                            ne4++;
                            if(port_dst >= rulestruct[b].port_2[i].lo && port_dst <= rulestruct[b].port_2[i].hi)
                                {
                                    ne4_val++;
                                }
                        }
                    if(g2 == 1)
                        {
                            eq4++;
                            if(port_dst >= rulestruct[b].port_2[i].lo && port_dst <= rulestruct[b].port_2[i].hi)
                                {
                                    eq4_val++;
                                }
                        }
                    if(g2 == 2)
                        {
                            ne4++;
                            if(port_dst == rulestruct[b].port_2[i].lo)
                                {
                                    ne4_val++;
                                }
                        }
                    if(g2 == 3)
                        {
                            eq4++;
                            if(port_dst == rulestruct[b].port_2[i].lo)
                                {
                                    eq4_val++;
                                }
                        }
                }
        }
    else
        {
            b2=1;
        }

    /* if ne4, did anything match (meaning failed) */
    if(ne4>0)
        {
            if(ne4_val > 0)
                {
                    failed++;
                }
        }

    /* if eq4, did anything not match meaning failed */
    if(eq4>0)
        {
            if(eq4_val < 1)
                {
                    failed++;
                }
        }

    /* if either failed, we did not match, no need to check the second flow... we already failed! */
    if(b2 != 1)
        {
            if(failed > 0)
                {
                    return 0;
                }
        }

    /* If we made it to this point we have a match */
    return 1;
}

/*We are done*/

sagan-1.2.0/src/redis.c0000644000175000017500000001721113310531444013606 0ustar champchamp/*
** Copyright (C) 2009-2018 Quadrant Information Security
** Copyright (C) 2009-2018 Champ Clark III
**
** This program is free software; you can redistribute it and/or modify
** it under the terms of the GNU General Public License Version 2 as
** published by the Free Software Foundation. You may not use, modify or
** distribute this program under any other version of the GNU General
** Public License.
**
** This program is distributed in the hope that it will be useful,
** but WITHOUT ANY WARRANTY; without even the implied warranty of
** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
** GNU General Public License for more details.
**
** You should have received a copy of the GNU General Public License
** along with this program; if not, write to the Free Software
** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
*/

/* redis.c - Function that access/write to Redis database */

#ifdef HAVE_CONFIG_H
#include "config.h"             /* From autoconf */
#endif

#ifdef HAVE_LIBHIREDIS

#include
#include
#include
#include
#include

#ifdef HAVE_SYS_PRCTL_H
#include
#endif

#include "sagan.h"
#include "sagan-config.h"
#include "lockfile.h"
#include "redis.h"

struct _SaganConfig *config;
struct _SaganDebug *debug;

int redis_msgslot;

pthread_cond_t SaganRedisDoWork;
pthread_mutex_t SaganRedisWorkMutex;

pthread_mutex_t RedisReaderMutex=PTHREAD_MUTEX_INITIALIZER;

struct _Sagan_Redis *SaganRedis = NULL;

/*****************************************************************************
 * Redis_Writer_Init - Redis "writer" threads initialization.
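 *****************************************************************************/

/*
 * Redis_Writer_Init - Allocate one _Sagan_Redis work slot per writer thread.
 * The slots are filled elsewhere and drained by Redis_Writer().
 */
void Redis_Writer_Init ( void )
{
    SaganRedis = malloc(config->redis_max_writer_threads * sizeof(struct _Sagan_Redis));

    /* Sagan_Log(ERROR, ...) is the file's fatal-error idiom (see the other
     * allocation checks in this tree); it is assumed not to return. */
    if ( SaganRedis == NULL ) {
        Sagan_Log(ERROR, "[%s, line %d] Failed to allocate memory for SaganRedis. Abort!", __FILE__, __LINE__);
    }
}

/*****************************************************************************
 * Redis_Reader_Connect - Connection for "read" operations.  Opens the shared
 * config->c_reader_redis context used by Redis_Reader().
 *****************************************************************************/

void Redis_Reader_Connect ( void )
{
    struct timeval timeout = { 1, 500000 };     // 1.5 seconds (1 s + 500000 us)

    config->c_reader_redis = redisConnectWithTimeout(config->redis_server, config->redis_port, timeout);

    if (config->c_reader_redis == NULL || config->c_reader_redis->err) {
        if (config->c_reader_redis) {
            Sagan_Log(ERROR, "[%s, line %d] Redis connection error - %s. Abort!", __FILE__, __LINE__, config->c_reader_redis->errstr);
            redisFree(config->c_reader_redis);
            /* Do not leave a dangling context behind if the ERROR log ever returns. */
            config->c_reader_redis = NULL;
        } else {
            Sagan_Log(ERROR, "[%s, line %d] Redis connection error - Can't allocate Redis context", __FILE__, __LINE__);
        }
    }
}

/*****************************************************************************
 * Redis_Writer - Thread body that "writes" to Redis.  Several are spawned to
 * avoid blocking.  Each work item in SaganRedis[] holds one or more commands
 * separated by ';' which are sent one at a time.
 *****************************************************************************/

void Redis_Writer ( void )
{
    (void)SetThreadName("SaganRedisWriter");

    redisReply *reply;
    redisContext *c_writer_redis;

    char *tok = NULL;
    char *split_redis_command = NULL;
    char tmp_redis_command[16384] = { 0 };

    struct timeval timeout = { 1, 500000 };     // 1.5 seconds

    c_writer_redis = redisConnectWithTimeout(config->redis_server, config->redis_port, timeout);

    if (c_writer_redis == NULL || c_writer_redis->err) {
        if (c_writer_redis) {
            /* Log BEFORE redisFree(): the original freed the context and then
             * read c_writer_redis->errstr out of the freed memory. */
            Sagan_Log(ERROR, "[%s, line %d] Redis 'writer' connection error - %s. Abort!", __FILE__, __LINE__, c_writer_redis->errstr);
            redisFree(c_writer_redis);
        } else {
            Sagan_Log(ERROR, "[%s, line %d] Redis 'writer' connection error - Can't allocate Redis context", __FILE__, __LINE__);
        }
    }

    /******************/
    /* Log into Redis */
    /******************/

    if ( config->redis_password[0] != '\0' ) {
        reply = redisCommand(c_writer_redis, "AUTH %s", config->redis_password);

        /* A NULL reply (connection dropped) or a reply without a string
         * (e.g. an integer reply) used to be dereferenced; both are failures. */
        if ( reply != NULL && reply->str != NULL && !strcmp(reply->str, "OK") ) {
            if ( debug->debugredis ) {
                Sagan_Log( DEBUG, "Authentication success for 'writer' to Redis server at %s:%d (pthread ID: %lu).", config->redis_server, config->redis_port, pthread_self() );
            }
        } else {
            Remove_Lock_File();
            Sagan_Log(ERROR, "Authentication failure for 'writer' to to Redis server at %s:%d (pthread ID: %lu). Abort!", config->redis_server, config->redis_port, pthread_self() );
        }

        /* The AUTH reply was never released before. freeReplyObject() accepts NULL. */
        freeReplyObject(reply);
    }

    /* Redis "threaded" operations */

    for (;;) {
        pthread_mutex_lock(&SaganRedisWorkMutex);

        while ( redis_msgslot == 0 ) pthread_cond_wait(&SaganRedisDoWork, &SaganRedisWorkMutex);

        redis_msgslot--;

        /* Copy the work item out so the mutex is held only briefly. */
        strlcpy(tmp_redis_command, SaganRedis[redis_msgslot].redis_command, sizeof(tmp_redis_command));

        pthread_mutex_unlock(&SaganRedisWorkMutex);

        if ( debug->debugredis ) {
            Sagan_Log(DEBUG, "Thread %u received the following work: '%s'", pthread_self(), tmp_redis_command);
        }

        split_redis_command = strtok_r(tmp_redis_command, ";", &tok);

        while ( split_redis_command != NULL ) {
            if ( debug->debugredis ) {
                Sagan_Log(DEBUG, "Thread %u executing Redis command: '%s'", pthread_self(), split_redis_command);
            }

            /* NOTE(review): the command text is passed as hiredis' *format*
             * string, so any '%' inside it is interpreted as a format
             * directive.  Where these commands are built from log data (not
             * visible here) that is a correctness and memory-safety risk;
             * redisCommandArgv() or escaping '%' at the producer would avoid it. */
            reply = redisCommand(c_writer_redis, split_redis_command);

            /* NULL means the connection failed; reply->str may also be NULL
             * for non-string reply types.  Neither was checked before. */
            if ( reply == NULL ) {
                Sagan_Log(ERROR, "[%s, line %d] Redis 'writer' command failed (no reply) - %s. Abort!", __FILE__, __LINE__, c_writer_redis->errstr);
            } else {
                if ( debug->debugredis ) {
                    Sagan_Log(DEBUG, "Thread %u reply-str: '%s'", pthread_self(), reply->str != NULL ? reply->str : "");
                }
                freeReplyObject(reply);
            }

            split_redis_command = strtok_r(NULL, ";", &tok);
        }
    }
}

/*****************************************************************************
 * Redis_Reader - This is _not_ a threaded operation and can't be :( This
 * function only returns _one_ result (not an array), even if the query
 * returns more than one result.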
*****************************************************************************/ void Redis_Reader ( char *redis_command, char *str, size_t size ) { redisReply *reply; pthread_mutex_lock(&RedisReaderMutex); reply = redisCommand(config->c_reader_redis, redis_command); if ( debug->debugredis ) { Sagan_Log(DEBUG, "[%s, line %d] Redis Command: \"%s\"", __FILE__, __LINE__, redis_command); Sagan_Log(DEBUG, "[%s, line %d] Redis Reply: \"%s\"", __FILE__, __LINE__, reply->str); } if ( reply->elements == 0 ) { /* strlcpy doesn't like to pass str as a \0. This "works" around that issue (causes segfault otherwise) */ if ( reply->str != '\0' ) { strlcpy(str, reply->str, size); } else { strlcpy(str, " ", size); } } else { strlcpy(str, reply->element[0]->str, size); } pthread_mutex_unlock(&RedisReaderMutex); freeReplyObject(reply); } #endif sagan-1.2.0/src/gen-msg.c0000644000175000017500000001122413310531444014033 0ustar champchamp/* ** Copyright (C) 2009-2018 Quadrant Information Security ** Copyright (C) 2009-2018 Champ Clark III ** ** This program is free software; you can redistribute it and/or modify ** it under the terms of the GNU General Public License Version 2 as ** published by the Free Software Foundation. You may not use, modify or ** distribute this program under any other version of the GNU General ** Public License. ** ** This program is distributed in the hope that it will be useful, ** but WITHOUT ANY WARRANTY; without even the implied warranty of ** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ** GNU General Public License for more details. ** ** You should have received a copy of the GNU General Public License ** along with this program; if not, write to the Free Software ** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. */ /* gen-msg.c * * Reads in the sagan-gen-msg.map. 
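 *
 */

#ifdef HAVE_CONFIG_H
#include "config.h"             /* From autoconf */
#endif

/* System header names were lost in extraction; restore them from upstream. */
#include
#include
#include
#include

#include "sagan.h"
#include "sagan-defs.h"
#include "gen-msg.h"

struct _SaganCounters *counters;
struct _Sagan_Processor_Generator *generator;
struct _SaganConfig *config;
struct _SaganDebug *debug;

/* Guards counters->genmapcount while the map is (re)loaded. */
pthread_mutex_t CounterGenMapMutex=PTHREAD_MUTEX_INITIALIZER;

/*
 * Load_Gen_Map - Parse a "generator id|alert id|message" map file into the
 * global generator[] array, growing it one entry at a time.
 *
 * genmap   path of the map file
 *
 * Lines starting with '#', ';', a space or an empty line are skipped.  Any
 * parse or allocation failure goes through Sagan_Log(ERROR, ...), the file's
 * fatal idiom (assumed not to return).
 */
void Load_Gen_Map( const char *genmap )
{
    FILE *genmapfile;
    char genbuf[1024];
    char *saveptr=NULL;

    char *gen1=NULL;
    char *gen2=NULL;
    char *gen3=NULL;

    Sagan_Log(NORMAL, "Loading gen-msg.map file. [%s]", genmap);

    pthread_mutex_lock(&CounterGenMapMutex);
    counters->genmapcount=0;
    pthread_mutex_unlock(&CounterGenMapMutex);

    if (( genmapfile = fopen(genmap, "r" )) == NULL ) {
        Sagan_Log(ERROR, "[%s, line %d] Cannot open generator file (%s)", __FILE__, __LINE__, genmap);
        /* Defensive: the original fell through to fgets() on a NULL FILE *. */
        return;
    }

    while (fgets(genbuf, 1024, genmapfile) != NULL) {

        /* Skip comments and blank lines */
        if (genbuf[0] == '#' || genbuf[0] == 10 || genbuf[0] == ';' || genbuf[0] == 32) {
            continue;
        }

        /* Grow the table by one entry for this line. */
        generator = (_Sagan_Processor_Generator *) realloc(generator, (counters->genmapcount+1) * sizeof(_Sagan_Processor_Generator));

        if ( generator == NULL ) {
            Sagan_Log(ERROR, "[%s, line %d] Failed to reallocate memory for generator. Abort!", __FILE__, __LINE__);
        }

        gen1 = strtok_r(genbuf, "|", &saveptr);

        if ( gen1 == NULL ) {
            Sagan_Log(ERROR, "%s is incorrect or not correctly formated (gen1) ", genmap);
        }

        Remove_Return(gen1);

        gen2 = strtok_r(NULL, "|", &saveptr);

        if ( gen2 == NULL ) {
            Sagan_Log(ERROR, "%s is incorrect or not correctly formated (gen2) ", genmap);
        }

        Remove_Return(gen2);

        gen3 = strtok_r(NULL, "|", &saveptr);

        if ( gen3 == NULL ) {
            Sagan_Log(ERROR, "%s is incorrect or not correctly formated (gen3) ", genmap);
        }

        Remove_Return(gen3);

        generator[counters->genmapcount].generatorid=atoi(gen1);
        generator[counters->genmapcount].alertid=atoi(gen2);
        strlcpy(generator[counters->genmapcount].generator_msg, gen3, sizeof(generator[counters->genmapcount].generator_msg));

        pthread_mutex_lock(&CounterGenMapMutex);
        counters->genmapcount++;
        pthread_mutex_unlock(&CounterGenMapMutex);
    }

    fclose(genmapfile);
    Sagan_Log(NORMAL, "%d generators loaded.", counters->genmapcount);
}

/****************************************************************************/
/* Generator_Lookup - Looks up the "generator" message (see "gen-msg.map")  */
/* for a processor id / alert id pair and copies it into str (size bytes).  */
/* An unknown pair yields an empty string; the original passed a NULL       */
/* pointer to "%s", which is undefined behaviour.                           */
/****************************************************************************/

void Generator_Lookup(int processor_id, int alert_id, char *str, size_t size)
{
    int z=0;
    char *msg=NULL;

    for (z=0; z < counters->genmapcount; z++) {
        if ( generator[z].generatorid == processor_id && generator[z].alertid == alert_id) {
            msg=generator[z].generator_msg;
            break;
        }
    }

    snprintf(str, size, "%s", msg != NULL ? msg : "");
}

sagan-1.2.0/src/util-base64.c0000644000175000017500000000547313310531444014546 0ustar champchamp
/*
** Copyright (C) 2009-2018 Quadrant Information Security
** Copyright (C) 2009-2018 Champ Clark III
**
** This program is free software; you can redistribute it and/or modify
** it under the terms of the GNU General Public License Version 2 as
** published by the Free Software Foundation.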
 You may not use, modify or
** distribute this program under any other version of the GNU General
** Public License.
**
** This program is distributed in the hope that it will be useful,
** but WITHOUT ANY WARRANTY; without even the implied warranty of
** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
** GNU General Public License for more details.
**
** You should have received a copy of the GNU General Public License
** along with this program; if not, write to the Free Software
** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
*/

/* util-base64.c
 *
 * Base64 encoding helper.
 *
 */

/* System header names were lost in extraction; restore them from upstream. */
#include
#include

#include "util-base64.h"

static const char *b64codes = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";

/********************************************************************************
 * Base64Encode - Write the base64 encoding of in[0..inlen) into out as a
 * NUL-terminated string.  Derived (via Suricata) from Jouni Malinen's code:
 *
 * http://web.mit.edu/freebsd/head/contrib/wpa/src/utils/base64.c
 * http://stackoverflow.com/questions/342409/how-do-i-base64-encode-decode-in-c
 *
 * in/inlen    input bytes
 * out/outlen  output buffer and, on entry, its capacity in bytes
 *
 * Returns 0 on success with *outlen set to the encoded length (excluding the
 * NUL).  Returns -1 when any pointer is NULL, or when the buffer is too
 * small - in which case *outlen is set to the capacity required.
 ********************************************************************************/
int Base64Encode(const unsigned char *in, unsigned long inlen, unsigned char *out, unsigned long *outlen)
{
    unsigned long needed;
    unsigned long pos = 0;
    unsigned char *cursor;

    if (in == NULL || out == NULL || outlen == NULL) {
        return -1;
    }

    /* Four output characters per three input bytes (rounded up) plus the NUL. */
    needed = 4 * ((inlen + 2) / 3);

    if (*outlen < needed + 1) {
        *outlen = needed + 1;
        return -1;
    }

    cursor = out;

    /* Complete 24-bit groups. */
    while (pos + 3 <= inlen) {
        unsigned long triple = ((unsigned long)in[pos] << 16) | ((unsigned long)in[pos + 1] << 8) | in[pos + 2];

        *cursor++ = b64codes[(triple >> 18) & 0x3F];
        *cursor++ = b64codes[(triple >> 12) & 0x3F];
        *cursor++ = b64codes[(triple >> 6) & 0x3F];
        *cursor++ = b64codes[triple & 0x3F];

        pos += 3;
    }

    /* One or two leftover bytes are padded with '='. */
    switch (inlen - pos) {
    case 2: {
        unsigned pair = ((unsigned)in[pos] << 8) | in[pos + 1];

        *cursor++ = b64codes[(pair >> 10) & 0x3F];
        *cursor++ = b64codes[(pair >> 4) & 0x3F];
        *cursor++ = b64codes[(pair << 2) & 0x3F];
        *cursor++ = '=';
        break;
    }
    case 1:
        *cursor++ = b64codes[(in[pos] >> 2) & 0x3F];
        *cursor++ = b64codes[(in[pos] << 4) & 0x3F];
        *cursor++ = '=';
        *cursor++ = '=';
        break;
    default:
        break;
    }

    /* Terminate and report the encoded length (NUL not counted). */
    *cursor = '\0';
    *outlen = (unsigned long)(cursor - out);

    return 0;
}

sagan-1.2.0/src/lockfile.c0000644000175000017500000001113713310531444014271 0ustar champchamp
/*
** Copyright (C) 2009-2018 Quadrant Information Security
** Copyright (C) 2009-2018 Champ Clark III
**
** This program is free software; you can redistribute it and/or modify
** it under the terms of the GNU General Public License Version 2 as
** published by the Free Software Foundation. You may not use, modify or
** distribute this program under any other version of the GNU General
** Public License.
**
** This program is distributed in the hope that it will be useful,
** but WITHOUT ANY WARRANTY; without even the implied warranty of
** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
** GNU General Public License for more details.
**
** You should have received a copy of the GNU General Public License
** along with this program; if not, write to the Free Software
** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
*/

/* lockfile.c
 *
 * Creates a lock file for the Sagan process. We don't want Sagan to be
 * running more than once. Also does a simple 'test' to see if the PID
 * in the lock file is 'running' (via kill -0). Wrote this to decrease
 * the dependencies of Sagan, as opposed to using liblockfile.
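 *
 */

#ifdef HAVE_CONFIG_H
#include "config.h"             /* From autoconf */
#endif

/* System header names were lost in extraction; restore them from upstream. */
#include
#include
#include
#include
#include
#include
#include
#include

#include "sagan.h"
#include "sagan-defs.h"
#include "lockfile.h"
#include "sagan-config.h"
#include "signal-handler.h"
#include "version.h"

struct _SaganConfig *config;

/* Was using liblockfile but decided for portability reasons, it was a
 * bad idea */

/*
 * CheckLockFile - Refuse to start if another Sagan holds the lock file;
 * otherwise (re)create config->sagan_lockfile containing our PID.
 *
 * An existing lock file is read for a PID.  If that PID is still alive the
 * start is aborted; a stale lock file is removed and recreated.  Every
 * failure path goes through Sagan_Log(ERROR, ...), the file's fatal idiom.
 *
 * NOTE(review): the stat()/fopen("w") sequence is not atomic, so two
 * instances started at the same moment can both pass the check; an
 * open(O_CREAT|O_EXCL) would close that window.
 */
void CheckLockFile ( void )
{
    char buf[10] = { 0 };
    FILE *lck;
    int pid;
    struct stat lckcheck;

    /* Check for lockfile first */
    if (stat(config->sagan_lockfile, &lckcheck) == 0 ) {

        /* Lock file is present, open for read */
        if (( lck = fopen(config->sagan_lockfile, "r" )) == NULL ) {
            Sagan_Log(ERROR, "[%s, line %d] Lock file '%s' is present but can't be read [%s]", __FILE__, __LINE__, config->sagan_lockfile, strerror(errno));
        } else {
            if (!fgets(buf, sizeof(buf), lck)) {
                Sagan_Log(ERROR, "[%s, line %d] Lock file (%s) is open for reading, but can't read contents.", __FILE__, __LINE__, config->sagan_lockfile);
            }

            fclose(lck);
            pid = atoi(buf);

            if ( pid == 0 ) {
                Sagan_Log(ERROR, "[%s, line %d] Lock file read but pid value is zero. Aborting.....", __FILE__, __LINE__);
            }

            /* Probe the process with signal 0, which affects nothing.
             * kill() succeeds when the process exists and we may signal it;
             * it fails with EPERM when the process exists but belongs to
             * another user.  The original treated EPERM as "not running" and
             * would remove a lock held by a Sagan running as a different
             * user, so EPERM now counts as running. */
            if ( kill(pid, 0) == 0 || errno == EPERM ) {
                Sagan_Log(ERROR, "[%s, line %d] It appears that Sagan is already running (pid: %d).", __FILE__, __LINE__, pid);
            } else {
                Sagan_Log(NORMAL, "[%s, line %d] Lock file is present, but Sagan isn't at pid %d (Removing stale %s file)", __FILE__, __LINE__, pid, config->sagan_lockfile);

                if (unlink(config->sagan_lockfile)) {
                    Sagan_Log(ERROR, "Unable to delete %s. ", config->sagan_lockfile);
                }
            }
        }
    } else {

        /* No lock file present, so create it */
        if (( lck = fopen(config->sagan_lockfile, "w" )) == NULL ) {
            Sagan_Log(ERROR, "[%s, line %d] Cannot create lock file (%s - %s)", __FILE__, __LINE__, config->sagan_lockfile, strerror(errno));
        } else {
            fprintf(lck, "%d", getpid() );
            fflush(lck);
            fclose(lck);
        }
    }
}

/*
 * Remove_Lock_File - Delete config->sagan_lockfile if it exists.  A file
 * that is present but cannot be unlinked is reported via Sagan_Log(ERROR).
 */
void Remove_Lock_File ( void )
{
    struct stat lckcheck;

    if ((stat(config->sagan_lockfile, &lckcheck) == 0) && unlink(config->sagan_lockfile) != 0 ) {
        Sagan_Log(ERROR, "[%s, line %d] Cannot remove lock file (%s - %s)\n", __FILE__, __LINE__, config->sagan_lockfile, strerror(errno));
    }
}

sagan-1.2.0/src/liblognormalize.c0000644000175000017500000002562513310531444015701 0ustar champchamp
/*
** Copyright (C) 2009-2018 Quadrant Information Security
** Copyright (C) 2009-2018 Champ Clark III
**
** This program is free software; you can redistribute it and/or modify
** it under the terms of the GNU General Public License Version 2 as
** published by the Free Software Foundation. You may not use, modify or
** distribute this program under any other version of the GNU General
** Public License.
**
** This program is distributed in the hope that it will be useful,
** but WITHOUT ANY WARRANTY; without even the implied warranty of
** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
** GNU General Public License for more details.
**
** You should have received a copy of the GNU General Public License
** along with this program; if not, write to the Free Software
** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
*/

/* liblognormalize.c
 *
 * These functions deal with liblognorm / data normalization.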
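 */

#ifdef HAVE_CONFIG_H
#include "config.h"             /* From autoconf */
#endif

#ifdef HAVE_LIBLOGNORM

/* System header names were lost in extraction; restore them from upstream. */
#include
#include
#include
#include
#include
#include
#include

#include "sagan.h"
#include "sagan-defs.h"
#include "liblognormalize.h"
#include "sagan-config.h"

struct _SaganConfig *config;
struct _SaganDebug *debug;

struct _SaganNormalizeLiblognorm *SaganNormalizeLiblognorm = NULL;

pthread_mutex_t Lognorm_Mutex = PTHREAD_MUTEX_INITIALIZER;

/************************************************************************
 * liblognorm GLOBALS
 ************************************************************************/

struct stat liblognorm_fileinfo;
struct liblognorm_toload_struct *liblognormtoloadstruct;
int liblognorm_count;

/* Single liblognorm context shared by every Normalize_Liblognorm() call. */
static ln_ctx ctx;

struct _SaganCounters *counters;

/************************************************************************
 * Liblognorm_Load
 *
 * Allocate the global SaganNormalizeLiblognorm record, create the
 * liblognorm context and load the sample file `infile` into it.
 * Failures go through Sagan_Log(ERROR, ...), the file's fatal idiom.
 ************************************************************************/

void Liblognorm_Load(char *infile)
{
    SaganNormalizeLiblognorm = malloc(sizeof(struct _SaganNormalizeLiblognorm));

    if ( SaganNormalizeLiblognorm == NULL ) {
        Sagan_Log(ERROR, "[%s, line %d] Failed to allocate memory for SaganNormalizeLiblognorm. Abort!", __FILE__, __LINE__);
    }

    memset(SaganNormalizeLiblognorm, 0, sizeof(_SaganNormalizeLiblognorm));

    if ((ctx = ln_initCtx()) == NULL) {
        Sagan_Log(ERROR, "[%s, line %d] Cannot initialize liblognorm context.", __FILE__, __LINE__);
    }

    Sagan_Log(NORMAL, "Loading %s for normalization.", infile);

    /* Remember - On reload, file access will be by the "sagan" user! */
    if (stat(infile, &liblognorm_fileinfo)) {
        Sagan_Log(ERROR, "[%s, line %d] Error accessing '%s'. Abort.", __FILE__, __LINE__, infile);
    }

    /* NOTE(review): the return value of ln_loadSamples() is not checked, so
     * a rule file that fails to parse leaves an empty context and every
     * message silently fails to normalize. */
    ln_loadSamples(ctx, infile);
}

/***********************************************************************
 * Normalize_Liblognorm
 *
 * Run syslog_msg through liblognorm and copy the fields Sagan cares
 * about (addresses, ports, hostnames, hashes, HTTP data, filename) into
 * *SaganNormalizeLiblognorm.  Note the parameter deliberately shadows
 * the file-level global of the same name.
 *
 * Returns the json-c object produced by ln_normalize() (caller releases
 * it with json_object_put), or NULL when normalization produced nothing
 * or reported an error.
 *
 * Every output field is reset first so data from the previous message
 * cannot leak into this one; the original forgot `filename`, which kept
 * the value from the last message that carried one.
 ***********************************************************************/

json_object *Normalize_Liblognorm(char *syslog_msg, struct _SaganNormalizeLiblognorm *SaganNormalizeLiblognorm)
{
    char buf[10*1024] = { 0 };
    char tmp_host[254] = { 0 };

    int rc_normalize = 0;

    const char *cstr = NULL;
    const char *tmp = NULL;

    struct json_object *json = NULL;
    json_object *string_obj;

    /* "0" is the sentinel for "no address found"; the host lookups below key on it. */
    SaganNormalizeLiblognorm->ip_src[0] = '0';
    SaganNormalizeLiblognorm->ip_src[1] = '\0';

    SaganNormalizeLiblognorm->ip_dst[0] = '0';
    SaganNormalizeLiblognorm->ip_dst[1] = '\0';

    SaganNormalizeLiblognorm->selector[0] = '\0';
    SaganNormalizeLiblognorm->username[0] = '\0';
    SaganNormalizeLiblognorm->src_host[0] = '\0';
    SaganNormalizeLiblognorm->dst_host[0] = '\0';
    SaganNormalizeLiblognorm->hash_sha1[0] = '\0';
    SaganNormalizeLiblognorm->hash_sha256[0] = '\0';
    SaganNormalizeLiblognorm->hash_md5[0] = '\0';
    SaganNormalizeLiblognorm->http_uri[0] = '\0';
    SaganNormalizeLiblognorm->http_hostname[0] = '\0';
    SaganNormalizeLiblognorm->filename[0] = '\0';

    SaganNormalizeLiblognorm->src_port = 0;
    SaganNormalizeLiblognorm->dst_port = 0;

    /* Bounded copy; messages longer than buf are truncated before parsing. */
    snprintf(buf, sizeof(buf), "%s", syslog_msg);

    /* int ln_normalize(ln_ctx ctx, const char *str, size_t strLen, struct json_object **json_p); */
    rc_normalize = ln_normalize(ctx, buf, strlen(buf), &json);

    if (json == NULL) {
        return NULL;
    }

    cstr = (char*)json_object_to_json_string(json);

    /* For each key, json_object_object_get_ex() leaves string_obj NULL on a
     * miss and json_object_get_string(NULL) yields NULL, so the tmp checks
     * below double as "key present" checks. */

    /* Get source address information */
    json_object_object_get_ex(json, "src-ip", &string_obj);
    tmp = json_object_get_string(string_obj);

    if ( tmp != NULL) {
        snprintf(SaganNormalizeLiblognorm->ip_src, sizeof(SaganNormalizeLiblognorm->ip_src), "%s", tmp);
    }

    json_object_object_get_ex(json, "dst-ip", &string_obj);
    tmp = json_object_get_string(string_obj);

    if ( tmp != NULL ) {
        snprintf(SaganNormalizeLiblognorm->ip_dst, sizeof(SaganNormalizeLiblognorm->ip_dst), "%s", tmp);
    }

    /* Used for tracking in multi-tenant environment */
    if (config->selector_flag) {
        json_object_object_get_ex(json, config->selector_name[0] != '\0' ? config->selector_name : "selector", &string_obj);
        tmp = json_object_get_string(string_obj);

        if ( tmp != NULL ) {
            snprintf(SaganNormalizeLiblognorm->selector, sizeof(SaganNormalizeLiblognorm->selector), "%s", tmp);
        }
    }

    /* Get username information - Will be used in the future */
    json_object_object_get_ex(json, "username", &string_obj);
    tmp = json_object_get_string(string_obj);

    if ( tmp != NULL ) {
        snprintf(SaganNormalizeLiblognorm->username, sizeof(SaganNormalizeLiblognorm->username), "%s", tmp);
    }

    /* Source hostname; resolved to an address only when none was parsed. */
    json_object_object_get_ex(json, "src-host", &string_obj);
    tmp = json_object_get_string(string_obj);

    if ( tmp != NULL ) {
        strlcpy(SaganNormalizeLiblognorm->src_host, tmp, sizeof(SaganNormalizeLiblognorm->src_host));

        if ( SaganNormalizeLiblognorm->ip_src[0] == '0' && config->syslog_src_lookup) {
            if (!DNS_Lookup(SaganNormalizeLiblognorm->src_host, tmp_host, sizeof(tmp_host))) {
                strlcpy(SaganNormalizeLiblognorm->ip_src, tmp_host, sizeof(SaganNormalizeLiblognorm->ip_src));
            }
        }
    }

    /* Destination hostname; note it is gated on syslog_src_lookup as well
     * (there is no separate dst flag in view) - presumably intentional. */
    json_object_object_get_ex(json, "dst-host", &string_obj);
    tmp = json_object_get_string(string_obj);

    if ( tmp != NULL ) {
        strlcpy(SaganNormalizeLiblognorm->dst_host, tmp, sizeof(SaganNormalizeLiblognorm->dst_host));

        if ( SaganNormalizeLiblognorm->ip_dst[0] == '0' && config->syslog_src_lookup) {
            if (!DNS_Lookup(SaganNormalizeLiblognorm->dst_host, tmp_host, sizeof(tmp_host))) {
                strlcpy(SaganNormalizeLiblognorm->ip_dst, tmp_host, sizeof(SaganNormalizeLiblognorm->ip_dst));
            }
        }
    }

    /* Get port information */
    json_object_object_get_ex(json, "src-port", &string_obj);
    tmp = json_object_get_string(string_obj);

    if ( tmp != NULL ) {
        SaganNormalizeLiblognorm->src_port = atoi(tmp);
    }

    json_object_object_get_ex(json, "dst-port", &string_obj);
    tmp = json_object_get_string(string_obj);

    if ( tmp != NULL ) {
        SaganNormalizeLiblognorm->dst_port = atoi(tmp);
    }

    json_object_object_get_ex(json, "hash-md5", &string_obj);
    tmp = json_object_get_string(string_obj);

    if ( tmp != NULL ) {
        strlcpy(SaganNormalizeLiblognorm->hash_md5, tmp, sizeof(SaganNormalizeLiblognorm->hash_md5));
    }

    json_object_object_get_ex(json, "hash-sha1", &string_obj);
    tmp = json_object_get_string(string_obj);

    if ( tmp != NULL ) {
        strlcpy(SaganNormalizeLiblognorm->hash_sha1, tmp, sizeof(SaganNormalizeLiblognorm->hash_sha1));
    }

    json_object_object_get_ex(json, "hash-sha256", &string_obj);
    tmp = json_object_get_string(string_obj);

    if ( tmp != NULL ) {
        strlcpy(SaganNormalizeLiblognorm->hash_sha256, tmp, sizeof(SaganNormalizeLiblognorm->hash_sha256));
    }

    json_object_object_get_ex(json, "http_uri", &string_obj);
    tmp = json_object_get_string(string_obj);

    if ( tmp != NULL ) {
        strlcpy(SaganNormalizeLiblognorm->http_uri, tmp, sizeof(SaganNormalizeLiblognorm->http_uri));
    }

    json_object_object_get_ex(json, "http_hostname", &string_obj);
    tmp = json_object_get_string(string_obj);

    if ( tmp != NULL ) {
        strlcpy(SaganNormalizeLiblognorm->http_hostname, tmp, sizeof(SaganNormalizeLiblognorm->http_hostname));
    }

    json_object_object_get_ex(json, "filename", &string_obj);
    tmp = json_object_get_string(string_obj);

    if ( tmp != NULL ) {
        strlcpy(SaganNormalizeLiblognorm->filename, tmp, sizeof(SaganNormalizeLiblognorm->filename));
    }

    if ( debug->debugnormalize ) {
        Sagan_Log(DEBUG, "Liblognorm DEBUG output: %d", rc_normalize);
        Sagan_Log(DEBUG, "---------------------------------------------------");
        Sagan_Log(DEBUG, "Log message to normalize: |%s|", syslog_msg);
        Sagan_Log(DEBUG, "Parsed: %s", cstr);
        Sagan_Log(DEBUG, "Slector: %s", SaganNormalizeLiblognorm->selector);
        Sagan_Log(DEBUG, "Source IP: %s", SaganNormalizeLiblognorm->ip_src);
        Sagan_Log(DEBUG, "Destination IP: %s", SaganNormalizeLiblognorm->ip_dst);
        Sagan_Log(DEBUG, "Source Port: %d", SaganNormalizeLiblognorm->src_port);
        Sagan_Log(DEBUG, "Destination Port: %d", SaganNormalizeLiblognorm->dst_port);
        Sagan_Log(DEBUG, "Source Host: %s", SaganNormalizeLiblognorm->src_host);
        Sagan_Log(DEBUG, "Destination Host: %s", SaganNormalizeLiblognorm->dst_host);
        Sagan_Log(DEBUG, "Username: %s", SaganNormalizeLiblognorm->username);
        Sagan_Log(DEBUG, "MD5 Hash: %s", SaganNormalizeLiblognorm->hash_md5);
        Sagan_Log(DEBUG, "SHA1 Hash: %s", SaganNormalizeLiblognorm->hash_sha1);
        Sagan_Log(DEBUG, "SHA265 Hash: %s", SaganNormalizeLiblognorm->hash_sha256);
        Sagan_Log(DEBUG, "HTTP URI: %s", SaganNormalizeLiblognorm->http_uri);
        Sagan_Log(DEBUG, "HTTP HOSTNAME: %s", SaganNormalizeLiblognorm->http_hostname);
        Sagan_Log(DEBUG, "Filename: %s", SaganNormalizeLiblognorm->filename);
        Sagan_Log(DEBUG, "");
    }

    /* A non-zero rc means liblognorm reported an error; the object is
     * released here and NULL returned so the caller never frees it twice. */
    if (0 != rc_normalize && json) {
        json_object_put(json);
        json = NULL;
    }

    return json;
}

#endif

sagan-1.2.0/src/protocol-map.c0000644000175000017500000001317113310531444015115 0ustar champchamp
/*
** Copyright (C) 2009-2018 Quadrant Information Security
** Copyright (C) 2009-2018 Champ Clark III
**
** This program is free software; you can redistribute it and/or modify
** it under the terms of the GNU General Public License Version 2 as
** published by the Free Software Foundation. You may not use, modify or
** distribute this program under any other version of the GNU General
** Public License.
**
** This program is distributed in the hope that it will be useful,
** but WITHOUT ANY WARRANTY; without even the implied warranty of
** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
** GNU General Public License for more details.
**
** You should have received a copy of the GNU General Public License
** along with this program; if not, write to the Free Software
** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
*/

/* protocol-map.c
 *
 * Reads in the protocol map file.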
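 *
 */

#ifdef HAVE_CONFIG_H
#include "config.h"             /* From autoconf */
#endif

/* System header names were lost in extraction; restore them from upstream. */
#include
#include
#include

#include "sagan.h"
#include "sagan-defs.h"
#include "protocol-map.h"

struct _SaganCounters *counters;
struct _SaganConfig *config;
struct _SaganDebug *debug;

struct _Sagan_Protocol_Map_Message *map_message;
struct _Sagan_Protocol_Map_Program *map_program;

/*
 * Load_Protocol_Map - Parse a "kind|proto|case|search" map file into the
 * global map_message[] ("message" lines) and map_program[] ("program"
 * lines) arrays, growing each one entry at a time.
 *
 * map   path of the map file
 *
 * Lines starting with '#', ';', a space or an empty line are skipped; a
 * line whose first field is neither "message" nor "program" is ignored.
 * Parse and allocation failures go through Sagan_Log(ERROR, ...), the
 * file's fatal idiom (assumed not to return).
 */
void Load_Protocol_Map( const char *map )
{
    FILE *mapfile;
    char mapbuf[1024];
    char *saveptr=NULL;

    char *map1=NULL;
    char *map2=NULL;
    char *map3=NULL;
    char *map4=NULL;

    counters->mapcount_message = 0;
    counters->mapcount_program = 0;

    Sagan_Log(NORMAL, "Loading protocol map file. [%s]", map);

    if (( mapfile = fopen(map, "r" )) == NULL ) {
        Sagan_Log(ERROR, "[%s, line %d] Cannot open protocol map file (%s)", __FILE__, __LINE__, map);
        /* Defensive: the original fell through to fgets() on a NULL FILE *. */
        return;
    }

    while (fgets(mapbuf, 1024, mapfile) != NULL) {

        /* Skip comments and blank lines */
        if (mapbuf[0] == '#' || mapbuf[0] == 10 || mapbuf[0] == ';' || mapbuf[0] == 32) {
            continue;
        }

        map1 = strtok_r(mapbuf, "|", &saveptr);

        if ( map1 == NULL ) {
            Sagan_Log(ERROR, "%s is incorrect or not correctly formated (map1)", map);
        }

        Remove_Return(map1);
        Remove_Spaces(map1);

        map2 = strtok_r(NULL, "|", &saveptr);

        if ( map2 == NULL ) {
            Sagan_Log(ERROR, "%s is incorrect or not correctly formated (map2)", map);
        }

        Remove_Return(map2);
        Remove_Spaces(map2);

        map3 = strtok_r(NULL, "|", &saveptr);

        if ( map3 == NULL ) {
            Sagan_Log(ERROR, "%s is incorrect or not correctly formated (map3)", map);
        }

        Remove_Return(map3);
        Remove_Spaces(map3);

        map4 = strtok_r(NULL, "|", &saveptr);

        if ( map4 == NULL ) {
            Sagan_Log(ERROR, "%s is incorrect or not correctly formated (map4)", map);
        }

        Remove_Return(map4);
        Remove_Spaces(map4);

        if (!strcmp(map1, "message")) {
            map_message = (_Sagan_Protocol_Map_Message *) realloc(map_message, (counters->mapcount_message+1) * sizeof(_Sagan_Protocol_Map_Message));

            if ( map_message == NULL ) {
                Sagan_Log(ERROR, "[%s, line %d] Failed to reallocate memory for map_message. Abort!", __FILE__, __LINE__);
            }

            map_message[counters->mapcount_message].proto = atoi(map2);

            /* realloc() leaves the new entry uninitialised, so nocase must be
             * assigned on both branches; the original only ever set it to 1
             * and otherwise left whatever was in memory. */
            map_message[counters->mapcount_message].nocase = (strcmp(map3, "nocase") == 0);

            strlcpy(map_message[counters->mapcount_message].search, map4, sizeof(map_message[counters->mapcount_message].search));

            counters->mapcount_message++;
        }

        if (!strcmp(map1, "program")) {
            map_program = (_Sagan_Protocol_Map_Program *) realloc(map_program, (counters->mapcount_program+1) * sizeof(_Sagan_Protocol_Map_Program));

            if ( map_program == NULL ) {
                Sagan_Log(ERROR, "[%s, line %d] Failed to reallocate memory for map_program. Abort!", __FILE__, __LINE__);
            }

            map_program[counters->mapcount_program].proto = atoi(map2);

            /* Same uninitialised-field fix as for map_message above. */
            map_program[counters->mapcount_program].nocase = (strcmp(map3, "nocase") == 0);

            strlcpy(map_program[counters->mapcount_program].program, map4, sizeof(map_program[counters->mapcount_program].program));

            counters->mapcount_program++;
        }
    }

    fclose(mapfile);

    Sagan_Log(NORMAL, "%d protocols loaded [Message search: %d|Program search: %d]", counters->mapcount_message + counters->mapcount_program, counters->mapcount_message, counters->mapcount_program);
}

sagan-1.2.0/src/credits.c0000644000175000017500000001203313310531444014132 0ustar champchamp
/*
** Copyright (C) 2009-2018 Quadrant Information Security
** Copyright (C) 2009-2018 Champ Clark III
**
** This program is free software; you can redistribute it and/or modify
** it under the terms of the GNU General Public License Version 2 as
** published by the Free Software Foundation. You may not use, modify or
** distribute this program under any other version of the GNU General
** Public License.
**
** This program is distributed in the hope that it will be useful,
** but WITHOUT ANY WARRANTY; without even the implied warranty of
** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
** GNU General Public License for more details.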
**
** You should have received a copy of the GNU General Public License
** along with this program; if not, write to the Free Software
** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
*/

/* credit.c
 *
 * Give credit where credit is due
 *
 */

#ifdef HAVE_CONFIG_H
#include "config.h"             /* From autoconf */
#endif

#include "sagan.h"
#include "version.h"

/*
 * One contributor per entry, written to stderr verbatim and in this order.
 * NOTE(review): a few entries have an unbalanced quote or parenthesis
 * ("Juan Manuel", "Alice Kaerast"); they are reproduced exactly as found.
 */
static const char *const credit_lines[] =
{
    "Champ Clark III (cclark@quadrantsec.com)\tLead developer.\n",
    "Robert Nunley (rnunley@quadrantsec.com)\t\tRules/Ideas.\n",
    "Brian Echeverry (becheverry@quadrantsec.com)\tRules/testing/bug report.\n",
    "Marcus Ranum\t\t\t\t\tplog.c code.\n",
    "\"DrForbin\"\t\t\t\t\tPatches/testing/bug fixes.\n",
    "Rainer Gerhards\t\t\t\t\tRsyslog/Liblognorm author.\n",
    "Bruce M. Wink (bwink@quadrantsec.com)\t\tIdeas.\n",
    "Daniel Koopmans\t\t\t\t\tBug reports & testing.\n",
    "\"remydb\" (Github)\t\t\t\tBug reports & testing.\n",
    "\"CyberTaoFlow\" (Github)\t\t\t\tBug reports & testing.\n",
    "\"nix8\" (Github)\t\t\t\t\tBug reports & testing.\n",
    "\"pitrpitr\" (Github)\t\t\t\tBug reports & testing.\n",
    "\"ebayer\" (Github)\t\t\t\tBug reports & testing.\n",
    "\"Juan Manuel (jmcabo - Github)\t\t\tBug reports & testing.\n",
    "\"Stas Alekseev\" (salekseev - Github)\t\tSpec file for Redhat/Fedora.\n",
    "\"Alice Kaerast\" (kaerast - Github\t\trsyslog example in 'extra'.\n",
    "\"DigiAngel\" (Github)\t\t\t\t'content:!' idea.\n",
    "Robert Bridge (RobbieAB - Github)\t\t'flowbit/xbit' idea.\n",
    "Mathieu Parent (sathieu - Github)\t\tOld MySQL port fix.\n",
    "Pierre Chifflier (chifflier - Github)\t\tPatches/bug fixes/man page.\n",
    "Pierre Chifflier \t\t\t\tDebian/Ubuntu packages.\n",
    "\"miverson\" (Github)\t\t\t\tOSSEC converter/bug fixes.\n",
    "\"ekse\" (Github)\t\t\t\t\tBug reports & testing.\n",
    "\"mtgxx\" (Github)\t\t\t\tBug reports & testing.\n",
    "\"powertoaster\" (Github)\t\t\t\tBug reports & testing.\n",
    "Pawel Hajdan jr (Gentoo)\t\t\tGentoo ebuild.\n",
    "James Lay\t\t\t\t\tRules.\n",
    "Brad Doctor\t\t\t\t\tRules.\n",
    "Sniffty Dugen\t\t\t\t\tRules.\n",
    "Iman Khosravi\t\t\t\t\tRules.\n",
    "Jon Schipp\t\t\t\t\tBug reports & testing.\n",
    "Aleksey Chudov\t\t\t\t\t\"logrotate\" fix/suggestion.\n",
    "DonPiekarz (Github)\t\t\t\tBug reports & fixes.\n",
    "rtkkdeng (Github)\t\t\t\tRules fixes.\n",
    "Adam Hall\t\t\t\t\tAetas & other bug fixes.\n",
    "Bruno Coudoin (Github:bdoin)\t\t\tBug fixes.\n",
    "Nuno Fernandes (Github)\t\t\t\tBug fixes & rule corrections.\n",
    "Alexandre Carrol Perales (Github:acabrol)\tBug fixes & features.\n",
    "Bruno Coudoin\t\t\t\t\tBug fixes & features.\n",
    "Steve Rawls (srawls@quadrantsec.com)\t\tBug reports & features.\n",
    "\"bhennigar\" (Github)\t\t\t\tBug reporting & testing.\n",
    "Corey Fisher (cfisher@quadrantsec.com)\t\tCode testing & debugging.\n",
    "\"Work-lako\" (Github)\t\t\t\tIdea/patch for syslog-handler.c.\n",
    "Jeremy A. Grove (jgrove@quadrantsec.com)\tBug reporting.\n",
    "Ray Ruvinskiy (Github: rtkrruvinskiy)\t\tDaemonization Fixes.\n",
    "\"YoichSec\" (Github) (Yoichi Sagawa)\t\tXbit track by src/dst port code.\n",
    "\"YoichSec\" (Github)\t\t\t\tChanging rules to match Suricata/Snort.\n",
    "\"3vilJohn\" (Twitter)\t\t\t\tVarious bug reports & testing.\n",
    "Kenneth Shelton (@netwatcher)\t\t\tIPv6 support, the 'selector', bug fixes.\n",
};

/*
 * Credits - print the version banner and the contributor list to stderr.
 *
 * Takes no arguments and returns nothing. VERSION comes from version.h.
 * None of the table entries contain a '%', so writing them with fputs()
 * produces exactly the same bytes as passing them to fprintf() as a format.
 */
void Credits(void)
{
    size_t i;
    const size_t line_count = sizeof(credit_lines) / sizeof(credit_lines[0]);

    fprintf(stderr, "\n--[Sagan version %s | Credits]--------------------------------\n\n", VERSION);

    for ( i = 0; i < line_count; i++ )
        {
            fputs(credit_lines[i], stderr);
        }

    fputs("\n", stderr);
}

sagan-1.2.0/src/util-time.h0000644000175000017500000000240213310531444014412 0ustar champchamp/*
** Copyright (C) 2009-2018 Quadrant Information Security
** Copyright (C) 2009-2018 Champ Clark III
**
** This program is free software; you can redistribute it and/or modify
** it under the terms of the GNU General Public License Version 2 as
** published by the Free Software Foundation. You may not use, modify or
** distribute this program under any other version of the GNU General
** Public License.
**
** This program is distributed in the hope that it will be useful,
** but WITHOUT ANY WARRANTY; without even the implied warranty of
** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
** GNU General Public License for more details.
**
** You should have received a copy of the GNU General Public License
** along with this program; if not, write to the Free Software
** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
*/ struct tm *Sagan_LocalTime(time_t , struct tm *); void CreateTimeString (const struct timeval *, char *, size_t , sbool ); void CreateIsoTimeString (const struct timeval *, char *, size_t ); void Return_Date( uint32_t, char *str, size_t size ); void Return_Time( uint32_t, char *str, size_t size ); void u32_Time_To_Human ( uint32_t, char *str, size_t size ); sagan-1.2.0/src/key.h0000644000175000017500000000200213310531444013265 0ustar champchamp/* ** Copyright (C) 2009-2018 Quadrant Information Security ** Copyright (C) 2009-2018 Champ Clark III ** ** This program is free software; you can redistribute it and/or modify ** it under the terms of the GNU General Public License Version 2 as ** published by the Free Software Foundation. You may not use, modify or ** distribute this program under any other version of the GNU General ** Public License. ** ** This program is distributed in the hope that it will be useful, ** but WITHOUT ANY WARRANTY; without even the implied warranty of ** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ** GNU General Public License for more details. ** ** You should have received a copy of the GNU General Public License ** along with this program; if not, write to the Free Software ** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. */ #ifdef HAVE_CONFIG_H #include "config.h" /* From autoconf */ #endif void Key_Handler( void ); sagan-1.2.0/src/config-yaml.c0000644000175000017500000030052313310531444014706 0ustar champchamp/* ** Copyright (C) 2009-2018 Quadrant Information Security ** Copyright (C) 2009-2018 Champ Clark III ** ** This program is free software; you can redistribute it and/or modify ** it under the terms of the GNU General Public License Version 2 as ** published by the Free Software Foundation. You may not use, modify or ** distribute this program under any other version of the GNU General ** Public License. 
** ** This program is distributed in the hope that it will be useful, ** but WITHOUT ANY WARRANTY; without even the implied warranty of ** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ** GNU General Public License for more details. ** ** You should have received a copy of the GNU General Public License ** along with this program; if not, write to the Free Software ** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. */ /* config-yaml.c * * Loads the sagan.yaml configuration file into memory. * */ #ifdef HAVE_CONFIG_H #include "config.h" /* From autoconf */ #endif #include #include #include #include #include #include "version.h" #include "sagan.h" #include "sagan-defs.h" #include "config-yaml.h" #include "rules.h" #include "sagan-config.h" #include "classifications.h" #include "gen-msg.h" #include "protocol-map.h" #include "references.h" #include "parsers/parsers.h" /* Processors */ #include "processors/blacklist.h" #include "processors/perfmon.h" #include "processors/bro-intel.h" #ifdef HAVE_LIBYAML #include #endif #ifdef WITH_BLUEDOT #include "processors/bluedot.h" sbool bluedot_load; #endif #if defined(HAVE_DNET_H) || defined(HAVE_DUMBNET_H) #include "output-plugins/unified2.h" #endif #ifdef HAVE_LIBLOGNORM #include #include "liblognormalize.h" struct liblognorm_struct *liblognormstruct; int liblognorm_count; #endif #ifdef HAVE_LIBMAXMINDDB #include "geoip2.h" #endif struct _SaganConfig *config; struct _SaganDebug *debug; struct _SaganVar *var; struct _SaganCounters *counters; struct _Rules_Loaded *rules_loaded; struct _Rule_Struct *rulestruct; #ifndef HAVE_LIBYAML ** You must of LIBYAML installed! 
** #endif sbool reload_rules; pthread_mutex_t SaganRulesLoadedMutex; pthread_mutex_t CounterLoadConfigGenericMutex=PTHREAD_MUTEX_INITIALIZER; #ifdef HAVE_LIBYAML void Load_YAML_Config( char *yaml_file ) { struct stat filecheck; yaml_parser_t parser; yaml_event_t event; sbool done = 0; int check = 0; unsigned char type = 0; unsigned char sub_type = 0; unsigned char toggle = 0; char *tok = NULL; char tmp[CONFBUF] = { 0 }; char last_pass[128] = { 0 }; int a; reload_rules = true; /* Set some system defaults */ if (!strcmp(config->sagan_config, yaml_file)) { strlcpy(config->sagan_sensor_name, SENSOR_NAME, sizeof(config->sagan_sensor_name)); strlcpy(config->sagan_lockfile, LOCKFILE, sizeof(config->sagan_lockfile)); strlcpy(config->sagan_log_path, SAGANLOGPATH, sizeof(config->sagan_log_path)); strlcpy(config->sagan_rule_path, RULE_PATH, sizeof(config->sagan_rule_path)); strlcpy(config->ipc_directory, IPC_DIRECTORY, sizeof(config->ipc_directory)); strlcpy(config->external_net, EXTERNAL_NET, sizeof(config->external_net)); strlcpy(config->home_net, HOME_NET, sizeof(config->home_net)); config->sagan_host[0] = '\0'; config->sagan_port = 514; /* Defaults for Parse_IP(); */ config->parse_ip_ipv6 = true; config->parse_ip_ipv4_mapped_ipv6 = false; config->max_threshold_by_src = DEFAULT_IPC_THRESH_BY_SRC; config->max_threshold_by_dst = DEFAULT_IPC_THRESH_BY_DST; config->max_threshold_by_srcport = DEFAULT_IPC_THRESH_BY_SRC_PORT; config->max_threshold_by_dstport = DEFAULT_IPC_THRESH_BY_DST_PORT; config->max_threshold_by_username = DEFAULT_IPC_THRESH_BY_USERNAME; config->max_after_by_src = DEFAULT_IPC_AFTER_BY_SRC; config->max_after_by_dst = DEFAULT_IPC_AFTER_BY_DST; config->max_after_by_srcport = DEFAULT_IPC_AFTER_BY_SRC_PORT; config->max_after_by_dstport = DEFAULT_IPC_AFTER_BY_DST_PORT; config->max_after_by_username = DEFAULT_IPC_AFTER_BY_USERNAME; config->max_track_clients = DEFAULT_IPC_CLIENT_TRACK_IPC; config->pp_sagan_track_clients = TRACK_TIME; config->sagan_proto = 17; /* 
Default to UDP */ config->max_processor_threads = MAX_PROCESSOR_THREADS; config->eve_fd = -1; config->sagan_alert_fd = -1; config->sagan_fast_fd = -1; config->sagan_log_fd = -1; config->perfmonitor_file_fd = -1; /* Copy default FIFO */ if ( config->sagan_is_file == false ) { config->sagan_fifo[0] = '\0'; strlcpy(config->sagan_fifo, FIFO, sizeof(config->sagan_fifo)); } #if defined(HAVE_GETPIPE_SZ) && defined(HAVE_SETPIPE_SZ) config->sagan_fifo_size = MAX_FIFO_SIZE; #endif #ifdef WITH_BLUEDOT /* Bluedot defaults */ strlcpy(config->bluedot_device_id, "NO_DEVICE_ID", sizeof(config->bluedot_device_id)); config->bluedot_timeout = 120; config->bluedot_cat[0] = '\0'; config->bluedot_uri[0] = '\0'; #endif #ifdef WITH_SYSLOG config->sagan_syslog_facility = DEFAULT_SYSLOG_FACILITY; config->sagan_syslog_priority = DEFAULT_SYSLOG_PRIORITY; config->sagan_syslog_options = LOG_PID; #endif #ifdef HAVE_LIBESMTP strlcpy(config->sagan_email_subject, DEFAULT_SMTP_SUBJECT, sizeof(config->sagan_email_subject)); config->sagan_esmtp_from[0] = '\0'; config->sagan_esmtp_server[0] = '\0'; #endif #ifdef HAVE_LIBPCAP strlcpy(config->plog_interface, PLOG_INTERFACE, sizeof(config->plog_interface)); strlcpy(config->plog_filter, PLOG_FILTER, sizeof(config->plog_filter)); strlcpy(config->plog_logdev, PLOG_LOGDEV, sizeof(config->plog_logdev)); #endif #ifdef HAVE_LIBHIREDIS #define DEFAULT_REDIS_MAX_WRITER_THREADS 10 config->redis_password[0] = '\0'; config->redis_max_writer_threads = DEFAULT_REDIS_MAX_WRITER_THREADS; #endif } if (stat(config->sagan_config, &filecheck) != false ) { Sagan_Log(ERROR, "[%s, line %d] The configuration file '%s' cannot be found! Abort!", __FILE__, __LINE__, config->sagan_config); } FILE *fh = fopen(yaml_file, "r"); if (!yaml_parser_initialize(&parser)) { Sagan_Log(ERROR, "[%s, line %d] Failed to initialize the libyaml parser. 
Abort!", __FILE__, __LINE__); } if (fh == NULL) { Sagan_Log(ERROR, "[%s, line %d] Failed to open the configuration file '%s' Abort!", __FILE__, __LINE__, yaml_file); } /* Set input file */ yaml_parser_set_input_file(&parser, fh); while(!done) { if (!yaml_parser_parse(&parser, &event)) { /* Useful YAML vars: parser.context_mark.line+1, parser.context_mark.column+1, parser.problem, parser.problem_mark.line+1, parser.problem_mark.column+1 */ Sagan_Log(ERROR, "[%s, line %d] libyam parse error at line %d in '%s'", __FILE__, __LINE__, parser.problem_mark.line+1, config->sagan_config); } if ( event.type == YAML_DOCUMENT_START_EVENT ) { if ( debug->debugload ) { Sagan_Log(DEBUG, "[%s, line %d] YAML_DOCUMENT_START_EVENT", __FILE__, __LINE__); } yaml_version_directive_t *ver = event.data.document_start.version_directive; if ( ver == NULL ) { Sagan_Log(ERROR, "[%s, line %d] Invalid configuration file. Configuration must start with \"%%YAML 1.1\"", __FILE__, __LINE__); } int major = ver->major; int minor = ver->minor; if (! (major == YAML_VERSION_MAJOR && minor == YAML_VERSION_MINOR) ) { Sagan_Log(ERROR, "[%s, line %d] Configuration has a invalid YAML version. 
Must be 1.1 or above", __FILE__, __LINE__); } } else if ( event.type == YAML_STREAM_END_EVENT ) { done = true; if ( debug->debugload ) { Sagan_Log(DEBUG, "[%s, line %d] YAML_STREAM_END_EVENT", __FILE__, __LINE__); } } else if ( event.type == YAML_MAPPING_START_EVENT ) { toggle = 1; if ( debug->debugload ) { Sagan_Log(DEBUG, "[%s, line %d] YAML_MAPPING_START_EVENT", __FILE__, __LINE__); } } else if ( event.type == YAML_MAPPING_END_EVENT ) { toggle = 0; sub_type = 0; if ( debug->debugload ) { Sagan_Log(DEBUG, "[%s, line %d] YAML_MAPPING_END_EVENT", __FILE__, __LINE__); } } else if ( event.type == YAML_SCALAR_EVENT ) { char *value = (char *)event.data.scalar.value; if ( debug->debugload ) { Sagan_Log(DEBUG, "[%s, line %d] YAML_SCALAR_EVENT - Value: \"%s\"", __FILE__, __LINE__, value); } /****** Primary Types *******************************************/ /************************/ /**** Load variables ****/ /************************/ if ( type == YAML_TYPE_VAR ) { if ( toggle == 1 ) { var = (_SaganVar *) realloc(var, (counters->var_count+1) * sizeof(_SaganVar)); if ( var == NULL ) { Sagan_Log(ERROR, "[%s, line %d] Failed to reallocate memory for var. 
Abort!", __FILE__, __LINE__); } snprintf(var[counters->var_count].var_name, sizeof(var[counters->var_count].var_name)-1, "$%s", value); var[counters->var_count].var_name[sizeof(var[counters->var_count].var_name)-1] = 0; toggle = 0; } else { if (strcmp(var[counters->var_count].var_name, "")) { /* If "file:/" is found, we load values from a file */ if (Sagan_strstr(value, "file:/")) { strtok_r(value, ":", &tok); char *filename; char tmpbuf[CONFBUF]; FILE *varfile; sbool check = 0; filename = strtok_r(NULL, ":", &tok); if ((varfile = fopen(filename, "r")) == NULL) { fprintf(stderr, "[E] [%s, line %d] Cannot open var file:%s\n", __FILE__, __LINE__, filename); exit(-1); } while(fgets(tmpbuf, sizeof(tmpbuf), varfile) != NULL) { /* Stuff to skip */ if (tmpbuf[0] == '#') continue; if (tmpbuf[0] == ';') continue; if (tmpbuf[0] == 10 ) continue; if (tmpbuf[0] == 32 ) continue; /* Simple check to see if this is the first entry or not. This is to keep our "," on mark */ Remove_Return(tmpbuf); if ( debug->debugload ) { Sagan_Log(DEBUG, "[%s, line %d] Variable from file \"%s\" var \"%s\" loaded: \"%s\"", __FILE__, __LINE__, filename, var[counters->var_count].var_name, tmpbuf); } if ( check == 0 ) { check = 1; } /* Append to the var */ strlcat(var[counters->var_count].var_value, tmpbuf, sizeof(var[counters->var_count].var_value)); } fclose(varfile); if ( debug->debugload ) { Sagan_Log(DEBUG, "[%s, line %d] Final load from file for \"%s\" value \"%s\"", __FILE__, __LINE__, var[counters->var_count].var_name, var[counters->var_count].var_value); } toggle = 1; } else { /* If "file:/" is not found, we load like a normal variable */ strlcpy(var[counters->var_count].var_value, value, sizeof(var[counters->var_count].var_value)); if ( debug->debugload ) { Sagan_Log(DEBUG, "[%s, line %d] Variable: \"%s == %s\"", __FILE__, __LINE__, var[counters->var_count].var_name, var[counters->var_count].var_value); } pthread_mutex_lock(&CounterLoadConfigGenericMutex); counters->var_count++; 
pthread_mutex_unlock(&CounterLoadConfigGenericMutex); toggle = 1; } } } } /* if type == YAML_TYPE_VAR */ else if ( type == YAML_TYPE_INCLUDES ) { if ( toggle == 1 ) { toggle = 0; } else { Var_To_Value(value, tmp, sizeof(tmp)); Sagan_Log(NORMAL, "Loading included file '%s'.", tmp); Load_YAML_Config(tmp); toggle = 1; } } else if ( type == YAML_TYPE_SAGAN_CORE ) { if (!strcmp(value, "core")) { sub_type = YAML_SAGAN_CORE_CORE; } else if (!strcmp(value, "parse-ip" )) { sub_type = YAML_SAGAN_CORE_PARSE_IP; } else if (!strcmp(value, "selector" )) { sub_type = YAML_SAGAN_CORE_SELECTOR; } else if (!strcmp(value, "redis-server" )) { sub_type = YAML_SAGAN_CORE_REDIS; } else if (!strcmp(value, "mmap-ipc" )) { sub_type = YAML_SAGAN_CORE_MMAP_IPC; } else if (!strcmp(value, "ignore_list" )) { sub_type = YAML_SAGAN_CORE_IGNORE_LIST; } else if (!strcmp(value, "geoip" )) { sub_type = YAML_SAGAN_CORE_GEOIP; } else if (!strcmp(value, "liblognorm" )) { sub_type = YAML_SAGAN_CORE_LIBLOGNORM; } else if (!strcmp(value, "plog" )) { sub_type = YAML_SAGAN_CORE_PLOG; } /* Enter sub-types */ if ( sub_type == YAML_SAGAN_CORE_CORE ) { if (!strcmp(last_pass, "sensor-name")) { strlcpy(config->sagan_sensor_name, value, sizeof(config->sagan_sensor_name)); } else if (!strcmp(last_pass, "default-host")) { strlcpy(config->sagan_host, value, sizeof(config->sagan_host)); } else if (!strcmp(last_pass, "default-port")) { Var_To_Value(value, tmp, sizeof(tmp)); config->sagan_port = atoi(tmp); if ( config->sagan_port == 0 ) { Sagan_Log(ERROR, "[%s, line %d] sagan:core 'default-port' is set to zero. 
Abort!", __FILE__, __LINE__); } } else if (!strcmp(last_pass, "default-proto")) { if ( !strcasecmp(value, "udp") ) { config->sagan_proto = 17; } else if ( !strcasecmp(value, "tcp") ) { config->sagan_proto = 6; } else if ( !strcasecmp(value, "icmp") ) { config->sagan_proto = 1; } else if ( strcasecmp(value, "tcp") && strcasecmp(value, "udp") ) { Sagan_Log(ERROR, "[%s, line %d] 'default_proto' can only be TCP, UDP or ICMP.", __FILE__, __LINE__); } } else if (!strcmp(last_pass, "dns-warnings")) { if (!strcasecmp(value, "yes") || !strcasecmp(value, "true") ) { config->disable_dns_warnings = true; } } else if (!strcmp(last_pass, "source-lookup")) { if (!strcasecmp(value, "yes") || !strcasecmp(value, "true") ) { config->syslog_src_lookup = true; } } #if defined(HAVE_GETPIPE_SZ) && defined(HAVE_SETPIPE_SZ) else if (!strcmp(last_pass, "fifo-size")) { Var_To_Value(value, tmp, sizeof(tmp)); config->sagan_fifo_size = atoi(tmp); if ( config->sagan_fifo_size == 0 ) { Sagan_Log(ERROR, "[%s, line %d] sagan:core 'fifo-size' is set to zero. Abort!", __FILE__, __LINE__); } if ( config->sagan_fifo_size != 65536 && config->sagan_fifo_size != 131072 && config->sagan_fifo_size != 262144 && config->sagan_fifo_size != 524288 && config->sagan_fifo_size != 1048576 ) { Sagan_Log(ERROR, "[%s, line %d] sagan:core 'fifo-size' is invalid. Valid value are 65536, 131072, 262144, 524288, and 1048576. Abort!", __FILE__, __LINE__); } } #endif else if (!strcmp(last_pass, "max-threads")) { Var_To_Value(value, tmp, sizeof(tmp)); config->max_processor_threads = atoi(tmp); if ( config->max_processor_threads == 0 ) { Sagan_Log(ERROR, "[%s, line %d] sagan:core 'max_threads' is zero/invalid. 
Abort!", __FILE__, __LINE__); } } else if (!strcmp(last_pass, "classification")) { Var_To_Value(value, tmp, sizeof(tmp)); Load_Classifications(tmp); } else if (!strcmp(last_pass, "reference")) { Var_To_Value(value, tmp, sizeof(tmp)); Load_Reference(tmp); } else if (!strcmp(last_pass, "gen-msg-map")) { Var_To_Value(value, tmp, sizeof(tmp)); Load_Gen_Map(tmp); } else if (!strcmp(last_pass, "protocol-map")) { Var_To_Value(value, tmp, sizeof(tmp)); Load_Protocol_Map(tmp); } else if (!strcmp(last_pass, "xbit-storage")) { Var_To_Value(value, tmp, sizeof(tmp)); if (strcmp(tmp, "mmap") && strcmp(tmp, "redis")) { Sagan_Log(ERROR, "[%s, line %d] sagan-core|xbit-storage is set to an invalid type '%s'. It must be 'mmap' or 'redis'. Abort!", __FILE__, __LINE__, tmp); } if (!strcmp(tmp, "redis")) { config->xbit_storage = XBIT_STORAGE_REDIS; } else { config->xbit_storage = XBIT_STORAGE_MMAP; } } } /* if sub_type == YAML_SAGAN_CORE_CORE */ if ( sub_type == YAML_SAGAN_CORE_MMAP_IPC ) { if (!strcmp(last_pass, "ipc-directory")) { Var_To_Value(value, tmp, sizeof(tmp)); strlcpy(config->ipc_directory, tmp, sizeof(config->ipc_directory)); } else if (!strcmp(last_pass, "xbit")) { Var_To_Value(value, tmp, sizeof(tmp)); config->max_xbits = atoi(tmp); if ( config->max_xbits == 0 ) { Sagan_Log(ERROR, "[%s, line %d] sagan-core|mmap-ipc - 'xbits' is set to zero. Abort!", __FILE__, __LINE__); } } else if (!strcmp(last_pass, "threshold-by-src")) { Var_To_Value(value, tmp, sizeof(tmp)); config->max_threshold_by_src = atoi(tmp); if ( config->max_threshold_by_src == 0 ) { Sagan_Log(ERROR, "[%s, line %d] sagan-core|mmap-ipc - 'threshold-by-src' is set to zero. Abort!", __FILE__, __LINE__); } } else if (!strcmp(last_pass, "threshold-by-dst")) { Var_To_Value(value, tmp, sizeof(tmp)); config->max_threshold_by_dst = atoi(tmp); if ( config->max_threshold_by_dst == 0 ) { Sagan_Log(ERROR, "[%s, line %d] sagan-core|mmap-ipc - 'threshold-by-dst' is set to zero. 
Abort!", __FILE__, __LINE__); } } else if (!strcmp(last_pass, "threshold-by-username")) { Var_To_Value(value, tmp, sizeof(tmp)); config->max_threshold_by_username = atoi(tmp); if ( config->max_threshold_by_username == 0 ) { Sagan_Log(ERROR, "[%s, line %d] sagan-core|mmap-ipc - 'threshold-by-username' is set to zero. Abort!", __FILE__, __LINE__); } } else if (!strcmp(last_pass, "after-by-src")) { Var_To_Value(value, tmp, sizeof(tmp)); config->max_after_by_src = atoi(tmp); if ( config->max_after_by_src == 0 ) { Sagan_Log(ERROR, "[%s, line %d] sagan-core|mmap-ipc - 'after-by-src' is set to zero. Abort!", __FILE__, __LINE__); } } else if (!strcmp(last_pass, "after-by-dst")) { Var_To_Value(value, tmp, sizeof(tmp)); config->max_after_by_dst = atoi(tmp); if ( config->max_after_by_dst == 0 ) { Sagan_Log(ERROR, "[%s, line %d] sagan-core|mmap-ipc - 'after-by-dst' is set to zero. Abort!", __FILE__, __LINE__); } } else if (!strcmp(last_pass, "after-by-username")) { Var_To_Value(value, tmp, sizeof(tmp)); config->max_after_by_username = atoi(tmp); if ( config->max_after_by_username == 0 ) { Sagan_Log(ERROR, "[%s, line %d] sagan-core|mmap-ipc - 'after-by-username' is set to zero. Abort!", __FILE__, __LINE__); } } else if (!strcmp(last_pass, "track-clients")) { Var_To_Value(value, tmp, sizeof(tmp)); config->max_track_clients = atoi(tmp); if ( config->max_track_clients == 0 ) { Sagan_Log(ERROR, "[%s, line %d] sagan-core|mmap-ipc - 'track-clients' is set to zero. 
Abort!", __FILE__, __LINE__); } } } /* if sub_type == YAML_SAGAN_CORE_MMAP_IPC */ if ( sub_type == YAML_SAGAN_CORE_IGNORE_LIST ) { if (!strcmp(last_pass, "enabled")) { if (!strcasecmp(value, "yes") || !strcasecmp(value, "true") ) { config->sagan_droplist_flag = true; } } if (!strcmp(last_pass, "ignore_file")) { if (config->sagan_droplist_flag == true) { Var_To_Value(value, tmp, sizeof(tmp)); strlcpy(config->sagan_droplistfile, tmp, sizeof(config->sagan_droplistfile)); } } } /* if sub_type == YAML_SAGAN_CORE_IGNORE_LIST */ #ifndef HAVE_LIBHIREDIS if ( sub_type == YAML_SAGAN_CORE_REDIS ) { if (!strcmp(last_pass, "enabled")) { if (!strcasecmp(value, "yes") || !strcasecmp(value, "true") ) { Sagan_Log(ERROR, "[%s, line %d] Sagan was not compiled with hiredis (Redis) support!", __FILE__, __LINE__); } } } /* if sub_type == YAML_SAGAN_CORE_REDIS */ #endif #ifdef HAVE_LIBHIREDIS if ( sub_type == YAML_SAGAN_CORE_REDIS ) { if (!strcmp(last_pass, "enabled")) { if (!strcasecmp(value, "yes") || !strcasecmp(value, "true") ) { config->redis_flag = true; } } if ( config->redis_flag == true ) { if (!strcmp(last_pass, "server")) { Var_To_Value(value, tmp, sizeof(tmp)); strlcpy(config->redis_server, tmp, sizeof(config->redis_server)); } if (!strcmp(last_pass, "port")) { Var_To_Value(value, tmp, sizeof(tmp)); config->redis_port = atoi(tmp); if ( config->redis_port == 0 ) { Sagan_Log(ERROR, "[%s, line %d] sagan-core|redis-server - Redis 'port' is set to zero. Abort!", __FILE__, __LINE__); } } if (!strcmp(last_pass, "password")) { Var_To_Value(value, tmp, sizeof(tmp)); strlcpy(config->redis_password, tmp, sizeof(config->redis_password)); } if (!strcmp(last_pass, "writer_threads")) { Var_To_Value(value, tmp, sizeof(tmp)); config->redis_max_writer_threads = atoi(tmp); if ( config->redis_max_writer_threads == 0 ) { Sagan_Log(ERROR, "[%s, line %d] sagan-core|redis-server - Redis 'writer_threads' is set to zero. 
Abort!", __FILE__, __LINE__); } } } } /* if sub_type == YAML_SAGAN_CORE_REDIS */ #endif #ifndef HAVE_LIBMAXMINDDB if ( sub_type == YAML_SAGAN_CORE_GEOIP ) { if (!strcmp(last_pass, "enabled")) { if (!strcasecmp(value, "yes") || !strcasecmp(value, "true") ) { Sagan_Log(ERROR, "[%s, line %d] Sagan was not compiled with Maxmind's \"GeoIP2\" support!", __FILE__, __LINE__); } } } /* if sub_type == YAML_SAGAN_CORE_GEOIP */ #endif #ifdef HAVE_LIBMAXMINDDB if ( sub_type == YAML_SAGAN_CORE_GEOIP ) { if (!strcmp(last_pass, "enabled")) { if (!strcasecmp(value, "yes") || !strcasecmp(value, "true") ) { config->have_geoip2 = true; } } if (!strcmp(last_pass, "country_database")) { if ( config->have_geoip2 == true ) { Var_To_Value(value, tmp, sizeof(tmp)); strlcpy(config->geoip2_country_file, tmp, sizeof(config->geoip2_country_file)); config->have_geoip2 = true; } } } /* if sub_type == YAML_SAGAN_CORE_GEOIP */ #endif #ifndef HAVE_LIBLOGNORM if ( sub_type == YAML_SAGAN_CORE_LIBLOGNORM ) { if (!strcmp(last_pass, "enabled")) { if ( !strcasecmp(value, "yes") || !strcasecmp(value, "true") ) { Sagan_Log(ERROR, "[%s, line %d] Sagan was not compiled with liblognorm support!", __FILE__, __LINE__); } } } /* if sub_type == YAML_SAGAN_CORE_GEOIP */ #endif #ifdef HAVE_LIBLOGNORM if ( sub_type == YAML_SAGAN_CORE_LIBLOGNORM ) { if (!strcmp(last_pass, "enabled")) { if (!strcasecmp(value, "yes") || !strcasecmp(value, "true") ) { config->liblognorm_load = true; } } if (!strcmp(last_pass, "normalize_rulebase")) { if ( config->liblognorm_load == true ) { Var_To_Value(value, tmp, sizeof(tmp)); Liblognorm_Load(tmp); } } } #endif #ifndef HAVE_LIBPCAP if ( sub_type == YAML_SAGAN_CORE_PLOG ) { if (!strcmp(last_pass, "enabled")) { if ( !strcasecmp(value, "yes") || !strcasecmp(value, "true") ) { Sagan_Log(ERROR, "[%s, line %d] Sagan was not compiled with libpcap support!", __FILE__, __LINE__); } } } /* sub_type == YAML_SAGAN_CORE_PLOG */ #endif #ifdef HAVE_LIBPCAP if ( sub_type == YAML_SAGAN_CORE_PLOG ) { if 
(!strcmp(last_pass, "enabled")) { if (!strcasecmp(value, "yes") || !strcasecmp(value, "true") ) { config->plog_flag = true; } } if ( config->plog_flag == true ) { if (!strcmp(last_pass, "interface")) { Var_To_Value(value, tmp, sizeof(tmp)); strlcpy(config->plog_interface, tmp, sizeof(config->plog_interface)); } else if (!strcmp(last_pass, "bpf-filter")) { Var_To_Value(value, tmp, sizeof(tmp)); strlcpy(config->plog_filter, tmp, sizeof(config->plog_filter)); } else if (!strcmp(last_pass, "log-device")) { Var_To_Value(value, tmp, sizeof(tmp)); strlcpy(config->plog_logdev, tmp, sizeof(config->plog_logdev)); } else if (!strcmp(last_pass, "promiscuous")) { if ( !strcasecmp(value, "yes") || !strcasecmp(value, "true") ) { config->plog_promiscuous = 1; } } } } #endif if ( sub_type == YAML_SAGAN_CORE_PARSE_IP ) { if (!strcmp(last_pass, "ipv6" )) { if (!strcasecmp(value, "yes") || !strcasecmp(value, "true") || !strcasecmp(value, "enabled" )) { config->parse_ip_ipv6 = true; } } else if (!strcmp(last_pass, "ipv4-mapped-ipv6" )) { if (!strcasecmp(value, "yes") || !strcasecmp(value, "true") || !strcasecmp(value, "enabled" )) { config->parse_ip_ipv4_mapped_ipv6 = true; } } } if ( sub_type == YAML_SAGAN_CORE_SELECTOR ) { if (!strcmp(last_pass, "enabled")) { if (!strcasecmp(value, "yes") || !strcasecmp(value, "true") ) { config->selector_flag = true; } } if ( config->selector_flag == true ) { if (!strcmp(last_pass, "name")) { Var_To_Value(value, tmp, sizeof(tmp)); strlcpy(config->selector_name, tmp, sizeof(config->selector_name)); } } } /* if sub_type == YAML_SAGAN_CORE_SELECTOR */ } /* else if ( type == YAML_TYPE_SAGAN_CORE ) */ else if ( type == YAML_TYPE_PROCESSORS ) { if (!strcmp(value, "track-clients")) { sub_type = YAML_PROCESSORS_TRACK_CLIENTS; } else if (!strcmp(value, "perfmonitor")) { sub_type = YAML_PROCESSORS_PERFMON; } else if (!strcmp(value, "blacklist")) { sub_type = YAML_PROCESSORS_BLACKLIST; } else if (!strcmp(value, "bluedot")) { sub_type = YAML_PROCESSORS_BLUEDOT; 
} else if (!strcmp(value, "bro-intel")) { sub_type = YAML_PROCESSORS_BROINTEL; } else if (!strcmp(value, "dynamic_load")) { sub_type = YAML_PROCESSORS_DYNAMIC_LOAD; } if ( sub_type == YAML_PROCESSORS_TRACK_CLIENTS ) { if (!strcasecmp(last_pass, "enabled")) { if ( !strcasecmp(value, "yes") || !strcasecmp(value, "true") ) { config->sagan_track_clients_flag = true; } } else if ( !strcmp(last_pass, "timeout") && config->sagan_track_clients_flag == true ) { Var_To_Value(value, tmp, sizeof(tmp)); config->pp_sagan_track_clients = atoi(tmp); if ( config->pp_sagan_track_clients == 0 ) { Sagan_Log(ERROR, "[%s, line %d] 'processor' : 'track_clients' - 'timeout' has to be a non-zero number. Abort!!", __FILE__, __LINE__); } } } else if ( sub_type == YAML_PROCESSORS_PERFMON ) { if (!strcmp(last_pass, "enabled")) { if ( !strcasecmp(value, "yes") || !strcasecmp(value, "true") ) { config->perfmonitor_flag = true; } } else if (!strcmp(last_pass, "time") && config->perfmonitor_flag == true ) { Var_To_Value(value, tmp, sizeof(tmp)); config->perfmonitor_time = atoi(tmp); if ( config->perfmonitor_time == 0 ) { Sagan_Log(ERROR, "[%s, line %d] 'processor' : 'perfmonitor' - 'time' has to be a non-zero number. 
Abort!!", __FILE__, __LINE__); } } else if (!strcmp(last_pass, "filename") && config->perfmonitor_flag == true ) { Var_To_Value(value, tmp, sizeof(tmp)); strlcpy(config->perfmonitor_file_name, tmp, sizeof(config->perfmonitor_file_name)); } } /* if sub_type == YAML_PROCESSORS_PERFMON */ else if ( sub_type == YAML_PROCESSORS_BLACKLIST ) { if (!strcmp(last_pass, "enabled")) { if ( !strcasecmp(value, "yes") || !strcasecmp(value, "true") ) { config->blacklist_flag = true; } } else if (!strcmp(last_pass, "filename") && config->blacklist_flag == true ) { Var_To_Value(value, tmp, sizeof(tmp)); strlcpy(config->blacklist_files, tmp, sizeof(config->blacklist_files)); } } /* if sub_type == YAML_PROCESSORS_BLACKLIST */ #ifndef WITH_BLUEDOT else if ( sub_type == YAML_PROCESSORS_BLUEDOT ) { if (!strcmp(last_pass, "enabled")) { if ( !strcasecmp(value, "yes") || !strcasecmp(value, "true") ) { Sagan_Log(ERROR, "[%s, line %d] The Sagan's configuration file has Bluedot enabled, but Sagan wasn't compiled with Bluedot support! Abort!", __FILE__, __LINE__); } } } #endif #ifdef WITH_BLUEDOT else if ( sub_type == YAML_PROCESSORS_BLUEDOT ) { if (!strcmp(last_pass, "enabled")) { if ( !strcasecmp(value, "yes") || !strcasecmp(value, "true") ) { config->bluedot_flag = true; } } else if (!strcmp(last_pass, "device-id") && config->bluedot_flag == true ) { Var_To_Value(value, tmp, sizeof(tmp)); strlcpy(config->bluedot_device_id, tmp, sizeof(config->bluedot_device_id)); } else if (!strcmp(last_pass, "host") && config->bluedot_flag == true ) { Var_To_Value(value, tmp, sizeof(tmp)); strlcpy(config->bluedot_host, tmp, sizeof(config->bluedot_host)); } else if (!strcmp(last_pass, "cache-timeout") && config->bluedot_flag == true ) { Var_To_Value(value, tmp, sizeof(tmp)); config->bluedot_timeout = atoi(tmp) * 60; if ( config->bluedot_timeout == 0 ) { Sagan_Log(ERROR, "[%s, line %d] 'processor' : 'bluedot' - 'cache-timeout' has to be a non-zero number. 
Abort!!", __FILE__, __LINE__); } } else if (!strcmp(last_pass, "categories") && config->bluedot_flag == true ) { Var_To_Value(value, tmp, sizeof(tmp)); strlcpy(config->bluedot_cat, tmp, sizeof(config->bluedot_cat)); } else if (!strcmp(last_pass, "uri") && config->bluedot_flag == true ) { Var_To_Value(value, tmp, sizeof(tmp)); strlcpy(config->bluedot_uri, tmp, sizeof(config->bluedot_uri)); } else if (!strcmp(last_pass, "ttl") && config->bluedot_flag == true ) { Var_To_Value(value, tmp, sizeof(tmp)); config->bluedot_dns_ttl = atoi(tmp); } } /* if sub_type == YAML_PROCESSORS_BLUEDOT */ #endif else if ( sub_type == YAML_PROCESSORS_BROINTEL ) { if (!strcmp(last_pass, "enabled")) { if ( !strcasecmp(value, "yes") || !strcasecmp(value, "true") ) { config->brointel_flag = true; } } else if (!strcmp(last_pass, "filename") && config->brointel_flag == true ) { Var_To_Value(value, tmp, sizeof(tmp)); strlcpy(config->brointel_files, tmp, sizeof(config->brointel_files)); } } /* if sub_type == YAML_PROCESSORS_BROINTEL */ else if ( sub_type == YAML_PROCESSORS_DYNAMIC_LOAD ) { if (!strcmp(last_pass, "enabled")) { if ( !strcasecmp(value, "yes") || !strcasecmp(value, "true") ) { config->dynamic_load_flag = true; } } else if (!strcmp(last_pass, "sample-rate") && config->dynamic_load_flag == true ) { Var_To_Value(value, tmp, sizeof(tmp)); config->dynamic_load_sample_rate = atoi(tmp); if ( config->dynamic_load_sample_rate == 0 ) { Sagan_Log(ERROR, "[%s, line %d] 'processor' : 'dynamic_load' - 'sample_rate' has to be a non-zero number. 
Abort!!", __FILE__, __LINE__); } } else if (!strcmp(last_pass, "type") && config->dynamic_load_flag == true ) { if (!strcmp(value, "dynamic_load")) { config->dynamic_load_type = 0; } else if (!strcmp(value, "log_only")) { config->dynamic_load_type = 1; } else if (!strcmp(value, "alert")) { config->dynamic_load_type = 2; } } } /* if sub_type == YAML_PROCESSORS_DYNAMIC_LOAD */ } /* else if ( type == YAML_TYPE_PROCESSORS */ else if ( type == YAML_TYPE_OUTPUT ) { if (!strcmp(value, "eve-log")) { sub_type = YAML_OUTPUT_EVE; } else if (!strcmp(value, "alert")) { sub_type = YAML_OUTPUT_ALERT; } else if (!strcmp(value, "fast")) { sub_type = YAML_OUTPUT_FAST; } else if (!strcmp(value, "unified2")) { sub_type = YAML_OUTPUT_UNIFIED2; } else if (!strcmp(value, "external")) { sub_type = YAML_OUTPUT_EXTERNAL; } else if (!strcmp(value, "smtp")) { sub_type = YAML_OUTPUT_SMTP; } else if (!strcmp(value, "snortsam")) { sub_type = YAML_OUTPUT_SNORTSAM; } else if (!strcmp(value, "syslog")) { sub_type = YAML_OUTPUT_SYSLOG; } if ( sub_type == YAML_OUTPUT_EVE ) { if (!strcmp(last_pass, "enabled")) { if ( !strcasecmp(value, "yes") || !strcasecmp(value, "true") ) { config->eve_flag = true; strlcpy(config->eve_interface, "logs", sizeof(config->eve_interface)); /* Set a "default" value */ } } else if ( !strcmp(last_pass, "filetype") && config->eve_flag == true ) { if (!strcmp(value, "regular")) { config->eve_type = 0; } // if (!strcmp(value, "something")) { // } } else if ( !strcmp(last_pass, "interface") && config->eve_flag == true ) { Var_To_Value(value, tmp, sizeof(tmp)); strlcpy(config->eve_interface, tmp, sizeof(config->eve_interface)); } else if ( !strcmp(last_pass, "filename") && config->eve_flag == true ) { Var_To_Value(value, tmp, sizeof(tmp)); strlcpy(config->eve_filename, tmp, sizeof(config->eve_filename)); } else if ( !strcmp(last_pass, "alerts") && config->eve_flag == true ) { if ( !strcasecmp(value, "yes") || !strcasecmp(value, "true") ) { config->eve_alerts = true; } } else if 
( !strcmp(last_pass, "logs") && config->eve_flag == true ) { if ( !strcasecmp(value, "yes") || !strcasecmp(value, "true") ) { config->eve_logs = true; } } } else if ( sub_type == YAML_OUTPUT_ALERT ) { if (!strcmp(last_pass, "enabled")) { if ( !strcasecmp(value, "yes") || !strcasecmp(value, "true") ) { config->alert_flag = true; } } else if (!strcmp(last_pass, "filename") && config->alert_flag == true) { Var_To_Value(value, tmp, sizeof(tmp)); strlcpy(config->sagan_alert_filepath, tmp, sizeof(config->sagan_alert_filepath)); } } /* sub_type == YAML_OUTPUT_ALERT */ else if ( sub_type == YAML_OUTPUT_FAST ) { if (!strcmp(last_pass, "enabled")) { if ( !strcasecmp(value, "yes") || !strcasecmp(value, "true") ) { config->fast_flag = true; } } else if (!strcmp(last_pass, "filename") && config->fast_flag == true) { Var_To_Value(value, tmp, sizeof(tmp)); strlcpy(config->fast_filename, tmp, sizeof(config->fast_filename)); } } /* sub_type == YAML_OUTPUT_FAST */ #if !defined(HAVE_DNET_H) && !defined(HAVE_DUMBNET_H) else if ( sub_type == YAML_OUTPUT_UNIFIED2 ) { if (!strcmp(last_pass, "enabled")) { if ( !strcasecmp(value, "yes") || !strcasecmp(value, "true") ) { Sagan_Log(ERROR, "[%s, line %d] 'unified2' output is enabled, but Sagan is not compiled with libdnet support. 
Abort!", __FILE__, __LINE__); } } } #endif #if defined(HAVE_DNET_H) || defined(HAVE_DUMBNET_H) else if ( sub_type == YAML_OUTPUT_UNIFIED2 ) { if (!strcmp(last_pass, "enabled")) { if ( !strcasecmp(value, "yes") || !strcasecmp(value, "true") ) { config->sagan_unified2_flag = true; } } else if ( !strcmp(last_pass, "filename") && config->sagan_unified2_flag == true ) { Var_To_Value(value, tmp, sizeof(tmp)); strlcpy(config->unified2_filepath, tmp, sizeof(config->unified2_filepath)); } else if ( !strcmp(last_pass, "limit") && config->sagan_unified2_flag == true ) { Var_To_Value(value, tmp, sizeof(tmp)); config->unified2_limit = atoi(tmp) * 1024 * 1024; if ( config->unified2_limit == 0 ) { Sagan_Log(ERROR, "[%s, line %d] 'outputs' : 'unified2' - 'limit' has to be a non-zero number. Abort!!", __FILE__, __LINE__); } } else if ( !strcmp(last_pass, "force-ipv4") && config->sagan_unified2_flag == true ) { if ( !strcasecmp(value, "yes") || !strcasecmp(value, "true") ) { config->unified2_force_ipv4 = true; } } } /* if sub_type == YAML_OUTPUT_UNIFIED2 */ #endif else if ( sub_type == YAML_OUTPUT_EXTERNAL ) { if (!strcmp(last_pass, "enabled")) { if ( !strcasecmp(value, "yes") || !strcasecmp(value, "true") ) { config->sagan_external_output_flag = true; } } else if (!strcmp(last_pass, "command") && config->sagan_external_output_flag == true) { Var_To_Value(value, tmp, sizeof(tmp)); strlcpy(config->sagan_external_command, tmp, sizeof(config->sagan_external_command)); } } /* else if sub_type == YAML_OUTPUT_EXTERNAL ) */ #ifndef HAVE_LIBESMTP else if ( sub_type == YAML_OUTPUT_SMTP ) { if (!strcmp(last_pass, "enabled")) { if ( !strcasecmp(value, "yes") || !strcasecmp(value, "true") ) { Sagan_Log(ERROR, "[%s, line %d] 'smtp' output is enabled, but Sagan is not compiled with libesmtp support. 
Abort!", __FILE__, __LINE__); } } } #endif #ifdef HAVE_LIBESMTP else if ( sub_type == YAML_OUTPUT_SMTP ) { if (!strcmp(last_pass, "enabled")) { if ( !strcasecmp(value, "yes") || !strcasecmp(value, "true") ) { config->sagan_esmtp_flag = true; } } else if ( !strcmp(last_pass, "from") && config->sagan_esmtp_flag == true ) { Var_To_Value(value, tmp, sizeof(tmp)); strlcpy(config->sagan_esmtp_from, tmp, sizeof(config->sagan_esmtp_from)); } else if ( !strcmp(last_pass, "server") && config->sagan_esmtp_flag == true ) { Var_To_Value(value, tmp, sizeof(tmp)); strlcpy(config->sagan_esmtp_server, tmp, sizeof(config->sagan_esmtp_server)); } else if ( !strcmp(last_pass, "subject") && config->sagan_esmtp_flag == true ) { Var_To_Value(value, tmp, sizeof(tmp)); strlcpy(config->sagan_email_subject, tmp, sizeof(config->sagan_email_subject)); } } /* else if sub_type == YAML_OUTPUT_SMTP ) */ #endif #ifndef WITH_SNORTSAM else if ( sub_type == YAML_OUTPUT_SNORTSAM ) { if (!strcmp(last_pass, "enabled")) { if ( !strcasecmp(value, "yes") || !strcasecmp(value, "true") ) { Sagan_Log(ERROR, "[%s, line %d] 'snortsam' output is enabled, but Sagan is not compiled with Snortsam support. Abort!", __FILE__, __LINE__); } } } #endif #ifdef WITH_SNORTSAM else if ( sub_type == YAML_OUTPUT_SNORTSAM ) { if (!strcmp(last_pass, "enabled")) { if ( !strcasecmp(value, "yes") || !strcasecmp(value, "true") ) { config->sagan_fwsam_flag = true; } } else if (!strcmp(last_pass, "server") && config->sagan_fwsam_flag == true) { Var_To_Value(value, tmp, sizeof(tmp)); strlcpy(config->sagan_fwsam_info, tmp, sizeof(config->sagan_fwsam_info)); } } #endif #ifndef WITH_SYSLOG else if ( sub_type == YAML_OUTPUT_SYSLOG ) { if (!strcmp(last_pass, "enabled")) { if ( !strcasecmp(value, "yes") || !strcasecmp(value, "true") ) { Sagan_Log(ERROR, "[%s, line %d] 'syslog' output is enabled, but Sagan is not compiled with syslog support. 
Abort!", __FILE__, __LINE__); } } } #endif #ifdef WITH_SYSLOG else if ( sub_type == YAML_OUTPUT_SYSLOG ) { if (!strcmp(last_pass, "enabled")) { if ( !strcasecmp(value, "yes") || !strcasecmp(value, "true") ) { config->sagan_syslog_flag = true; } } else if (!strcmp(last_pass, "facility") && config->sagan_syslog_flag == true ) { #ifdef LOG_AUTH if (!strcmp(value, "LOG_AUTH")) { config->sagan_syslog_facility = LOG_AUTH; } #endif #ifdef LOG_AUTHPRIV if (!strcmp(value, "LOG_AUTHPRIV")) { config->sagan_syslog_facility = LOG_AUTHPRIV; } #endif #ifdef LOG_CRON if (!strcmp(value, "LOG_CRON")) { config->sagan_syslog_facility = LOG_CRON; } #endif #ifdef LOG_DAEMON if (!strcmp(value, "LOG_DAEMON")) { config->sagan_syslog_facility = LOG_DAEMON; } #endif #ifdef LOG_FTP if (!strcmp(value, "LOG_FTP")) { config->sagan_syslog_facility = LOG_FTP; } #endif #ifdef LOG_INSTALL if (!strcmp(value, "LOG_INSTALL")) { config->sagan_syslog_facility = LOG_INSTALL; } #endif #ifdef LOG_KERN if (!strcmp(value, "LOG_KERN")) { config->sagan_syslog_facility = LOG_KERN; } #endif #ifdef LOG_LPR if (!strcmp(value, "LOG_LPR")) { config->sagan_syslog_facility = LOG_LPR; } #endif #ifdef LOG_MAIL if (!strcmp(value, "LOG_MAIL")) { config->sagan_syslog_facility = LOG_MAIL; } #endif #ifdef LOG_NETINFO if (!strcmp(value, "LOG_NETINFO")) { config->sagan_syslog_facility = LOG_NETINFO; } #endif #ifdef LOG_RAS if (!strcmp(value, "LOG_RAS")) { config->sagan_syslog_facility = LOG_RAS; } #endif #ifdef LOG_REMOTEAUTH if (!strcmp(value, "LOG_REMOTEAUTH")) { config->sagan_syslog_facility = LOG_REMOTEAUTH; } #endif #ifdef LOG_NEWS if (!strcmp(value, "LOG_NEWS")) { config->sagan_syslog_facility = LOG_NEWS; } #endif #ifdef LOG_SYSLOG if (!strcmp(value, "LOG_SYSLOG")) { config->sagan_syslog_facility = LOG_SYSLOG; } #endif #ifdef LOG_USER if (!strcmp(value, "LOG_USER")) { config->sagan_syslog_facility = LOG_USER; } #endif #ifdef LOG_UUCP if (!strcmp(value, "LOG_UUCP")) { config->sagan_syslog_facility = LOG_UUCP; } #endif 
#ifdef LOG_LOCAL0 if (!strcmp(value, "LOG_LOCAL0")) { config->sagan_syslog_facility = LOG_LOCAL0; } #endif #ifdef LOG_LOCAL1 if (!strcmp(value, "LOG_LOCAL1")) { config->sagan_syslog_facility = LOG_LOCAL1; } #endif #ifdef LOG_LOCAL2 if (!strcmp(value, "LOG_LOCAL2")) { config->sagan_syslog_facility = LOG_LOCAL2; } #endif #ifdef LOG_LOCAL3 if (!strcmp(value, "LOG_LOCAL3")) { config->sagan_syslog_facility = LOG_LOCAL3; } #endif #ifdef LOG_LOCAL4 if (!strcmp(value, "LOG_LOCAL4")) { config->sagan_syslog_facility = LOG_LOCAL4; } #endif #ifdef LOG_LOCAL5 if (!strcmp(value, "LOG_LOCAL5")) { config->sagan_syslog_facility = LOG_LOCAL5; } #endif #ifdef LOG_LOCAL6 if (!strcmp(value, "LOG_LOCAL6")) { config->sagan_syslog_facility = LOG_LOCAL6; } #endif #ifdef LOG_LOCAL7 if (!strcmp(value, "LOG_LOCAL7")) { config->sagan_syslog_facility = LOG_LOCAL7; } #endif } /* !strcmp(last_pass, "facility") */ else if (!strcmp(last_pass, "priority") && config->sagan_syslog_flag == true ) { #ifdef LOG_EMERG if (!strcmp(value, "LOG_EMERG")) { config->sagan_syslog_priority = LOG_EMERG; } #endif #ifdef LOG_ALERT if (!strcmp(value, "LOG_ALERT")) { config->sagan_syslog_priority = LOG_ALERT; } #endif #ifdef LOG_CRIT if (!strcmp(value, "LOG_CRIT")) { config->sagan_syslog_priority = LOG_CRIT; } #endif #ifdef LOG_ERR if (!strcmp(value, "LOG_ERR")) { config->sagan_syslog_priority = LOG_ERR; } #endif #ifdef LOG_WARNING if (!strcmp(value, "LOG_WARNING")) { config->sagan_syslog_priority = LOG_WARNING; } #endif #ifdef LOG_NOTICE if (!strcmp(value, "LOG_NOTICE")) { config->sagan_syslog_priority = LOG_NOTICE; } #endif #ifdef LOG_INFO if (!strcmp(value, "LOG_INFO")) { config->sagan_syslog_priority = LOG_INFO; } #endif #ifdef LOG_DEBUG if (!strcmp(value, "LOG_DEBUG")) { config->sagan_syslog_priority = LOG_DEBUG; } #endif } /* !strcmp(last_pass, "priority") */ else if (!strcmp(last_pass, "extra") && config->sagan_syslog_flag == true ) { #ifdef LOG_CONS if (!strcmp(value, "LOG_CONS")) { 
config->sagan_syslog_options |= LOG_CONS; } #endif #ifdef LOG_NDELAY if (!strcmp(value, "LOG_NDELAY")) { config->sagan_syslog_options |= LOG_NDELAY; } #endif #ifdef LOG_PERROR if (!strcmp(value, "LOG_PERROR")) { config->sagan_syslog_options |= LOG_PERROR; } #endif #ifdef LOG_PID if (!strcmp(value, "LOG_PID")) { config->sagan_syslog_options |= LOG_PID; } #endif #ifdef LOG_NOWAIT if (!strcmp(value, "LOG_NOWAIT")) { config->sagan_syslog_options |= LOG_NOWAIT; } #endif } /* !strcmp(last_pass, "extra") */ } /* if sub_type == YAML_OUTPUT_SYSLOG */ #endif } /* else if ype == YAML_TYPE_OUTPUT */ else if ( type == YAML_TYPE_RULES ) { #ifdef WITH_BLUEDOT if ( config->bluedot_flag == true && bluedot_load == false ) { Sagan_Bluedot_Init(); Sagan_Bluedot_Load_Cat(); bluedot_load = true; } #endif Var_To_Value(value, tmp, sizeof(tmp)); Load_Rules( (char*)tmp ); rules_loaded = (_Rules_Loaded *) realloc(rules_loaded, (counters->rules_loaded_count+1) * sizeof(_Rules_Loaded)); if ( rules_loaded == NULL ) { Sagan_Log(ERROR, "[%s, line %d] Failed to reallocate memory for rules_loaded. 
Abort!", __FILE__, __LINE__); } Var_To_Value(value, tmp, sizeof(tmp)); strlcpy(rules_loaded[counters->rules_loaded_count].ruleset, tmp, sizeof(rules_loaded[counters->rules_loaded_count].ruleset)); pthread_mutex_lock(&CounterLoadConfigGenericMutex); counters->rules_loaded_count++; pthread_mutex_unlock(&CounterLoadConfigGenericMutex); } strlcpy(last_pass, value, sizeof(last_pass)); /**** Tag types *************************************************/ /**************/ /**** vars ****/ /**************/ if (!strcmp(value, "vars") || !strcmp(value, "address-groups") || !strcmp(value, "port-groups") || !strcmp(value, "sagan-groups") || !strcmp(value, "misc-groups") || !strcmp(value, "aetas-groups")) { if ( debug->debugload ) { Sagan_Log(DEBUG, "[%s, line %d] **** Found variables ****", __FILE__, __LINE__); } type = YAML_TYPE_VAR; toggle = 0; } /* tag: var */ /*****************/ /**** include ****/ /*****************/ else if (!strcmp(value, "include")) { if ( debug->debugload ) { Sagan_Log(DEBUG, "[%s, line %d] **** Found include ****", __FILE__, __LINE__); } type = YAML_TYPE_INCLUDES; toggle = 0; } /* tag: include */ /********************/ /**** Sagan core ****/ /********************/ else if (!strcmp(value, "sagan-core")) { if ( debug->debugload ) { Sagan_Log(DEBUG, "[%s, line %d] **** Found Sagan Core ****", __FILE__, __LINE__); } type = YAML_TYPE_SAGAN_CORE; toggle = 0; } /* tag: sagan-core */ /********************/ /**** Processors ****/ /********************/ else if (!strcmp(value, "processors")) { if ( debug->debugload ) { Sagan_Log(DEBUG, "[%s, line %d] **** Found Processors ****", __FILE__, __LINE__); } type = YAML_TYPE_PROCESSORS; toggle = 0; } /* tag: processors: */ /*****************/ /**** Outputs ****/ /*****************/ else if (!strcmp(value, "outputs")) { if ( debug->debugload ) { Sagan_Log(DEBUG, "[%s, line %d] **** Found Output ****", __FILE__, __LINE__); } type = YAML_TYPE_OUTPUT; toggle = 0; } /* tag: outputs: */ /****************/ /**** Rules *****/ 
/****************/ else if (!strcmp(value, "rules-files")) { if ( debug->debugload ) { Sagan_Log(DEBUG, "[%s, line %d] **** Found Rule-Files ****", __FILE__, __LINE__); } type = YAML_TYPE_RULES; toggle = 0; } /* tag: rule-files */ } /* else if ( event.type == YAML_SCALAR_EVENT */ } /* End of while(!done) */ /* libyaml clean up */ yaml_event_delete(&event); yaml_parser_delete(&parser); fclose(fh); /* Load required var's info config array */ for (a = 0; avar_count; a++) { if ( !strcmp(var[a].var_name, "$FIFO") && config->sagan_is_file == 0 ) { strlcpy(config->sagan_fifo, var[a].var_value, sizeof(config->sagan_fifo)); } else if ( !strcmp(var[a].var_name, "$LOCKFILE" ) ) { strlcpy(config->sagan_lockfile, var[a].var_value, sizeof(config->sagan_lockfile)); } else if ( !strcmp(var[a].var_name, "$SAGANLOGPATH" ) ) { strlcpy(config->sagan_log_path, var[a].var_value, sizeof(config->sagan_log_path)); } } /**********************/ /* Sanity checks here */ /**********************/ /* Check rules for duplicate sid. We can't have that! */ for (a = 0; a < counters->rulecount; a++) { for ( check = a+1; check < counters->rulecount; check++) { if (!strcmp (rulestruct[check].s_sid, rulestruct[a].s_sid )) { Sagan_Log(ERROR, "[%s, line %d] Detected duplicate signature id [sid] number %s. Please correct this.", __FILE__, __LINE__, rulestruct[check].s_sid, rulestruct[a].s_sid); } } } if ( config->sagan_is_file == false && config->sagan_fifo[0] == '\0' ) { Sagan_Log(ERROR, "[%s, line %d] No FIFO option found which is required! Aborting!", __FILE__, __LINE__); } if ( config->sagan_host[0] == '\0' ) { Sagan_Log(ERROR, "[%s, line %d] The 'sagan_host' option was not found and is required.", __FILE__, __LINE__); } #ifdef HAVE_LIBESMTP if ( config->sagan_esmtp_flag == true ) { if ( config->sagan_esmtp_from[0] == '\0' ) { Sagan_Log(ERROR, "[%s, line %d] SMTP output is enabled but no 'from' address is specified. 
Abort!"); } else if ( config->sagan_esmtp_server[0] == '\0' ) { Sagan_Log(ERROR, "[%s, line %d] SMTP output is enabled but not 'server' address is specified. Abort!"); } } #endif #ifdef HAVE_LIBMAXMINDDB if ( config->have_geoip2 == true ) { if ( Check_Var("$HOME_COUNTRY") == false ) { Sagan_Log(ERROR, "[%s, line %d] GeoIP2 is enabled, but the $HOME_COUNTRY variable is not set. . Abort!", __FILE__, __LINE__); } Sagan_Log(NORMAL, "Loading GeoIP2 database. [%s]", config->geoip2_country_file); Open_GeoIP2_Database(); } #endif #ifdef HAVE_LIBLOGNORM if ( config->liblognorm_load == false ) { Sagan_Log(ERROR, "[%s, line %d] liblognorm is in use but is not set up. Abort.", __FILE__, __LINE__); } #endif #ifdef WITH_BLUEDOT if ( config->bluedot_flag == true ) { if ( config->bluedot_cat[0] == '\0' ) { Sagan_Log(ERROR, "[%s, line %d] Bluedot \"catagories\" option is missing.", __FILE__, __LINE__); } if ( config->bluedot_uri[0] == '\0' ) { Sagan_Log(ERROR, "[%s, line %d] Bluedot \"uri\" option is missing.", __FILE__, __LINE__); } } #endif reload_rules = false; } #endif sagan-1.2.0/src/xbit.c0000644000175000017500000000764013310531444013453 0ustar champchamp/* ** Copyright (C) 2009-2018 Quadrant Information Security ** Copyright (C) 2009-2018 Champ Clark III ** ** This program is free software; you can redistribute it and/or modify ** it under the terms of the GNU General Public License Version 2 as ** published by the Free Software Foundation. You may not use, modify or ** distribute this program under any other version of the GNU General ** Public License. ** ** This program is distributed in the hope that it will be useful, ** but WITHOUT ANY WARRANTY; without even the implied warranty of ** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ** GNU General Public License for more details. 
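**
** You should have received a copy of the GNU General Public License
** along with this program; if not, write to the Free Software
** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
*/

/*
 * xbit.c - Functions used for tracking events over multiple log
 * lines.
 *
 */

#ifdef HAVE_CONFIG_H
#include "config.h"             /* From autoconf */
#endif

#include                        /* system header (name lost in this copy) */
#include                        /* system header (name lost in this copy) */

#include "sagan.h"
#include "sagan-defs.h"
#include "sagan-config.h"
#include "xbit.h"
#include "xbit-mmap.h"

#ifdef HAVE_LIBHIREDIS
#include "redis.h"
#include "xbit-redis.h"
#endif

/* NOTE(review): this is a tentative definition, not an `extern` declaration.
 * It only links because of common-symbol merging, which GCC 10+ disables by
 * default (-fno-common); confirm against the defining translation unit. */
struct _SaganConfig *config;

/*****************************************************************************
 * Xbit_Condition - Evaluates the xbit condition of rule 'rule_position' for
 * the given source/destination address, ports and selector.  When Sagan is
 * built with hiredis and the running config has both redis_flag set and
 * xbit_storage == XBIT_STORAGE_REDIS, the Redis-backed store answers;
 * otherwise the mmap-backed store does.  Returns the store's verdict.
 *****************************************************************************/

sbool Xbit_Condition(int rule_position, char *ip_src_char, char *ip_dst_char, int src_port, int dst_port, char *selector )
{

#ifdef HAVE_LIBHIREDIS

    if ( config->redis_flag && config->xbit_storage == XBIT_STORAGE_REDIS )
        {
            return(Xbit_Condition_Redis(rule_position, ip_src_char, ip_dst_char, src_port, dst_port, selector));
        }

#endif

    return(Xbit_Condition_MMAP(rule_position, ip_src_char, ip_dst_char, src_port, dst_port, selector));

}

/*****************************************************************************
 * Xbit_Count - Counts xbits for rule 'rule_position' / the given addresses
 * and selector.  Always goes to the mmap-backed store.
 *
 * NOTE(review): unlike Xbit_Condition() and Xbit_Set() there is no Redis
 * branch here, so with Redis storage configured this counts against a
 * store that is not being written to; confirm whether that is intended.
 *****************************************************************************/

sbool Xbit_Count( int rule_position, char *ip_src_char, char *ip_dst_char, char *selector )
{

    return(Xbit_Count_MMAP(rule_position, ip_src_char, ip_dst_char, selector ));

}

/*****************************************************************************
 * Xbit_Set - Sets (or clears) the xbits of rule 'rule_position' for the
 * given addresses, ports and selector.  Storage selection follows the same
 * rule as Xbit_Condition().  The Redis path receives the whole
 * _Sagan_Proc_Syslog record; the mmap path only its syslog_message.
 *****************************************************************************/

void Xbit_Set(int rule_position, char *ip_src_char, char *ip_dst_char, int src_port, int dst_port, char *selector, _Sagan_Proc_Syslog *SaganProcSyslog_LOCAL )
{

#ifdef HAVE_LIBHIREDIS

    if ( config->redis_flag && config->xbit_storage == XBIT_STORAGE_REDIS )
        {
            Xbit_Set_Redis(rule_position, ip_src_char, ip_dst_char, src_port, dst_port, selector, SaganProcSyslog_LOCAL );
            return;
        }

#endif

    Xbit_Set_MMAP(rule_position, ip_src_char, ip_dst_char, src_port, dst_port, selector, SaganProcSyslog_LOCAL->syslog_message );

}

/*****************************************************************************
 * Xbit_Type - Maps the xbit "direction" keyword of a rule to its numeric
 * code (0..12).  'linecount' and 'ruleset' identify the rule line and file
 * for the error message, which is only reached for an unknown keyword.
 * Returns the code, or 0 after logging the error.
 *****************************************************************************/

int Xbit_Type ( char *type, int linecount, const char *ruleset )
{

    /* Keyword -> code table.  The seven "_p" entries are the same keywords
     * with a "_p" suffix and take the codes 7..12 in the same order. */

    static const struct
    {
        const char *keyword;
        int code;
    } xbit_types[] =
    {
        { "none",           0 },
        { "both",           1 },
        { "by_src",         2 },
        { "by_dst",         3 },
        { "reverse",        4 },
        { "src_xbitdst",    5 },
        { "dst_xbitsrc",    6 },
        { "both_p",         7 },
        { "by_src_p",       8 },
        { "by_dst_p",       9 },
        { "reverse_p",     10 },
        { "src_xbitdst_p", 11 },
        { "dst_xbitsrc_p", 12 },
    };

    size_t i;

    for ( i = 0; i < sizeof(xbit_types) / sizeof(xbit_types[0]); i++ )
        {
            if ( !strcmp(type, xbit_types[i].keyword) )
                {
                    return(xbit_types[i].code);
                }
        }

    /* 'ruleset' was previously passed but never consumed by the format, so
     * the message never named the rule file; it now does. */

    Sagan_Log(ERROR, "[%s, line %d] Expected 'none', 'both', 'by_src', 'by_dst', 'reverse', 'src_xbitdst', 'dst_xbitsrc', 'both_p', 'by_src_p', 'by_dst_p', 'reverse_p', 'src_xbitdst_p', or 'dst_xbitsrc_p'. Got '%s' at line %d of %s.", __FILE__, __LINE__, type, linecount, ruleset);

    return(0);  /* Should never make it here (Sagan_Log(ERROR, ...) is expected not to return) */

}

sagan-1.2.0/src/sagan-config.h0000644000175000017500000001535313310531444015046 0ustar champchamp
/*
** Copyright (C) 2009-2018 Quadrant Information Security
** Copyright (C) 2009-2018 Champ Clark III
**
** This program is free software; you can redistribute it and/or modify
** it under the terms of the GNU General Public License Version 2 as
** published by the Free Software Foundation. You may not use, modify or
** distribute this program under any other version of the GNU General
** Public License.
**
** This program is distributed in the hope that it will be useful,
** but WITHOUT ANY WARRANTY; without even the implied warranty of
** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
** GNU General Public License for more details.
**
** You should have received a copy of the GNU General Public License
** along with this program; if not, write to the Free Software
** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.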
*/

#ifdef HAVE_CONFIG_H
#include "config.h"             /* From autoconf */
#endif

#ifdef HAVE_LIBHIREDIS
#include                        /* system header (name lost in this copy) */
#endif

/* Sagan configuration struct (global) */

/*
 * One process-wide instance of this struct is filled in by the YAML
 * configuration loader and then read by every subsystem.  The field
 * comments below only describe what the loader visible in this source
 * puts into a field; anything else is marked as an assumption.
 */

typedef struct _SaganConfig _SaganConfig;
struct _SaganConfig
{

    /* Non-dependent var's */

    sbool sagan_reload;
    sbool daemonize;
    sbool quiet;
    sbool liblognorm_load;              /* With liblognorm built in, the loader raises an ERROR if this is still false after parsing */
    const char *sagan_runas;
    char sagan_config[MAXPATH];         /* Master Sagan configuration file */

    sbool selector_flag;
    char selector_name[MAXSELECTOR];

    sbool alert_flag;                   /* outputs -> alert: enabled */

    sbool eve_flag;                     /* outputs -> eve-log: enabled */
    /* 0 = file */
    unsigned char eve_type;             /* 0 = "regular"; the only value the loader assigns */
    char eve_interface[32];             /* Defaults to "logs" when eve-log is enabled, overridden by 'interface' */
    char eve_filename[MAXPATH];         /* eve-log 'filename' */
    FILE *eve_stream;
    int eve_fd;
    sbool eve_alerts;                   /* eve-log 'alerts: yes' */
    sbool eve_logs;                     /* eve-log 'logs: yes' */

    char sagan_alert_filepath[MAXPATH]; /* outputs -> alert: 'filename' */
    char sagan_sensor_name[64];
    char sagan_interface[50];
    FILE *sagan_alert_stream;
    int sagan_alert_fd;

    FILE *sagan_fast_stream;
    int sagan_fast_fd;

    char sagan_log_filepath[MAXPATH];
    FILE *sagan_log_stream;
    int sagan_log_fd;

    char sagan_lockfile[MAXPATH];       /* Taken from the $LOCKFILE variable after parsing */
    char sagan_fifo[MAXPATH];           /* Taken from $FIFO when sagan_is_file == 0; the loader raises an ERROR if it stays empty */
    sbool sagan_is_file;                /* FIFO or FILE */
    char sagan_log_path[MAXPATH];       /* Taken from the $SAGANLOGPATH variable after parsing */
    char sagan_rule_path[MAXPATH];
    char sagan_host[MAXHOST];           /* Required; the loader raises an ERROR if empty */
    char sagan_startutime[20];          /* Records utime at startup */

    char home_net[MAXPATH];
    char external_net[MAXPATH];

    char xbit_storage;                  /* 0 == mmap, 1 == redis (xbit.c takes the Redis path only when redis_flag is also set) */

    char sagan_droplistfile[MAXPATH];   /* Log lines to "ignore" */
    sbool sagan_droplist_flag;

    sbool output_thread_flag;
    int max_processor_threads;

    sbool sagan_external_output_flag;   /* For calling external commands */
    char sagan_external_command[MAXPATH]; /* outputs -> external: 'command'; runs as configured, so the config file is trusted input */

    int sagan_port;
    sbool disable_dns_warnings;
    sbool syslog_src_lookup;
    int sagan_proto;
    sbool pcre_jit;                     /* For PCRE JIT support testing */
    sbool endian;

    sbool fast_flag;                    /* outputs -> fast: enabled */
    char fast_filename[MAXPATH];        /* outputs -> fast: 'filename' */

    sbool parse_ip_ipv6;
    sbool parse_ip_ipv4_mapped_ipv6;

    /* Processors */

    int pp_sagan_track_clients;         /* processors -> track_clients: 'timeout'; the loader rejects 0 */
    sbool sagan_track_clients_flag;

    sbool blacklist_flag;
    char blacklist_files[2048];         /* processors -> blacklist: 'filename' */

    sbool perfmonitor_flag;
    int perfmonitor_time;               /* processors -> perfmonitor: 'time'; the loader rejects 0 */
    char perfmonitor_file_name[MAXPATH]; /* processors -> perfmonitor: 'filename' */
    FILE *perfmonitor_file_stream;
    int perfmonitor_file_fd;

    sbool sagan_fwsam_flag;             /* outputs -> snortsam: enabled (WITH_SNORTSAM builds only) */
    char sagan_fwsam_info[1024];        /* outputs -> snortsam: 'server' */

    /* Dynamic rule loading and reporting */

    sbool dynamic_load_flag;
    int dynamic_load_sample_rate;       /* 'sample-rate'; the loader rejects 0 */
    unsigned char dynamic_load_type;    /* 'type': 0 = dynamic_load, 1 = log_only, 2 = alert */

    /* Syslog output */

    sbool sagan_syslog_flag;
    int sagan_syslog_facility;          /* A LOG_* facility constant chosen by the 'facility' keyword */
    int sagan_syslog_priority;          /* A LOG_* priority constant chosen by the 'priority' keyword */
    int sagan_syslog_options;           /* Bitwise OR of LOG_CONS/LOG_NDELAY/LOG_PERROR/LOG_PID/LOG_NOWAIT from 'extra' */

    int shm_counters;
    int shm_xbit;
    int shm_thresh_by_src;
    int shm_thresh_by_dst;
    int shm_thresh_by_dstport;
    int shm_thresh_by_srcport;
    int shm_thresh_by_username;
    int shm_after_by_src;
    int shm_after_by_dst;
    int shm_after_by_srcport;
    int shm_after_by_dstport;
    int shm_after_by_username;
    int shm_track_clients;

    /* IPC sizes for threshold, after, etc */

    char ipc_directory[MAXPATH];
    int max_xbits;
    int max_threshold_by_src;
    int max_threshold_by_dst;
    int max_threshold_by_srcport;
    int max_threshold_by_dstport;
    int max_threshold_by_username;
    int max_after_by_src;
    int max_after_by_dst;
    int max_after_by_srcport;
    int max_after_by_dstport;
    int max_after_by_username;
    int max_track_clients;

#ifdef HAVE_LIBPCAP
    char plog_interface[50];
    char plog_logdev[50];
    char plog_filter[256];
    sbool plog_flag;
    int plog_promiscuous;
#endif

    /* Redis/hiredis support */

#ifdef HAVE_LIBHIREDIS
    redisContext *c_reader_redis;
    sbool redis_flag;                   /* Together with xbit_storage selects the Redis xbit store in xbit.c */
    char redis_server[255];
    int redis_port;
    char redis_password[255];           /* Presumably a credential: keep it out of log output and debug dumps */
    int redis_max_writer_threads;
#endif

    /* libesmtp/SMTP support */

#ifdef HAVE_LIBESMTP
    sbool sagan_sendto_flag;
    char sagan_esmtp_from[255];         /* outputs -> smtp: 'from'; must be non-empty when smtp is enabled */
    char sagan_esmtp_server[255];       /* outputs -> smtp: 'server'; must be non-empty when smtp is enabled */
    sbool sagan_esmtp_flag;             /* outputs -> smtp: enabled */
    char sagan_email_subject[64];       /* outputs -> smtp: 'subject' */
#endif

    /* libdnet - Used for unified2 support */

#if defined(HAVE_DNET_H) || defined(HAVE_DUMBNET_H)
    char unified2_filepath[MAXPATH];    /* outputs -> unified2: 'filename' */
    uint32_t unified2_timestamp;
    FILE *unified2_stream;
    int unified2_fd;
    unsigned int unified2_limit;        /* Bytes: 'limit' (given in MB) * 1024 * 1024; the loader rejects 0 */
    unsigned int unified2_current;
    int unified2_nostamp;
    sbool sagan_unified2_flag;          /* outputs -> unified2: enabled */
    sbool unified2_force_ipv4;          /* outputs -> unified2: 'force-ipv4' */
#endif

    /* Bluedot */

#ifdef WITH_BLUEDOT
    sbool bluedot_flag;                 /* processors -> bluedot: enabled */
    char bluedot_device_id[64];         /* 'device-id' */
    char bluedot_host[128];             /* 'host' */
    char bluedot_ip[64];
    int bluedot_dns_ttl;                /* 'ttl' */
    uint64_t bluedot_dns_last_lookup;
    char bluedot_uri[256];              /* 'uri'; the loader raises an ERROR if missing while bluedot is enabled */
    char bluedot_auth[64];              /* Presumably a credential: keep it out of log output and debug dumps */
    char bluedot_cat[MAXPATH];          /* 'categories'; the loader raises an ERROR if missing while bluedot is enabled */
    int bluedot_timeout;                /* Seconds: 'cache-timeout' (given in minutes) * 60; the loader rejects 0 */
//  uint64_t bluedot_max_cache;
    uint64_t bluedot_last_time;         /* For cache cleaning */
#endif

    /* Bro Intel Framework Support */

    sbool brointel_flag;                /* processors -> bro-intel: enabled */
    char brointel_files[2048];          /* processors -> bro-intel: 'filename' */

    /* For Maxmind GeoIP2 address lookup */

#ifdef HAVE_LIBMAXMINDDB
    MMDB_s geoip2;
    char geoip2_country_file[MAXPATH];  /* Logged when the database is opened at the end of config load */
    sbool have_geoip2;                  /* When true the loader requires the $HOME_COUNTRY variable and opens the database */
#endif

    /* Used for altering pipe size (if supported) */

#if defined(HAVE_GETPIPE_SZ) && defined(HAVE_SETPIPE_SZ)
    int sagan_fifo_size;
#endif

};

sagan-1.2.0/src/util-time.c0000644000175000017500000001322513310531444014412 0ustar champchamp
/*
** Copyright (C) 2009-2018 Quadrant Information Security
** Copyright (C) 2009-2018 Champ Clark III
**
** This program is free software; you can redistribute it and/or modify
** it under the terms of the GNU General Public License Version 2 as
** published by the Free Software Foundation. You may not use, modify or
** distribute this program under any other version of the GNU General
** Public License.
**
** This program is distributed in the hope that it will be useful,
** but WITHOUT ANY WARRANTY; without even the implied warranty of
** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
** GNU General Public License for more details.
**
** You should have received a copy of the GNU General Public License
** along with this program; if not, write to the Free Software
** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
*/

/* util-time.c
 *
 * Time functions.
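 *
 */

#ifdef HAVE_CONFIG_H
#include "config.h"             /* From autoconf */
#endif

#include                        /* system header (name lost in this copy) */
#include                        /* system header (name lost in this copy) */
#include                        /* system header (name lost in this copy) */
#include                        /* system header (name lost in this copy) */

#include "sagan.h"
#include "util-time.h"
#include "parsers/strstr-asm/strstr-hook.h"

/***************************************************************************
 * Sagan_LocalTime - Thread-safe local-time conversion (localtime_r()).
 * Fills *result with the broken-down local time for 'timep' and returns
 * 'result', or NULL when the conversion fails.  Callers must check the
 * return value before dereferencing it.
 ***************************************************************************/

struct tm *Sagan_LocalTime(time_t timep, struct tm *result)
{
    return localtime_r(&timep, result);
}

/***************************************************************************
 * Format_Local_Epoch - Shared body of Return_Date(), Return_Time() and
 * u32_Time_To_Human().  Converts 'utime' to local time and renders it
 * with the strftime() format 'fmt' into 'str' (at most 'size' bytes,
 * always NUL terminated when size > 0).  On any failure 'str' is "".
 *
 * The previous implementation round-tripped the epoch through
 * strptime("%s"), which on glibc is itself a localtime_r() call; doing the
 * conversion directly drops that non-standard conversion specifier and
 * the NULL-result gap that came with it.
 ***************************************************************************/

static void Format_Local_Epoch ( time_t utime, const char *fmt, char *str, size_t size )
{
    struct tm tm;
    char time_buf[80];

    if ( size == 0 )
        {
            return;
        }

    if ( Sagan_LocalTime(utime, &tm) == NULL )
        {
            str[0] = '\0';
            return;
        }

    if ( strftime(time_buf, sizeof(time_buf), fmt, &tm) == 0 )
        {
            time_buf[0] = '\0';   /* strftime() leaves the buffer unspecified when it returns 0 */
        }

    snprintf(str, size, "%s", time_buf);
}

/***************************************************************************/
/* CreateTimeString - Used in fast.log, etc. Based off Suricata source.   */
/* type == 0 -> "MM/DD/YYYY-HH:MM:SS.uuuuuu" (Suricata / Snort fast.log), */
/* otherwise -> "MM-DD-YYYY HH:MM:SS.uuuuuu" (old alert log).  Local time; */
/* writes "" when the conversion fails.                                   */
/***************************************************************************/

void CreateTimeString (const struct timeval *ts, char *str, size_t size, sbool type)
{
    time_t secs = ts->tv_sec;
    struct tm local_tm;
    struct tm *t = Sagan_LocalTime(secs, &local_tm);

    if ( t == NULL )
        {
            /* Out-of-range tv_sec: previously this dereferenced NULL. */
            if ( size > 0 )
                {
                    str[0] = '\0';
                }
            return;
        }

    if ( type == 0 )
        {
            /* Suricata / Snort "fast.log" type */
            snprintf(str, size, "%02d/%02d/%02d-%02d:%02d:%02d.%06u",
                     t->tm_mon + 1, t->tm_mday, t->tm_year + 1900,
                     t->tm_hour, t->tm_min, t->tm_sec, (uint32_t) ts->tv_usec);
        }
    else
        {
            /* Old "alert log" type */
            snprintf(str, size, "%02d-%02d-%02d %02d:%02d:%02d.%06u",
                     t->tm_mon + 1, t->tm_mday, t->tm_year + 1900,
                     t->tm_hour, t->tm_min, t->tm_sec, (uint32_t) ts->tv_usec);
        }
}

/***************************************************************************
 * CreateIsoTimeString - Used in EVE & alert output. Based off Suricata
 * source.  Produces "YYYY-MM-DDTHH:MM:SS.uuuuuu+ZZZZ" in local time, or
 * "" when the conversion fails.
 ***************************************************************************/

void CreateIsoTimeString (const struct timeval *ts, char *str, size_t size)
{
    time_t secs = ts->tv_sec;
    struct tm local_tm;
    struct tm *t = Sagan_LocalTime(secs, &local_tm);
    char time_fmt[64] = { 0 };

    if ( t == NULL )
        {
            if ( size > 0 )
                {
                    str[0] = '\0';
                }
            return;
        }

    /* strftime() cannot print microseconds, so the first pass builds a
     * second printf format in which "%%06u" survives as "%06u". */

    if ( strftime(time_fmt, sizeof(time_fmt), "%Y-%m-%dT%H:%M:%S.%%06u%z", t) == 0 )
        {
            time_fmt[0] = '\0';
        }

    /* tv_usec is a long on common ABIs; cast it so it matches the %06u in
     * the generated format (CreateTimeString() does the same). */

    snprintf(str, size, time_fmt, (uint32_t) ts->tv_usec);
}

/************************************************
 * This function should be removed and replaced
 *
 * Return_Date - Writes the local date of epoch
 * 'utime' as "YYYY-MM-DD" (strftime "%F").
 ************************************************/

void Return_Date( uint32_t utime, char *str, size_t size )
{
    Format_Local_Epoch((time_t) utime, "%F", str, size);
}

/********************************************************************************
 * Return the "old" (non ISO) time - This function should be removed || replaced
 *
 * Return_Time - Writes the local time of day of epoch 'utime' as "HH:MM:SS"
 * (strftime "%T").
 ********************************************************************************/

void Return_Time( uint32_t utime, char *str, size_t size )
{
    Format_Local_Epoch((time_t) utime, "%T", str, size);
}

/****************************************************************************
 * u32_Time_To_Human - Converts a 32/64 bit epoch time into a human
 * "readable" format: "Mon DD HH:MM:SS YYYY" in local time.
 ****************************************************************************/

void u32_Time_To_Human ( uint32_t utime, char *str, size_t size )
{
    Format_Local_Epoch((time_t) utime, "%b %d %H:%M:%S %Y", str, size);
}

/*************************************************************
 * Value_To_Seconds - Returns the numbers of seconds. For
 * example, "1 hour" == 3600.  'type' is matched by substring,
 * so singular and plural spellings both work.  "month" is
 * approximated as four weeks (28 days) and "year" as 365
 * days.  An unknown unit is logged at WARN level and yields 0.
 *************************************************************/

uint64_t Value_To_Seconds(char *type, uint64_t number)
{

    /* Covers both plural and non-plural (ie - minute/minutes) */

    if (Sagan_strstr(type, "second"))
        {
            return(number);
        }

    if (Sagan_strstr(type, "minute"))
        {
            return(number * 60);
        }

    if (Sagan_strstr(type, "hour"))
        {
            return(number * 60 * 60);
        }

    if (Sagan_strstr(type, "day"))
        {
            return(number * 60 * 60 * 24);
        }

    if (Sagan_strstr(type, "week"))
        {
            return(number * 60 * 60 * 24 * 7);
        }

    if (Sagan_strstr(type, "month"))
        {
            return(number * 60 * 60 * 24 * 7 * 4);
        }

    if (Sagan_strstr(type, "year"))
        {
            return(number * 60 * 60 * 24 * 365);
        }

    Sagan_Log(WARN, "'%s' type is unknown!", type);
    return(0);

}

sagan-1.2.0/src/version.h0000644000175000017500000000003013310533371014162 0ustar champchamp
#define VERSION "1.2.0"

sagan-1.2.0/src/lockfile.h0000644000175000017500000000204613310531444014275 0ustar champchamp
/*
** Copyright (C) 2009-2018 Quadrant Information Security
** Copyright (C) 2009-2018 Champ Clark III
**
** This program is free software; you can redistribute it and/or modify
** it under the terms of the GNU General Public License Version 2 as
** published by the Free Software Foundation. You may not use, modify or
** distribute this program under any other version of the GNU General
** Public License.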
** ** This program is distributed in the hope that it will be useful, ** but WITHOUT ANY WARRANTY; without even the implied warranty of ** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ** GNU General Public License for more details. ** ** You should have received a copy of the GNU General Public License ** along with this program; if not, write to the Free Software ** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. */ #ifdef HAVE_CONFIG_H #include "config.h" /* From autoconf */ #endif void Remove_Lock_File ( void ); void CheckLockFile ( void ); sagan-1.2.0/src/signal-handler.h0000644000175000017500000000200313310531444015366 0ustar champchamp/* ** Copyright (C) 2009-2018 Quadrant Information Security ** Copyright (C) 2009-2018 Champ Clark III ** ** This program is free software; you can redistribute it and/or modify ** it under the terms of the GNU General Public License Version 2 as ** published by the Free Software Foundation. You may not use, modify or ** distribute this program under any other version of the GNU General ** Public License. ** ** This program is distributed in the hope that it will be useful, ** but WITHOUT ANY WARRANTY; without even the implied warranty of ** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ** GNU General Public License for more details. ** ** You should have received a copy of the GNU General Public License ** along with this program; if not, write to the Free Software ** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. 
*/ #ifdef HAVE_CONFIG_H #include "config.h" /* From autoconf */ #endif void Sig_Handler( void ); sagan-1.2.0/src/liblognormalize.h0000644000175000017500000000373613310531444015705 0ustar champchamp/* ** Copyright (C) 2009-2018 Quadrant Information Security ** Copyright (C) 2009-2018 Champ Clark III ** ** This program is free software; you can redistribute it and/or modify ** it under the terms of the GNU General Public License Version 2 as ** published by the Free Software Foundation. You may not use, modify or ** distribute this program under any other version of the GNU General ** Public License. ** ** This program is distributed in the hope that it will be useful, ** but WITHOUT ANY WARRANTY; without even the implied warranty of ** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ** GNU General Public License for more details. ** ** You should have received a copy of the GNU General Public License ** along with this program; if not, write to the Free Software ** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. 
*/ #ifdef HAVE_CONFIG_H #include "config.h" /* From autoconf */ #endif #ifdef HAVE_LIBLOGNORM #include #include "sagan-defs.h" /* liblognorm struct */ typedef struct liblognorm_struct liblognorm_struct; struct liblognorm_struct { char type[50]; char filepath[MAXPATH]; }; typedef struct liblognorm_toload_struct liblognorm_toload_struct; struct liblognorm_toload_struct { char type[50]; char filepath[MAXPATH]; }; typedef struct _SaganNormalizeLiblognorm { char ip_src[MAXIP]; char ip_dst[MAXIP]; char src_host[MAXHOST]; char dst_host[MAXHOST]; char selector[MAXSELECTOR]; int src_port; int dst_port; char username[MAX_USERNAME_SIZE]; char filename[MAX_FILENAME_SIZE]; char hash_md5[MD5_HASH_SIZE+1]; char hash_sha1[SHA1_HASH_SIZE+1]; char hash_sha256[SHA256_HASH_SIZE+1]; char http_uri[MAX_URL_SIZE]; char http_hostname[MAX_HOSTNAME_SIZE]; } _SaganNormalizeLiblognorm; #endif void Liblognorm_Load( char * ); json_object *Normalize_Liblognorm(char *, struct _SaganNormalizeLiblognorm *); sagan-1.2.0/src/processor.h0000644000175000017500000000200213310531444014514 0ustar champchamp/* ** Copyright (C) 2009-2018 Quadrant Information Security ** Copyright (C) 2009-2018 Champ Clark III ** ** This program is free software; you can redistribute it and/or modify ** it under the terms of the GNU General Public License Version 2 as ** published by the Free Software Foundation. You may not use, modify or ** distribute this program under any other version of the GNU General ** Public License. ** ** This program is distributed in the hope that it will be useful, ** but WITHOUT ANY WARRANTY; without even the implied warranty of ** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ** GNU General Public License for more details. ** ** You should have received a copy of the GNU General Public License ** along with this program; if not, write to the Free Software ** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. 
*/ #ifdef HAVE_CONFIG_H #include "config.h" /* From autoconf */ #endif void Processor ( void ); sagan-1.2.0/src/aetas.h0000644000175000017500000000204113310531444013575 0ustar champchamp/* ** Copyright (C) 2009-2018 Quadrant Information Security ** Copyright (C) 2009-2018 Champ Clark III ** ** This program is free software; you can redistribute it and/or modify ** it under the terms of the GNU General Public License Version 2 as ** published by the Free Software Foundation. You may not use, modify or ** distribute this program under any other version of the GNU General ** Public License. ** ** This program is distributed in the hope that it will be useful, ** but WITHOUT ANY WARRANTY; without even the implied warranty of ** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ** GNU General Public License for more details. ** ** You should have received a copy of the GNU General Public License ** along with this program; if not, write to the Free Software ** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. */ #ifdef HAVE_CONFIG_H #include "config.h" /* From autoconf */ #endif int Check_Time(int); int Check_Day(unsigned char, int); sagan-1.2.0/src/meta-content.c0000644000175000017500000000730213310531444015076 0ustar champchamp/* ** Copyright (C) 2009-2018 Quadrant Information Security ** Copyright (C) 2009-2018 Champ Clark III ** ** This program is free software; you can redistribute it and/or modify ** it under the terms of the GNU General Public License Version 2 as ** published by the Free Software Foundation. You may not use, modify or ** distribute this program under any other version of the GNU General ** Public License. ** ** This program is distributed in the hope that it will be useful, ** but WITHOUT ANY WARRANTY; without even the implied warranty of ** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ** GNU General Public License for more details. 
** ** You should have received a copy of the GNU General Public License ** along with this program; if not, write to the Free Software ** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. */ /* meta-content.c - This allows content style "searching" that * involve variables. For example, if we wanted to search for "bob", * "frank" and "mary", we'd typically need three content rules. * This allows one rule with the $USER variable for "bob", "frank" and * "mary". * * meta_content: "Username: %sagan%", $USERNAME"; meta_nocase; * * The %sagan% becomes whatever the variable holds. * */ #ifdef HAVE_CONFIG_H #include "config.h" /* From autoconf */ #endif #include #include #include #include "sagan.h" #include "sagan-defs.h" #include "meta-content.h" #include "rules.h" #include "parsers/parsers.h" struct _Rule_Struct *rulestruct; int Meta_Content_Search(char *syslog_msg, int rule_position , int meta_content_count) { int z = meta_content_count; int i; /* Normal "meta_content" search */ if ( rulestruct[rule_position].meta_content_not[z] == 0 ) { for ( i=0; i ** Copyright (C) 2009-2018 Champ Clark III ** ** This program is free software; you can redistribute it and/or modify ** it under the terms of the GNU General Public License Version 2 as ** published by the Free Software Foundation. You may not use, modify or ** distribute this program under any other version of the GNU General ** Public License. ** ** This program is distributed in the hope that it will be useful, ** but WITHOUT ANY WARRANTY; without even the implied warranty of ** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ** GNU General Public License for more details. ** ** You should have received a copy of the GNU General Public License ** along with this program; if not, write to the Free Software ** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. 
*/ #ifdef HAVE_CONFIG_H #include "config.h" /* From autoconf */ #endif void Output( _Sagan_Event * ); sagan-1.2.0/src/plog.c0000644000175000017500000001576213310531444013452 0ustar champchamp/* - sagan-plog.c is largely based of Marcus J. Ranum (2004) work known as plog.c. The original source can be located at: http://www.ranum.com/security/computer_security/code/plog.tar This code (sagan-plog.c) is redistributed under the same license Marcus J. Ranum specified in his original work. -- From the plog.c source code and applies to sagan-plog.c as well: Marcus J. Ranum, 2004 - All rights reserved This software may be used and redistributed free of charge, but may not be incorporated into a commercial product or offering without the author's permission. Plog - promiscuous syslog injector. Listens to a pcap/bpf interface, sucks up UDP syslog messages, finds the message within the packet, and injects it into /dev/log. -- Permission to implement the plog functionality was obtain by Champ Clark III from Marcus J. Ranum on Jan. 6th, 2011. 
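*/

#ifdef HAVE_CONFIG_H
#include "config.h"             /* From autoconf */
#endif

#ifdef HAVE_LIBPCAP

/* Standard headers for what this file demonstrably uses: stdio/ctype/unistd
 * for the debug dump, socket/un for the AF_UNIX syslog socket, in/ip/ethernet
 * for the header structs, arpa/inet for ntohs(), pcap for capture. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <ctype.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/un.h>
#include <netinet/in.h>
#include <netinet/ip.h>
#include <net/ethernet.h>
#include <arpa/inet.h>
#include <pcap.h>

#ifdef HAVE_SYS_PRCTL_H
#include <sys/prctl.h>
#endif

#include "sagan.h"
#include "sagan-defs.h"
#include "sagan-config.h"
#include "signal-handler.h"
#include "lockfile.h"
#include "plog.h"

struct _SaganDebug *debug;
struct _SaganConfig *config;

/* Minimal UDP header; only the fixed 8-byte layout is needed */
struct my_udphdr
{
    u_int16_t uh_sport;           /* source port */
    u_int16_t uh_dport;           /* destination port */
    u_int16_t uh_ulen;            /* udp length */
    u_int16_t uh_sum;             /* udp checksum */
};

static void logpkt(u_char *, const struct pcap_pkthdr *, const u_char *);
static int wiredevlog( _SaganConfig *);

/* Connected AF_UNIX/SOCK_DGRAM descriptor to the local syslog device;
 * -1 until wiredevlog() succeeds */
static int outf = -1;

/****************************************************************************
 * Plog_Handler - Thread entry point.  Opens the capture interface, applies
 * the user's BPF filter, connects to the local syslog socket and then hands
 * every captured packet to logpkt() forever.  Every setup failure is fatal
 * via Sagan_Log(ERROR, ...).
 ****************************************************************************/

void Plog_Handler( void )
{

    pcap_t *bp = NULL;
    struct bpf_program filtr;
    char *iface = NULL;
    char eb[PCAP_ERRBUF_SIZE] = { 0 };

    (void)SetThreadName("SaganPlog");

    iface = config->plog_interface;

    /* Resolve the interface before logging the banner, so it never reads "(null)" */
    if ( iface == NULL )
        {
            iface = pcap_lookupdev(eb);

            if ( iface == NULL )
                {
                    Sagan_Log(ERROR, "[%s, line %d] Cannot get device: %s", __FILE__, __LINE__, eb);
                }
        }

    Sagan_Log(NORMAL, "");
    Sagan_Log(NORMAL, "Initalizing Sagan syslog sniffer thread (PLOG)");
    Sagan_Log(NORMAL, "Interface: %s", iface);
    Sagan_Log(NORMAL, "Packet filter: \"%s\"", config->plog_filter);
    Sagan_Log(NORMAL, "Log device: %s", config->plog_logdev);

    if ( config->plog_promiscuous )
        {
            Sagan_Log(NORMAL, "Promiscuous is enabled.");
        }

    Sagan_Log(NORMAL, "");

    bp = pcap_open_live(iface, 4096, config->plog_promiscuous, 0, eb);

    if ( bp == NULL )
        {
            Sagan_Log(ERROR, "[%s, line %d] Cannot open interface %s: %s", __FILE__, __LINE__, iface, eb);
        }

    /* Apply user defined filter.  pcap_compile()/pcap_setfilter() report
     * their error through the handle (pcap_geterr), not through eb, which
     * the old code printed (it would have been empty or stale). */

    if ( pcap_compile(bp, &filtr, config->plog_filter, 1, 0) == -1 )
        {
            Sagan_Log(ERROR, "[%s, line %d] Cannot compile filter: %s", __FILE__, __LINE__, pcap_geterr(bp));
        }

    if ( pcap_setfilter(bp, &filtr) == -1 )
        {
            Sagan_Log(ERROR, "[%s, line %d] Cannot install filter in %s: %s", __FILE__, __LINE__, iface, pcap_geterr(bp));
        }

    /* the compiled program is copied into the handle; free our copy */
    pcap_freecode(&filtr);

    /* wireup /dev/log; we can't use openlog() because these are going to be raw inputs */

    if ( wiredevlog(config) )
        {
            Remove_Lock_File();
            Sagan_Log(ERROR, "[%s, line %d] Cannot open %s (Syslog not using SOCK_DGRAM?)", __FILE__, __LINE__, config->plog_logdev);
        }

    /* endless loop */
    (void)pcap_loop(bp, -1, logpkt, NULL);

    pcap_close(bp);
    exit(0);

}

/****************************************************************************
 * logpkt - pcap_loop() callback.  Walks Ethernet -> IPv4 -> UDP, validates
 * each header against the number of bytes pcap actually captured (caplen),
 * and writes the UDP payload (the raw syslog line) to the local syslog
 * socket.  Anything that does not parse is dropped with a warning.
 *
 * pass_args is unused.  The previous version compared lengths against
 * p->len (on-wire size) instead of p->caplen, never checked ip_hl, and had
 * a precedence bug in the UDP length test (ntohs(u->uh_ulen < 8)); a
 * truncated or crafted packet could make it read past the captured buffer.
 ****************************************************************************/

static void logpkt(u_char *pass_args, const struct pcap_pkthdr *p, const u_char *pkt)
{

    const struct ether_header *eh;
    const struct ip *ih;
    const struct my_udphdr *u;
    size_t ip_hdr_len;
    size_t udp_off;
    size_t udp_len;
    size_t len;
    const char *l;

    (void)pass_args;

    if ( !config->plog_flag )
        {
            return;
        }

    /* Ethernet + minimal IPv4 header must have been captured */
    if ( p->caplen < sizeof(struct ether_header) + sizeof(struct ip) )
        {
            goto bad;
        }

    /* crack the ethernet header */
    eh = (const struct ether_header *)pkt;

    if ( ntohs(eh->ether_type) != ETHERTYPE_IP )
        {
            goto bad;
        }

    /* crack the IP header */
    ih = (const struct ip *)(pkt + sizeof(struct ether_header));
    ip_hdr_len = (size_t)ih->ip_hl * 4;

    /* ip_hl < 5 is invalid and would place the "UDP header" inside the IP header */
    if ( ip_hdr_len < sizeof(struct ip) )
        {
            goto bad;
        }

    /* short packet: declared IP length exceeds what was captured */
    if ( ntohs(ih->ip_len) > p->caplen - sizeof(struct ether_header) )
        {
            goto bad;
        }

    /* frags we don't deal with */
    if ( (ntohs(ih->ip_off) & 0x1fff) != 0 )
        {
            goto bad;
        }

    /* weird - we ASKED for UDP */
    if ( ih->ip_p != IPPROTO_UDP )
        {
            goto bad;
        }

    /* line the UDP header up */
    udp_off = sizeof(struct ether_header) + ip_hdr_len;

    if ( p->caplen < udp_off + sizeof(struct my_udphdr) )
        {
            goto bad;
        }

    u = (const struct my_udphdr *)(pkt + udp_off);
    udp_len = ntohs(u->uh_ulen);

    /* UDP length includes its own 8-byte header and must fit the captured bytes */
    if ( udp_len < sizeof(struct my_udphdr) || udp_len > p->caplen - udp_off )
        {
            goto bad;
        }

    /* our log message ought to be just past the UDP header now... */
    l = (const char *)u + sizeof(struct my_udphdr);
    len = udp_len - sizeof(struct my_udphdr);

    if ( debug->debugplog )
        {
            size_t x;

            /* I can't use Sagan_Log() here, so we dump to stderr.
             * have the check the tty (isatty()) before dumping or
             * strange things happen if detached and threaded
             * - Champ Clark III Jan 7th 2011 */

            for ( x = 0; x < len; x++ )
                {
                    /* go through unsigned char: a negative plain char is UB for
                     * isprint() and printed as 0xffffffxx in the old code */
                    unsigned char c = (unsigned char)l[x];

                    if ( isprint(c) && isatty(1) )
                        {
                            fprintf(stderr, "%c", (int)c);
                        }
                    else
                        {
                            fprintf(stderr, "[0x%x]", (unsigned int)c);
                        }
                }

            if ( isatty(1) )
                {
                    fprintf(stderr, "\n");
                }
        }

    /* send it! */
    if ( send(outf, l, len, 0) < 0 )
        {
            Sagan_Log(ERROR, "[%s, line %d] Send error", __FILE__, __LINE__);
        }

    return;

bad:

    Sagan_Log(WARN, "[%s, line %d] Malformed packet received.", __FILE__, __LINE__);

}

/****************************************************************************
 * wiredevlog - Connect a datagram socket to the local syslog device named
 * by config->plog_logdev (normally /dev/log).  Returns false on success and
 * true on failure; on failure no descriptor is left open.
 *
 * The old code strncpy()'d the path into sockaddr.sa_data, which is only 14
 * bytes: a longer device path was silently truncated and left unterminated.
 * sockaddr_un.sun_path holds the whole path and is length-checked here.
 ****************************************************************************/

static int wiredevlog( _SaganConfig *config )
{

    struct sockaddr_un s;
    size_t path_len;

    memset(&s, 0, sizeof(s));
    s.sun_family = AF_UNIX;

    path_len = strlen(config->plog_logdev);

    /* need room for the terminating NUL; refuse rather than truncate */
    if ( path_len == 0 || path_len >= sizeof(s.sun_path) )
        {
            return(true);
        }

    memcpy(s.sun_path, config->plog_logdev, path_len + 1);

    /* Might want to investigate SOCK_STREAM (see syslog-ng) in the future.
     * Right now, the syslog server must use SOCK_DGRAM */

    if ( (outf = socket(AF_UNIX, SOCK_DGRAM, 0)) < 0 )
        {
            return(true);
        }

    if ( connect(outf, (struct sockaddr *)&s, sizeof(s)) )
        {
            close(outf);              /* don't leak the descriptor on failure */
            outf = -1;
            return(true);
        }

    return(false);

}

#endif

sagan-1.2.0/src/send-alert.h0000644000175000017500000000224013310531444014537 0ustar champchamp/*
** Copyright (C) 2009-2018 Quadrant Information Security
** Copyright (C) 2009-2018 Champ Clark III
**
** This program is free software; you can redistribute it and/or modify
** it under the terms of the GNU General Public License Version 2 as
** published by the Free Software Foundation.  You may not use, modify or
** distribute this program under any other version of the GNU General
** Public License.
**
** This program is distributed in the hope that it will be useful,
** but WITHOUT ANY WARRANTY; without even the implied warranty of
** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
** GNU General Public License for more details.
**
** You should have received a copy of the GNU General Public License
** along with this program; if not, write to the Free Software
** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.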
*/ #ifdef HAVE_CONFIG_H #include "config.h" /* From autoconf */ #endif #include "sagan-defs.h" void Send_Alert ( _Sagan_Proc_Syslog *, json_object *, _Sagan_Processor_Info *, char *, char *, char *, char *, int, int, int, int, int, struct timeval tp ); sagan-1.2.0/src/gen-msg.h0000644000175000017500000000246113310531444014043 0ustar champchamp/* ** Copyright (C) 2009-2018 Quadrant Information Security ** Copyright (C) 2009-2018 Champ Clark III ** ** This program is free software; you can redistribute it and/or modify ** it under the terms of the GNU General Public License Version 2 as ** published by the Free Software Foundation. You may not use, modify or ** distribute this program under any other version of the GNU General ** Public License. ** ** This program is distributed in the hope that it will be useful, ** but WITHOUT ANY WARRANTY; without even the implied warranty of ** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ** GNU General Public License for more details. ** ** You should have received a copy of the GNU General Public License ** along with this program; if not, write to the Free Software ** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. */ #ifdef HAVE_CONFIG_H #include "config.h" /* From autoconf */ #endif /* Storage for sagan-gen-msg.map */ typedef struct _Sagan_Processor_Generator _Sagan_Processor_Generator; struct _Sagan_Processor_Generator { unsigned long generatorid; unsigned long alertid; char generator_msg[512]; }; void Load_Gen_Map( const char * ); void Generator_Lookup( int, int, char *str, size_t size ); sagan-1.2.0/src/config-yaml.h0000644000175000017500000000450513310531444014714 0ustar champchamp/* ** Copyright (C) 2009-2018 Quadrant Information Security ** Copyright (C) 2009-2018 Champ Clark III ** ** This program is free software; you can redistribute it and/or modify ** it under the terms of the GNU General Public License Version 2 as ** published by the Free Software Foundation. 
You may not use, modify or ** distribute this program under any other version of the GNU General ** Public License. ** ** This program is distributed in the hope that it will be useful, ** but WITHOUT ANY WARRANTY; without even the implied warranty of ** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ** GNU General Public License for more details. ** ** You should have received a copy of the GNU General Public License ** along with this program; if not, write to the Free Software ** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. */ #ifdef HAVE_CONFIG_H #include "config.h" /* From autoconf */ #endif #ifdef HAVE_LIBYAML /************************/ /* Minimum YAML version */ /************************/ #define YAML_VERSION_MAJOR 1 #define YAML_VERSION_MINOR 1 /*****************/ /* Primary types */ /*****************/ #define YAML_TYPE_VAR 1 #define YAML_TYPE_SAGAN_CORE 2 #define YAML_TYPE_PROCESSORS 3 #define YAML_TYPE_OUTPUT 4 #define YAML_TYPE_RULES 5 #define YAML_TYPE_INCLUDES 6 /*******************/ /* Secondary types */ /*******************/ /* Sagan core */ #define YAML_SAGAN_CORE_CORE 1 #define YAML_SAGAN_CORE_MMAP_IPC 2 #define YAML_SAGAN_CORE_IGNORE_LIST 3 #define YAML_SAGAN_CORE_GEOIP 4 #define YAML_SAGAN_CORE_LIBLOGNORM 5 #define YAML_SAGAN_CORE_PLOG 6 #define YAML_SAGAN_CORE_REDIS 7 #define YAML_SAGAN_CORE_SELECTOR 8 #define YAML_SAGAN_CORE_PARSE_IP 9 /* Processors */ #define YAML_PROCESSORS_TRACK_CLIENTS 7 #define YAML_PROCESSORS_PERFMON 8 #define YAML_PROCESSORS_BLACKLIST 9 #define YAML_PROCESSORS_BLUEDOT 10 #define YAML_PROCESSORS_BROINTEL 11 #define YAML_PROCESSORS_DYNAMIC_LOAD 12 /* Outputs */ #define YAML_OUTPUT_UNIFIED2 13 #define YAML_OUTPUT_EXTERNAL 14 #define YAML_OUTPUT_SMTP 15 #define YAML_OUTPUT_SNORTSAM 16 #define YAML_OUTPUT_SYSLOG 17 #define YAML_OUTPUT_FAST 18 #define YAML_OUTPUT_ALERT 19 #define YAML_OUTPUT_EVE 20 void Load_YAML_Config( char * ); #endif 
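sagan-1.2.0/src/references.c0000644000175000017500000001411713310531444014623 0ustar champchamp/*
** Copyright (C) 2009-2018 Quadrant Information Security
** Copyright (C) 2009-2018 Champ Clark III
**
** This program is free software; you can redistribute it and/or modify
** it under the terms of the GNU General Public License Version 2 as
** published by the Free Software Foundation.  You may not use, modify or
** distribute this program under any other version of the GNU General
** Public License.
**
** This program is distributed in the hope that it will be useful,
** but WITHOUT ANY WARRANTY; without even the implied warranty of
** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
** GNU General Public License for more details.
**
** You should have received a copy of the GNU General Public License
** along with this program; if not, write to the Free Software
** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
*/

/* references.c
 *
 * Loads the references into memory.
 *
 */

#ifdef HAVE_CONFIG_H
#include "config.h"             /* From autoconf */
#endif

/* standard headers for what this file demonstrably uses:
 * fopen/fgets (stdio), realloc (stdlib), strtok_r/strlen/strerror (string), errno */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <errno.h>

#include "version.h"
#include "sagan.h"
#include "sagan-defs.h"
#include "references.h"
#include "rules.h"

struct _SaganCounters *counters;
struct _SaganDebug *debug;
struct _SaganConfig *config;
struct _Ref_Struct *refstruct;
struct _Rule_Struct *rulestruct;

/****************************************************************************
 * Load_Reference - Parse a Snort-style "config reference: ID URL" file into
 * the global refstruct array and set counters->refcount.  Every parse or
 * allocation failure is fatal via Sagan_Log(ERROR, ...), which is relied on
 * not to return.
 *
 * Fix: the old code blindly wrote '\0' over the last byte of the URL to
 * drop the newline, so a final line without a trailing newline lost its
 * last character and a CRLF file kept the '\r'.  The line terminator is now
 * removed before tokenising.
 ****************************************************************************/

void Load_Reference( const char *ruleset )
{

    FILE *reffile;
    char refbuf[1024];
    char *saveptr = NULL;
    char *tmptoken = NULL;
    char *laststring = NULL;
    int linecount = 0;
    _Ref_Struct *grown = NULL;

    counters->refcount = 0;

    Sagan_Log(NORMAL, "Loading references.conf file. [%s]" , ruleset);

    if (( reffile = fopen(ruleset, "r" )) == NULL )
        {
            Sagan_Log(ERROR, "[%s, line %d] Cannot open rule file %s. [%s]", __FILE__, __LINE__, ruleset, strerror(errno));
        }

    while ( fgets(refbuf, sizeof(refbuf), reffile) != NULL )
        {

            linecount++;

            /* Skip comments and blank lines */

            if ( refbuf[0] == '#' || refbuf[0] == '\n' || refbuf[0] == ';' || refbuf[0] == ' ' )
                {
                    continue;
                }

            /* Drop the line terminator (LF or CRLF) up front */
            refbuf[strcspn(refbuf, "\r\n")] = '\0';

            /* Allocate memory for references, not comments.  Keep the old
             * pointer until realloc() succeeds so nothing leaks on failure. */

            grown = (_Ref_Struct *) realloc(refstruct, (counters->refcount+1) * sizeof(_Ref_Struct));

            if ( grown == NULL )
                {
                    Sagan_Log(ERROR, "[%s, line %d] Failed to reallocate memory for refstruct. Abort!", __FILE__, __LINE__);
                }

            refstruct = grown;

            /* "config reference: <id>,<url>" -> skip up to ':', take the next
             * word, then split it on ',' */
            strtok_r(refbuf, ":", &saveptr);
            tmptoken = strtok_r(NULL, " " , &saveptr);

            laststring = strtok_r(tmptoken, ",", &saveptr);

            if ( laststring == NULL )
                {
                    Sagan_Log(ERROR, "[%s, line %d] The file %s at line %d is improperly formated. Abort!", __FILE__, __LINE__, ruleset, linecount);
                }

            strlcpy(refstruct[counters->refcount].s_refid, laststring, sizeof(refstruct[counters->refcount].s_refid));

            laststring = strtok_r(NULL, ",", &saveptr);

            if ( laststring == NULL )
                {
                    Sagan_Log(ERROR, "[%s, line %d] The file %s at line %d is improperly formated. Abort!", __FILE__, __LINE__, ruleset, linecount);
                }

            strlcpy(refstruct[counters->refcount].s_refurl, laststring, sizeof(refstruct[counters->refcount].s_refurl));

            if (debug->debugload)
                {
                    Sagan_Log(DEBUG, "[D-%d] Reference: %s|%s", counters->refcount, refstruct[counters->refcount].s_refid, refstruct[counters->refcount].s_refurl);
                }

            counters->refcount++;
        }

    fclose(reffile);
    Sagan_Log(NORMAL, "%d references loaded.", counters->refcount);

}

/****************************************************************************/
/* This simply looks up references and returns a string with them formatted */
/* properly.  It gets passed the location of the rule in memory (based on   */
/* the rulecount.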
 This is used for sagan-alert.c and sagan-esmtp.c          */
/****************************************************************************/

// 0 == alert
// 1 == parsable.

/* Builds, for rule slot 'rulemem', the concatenation of every reference the
 * rule carries whose prefix matches a loaded refstruct entry, either as
 * "[Xref => URLBASE+URL]" (type 0) or "Reference:URLBASE+URL\n" (type 1),
 * and copies the result into str (size bytes, truncated if needed).  A
 * reference entry that does not split into "type,url" yields an empty str.
 * NOTE(review): the loop visits ref_count+1 entries, which suggests
 * ref_count is the index of the last reference rather than a count —
 * confirm against the rule loader. */

void Reference_Lookup( int rulemem, int type, char *str, size_t size )
{

    char assembled[256] = { 0 };
    char entry[512] = { 0 };
    char rendered[512] = { 0 };     /* zeroed so an unknown 'type' appends nothing */
    char ref_kind[25] = { 0 };
    char ref_path[255] = { 0 };
    char *piece = NULL;
    char *save = NULL;
    int ref_idx;
    int table_idx;

    for ( ref_idx = 0; ref_idx < rulestruct[rulemem].ref_count + 1 ; ref_idx++ )
        {

            strlcpy(entry, rulestruct[rulemem].s_reference[ref_idx], sizeof(entry));

            /* first field: the reference system (e.g. "url", "cve") */
            piece = strtok_r(entry, ",", &save);

            if ( piece == NULL )
                {
                    strlcpy(str, "", 1);
                    return;
                }

            strlcpy(ref_kind, piece, sizeof(ref_kind));

            /* second field: the reference-specific suffix */
            piece = strtok_r(NULL, ",", &save);

            if ( piece == NULL )
                {
                    strlcpy(str, "", 1);
                    return;
                }

            strlcpy(ref_path, piece, sizeof(ref_path));

            for ( table_idx = 0; table_idx < counters->refcount; table_idx++ )
                {

                    if ( strcmp(refstruct[table_idx].s_refid, ref_kind) != 0 )
                        {
                            continue;
                        }

                    switch ( type )
                        {
                        case 0:
                            snprintf(rendered, sizeof(rendered)-1, "[Xref => %s%s]", refstruct[table_idx].s_refurl, ref_path);
                            break;
                        case 1:
                            snprintf(rendered, sizeof(rendered)-1, "Reference:%s%s\n", refstruct[table_idx].s_refurl, ref_path);
                            break;
                        default:
                            break;
                        }

                    /* strlcat truncates silently at sizeof(assembled) */
                    strlcat(assembled, rendered, sizeof(assembled));
                }
        }

    snprintf(str, size, "%s", assembled);

}

sagan-1.2.0/src/sagan.h0000644000175000017500000003572513310531444013604 0ustar champchamp/* $Id$ */
/*
** Copyright (C) 2009-2018 Quadrant Information Security
** Copyright (C) 2009-2018 Champ Clark III
**
** This program is free software; you can redistribute it and/or modify
** it under the terms of the GNU General Public License Version 2 as
** published by the Free Software Foundation.  You may not use, modify or
** distribute this program under any other version of the GNU General
** Public License.
**
** This program is distributed in the hope that it will be useful,
** but WITHOUT ANY WARRANTY; without even the implied warranty of
** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
** GNU General Public License for more details.
** ** You should have received a copy of the GNU General Public License ** along with this program; if not, write to the Free Software ** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. */ /* sagan.h * * Sagan prototypes and definitions. * */ #ifdef HAVE_CONFIG_H #include "config.h" /* From autoconf */ #endif #include #include #include #include #include #include #include "sagan-defs.h" #ifdef HAVE_LIBMAXMINDDB #include #endif #ifndef HAVE_STRLCAT size_t strlcat(char *, const char *, size_t ); #endif #ifndef HAVE_STRLCPY size_t strlcpy(char *, const char *, size_t ); #endif /* * OS specific macro's for setting the thread name. "top" can display * this name. This was largely taken from Suricata. */ #if defined __FreeBSD__ /* FreeBSD */ /** \todo Add implementation for FreeBSD */ #define SetThreadName(n) ({ \ char tname[16] = ""; \ if (strlen(n) > 16) \ Sagan_Log(WARN, "Thread name is too long, truncating it..."); \ strlcpy(tname, n, 16); \ pthread_set_name_np(pthread_self(), tname); \ 0; \ }) #elif defined __OpenBSD__ /* OpenBSD */ /** \todo Add implementation for OpenBSD */ #define SetThreadName(n) (0) #elif defined OS_WIN32 /* Windows */ /** \todo Add implementation for Windows */ #define SetThreadName(n) (0) #elif defined OS_DARWIN /* Mac OS X */ /** \todo Add implementation for MacOS */ #define SetThreadName(n) (0) #elif defined HAVE_SYS_PRCTL_H /* PR_SET_NAME */ /** * \brief Set the threads name */ #define SetThreadName(n) ({ \ char tname[THREAD_NAME_LEN + 1] = ""; \ if (strlen(n) > THREAD_NAME_LEN) \ Sagan_Log(WARN, "Thread name is too long, truncating it..."); \ strlcpy(tname, n, THREAD_NAME_LEN); \ int ret = 0; \ if ((ret = prctl(PR_SET_NAME, tname, 0, 0, 0)) < 0) \ Sagan_Log(WARN, "Error setting thread name \"%s\": %s", tname, strerror(errno)); \ ret; \ }) #else #define SetThreadName(n) (0) #endif typedef char sbool; /* From rsyslog. 'bool' causes compatiablity problems on OSX. 
"(small bool) I intentionally use char, to keep it slim so that many fit into the CPU cache!". */ sbool Is_Numeric (char *); void To_UpperC(char* const ); void To_LowerC(char* const ); sbool Check_Endian( void ); void Usage( void ); void Chroot( const char * ); void Remove_Return(char *); int Classtype_Lookup( const char *, char *, size_t size ); void Remove_Spaces(char *); void Between_Quotes( char *, char *str, size_t size ); double CalcPct(uint64_t, uint64_t); void Replace_String(char *, char *, char *, char *str, size_t size); uint64_t Value_To_Seconds (char *, uint64_t); void Sagan_Log( int, const char *, ... ); void Droppriv( void ); int DNS_Lookup( char *, char *str, size_t size ); void Var_To_Value(char *, char *str, size_t size); sbool IP2Bit (char *, unsigned char * ); sbool Mask2Bit (int, unsigned char * ); const char *Bit2IP(unsigned char *, char *str, size_t size); sbool Validate_HEX (const char *); void Content_Pipe(char *, int, const char *, char *, size_t size); sbool is_notroutable ( unsigned char * ); sbool is_inrange ( unsigned char *, unsigned char *, int ); void Replace_Sagan( char *, char *, char *str, size_t size); int Character_Count ( char *, char *); sbool Wildcard( char *, char *); void Open_Log_File( sbool, int ); int Check_Var(const char *); int Netaddr_To_Range( char *, unsigned char * ); void Strip_Chars(const char *string, const char *chars, char *str); sbool Is_IP (char *str); sbool Is_IPv6 (char *str); sbool File_Lock ( int ); sbool File_Unlock ( int ); sbool Check_Content_Not( char * ); uint32_t Djb2_Hash( char * ); sbool Starts_With(const char *str, const char *prefix); char *strrpbrk(const char *str, const char *accept); #if defined(F_GETPIPE_SZ) && defined(F_SETPIPE_SZ) void Set_Pipe_Size( FILE * ); #endif #ifdef __OpenBSD__ /* OpenBSD won't allow for this test: * "suricata(...): mprotect W^X violation" */ #ifndef PageSupportsRWX() #define PageSupportsRWX() 0 #endif #else #ifndef HAVE_SYS_MMAN_H #define PageSupportsRWX() 1 
#else int PageSupportsRWX(void); #endif /* HAVE_SYS_MMAN_H */ #endif typedef struct _SaganDNSCache _SaganDNSCache; struct _SaganDNSCache { char hostname[64]; char src_ip[20]; }; typedef struct _Sagan_IPC_Counters _Sagan_IPC_Counters; struct _Sagan_IPC_Counters { int xbit_count; int thresh_count_by_src; int thresh_count_by_dst; int thresh_count_by_dstport; int thresh_count_by_srcport; int thresh_count_by_username; int after_count_by_src; int after_count_by_dst; int after_count_by_srcport; int after_count_by_dstport; int after_count_by_username; int track_client_count; int track_clients_client_count; int track_clients_down; }; typedef struct _SaganCounters _SaganCounters; struct _SaganCounters { uint64_t threshold_total; uint64_t after_total; uint64_t sagantotal; uint64_t saganfound; uint64_t sagan_output_drop; uint64_t sagan_processor_drop; uint64_t sagan_log_drop; uint64_t dns_cache_count; uint64_t dns_miss_count; uint64_t fwsam_count; uint64_t ignore_count; uint64_t blacklist_count; uint64_t alert_total; uint64_t malformed_host; uint64_t malformed_facility; uint64_t malformed_priority; uint64_t malformed_level; uint64_t malformed_tag; uint64_t malformed_date; uint64_t malformed_time; uint64_t malformed_program; uint64_t malformed_message; uint64_t worker_thread_exhaustion; uint64_t blacklist_hit_count; uint64_t blacklist_lookup_count; int thread_output_counter; int thread_processor_counter; int xbit_total_counter; int var_count; int dynamic_rule_count; int classcount; int rulecount; int refcount; int ruletotal; int genmapcount; int mapcount_message; int mapcount_program; int droplist_count; int brointel_addr_count; int brointel_domain_count; int brointel_file_hash_count; int brointel_url_count; int brointel_software_count; int brointel_email_count; int brointel_user_name_count; int brointel_file_name_count; int brointel_cert_hash_count; int brointel_dups; int rules_loaded_count; uint64_t follow_flow_total; /* This will only be needed if follow_flow is an option */ 
uint64_t follow_flow_drop; /* Amount of flows that did not match and were dropped */ #ifdef HAVE_LIBMAXMINDDB uint64_t geoip2_hit; /* GeoIP2 hit count */ uint64_t geoip2_lookup; /* Total lookups */ uint64_t geoip2_miss; /* Misses (country not found) */ #endif #ifdef WITH_BLUEDOT uint64_t bluedot_ip_cache_count; /* Bluedot cache processor */ uint64_t bluedot_ip_cache_hit; /* Bluedot hit's from Cache */ uint64_t bluedot_ip_positive_hit; uint64_t bluedot_ip_total; uint64_t bluedot_mdate; /* Hits , but where over a modification date */ uint64_t bluedot_cdate; /* Hits , but where over a creation date */ uint64_t bluedot_mdate_cache; /* Hits from cache , but where over a modification date */ uint64_t bluedot_cdate_cache; /* Hits from cache , but where over a create date */ uint64_t bluedot_error_count; uint64_t bluedot_hash_cache_count; uint64_t bluedot_hash_cache_hit; uint64_t bluedot_hash_positive_hit; uint64_t bluedot_hash_total; uint64_t bluedot_url_cache_count; uint64_t bluedot_url_cache_hit; uint64_t bluedot_url_positive_hit; uint64_t bluedot_url_total; uint64_t bluedot_filename_cache_count; uint64_t bluedot_filename_cache_hit; uint64_t bluedot_filename_positive_hit; uint64_t bluedot_filename_total; int bluedot_cat_count; #endif #ifdef HAVE_LIBESMTP uint64_t esmtp_count_success; uint64_t esmtp_count_failed; #endif #ifdef HAVE_LIBHIREDIS uint64_t redis_writer_threads_drop; #endif }; typedef struct _SaganDebug _SaganDebug; struct _SaganDebug { sbool debugsyslog; sbool debugload; sbool debugfwsam; sbool debugexternal; sbool debugthreads; sbool debugxbit; sbool debugengine; sbool debugbrointel; sbool debugmalformed; sbool debuglimits; sbool debugipc; sbool debugjson; sbool debugparse_ip; #ifdef HAVE_LIBMAXMINDDB sbool debuggeoip2; #endif #ifdef HAVE_LIBLOGNORM sbool debugnormalize; #endif #ifdef HAVE_LIBESMTP sbool debugesmtp; #endif #ifdef HAVE_LIBPCAP sbool debugplog; #endif #ifdef WITH_BLUEDOT sbool debugbluedot; #endif #ifdef HAVE_LIBHIREDIS sbool debugredis; 
#endif }; #ifdef HAVE_LIBHIREDIS typedef struct _Sagan_Redis _Sagan_Redis; struct _Sagan_Redis { char redis_command[2048]; }; #endif typedef struct _Sagan_Proc_Syslog _Sagan_Proc_Syslog; struct _Sagan_Proc_Syslog { char syslog_host[50]; char syslog_facility[50]; char syslog_priority[50]; char syslog_level[50]; char syslog_tag[50]; char syslog_date[50]; char syslog_time[50]; char syslog_program[50]; char syslog_message[MAX_SYSLOGMSG]; }; typedef struct _Sagan_Event _Sagan_Event; struct _Sagan_Event { char *ip_src; char *ip_dst; int dst_port; int src_port; char *selector; struct timeval event_time; int found; char *fpri; /* *priority */ sbool endian; sbool drop; char *f_msg; /* message information */ char *time; char *date; char *priority; /* Syslog priority */ char *host; char *facility; char *level; char *tag; char *program; char *message; char *sid; char *rev; char *class; int pri; int ip_proto; char *normalize_http_uri; char *normalize_http_hostname; unsigned long generatorid; unsigned long alertid; json_object *json_normalize; }; /* Thresholding structure by source */ typedef struct thresh_by_src_ipc thresh_by_src_ipc; struct thresh_by_src_ipc { unsigned char ipsrc[MAXIPBIT]; int count; uint64_t utime; char sid[20]; int expire; char selector[MAXSELECTOR]; char syslog_message[MAX_SYSLOGMSG]; char signature_msg[MAX_SAGAN_MSG]; }; /* Thresholding structure by destination */ typedef struct thresh_by_dst_ipc thresh_by_dst_ipc; struct thresh_by_dst_ipc { unsigned char ipdst[MAXIPBIT]; int count; uint64_t utime; char sid[20]; int expire; char selector[MAXSELECTOR]; char syslog_message[MAX_SYSLOGMSG]; char signature_msg[MAX_SAGAN_MSG]; }; /* Thresholding structure by source port */ typedef struct thresh_by_srcport_ipc thresh_by_srcport_ipc; struct thresh_by_srcport_ipc { uint32_t ipsrcport; int count; uint64_t utime; char sid[20]; int expire; char selector[MAXSELECTOR]; }; /* Thresholding structure by destination port */ typedef struct thresh_by_dstport_ipc 
thresh_by_dstport_ipc; struct thresh_by_dstport_ipc { uint32_t ipdstport; int count; uint64_t utime; char sid[20]; int expire; char selector[MAXSELECTOR]; }; /* Thesholding structure by username */ typedef struct thresh_by_username_ipc thresh_by_username_ipc; struct thresh_by_username_ipc { char username[128]; int count; uint64_t utime; char sid[20]; int expire; char selector[MAXSELECTOR]; char syslog_message[MAX_SYSLOGMSG]; char signature_msg[MAX_SAGAN_MSG]; }; /* After structure by source */ typedef struct after_by_src_ipc after_by_src_ipc; struct after_by_src_ipc { unsigned char ipsrc[MAXIPBIT]; uint64_t count; uint64_t total_count; uint64_t utime; char sid[20]; int expire; char selector[MAXSELECTOR]; char syslog_message[MAX_SYSLOGMSG]; char signature_msg[MAX_SAGAN_MSG]; }; /* After structure by destination */ typedef struct after_by_dst_ipc after_by_dst_ipc; struct after_by_dst_ipc { unsigned char ipdst[MAXIPBIT]; int count; uint64_t total_count; uint64_t utime; char sid[20]; int expire; char selector[MAXSELECTOR]; char syslog_message[MAX_SYSLOGMSG]; char signature_msg[MAX_SAGAN_MSG]; }; /* After structure by source port */ typedef struct after_by_srcport_ipc after_by_srcport_ipc; struct after_by_srcport_ipc { uint32_t ipsrcport; uint64_t count; uint64_t total_count; uint64_t utime; char sid[20]; int expire; char selector[MAXSELECTOR]; }; /* After structure by destination port */ typedef struct after_by_dstport_ipc after_by_dstport_ipc; struct after_by_dstport_ipc { uint32_t ipdstport; uint64_t count; uint64_t total_count; uint64_t utime; char sid[20]; int expire; char selector[MAXSELECTOR]; }; /* After structure by username */ typedef struct after_by_username_ipc after_by_username_ipc; struct after_by_username_ipc { char username[128]; uint64_t count; uint64_t total_count; uint64_t utime; char sid[20]; int expire; char selector[MAXSELECTOR]; char syslog_message[MAX_SYSLOGMSG]; char signature_msg[MAX_SAGAN_MSG]; }; typedef struct _SaganVar _SaganVar; struct 
_SaganVar { char var_name[MAX_VAR_NAME_SIZE]; char var_value[MAX_VAR_VALUE_SIZE]; }; typedef struct _Sagan_Processor_Info _Sagan_Processor_Info; struct _Sagan_Processor_Info { char *processor_name; char *processor_facility; char *processor_priority; /* Syslog priority */ int processor_pri; /* Sagan priority */ char *processor_class; char *processor_tag; char *processor_rev; int processor_generator_id; }; /* IP Lookup cache */ typedef struct _Sagan_Lookup_Cache_Entry _Sagan_Lookup_Cache_Entry; struct _Sagan_Lookup_Cache_Entry { char ip[MAXIP]; unsigned char ip_bits[MAXIPBIT]; int port; unsigned char proto; sbool status; }; typedef struct _Sagan_Lookup_Cache_Entry _Sagan_Lookup_Cache_Other; struct _Sagan_Lookup_Cache_Other { int proto; }; /* Function that require the above arrays */ int64_t FlowGetId( _Sagan_Event *); void Escape_Chars( char *str_in, char *str, size_t size); sagan-1.2.0/src/stats.h0000644000175000017500000000200113310531444013632 0ustar champchamp/* ** Copyright (C) 2009-2018 Quadrant Information Security ** Copyright (C) 2009-2018 Champ Clark III ** ** This program is free software; you can redistribute it and/or modify ** it under the terms of the GNU General Public License Version 2 as ** published by the Free Software Foundation. You may not use, modify or ** distribute this program under any other version of the GNU General ** Public License. ** ** This program is distributed in the hope that it will be useful, ** but WITHOUT ANY WARRANTY; without even the implied warranty of ** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ** GNU General Public License for more details. ** ** You should have received a copy of the GNU General Public License ** along with this program; if not, write to the Free Software ** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. 
*/ #ifdef HAVE_CONFIG_H #include "config.h" /* From autoconf */ #endif void Statistics( void ); sagan-1.2.0/.travis.yml0000644000175000017500000000413313310531444013655 0ustar champchamp# Default parameters, even this default build is excluded in the build # matrix below. We define so Travis doesn't think this is a Ruby # project. os: linux language: c compiler: gcc # Define the default CFLAGS used by all builds as a YAML anchor. default-cflags: &default-cflags CFLAGS="-Wall -Wno-unused-parameter -Wno-unused-function" #CFLAGS="-Wall -Wextra -Werror -Wno-unused-parameter -Wno-unused-function" # The default build is Linux with gcc. Add additional builds to the # matrix here. matrix: # Exclude the default build so any the builds in the matrix will be done. exclude: - os: linux compiler: gcc include: # Linux, gcc, tests enabled. - os: linux compiler: gcc env: - NAME="linux,gcc" - *default-cflags # Linux, clang. For this build we'll also enable -Wshadow. - os: linux compiler: clang env: - NAME="linux,clang" - *default-cflags - EXTRA_CFLAGS="-Wshadow" # Change this to your needs script: - ./autogen.sh - if [[ "$TRAVIS_OS_NAME" == "linux" ]]; then ./configure || { echo "!!!! ERROR !!!!"; cat config.log && false; } fi - make - cd tools - make before_install: - | if [[ "$TRAVIS_OS_NAME" == "linux" ]]; then sudo apt-get update -qq sudo apt-get install -y libpcre3 libpcre3-dbg libpcre3-dev \ build-essential autoconf automake libyaml-0-2 libyaml-dev \ libdumbnet1 libdumbnet-dev pkg-config libhiredis-dev git clone https://github.com/rsyslog/libfastjson cd libfastjson ./autogen.sh && ./configure --prefix=/usr && make sudo make install sudo ldconfig cd .. git clone https://github.com/rsyslog/libestr cd libestr autoreconf -vfi ./configure --prefix=/usr && make sudo make install sudo ldconfig cd .. git clone https://github.com/rsyslog/liblognorm cd liblognorm autoreconf -vfi ./configure --prefix=/usr --disable-docs && make sudo make install sudo ldconfig cd .. 
fi sagan-1.2.0/autogen.sh0000755000175000017500000000012013310531444013535 0ustar champchamp#!/bin/sh # This generates Makefiles, ./configure, etc. autoreconf -vfi -I m4 sagan-1.2.0/configure0000755000175000017500000117551713310533434013474 0ustar champchamp#! /bin/sh # Guess values for system-dependent variables and create Makefiles. # Generated by GNU Autoconf 2.69 for sagan 1.2.0. # # # Copyright (C) 1992-1996, 1998-2012 Free Software Foundation, Inc. # # # This configure script is free software; the Free Software Foundation # gives unlimited permission to copy, distribute and modify it. ## -------------------- ## ## M4sh Initialization. ## ## -------------------- ## # Be more Bourne compatible DUALCASE=1; export DUALCASE # for MKS sh if test -n "${ZSH_VERSION+set}" && (emulate sh) >/dev/null 2>&1; then : emulate sh NULLCMD=: # Pre-4.2 versions of Zsh do word splitting on ${1+"$@"}, which # is contrary to our usage. Disable this feature. alias -g '${1+"$@"}'='"$@"' setopt NO_GLOB_SUBST else case `(set -o) 2>/dev/null` in #( *posix*) : set -o posix ;; #( *) : ;; esac fi as_nl=' ' export as_nl # Printing a long string crashes Solaris 7 /usr/bin/printf. as_echo='\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\' as_echo=$as_echo$as_echo$as_echo$as_echo$as_echo as_echo=$as_echo$as_echo$as_echo$as_echo$as_echo$as_echo # Prefer a ksh shell builtin over an external printf program on Solaris, # but without wasting forks for bash or zsh. 
if test -z "$BASH_VERSION$ZSH_VERSION" \ && (test "X`print -r -- $as_echo`" = "X$as_echo") 2>/dev/null; then as_echo='print -r --' as_echo_n='print -rn --' elif (test "X`printf %s $as_echo`" = "X$as_echo") 2>/dev/null; then as_echo='printf %s\n' as_echo_n='printf %s' else if test "X`(/usr/ucb/echo -n -n $as_echo) 2>/dev/null`" = "X-n $as_echo"; then as_echo_body='eval /usr/ucb/echo -n "$1$as_nl"' as_echo_n='/usr/ucb/echo -n' else as_echo_body='eval expr "X$1" : "X\\(.*\\)"' as_echo_n_body='eval arg=$1; case $arg in #( *"$as_nl"*) expr "X$arg" : "X\\(.*\\)$as_nl"; arg=`expr "X$arg" : ".*$as_nl\\(.*\\)"`;; esac; expr "X$arg" : "X\\(.*\\)" | tr -d "$as_nl" ' export as_echo_n_body as_echo_n='sh -c $as_echo_n_body as_echo' fi export as_echo_body as_echo='sh -c $as_echo_body as_echo' fi # The user is always right. if test "${PATH_SEPARATOR+set}" != set; then PATH_SEPARATOR=: (PATH='/bin;/bin'; FPATH=$PATH; sh -c :) >/dev/null 2>&1 && { (PATH='/bin:/bin'; FPATH=$PATH; sh -c :) >/dev/null 2>&1 || PATH_SEPARATOR=';' } fi # IFS # We need space, tab and new line, in precisely that order. Quoting is # there to prevent editors from complaining about space-tab. # (If _AS_PATH_WALK were called with IFS unset, it would disable word # splitting by setting IFS to empty value.) IFS=" "" $as_nl" # Find who we are. Look in the path if we contain no directory separator. as_myself= case $0 in #(( *[\\/]* ) as_myself=$0 ;; *) as_save_IFS=$IFS; IFS=$PATH_SEPARATOR for as_dir in $PATH do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. test -r "$as_dir/$0" && as_myself=$as_dir/$0 && break done IFS=$as_save_IFS ;; esac # We did not find ourselves, most probably we were run as `sh COMMAND' # in which case we are not to be found in the path. if test "x$as_myself" = x; then as_myself=$0 fi if test ! -f "$as_myself"; then $as_echo "$as_myself: error: cannot find myself; rerun with an absolute file name" >&2 exit 1 fi # Unset variables that we do not need and which cause bugs (e.g. 
in # pre-3.0 UWIN ksh). But do not cause bugs in bash 2.01; the "|| exit 1" # suppresses any "Segmentation fault" message there. '((' could # trigger a bug in pdksh 5.2.14. for as_var in BASH_ENV ENV MAIL MAILPATH do eval test x\${$as_var+set} = xset \ && ( (unset $as_var) || exit 1) >/dev/null 2>&1 && unset $as_var || : done PS1='$ ' PS2='> ' PS4='+ ' # NLS nuisances. LC_ALL=C export LC_ALL LANGUAGE=C export LANGUAGE # CDPATH. (unset CDPATH) >/dev/null 2>&1 && unset CDPATH # Use a proper internal environment variable to ensure we don't fall # into an infinite loop, continuously re-executing ourselves. if test x"${_as_can_reexec}" != xno && test "x$CONFIG_SHELL" != x; then _as_can_reexec=no; export _as_can_reexec; # We cannot yet assume a decent shell, so we have to provide a # neutralization value for shells without unset; and this also # works around shells that cannot unset nonexistent variables. # Preserve -v and -x to the replacement shell. BASH_ENV=/dev/null ENV=/dev/null (unset BASH_ENV) >/dev/null 2>&1 && unset BASH_ENV ENV case $- in # (((( *v*x* | *x*v* ) as_opts=-vx ;; *v* ) as_opts=-v ;; *x* ) as_opts=-x ;; * ) as_opts= ;; esac exec $CONFIG_SHELL $as_opts "$as_myself" ${1+"$@"} # Admittedly, this is quite paranoid, since all the known shells bail # out after a failed `exec'. $as_echo "$0: could not re-execute with $CONFIG_SHELL" >&2 as_fn_exit 255 fi # We don't want this to propagate to other subprocesses. { _as_can_reexec=; unset _as_can_reexec;} if test "x$CONFIG_SHELL" = x; then as_bourne_compatible="if test -n \"\${ZSH_VERSION+set}\" && (emulate sh) >/dev/null 2>&1; then : emulate sh NULLCMD=: # Pre-4.2 versions of Zsh do word splitting on \${1+\"\$@\"}, which # is contrary to our usage. Disable this feature. 
alias -g '\${1+\"\$@\"}'='\"\$@\"' setopt NO_GLOB_SUBST else case \`(set -o) 2>/dev/null\` in #( *posix*) : set -o posix ;; #( *) : ;; esac fi " as_required="as_fn_return () { (exit \$1); } as_fn_success () { as_fn_return 0; } as_fn_failure () { as_fn_return 1; } as_fn_ret_success () { return 0; } as_fn_ret_failure () { return 1; } exitcode=0 as_fn_success || { exitcode=1; echo as_fn_success failed.; } as_fn_failure && { exitcode=1; echo as_fn_failure succeeded.; } as_fn_ret_success || { exitcode=1; echo as_fn_ret_success failed.; } as_fn_ret_failure && { exitcode=1; echo as_fn_ret_failure succeeded.; } if ( set x; as_fn_ret_success y && test x = \"\$1\" ); then : else exitcode=1; echo positional parameters were not saved. fi test x\$exitcode = x0 || exit 1 test -x / || exit 1" as_suggested=" as_lineno_1=";as_suggested=$as_suggested$LINENO;as_suggested=$as_suggested" as_lineno_1a=\$LINENO as_lineno_2=";as_suggested=$as_suggested$LINENO;as_suggested=$as_suggested" as_lineno_2a=\$LINENO eval 'test \"x\$as_lineno_1'\$as_run'\" != \"x\$as_lineno_2'\$as_run'\" && test \"x\`expr \$as_lineno_1'\$as_run' + 1\`\" = \"x\$as_lineno_2'\$as_run'\"' || exit 1 test \$(( 1 + 1 )) = 2 || exit 1" if (eval "$as_required") 2>/dev/null; then : as_have_required=yes else as_have_required=no fi if test x$as_have_required = xyes && (eval "$as_suggested") 2>/dev/null; then : else as_save_IFS=$IFS; IFS=$PATH_SEPARATOR as_found=false for as_dir in /bin$PATH_SEPARATOR/usr/bin$PATH_SEPARATOR$PATH do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. as_found=: case $as_dir in #( /*) for as_base in sh bash ksh sh5; do # Try only shells that exist, to save several forks. 
as_shell=$as_dir/$as_base if { test -f "$as_shell" || test -f "$as_shell.exe"; } && { $as_echo "$as_bourne_compatible""$as_required" | as_run=a "$as_shell"; } 2>/dev/null; then : CONFIG_SHELL=$as_shell as_have_required=yes if { $as_echo "$as_bourne_compatible""$as_suggested" | as_run=a "$as_shell"; } 2>/dev/null; then : break 2 fi fi done;; esac as_found=false done $as_found || { if { test -f "$SHELL" || test -f "$SHELL.exe"; } && { $as_echo "$as_bourne_compatible""$as_required" | as_run=a "$SHELL"; } 2>/dev/null; then : CONFIG_SHELL=$SHELL as_have_required=yes fi; } IFS=$as_save_IFS if test "x$CONFIG_SHELL" != x; then : export CONFIG_SHELL # We cannot yet assume a decent shell, so we have to provide a # neutralization value for shells without unset; and this also # works around shells that cannot unset nonexistent variables. # Preserve -v and -x to the replacement shell. BASH_ENV=/dev/null ENV=/dev/null (unset BASH_ENV) >/dev/null 2>&1 && unset BASH_ENV ENV case $- in # (((( *v*x* | *x*v* ) as_opts=-vx ;; *v* ) as_opts=-v ;; *x* ) as_opts=-x ;; * ) as_opts= ;; esac exec $CONFIG_SHELL $as_opts "$as_myself" ${1+"$@"} # Admittedly, this is quite paranoid, since all the known shells bail # out after a failed `exec'. $as_echo "$0: could not re-execute with $CONFIG_SHELL" >&2 exit 255 fi if test x$as_have_required = xno; then : $as_echo "$0: This script requires a shell more modern than all" $as_echo "$0: the shells that I found on your system." if test x${ZSH_VERSION+set} = xset ; then $as_echo "$0: In particular, zsh $ZSH_VERSION has bugs and should" $as_echo "$0: be upgraded to zsh 4.3.4 or later." else $as_echo "$0: Please tell bug-autoconf@gnu.org about your system, $0: including any error possibly output before this $0: message. Then install a modern shell, or manually run $0: the script under such a shell if you do have one." fi exit 1 fi fi fi SHELL=${CONFIG_SHELL-/bin/sh} export SHELL # Unset more variables known to interfere with behavior of common tools. 
CLICOLOR_FORCE= GREP_OPTIONS= unset CLICOLOR_FORCE GREP_OPTIONS ## --------------------- ## ## M4sh Shell Functions. ## ## --------------------- ## # as_fn_unset VAR # --------------- # Portably unset VAR. as_fn_unset () { { eval $1=; unset $1;} } as_unset=as_fn_unset # as_fn_set_status STATUS # ----------------------- # Set $? to STATUS, without forking. as_fn_set_status () { return $1 } # as_fn_set_status # as_fn_exit STATUS # ----------------- # Exit the shell with STATUS, even in a "trap 0" or "set -e" context. as_fn_exit () { set +e as_fn_set_status $1 exit $1 } # as_fn_exit # as_fn_mkdir_p # ------------- # Create "$as_dir" as a directory, including parents if necessary. as_fn_mkdir_p () { case $as_dir in #( -*) as_dir=./$as_dir;; esac test -d "$as_dir" || eval $as_mkdir_p || { as_dirs= while :; do case $as_dir in #( *\'*) as_qdir=`$as_echo "$as_dir" | sed "s/'/'\\\\\\\\''/g"`;; #'( *) as_qdir=$as_dir;; esac as_dirs="'$as_qdir' $as_dirs" as_dir=`$as_dirname -- "$as_dir" || $as_expr X"$as_dir" : 'X\(.*[^/]\)//*[^/][^/]*/*$' \| \ X"$as_dir" : 'X\(//\)[^/]' \| \ X"$as_dir" : 'X\(//\)$' \| \ X"$as_dir" : 'X\(/\)' \| . 2>/dev/null || $as_echo X"$as_dir" | sed '/^X\(.*[^/]\)\/\/*[^/][^/]*\/*$/{ s//\1/ q } /^X\(\/\/\)[^/].*/{ s//\1/ q } /^X\(\/\/\)$/{ s//\1/ q } /^X\(\/\).*/{ s//\1/ q } s/.*/./; q'` test -d "$as_dir" && break done test -z "$as_dirs" || eval "mkdir $as_dirs" } || test -d "$as_dir" || as_fn_error $? "cannot create directory $as_dir" } # as_fn_mkdir_p # as_fn_executable_p FILE # ----------------------- # Test if FILE is an executable regular file. as_fn_executable_p () { test -f "$1" && test -x "$1" } # as_fn_executable_p # as_fn_append VAR VALUE # ---------------------- # Append the text in VALUE to the end of the definition contained in VAR. Take # advantage of any shell optimizations that allow amortized linear growth over # repeated appends, instead of the typical quadratic growth present in naive # implementations. 
if (eval "as_var=1; as_var+=2; test x\$as_var = x12") 2>/dev/null; then : eval 'as_fn_append () { eval $1+=\$2 }' else as_fn_append () { eval $1=\$$1\$2 } fi # as_fn_append # as_fn_arith ARG... # ------------------ # Perform arithmetic evaluation on the ARGs, and store the result in the # global $as_val. Take advantage of shells that can avoid forks. The arguments # must be portable across $(()) and expr. if (eval "test \$(( 1 + 1 )) = 2") 2>/dev/null; then : eval 'as_fn_arith () { as_val=$(( $* )) }' else as_fn_arith () { as_val=`expr "$@" || test $? -eq 1` } fi # as_fn_arith # as_fn_error STATUS ERROR [LINENO LOG_FD] # ---------------------------------------- # Output "`basename $0`: error: ERROR" to stderr. If LINENO and LOG_FD are # provided, also output the error to LOG_FD, referencing LINENO. Then exit the # script with STATUS, using 1 if that was 0. as_fn_error () { as_status=$1; test $as_status -eq 0 && as_status=1 if test "$4"; then as_lineno=${as_lineno-"$3"} as_lineno_stack=as_lineno_stack=$as_lineno_stack $as_echo "$as_me:${as_lineno-$LINENO}: error: $2" >&$4 fi $as_echo "$as_me: error: $2" >&2 as_fn_exit $as_status } # as_fn_error if expr a : '\(a\)' >/dev/null 2>&1 && test "X`expr 00001 : '.*\(...\)'`" = X001; then as_expr=expr else as_expr=false fi if (basename -- /) >/dev/null 2>&1 && test "X`basename -- / 2>&1`" = "X/"; then as_basename=basename else as_basename=false fi if (as_dir=`dirname -- /` && test "X$as_dir" = X/) >/dev/null 2>&1; then as_dirname=dirname else as_dirname=false fi as_me=`$as_basename -- "$0" || $as_expr X/"$0" : '.*/\([^/][^/]*\)/*$' \| \ X"$0" : 'X\(//\)$' \| \ X"$0" : 'X\(/\)' \| . 2>/dev/null || $as_echo X/"$0" | sed '/^.*\/\([^/][^/]*\)\/*$/{ s//\1/ q } /^X\/\(\/\/\)$/{ s//\1/ q } /^X\/\(\/\).*/{ s//\1/ q } s/.*/./; q'` # Avoid depending upon Character Ranges. 
as_cr_letters='abcdefghijklmnopqrstuvwxyz' as_cr_LETTERS='ABCDEFGHIJKLMNOPQRSTUVWXYZ' as_cr_Letters=$as_cr_letters$as_cr_LETTERS as_cr_digits='0123456789' as_cr_alnum=$as_cr_Letters$as_cr_digits as_lineno_1=$LINENO as_lineno_1a=$LINENO as_lineno_2=$LINENO as_lineno_2a=$LINENO eval 'test "x$as_lineno_1'$as_run'" != "x$as_lineno_2'$as_run'" && test "x`expr $as_lineno_1'$as_run' + 1`" = "x$as_lineno_2'$as_run'"' || { # Blame Lee E. McMahon (1931-1989) for sed's syntax. :-) sed -n ' p /[$]LINENO/= ' <$as_myself | sed ' s/[$]LINENO.*/&-/ t lineno b :lineno N :loop s/[$]LINENO\([^'$as_cr_alnum'_].*\n\)\(.*\)/\2\1\2/ t loop s/-\n.*// ' >$as_me.lineno && chmod +x "$as_me.lineno" || { $as_echo "$as_me: error: cannot create $as_me.lineno; rerun with a POSIX shell" >&2; as_fn_exit 1; } # If we had to re-execute with $CONFIG_SHELL, we're ensured to have # already done that, so ensure we don't try to do so again and fall # in an infinite loop. This has already happened in practice. _as_can_reexec=no; export _as_can_reexec # Don't try to exec as it changes $[0], causing all sort of problems # (the dirname of $[0] is not the place where we might find the # original and so on. Autoconf is especially sensitive to this). . "./$as_me.lineno" # Exit status is that of the last command. exit } ECHO_C= ECHO_N= ECHO_T= case `echo -n x` in #((((( -n*) case `echo 'xy\c'` in *c*) ECHO_T=' ';; # ECHO_T is single tab character. xy) ECHO_C='\c';; *) echo `echo ksh88 bug on AIX 6.1` > /dev/null ECHO_T=' ';; esac;; *) ECHO_N='-n';; esac rm -f conf$$ conf$$.exe conf$$.file if test -d conf$$.dir; then rm -f conf$$.dir/conf$$.file else rm -f conf$$.dir mkdir conf$$.dir 2>/dev/null fi if (echo >conf$$.file) 2>/dev/null; then if ln -s conf$$.file conf$$ 2>/dev/null; then as_ln_s='ln -s' # ... but there are two gotchas: # 1) On MSYS, both `ln -s file dir' and `ln file dir' fail. # 2) DJGPP < 2.04 has no symlinks; `ln -s' creates a wrapper executable. # In both cases, we have to default to `cp -pR'. 
ln -s conf$$.file conf$$.dir 2>/dev/null && test ! -f conf$$.exe || as_ln_s='cp -pR' elif ln conf$$.file conf$$ 2>/dev/null; then as_ln_s=ln else as_ln_s='cp -pR' fi else as_ln_s='cp -pR' fi rm -f conf$$ conf$$.exe conf$$.dir/conf$$.file conf$$.file rmdir conf$$.dir 2>/dev/null if mkdir -p . 2>/dev/null; then as_mkdir_p='mkdir -p "$as_dir"' else test -d ./-p && rmdir ./-p as_mkdir_p=false fi as_test_x='test -x' as_executable_p=as_fn_executable_p # Sed expression to map a string onto a valid CPP name. as_tr_cpp="eval sed 'y%*$as_cr_letters%P$as_cr_LETTERS%;s%[^_$as_cr_alnum]%_%g'" # Sed expression to map a string onto a valid variable name. as_tr_sh="eval sed 'y%*+%pp%;s%[^_$as_cr_alnum]%_%g'" test -n "$DJDIR" || exec 7<&0 &1 # Name of the host. # hostname on some systems (SVR3.2, old GNU/Linux) returns a bogus exit status, # so uname gets run too. ac_hostname=`(hostname || uname -n) 2>/dev/null | sed 1q` # # Initializations. # ac_default_prefix=/usr/local ac_clean_files= ac_config_libobj_dir=. LIBOBJS= cross_compiling=no subdirs= MFLAGS= MAKEFLAGS= # Identity of this package. PACKAGE_NAME='sagan' PACKAGE_TARNAME='sagan' PACKAGE_VERSION='1.2.0' PACKAGE_STRING='sagan 1.2.0' PACKAGE_BUGREPORT='' PACKAGE_URL='' ac_unique_file="src" # Factoring default headers for most tests. 
ac_includes_default="\ #include #ifdef HAVE_SYS_TYPES_H # include #endif #ifdef HAVE_SYS_STAT_H # include #endif #ifdef STDC_HEADERS # include # include #else # ifdef HAVE_STDLIB_H # include # endif #endif #ifdef HAVE_STRING_H # if !defined STDC_HEADERS && defined HAVE_MEMORY_H # include # endif # include #endif #ifdef HAVE_STRINGS_H # include #endif #ifdef HAVE_INTTYPES_H # include #endif #ifdef HAVE_STDINT_H # include #endif #ifdef HAVE_UNISTD_H # include #endif" ac_subst_vars='am__EXEEXT_FALSE am__EXEEXT_TRUE LTLIBOBJS LIBLOGNORM_LIBS LIBLOGNORM_CFLAGS LIBESTR_LIBS LIBESTR_CFLAGS LIBFASTJSON_LIBS LIBFASTJSON_CFLAGS LIBPCREVERSION_LIBS LIBPCREVERSION_CFLAGS am__fastdepCCAS_FALSE am__fastdepCCAS_TRUE CCASDEPMODE CCASFLAGS CCAS SIMD_FLAGS LIBOBJS PKG_CONFIG_LIBDIR PKG_CONFIG_PATH PKG_CONFIG AM_BACKSLASH AM_DEFAULT_VERBOSITY AM_DEFAULT_V AM_V am__fastdepCC_FALSE am__fastdepCC_TRUE CCDEPMODE am__nodep AMDEPBACKSLASH AMDEP_FALSE AMDEP_TRUE am__quote am__include DEPDIR am__untar am__tar AMTAR am__leading_dot SET_MAKE AWK mkdir_p MKDIR_P INSTALL_STRIP_PROGRAM STRIP install_sh MAKEINFO AUTOHEADER AUTOMAKE AUTOCONF ACLOCAL PACKAGE CYGPATH_W am__isrc INSTALL_DATA INSTALL_SCRIPT INSTALL_PROGRAM VERSION ENDIAN MAINT MAINTAINER_MODE_FALSE MAINTAINER_MODE_TRUE EGREP GREP CPP OBJEXT EXEEXT ac_ct_CC CPPFLAGS LDFLAGS CFLAGS CC target_os target_vendor target_cpu target host_os host_vendor host_cpu host build_os build_vendor build_cpu build target_alias host_alias build_alias LIBS ECHO_T ECHO_N ECHO_C DEFS mandir localedir libdir psdir pdfdir dvidir htmldir infodir docdir oldincludedir includedir localstatedir sharedstatedir sysconfdir datadir datarootdir libexecdir sbindir bindir program_transform_name prefix exec_prefix PACKAGE_URL PACKAGE_BUGREPORT PACKAGE_STRING PACKAGE_VERSION PACKAGE_TARNAME PACKAGE_NAME PATH_SEPARATOR SHELL' ac_subst_files='' ac_user_opts=' enable_option_checking enable_maintainer_mode enable_snortsam enable_bluedot enable_esmtp enable_geoip2 enable_syslog 
enable_system_strstr enable_redis with_esmtp_includes with_esmtp_libraries with_geoip2_includes with_geoip2_libraries enable_lognorm with_lognorm_includes with_lognorm_libraries enable_libfastjson with_libfastjson_includes with_libfastjson_c_libraries enable_libpcap with_libpcap_includes with_libpcap_libraries enable_libdnet with_libdnet_includes with_libdnet_libraries enable_dependency_tracking enable_silent_rules with_libpthread_includes with_libpthread_libraries with_libyaml_includes with_libyaml_libraries with_libpcre_includes with_libpcre_libraries ' ac_precious_vars='build_alias host_alias target_alias CC CFLAGS LDFLAGS LIBS CPPFLAGS CPP PKG_CONFIG PKG_CONFIG_PATH PKG_CONFIG_LIBDIR CCAS CCASFLAGS LIBPCREVERSION_CFLAGS LIBPCREVERSION_LIBS LIBFASTJSON_CFLAGS LIBFASTJSON_LIBS LIBESTR_CFLAGS LIBESTR_LIBS LIBLOGNORM_CFLAGS LIBLOGNORM_LIBS' # Initialize some variables set by options. ac_init_help= ac_init_version=false ac_unrecognized_opts= ac_unrecognized_sep= # The variables have the same names as the options, with # dashes changed to underlines. cache_file=/dev/null exec_prefix=NONE no_create= no_recursion= prefix=NONE program_prefix=NONE program_suffix=NONE program_transform_name=s,x,x, silent= site= srcdir= verbose= x_includes=NONE x_libraries=NONE # Installation directory options. # These are left unexpanded so users can "make install exec_prefix=/foo" # and all the variables that are supposed to be based on exec_prefix # by default will actually change. # Use braces instead of parens because sh, perl, etc. also accept them. # (The list follows the same order as the GNU Coding Standards.) 
bindir='${exec_prefix}/bin' sbindir='${exec_prefix}/sbin' libexecdir='${exec_prefix}/libexec' datarootdir='${prefix}/share' datadir='${datarootdir}' sysconfdir='${prefix}/etc' sharedstatedir='${prefix}/com' localstatedir='${prefix}/var' includedir='${prefix}/include' oldincludedir='/usr/include' docdir='${datarootdir}/doc/${PACKAGE_TARNAME}' infodir='${datarootdir}/info' htmldir='${docdir}' dvidir='${docdir}' pdfdir='${docdir}' psdir='${docdir}' libdir='${exec_prefix}/lib' localedir='${datarootdir}/locale' mandir='${datarootdir}/man' ac_prev= ac_dashdash= for ac_option do # If the previous option needs an argument, assign it. if test -n "$ac_prev"; then eval $ac_prev=\$ac_option ac_prev= continue fi case $ac_option in *=?*) ac_optarg=`expr "X$ac_option" : '[^=]*=\(.*\)'` ;; *=) ac_optarg= ;; *) ac_optarg=yes ;; esac # Accept the important Cygnus configure options, so we can diagnose typos. case $ac_dashdash$ac_option in --) ac_dashdash=yes ;; -bindir | --bindir | --bindi | --bind | --bin | --bi) ac_prev=bindir ;; -bindir=* | --bindir=* | --bindi=* | --bind=* | --bin=* | --bi=*) bindir=$ac_optarg ;; -build | --build | --buil | --bui | --bu) ac_prev=build_alias ;; -build=* | --build=* | --buil=* | --bui=* | --bu=*) build_alias=$ac_optarg ;; -cache-file | --cache-file | --cache-fil | --cache-fi \ | --cache-f | --cache- | --cache | --cach | --cac | --ca | --c) ac_prev=cache_file ;; -cache-file=* | --cache-file=* | --cache-fil=* | --cache-fi=* \ | --cache-f=* | --cache-=* | --cache=* | --cach=* | --cac=* | --ca=* | --c=*) cache_file=$ac_optarg ;; --config-cache | -C) cache_file=config.cache ;; -datadir | --datadir | --datadi | --datad) ac_prev=datadir ;; -datadir=* | --datadir=* | --datadi=* | --datad=*) datadir=$ac_optarg ;; -datarootdir | --datarootdir | --datarootdi | --datarootd | --dataroot \ | --dataroo | --dataro | --datar) ac_prev=datarootdir ;; -datarootdir=* | --datarootdir=* | --datarootdi=* | --datarootd=* \ | --dataroot=* | --dataroo=* | --dataro=* | 
--datar=*) datarootdir=$ac_optarg ;; -disable-* | --disable-*) ac_useropt=`expr "x$ac_option" : 'x-*disable-\(.*\)'` # Reject names that are not valid shell variable names. expr "x$ac_useropt" : ".*[^-+._$as_cr_alnum]" >/dev/null && as_fn_error $? "invalid feature name: $ac_useropt" ac_useropt_orig=$ac_useropt ac_useropt=`$as_echo "$ac_useropt" | sed 's/[-+.]/_/g'` case $ac_user_opts in *" "enable_$ac_useropt" "*) ;; *) ac_unrecognized_opts="$ac_unrecognized_opts$ac_unrecognized_sep--disable-$ac_useropt_orig" ac_unrecognized_sep=', ';; esac eval enable_$ac_useropt=no ;; -docdir | --docdir | --docdi | --doc | --do) ac_prev=docdir ;; -docdir=* | --docdir=* | --docdi=* | --doc=* | --do=*) docdir=$ac_optarg ;; -dvidir | --dvidir | --dvidi | --dvid | --dvi | --dv) ac_prev=dvidir ;; -dvidir=* | --dvidir=* | --dvidi=* | --dvid=* | --dvi=* | --dv=*) dvidir=$ac_optarg ;; -enable-* | --enable-*) ac_useropt=`expr "x$ac_option" : 'x-*enable-\([^=]*\)'` # Reject names that are not valid shell variable names. expr "x$ac_useropt" : ".*[^-+._$as_cr_alnum]" >/dev/null && as_fn_error $? "invalid feature name: $ac_useropt" ac_useropt_orig=$ac_useropt ac_useropt=`$as_echo "$ac_useropt" | sed 's/[-+.]/_/g'` case $ac_user_opts in *" "enable_$ac_useropt" "*) ;; *) ac_unrecognized_opts="$ac_unrecognized_opts$ac_unrecognized_sep--enable-$ac_useropt_orig" ac_unrecognized_sep=', ';; esac eval enable_$ac_useropt=\$ac_optarg ;; -exec-prefix | --exec_prefix | --exec-prefix | --exec-prefi \ | --exec-pref | --exec-pre | --exec-pr | --exec-p | --exec- \ | --exec | --exe | --ex) ac_prev=exec_prefix ;; -exec-prefix=* | --exec_prefix=* | --exec-prefix=* | --exec-prefi=* \ | --exec-pref=* | --exec-pre=* | --exec-pr=* | --exec-p=* | --exec-=* \ | --exec=* | --exe=* | --ex=*) exec_prefix=$ac_optarg ;; -gas | --gas | --ga | --g) # Obsolete; use --with-gas. 
with_gas=yes ;; -help | --help | --hel | --he | -h) ac_init_help=long ;; -help=r* | --help=r* | --hel=r* | --he=r* | -hr*) ac_init_help=recursive ;; -help=s* | --help=s* | --hel=s* | --he=s* | -hs*) ac_init_help=short ;; -host | --host | --hos | --ho) ac_prev=host_alias ;; -host=* | --host=* | --hos=* | --ho=*) host_alias=$ac_optarg ;; -htmldir | --htmldir | --htmldi | --htmld | --html | --htm | --ht) ac_prev=htmldir ;; -htmldir=* | --htmldir=* | --htmldi=* | --htmld=* | --html=* | --htm=* \ | --ht=*) htmldir=$ac_optarg ;; -includedir | --includedir | --includedi | --included | --include \ | --includ | --inclu | --incl | --inc) ac_prev=includedir ;; -includedir=* | --includedir=* | --includedi=* | --included=* | --include=* \ | --includ=* | --inclu=* | --incl=* | --inc=*) includedir=$ac_optarg ;; -infodir | --infodir | --infodi | --infod | --info | --inf) ac_prev=infodir ;; -infodir=* | --infodir=* | --infodi=* | --infod=* | --info=* | --inf=*) infodir=$ac_optarg ;; -libdir | --libdir | --libdi | --libd) ac_prev=libdir ;; -libdir=* | --libdir=* | --libdi=* | --libd=*) libdir=$ac_optarg ;; -libexecdir | --libexecdir | --libexecdi | --libexecd | --libexec \ | --libexe | --libex | --libe) ac_prev=libexecdir ;; -libexecdir=* | --libexecdir=* | --libexecdi=* | --libexecd=* | --libexec=* \ | --libexe=* | --libex=* | --libe=*) libexecdir=$ac_optarg ;; -localedir | --localedir | --localedi | --localed | --locale) ac_prev=localedir ;; -localedir=* | --localedir=* | --localedi=* | --localed=* | --locale=*) localedir=$ac_optarg ;; -localstatedir | --localstatedir | --localstatedi | --localstated \ | --localstate | --localstat | --localsta | --localst | --locals) ac_prev=localstatedir ;; -localstatedir=* | --localstatedir=* | --localstatedi=* | --localstated=* \ | --localstate=* | --localstat=* | --localsta=* | --localst=* | --locals=*) localstatedir=$ac_optarg ;; -mandir | --mandir | --mandi | --mand | --man | --ma | --m) ac_prev=mandir ;; -mandir=* | --mandir=* | --mandi=* | 
--mand=* | --man=* | --ma=* | --m=*) mandir=$ac_optarg ;; -nfp | --nfp | --nf) # Obsolete; use --without-fp. with_fp=no ;; -no-create | --no-create | --no-creat | --no-crea | --no-cre \ | --no-cr | --no-c | -n) no_create=yes ;; -no-recursion | --no-recursion | --no-recursio | --no-recursi \ | --no-recurs | --no-recur | --no-recu | --no-rec | --no-re | --no-r) no_recursion=yes ;; -oldincludedir | --oldincludedir | --oldincludedi | --oldincluded \ | --oldinclude | --oldinclud | --oldinclu | --oldincl | --oldinc \ | --oldin | --oldi | --old | --ol | --o) ac_prev=oldincludedir ;; -oldincludedir=* | --oldincludedir=* | --oldincludedi=* | --oldincluded=* \ | --oldinclude=* | --oldinclud=* | --oldinclu=* | --oldincl=* | --oldinc=* \ | --oldin=* | --oldi=* | --old=* | --ol=* | --o=*) oldincludedir=$ac_optarg ;; -prefix | --prefix | --prefi | --pref | --pre | --pr | --p) ac_prev=prefix ;; -prefix=* | --prefix=* | --prefi=* | --pref=* | --pre=* | --pr=* | --p=*) prefix=$ac_optarg ;; -program-prefix | --program-prefix | --program-prefi | --program-pref \ | --program-pre | --program-pr | --program-p) ac_prev=program_prefix ;; -program-prefix=* | --program-prefix=* | --program-prefi=* \ | --program-pref=* | --program-pre=* | --program-pr=* | --program-p=*) program_prefix=$ac_optarg ;; -program-suffix | --program-suffix | --program-suffi | --program-suff \ | --program-suf | --program-su | --program-s) ac_prev=program_suffix ;; -program-suffix=* | --program-suffix=* | --program-suffi=* \ | --program-suff=* | --program-suf=* | --program-su=* | --program-s=*) program_suffix=$ac_optarg ;; -program-transform-name | --program-transform-name \ | --program-transform-nam | --program-transform-na \ | --program-transform-n | --program-transform- \ | --program-transform | --program-transfor \ | --program-transfo | --program-transf \ | --program-trans | --program-tran \ | --progr-tra | --program-tr | --program-t) ac_prev=program_transform_name ;; -program-transform-name=* | 
--program-transform-name=* \ | --program-transform-nam=* | --program-transform-na=* \ | --program-transform-n=* | --program-transform-=* \ | --program-transform=* | --program-transfor=* \ | --program-transfo=* | --program-transf=* \ | --program-trans=* | --program-tran=* \ | --progr-tra=* | --program-tr=* | --program-t=*) program_transform_name=$ac_optarg ;; -pdfdir | --pdfdir | --pdfdi | --pdfd | --pdf | --pd) ac_prev=pdfdir ;; -pdfdir=* | --pdfdir=* | --pdfdi=* | --pdfd=* | --pdf=* | --pd=*) pdfdir=$ac_optarg ;; -psdir | --psdir | --psdi | --psd | --ps) ac_prev=psdir ;; -psdir=* | --psdir=* | --psdi=* | --psd=* | --ps=*) psdir=$ac_optarg ;; -q | -quiet | --quiet | --quie | --qui | --qu | --q \ | -silent | --silent | --silen | --sile | --sil) silent=yes ;; -sbindir | --sbindir | --sbindi | --sbind | --sbin | --sbi | --sb) ac_prev=sbindir ;; -sbindir=* | --sbindir=* | --sbindi=* | --sbind=* | --sbin=* \ | --sbi=* | --sb=*) sbindir=$ac_optarg ;; -sharedstatedir | --sharedstatedir | --sharedstatedi \ | --sharedstated | --sharedstate | --sharedstat | --sharedsta \ | --sharedst | --shareds | --shared | --share | --shar \ | --sha | --sh) ac_prev=sharedstatedir ;; -sharedstatedir=* | --sharedstatedir=* | --sharedstatedi=* \ | --sharedstated=* | --sharedstate=* | --sharedstat=* | --sharedsta=* \ | --sharedst=* | --shareds=* | --shared=* | --share=* | --shar=* \ | --sha=* | --sh=*) sharedstatedir=$ac_optarg ;; -site | --site | --sit) ac_prev=site ;; -site=* | --site=* | --sit=*) site=$ac_optarg ;; -srcdir | --srcdir | --srcdi | --srcd | --src | --sr) ac_prev=srcdir ;; -srcdir=* | --srcdir=* | --srcdi=* | --srcd=* | --src=* | --sr=*) srcdir=$ac_optarg ;; -sysconfdir | --sysconfdir | --sysconfdi | --sysconfd | --sysconf \ | --syscon | --sysco | --sysc | --sys | --sy) ac_prev=sysconfdir ;; -sysconfdir=* | --sysconfdir=* | --sysconfdi=* | --sysconfd=* | --sysconf=* \ | --syscon=* | --sysco=* | --sysc=* | --sys=* | --sy=*) sysconfdir=$ac_optarg ;; -target | --target | --targe | 
--targ | --tar | --ta | --t) ac_prev=target_alias ;; -target=* | --target=* | --targe=* | --targ=* | --tar=* | --ta=* | --t=*) target_alias=$ac_optarg ;; -v | -verbose | --verbose | --verbos | --verbo | --verb) verbose=yes ;; -version | --version | --versio | --versi | --vers | -V) ac_init_version=: ;; -with-* | --with-*) ac_useropt=`expr "x$ac_option" : 'x-*with-\([^=]*\)'` # Reject names that are not valid shell variable names. expr "x$ac_useropt" : ".*[^-+._$as_cr_alnum]" >/dev/null && as_fn_error $? "invalid package name: $ac_useropt" ac_useropt_orig=$ac_useropt ac_useropt=`$as_echo "$ac_useropt" | sed 's/[-+.]/_/g'` case $ac_user_opts in *" "with_$ac_useropt" "*) ;; *) ac_unrecognized_opts="$ac_unrecognized_opts$ac_unrecognized_sep--with-$ac_useropt_orig" ac_unrecognized_sep=', ';; esac eval with_$ac_useropt=\$ac_optarg ;; -without-* | --without-*) ac_useropt=`expr "x$ac_option" : 'x-*without-\(.*\)'` # Reject names that are not valid shell variable names. expr "x$ac_useropt" : ".*[^-+._$as_cr_alnum]" >/dev/null && as_fn_error $? "invalid package name: $ac_useropt" ac_useropt_orig=$ac_useropt ac_useropt=`$as_echo "$ac_useropt" | sed 's/[-+.]/_/g'` case $ac_user_opts in *" "with_$ac_useropt" "*) ;; *) ac_unrecognized_opts="$ac_unrecognized_opts$ac_unrecognized_sep--without-$ac_useropt_orig" ac_unrecognized_sep=', ';; esac eval with_$ac_useropt=no ;; --x) # Obsolete; use --with-x. 
with_x=yes ;; -x-includes | --x-includes | --x-include | --x-includ | --x-inclu \ | --x-incl | --x-inc | --x-in | --x-i) ac_prev=x_includes ;; -x-includes=* | --x-includes=* | --x-include=* | --x-includ=* | --x-inclu=* \ | --x-incl=* | --x-inc=* | --x-in=* | --x-i=*) x_includes=$ac_optarg ;; -x-libraries | --x-libraries | --x-librarie | --x-librari \ | --x-librar | --x-libra | --x-libr | --x-lib | --x-li | --x-l) ac_prev=x_libraries ;; -x-libraries=* | --x-libraries=* | --x-librarie=* | --x-librari=* \ | --x-librar=* | --x-libra=* | --x-libr=* | --x-lib=* | --x-li=* | --x-l=*) x_libraries=$ac_optarg ;; -*) as_fn_error $? "unrecognized option: \`$ac_option' Try \`$0 --help' for more information" ;; *=*) ac_envvar=`expr "x$ac_option" : 'x\([^=]*\)='` # Reject names that are not valid shell variable names. case $ac_envvar in #( '' | [0-9]* | *[!_$as_cr_alnum]* ) as_fn_error $? "invalid variable name: \`$ac_envvar'" ;; esac eval $ac_envvar=\$ac_optarg export $ac_envvar ;; *) # FIXME: should be removed in autoconf 3.0. $as_echo "$as_me: WARNING: you should use --build, --host, --target" >&2 expr "x$ac_option" : ".*[^-._$as_cr_alnum]" >/dev/null && $as_echo "$as_me: WARNING: invalid host type: $ac_option" >&2 : "${build_alias=$ac_option} ${host_alias=$ac_option} ${target_alias=$ac_option}" ;; esac done if test -n "$ac_prev"; then ac_option=--`echo $ac_prev | sed 's/_/-/g'` as_fn_error $? "missing argument to $ac_option" fi if test -n "$ac_unrecognized_opts"; then case $enable_option_checking in no) ;; fatal) as_fn_error $? "unrecognized options: $ac_unrecognized_opts" ;; *) $as_echo "$as_me: WARNING: unrecognized options: $ac_unrecognized_opts" >&2 ;; esac fi # Check all directory arguments for consistency. for ac_var in exec_prefix prefix bindir sbindir libexecdir datarootdir \ datadir sysconfdir sharedstatedir localstatedir includedir \ oldincludedir docdir infodir htmldir dvidir pdfdir psdir \ libdir localedir mandir do eval ac_val=\$$ac_var # Remove trailing slashes. 
case $ac_val in */ ) ac_val=`expr "X$ac_val" : 'X\(.*[^/]\)' \| "X$ac_val" : 'X\(.*\)'` eval $ac_var=\$ac_val;; esac # Be sure to have absolute directory names. case $ac_val in [\\/$]* | ?:[\\/]* ) continue;; NONE | '' ) case $ac_var in *prefix ) continue;; esac;; esac as_fn_error $? "expected an absolute directory name for --$ac_var: $ac_val" done # There might be people who depend on the old broken behavior: `$host' # used to hold the argument of --host etc. # FIXME: To remove some day. build=$build_alias host=$host_alias target=$target_alias # FIXME: To remove some day. if test "x$host_alias" != x; then if test "x$build_alias" = x; then cross_compiling=maybe elif test "x$build_alias" != "x$host_alias"; then cross_compiling=yes fi fi ac_tool_prefix= test -n "$host_alias" && ac_tool_prefix=$host_alias- test "$silent" = yes && exec 6>/dev/null ac_pwd=`pwd` && test -n "$ac_pwd" && ac_ls_di=`ls -di .` && ac_pwd_ls_di=`cd "$ac_pwd" && ls -di .` || as_fn_error $? "working directory cannot be determined" test "X$ac_ls_di" = "X$ac_pwd_ls_di" || as_fn_error $? "pwd does not report name of working directory" # Find the source files, if location was not specified. if test -z "$srcdir"; then ac_srcdir_defaulted=yes # Try the directory containing this script, then the parent directory. ac_confdir=`$as_dirname -- "$as_myself" || $as_expr X"$as_myself" : 'X\(.*[^/]\)//*[^/][^/]*/*$' \| \ X"$as_myself" : 'X\(//\)[^/]' \| \ X"$as_myself" : 'X\(//\)$' \| \ X"$as_myself" : 'X\(/\)' \| . 2>/dev/null || $as_echo X"$as_myself" | sed '/^X\(.*[^/]\)\/\/*[^/][^/]*\/*$/{ s//\1/ q } /^X\(\/\/\)[^/].*/{ s//\1/ q } /^X\(\/\/\)$/{ s//\1/ q } /^X\(\/\).*/{ s//\1/ q } s/.*/./; q'` srcdir=$ac_confdir if test ! -r "$srcdir/$ac_unique_file"; then srcdir=.. fi else ac_srcdir_defaulted=no fi if test ! -r "$srcdir/$ac_unique_file"; then test "$ac_srcdir_defaulted" = yes && srcdir="$ac_confdir or .." as_fn_error $? 
"cannot find sources ($ac_unique_file) in $srcdir" fi ac_msg="sources are in $srcdir, but \`cd $srcdir' does not work" ac_abs_confdir=`( cd "$srcdir" && test -r "./$ac_unique_file" || as_fn_error $? "$ac_msg" pwd)` # When building in place, set srcdir=. if test "$ac_abs_confdir" = "$ac_pwd"; then srcdir=. fi # Remove unnecessary trailing slashes from srcdir. # Double slashes in file names in object file debugging info # mess up M-x gdb in Emacs. case $srcdir in */) srcdir=`expr "X$srcdir" : 'X\(.*[^/]\)' \| "X$srcdir" : 'X\(.*\)'`;; esac for ac_var in $ac_precious_vars; do eval ac_env_${ac_var}_set=\${${ac_var}+set} eval ac_env_${ac_var}_value=\$${ac_var} eval ac_cv_env_${ac_var}_set=\${${ac_var}+set} eval ac_cv_env_${ac_var}_value=\$${ac_var} done # # Report the --help message. # if test "$ac_init_help" = "long"; then # Omit some internal or obsolete options to make the list less imposing. # This message is too long to be a string in the A/UX 3.1 sh. cat <<_ACEOF \`configure' configures sagan 1.2.0 to adapt to many kinds of systems. Usage: $0 [OPTION]... [VAR=VALUE]... To assign environment variables (e.g., CC, CFLAGS...), specify them as VAR=VALUE. See below for descriptions of some of the useful variables. Defaults for the options are specified in brackets. Configuration: -h, --help display this help and exit --help=short display options specific to this package --help=recursive display the short help of all the included packages -V, --version display version information and exit -q, --quiet, --silent do not print \`checking ...' 
messages --cache-file=FILE cache test results in FILE [disabled] -C, --config-cache alias for \`--cache-file=config.cache' -n, --no-create do not create output files --srcdir=DIR find the sources in DIR [configure dir or \`..'] Installation directories: --prefix=PREFIX install architecture-independent files in PREFIX [$ac_default_prefix] --exec-prefix=EPREFIX install architecture-dependent files in EPREFIX [PREFIX] By default, \`make install' will install all the files in \`$ac_default_prefix/bin', \`$ac_default_prefix/lib' etc. You can specify an installation prefix other than \`$ac_default_prefix' using \`--prefix', for instance \`--prefix=\$HOME'. For better control, use the options below. Fine tuning of the installation directories: --bindir=DIR user executables [EPREFIX/bin] --sbindir=DIR system admin executables [EPREFIX/sbin] --libexecdir=DIR program executables [EPREFIX/libexec] --sysconfdir=DIR read-only single-machine data [PREFIX/etc] --sharedstatedir=DIR modifiable architecture-independent data [PREFIX/com] --localstatedir=DIR modifiable single-machine data [PREFIX/var] --libdir=DIR object code libraries [EPREFIX/lib] --includedir=DIR C header files [PREFIX/include] --oldincludedir=DIR C header files for non-gcc [/usr/include] --datarootdir=DIR read-only arch.-independent data root [PREFIX/share] --datadir=DIR read-only architecture-independent data [DATAROOTDIR] --infodir=DIR info documentation [DATAROOTDIR/info] --localedir=DIR locale-dependent data [DATAROOTDIR/locale] --mandir=DIR man documentation [DATAROOTDIR/man] --docdir=DIR documentation root [DATAROOTDIR/doc/sagan] --htmldir=DIR html documentation [DOCDIR] --dvidir=DIR dvi documentation [DOCDIR] --pdfdir=DIR pdf documentation [DOCDIR] --psdir=DIR ps documentation [DOCDIR] _ACEOF cat <<\_ACEOF Program names: --program-prefix=PREFIX prepend PREFIX to installed program names --program-suffix=SUFFIX append SUFFIX to installed program names --program-transform-name=PROGRAM run sed PROGRAM on 
installed program names System types: --build=BUILD configure for building on BUILD [guessed] --host=HOST cross-compile to build programs to run on HOST [BUILD] --target=TARGET configure for building compilers for TARGET [HOST] _ACEOF fi if test -n "$ac_init_help"; then case $ac_init_help in short | recursive ) echo "Configuration of sagan 1.2.0:";; esac cat <<\_ACEOF Optional Features: --disable-option-checking ignore unrecognized --enable/--with options --disable-FEATURE do not include FEATURE (same as --enable-FEATURE=no) --enable-FEATURE[=ARG] include FEATURE [ARG=yes] --enable-maintainer-mode enable make rules and dependencies not useful (and sometimes confusing) to the casual installer --disable-snortsam Disable Snortsam support. --enable-bluedot Enable Quadrant\'s "Bluedot" lookups. --enable-esmtp Enable libesmtp support. --enable-geoip2 Enable Maxmind GeoIP2 support. --disable-syslog Disable syslog support. --enable-system-strstr Enable system strstr. --enable-redis Enable Redis support. --disable-lognorm Disable Lognorm (liblognorm) support. --disable-libfastjson Disable libfastjson support. --disable-libpcap Disable libpcap (plog) support. --enable-libdnet Disable libdnet (unified2) support. 
--enable-dependency-tracking do not reject slow dependency extractors --disable-dependency-tracking speeds up one-time build --enable-silent-rules less verbose build output (undo: "make V=1") --disable-silent-rules verbose build output (undo: "make V=0") Optional Packages: --with-PACKAGE[=ARG] use PACKAGE [ARG=yes] --without-PACKAGE do not use PACKAGE (same as --with-PACKAGE=no) --with-esmtp-includes=DIR libesmtp include directory --with-esmtp-libraries=DIR libesmtp library directory --with-geoip2-includes=DIR Maxmind GeoIP2 include directory --with-geoip2-libraries=DIR Maxmind GeoIP2 library directory --with-lognorm-includes=DIR liblognorm include directory --with-lognorm-libraries=DIR liblognorm library directory --with-libfastjson-includes=DIR libfastjson include directory --with-libfastjson-libraries=DIR libfastjson library directory --with-libpcap-includes=DIR libpcap include directory --with-libpcap-libraries=DIR libpcap library directory --with-libdnet-includes=DIR libdnet include directory --with-libdnet-libraries=DIR libdnet library directory --with-libpthread-includes=DIR libpthread include directory --with-libpthread-libraries=DIR libpthread library directory --with-libyaml-includes=DIR libyaml include directory --with-libyaml-libraries=DIR libyaml library directory --with-libpcre-includes=DIR libpcre include directory --with-libpcre-libraries=DIR libpcre library directory Some influential environment variables: CC C compiler command CFLAGS C compiler flags LDFLAGS linker flags, e.g. -L if you have libraries in a nonstandard directory LIBS libraries to pass to the linker, e.g. -l CPPFLAGS (Objective) C/C++ preprocessor flags, e.g. 
-I if you have headers in a nonstandard directory CPP C preprocessor PKG_CONFIG path to pkg-config utility PKG_CONFIG_PATH directories to add to pkg-config's search path PKG_CONFIG_LIBDIR path overriding pkg-config's built-in search path CCAS assembler compiler command (defaults to CC) CCASFLAGS assembler compiler flags (defaults to CFLAGS) LIBPCREVERSION_CFLAGS C compiler flags for LIBPCREVERSION, overriding pkg-config LIBPCREVERSION_LIBS linker flags for LIBPCREVERSION, overriding pkg-config LIBFASTJSON_CFLAGS C compiler flags for LIBFASTJSON, overriding pkg-config LIBFASTJSON_LIBS linker flags for LIBFASTJSON, overriding pkg-config LIBESTR_CFLAGS C compiler flags for LIBESTR, overriding pkg-config LIBESTR_LIBS linker flags for LIBESTR, overriding pkg-config LIBLOGNORM_CFLAGS C compiler flags for LIBLOGNORM, overriding pkg-config LIBLOGNORM_LIBS linker flags for LIBLOGNORM, overriding pkg-config Use these variables to override the choices made by `configure' or to help it to find libraries and programs with nonstandard names/locations. Report bugs to the package provider. _ACEOF ac_status=$? fi if test "$ac_init_help" = "recursive"; then # If there are subdirs, report their specific --help. for ac_dir in : $ac_subdirs_all; do test "x$ac_dir" = x: && continue test -d "$ac_dir" || { cd "$srcdir" && ac_pwd=`pwd` && srcdir=. && test -d "$ac_dir"; } || continue ac_builddir=. case "$ac_dir" in .) ac_dir_suffix= ac_top_builddir_sub=. ac_top_build_prefix= ;; *) ac_dir_suffix=/`$as_echo "$ac_dir" | sed 's|^\.[\\/]||'` # A ".." for each directory in $ac_dir_suffix. ac_top_builddir_sub=`$as_echo "$ac_dir_suffix" | sed 's|/[^\\/]*|/..|g;s|/||'` case $ac_top_builddir_sub in "") ac_top_builddir_sub=. ac_top_build_prefix= ;; *) ac_top_build_prefix=$ac_top_builddir_sub/ ;; esac ;; esac ac_abs_top_builddir=$ac_pwd ac_abs_builddir=$ac_pwd$ac_dir_suffix # for backward compatibility: ac_top_builddir=$ac_top_build_prefix case $srcdir in .) # We are building in place. ac_srcdir=. 
ac_top_srcdir=$ac_top_builddir_sub ac_abs_top_srcdir=$ac_pwd ;; [\\/]* | ?:[\\/]* ) # Absolute name. ac_srcdir=$srcdir$ac_dir_suffix; ac_top_srcdir=$srcdir ac_abs_top_srcdir=$srcdir ;; *) # Relative name. ac_srcdir=$ac_top_build_prefix$srcdir$ac_dir_suffix ac_top_srcdir=$ac_top_build_prefix$srcdir ac_abs_top_srcdir=$ac_pwd/$srcdir ;; esac ac_abs_srcdir=$ac_abs_top_srcdir$ac_dir_suffix cd "$ac_dir" || { ac_status=$?; continue; } # Check for guested configure. if test -f "$ac_srcdir/configure.gnu"; then echo && $SHELL "$ac_srcdir/configure.gnu" --help=recursive elif test -f "$ac_srcdir/configure"; then echo && $SHELL "$ac_srcdir/configure" --help=recursive else $as_echo "$as_me: WARNING: no configuration information is in $ac_dir" >&2 fi || ac_status=$? cd "$ac_pwd" || { ac_status=$?; break; } done fi test -n "$ac_init_help" && exit $ac_status if $ac_init_version; then cat <<\_ACEOF sagan configure 1.2.0 generated by GNU Autoconf 2.69 Copyright (C) 2012 Free Software Foundation, Inc. This configure script is free software; the Free Software Foundation gives unlimited permission to copy, distribute and modify it. _ACEOF exit fi ## ------------------------ ## ## Autoconf initialization. ## ## ------------------------ ## # ac_fn_c_try_compile LINENO # -------------------------- # Try to compile conftest.$ac_ext, and return whether this succeeded. ac_fn_c_try_compile () { as_lineno=${as_lineno-"$1"} as_lineno_stack=as_lineno_stack=$as_lineno_stack rm -f conftest.$ac_objext if { { ac_try="$ac_compile" case "(($ac_try" in *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; *) ac_try_echo=$ac_try;; esac eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\"" $as_echo "$ac_try_echo"; } >&5 (eval "$ac_compile") 2>conftest.err ac_status=$? if test -s conftest.err; then grep -v '^ *+' conftest.err >conftest.er1 cat conftest.er1 >&5 mv -f conftest.er1 conftest.err fi $as_echo "$as_me:${as_lineno-$LINENO}: \$? 
= $ac_status" >&5 test $ac_status = 0; } && { test -z "$ac_c_werror_flag" || test ! -s conftest.err } && test -s conftest.$ac_objext; then : ac_retval=0 else $as_echo "$as_me: failed program was:" >&5 sed 's/^/| /' conftest.$ac_ext >&5 ac_retval=1 fi eval $as_lineno_stack; ${as_lineno_stack:+:} unset as_lineno as_fn_set_status $ac_retval } # ac_fn_c_try_compile # ac_fn_c_try_cpp LINENO # ---------------------- # Try to preprocess conftest.$ac_ext, and return whether this succeeded. ac_fn_c_try_cpp () { as_lineno=${as_lineno-"$1"} as_lineno_stack=as_lineno_stack=$as_lineno_stack if { { ac_try="$ac_cpp conftest.$ac_ext" case "(($ac_try" in *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; *) ac_try_echo=$ac_try;; esac eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\"" $as_echo "$ac_try_echo"; } >&5 (eval "$ac_cpp conftest.$ac_ext") 2>conftest.err ac_status=$? if test -s conftest.err; then grep -v '^ *+' conftest.err >conftest.er1 cat conftest.er1 >&5 mv -f conftest.er1 conftest.err fi $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 test $ac_status = 0; } > conftest.i && { test -z "$ac_c_preproc_warn_flag$ac_c_werror_flag" || test ! -s conftest.err }; then : ac_retval=0 else $as_echo "$as_me: failed program was:" >&5 sed 's/^/| /' conftest.$ac_ext >&5 ac_retval=1 fi eval $as_lineno_stack; ${as_lineno_stack:+:} unset as_lineno as_fn_set_status $ac_retval } # ac_fn_c_try_cpp # ac_fn_c_check_header_mongrel LINENO HEADER VAR INCLUDES # ------------------------------------------------------- # Tests whether HEADER exists, giving a warning if it cannot be compiled using # the include files in INCLUDES and setting the cache variable VAR # accordingly. ac_fn_c_check_header_mongrel () { as_lineno=${as_lineno-"$1"} as_lineno_stack=as_lineno_stack=$as_lineno_stack if eval \${$3+:} false; then : { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $2" >&5 $as_echo_n "checking for $2... 
" >&6; } if eval \${$3+:} false; then : $as_echo_n "(cached) " >&6 fi eval ac_res=\$$3 { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_res" >&5 $as_echo "$ac_res" >&6; } else # Is the header compilable? { $as_echo "$as_me:${as_lineno-$LINENO}: checking $2 usability" >&5 $as_echo_n "checking $2 usability... " >&6; } cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ $4 #include <$2> _ACEOF if ac_fn_c_try_compile "$LINENO"; then : ac_header_compiler=yes else ac_header_compiler=no fi rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_header_compiler" >&5 $as_echo "$ac_header_compiler" >&6; } # Is the header present? { $as_echo "$as_me:${as_lineno-$LINENO}: checking $2 presence" >&5 $as_echo_n "checking $2 presence... " >&6; } cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ #include <$2> _ACEOF if ac_fn_c_try_cpp "$LINENO"; then : ac_header_preproc=yes else ac_header_preproc=no fi rm -f conftest.err conftest.i conftest.$ac_ext { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_header_preproc" >&5 $as_echo "$ac_header_preproc" >&6; } # So? What about this header? case $ac_header_compiler:$ac_header_preproc:$ac_c_preproc_warn_flag in #(( yes:no: ) { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: $2: accepted by the compiler, rejected by the preprocessor!" >&5 $as_echo "$as_me: WARNING: $2: accepted by the compiler, rejected by the preprocessor!" >&2;} { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: $2: proceeding with the compiler's result" >&5 $as_echo "$as_me: WARNING: $2: proceeding with the compiler's result" >&2;} ;; no:yes:* ) { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: $2: present but cannot be compiled" >&5 $as_echo "$as_me: WARNING: $2: present but cannot be compiled" >&2;} { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: $2: check for missing prerequisite headers?" >&5 $as_echo "$as_me: WARNING: $2: check for missing prerequisite headers?" 
>&2;} { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: $2: see the Autoconf documentation" >&5 $as_echo "$as_me: WARNING: $2: see the Autoconf documentation" >&2;} { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: $2: section \"Present But Cannot Be Compiled\"" >&5 $as_echo "$as_me: WARNING: $2: section \"Present But Cannot Be Compiled\"" >&2;} { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: $2: proceeding with the compiler's result" >&5 $as_echo "$as_me: WARNING: $2: proceeding with the compiler's result" >&2;} ;; esac { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $2" >&5 $as_echo_n "checking for $2... " >&6; } if eval \${$3+:} false; then : $as_echo_n "(cached) " >&6 else eval "$3=\$ac_header_compiler" fi eval ac_res=\$$3 { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_res" >&5 $as_echo "$ac_res" >&6; } fi eval $as_lineno_stack; ${as_lineno_stack:+:} unset as_lineno } # ac_fn_c_check_header_mongrel # ac_fn_c_try_run LINENO # ---------------------- # Try to link conftest.$ac_ext, and return whether this succeeded. Assumes # that executables *can* be run. ac_fn_c_try_run () { as_lineno=${as_lineno-"$1"} as_lineno_stack=as_lineno_stack=$as_lineno_stack if { { ac_try="$ac_link" case "(($ac_try" in *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; *) ac_try_echo=$ac_try;; esac eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\"" $as_echo "$ac_try_echo"; } >&5 (eval "$ac_link") 2>&5 ac_status=$? $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 test $ac_status = 0; } && { ac_try='./conftest$ac_exeext' { { case "(($ac_try" in *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; *) ac_try_echo=$ac_try;; esac eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\"" $as_echo "$ac_try_echo"; } >&5 (eval "$ac_try") 2>&5 ac_status=$? $as_echo "$as_me:${as_lineno-$LINENO}: \$? 
= $ac_status" >&5 test $ac_status = 0; }; }; then : ac_retval=0 else $as_echo "$as_me: program exited with status $ac_status" >&5 $as_echo "$as_me: failed program was:" >&5 sed 's/^/| /' conftest.$ac_ext >&5 ac_retval=$ac_status fi rm -rf conftest.dSYM conftest_ipa8_conftest.oo eval $as_lineno_stack; ${as_lineno_stack:+:} unset as_lineno as_fn_set_status $ac_retval } # ac_fn_c_try_run # ac_fn_c_check_header_compile LINENO HEADER VAR INCLUDES # ------------------------------------------------------- # Tests whether HEADER exists and can be compiled using the include files in # INCLUDES, setting the cache variable VAR accordingly. ac_fn_c_check_header_compile () { as_lineno=${as_lineno-"$1"} as_lineno_stack=as_lineno_stack=$as_lineno_stack { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $2" >&5 $as_echo_n "checking for $2... " >&6; } if eval \${$3+:} false; then : $as_echo_n "(cached) " >&6 else cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ $4 #include <$2> _ACEOF if ac_fn_c_try_compile "$LINENO"; then : eval "$3=yes" else eval "$3=no" fi rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext fi eval ac_res=\$$3 { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_res" >&5 $as_echo "$ac_res" >&6; } eval $as_lineno_stack; ${as_lineno_stack:+:} unset as_lineno } # ac_fn_c_check_header_compile # ac_fn_c_compute_int LINENO EXPR VAR INCLUDES # -------------------------------------------- # Tries to find the compile-time value of EXPR in a program that includes # INCLUDES, setting VAR accordingly. Returns whether the value could be # computed ac_fn_c_compute_int () { as_lineno=${as_lineno-"$1"} as_lineno_stack=as_lineno_stack=$as_lineno_stack if test "$cross_compiling" = yes; then # Depending upon the size, compute the lo and hi bounds. cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. 
*/ $4 int main () { static int test_array [1 - 2 * !(($2) >= 0)]; test_array [0] = 0; return test_array [0]; ; return 0; } _ACEOF if ac_fn_c_try_compile "$LINENO"; then : ac_lo=0 ac_mid=0 while :; do cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ $4 int main () { static int test_array [1 - 2 * !(($2) <= $ac_mid)]; test_array [0] = 0; return test_array [0]; ; return 0; } _ACEOF if ac_fn_c_try_compile "$LINENO"; then : ac_hi=$ac_mid; break else as_fn_arith $ac_mid + 1 && ac_lo=$as_val if test $ac_lo -le $ac_mid; then ac_lo= ac_hi= break fi as_fn_arith 2 '*' $ac_mid + 1 && ac_mid=$as_val fi rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext done else cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ $4 int main () { static int test_array [1 - 2 * !(($2) < 0)]; test_array [0] = 0; return test_array [0]; ; return 0; } _ACEOF if ac_fn_c_try_compile "$LINENO"; then : ac_hi=-1 ac_mid=-1 while :; do cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ $4 int main () { static int test_array [1 - 2 * !(($2) >= $ac_mid)]; test_array [0] = 0; return test_array [0]; ; return 0; } _ACEOF if ac_fn_c_try_compile "$LINENO"; then : ac_lo=$ac_mid; break else as_fn_arith '(' $ac_mid ')' - 1 && ac_hi=$as_val if test $ac_mid -le $ac_hi; then ac_lo= ac_hi= break fi as_fn_arith 2 '*' $ac_mid && ac_mid=$as_val fi rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext done else ac_lo= ac_hi= fi rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext fi rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext # Binary search between lo and hi bounds. while test "x$ac_lo" != "x$ac_hi"; do as_fn_arith '(' $ac_hi - $ac_lo ')' / 2 + $ac_lo && ac_mid=$as_val cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. 
*/ $4 int main () { static int test_array [1 - 2 * !(($2) <= $ac_mid)]; test_array [0] = 0; return test_array [0]; ; return 0; } _ACEOF if ac_fn_c_try_compile "$LINENO"; then : ac_hi=$ac_mid else as_fn_arith '(' $ac_mid ')' + 1 && ac_lo=$as_val fi rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext done case $ac_lo in #(( ?*) eval "$3=\$ac_lo"; ac_retval=0 ;; '') ac_retval=1 ;; esac else cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ $4 static long int longval () { return $2; } static unsigned long int ulongval () { return $2; } #include #include int main () { FILE *f = fopen ("conftest.val", "w"); if (! f) return 1; if (($2) < 0) { long int i = longval (); if (i != ($2)) return 1; fprintf (f, "%ld", i); } else { unsigned long int i = ulongval (); if (i != ($2)) return 1; fprintf (f, "%lu", i); } /* Do not output a trailing newline, as this causes \r\n confusion on some platforms. */ return ferror (f) || fclose (f) != 0; ; return 0; } _ACEOF if ac_fn_c_try_run "$LINENO"; then : echo >>conftest.val; read $3 &5 (eval "$ac_link") 2>conftest.err ac_status=$? if test -s conftest.err; then grep -v '^ *+' conftest.err >conftest.er1 cat conftest.er1 >&5 mv -f conftest.er1 conftest.err fi $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 test $ac_status = 0; } && { test -z "$ac_c_werror_flag" || test ! -s conftest.err } && test -s conftest$ac_exeext && { test "$cross_compiling" = yes || test -x conftest$ac_exeext }; then : ac_retval=0 else $as_echo "$as_me: failed program was:" >&5 sed 's/^/| /' conftest.$ac_ext >&5 ac_retval=1 fi # Delete the IPA/IPO (Inter Procedural Analysis/Optimization) information # created by the PGI compiler (conftest_ipa8_conftest.oo), as it would # interfere with the next link command; also delete a directory that is # left behind by Apple's compiler. We do this before executing the actions. 
rm -rf conftest.dSYM conftest_ipa8_conftest.oo eval $as_lineno_stack; ${as_lineno_stack:+:} unset as_lineno as_fn_set_status $ac_retval } # ac_fn_c_try_link # ac_fn_c_check_func LINENO FUNC VAR # ---------------------------------- # Tests whether FUNC exists, setting the cache variable VAR accordingly ac_fn_c_check_func () { as_lineno=${as_lineno-"$1"} as_lineno_stack=as_lineno_stack=$as_lineno_stack { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $2" >&5 $as_echo_n "checking for $2... " >&6; } if eval \${$3+:} false; then : $as_echo_n "(cached) " >&6 else cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ /* Define $2 to an innocuous variant, in case declares $2. For example, HP-UX 11i declares gettimeofday. */ #define $2 innocuous_$2 /* System header to define __stub macros and hopefully few prototypes, which can conflict with char $2 (); below. Prefer to if __STDC__ is defined, since exists even on freestanding compilers. */ #ifdef __STDC__ # include #else # include #endif #undef $2 /* Override any GCC internal prototype to avoid an error. Use char because int might match the return type of a GCC builtin and then its argument prototype would still apply. */ #ifdef __cplusplus extern "C" #endif char $2 (); /* The GNU C library defines this for functions which it implements to always fail with ENOSYS. Some functions are actually named something starting with __ and the normal name is an alias. 
*/ #if defined __stub_$2 || defined __stub___$2 choke me #endif int main () { return $2 (); ; return 0; } _ACEOF if ac_fn_c_try_link "$LINENO"; then : eval "$3=yes" else eval "$3=no" fi rm -f core conftest.err conftest.$ac_objext \ conftest$ac_exeext conftest.$ac_ext fi eval ac_res=\$$3 { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_res" >&5 $as_echo "$ac_res" >&6; } eval $as_lineno_stack; ${as_lineno_stack:+:} unset as_lineno } # ac_fn_c_check_func # ac_fn_c_check_type LINENO TYPE VAR INCLUDES # ------------------------------------------- # Tests whether TYPE exists after having included INCLUDES, setting cache # variable VAR accordingly. ac_fn_c_check_type () { as_lineno=${as_lineno-"$1"} as_lineno_stack=as_lineno_stack=$as_lineno_stack { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $2" >&5 $as_echo_n "checking for $2... " >&6; } if eval \${$3+:} false; then : $as_echo_n "(cached) " >&6 else eval "$3=no" cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ $4 int main () { if (sizeof ($2)) return 0; ; return 0; } _ACEOF if ac_fn_c_try_compile "$LINENO"; then : cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ $4 int main () { if (sizeof (($2))) return 0; ; return 0; } _ACEOF if ac_fn_c_try_compile "$LINENO"; then : else eval "$3=yes" fi rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext fi rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext fi eval ac_res=\$$3 { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_res" >&5 $as_echo "$ac_res" >&6; } eval $as_lineno_stack; ${as_lineno_stack:+:} unset as_lineno } # ac_fn_c_check_type cat >config.log <<_ACEOF This file contains any messages produced by compilers while running configure, to aid debugging if configure makes a mistake. It was created by sagan $as_me 1.2.0, which was generated by GNU Autoconf 2.69. Invocation command line was $ $0 $@ _ACEOF exec 5>>config.log { cat <<_ASUNAME ## --------- ## ## Platform. 
## ## --------- ## hostname = `(hostname || uname -n) 2>/dev/null | sed 1q` uname -m = `(uname -m) 2>/dev/null || echo unknown` uname -r = `(uname -r) 2>/dev/null || echo unknown` uname -s = `(uname -s) 2>/dev/null || echo unknown` uname -v = `(uname -v) 2>/dev/null || echo unknown` /usr/bin/uname -p = `(/usr/bin/uname -p) 2>/dev/null || echo unknown` /bin/uname -X = `(/bin/uname -X) 2>/dev/null || echo unknown` /bin/arch = `(/bin/arch) 2>/dev/null || echo unknown` /usr/bin/arch -k = `(/usr/bin/arch -k) 2>/dev/null || echo unknown` /usr/convex/getsysinfo = `(/usr/convex/getsysinfo) 2>/dev/null || echo unknown` /usr/bin/hostinfo = `(/usr/bin/hostinfo) 2>/dev/null || echo unknown` /bin/machine = `(/bin/machine) 2>/dev/null || echo unknown` /usr/bin/oslevel = `(/usr/bin/oslevel) 2>/dev/null || echo unknown` /bin/universe = `(/bin/universe) 2>/dev/null || echo unknown` _ASUNAME as_save_IFS=$IFS; IFS=$PATH_SEPARATOR for as_dir in $PATH do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. $as_echo "PATH: $as_dir" done IFS=$as_save_IFS } >&5 cat >&5 <<_ACEOF ## ----------- ## ## Core tests. ## ## ----------- ## _ACEOF # Keep a trace of the command line. # Strip out --no-create and --no-recursion so they do not pile up. # Strip out --silent because we don't want to record it for future runs. # Also quote any args containing shell meta-characters. # Make two passes to allow for proper duplicate-argument suppression. 
ac_configure_args= ac_configure_args0= ac_configure_args1= ac_must_keep_next=false for ac_pass in 1 2 do for ac_arg do case $ac_arg in -no-create | --no-c* | -n | -no-recursion | --no-r*) continue ;; -q | -quiet | --quiet | --quie | --qui | --qu | --q \ | -silent | --silent | --silen | --sile | --sil) continue ;; *\'*) ac_arg=`$as_echo "$ac_arg" | sed "s/'/'\\\\\\\\''/g"` ;; esac case $ac_pass in 1) as_fn_append ac_configure_args0 " '$ac_arg'" ;; 2) as_fn_append ac_configure_args1 " '$ac_arg'" if test $ac_must_keep_next = true; then ac_must_keep_next=false # Got value, back to normal. else case $ac_arg in *=* | --config-cache | -C | -disable-* | --disable-* \ | -enable-* | --enable-* | -gas | --g* | -nfp | --nf* \ | -q | -quiet | --q* | -silent | --sil* | -v | -verb* \ | -with-* | --with-* | -without-* | --without-* | --x) case "$ac_configure_args0 " in "$ac_configure_args1"*" '$ac_arg' "* ) continue ;; esac ;; -* ) ac_must_keep_next=true ;; esac fi as_fn_append ac_configure_args " '$ac_arg'" ;; esac done done { ac_configure_args0=; unset ac_configure_args0;} { ac_configure_args1=; unset ac_configure_args1;} # When interrupted or exit'd, cleanup temporary files, and complete # config.log. We remove comments because anyway the quotes in there # would cause problems or look ugly. # WARNING: Use '\'' to represent an apostrophe within the trap. # WARNING: Do not start the trap code with a newline, due to a FreeBSD 4.0 bug. trap 'exit_status=$? # Save into config.log some information that might help in debugging. { echo $as_echo "## ---------------- ## ## Cache variables. 
## ## ---------------- ##" echo # The following way of writing the cache mishandles newlines in values, ( for ac_var in `(set) 2>&1 | sed -n '\''s/^\([a-zA-Z_][a-zA-Z0-9_]*\)=.*/\1/p'\''`; do eval ac_val=\$$ac_var case $ac_val in #( *${as_nl}*) case $ac_var in #( *_cv_*) { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: cache variable $ac_var contains a newline" >&5 $as_echo "$as_me: WARNING: cache variable $ac_var contains a newline" >&2;} ;; esac case $ac_var in #( _ | IFS | as_nl) ;; #( BASH_ARGV | BASH_SOURCE) eval $ac_var= ;; #( *) { eval $ac_var=; unset $ac_var;} ;; esac ;; esac done (set) 2>&1 | case $as_nl`(ac_space='\'' '\''; set) 2>&1` in #( *${as_nl}ac_space=\ *) sed -n \ "s/'\''/'\''\\\\'\'''\''/g; s/^\\([_$as_cr_alnum]*_cv_[_$as_cr_alnum]*\\)=\\(.*\\)/\\1='\''\\2'\''/p" ;; #( *) sed -n "/^[_$as_cr_alnum]*_cv_[_$as_cr_alnum]*=/p" ;; esac | sort ) echo $as_echo "## ----------------- ## ## Output variables. ## ## ----------------- ##" echo for ac_var in $ac_subst_vars do eval ac_val=\$$ac_var case $ac_val in *\'\''*) ac_val=`$as_echo "$ac_val" | sed "s/'\''/'\''\\\\\\\\'\'''\''/g"`;; esac $as_echo "$ac_var='\''$ac_val'\''" done | sort echo if test -n "$ac_subst_files"; then $as_echo "## ------------------- ## ## File substitutions. ## ## ------------------- ##" echo for ac_var in $ac_subst_files do eval ac_val=\$$ac_var case $ac_val in *\'\''*) ac_val=`$as_echo "$ac_val" | sed "s/'\''/'\''\\\\\\\\'\'''\''/g"`;; esac $as_echo "$ac_var='\''$ac_val'\''" done | sort echo fi if test -s confdefs.h; then $as_echo "## ----------- ## ## confdefs.h. 
## ## ----------- ##" echo cat confdefs.h echo fi test "$ac_signal" != 0 && $as_echo "$as_me: caught signal $ac_signal" $as_echo "$as_me: exit $exit_status" } >&5 rm -f core *.core core.conftest.* && rm -f -r conftest* confdefs* conf$$* $ac_clean_files && exit $exit_status ' 0 for ac_signal in 1 2 13 15; do trap 'ac_signal='$ac_signal'; as_fn_exit 1' $ac_signal done ac_signal=0 # confdefs.h avoids OS command line length limits that DEFS can exceed. rm -f -r conftest* confdefs.h $as_echo "/* confdefs.h */" > confdefs.h # Predefined preprocessor variables. cat >>confdefs.h <<_ACEOF #define PACKAGE_NAME "$PACKAGE_NAME" _ACEOF cat >>confdefs.h <<_ACEOF #define PACKAGE_TARNAME "$PACKAGE_TARNAME" _ACEOF cat >>confdefs.h <<_ACEOF #define PACKAGE_VERSION "$PACKAGE_VERSION" _ACEOF cat >>confdefs.h <<_ACEOF #define PACKAGE_STRING "$PACKAGE_STRING" _ACEOF cat >>confdefs.h <<_ACEOF #define PACKAGE_BUGREPORT "$PACKAGE_BUGREPORT" _ACEOF cat >>confdefs.h <<_ACEOF #define PACKAGE_URL "$PACKAGE_URL" _ACEOF # Let the site file select an alternate cache file if it wants to. # Prefer an explicitly selected file to automatically selected ones. ac_site_file1=NONE ac_site_file2=NONE if test -n "$CONFIG_SITE"; then # We do not want a PATH search for config.site. case $CONFIG_SITE in #(( -*) ac_site_file1=./$CONFIG_SITE;; */*) ac_site_file1=$CONFIG_SITE;; *) ac_site_file1=./$CONFIG_SITE;; esac elif test "x$prefix" != xNONE; then ac_site_file1=$prefix/share/config.site ac_site_file2=$prefix/etc/config.site else ac_site_file1=$ac_default_prefix/share/config.site ac_site_file2=$ac_default_prefix/etc/config.site fi for ac_site_file in "$ac_site_file1" "$ac_site_file2" do test "x$ac_site_file" = xNONE && continue if test /dev/null != "$ac_site_file" && test -r "$ac_site_file"; then { $as_echo "$as_me:${as_lineno-$LINENO}: loading site script $ac_site_file" >&5 $as_echo "$as_me: loading site script $ac_site_file" >&6;} sed 's/^/| /' "$ac_site_file" >&5 . 
"$ac_site_file" \ || { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5 $as_echo "$as_me: error: in \`$ac_pwd':" >&2;} as_fn_error $? "failed to load site script $ac_site_file See \`config.log' for more details" "$LINENO" 5; } fi done if test -r "$cache_file"; then # Some versions of bash will fail to source /dev/null (special files # actually), so we avoid doing that. DJGPP emulates it as a regular file. if test /dev/null != "$cache_file" && test -f "$cache_file"; then { $as_echo "$as_me:${as_lineno-$LINENO}: loading cache $cache_file" >&5 $as_echo "$as_me: loading cache $cache_file" >&6;} case $cache_file in [\\/]* | ?:[\\/]* ) . "$cache_file";; *) . "./$cache_file";; esac fi else { $as_echo "$as_me:${as_lineno-$LINENO}: creating cache $cache_file" >&5 $as_echo "$as_me: creating cache $cache_file" >&6;} >$cache_file fi # Check that the precious variables saved in the cache have kept the same # value. ac_cache_corrupted=false for ac_var in $ac_precious_vars; do eval ac_old_set=\$ac_cv_env_${ac_var}_set eval ac_new_set=\$ac_env_${ac_var}_set eval ac_old_val=\$ac_cv_env_${ac_var}_value eval ac_new_val=\$ac_env_${ac_var}_value case $ac_old_set,$ac_new_set in set,) { $as_echo "$as_me:${as_lineno-$LINENO}: error: \`$ac_var' was set to \`$ac_old_val' in the previous run" >&5 $as_echo "$as_me: error: \`$ac_var' was set to \`$ac_old_val' in the previous run" >&2;} ac_cache_corrupted=: ;; ,set) { $as_echo "$as_me:${as_lineno-$LINENO}: error: \`$ac_var' was not set in the previous run" >&5 $as_echo "$as_me: error: \`$ac_var' was not set in the previous run" >&2;} ac_cache_corrupted=: ;; ,);; *) if test "x$ac_old_val" != "x$ac_new_val"; then # differences in whitespace do not lead to failure. 
ac_old_val_w=`echo x $ac_old_val` ac_new_val_w=`echo x $ac_new_val` if test "$ac_old_val_w" != "$ac_new_val_w"; then { $as_echo "$as_me:${as_lineno-$LINENO}: error: \`$ac_var' has changed since the previous run:" >&5 $as_echo "$as_me: error: \`$ac_var' has changed since the previous run:" >&2;} ac_cache_corrupted=: else { $as_echo "$as_me:${as_lineno-$LINENO}: warning: ignoring whitespace changes in \`$ac_var' since the previous run:" >&5 $as_echo "$as_me: warning: ignoring whitespace changes in \`$ac_var' since the previous run:" >&2;} eval $ac_var=\$ac_old_val fi { $as_echo "$as_me:${as_lineno-$LINENO}: former value: \`$ac_old_val'" >&5 $as_echo "$as_me: former value: \`$ac_old_val'" >&2;} { $as_echo "$as_me:${as_lineno-$LINENO}: current value: \`$ac_new_val'" >&5 $as_echo "$as_me: current value: \`$ac_new_val'" >&2;} fi;; esac # Pass precious variables to config.status. if test "$ac_new_set" = set; then case $ac_new_val in *\'*) ac_arg=$ac_var=`$as_echo "$ac_new_val" | sed "s/'/'\\\\\\\\''/g"` ;; *) ac_arg=$ac_var=$ac_new_val ;; esac case " $ac_configure_args " in *" '$ac_arg' "*) ;; # Avoid dups. Use of quotes ensures accuracy. *) as_fn_append ac_configure_args " '$ac_arg'" ;; esac fi done if $ac_cache_corrupted; then { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5 $as_echo "$as_me: error: in \`$ac_pwd':" >&2;} { $as_echo "$as_me:${as_lineno-$LINENO}: error: changes in the environment can compromise the build" >&5 $as_echo "$as_me: error: changes in the environment can compromise the build" >&2;} as_fn_error $? "run \`make distclean' and/or \`rm $cache_file' and start over" "$LINENO" 5 fi ## -------------------- ## ## Main body of script. ## ## -------------------- ## ac_ext=c ac_cpp='$CPP $CPPFLAGS' ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5' ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5' ac_compiler_gnu=$ac_cv_c_compiler_gnu ac_aux_dir= for ac_dir in "$srcdir" "$srcdir/.." 
"$srcdir/../.."; do if test -f "$ac_dir/install-sh"; then ac_aux_dir=$ac_dir ac_install_sh="$ac_aux_dir/install-sh -c" break elif test -f "$ac_dir/install.sh"; then ac_aux_dir=$ac_dir ac_install_sh="$ac_aux_dir/install.sh -c" break elif test -f "$ac_dir/shtool"; then ac_aux_dir=$ac_dir ac_install_sh="$ac_aux_dir/shtool install -c" break fi done if test -z "$ac_aux_dir"; then as_fn_error $? "cannot find install-sh, install.sh, or shtool in \"$srcdir\" \"$srcdir/..\" \"$srcdir/../..\"" "$LINENO" 5 fi # These three variables are undocumented and unsupported, # and are intended to be withdrawn in a future Autoconf release. # They can cause serious problems if a builder's source tree is in a directory # whose full name contains unusual characters. ac_config_guess="$SHELL $ac_aux_dir/config.guess" # Please don't use this var. ac_config_sub="$SHELL $ac_aux_dir/config.sub" # Please don't use this var. ac_configure="$SHELL $ac_aux_dir/configure" # Please don't use this var. # Make sure we can run config.sub. $SHELL "$ac_aux_dir/config.sub" sun4 >/dev/null 2>&1 || as_fn_error $? "cannot run $SHELL $ac_aux_dir/config.sub" "$LINENO" 5 { $as_echo "$as_me:${as_lineno-$LINENO}: checking build system type" >&5 $as_echo_n "checking build system type... " >&6; } if ${ac_cv_build+:} false; then : $as_echo_n "(cached) " >&6 else ac_build_alias=$build_alias test "x$ac_build_alias" = x && ac_build_alias=`$SHELL "$ac_aux_dir/config.guess"` test "x$ac_build_alias" = x && as_fn_error $? "cannot guess build type; you must specify one" "$LINENO" 5 ac_cv_build=`$SHELL "$ac_aux_dir/config.sub" $ac_build_alias` || as_fn_error $? "$SHELL $ac_aux_dir/config.sub $ac_build_alias failed" "$LINENO" 5 fi { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_build" >&5 $as_echo "$ac_cv_build" >&6; } case $ac_cv_build in *-*-*) ;; *) as_fn_error $? 
"invalid value of canonical build" "$LINENO" 5;; esac build=$ac_cv_build ac_save_IFS=$IFS; IFS='-' set x $ac_cv_build shift build_cpu=$1 build_vendor=$2 shift; shift # Remember, the first character of IFS is used to create $*, # except with old shells: build_os=$* IFS=$ac_save_IFS case $build_os in *\ *) build_os=`echo "$build_os" | sed 's/ /-/g'`;; esac { $as_echo "$as_me:${as_lineno-$LINENO}: checking host system type" >&5 $as_echo_n "checking host system type... " >&6; } if ${ac_cv_host+:} false; then : $as_echo_n "(cached) " >&6 else if test "x$host_alias" = x; then ac_cv_host=$ac_cv_build else ac_cv_host=`$SHELL "$ac_aux_dir/config.sub" $host_alias` || as_fn_error $? "$SHELL $ac_aux_dir/config.sub $host_alias failed" "$LINENO" 5 fi fi { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_host" >&5 $as_echo "$ac_cv_host" >&6; } case $ac_cv_host in *-*-*) ;; *) as_fn_error $? "invalid value of canonical host" "$LINENO" 5;; esac host=$ac_cv_host ac_save_IFS=$IFS; IFS='-' set x $ac_cv_host shift host_cpu=$1 host_vendor=$2 shift; shift # Remember, the first character of IFS is used to create $*, # except with old shells: host_os=$* IFS=$ac_save_IFS case $host_os in *\ *) host_os=`echo "$host_os" | sed 's/ /-/g'`;; esac { $as_echo "$as_me:${as_lineno-$LINENO}: checking target system type" >&5 $as_echo_n "checking target system type... " >&6; } if ${ac_cv_target+:} false; then : $as_echo_n "(cached) " >&6 else if test "x$target_alias" = x; then ac_cv_target=$ac_cv_host else ac_cv_target=`$SHELL "$ac_aux_dir/config.sub" $target_alias` || as_fn_error $? "$SHELL $ac_aux_dir/config.sub $target_alias failed" "$LINENO" 5 fi fi { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_target" >&5 $as_echo "$ac_cv_target" >&6; } case $ac_cv_target in *-*-*) ;; *) as_fn_error $? 
"invalid value of canonical target" "$LINENO" 5;; esac target=$ac_cv_target ac_save_IFS=$IFS; IFS='-' set x $ac_cv_target shift target_cpu=$1 target_vendor=$2 shift; shift # Remember, the first character of IFS is used to create $*, # except with old shells: target_os=$* IFS=$ac_save_IFS case $target_os in *\ *) target_os=`echo "$target_os" | sed 's/ /-/g'`;; esac # The aliases save the names the user supplied, while $host etc. # will get canonicalized. test -n "$target_alias" && test "$program_prefix$program_suffix$program_transform_name" = \ NONENONEs,x,x, && program_prefix=${target_alias}- # Expand $ac_aux_dir to an absolute path. am_aux_dir=`cd "$ac_aux_dir" && pwd` ac_ext=c ac_cpp='$CPP $CPPFLAGS' ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5' ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5' ac_compiler_gnu=$ac_cv_c_compiler_gnu if test -n "$ac_tool_prefix"; then # Extract the first word of "${ac_tool_prefix}gcc", so it can be a program name with args. set dummy ${ac_tool_prefix}gcc; ac_word=$2 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 $as_echo_n "checking for $ac_word... " >&6; } if ${ac_cv_prog_CC+:} false; then : $as_echo_n "(cached) " >&6 else if test -n "$CC"; then ac_cv_prog_CC="$CC" # Let the user override the test. else as_save_IFS=$IFS; IFS=$PATH_SEPARATOR for as_dir in $PATH do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. 
for ac_exec_ext in '' $ac_executable_extensions; do if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then ac_cv_prog_CC="${ac_tool_prefix}gcc" $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 break 2 fi done done IFS=$as_save_IFS fi fi CC=$ac_cv_prog_CC if test -n "$CC"; then { $as_echo "$as_me:${as_lineno-$LINENO}: result: $CC" >&5 $as_echo "$CC" >&6; } else { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 $as_echo "no" >&6; } fi fi if test -z "$ac_cv_prog_CC"; then ac_ct_CC=$CC # Extract the first word of "gcc", so it can be a program name with args. set dummy gcc; ac_word=$2 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 $as_echo_n "checking for $ac_word... " >&6; } if ${ac_cv_prog_ac_ct_CC+:} false; then : $as_echo_n "(cached) " >&6 else if test -n "$ac_ct_CC"; then ac_cv_prog_ac_ct_CC="$ac_ct_CC" # Let the user override the test. else as_save_IFS=$IFS; IFS=$PATH_SEPARATOR for as_dir in $PATH do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. 
for ac_exec_ext in '' $ac_executable_extensions; do if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then ac_cv_prog_ac_ct_CC="gcc" $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 break 2 fi done done IFS=$as_save_IFS fi fi ac_ct_CC=$ac_cv_prog_ac_ct_CC if test -n "$ac_ct_CC"; then { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_ct_CC" >&5 $as_echo "$ac_ct_CC" >&6; } else { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 $as_echo "no" >&6; } fi if test "x$ac_ct_CC" = x; then CC="" else case $cross_compiling:$ac_tool_warned in yes:) { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: using cross tools not prefixed with host triplet" >&5 $as_echo "$as_me: WARNING: using cross tools not prefixed with host triplet" >&2;} ac_tool_warned=yes ;; esac CC=$ac_ct_CC fi else CC="$ac_cv_prog_CC" fi if test -z "$CC"; then if test -n "$ac_tool_prefix"; then # Extract the first word of "${ac_tool_prefix}cc", so it can be a program name with args. set dummy ${ac_tool_prefix}cc; ac_word=$2 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 $as_echo_n "checking for $ac_word... " >&6; } if ${ac_cv_prog_CC+:} false; then : $as_echo_n "(cached) " >&6 else if test -n "$CC"; then ac_cv_prog_CC="$CC" # Let the user override the test. else as_save_IFS=$IFS; IFS=$PATH_SEPARATOR for as_dir in $PATH do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. for ac_exec_ext in '' $ac_executable_extensions; do if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then ac_cv_prog_CC="${ac_tool_prefix}cc" $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 break 2 fi done done IFS=$as_save_IFS fi fi CC=$ac_cv_prog_CC if test -n "$CC"; then { $as_echo "$as_me:${as_lineno-$LINENO}: result: $CC" >&5 $as_echo "$CC" >&6; } else { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 $as_echo "no" >&6; } fi fi fi if test -z "$CC"; then # Extract the first word of "cc", so it can be a program name with args. 
set dummy cc; ac_word=$2 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 $as_echo_n "checking for $ac_word... " >&6; } if ${ac_cv_prog_CC+:} false; then : $as_echo_n "(cached) " >&6 else if test -n "$CC"; then ac_cv_prog_CC="$CC" # Let the user override the test. else ac_prog_rejected=no as_save_IFS=$IFS; IFS=$PATH_SEPARATOR for as_dir in $PATH do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. for ac_exec_ext in '' $ac_executable_extensions; do if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then if test "$as_dir/$ac_word$ac_exec_ext" = "/usr/ucb/cc"; then ac_prog_rejected=yes continue fi ac_cv_prog_CC="cc" $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 break 2 fi done done IFS=$as_save_IFS if test $ac_prog_rejected = yes; then # We found a bogon in the path, so make sure we never use it. set dummy $ac_cv_prog_CC shift if test $# != 0; then # We chose a different compiler from the bogus one. # However, it has the same basename, so the bogon will be chosen # first if we set CC to just the basename; use the full file name. shift ac_cv_prog_CC="$as_dir/$ac_word${1+' '}$@" fi fi fi fi CC=$ac_cv_prog_CC if test -n "$CC"; then { $as_echo "$as_me:${as_lineno-$LINENO}: result: $CC" >&5 $as_echo "$CC" >&6; } else { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 $as_echo "no" >&6; } fi fi if test -z "$CC"; then if test -n "$ac_tool_prefix"; then for ac_prog in cl.exe do # Extract the first word of "$ac_tool_prefix$ac_prog", so it can be a program name with args. set dummy $ac_tool_prefix$ac_prog; ac_word=$2 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 $as_echo_n "checking for $ac_word... " >&6; } if ${ac_cv_prog_CC+:} false; then : $as_echo_n "(cached) " >&6 else if test -n "$CC"; then ac_cv_prog_CC="$CC" # Let the user override the test. else as_save_IFS=$IFS; IFS=$PATH_SEPARATOR for as_dir in $PATH do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. 
for ac_exec_ext in '' $ac_executable_extensions; do if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then ac_cv_prog_CC="$ac_tool_prefix$ac_prog" $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 break 2 fi done done IFS=$as_save_IFS fi fi CC=$ac_cv_prog_CC if test -n "$CC"; then { $as_echo "$as_me:${as_lineno-$LINENO}: result: $CC" >&5 $as_echo "$CC" >&6; } else { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 $as_echo "no" >&6; } fi test -n "$CC" && break done fi if test -z "$CC"; then ac_ct_CC=$CC for ac_prog in cl.exe do # Extract the first word of "$ac_prog", so it can be a program name with args. set dummy $ac_prog; ac_word=$2 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 $as_echo_n "checking for $ac_word... " >&6; } if ${ac_cv_prog_ac_ct_CC+:} false; then : $as_echo_n "(cached) " >&6 else if test -n "$ac_ct_CC"; then ac_cv_prog_ac_ct_CC="$ac_ct_CC" # Let the user override the test. else as_save_IFS=$IFS; IFS=$PATH_SEPARATOR for as_dir in $PATH do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. 
for ac_exec_ext in '' $ac_executable_extensions; do if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then ac_cv_prog_ac_ct_CC="$ac_prog" $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 break 2 fi done done IFS=$as_save_IFS fi fi ac_ct_CC=$ac_cv_prog_ac_ct_CC if test -n "$ac_ct_CC"; then { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_ct_CC" >&5 $as_echo "$ac_ct_CC" >&6; } else { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 $as_echo "no" >&6; } fi test -n "$ac_ct_CC" && break done if test "x$ac_ct_CC" = x; then CC="" else case $cross_compiling:$ac_tool_warned in yes:) { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: using cross tools not prefixed with host triplet" >&5 $as_echo "$as_me: WARNING: using cross tools not prefixed with host triplet" >&2;} ac_tool_warned=yes ;; esac CC=$ac_ct_CC fi fi fi test -z "$CC" && { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5 $as_echo "$as_me: error: in \`$ac_pwd':" >&2;} as_fn_error $? "no acceptable C compiler found in \$PATH See \`config.log' for more details" "$LINENO" 5; } # Provide some information about the compiler. $as_echo "$as_me:${as_lineno-$LINENO}: checking for C compiler version" >&5 set X $ac_compile ac_compiler=$2 for ac_option in --version -v -V -qversion; do { { ac_try="$ac_compiler $ac_option >&5" case "(($ac_try" in *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; *) ac_try_echo=$ac_try;; esac eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\"" $as_echo "$ac_try_echo"; } >&5 (eval "$ac_compiler $ac_option >&5") 2>conftest.err ac_status=$? if test -s conftest.err; then sed '10a\ ... rest of stderr output deleted ... 10q' conftest.err >conftest.er1 cat conftest.er1 >&5 fi rm -f conftest.er1 conftest.err $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 test $ac_status = 0; } done cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. 
*/ int main () { ; return 0; } _ACEOF ac_clean_files_save=$ac_clean_files ac_clean_files="$ac_clean_files a.out a.out.dSYM a.exe b.out" # Try to create an executable without -o first, disregard a.out. # It will help us diagnose broken compilers, and finding out an intuition # of exeext. { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether the C compiler works" >&5 $as_echo_n "checking whether the C compiler works... " >&6; } ac_link_default=`$as_echo "$ac_link" | sed 's/ -o *conftest[^ ]*//'` # The possible output files: ac_files="a.out conftest.exe conftest a.exe a_out.exe b.out conftest.*" ac_rmfiles= for ac_file in $ac_files do case $ac_file in *.$ac_ext | *.xcoff | *.tds | *.d | *.pdb | *.xSYM | *.bb | *.bbg | *.map | *.inf | *.dSYM | *.o | *.obj ) ;; * ) ac_rmfiles="$ac_rmfiles $ac_file";; esac done rm -f $ac_rmfiles if { { ac_try="$ac_link_default" case "(($ac_try" in *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; *) ac_try_echo=$ac_try;; esac eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\"" $as_echo "$ac_try_echo"; } >&5 (eval "$ac_link_default") 2>&5 ac_status=$? $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 test $ac_status = 0; }; then : # Autoconf-2.13 could set the ac_cv_exeext variable to `no'. # So ignore a value of `no', otherwise this would lead to `EXEEXT = no' # in a Makefile. We should not override ac_cv_exeext if it was cached, # so that the user can short-circuit this test for compilers unknown to # Autoconf. for ac_file in $ac_files '' do test -f "$ac_file" || continue case $ac_file in *.$ac_ext | *.xcoff | *.tds | *.d | *.pdb | *.xSYM | *.bb | *.bbg | *.map | *.inf | *.dSYM | *.o | *.obj ) ;; [ab].out ) # We found the default executable, but exeext='' is most # certainly right. 
break;; *.* ) if test "${ac_cv_exeext+set}" = set && test "$ac_cv_exeext" != no; then :; else ac_cv_exeext=`expr "$ac_file" : '[^.]*\(\..*\)'` fi # We set ac_cv_exeext here because the later test for it is not # safe: cross compilers may not add the suffix if given an `-o' # argument, so we may need to know it at that point already. # Even if this section looks crufty: it has the advantage of # actually working. break;; * ) break;; esac done test "$ac_cv_exeext" = no && ac_cv_exeext= else ac_file='' fi if test -z "$ac_file"; then : { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 $as_echo "no" >&6; } $as_echo "$as_me: failed program was:" >&5 sed 's/^/| /' conftest.$ac_ext >&5 { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5 $as_echo "$as_me: error: in \`$ac_pwd':" >&2;} as_fn_error 77 "C compiler cannot create executables See \`config.log' for more details" "$LINENO" 5; } else { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 $as_echo "yes" >&6; } fi { $as_echo "$as_me:${as_lineno-$LINENO}: checking for C compiler default output file name" >&5 $as_echo_n "checking for C compiler default output file name... " >&6; } { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_file" >&5 $as_echo "$ac_file" >&6; } ac_exeext=$ac_cv_exeext rm -f -r a.out a.out.dSYM a.exe conftest$ac_cv_exeext b.out ac_clean_files=$ac_clean_files_save { $as_echo "$as_me:${as_lineno-$LINENO}: checking for suffix of executables" >&5 $as_echo_n "checking for suffix of executables... " >&6; } if { { ac_try="$ac_link" case "(($ac_try" in *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; *) ac_try_echo=$ac_try;; esac eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\"" $as_echo "$ac_try_echo"; } >&5 (eval "$ac_link") 2>&5 ac_status=$? $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 test $ac_status = 0; }; then : # If both `conftest.exe' and `conftest' are `present' (well, observable) # catch `conftest.exe'. 
For instance with Cygwin, `ls conftest' will # work properly (i.e., refer to `conftest.exe'), while it won't with # `rm'. for ac_file in conftest.exe conftest conftest.*; do test -f "$ac_file" || continue case $ac_file in *.$ac_ext | *.xcoff | *.tds | *.d | *.pdb | *.xSYM | *.bb | *.bbg | *.map | *.inf | *.dSYM | *.o | *.obj ) ;; *.* ) ac_cv_exeext=`expr "$ac_file" : '[^.]*\(\..*\)'` break;; * ) break;; esac done else { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5 $as_echo "$as_me: error: in \`$ac_pwd':" >&2;} as_fn_error $? "cannot compute suffix of executables: cannot compile and link See \`config.log' for more details" "$LINENO" 5; } fi rm -f conftest conftest$ac_cv_exeext { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_exeext" >&5 $as_echo "$ac_cv_exeext" >&6; } rm -f conftest.$ac_ext EXEEXT=$ac_cv_exeext ac_exeext=$EXEEXT cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ #include int main () { FILE *f = fopen ("conftest.out", "w"); return ferror (f) || fclose (f) != 0; ; return 0; } _ACEOF ac_clean_files="$ac_clean_files conftest.out" # Check that the compiler produces executables we can run. If not, either # the compiler is broken, or we cross compile. { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether we are cross compiling" >&5 $as_echo_n "checking whether we are cross compiling... " >&6; } if test "$cross_compiling" != yes; then { { ac_try="$ac_link" case "(($ac_try" in *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; *) ac_try_echo=$ac_try;; esac eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\"" $as_echo "$ac_try_echo"; } >&5 (eval "$ac_link") 2>&5 ac_status=$? $as_echo "$as_me:${as_lineno-$LINENO}: \$? 
= $ac_status" >&5 test $ac_status = 0; } if { ac_try='./conftest$ac_cv_exeext' { { case "(($ac_try" in *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; *) ac_try_echo=$ac_try;; esac eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\"" $as_echo "$ac_try_echo"; } >&5 (eval "$ac_try") 2>&5 ac_status=$? $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 test $ac_status = 0; }; }; then cross_compiling=no else if test "$cross_compiling" = maybe; then cross_compiling=yes else { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5 $as_echo "$as_me: error: in \`$ac_pwd':" >&2;} as_fn_error $? "cannot run C compiled programs. If you meant to cross compile, use \`--host'. See \`config.log' for more details" "$LINENO" 5; } fi fi fi { $as_echo "$as_me:${as_lineno-$LINENO}: result: $cross_compiling" >&5 $as_echo "$cross_compiling" >&6; } rm -f conftest.$ac_ext conftest$ac_cv_exeext conftest.out ac_clean_files=$ac_clean_files_save { $as_echo "$as_me:${as_lineno-$LINENO}: checking for suffix of object files" >&5 $as_echo_n "checking for suffix of object files... " >&6; } if ${ac_cv_objext+:} false; then : $as_echo_n "(cached) " >&6 else cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ int main () { ; return 0; } _ACEOF rm -f conftest.o conftest.obj if { { ac_try="$ac_compile" case "(($ac_try" in *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; *) ac_try_echo=$ac_try;; esac eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\"" $as_echo "$ac_try_echo"; } >&5 (eval "$ac_compile") 2>&5 ac_status=$? $as_echo "$as_me:${as_lineno-$LINENO}: \$? 
= $ac_status" >&5 test $ac_status = 0; }; then : for ac_file in conftest.o conftest.obj conftest.*; do test -f "$ac_file" || continue; case $ac_file in *.$ac_ext | *.xcoff | *.tds | *.d | *.pdb | *.xSYM | *.bb | *.bbg | *.map | *.inf | *.dSYM ) ;; *) ac_cv_objext=`expr "$ac_file" : '.*\.\(.*\)'` break;; esac done else $as_echo "$as_me: failed program was:" >&5 sed 's/^/| /' conftest.$ac_ext >&5 { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5 $as_echo "$as_me: error: in \`$ac_pwd':" >&2;} as_fn_error $? "cannot compute suffix of object files: cannot compile See \`config.log' for more details" "$LINENO" 5; } fi rm -f conftest.$ac_cv_objext conftest.$ac_ext fi { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_objext" >&5 $as_echo "$ac_cv_objext" >&6; } OBJEXT=$ac_cv_objext ac_objext=$OBJEXT { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether we are using the GNU C compiler" >&5 $as_echo_n "checking whether we are using the GNU C compiler... " >&6; } if ${ac_cv_c_compiler_gnu+:} false; then : $as_echo_n "(cached) " >&6 else cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ int main () { #ifndef __GNUC__ choke me #endif ; return 0; } _ACEOF if ac_fn_c_try_compile "$LINENO"; then : ac_compiler_gnu=yes else ac_compiler_gnu=no fi rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext ac_cv_c_compiler_gnu=$ac_compiler_gnu fi { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_c_compiler_gnu" >&5 $as_echo "$ac_cv_c_compiler_gnu" >&6; } if test $ac_compiler_gnu = yes; then GCC=yes else GCC= fi ac_test_CFLAGS=${CFLAGS+set} ac_save_CFLAGS=$CFLAGS { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether $CC accepts -g" >&5 $as_echo_n "checking whether $CC accepts -g... " >&6; } if ${ac_cv_prog_cc_g+:} false; then : $as_echo_n "(cached) " >&6 else ac_save_c_werror_flag=$ac_c_werror_flag ac_c_werror_flag=yes ac_cv_prog_cc_g=no CFLAGS="-g" cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. 
*/ int main () { ; return 0; } _ACEOF if ac_fn_c_try_compile "$LINENO"; then : ac_cv_prog_cc_g=yes else CFLAGS="" cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ int main () { ; return 0; } _ACEOF if ac_fn_c_try_compile "$LINENO"; then : else ac_c_werror_flag=$ac_save_c_werror_flag CFLAGS="-g" cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ int main () { ; return 0; } _ACEOF if ac_fn_c_try_compile "$LINENO"; then : ac_cv_prog_cc_g=yes fi rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext fi rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext fi rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext ac_c_werror_flag=$ac_save_c_werror_flag fi { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_prog_cc_g" >&5 $as_echo "$ac_cv_prog_cc_g" >&6; } if test "$ac_test_CFLAGS" = set; then CFLAGS=$ac_save_CFLAGS elif test $ac_cv_prog_cc_g = yes; then if test "$GCC" = yes; then CFLAGS="-g -O2" else CFLAGS="-g" fi else if test "$GCC" = yes; then CFLAGS="-O2" else CFLAGS= fi fi { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $CC option to accept ISO C89" >&5 $as_echo_n "checking for $CC option to accept ISO C89... " >&6; } if ${ac_cv_prog_cc_c89+:} false; then : $as_echo_n "(cached) " >&6 else ac_cv_prog_cc_c89=no ac_save_CC=$CC cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ #include #include struct stat; /* Most of the following tests are stolen from RCS 5.7's src/conf.sh. */ struct buf { int x; }; FILE * (*rcsopen) (struct buf *, struct stat *, int); static char *e (p, i) char **p; int i; { return p[i]; } static char *f (char * (*g) (char **, int), char **p, ...) { char *s; va_list v; va_start (v,p); s = g (p, va_arg (v,int)); va_end (v); return s; } /* OSF 4.0 Compaq cc is some sort of almost-ANSI by default. It has function prototypes and stuff, but not '\xHH' hex character constants. These don't provoke an error unfortunately, instead are silently treated as 'x'. 
The following induces an error, until -std is added to get proper ANSI mode. Curiously '\x00'!='x' always comes out true, for an array size at least. It's necessary to write '\x00'==0 to get something that's true only with -std. */ int osf4_cc_array ['\x00' == 0 ? 1 : -1]; /* IBM C 6 for AIX is almost-ANSI by default, but it replaces macro parameters inside strings and character constants. */ #define FOO(x) 'x' int xlc6_cc_array[FOO(a) == 'x' ? 1 : -1]; int test (int i, double x); struct s1 {int (*f) (int a);}; struct s2 {int (*f) (double a);}; int pairnames (int, char **, FILE *(*)(struct buf *, struct stat *, int), int, int); int argc; char **argv; int main () { return f (e, argv, 0) != argv[0] || f (e, argv, 1) != argv[1]; ; return 0; } _ACEOF for ac_arg in '' -qlanglvl=extc89 -qlanglvl=ansi -std \ -Ae "-Aa -D_HPUX_SOURCE" "-Xc -D__EXTENSIONS__" do CC="$ac_save_CC $ac_arg" if ac_fn_c_try_compile "$LINENO"; then : ac_cv_prog_cc_c89=$ac_arg fi rm -f core conftest.err conftest.$ac_objext test "x$ac_cv_prog_cc_c89" != "xno" && break done rm -f conftest.$ac_ext CC=$ac_save_CC fi # AC_CACHE_VAL case "x$ac_cv_prog_cc_c89" in x) { $as_echo "$as_me:${as_lineno-$LINENO}: result: none needed" >&5 $as_echo "none needed" >&6; } ;; xno) { $as_echo "$as_me:${as_lineno-$LINENO}: result: unsupported" >&5 $as_echo "unsupported" >&6; } ;; *) CC="$CC $ac_cv_prog_cc_c89" { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_prog_cc_c89" >&5 $as_echo "$ac_cv_prog_cc_c89" >&6; } ;; esac if test "x$ac_cv_prog_cc_c89" != xno; then : fi ac_ext=c ac_cpp='$CPP $CPPFLAGS' ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5' ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5' ac_compiler_gnu=$ac_cv_c_compiler_gnu ac_ext=c ac_cpp='$CPP $CPPFLAGS' ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5' ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5' ac_compiler_gnu=$ac_cv_c_compiler_gnu { $as_echo 
"$as_me:${as_lineno-$LINENO}: checking whether $CC understands -c and -o together" >&5 $as_echo_n "checking whether $CC understands -c and -o together... " >&6; } if ${am_cv_prog_cc_c_o+:} false; then : $as_echo_n "(cached) " >&6 else cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ int main () { ; return 0; } _ACEOF # Make sure it works both with $CC and with simple cc. # Following AC_PROG_CC_C_O, we do the test twice because some # compilers refuse to overwrite an existing .o file with -o, # though they will create one. am_cv_prog_cc_c_o=yes for am_i in 1 2; do if { echo "$as_me:$LINENO: $CC -c conftest.$ac_ext -o conftest2.$ac_objext" >&5 ($CC -c conftest.$ac_ext -o conftest2.$ac_objext) >&5 2>&5 ac_status=$? echo "$as_me:$LINENO: \$? = $ac_status" >&5 (exit $ac_status); } \ && test -f conftest2.$ac_objext; then : OK else am_cv_prog_cc_c_o=no break fi done rm -f core conftest* unset am_i fi { $as_echo "$as_me:${as_lineno-$LINENO}: result: $am_cv_prog_cc_c_o" >&5 $as_echo "$am_cv_prog_cc_c_o" >&6; } if test "$am_cv_prog_cc_c_o" != yes; then # Losing compiler, so override with the script. # FIXME: It is wrong to rewrite CC. # But if we don't then we get into trouble of one sort or another. # A longer-term fix would be to have automake use am__CC in this case, # and then we could set am__CC="\$(top_srcdir)/compile \$(CC)" CC="$am_aux_dir/compile $CC" fi ac_ext=c ac_cpp='$CPP $CPPFLAGS' ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5' ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5' ac_compiler_gnu=$ac_cv_c_compiler_gnu ac_ext=c ac_cpp='$CPP $CPPFLAGS' ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5' ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5' ac_compiler_gnu=$ac_cv_c_compiler_gnu { $as_echo "$as_me:${as_lineno-$LINENO}: checking how to run the C preprocessor" >&5 $as_echo_n "checking how to run the C preprocessor... 
" >&6; } # On Suns, sometimes $CPP names a directory. if test -n "$CPP" && test -d "$CPP"; then CPP= fi if test -z "$CPP"; then if ${ac_cv_prog_CPP+:} false; then : $as_echo_n "(cached) " >&6 else # Double quotes because CPP needs to be expanded for CPP in "$CC -E" "$CC -E -traditional-cpp" "/lib/cpp" do ac_preproc_ok=false for ac_c_preproc_warn_flag in '' yes do # Use a header file that comes with gcc, so configuring glibc # with a fresh cross-compiler works. # Prefer to if __STDC__ is defined, since # exists even on freestanding compilers. # On the NeXT, cc -E runs the code through the compiler's parser, # not just through cpp. "Syntax error" is here to catch this case. cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ #ifdef __STDC__ # include #else # include #endif Syntax error _ACEOF if ac_fn_c_try_cpp "$LINENO"; then : else # Broken: fails on valid input. continue fi rm -f conftest.err conftest.i conftest.$ac_ext # OK, works on sane cases. Now check whether nonexistent headers # can be detected and how. cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ #include _ACEOF if ac_fn_c_try_cpp "$LINENO"; then : # Broken: success on invalid input. continue else # Passes both tests. ac_preproc_ok=: break fi rm -f conftest.err conftest.i conftest.$ac_ext done # Because of `break', _AC_PREPROC_IFELSE's cleaning code was skipped. rm -f conftest.i conftest.err conftest.$ac_ext if $ac_preproc_ok; then : break fi done ac_cv_prog_CPP=$CPP fi CPP=$ac_cv_prog_CPP else ac_cv_prog_CPP=$CPP fi { $as_echo "$as_me:${as_lineno-$LINENO}: result: $CPP" >&5 $as_echo "$CPP" >&6; } ac_preproc_ok=false for ac_c_preproc_warn_flag in '' yes do # Use a header file that comes with gcc, so configuring glibc # with a fresh cross-compiler works. # Prefer to if __STDC__ is defined, since # exists even on freestanding compilers. # On the NeXT, cc -E runs the code through the compiler's parser, # not just through cpp. "Syntax error" is here to catch this case. 
cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ #ifdef __STDC__ # include #else # include #endif Syntax error _ACEOF if ac_fn_c_try_cpp "$LINENO"; then : else # Broken: fails on valid input. continue fi rm -f conftest.err conftest.i conftest.$ac_ext # OK, works on sane cases. Now check whether nonexistent headers # can be detected and how. cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ #include _ACEOF if ac_fn_c_try_cpp "$LINENO"; then : # Broken: success on invalid input. continue else # Passes both tests. ac_preproc_ok=: break fi rm -f conftest.err conftest.i conftest.$ac_ext done # Because of `break', _AC_PREPROC_IFELSE's cleaning code was skipped. rm -f conftest.i conftest.err conftest.$ac_ext if $ac_preproc_ok; then : else { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5 $as_echo "$as_me: error: in \`$ac_pwd':" >&2;} as_fn_error $? "C preprocessor \"$CPP\" fails sanity check See \`config.log' for more details" "$LINENO" 5; } fi ac_ext=c ac_cpp='$CPP $CPPFLAGS' ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5' ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5' ac_compiler_gnu=$ac_cv_c_compiler_gnu { $as_echo "$as_me:${as_lineno-$LINENO}: checking for grep that handles long lines and -e" >&5 $as_echo_n "checking for grep that handles long lines and -e... " >&6; } if ${ac_cv_path_GREP+:} false; then : $as_echo_n "(cached) " >&6 else if test -z "$GREP"; then ac_path_GREP_found=false # Loop through the user's path and test for each of PROGNAME-LIST as_save_IFS=$IFS; IFS=$PATH_SEPARATOR for as_dir in $PATH$PATH_SEPARATOR/usr/xpg4/bin do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. for ac_prog in grep ggrep; do for ac_exec_ext in '' $ac_executable_extensions; do ac_path_GREP="$as_dir/$ac_prog$ac_exec_ext" as_fn_executable_p "$ac_path_GREP" || continue # Check for GNU ac_path_GREP and select it if it is found. 
# Check for GNU $ac_path_GREP case `"$ac_path_GREP" --version 2>&1` in *GNU*) ac_cv_path_GREP="$ac_path_GREP" ac_path_GREP_found=:;; *) ac_count=0 $as_echo_n 0123456789 >"conftest.in" while : do cat "conftest.in" "conftest.in" >"conftest.tmp" mv "conftest.tmp" "conftest.in" cp "conftest.in" "conftest.nl" $as_echo 'GREP' >> "conftest.nl" "$ac_path_GREP" -e 'GREP$' -e '-(cannot match)-' < "conftest.nl" >"conftest.out" 2>/dev/null || break diff "conftest.out" "conftest.nl" >/dev/null 2>&1 || break as_fn_arith $ac_count + 1 && ac_count=$as_val if test $ac_count -gt ${ac_path_GREP_max-0}; then # Best one so far, save it but keep looking for a better one ac_cv_path_GREP="$ac_path_GREP" ac_path_GREP_max=$ac_count fi # 10*(2^10) chars as input seems more than enough test $ac_count -gt 10 && break done rm -f conftest.in conftest.tmp conftest.nl conftest.out;; esac $ac_path_GREP_found && break 3 done done done IFS=$as_save_IFS if test -z "$ac_cv_path_GREP"; then as_fn_error $? "no acceptable grep could be found in $PATH$PATH_SEPARATOR/usr/xpg4/bin" "$LINENO" 5 fi else ac_cv_path_GREP=$GREP fi fi { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_path_GREP" >&5 $as_echo "$ac_cv_path_GREP" >&6; } GREP="$ac_cv_path_GREP" { $as_echo "$as_me:${as_lineno-$LINENO}: checking for egrep" >&5 $as_echo_n "checking for egrep... " >&6; } if ${ac_cv_path_EGREP+:} false; then : $as_echo_n "(cached) " >&6 else if echo a | $GREP -E '(a|b)' >/dev/null 2>&1 then ac_cv_path_EGREP="$GREP -E" else if test -z "$EGREP"; then ac_path_EGREP_found=false # Loop through the user's path and test for each of PROGNAME-LIST as_save_IFS=$IFS; IFS=$PATH_SEPARATOR for as_dir in $PATH$PATH_SEPARATOR/usr/xpg4/bin do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. for ac_prog in egrep; do for ac_exec_ext in '' $ac_executable_extensions; do ac_path_EGREP="$as_dir/$ac_prog$ac_exec_ext" as_fn_executable_p "$ac_path_EGREP" || continue # Check for GNU ac_path_EGREP and select it if it is found. 
# Check for GNU $ac_path_EGREP case `"$ac_path_EGREP" --version 2>&1` in *GNU*) ac_cv_path_EGREP="$ac_path_EGREP" ac_path_EGREP_found=:;; *) ac_count=0 $as_echo_n 0123456789 >"conftest.in" while : do cat "conftest.in" "conftest.in" >"conftest.tmp" mv "conftest.tmp" "conftest.in" cp "conftest.in" "conftest.nl" $as_echo 'EGREP' >> "conftest.nl" "$ac_path_EGREP" 'EGREP$' < "conftest.nl" >"conftest.out" 2>/dev/null || break diff "conftest.out" "conftest.nl" >/dev/null 2>&1 || break as_fn_arith $ac_count + 1 && ac_count=$as_val if test $ac_count -gt ${ac_path_EGREP_max-0}; then # Best one so far, save it but keep looking for a better one ac_cv_path_EGREP="$ac_path_EGREP" ac_path_EGREP_max=$ac_count fi # 10*(2^10) chars as input seems more than enough test $ac_count -gt 10 && break done rm -f conftest.in conftest.tmp conftest.nl conftest.out;; esac $ac_path_EGREP_found && break 3 done done done IFS=$as_save_IFS if test -z "$ac_cv_path_EGREP"; then as_fn_error $? "no acceptable egrep could be found in $PATH$PATH_SEPARATOR/usr/xpg4/bin" "$LINENO" 5 fi else ac_cv_path_EGREP=$EGREP fi fi fi { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_path_EGREP" >&5 $as_echo "$ac_cv_path_EGREP" >&6; } EGREP="$ac_cv_path_EGREP" { $as_echo "$as_me:${as_lineno-$LINENO}: checking for ANSI C header files" >&5 $as_echo_n "checking for ANSI C header files... " >&6; } if ${ac_cv_header_stdc+:} false; then : $as_echo_n "(cached) " >&6 else cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ #include #include #include #include int main () { ; return 0; } _ACEOF if ac_fn_c_try_compile "$LINENO"; then : ac_cv_header_stdc=yes else ac_cv_header_stdc=no fi rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext if test $ac_cv_header_stdc = yes; then # SunOS 4.x string.h does not declare mem*, contrary to ANSI. cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. 
*/ #include _ACEOF if (eval "$ac_cpp conftest.$ac_ext") 2>&5 | $EGREP "memchr" >/dev/null 2>&1; then : else ac_cv_header_stdc=no fi rm -f conftest* fi if test $ac_cv_header_stdc = yes; then # ISC 2.0.2 stdlib.h does not declare free, contrary to ANSI. cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ #include _ACEOF if (eval "$ac_cpp conftest.$ac_ext") 2>&5 | $EGREP "free" >/dev/null 2>&1; then : else ac_cv_header_stdc=no fi rm -f conftest* fi if test $ac_cv_header_stdc = yes; then # /bin/cc in Irix-4.0.5 gets non-ANSI ctype macros unless using -ansi. if test "$cross_compiling" = yes; then : : else cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ #include #include #if ((' ' & 0x0FF) == 0x020) # define ISLOWER(c) ('a' <= (c) && (c) <= 'z') # define TOUPPER(c) (ISLOWER(c) ? 'A' + ((c) - 'a') : (c)) #else # define ISLOWER(c) \ (('a' <= (c) && (c) <= 'i') \ || ('j' <= (c) && (c) <= 'r') \ || ('s' <= (c) && (c) <= 'z')) # define TOUPPER(c) (ISLOWER(c) ? ((c) | 0x40) : (c)) #endif #define XOR(e, f) (((e) && !(f)) || (!(e) && (f))) int main () { int i; for (i = 0; i < 256; i++) if (XOR (islower (i), ISLOWER (i)) || toupper (i) != TOUPPER (i)) return 2; return 0; } _ACEOF if ac_fn_c_try_run "$LINENO"; then : else ac_cv_header_stdc=no fi rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext \ conftest.$ac_objext conftest.beam conftest.$ac_ext fi fi fi { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_header_stdc" >&5 $as_echo "$ac_cv_header_stdc" >&6; } if test $ac_cv_header_stdc = yes; then $as_echo "#define STDC_HEADERS 1" >>confdefs.h fi # On IRIX 5.3, sys/types and inttypes.h are conflicting. 
for ac_header in sys/types.h sys/stat.h stdlib.h string.h memory.h strings.h \ inttypes.h stdint.h unistd.h do : as_ac_Header=`$as_echo "ac_cv_header_$ac_header" | $as_tr_sh` ac_fn_c_check_header_compile "$LINENO" "$ac_header" "$as_ac_Header" "$ac_includes_default " if eval test \"x\$"$as_ac_Header"\" = x"yes"; then : cat >>confdefs.h <<_ACEOF #define `$as_echo "HAVE_$ac_header" | $as_tr_cpp` 1 _ACEOF fi done ac_fn_c_check_header_mongrel "$LINENO" "minix/config.h" "ac_cv_header_minix_config_h" "$ac_includes_default" if test "x$ac_cv_header_minix_config_h" = xyes; then : MINIX=yes else MINIX= fi if test "$MINIX" = yes; then $as_echo "#define _POSIX_SOURCE 1" >>confdefs.h $as_echo "#define _POSIX_1_SOURCE 2" >>confdefs.h $as_echo "#define _MINIX 1" >>confdefs.h fi { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether it is safe to define __EXTENSIONS__" >&5 $as_echo_n "checking whether it is safe to define __EXTENSIONS__... " >&6; } if ${ac_cv_safe_to_define___extensions__+:} false; then : $as_echo_n "(cached) " >&6 else cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. 
*/ # define __EXTENSIONS__ 1 $ac_includes_default int main () { ; return 0; } _ACEOF if ac_fn_c_try_compile "$LINENO"; then : ac_cv_safe_to_define___extensions__=yes else ac_cv_safe_to_define___extensions__=no fi rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext fi { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_safe_to_define___extensions__" >&5 $as_echo "$ac_cv_safe_to_define___extensions__" >&6; } test $ac_cv_safe_to_define___extensions__ = yes && $as_echo "#define __EXTENSIONS__ 1" >>confdefs.h $as_echo "#define _ALL_SOURCE 1" >>confdefs.h $as_echo "#define _GNU_SOURCE 1" >>confdefs.h $as_echo "#define _POSIX_PTHREAD_SEMANTICS 1" >>confdefs.h $as_echo "#define _TANDEM_SOURCE 1" >>confdefs.h { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether to enable maintainer-specific portions of Makefiles" >&5 $as_echo_n "checking whether to enable maintainer-specific portions of Makefiles... " >&6; } # Check whether --enable-maintainer-mode was given. if test "${enable_maintainer_mode+set}" = set; then : enableval=$enable_maintainer_mode; USE_MAINTAINER_MODE=$enableval else USE_MAINTAINER_MODE=no fi { $as_echo "$as_me:${as_lineno-$LINENO}: result: $USE_MAINTAINER_MODE" >&5 $as_echo "$USE_MAINTAINER_MODE" >&6; } if test $USE_MAINTAINER_MODE = yes; then MAINTAINER_MODE_TRUE= MAINTAINER_MODE_FALSE='#' else MAINTAINER_MODE_TRUE='#' MAINTAINER_MODE_FALSE= fi MAINT=$MAINTAINER_MODE_TRUE # Check OS { $as_echo "$as_me:${as_lineno-$LINENO}: checking host os" >&5 $as_echo_n "checking host os... " >&6; } # If no host OS, try uname if test -z "$host" ; then host="`uname`" fi echo -n "installation for $host OS... 
" case "$host" in *-*-*freebsd*) CFLAGS="${CFLAGS} -D__FreeBSD__" CPPFLAGS="${CPPFLAGS} -I/usr/local/include -I/usr/local/include/libnet11" LDFLAGS="${LDFLAGS} -L/usr/local/lib -L/usr/local/lib/libnet11" ;; *-*-openbsd*) CFLAGS="${CFLAGS} -D__OpenBSD__" CPPFLAGS="${CPPFLAGS} -I/usr/local/include -I/usr/local/include/libnet-1.1" LDFLAGS="${LDFLAGS} -L/usr/local/lib -I/usr/local/lib/libnet-1.1" ;; *darwin*|*Darwin*) CFLAGS="${CFLAGS} -D__Darwin__" CPPFLAGS="${CPPFLAGS} -I/opt/local/include" LDFLAGS="${LDFLAGS} -L/opt/local/lib" ;; *-*-linux*) CFLAGS="${CFLAGS} -D__Linux__" #for now do nothing ;; # *-*-mingw32*) # CFLAGS="${CFLAGS} -DOS_WIN32" # LDFLAGS="${LDFLAGS} -lws2_32" # WINDOWS_PATH="yes" # ;; # *-*-cygwin) # WINDOWS_PATH="yes" # ;; # *-*-solaris*) # AC_MSG_WARN([support for Solaris/Illumos/SunOS is experimental]) # LDFLAGS="${LDFLAGS} -lsocket -lnsl" # ;; *) { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: unsupported OS this may or may not work" >&5 $as_echo "$as_me: WARNING: unsupported OS this may or may not work" >&2;} ;; esac { $as_echo "$as_me:${as_lineno-$LINENO}: result: ok" >&5 $as_echo "ok" >&6; } { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether byte ordering is bigendian" >&5 $as_echo_n "checking whether byte ordering is bigendian... " >&6; } if ${ac_cv_c_bigendian+:} false; then : $as_echo_n "(cached) " >&6 else ac_cv_c_bigendian=unknown # See if we're dealing with a universal compiler. cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ #ifndef __APPLE_CC__ not a universal capable compiler #endif typedef int dummy; _ACEOF if ac_fn_c_try_compile "$LINENO"; then : # Check for potential -arch flags. It is not universal unless # there are at least two -arch flags with different values. 
ac_arch= ac_prev= for ac_word in $CC $CFLAGS $CPPFLAGS $LDFLAGS; do if test -n "$ac_prev"; then case $ac_word in i?86 | x86_64 | ppc | ppc64) if test -z "$ac_arch" || test "$ac_arch" = "$ac_word"; then ac_arch=$ac_word else ac_cv_c_bigendian=universal break fi ;; esac ac_prev= elif test "x$ac_word" = "x-arch"; then ac_prev=arch fi done fi rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext if test $ac_cv_c_bigendian = unknown; then # See if sys/param.h defines the BYTE_ORDER macro. cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ #include #include int main () { #if ! (defined BYTE_ORDER && defined BIG_ENDIAN \ && defined LITTLE_ENDIAN && BYTE_ORDER && BIG_ENDIAN \ && LITTLE_ENDIAN) bogus endian macros #endif ; return 0; } _ACEOF if ac_fn_c_try_compile "$LINENO"; then : # It does; now see whether it defined to BIG_ENDIAN or not. cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ #include #include int main () { #if BYTE_ORDER != BIG_ENDIAN not big endian #endif ; return 0; } _ACEOF if ac_fn_c_try_compile "$LINENO"; then : ac_cv_c_bigendian=yes else ac_cv_c_bigendian=no fi rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext fi rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext fi if test $ac_cv_c_bigendian = unknown; then # See if defines _LITTLE_ENDIAN or _BIG_ENDIAN (e.g., Solaris). cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ #include int main () { #if ! (defined _LITTLE_ENDIAN || defined _BIG_ENDIAN) bogus endian macros #endif ; return 0; } _ACEOF if ac_fn_c_try_compile "$LINENO"; then : # It does; now see whether it defined to _BIG_ENDIAN or not. cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. 
*/ #include int main () { #ifndef _BIG_ENDIAN not big endian #endif ; return 0; } _ACEOF if ac_fn_c_try_compile "$LINENO"; then : ac_cv_c_bigendian=yes else ac_cv_c_bigendian=no fi rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext fi rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext fi if test $ac_cv_c_bigendian = unknown; then # Compile a test program. if test "$cross_compiling" = yes; then : # Try to guess by grepping values from an object file. cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ short int ascii_mm[] = { 0x4249, 0x4765, 0x6E44, 0x6961, 0x6E53, 0x7953, 0 }; short int ascii_ii[] = { 0x694C, 0x5454, 0x656C, 0x6E45, 0x6944, 0x6E61, 0 }; int use_ascii (int i) { return ascii_mm[i] + ascii_ii[i]; } short int ebcdic_ii[] = { 0x89D3, 0xE3E3, 0x8593, 0x95C5, 0x89C4, 0x9581, 0 }; short int ebcdic_mm[] = { 0xC2C9, 0xC785, 0x95C4, 0x8981, 0x95E2, 0xA8E2, 0 }; int use_ebcdic (int i) { return ebcdic_mm[i] + ebcdic_ii[i]; } extern int foo; int main () { return use_ascii (foo) == use_ebcdic (foo); ; return 0; } _ACEOF if ac_fn_c_try_compile "$LINENO"; then : if grep BIGenDianSyS conftest.$ac_objext >/dev/null; then ac_cv_c_bigendian=yes fi if grep LiTTleEnDian conftest.$ac_objext >/dev/null ; then if test "$ac_cv_c_bigendian" = unknown; then ac_cv_c_bigendian=no else # finding both strings is unlikely to happen, but who knows? ac_cv_c_bigendian=unknown fi fi fi rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext else cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ $ac_includes_default int main () { /* Are we little or big endian? From Harbison&Steele. 
*/ union { long int l; char c[sizeof (long int)]; } u; u.l = 1; return u.c[sizeof (long int) - 1] == 1; ; return 0; } _ACEOF if ac_fn_c_try_run "$LINENO"; then : ac_cv_c_bigendian=no else ac_cv_c_bigendian=yes fi rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext \ conftest.$ac_objext conftest.beam conftest.$ac_ext fi fi fi { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_c_bigendian" >&5 $as_echo "$ac_cv_c_bigendian" >&6; } case $ac_cv_c_bigendian in #( yes) ENDIAN=big ;; #( no) ENDIAN=little ;; #( universal) $as_echo "#define AC_APPLE_UNIVERSAL_BUILD 1" >>confdefs.h ;; #( *) as_fn_error $? "unknown endianness presetting ac_cv_c_bigendian=no (or yes) will help" "$LINENO" 5 ;; esac # Check whether --enable-snortsam was given. if test "${enable_snortsam+set}" = set; then : enableval=$enable_snortsam; SNORTSAM="$enableval" else SNORTSAM="yes" fi # Check whether --enable-bluedot was given. if test "${enable_bluedot+set}" = set; then : enableval=$enable_bluedot; BLUEDOT="$enableval" else BLUEDOT="no" fi # Check whether --enable-esmtp was given. if test "${enable_esmtp+set}" = set; then : enableval=$enable_esmtp; ESMTP="$enableval" else ESMTP="no" fi # Check whether --enable-geoip2 was given. if test "${enable_geoip2+set}" = set; then : enableval=$enable_geoip2; GEOIP2="$enableval" else GEOIP2="no" fi # Check whether --enable-syslog was given. if test "${enable_syslog+set}" = set; then : enableval=$enable_syslog; SYSLOG="$enableval" else SYSLOG="yes" fi # Check whether --enable-system-strstr was given. if test "${enable_system_strstr+set}" = set; then : enableval=$enable_system_strstr; SYSSTRSTR="$enableval" else SYSSTRSTR="no" fi # Check whether --enable-redis was given. if test "${enable_redis+set}" = set; then : enableval=$enable_redis; REDIS="$enableval" else REDIS="no" fi # Check whether --with-esmtp_includes was given. 
if test "${with_esmtp_includes+set}" = set; then : withval=$with_esmtp_includes; with_esmtp_includes="$withval" else with_esmtp_includes="no" fi # Check whether --with-esmtp_libraries was given. if test "${with_esmtp_libraries+set}" = set; then : withval=$with_esmtp_libraries; with_esmtp_libraries="$withval" else with_esmtp_libraries="no" fi if test "x$with_esmtp_includes" != "xno"; then CPPFLAGS="${CPPFLAGS} -I${with_esmtp_includes}" fi if test "x$with_esmtp_libraries" != "xno"; then LDFLAGS="${LDFLAGS} -L${with_esmtp_libraries}" fi # Check whether --with-geoip2_includes was given. if test "${with_geoip2_includes+set}" = set; then : withval=$with_geoip2_includes; with_geoip2_includes="$withval" else with_geoip2_includes="no" fi # Check whether --with-geoip2_libraries was given. if test "${with_geoip2_libraries+set}" = set; then : withval=$with_geoip2_libraries; with_geoip2_libraries="$withval" else with_geoip2_libraries="no" fi if test "x$with_geoip2_includes" != "xno"; then CPPFLAGS="${CPPFLAGS} -I${with_geoip2_includes}" fi if test "x$with_geoip2_libraries" != "xno"; then LDFLAGS="${LDFLAGS} -L${with_geoip2_libraries}" fi # Check whether --enable-lognorm was given. if test "${enable_lognorm+set}" = set; then : enableval=$enable_lognorm; LOGNORM="$enableval" else LOGNORM="yes" fi # Check whether --with-lognorm_includes was given. if test "${with_lognorm_includes+set}" = set; then : withval=$with_lognorm_includes; with_lognorm_includes="$withval" else with_lognorm_includes="no" fi # Check whether --with-lognorm_libraries was given. if test "${with_lognorm_libraries+set}" = set; then : withval=$with_lognorm_libraries; with_lognorm_libraries="$withval" else with_lognorm_libraries="no" fi if test "x$with_lognorm_includes" != "xno"; then CPPFLAGS="${CPPFLAGS} -I${with_lognorm_includes}" fi if test "x$with_lognorm_libraries" != "xno"; then LDFLAGS="${LDFLAGS} -L${with_lognorm_libraries}" fi # -- # Check whether --enable-libfastjson was given. 
if test "${enable_libfastjson+set}" = set; then : enableval=$enable_libfastjson; FASTJSON="$enableval" else FASTJSON="yes" fi # Check whether --with-libfastjson_includes was given. if test "${with_libfastjson_includes+set}" = set; then : withval=$with_libfastjson_includes; with_libfastjson_includes="$withval" else with_libfastjson_includes="no" fi # Check whether --with-libfastjson_c_libraries was given. if test "${with_libfastjson_c_libraries+set}" = set; then : withval=$with_libfastjson_c_libraries; with_libfastjson_libraries="$withval" else with_libfastjson_libraries="no" fi if test "x$with_libfastjson_includes" != "xno"; then CPPFLAGS="${CPPFLAGS} -I${with_libfastjson_includes}" fi if test "x$with_libfastjson_libraries" != "xno"; then LDFLAGS="${LDFLAGS} -L${with_libfastjson_libraries}" fi # -- # Check whether --enable-libpcap was given. if test "${enable_libpcap+set}" = set; then : enableval=$enable_libpcap; LIBPCAP="$enableval" else LIBPCAP="no" fi # Check whether --with-libpcap_includes was given. if test "${with_libpcap_includes+set}" = set; then : withval=$with_libpcap_includes; with_libpcap_includes="$withval" else with_libpcap_includes="no" fi # Check whether --with-libpcap_libraries was given. if test "${with_libpcap_libraries+set}" = set; then : withval=$with_libpcap_libraries; with_libpcap_libraries="$withval" else with_libpcap_libraries="no" fi if test "x$with_libpcap_includes" != "xno"; then CPPFLAGS="${CPPFLAGS} -I${with_libpcap_includes}" fi if test "x$with_libpcap_libraries" != "xno"; then LDFLAGS="${LDFLAGS} -L${with_libpcap_libraries}" fi # Check whether --enable-libdnet was given. if test "${enable_libdnet+set}" = set; then : enableval=$enable_libdnet; LIBDNET="$enableval" else LIBDNET="no" fi # Check whether --with-libdnet_includes was given. 
if test "${with_libdnet_includes+set}" = set; then : withval=$with_libdnet_includes; with_libdnet_includes="$withval" else with_libdnet_includes="no" fi # Check whether --with-libdnet_libraries was given. if test "${with_libdnet_libraries+set}" = set; then : withval=$with_libdnet_libraries; with_libdnet_libraries="$withval" else with_libdnet_libraries="no" fi if test "x$with_libdnet_includes" != "xno"; then CPPFLAGS="${CPPFLAGS} -I${with_libdnet_includes}" fi if test "x$with_libdnet_libraries" != "xno"; then LDFLAGS="${LDFLAGS} -L${with_libdnet_libraries}" fi am__api_version='1.14' # Find a good install program. We prefer a C program (faster), # so one script is as good as another. But avoid the broken or # incompatible versions: # SysV /etc/install, /usr/sbin/install # SunOS /usr/etc/install # IRIX /sbin/install # AIX /bin/install # AmigaOS /C/install, which installs bootblocks on floppy discs # AIX 4 /usr/bin/installbsd, which doesn't work without a -g flag # AFS /usr/afsws/bin/install, which mishandles nonexistent args # SVR4 /usr/ucb/install, which tries to use the nonexistent group "staff" # OS/2's system install, which has a completely different semantic # ./install, which can be erroneously created by make from ./install.sh. # Reject install programs that cannot install multiple files. { $as_echo "$as_me:${as_lineno-$LINENO}: checking for a BSD-compatible install" >&5 $as_echo_n "checking for a BSD-compatible install... " >&6; } if test -z "$INSTALL"; then if ${ac_cv_path_install+:} false; then : $as_echo_n "(cached) " >&6 else as_save_IFS=$IFS; IFS=$PATH_SEPARATOR for as_dir in $PATH do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. # Account for people who put trailing slashes in PATH elements. case $as_dir/ in #(( ./ | .// | /[cC]/* | \ /etc/* | /usr/sbin/* | /usr/etc/* | /sbin/* | /usr/afsws/bin/* | \ ?:[\\/]os2[\\/]install[\\/]* | ?:[\\/]OS2[\\/]INSTALL[\\/]* | \ /usr/ucb/* ) ;; *) # OSF1 and SCO ODT 3.0 have their own names for install. 
# Don't use installbsd from OSF since it installs stuff as root # by default. for ac_prog in ginstall scoinst install; do for ac_exec_ext in '' $ac_executable_extensions; do if as_fn_executable_p "$as_dir/$ac_prog$ac_exec_ext"; then if test $ac_prog = install && grep dspmsg "$as_dir/$ac_prog$ac_exec_ext" >/dev/null 2>&1; then # AIX install. It has an incompatible calling convention. : elif test $ac_prog = install && grep pwplus "$as_dir/$ac_prog$ac_exec_ext" >/dev/null 2>&1; then # program-specific install script used by HP pwplus--don't use. : else rm -rf conftest.one conftest.two conftest.dir echo one > conftest.one echo two > conftest.two mkdir conftest.dir if "$as_dir/$ac_prog$ac_exec_ext" -c conftest.one conftest.two "`pwd`/conftest.dir" && test -s conftest.one && test -s conftest.two && test -s conftest.dir/conftest.one && test -s conftest.dir/conftest.two then ac_cv_path_install="$as_dir/$ac_prog$ac_exec_ext -c" break 3 fi fi fi done done ;; esac done IFS=$as_save_IFS rm -rf conftest.one conftest.two conftest.dir fi if test "${ac_cv_path_install+set}" = set; then INSTALL=$ac_cv_path_install else # As a last resort, use the slow shell script. Don't cache a # value for INSTALL within a source directory, because that will # break other packages using the cache if that directory is # removed, or if the value is a relative name. INSTALL=$ac_install_sh fi fi { $as_echo "$as_me:${as_lineno-$LINENO}: result: $INSTALL" >&5 $as_echo "$INSTALL" >&6; } # Use test -z because SunOS4 sh mishandles braces in ${var-val}. # It thinks the first close brace ends the variable substitution. test -z "$INSTALL_PROGRAM" && INSTALL_PROGRAM='${INSTALL}' test -z "$INSTALL_SCRIPT" && INSTALL_SCRIPT='${INSTALL}' test -z "$INSTALL_DATA" && INSTALL_DATA='${INSTALL} -m 644' { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether build environment is sane" >&5 $as_echo_n "checking whether build environment is sane... 
" >&6; } # Reject unsafe characters in $srcdir or the absolute working directory # name. Accept space and tab only in the latter. am_lf=' ' case `pwd` in *[\\\"\#\$\&\'\`$am_lf]*) as_fn_error $? "unsafe absolute working directory name" "$LINENO" 5;; esac case $srcdir in *[\\\"\#\$\&\'\`$am_lf\ \ ]*) as_fn_error $? "unsafe srcdir value: '$srcdir'" "$LINENO" 5;; esac # Do 'set' in a subshell so we don't clobber the current shell's # arguments. Must try -L first in case configure is actually a # symlink; some systems play weird games with the mod time of symlinks # (eg FreeBSD returns the mod time of the symlink's containing # directory). if ( am_has_slept=no for am_try in 1 2; do echo "timestamp, slept: $am_has_slept" > conftest.file set X `ls -Lt "$srcdir/configure" conftest.file 2> /dev/null` if test "$*" = "X"; then # -L didn't work. set X `ls -t "$srcdir/configure" conftest.file` fi if test "$*" != "X $srcdir/configure conftest.file" \ && test "$*" != "X conftest.file $srcdir/configure"; then # If neither matched, then we have a broken ls. This can happen # if, for instance, CONFIG_SHELL is bash and it inherits a # broken ls alias from the environment. This has actually # happened. Such a system could not be considered "sane". as_fn_error $? "ls -t appears to fail. Make sure there is not a broken alias in your environment" "$LINENO" 5 fi if test "$2" = conftest.file || test $am_try -eq 2; then break fi # Just in case. sleep 1 am_has_slept=yes done test "$2" = conftest.file ) then # Ok. : else as_fn_error $? "newly created file is older than distributed files! Check your system clock" "$LINENO" 5 fi { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 $as_echo "yes" >&6; } # If we didn't sleep, we still need to ensure time stamps of config.status and # generated files are strictly newer. am_sleep_pid= if grep 'slept: no' conftest.file >/dev/null 2>&1; then ( sleep 1 ) & am_sleep_pid=$! 
fi rm -f conftest.file test "$program_prefix" != NONE && program_transform_name="s&^&$program_prefix&;$program_transform_name" # Use a double $ so make ignores it. test "$program_suffix" != NONE && program_transform_name="s&\$&$program_suffix&;$program_transform_name" # Double any \ or $. # By default was `s,x,x', remove it if useless. ac_script='s/[\\$]/&&/g;s/;s,x,x,$//' program_transform_name=`$as_echo "$program_transform_name" | sed "$ac_script"` if test x"${MISSING+set}" != xset; then case $am_aux_dir in *\ * | *\ *) MISSING="\${SHELL} \"$am_aux_dir/missing\"" ;; *) MISSING="\${SHELL} $am_aux_dir/missing" ;; esac fi # Use eval to expand $SHELL if eval "$MISSING --is-lightweight"; then am_missing_run="$MISSING " else am_missing_run= { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: 'missing' script is too old or missing" >&5 $as_echo "$as_me: WARNING: 'missing' script is too old or missing" >&2;} fi if test x"${install_sh}" != xset; then case $am_aux_dir in *\ * | *\ *) install_sh="\${SHELL} '$am_aux_dir/install-sh'" ;; *) install_sh="\${SHELL} $am_aux_dir/install-sh" esac fi # Installed binaries are usually stripped using 'strip' when the user # run "make install-strip". However 'strip' might not be the right # tool to use in cross-compilation environments, therefore Automake # will honor the 'STRIP' environment variable to overrule this program. if test "$cross_compiling" != no; then if test -n "$ac_tool_prefix"; then # Extract the first word of "${ac_tool_prefix}strip", so it can be a program name with args. set dummy ${ac_tool_prefix}strip; ac_word=$2 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 $as_echo_n "checking for $ac_word... " >&6; } if ${ac_cv_prog_STRIP+:} false; then : $as_echo_n "(cached) " >&6 else if test -n "$STRIP"; then ac_cv_prog_STRIP="$STRIP" # Let the user override the test. else as_save_IFS=$IFS; IFS=$PATH_SEPARATOR for as_dir in $PATH do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. 
for ac_exec_ext in '' $ac_executable_extensions; do if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then ac_cv_prog_STRIP="${ac_tool_prefix}strip" $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 break 2 fi done done IFS=$as_save_IFS fi fi STRIP=$ac_cv_prog_STRIP if test -n "$STRIP"; then { $as_echo "$as_me:${as_lineno-$LINENO}: result: $STRIP" >&5 $as_echo "$STRIP" >&6; } else { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 $as_echo "no" >&6; } fi fi if test -z "$ac_cv_prog_STRIP"; then ac_ct_STRIP=$STRIP # Extract the first word of "strip", so it can be a program name with args. set dummy strip; ac_word=$2 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 $as_echo_n "checking for $ac_word... " >&6; } if ${ac_cv_prog_ac_ct_STRIP+:} false; then : $as_echo_n "(cached) " >&6 else if test -n "$ac_ct_STRIP"; then ac_cv_prog_ac_ct_STRIP="$ac_ct_STRIP" # Let the user override the test. else as_save_IFS=$IFS; IFS=$PATH_SEPARATOR for as_dir in $PATH do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. 
for ac_exec_ext in '' $ac_executable_extensions; do if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then ac_cv_prog_ac_ct_STRIP="strip" $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 break 2 fi done done IFS=$as_save_IFS fi fi ac_ct_STRIP=$ac_cv_prog_ac_ct_STRIP if test -n "$ac_ct_STRIP"; then { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_ct_STRIP" >&5 $as_echo "$ac_ct_STRIP" >&6; } else { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 $as_echo "no" >&6; } fi if test "x$ac_ct_STRIP" = x; then STRIP=":" else case $cross_compiling:$ac_tool_warned in yes:) { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: using cross tools not prefixed with host triplet" >&5 $as_echo "$as_me: WARNING: using cross tools not prefixed with host triplet" >&2;} ac_tool_warned=yes ;; esac STRIP=$ac_ct_STRIP fi else STRIP="$ac_cv_prog_STRIP" fi fi INSTALL_STRIP_PROGRAM="\$(install_sh) -c -s" { $as_echo "$as_me:${as_lineno-$LINENO}: checking for a thread-safe mkdir -p" >&5 $as_echo_n "checking for a thread-safe mkdir -p... " >&6; } if test -z "$MKDIR_P"; then if ${ac_cv_path_mkdir+:} false; then : $as_echo_n "(cached) " >&6 else as_save_IFS=$IFS; IFS=$PATH_SEPARATOR for as_dir in $PATH$PATH_SEPARATOR/opt/sfw/bin do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. for ac_prog in mkdir gmkdir; do for ac_exec_ext in '' $ac_executable_extensions; do as_fn_executable_p "$as_dir/$ac_prog$ac_exec_ext" || continue case `"$as_dir/$ac_prog$ac_exec_ext" --version 2>&1` in #( 'mkdir (GNU coreutils) '* | \ 'mkdir (coreutils) '* | \ 'mkdir (fileutils) '4.1*) ac_cv_path_mkdir=$as_dir/$ac_prog$ac_exec_ext break 3;; esac done done done IFS=$as_save_IFS fi test -d ./--version && rmdir ./--version if test "${ac_cv_path_mkdir+set}" = set; then MKDIR_P="$ac_cv_path_mkdir -p" else # As a last resort, use the slow shell script. 
Don't cache a # value for MKDIR_P within a source directory, because that will # break other packages using the cache if that directory is # removed, or if the value is a relative name. MKDIR_P="$ac_install_sh -d" fi fi { $as_echo "$as_me:${as_lineno-$LINENO}: result: $MKDIR_P" >&5 $as_echo "$MKDIR_P" >&6; } for ac_prog in gawk mawk nawk awk do # Extract the first word of "$ac_prog", so it can be a program name with args. set dummy $ac_prog; ac_word=$2 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 $as_echo_n "checking for $ac_word... " >&6; } if ${ac_cv_prog_AWK+:} false; then : $as_echo_n "(cached) " >&6 else if test -n "$AWK"; then ac_cv_prog_AWK="$AWK" # Let the user override the test. else as_save_IFS=$IFS; IFS=$PATH_SEPARATOR for as_dir in $PATH do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. for ac_exec_ext in '' $ac_executable_extensions; do if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then ac_cv_prog_AWK="$ac_prog" $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 break 2 fi done done IFS=$as_save_IFS fi fi AWK=$ac_cv_prog_AWK if test -n "$AWK"; then { $as_echo "$as_me:${as_lineno-$LINENO}: result: $AWK" >&5 $as_echo "$AWK" >&6; } else { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 $as_echo "no" >&6; } fi test -n "$AWK" && break done { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether ${MAKE-make} sets \$(MAKE)" >&5 $as_echo_n "checking whether ${MAKE-make} sets \$(MAKE)... " >&6; } set x ${MAKE-make} ac_make=`$as_echo "$2" | sed 's/+/p/g; s/[^a-zA-Z0-9_]/_/g'` if eval \${ac_cv_prog_make_${ac_make}_set+:} false; then : $as_echo_n "(cached) " >&6 else cat >conftest.make <<\_ACEOF SHELL = /bin/sh all: @echo '@@@%%%=$(MAKE)=@@@%%%' _ACEOF # GNU make sometimes prints "make[1]: Entering ...", which would confuse us. 
case `${MAKE-make} -f conftest.make 2>/dev/null` in *@@@%%%=?*=@@@%%%*) eval ac_cv_prog_make_${ac_make}_set=yes;; *) eval ac_cv_prog_make_${ac_make}_set=no;; esac rm -f conftest.make fi if eval test \$ac_cv_prog_make_${ac_make}_set = yes; then { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 $as_echo "yes" >&6; } SET_MAKE= else { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 $as_echo "no" >&6; } SET_MAKE="MAKE=${MAKE-make}" fi rm -rf .tst 2>/dev/null mkdir .tst 2>/dev/null if test -d .tst; then am__leading_dot=. else am__leading_dot=_ fi rmdir .tst 2>/dev/null DEPDIR="${am__leading_dot}deps" ac_config_commands="$ac_config_commands depfiles" am_make=${MAKE-make} cat > confinc << 'END' am__doit: @echo this is the am__doit target .PHONY: am__doit END # If we don't find an include directive, just comment out the code. { $as_echo "$as_me:${as_lineno-$LINENO}: checking for style of include used by $am_make" >&5 $as_echo_n "checking for style of include used by $am_make... " >&6; } am__include="#" am__quote= _am_result=none # First try GNU make style include. echo "include confinc" > confmf # Ignore all kinds of additional output from 'make'. case `$am_make -s -f confmf 2> /dev/null` in #( *the\ am__doit\ target*) am__include=include am__quote= _am_result=GNU ;; esac # Now try BSD make style include. if test "$am__include" = "#"; then echo '.include "confinc"' > confmf case `$am_make -s -f confmf 2> /dev/null` in #( *the\ am__doit\ target*) am__include=.include am__quote="\"" _am_result=BSD ;; esac fi { $as_echo "$as_me:${as_lineno-$LINENO}: result: $_am_result" >&5 $as_echo "$_am_result" >&6; } rm -f confinc confmf # Check whether --enable-dependency-tracking was given. 
if test "${enable_dependency_tracking+set}" = set; then : enableval=$enable_dependency_tracking; fi if test "x$enable_dependency_tracking" != xno; then am_depcomp="$ac_aux_dir/depcomp" AMDEPBACKSLASH='\' am__nodep='_no' fi if test "x$enable_dependency_tracking" != xno; then AMDEP_TRUE= AMDEP_FALSE='#' else AMDEP_TRUE='#' AMDEP_FALSE= fi # Check whether --enable-silent-rules was given. if test "${enable_silent_rules+set}" = set; then : enableval=$enable_silent_rules; fi case $enable_silent_rules in # ((( yes) AM_DEFAULT_VERBOSITY=0;; no) AM_DEFAULT_VERBOSITY=1;; *) AM_DEFAULT_VERBOSITY=1;; esac am_make=${MAKE-make} { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether $am_make supports nested variables" >&5 $as_echo_n "checking whether $am_make supports nested variables... " >&6; } if ${am_cv_make_support_nested_variables+:} false; then : $as_echo_n "(cached) " >&6 else if $as_echo 'TRUE=$(BAR$(V)) BAR0=false BAR1=true V=1 am__doit: @$(TRUE) .PHONY: am__doit' | $am_make -f - >/dev/null 2>&1; then am_cv_make_support_nested_variables=yes else am_cv_make_support_nested_variables=no fi fi { $as_echo "$as_me:${as_lineno-$LINENO}: result: $am_cv_make_support_nested_variables" >&5 $as_echo "$am_cv_make_support_nested_variables" >&6; } if test $am_cv_make_support_nested_variables = yes; then AM_V='$(V)' AM_DEFAULT_V='$(AM_DEFAULT_VERBOSITY)' else AM_V=$AM_DEFAULT_VERBOSITY AM_DEFAULT_V=$AM_DEFAULT_VERBOSITY fi AM_BACKSLASH='\' if test "`cd $srcdir && pwd`" != "`pwd`"; then # Use -I$(srcdir) only when $(srcdir) != ., so that make's output # is not polluted with repeated "-I." am__isrc=' -I$(srcdir)' # test to see if srcdir already configured if test -f $srcdir/config.status; then as_fn_error $? 
"source directory already configured; run \"make distclean\" there first" "$LINENO" 5 fi fi # test whether we have cygpath if test -z "$CYGPATH_W"; then if (cygpath --version) >/dev/null 2>/dev/null; then CYGPATH_W='cygpath -w' else CYGPATH_W=echo fi fi # Define the identity of the package. PACKAGE='sagan' VERSION='1.2.0' cat >>confdefs.h <<_ACEOF #define PACKAGE "$PACKAGE" _ACEOF cat >>confdefs.h <<_ACEOF #define VERSION "$VERSION" _ACEOF # Some tools Automake needs. ACLOCAL=${ACLOCAL-"${am_missing_run}aclocal-${am__api_version}"} AUTOCONF=${AUTOCONF-"${am_missing_run}autoconf"} AUTOMAKE=${AUTOMAKE-"${am_missing_run}automake-${am__api_version}"} AUTOHEADER=${AUTOHEADER-"${am_missing_run}autoheader"} MAKEINFO=${MAKEINFO-"${am_missing_run}makeinfo"} # For better backward compatibility. To be removed once Automake 1.9.x # dies out for good. For more background, see: # # mkdir_p='$(MKDIR_P)' # We need awk for the "check" target. The system "awk" is bad on # some platforms. # Always define AMTAR for backward compatibility. Yes, it's still used # in the wild :-( We should find a proper way to deprecate it ... AMTAR='$${TAR-tar}' # We'll loop over all known methods to create a tar archive until one works. _am_tools='gnutar pax cpio none' am__tar='$${TAR-tar} chof - "$$tardir"' am__untar='$${TAR-tar} xf -' depcc="$CC" am_compiler_list= { $as_echo "$as_me:${as_lineno-$LINENO}: checking dependency style of $depcc" >&5 $as_echo_n "checking dependency style of $depcc... " >&6; } if ${am_cv_CC_dependencies_compiler_type+:} false; then : $as_echo_n "(cached) " >&6 else if test -z "$AMDEP_TRUE" && test -f "$am_depcomp"; then # We make a subdir and do the tests there. Otherwise we can end up # making bogus files that we don't know about and never remove. For # instance it was reported that on HP-UX the gcc test will end up # making a dummy file named 'D' -- because '-MD' means "put the output # in D". 
rm -rf conftest.dir mkdir conftest.dir # Copy depcomp to subdir because otherwise we won't find it if we're # using a relative directory. cp "$am_depcomp" conftest.dir cd conftest.dir # We will build objects and dependencies in a subdirectory because # it helps to detect inapplicable dependency modes. For instance # both Tru64's cc and ICC support -MD to output dependencies as a # side effect of compilation, but ICC will put the dependencies in # the current directory while Tru64 will put them in the object # directory. mkdir sub am_cv_CC_dependencies_compiler_type=none if test "$am_compiler_list" = ""; then am_compiler_list=`sed -n 's/^#*\([a-zA-Z0-9]*\))$/\1/p' < ./depcomp` fi am__universal=false case " $depcc " in #( *\ -arch\ *\ -arch\ *) am__universal=true ;; esac for depmode in $am_compiler_list; do # Setup a source with many dependencies, because some compilers # like to wrap large dependency lists on column 80 (with \), and # we should not choose a depcomp mode which is confused by this. # # We need to recreate these files for each test, as the compiler may # overwrite some of them when testing with obscure command lines. # This happens at least with the AIX C compiler. : > sub/conftest.c for i in 1 2 3 4 5 6; do echo '#include "conftst'$i'.h"' >> sub/conftest.c # Using ": > sub/conftst$i.h" creates only sub/conftst1.h with # Solaris 10 /bin/sh. echo '/* dummy */' > sub/conftst$i.h done echo "${am__include} ${am__quote}sub/conftest.Po${am__quote}" > confmf # We check with '-c' and '-o' for the sake of the "dashmstdout" # mode. It turns out that the SunPro C++ compiler does not properly # handle '-M -o', and we need to detect this. Also, some Intel # versions had trouble with output in subdirs. am__obj=sub/conftest.${OBJEXT-o} am__minus_obj="-o $am__obj" case $depmode in gcc) # This depmode causes a compiler race in universal mode. 
test "$am__universal" = false || continue ;; nosideeffect) # After this tag, mechanisms are not by side-effect, so they'll # only be used when explicitly requested. if test "x$enable_dependency_tracking" = xyes; then continue else break fi ;; msvc7 | msvc7msys | msvisualcpp | msvcmsys) # This compiler won't grok '-c -o', but also, the minuso test has # not run yet. These depmodes are late enough in the game, and # so weak that their functioning should not be impacted. am__obj=conftest.${OBJEXT-o} am__minus_obj= ;; none) break ;; esac if depmode=$depmode \ source=sub/conftest.c object=$am__obj \ depfile=sub/conftest.Po tmpdepfile=sub/conftest.TPo \ $SHELL ./depcomp $depcc -c $am__minus_obj sub/conftest.c \ >/dev/null 2>conftest.err && grep sub/conftst1.h sub/conftest.Po > /dev/null 2>&1 && grep sub/conftst6.h sub/conftest.Po > /dev/null 2>&1 && grep $am__obj sub/conftest.Po > /dev/null 2>&1 && ${MAKE-make} -s -f confmf > /dev/null 2>&1; then # icc doesn't choke on unknown options, it will just issue warnings # or remarks (even with -Werror). So we grep stderr for any message # that says an option was ignored or not supported. # When given -MP, icc 7.0 and 7.1 complain thusly: # icc: Command line warning: ignoring option '-M'; no argument required # The diagnosis changed in icc 8.0: # icc: Command line remark: option '-MP' not supported if (grep 'ignoring option' conftest.err || grep 'not supported' conftest.err) >/dev/null 2>&1; then :; else am_cv_CC_dependencies_compiler_type=$depmode break fi fi done cd .. 
rm -rf conftest.dir else am_cv_CC_dependencies_compiler_type=none fi fi { $as_echo "$as_me:${as_lineno-$LINENO}: result: $am_cv_CC_dependencies_compiler_type" >&5 $as_echo "$am_cv_CC_dependencies_compiler_type" >&6; } CCDEPMODE=depmode=$am_cv_CC_dependencies_compiler_type if test "x$enable_dependency_tracking" != xno \ && test "$am_cv_CC_dependencies_compiler_type" = gcc3; then am__fastdepCC_TRUE= am__fastdepCC_FALSE='#' else am__fastdepCC_TRUE='#' am__fastdepCC_FALSE= fi # POSIX will say in a future version that running "rm -f" with no argument # is OK; and we want to be able to make that assumption in our Makefile # recipes. So use an aggressive probe to check that the usage we want is # actually supported "in the wild" to an acceptable degree. # See automake bug#10828. # To make any issue more visible, cause the running configure to be aborted # by default if the 'rm' program in use doesn't match our expectations; the # user can still override this though. if rm -f && rm -fr && rm -rf; then : OK; else cat >&2 <<'END' Oops! Your 'rm' program seems unable to run without file operands specified on the command line, even when the '-f' option is present. This is contrary to the behaviour of most rm programs out there, and not conforming with the upcoming POSIX standard: Please tell bug-automake@gnu.org about your system, including the value of your $PATH and any error possibly output before this message. This can help us improve future automake versions. END if test x"$ACCEPT_INFERIOR_RM_PROGRAM" = x"yes"; then echo 'Configuration will proceed anyway, since you have set the' >&2 echo 'ACCEPT_INFERIOR_RM_PROGRAM variable to "yes"' >&2 echo >&2 else cat >&2 <<'END' Aborting the configuration process, to ensure you take notice of the issue. You can download and install GNU coreutils to get an 'rm' implementation that behaves properly: . 
If you want to complete the configuration process using your problematic 'rm' anyway, export the environment variable ACCEPT_INFERIOR_RM_PROGRAM to "yes", and re-run configure. END as_fn_error $? "Your 'rm' program is bad, sorry." "$LINENO" 5 fi fi ac_config_headers="$ac_config_headers config.h" # Checks for programs. ac_ext=c ac_cpp='$CPP $CPPFLAGS' ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5' ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5' ac_compiler_gnu=$ac_cv_c_compiler_gnu if test -n "$ac_tool_prefix"; then # Extract the first word of "${ac_tool_prefix}gcc", so it can be a program name with args. set dummy ${ac_tool_prefix}gcc; ac_word=$2 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 $as_echo_n "checking for $ac_word... " >&6; } if ${ac_cv_prog_CC+:} false; then : $as_echo_n "(cached) " >&6 else if test -n "$CC"; then ac_cv_prog_CC="$CC" # Let the user override the test. else as_save_IFS=$IFS; IFS=$PATH_SEPARATOR for as_dir in $PATH do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. for ac_exec_ext in '' $ac_executable_extensions; do if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then ac_cv_prog_CC="${ac_tool_prefix}gcc" $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 break 2 fi done done IFS=$as_save_IFS fi fi CC=$ac_cv_prog_CC if test -n "$CC"; then { $as_echo "$as_me:${as_lineno-$LINENO}: result: $CC" >&5 $as_echo "$CC" >&6; } else { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 $as_echo "no" >&6; } fi fi if test -z "$ac_cv_prog_CC"; then ac_ct_CC=$CC # Extract the first word of "gcc", so it can be a program name with args. set dummy gcc; ac_word=$2 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 $as_echo_n "checking for $ac_word... " >&6; } if ${ac_cv_prog_ac_ct_CC+:} false; then : $as_echo_n "(cached) " >&6 else if test -n "$ac_ct_CC"; then ac_cv_prog_ac_ct_CC="$ac_ct_CC" # Let the user override the test. 
else as_save_IFS=$IFS; IFS=$PATH_SEPARATOR for as_dir in $PATH do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. for ac_exec_ext in '' $ac_executable_extensions; do if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then ac_cv_prog_ac_ct_CC="gcc" $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 break 2 fi done done IFS=$as_save_IFS fi fi ac_ct_CC=$ac_cv_prog_ac_ct_CC if test -n "$ac_ct_CC"; then { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_ct_CC" >&5 $as_echo "$ac_ct_CC" >&6; } else { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 $as_echo "no" >&6; } fi if test "x$ac_ct_CC" = x; then CC="" else case $cross_compiling:$ac_tool_warned in yes:) { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: using cross tools not prefixed with host triplet" >&5 $as_echo "$as_me: WARNING: using cross tools not prefixed with host triplet" >&2;} ac_tool_warned=yes ;; esac CC=$ac_ct_CC fi else CC="$ac_cv_prog_CC" fi if test -z "$CC"; then if test -n "$ac_tool_prefix"; then # Extract the first word of "${ac_tool_prefix}cc", so it can be a program name with args. set dummy ${ac_tool_prefix}cc; ac_word=$2 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 $as_echo_n "checking for $ac_word... " >&6; } if ${ac_cv_prog_CC+:} false; then : $as_echo_n "(cached) " >&6 else if test -n "$CC"; then ac_cv_prog_CC="$CC" # Let the user override the test. else as_save_IFS=$IFS; IFS=$PATH_SEPARATOR for as_dir in $PATH do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. 
for ac_exec_ext in '' $ac_executable_extensions; do if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then ac_cv_prog_CC="${ac_tool_prefix}cc" $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 break 2 fi done done IFS=$as_save_IFS fi fi CC=$ac_cv_prog_CC if test -n "$CC"; then { $as_echo "$as_me:${as_lineno-$LINENO}: result: $CC" >&5 $as_echo "$CC" >&6; } else { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 $as_echo "no" >&6; } fi fi fi if test -z "$CC"; then # Extract the first word of "cc", so it can be a program name with args. set dummy cc; ac_word=$2 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 $as_echo_n "checking for $ac_word... " >&6; } if ${ac_cv_prog_CC+:} false; then : $as_echo_n "(cached) " >&6 else if test -n "$CC"; then ac_cv_prog_CC="$CC" # Let the user override the test. else ac_prog_rejected=no as_save_IFS=$IFS; IFS=$PATH_SEPARATOR for as_dir in $PATH do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. for ac_exec_ext in '' $ac_executable_extensions; do if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then if test "$as_dir/$ac_word$ac_exec_ext" = "/usr/ucb/cc"; then ac_prog_rejected=yes continue fi ac_cv_prog_CC="cc" $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 break 2 fi done done IFS=$as_save_IFS if test $ac_prog_rejected = yes; then # We found a bogon in the path, so make sure we never use it. set dummy $ac_cv_prog_CC shift if test $# != 0; then # We chose a different compiler from the bogus one. # However, it has the same basename, so the bogon will be chosen # first if we set CC to just the basename; use the full file name. 
shift ac_cv_prog_CC="$as_dir/$ac_word${1+' '}$@" fi fi fi fi CC=$ac_cv_prog_CC if test -n "$CC"; then { $as_echo "$as_me:${as_lineno-$LINENO}: result: $CC" >&5 $as_echo "$CC" >&6; } else { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 $as_echo "no" >&6; } fi fi if test -z "$CC"; then if test -n "$ac_tool_prefix"; then for ac_prog in cl.exe do # Extract the first word of "$ac_tool_prefix$ac_prog", so it can be a program name with args. set dummy $ac_tool_prefix$ac_prog; ac_word=$2 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 $as_echo_n "checking for $ac_word... " >&6; } if ${ac_cv_prog_CC+:} false; then : $as_echo_n "(cached) " >&6 else if test -n "$CC"; then ac_cv_prog_CC="$CC" # Let the user override the test. else as_save_IFS=$IFS; IFS=$PATH_SEPARATOR for as_dir in $PATH do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. for ac_exec_ext in '' $ac_executable_extensions; do if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then ac_cv_prog_CC="$ac_tool_prefix$ac_prog" $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 break 2 fi done done IFS=$as_save_IFS fi fi CC=$ac_cv_prog_CC if test -n "$CC"; then { $as_echo "$as_me:${as_lineno-$LINENO}: result: $CC" >&5 $as_echo "$CC" >&6; } else { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 $as_echo "no" >&6; } fi test -n "$CC" && break done fi if test -z "$CC"; then ac_ct_CC=$CC for ac_prog in cl.exe do # Extract the first word of "$ac_prog", so it can be a program name with args. set dummy $ac_prog; ac_word=$2 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 $as_echo_n "checking for $ac_word... " >&6; } if ${ac_cv_prog_ac_ct_CC+:} false; then : $as_echo_n "(cached) " >&6 else if test -n "$ac_ct_CC"; then ac_cv_prog_ac_ct_CC="$ac_ct_CC" # Let the user override the test. else as_save_IFS=$IFS; IFS=$PATH_SEPARATOR for as_dir in $PATH do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. 
for ac_exec_ext in '' $ac_executable_extensions; do if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then ac_cv_prog_ac_ct_CC="$ac_prog" $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 break 2 fi done done IFS=$as_save_IFS fi fi ac_ct_CC=$ac_cv_prog_ac_ct_CC if test -n "$ac_ct_CC"; then { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_ct_CC" >&5 $as_echo "$ac_ct_CC" >&6; } else { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 $as_echo "no" >&6; } fi test -n "$ac_ct_CC" && break done if test "x$ac_ct_CC" = x; then CC="" else case $cross_compiling:$ac_tool_warned in yes:) { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: using cross tools not prefixed with host triplet" >&5 $as_echo "$as_me: WARNING: using cross tools not prefixed with host triplet" >&2;} ac_tool_warned=yes ;; esac CC=$ac_ct_CC fi fi fi test -z "$CC" && { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5 $as_echo "$as_me: error: in \`$ac_pwd':" >&2;} as_fn_error $? "no acceptable C compiler found in \$PATH See \`config.log' for more details" "$LINENO" 5; } # Provide some information about the compiler. $as_echo "$as_me:${as_lineno-$LINENO}: checking for C compiler version" >&5 set X $ac_compile ac_compiler=$2 for ac_option in --version -v -V -qversion; do { { ac_try="$ac_compiler $ac_option >&5" case "(($ac_try" in *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; *) ac_try_echo=$ac_try;; esac eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\"" $as_echo "$ac_try_echo"; } >&5 (eval "$ac_compiler $ac_option >&5") 2>conftest.err ac_status=$? if test -s conftest.err; then sed '10a\ ... rest of stderr output deleted ... 10q' conftest.err >conftest.er1 cat conftest.er1 >&5 fi rm -f conftest.er1 conftest.err $as_echo "$as_me:${as_lineno-$LINENO}: \$? 
= $ac_status" >&5 test $ac_status = 0; } done { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether we are using the GNU C compiler" >&5 $as_echo_n "checking whether we are using the GNU C compiler... " >&6; } if ${ac_cv_c_compiler_gnu+:} false; then : $as_echo_n "(cached) " >&6 else cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ int main () { #ifndef __GNUC__ choke me #endif ; return 0; } _ACEOF if ac_fn_c_try_compile "$LINENO"; then : ac_compiler_gnu=yes else ac_compiler_gnu=no fi rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext ac_cv_c_compiler_gnu=$ac_compiler_gnu fi { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_c_compiler_gnu" >&5 $as_echo "$ac_cv_c_compiler_gnu" >&6; } if test $ac_compiler_gnu = yes; then GCC=yes else GCC= fi ac_test_CFLAGS=${CFLAGS+set} ac_save_CFLAGS=$CFLAGS { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether $CC accepts -g" >&5 $as_echo_n "checking whether $CC accepts -g... " >&6; } if ${ac_cv_prog_cc_g+:} false; then : $as_echo_n "(cached) " >&6 else ac_save_c_werror_flag=$ac_c_werror_flag ac_c_werror_flag=yes ac_cv_prog_cc_g=no CFLAGS="-g" cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ int main () { ; return 0; } _ACEOF if ac_fn_c_try_compile "$LINENO"; then : ac_cv_prog_cc_g=yes else CFLAGS="" cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ int main () { ; return 0; } _ACEOF if ac_fn_c_try_compile "$LINENO"; then : else ac_c_werror_flag=$ac_save_c_werror_flag CFLAGS="-g" cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. 
*/ int main () { ; return 0; } _ACEOF if ac_fn_c_try_compile "$LINENO"; then : ac_cv_prog_cc_g=yes fi rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext fi rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext fi rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext ac_c_werror_flag=$ac_save_c_werror_flag fi { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_prog_cc_g" >&5 $as_echo "$ac_cv_prog_cc_g" >&6; } if test "$ac_test_CFLAGS" = set; then CFLAGS=$ac_save_CFLAGS elif test $ac_cv_prog_cc_g = yes; then if test "$GCC" = yes; then CFLAGS="-g -O2" else CFLAGS="-g" fi else if test "$GCC" = yes; then CFLAGS="-O2" else CFLAGS= fi fi { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $CC option to accept ISO C89" >&5 $as_echo_n "checking for $CC option to accept ISO C89... " >&6; } if ${ac_cv_prog_cc_c89+:} false; then : $as_echo_n "(cached) " >&6 else ac_cv_prog_cc_c89=no ac_save_CC=$CC cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ #include #include struct stat; /* Most of the following tests are stolen from RCS 5.7's src/conf.sh. */ struct buf { int x; }; FILE * (*rcsopen) (struct buf *, struct stat *, int); static char *e (p, i) char **p; int i; { return p[i]; } static char *f (char * (*g) (char **, int), char **p, ...) { char *s; va_list v; va_start (v,p); s = g (p, va_arg (v,int)); va_end (v); return s; } /* OSF 4.0 Compaq cc is some sort of almost-ANSI by default. It has function prototypes and stuff, but not '\xHH' hex character constants. These don't provoke an error unfortunately, instead are silently treated as 'x'. The following induces an error, until -std is added to get proper ANSI mode. Curiously '\x00'!='x' always comes out true, for an array size at least. It's necessary to write '\x00'==0 to get something that's true only with -std. */ int osf4_cc_array ['\x00' == 0 ? 1 : -1]; /* IBM C 6 for AIX is almost-ANSI by default, but it replaces macro parameters inside strings and character constants. 
*/ #define FOO(x) 'x' int xlc6_cc_array[FOO(a) == 'x' ? 1 : -1]; int test (int i, double x); struct s1 {int (*f) (int a);}; struct s2 {int (*f) (double a);}; int pairnames (int, char **, FILE *(*)(struct buf *, struct stat *, int), int, int); int argc; char **argv; int main () { return f (e, argv, 0) != argv[0] || f (e, argv, 1) != argv[1]; ; return 0; } _ACEOF for ac_arg in '' -qlanglvl=extc89 -qlanglvl=ansi -std \ -Ae "-Aa -D_HPUX_SOURCE" "-Xc -D__EXTENSIONS__" do CC="$ac_save_CC $ac_arg" if ac_fn_c_try_compile "$LINENO"; then : ac_cv_prog_cc_c89=$ac_arg fi rm -f core conftest.err conftest.$ac_objext test "x$ac_cv_prog_cc_c89" != "xno" && break done rm -f conftest.$ac_ext CC=$ac_save_CC fi # AC_CACHE_VAL case "x$ac_cv_prog_cc_c89" in x) { $as_echo "$as_me:${as_lineno-$LINENO}: result: none needed" >&5 $as_echo "none needed" >&6; } ;; xno) { $as_echo "$as_me:${as_lineno-$LINENO}: result: unsupported" >&5 $as_echo "unsupported" >&6; } ;; *) CC="$CC $ac_cv_prog_cc_c89" { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_prog_cc_c89" >&5 $as_echo "$ac_cv_prog_cc_c89" >&6; } ;; esac if test "x$ac_cv_prog_cc_c89" != xno; then : fi ac_ext=c ac_cpp='$CPP $CPPFLAGS' ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5' ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5' ac_compiler_gnu=$ac_cv_c_compiler_gnu ac_ext=c ac_cpp='$CPP $CPPFLAGS' ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5' ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5' ac_compiler_gnu=$ac_cv_c_compiler_gnu { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether $CC understands -c and -o together" >&5 $as_echo_n "checking whether $CC understands -c and -o together... " >&6; } if ${am_cv_prog_cc_c_o+:} false; then : $as_echo_n "(cached) " >&6 else cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ int main () { ; return 0; } _ACEOF # Make sure it works both with $CC and with simple cc. 
# Following AC_PROG_CC_C_O, we do the test twice because some # compilers refuse to overwrite an existing .o file with -o, # though they will create one. am_cv_prog_cc_c_o=yes for am_i in 1 2; do if { echo "$as_me:$LINENO: $CC -c conftest.$ac_ext -o conftest2.$ac_objext" >&5 ($CC -c conftest.$ac_ext -o conftest2.$ac_objext) >&5 2>&5 ac_status=$? echo "$as_me:$LINENO: \$? = $ac_status" >&5 (exit $ac_status); } \ && test -f conftest2.$ac_objext; then : OK else am_cv_prog_cc_c_o=no break fi done rm -f core conftest* unset am_i fi { $as_echo "$as_me:${as_lineno-$LINENO}: result: $am_cv_prog_cc_c_o" >&5 $as_echo "$am_cv_prog_cc_c_o" >&6; } if test "$am_cv_prog_cc_c_o" != yes; then # Losing compiler, so override with the script. # FIXME: It is wrong to rewrite CC. # But if we don't then we get into trouble of one sort or another. # A longer-term fix would be to have automake use am__CC in this case, # and then we could set am__CC="\$(top_srcdir)/compile \$(CC)" CC="$am_aux_dir/compile $CC" fi ac_ext=c ac_cpp='$CPP $CPPFLAGS' ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5' ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5' ac_compiler_gnu=$ac_cv_c_compiler_gnu ac_ext=c ac_cpp='$CPP $CPPFLAGS' ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5' ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5' ac_compiler_gnu=$ac_cv_c_compiler_gnu { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether ${MAKE-make} sets \$(MAKE)" >&5 $as_echo_n "checking whether ${MAKE-make} sets \$(MAKE)... " >&6; } set x ${MAKE-make} ac_make=`$as_echo "$2" | sed 's/+/p/g; s/[^a-zA-Z0-9_]/_/g'` if eval \${ac_cv_prog_make_${ac_make}_set+:} false; then : $as_echo_n "(cached) " >&6 else cat >conftest.make <<\_ACEOF SHELL = /bin/sh all: @echo '@@@%%%=$(MAKE)=@@@%%%' _ACEOF # GNU make sometimes prints "make[1]: Entering ...", which would confuse us. 
case `${MAKE-make} -f conftest.make 2>/dev/null` in *@@@%%%=?*=@@@%%%*) eval ac_cv_prog_make_${ac_make}_set=yes;; *) eval ac_cv_prog_make_${ac_make}_set=no;; esac rm -f conftest.make fi if eval test \$ac_cv_prog_make_${ac_make}_set = yes; then { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 $as_echo "yes" >&6; } SET_MAKE= else { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 $as_echo "no" >&6; } SET_MAKE="MAKE=${MAKE-make}" fi if test "x$ac_cv_env_PKG_CONFIG_set" != "xset"; then if test -n "$ac_tool_prefix"; then # Extract the first word of "${ac_tool_prefix}pkg-config", so it can be a program name with args. set dummy ${ac_tool_prefix}pkg-config; ac_word=$2 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 $as_echo_n "checking for $ac_word... " >&6; } if ${ac_cv_path_PKG_CONFIG+:} false; then : $as_echo_n "(cached) " >&6 else case $PKG_CONFIG in [\\/]* | ?:[\\/]*) ac_cv_path_PKG_CONFIG="$PKG_CONFIG" # Let the user override the test with a path. ;; *) as_save_IFS=$IFS; IFS=$PATH_SEPARATOR for as_dir in $PATH do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. for ac_exec_ext in '' $ac_executable_extensions; do if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then ac_cv_path_PKG_CONFIG="$as_dir/$ac_word$ac_exec_ext" $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 break 2 fi done done IFS=$as_save_IFS ;; esac fi PKG_CONFIG=$ac_cv_path_PKG_CONFIG if test -n "$PKG_CONFIG"; then { $as_echo "$as_me:${as_lineno-$LINENO}: result: $PKG_CONFIG" >&5 $as_echo "$PKG_CONFIG" >&6; } else { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 $as_echo "no" >&6; } fi fi if test -z "$ac_cv_path_PKG_CONFIG"; then ac_pt_PKG_CONFIG=$PKG_CONFIG # Extract the first word of "pkg-config", so it can be a program name with args. set dummy pkg-config; ac_word=$2 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 $as_echo_n "checking for $ac_word... 
" >&6; } if ${ac_cv_path_ac_pt_PKG_CONFIG+:} false; then : $as_echo_n "(cached) " >&6 else case $ac_pt_PKG_CONFIG in [\\/]* | ?:[\\/]*) ac_cv_path_ac_pt_PKG_CONFIG="$ac_pt_PKG_CONFIG" # Let the user override the test with a path. ;; *) as_save_IFS=$IFS; IFS=$PATH_SEPARATOR for as_dir in $PATH do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. for ac_exec_ext in '' $ac_executable_extensions; do if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then ac_cv_path_ac_pt_PKG_CONFIG="$as_dir/$ac_word$ac_exec_ext" $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 break 2 fi done done IFS=$as_save_IFS ;; esac fi ac_pt_PKG_CONFIG=$ac_cv_path_ac_pt_PKG_CONFIG if test -n "$ac_pt_PKG_CONFIG"; then { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_pt_PKG_CONFIG" >&5 $as_echo "$ac_pt_PKG_CONFIG" >&6; } else { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 $as_echo "no" >&6; } fi if test "x$ac_pt_PKG_CONFIG" = x; then PKG_CONFIG="" else case $cross_compiling:$ac_tool_warned in yes:) { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: using cross tools not prefixed with host triplet" >&5 $as_echo "$as_me: WARNING: using cross tools not prefixed with host triplet" >&2;} ac_tool_warned=yes ;; esac PKG_CONFIG=$ac_pt_PKG_CONFIG fi else PKG_CONFIG="$ac_cv_path_PKG_CONFIG" fi fi if test -n "$PKG_CONFIG"; then _pkg_min_version=0.9.0 { $as_echo "$as_me:${as_lineno-$LINENO}: checking pkg-config is at least version $_pkg_min_version" >&5 $as_echo_n "checking pkg-config is at least version $_pkg_min_version... " >&6; } if $PKG_CONFIG --atleast-pkgconfig-version $_pkg_min_version; then { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 $as_echo "yes" >&6; } else { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 $as_echo "no" >&6; } PKG_CONFIG="" fi fi # Checks for header files. { $as_echo "$as_me:${as_lineno-$LINENO}: checking for ANSI C header files" >&5 $as_echo_n "checking for ANSI C header files... 
" >&6; } if ${ac_cv_header_stdc+:} false; then : $as_echo_n "(cached) " >&6 else cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ #include #include #include #include int main () { ; return 0; } _ACEOF if ac_fn_c_try_compile "$LINENO"; then : ac_cv_header_stdc=yes else ac_cv_header_stdc=no fi rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext if test $ac_cv_header_stdc = yes; then # SunOS 4.x string.h does not declare mem*, contrary to ANSI. cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ #include _ACEOF if (eval "$ac_cpp conftest.$ac_ext") 2>&5 | $EGREP "memchr" >/dev/null 2>&1; then : else ac_cv_header_stdc=no fi rm -f conftest* fi if test $ac_cv_header_stdc = yes; then # ISC 2.0.2 stdlib.h does not declare free, contrary to ANSI. cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ #include _ACEOF if (eval "$ac_cpp conftest.$ac_ext") 2>&5 | $EGREP "free" >/dev/null 2>&1; then : else ac_cv_header_stdc=no fi rm -f conftest* fi if test $ac_cv_header_stdc = yes; then # /bin/cc in Irix-4.0.5 gets non-ANSI ctype macros unless using -ansi. if test "$cross_compiling" = yes; then : : else cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ #include #include #if ((' ' & 0x0FF) == 0x020) # define ISLOWER(c) ('a' <= (c) && (c) <= 'z') # define TOUPPER(c) (ISLOWER(c) ? 'A' + ((c) - 'a') : (c)) #else # define ISLOWER(c) \ (('a' <= (c) && (c) <= 'i') \ || ('j' <= (c) && (c) <= 'r') \ || ('s' <= (c) && (c) <= 'z')) # define TOUPPER(c) (ISLOWER(c) ? 
((c) | 0x40) : (c)) #endif #define XOR(e, f) (((e) && !(f)) || (!(e) && (f))) int main () { int i; for (i = 0; i < 256; i++) if (XOR (islower (i), ISLOWER (i)) || toupper (i) != TOUPPER (i)) return 2; return 0; } _ACEOF if ac_fn_c_try_run "$LINENO"; then : else ac_cv_header_stdc=no fi rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext \ conftest.$ac_objext conftest.beam conftest.$ac_ext fi fi fi { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_header_stdc" >&5 $as_echo "$ac_cv_header_stdc" >&6; } if test $ac_cv_header_stdc = yes; then $as_echo "#define STDC_HEADERS 1" >>confdefs.h fi { $as_echo "$as_me:${as_lineno-$LINENO}: checking for sys/wait.h that is POSIX.1 compatible" >&5 $as_echo_n "checking for sys/wait.h that is POSIX.1 compatible... " >&6; } if ${ac_cv_header_sys_wait_h+:} false; then : $as_echo_n "(cached) " >&6 else cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ #include #include #ifndef WEXITSTATUS # define WEXITSTATUS(stat_val) ((unsigned int) (stat_val) >> 8) #endif #ifndef WIFEXITED # define WIFEXITED(stat_val) (((stat_val) & 255) == 0) #endif int main () { int s; wait (&s); s = WIFEXITED (s) ? 
WEXITSTATUS (s) : 1; ; return 0; } _ACEOF if ac_fn_c_try_compile "$LINENO"; then : ac_cv_header_sys_wait_h=yes else ac_cv_header_sys_wait_h=no fi rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext fi { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_header_sys_wait_h" >&5 $as_echo "$ac_cv_header_sys_wait_h" >&6; } if test $ac_cv_header_sys_wait_h = yes; then $as_echo "#define HAVE_SYS_WAIT_H 1" >>confdefs.h fi for ac_header in stdio.h stdlib.h sys/types.h unistd.h stdint.h inttypes.h ctype.h errno.h fcntl.h sys/stat.h string.h getopt.h time.h stdarg.h limits.h stdbool.h arpa/inet.h netinet/in.h sys/time.h sys/socket.h sys/mmap.h sys/mman.h sys/prctl.h do : as_ac_Header=`$as_echo "ac_cv_header_$ac_header" | $as_tr_sh` ac_fn_c_check_header_mongrel "$LINENO" "$ac_header" "$as_ac_Header" "$ac_includes_default" if eval test \"x\$"$as_ac_Header"\" = x"yes"; then : cat >>confdefs.h <<_ACEOF #define `$as_echo "HAVE_$ac_header" | $as_tr_cpp` 1 _ACEOF fi done # The cast to long int works around a bug in the HP C Compiler # version HP92453-01 B.11.11.23709.GP, which incorrectly rejects # declarations like `int a3[[(sizeof (unsigned char)) >= 0]];'. # This bug is HP SR number 8606223364. { $as_echo "$as_me:${as_lineno-$LINENO}: checking size of size_t" >&5 $as_echo_n "checking size of size_t... 
" >&6; } if ${ac_cv_sizeof_size_t+:} false; then : $as_echo_n "(cached) " >&6 else if ac_fn_c_compute_int "$LINENO" "(long int) (sizeof (size_t))" "ac_cv_sizeof_size_t" "$ac_includes_default"; then : else if test "$ac_cv_type_size_t" = yes; then { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5 $as_echo "$as_me: error: in \`$ac_pwd':" >&2;} as_fn_error 77 "cannot compute sizeof (size_t) See \`config.log' for more details" "$LINENO" 5; } else ac_cv_sizeof_size_t=0 fi fi fi { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_sizeof_size_t" >&5 $as_echo "$ac_cv_sizeof_size_t" >&6; } cat >>confdefs.h <<_ACEOF #define SIZEOF_SIZE_T $ac_cv_sizeof_size_t _ACEOF # F_SETPIPE_SZ in fcntl.h { $as_echo "$as_me:${as_lineno-$LINENO}: checking for F_SETPIPE_SZ in fcntl.h" >&5 $as_echo_n "checking for F_SETPIPE_SZ in fcntl.h... " >&6; } cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ #define _GNU_SOURCE #include #ifdef F_SETPIPE_SZ yes_have_f_setpipe_sz #endif _ACEOF if (eval "$ac_cpp conftest.$ac_ext") 2>&5 | $EGREP "yes_have_f_setpipe_sz" >/dev/null 2>&1; then : { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 $as_echo "yes" >&6; } $as_echo "#define HAVE_SETPIPE_SZ /**/" >>confdefs.h else { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 $as_echo "no" >&6; } { $as_echo "$as_me:${as_lineno-$LINENO}: F_SETPIPE_SZ not found, cannot alter FIFO" >&5 $as_echo "$as_me: F_SETPIPE_SZ not found, cannot alter FIFO" >&6;} fi rm -f conftest* # F_GETPIPE_SZ in fcntl.h { $as_echo "$as_me:${as_lineno-$LINENO}: checking for F_GETPIPE_SZ in fcntl.h" >&5 $as_echo_n "checking for F_GETPIPE_SZ in fcntl.h... " >&6; } cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. 
*/ #define _GNU_SOURCE #include #ifdef F_GETPIPE_SZ yes_have_f_getpipe_sz #endif _ACEOF if (eval "$ac_cpp conftest.$ac_ext") 2>&5 | $EGREP "yes_have_f_getpipe_sz" >/dev/null 2>&1; then : { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 $as_echo "yes" >&6; } $as_echo "#define HAVE_GETPIPE_SZ /**/" >>confdefs.h else { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 $as_echo "no" >&6; } { $as_echo "$as_me:${as_lineno-$LINENO}: F_GETPIPE_SZ not found, cannot alter FIFO" >&5 $as_echo "$as_me: F_GETPIPE_SZ not found, cannot alter FIFO" >&6;} fi rm -f conftest* # Checks for typedefs, structures, and compiler characteristics. { $as_echo "$as_me:${as_lineno-$LINENO}: checking for an ANSI C-conforming const" >&5 $as_echo_n "checking for an ANSI C-conforming const... " >&6; } if ${ac_cv_c_const+:} false; then : $as_echo_n "(cached) " >&6 else cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ int main () { #ifndef __cplusplus /* Ultrix mips cc rejects this sort of thing. */ typedef int charset[2]; const charset cs = { 0, 0 }; /* SunOS 4.1.1 cc rejects this. */ char const *const *pcpcc; char **ppc; /* NEC SVR4.0.2 mips cc rejects this. */ struct point {int x, y;}; static struct point const zero = {0,0}; /* AIX XL C 1.02.0.0 rejects this. It does not let you subtract one const X* pointer from another in an arm of an if-expression whose if-part is not a constant expression */ const char *g = "string"; pcpcc = &g + (g ? g-g : 0); /* HPUX 7.0 cc rejects these. */ ++pcpcc; ppc = (char**) pcpcc; pcpcc = (char const *const *) ppc; { /* SCO 3.2v4 cc rejects this sort of thing. */ char tx; char *t = &tx; char const *s = 0 ? (char *) 0 : (char const *) 0; *t++ = 0; if (s) return 0; } { /* Someone thinks the Sun supposedly-ANSI compiler will reject this. */ int x[] = {25, 17}; const int *foo = &x[0]; ++foo; } { /* Sun SC1.0 ANSI compiler rejects this -- but not the above. 
*/ typedef const int *iptr; iptr p = 0; ++p; } { /* AIX XL C 1.02.0.0 rejects this sort of thing, saying "k.c", line 2.27: 1506-025 (S) Operand must be a modifiable lvalue. */ struct s { int j; const int *ap[3]; } bx; struct s *b = &bx; b->j = 5; } { /* ULTRIX-32 V3.1 (Rev 9) vcc rejects this */ const int foo = 10; if (!foo) return 0; } return !cs[0] && !zero.x; #endif ; return 0; } _ACEOF if ac_fn_c_try_compile "$LINENO"; then : ac_cv_c_const=yes else ac_cv_c_const=no fi rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext fi { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_c_const" >&5 $as_echo "$ac_cv_c_const" >&6; } if test $ac_cv_c_const = no; then $as_echo "#define const /**/" >>confdefs.h fi { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether time.h and sys/time.h may both be included" >&5 $as_echo_n "checking whether time.h and sys/time.h may both be included... " >&6; } if ${ac_cv_header_time+:} false; then : $as_echo_n "(cached) " >&6 else cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ #include #include #include int main () { if ((struct tm *) 0) return 0; ; return 0; } _ACEOF if ac_fn_c_try_compile "$LINENO"; then : ac_cv_header_time=yes else ac_cv_header_time=no fi rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext fi { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_header_time" >&5 $as_echo "$ac_cv_header_time" >&6; } if test $ac_cv_header_time = yes; then $as_echo "#define TIME_WITH_SYS_TIME 1" >>confdefs.h fi # Checks for library functions. if test $ac_cv_c_compiler_gnu = yes; then { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether $CC needs -traditional" >&5 $as_echo_n "checking whether $CC needs -traditional... " >&6; } if ${ac_cv_prog_gcc_traditional+:} false; then : $as_echo_n "(cached) " >&6 else ac_pattern="Autoconf.*'x'" cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. 
*/ #include Autoconf TIOCGETP _ACEOF if (eval "$ac_cpp conftest.$ac_ext") 2>&5 | $EGREP "$ac_pattern" >/dev/null 2>&1; then : ac_cv_prog_gcc_traditional=yes else ac_cv_prog_gcc_traditional=no fi rm -f conftest* if test $ac_cv_prog_gcc_traditional = no; then cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ #include Autoconf TCGETA _ACEOF if (eval "$ac_cpp conftest.$ac_ext") 2>&5 | $EGREP "$ac_pattern" >/dev/null 2>&1; then : ac_cv_prog_gcc_traditional=yes fi rm -f conftest* fi fi { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_prog_gcc_traditional" >&5 $as_echo "$ac_cv_prog_gcc_traditional" >&6; } if test $ac_cv_prog_gcc_traditional = yes; then CC="$CC -traditional" fi fi for ac_header in stdlib.h do : ac_fn_c_check_header_mongrel "$LINENO" "stdlib.h" "ac_cv_header_stdlib_h" "$ac_includes_default" if test "x$ac_cv_header_stdlib_h" = xyes; then : cat >>confdefs.h <<_ACEOF #define HAVE_STDLIB_H 1 _ACEOF fi done { $as_echo "$as_me:${as_lineno-$LINENO}: checking for GNU libc compatible malloc" >&5 $as_echo_n "checking for GNU libc compatible malloc... " >&6; } if ${ac_cv_func_malloc_0_nonnull+:} false; then : $as_echo_n "(cached) " >&6 else if test "$cross_compiling" = yes; then : ac_cv_func_malloc_0_nonnull=no else cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ #if defined STDC_HEADERS || defined HAVE_STDLIB_H # include #else char *malloc (); #endif int main () { return ! 
malloc (0); ; return 0; } _ACEOF if ac_fn_c_try_run "$LINENO"; then : ac_cv_func_malloc_0_nonnull=yes else ac_cv_func_malloc_0_nonnull=no fi rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext \ conftest.$ac_objext conftest.beam conftest.$ac_ext fi fi { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_func_malloc_0_nonnull" >&5 $as_echo "$ac_cv_func_malloc_0_nonnull" >&6; } if test $ac_cv_func_malloc_0_nonnull = yes; then : $as_echo "#define HAVE_MALLOC 1" >>confdefs.h else $as_echo "#define HAVE_MALLOC 0" >>confdefs.h case " $LIBOBJS " in *" malloc.$ac_objext "* ) ;; *) LIBOBJS="$LIBOBJS malloc.$ac_objext" ;; esac $as_echo "#define malloc rpl_malloc" >>confdefs.h fi for ac_header in sys/select.h sys/socket.h do : as_ac_Header=`$as_echo "ac_cv_header_$ac_header" | $as_tr_sh` ac_fn_c_check_header_mongrel "$LINENO" "$ac_header" "$as_ac_Header" "$ac_includes_default" if eval test \"x\$"$as_ac_Header"\" = x"yes"; then : cat >>confdefs.h <<_ACEOF #define `$as_echo "HAVE_$ac_header" | $as_tr_cpp` 1 _ACEOF fi done { $as_echo "$as_me:${as_lineno-$LINENO}: checking types of arguments for select" >&5 $as_echo_n "checking types of arguments for select... " >&6; } if ${ac_cv_func_select_args+:} false; then : $as_echo_n "(cached) " >&6 else for ac_arg234 in 'fd_set *' 'int *' 'void *'; do for ac_arg1 in 'int' 'size_t' 'unsigned long int' 'unsigned int'; do for ac_arg5 in 'struct timeval *' 'const struct timeval *'; do cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ $ac_includes_default #ifdef HAVE_SYS_SELECT_H # include #endif #ifdef HAVE_SYS_SOCKET_H # include #endif int main () { extern int select ($ac_arg1, $ac_arg234, $ac_arg234, $ac_arg234, $ac_arg5); ; return 0; } _ACEOF if ac_fn_c_try_compile "$LINENO"; then : ac_cv_func_select_args="$ac_arg1,$ac_arg234,$ac_arg5"; break 3 fi rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext done done done # Provide a safe default value. 
: "${ac_cv_func_select_args=int,int *,struct timeval *}" fi { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_func_select_args" >&5 $as_echo "$ac_cv_func_select_args" >&6; } ac_save_IFS=$IFS; IFS=',' set dummy `echo "$ac_cv_func_select_args" | sed 's/\*/\*/g'` IFS=$ac_save_IFS shift cat >>confdefs.h <<_ACEOF #define SELECT_TYPE_ARG1 $1 _ACEOF cat >>confdefs.h <<_ACEOF #define SELECT_TYPE_ARG234 ($2) _ACEOF cat >>confdefs.h <<_ACEOF #define SELECT_TYPE_ARG5 ($3) _ACEOF rm -f conftest* { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether lstat correctly handles trailing slash" >&5 $as_echo_n "checking whether lstat correctly handles trailing slash... " >&6; } if ${ac_cv_func_lstat_dereferences_slashed_symlink+:} false; then : $as_echo_n "(cached) " >&6 else rm -f conftest.sym conftest.file echo >conftest.file if test "$as_ln_s" = "ln -s" && ln -s conftest.file conftest.sym; then if test "$cross_compiling" = yes; then : ac_cv_func_lstat_dereferences_slashed_symlink=no else cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ $ac_includes_default int main () { struct stat sbuf; /* Linux will dereference the symlink and fail, as required by POSIX. That is better in the sense that it means we will not have to compile and use the lstat wrapper. */ return lstat ("conftest.sym/", &sbuf) == 0; ; return 0; } _ACEOF if ac_fn_c_try_run "$LINENO"; then : ac_cv_func_lstat_dereferences_slashed_symlink=yes else ac_cv_func_lstat_dereferences_slashed_symlink=no fi rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext \ conftest.$ac_objext conftest.beam conftest.$ac_ext fi else # If the `ln -s' command failed, then we probably don't even # have an lstat function. 
ac_cv_func_lstat_dereferences_slashed_symlink=no fi rm -f conftest.sym conftest.file fi { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_func_lstat_dereferences_slashed_symlink" >&5 $as_echo "$ac_cv_func_lstat_dereferences_slashed_symlink" >&6; } test $ac_cv_func_lstat_dereferences_slashed_symlink = yes && cat >>confdefs.h <<_ACEOF #define LSTAT_FOLLOWS_SLASHED_SYMLINK 1 _ACEOF if test "x$ac_cv_func_lstat_dereferences_slashed_symlink" = xno; then case " $LIBOBJS " in *" lstat.$ac_objext "* ) ;; *) LIBOBJS="$LIBOBJS lstat.$ac_objext" ;; esac fi { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether stat accepts an empty string" >&5 $as_echo_n "checking whether stat accepts an empty string... " >&6; } if ${ac_cv_func_stat_empty_string_bug+:} false; then : $as_echo_n "(cached) " >&6 else if test "$cross_compiling" = yes; then : ac_cv_func_stat_empty_string_bug=yes else cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ $ac_includes_default int main () { struct stat sbuf; return stat ("", &sbuf) == 0; ; return 0; } _ACEOF if ac_fn_c_try_run "$LINENO"; then : ac_cv_func_stat_empty_string_bug=no else ac_cv_func_stat_empty_string_bug=yes fi rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext \ conftest.$ac_objext conftest.beam conftest.$ac_ext fi fi { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_func_stat_empty_string_bug" >&5 $as_echo "$ac_cv_func_stat_empty_string_bug" >&6; } if test $ac_cv_func_stat_empty_string_bug = yes; then case " $LIBOBJS " in *" stat.$ac_objext "* ) ;; *) LIBOBJS="$LIBOBJS stat.$ac_objext" ;; esac cat >>confdefs.h <<_ACEOF #define HAVE_STAT_EMPTY_STRING_BUG 1 _ACEOF fi { $as_echo "$as_me:${as_lineno-$LINENO}: checking return type of signal handlers" >&5 $as_echo_n "checking return type of signal handlers... " >&6; } if ${ac_cv_type_signal+:} false; then : $as_echo_n "(cached) " >&6 else cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. 
*/ #include #include int main () { return *(signal (0, 0)) (0) == 1; ; return 0; } _ACEOF if ac_fn_c_try_compile "$LINENO"; then : ac_cv_type_signal=int else ac_cv_type_signal=void fi rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext fi { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_type_signal" >&5 $as_echo "$ac_cv_type_signal" >&6; } cat >>confdefs.h <<_ACEOF #define RETSIGTYPE $ac_cv_type_signal _ACEOF for ac_func in strftime do : ac_fn_c_check_func "$LINENO" "strftime" "ac_cv_func_strftime" if test "x$ac_cv_func_strftime" = xyes; then : cat >>confdefs.h <<_ACEOF #define HAVE_STRFTIME 1 _ACEOF else # strftime is in -lintl on SCO UNIX. { $as_echo "$as_me:${as_lineno-$LINENO}: checking for strftime in -lintl" >&5 $as_echo_n "checking for strftime in -lintl... " >&6; } if ${ac_cv_lib_intl_strftime+:} false; then : $as_echo_n "(cached) " >&6 else ac_check_lib_save_LIBS=$LIBS LIBS="-lintl $LIBS" cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ /* Override any GCC internal prototype to avoid an error. Use char because int might match the return type of a GCC builtin and then its argument prototype would still apply. 
*/ #ifdef __cplusplus extern "C" #endif char strftime (); int main () { return strftime (); ; return 0; } _ACEOF if ac_fn_c_try_link "$LINENO"; then : ac_cv_lib_intl_strftime=yes else ac_cv_lib_intl_strftime=no fi rm -f core conftest.err conftest.$ac_objext \ conftest$ac_exeext conftest.$ac_ext LIBS=$ac_check_lib_save_LIBS fi { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_intl_strftime" >&5 $as_echo "$ac_cv_lib_intl_strftime" >&6; } if test "x$ac_cv_lib_intl_strftime" = xyes; then : $as_echo "#define HAVE_STRFTIME 1" >>confdefs.h LIBS="-lintl $LIBS" fi fi done ac_fn_c_check_type "$LINENO" "pid_t" "ac_cv_type_pid_t" "$ac_includes_default" if test "x$ac_cv_type_pid_t" = xyes; then : else cat >>confdefs.h <<_ACEOF #define pid_t int _ACEOF fi for ac_header in vfork.h do : ac_fn_c_check_header_mongrel "$LINENO" "vfork.h" "ac_cv_header_vfork_h" "$ac_includes_default" if test "x$ac_cv_header_vfork_h" = xyes; then : cat >>confdefs.h <<_ACEOF #define HAVE_VFORK_H 1 _ACEOF fi done for ac_func in fork vfork do : as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh` ac_fn_c_check_func "$LINENO" "$ac_func" "$as_ac_var" if eval test \"x\$"$as_ac_var"\" = x"yes"; then : cat >>confdefs.h <<_ACEOF #define `$as_echo "HAVE_$ac_func" | $as_tr_cpp` 1 _ACEOF fi done if test "x$ac_cv_func_fork" = xyes; then { $as_echo "$as_me:${as_lineno-$LINENO}: checking for working fork" >&5 $as_echo_n "checking for working fork... " >&6; } if ${ac_cv_func_fork_works+:} false; then : $as_echo_n "(cached) " >&6 else if test "$cross_compiling" = yes; then : ac_cv_func_fork_works=cross else cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ $ac_includes_default int main () { /* By Ruediger Kuhlmann. 
*/ return fork () < 0; ; return 0; } _ACEOF if ac_fn_c_try_run "$LINENO"; then : ac_cv_func_fork_works=yes else ac_cv_func_fork_works=no fi rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext \ conftest.$ac_objext conftest.beam conftest.$ac_ext fi fi { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_func_fork_works" >&5 $as_echo "$ac_cv_func_fork_works" >&6; } else ac_cv_func_fork_works=$ac_cv_func_fork fi if test "x$ac_cv_func_fork_works" = xcross; then case $host in *-*-amigaos* | *-*-msdosdjgpp*) # Override, as these systems have only a dummy fork() stub ac_cv_func_fork_works=no ;; *) ac_cv_func_fork_works=yes ;; esac { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: result $ac_cv_func_fork_works guessed because of cross compilation" >&5 $as_echo "$as_me: WARNING: result $ac_cv_func_fork_works guessed because of cross compilation" >&2;} fi ac_cv_func_vfork_works=$ac_cv_func_vfork if test "x$ac_cv_func_vfork" = xyes; then { $as_echo "$as_me:${as_lineno-$LINENO}: checking for working vfork" >&5 $as_echo_n "checking for working vfork... " >&6; } if ${ac_cv_func_vfork_works+:} false; then : $as_echo_n "(cached) " >&6 else if test "$cross_compiling" = yes; then : ac_cv_func_vfork_works=cross else cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ /* Thanks to Paul Eggert for this test. */ $ac_includes_default #include #ifdef HAVE_VFORK_H # include #endif /* On some sparc systems, changes by the child to local and incoming argument registers are propagated back to the parent. The compiler is told about this with #include , but some compilers (e.g. gcc -O) don't grok . Test for this by using a static variable whose address is put into a register that is clobbered by the vfork. 
*/ static void #ifdef __cplusplus sparc_address_test (int arg) # else sparc_address_test (arg) int arg; #endif { static pid_t child; if (!child) { child = vfork (); if (child < 0) { perror ("vfork"); _exit(2); } if (!child) { arg = getpid(); write(-1, "", 0); _exit (arg); } } } int main () { pid_t parent = getpid (); pid_t child; sparc_address_test (0); child = vfork (); if (child == 0) { /* Here is another test for sparc vfork register problems. This test uses lots of local variables, at least as many local variables as main has allocated so far including compiler temporaries. 4 locals are enough for gcc 1.40.3 on a Solaris 4.1.3 sparc, but we use 8 to be safe. A buggy compiler should reuse the register of parent for one of the local variables, since it will think that parent can't possibly be used any more in this routine. Assigning to the local variable will thus munge parent in the parent process. */ pid_t p = getpid(), p1 = getpid(), p2 = getpid(), p3 = getpid(), p4 = getpid(), p5 = getpid(), p6 = getpid(), p7 = getpid(); /* Convince the compiler that p..p7 are live; otherwise, it might use the same hardware register for all 8 local variables. */ if (p != p1 || p != p2 || p != p3 || p != p4 || p != p5 || p != p6 || p != p7) _exit(1); /* On some systems (e.g. IRIX 3.3), vfork doesn't separate parent from child file descriptors. If the child closes a descriptor before it execs or exits, this munges the parent's descriptor as well. Test for this by closing stdout in the child. */ _exit(close(fileno(stdout)) != 0); } else { int status; struct stat st; while (wait(&status) != child) ; return ( /* Was there some problem with vforking? */ child < 0 /* Did the child fail? (This shouldn't happen.) */ || status /* Did the vfork/compiler bug occur? */ || parent != getpid() /* Did the file descriptor bug occur? 
*/ || fstat(fileno(stdout), &st) != 0 ); } } _ACEOF if ac_fn_c_try_run "$LINENO"; then : ac_cv_func_vfork_works=yes else ac_cv_func_vfork_works=no fi rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext \ conftest.$ac_objext conftest.beam conftest.$ac_ext fi fi { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_func_vfork_works" >&5 $as_echo "$ac_cv_func_vfork_works" >&6; } fi; if test "x$ac_cv_func_fork_works" = xcross; then ac_cv_func_vfork_works=$ac_cv_func_vfork { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: result $ac_cv_func_vfork_works guessed because of cross compilation" >&5 $as_echo "$as_me: WARNING: result $ac_cv_func_vfork_works guessed because of cross compilation" >&2;} fi if test "x$ac_cv_func_vfork_works" = xyes; then $as_echo "#define HAVE_WORKING_VFORK 1" >>confdefs.h else $as_echo "#define vfork fork" >>confdefs.h fi if test "x$ac_cv_func_fork_works" = xyes; then $as_echo "#define HAVE_WORKING_FORK 1" >>confdefs.h fi for ac_header in stdlib.h do : ac_fn_c_check_header_mongrel "$LINENO" "stdlib.h" "ac_cv_header_stdlib_h" "$ac_includes_default" if test "x$ac_cv_header_stdlib_h" = xyes; then : cat >>confdefs.h <<_ACEOF #define HAVE_STDLIB_H 1 _ACEOF fi done { $as_echo "$as_me:${as_lineno-$LINENO}: checking for GNU libc compatible realloc" >&5 $as_echo_n "checking for GNU libc compatible realloc... " >&6; } if ${ac_cv_func_realloc_0_nonnull+:} false; then : $as_echo_n "(cached) " >&6 else if test "$cross_compiling" = yes; then : ac_cv_func_realloc_0_nonnull=no else cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ #if defined STDC_HEADERS || defined HAVE_STDLIB_H # include #else char *realloc (); #endif int main () { return ! 
realloc (0, 0); ; return 0; } _ACEOF if ac_fn_c_try_run "$LINENO"; then : ac_cv_func_realloc_0_nonnull=yes else ac_cv_func_realloc_0_nonnull=no fi rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext \ conftest.$ac_objext conftest.beam conftest.$ac_ext fi fi { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_func_realloc_0_nonnull" >&5 $as_echo "$ac_cv_func_realloc_0_nonnull" >&6; } if test $ac_cv_func_realloc_0_nonnull = yes; then : $as_echo "#define HAVE_REALLOC 1" >>confdefs.h else $as_echo "#define HAVE_REALLOC 0" >>confdefs.h case " $LIBOBJS " in *" realloc.$ac_objext "* ) ;; *) LIBOBJS="$LIBOBJS realloc.$ac_objext" ;; esac $as_echo "#define realloc rpl_realloc" >>confdefs.h fi ac_fn_c_check_type "$LINENO" "pid_t" "ac_cv_type_pid_t" "$ac_includes_default" if test "x$ac_cv_type_pid_t" = xyes; then : else cat >>confdefs.h <<_ACEOF #define pid_t int _ACEOF fi ac_fn_c_check_type "$LINENO" "size_t" "ac_cv_type_size_t" "$ac_includes_default" if test "x$ac_cv_type_size_t" = xyes; then : else cat >>confdefs.h <<_ACEOF #define size_t unsigned int _ACEOF fi { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether struct tm is in sys/time.h or time.h" >&5 $as_echo_n "checking whether struct tm is in sys/time.h or time.h... " >&6; } if ${ac_cv_struct_tm+:} false; then : $as_echo_n "(cached) " >&6 else cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. 
*/ #include #include int main () { struct tm tm; int *p = &tm.tm_sec; return !p; ; return 0; } _ACEOF if ac_fn_c_try_compile "$LINENO"; then : ac_cv_struct_tm=time.h else ac_cv_struct_tm=sys/time.h fi rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext fi { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_struct_tm" >&5 $as_echo "$ac_cv_struct_tm" >&6; } if test $ac_cv_struct_tm = sys/time.h; then $as_echo "#define TM_IN_SYS_TIME 1" >>confdefs.h fi ac_ext=c ac_cpp='$CPP $CPPFLAGS' ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5' ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5' ac_compiler_gnu=$ac_cv_c_compiler_gnu { $as_echo "$as_me:${as_lineno-$LINENO}: checking for x86 cpuid output" >&5 $as_echo_n "checking for x86 cpuid output... " >&6; } if ${ax_cv_gcc_x86_cpuid_+:} false; then : $as_echo_n "(cached) " >&6 else if test "$cross_compiling" = yes; then : ax_cv_gcc_x86_cpuid_=unknown else cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. 
*/ #include int main () { int op = , eax, ebx, ecx, edx; FILE *f; __asm__("cpuid" : "=a" (eax), "=b" (ebx), "=c" (ecx), "=d" (edx) : "a" (op)); f = fopen("conftest_cpuid", "w"); if (!f) return 1; fprintf(f, "%x:%x:%x:%x\n", eax, ebx, ecx, edx); fclose(f); return 0; ; return 0; } _ACEOF if ac_fn_c_try_run "$LINENO"; then : ax_cv_gcc_x86_cpuid_=`cat conftest_cpuid`; rm -f conftest_cpuid else ax_cv_gcc_x86_cpuid_=unknown; rm -f conftest_cpuid fi rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext \ conftest.$ac_objext conftest.beam conftest.$ac_ext fi fi { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ax_cv_gcc_x86_cpuid_" >&5 $as_echo "$ax_cv_gcc_x86_cpuid_" >&6; } ac_ext=c ac_cpp='$CPP $CPPFLAGS' ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5' ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5' ac_compiler_gnu=$ac_cv_c_compiler_gnu ac_ext=c ac_cpp='$CPP $CPPFLAGS' ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5' ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5' ac_compiler_gnu=$ac_cv_c_compiler_gnu { $as_echo "$as_me:${as_lineno-$LINENO}: checking for x86-AVX xgetbv output" >&5 $as_echo_n "checking for x86-AVX xgetbv output... " >&6; } if ${ax_cv_gcc_x86_avx_xgetbv_+:} false; then : $as_echo_n "(cached) " >&6 else if test "$cross_compiling" = yes; then : ax_cv_gcc_x86_avx_xgetbv_=unknown else cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. 
*/ #include int main () { int op = , eax, edx; FILE *f; /* Opcodes for xgetbv */ __asm__(".byte 0x0f, 0x01, 0xd0" : "=a" (eax), "=d" (edx) : "c" (op)); f = fopen("conftest_xgetbv", "w"); if (!f) return 1; fprintf(f, "%x:%x\n", eax, edx); fclose(f); return 0; ; return 0; } _ACEOF if ac_fn_c_try_run "$LINENO"; then : ax_cv_gcc_x86_avx_xgetbv_=`cat conftest_xgetbv`; rm -f conftest_xgetbv else ax_cv_gcc_x86_avx_xgetbv_=unknown; rm -f conftest_xgetbv fi rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext \ conftest.$ac_objext conftest.beam conftest.$ac_ext fi fi { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ax_cv_gcc_x86_avx_xgetbv_" >&5 $as_echo "$ax_cv_gcc_x86_avx_xgetbv_" >&6; } ac_ext=c ac_cpp='$CPP $CPPFLAGS' ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5' ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5' ac_compiler_gnu=$ac_cv_c_compiler_gnu case $host_cpu in powerpc*) { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether altivec is supported" >&5 $as_echo_n "checking whether altivec is supported... " >&6; } if ${ax_cv_have_altivec_ext+:} false; then : $as_echo_n "(cached) " >&6 else if test `/usr/sbin/sysctl -a 2>/dev/null| grep -c hw.optional.altivec` != 0; then if test `/usr/sbin/sysctl -n hw.optional.altivec` = 1; then ax_cv_have_altivec_ext=yes fi fi fi { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ax_cv_have_altivec_ext" >&5 $as_echo "$ax_cv_have_altivec_ext" >&6; } if test "$ax_cv_have_altivec_ext" = yes; then $as_echo "#define HAVE_ALTIVEC /**/" >>confdefs.h { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether C compiler accepts -faltivec" >&5 $as_echo_n "checking whether C compiler accepts -faltivec... " >&6; } if ${ax_cv_check_cflags___faltivec+:} false; then : $as_echo_n "(cached) " >&6 else ax_check_save_flags=$CFLAGS CFLAGS="$CFLAGS -faltivec" cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. 
*/ int main () { ; return 0; } _ACEOF if ac_fn_c_try_compile "$LINENO"; then : ax_cv_check_cflags___faltivec=yes else ax_cv_check_cflags___faltivec=no fi rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext CFLAGS=$ax_check_save_flags fi { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ax_cv_check_cflags___faltivec" >&5 $as_echo "$ax_cv_check_cflags___faltivec" >&6; } if test x"$ax_cv_check_cflags___faltivec" = xyes; then : SIMD_FLAGS="$SIMD_FLAGS -faltivec" else : fi fi ;; i[3456]86*|x86_64*|amd64*) ac_ext=c ac_cpp='$CPP $CPPFLAGS' ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5' ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5' ac_compiler_gnu=$ac_cv_c_compiler_gnu { $as_echo "$as_me:${as_lineno-$LINENO}: checking for x86 cpuid 0x00000001 output" >&5 $as_echo_n "checking for x86 cpuid 0x00000001 output... " >&6; } if ${ax_cv_gcc_x86_cpuid_0x00000001+:} false; then : $as_echo_n "(cached) " >&6 else if test "$cross_compiling" = yes; then : ax_cv_gcc_x86_cpuid_0x00000001=unknown else cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. 
*/ #include int main () { int op = 0x00000001, eax, ebx, ecx, edx; FILE *f; __asm__("cpuid" : "=a" (eax), "=b" (ebx), "=c" (ecx), "=d" (edx) : "a" (op)); f = fopen("conftest_cpuid", "w"); if (!f) return 1; fprintf(f, "%x:%x:%x:%x\n", eax, ebx, ecx, edx); fclose(f); return 0; ; return 0; } _ACEOF if ac_fn_c_try_run "$LINENO"; then : ax_cv_gcc_x86_cpuid_0x00000001=`cat conftest_cpuid`; rm -f conftest_cpuid else ax_cv_gcc_x86_cpuid_0x00000001=unknown; rm -f conftest_cpuid fi rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext \ conftest.$ac_objext conftest.beam conftest.$ac_ext fi fi { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ax_cv_gcc_x86_cpuid_0x00000001" >&5 $as_echo "$ax_cv_gcc_x86_cpuid_0x00000001" >&6; } ac_ext=c ac_cpp='$CPP $CPPFLAGS' ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5' ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5' ac_compiler_gnu=$ac_cv_c_compiler_gnu ecx=0 edx=0 if test "$ax_cv_gcc_x86_cpuid_0x00000001" != "unknown"; then ecx=`echo $ax_cv_gcc_x86_cpuid_0x00000001 | cut -d ":" -f 3` edx=`echo $ax_cv_gcc_x86_cpuid_0x00000001 | cut -d ":" -f 4` fi { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether mmx is supported" >&5 $as_echo_n "checking whether mmx is supported... " >&6; } if ${ax_cv_have_mmx_ext+:} false; then : $as_echo_n "(cached) " >&6 else ax_cv_have_mmx_ext=no if test "$((0x$edx>>23&0x01))" = 1; then ax_cv_have_mmx_ext=yes fi fi { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ax_cv_have_mmx_ext" >&5 $as_echo "$ax_cv_have_mmx_ext" >&6; } { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether sse is supported" >&5 $as_echo_n "checking whether sse is supported... 
" >&6; } if ${ax_cv_have_sse_ext+:} false; then : $as_echo_n "(cached) " >&6 else ax_cv_have_sse_ext=no if test "$((0x$edx>>25&0x01))" = 1; then ax_cv_have_sse_ext=yes fi fi { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ax_cv_have_sse_ext" >&5 $as_echo "$ax_cv_have_sse_ext" >&6; } { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether sse2 is supported" >&5 $as_echo_n "checking whether sse2 is supported... " >&6; } if ${ax_cv_have_sse2_ext+:} false; then : $as_echo_n "(cached) " >&6 else ax_cv_have_sse2_ext=no if test "$((0x$edx>>26&0x01))" = 1; then ax_cv_have_sse2_ext=yes fi fi { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ax_cv_have_sse2_ext" >&5 $as_echo "$ax_cv_have_sse2_ext" >&6; } { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether sse3 is supported" >&5 $as_echo_n "checking whether sse3 is supported... " >&6; } if ${ax_cv_have_sse3_ext+:} false; then : $as_echo_n "(cached) " >&6 else ax_cv_have_sse3_ext=no if test "$((0x$ecx&0x01))" = 1; then ax_cv_have_sse3_ext=yes fi fi { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ax_cv_have_sse3_ext" >&5 $as_echo "$ax_cv_have_sse3_ext" >&6; } { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether ssse3 is supported" >&5 $as_echo_n "checking whether ssse3 is supported... " >&6; } if ${ax_cv_have_ssse3_ext+:} false; then : $as_echo_n "(cached) " >&6 else ax_cv_have_ssse3_ext=no if test "$((0x$ecx>>9&0x01))" = 1; then ax_cv_have_ssse3_ext=yes fi fi { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ax_cv_have_ssse3_ext" >&5 $as_echo "$ax_cv_have_ssse3_ext" >&6; } { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether sse4.1 is supported" >&5 $as_echo_n "checking whether sse4.1 is supported... 
" >&6; } if ${ax_cv_have_sse41_ext+:} false; then : $as_echo_n "(cached) " >&6 else ax_cv_have_sse41_ext=no if test "$((0x$ecx>>19&0x01))" = 1; then ax_cv_have_sse41_ext=yes fi fi { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ax_cv_have_sse41_ext" >&5 $as_echo "$ax_cv_have_sse41_ext" >&6; } { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether sse4.2 is supported" >&5 $as_echo_n "checking whether sse4.2 is supported... " >&6; } if ${ax_cv_have_sse42_ext+:} false; then : $as_echo_n "(cached) " >&6 else ax_cv_have_sse42_ext=no if test "$((0x$ecx>>20&0x01))" = 1; then ax_cv_have_sse42_ext=yes fi fi { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ax_cv_have_sse42_ext" >&5 $as_echo "$ax_cv_have_sse42_ext" >&6; } { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether avx is supported by processor" >&5 $as_echo_n "checking whether avx is supported by processor... " >&6; } if ${ax_cv_have_avx_cpu_ext+:} false; then : $as_echo_n "(cached) " >&6 else ax_cv_have_avx_cpu_ext=no if test "$((0x$ecx>>28&0x01))" = 1; then ax_cv_have_avx_cpu_ext=yes fi fi { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ax_cv_have_avx_cpu_ext" >&5 $as_echo "$ax_cv_have_avx_cpu_ext" >&6; } if test x"$ax_cv_have_avx_cpu_ext" = x"yes"; then ac_ext=c ac_cpp='$CPP $CPPFLAGS' ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5' ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5' ac_compiler_gnu=$ac_cv_c_compiler_gnu { $as_echo "$as_me:${as_lineno-$LINENO}: checking for x86-AVX xgetbv 0x00000000 output" >&5 $as_echo_n "checking for x86-AVX xgetbv 0x00000000 output... " >&6; } if ${ax_cv_gcc_x86_avx_xgetbv_0x00000000+:} false; then : $as_echo_n "(cached) " >&6 else if test "$cross_compiling" = yes; then : ax_cv_gcc_x86_avx_xgetbv_0x00000000=unknown else cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. 
*/ #include int main () { int op = 0x00000000, eax, edx; FILE *f; /* Opcodes for xgetbv */ __asm__(".byte 0x0f, 0x01, 0xd0" : "=a" (eax), "=d" (edx) : "c" (op)); f = fopen("conftest_xgetbv", "w"); if (!f) return 1; fprintf(f, "%x:%x\n", eax, edx); fclose(f); return 0; ; return 0; } _ACEOF if ac_fn_c_try_run "$LINENO"; then : ax_cv_gcc_x86_avx_xgetbv_0x00000000=`cat conftest_xgetbv`; rm -f conftest_xgetbv else ax_cv_gcc_x86_avx_xgetbv_0x00000000=unknown; rm -f conftest_xgetbv fi rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext \ conftest.$ac_objext conftest.beam conftest.$ac_ext fi fi { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ax_cv_gcc_x86_avx_xgetbv_0x00000000" >&5 $as_echo "$ax_cv_gcc_x86_avx_xgetbv_0x00000000" >&6; } ac_ext=c ac_cpp='$CPP $CPPFLAGS' ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5' ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5' ac_compiler_gnu=$ac_cv_c_compiler_gnu xgetbv_eax="0" if test x"$ax_cv_gcc_x86_avx_xgetbv_0x00000000" != x"unknown"; then xgetbv_eax=`echo $ax_cv_gcc_x86_avx_xgetbv_0x00000000 | cut -d ":" -f 1` fi { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether avx is supported by operating system" >&5 $as_echo_n "checking whether avx is supported by operating system... 
" >&6; } if ${ax_cv_have_avx_ext+:} false; then : $as_echo_n "(cached) " >&6 else ax_cv_have_avx_ext=no if test "$((0x$ecx>>27&0x01))" = 1; then if test "$((0x$xgetbv_eax&0x6))" = 6; then ax_cv_have_avx_ext=yes fi fi fi { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ax_cv_have_avx_ext" >&5 $as_echo "$ax_cv_have_avx_ext" >&6; } if test x"$ax_cv_have_avx_ext" = x"no"; then { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: Your processor supports AVX, but your operating system doesn't" >&5 $as_echo "$as_me: WARNING: Your processor supports AVX, but your operating system doesn't" >&2;} fi fi if test "$ax_cv_have_mmx_ext" = yes; then { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether C compiler accepts -mmmx" >&5 $as_echo_n "checking whether C compiler accepts -mmmx... " >&6; } if ${ax_cv_check_cflags___mmmx+:} false; then : $as_echo_n "(cached) " >&6 else ax_check_save_flags=$CFLAGS CFLAGS="$CFLAGS -mmmx" cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ int main () { ; return 0; } _ACEOF if ac_fn_c_try_compile "$LINENO"; then : ax_cv_check_cflags___mmmx=yes else ax_cv_check_cflags___mmmx=no fi rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext CFLAGS=$ax_check_save_flags fi { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ax_cv_check_cflags___mmmx" >&5 $as_echo "$ax_cv_check_cflags___mmmx" >&6; } if test x"$ax_cv_check_cflags___mmmx" = xyes; then : ax_cv_support_mmx_ext=yes else : fi if test x"$ax_cv_support_mmx_ext" = x"yes"; then SIMD_FLAGS="$SIMD_FLAGS -mmmx" $as_echo "#define HAVE_MMX /**/" >>confdefs.h else { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: Your processor supports mmx instructions but not your compiler, can you try another compiler?" >&5 $as_echo "$as_me: WARNING: Your processor supports mmx instructions but not your compiler, can you try another compiler?" 
>&2;} fi fi if test "$ax_cv_have_sse_ext" = yes; then { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether C compiler accepts -msse" >&5 $as_echo_n "checking whether C compiler accepts -msse... " >&6; } if ${ax_cv_check_cflags___msse+:} false; then : $as_echo_n "(cached) " >&6 else ax_check_save_flags=$CFLAGS CFLAGS="$CFLAGS -msse" cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ int main () { ; return 0; } _ACEOF if ac_fn_c_try_compile "$LINENO"; then : ax_cv_check_cflags___msse=yes else ax_cv_check_cflags___msse=no fi rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext CFLAGS=$ax_check_save_flags fi { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ax_cv_check_cflags___msse" >&5 $as_echo "$ax_cv_check_cflags___msse" >&6; } if test x"$ax_cv_check_cflags___msse" = xyes; then : ax_cv_support_sse_ext=yes else : fi if test x"$ax_cv_support_sse_ext" = x"yes"; then SIMD_FLAGS="$SIMD_FLAGS -msse" $as_echo "#define HAVE_SSE /**/" >>confdefs.h else { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: Your processor supports sse instructions but not your compiler, can you try another compiler?" >&5 $as_echo "$as_me: WARNING: Your processor supports sse instructions but not your compiler, can you try another compiler?" >&2;} fi fi if test "$ax_cv_have_sse2_ext" = yes; then { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether C compiler accepts -msse2" >&5 $as_echo_n "checking whether C compiler accepts -msse2... " >&6; } if ${ax_cv_check_cflags___msse2+:} false; then : $as_echo_n "(cached) " >&6 else ax_check_save_flags=$CFLAGS CFLAGS="$CFLAGS -msse2" cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. 
*/ int main () { ; return 0; } _ACEOF if ac_fn_c_try_compile "$LINENO"; then : ax_cv_check_cflags___msse2=yes else ax_cv_check_cflags___msse2=no fi rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext CFLAGS=$ax_check_save_flags fi { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ax_cv_check_cflags___msse2" >&5 $as_echo "$ax_cv_check_cflags___msse2" >&6; } if test x"$ax_cv_check_cflags___msse2" = xyes; then : ax_cv_support_sse2_ext=yes else : fi if test x"$ax_cv_support_sse2_ext" = x"yes"; then SIMD_FLAGS="$SIMD_FLAGS -msse2" $as_echo "#define HAVE_SSE2 /**/" >>confdefs.h else { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: Your processor supports sse2 instructions but not your compiler, can you try another compiler?" >&5 $as_echo "$as_me: WARNING: Your processor supports sse2 instructions but not your compiler, can you try another compiler?" >&2;} fi fi if test "$ax_cv_have_sse3_ext" = yes; then { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether C compiler accepts -msse3" >&5 $as_echo_n "checking whether C compiler accepts -msse3... " >&6; } if ${ax_cv_check_cflags___msse3+:} false; then : $as_echo_n "(cached) " >&6 else ax_check_save_flags=$CFLAGS CFLAGS="$CFLAGS -msse3" cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. 
*/ int main () { ; return 0; } _ACEOF if ac_fn_c_try_compile "$LINENO"; then : ax_cv_check_cflags___msse3=yes else ax_cv_check_cflags___msse3=no fi rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext CFLAGS=$ax_check_save_flags fi { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ax_cv_check_cflags___msse3" >&5 $as_echo "$ax_cv_check_cflags___msse3" >&6; } if test x"$ax_cv_check_cflags___msse3" = xyes; then : ax_cv_support_sse3_ext=yes else : fi if test x"$ax_cv_support_sse3_ext" = x"yes"; then SIMD_FLAGS="$SIMD_FLAGS -msse3" $as_echo "#define HAVE_SSE3 /**/" >>confdefs.h else { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: Your processor supports sse3 instructions but not your compiler, can you try another compiler?" >&5 $as_echo "$as_me: WARNING: Your processor supports sse3 instructions but not your compiler, can you try another compiler?" >&2;} fi fi if test "$ax_cv_have_ssse3_ext" = yes; then { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether C compiler accepts -mssse3" >&5 $as_echo_n "checking whether C compiler accepts -mssse3... " >&6; } if ${ax_cv_check_cflags___mssse3+:} false; then : $as_echo_n "(cached) " >&6 else ax_check_save_flags=$CFLAGS CFLAGS="$CFLAGS -mssse3" cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. 
*/ int main () { ; return 0; } _ACEOF if ac_fn_c_try_compile "$LINENO"; then : ax_cv_check_cflags___mssse3=yes else ax_cv_check_cflags___mssse3=no fi rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext CFLAGS=$ax_check_save_flags fi { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ax_cv_check_cflags___mssse3" >&5 $as_echo "$ax_cv_check_cflags___mssse3" >&6; } if test x"$ax_cv_check_cflags___mssse3" = xyes; then : ax_cv_support_ssse3_ext=yes else : fi if test x"$ax_cv_support_ssse3_ext" = x"yes"; then SIMD_FLAGS="$SIMD_FLAGS -mssse3" $as_echo "#define HAVE_SSSE3 /**/" >>confdefs.h else { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: Your processor supports ssse3 instructions but not your compiler, can you try another compiler?" >&5 $as_echo "$as_me: WARNING: Your processor supports ssse3 instructions but not your compiler, can you try another compiler?" >&2;} fi fi if test "$ax_cv_have_sse41_ext" = yes; then { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether C compiler accepts -msse4.1" >&5 $as_echo_n "checking whether C compiler accepts -msse4.1... " >&6; } if ${ax_cv_check_cflags___msse4_1+:} false; then : $as_echo_n "(cached) " >&6 else ax_check_save_flags=$CFLAGS CFLAGS="$CFLAGS -msse4.1" cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. 
*/ int main () { ; return 0; } _ACEOF if ac_fn_c_try_compile "$LINENO"; then : ax_cv_check_cflags___msse4_1=yes else ax_cv_check_cflags___msse4_1=no fi rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext CFLAGS=$ax_check_save_flags fi { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ax_cv_check_cflags___msse4_1" >&5 $as_echo "$ax_cv_check_cflags___msse4_1" >&6; } if test x"$ax_cv_check_cflags___msse4_1" = xyes; then : ax_cv_support_sse41_ext=yes else : fi if test x"$ax_cv_support_sse41_ext" = x"yes"; then SIMD_FLAGS="$SIMD_FLAGS -msse4.1" $as_echo "#define HAVE_SSE4_1 /**/" >>confdefs.h else { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: Your processor supports sse4.1 instructions but not your compiler, can you try another compiler?" >&5 $as_echo "$as_me: WARNING: Your processor supports sse4.1 instructions but not your compiler, can you try another compiler?" >&2;} fi fi if test "$ax_cv_have_sse42_ext" = yes; then { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether C compiler accepts -msse4.2" >&5 $as_echo_n "checking whether C compiler accepts -msse4.2... " >&6; } if ${ax_cv_check_cflags___msse4_2+:} false; then : $as_echo_n "(cached) " >&6 else ax_check_save_flags=$CFLAGS CFLAGS="$CFLAGS -msse4.2" cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. 
*/ int main () { ; return 0; } _ACEOF if ac_fn_c_try_compile "$LINENO"; then : ax_cv_check_cflags___msse4_2=yes else ax_cv_check_cflags___msse4_2=no fi rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext CFLAGS=$ax_check_save_flags fi { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ax_cv_check_cflags___msse4_2" >&5 $as_echo "$ax_cv_check_cflags___msse4_2" >&6; } if test x"$ax_cv_check_cflags___msse4_2" = xyes; then : ax_cv_support_sse42_ext=yes else : fi if test x"$ax_cv_support_sse42_ext" = x"yes"; then SIMD_FLAGS="$SIMD_FLAGS -msse4.2" $as_echo "#define HAVE_SSE4_2 /**/" >>confdefs.h else { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: Your processor supports sse4.2 instructions but not your compiler, can you try another compiler?" >&5 $as_echo "$as_me: WARNING: Your processor supports sse4.2 instructions but not your compiler, can you try another compiler?" >&2;} fi fi if test "$ax_cv_have_avx_ext" = yes; then { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether C compiler accepts -mavx" >&5 $as_echo_n "checking whether C compiler accepts -mavx... " >&6; } if ${ax_cv_check_cflags___mavx+:} false; then : $as_echo_n "(cached) " >&6 else ax_check_save_flags=$CFLAGS CFLAGS="$CFLAGS -mavx" cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. 
*/ int main () { ; return 0; } _ACEOF if ac_fn_c_try_compile "$LINENO"; then : ax_cv_check_cflags___mavx=yes else ax_cv_check_cflags___mavx=no fi rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext CFLAGS=$ax_check_save_flags fi { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ax_cv_check_cflags___mavx" >&5 $as_echo "$ax_cv_check_cflags___mavx" >&6; } if test x"$ax_cv_check_cflags___mavx" = xyes; then : ax_cv_support_avx_ext=yes else : fi if test x"$ax_cv_support_avx_ext" = x"yes"; then SIMD_FLAGS="$SIMD_FLAGS -mavx" $as_echo "#define HAVE_AVX /**/" >>confdefs.h else { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: Your processor supports avx instructions but not your compiler, can you try another compiler?" >&5 $as_echo "$as_me: WARNING: Your processor supports avx instructions but not your compiler, can you try another compiler?" >&2;} fi fi ;; esac # By default we simply use the C compiler to build assembly code. test "${CCAS+set}" = set || CCAS=$CC test "${CCASFLAGS+set}" = set || CCASFLAGS=$CFLAGS depcc="$CCAS" am_compiler_list= { $as_echo "$as_me:${as_lineno-$LINENO}: checking dependency style of $depcc" >&5 $as_echo_n "checking dependency style of $depcc... " >&6; } if ${am_cv_CCAS_dependencies_compiler_type+:} false; then : $as_echo_n "(cached) " >&6 else if test -z "$AMDEP_TRUE" && test -f "$am_depcomp"; then # We make a subdir and do the tests there. Otherwise we can end up # making bogus files that we don't know about and never remove. For # instance it was reported that on HP-UX the gcc test will end up # making a dummy file named 'D' -- because '-MD' means "put the output # in D". rm -rf conftest.dir mkdir conftest.dir # Copy depcomp to subdir because otherwise we won't find it if we're # using a relative directory. cp "$am_depcomp" conftest.dir cd conftest.dir # We will build objects and dependencies in a subdirectory because # it helps to detect inapplicable dependency modes. 
For instance # both Tru64's cc and ICC support -MD to output dependencies as a # side effect of compilation, but ICC will put the dependencies in # the current directory while Tru64 will put them in the object # directory. mkdir sub am_cv_CCAS_dependencies_compiler_type=none if test "$am_compiler_list" = ""; then am_compiler_list=`sed -n 's/^#*\([a-zA-Z0-9]*\))$/\1/p' < ./depcomp` fi am__universal=false for depmode in $am_compiler_list; do # Setup a source with many dependencies, because some compilers # like to wrap large dependency lists on column 80 (with \), and # we should not choose a depcomp mode which is confused by this. # # We need to recreate these files for each test, as the compiler may # overwrite some of them when testing with obscure command lines. # This happens at least with the AIX C compiler. : > sub/conftest.c for i in 1 2 3 4 5 6; do echo '#include "conftst'$i'.h"' >> sub/conftest.c # Using ": > sub/conftst$i.h" creates only sub/conftst1.h with # Solaris 10 /bin/sh. echo '/* dummy */' > sub/conftst$i.h done echo "${am__include} ${am__quote}sub/conftest.Po${am__quote}" > confmf # We check with '-c' and '-o' for the sake of the "dashmstdout" # mode. It turns out that the SunPro C++ compiler does not properly # handle '-M -o', and we need to detect this. Also, some Intel # versions had trouble with output in subdirs. am__obj=sub/conftest.${OBJEXT-o} am__minus_obj="-o $am__obj" case $depmode in gcc) # This depmode causes a compiler race in universal mode. test "$am__universal" = false || continue ;; nosideeffect) # After this tag, mechanisms are not by side-effect, so they'll # only be used when explicitly requested. if test "x$enable_dependency_tracking" = xyes; then continue else break fi ;; msvc7 | msvc7msys | msvisualcpp | msvcmsys) # This compiler won't grok '-c -o', but also, the minuso test has # not run yet. These depmodes are late enough in the game, and # so weak that their functioning should not be impacted. 
am__obj=conftest.${OBJEXT-o} am__minus_obj= ;; none) break ;; esac if depmode=$depmode \ source=sub/conftest.c object=$am__obj \ depfile=sub/conftest.Po tmpdepfile=sub/conftest.TPo \ $SHELL ./depcomp $depcc -c $am__minus_obj sub/conftest.c \ >/dev/null 2>conftest.err && grep sub/conftst1.h sub/conftest.Po > /dev/null 2>&1 && grep sub/conftst6.h sub/conftest.Po > /dev/null 2>&1 && grep $am__obj sub/conftest.Po > /dev/null 2>&1 && ${MAKE-make} -s -f confmf > /dev/null 2>&1; then # icc doesn't choke on unknown options, it will just issue warnings # or remarks (even with -Werror). So we grep stderr for any message # that says an option was ignored or not supported. # When given -MP, icc 7.0 and 7.1 complain thusly: # icc: Command line warning: ignoring option '-M'; no argument required # The diagnosis changed in icc 8.0: # icc: Command line remark: option '-MP' not supported if (grep 'ignoring option' conftest.err || grep 'not supported' conftest.err) >/dev/null 2>&1; then :; else am_cv_CCAS_dependencies_compiler_type=$depmode break fi fi done cd .. 
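rm -rf conftest.dir
else
  am_cv_CCAS_dependencies_compiler_type=none
fi
fi
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $am_cv_CCAS_dependencies_compiler_type" >&5
$as_echo "$am_cv_CCAS_dependencies_compiler_type" >&6; }
CCASDEPMODE=depmode=$am_cv_CCAS_dependencies_compiler_type

# NOTE(review): this is autoconf-generated shell (ac_fn_* helpers, confdefs.h);
# lasting fixes belong in the configure.ac it was presumably generated from.
# Fixes applied here: the "#include <pcre.h>" lines inside the conftest
# heredocs had lost their header name (the probes could never compile, so
# PCRE_EXTRA_MATCH_LIMIT_RECURSION / pcre_free_study / JIT detection always
# failed), the libprce_buggy_found typo, the libyaml header check whose
# result was discarded by a later LIBYAML="" reset, and a stripped URL in a
# pkg-config error message.

if test "x$enable_dependency_tracking" != xno \
   && test "$am_cv_CCAS_dependencies_compiler_type" = gcc3; then
  am__fastdepCCAS_TRUE=
  am__fastdepCCAS_FALSE='#'
else
  am__fastdepCCAS_TRUE='#'
  am__fastdepCCAS_FALSE=
fi

# Probe for each libc function and define HAVE_<NAME> on success.
# NOTE(review): "sizeof" is a C operator, not a function, so that probe can
# never succeed; it is harmless but HAVE_SIZEOF is never defined.
for ac_func in select strstr strchr strcmp strlen sizeof write snprintf strncat strlcat strlcpy getopt_long gethostbyname socket htons connect send recv dup2 strspn strdup memset access ftruncate strerror mmap shm_open gettimeofday
do :
  as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh`
ac_fn_c_check_func "$LINENO" "$ac_func" "$as_ac_var"
if eval test \"x\$"$as_ac_var"\" = x"yes"; then :
  cat >>confdefs.h <<_ACEOF
#define `$as_echo "HAVE_$ac_func" | $as_tr_cpp` 1
_ACEOF

fi
done

# libm is mandatory.
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for main in -lm" >&5
$as_echo_n "checking for main in -lm... " >&6; }
if ${ac_cv_lib_m_main+:} false; then :
  $as_echo_n "(cached) " >&6
else
  ac_check_lib_save_LIBS=$LIBS
LIBS="-lm $LIBS"
cat confdefs.h - <<_ACEOF >conftest.$ac_ext
/* end confdefs.h. */


int
main ()
{
return main ();
  ;
  return 0;
}
_ACEOF
if ac_fn_c_try_link "$LINENO"; then :
  ac_cv_lib_m_main=yes
else
  ac_cv_lib_m_main=no
fi
rm -f core conftest.err conftest.$ac_objext \
    conftest$ac_exeext conftest.$ac_ext
LIBS=$ac_check_lib_save_LIBS
fi
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_m_main" >&5
$as_echo "$ac_cv_lib_m_main" >&6; }
if test "x$ac_cv_lib_m_main" = xyes; then :
  cat >>confdefs.h <<_ACEOF
#define HAVE_LIBM 1
_ACEOF

  LIBS="-lm $LIBS"

else
  as_fn_error $? "Sagan needs libm!" "$LINENO" 5
fi


# OSX doesn't have librt - this needs to be fixed!
# librt is mandatory (configure aborts below when it is absent).
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for main in -lrt" >&5
$as_echo_n "checking for main in -lrt... " >&6; }
if ${ac_cv_lib_rt_main+:} false; then :
  $as_echo_n "(cached) " >&6
else
  ac_check_lib_save_LIBS=$LIBS
LIBS="-lrt $LIBS"
cat confdefs.h - <<_ACEOF >conftest.$ac_ext
/* end confdefs.h. */


int
main ()
{
return main ();
  ;
  return 0;
}
_ACEOF
if ac_fn_c_try_link "$LINENO"; then :
  ac_cv_lib_rt_main=yes
else
  ac_cv_lib_rt_main=no
fi
rm -f core conftest.err conftest.$ac_objext \
    conftest$ac_exeext conftest.$ac_ext
LIBS=$ac_check_lib_save_LIBS
fi
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_rt_main" >&5
$as_echo "$ac_cv_lib_rt_main" >&6; }
if test "x$ac_cv_lib_rt_main" = xyes; then :
  cat >>confdefs.h <<_ACEOF
#define HAVE_LIBRT 1
_ACEOF

  LIBS="-lrt $LIBS"

else
  as_fn_error $? "Sagan needs librt!" "$LINENO" 5
fi


# libpthread
# --with-libpthread_includes / --with-libpthread_libraries add extra -I / -L
# search paths; the library itself is mandatory.

# Check whether --with-libpthread_includes was given.
if test "${with_libpthread_includes+set}" = set; then :
  withval=$with_libpthread_includes; with_libpthread_includes="$withval"
else
  with_libpthread_includes=no
fi


# Check whether --with-libpthread_libraries was given.
if test "${with_libpthread_libraries+set}" = set; then :
  withval=$with_libpthread_libraries; with_libpthread_libraries="$withval"
else
  with_libpthread_libraries="no"
fi


if test "$with_libpthread_includes" != "no"; then
  CPPFLAGS="${CPPFLAGS} -I${with_libpthread_includes}"
fi

if test "$with_libpthread_libraries" != "no"; then
  LDFLAGS="${LDFLAGS} -L${with_libpthread_libraries}"
fi

PTHREAD=""
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for pthread_create in -lpthread" >&5
$as_echo_n "checking for pthread_create in -lpthread... " >&6; }
if ${ac_cv_lib_pthread_pthread_create+:} false; then :
  $as_echo_n "(cached) " >&6
else
  ac_check_lib_save_LIBS=$LIBS
LIBS="-lpthread $LIBS"
cat confdefs.h - <<_ACEOF >conftest.$ac_ext
/* end confdefs.h. */

/* Override any GCC internal prototype to avoid an error.
   Use char because int might match the return type of a GCC
   builtin and then its argument prototype would still apply. */
#ifdef __cplusplus
extern "C"
#endif
char pthread_create ();
int
main ()
{
return pthread_create ();
  ;
  return 0;
}
_ACEOF
if ac_fn_c_try_link "$LINENO"; then :
  ac_cv_lib_pthread_pthread_create=yes
else
  ac_cv_lib_pthread_pthread_create=no
fi
rm -f core conftest.err conftest.$ac_objext \
    conftest$ac_exeext conftest.$ac_ext
LIBS=$ac_check_lib_save_LIBS
fi
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_pthread_pthread_create" >&5
$as_echo "$ac_cv_lib_pthread_pthread_create" >&6; }
if test "x$ac_cv_lib_pthread_pthread_create" = xyes; then :
  cat >>confdefs.h <<_ACEOF
#define HAVE_LIBPTHREAD 1
_ACEOF

  LIBS="-lpthread $LIBS"

else
  PTHREAD="no"
fi


if test "$PTHREAD" = "no"; then
  echo
  echo "   ERROR!  libpthread library not found,"
  echo
  exit 1
fi

# libyaml
# Both the yaml.h header and the library are required; either one missing
# sets LIBYAML="no" and aborts below.

# Check whether --with-libyaml_includes was given.
if test "${with_libyaml_includes+set}" = set; then :
  withval=$with_libyaml_includes; with_libyaml_includes="$withval"
else
  with_libyaml_includes=no
fi


# Check whether --with-libyaml_libraries was given.
if test "${with_libyaml_libraries+set}" = set; then :
  withval=$with_libyaml_libraries; with_libyaml_libraries="$withval"
else
  with_libyaml_libraries="no"
fi


if test "$with_libyaml_includes" != "no"; then
  CPPFLAGS="${CPPFLAGS} -I${with_libyaml_includes}"
fi

# Reset before the header check so that a missing yaml.h is not lost; the
# original reset LIBYAML="" after the header check, silently discarding it.
LIBYAML=""
ac_fn_c_check_header_mongrel "$LINENO" "yaml.h" "ac_cv_header_yaml_h" "$ac_includes_default"
if test "x$ac_cv_header_yaml_h" = xyes; then :

else
  LIBYAML="no"
fi


if test "$with_libyaml_libraries" != "no"; then
  LDFLAGS="${LDFLAGS} -L${with_libyaml_libraries}"
fi

{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for yaml_parser_initialize in -lyaml" >&5
$as_echo_n "checking for yaml_parser_initialize in -lyaml... " >&6; }
if ${ac_cv_lib_yaml_yaml_parser_initialize+:} false; then :
  $as_echo_n "(cached) " >&6
else
  ac_check_lib_save_LIBS=$LIBS
LIBS="-lyaml $LIBS"
cat confdefs.h - <<_ACEOF >conftest.$ac_ext
/* end confdefs.h. */

/* Override any GCC internal prototype to avoid an error.
   Use char because int might match the return type of a GCC
   builtin and then its argument prototype would still apply. */
#ifdef __cplusplus
extern "C"
#endif
char yaml_parser_initialize ();
int
main ()
{
return yaml_parser_initialize ();
  ;
  return 0;
}
_ACEOF
if ac_fn_c_try_link "$LINENO"; then :
  ac_cv_lib_yaml_yaml_parser_initialize=yes
else
  ac_cv_lib_yaml_yaml_parser_initialize=no
fi
rm -f core conftest.err conftest.$ac_objext \
    conftest$ac_exeext conftest.$ac_ext
LIBS=$ac_check_lib_save_LIBS
fi
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_yaml_yaml_parser_initialize" >&5
$as_echo "$ac_cv_lib_yaml_yaml_parser_initialize" >&6; }
if test "x$ac_cv_lib_yaml_yaml_parser_initialize" = xyes; then :
  cat >>confdefs.h <<_ACEOF
#define HAVE_LIBYAML 1
_ACEOF

  LIBS="-lyaml $LIBS"

else
  LIBYAML="no"
fi


if test "$LIBYAML" = "no"; then
  echo
  echo "   ERROR!  libyaml library not found, go get it"
  echo "   from http://pyyaml.org/wiki/LibYAML "
  echo "   or your distribution:"
  echo
  echo "   Debian/Ubuntu: apt-get install libyaml-dev"
  echo "   Fedora: yum install libyaml-devel"
  echo
  exit 1
fi

##############################################################################
# libpcre - This section was taken from the Suricata configure.ac.  It does
# some extra checks and enabled PCRE JIT - 2016/11/01
##############################################################################

# Check whether --with-libpcre_includes was given.
if test "${with_libpcre_includes+set}" = set; then :
  withval=$with_libpcre_includes; with_libpcre_includes="$withval"
else
  with_libpcre_includes=no
fi


# Check whether --with-libpcre_libraries was given.
if test "${with_libpcre_libraries+set}" = set; then :
  withval=$with_libpcre_libraries; with_libpcre_libraries="$withval"
else
  with_libpcre_libraries="no"
fi


if test "$with_libpcre_includes" != "no"; then
  CPPFLAGS="${CPPFLAGS} -I${with_libpcre_includes}"
fi

# Unlike libyaml above, a missing pcre.h is fatal immediately.
ac_fn_c_check_header_mongrel "$LINENO" "pcre.h" "ac_cv_header_pcre_h" "$ac_includes_default"
if test "x$ac_cv_header_pcre_h" = xyes; then :

else
  as_fn_error $? "pcre.h not found ..." "$LINENO" 5
fi


if test "$with_libpcre_libraries" != "no"; then
  LDFLAGS="${LDFLAGS} -L${with_libpcre_libraries}"
fi

PCRE=""
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for pcre_get_substring in -lpcre" >&5
$as_echo_n "checking for pcre_get_substring in -lpcre... " >&6; }
if ${ac_cv_lib_pcre_pcre_get_substring+:} false; then :
  $as_echo_n "(cached) " >&6
else
  ac_check_lib_save_LIBS=$LIBS
LIBS="-lpcre $LIBS"
cat confdefs.h - <<_ACEOF >conftest.$ac_ext
/* end confdefs.h. */

/* Override any GCC internal prototype to avoid an error.
   Use char because int might match the return type of a GCC
   builtin and then its argument prototype would still apply. */
#ifdef __cplusplus
extern "C"
#endif
char pcre_get_substring ();
int
main ()
{
return pcre_get_substring ();
  ;
  return 0;
}
_ACEOF
if ac_fn_c_try_link "$LINENO"; then :
  ac_cv_lib_pcre_pcre_get_substring=yes
else
  ac_cv_lib_pcre_pcre_get_substring=no
fi
rm -f core conftest.err conftest.$ac_objext \
    conftest$ac_exeext conftest.$ac_ext
LIBS=$ac_check_lib_save_LIBS
fi
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_pcre_pcre_get_substring" >&5
$as_echo "$ac_cv_lib_pcre_pcre_get_substring" >&6; }
if test "x$ac_cv_lib_pcre_pcre_get_substring" = xyes; then :
  cat >>confdefs.h <<_ACEOF
#define HAVE_LIBPCRE 1
_ACEOF

  LIBS="-lpcre $LIBS"

else
  PCRE="no"
fi


if test "$PCRE" = "no"; then
  echo
  echo "   ERROR!  pcre library not found, go get it"
  echo "   from www.pcre.org."
  echo
  exit 1
fi

# libpcre 8.35 (especially on debian) has a known issue that results in segfaults
# The version probe only runs when no explicit -L path was given, i.e. when
# pkg-config is expected to describe the system libpcre.  A "yes" here
# disables JIT further down.
if test "$with_libpcre_libraries" = "no"; then

pkg_failed=no
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for LIBPCREVERSION" >&5
$as_echo_n "checking for LIBPCREVERSION... " >&6; }

if test -n "$LIBPCREVERSION_CFLAGS"; then
    pkg_cv_LIBPCREVERSION_CFLAGS="$LIBPCREVERSION_CFLAGS"
 elif test -n "$PKG_CONFIG"; then
    if test -n "$PKG_CONFIG" && \
    { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"libpcre = 8.35\""; } >&5
  ($PKG_CONFIG --exists --print-errors "libpcre = 8.35") 2>&5
  ac_status=$?
  $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
  test $ac_status = 0; }; then
  pkg_cv_LIBPCREVERSION_CFLAGS=`$PKG_CONFIG --cflags "libpcre = 8.35" 2>/dev/null`
		      test "x$?" != "x0" && pkg_failed=yes
else
  pkg_failed=yes
fi
 else
    pkg_failed=untried
fi
if test -n "$LIBPCREVERSION_LIBS"; then
    pkg_cv_LIBPCREVERSION_LIBS="$LIBPCREVERSION_LIBS"
 elif test -n "$PKG_CONFIG"; then
    if test -n "$PKG_CONFIG" && \
    { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"libpcre = 8.35\""; } >&5
  ($PKG_CONFIG --exists --print-errors "libpcre = 8.35") 2>&5
  ac_status=$?
  $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
  test $ac_status = 0; }; then
  pkg_cv_LIBPCREVERSION_LIBS=`$PKG_CONFIG --libs "libpcre = 8.35" 2>/dev/null`
		      test "x$?" != "x0" && pkg_failed=yes
else
  pkg_failed=yes
fi
 else
    pkg_failed=untried
fi



if test $pkg_failed = yes; then
   	{ $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
$as_echo "no" >&6; }

if $PKG_CONFIG --atleast-pkgconfig-version 0.20; then
        _pkg_short_errors_supported=yes
else
        _pkg_short_errors_supported=no
fi
        if test $_pkg_short_errors_supported = yes; then
	        LIBPCREVERSION_PKG_ERRORS=`$PKG_CONFIG --short-errors --print-errors --cflags --libs "libpcre = 8.35" 2>&1`
        else
	        LIBPCREVERSION_PKG_ERRORS=`$PKG_CONFIG --print-errors --cflags --libs "libpcre = 8.35" 2>&1`
        fi
	# Put the nasty error message in config.log where it belongs
	echo "$LIBPCREVERSION_PKG_ERRORS" >&5

	# "no" means pkg-config did not match exactly 8.35, i.e. not the buggy release.
	libpcre_buggy_found="no"
elif test $pkg_failed = untried; then
     	{ $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
$as_echo "no" >&6; }
	libpcre_buggy_found="no"
else
	LIBPCREVERSION_CFLAGS=$pkg_cv_LIBPCREVERSION_CFLAGS
	LIBPCREVERSION_LIBS=$pkg_cv_LIBPCREVERSION_LIBS
        { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
$as_echo "yes" >&6; }
	libpcre_buggy_found="yes"
fi

    if test "$libpcre_buggy_found" = "yes"; then
        echo
        echo "   Warning! vulnerable libpcre version 8.35 found"
        echo "   This version has a known issue that could result in segfaults"
        echo "   please upgrade to a newer version of pcre which you can get from"
        echo "   www.pcre.org. For more information, see issue #1693"
        echo
        echo "   Continuing for now with JIT disabled..."
        echo
    fi
fi

# To prevent duping the lib link we reset LIBS after this check. Setting action-if-found to NULL doesn't seem to work
# see: http://blog.flameeyes.eu/2008/04/29/i-consider-ac_check_lib-harmful
PCRE=""
TMPLIBS="${LIBS}"
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for pcre_dfa_exec in -lpcre" >&5
$as_echo_n "checking for pcre_dfa_exec in -lpcre... " >&6; }
if ${ac_cv_lib_pcre_pcre_dfa_exec+:} false; then :
  $as_echo_n "(cached) " >&6
else
  ac_check_lib_save_LIBS=$LIBS
LIBS="-lpcre $LIBS"
cat confdefs.h - <<_ACEOF >conftest.$ac_ext
/* end confdefs.h. */

/* Override any GCC internal prototype to avoid an error.
   Use char because int might match the return type of a GCC
   builtin and then its argument prototype would still apply. */
#ifdef __cplusplus
extern "C"
#endif
char pcre_dfa_exec ();
int
main ()
{
return pcre_dfa_exec ();
  ;
  return 0;
}
_ACEOF
if ac_fn_c_try_link "$LINENO"; then :
  ac_cv_lib_pcre_pcre_dfa_exec=yes
else
  ac_cv_lib_pcre_pcre_dfa_exec=no
fi
rm -f core conftest.err conftest.$ac_objext \
    conftest$ac_exeext conftest.$ac_ext
LIBS=$ac_check_lib_save_LIBS
fi
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_pcre_pcre_dfa_exec" >&5
$as_echo "$ac_cv_lib_pcre_pcre_dfa_exec" >&6; }
if test "x$ac_cv_lib_pcre_pcre_dfa_exec" = xyes; then :
  cat >>confdefs.h <<_ACEOF
#define HAVE_LIBPCRE 1
_ACEOF

  LIBS="-lpcre $LIBS"

else
  PCRE="no"
fi


if test "$PCRE" = "no"; then
  echo
  echo "   ERROR!  pcre library was found but version was < 6.0"
  echo "   please upgrade to a newer version of pcre which you can get from"
  echo "   www.pcre.org."
  echo
  exit 1
fi
LIBS="${TMPLIBS}"

# PCRE_EXTRA_MATCH_LIMIT_RECURSION is what lets the caller bound backtracking
# depth; without it a pathological pattern/input can exhaust the stack
# (the DoS the warning below refers to).
cat confdefs.h - <<_ACEOF >conftest.$ac_ext
/* end confdefs.h. */
#include <pcre.h>
int
main ()
{
int eo = 0; eo |= PCRE_EXTRA_MATCH_LIMIT_RECURSION;
  ;
  return 0;
}
_ACEOF
if ac_fn_c_try_compile "$LINENO"; then :
  pcre_match_limit_recursion_available=yes
else
  :
fi
rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
if test "$pcre_match_limit_recursion_available" != "yes"; then
  echo
  echo "   Warning! pcre extra opt PCRE_EXTRA_MATCH_LIMIT_RECURSION not found"
  echo "   This could lead to potential DoS please upgrade to pcre >= 6.5"
  echo "   from www.pcre.org."
  echo "   Continuing for now...."
  echo
  $as_echo "#define NO_PCRE_MATCH_RLIMIT 1" >>confdefs.h

fi

# Probe for pcre_free_study under -Werror, presumably so that an
# implicit-declaration warning for a missing symbol counts as failure
# instead of compiling cleanly; CFLAGS is restored right after.
TMPCFLAGS="${CFLAGS}"
CFLAGS="-O0 -g -Werror -Wall"
cat confdefs.h - <<_ACEOF >conftest.$ac_ext
/* end confdefs.h. */
#include <pcre.h>
int
main ()
{
pcre_extra *extra = NULL; pcre_free_study(extra);
  ;
  return 0;
}
_ACEOF
if ac_fn_c_try_compile "$LINENO"; then :
  $as_echo "#define HAVE_PCRE_FREE_STUDY 1" >>confdefs.h

else
  :
fi
rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
CFLAGS="${TMPCFLAGS}"

#enable support for PCRE-jit available since pcre-8.20
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for PCRE JIT support" >&5
$as_echo_n "checking for PCRE JIT support... " >&6; }
cat confdefs.h - <<_ACEOF >conftest.$ac_ext
/* end confdefs.h. */
#include <pcre.h>
int
main ()
{
int jit = 0; pcre_config(PCRE_CONFIG_JIT, &jit);
  ;
  return 0;
}
_ACEOF
if ac_fn_c_try_compile "$LINENO"; then :
  pcre_jit_available=yes
else
  pcre_jit_available=no
fi
rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext

# bug 1693, libpcre 8.35 is broken and debian jessie is still using that
if test "$libpcre_buggy_found" = "yes"; then
    pcre_jit_available="no, libpcre 8.35 blacklisted"
fi

if test "x$pcre_jit_available" = "xyes"; then
    { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
$as_echo "yes" >&6; }

$as_echo "#define PCRE_HAVE_JIT 1" >>confdefs.h


    { $as_echo "$as_me:${as_lineno-$LINENO}: checking for PCRE JIT support usability" >&5
$as_echo_n "checking for PCRE JIT support usability... " >&6; }
    # NOTE(review): this is a compile-only probe (ac_fn_c_try_compile), so the
    # pcre_study/pcre_fullinfo calls and their exit() checks in the program
    # body are never executed; "usability" here means "it builds".
    cat confdefs.h - <<_ACEOF >conftest.$ac_ext
/* end confdefs.h. */
#include <pcre.h>
int
main ()
{
const char* regexstr = "(a|b|c|d)";
  pcre *re;
  const char *error;
  pcre_extra *extra;
  int err_offset;
  re = pcre_compile(regexstr,0, &error, &err_offset,NULL);
  extra = pcre_study(re, PCRE_STUDY_JIT_COMPILE, &error);
  if (extra == NULL)
    exit(EXIT_FAILURE);
  int jit = 0;
  int ret = pcre_fullinfo(re, extra, PCRE_INFO_JIT, &jit);
  if (ret != 0 || jit != 1)
    exit(EXIT_FAILURE);
  exit(EXIT_SUCCESS);
  ;
  return 0;
}
_ACEOF
if ac_fn_c_try_compile "$LINENO"; then :
  pcre_jit_works=yes
else
  :
fi
rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
    if test "x$pcre_jit_works" != "xyes"; then
        { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
$as_echo "no" >&6; }
        echo
        echo "   PCRE JIT support detection worked but testing it failed"
        echo "   something odd is going on, please file a bug report."
        echo
        exit 1
    else
        { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
$as_echo "yes" >&6; }
    fi
else
    { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
$as_echo "no" >&6; }
fi

#### End of PCRE ############################################################

# We don't want to use the Sagan_strstr assembly code if this is a 32 bit
# system.  We force SYSSTRSTR="yes" when it is.

# 32 bit linux.
case "${host}" in
    # Linux | i386 | 32 bit
    i386*-*-linux* | i686*-*-linux*)
        SYSSTRSTR="yes"
        ;;
    i386*-*-darwin* | i686*-*-darwin*)
        SYSSTRSTR="yes"
        ;;
esac

if test "$SYSSTRSTR" = "yes"; then
    { $as_echo "$as_me:${as_lineno-$LINENO}: result: using build in strstr()..." >&5
$as_echo "using build in strstr()..." >&6; }

$as_echo "#define WITH_SYSSTRSTR 1" >>confdefs.h

fi

# Optional features below: each is gated on a SYSLOG/REDIS/... flag set
# earlier (outside this section).  Note the header checks for the optional
# libraries have an empty success branch and no failure branch: a missing
# header is only caught when the link test that follows fails.
if test "$SYSLOG" = "yes"; then
    { $as_echo "$as_me:${as_lineno-$LINENO}: result: ------- Syslog support is enabled -------" >&5
$as_echo "------- Syslog support is enabled -------" >&6; }
    ac_fn_c_check_header_mongrel "$LINENO" "syslog.h" "ac_cv_header_syslog_h" "$ac_includes_default"
if test "x$ac_cv_header_syslog_h" = xyes; then :

fi


$as_echo "#define WITH_SYSLOG 1" >>confdefs.h

fi

if test "$REDIS" = "yes"; then
    { $as_echo "$as_me:${as_lineno-$LINENO}: result: ------- Redis support is enabled -------" >&5
$as_echo "------- Redis support is enabled -------" >&6; }
    ac_fn_c_check_header_mongrel "$LINENO" "hiredis/hiredis.h" "ac_cv_header_hiredis_hiredis_h" "$ac_includes_default"
if test "x$ac_cv_header_hiredis_hiredis_h" = xyes; then :

fi


    { $as_echo "$as_me:${as_lineno-$LINENO}: checking for main in -lhiredis" >&5
$as_echo_n "checking for main in -lhiredis... " >&6; }
if ${ac_cv_lib_hiredis_main+:} false; then :
  $as_echo_n "(cached) " >&6
else
  ac_check_lib_save_LIBS=$LIBS
LIBS="-lhiredis $LIBS"
cat confdefs.h - <<_ACEOF >conftest.$ac_ext
/* end confdefs.h. */


int
main ()
{
return main ();
  ;
  return 0;
}
_ACEOF
if ac_fn_c_try_link "$LINENO"; then :
  ac_cv_lib_hiredis_main=yes
else
  ac_cv_lib_hiredis_main=no
fi
rm -f core conftest.err conftest.$ac_objext \
    conftest$ac_exeext conftest.$ac_ext
LIBS=$ac_check_lib_save_LIBS
fi
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_hiredis_main" >&5
$as_echo "$ac_cv_lib_hiredis_main" >&6; }
if test "x$ac_cv_lib_hiredis_main" = xyes; then :
  cat >>confdefs.h <<_ACEOF
#define HAVE_LIBHIREDIS 1
_ACEOF

  LIBS="-lhiredis $LIBS"

else
  as_fn_error $? "The Hiredis (Redis) library cannot be found. If you're not interested in Redis support use the --disable-redis flag." "$LINENO" 5
fi

fi

if test "$GEOIP2" = "yes"; then
    { $as_echo "$as_me:${as_lineno-$LINENO}: result: ------- Maxmind GeoIP2 support is enabled -------" >&5
$as_echo "------- Maxmind GeoIP2 support is enabled -------" >&6; }
    ac_fn_c_check_header_mongrel "$LINENO" "maxminddb.h" "ac_cv_header_maxminddb_h" "$ac_includes_default"
if test "x$ac_cv_header_maxminddb_h" = xyes; then :

fi


    { $as_echo "$as_me:${as_lineno-$LINENO}: checking for main in -lmaxminddb" >&5
$as_echo_n "checking for main in -lmaxminddb... " >&6; }
if ${ac_cv_lib_maxminddb_main+:} false; then :
  $as_echo_n "(cached) " >&6
else
  ac_check_lib_save_LIBS=$LIBS
LIBS="-lmaxminddb $LIBS"
cat confdefs.h - <<_ACEOF >conftest.$ac_ext
/* end confdefs.h. */


int
main ()
{
return main ();
  ;
  return 0;
}
_ACEOF
if ac_fn_c_try_link "$LINENO"; then :
  ac_cv_lib_maxminddb_main=yes
else
  ac_cv_lib_maxminddb_main=no
fi
rm -f core conftest.err conftest.$ac_objext \
    conftest$ac_exeext conftest.$ac_ext
LIBS=$ac_check_lib_save_LIBS
fi
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_maxminddb_main" >&5
$as_echo "$ac_cv_lib_maxminddb_main" >&6; }
if test "x$ac_cv_lib_maxminddb_main" = xyes; then :
  cat >>confdefs.h <<_ACEOF
#define HAVE_LIBMAXMINDDB 1
_ACEOF

  LIBS="-lmaxminddb $LIBS"

else
  as_fn_error $? "The Maxmind GeoIP2 library cannot be found. If you're not interested in GeoIP2 support use the --disable-geoip2 flag." "$LINENO" 5
fi

fi

if test "$ESMTP" = "yes"; then
    { $as_echo "$as_me:${as_lineno-$LINENO}: result: ------- libesmtp support is enabled -------" >&5
$as_echo "------- libesmtp support is enabled -------" >&6; }
    ac_fn_c_check_header_mongrel "$LINENO" "libesmtp.h" "ac_cv_header_libesmtp_h" "$ac_includes_default"
if test "x$ac_cv_header_libesmtp_h" = xyes; then :

fi


    { $as_echo "$as_me:${as_lineno-$LINENO}: checking for main in -lesmtp" >&5
$as_echo_n "checking for main in -lesmtp... " >&6; }
if ${ac_cv_lib_esmtp_main+:} false; then :
  $as_echo_n "(cached) " >&6
else
  ac_check_lib_save_LIBS=$LIBS
LIBS="-lesmtp $LIBS"
cat confdefs.h - <<_ACEOF >conftest.$ac_ext
/* end confdefs.h. */


int
main ()
{
return main ();
  ;
  return 0;
}
_ACEOF
if ac_fn_c_try_link "$LINENO"; then :
  ac_cv_lib_esmtp_main=yes
else
  ac_cv_lib_esmtp_main=no
fi
rm -f core conftest.err conftest.$ac_objext \
    conftest$ac_exeext conftest.$ac_ext
LIBS=$ac_check_lib_save_LIBS
fi
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_esmtp_main" >&5
$as_echo "$ac_cv_lib_esmtp_main" >&6; }
if test "x$ac_cv_lib_esmtp_main" = xyes; then :
  cat >>confdefs.h <<_ACEOF
#define HAVE_LIBESMTP 1
_ACEOF

  LIBS="-lesmtp $LIBS"

else
  as_fn_error $? "The libesmtp library cannot be found. If you're not interested in libesmtp support use the --disable-esmtp flag." "$LINENO" 5
fi

fi

# libfastjson is located through pkg-config (LIBFASTJSON_CFLAGS/LIBS may be
# preset to bypass it).  The same probe is repeated inside the LOGNORM
# branch below, since liblognorm is presumably built on libfastjson.
if test "$FASTJSON" = "yes"; then
    { $as_echo "$as_me:${as_lineno-$LINENO}: result: ------- libfastjson support is enabled -------" >&5
$as_echo "------- libfastjson support is enabled -------" >&6; }

pkg_failed=no
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for LIBFASTJSON" >&5
$as_echo_n "checking for LIBFASTJSON... " >&6; }

if test -n "$LIBFASTJSON_CFLAGS"; then
    pkg_cv_LIBFASTJSON_CFLAGS="$LIBFASTJSON_CFLAGS"
 elif test -n "$PKG_CONFIG"; then
    if test -n "$PKG_CONFIG" && \
    { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"libfastjson >= 0.0.0\""; } >&5
  ($PKG_CONFIG --exists --print-errors "libfastjson >= 0.0.0") 2>&5
  ac_status=$?
  $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
  test $ac_status = 0; }; then
  pkg_cv_LIBFASTJSON_CFLAGS=`$PKG_CONFIG --cflags "libfastjson >= 0.0.0" 2>/dev/null`
		      test "x$?" != "x0" && pkg_failed=yes
else
  pkg_failed=yes
fi
 else
    pkg_failed=untried
fi
if test -n "$LIBFASTJSON_LIBS"; then
    pkg_cv_LIBFASTJSON_LIBS="$LIBFASTJSON_LIBS"
 elif test -n "$PKG_CONFIG"; then
    if test -n "$PKG_CONFIG" && \
    { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"libfastjson >= 0.0.0\""; } >&5
  ($PKG_CONFIG --exists --print-errors "libfastjson >= 0.0.0") 2>&5
  ac_status=$?
  $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
  test $ac_status = 0; }; then
  pkg_cv_LIBFASTJSON_LIBS=`$PKG_CONFIG --libs "libfastjson >= 0.0.0" 2>/dev/null`
		      test "x$?" != "x0" && pkg_failed=yes
else
  pkg_failed=yes
fi
 else
    pkg_failed=untried
fi



if test $pkg_failed = yes; then
   	{ $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
$as_echo "no" >&6; }

if $PKG_CONFIG --atleast-pkgconfig-version 0.20; then
        _pkg_short_errors_supported=yes
else
        _pkg_short_errors_supported=no
fi
        if test $_pkg_short_errors_supported = yes; then
	        LIBFASTJSON_PKG_ERRORS=`$PKG_CONFIG --short-errors --print-errors --cflags --libs "libfastjson >= 0.0.0" 2>&1`
        else
	        LIBFASTJSON_PKG_ERRORS=`$PKG_CONFIG --print-errors --cflags --libs "libfastjson >= 0.0.0" 2>&1`
        fi
	# Put the nasty error message in config.log where it belongs
	echo "$LIBFASTJSON_PKG_ERRORS" >&5

	as_fn_error $? "Package requirements (libfastjson >= 0.0.0) were not met:

$LIBFASTJSON_PKG_ERRORS

Consider adjusting the PKG_CONFIG_PATH environment variable if you
installed software in a non-standard prefix.

Alternatively, you may set the environment variables LIBFASTJSON_CFLAGS
and LIBFASTJSON_LIBS to avoid the need to call pkg-config.
See the pkg-config man page for more details." "$LINENO" 5
elif test $pkg_failed = untried; then
     	{ $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
$as_echo "no" >&6; }
	{ { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5
$as_echo "$as_me: error: in \`$ac_pwd':" >&2;}
as_fn_error $? "The pkg-config script could not be found or is too old.  Make sure it
is in your PATH or set the PKG_CONFIG environment variable to the full
path to pkg-config.

Alternatively, you may set the environment variables LIBFASTJSON_CFLAGS
and LIBFASTJSON_LIBS to avoid the need to call pkg-config.
See the pkg-config man page for more details.

To get pkg-config, see <http://pkg-config.freedesktop.org/>.
See \`config.log' for more details" "$LINENO" 5; }
else
	LIBFASTJSON_CFLAGS=$pkg_cv_LIBFASTJSON_CFLAGS
	LIBFASTJSON_LIBS=$pkg_cv_LIBFASTJSON_LIBS
        { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
$as_echo "yes" >&6; }

fi

fi

# liblognorm needs libestr, liblognorm (pkg-config name "lognorm") and
# libfastjson; each pkg-config failure is fatal, then the headers and the
# libraries themselves are checked.
if test "$LOGNORM" = "yes"; then
    { $as_echo "$as_me:${as_lineno-$LINENO}: result: ------- liblognorm support is enabled -------" >&5
$as_echo "------- liblognorm support is enabled -------" >&6; }

pkg_failed=no
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for LIBESTR" >&5
$as_echo_n "checking for LIBESTR... " >&6; }

if test -n "$LIBESTR_CFLAGS"; then
    pkg_cv_LIBESTR_CFLAGS="$LIBESTR_CFLAGS"
 elif test -n "$PKG_CONFIG"; then
    if test -n "$PKG_CONFIG" && \
    { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"libestr >= 0.0.0\""; } >&5
  ($PKG_CONFIG --exists --print-errors "libestr >= 0.0.0") 2>&5
  ac_status=$?
  $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
  test $ac_status = 0; }; then
  pkg_cv_LIBESTR_CFLAGS=`$PKG_CONFIG --cflags "libestr >= 0.0.0" 2>/dev/null`
		      test "x$?" != "x0" && pkg_failed=yes
else
  pkg_failed=yes
fi
 else
    pkg_failed=untried
fi
if test -n "$LIBESTR_LIBS"; then
    pkg_cv_LIBESTR_LIBS="$LIBESTR_LIBS"
 elif test -n "$PKG_CONFIG"; then
    if test -n "$PKG_CONFIG" && \
    { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"libestr >= 0.0.0\""; } >&5
  ($PKG_CONFIG --exists --print-errors "libestr >= 0.0.0") 2>&5
  ac_status=$?
  $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
  test $ac_status = 0; }; then
  pkg_cv_LIBESTR_LIBS=`$PKG_CONFIG --libs "libestr >= 0.0.0" 2>/dev/null`
		      test "x$?" != "x0" && pkg_failed=yes
else
  pkg_failed=yes
fi
 else
    pkg_failed=untried
fi



if test $pkg_failed = yes; then
   	{ $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
$as_echo "no" >&6; }

if $PKG_CONFIG --atleast-pkgconfig-version 0.20; then
        _pkg_short_errors_supported=yes
else
        _pkg_short_errors_supported=no
fi
        if test $_pkg_short_errors_supported = yes; then
	        LIBESTR_PKG_ERRORS=`$PKG_CONFIG --short-errors --print-errors --cflags --libs "libestr >= 0.0.0" 2>&1`
        else
	        LIBESTR_PKG_ERRORS=`$PKG_CONFIG --print-errors --cflags --libs "libestr >= 0.0.0" 2>&1`
        fi
	# Put the nasty error message in config.log where it belongs
	echo "$LIBESTR_PKG_ERRORS" >&5

	as_fn_error $? "Package requirements (libestr >= 0.0.0) were not met:

$LIBESTR_PKG_ERRORS

Consider adjusting the PKG_CONFIG_PATH environment variable if you
installed software in a non-standard prefix.

Alternatively, you may set the environment variables LIBESTR_CFLAGS
and LIBESTR_LIBS to avoid the need to call pkg-config.
See the pkg-config man page for more details." "$LINENO" 5
elif test $pkg_failed = untried; then
     	{ $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
$as_echo "no" >&6; }
	{ { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5
$as_echo "$as_me: error: in \`$ac_pwd':" >&2;}
as_fn_error $? "The pkg-config script could not be found or is too old.  Make sure it
is in your PATH or set the PKG_CONFIG environment variable to the full
path to pkg-config.

Alternatively, you may set the environment variables LIBESTR_CFLAGS
and LIBESTR_LIBS to avoid the need to call pkg-config.
See the pkg-config man page for more details.

To get pkg-config, see <http://pkg-config.freedesktop.org/>.
See \`config.log' for more details" "$LINENO" 5; }
else
	LIBESTR_CFLAGS=$pkg_cv_LIBESTR_CFLAGS
	LIBESTR_LIBS=$pkg_cv_LIBESTR_LIBS
        { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
$as_echo "yes" >&6; }

fi

pkg_failed=no
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for LIBLOGNORM" >&5
$as_echo_n "checking for LIBLOGNORM... " >&6; }

if test -n "$LIBLOGNORM_CFLAGS"; then
    pkg_cv_LIBLOGNORM_CFLAGS="$LIBLOGNORM_CFLAGS"
 elif test -n "$PKG_CONFIG"; then
    if test -n "$PKG_CONFIG" && \
    { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"lognorm >= 1.0.0\""; } >&5
  ($PKG_CONFIG --exists --print-errors "lognorm >= 1.0.0") 2>&5
  ac_status=$?
  $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
  test $ac_status = 0; }; then
  pkg_cv_LIBLOGNORM_CFLAGS=`$PKG_CONFIG --cflags "lognorm >= 1.0.0" 2>/dev/null`
		      test "x$?" != "x0" && pkg_failed=yes
else
  pkg_failed=yes
fi
 else
    pkg_failed=untried
fi
if test -n "$LIBLOGNORM_LIBS"; then
    pkg_cv_LIBLOGNORM_LIBS="$LIBLOGNORM_LIBS"
 elif test -n "$PKG_CONFIG"; then
    if test -n "$PKG_CONFIG" && \
    { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"lognorm >= 1.0.0\""; } >&5
  ($PKG_CONFIG --exists --print-errors "lognorm >= 1.0.0") 2>&5
  ac_status=$?
  $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
  test $ac_status = 0; }; then
  pkg_cv_LIBLOGNORM_LIBS=`$PKG_CONFIG --libs "lognorm >= 1.0.0" 2>/dev/null`
		      test "x$?" != "x0" && pkg_failed=yes
else
  pkg_failed=yes
fi
 else
    pkg_failed=untried
fi



if test $pkg_failed = yes; then
   	{ $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
$as_echo "no" >&6; }

if $PKG_CONFIG --atleast-pkgconfig-version 0.20; then
        _pkg_short_errors_supported=yes
else
        _pkg_short_errors_supported=no
fi
        if test $_pkg_short_errors_supported = yes; then
	        LIBLOGNORM_PKG_ERRORS=`$PKG_CONFIG --short-errors --print-errors --cflags --libs "lognorm >= 1.0.0" 2>&1`
        else
	        LIBLOGNORM_PKG_ERRORS=`$PKG_CONFIG --print-errors --cflags --libs "lognorm >= 1.0.0" 2>&1`
        fi
	# Put the nasty error message in config.log where it belongs
	echo "$LIBLOGNORM_PKG_ERRORS" >&5

	as_fn_error $? "Package requirements (lognorm >= 1.0.0) were not met:

$LIBLOGNORM_PKG_ERRORS

Consider adjusting the PKG_CONFIG_PATH environment variable if you
installed software in a non-standard prefix.

Alternatively, you may set the environment variables LIBLOGNORM_CFLAGS
and LIBLOGNORM_LIBS to avoid the need to call pkg-config.
See the pkg-config man page for more details." "$LINENO" 5
elif test $pkg_failed = untried; then
     	{ $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
$as_echo "no" >&6; }
	{ { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5
$as_echo "$as_me: error: in \`$ac_pwd':" >&2;}
as_fn_error $? "The pkg-config script could not be found or is too old.  Make sure it
is in your PATH or set the PKG_CONFIG environment variable to the full
path to pkg-config.

Alternatively, you may set the environment variables LIBLOGNORM_CFLAGS
and LIBLOGNORM_LIBS to avoid the need to call pkg-config.
See the pkg-config man page for more details.

To get pkg-config, see <http://pkg-config.freedesktop.org/>.
See \`config.log' for more details" "$LINENO" 5; }
else
	LIBLOGNORM_CFLAGS=$pkg_cv_LIBLOGNORM_CFLAGS
	LIBLOGNORM_LIBS=$pkg_cv_LIBLOGNORM_LIBS
        { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
$as_echo "yes" >&6; }

fi

pkg_failed=no
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for LIBFASTJSON" >&5
$as_echo_n "checking for LIBFASTJSON... " >&6; }

if test -n "$LIBFASTJSON_CFLAGS"; then
    pkg_cv_LIBFASTJSON_CFLAGS="$LIBFASTJSON_CFLAGS"
 elif test -n "$PKG_CONFIG"; then
    if test -n "$PKG_CONFIG" && \
    { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"libfastjson >= 0.0.0\""; } >&5
  ($PKG_CONFIG --exists --print-errors "libfastjson >= 0.0.0") 2>&5
  ac_status=$?
  $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
  test $ac_status = 0; }; then
  pkg_cv_LIBFASTJSON_CFLAGS=`$PKG_CONFIG --cflags "libfastjson >= 0.0.0" 2>/dev/null`
		      test "x$?" != "x0" && pkg_failed=yes
else
  pkg_failed=yes
fi
 else
    pkg_failed=untried
fi
if test -n "$LIBFASTJSON_LIBS"; then
    pkg_cv_LIBFASTJSON_LIBS="$LIBFASTJSON_LIBS"
 elif test -n "$PKG_CONFIG"; then
    if test -n "$PKG_CONFIG" && \
    { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"libfastjson >= 0.0.0\""; } >&5
  ($PKG_CONFIG --exists --print-errors "libfastjson >= 0.0.0") 2>&5
  ac_status=$?
  $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
  test $ac_status = 0; }; then
  pkg_cv_LIBFASTJSON_LIBS=`$PKG_CONFIG --libs "libfastjson >= 0.0.0" 2>/dev/null`
		      test "x$?" != "x0" && pkg_failed=yes
else
  pkg_failed=yes
fi
 else
    pkg_failed=untried
fi



if test $pkg_failed = yes; then
   	{ $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
$as_echo "no" >&6; }

if $PKG_CONFIG --atleast-pkgconfig-version 0.20; then
        _pkg_short_errors_supported=yes
else
        _pkg_short_errors_supported=no
fi
        if test $_pkg_short_errors_supported = yes; then
	        LIBFASTJSON_PKG_ERRORS=`$PKG_CONFIG --short-errors --print-errors --cflags --libs "libfastjson >= 0.0.0" 2>&1`
        else
	        LIBFASTJSON_PKG_ERRORS=`$PKG_CONFIG --print-errors --cflags --libs "libfastjson >= 0.0.0" 2>&1`
        fi
	# Put the nasty error message in config.log where it belongs
	echo "$LIBFASTJSON_PKG_ERRORS" >&5

	as_fn_error $? "Package requirements (libfastjson >= 0.0.0) were not met:

$LIBFASTJSON_PKG_ERRORS

Consider adjusting the PKG_CONFIG_PATH environment variable if you
installed software in a non-standard prefix.

Alternatively, you may set the environment variables LIBFASTJSON_CFLAGS
and LIBFASTJSON_LIBS to avoid the need to call pkg-config.
See the pkg-config man page for more details." "$LINENO" 5
elif test $pkg_failed = untried; then
     	{ $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
$as_echo "no" >&6; }
	{ { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5
$as_echo "$as_me: error: in \`$ac_pwd':" >&2;}
as_fn_error $? "The pkg-config script could not be found or is too old.  Make sure it
is in your PATH or set the PKG_CONFIG environment variable to the full
path to pkg-config.

Alternatively, you may set the environment variables LIBFASTJSON_CFLAGS
and LIBFASTJSON_LIBS to avoid the need to call pkg-config.
See the pkg-config man page for more details.

To get pkg-config, see <http://pkg-config.freedesktop.org/>.
See \`config.log' for more details" "$LINENO" 5; }
else
	LIBFASTJSON_CFLAGS=$pkg_cv_LIBFASTJSON_CFLAGS
	LIBFASTJSON_LIBS=$pkg_cv_LIBFASTJSON_LIBS
        { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
$as_echo "yes" >&6; }

fi

    ac_fn_c_check_header_mongrel "$LINENO" "liblognorm.h" "ac_cv_header_liblognorm_h" "$ac_includes_default"
if test "x$ac_cv_header_liblognorm_h" = xyes; then :

fi


    ac_fn_c_check_header_mongrel "$LINENO" "libestr.h" "ac_cv_header_libestr_h" "$ac_includes_default"
if test "x$ac_cv_header_libestr_h" = xyes; then :

fi


    { $as_echo "$as_me:${as_lineno-$LINENO}: checking for main in -lestr" >&5
$as_echo_n "checking for main in -lestr... " >&6; }
if ${ac_cv_lib_estr_main+:} false; then :
  $as_echo_n "(cached) " >&6
else
  ac_check_lib_save_LIBS=$LIBS
LIBS="-lestr $LIBS"
cat confdefs.h - <<_ACEOF >conftest.$ac_ext
/* end confdefs.h. */


int
main ()
{
return main ();
  ;
  return 0;
}
_ACEOF
if ac_fn_c_try_link "$LINENO"; then :
  ac_cv_lib_estr_main=yes
else
  ac_cv_lib_estr_main=no
fi
rm -f core conftest.err conftest.$ac_objext \
    conftest$ac_exeext conftest.$ac_ext
LIBS=$ac_check_lib_save_LIBS
fi
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_estr_main" >&5
$as_echo "$ac_cv_lib_estr_main" >&6; }
if test "x$ac_cv_lib_estr_main" = xyes; then :
  cat >>confdefs.h <<_ACEOF
#define HAVE_LIBESTR 1
_ACEOF

  LIBS="-lestr $LIBS"

else
  as_fn_error $? "The libestr library cannot be found. This library is important for the correlation aspects of Sagan!  Please see https://wiki.quadrantsec.com/bin/view/Main/LibLogNorm. To disable this feature use the --disable-lognorm flag.
" "$LINENO" 5
fi

    { $as_echo "$as_me:${as_lineno-$LINENO}: checking for main in -llognorm" >&5
$as_echo_n "checking for main in -llognorm... " >&6; }
if ${ac_cv_lib_lognorm_main+:} false; then :
  $as_echo_n "(cached) " >&6
else
  ac_check_lib_save_LIBS=$LIBS
LIBS="-llognorm $LIBS"
cat confdefs.h - <<_ACEOF >conftest.$ac_ext
/* end confdefs.h. */


int
main ()
{
return main ();
  ;
  return 0;
}
_ACEOF
if ac_fn_c_try_link "$LINENO"; then :
  ac_cv_lib_lognorm_main=yes
else
  ac_cv_lib_lognorm_main=no
fi
rm -f core conftest.err conftest.$ac_objext \
    conftest$ac_exeext conftest.$ac_ext
LIBS=$ac_check_lib_save_LIBS
fi
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_lognorm_main" >&5
$as_echo "$ac_cv_lib_lognorm_main" >&6; }
if test "x$ac_cv_lib_lognorm_main" = xyes; then :
  cat >>confdefs.h <<_ACEOF
#define HAVE_LIBLOGNORM 1
_ACEOF

  LIBS="-llognorm $LIBS"

else
  as_fn_error $? "The liblognorm library cannot be found. This library is important for the correlation aspects of Sagan!  Please see https://wiki.quadrantsec.com/bin/view/Main/LibLogNorm. To disable this feature use the --disable-lognorm flag.
" "$LINENO" 5
fi

fi

# libpcap: header checks for pcap.h and the network headers it needs, then
# the link test (which continues past the end of this section).
if test "$LIBPCAP" = "yes"; then
    { $as_echo "$as_me:${as_lineno-$LINENO}: result: ------- libpcap support is enabled -------" >&5
$as_echo "------- libpcap support is enabled -------" >&6; }
    ac_fn_c_check_header_mongrel "$LINENO" "pcap.h" "ac_cv_header_pcap_h" "$ac_includes_default"
if test "x$ac_cv_header_pcap_h" = xyes; then :

fi


    ac_fn_c_check_header_mongrel "$LINENO" "net/if.h" "ac_cv_header_net_if_h" "$ac_includes_default"
if test "x$ac_cv_header_net_if_h" = xyes; then :

fi


    ac_fn_c_check_header_mongrel "$LINENO" "net/if_arp.h" "ac_cv_header_net_if_arp_h" "$ac_includes_default"
if test "x$ac_cv_header_net_if_arp_h" = xyes; then :

fi


    ac_fn_c_check_header_mongrel "$LINENO" "netinet/in_systm.h" "ac_cv_header_netinet_in_systm_h" "$ac_includes_default"
if test "x$ac_cv_header_netinet_in_systm_h" = xyes; then :

fi


    ac_fn_c_check_header_mongrel "$LINENO" "netinet/if_ether.h" "ac_cv_header_netinet_if_ether_h" "$ac_includes_default"
if test "x$ac_cv_header_netinet_if_ether_h" = xyes; then :

fi


    ac_fn_c_check_header_mongrel "$LINENO" "netinet/ip.h" "ac_cv_header_netinet_ip_h" "$ac_includes_default"
if test "x$ac_cv_header_netinet_ip_h" = xyes; then :

fi


    ac_fn_c_check_header_mongrel "$LINENO" "netinet/udp.h" "ac_cv_header_netinet_udp_h" "$ac_includes_default"
if test "x$ac_cv_header_netinet_udp_h" = xyes; then :

fi


    { $as_echo "$as_me:${as_lineno-$LINENO}: checking for main in -lpcap" >&5
$as_echo_n "checking for main in -lpcap... " >&6; }
if ${ac_cv_lib_pcap_main+:} false; then :
  $as_echo_n "(cached) " >&6
else
  ac_check_lib_save_LIBS=$LIBS
LIBS="-lpcap $LIBS"
cat confdefs.h - <<_ACEOF >conftest.$ac_ext
/* end confdefs.h.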
*/ int main () { return main (); ; return 0; } _ACEOF if ac_fn_c_try_link "$LINENO"; then : ac_cv_lib_pcap_main=yes else ac_cv_lib_pcap_main=no fi rm -f core conftest.err conftest.$ac_objext \ conftest$ac_exeext conftest.$ac_ext LIBS=$ac_check_lib_save_LIBS fi { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_pcap_main" >&5 $as_echo "$ac_cv_lib_pcap_main" >&6; } if test "x$ac_cv_lib_pcap_main" = xyes; then : cat >>confdefs.h <<_ACEOF #define HAVE_LIBPCAP 1 _ACEOF LIBS="-lpcap $LIBS" else as_fn_error $? "The libpcap library cannot be found. This library is used to run Sagan in a syslog 'sniffer' mode. Please see https://wiki.quadrantsec.com/bin/view/Main/PLog. To disable this feature use the --disable-libpcap flag. " "$LINENO" 5 fi fi if test "$LIBDNET" = "yes"; then { $as_echo "$as_me:${as_lineno-$LINENO}: result: ------- libdnet support is enabled -------" >&5 $as_echo "------- libdnet support is enabled -------" >&6; } for ac_header in dnet.h do : ac_fn_c_check_header_mongrel "$LINENO" "dnet.h" "ac_cv_header_dnet_h" "$ac_includes_default" if test "x$ac_cv_header_dnet_h" = xyes; then : cat >>confdefs.h <<_ACEOF #define HAVE_DNET_H 1 _ACEOF else DNET_H="no" fi done for ac_header in dumbnet.h do : ac_fn_c_check_header_mongrel "$LINENO" "dumbnet.h" "ac_cv_header_dumbnet_h" "$ac_includes_default" if test "x$ac_cv_header_dumbnet_h" = xyes; then : cat >>confdefs.h <<_ACEOF #define HAVE_DUMBNET_H 1 _ACEOF else DUMBNET_H="no" fi done if test "x$DNET_H" = "xno" -a "x$DUMBNET_H" = "xno"; then echo echo " The libdnet headers cannot be found. This library is used for Sagan's" echo " Unified2 output support. Please see:" echo " https://wiki.quadrantsec.com/bin/view/Main/Unified2Output" echo " To disable this feature use the --disable-libdnet flag." exit 1 fi { $as_echo "$as_me:${as_lineno-$LINENO}: checking for eth_set in -ldnet" >&5 $as_echo_n "checking for eth_set in -ldnet... 
" >&6; } if ${ac_cv_lib_dnet_eth_set+:} false; then : $as_echo_n "(cached) " >&6 else ac_check_lib_save_LIBS=$LIBS LIBS="-ldnet $LIBS" cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ /* Override any GCC internal prototype to avoid an error. Use char because int might match the return type of a GCC builtin and then its argument prototype would still apply. */ #ifdef __cplusplus extern "C" #endif char eth_set (); int main () { return eth_set (); ; return 0; } _ACEOF if ac_fn_c_try_link "$LINENO"; then : ac_cv_lib_dnet_eth_set=yes else ac_cv_lib_dnet_eth_set=no fi rm -f core conftest.err conftest.$ac_objext \ conftest$ac_exeext conftest.$ac_ext LIBS=$ac_check_lib_save_LIBS fi { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_dnet_eth_set" >&5 $as_echo "$ac_cv_lib_dnet_eth_set" >&6; } if test "x$ac_cv_lib_dnet_eth_set" = xyes; then : cat >>confdefs.h <<_ACEOF #define HAVE_LIBDNET 1 _ACEOF LIBS="-ldnet $LIBS" else DNET="no" fi { $as_echo "$as_me:${as_lineno-$LINENO}: checking for eth_set in -ldumbnet" >&5 $as_echo_n "checking for eth_set in -ldumbnet... " >&6; } if ${ac_cv_lib_dumbnet_eth_set+:} false; then : $as_echo_n "(cached) " >&6 else ac_check_lib_save_LIBS=$LIBS LIBS="-ldumbnet $LIBS" cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ /* Override any GCC internal prototype to avoid an error. Use char because int might match the return type of a GCC builtin and then its argument prototype would still apply. 
*/ #ifdef __cplusplus extern "C" #endif char eth_set (); int main () { return eth_set (); ; return 0; } _ACEOF if ac_fn_c_try_link "$LINENO"; then : ac_cv_lib_dumbnet_eth_set=yes else ac_cv_lib_dumbnet_eth_set=no fi rm -f core conftest.err conftest.$ac_objext \ conftest$ac_exeext conftest.$ac_ext LIBS=$ac_check_lib_save_LIBS fi { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_dumbnet_eth_set" >&5 $as_echo "$ac_cv_lib_dumbnet_eth_set" >&6; } if test "x$ac_cv_lib_dumbnet_eth_set" = xyes; then : cat >>confdefs.h <<_ACEOF #define HAVE_LIBDUMBNET 1 _ACEOF LIBS="-ldumbnet $LIBS" else DUMBNET="no" fi if test "x$DNET" = "xno" -a "x$DUMBNET" = "xno"; then echo echo " The libdnet headers cannot be found. This library is used for Sagan's" echo " Unified2 output support. Please see:" echo " https://wiki.quadrantsec.com/bin/view/Main/Unified2Output" echo " To disable this feature use the --disable-libdnet flag." exit 1 fi fi if test "$BLUEDOT" = "yes"; then { $as_echo "$as_me:${as_lineno-$LINENO}: result: ------- Quadrant \"Bluedot\" is enabled -------" >&5 $as_echo "------- Quadrant \"Bluedot\" is enabled -------" >&6; } { $as_echo "$as_me:${as_lineno-$LINENO}: checking for main in -lcurl" >&5 $as_echo_n "checking for main in -lcurl... " >&6; } if ${ac_cv_lib_curl_main+:} false; then : $as_echo_n "(cached) " >&6 else ac_check_lib_save_LIBS=$LIBS LIBS="-lcurl $LIBS" cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ int main () { return main (); ; return 0; } _ACEOF if ac_fn_c_try_link "$LINENO"; then : ac_cv_lib_curl_main=yes else ac_cv_lib_curl_main=no fi rm -f core conftest.err conftest.$ac_objext \ conftest$ac_exeext conftest.$ac_ext LIBS=$ac_check_lib_save_LIBS fi { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_curl_main" >&5 $as_echo "$ac_cv_lib_curl_main" >&6; } if test "x$ac_cv_lib_curl_main" = xyes; then : cat >>confdefs.h <<_ACEOF #define HAVE_LIBCURL 1 _ACEOF LIBS="-lcurl $LIBS" else as_fn_error $? 
"The libcurl library cannot be found. This library is used for Sagan's / \"Bluedot\" support. Please see https://quadrantsec.com for more information. To disable this feature use the --disable-bluedot flag. " "$LINENO" 5 fi $as_echo "#define WITH_BLUEDOT 1" >>confdefs.h ac_fn_c_check_header_mongrel "$LINENO" "curl/curl.h" "ac_cv_header_curl_curl_h" "$ac_includes_default" if test "x$ac_cv_header_curl_curl_h" = xyes; then : fi pkg_failed=no { $as_echo "$as_me:${as_lineno-$LINENO}: checking for LIBFASTJSON" >&5 $as_echo_n "checking for LIBFASTJSON... " >&6; } if test -n "$LIBFASTJSON_CFLAGS"; then pkg_cv_LIBFASTJSON_CFLAGS="$LIBFASTJSON_CFLAGS" elif test -n "$PKG_CONFIG"; then if test -n "$PKG_CONFIG" && \ { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"libfastjson >= 0.0.0\""; } >&5 ($PKG_CONFIG --exists --print-errors "libfastjson >= 0.0.0") 2>&5 ac_status=$? $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 test $ac_status = 0; }; then pkg_cv_LIBFASTJSON_CFLAGS=`$PKG_CONFIG --cflags "libfastjson >= 0.0.0" 2>/dev/null` test "x$?" != "x0" && pkg_failed=yes else pkg_failed=yes fi else pkg_failed=untried fi if test -n "$LIBFASTJSON_LIBS"; then pkg_cv_LIBFASTJSON_LIBS="$LIBFASTJSON_LIBS" elif test -n "$PKG_CONFIG"; then if test -n "$PKG_CONFIG" && \ { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"libfastjson >= 0.0.0\""; } >&5 ($PKG_CONFIG --exists --print-errors "libfastjson >= 0.0.0") 2>&5 ac_status=$? $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 test $ac_status = 0; }; then pkg_cv_LIBFASTJSON_LIBS=`$PKG_CONFIG --libs "libfastjson >= 0.0.0" 2>/dev/null` test "x$?" 
!= "x0" && pkg_failed=yes else pkg_failed=yes fi else pkg_failed=untried fi if test $pkg_failed = yes; then { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 $as_echo "no" >&6; } if $PKG_CONFIG --atleast-pkgconfig-version 0.20; then _pkg_short_errors_supported=yes else _pkg_short_errors_supported=no fi if test $_pkg_short_errors_supported = yes; then LIBFASTJSON_PKG_ERRORS=`$PKG_CONFIG --short-errors --print-errors --cflags --libs "libfastjson >= 0.0.0" 2>&1` else LIBFASTJSON_PKG_ERRORS=`$PKG_CONFIG --print-errors --cflags --libs "libfastjson >= 0.0.0" 2>&1` fi # Put the nasty error message in config.log where it belongs echo "$LIBFASTJSON_PKG_ERRORS" >&5 as_fn_error $? "Package requirements (libfastjson >= 0.0.0) were not met: $LIBFASTJSON_PKG_ERRORS Consider adjusting the PKG_CONFIG_PATH environment variable if you installed software in a non-standard prefix. Alternatively, you may set the environment variables LIBFASTJSON_CFLAGS and LIBFASTJSON_LIBS to avoid the need to call pkg-config. See the pkg-config man page for more details." "$LINENO" 5 elif test $pkg_failed = untried; then { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 $as_echo "no" >&6; } { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5 $as_echo "$as_me: error: in \`$ac_pwd':" >&2;} as_fn_error $? "The pkg-config script could not be found or is too old. Make sure it is in your PATH or set the PKG_CONFIG environment variable to the full path to pkg-config. Alternatively, you may set the environment variables LIBFASTJSON_CFLAGS and LIBFASTJSON_LIBS to avoid the need to call pkg-config. See the pkg-config man page for more details. To get pkg-config, see . 
See \`config.log' for more details" "$LINENO" 5; } else LIBFASTJSON_CFLAGS=$pkg_cv_LIBFASTJSON_CFLAGS LIBFASTJSON_LIBS=$pkg_cv_LIBFASTJSON_LIBS { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 $as_echo "yes" >&6; } fi fi if test "$SNORTSAM" = "yes"; then { $as_echo "$as_me:${as_lineno-$LINENO}: result: ------- Snortsam support is enabled -------" >&5 $as_echo "------- Snortsam support is enabled -------" >&6; } $as_echo "#define WITH_SNORTSAM 1" >>confdefs.h fi test "x$prefix" = x. || test "x$prefix" = xNONE && prefix=/usr/local cat >>confdefs.h <<_ACEOF #define CONFIG_FILE_PATH "`eval echo "${sysconfdir}/sagan.yaml"`" _ACEOF cat >>confdefs.h <<_ACEOF #define PACKAGE_NAME "sagan" _ACEOF cat >>confdefs.h <<_ACEOF #define PACKAGE_STRING "Sagan $VERSION" _ACEOF cat >>confdefs.h <<_ACEOF #define PACKAGE_BUGREPORT "cclark@quadrantsec.com" _ACEOF cat >>confdefs.h <<_ACEOF #define PACKAGE_TARNAME "sagan" _ACEOF cat >>confdefs.h <<_ACEOF #define PACKAGE_VERSION "$VERSION" _ACEOF ac_config_files="$ac_config_files Makefile src/Makefile tools/Makefile" # AC_OUTPUT(Makefile) cat >confcache <<\_ACEOF # This file is a shell script that caches the results of configure # tests run on this system so they can be shared between configure # scripts and configure runs, see configure's option --config-cache. # It is not useful on other systems. If it contains results you don't # want to keep, you may remove or edit it. # # config.status only pays attention to the cache file if you give it # the --recheck option to rerun configure. # # `ac_cv_env_foo' variables (set or unset) will be overridden when # loading this file, other *unset* `ac_cv_foo' will be assigned the # following values. _ACEOF # The following way of writing the cache mishandles newlines in values, # but we know of no workaround that is simple, portable, and efficient. # So, we kill variables containing newlines. 
# Ultrix sh set writes to stderr and can't be redirected directly, # and sets the high bit in the cache file unless we assign to the vars. ( for ac_var in `(set) 2>&1 | sed -n 's/^\([a-zA-Z_][a-zA-Z0-9_]*\)=.*/\1/p'`; do eval ac_val=\$$ac_var case $ac_val in #( *${as_nl}*) case $ac_var in #( *_cv_*) { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: cache variable $ac_var contains a newline" >&5 $as_echo "$as_me: WARNING: cache variable $ac_var contains a newline" >&2;} ;; esac case $ac_var in #( _ | IFS | as_nl) ;; #( BASH_ARGV | BASH_SOURCE) eval $ac_var= ;; #( *) { eval $ac_var=; unset $ac_var;} ;; esac ;; esac done (set) 2>&1 | case $as_nl`(ac_space=' '; set) 2>&1` in #( *${as_nl}ac_space=\ *) # `set' does not quote correctly, so add quotes: double-quote # substitution turns \\\\ into \\, and sed turns \\ into \. sed -n \ "s/'/'\\\\''/g; s/^\\([_$as_cr_alnum]*_cv_[_$as_cr_alnum]*\\)=\\(.*\\)/\\1='\\2'/p" ;; #( *) # `set' quotes correctly as required by POSIX, so do not add quotes. sed -n "/^[_$as_cr_alnum]*_cv_[_$as_cr_alnum]*=/p" ;; esac | sort ) | sed ' /^ac_cv_env_/b end t clear :clear s/^\([^=]*\)=\(.*[{}].*\)$/test "${\1+set}" = set || &/ t end s/^\([^=]*\)=\(.*\)$/\1=${\1=\2}/ :end' >>confcache if diff "$cache_file" confcache >/dev/null 2>&1; then :; else if test -w "$cache_file"; then if test "x$cache_file" != "x/dev/null"; then { $as_echo "$as_me:${as_lineno-$LINENO}: updating cache $cache_file" >&5 $as_echo "$as_me: updating cache $cache_file" >&6;} if test ! 
-f "$cache_file" || test -h "$cache_file"; then cat confcache >"$cache_file" else case $cache_file in #( */* | ?:*) mv -f confcache "$cache_file"$$ && mv -f "$cache_file"$$ "$cache_file" ;; #( *) mv -f confcache "$cache_file" ;; esac fi fi else { $as_echo "$as_me:${as_lineno-$LINENO}: not updating unwritable cache $cache_file" >&5 $as_echo "$as_me: not updating unwritable cache $cache_file" >&6;} fi fi rm -f confcache test "x$prefix" = xNONE && prefix=$ac_default_prefix # Let make expand exec_prefix. test "x$exec_prefix" = xNONE && exec_prefix='${prefix}' DEFS=-DHAVE_CONFIG_H ac_libobjs= ac_ltlibobjs= U= for ac_i in : $LIBOBJS; do test "x$ac_i" = x: && continue # 1. Remove the extension, and $U if already installed. ac_script='s/\$U\././;s/\.o$//;s/\.obj$//' ac_i=`$as_echo "$ac_i" | sed "$ac_script"` # 2. Prepend LIBOBJDIR. When used with automake>=1.10 LIBOBJDIR # will be set to the directory where LIBOBJS objects are built. as_fn_append ac_libobjs " \${LIBOBJDIR}$ac_i\$U.$ac_objext" as_fn_append ac_ltlibobjs " \${LIBOBJDIR}$ac_i"'$U.lo' done LIBOBJS=$ac_libobjs LTLIBOBJS=$ac_ltlibobjs if test -z "${MAINTAINER_MODE_TRUE}" && test -z "${MAINTAINER_MODE_FALSE}"; then as_fn_error $? "conditional \"MAINTAINER_MODE\" was never defined. Usually this means the macro was only invoked conditionally." "$LINENO" 5 fi { $as_echo "$as_me:${as_lineno-$LINENO}: checking that generated files are newer than configure" >&5 $as_echo_n "checking that generated files are newer than configure... " >&6; } if test -n "$am_sleep_pid"; then # Hide warnings about reused PIDs. wait $am_sleep_pid 2>/dev/null fi { $as_echo "$as_me:${as_lineno-$LINENO}: result: done" >&5 $as_echo "done" >&6; } if test -z "${AMDEP_TRUE}" && test -z "${AMDEP_FALSE}"; then as_fn_error $? "conditional \"AMDEP\" was never defined. Usually this means the macro was only invoked conditionally." "$LINENO" 5 fi if test -z "${am__fastdepCC_TRUE}" && test -z "${am__fastdepCC_FALSE}"; then as_fn_error $? 
"conditional \"am__fastdepCC\" was never defined. Usually this means the macro was only invoked conditionally." "$LINENO" 5 fi if test -n "$EXEEXT"; then am__EXEEXT_TRUE= am__EXEEXT_FALSE='#' else am__EXEEXT_TRUE='#' am__EXEEXT_FALSE= fi if test -z "${am__fastdepCCAS_TRUE}" && test -z "${am__fastdepCCAS_FALSE}"; then as_fn_error $? "conditional \"am__fastdepCCAS\" was never defined. Usually this means the macro was only invoked conditionally." "$LINENO" 5 fi : "${CONFIG_STATUS=./config.status}" ac_write_fail=0 ac_clean_files_save=$ac_clean_files ac_clean_files="$ac_clean_files $CONFIG_STATUS" { $as_echo "$as_me:${as_lineno-$LINENO}: creating $CONFIG_STATUS" >&5 $as_echo "$as_me: creating $CONFIG_STATUS" >&6;} as_write_fail=0 cat >$CONFIG_STATUS <<_ASEOF || as_write_fail=1 #! $SHELL # Generated by $as_me. # Run this file to recreate the current configuration. # Compiler output produced by configure, useful for debugging # configure, is in config.log if it exists. debug=false ac_cs_recheck=false ac_cs_silent=false SHELL=\${CONFIG_SHELL-$SHELL} export SHELL _ASEOF cat >>$CONFIG_STATUS <<\_ASEOF || as_write_fail=1 ## -------------------- ## ## M4sh Initialization. ## ## -------------------- ## # Be more Bourne compatible DUALCASE=1; export DUALCASE # for MKS sh if test -n "${ZSH_VERSION+set}" && (emulate sh) >/dev/null 2>&1; then : emulate sh NULLCMD=: # Pre-4.2 versions of Zsh do word splitting on ${1+"$@"}, which # is contrary to our usage. Disable this feature. alias -g '${1+"$@"}'='"$@"' setopt NO_GLOB_SUBST else case `(set -o) 2>/dev/null` in #( *posix*) : set -o posix ;; #( *) : ;; esac fi as_nl=' ' export as_nl # Printing a long string crashes Solaris 7 /usr/bin/printf. 
as_echo='\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\' as_echo=$as_echo$as_echo$as_echo$as_echo$as_echo as_echo=$as_echo$as_echo$as_echo$as_echo$as_echo$as_echo # Prefer a ksh shell builtin over an external printf program on Solaris, # but without wasting forks for bash or zsh. if test -z "$BASH_VERSION$ZSH_VERSION" \ && (test "X`print -r -- $as_echo`" = "X$as_echo") 2>/dev/null; then as_echo='print -r --' as_echo_n='print -rn --' elif (test "X`printf %s $as_echo`" = "X$as_echo") 2>/dev/null; then as_echo='printf %s\n' as_echo_n='printf %s' else if test "X`(/usr/ucb/echo -n -n $as_echo) 2>/dev/null`" = "X-n $as_echo"; then as_echo_body='eval /usr/ucb/echo -n "$1$as_nl"' as_echo_n='/usr/ucb/echo -n' else as_echo_body='eval expr "X$1" : "X\\(.*\\)"' as_echo_n_body='eval arg=$1; case $arg in #( *"$as_nl"*) expr "X$arg" : "X\\(.*\\)$as_nl"; arg=`expr "X$arg" : ".*$as_nl\\(.*\\)"`;; esac; expr "X$arg" : "X\\(.*\\)" | tr -d "$as_nl" ' export as_echo_n_body as_echo_n='sh -c $as_echo_n_body as_echo' fi export as_echo_body as_echo='sh -c $as_echo_body as_echo' fi # The user is always right. if test "${PATH_SEPARATOR+set}" != set; then PATH_SEPARATOR=: (PATH='/bin;/bin'; FPATH=$PATH; sh -c :) >/dev/null 2>&1 && { (PATH='/bin:/bin'; FPATH=$PATH; sh -c :) >/dev/null 2>&1 || PATH_SEPARATOR=';' } fi # IFS # We need space, tab and new line, in precisely that order. Quoting is # there to prevent editors from complaining about space-tab. # (If _AS_PATH_WALK were called with IFS unset, it would disable word # splitting by setting IFS to empty value.) IFS=" "" $as_nl" # Find who we are. Look in the path if we contain no directory separator. as_myself= case $0 in #(( *[\\/]* ) as_myself=$0 ;; *) as_save_IFS=$IFS; IFS=$PATH_SEPARATOR for as_dir in $PATH do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. 
test -r "$as_dir/$0" && as_myself=$as_dir/$0 && break done IFS=$as_save_IFS ;; esac # We did not find ourselves, most probably we were run as `sh COMMAND' # in which case we are not to be found in the path. if test "x$as_myself" = x; then as_myself=$0 fi if test ! -f "$as_myself"; then $as_echo "$as_myself: error: cannot find myself; rerun with an absolute file name" >&2 exit 1 fi # Unset variables that we do not need and which cause bugs (e.g. in # pre-3.0 UWIN ksh). But do not cause bugs in bash 2.01; the "|| exit 1" # suppresses any "Segmentation fault" message there. '((' could # trigger a bug in pdksh 5.2.14. for as_var in BASH_ENV ENV MAIL MAILPATH do eval test x\${$as_var+set} = xset \ && ( (unset $as_var) || exit 1) >/dev/null 2>&1 && unset $as_var || : done PS1='$ ' PS2='> ' PS4='+ ' # NLS nuisances. LC_ALL=C export LC_ALL LANGUAGE=C export LANGUAGE # CDPATH. (unset CDPATH) >/dev/null 2>&1 && unset CDPATH # as_fn_error STATUS ERROR [LINENO LOG_FD] # ---------------------------------------- # Output "`basename $0`: error: ERROR" to stderr. If LINENO and LOG_FD are # provided, also output the error to LOG_FD, referencing LINENO. Then exit the # script with STATUS, using 1 if that was 0. as_fn_error () { as_status=$1; test $as_status -eq 0 && as_status=1 if test "$4"; then as_lineno=${as_lineno-"$3"} as_lineno_stack=as_lineno_stack=$as_lineno_stack $as_echo "$as_me:${as_lineno-$LINENO}: error: $2" >&$4 fi $as_echo "$as_me: error: $2" >&2 as_fn_exit $as_status } # as_fn_error # as_fn_set_status STATUS # ----------------------- # Set $? to STATUS, without forking. as_fn_set_status () { return $1 } # as_fn_set_status # as_fn_exit STATUS # ----------------- # Exit the shell with STATUS, even in a "trap 0" or "set -e" context. as_fn_exit () { set +e as_fn_set_status $1 exit $1 } # as_fn_exit # as_fn_unset VAR # --------------- # Portably unset VAR. 
as_fn_unset () { { eval $1=; unset $1;} } as_unset=as_fn_unset # as_fn_append VAR VALUE # ---------------------- # Append the text in VALUE to the end of the definition contained in VAR. Take # advantage of any shell optimizations that allow amortized linear growth over # repeated appends, instead of the typical quadratic growth present in naive # implementations. if (eval "as_var=1; as_var+=2; test x\$as_var = x12") 2>/dev/null; then : eval 'as_fn_append () { eval $1+=\$2 }' else as_fn_append () { eval $1=\$$1\$2 } fi # as_fn_append # as_fn_arith ARG... # ------------------ # Perform arithmetic evaluation on the ARGs, and store the result in the # global $as_val. Take advantage of shells that can avoid forks. The arguments # must be portable across $(()) and expr. if (eval "test \$(( 1 + 1 )) = 2") 2>/dev/null; then : eval 'as_fn_arith () { as_val=$(( $* )) }' else as_fn_arith () { as_val=`expr "$@" || test $? -eq 1` } fi # as_fn_arith if expr a : '\(a\)' >/dev/null 2>&1 && test "X`expr 00001 : '.*\(...\)'`" = X001; then as_expr=expr else as_expr=false fi if (basename -- /) >/dev/null 2>&1 && test "X`basename -- / 2>&1`" = "X/"; then as_basename=basename else as_basename=false fi if (as_dir=`dirname -- /` && test "X$as_dir" = X/) >/dev/null 2>&1; then as_dirname=dirname else as_dirname=false fi as_me=`$as_basename -- "$0" || $as_expr X/"$0" : '.*/\([^/][^/]*\)/*$' \| \ X"$0" : 'X\(//\)$' \| \ X"$0" : 'X\(/\)' \| . 2>/dev/null || $as_echo X/"$0" | sed '/^.*\/\([^/][^/]*\)\/*$/{ s//\1/ q } /^X\/\(\/\/\)$/{ s//\1/ q } /^X\/\(\/\).*/{ s//\1/ q } s/.*/./; q'` # Avoid depending upon Character Ranges. as_cr_letters='abcdefghijklmnopqrstuvwxyz' as_cr_LETTERS='ABCDEFGHIJKLMNOPQRSTUVWXYZ' as_cr_Letters=$as_cr_letters$as_cr_LETTERS as_cr_digits='0123456789' as_cr_alnum=$as_cr_Letters$as_cr_digits ECHO_C= ECHO_N= ECHO_T= case `echo -n x` in #((((( -n*) case `echo 'xy\c'` in *c*) ECHO_T=' ';; # ECHO_T is single tab character. 
xy) ECHO_C='\c';; *) echo `echo ksh88 bug on AIX 6.1` > /dev/null ECHO_T=' ';; esac;; *) ECHO_N='-n';; esac rm -f conf$$ conf$$.exe conf$$.file if test -d conf$$.dir; then rm -f conf$$.dir/conf$$.file else rm -f conf$$.dir mkdir conf$$.dir 2>/dev/null fi if (echo >conf$$.file) 2>/dev/null; then if ln -s conf$$.file conf$$ 2>/dev/null; then as_ln_s='ln -s' # ... but there are two gotchas: # 1) On MSYS, both `ln -s file dir' and `ln file dir' fail. # 2) DJGPP < 2.04 has no symlinks; `ln -s' creates a wrapper executable. # In both cases, we have to default to `cp -pR'. ln -s conf$$.file conf$$.dir 2>/dev/null && test ! -f conf$$.exe || as_ln_s='cp -pR' elif ln conf$$.file conf$$ 2>/dev/null; then as_ln_s=ln else as_ln_s='cp -pR' fi else as_ln_s='cp -pR' fi rm -f conf$$ conf$$.exe conf$$.dir/conf$$.file conf$$.file rmdir conf$$.dir 2>/dev/null # as_fn_mkdir_p # ------------- # Create "$as_dir" as a directory, including parents if necessary. as_fn_mkdir_p () { case $as_dir in #( -*) as_dir=./$as_dir;; esac test -d "$as_dir" || eval $as_mkdir_p || { as_dirs= while :; do case $as_dir in #( *\'*) as_qdir=`$as_echo "$as_dir" | sed "s/'/'\\\\\\\\''/g"`;; #'( *) as_qdir=$as_dir;; esac as_dirs="'$as_qdir' $as_dirs" as_dir=`$as_dirname -- "$as_dir" || $as_expr X"$as_dir" : 'X\(.*[^/]\)//*[^/][^/]*/*$' \| \ X"$as_dir" : 'X\(//\)[^/]' \| \ X"$as_dir" : 'X\(//\)$' \| \ X"$as_dir" : 'X\(/\)' \| . 2>/dev/null || $as_echo X"$as_dir" | sed '/^X\(.*[^/]\)\/\/*[^/][^/]*\/*$/{ s//\1/ q } /^X\(\/\/\)[^/].*/{ s//\1/ q } /^X\(\/\/\)$/{ s//\1/ q } /^X\(\/\).*/{ s//\1/ q } s/.*/./; q'` test -d "$as_dir" && break done test -z "$as_dirs" || eval "mkdir $as_dirs" } || test -d "$as_dir" || as_fn_error $? "cannot create directory $as_dir" } # as_fn_mkdir_p if mkdir -p . 2>/dev/null; then as_mkdir_p='mkdir -p "$as_dir"' else test -d ./-p && rmdir ./-p as_mkdir_p=false fi # as_fn_executable_p FILE # ----------------------- # Test if FILE is an executable regular file. 
as_fn_executable_p () { test -f "$1" && test -x "$1" } # as_fn_executable_p as_test_x='test -x' as_executable_p=as_fn_executable_p # Sed expression to map a string onto a valid CPP name. as_tr_cpp="eval sed 'y%*$as_cr_letters%P$as_cr_LETTERS%;s%[^_$as_cr_alnum]%_%g'" # Sed expression to map a string onto a valid variable name. as_tr_sh="eval sed 'y%*+%pp%;s%[^_$as_cr_alnum]%_%g'" exec 6>&1 ## ----------------------------------- ## ## Main body of $CONFIG_STATUS script. ## ## ----------------------------------- ## _ASEOF test $as_write_fail = 0 && chmod +x $CONFIG_STATUS || ac_write_fail=1 cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 # Save the log message, to keep $0 and so on meaningful, and to # report actual input values of CONFIG_FILES etc. instead of their # values after options handling. ac_log=" This file was extended by sagan $as_me 1.2.0, which was generated by GNU Autoconf 2.69. Invocation command line was CONFIG_FILES = $CONFIG_FILES CONFIG_HEADERS = $CONFIG_HEADERS CONFIG_LINKS = $CONFIG_LINKS CONFIG_COMMANDS = $CONFIG_COMMANDS $ $0 $@ on `(hostname || uname -n) 2>/dev/null | sed 1q` " _ACEOF case $ac_config_files in *" "*) set x $ac_config_files; shift; ac_config_files=$*;; esac case $ac_config_headers in *" "*) set x $ac_config_headers; shift; ac_config_headers=$*;; esac cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 # Files that config.status was made for. config_files="$ac_config_files" config_headers="$ac_config_headers" config_commands="$ac_config_commands" _ACEOF cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 ac_cs_usage="\ \`$as_me' instantiates files and other configuration actions from templates according to the current configuration. Unless the files and actions are specified as TAGs, all are instantiated by default. Usage: $0 [OPTION]... [TAG]... 
-h, --help print this help, then exit -V, --version print version number and configuration settings, then exit --config print configuration, then exit -q, --quiet, --silent do not print progress messages -d, --debug don't remove temporary files --recheck update $as_me by reconfiguring in the same conditions --file=FILE[:TEMPLATE] instantiate the configuration file FILE --header=FILE[:TEMPLATE] instantiate the configuration header FILE Configuration files: $config_files Configuration headers: $config_headers Configuration commands: $config_commands Report bugs to the package provider." _ACEOF cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`" ac_cs_version="\\ sagan config.status 1.2.0 configured by $0, generated by GNU Autoconf 2.69, with options \\"\$ac_cs_config\\" Copyright (C) 2012 Free Software Foundation, Inc. This config.status script is free software; the Free Software Foundation gives unlimited permission to copy, distribute and modify it." ac_pwd='$ac_pwd' srcdir='$srcdir' INSTALL='$INSTALL' MKDIR_P='$MKDIR_P' AWK='$AWK' test -n "\$AWK" || AWK=awk _ACEOF cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 # The default lists apply if the user does not specify any file. ac_need_defaults=: while test $# != 0 do case $1 in --*=?*) ac_option=`expr "X$1" : 'X\([^=]*\)='` ac_optarg=`expr "X$1" : 'X[^=]*=\(.*\)'` ac_shift=: ;; --*=) ac_option=`expr "X$1" : 'X\([^=]*\)='` ac_optarg= ac_shift=: ;; *) ac_option=$1 ac_optarg=$2 ac_shift=shift ;; esac case $ac_option in # Handling of the options. 
-recheck | --recheck | --rechec | --reche | --rech | --rec | --re | --r) ac_cs_recheck=: ;; --version | --versio | --versi | --vers | --ver | --ve | --v | -V ) $as_echo "$ac_cs_version"; exit ;; --config | --confi | --conf | --con | --co | --c ) $as_echo "$ac_cs_config"; exit ;; --debug | --debu | --deb | --de | --d | -d ) debug=: ;; --file | --fil | --fi | --f ) $ac_shift case $ac_optarg in *\'*) ac_optarg=`$as_echo "$ac_optarg" | sed "s/'/'\\\\\\\\''/g"` ;; '') as_fn_error $? "missing file argument" ;; esac as_fn_append CONFIG_FILES " '$ac_optarg'" ac_need_defaults=false;; --header | --heade | --head | --hea ) $ac_shift case $ac_optarg in *\'*) ac_optarg=`$as_echo "$ac_optarg" | sed "s/'/'\\\\\\\\''/g"` ;; esac as_fn_append CONFIG_HEADERS " '$ac_optarg'" ac_need_defaults=false;; --he | --h) # Conflict between --help and --header as_fn_error $? "ambiguous option: \`$1' Try \`$0 --help' for more information.";; --help | --hel | -h ) $as_echo "$ac_cs_usage"; exit ;; -q | -quiet | --quiet | --quie | --qui | --qu | --q \ | -silent | --silent | --silen | --sile | --sil | --si | --s) ac_cs_silent=: ;; # This is an error. -*) as_fn_error $? "unrecognized option: \`$1' Try \`$0 --help' for more information." ;; *) as_fn_append ac_config_targets " $1" ac_need_defaults=false ;; esac shift done ac_configure_extra_args= if $ac_cs_silent; then exec 6>/dev/null ac_configure_extra_args="$ac_configure_extra_args --silent" fi _ACEOF cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 if \$ac_cs_recheck; then set X $SHELL '$0' $ac_configure_args \$ac_configure_extra_args --no-create --no-recursion shift \$as_echo "running CONFIG_SHELL=$SHELL \$*" >&6 CONFIG_SHELL='$SHELL' export CONFIG_SHELL exec "\$@" fi _ACEOF cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 exec 5>>config.log { echo sed 'h;s/./-/g;s/^.../## /;s/...$/ ##/;p;x;p;x' <<_ASBOX ## Running $as_me. 
## _ASBOX $as_echo "$ac_log" } >&5 _ACEOF cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 # # INIT-COMMANDS # AMDEP_TRUE="$AMDEP_TRUE" ac_aux_dir="$ac_aux_dir" _ACEOF cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 # Handling of arguments. for ac_config_target in $ac_config_targets do case $ac_config_target in "depfiles") CONFIG_COMMANDS="$CONFIG_COMMANDS depfiles" ;; "config.h") CONFIG_HEADERS="$CONFIG_HEADERS config.h" ;; "Makefile") CONFIG_FILES="$CONFIG_FILES Makefile" ;; "src/Makefile") CONFIG_FILES="$CONFIG_FILES src/Makefile" ;; "tools/Makefile") CONFIG_FILES="$CONFIG_FILES tools/Makefile" ;; *) as_fn_error $? "invalid argument: \`$ac_config_target'" "$LINENO" 5;; esac done # If the user did not use the arguments to specify the items to instantiate, # then the envvar interface is used. Set only those that are not. # We use the long form for the default assignment because of an extremely # bizarre bug on SunOS 4.1.3. if $ac_need_defaults; then test "${CONFIG_FILES+set}" = set || CONFIG_FILES=$config_files test "${CONFIG_HEADERS+set}" = set || CONFIG_HEADERS=$config_headers test "${CONFIG_COMMANDS+set}" = set || CONFIG_COMMANDS=$config_commands fi # Have a temporary directory for convenience. Make it in the build tree # simply because there is no reason against having it here, and in addition, # creating and moving files from /tmp can sometimes cause problems. # Hook for its removal unless debugging. # Note that there is a small window in which the directory will not be cleaned: # after its creation but before its name has been assigned to `$tmp'. $debug || { tmp= ac_tmp= trap 'exit_status=$? : "${ac_tmp:=$tmp}" { test ! -d "$ac_tmp" || rm -fr "$ac_tmp"; } && exit $exit_status ' 0 trap 'as_fn_exit 1' 1 2 13 15 } # Create a (secure) tmp directory for tmp files. { tmp=`(umask 077 && mktemp -d "./confXXXXXX") 2>/dev/null` && test -d "$tmp" } || { tmp=./conf$$-$RANDOM (umask 077 && mkdir "$tmp") } || as_fn_error $? "cannot create a temporary directory in ." 
"$LINENO" 5 ac_tmp=$tmp # Set up the scripts for CONFIG_FILES section. # No need to generate them if there are no CONFIG_FILES. # This happens for instance with `./config.status config.h'. if test -n "$CONFIG_FILES"; then ac_cr=`echo X | tr X '\015'` # On cygwin, bash can eat \r inside `` if the user requested igncr. # But we know of no other shell where ac_cr would be empty at this # point, so we can use a bashism as a fallback. if test "x$ac_cr" = x; then eval ac_cr=\$\'\\r\' fi ac_cs_awk_cr=`$AWK 'BEGIN { print "a\rb" }' /dev/null` if test "$ac_cs_awk_cr" = "a${ac_cr}b"; then ac_cs_awk_cr='\\r' else ac_cs_awk_cr=$ac_cr fi echo 'BEGIN {' >"$ac_tmp/subs1.awk" && _ACEOF { echo "cat >conf$$subs.awk <<_ACEOF" && echo "$ac_subst_vars" | sed 's/.*/&!$&$ac_delim/' && echo "_ACEOF" } >conf$$subs.sh || as_fn_error $? "could not make $CONFIG_STATUS" "$LINENO" 5 ac_delim_num=`echo "$ac_subst_vars" | grep -c '^'` ac_delim='%!_!# ' for ac_last_try in false false false false false :; do . ./conf$$subs.sh || as_fn_error $? "could not make $CONFIG_STATUS" "$LINENO" 5 ac_delim_n=`sed -n "s/.*$ac_delim\$/X/p" conf$$subs.awk | grep -c X` if test $ac_delim_n = $ac_delim_num; then break elif $ac_last_try; then as_fn_error $? "could not make $CONFIG_STATUS" "$LINENO" 5 else ac_delim="$ac_delim!$ac_delim _$ac_delim!! 
" fi done rm -f conf$$subs.sh cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 cat >>"\$ac_tmp/subs1.awk" <<\\_ACAWK && _ACEOF sed -n ' h s/^/S["/; s/!.*/"]=/ p g s/^[^!]*!// :repl t repl s/'"$ac_delim"'$// t delim :nl h s/\(.\{148\}\)..*/\1/ t more1 s/["\\]/\\&/g; s/^/"/; s/$/\\n"\\/ p n b repl :more1 s/["\\]/\\&/g; s/^/"/; s/$/"\\/ p g s/.\{148\}// t nl :delim h s/\(.\{148\}\)..*/\1/ t more2 s/["\\]/\\&/g; s/^/"/; s/$/"/ p b :more2 s/["\\]/\\&/g; s/^/"/; s/$/"\\/ p g s/.\{148\}// t delim ' >$CONFIG_STATUS || ac_write_fail=1 rm -f conf$$subs.awk cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 _ACAWK cat >>"\$ac_tmp/subs1.awk" <<_ACAWK && for (key in S) S_is_set[key] = 1 FS = "" } { line = $ 0 nfields = split(line, field, "@") substed = 0 len = length(field[1]) for (i = 2; i < nfields; i++) { key = field[i] keylen = length(key) if (S_is_set[key]) { value = S[key] line = substr(line, 1, len) "" value "" substr(line, len + keylen + 3) len += length(value) + length(field[++i]) substed = 1 } else len += 1 + keylen } print line } _ACAWK _ACEOF cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 if sed "s/$ac_cr//" < /dev/null > /dev/null 2>&1; then sed "s/$ac_cr\$//; s/$ac_cr/$ac_cs_awk_cr/g" else cat fi < "$ac_tmp/subs1.awk" > "$ac_tmp/subs.awk" \ || as_fn_error $? "could not setup config files machinery" "$LINENO" 5 _ACEOF # VPATH may cause trouble with some makes, so we remove sole $(srcdir), # ${srcdir} and @srcdir@ entries from VPATH if srcdir is ".", strip leading and # trailing colons and then remove the whole line if VPATH becomes empty # (actually we leave an empty line to preserve line numbers). if test "x$srcdir" = x.; then ac_vpsub='/^[ ]*VPATH[ ]*=[ ]*/{ h s/// s/^/:/ s/[ ]*$/:/ s/:\$(srcdir):/:/g s/:\${srcdir}:/:/g s/:@srcdir@:/:/g s/^:*// s/:*$// x s/\(=[ ]*\).*/\1/ G s/\n// s/^[^=]*=[ ]*$// }' fi cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 fi # test -n "$CONFIG_FILES" # Set up the scripts for CONFIG_HEADERS section. 
# No need to generate them if there are no CONFIG_HEADERS. # This happens for instance with `./config.status Makefile'. if test -n "$CONFIG_HEADERS"; then cat >"$ac_tmp/defines.awk" <<\_ACAWK || BEGIN { _ACEOF # Transform confdefs.h into an awk script `defines.awk', embedded as # here-document in config.status, that substitutes the proper values into # config.h.in to produce config.h. # Create a delimiter string that does not exist in confdefs.h, to ease # handling of long lines. ac_delim='%!_!# ' for ac_last_try in false false :; do ac_tt=`sed -n "/$ac_delim/p" confdefs.h` if test -z "$ac_tt"; then break elif $ac_last_try; then as_fn_error $? "could not make $CONFIG_HEADERS" "$LINENO" 5 else ac_delim="$ac_delim!$ac_delim _$ac_delim!! " fi done # For the awk script, D is an array of macro values keyed by name, # likewise P contains macro parameters if any. Preserve backslash # newline sequences. ac_word_re=[_$as_cr_Letters][_$as_cr_alnum]* sed -n ' s/.\{148\}/&'"$ac_delim"'/g t rset :rset s/^[ ]*#[ ]*define[ ][ ]*/ / t def d :def s/\\$// t bsnl s/["\\]/\\&/g s/^ \('"$ac_word_re"'\)\(([^()]*)\)[ ]*\(.*\)/P["\1"]="\2"\ D["\1"]=" \3"/p s/^ \('"$ac_word_re"'\)[ ]*\(.*\)/D["\1"]=" \2"/p d :bsnl s/["\\]/\\&/g s/^ \('"$ac_word_re"'\)\(([^()]*)\)[ ]*\(.*\)/P["\1"]="\2"\ D["\1"]=" \3\\\\\\n"\\/p t cont s/^ \('"$ac_word_re"'\)[ ]*\(.*\)/D["\1"]=" \2\\\\\\n"\\/p t cont d :cont n s/.\{148\}/&'"$ac_delim"'/g t clear :clear s/\\$// t bsnlc s/["\\]/\\&/g; s/^/"/; s/$/"/p d :bsnlc s/["\\]/\\&/g; s/^/"/; s/$/\\\\\\n"\\/p b cont ' >$CONFIG_STATUS || ac_write_fail=1 cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 for (key in D) D_is_set[key] = 1 FS = "" } /^[\t ]*#[\t ]*(define|undef)[\t ]+$ac_word_re([\t (]|\$)/ { line = \$ 0 split(line, arg, " ") if (arg[1] == "#") { defundef = arg[2] mac1 = arg[3] } else { defundef = substr(arg[1], 2) mac1 = arg[2] } split(mac1, mac2, "(") #) macro = mac2[1] prefix = substr(line, 1, index(line, defundef) - 1) if (D_is_set[macro]) { # Preserve the 
white space surrounding the "#". print prefix "define", macro P[macro] D[macro] next } else { # Replace #undef with comments. This is necessary, for example, # in the case of _POSIX_SOURCE, which is predefined and required # on some systems where configure will not decide to define it. if (defundef == "undef") { print "/*", prefix defundef, macro, "*/" next } } } { print } _ACAWK _ACEOF cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 as_fn_error $? "could not setup config headers machinery" "$LINENO" 5 fi # test -n "$CONFIG_HEADERS" eval set X " :F $CONFIG_FILES :H $CONFIG_HEADERS :C $CONFIG_COMMANDS" shift for ac_tag do case $ac_tag in :[FHLC]) ac_mode=$ac_tag; continue;; esac case $ac_mode$ac_tag in :[FHL]*:*);; :L* | :C*:*) as_fn_error $? "invalid tag \`$ac_tag'" "$LINENO" 5;; :[FH]-) ac_tag=-:-;; :[FH]*) ac_tag=$ac_tag:$ac_tag.in;; esac ac_save_IFS=$IFS IFS=: set x $ac_tag IFS=$ac_save_IFS shift ac_file=$1 shift case $ac_mode in :L) ac_source=$1;; :[FH]) ac_file_inputs= for ac_f do case $ac_f in -) ac_f="$ac_tmp/stdin";; *) # Look for the file first in the build tree, then in the source tree # (if the path is not absolute). The absolute path cannot be DOS-style, # because $ac_f cannot contain `:'. test -f "$ac_f" || case $ac_f in [\\/$]*) false;; *) test -f "$srcdir/$ac_f" && ac_f="$srcdir/$ac_f";; esac || as_fn_error 1 "cannot find input file: \`$ac_f'" "$LINENO" 5;; esac case $ac_f in *\'*) ac_f=`$as_echo "$ac_f" | sed "s/'/'\\\\\\\\''/g"`;; esac as_fn_append ac_file_inputs " '$ac_f'" done # Let's still pretend it is `configure' which instantiates (i.e., don't # use $as_me), people would be surprised to read: # /* config.h. Generated by config.status. */ configure_input='Generated from '` $as_echo "$*" | sed 's|^[^:]*/||;s|:[^:]*/|, |g' `' by configure.' if test x"$ac_file" != x-; then configure_input="$ac_file. 
$configure_input" { $as_echo "$as_me:${as_lineno-$LINENO}: creating $ac_file" >&5 $as_echo "$as_me: creating $ac_file" >&6;} fi # Neutralize special characters interpreted by sed in replacement strings. case $configure_input in #( *\&* | *\|* | *\\* ) ac_sed_conf_input=`$as_echo "$configure_input" | sed 's/[\\\\&|]/\\\\&/g'`;; #( *) ac_sed_conf_input=$configure_input;; esac case $ac_tag in *:-:* | *:-) cat >"$ac_tmp/stdin" \ || as_fn_error $? "could not create $ac_file" "$LINENO" 5 ;; esac ;; esac ac_dir=`$as_dirname -- "$ac_file" || $as_expr X"$ac_file" : 'X\(.*[^/]\)//*[^/][^/]*/*$' \| \ X"$ac_file" : 'X\(//\)[^/]' \| \ X"$ac_file" : 'X\(//\)$' \| \ X"$ac_file" : 'X\(/\)' \| . 2>/dev/null || $as_echo X"$ac_file" | sed '/^X\(.*[^/]\)\/\/*[^/][^/]*\/*$/{ s//\1/ q } /^X\(\/\/\)[^/].*/{ s//\1/ q } /^X\(\/\/\)$/{ s//\1/ q } /^X\(\/\).*/{ s//\1/ q } s/.*/./; q'` as_dir="$ac_dir"; as_fn_mkdir_p ac_builddir=. case "$ac_dir" in .) ac_dir_suffix= ac_top_builddir_sub=. ac_top_build_prefix= ;; *) ac_dir_suffix=/`$as_echo "$ac_dir" | sed 's|^\.[\\/]||'` # A ".." for each directory in $ac_dir_suffix. ac_top_builddir_sub=`$as_echo "$ac_dir_suffix" | sed 's|/[^\\/]*|/..|g;s|/||'` case $ac_top_builddir_sub in "") ac_top_builddir_sub=. ac_top_build_prefix= ;; *) ac_top_build_prefix=$ac_top_builddir_sub/ ;; esac ;; esac ac_abs_top_builddir=$ac_pwd ac_abs_builddir=$ac_pwd$ac_dir_suffix # for backward compatibility: ac_top_builddir=$ac_top_build_prefix case $srcdir in .) # We are building in place. ac_srcdir=. ac_top_srcdir=$ac_top_builddir_sub ac_abs_top_srcdir=$ac_pwd ;; [\\/]* | ?:[\\/]* ) # Absolute name. ac_srcdir=$srcdir$ac_dir_suffix; ac_top_srcdir=$srcdir ac_abs_top_srcdir=$srcdir ;; *) # Relative name. 
ac_srcdir=$ac_top_build_prefix$srcdir$ac_dir_suffix ac_top_srcdir=$ac_top_build_prefix$srcdir ac_abs_top_srcdir=$ac_pwd/$srcdir ;; esac ac_abs_srcdir=$ac_abs_top_srcdir$ac_dir_suffix case $ac_mode in :F) # # CONFIG_FILE # case $INSTALL in [\\/$]* | ?:[\\/]* ) ac_INSTALL=$INSTALL ;; *) ac_INSTALL=$ac_top_build_prefix$INSTALL ;; esac ac_MKDIR_P=$MKDIR_P case $MKDIR_P in [\\/$]* | ?:[\\/]* ) ;; */*) ac_MKDIR_P=$ac_top_build_prefix$MKDIR_P ;; esac _ACEOF cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 # If the template does not know about datarootdir, expand it. # FIXME: This hack should be removed a few years after 2.60. ac_datarootdir_hack=; ac_datarootdir_seen= ac_sed_dataroot=' /datarootdir/ { p q } /@datadir@/p /@docdir@/p /@infodir@/p /@localedir@/p /@mandir@/p' case `eval "sed -n \"\$ac_sed_dataroot\" $ac_file_inputs"` in *datarootdir*) ac_datarootdir_seen=yes;; *@datadir@*|*@docdir@*|*@infodir@*|*@localedir@*|*@mandir@*) { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: $ac_file_inputs seems to ignore the --datarootdir setting" >&5 $as_echo "$as_me: WARNING: $ac_file_inputs seems to ignore the --datarootdir setting" >&2;} _ACEOF cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 ac_datarootdir_hack=' s&@datadir@&$datadir&g s&@docdir@&$docdir&g s&@infodir@&$infodir&g s&@localedir@&$localedir&g s&@mandir@&$mandir&g s&\\\${datarootdir}&$datarootdir&g' ;; esac _ACEOF # Neutralize VPATH when `$srcdir' = `.'. # Shell code in configure.ac might set extrasub. # FIXME: do we really want to maintain this feature? 
cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 ac_sed_extra="$ac_vpsub $extrasub _ACEOF cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 :t /@[a-zA-Z_][a-zA-Z_0-9]*@/!b s|@configure_input@|$ac_sed_conf_input|;t t s&@top_builddir@&$ac_top_builddir_sub&;t t s&@top_build_prefix@&$ac_top_build_prefix&;t t s&@srcdir@&$ac_srcdir&;t t s&@abs_srcdir@&$ac_abs_srcdir&;t t s&@top_srcdir@&$ac_top_srcdir&;t t s&@abs_top_srcdir@&$ac_abs_top_srcdir&;t t s&@builddir@&$ac_builddir&;t t s&@abs_builddir@&$ac_abs_builddir&;t t s&@abs_top_builddir@&$ac_abs_top_builddir&;t t s&@INSTALL@&$ac_INSTALL&;t t s&@MKDIR_P@&$ac_MKDIR_P&;t t $ac_datarootdir_hack " eval sed \"\$ac_sed_extra\" "$ac_file_inputs" | $AWK -f "$ac_tmp/subs.awk" \ >$ac_tmp/out || as_fn_error $? "could not create $ac_file" "$LINENO" 5 test -z "$ac_datarootdir_hack$ac_datarootdir_seen" && { ac_out=`sed -n '/\${datarootdir}/p' "$ac_tmp/out"`; test -n "$ac_out"; } && { ac_out=`sed -n '/^[ ]*datarootdir[ ]*:*=/p' \ "$ac_tmp/out"`; test -z "$ac_out"; } && { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: $ac_file contains a reference to the variable \`datarootdir' which seems to be undefined. Please make sure it is defined" >&5 $as_echo "$as_me: WARNING: $ac_file contains a reference to the variable \`datarootdir' which seems to be undefined. Please make sure it is defined" >&2;} rm -f "$ac_tmp/stdin" case $ac_file in -) cat "$ac_tmp/out" && rm -f "$ac_tmp/out";; *) rm -f "$ac_file" && mv "$ac_tmp/out" "$ac_file";; esac \ || as_fn_error $? "could not create $ac_file" "$LINENO" 5 ;; :H) # # CONFIG_HEADER # if test x"$ac_file" != x-; then { $as_echo "/* $configure_input */" \ && eval '$AWK -f "$ac_tmp/defines.awk"' "$ac_file_inputs" } >"$ac_tmp/config.h" \ || as_fn_error $? 
"could not create $ac_file" "$LINENO" 5 if diff "$ac_file" "$ac_tmp/config.h" >/dev/null 2>&1; then { $as_echo "$as_me:${as_lineno-$LINENO}: $ac_file is unchanged" >&5 $as_echo "$as_me: $ac_file is unchanged" >&6;} else rm -f "$ac_file" mv "$ac_tmp/config.h" "$ac_file" \ || as_fn_error $? "could not create $ac_file" "$LINENO" 5 fi else $as_echo "/* $configure_input */" \ && eval '$AWK -f "$ac_tmp/defines.awk"' "$ac_file_inputs" \ || as_fn_error $? "could not create -" "$LINENO" 5 fi # Compute "$ac_file"'s index in $config_headers. _am_arg="$ac_file" _am_stamp_count=1 for _am_header in $config_headers :; do case $_am_header in $_am_arg | $_am_arg:* ) break ;; * ) _am_stamp_count=`expr $_am_stamp_count + 1` ;; esac done echo "timestamp for $_am_arg" >`$as_dirname -- "$_am_arg" || $as_expr X"$_am_arg" : 'X\(.*[^/]\)//*[^/][^/]*/*$' \| \ X"$_am_arg" : 'X\(//\)[^/]' \| \ X"$_am_arg" : 'X\(//\)$' \| \ X"$_am_arg" : 'X\(/\)' \| . 2>/dev/null || $as_echo X"$_am_arg" | sed '/^X\(.*[^/]\)\/\/*[^/][^/]*\/*$/{ s//\1/ q } /^X\(\/\/\)[^/].*/{ s//\1/ q } /^X\(\/\/\)$/{ s//\1/ q } /^X\(\/\).*/{ s//\1/ q } s/.*/./; q'`/stamp-h$_am_stamp_count ;; :C) { $as_echo "$as_me:${as_lineno-$LINENO}: executing $ac_file commands" >&5 $as_echo "$as_me: executing $ac_file commands" >&6;} ;; esac case $ac_file$ac_mode in "depfiles":C) test x"$AMDEP_TRUE" != x"" || { # Older Autoconf quotes --file arguments for eval, but not when files # are listed without --file. Let's play safe and only enable the eval # if we detect the quoting. case $CONFIG_FILES in *\'*) eval set x "$CONFIG_FILES" ;; *) set x $CONFIG_FILES ;; esac shift for mf do # Strip MF so we end up with the name of the file. mf=`echo "$mf" | sed -e 's/:.*$//'` # Check whether this is an Automake generated Makefile or not. # We used to match only the files named 'Makefile.in', but # some people rename them; so instead we look at the file content. 
# Grep'ing the first line is not enough: some people post-process # each Makefile.in and add a new line on top of each file to say so. # Grep'ing the whole file is not good either: AIX grep has a line # limit of 2048, but all sed's we know have understand at least 4000. if sed -n 's,^#.*generated by automake.*,X,p' "$mf" | grep X >/dev/null 2>&1; then dirpart=`$as_dirname -- "$mf" || $as_expr X"$mf" : 'X\(.*[^/]\)//*[^/][^/]*/*$' \| \ X"$mf" : 'X\(//\)[^/]' \| \ X"$mf" : 'X\(//\)$' \| \ X"$mf" : 'X\(/\)' \| . 2>/dev/null || $as_echo X"$mf" | sed '/^X\(.*[^/]\)\/\/*[^/][^/]*\/*$/{ s//\1/ q } /^X\(\/\/\)[^/].*/{ s//\1/ q } /^X\(\/\/\)$/{ s//\1/ q } /^X\(\/\).*/{ s//\1/ q } s/.*/./; q'` else continue fi # Extract the definition of DEPDIR, am__include, and am__quote # from the Makefile without running 'make'. DEPDIR=`sed -n 's/^DEPDIR = //p' < "$mf"` test -z "$DEPDIR" && continue am__include=`sed -n 's/^am__include = //p' < "$mf"` test -z "$am__include" && continue am__quote=`sed -n 's/^am__quote = //p' < "$mf"` # Find all dependency output files, they are included files with # $(DEPDIR) in their names. We invoke sed twice because it is the # simplest approach to changing $(DEPDIR) to its actual value in the # expansion. for file in `sed -n " s/^$am__include $am__quote\(.*(DEPDIR).*\)$am__quote"'$/\1/p' <"$mf" | \ sed -e 's/\$(DEPDIR)/'"$DEPDIR"'/g'`; do # Make sure the directory exists. test -f "$dirpart/$file" && continue fdir=`$as_dirname -- "$file" || $as_expr X"$file" : 'X\(.*[^/]\)//*[^/][^/]*/*$' \| \ X"$file" : 'X\(//\)[^/]' \| \ X"$file" : 'X\(//\)$' \| \ X"$file" : 'X\(/\)' \| . 
2>/dev/null || $as_echo X"$file" | sed '/^X\(.*[^/]\)\/\/*[^/][^/]*\/*$/{ s//\1/ q } /^X\(\/\/\)[^/].*/{ s//\1/ q } /^X\(\/\/\)$/{ s//\1/ q } /^X\(\/\).*/{ s//\1/ q } s/.*/./; q'` as_dir=$dirpart/$fdir; as_fn_mkdir_p # echo "creating $dirpart/$file" echo '# dummy' > "$dirpart/$file" done done } ;; esac done # for ac_tag as_fn_exit 0 _ACEOF ac_clean_files=$ac_clean_files_save test $ac_write_fail = 0 || as_fn_error $? "write failure creating $CONFIG_STATUS" "$LINENO" 5 # configure is writing to config.log, and then calls config.status. # config.status does its own redirection, appending to config.log. # Unfortunately, on DOS this fails, as config.log is still kept open # by configure, so config.status won't be able to write to it; its # output is simply discarded. So we exec the FD to /dev/null, # effectively closing config.log, so it can be properly (re)opened and # appended to by config.status. When coming back to configure, we # need to make the FD available again. if test "$no_create" != yes; then ac_cs_success=: ac_config_status_args= test "$silent" = yes && ac_config_status_args="$ac_config_status_args --quiet" exec 5>/dev/null $SHELL $CONFIG_STATUS $ac_config_status_args || ac_cs_success=false exec 5>>config.log # Use ||, not &&, to avoid exiting from the if with $? = 1, which # would make configure fail if this is the last instruction. $ac_cs_success || as_fn_exit 1 fi if test -n "$ac_unrecognized_opts" && test "$enable_option_checking" != no; then { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: unrecognized options: $ac_unrecognized_opts" >&5 $as_echo "$as_me: WARNING: unrecognized options: $ac_unrecognized_opts" >&2;} fi { $as_echo "$as_me:${as_lineno-$LINENO}: result: " >&5 $as_echo "" >&6; } { $as_echo "$as_me:${as_lineno-$LINENO}: result: ,-._,-. Sagan has been configured!" >&5 $as_echo " ,-._,-. Sagan has been configured!" 
>&6; } { $as_echo "$as_me:${as_lineno-$LINENO}: result: \/)\"(\/ " >&5 $as_echo " \/)\"(\/ " >&6; } { $as_echo "$as_me:${as_lineno-$LINENO}: result: (_o_) Champ Clark III & The Quadrant InfoSec Team [quadrantsec.com]" >&5 $as_echo " (_o_) Champ Clark III & The Quadrant InfoSec Team [quadrantsec.com]" >&6; } { $as_echo "$as_me:${as_lineno-$LINENO}: result: / \/) Copyright (C) 2009-2018 Quadrant Information Security, et al." >&5 $as_echo " / \/) Copyright (C) 2009-2018 Quadrant Information Security, et al." >&6; } { $as_echo "$as_me:${as_lineno-$LINENO}: result: (|| ||) " >&5 $as_echo " (|| ||) " >&6; } { $as_echo "$as_me:${as_lineno-$LINENO}: result: oo-oo " >&5 $as_echo " oo-oo " >&6; } { $as_echo "$as_me:${as_lineno-$LINENO}: result: " >&5 $as_echo "" >&6; } sagan-1.2.0/doc/0000755000175000017500000000000013310531444012310 5ustar champchampsagan-1.2.0/doc/Makefile.am0000644000175000017500000000000013310531444014332 0ustar champchampsagan-1.2.0/doc/sagan_freebsd.howto.md0000644000175000017500000003012413310531444016554 0ustar champchampBuilding & Installing SAGAN For FreeBSD =============================== Goal => **Configure Sagan with liblognorm to log to unified2 snort logging format, using barnyard2 for output plugins** This goal outlines the best practices to decouple the processor and allow for the fastest logging, and alerting chain possible. 
## Install these Dependencies from Ports Tree:

*Note: Although explicit versions are listed here, you may want/need to build the latest from the ports tree. The versions below are simply what this HOWTO was written against and are dated; current ports carry their security fixes, so prefer them.*

Ports:

```shell
pcre-8.30_2 Perl Compatible Regular Expressions library
perl-5.12.4_4 Practical Extraction and Report Language
libdnet-1.11_3 A simple interface to low level networking routines
libee-0.3.2 An event expression library inspired by CEE
libestr-0.1.2 A library for some string essentials
autoconf-2.68 Automatically configure source code on many Un*x platforms
automake-1.11.1 GNU Standards-compliant Makefile generator (1.11)
pulledpork-0.6.1_2 Script to update snort-2.8+ rules
syslog-ng-3.3.5 A powerful syslogd replacement
```

Example: Build these FreeBSD packages from '/usr/ports', 'pkg_add -r', or 'portmaster -n'

```shell
[user@sensor /usr/ports/devel/libee]# sudo make clean install
```

### Barnyard2 Output Plugins:

Barnyard2 output plugins such as 'mysql' require additional dependencies to be prebuilt. Example:

```shell
barnyard2-1.9_2 An output system for Snort or Suricata that parses unified2
mysql-client-5.5.23 Multithreaded SQL database (client) (can be added for barnyard2 sql logging)
```

## Switch FreeBSD syslog to syslog-ng using FIFO

Modify your '/etc/rc.conf'

```shell
syslog_ng_enable="YES"
syslogd_enable="NO"
syslog_ng_config="-u root"
syslog_ng_pid="/var/run/syslog-ng.pid"
```

Note: `-u root` keeps syslog-ng running as root. It needs that privilege only for things like binding port 514; if your syslog-ng build can drop privileges after startup, prefer a dedicated user, and make sure the FIFO is writable by syslog-ng and readable by the user Sagan runs as, and by nobody else.

Add new syslog-ng outputs to `/usr/local/etc/syslog-ng.conf`

```shell
destination sagan {
    pipe( "/var/run/sagan.fifo" template("$SOURCEIP|$FACILITY|$PRIORITY|$LEVEL|$TAG|$YEAR-$MONTH-$DAY|$HOUR:$MIN:$SEC|$PROGRAM| $MSG\n") template-escape(no) );
};
log {
    source(s_local);
    # uncomment this line to open port 514 to receive messages
    #source(s_network);
    destination(d_local);
    destination(sagan);
};
```

Two caveats on this template. `template-escape(no)` passes field contents through unescaped, so a message whose `$PROGRAM` or `$TAG` contains the `|` delimiter or a newline may shift how Sagan splits the line; this matters most once you accept logs from hosts you do not control. Enabling `s_network` opens an unauthenticated syslog listener (UDP 514 by default), so restrict it with a firewall or syslog-ng source filters to the hosts that should be sending you logs.

Note: on FreeBSD, the stock syslog-ng configuration pulls in the existing `/etc/syslog.conf` as a module.

Stop the old syslog & start syslog-ng. After `mkfifo`, check the FIFO's ownership and mode: syslog-ng needs write access and Sagan's user needs read access; no one else needs either.

```shell
[user@sensor ~/sagan-0.2.1]# sudo mkfifo /var/run/sagan.fifo
[user@sensor ~/]# sudo /etc/rc.d/syslog 
stop
[user@sensor ~/]# sudo /usr/local/etc/rc.d/syslog-ng start
```

Installing the rest from source: (At this time Sagan and liblognorm are not in the FreeBSD ports tree.)

## Liblognorm

A note on integrity before fetching anything: the `http://` and `git://` URLs below are unauthenticated, so anyone on the network path could substitute the archive. Prefer the project's `https://` endpoints where they exist, compare the download against a checksum or signature published by the project, and if you clone, check out a known commit rather than whatever the branch head happens to be. The snapshot URL used here does pin a specific commit (`f4b98504...`), which is the right idea; the plain `git clone` does not.

### Option 1. Fetch nightly GIT repo for liblognorm

http://git.adiscon.com/?p=liblognorm.git;a=summary

```shell
[user@sensor ~/]# wget -O liblognorm.0.3.4.tar.gz "http://git.adiscon.com/?p=liblognorm.git;a=snapshot;h=f4b985047cd23be087aa93632acdd7ef7ea8ec70;sf=tgz"
- or -
[user@sensor ~/]# git clone git://git.adiscon.com/git/liblognorm.git
```

A nightly checkout requires the autotools to generate your ./configure file

```shell
[user@sensor ~/]# cd liblognorm*
[user@sensor ~/liblognorm]# aclocal
[user@sensor ~/liblognorm]# autoconf
[user@sensor ~/liblognorm]# autoreconf -f -i -Wall,no-obsolete
```

### Option 2. Fetch a tag/snapshot

Tagged releases should ship with a ready-made configure script.

*liblognorm.0.3.4.tar.gz* http://git.adiscon.com/?p=liblognorm.git;a=snapshot;h=f4b985047cd23be087aa93632acdd7ef7ea8ec70;sf=tgz

```shell
[user@sensor ~/]# fetch http://www.liblognorm.com/files/download/liblognorm-0.3.4.tar.gz
[user@sensor ~/]# tar -zxvf liblognorm-*
```

### Continue to compile liblognorm

```shell
[user@sensor ~/]# cd liblognorm*
[user@sensor ~/liblognorm]# LDFLAGS=-L/usr/local/lib CFLAGS=-I/usr/local/include ./configure
[user@sensor ~/liblognorm]# make
[user@sensor ~/liblognorm]# sudo make install
```

You should see

```shell
----------------------------------------------------------------------
Libraries have been installed in: /usr/local/lib
```

### Normalizer

The normalizer binary has been installed with liblognorm, and can assist you in testing your *.rulebase files. 
https://github.com/shadowbq/sagan-extras/blob/master/samples/README.normalizer.md

```shell
$ normalizer -r ./example.rulebase -e json < ./example.log
{"src-port": "14121", "src-ip": "192.168.0.1", "username": "bobuser"}
```

## Sagan

Download and decompress Sagan. (This HOWTO predates the tree it ships in: it references sagan-0.2.1 while this is the 1.2.0 source tree, so adjust version numbers and file names to the release you are actually building.) The download URL below is plain `http://`, so verify the tarball against a checksum or signature from the project before building it.

```shell
[user@sensor ~/]# fetch http://sagan.softwink.com/download/sagan-0.2.1.tar.gz
[user@sensor ~/]# tar zxvf sagan-*
[user@sensor ~/]# cd sagan-*
```

Configure Sagan to log to the unified2 snort logging format. This is the best way to decouple the processor and allow for the fastest logging. Use barnyard2 for output plugins.

```shell
[user@sensor ~/sagan-0.2.1] LDFLAGS=-L/usr/local/lib CFLAGS=-I/usr/local/include ./configure --disable-mysql --disable-postgresql --disable-esmtp --disable-prelude --enable-lognorm --enable-libdnet --disable-snortsam
[user@sensor ~/sagan-0.2.1]# make
[user@sensor ~/sagan-0.2.1]# sudo make install
```

At the end of the install you should see

```shell
------------------------------------------------------------------------------
/usr/bin/install -c -d "/usr/local/share/man/man8"
/usr/bin/install -c -m 644 etc/sagan.8 "/usr/local/share/man/man8"
/usr/bin/install -c -m 755 src/sagan "/usr/local/sbin/sagan"
/usr/bin/install -c -d "/var/log/sagan"
/usr/bin/install -c -d "/var/run/sagan"
------------------------------------------------------------------------------
Sagan has been installed! You still need to do a few more things before your up and running. See https://wiki.quadrantsec.com/bin/view/Main/SaganHOWTO for more information.
------------------------------------------------------------------------------
```

Ensure the binary is properly linked and will run without segfaulting: `ldd` should show that libee, libestr, liblognorm, libpcap, libdnet, threading and pcre are all resolved and compiled in. 
```shell
[user@sensor ~/sagan-0.2.1]# sudo ldd /usr/local/sbin/sagan
/usr/local/sbin/sagan:
    libdnet.so => /usr/local/lib/libdnet.so (0x80085e000)
    libpcap.so.8 => /lib/libpcap.so.8 (0x800a6c000)
    liblognorm.so.0 => /usr/local/lib/liblognorm.so.0 (0x800c9f000)
    libee.so.0 => /usr/local/lib/libee.so.0 (0x800ea7000)
    libestr.so.0 => /usr/local/lib/libestr.so.0 (0x8010ae000)
    libm.so.5 => /lib/libm.so.5 (0x8012b0000)
    libthr.so.3 => /lib/libthr.so.3 (0x8014d1000)
    libpcre.so.1 => /usr/local/lib/libpcre.so.1 (0x8016f4000)
    libc.so.7 => /lib/libc.so.7 (0x80194a000)
```

Create a FreeBSD Sagan service script

This fetches an rc.d script from the `master` branch of a third-party GitHub repository and installs it executable, to be run as root at every boot. Read it before installing it, and consider pinning to a specific commit (or vendoring a reviewed copy) rather than tracking `master`.

```shell
[user@sensor ~/sagan-0.2.1]# fetch https://raw.github.com/shadowbq/sagan-extras/master/etc/rc.d/sagan -o /usr/local/etc/rc.d/sagan
[user@sensor ~/sagan-0.2.1]# sudo chmod a+x /usr/local/etc/rc.d/sagan
```

Modify your '/etc/rc.conf' for this new sagan rc.d startup script.

```shell
sagan_enable="YES"
sagan_user="root"
```

Sagan parses log data from every host that feeds it, so running it as root turns any parser bug into a root-level bug. If your Sagan build and rc.d script support it, run it as a dedicated unprivileged user that can read the FIFO and write to /var/log/sagan and /var/run/sagan, and set `sagan_user` accordingly.

## Pulledpork

Download rules via Pulledpork (rule set manager)

Note: pulledpork does not at this time support the classification.config, reference.config, or any *.rulebase files

```shell
[user@sensor ~/sagan-0.2.1]# fetch https://raw.github.com/shadowbq/sagan-extras/master/etc/pulledpork.sagan.conf -o /usr/local/etc/pulledpork/pulledpork.sagan.conf
[user@sensor ~/sagan-0.2.1]# fetch https://raw.github.com/beave/sagan-rules/master/classification.config -o /usr/local/etc/sagan-rules/classification.config
[user@sensor ~/sagan-0.2.1]# fetch https://raw.github.com/beave/sagan-rules/master/reference.config -o /usr/local/etc/sagan-rules/reference.config
[user@sensor ~/sagan-0.2.1]# pulledpork.pl -d -T -vv -c /usr/local/etc/pulledpork/pulledpork.sagan.conf
```

You should see pulledpork run.

```shell
----------------------------------
Writing /var/log/sid_changes.log....
Done
Rule Stats.... 
New:-------0
Deleted:---0
Enabled Rules:----1538
Dropped Rules:----6
Disabled Rules:---1
Total Rules:------1545
Done
Please review /var/log/sid_changes.log for additional details
Fly Piggy Fly!
```

Modify the Sagan config '/usr/local/etc/sagan.conf' so that every individual rule-file include is commented out (`#`) and only this one remains:

```shell
include $RULE_PATH/sagan.rules
```

## FetchCarl

Download and install 'fetchcarl'

As with the rc.d script above, this is a shell script pulled from a third party's `master` branch; review it before you `chmod +x` it. Note also from the output below that it stages its clone in the predictable, world-writable path `/tmp/sagan_rules` and appears to reuse that directory when it already contains a git repo. On a shared host a local user could pre-create it; if that concerns you, check how the script treats a pre-existing directory before running it anywhere other than a single-purpose sensor.

```shell
[user@sensor ~/sagan-0.2.1]# fetch https://raw.github.com/shadowbq/sagan-extras/master/bin/fetchcarl.sh -o /usr/local/bin/fetchcarl
[user@sensor ~/sagan-0.2.1]# chmod +x /usr/local/bin/fetchcarl
[user@sensor ~]# fetchcarl --help
usage: fetchcarl options

This command will assist in downloading and updating sagan-rules rulebase, and map files.

OPTIONS:
   -f, --file      Sagan configuration file location default: /usr/local/etc/sagan.conf
   -u, --url       Sagan-rule git repo url default: https://github.com/beave/sagan-rules.git

GENERIC:
   -v, --verbose   Verbose
   -h, --help      Show this message

[user@sensor ~]# fetchcarl --verbose
the folder (/tmp/sagan_rules) you specified does not exist or doesn't contain a git repo.. fetching /tmp/sagan_rules
Cloning into '/tmp/sagan_rules'...
remote: Counting objects: 549, done.
remote: Compressing objects: 100% (255/255), done.
remote: Total 549 (delta 462), reused 368 (delta 292)
Receiving objects: 100% (549/549), 275.21 KiB, done.
Resolving deltas: 100% (462/462), done.
Finished pulling sagan rules.
Sagan rulebase and config update complete.
(Note: Sagan *.rules were not updated. Use pulledpork for this process.)
```

## Running Sagan

Run Sagan for the first time.

```shell
[user@sensor ~]# /usr/local/etc/rc.d/sagan start
```

... wait -- do stuff like fail ssh logins, and sudo cmds ... 
```shell [user@sensor ~]# ls -la /var/log/sagan/sagan* -rw-r--r-- 1 root sagan 4785 May 10 18:20 sagan.u2.1336685484 ``` ## Barnyard2 ### Configuration Create barnyard2.conf files ```shell [user@sensor ~]# sudo fetch https://raw.github.com/shadowbq/sagan-extras/master/etc/barnyard2.cli.conf -o /usr/local/etc/barnyard2.cli.conf [user@sensor ~]# cat /usr/local/etc/barnyard2.cli.conf # this is not hard, only unified2 is supported ;) input unified2 # Step 3: setup the output plugins output alert_fast: stdout ``` ### Run Barnyard2 Collect the unified2 data and output to double check alert chain is working. ```shell [user@sensor ~]# sudo mkdir /var/log/barnyard2 # Barnyard complains when this directory doesnt exist, although it is not used. [user@sensor ~]# barnyard2 -c /usr/local/etc/barnyard2.cli.conf -C /usr/local/etc/sagan-rules/classification.config -S /usr/local/etc/sagan-rules/sagan-sid-msg.map -R /usr/local/etc/sagan-rules/reference.config -f sagan.u2 -d /var/log/sagan/ --nolock-pidfile [user@sensor ~]# cat alert [**] [5000075] [OPENSSH] Authentication success [shadowbq] [**] [Classification: successful-user] [Priority: 1] 2012-05-10 17:25:39 1.2.5.6:59625 -> 1.2.3.32:22 auth info Message: Accepted publickey for shadowbq from 1.2.5.6 port 59625 ssh2 [Xref => http://wiki.quadrantsec.com/bin/view/Main/5000075] [**] [5000406] [OPENSSH] Accepted publickey [**] [Classification: successful-user] [Priority: 1] 2012-05-10 17:25:39 1.2.5.3:59625 -> 1.2.5.3:22 auth info Message: Accepted publickey for shadowbq from 1.2.5.6 port 59625 ssh2 [Xref => http://wiki.quadrantsec.com/bin/view/Main/5000406] ``` ### YEA! Working.. Moving ON! ### Barnyard Production Service Set up barnyard2 to run in via rc.d Modify your '/etc/rc.conf' and barnyard rc.d startup script. ```shell barnyard2_enable="YES" barnyard2_flags="-D -f sagan.u2 -d /var/log/sagan" ``` ### Optional. 
Barnyard2 and Existing Snorby/Base/DB

Set up barnyard2 to log to a remote Snorby MySQL database (this can be skipped if not running Snorby, or a remote DB)

```shell
[user@sensor ~]# sudo fetch https://raw.github.com/shadowbq/sagan-extras/master/etc/barnyard2.sagan.conf -o /usr/local/etc/barnyard2.conf
[user@sensor ~]# sudo cat /usr/local/etc/barnyard2.conf
config reference_file: /usr/local/etc/sagan-rules/reference.config
config classification_file: /usr/local/etc/sagan-rules/classification.config
config sid_file: /usr/local/etc/sagan-rules/sagan-sid-msg.map
config hostname: sagan
config interface: misc
config waldo_file: /var/log/sagan/barnyard2.waldo
input unified2
output database: log, mysql, user=snorby password=s3cr3tsauce dbname=snorby host=snorby
```

The database password sits in this file in clear text: make the file root-owned with mode 0600 (or readable only by the user barnyard2 runs as) and replace the sample password. Grant the `snorby` account only the privileges barnyard2 needs on the `snorby` schema rather than a general-purpose login. This example does not configure TLS for the MySQL connection, so unless the server enforces it, the credentials and alert data travel to `host=snorby` unencrypted; keep that link on a trusted network or enable TLS on the database side.

### Start Barnyard2

```shell
[user@sensor ~]# sudo /usr/local/etc/rc.d/barnyard2 start
```
sagan-1.2.0/m4/0000755000175000017500000000000013310531444012063 5ustar champchampsagan-1.2.0/m4/ax_gcc_x86_cpuid.m40000644000175000017500000000634013310531444015445 0ustar champchamp# ===========================================================================
# http://autoconf-archive.cryp.to/ax_gcc_x86_cpuid.html
# ===========================================================================
#
# SYNOPSIS
#
#   AX_GCC_X86_CPUID(OP)
#
# DESCRIPTION
#
#   On Pentium and later x86 processors, with gcc or a compiler that has a
#   compatible syntax for inline assembly instructions, run a small program
#   that executes the cpuid instruction with input OP. This can be used to
#   detect the CPU type.
#
#   On output, the values of the eax, ebx, ecx, and edx registers are stored
#   as hexadecimal strings as "eax:ebx:ecx:edx" in the cache variable
#   ax_cv_gcc_x86_cpuid_OP.
#
#   If the cpuid instruction fails (because you are running a
#   cross-compiler, or because you are not using gcc, or because you are on
#   a processor that doesn't have this instruction), ax_cv_gcc_x86_cpuid_OP
#   is set to the string "unknown". 
# # This macro mainly exists to be used in AX_GCC_ARCHFLAG. # # LICENSE # # Copyright (c) 2008 Steven G. Johnson # Copyright (c) 2008 Matteo Frigo # # This program is free software: you can redistribute it and/or modify it # under the terms of the GNU General Public License as published by the # Free Software Foundation, either version 3 of the License, or (at your # option) any later version. # # This program is distributed in the hope that it will be useful, but # WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General # Public License for more details. # # You should have received a copy of the GNU General Public License along # with this program. If not, see . # # As a special exception, the respective Autoconf Macro's copyright owner # gives unlimited permission to copy, distribute and modify the configure # scripts that are the output of Autoconf when processing the Macro. You # need not follow the terms of the GNU General Public License when using # or distributing such scripts, even though portions of the text of the # Macro appear in them. The GNU General Public License (GPL) does govern # all other use of the material that constitutes the Autoconf Macro. # # This special exception to the GPL applies to versions of the Autoconf # Macro released by the Autoconf Archive. When you make and distribute a # modified version of the Autoconf Macro, you may extend this special # exception to the GPL to apply to your modified version as well. 
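AC_DEFUN([AX_GCC_X86_CPUID],
[AC_REQUIRE([AC_PROG_CC])
AC_LANG_PUSH([C])
dnl Runs a tiny C program that executes CPUID with eax = OP and writes the
dnl four result registers as hex to conftest_cpuid. The program preamble
dnl must include stdio.h, since the body uses FILE, fopen, fprintf and fclose;
dnl the include was lost in this copy and is restored here.
dnl Result: ax_cv_gcc_x86_cpuid_OP = "eax:ebx:ecx:edx", or "unknown" when the
dnl program fails to build or run, or when cross-compiling.
AC_CACHE_CHECK(for x86 cpuid $1 output, ax_cv_gcc_x86_cpuid_$1,
 [AC_RUN_IFELSE([AC_LANG_PROGRAM([#include <stdio.h>], [
     int op = $1, eax, ebx, ecx, edx;
     FILE *f;
      __asm__("cpuid"
        : "=a" (eax), "=b" (ebx), "=c" (ecx), "=d" (edx)
        : "a" (op));
     f = fopen("conftest_cpuid", "w"); if (!f) return 1;
     fprintf(f, "%x:%x:%x:%x\n", eax, ebx, ecx, edx);
     fclose(f);
     return 0;
])],
     [ax_cv_gcc_x86_cpuid_$1=`cat conftest_cpuid`; rm -f conftest_cpuid],
     [ax_cv_gcc_x86_cpuid_$1=unknown; rm -f conftest_cpuid],
     [ax_cv_gcc_x86_cpuid_$1=unknown])])
AC_LANG_POP([C])
])
sagan-1.2.0/m4/ax_gcc_x86_avx_xgetbv.m40000644000175000017500000000640313310531444016516 0ustar champchamp# ===========================================================================
#  http://www.gnu.org/software/autoconf-archive/ax_gcc_x86_avx_xgetbv.html
# ===========================================================================
#
# SYNOPSIS
#
#   AX_GCC_X86_AVX_XGETBV
#
# DESCRIPTION
#
#   On later x86 processors with AVX SIMD support, with gcc or a compiler
#   that has a compatible syntax for inline assembly instructions, run a
#   small program that executes the xgetbv instruction with input OP. This
#   can be used to detect if the OS supports AVX instruction usage.
#
#   On output, the values of the eax and edx registers are stored as
#   hexadecimal strings as "eax:edx" in the cache variable
#   ax_cv_gcc_x86_avx_xgetbv.
#
#   If the xgetbv instruction fails (because you are running a
#   cross-compiler, or because you are not using gcc, or because you are on
#   a processor that doesn't have this instruction),
#   ax_cv_gcc_x86_avx_xgetbv_OP is set to the string "unknown".
#
#   This macro mainly exists to be used in AX_EXT.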
#
# LICENSE
#
#   Copyright (c) 2013 Michael Petch
#
#   This program is free software: you can redistribute it and/or modify it
#   under the terms of the GNU General Public License as published by the
#   Free Software Foundation, either version 3 of the License, or (at your
#   option) any later version.
#
#   This program is distributed in the hope that it will be useful, but
#   WITHOUT ANY WARRANTY; without even the implied warranty of
#   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General
#   Public License for more details.
#
#   You should have received a copy of the GNU General Public License along
#   with this program. If not, see <http://www.gnu.org/licenses/>.
#
#   As a special exception, the respective Autoconf Macro's copyright owner
#   gives unlimited permission to copy, distribute and modify the configure
#   scripts that are the output of Autoconf when processing the Macro. You
#   need not follow the terms of the GNU General Public License when using
#   or distributing such scripts, even though portions of the text of the
#   Macro appear in them. The GNU General Public License (GPL) does govern
#   all other use of the material that constitutes the Autoconf Macro.
#
#   This special exception to the GPL applies to versions of the Autoconf
#   Macro released by the Autoconf Archive. When you make and distribute a
#   modified version of the Autoconf Macro, you may extend this special
#   exception to the GPL to apply to your modified version as well.
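#serial 1
AC_DEFUN([AX_GCC_X86_AVX_XGETBV],
[AC_REQUIRE([AC_PROG_CC])
AC_LANG_PUSH([C])
dnl Runs a tiny C program that executes XGETBV with ecx = OP and writes
dnl eax:edx as hex to conftest_xgetbv. The instruction is emitted as raw
dnl opcode bytes so that older assemblers without xgetbv support still work.
dnl The program preamble must include stdio.h for FILE, fopen, fprintf and
dnl fclose; the include was lost in this copy and is restored here.
dnl Result: ax_cv_gcc_x86_avx_xgetbv_OP = "eax:edx", or "unknown" when the
dnl program fails to build or run, or when cross-compiling.
AC_CACHE_CHECK(for x86-AVX xgetbv $1 output, ax_cv_gcc_x86_avx_xgetbv_$1,
 [AC_RUN_IFELSE([AC_LANG_PROGRAM([#include <stdio.h>], [
     int op = $1, eax, edx;
     FILE *f;
     /* Opcodes for xgetbv */
     __asm__(".byte 0x0f, 0x01, 0xd0"
        : "=a" (eax), "=d" (edx)
        : "c" (op));
     f = fopen("conftest_xgetbv", "w"); if (!f) return 1;
     fprintf(f, "%x:%x\n", eax, edx);
     fclose(f);
     return 0;
])],
     [ax_cv_gcc_x86_avx_xgetbv_$1=`cat conftest_xgetbv`; rm -f conftest_xgetbv],
     [ax_cv_gcc_x86_avx_xgetbv_$1=unknown; rm -f conftest_xgetbv],
     [ax_cv_gcc_x86_avx_xgetbv_$1=unknown])])
AC_LANG_POP([C])
])
sagan-1.2.0/m4/ax_ext.m40000644000175000017500000002036013310531444013616 0ustar champchamp# ===========================================================================
#          http://www.gnu.org/software/autoconf-archive/ax_ext.html
# ===========================================================================
#
# SYNOPSIS
#
#   AX_EXT
#
# DESCRIPTION
#
#   Find supported SIMD extensions by requesting cpuid. When an SIMD
#   extension is found, the -m"simdextensionname" is added to SIMD_FLAGS if
#   compiler supports it. For example, if "sse2" is available, then "-msse2"
#   is added to SIMD_FLAGS.
#
#   This macro calls:
#
#     AC_SUBST(SIMD_FLAGS)
#
#   And defines:
#
#     HAVE_MMX / HAVE_SSE / HAVE_SSE2 / HAVE_SSE3 / HAVE_SSSE3 / HAVE_SSE4.1 / HAVE_SSE4.2 / HAVE_AVX
#
# LICENSE
#
#   Copyright (c) 2007 Christophe Tournayre
#   Copyright (c) 2013 Michael Petch
#
#   Copying and distribution of this file, with or without modification, are
#   permitted in any medium without royalty provided the copyright notice
#   and this notice are preserved. This file is offered as-is, without any
#   warranty.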
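#serial 13
AC_DEFUN([AX_EXT],
[
  AC_REQUIRE([AC_CANONICAL_HOST])

  case $host_cpu in
    powerpc*)
      dnl Altivec is probed only through the hw.optional.altivec sysctl; the
      dnl cache variable now defaults to "no" so the result is always printed
      dnl instead of being left empty when the knob is absent.
      AC_CACHE_CHECK([whether altivec is supported], [ax_cv_have_altivec_ext],
          [
            ax_cv_have_altivec_ext=no
            if test `/usr/sbin/sysctl -a 2>/dev/null| grep -c hw.optional.altivec` != 0; then
                if test `/usr/sbin/sysctl -n hw.optional.altivec` = 1; then
                  ax_cv_have_altivec_ext=yes
                fi
            fi
          ])

          if test "$ax_cv_have_altivec_ext" = yes; then
            AC_DEFINE(HAVE_ALTIVEC,,[Support Altivec instructions])
            AX_CHECK_COMPILE_FLAG(-faltivec, SIMD_FLAGS="$SIMD_FLAGS -faltivec", [])
          fi
    ;;

    i[[3456]]86*|x86_64*|amd64*)

      AC_REQUIRE([AX_GCC_X86_CPUID])
      AC_REQUIRE([AX_GCC_X86_AVX_XGETBV])

      dnl CPUID leaf 1: the feature bits tested below live in ecx (field 3)
      dnl and edx (field 4) of the "eax:ebx:ecx:edx" string. Both default to
      dnl 0 when the probe reported "unknown" so every feature test is "no".
      AX_GCC_X86_CPUID(0x00000001)
      ecx=0
      edx=0
      if test "$ax_cv_gcc_x86_cpuid_0x00000001" != "unknown";
      then
        ecx=`echo $ax_cv_gcc_x86_cpuid_0x00000001 | cut -d ":" -f 3`
        edx=`echo $ax_cv_gcc_x86_cpuid_0x00000001 | cut -d ":" -f 4`
      fi

      AC_CACHE_CHECK([whether mmx is supported], [ax_cv_have_mmx_ext],
      [
        ax_cv_have_mmx_ext=no
        if test "$((0x$edx>>23&0x01))" = 1; then
          ax_cv_have_mmx_ext=yes
        fi
      ])

      AC_CACHE_CHECK([whether sse is supported], [ax_cv_have_sse_ext],
      [
        ax_cv_have_sse_ext=no
        if test "$((0x$edx>>25&0x01))" = 1; then
          ax_cv_have_sse_ext=yes
        fi
      ])

      AC_CACHE_CHECK([whether sse2 is supported], [ax_cv_have_sse2_ext],
      [
        ax_cv_have_sse2_ext=no
        if test "$((0x$edx>>26&0x01))" = 1; then
          ax_cv_have_sse2_ext=yes
        fi
      ])

      AC_CACHE_CHECK([whether sse3 is supported], [ax_cv_have_sse3_ext],
      [
        ax_cv_have_sse3_ext=no
        if test "$((0x$ecx&0x01))" = 1; then
          ax_cv_have_sse3_ext=yes
        fi
      ])

      AC_CACHE_CHECK([whether ssse3 is supported], [ax_cv_have_ssse3_ext],
      [
        ax_cv_have_ssse3_ext=no
        if test "$((0x$ecx>>9&0x01))" = 1; then
          ax_cv_have_ssse3_ext=yes
        fi
      ])

      AC_CACHE_CHECK([whether sse4.1 is supported], [ax_cv_have_sse41_ext],
      [
        ax_cv_have_sse41_ext=no
        if test "$((0x$ecx>>19&0x01))" = 1; then
          ax_cv_have_sse41_ext=yes
        fi
      ])

      AC_CACHE_CHECK([whether sse4.2 is supported], [ax_cv_have_sse42_ext],
      [
        ax_cv_have_sse42_ext=no
        if test "$((0x$ecx>>20&0x01))" = 1; then
          ax_cv_have_sse42_ext=yes
        fi
      ])

      AC_CACHE_CHECK([whether avx is supported by processor], [ax_cv_have_avx_cpu_ext],
      [
        ax_cv_have_avx_cpu_ext=no
        if test "$((0x$ecx>>28&0x01))" = 1; then
          ax_cv_have_avx_cpu_ext=yes
        fi
      ])

      dnl AVX is usable only when the OS also saves the YMM state: bit 27 of
      dnl ecx (OSXSAVE) must be set and XGETBV with ecx=0 must report both
      dnl the XMM and YMM state bits (mask 0x6) enabled.
      if test x"$ax_cv_have_avx_cpu_ext" = x"yes"; then
        AX_GCC_X86_AVX_XGETBV(0x00000000)

        xgetbv_eax="0"
        if test x"$ax_cv_gcc_x86_avx_xgetbv_0x00000000" != x"unknown"; then
          xgetbv_eax=`echo $ax_cv_gcc_x86_avx_xgetbv_0x00000000 | cut -d ":" -f 1`
        fi

        AC_CACHE_CHECK([whether avx is supported by operating system], [ax_cv_have_avx_ext],
        [
          ax_cv_have_avx_ext=no

          if test "$((0x$ecx>>27&0x01))" = 1; then
            if test "$((0x$xgetbv_eax&0x6))" = 6; then
              ax_cv_have_avx_ext=yes
            fi
          fi
        ])
        if test x"$ax_cv_have_avx_ext" = x"no"; then
          AC_MSG_WARN([Your processor supports AVX, but your operating system doesn't])
        fi
      fi

      dnl For each extension the CPU reports, confirm the compiler accepts
      dnl the matching -m flag before adding it to SIMD_FLAGS and defining
      dnl the HAVE_* symbol; otherwise only warn.
      if test "$ax_cv_have_mmx_ext" = yes; then
        AX_CHECK_COMPILE_FLAG(-mmmx, ax_cv_support_mmx_ext=yes, [])
        if test x"$ax_cv_support_mmx_ext" = x"yes"; then
          SIMD_FLAGS="$SIMD_FLAGS -mmmx"
          AC_DEFINE(HAVE_MMX,,[Support mmx instructions])
        else
          AC_MSG_WARN([Your processor supports mmx instructions but not your compiler, can you try another compiler?])
        fi
      fi

      if test "$ax_cv_have_sse_ext" = yes; then
        AX_CHECK_COMPILE_FLAG(-msse, ax_cv_support_sse_ext=yes, [])
        if test x"$ax_cv_support_sse_ext" = x"yes"; then
          SIMD_FLAGS="$SIMD_FLAGS -msse"
          AC_DEFINE(HAVE_SSE,,[Support SSE (Streaming SIMD Extensions) instructions])
        else
          AC_MSG_WARN([Your processor supports sse instructions but not your compiler, can you try another compiler?])
        fi
      fi

      if test "$ax_cv_have_sse2_ext" = yes; then
        AX_CHECK_COMPILE_FLAG(-msse2, ax_cv_support_sse2_ext=yes, [])
        if test x"$ax_cv_support_sse2_ext" = x"yes"; then
          SIMD_FLAGS="$SIMD_FLAGS -msse2"
          AC_DEFINE(HAVE_SSE2,,[Support SSE2 (Streaming SIMD Extensions 2) instructions])
        else
          AC_MSG_WARN([Your processor supports sse2 instructions but not your compiler, can you try another compiler?])
        fi
      fi

      if test "$ax_cv_have_sse3_ext" = yes; then
        AX_CHECK_COMPILE_FLAG(-msse3, ax_cv_support_sse3_ext=yes, [])
        if test x"$ax_cv_support_sse3_ext" = x"yes"; then
          SIMD_FLAGS="$SIMD_FLAGS -msse3"
          AC_DEFINE(HAVE_SSE3,,[Support SSE3 (Streaming SIMD Extensions 3) instructions])
        else
          AC_MSG_WARN([Your processor supports sse3 instructions but not your compiler, can you try another compiler?])
        fi
      fi

      if test "$ax_cv_have_ssse3_ext" = yes; then
        AX_CHECK_COMPILE_FLAG(-mssse3, ax_cv_support_ssse3_ext=yes, [])
        if test x"$ax_cv_support_ssse3_ext" = x"yes"; then
          SIMD_FLAGS="$SIMD_FLAGS -mssse3"
          AC_DEFINE(HAVE_SSSE3,,[Support SSSE3 (Supplemental Streaming SIMD Extensions 3) instructions])
        else
          AC_MSG_WARN([Your processor supports ssse3 instructions but not your compiler, can you try another compiler?])
        fi
      fi

      dnl The config.h descriptions below previously said "SSSE4.x"; the
      dnl extensions are SSE4.1 and SSE4.2 (SSSE is only the 3 variant).
      if test "$ax_cv_have_sse41_ext" = yes; then
        AX_CHECK_COMPILE_FLAG(-msse4.1, ax_cv_support_sse41_ext=yes, [])
        if test x"$ax_cv_support_sse41_ext" = x"yes"; then
          SIMD_FLAGS="$SIMD_FLAGS -msse4.1"
          AC_DEFINE(HAVE_SSE4_1,,[Support SSE4.1 (Streaming SIMD Extensions 4.1) instructions])
        else
          AC_MSG_WARN([Your processor supports sse4.1 instructions but not your compiler, can you try another compiler?])
        fi
      fi

      if test "$ax_cv_have_sse42_ext" = yes; then
        AX_CHECK_COMPILE_FLAG(-msse4.2, ax_cv_support_sse42_ext=yes, [])
        if test x"$ax_cv_support_sse42_ext" = x"yes"; then
          SIMD_FLAGS="$SIMD_FLAGS -msse4.2"
          AC_DEFINE(HAVE_SSE4_2,,[Support SSE4.2 (Streaming SIMD Extensions 4.2) instructions])
        else
          AC_MSG_WARN([Your processor supports sse4.2 instructions but not your compiler, can you try another compiler?])
        fi
      fi

      if test "$ax_cv_have_avx_ext" = yes; then
        AX_CHECK_COMPILE_FLAG(-mavx, ax_cv_support_avx_ext=yes, [])
        if test x"$ax_cv_support_avx_ext" = x"yes"; then
          SIMD_FLAGS="$SIMD_FLAGS -mavx"
          AC_DEFINE(HAVE_AVX,,[Support AVX (Advanced Vector Extensions) instructions])
        else
          AC_MSG_WARN([Your processor supports avx instructions but not your compiler, can you try another compiler?])
        fi
      fi

  ;;
  esac

  AC_SUBST(SIMD_FLAGS)
])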
sagan-1.2.0/m4/ax_check_compile_flag.m40000644000175000017500000000625113310531444016577 0ustar champchamp# ===========================================================================
#   http://www.gnu.org/software/autoconf-archive/ax_check_compile_flag.html
# ===========================================================================
#
# SYNOPSIS
#
#   AX_CHECK_COMPILE_FLAG(FLAG, [ACTION-SUCCESS], [ACTION-FAILURE], [EXTRA-FLAGS])
#
# DESCRIPTION
#
#   Check whether the given FLAG works with the current language's compiler
#   or gives an error. (Warnings, however, are ignored)
#
#   ACTION-SUCCESS/ACTION-FAILURE are shell commands to execute on
#   success/failure.
#
#   If EXTRA-FLAGS is defined, it is added to the current language's default
#   flags (e.g. CFLAGS) when the check is done. The check is thus made with
#   the flags: "CFLAGS EXTRA-FLAGS FLAG". This can for example be used to
#   force the compiler to issue an error when a bad flag is given.
#
#   NOTE: Implementation based on AX_CFLAGS_GCC_OPTION. Please keep this
#   macro in sync with AX_CHECK_{PREPROC,LINK}_FLAG.
#
# LICENSE
#
#   Copyright (c) 2008 Guido U. Draheim
#   Copyright (c) 2011 Maarten Bosmans
#
#   This program is free software: you can redistribute it and/or modify it
#   under the terms of the GNU General Public License as published by the
#   Free Software Foundation, either version 3 of the License, or (at your
#   option) any later version.
#
#   This program is distributed in the hope that it will be useful, but
#   WITHOUT ANY WARRANTY; without even the implied warranty of
#   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General
#   Public License for more details.
#
#   You should have received a copy of the GNU General Public License along
#   with this program. If not, see <http://www.gnu.org/licenses/>.
#
#   As a special exception, the respective Autoconf Macro's copyright owner
#   gives unlimited permission to copy, distribute and modify the configure
#   scripts that are the output of Autoconf when processing the Macro.
You
#   need not follow the terms of the GNU General Public License when using
#   or distributing such scripts, even though portions of the text of the
#   Macro appear in them. The GNU General Public License (GPL) does govern
#   all other use of the material that constitutes the Autoconf Macro.
#
#   This special exception to the GPL applies to versions of the Autoconf
#   Macro released by the Autoconf Archive. When you make and distribute a
#   modified version of the Autoconf Macro, you may extend this special
#   exception to the GPL to apply to your modified version as well.

#serial 2

AC_DEFUN([AX_CHECK_COMPILE_FLAG],
[AC_PREREQ(2.59)dnl for _AC_LANG_PREFIX
dnl The cache key combines the current language abbreviation, EXTRA-FLAGS
dnl and FLAG, so the same flag is checked once per language and extra-flag
dnl combination.
AS_VAR_PUSHDEF([CACHEVAR],[ax_cv_check_[]_AC_LANG_ABBREV[]flags_$4_$1])dnl
dnl Temporarily append EXTRA-FLAGS and FLAG to the language's FLAGS variable,
dnl compile an empty program, and restore the saved flags afterwards. Only a
dnl compile error marks the flag as unusable; warnings do not.
AC_CACHE_CHECK([whether _AC_LANG compiler accepts $1], CACHEVAR, [
  ax_check_save_flags=$[]_AC_LANG_PREFIX[]FLAGS
  _AC_LANG_PREFIX[]FLAGS="$[]_AC_LANG_PREFIX[]FLAGS $4 $1"
  AC_COMPILE_IFELSE([AC_LANG_PROGRAM()],
    [AS_VAR_SET(CACHEVAR,[yes])],
    [AS_VAR_SET(CACHEVAR,[no])])
  _AC_LANG_PREFIX[]FLAGS=$ax_check_save_flags])
dnl Run ACTION-SUCCESS or ACTION-FAILURE; a missing action becomes ":".
AS_IF([test x"AS_VAR_GET(CACHEVAR)" = xyes],
  [m4_default([$2], :)],
  [m4_default([$3], :)])
AS_VAR_POPDEF([CACHEVAR])dnl
])dnl AX_CHECK_COMPILE_FLAGS
sagan-1.2.0/depcomp0000755000175000017500000005601613310533436013133 0ustar champchamp#! /bin/sh
# depcomp - compile a program generating dependencies as side-effects

scriptversion=2013-05-30.07; # UTC

# Copyright (C) 1999-2013 Free Software Foundation, Inc.

# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2, or (at your option)
# any later version.

# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
# You should have received a copy of the GNU General Public License
# along with this program.  If not, see <http://www.gnu.org/licenses/>.

# As a special exception to the GNU General Public License, if you
# distribute this file as part of a program that contains a
# configuration script generated by Autoconf, you may include it under
# the same distribution terms that you use for the rest of that program.

# Originally written by Alexandre Oliva .

# Handle the no-argument, --help and --version invocations; any other
# first argument is the compiler command to run.
case $1 in
  '')
    echo "$0: No command. Try '$0 --help' for more information." 1>&2
    exit 1;
    ;;
  -h | --h*)
    cat <<\EOF
Usage: depcomp [--help] [--version] PROGRAM [ARGS]

Run PROGRAMS ARGS to compile a file, generating dependencies
as side-effects.

Environment variables:
  depmode     Dependency tracking mode.
  source      Source file read by 'PROGRAMS ARGS'.
  object      Object file output by 'PROGRAMS ARGS'.
  DEPDIR      directory where to store dependencies.
  depfile     Dependency file to output.
  tmpdepfile  Temporary file to use when outputting dependencies.
  libtool     Whether libtool is used (yes/no).

Report bugs to .
EOF
    exit $?
    ;;
  -v | --v*)
    echo "depcomp $scriptversion"
    exit $?
    ;;
esac

# Get the directory component of the given path, and save it in the
# global variables '$dir'.  Note that this directory component will
# be either empty or ending with a '/' character.  This is deliberate.
# Argument: $1 - a file path.  Writes the global '$dir' only.
set_dir_from ()
{
  case $1 in
    */*) dir=`echo "$1" | sed -e 's|/[^/]*$|/|'`;;
      *) dir=;;
  esac
}

# Get the suffix-stripped basename of the given path, and save it the
# global variable '$base'.
# Argument: $1 - a file path.  Strips everything up to the last '/' and
# the final '.suffix'; writes the global '$base' only.
set_base_from ()
{
  base=`echo "$1" | sed -e 's|^.*/||' -e 's/\.[^.]*$//'`
}

# If no dependency file was actually created by the compiler invocation,
# we still have to create a dummy depfile, to avoid errors with the
# Makefile "include basename.Plo" scheme.
# Reads the global '$depfile' and overwrites it with a single comment line.
make_dummy_depfile ()
{
  echo "#dummy" > "$depfile"
}

# Factor out some common post-processing of the generated depfile.
# Requires the auxiliary global variable '$tmpdepfile' to be set.
aix_post_process_depfile ()
{
  # If the compiler actually managed to produce a dependency file,
  # post-process it.
  if test -f "$tmpdepfile"; then
    # Each line is of the form 'foo.o: dependency.h'.
    # Do two passes, one to just change these to
    #   $object: dependency.h
    # and one to simply output
    #   dependency.h:
    # which is needed to avoid the deleted-header problem.
    # Both passes read '$tmpdepfile' and their combined output replaces
    # '$depfile'; the temporary file is removed afterwards.
    { sed -e "s,^.*\.[$lower]*:,$object:," < "$tmpdepfile"
      sed -e "s,^.*\.[$lower]*:[$tab ]*,," -e 's,$,:,' < "$tmpdepfile"
    } > "$depfile"
    rm -f "$tmpdepfile"
  else
    make_dummy_depfile
  fi
}

# A tabulation character.
tab='	'
# A newline character.
nl='
'
# Character ranges might be problematic outside the C locale.
# These definitions help.
upper=ABCDEFGHIJKLMNOPQRSTUVWXYZ
lower=abcdefghijklmnopqrstuvwxyz
digits=0123456789
alpha=${upper}${lower}

# depmode, source and object are passed in through the environment by
# the generated Makefile rules; refuse to run without them.
if test -z "$depmode" || test -z "$source" || test -z "$object"; then
  echo "depcomp: Variables source, object and depmode must be set" 1>&2
  exit 1
fi

# Dependencies for sub/bar.o or sub/bar.obj go into sub/.deps/bar.Po.
# Both names may be overridden from the environment (the ${var-default}
# form keeps a caller-supplied value).
depfile=${depfile-`echo "$object" |
  sed 's|[^\\/]*$|'${DEPDIR-.deps}'/&|;s|\.\([^.]*\)$|.P\1|;s|Pobj$|Po|'`}
tmpdepfile=${tmpdepfile-`echo "$depfile" | sed 's/\.\([^.]*\)$/.T\1/'`}

rm -f "$tmpdepfile"

# Avoid interferences from the environment.
gccflag=
dashmflag=

# Some modes work just like other modes, but use different flags.  We
# parameterize here, but still list the modes in the big case below,
# to make depend.m4 easier to write.  Note that we *cannot* use a case
# here, because this file can only contain one case statement.
if test "$depmode" = hp; then
  # HP compiler uses -M and no extra arg.
  gccflag=-M
  depmode=gcc
fi

if test "$depmode" = dashXmstdout; then
  # This is just like dashmstdout with a different argument.
  dashmflag=-xM
  depmode=dashmstdout
fi

cygpath_u="cygpath -u -f -"
if test "$depmode" = msvcmsys; then
  # This is just like msvisualcpp but w/o cygpath translation.
# Just convert the backslash-escaped backslashes to single forward # slashes to satisfy depend.m4 cygpath_u='sed s,\\\\,/,g' depmode=msvisualcpp fi if test "$depmode" = msvc7msys; then # This is just like msvc7 but w/o cygpath translation. # Just convert the backslash-escaped backslashes to single forward # slashes to satisfy depend.m4 cygpath_u='sed s,\\\\,/,g' depmode=msvc7 fi if test "$depmode" = xlc; then # IBM C/C++ Compilers xlc/xlC can output gcc-like dependency information. gccflag=-qmakedep=gcc,-MF depmode=gcc fi case "$depmode" in gcc3) ## gcc 3 implements dependency tracking that does exactly what ## we want. Yay! Note: for some reason libtool 1.4 doesn't like ## it if -MD -MP comes after the -MF stuff. Hmm. ## Unfortunately, FreeBSD c89 acceptance of flags depends upon ## the command line argument order; so add the flags where they ## appear in depend2.am. Note that the slowdown incurred here ## affects only configure: in makefiles, %FASTDEP% shortcuts this. for arg do case $arg in -c) set fnord "$@" -MT "$object" -MD -MP -MF "$tmpdepfile" "$arg" ;; *) set fnord "$@" "$arg" ;; esac shift # fnord shift # $arg done "$@" stat=$? if test $stat -ne 0; then rm -f "$tmpdepfile" exit $stat fi mv "$tmpdepfile" "$depfile" ;; gcc) ## Note that this doesn't just cater to obsosete pre-3.x GCC compilers. ## but also to in-use compilers like IMB xlc/xlC and the HP C compiler. ## (see the conditional assignment to $gccflag above). ## There are various ways to get dependency output from gcc. Here's ## why we pick this rather obscure method: ## - Don't want to use -MD because we'd like the dependencies to end ## up in a subdir. Having to rename by hand is ugly. ## (We might end up doing this anyway to support other compilers.) ## - The DEPENDENCIES_OUTPUT environment variable makes gcc act like ## -MM, not -M (despite what the docs say). Also, it might not be ## supported by the other compilers which use the 'gcc' depmode. 
## - Using -M directly means running the compiler twice (even worse ## than renaming). if test -z "$gccflag"; then gccflag=-MD, fi "$@" -Wp,"$gccflag$tmpdepfile" stat=$? if test $stat -ne 0; then rm -f "$tmpdepfile" exit $stat fi rm -f "$depfile" echo "$object : \\" > "$depfile" # The second -e expression handles DOS-style file names with drive # letters. sed -e 's/^[^:]*: / /' \ -e 's/^['$alpha']:\/[^:]*: / /' < "$tmpdepfile" >> "$depfile" ## This next piece of magic avoids the "deleted header file" problem. ## The problem is that when a header file which appears in a .P file ## is deleted, the dependency causes make to die (because there is ## typically no way to rebuild the header). We avoid this by adding ## dummy dependencies for each header file. Too bad gcc doesn't do ## this for us directly. ## Some versions of gcc put a space before the ':'. On the theory ## that the space means something, we add a space to the output as ## well. hp depmode also adds that space, but also prefixes the VPATH ## to the object. Take care to not repeat it in the output. ## Some versions of the HPUX 10.20 sed can't process this invocation ## correctly. Breaking it into two sed invocations is a workaround. tr ' ' "$nl" < "$tmpdepfile" \ | sed -e 's/^\\$//' -e '/^$/d' -e "s|.*$object$||" -e '/:$/d' \ | sed -e 's/$/ :/' >> "$depfile" rm -f "$tmpdepfile" ;; hp) # This case exists only to let depend.m4 do its work. It works by # looking at the text of this script. This case will never be run, # since it is checked for above. exit 1 ;; sgi) if test "$libtool" = yes; then "$@" "-Wp,-MDupdate,$tmpdepfile" else "$@" -MDupdate "$tmpdepfile" fi stat=$? if test $stat -ne 0; then rm -f "$tmpdepfile" exit $stat fi rm -f "$depfile" if test -f "$tmpdepfile"; then # yes, the sourcefile depend on other files echo "$object : \\" > "$depfile" # Clip off the initial element (the dependent). 
Don't try to be # clever and replace this with sed code, as IRIX sed won't handle # lines with more than a fixed number of characters (4096 in # IRIX 6.2 sed, 8192 in IRIX 6.5). We also remove comment lines; # the IRIX cc adds comments like '#:fec' to the end of the # dependency line. tr ' ' "$nl" < "$tmpdepfile" \ | sed -e 's/^.*\.o://' -e 's/#.*$//' -e '/^$/ d' \ | tr "$nl" ' ' >> "$depfile" echo >> "$depfile" # The second pass generates a dummy entry for each header file. tr ' ' "$nl" < "$tmpdepfile" \ | sed -e 's/^.*\.o://' -e 's/#.*$//' -e '/^$/ d' -e 's/$/:/' \ >> "$depfile" else make_dummy_depfile fi rm -f "$tmpdepfile" ;; xlc) # This case exists only to let depend.m4 do its work. It works by # looking at the text of this script. This case will never be run, # since it is checked for above. exit 1 ;; aix) # The C for AIX Compiler uses -M and outputs the dependencies # in a .u file. In older versions, this file always lives in the # current directory. Also, the AIX compiler puts '$object:' at the # start of each line; $object doesn't have directory information. # Version 6 uses the directory in both cases. set_dir_from "$object" set_base_from "$object" if test "$libtool" = yes; then tmpdepfile1=$dir$base.u tmpdepfile2=$base.u tmpdepfile3=$dir.libs/$base.u "$@" -Wc,-M else tmpdepfile1=$dir$base.u tmpdepfile2=$dir$base.u tmpdepfile3=$dir$base.u "$@" -M fi stat=$? if test $stat -ne 0; then rm -f "$tmpdepfile1" "$tmpdepfile2" "$tmpdepfile3" exit $stat fi for tmpdepfile in "$tmpdepfile1" "$tmpdepfile2" "$tmpdepfile3" do test -f "$tmpdepfile" && break done aix_post_process_depfile ;; tcc) # tcc (Tiny C Compiler) understand '-MD -MF file' since version 0.9.26 # FIXME: That version still under development at the moment of writing. # Make that this statement remains true also for stable, released # versions. 
# It will wrap lines (doesn't matter whether long or short) with a # trailing '\', as in: # # foo.o : \ # foo.c \ # foo.h \ # # It will put a trailing '\' even on the last line, and will use leading # spaces rather than leading tabs (at least since its commit 0394caf7 # "Emit spaces for -MD"). "$@" -MD -MF "$tmpdepfile" stat=$? if test $stat -ne 0; then rm -f "$tmpdepfile" exit $stat fi rm -f "$depfile" # Each non-empty line is of the form 'foo.o : \' or ' dep.h \'. # We have to change lines of the first kind to '$object: \'. sed -e "s|.*:|$object :|" < "$tmpdepfile" > "$depfile" # And for each line of the second kind, we have to emit a 'dep.h:' # dummy dependency, to avoid the deleted-header problem. sed -n -e 's|^ *\(.*\) *\\$|\1:|p' < "$tmpdepfile" >> "$depfile" rm -f "$tmpdepfile" ;; ## The order of this option in the case statement is important, since the ## shell code in configure will try each of these formats in the order ## listed in this file. A plain '-MD' option would be understood by many ## compilers, so we must ensure this comes after the gcc and icc options. pgcc) # Portland's C compiler understands '-MD'. # Will always output deps to 'file.d' where file is the root name of the # source file under compilation, even if file resides in a subdirectory. # The object file name does not affect the name of the '.d' file. # pgcc 10.2 will output # foo.o: sub/foo.c sub/foo.h # and will wrap long lines using '\' : # foo.o: sub/foo.c ... \ # sub/foo.h ... \ # ... set_dir_from "$object" # Use the source, not the object, to determine the base name, since # that's sadly what pgcc will do too. set_base_from "$source" tmpdepfile=$base.d # For projects that build the same source file twice into different object # files, the pgcc approach of using the *source* file root name can cause # problems in parallel builds. Use a locking strategy to avoid stomping on # the same $tmpdepfile. lockdir=$base.d-lock trap " echo '$0: caught signal, cleaning up...' 
>&2 rmdir '$lockdir' exit 1 " 1 2 13 15 numtries=100 i=$numtries while test $i -gt 0; do # mkdir is a portable test-and-set. if mkdir "$lockdir" 2>/dev/null; then # This process acquired the lock. "$@" -MD stat=$? # Release the lock. rmdir "$lockdir" break else # If the lock is being held by a different process, wait # until the winning process is done or we timeout. while test -d "$lockdir" && test $i -gt 0; do sleep 1 i=`expr $i - 1` done fi i=`expr $i - 1` done trap - 1 2 13 15 if test $i -le 0; then echo "$0: failed to acquire lock after $numtries attempts" >&2 echo "$0: check lockdir '$lockdir'" >&2 exit 1 fi if test $stat -ne 0; then rm -f "$tmpdepfile" exit $stat fi rm -f "$depfile" # Each line is of the form `foo.o: dependent.h', # or `foo.o: dep1.h dep2.h \', or ` dep3.h dep4.h \'. # Do two passes, one to just change these to # `$object: dependent.h' and one to simply `dependent.h:'. sed "s,^[^:]*:,$object :," < "$tmpdepfile" > "$depfile" # Some versions of the HPUX 10.20 sed can't process this invocation # correctly. Breaking it into two sed invocations is a workaround. sed 's,^[^:]*: \(.*\)$,\1,;s/^\\$//;/^$/d;/:$/d' < "$tmpdepfile" \ | sed -e 's/$/ :/' >> "$depfile" rm -f "$tmpdepfile" ;; hp2) # The "hp" stanza above does not work with aCC (C++) and HP's ia64 # compilers, which have integrated preprocessors. The correct option # to use with these is +Maked; it writes dependencies to a file named # 'foo.d', which lands next to the object file, wherever that # happens to be. # Much of this is similar to the tru64 case; see comments there. set_dir_from "$object" set_base_from "$object" if test "$libtool" = yes; then tmpdepfile1=$dir$base.d tmpdepfile2=$dir.libs/$base.d "$@" -Wc,+Maked else tmpdepfile1=$dir$base.d tmpdepfile2=$dir$base.d "$@" +Maked fi stat=$? 
if test $stat -ne 0; then rm -f "$tmpdepfile1" "$tmpdepfile2" exit $stat fi for tmpdepfile in "$tmpdepfile1" "$tmpdepfile2" do test -f "$tmpdepfile" && break done if test -f "$tmpdepfile"; then sed -e "s,^.*\.[$lower]*:,$object:," "$tmpdepfile" > "$depfile" # Add 'dependent.h:' lines. sed -ne '2,${ s/^ *// s/ \\*$// s/$/:/ p }' "$tmpdepfile" >> "$depfile" else make_dummy_depfile fi rm -f "$tmpdepfile" "$tmpdepfile2" ;; tru64) # The Tru64 compiler uses -MD to generate dependencies as a side # effect. 'cc -MD -o foo.o ...' puts the dependencies into 'foo.o.d'. # At least on Alpha/Redhat 6.1, Compaq CCC V6.2-504 seems to put # dependencies in 'foo.d' instead, so we check for that too. # Subdirectories are respected. set_dir_from "$object" set_base_from "$object" if test "$libtool" = yes; then # Libtool generates 2 separate objects for the 2 libraries. These # two compilations output dependencies in $dir.libs/$base.o.d and # in $dir$base.o.d. We have to check for both files, because # one of the two compilations can be disabled. We should prefer # $dir$base.o.d over $dir.libs/$base.o.d because the latter is # automatically cleaned when .libs/ is deleted, while ignoring # the former would cause a distcleancheck panic. tmpdepfile1=$dir$base.o.d # libtool 1.5 tmpdepfile2=$dir.libs/$base.o.d # Likewise. tmpdepfile3=$dir.libs/$base.d # Compaq CCC V6.2-504 "$@" -Wc,-MD else tmpdepfile1=$dir$base.d tmpdepfile2=$dir$base.d tmpdepfile3=$dir$base.d "$@" -MD fi stat=$? if test $stat -ne 0; then rm -f "$tmpdepfile1" "$tmpdepfile2" "$tmpdepfile3" exit $stat fi for tmpdepfile in "$tmpdepfile1" "$tmpdepfile2" "$tmpdepfile3" do test -f "$tmpdepfile" && break done # Same post-processing that is required for AIX mode. aix_post_process_depfile ;; msvc7) if test "$libtool" = yes; then showIncludes=-Wc,-showIncludes else showIncludes=-showIncludes fi "$@" $showIncludes > "$tmpdepfile" stat=$? 
grep -v '^Note: including file: ' "$tmpdepfile" if test $stat -ne 0; then rm -f "$tmpdepfile" exit $stat fi rm -f "$depfile" echo "$object : \\" > "$depfile" # The first sed program below extracts the file names and escapes # backslashes for cygpath. The second sed program outputs the file # name when reading, but also accumulates all include files in the # hold buffer in order to output them again at the end. This only # works with sed implementations that can handle large buffers. sed < "$tmpdepfile" -n ' /^Note: including file: *\(.*\)/ { s//\1/ s/\\/\\\\/g p }' | $cygpath_u | sort -u | sed -n ' s/ /\\ /g s/\(.*\)/'"$tab"'\1 \\/p s/.\(.*\) \\/\1:/ H $ { s/.*/'"$tab"'/ G p }' >> "$depfile" echo >> "$depfile" # make sure the fragment doesn't end with a backslash rm -f "$tmpdepfile" ;; msvc7msys) # This case exists only to let depend.m4 do its work. It works by # looking at the text of this script. This case will never be run, # since it is checked for above. exit 1 ;; #nosideeffect) # This comment above is used by automake to tell side-effect # dependency tracking mechanisms from slower ones. dashmstdout) # Important note: in order to support this mode, a compiler *must* # always write the preprocessed file to stdout, regardless of -o. "$@" || exit $? # Remove the call to Libtool. if test "$libtool" = yes; then while test "X$1" != 'X--mode=compile'; do shift done shift fi # Remove '-o $object'. IFS=" " for arg do case $arg in -o) shift ;; $object) shift ;; *) set fnord "$@" "$arg" shift # fnord shift # $arg ;; esac done test -z "$dashmflag" && dashmflag=-M # Require at least two characters before searching for ':' # in the target name. This is to cope with DOS-style filenames: # a dependency such as 'c:/foo/bar' could be seen as target 'c' otherwise. 
"$@" $dashmflag | sed "s|^[$tab ]*[^:$tab ][^:][^:]*:[$tab ]*|$object: |" > "$tmpdepfile" rm -f "$depfile" cat < "$tmpdepfile" > "$depfile" # Some versions of the HPUX 10.20 sed can't process this sed invocation # correctly. Breaking it into two sed invocations is a workaround. tr ' ' "$nl" < "$tmpdepfile" \ | sed -e 's/^\\$//' -e '/^$/d' -e '/:$/d' \ | sed -e 's/$/ :/' >> "$depfile" rm -f "$tmpdepfile" ;; dashXmstdout) # This case only exists to satisfy depend.m4. It is never actually # run, as this mode is specially recognized in the preamble. exit 1 ;; makedepend) "$@" || exit $? # Remove any Libtool call if test "$libtool" = yes; then while test "X$1" != 'X--mode=compile'; do shift done shift fi # X makedepend shift cleared=no eat=no for arg do case $cleared in no) set ""; shift cleared=yes ;; esac if test $eat = yes; then eat=no continue fi case "$arg" in -D*|-I*) set fnord "$@" "$arg"; shift ;; # Strip any option that makedepend may not understand. Remove # the object too, otherwise makedepend will parse it as a source file. -arch) eat=yes ;; -*|$object) ;; *) set fnord "$@" "$arg"; shift ;; esac done obj_suffix=`echo "$object" | sed 's/^.*\././'` touch "$tmpdepfile" ${MAKEDEPEND-makedepend} -o"$obj_suffix" -f"$tmpdepfile" "$@" rm -f "$depfile" # makedepend may prepend the VPATH from the source file name to the object. # No need to regex-escape $object, excess matching of '.' is harmless. sed "s|^.*\($object *:\)|\1|" "$tmpdepfile" > "$depfile" # Some versions of the HPUX 10.20 sed can't process the last invocation # correctly. Breaking it into two sed invocations is a workaround. sed '1,2d' "$tmpdepfile" \ | tr ' ' "$nl" \ | sed -e 's/^\\$//' -e '/^$/d' -e '/:$/d' \ | sed -e 's/$/ :/' >> "$depfile" rm -f "$tmpdepfile" "$tmpdepfile".bak ;; cpp) # Important note: in order to support this mode, a compiler *must* # always write the preprocessed file to stdout. "$@" || exit $? # Remove the call to Libtool. 
if test "$libtool" = yes; then while test "X$1" != 'X--mode=compile'; do shift done shift fi # Remove '-o $object'. IFS=" " for arg do case $arg in -o) shift ;; $object) shift ;; *) set fnord "$@" "$arg" shift # fnord shift # $arg ;; esac done "$@" -E \ | sed -n -e '/^# [0-9][0-9]* "\([^"]*\)".*/ s:: \1 \\:p' \ -e '/^#line [0-9][0-9]* "\([^"]*\)".*/ s:: \1 \\:p' \ | sed '$ s: \\$::' > "$tmpdepfile" rm -f "$depfile" echo "$object : \\" > "$depfile" cat < "$tmpdepfile" >> "$depfile" sed < "$tmpdepfile" '/^$/d;s/^ //;s/ \\$//;s/$/ :/' >> "$depfile" rm -f "$tmpdepfile" ;; msvisualcpp) # Important note: in order to support this mode, a compiler *must* # always write the preprocessed file to stdout. "$@" || exit $? # Remove the call to Libtool. if test "$libtool" = yes; then while test "X$1" != 'X--mode=compile'; do shift done shift fi IFS=" " for arg do case "$arg" in -o) shift ;; $object) shift ;; "-Gm"|"/Gm"|"-Gi"|"/Gi"|"-ZI"|"/ZI") set fnord "$@" shift shift ;; *) set fnord "$@" "$arg" shift shift ;; esac done "$@" -E 2>/dev/null | sed -n '/^#line [0-9][0-9]* "\([^"]*\)"/ s::\1:p' | $cygpath_u | sort -u > "$tmpdepfile" rm -f "$depfile" echo "$object : \\" > "$depfile" sed < "$tmpdepfile" -n -e 's% %\\ %g' -e '/^\(.*\)$/ s::'"$tab"'\1 \\:p' >> "$depfile" echo "$tab" >> "$depfile" sed < "$tmpdepfile" -n -e 's% %\\ %g' -e '/^\(.*\)$/ s::\1\::p' >> "$depfile" rm -f "$tmpdepfile" ;; msvcmsys) # This case exists only to let depend.m4 do its work. It works by # looking at the text of this script. This case will never be run, # since it is checked for above. 
exit 1 ;; none) exec "$@" ;; *) echo "Unknown depmode $depmode" 1>&2 exit 1 ;; esac exit 0 # Local Variables: # mode: shell-script # sh-indentation: 2 # eval: (add-hook 'write-file-hooks 'time-stamp) # time-stamp-start: "scriptversion=" # time-stamp-format: "%:y-%02m-%02d.%02H" # time-stamp-time-zone: "UTC" # time-stamp-end: "; # UTC" # End: sagan-1.2.0/INSTALL0000644000175000017500000003661013310533436012605 0ustar champchampInstallation Instructions ************************* Copyright (C) 1994-1996, 1999-2002, 2004-2013 Free Software Foundation, Inc. Copying and distribution of this file, with or without modification, are permitted in any medium without royalty provided the copyright notice and this notice are preserved. This file is offered as-is, without warranty of any kind. Basic Installation ================== Briefly, the shell command `./configure && make && make install' should configure, build, and install this package. The following more-detailed instructions are generic; see the `README' file for instructions specific to this package. Some packages provide this `INSTALL' file but do not implement all of the features documented below. The lack of an optional feature in a given package is not necessarily a bug. More recommendations for GNU packages can be found in *note Makefile Conventions: (standards)Makefile Conventions. The `configure' shell script attempts to guess correct values for various system-dependent variables used during compilation. It uses those values to create a `Makefile' in each directory of the package. It may also create one or more `.h' files containing system-dependent definitions. Finally, it creates a shell script `config.status' that you can run in the future to recreate the current configuration, and a file `config.log' containing compiler output (useful mainly for debugging `configure'). 
It can also use an optional file (typically called `config.cache' and enabled with `--cache-file=config.cache' or simply `-C') that saves the results of its tests to speed up reconfiguring. Caching is disabled by default to prevent problems with accidental use of stale cache files. If you need to do unusual things to compile the package, please try to figure out how `configure' could check whether to do them, and mail diffs or instructions to the address given in the `README' so they can be considered for the next release. If you are using the cache, and at some point `config.cache' contains results you don't want to keep, you may remove or edit it. The file `configure.ac' (or `configure.in') is used to create `configure' by a program called `autoconf'. You need `configure.ac' if you want to change it or regenerate `configure' using a newer version of `autoconf'. The simplest way to compile this package is: 1. `cd' to the directory containing the package's source code and type `./configure' to configure the package for your system. Running `configure' might take a while. While running, it prints some messages telling which features it is checking for. 2. Type `make' to compile the package. 3. Optionally, type `make check' to run any self-tests that come with the package, generally using the just-built uninstalled binaries. 4. Type `make install' to install the programs and any data files and documentation. When installing into a prefix owned by root, it is recommended that the package be configured and built as a regular user, and only the `make install' phase executed with root privileges. 5. Optionally, type `make installcheck' to repeat any self-tests, but this time using the binaries in their final installed location. This target does not install anything. Running this target as a regular user, particularly if the prior `make install' required root privileges, verifies that the installation completed correctly. 6. 
You can remove the program binaries and object files from the source code directory by typing `make clean'. To also remove the files that `configure' created (so you can compile the package for a different kind of computer), type `make distclean'. There is also a `make maintainer-clean' target, but that is intended mainly for the package's developers. If you use it, you may have to get all sorts of other programs in order to regenerate files that came with the distribution. 7. Often, you can also type `make uninstall' to remove the installed files again. In practice, not all packages have tested that uninstallation works correctly, even though it is required by the GNU Coding Standards. 8. Some packages, particularly those that use Automake, provide `make distcheck', which can be used by developers to test that all other targets like `make install' and `make uninstall' work correctly. This target is generally not run by end users. Compilers and Options ===================== Some systems require unusual options for compilation or linking that the `configure' script does not know about. Run `./configure --help' for details on some of the pertinent environment variables. You can give `configure' initial values for configuration parameters by setting variables in the command line or in the environment. Here is an example: ./configure CC=c99 CFLAGS=-g LIBS=-lposix *Note Defining Variables::, for more details. Compiling For Multiple Architectures ==================================== You can compile the package for more than one kind of computer at the same time, by placing the object files for each architecture in their own directory. To do this, you can use GNU `make'. `cd' to the directory where you want the object files and executables to go and run the `configure' script. `configure' automatically checks for the source code in the directory that `configure' is in and in `..'. This is known as a "VPATH" build. 
With a non-GNU `make', it is safer to compile the package for one architecture at a time in the source code directory. After you have installed the package for one architecture, use `make distclean' before reconfiguring for another architecture. On MacOS X 10.5 and later systems, you can create libraries and executables that work on multiple system types--known as "fat" or "universal" binaries--by specifying multiple `-arch' options to the compiler but only a single `-arch' option to the preprocessor. Like this: ./configure CC="gcc -arch i386 -arch x86_64 -arch ppc -arch ppc64" \ CXX="g++ -arch i386 -arch x86_64 -arch ppc -arch ppc64" \ CPP="gcc -E" CXXCPP="g++ -E" This is not guaranteed to produce working output in all cases, you may have to build one architecture at a time and combine the results using the `lipo' tool if you have problems. Installation Names ================== By default, `make install' installs the package's commands under `/usr/local/bin', include files under `/usr/local/include', etc. You can specify an installation prefix other than `/usr/local' by giving `configure' the option `--prefix=PREFIX', where PREFIX must be an absolute file name. You can specify separate installation prefixes for architecture-specific files and architecture-independent files. If you pass the option `--exec-prefix=PREFIX' to `configure', the package uses PREFIX as the prefix for installing programs and libraries. Documentation and other data files still use the regular prefix. In addition, if you use an unusual directory layout you can give options like `--bindir=DIR' to specify different values for particular kinds of files. Run `configure --help' for a list of the directories you can set and what kinds of files go in them. In general, the default for these options is expressed in terms of `${prefix}', so that specifying just `--prefix' will affect all of the other directory specifications that were not explicitly provided. 
The most portable way to affect installation locations is to pass the correct locations to `configure'; however, many packages provide one or both of the following shortcuts of passing variable assignments to the `make install' command line to change installation locations without having to reconfigure or recompile. The first method involves providing an override variable for each affected directory. For example, `make install prefix=/alternate/directory' will choose an alternate location for all directory configuration variables that were expressed in terms of `${prefix}'. Any directories that were specified during `configure', but not in terms of `${prefix}', must each be overridden at install time for the entire installation to be relocated. The approach of makefile variable overrides for each directory variable is required by the GNU Coding Standards, and ideally causes no recompilation. However, some platforms have known limitations with the semantics of shared libraries that end up requiring recompilation when using this method, particularly noticeable in packages that use GNU Libtool. The second method involves providing the `DESTDIR' variable. For example, `make install DESTDIR=/alternate/directory' will prepend `/alternate/directory' before all installation names. The approach of `DESTDIR' overrides is not required by the GNU Coding Standards, and does not work on platforms that have drive letters. On the other hand, it does better at avoiding recompilation issues, and works well even when some directory options were not specified in terms of `${prefix}' at `configure' time. Optional Features ================= If the package supports it, you can cause programs to be installed with an extra prefix or suffix on their names by giving `configure' the option `--program-prefix=PREFIX' or `--program-suffix=SUFFIX'. Some packages pay attention to `--enable-FEATURE' options to `configure', where FEATURE indicates an optional part of the package. 
They may also pay attention to `--with-PACKAGE' options, where PACKAGE is something like `gnu-as' or `x' (for the X Window System). The `README' should mention any `--enable-' and `--with-' options that the package recognizes. For packages that use the X Window System, `configure' can usually find the X include and library files automatically, but if it doesn't, you can use the `configure' options `--x-includes=DIR' and `--x-libraries=DIR' to specify their locations. Some packages offer the ability to configure how verbose the execution of `make' will be. For these packages, running `./configure --enable-silent-rules' sets the default to minimal output, which can be overridden with `make V=1'; while running `./configure --disable-silent-rules' sets the default to verbose, which can be overridden with `make V=0'. Particular systems ================== On HP-UX, the default C compiler is not ANSI C compatible. If GNU CC is not installed, it is recommended to use the following options in order to use an ANSI C compiler: ./configure CC="cc -Ae -D_XOPEN_SOURCE=500" and if that doesn't work, install pre-built binaries of GCC for HP-UX. HP-UX `make' updates targets which have the same time stamps as their prerequisites, which makes it generally unusable when shipped generated files such as `configure' are involved. Use GNU `make' instead. On OSF/1 a.k.a. Tru64, some versions of the default C compiler cannot parse its `<wchar.h>' header file. The option `-nodtk' can be used as a workaround. If GNU CC is not installed, it is therefore recommended to try ./configure CC="cc" and if that doesn't work, try ./configure CC="cc -nodtk" On Solaris, don't put `/usr/ucb' early in your `PATH'. This directory contains several dysfunctional programs; working variants of these programs are available in `/usr/bin'. So, if you need `/usr/ucb' in your `PATH', put it _after_ `/usr/bin'. On Haiku, software installed for all users goes in `/boot/common', not `/usr/local'. 
It is recommended to use the following options: ./configure --prefix=/boot/common Specifying the System Type ========================== There may be some features `configure' cannot figure out automatically, but needs to determine by the type of machine the package will run on. Usually, assuming the package is built to be run on the _same_ architectures, `configure' can figure that out, but if it prints a message saying it cannot guess the machine type, give it the `--build=TYPE' option. TYPE can either be a short name for the system type, such as `sun4', or a canonical name which has the form: CPU-COMPANY-SYSTEM where SYSTEM can have one of these forms: OS KERNEL-OS See the file `config.sub' for the possible values of each field. If `config.sub' isn't included in this package, then this package doesn't need to know the machine type. If you are _building_ compiler tools for cross-compiling, you should use the option `--target=TYPE' to select the type of system they will produce code for. If you want to _use_ a cross compiler, that generates code for a platform different from the build platform, you should specify the "host" platform (i.e., that on which the generated programs will eventually be run) with `--host=TYPE'. Sharing Defaults ================ If you want to set default values for `configure' scripts to share, you can create a site shell script called `config.site' that gives default values for variables like `CC', `cache_file', and `prefix'. `configure' looks for `PREFIX/share/config.site' if it exists, then `PREFIX/etc/config.site' if it exists. Or, you can set the `CONFIG_SITE' environment variable to the location of the site script. A warning: not all `configure' scripts look for a site script. Defining Variables ================== Variables not defined in a site shell script can be set in the environment passed to `configure'. However, some packages may run configure again during the build, and the customized values of these variables may be lost. 
In order to avoid this problem, you should set them in the `configure' command line, using `VAR=value'. For example: ./configure CC=/usr/local2/bin/gcc causes the specified `gcc' to be used as the C compiler (unless it is overridden in the site shell script). Unfortunately, this technique does not work for `CONFIG_SHELL' due to an Autoconf limitation. Until the limitation is lifted, you can use this workaround: CONFIG_SHELL=/bin/bash ./configure CONFIG_SHELL=/bin/bash `configure' Invocation ====================== `configure' recognizes the following options to control how it operates. `--help' `-h' Print a summary of all of the options to `configure', and exit. `--help=short' `--help=recursive' Print a summary of the options unique to this package's `configure', and exit. The `short' variant lists options used only in the top level, while the `recursive' variant lists options also present in any nested packages. `--version' `-V' Print the version of Autoconf used to generate the `configure' script, and exit. `--cache-file=FILE' Enable the cache: use and save the results of the tests in FILE, traditionally `config.cache'. FILE defaults to `/dev/null' to disable caching. `--config-cache' `-C' Alias for `--cache-file=config.cache'. `--quiet' `--silent' `-q' Do not print messages saying which checks are being made. To suppress all normal output, redirect it to `/dev/null' (any error messages will still be shown). `--srcdir=DIR' Look for the package's source code in directory DIR. Usually `configure' can determine that directory automatically. `--prefix=DIR' Use DIR as the installation prefix. *note Installation Names:: for more details, including other options available for fine-tuning the installation locations. `--no-create' `-n' Run the configure checks, but stop before creating any output files. `configure' also accepts some other, not widely useful, options. Run `configure --help' for more details. 
sagan-1.2.0/NEWS0000644000175000017500000000004113310531444012235 0ustar champchampSee http://sagan.quadrantsec.com sagan-1.2.0/stamp-h10000644000175000017500000000002713310531444013117 0ustar champchamptimestamp for config.h sagan-1.2.0/aclocal.m40000644000175000017500000014606613310533433013420 0ustar champchamp# generated automatically by aclocal 1.14.1 -*- Autoconf -*- # Copyright (C) 1996-2013 Free Software Foundation, Inc. # This file is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, # with or without modifications, as long as this notice is preserved. # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY, to the extent permitted by law; without # even the implied warranty of MERCHANTABILITY or FITNESS FOR A # PARTICULAR PURPOSE. m4_ifndef([AC_CONFIG_MACRO_DIRS], [m4_defun([_AM_CONFIG_MACRO_DIRS], [])m4_defun([AC_CONFIG_MACRO_DIRS], [_AM_CONFIG_MACRO_DIRS($@)])]) m4_ifndef([AC_AUTOCONF_VERSION], [m4_copy([m4_PACKAGE_VERSION], [AC_AUTOCONF_VERSION])])dnl m4_if(m4_defn([AC_AUTOCONF_VERSION]), [2.69],, [m4_warning([this file was generated for autoconf 2.69. You have another version of autoconf. It may work, but is not guaranteed to. If you have problems, you may need to regenerate the build system entirely. To do so, use the procedure documented by the package, typically 'autoreconf'.])]) # pkg.m4 - Macros to locate and utilise pkg-config. -*- Autoconf -*- # serial 1 (pkg-config-0.24) # # Copyright © 2004 Scott James Remnant . # # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation; either version 2 of the License, or # (at your option) any later version. # # This program is distributed in the hope that it will be useful, but # WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the GNU # General Public License for more details. # # You should have received a copy of the GNU General Public License # along with this program; if not, write to the Free Software # Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. # # As a special exception to the GNU General Public License, if you # distribute this file as part of a program that contains a # configuration script generated by Autoconf, you may include it under # the same distribution terms that you use for the rest of that program. # PKG_PROG_PKG_CONFIG([MIN-VERSION]) # ---------------------------------- AC_DEFUN([PKG_PROG_PKG_CONFIG], [m4_pattern_forbid([^_?PKG_[A-Z_]+$]) m4_pattern_allow([^PKG_CONFIG(_(PATH|LIBDIR|SYSROOT_DIR|ALLOW_SYSTEM_(CFLAGS|LIBS)))?$]) m4_pattern_allow([^PKG_CONFIG_(DISABLE_UNINSTALLED|TOP_BUILD_DIR|DEBUG_SPEW)$]) AC_ARG_VAR([PKG_CONFIG], [path to pkg-config utility]) AC_ARG_VAR([PKG_CONFIG_PATH], [directories to add to pkg-config's search path]) AC_ARG_VAR([PKG_CONFIG_LIBDIR], [path overriding pkg-config's built-in search path]) if test "x$ac_cv_env_PKG_CONFIG_set" != "xset"; then AC_PATH_TOOL([PKG_CONFIG], [pkg-config]) fi if test -n "$PKG_CONFIG"; then _pkg_min_version=m4_default([$1], [0.9.0]) AC_MSG_CHECKING([pkg-config is at least version $_pkg_min_version]) if $PKG_CONFIG --atleast-pkgconfig-version $_pkg_min_version; then AC_MSG_RESULT([yes]) else AC_MSG_RESULT([no]) PKG_CONFIG="" fi fi[]dnl ])# PKG_PROG_PKG_CONFIG # PKG_CHECK_EXISTS(MODULES, [ACTION-IF-FOUND], [ACTION-IF-NOT-FOUND]) # # Check to see whether a particular set of modules exists. Similar # to PKG_CHECK_MODULES(), but does not set variables or print errors. 
# # Please remember that m4 expands AC_REQUIRE([PKG_PROG_PKG_CONFIG]) # only at the first occurence in configure.ac, so if the first place # it's called might be skipped (such as if it is within an "if", you # have to call PKG_CHECK_EXISTS manually # -------------------------------------------------------------- AC_DEFUN([PKG_CHECK_EXISTS], [AC_REQUIRE([PKG_PROG_PKG_CONFIG])dnl if test -n "$PKG_CONFIG" && \ AC_RUN_LOG([$PKG_CONFIG --exists --print-errors "$1"]); then m4_default([$2], [:]) m4_ifvaln([$3], [else $3])dnl fi]) # _PKG_CONFIG([VARIABLE], [COMMAND], [MODULES]) # --------------------------------------------- m4_define([_PKG_CONFIG], [if test -n "$$1"; then pkg_cv_[]$1="$$1" elif test -n "$PKG_CONFIG"; then PKG_CHECK_EXISTS([$3], [pkg_cv_[]$1=`$PKG_CONFIG --[]$2 "$3" 2>/dev/null` test "x$?" != "x0" && pkg_failed=yes ], [pkg_failed=yes]) else pkg_failed=untried fi[]dnl ])# _PKG_CONFIG # _PKG_SHORT_ERRORS_SUPPORTED # ----------------------------- AC_DEFUN([_PKG_SHORT_ERRORS_SUPPORTED], [AC_REQUIRE([PKG_PROG_PKG_CONFIG]) if $PKG_CONFIG --atleast-pkgconfig-version 0.20; then _pkg_short_errors_supported=yes else _pkg_short_errors_supported=no fi[]dnl ])# _PKG_SHORT_ERRORS_SUPPORTED # PKG_CHECK_MODULES(VARIABLE-PREFIX, MODULES, [ACTION-IF-FOUND], # [ACTION-IF-NOT-FOUND]) # # # Note that if there is a possibility the first call to # PKG_CHECK_MODULES might not happen, you should be sure to include an # explicit call to PKG_PROG_PKG_CONFIG in your configure.ac # # # -------------------------------------------------------------- AC_DEFUN([PKG_CHECK_MODULES], [AC_REQUIRE([PKG_PROG_PKG_CONFIG])dnl AC_ARG_VAR([$1][_CFLAGS], [C compiler flags for $1, overriding pkg-config])dnl AC_ARG_VAR([$1][_LIBS], [linker flags for $1, overriding pkg-config])dnl pkg_failed=no AC_MSG_CHECKING([for $1]) _PKG_CONFIG([$1][_CFLAGS], [cflags], [$2]) _PKG_CONFIG([$1][_LIBS], [libs], [$2]) m4_define([_PKG_TEXT], [Alternatively, you may set the environment variables $1[]_CFLAGS and $1[]_LIBS 
to avoid the need to call pkg-config. See the pkg-config man page for more details.]) if test $pkg_failed = yes; then AC_MSG_RESULT([no]) _PKG_SHORT_ERRORS_SUPPORTED if test $_pkg_short_errors_supported = yes; then $1[]_PKG_ERRORS=`$PKG_CONFIG --short-errors --print-errors --cflags --libs "$2" 2>&1` else $1[]_PKG_ERRORS=`$PKG_CONFIG --print-errors --cflags --libs "$2" 2>&1` fi # Put the nasty error message in config.log where it belongs echo "$$1[]_PKG_ERRORS" >&AS_MESSAGE_LOG_FD m4_default([$4], [AC_MSG_ERROR( [Package requirements ($2) were not met: $$1_PKG_ERRORS Consider adjusting the PKG_CONFIG_PATH environment variable if you installed software in a non-standard prefix. _PKG_TEXT])[]dnl ]) elif test $pkg_failed = untried; then AC_MSG_RESULT([no]) m4_default([$4], [AC_MSG_FAILURE( [The pkg-config script could not be found or is too old. Make sure it is in your PATH or set the PKG_CONFIG environment variable to the full path to pkg-config. _PKG_TEXT To get pkg-config, see .])[]dnl ]) else $1[]_CFLAGS=$pkg_cv_[]$1[]_CFLAGS $1[]_LIBS=$pkg_cv_[]$1[]_LIBS AC_MSG_RESULT([yes]) $3 fi[]dnl ])# PKG_CHECK_MODULES # PKG_INSTALLDIR(DIRECTORY) # ------------------------- # Substitutes the variable pkgconfigdir as the location where a module # should install pkg-config .pc files. By default the directory is # $libdir/pkgconfig, but the default can be changed by passing # DIRECTORY. The user can override through the --with-pkgconfigdir # parameter. 
AC_DEFUN([PKG_INSTALLDIR], [m4_pushdef([pkg_default], [m4_default([$1], ['${libdir}/pkgconfig'])]) m4_pushdef([pkg_description], [pkg-config installation directory @<:@]pkg_default[@:>@]) AC_ARG_WITH([pkgconfigdir], [AS_HELP_STRING([--with-pkgconfigdir], pkg_description)],, [with_pkgconfigdir=]pkg_default) AC_SUBST([pkgconfigdir], [$with_pkgconfigdir]) m4_popdef([pkg_default]) m4_popdef([pkg_description]) ]) dnl PKG_INSTALLDIR # PKG_NOARCH_INSTALLDIR(DIRECTORY) # ------------------------- # Substitutes the variable noarch_pkgconfigdir as the location where a # module should install arch-independent pkg-config .pc files. By # default the directory is $datadir/pkgconfig, but the default can be # changed by passing DIRECTORY. The user can override through the # --with-noarch-pkgconfigdir parameter. AC_DEFUN([PKG_NOARCH_INSTALLDIR], [m4_pushdef([pkg_default], [m4_default([$1], ['${datadir}/pkgconfig'])]) m4_pushdef([pkg_description], [pkg-config arch-independent installation directory @<:@]pkg_default[@:>@]) AC_ARG_WITH([noarch-pkgconfigdir], [AS_HELP_STRING([--with-noarch-pkgconfigdir], pkg_description)],, [with_noarch_pkgconfigdir=]pkg_default) AC_SUBST([noarch_pkgconfigdir], [$with_noarch_pkgconfigdir]) m4_popdef([pkg_default]) m4_popdef([pkg_description]) ]) dnl PKG_NOARCH_INSTALLDIR # PKG_CHECK_VAR(VARIABLE, MODULE, CONFIG-VARIABLE, # [ACTION-IF-FOUND], [ACTION-IF-NOT-FOUND]) # ------------------------------------------- # Retrieves the value of the pkg-config variable for the given module. AC_DEFUN([PKG_CHECK_VAR], [AC_REQUIRE([PKG_PROG_PKG_CONFIG])dnl AC_ARG_VAR([$1], [value of $3 for $2, overriding pkg-config])dnl _PKG_CONFIG([$1], [variable="][$3]["], [$2]) AS_VAR_COPY([$1], [pkg_cv_][$1]) AS_VAR_IF([$1], [""], [$5], [$4])dnl ])# PKG_CHECK_VAR # Copyright (C) 2002-2013 Free Software Foundation, Inc. 
# # This file is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, # with or without modifications, as long as this notice is preserved. # AM_AUTOMAKE_VERSION(VERSION) # ---------------------------- # Automake X.Y traces this macro to ensure aclocal.m4 has been # generated from the m4 files accompanying Automake X.Y. # (This private macro should not be called outside this file.) AC_DEFUN([AM_AUTOMAKE_VERSION], [am__api_version='1.14' dnl Some users find AM_AUTOMAKE_VERSION and mistake it for a way to dnl require some minimum version. Point them to the right macro. m4_if([$1], [1.14.1], [], [AC_FATAL([Do not call $0, use AM_INIT_AUTOMAKE([$1]).])])dnl ]) # _AM_AUTOCONF_VERSION(VERSION) # ----------------------------- # aclocal traces this macro to find the Autoconf version. # This is a private macro too. Using m4_define simplifies # the logic in aclocal, which can simply ignore this definition. m4_define([_AM_AUTOCONF_VERSION], []) # AM_SET_CURRENT_AUTOMAKE_VERSION # ------------------------------- # Call AM_AUTOMAKE_VERSION and AM_AUTOMAKE_VERSION so they can be traced. # This function is AC_REQUIREd by AM_INIT_AUTOMAKE. AC_DEFUN([AM_SET_CURRENT_AUTOMAKE_VERSION], [AM_AUTOMAKE_VERSION([1.14.1])dnl m4_ifndef([AC_AUTOCONF_VERSION], [m4_copy([m4_PACKAGE_VERSION], [AC_AUTOCONF_VERSION])])dnl _AM_AUTOCONF_VERSION(m4_defn([AC_AUTOCONF_VERSION]))]) # Figure out how to run the assembler. -*- Autoconf -*- # Copyright (C) 2001-2013 Free Software Foundation, Inc. # # This file is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, # with or without modifications, as long as this notice is preserved. # AM_PROG_AS # ---------- AC_DEFUN([AM_PROG_AS], [# By default we simply use the C compiler to build assembly code. 
AC_REQUIRE([AC_PROG_CC]) test "${CCAS+set}" = set || CCAS=$CC test "${CCASFLAGS+set}" = set || CCASFLAGS=$CFLAGS AC_ARG_VAR([CCAS], [assembler compiler command (defaults to CC)]) AC_ARG_VAR([CCASFLAGS], [assembler compiler flags (defaults to CFLAGS)]) _AM_IF_OPTION([no-dependencies],, [_AM_DEPENDENCIES([CCAS])])dnl ]) # AM_AUX_DIR_EXPAND -*- Autoconf -*- # Copyright (C) 2001-2013 Free Software Foundation, Inc. # # This file is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, # with or without modifications, as long as this notice is preserved. # For projects using AC_CONFIG_AUX_DIR([foo]), Autoconf sets # $ac_aux_dir to '$srcdir/foo'. In other projects, it is set to # '$srcdir', '$srcdir/..', or '$srcdir/../..'. # # Of course, Automake must honor this variable whenever it calls a # tool from the auxiliary directory. The problem is that $srcdir (and # therefore $ac_aux_dir as well) can be either absolute or relative, # depending on how configure is run. This is pretty annoying, since # it makes $ac_aux_dir quite unusable in subdirectories: in the top # source directory, any form will work fine, but in subdirectories a # relative path needs to be adjusted first. # # $ac_aux_dir/missing # fails when called from a subdirectory if $ac_aux_dir is relative # $top_srcdir/$ac_aux_dir/missing # fails if $ac_aux_dir is absolute, # fails when called from a subdirectory in a VPATH build with # a relative $ac_aux_dir # # The reason of the latter failure is that $top_srcdir and $ac_aux_dir # are both prefixed by $srcdir. In an in-source build this is usually # harmless because $srcdir is '.', but things will broke when you # start a VPATH build or use an absolute $srcdir. # # So we could use something similar to $top_srcdir/$ac_aux_dir/missing, # iff we strip the leading $srcdir from $ac_aux_dir. 
That would be: # am_aux_dir='\$(top_srcdir)/'`expr "$ac_aux_dir" : "$srcdir//*\(.*\)"` # and then we would define $MISSING as # MISSING="\${SHELL} $am_aux_dir/missing" # This will work as long as MISSING is not called from configure, because # unfortunately $(top_srcdir) has no meaning in configure. # However there are other variables, like CC, which are often used in # configure, and could therefore not use this "fixed" $ac_aux_dir. # # Another solution, used here, is to always expand $ac_aux_dir to an # absolute PATH. The drawback is that using absolute paths prevent a # configured tree to be moved without reconfiguration. AC_DEFUN([AM_AUX_DIR_EXPAND], [AC_REQUIRE([AC_CONFIG_AUX_DIR_DEFAULT])dnl # Expand $ac_aux_dir to an absolute path. am_aux_dir=`cd "$ac_aux_dir" && pwd` ]) # AM_CONDITIONAL -*- Autoconf -*- # Copyright (C) 1997-2013 Free Software Foundation, Inc. # # This file is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, # with or without modifications, as long as this notice is preserved. # AM_CONDITIONAL(NAME, SHELL-CONDITION) # ------------------------------------- # Define a conditional. AC_DEFUN([AM_CONDITIONAL], [AC_PREREQ([2.52])dnl m4_if([$1], [TRUE], [AC_FATAL([$0: invalid condition: $1])], [$1], [FALSE], [AC_FATAL([$0: invalid condition: $1])])dnl AC_SUBST([$1_TRUE])dnl AC_SUBST([$1_FALSE])dnl _AM_SUBST_NOTMAKE([$1_TRUE])dnl _AM_SUBST_NOTMAKE([$1_FALSE])dnl m4_define([_AM_COND_VALUE_$1], [$2])dnl if $2; then $1_TRUE= $1_FALSE='#' else $1_TRUE='#' $1_FALSE= fi AC_CONFIG_COMMANDS_PRE( [if test -z "${$1_TRUE}" && test -z "${$1_FALSE}"; then AC_MSG_ERROR([[conditional "$1" was never defined. Usually this means the macro was only invoked conditionally.]]) fi])]) # Copyright (C) 1999-2013 Free Software Foundation, Inc. 
# # This file is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, # with or without modifications, as long as this notice is preserved. # There are a few dirty hacks below to avoid letting 'AC_PROG_CC' be # written in clear, in which case automake, when reading aclocal.m4, # will think it sees a *use*, and therefore will trigger all it's # C support machinery. Also note that it means that autoscan, seeing # CC etc. in the Makefile, will ask for an AC_PROG_CC use... # _AM_DEPENDENCIES(NAME) # ---------------------- # See how the compiler implements dependency checking. # NAME is "CC", "CXX", "OBJC", "OBJCXX", "UPC", or "GJC". # We try a few techniques and use that to set a single cache variable. # # We don't AC_REQUIRE the corresponding AC_PROG_CC since the latter was # modified to invoke _AM_DEPENDENCIES(CC); we would have a circular # dependency, and given that the user is not expected to run this macro, # just rely on AC_PROG_CC. AC_DEFUN([_AM_DEPENDENCIES], [AC_REQUIRE([AM_SET_DEPDIR])dnl AC_REQUIRE([AM_OUTPUT_DEPENDENCY_COMMANDS])dnl AC_REQUIRE([AM_MAKE_INCLUDE])dnl AC_REQUIRE([AM_DEP_TRACK])dnl m4_if([$1], [CC], [depcc="$CC" am_compiler_list=], [$1], [CXX], [depcc="$CXX" am_compiler_list=], [$1], [OBJC], [depcc="$OBJC" am_compiler_list='gcc3 gcc'], [$1], [OBJCXX], [depcc="$OBJCXX" am_compiler_list='gcc3 gcc'], [$1], [UPC], [depcc="$UPC" am_compiler_list=], [$1], [GCJ], [depcc="$GCJ" am_compiler_list='gcc3 gcc'], [depcc="$$1" am_compiler_list=]) AC_CACHE_CHECK([dependency style of $depcc], [am_cv_$1_dependencies_compiler_type], [if test -z "$AMDEP_TRUE" && test -f "$am_depcomp"; then # We make a subdir and do the tests there. Otherwise we can end up # making bogus files that we don't know about and never remove. For # instance it was reported that on HP-UX the gcc test will end up # making a dummy file named 'D' -- because '-MD' means "put the output # in D". 
rm -rf conftest.dir mkdir conftest.dir # Copy depcomp to subdir because otherwise we won't find it if we're # using a relative directory. cp "$am_depcomp" conftest.dir cd conftest.dir # We will build objects and dependencies in a subdirectory because # it helps to detect inapplicable dependency modes. For instance # both Tru64's cc and ICC support -MD to output dependencies as a # side effect of compilation, but ICC will put the dependencies in # the current directory while Tru64 will put them in the object # directory. mkdir sub am_cv_$1_dependencies_compiler_type=none if test "$am_compiler_list" = ""; then am_compiler_list=`sed -n ['s/^#*\([a-zA-Z0-9]*\))$/\1/p'] < ./depcomp` fi am__universal=false m4_case([$1], [CC], [case " $depcc " in #( *\ -arch\ *\ -arch\ *) am__universal=true ;; esac], [CXX], [case " $depcc " in #( *\ -arch\ *\ -arch\ *) am__universal=true ;; esac]) for depmode in $am_compiler_list; do # Setup a source with many dependencies, because some compilers # like to wrap large dependency lists on column 80 (with \), and # we should not choose a depcomp mode which is confused by this. # # We need to recreate these files for each test, as the compiler may # overwrite some of them when testing with obscure command lines. # This happens at least with the AIX C compiler. : > sub/conftest.c for i in 1 2 3 4 5 6; do echo '#include "conftst'$i'.h"' >> sub/conftest.c # Using ": > sub/conftst$i.h" creates only sub/conftst1.h with # Solaris 10 /bin/sh. echo '/* dummy */' > sub/conftst$i.h done echo "${am__include} ${am__quote}sub/conftest.Po${am__quote}" > confmf # We check with '-c' and '-o' for the sake of the "dashmstdout" # mode. It turns out that the SunPro C++ compiler does not properly # handle '-M -o', and we need to detect this. Also, some Intel # versions had trouble with output in subdirs. am__obj=sub/conftest.${OBJEXT-o} am__minus_obj="-o $am__obj" case $depmode in gcc) # This depmode causes a compiler race in universal mode. 
test "$am__universal" = false || continue ;; nosideeffect) # After this tag, mechanisms are not by side-effect, so they'll # only be used when explicitly requested. if test "x$enable_dependency_tracking" = xyes; then continue else break fi ;; msvc7 | msvc7msys | msvisualcpp | msvcmsys) # This compiler won't grok '-c -o', but also, the minuso test has # not run yet. These depmodes are late enough in the game, and # so weak that their functioning should not be impacted. am__obj=conftest.${OBJEXT-o} am__minus_obj= ;; none) break ;; esac if depmode=$depmode \ source=sub/conftest.c object=$am__obj \ depfile=sub/conftest.Po tmpdepfile=sub/conftest.TPo \ $SHELL ./depcomp $depcc -c $am__minus_obj sub/conftest.c \ >/dev/null 2>conftest.err && grep sub/conftst1.h sub/conftest.Po > /dev/null 2>&1 && grep sub/conftst6.h sub/conftest.Po > /dev/null 2>&1 && grep $am__obj sub/conftest.Po > /dev/null 2>&1 && ${MAKE-make} -s -f confmf > /dev/null 2>&1; then # icc doesn't choke on unknown options, it will just issue warnings # or remarks (even with -Werror). So we grep stderr for any message # that says an option was ignored or not supported. # When given -MP, icc 7.0 and 7.1 complain thusly: # icc: Command line warning: ignoring option '-M'; no argument required # The diagnosis changed in icc 8.0: # icc: Command line remark: option '-MP' not supported if (grep 'ignoring option' conftest.err || grep 'not supported' conftest.err) >/dev/null 2>&1; then :; else am_cv_$1_dependencies_compiler_type=$depmode break fi fi done cd .. rm -rf conftest.dir else am_cv_$1_dependencies_compiler_type=none fi ]) AC_SUBST([$1DEPMODE], [depmode=$am_cv_$1_dependencies_compiler_type]) AM_CONDITIONAL([am__fastdep$1], [ test "x$enable_dependency_tracking" != xno \ && test "$am_cv_$1_dependencies_compiler_type" = gcc3]) ]) # AM_SET_DEPDIR # ------------- # Choose a directory name for dependency files. # This macro is AC_REQUIREd in _AM_DEPENDENCIES. 
AC_DEFUN([AM_SET_DEPDIR],
[AC_REQUIRE([AM_SET_LEADING_DOT])dnl
dnl DEPDIR is ".deps" where the file system accepts a leading dot and
dnl "_deps" otherwise; am__leading_dot is set by the required macro.
AC_SUBST([DEPDIR], ["${am__leading_dot}deps"])dnl
])


# AM_DEP_TRACK
# ------------
# Define the --enable/--disable-dependency-tracking option.  Unless the
# user disabled tracking, point am_depcomp at the depcomp helper in the
# aux dir -- its presence is what lets _AM_DEPENDENCIES probe the
# compiler -- and export the AMDEP conditional plus two Makefile
# substitutions (AMDEPBACKSLASH, am__nodep) whose meaning is defined by
# automake's Makefile templates, not here.
AC_DEFUN([AM_DEP_TRACK],
[AC_ARG_ENABLE([dependency-tracking], [dnl
AS_HELP_STRING(
  [--enable-dependency-tracking],
  [do not reject slow dependency extractors])
AS_HELP_STRING(
  [--disable-dependency-tracking],
  [speeds up one-time build])])
if test "x$enable_dependency_tracking" != xno; then
  am_depcomp="$ac_aux_dir/depcomp"
  AMDEPBACKSLASH='\'
  am__nodep='_no'
fi
AM_CONDITIONAL([AMDEP], [test "x$enable_dependency_tracking" != xno])
AC_SUBST([AMDEPBACKSLASH])dnl
_AM_SUBST_NOTMAKE([AMDEPBACKSLASH])dnl
AC_SUBST([am__nodep])dnl
_AM_SUBST_NOTMAKE([am__nodep])dnl
])

# Generate code to set up dependency tracking. -*- Autoconf -*-

# Copyright (C) 1999-2013 Free Software Foundation, Inc.
#
# This file is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
# with or without modifications, as long as this notice is preserved.


# _AM_OUTPUT_DEPENDENCY_COMMANDS
# ------------------------------
# Runs inside config.status (hooked up by AM_OUTPUT_DEPENDENCY_COMMANDS).
# For each Automake-generated Makefile named in CONFIG_FILES it reads
# DEPDIR, am__include and am__quote back out of the Makefile text, lists
# every included dependency file whose name mentions DEPDIR, and creates
# each missing one as a one-line dummy so the first make can run before
# the real dependency files exist.
# NOTE(review): when CONFIG_FILES contains a single quote it is re-parsed
# with "eval".  That is only safe because the quoting being undone was
# produced by config.status itself; nothing here validates the value, so
# if CONFIG_FILES can be supplied from outside (config.status presumably
# accepts it), its source must be trusted.
AC_DEFUN([_AM_OUTPUT_DEPENDENCY_COMMANDS],
[{
  # Older Autoconf quotes --file arguments for eval, but not when files
  # are listed without --file.  Let's play safe and only enable the eval
  # if we detect the quoting.
  case $CONFIG_FILES in
  *\'*) eval set x "$CONFIG_FILES" ;;
  *)   set x $CONFIG_FILES ;;
  esac
  shift
  for mf
  do
    # Strip MF so we end up with the name of the file.
    mf=`echo "$mf" | sed -e 's/:.*$//'`
    # Check whether this is an Automake generated Makefile or not.
    # We used to match only the files named 'Makefile.in', but
    # some people rename them; so instead we look at the file content.
    # Grep'ing the first line is not enough: some people post-process
    # each Makefile.in and add a new line on top of each file to say so.
    # Grep'ing the whole file is not good either: AIX grep has a line
    # limit of 2048, but all sed's we know have understand at least 4000.
    if sed -n 's,^#.*generated by automake.*,X,p' "$mf" | grep X >/dev/null 2>&1; then
      dirpart=`AS_DIRNAME("$mf")`
    else
      continue
    fi
    # Extract the definition of DEPDIR, am__include, and am__quote
    # from the Makefile without running 'make'.
    DEPDIR=`sed -n 's/^DEPDIR = //p' < "$mf"`
    test -z "$DEPDIR" && continue
    am__include=`sed -n 's/^am__include = //p' < "$mf"`
    test -z "$am__include" && continue
    am__quote=`sed -n 's/^am__quote = //p' < "$mf"`
    # Find all dependency output files, they are included files with
    # $(DEPDIR) in their names.  We invoke sed twice because it is the
    # simplest approach to changing $(DEPDIR) to its actual value in the
    # expansion.
    for file in `sed -n "
      s/^$am__include $am__quote\(.*(DEPDIR).*\)$am__quote"'$/\1/p' <"$mf" | \
         sed -e 's/\$(DEPDIR)/'"$DEPDIR"'/g'`; do
      # Make sure the directory exists.
      test -f "$dirpart/$file" && continue
      fdir=`AS_DIRNAME(["$file"])`
      AS_MKDIR_P([$dirpart/$fdir])
      # echo "creating $dirpart/$file"
      # A placeholder is all make needs to satisfy the include; the real
      # contents are presumably written by depcomp during the first build.
      echo '# dummy' > "$dirpart/$file"
    done
  done
}
])# _AM_OUTPUT_DEPENDENCY_COMMANDS


# AM_OUTPUT_DEPENDENCY_COMMANDS
# -----------------------------
# This macro should only be invoked once -- use via AC_REQUIRE.
#
# This code is only required when automatic dependency tracking
# is enabled.  FIXME.  This creates each '.P' file that we will
# need in order to bootstrap the dependency handling code.
# Registers the "depfiles" config.status command; the third argument
# carries AMDEP_TRUE and ac_aux_dir into config.status, and the command
# is skipped when the AMDEP conditional is false (AMDEP_TRUE non-empty).
AC_DEFUN([AM_OUTPUT_DEPENDENCY_COMMANDS],
[AC_CONFIG_COMMANDS([depfiles],
     [test x"$AMDEP_TRUE" != x"" || _AM_OUTPUT_DEPENDENCY_COMMANDS],
     [AMDEP_TRUE="$AMDEP_TRUE" ac_aux_dir="$ac_aux_dir"])
])

# Do all the work for Automake. -*- Autoconf -*-

# Copyright (C) 1996-2013 Free Software Foundation, Inc.
#
# This file is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
# with or without modifications, as long as this notice is preserved.

# This macro actually does too much.  Some checks are only needed if
# your package does certain things.  But this isn't really a big deal.
dnl Redefine AC_PROG_CC to automatically invoke _AM_PROG_CC_C_O. m4_define([AC_PROG_CC], m4_defn([AC_PROG_CC]) [_AM_PROG_CC_C_O ]) # AM_INIT_AUTOMAKE(PACKAGE, VERSION, [NO-DEFINE]) # AM_INIT_AUTOMAKE([OPTIONS]) # ----------------------------------------------- # The call with PACKAGE and VERSION arguments is the old style # call (pre autoconf-2.50), which is being phased out. PACKAGE # and VERSION should now be passed to AC_INIT and removed from # the call to AM_INIT_AUTOMAKE. # We support both call styles for the transition. After # the next Automake release, Autoconf can make the AC_INIT # arguments mandatory, and then we can depend on a new Autoconf # release and drop the old call support. AC_DEFUN([AM_INIT_AUTOMAKE], [AC_PREREQ([2.65])dnl dnl Autoconf wants to disallow AM_ names. We explicitly allow dnl the ones we care about. m4_pattern_allow([^AM_[A-Z]+FLAGS$])dnl AC_REQUIRE([AM_SET_CURRENT_AUTOMAKE_VERSION])dnl AC_REQUIRE([AC_PROG_INSTALL])dnl if test "`cd $srcdir && pwd`" != "`pwd`"; then # Use -I$(srcdir) only when $(srcdir) != ., so that make's output # is not polluted with repeated "-I." AC_SUBST([am__isrc], [' -I$(srcdir)'])_AM_SUBST_NOTMAKE([am__isrc])dnl # test to see if srcdir already configured if test -f $srcdir/config.status; then AC_MSG_ERROR([source directory already configured; run "make distclean" there first]) fi fi # test whether we have cygpath if test -z "$CYGPATH_W"; then if (cygpath --version) >/dev/null 2>/dev/null; then CYGPATH_W='cygpath -w' else CYGPATH_W=echo fi fi AC_SUBST([CYGPATH_W]) # Define the identity of the package. dnl Distinguish between old-style and new-style calls. m4_ifval([$2], [AC_DIAGNOSE([obsolete], [$0: two- and three-arguments forms are deprecated.]) m4_ifval([$3], [_AM_SET_OPTION([no-define])])dnl AC_SUBST([PACKAGE], [$1])dnl AC_SUBST([VERSION], [$2])], [_AM_SET_OPTIONS([$1])dnl dnl Diagnose old-style AC_INIT with new-style AM_AUTOMAKE_INIT. 
m4_if( m4_ifdef([AC_PACKAGE_NAME], [ok]):m4_ifdef([AC_PACKAGE_VERSION], [ok]), [ok:ok],, [m4_fatal([AC_INIT should be called with package and version arguments])])dnl AC_SUBST([PACKAGE], ['AC_PACKAGE_TARNAME'])dnl AC_SUBST([VERSION], ['AC_PACKAGE_VERSION'])])dnl _AM_IF_OPTION([no-define],, [AC_DEFINE_UNQUOTED([PACKAGE], ["$PACKAGE"], [Name of package]) AC_DEFINE_UNQUOTED([VERSION], ["$VERSION"], [Version number of package])])dnl # Some tools Automake needs. AC_REQUIRE([AM_SANITY_CHECK])dnl AC_REQUIRE([AC_ARG_PROGRAM])dnl AM_MISSING_PROG([ACLOCAL], [aclocal-${am__api_version}]) AM_MISSING_PROG([AUTOCONF], [autoconf]) AM_MISSING_PROG([AUTOMAKE], [automake-${am__api_version}]) AM_MISSING_PROG([AUTOHEADER], [autoheader]) AM_MISSING_PROG([MAKEINFO], [makeinfo]) AC_REQUIRE([AM_PROG_INSTALL_SH])dnl AC_REQUIRE([AM_PROG_INSTALL_STRIP])dnl AC_REQUIRE([AC_PROG_MKDIR_P])dnl # For better backward compatibility. To be removed once Automake 1.9.x # dies out for good. For more background, see: # # AC_SUBST([mkdir_p], ['$(MKDIR_P)']) # We need awk for the "check" target. The system "awk" is bad on # some platforms. 
AC_REQUIRE([AC_PROG_AWK])dnl AC_REQUIRE([AC_PROG_MAKE_SET])dnl AC_REQUIRE([AM_SET_LEADING_DOT])dnl _AM_IF_OPTION([tar-ustar], [_AM_PROG_TAR([ustar])], [_AM_IF_OPTION([tar-pax], [_AM_PROG_TAR([pax])], [_AM_PROG_TAR([v7])])]) _AM_IF_OPTION([no-dependencies],, [AC_PROVIDE_IFELSE([AC_PROG_CC], [_AM_DEPENDENCIES([CC])], [m4_define([AC_PROG_CC], m4_defn([AC_PROG_CC])[_AM_DEPENDENCIES([CC])])])dnl AC_PROVIDE_IFELSE([AC_PROG_CXX], [_AM_DEPENDENCIES([CXX])], [m4_define([AC_PROG_CXX], m4_defn([AC_PROG_CXX])[_AM_DEPENDENCIES([CXX])])])dnl AC_PROVIDE_IFELSE([AC_PROG_OBJC], [_AM_DEPENDENCIES([OBJC])], [m4_define([AC_PROG_OBJC], m4_defn([AC_PROG_OBJC])[_AM_DEPENDENCIES([OBJC])])])dnl AC_PROVIDE_IFELSE([AC_PROG_OBJCXX], [_AM_DEPENDENCIES([OBJCXX])], [m4_define([AC_PROG_OBJCXX], m4_defn([AC_PROG_OBJCXX])[_AM_DEPENDENCIES([OBJCXX])])])dnl ]) AC_REQUIRE([AM_SILENT_RULES])dnl dnl The testsuite driver may need to know about EXEEXT, so add the dnl 'am__EXEEXT' conditional if _AM_COMPILER_EXEEXT was seen. This dnl macro is hooked onto _AC_COMPILER_EXEEXT early, see below. AC_CONFIG_COMMANDS_PRE(dnl [m4_provide_if([_AM_COMPILER_EXEEXT], [AM_CONDITIONAL([am__EXEEXT], [test -n "$EXEEXT"])])])dnl # POSIX will say in a future version that running "rm -f" with no argument # is OK; and we want to be able to make that assumption in our Makefile # recipes. So use an aggressive probe to check that the usage we want is # actually supported "in the wild" to an acceptable degree. # See automake bug#10828. # To make any issue more visible, cause the running configure to be aborted # by default if the 'rm' program in use doesn't match our expectations; the # user can still override this though. if rm -f && rm -fr && rm -rf; then : OK; else cat >&2 <<'END' Oops! Your 'rm' program seems unable to run without file operands specified on the command line, even when the '-f' option is present. 
This is contrary to the behaviour of most rm programs out there, and not conforming with the upcoming POSIX standard: Please tell bug-automake@gnu.org about your system, including the value of your $PATH and any error possibly output before this message. This can help us improve future automake versions. END if test x"$ACCEPT_INFERIOR_RM_PROGRAM" = x"yes"; then echo 'Configuration will proceed anyway, since you have set the' >&2 echo 'ACCEPT_INFERIOR_RM_PROGRAM variable to "yes"' >&2 echo >&2 else cat >&2 <<'END' Aborting the configuration process, to ensure you take notice of the issue. You can download and install GNU coreutils to get an 'rm' implementation that behaves properly: . If you want to complete the configuration process using your problematic 'rm' anyway, export the environment variable ACCEPT_INFERIOR_RM_PROGRAM to "yes", and re-run configure. END AC_MSG_ERROR([Your 'rm' program is bad, sorry.]) fi fi ]) dnl Hook into '_AC_COMPILER_EXEEXT' early to learn its expansion. Do not dnl add the conditional right here, as _AC_COMPILER_EXEEXT may be further dnl mangled by Autoconf and run in a shell conditional statement. m4_define([_AC_COMPILER_EXEEXT], m4_defn([_AC_COMPILER_EXEEXT])[m4_provide([_AM_COMPILER_EXEEXT])]) # When config.status generates a header, we must update the stamp-h file. # This file resides in the same directory as the config header # that is generated. The stamp files are numbered to have different names. # Autoconf calls _AC_AM_CONFIG_HEADER_HOOK (when defined) in the # loop where config.status creates the headers, so we can generate # our stamp files there. AC_DEFUN([_AC_AM_CONFIG_HEADER_HOOK], [# Compute $1's index in $config_headers. 
_am_arg=$1 _am_stamp_count=1 for _am_header in $config_headers :; do case $_am_header in $_am_arg | $_am_arg:* ) break ;; * ) _am_stamp_count=`expr $_am_stamp_count + 1` ;; esac done echo "timestamp for $_am_arg" >`AS_DIRNAME(["$_am_arg"])`/stamp-h[]$_am_stamp_count]) # Copyright (C) 2001-2013 Free Software Foundation, Inc. # # This file is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, # with or without modifications, as long as this notice is preserved. # AM_PROG_INSTALL_SH # ------------------ # Define $install_sh. AC_DEFUN([AM_PROG_INSTALL_SH], [AC_REQUIRE([AM_AUX_DIR_EXPAND])dnl if test x"${install_sh}" != xset; then case $am_aux_dir in *\ * | *\ *) install_sh="\${SHELL} '$am_aux_dir/install-sh'" ;; *) install_sh="\${SHELL} $am_aux_dir/install-sh" esac fi AC_SUBST([install_sh])]) # Copyright (C) 2003-2013 Free Software Foundation, Inc. # # This file is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, # with or without modifications, as long as this notice is preserved. # Check whether the underlying file-system supports filenames # with a leading dot. For instance MS-DOS doesn't. AC_DEFUN([AM_SET_LEADING_DOT], [rm -rf .tst 2>/dev/null mkdir .tst 2>/dev/null if test -d .tst; then am__leading_dot=. else am__leading_dot=_ fi rmdir .tst 2>/dev/null AC_SUBST([am__leading_dot])]) # Add --enable-maintainer-mode option to configure. -*- Autoconf -*- # From Jim Meyering # Copyright (C) 1996-2013 Free Software Foundation, Inc. # # This file is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, # with or without modifications, as long as this notice is preserved. # AM_MAINTAINER_MODE([DEFAULT-MODE]) # ---------------------------------- # Control maintainer-specific portions of Makefiles. # Default is to disable them, unless 'enable' is passed literally. # For symmetry, 'disable' may be passed as well. 
Anyway, the user # can override the default with the --enable/--disable switch. AC_DEFUN([AM_MAINTAINER_MODE], [m4_case(m4_default([$1], [disable]), [enable], [m4_define([am_maintainer_other], [disable])], [disable], [m4_define([am_maintainer_other], [enable])], [m4_define([am_maintainer_other], [enable]) m4_warn([syntax], [unexpected argument to AM@&t@_MAINTAINER_MODE: $1])]) AC_MSG_CHECKING([whether to enable maintainer-specific portions of Makefiles]) dnl maintainer-mode's default is 'disable' unless 'enable' is passed AC_ARG_ENABLE([maintainer-mode], [AS_HELP_STRING([--]am_maintainer_other[-maintainer-mode], am_maintainer_other[ make rules and dependencies not useful (and sometimes confusing) to the casual installer])], [USE_MAINTAINER_MODE=$enableval], [USE_MAINTAINER_MODE=]m4_if(am_maintainer_other, [enable], [no], [yes])) AC_MSG_RESULT([$USE_MAINTAINER_MODE]) AM_CONDITIONAL([MAINTAINER_MODE], [test $USE_MAINTAINER_MODE = yes]) MAINT=$MAINTAINER_MODE_TRUE AC_SUBST([MAINT])dnl ] ) # Check to see how 'make' treats includes. -*- Autoconf -*- # Copyright (C) 2001-2013 Free Software Foundation, Inc. # # This file is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, # with or without modifications, as long as this notice is preserved. # AM_MAKE_INCLUDE() # ----------------- # Check to see how make treats includes. AC_DEFUN([AM_MAKE_INCLUDE], [am_make=${MAKE-make} cat > confinc << 'END' am__doit: @echo this is the am__doit target .PHONY: am__doit END # If we don't find an include directive, just comment out the code. AC_MSG_CHECKING([for style of include used by $am_make]) am__include="#" am__quote= _am_result=none # First try GNU make style include. echo "include confinc" > confmf # Ignore all kinds of additional output from 'make'. case `$am_make -s -f confmf 2> /dev/null` in #( *the\ am__doit\ target*) am__include=include am__quote= _am_result=GNU ;; esac # Now try BSD make style include. 
if test "$am__include" = "#"; then echo '.include "confinc"' > confmf case `$am_make -s -f confmf 2> /dev/null` in #( *the\ am__doit\ target*) am__include=.include am__quote="\"" _am_result=BSD ;; esac fi AC_SUBST([am__include]) AC_SUBST([am__quote]) AC_MSG_RESULT([$_am_result]) rm -f confinc confmf ]) # Fake the existence of programs that GNU maintainers use. -*- Autoconf -*- # Copyright (C) 1997-2013 Free Software Foundation, Inc. # # This file is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, # with or without modifications, as long as this notice is preserved. # AM_MISSING_PROG(NAME, PROGRAM) # ------------------------------ AC_DEFUN([AM_MISSING_PROG], [AC_REQUIRE([AM_MISSING_HAS_RUN]) $1=${$1-"${am_missing_run}$2"} AC_SUBST($1)]) # AM_MISSING_HAS_RUN # ------------------ # Define MISSING if not defined so far and test if it is modern enough. # If it is, set am_missing_run to use it, otherwise, to nothing. AC_DEFUN([AM_MISSING_HAS_RUN], [AC_REQUIRE([AM_AUX_DIR_EXPAND])dnl AC_REQUIRE_AUX_FILE([missing])dnl if test x"${MISSING+set}" != xset; then case $am_aux_dir in *\ * | *\ *) MISSING="\${SHELL} \"$am_aux_dir/missing\"" ;; *) MISSING="\${SHELL} $am_aux_dir/missing" ;; esac fi # Use eval to expand $SHELL if eval "$MISSING --is-lightweight"; then am_missing_run="$MISSING " else am_missing_run= AC_MSG_WARN(['missing' script is too old or missing]) fi ]) # Helper functions for option handling. -*- Autoconf -*- # Copyright (C) 2001-2013 Free Software Foundation, Inc. # # This file is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, # with or without modifications, as long as this notice is preserved. # _AM_MANGLE_OPTION(NAME) # ----------------------- AC_DEFUN([_AM_MANGLE_OPTION], [[_AM_OPTION_]m4_bpatsubst($1, [[^a-zA-Z0-9_]], [_])]) # _AM_SET_OPTION(NAME) # -------------------- # Set option NAME. Presently that only means defining a flag for this option. 
AC_DEFUN([_AM_SET_OPTION], [m4_define(_AM_MANGLE_OPTION([$1]), [1])]) # _AM_SET_OPTIONS(OPTIONS) # ------------------------ # OPTIONS is a space-separated list of Automake options. AC_DEFUN([_AM_SET_OPTIONS], [m4_foreach_w([_AM_Option], [$1], [_AM_SET_OPTION(_AM_Option)])]) # _AM_IF_OPTION(OPTION, IF-SET, [IF-NOT-SET]) # ------------------------------------------- # Execute IF-SET if OPTION is set, IF-NOT-SET otherwise. AC_DEFUN([_AM_IF_OPTION], [m4_ifset(_AM_MANGLE_OPTION([$1]), [$2], [$3])]) # Copyright (C) 1999-2013 Free Software Foundation, Inc. # # This file is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, # with or without modifications, as long as this notice is preserved. # _AM_PROG_CC_C_O # --------------- # Like AC_PROG_CC_C_O, but changed for automake. We rewrite AC_PROG_CC # to automatically call this. AC_DEFUN([_AM_PROG_CC_C_O], [AC_REQUIRE([AM_AUX_DIR_EXPAND])dnl AC_REQUIRE_AUX_FILE([compile])dnl AC_LANG_PUSH([C])dnl AC_CACHE_CHECK( [whether $CC understands -c and -o together], [am_cv_prog_cc_c_o], [AC_LANG_CONFTEST([AC_LANG_PROGRAM([])]) # Make sure it works both with $CC and with simple cc. # Following AC_PROG_CC_C_O, we do the test twice because some # compilers refuse to overwrite an existing .o file with -o, # though they will create one. am_cv_prog_cc_c_o=yes for am_i in 1 2; do if AM_RUN_LOG([$CC -c conftest.$ac_ext -o conftest2.$ac_objext]) \ && test -f conftest2.$ac_objext; then : OK else am_cv_prog_cc_c_o=no break fi done rm -f core conftest* unset am_i]) if test "$am_cv_prog_cc_c_o" != yes; then # Losing compiler, so override with the script. # FIXME: It is wrong to rewrite CC. # But if we don't then we get into trouble of one sort or another. # A longer-term fix would be to have automake use am__CC in this case, # and then we could set am__CC="\$(top_srcdir)/compile \$(CC)" CC="$am_aux_dir/compile $CC" fi AC_LANG_POP([C])]) # For backward compatibility. 
# AM_PROG_CC_C_O
# --------------
# Backward-compatibility entry point.  AC_PROG_CC is redefined earlier in
# this file to append _AM_PROG_CC_C_O, so requiring AC_PROG_CC is enough;
# AC_DEFUN_ONCE makes repeated invocations a no-op.
AC_DEFUN_ONCE([AM_PROG_CC_C_O], [AC_REQUIRE([AC_PROG_CC])])

# Copyright (C) 2001-2013 Free Software Foundation, Inc.
#
# This file is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
# with or without modifications, as long as this notice is preserved.

# AM_RUN_LOG(COMMAND)
# -------------------
# Run COMMAND, save the exit status in ac_status, and log it.
# (This has been adapted from Autoconf's _AC_RUN_LOG macro.)
# The command line is first echoed to the config.log descriptor
# (AS_MESSAGE_LOG_FD) with the current line number, then COMMAND runs in
# a subshell with stdout and stderr both sent to the log, so nothing it
# prints reaches the terminal.  The closing "(exit $ac_status)" makes the
# whole brace group return COMMAND's status, which is what lets callers
# use the macro directly as an "if" or "&&" condition.
AC_DEFUN([AM_RUN_LOG],
[{ echo "$as_me:$LINENO: $1" >&AS_MESSAGE_LOG_FD
   ($1) >&AS_MESSAGE_LOG_FD 2>&AS_MESSAGE_LOG_FD
   ac_status=$?
   echo "$as_me:$LINENO: \$? = $ac_status" >&AS_MESSAGE_LOG_FD
   (exit $ac_status); }])

# Check to make sure that the build environment is sane. -*- Autoconf -*-

# Copyright (C) 1996-2013 Free Software Foundation, Inc.
#
# This file is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
# with or without modifications, as long as this notice is preserved.

# AM_SANITY_CHECK
# ---------------
# Two checks, both fatal on failure:
#  1. The absolute working directory and $srcdir must not contain
#     characters that sh or make would re-interpret.  Both feed the
#     absolute aux-dir path that AM_AUX_DIR_EXPAND computes with
#     cd-and-pwd, which AM_MISSING_HAS_RUN (earlier in this file) pastes
#     into the MISSING command and runs through "eval"; srcdir is also
#     substituted into Makefile flags such as am__isrc.
#  2. A file created now must sort newer than $srcdir/configure in
#     "ls -t", i.e. the clock and filesystem timestamps are usable for
#     make's dependency logic.
# NOTE(review): the character screen is deliberately narrow -- only
# backslash, double quote, '#', '$', '&', single quote, backquote and
# newline are rejected (plus space and tab for $srcdir).  Semicolon,
# '|', parentheses, '*' and other metacharacters pass, so this is build
# hygiene for paths the builder chose, not sanitisation of a path an
# untrusted party controls.
AC_DEFUN([AM_SANITY_CHECK],
[AC_MSG_CHECKING([whether build environment is sane])
# Reject unsafe characters in $srcdir or the absolute working directory
# name.  Accept space and tab only in the latter.
# am_lf holds a literal newline so it can appear in the bracket
# expressions below.
am_lf='
'
case `pwd` in
  *[[\\\"\#\$\&\'\`$am_lf]]*)
    AC_MSG_ERROR([unsafe absolute working directory name]);;
esac
# srcdir is stricter than pwd: a space or tab would split it once it is
# used unquoted in make variables and -I flags.
case $srcdir in
  *[[\\\"\#\$\&\'\`$am_lf\ \	]]*)
    AC_MSG_ERROR([unsafe srcdir value: '$srcdir']);;
esac

# Do 'set' in a subshell so we don't clobber the current shell's
# arguments.  Must try -L first in case configure is actually a
# symlink; some systems play weird games with the mod time of symlinks
# (eg FreeBSD returns the mod time of the symlink's containing
# directory).
if (
   am_has_slept=no
   for am_try in 1 2; do
     echo "timestamp, slept: $am_has_slept" > conftest.file
     set X `ls -Lt "$srcdir/configure" conftest.file 2> /dev/null`
     # The positional parameters below are written in m4 quotes so that
     # m4 hands the star and the 2 to the shell instead of expanding
     # them as macro arguments.
     if test "$[*]" = "X"; then
        # -L didn't work.
        set X `ls -t "$srcdir/configure" conftest.file`
     fi
     if test "$[*]" != "X $srcdir/configure conftest.file" \
        && test "$[*]" != "X conftest.file $srcdir/configure"; then

        # If neither matched, then we have a broken ls.  This can happen
        # if, for instance, CONFIG_SHELL is bash and it inherits a
        # broken ls alias from the environment.  This has actually
        # happened.  Such a system could not be considered "sane".
        AC_MSG_ERROR([ls -t appears to fail. Make sure there is not a broken alias in your environment])
     fi
     # On the first pass a stale ordering means "sleep and retry"; the
     # second pass always falls through to the final test below.
     if test "$[2]" = conftest.file || test $am_try -eq 2; then
       break
     fi
     # Just in case.
     sleep 1
     am_has_slept=yes
   done
   test "$[2]" = conftest.file
   )
then
   # Ok.
   :
else
   AC_MSG_ERROR([newly created file is older than distributed files! Check your system clock])
fi
AC_MSG_RESULT([yes])
# If we didn't sleep, we still need to ensure time stamps of config.status and
# generated files are strictly newer.
# The delay runs in the background so the rest of configure is not held
# up; it is reaped just before config.status is generated, in the
# config-commands-pre hook below.
am_sleep_pid=
if grep 'slept: no' conftest.file >/dev/null 2>&1; then
  ( sleep 1 ) &
  am_sleep_pid=$!
fi
AC_CONFIG_COMMANDS_PRE(
  [AC_MSG_CHECKING([that generated files are newer than configure])
   if test -n "$am_sleep_pid"; then
     # Hide warnings about reused PIDs.
     wait $am_sleep_pid 2>/dev/null
   fi
   AC_MSG_RESULT([done])])
rm -f conftest.file
])

# Copyright (C) 2009-2013 Free Software Foundation, Inc.
#
# This file is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
# with or without modifications, as long as this notice is preserved.

# AM_SILENT_RULES([DEFAULT])
# --------------------------
# Enable less verbose build rules; with the default set to DEFAULT
# ("yes" being less verbose, "no" or empty being verbose).
AC_DEFUN([AM_SILENT_RULES], [AC_ARG_ENABLE([silent-rules], [dnl AS_HELP_STRING( [--enable-silent-rules], [less verbose build output (undo: "make V=1")]) AS_HELP_STRING( [--disable-silent-rules], [verbose build output (undo: "make V=0")])dnl ]) case $enable_silent_rules in @%:@ ((( yes) AM_DEFAULT_VERBOSITY=0;; no) AM_DEFAULT_VERBOSITY=1;; *) AM_DEFAULT_VERBOSITY=m4_if([$1], [yes], [0], [1]);; esac dnl dnl A few 'make' implementations (e.g., NonStop OS and NextStep) dnl do not support nested variable expansions. dnl See automake bug#9928 and bug#10237. am_make=${MAKE-make} AC_CACHE_CHECK([whether $am_make supports nested variables], [am_cv_make_support_nested_variables], [if AS_ECHO([['TRUE=$(BAR$(V)) BAR0=false BAR1=true V=1 am__doit: @$(TRUE) .PHONY: am__doit']]) | $am_make -f - >/dev/null 2>&1; then am_cv_make_support_nested_variables=yes else am_cv_make_support_nested_variables=no fi]) if test $am_cv_make_support_nested_variables = yes; then dnl Using '$V' instead of '$(V)' breaks IRIX make. AM_V='$(V)' AM_DEFAULT_V='$(AM_DEFAULT_VERBOSITY)' else AM_V=$AM_DEFAULT_VERBOSITY AM_DEFAULT_V=$AM_DEFAULT_VERBOSITY fi AC_SUBST([AM_V])dnl AM_SUBST_NOTMAKE([AM_V])dnl AC_SUBST([AM_DEFAULT_V])dnl AM_SUBST_NOTMAKE([AM_DEFAULT_V])dnl AC_SUBST([AM_DEFAULT_VERBOSITY])dnl AM_BACKSLASH='\' AC_SUBST([AM_BACKSLASH])dnl _AM_SUBST_NOTMAKE([AM_BACKSLASH])dnl ]) # Copyright (C) 2001-2013 Free Software Foundation, Inc. # # This file is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, # with or without modifications, as long as this notice is preserved. # AM_PROG_INSTALL_STRIP # --------------------- # One issue with vendor 'install' (even GNU) is that you can't # specify the program used to strip binaries. This is especially # annoying in cross-compiling environments, where the build's strip # is unlikely to handle the host's binaries. 
# Fortunately install-sh will honor a STRIPPROG variable, so we
# always use install-sh in "make install-strip", and initialize
# STRIPPROG with the value of the STRIP variable (set by the user).
#
# Note that STRIP is only probed here when cross-compiling; in a native
# build whatever STRIP the user exported is passed along unchecked
# (presumably by the generated install-strip rule), so a build that sets
# STRIP in its environment should do so deliberately.
AC_DEFUN([AM_PROG_INSTALL_STRIP],
[AC_REQUIRE([AM_PROG_INSTALL_SH])dnl
# Installed binaries are usually stripped using 'strip' when the user
# run "make install-strip".  However 'strip' might not be the right
# tool to use in cross-compilation environments, therefore Automake
# will honor the 'STRIP' environment variable to overrule this program.
dnl Don't test for $cross_compiling = yes, because it might be 'maybe'.
if test "$cross_compiling" != no; then
  dnl AC_CHECK_TOOL prefers a host-prefixed strip; ':' (a no-op) is the
  dnl fallback when none is found, so installation still succeeds.
  AC_CHECK_TOOL([STRIP], [strip], :)
fi
# install_sh is the absolute (quoted when needed) install-sh command set
# by the macro required above; -c and -s are handed to install-sh.
INSTALL_STRIP_PROGRAM="\$(install_sh) -c -s"
AC_SUBST([INSTALL_STRIP_PROGRAM])])

# Copyright (C) 2006-2013 Free Software Foundation, Inc.
#
# This file is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
# with or without modifications, as long as this notice is preserved.

# _AM_SUBST_NOTMAKE(VARIABLE)
# ---------------------------
# Prevent Automake from outputting VARIABLE = @VARIABLE@ in Makefile.in.
# This macro is traced by Automake.
# The body is intentionally empty: the effect comes from automake seeing
# the call in its m4 trace, not from any expansion here.
AC_DEFUN([_AM_SUBST_NOTMAKE])

# AM_SUBST_NOTMAKE(VARIABLE)
# --------------------------
# Public sister of _AM_SUBST_NOTMAKE.
# Forwards all arguments unchanged to the traced private macro.
AC_DEFUN([AM_SUBST_NOTMAKE], [_AM_SUBST_NOTMAKE($@)])

# Check how to create a tarball. -*- Autoconf -*-

# Copyright (C) 2004-2013 Free Software Foundation, Inc.
#
# This file is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
# with or without modifications, as long as this notice is preserved.

# _AM_PROG_TAR(FORMAT)
# --------------------
# Check how to create a tarball in format FORMAT.
# FORMAT should be one of 'v7', 'ustar', or 'pax'.
#
# Substitute a variable $(am__tar) that is a command
# writing to stdout a FORMAT-tarball containing the directory
# $tardir.
# tardir=directory && $(am__tar) > result.tar # # Substitute a variable $(am__untar) that extract such # a tarball read from stdin. # $(am__untar) < result.tar # AC_DEFUN([_AM_PROG_TAR], [# Always define AMTAR for backward compatibility. Yes, it's still used # in the wild :-( We should find a proper way to deprecate it ... AC_SUBST([AMTAR], ['$${TAR-tar}']) # We'll loop over all known methods to create a tar archive until one works. _am_tools='gnutar m4_if([$1], [ustar], [plaintar]) pax cpio none' m4_if([$1], [v7], [am__tar='$${TAR-tar} chof - "$$tardir"' am__untar='$${TAR-tar} xf -'], [m4_case([$1], [ustar], [# The POSIX 1988 'ustar' format is defined with fixed-size fields. # There is notably a 21 bits limit for the UID and the GID. In fact, # the 'pax' utility can hang on bigger UID/GID (see automake bug#8343 # and bug#13588). am_max_uid=2097151 # 2^21 - 1 am_max_gid=$am_max_uid # The $UID and $GID variables are not portable, so we need to resort # to the POSIX-mandated id(1) utility. Errors in the 'id' calls # below are definitely unexpected, so allow the users to see them # (that is, avoid stderr redirection). am_uid=`id -u || echo unknown` am_gid=`id -g || echo unknown` AC_MSG_CHECKING([whether UID '$am_uid' is supported by ustar format]) if test $am_uid -le $am_max_uid; then AC_MSG_RESULT([yes]) else AC_MSG_RESULT([no]) _am_tools=none fi AC_MSG_CHECKING([whether GID '$am_gid' is supported by ustar format]) if test $am_gid -le $am_max_gid; then AC_MSG_RESULT([yes]) else AC_MSG_RESULT([no]) _am_tools=none fi], [pax], [], [m4_fatal([Unknown tar format])]) AC_MSG_CHECKING([how to create a $1 tar archive]) # Go ahead even if we have the value already cached. We do so because we # need to set the values for the 'am__tar' and 'am__untar' variables. 
_am_tools=${am_cv_prog_tar_$1-$_am_tools} for _am_tool in $_am_tools; do case $_am_tool in gnutar) for _am_tar in tar gnutar gtar; do AM_RUN_LOG([$_am_tar --version]) && break done am__tar="$_am_tar --format=m4_if([$1], [pax], [posix], [$1]) -chf - "'"$$tardir"' am__tar_="$_am_tar --format=m4_if([$1], [pax], [posix], [$1]) -chf - "'"$tardir"' am__untar="$_am_tar -xf -" ;; plaintar) # Must skip GNU tar: if it does not support --format= it doesn't create # ustar tarball either. (tar --version) >/dev/null 2>&1 && continue am__tar='tar chf - "$$tardir"' am__tar_='tar chf - "$tardir"' am__untar='tar xf -' ;; pax) am__tar='pax -L -x $1 -w "$$tardir"' am__tar_='pax -L -x $1 -w "$tardir"' am__untar='pax -r' ;; cpio) am__tar='find "$$tardir" -print | cpio -o -H $1 -L' am__tar_='find "$tardir" -print | cpio -o -H $1 -L' am__untar='cpio -i -H $1 -d' ;; none) am__tar=false am__tar_=false am__untar=false ;; esac # If the value was cached, stop now. We just wanted to have am__tar # and am__untar set. test -n "${am_cv_prog_tar_$1}" && break # tar/untar a dummy directory, and stop if the command works. rm -rf conftest.dir mkdir conftest.dir echo GrepMe > conftest.dir/file AM_RUN_LOG([tardir=conftest.dir && eval $am__tar_ >conftest.tar]) rm -rf conftest.dir if test -s conftest.tar; then AM_RUN_LOG([$am__untar /dev/null 2>&1 && break fi done rm -rf conftest.dir AC_CACHE_VAL([am_cv_prog_tar_$1], [am_cv_prog_tar_$1=$_am_tool]) AC_MSG_RESULT([$am_cv_prog_tar_$1])]) AC_SUBST([am__tar]) AC_SUBST([am__untar]) ]) # _AM_PROG_TAR m4_include([m4/ax_check_compile_flag.m4]) m4_include([m4/ax_ext.m4]) m4_include([m4/ax_gcc_x86_avx_xgetbv.m4]) m4_include([m4/ax_gcc_x86_cpuid.m4]) sagan-1.2.0/COPYING0000644000175000017500000004307613310531444012610 0ustar champchamp GNU GENERAL PUBLIC LICENSE Version 2, June 1991 Copyright (C) 1989, 1991 Free Software Foundation, Inc. 
675 Mass Ave, Cambridge, MA 02139, USA Everyone is permitted to copy and distribute verbatim copies of this license document, but changing it is not allowed. Preamble The licenses for most software are designed to take away your freedom to share and change it. By contrast, the GNU General Public License is intended to guarantee your freedom to share and change free software--to make sure the software is free for all its users. This General Public License applies to most of the Free Software Foundation's software and to any other program whose authors commit to using it. (Some other Free Software Foundation software is covered by the GNU Library General Public License instead.) You can apply it to your programs, too. When we speak of free software, we are referring to freedom, not price. Our General Public Licenses are designed to make sure that you have the freedom to distribute copies of free software (and charge for this service if you wish), that you receive source code or can get it if you want it, that you can change the software or use pieces of it in new free programs; and that you know you can do these things. To protect your rights, we need to make restrictions that forbid anyone to deny you these rights or to ask you to surrender the rights. These restrictions translate to certain responsibilities for you if you distribute copies of the software, or if you modify it. For example, if you distribute copies of such a program, whether gratis or for a fee, you must give the recipients all the rights that you have. You must make sure that they, too, receive or can get the source code. And you must show them these terms so they know their rights. We protect your rights with two steps: (1) copyright the software, and (2) offer you this license which gives you legal permission to copy, distribute and/or modify the software. 
Also, for each author's protection and ours, we want to make certain that everyone understands that there is no warranty for this free software. If the software is modified by someone else and passed on, we want its recipients to know that what they have is not the original, so that any problems introduced by others will not reflect on the original authors' reputations. Finally, any free program is threatened constantly by software patents. We wish to avoid the danger that redistributors of a free program will individually obtain patent licenses, in effect making the program proprietary. To prevent this, we have made it clear that any patent must be licensed for everyone's free use or not licensed at all. The precise terms and conditions for copying, distribution and modification follow. GNU GENERAL PUBLIC LICENSE TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION 0. This License applies to any program or other work which contains a notice placed by the copyright holder saying it may be distributed under the terms of this General Public License. The "Program", below, refers to any such program or work, and a "work based on the Program" means either the Program or any derivative work under copyright law: that is to say, a work containing the Program or a portion of it, either verbatim or with modifications and/or translated into another language. (Hereinafter, translation is included without limitation in the term "modification".) Each licensee is addressed as "you". Activities other than copying, distribution and modification are not covered by this License; they are outside its scope. The act of running the Program is not restricted, and the output from the Program is covered only if its contents constitute a work based on the Program (independent of having been made by running the Program). Whether that is true depends on what the Program does. 1. 
You may copy and distribute verbatim copies of the Program's source code as you receive it, in any medium, provided that you conspicuously and appropriately publish on each copy an appropriate copyright notice and disclaimer of warranty; keep intact all the notices that refer to this License and to the absence of any warranty; and give any other recipients of the Program a copy of this License along with the Program. You may charge a fee for the physical act of transferring a copy, and you may at your option offer warranty protection in exchange for a fee. 2. You may modify your copy or copies of the Program or any portion of it, thus forming a work based on the Program, and copy and distribute such modifications or work under the terms of Section 1 above, provided that you also meet all of these conditions: a) You must cause the modified files to carry prominent notices stating that you changed the files and the date of any change. b) You must cause any work that you distribute or publish, that in whole or in part contains or is derived from the Program or any part thereof, to be licensed as a whole at no charge to all third parties under the terms of this License. c) If the modified program normally reads commands interactively when run, you must cause it, when started running for such interactive use in the most ordinary way, to print or display an announcement including an appropriate copyright notice and a notice that there is no warranty (or else, saying that you provide a warranty) and that users may redistribute the program under these conditions, and telling the user how to view a copy of this License. (Exception: if the Program itself is interactive but does not normally print such an announcement, your work based on the Program is not required to print an announcement.) These requirements apply to the modified work as a whole. 
If identifiable sections of that work are not derived from the Program, and can be reasonably considered independent and separate works in themselves, then this License, and its terms, do not apply to those sections when you distribute them as separate works. But when you distribute the same sections as part of a whole which is a work based on the Program, the distribution of the whole must be on the terms of this License, whose permissions for other licensees extend to the entire whole, and thus to each and every part regardless of who wrote it. Thus, it is not the intent of this section to claim rights or contest your rights to work written entirely by you; rather, the intent is to exercise the right to control the distribution of derivative or collective works based on the Program. In addition, mere aggregation of another work not based on the Program with the Program (or with a work based on the Program) on a volume of a storage or distribution medium does not bring the other work under the scope of this License. 3. You may copy and distribute the Program (or a work based on it, under Section 2) in object code or executable form under the terms of Sections 1 and 2 above provided that you also do one of the following: a) Accompany it with the complete corresponding machine-readable source code, which must be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange; or, b) Accompany it with a written offer, valid for at least three years, to give any third party, for a charge no more than your cost of physically performing source distribution, a complete machine-readable copy of the corresponding source code, to be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange; or, c) Accompany it with the information you received as to the offer to distribute corresponding source code. 
(This alternative is allowed only for noncommercial distribution and only if you received the program in object code or executable form with such an offer, in accord with Subsection b above.) The source code for a work means the preferred form of the work for making modifications to it. For an executable work, complete source code means all the source code for all modules it contains, plus any associated interface definition files, plus the scripts used to control compilation and installation of the executable. However, as a special exception, the source code distributed need not include anything that is normally distributed (in either source or binary form) with the major components (compiler, kernel, and so on) of the operating system on which the executable runs, unless that component itself accompanies the executable. If distribution of executable or object code is made by offering access to copy from a designated place, then offering equivalent access to copy the source code from the same place counts as distribution of the source code, even though third parties are not compelled to copy the source along with the object code. 4. You may not copy, modify, sublicense, or distribute the Program except as expressly provided under this License. Any attempt otherwise to copy, modify, sublicense or distribute the Program is void, and will automatically terminate your rights under this License. However, parties who have received copies, or rights, from you under this License will not have their licenses terminated so long as such parties remain in full compliance. 5. You are not required to accept this License, since you have not signed it. However, nothing else grants you permission to modify or distribute the Program or its derivative works. These actions are prohibited by law if you do not accept this License. 
Therefore, by modifying or distributing the Program (or any work based on the Program), you indicate your acceptance of this License to do so, and all its terms and conditions for copying, distributing or modifying the Program or works based on it. 6. Each time you redistribute the Program (or any work based on the Program), the recipient automatically receives a license from the original licensor to copy, distribute or modify the Program subject to these terms and conditions. You may not impose any further restrictions on the recipients' exercise of the rights granted herein. You are not responsible for enforcing compliance by third parties to this License. 7. If, as a consequence of a court judgment or allegation of patent infringement or for any other reason (not limited to patent issues), conditions are imposed on you (whether by court order, agreement or otherwise) that contradict the conditions of this License, they do not excuse you from the conditions of this License. If you cannot distribute so as to satisfy simultaneously your obligations under this License and any other pertinent obligations, then as a consequence you may not distribute the Program at all. For example, if a patent license would not permit royalty-free redistribution of the Program by all those who receive copies directly or indirectly through you, then the only way you could satisfy both it and this License would be to refrain entirely from distribution of the Program. If any portion of this section is held invalid or unenforceable under any particular circumstance, the balance of the section is intended to apply and the section as a whole is intended to apply in other circumstances. It is not the purpose of this section to induce you to infringe any patents or other property right claims or to contest validity of any such claims; this section has the sole purpose of protecting the integrity of the free software distribution system, which is implemented by public license practices. 
Many people have made generous contributions to the wide range of software distributed through that system in reliance on consistent application of that system; it is up to the author/donor to decide if he or she is willing to distribute software through any other system and a licensee cannot impose that choice. This section is intended to make thoroughly clear what is believed to be a consequence of the rest of this License. 8. If the distribution and/or use of the Program is restricted in certain countries either by patents or by copyrighted interfaces, the original copyright holder who places the Program under this License may add an explicit geographical distribution limitation excluding those countries, so that distribution is permitted only in or among countries not thus excluded. In such case, this License incorporates the limitation as if written in the body of this License. 9. The Free Software Foundation may publish revised and/or new versions of the General Public License from time to time. Such new versions will be similar in spirit to the present version, but may differ in detail to address new problems or concerns. Each version is given a distinguishing version number. If the Program specifies a version number of this License which applies to it and "any later version", you have the option of following the terms and conditions either of that version or of any later version published by the Free Software Foundation. If the Program does not specify a version number of this License, you may choose any version ever published by the Free Software Foundation. 10. If you wish to incorporate parts of the Program into other free programs whose distribution conditions are different, write to the author to ask for permission. For software which is copyrighted by the Free Software Foundation, write to the Free Software Foundation; we sometimes make exceptions for this. 
Our decision will be guided by the two goals of preserving the free status of all derivatives of our free software and of promoting the sharing and reuse of software generally. NO WARRANTY 11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION. 12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. END OF TERMS AND CONDITIONS Appendix: How to Apply These Terms to Your New Programs If you develop a new program, and you want it to be of the greatest possible use to the public, the best way to achieve this is to make it free software which everyone can redistribute and change under these terms. To do so, attach the following notices to the program. It is safest to attach them to the start of each source file to most effectively convey the exclusion of warranty; and each file should have at least the "copyright" line and a pointer to where the full notice is found. 
Copyright (C) 19yy This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with this program; if not, write to the Free Software Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. Also add information on how to contact you by electronic and paper mail. If the program is interactive, make it output a short notice like this when it starts in an interactive mode: Gnomovision version 69, Copyright (C) 19yy name of author Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'. This is free software, and you are welcome to redistribute it under certain conditions; type `show c' for details. The hypothetical commands `show w' and `show c' should show the appropriate parts of the General Public License. Of course, the commands you use may be called something other than `show w' and `show c'; they could even be mouse-clicks or menu items--whatever suits your program. You should also get your employer (if you work as a programmer) or your school, if any, to sign a "copyright disclaimer" for the program, if necessary. Here is a sample; alter the names: Yoyodyne, Inc., hereby disclaims all copyright interest in the program `Gnomovision' (which makes passes at compilers) written by James Hacker. , 1 April 1989 Ty Coon, President of Vice This General Public License does not permit incorporating your program into proprietary programs. If your program is a subroutine library, you may consider it more useful to permit linking proprietary applications with the library. 
If this is what you want to do, use the GNU Library General Public License instead of this License.
sagan-1.2.0/tools/0000755000175000017500000000000013310533436012706 5ustar champchamp
sagan-1.2.0/tools/Makefile.am0000644000175000017500000000120313310531444014733 0ustar champchamp
# tools/Makefile.am -- builds the saganpeek utility, which reads Sagan's IPC
# (shared memory) objects. It compiles a handful of ../src files directly
# rather than linking against a library built in src/.
ACLOCAL_AMFLAGS = -I m4
# NOTE(review): "AUTOMAKE_OPIONS" is misspelled -- automake only honours
# AUTOMAKE_OPTIONS, so as written these three options (foreign,
# no-dependencies, subdir-objects) are not applied to this directory.
# Confirm which options are intended before correcting the name:
# subdir-objects changes where the ../src object files are placed.
AUTOMAKE_OPIONS=foreign no-dependencies subdir-objects
bin_PROGRAMS = saganpeek
# Header search path for the shared ../src sources, plus the JSON/string
# library flags discovered by configure.
saganpeek_CPPFLAGS = -I../src $(LIBFASTJSON_CFLAGS) $(LIBESTR_CFLAGS)
saganpeek_LDADD = $(LIBFASTJSON_LIBS) $(LIBLOGNORM_LIBS) $(LIBESTR_LIBS)
# The two .S files are the SSE strstr implementations pulled in by
# strstr-hook.c; they are assembled as part of this program.
saganpeek_SOURCES = saganpeek.c \
    ../src/util-strlcpy.c \
    ../src/util-strlcat.c \
    ../src/util.c \
    ../src/util-time.c \
    ../src/lockfile.c \
    ../src/parsers/strstr-asm/strstr-hook.c \
    ../src/parsers/strstr-asm/strstr_sse2.S \
    ../src/parsers/strstr-asm/strstr_sse4_2.S
# install-data-local is declared with no recipe, so "make install" in this
# directory installs nothing beyond bin_PROGRAMS (no man page or config for
# saganpeek). Presumably intentional; the top-level Makefile.am carries the
# real install hook.
install-data-local:
sagan-1.2.0/tools/saganpeek.c0000644000175000017500000006600213310531444015011 0ustar champchamp/*
** Copyright (C) 2009-2018 Quadrant Information Security
** Copyright (C) 2009-2018 Champ Clark III
**
** This program is free software; you can redistribute it and/or modify
** it under the terms of the GNU General Public License Version 2 as
** published by the Free Software Foundation. You may not use, modify or
** distribute this program under any other version of the GNU General
** Public License.
**
** This program is distributed in the hope that it will be useful,
** but WITHOUT ANY WARRANTY; without even the implied warranty of
** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
** GNU General Public License for more details.
**
** You should have received a copy of the GNU General Public License
** along with this program; if not, write to the Free Software
** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
*/
/* sagan-peek.c
 *
 * This small utility "peeks" into Sagan memory to display thresholds,
 * afters, flowbits, etc. The term "peek" goes back to old BASIC "peek"
 * and "poke" of memory.
 *
 */
/* TODO: need to add dstport, srcport for threshold/after
   DEBUG: Need ports?
   DEBUG: --debug limits isn't show after?!? in ./sagan */
#ifdef HAVE_CONFIG_H
#include "config.h" /* From autoconf */
#endif
/* NOTE(review): the system header names are missing from the #include
 * lines below in this listing (they were stripped when the file was
 * rendered); the names must be restored from the original source file. */
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include "../src/sagan.h"
#include "../src/sagan-defs.h"
#include "../src/xbit-mmap.h"
#include "../src/util-time.h"
#include "../src/processors/track-clients.h"
/* Values for the -t/--type selector; ALL_TYPES dumps every IPC object. */
#define ALL_TYPES 0
#define THRESHOLD_TYPE 1
#define AFTER_TYPE 2
#define XBIT_TYPE 3
#define TRACK_TYPE 4
/****************************************************************************
 * usage - Give the user some hints about how to use this utility!
 ****************************************************************************/
/* Prints the option summary to stderr. IPC_DIRECTORY comes from the Sagan
 * headers above and is the default shown for -i/--ipc.
 * NOTE(review): the final "sagan-peek [IPC directory]" line suggests a
 * positional argument, but the visible option loop in main() only takes the
 * directory from -i/--ipc (optarg); a bare positional argument does not
 * appear to be read. Either drop the line or document -i instead. */
void Usage( void )
{
    fprintf(stderr, "\n--[ saganpeek help ]---------------------------------------------------------\n\n");
    fprintf(stderr, "-t, --type\tthreshold, after, xbit, track, all (default: all)\n");
    fprintf(stderr, "-h, --help\tThis screen.\n");
    fprintf(stderr, "-i, --ipc\tIPC source directory. (default: %s)\n", IPC_DIRECTORY);
    fprintf(stderr, "\nsagan-peek [IPC directory]\n");
}
/****************************************************************************
 * object_check - Verifies a memory object exists before doing an open.
 * This way, we don't mistakingly "create" the object!
 ****************************************************************************/
/* Returns true when stat() succeeds on `object`, false otherwise. Any stat()
 * failure (not only ENOENT) is reported as "absent".
 * NOTE(review): there is a check-then-use window between this stat() and the
 * caller's open(); since the caller opens O_RDONLY and handles open() failing,
 * this check only improves the error message and is not a security control.
 */
int object_check( char *object )
{
    /* This local shadows the function name; harmless, but confusing. */
    struct stat object_check;
    if ( ( stat(object, &object_check) == -1 )) {
        return(false);
    }
    return(true);
}
/****************************************************************************
 * u32_time_to_human - Convert epoch time to human readable
 ****************************************************************************/
/* DEBUG - this is like in util-time.c */
/* Formats an epoch timestamp as "%b %d %H:%M:%S %Y" and returns a pointer to
 * a static buffer, so each call overwrites the previous result and the
 * function is not reentrant.
 * NOTE(review): main() below calls u32_Time_To_Human() (from util-time.h)
 * rather than this helper, so this copy appears unused in the visible code.
 * NOTE(review): "%lu" does not match uint64_t on every platform; the file
 * already uses "%" PRIu64 in main(), which would be the consistent choice.
 * The strptime() return value is not checked; on a parse failure tm stays
 * zeroed and a 1900-era date is printed rather than an error. */
char *u32_time_to_human( uint64_t utime )
{
    struct tm tm;
    static char time_buf[80];
    char tmp[80];
    char *return_time = NULL;
    memset(&tm, 0, sizeof(struct tm));
    snprintf(tmp, sizeof(tmp) - 1, "%lu", utime);
    strptime(tmp, "%s", &tm);
    strftime(time_buf, sizeof(time_buf), "%b %d %H:%M:%S %Y", &tm);
    return_time = (char*)&time_buf;
    return(return_time);
}
/****************************************************************************
 * main - Pull data from shared memory and display it!
 ****************************************************************************/
int main(int argc, char **argv)
{
    const struct option long_options[] = {
        { "help", no_argument, NULL, 'h' },
        { "ipc", required_argument, NULL, 'i' },
        { "type", required_argument, NULL, 't' },
        {0, 0, 0, 0}
    };
    static const char *short_options = "i:t:h";
    int option_index = 0;
    /* Pointers into the read-only mmap()ed IPC objects; counters_ipc is
     * mapped first because its counts size the other mappings. */
    struct _Sagan_IPC_Counters *counters_ipc;
    struct _Sagan_IPC_Xbit *xbit_ipc;
    struct _Sagan_Track_Clients_IPC *SaganTrackClients_ipc;
    struct thresh_by_src_ipc *threshbysrc_ipc;
    struct thresh_by_dst_ipc *threshbydst_ipc;
    struct thresh_by_username_ipc *threshbyusername_ipc;
    struct after_by_src_ipc *afterbysrc_ipc;
    struct after_by_dst_ipc *afterbydst_ipc;
    struct after_by_username_ipc *afterbyusername_ipc;
    signed char c;
    /* For convert to IP string */
    char ip_src[MAXIP];
    char ip_dst[MAXIP];
    char time_buf[80];
    /* Shared memory descriptors */
    int shm_counters;
    int shm;
    int i;
    bool typeflag = 0;
    unsigned char type = ALL_TYPES;
    char tmp_object_check[255];
    char *ipc_directory = IPC_DIRECTORY;
/* Get command line arg's */ while ((c = getopt_long(argc, argv, short_options, long_options, &option_index)) != -1) { switch(c) { if ( c == -1 ) break; case 'h': Usage(); exit(0); break; case 'i': ipc_directory = optarg; break; case 't': if (!strcmp(optarg, "threshold")) { type = THRESHOLD_TYPE; typeflag = true; } else if (!strcmp(optarg, "after")) { type = AFTER_TYPE; typeflag = true; } else if (!strcmp(optarg, "xbit")) { type = XBIT_TYPE; typeflag = true; } else if (!strcmp(optarg, "track")) { type = TRACK_TYPE; typeflag = true; } if ( typeflag == false ) { printf("Unknown option '%s'\n", optarg); exit(1); } break; default: fprintf(stderr, "Invalid argument!\n"); Usage(); exit(0); break; } } /* Load the "counters" first. The "counters" keep track of the number of elements on the * other arrays */ snprintf(tmp_object_check, sizeof(tmp_object_check) - 1, "%s/%s", ipc_directory, COUNTERS_IPC_FILE); if ( object_check(tmp_object_check) == false ) { fprintf(stderr, "Error. Can't locate %s. Abort!\n", tmp_object_check); Usage(); exit(1); } if ( ( shm_counters = open(tmp_object_check, O_RDONLY ) ) == -1 ) { fprintf(stderr, "[%s, line %d] Cannot open() for counters (%s)\n", __FILE__, __LINE__, strerror(errno)); exit(1); } if (( counters_ipc = mmap(0, sizeof(_Sagan_IPC_Counters) , PROT_READ, MAP_SHARED, shm_counters, 0)) == MAP_FAILED ) { fprintf(stderr, "[%s, line %d] Error allocating memory for counters object! [%s]\n", __FILE__, __LINE__, strerror(errno)); exit(1); } close(shm_counters); /*** Get "threshold by source" data ****/ if ( type == ALL_TYPES || type == THRESHOLD_TYPE ) { snprintf(tmp_object_check, sizeof(tmp_object_check) - 1, "%s/%s", ipc_directory, THRESH_BY_SRC_IPC_FILE); if ( object_check(tmp_object_check) == false ) { fprintf(stderr, "Error. Can't locate %s. 
Abort!\n", tmp_object_check); Usage(); exit(1); } if ( (shm = open(tmp_object_check, O_RDONLY ) ) == -1 ) { fprintf(stderr, "[%s, line %d] Cannot open() for thresh_by_src (%s)\n", __FILE__, __LINE__, strerror(errno)); exit(1); } if (( threshbysrc_ipc = mmap(0, sizeof(thresh_by_src_ipc) + (sizeof(thresh_by_src_ipc) * counters_ipc->thresh_count_by_src), PROT_READ, MAP_SHARED, shm, 0)) == MAP_FAILED ) { fprintf(stderr, "[%s, line %d] Error allocating memory for thresh_by_src object! [%s]\n", __FILE__, __LINE__, strerror(errno)); exit(1); } close(shm); if ( counters_ipc->thresh_count_by_src >= 1 ) { for ( i = 0; i < counters_ipc->thresh_count_by_src; i++) { Bit2IP(threshbysrc_ipc[i].ipsrc, ip_src, sizeof(ip_src)); printf("Type: Threshold by source [%d].\n", i); u32_Time_To_Human(threshbysrc_ipc[i].utime, time_buf, sizeof(time_buf)); printf("Selector: "); if ( threshbysrc_ipc[i].selector[0] == 0 ) { printf("[None]\n"); } else { printf("%s\n", threshbysrc_ipc[i].selector); } printf("Source IP: %s\n", ip_src); printf("Signature: \"%s\" (%s)\n", threshbysrc_ipc[i].signature_msg, threshbysrc_ipc[i].sid); printf("Syslog Message: \"%s\"\n", threshbysrc_ipc[i].syslog_message); printf("Date added/modified: %s\n", time_buf); printf("Counter: %d\n", threshbysrc_ipc[i].count); printf("Expire Time: %d\n\n", threshbysrc_ipc[i].expire); } } /*** Get "threshold by destination" data ***/ snprintf(tmp_object_check, sizeof(tmp_object_check) - 1, "%s/%s", ipc_directory, THRESH_BY_DST_IPC_FILE); if ( object_check(tmp_object_check) == false ) { fprintf(stderr, "Error. Can't locate %s. 
Abort!\n", tmp_object_check); Usage(); exit(1); } if ((shm = open(tmp_object_check, O_RDONLY ) ) == -1 ) { fprintf(stderr, "[%s, line %d] Cannot open() (%s)\n", __FILE__, __LINE__, strerror(errno)); exit(1); } if (( threshbydst_ipc = mmap(0, sizeof(thresh_by_dst_ipc) + (sizeof(thresh_by_dst_ipc) * counters_ipc->thresh_count_by_dst) , PROT_READ, MAP_SHARED, shm, 0)) == MAP_FAILED ) { fprintf(stderr, "[%s, line %d] Error allocating memory object! [%s]\n", __FILE__, __LINE__, strerror(errno)); exit(1); } close(shm); if ( counters_ipc->thresh_count_by_dst >= 1 ) { for ( i = 0; i < counters_ipc->thresh_count_by_dst; i++) { Bit2IP(threshbydst_ipc[i].ipdst, ip_dst, sizeof(ip_dst)); u32_Time_To_Human(threshbydst_ipc[i].utime, time_buf, sizeof(time_buf)); printf("Type: Threshold by destination [%d].\n", i); printf("Selector: "); if ( threshbydst_ipc[i].selector[0] == 0 ) { printf("[None]\n"); } else { printf("%s\n", threshbydst_ipc[i].selector); } printf("Destination IP: %s\n", ip_dst); printf("Signature: \"%s\" (%s)\n", threshbydst_ipc[i].signature_msg, threshbydst_ipc[i].sid); printf("Syslog Message: \"%s\"\n", threshbydst_ipc[i].syslog_message); printf("Date added/modified: %s\n", time_buf); printf("Counter: %d\n", threshbydst_ipc[i].count); printf("Expire Time: %d\n\n", threshbydst_ipc[i].expire); } } /*** Get "threshold by username" data ***/ snprintf(tmp_object_check, sizeof(tmp_object_check) - 1, "%s/%s", ipc_directory, THRESH_BY_USERNAME_IPC_FILE); if ( object_check(tmp_object_check) == false ) { fprintf(stderr, "Error. Can't locate %s. 
Abort!\n", tmp_object_check); Usage(); exit(1); } if ((shm = open(tmp_object_check, O_RDONLY ) ) == -1 ) { fprintf(stderr, "[%s, line %d] Cannot open() (%s)\n", __FILE__, __LINE__, strerror(errno)); exit(1); } if (( threshbyusername_ipc = mmap(0, sizeof(thresh_by_username_ipc) + (sizeof(thresh_by_username_ipc) * counters_ipc->thresh_count_by_username ), PROT_READ, MAP_SHARED, shm, 0)) == MAP_FAILED ) { fprintf(stderr, "[%s, line %d] Error allocating memory object! [%s]\n", __FILE__, __LINE__, strerror(errno)); exit(1); } close(shm); if ( counters_ipc->thresh_count_by_username >= 1 ) { for ( i = 0; i < counters_ipc->thresh_count_by_username; i++) { printf("Type: Threshold by username [%d].\n", i); u32_Time_To_Human(threshbyusername_ipc[i].utime, time_buf, sizeof(time_buf)); printf("Selector: "); if ( threshbyusername_ipc[i].selector[0] == 0 ) { printf("[None]\n"); } else { printf("%s\n", threshbyusername_ipc[i].selector); } printf("Username: %s\n", threshbyusername_ipc[i].username); printf("Signature: \"%s\" (%s)\n", threshbyusername_ipc[i].signature_msg, threshbyusername_ipc[i].sid); printf("Syslog Message: \"%s\"\n", threshbyusername_ipc[i].syslog_message); printf("Date added/modified: %s\n", time_buf); printf("Counter: %d\n", threshbyusername_ipc[i].count); printf("Expire Time: %d\n\n", threshbyusername_ipc[i].expire); } } } /*** Get "after by source" data ***/ if ( type == ALL_TYPES || type == AFTER_TYPE ) { snprintf(tmp_object_check, sizeof(tmp_object_check) - 1, "%s/%s", ipc_directory, AFTER_BY_SRC_IPC_FILE); if ( object_check(tmp_object_check) == false ) { fprintf(stderr, "Error. Can't locate %s. 
Abort!\n", tmp_object_check); Usage(); exit(1); } if ((shm = open(tmp_object_check, O_RDONLY ) ) == -1 ) { fprintf(stderr, "[%s, line %d] Cannot open() (%s)\n", __FILE__, __LINE__, strerror(errno)); exit(1); } if (( afterbysrc_ipc = mmap(0, sizeof(after_by_src_ipc) + (sizeof(after_by_src_ipc) * counters_ipc->after_count_by_src ), PROT_READ, MAP_SHARED, shm, 0)) == MAP_FAILED ) { fprintf(stderr, "[%s, line %d] Error allocating memory object! [%s]\n", __FILE__, __LINE__, strerror(errno)); exit(1); } close(shm); if ( counters_ipc->after_count_by_src >= 1 ) { for ( i = 0; i < counters_ipc->after_count_by_src; i++ ) { Bit2IP(afterbysrc_ipc[i].ipsrc, ip_src, sizeof(ip_src)); printf("Type: After by source [%d].\n", i); u32_Time_To_Human(afterbysrc_ipc[i].utime, time_buf, sizeof(time_buf)); printf("Selector: "); if ( afterbysrc_ipc[i].selector[0] == 0 ) { printf("[None]\n"); } else { printf("%s\n", afterbysrc_ipc[i].selector); } printf("Source IP: %s\n", ip_src); printf("Signature: \"%s\" (%s)\n", afterbysrc_ipc[i].signature_msg, afterbysrc_ipc[i].sid); printf("Syslog Message: \"%s\"\n", afterbysrc_ipc[i].syslog_message); printf("Date added/modified: %s\n", time_buf); printf("Counter: %" PRIu64 "\n", afterbysrc_ipc[i].count); printf("Expire Time: %d\n\n", afterbysrc_ipc[i].expire); } } /*** Get "After by destination" data ***/ snprintf(tmp_object_check, sizeof(tmp_object_check) - 1, "%s/%s", ipc_directory, AFTER_BY_DST_IPC_FILE); if ( object_check(tmp_object_check) == false ) { fprintf(stderr, "Error. Can't locate %s. Abort!\n", tmp_object_check); Usage(); exit(1); } if ((shm = open(tmp_object_check, O_RDONLY ) ) == -1 ) { fprintf(stderr, "[%s, line %d] Cannot open() (%s)\n", __FILE__, __LINE__, strerror(errno)); exit(1); } if (( afterbydst_ipc = mmap(0, sizeof(after_by_dst_ipc) + (sizeof(after_by_dst_ipc) * counters_ipc->after_count_by_dst ) , PROT_READ, MAP_SHARED, shm, 0)) == MAP_FAILED ) { fprintf(stderr, "[%s, line %d] Error allocating memory object! 
[%s]\n", __FILE__, __LINE__, strerror(errno)); exit(1); } close(shm); if ( counters_ipc->after_count_by_dst >= 1 ) { for ( i = 0; i < counters_ipc->after_count_by_dst; i++) { Bit2IP(afterbydst_ipc[i].ipdst, ip_dst, sizeof(ip_dst)); printf("Type: After by destination [%d].\n", i); u32_Time_To_Human(afterbydst_ipc[i].utime, time_buf, sizeof(time_buf)); printf("Selector: "); if ( afterbydst_ipc[i].selector[0] == 0 ) { printf("[None]\n"); } else { printf("%s\n", afterbydst_ipc[i].selector); } printf("Source IP: %s\n", ip_dst); printf("Signature: \"%s\" (%s)\n", afterbydst_ipc[i].signature_msg, afterbydst_ipc[i].sid); printf("Syslog Message: \"%s\"\n", afterbydst_ipc[i].syslog_message); printf("Date added/modified: %s\n", time_buf); printf("Counter: %d\n", afterbydst_ipc[i].count); printf("Expire Time: %d\n\n", afterbydst_ipc[i].expire); } } /*** Get "after by username" data ***/ snprintf(tmp_object_check, sizeof(tmp_object_check) - 1, "%s/%s", ipc_directory, AFTER_BY_USERNAME_IPC_FILE); if ( object_check(tmp_object_check) == false ) { fprintf(stderr, "Error. Can't locate %s. Abort!\n", tmp_object_check); Usage(); exit(1); } if ((shm = open(tmp_object_check, O_RDONLY ) ) == -1 ) { fprintf(stderr, "[%s, line %d] Cannot open() (%s)\n", __FILE__, __LINE__, strerror(errno)); exit(1); } if (( afterbyusername_ipc = mmap(0, sizeof(after_by_username_ipc) + (sizeof(after_by_username_ipc) * counters_ipc->after_count_by_username ) , PROT_READ, MAP_SHARED, shm, 0)) == MAP_FAILED ) { fprintf(stderr, "[%s, line %d] Error allocating memory object! 
[%s]\n", __FILE__, __LINE__, strerror(errno)); exit(1); } close(shm); if ( counters_ipc->after_count_by_username >= 1 ) { for ( i = 0; i < counters_ipc->after_count_by_username; i++) { printf("Type: After by username [%d].\n", i); u32_Time_To_Human(afterbyusername_ipc[i].utime, time_buf, sizeof(time_buf)); printf("Selector: "); if ( afterbyusername_ipc[i].selector[0] == 0 ) { printf("[None]\n"); } else { printf("%s\n", afterbyusername_ipc[i].selector); } printf("Username: %s\n", afterbyusername_ipc[i].username); printf("Signature: \"%s\" (%s)\n", afterbyusername_ipc[i].signature_msg, afterbyusername_ipc[i].sid); printf("Syslog Message: \"%s\"\n", afterbyusername_ipc[i].syslog_message); printf("Date added/modified: %s\n", time_buf); printf("Counter: %" PRIu64 "\n", afterbyusername_ipc[i].count); printf("Expire Time: %d\n\n", afterbyusername_ipc[i].expire); } } } /*** Get "xbit" data ***/ if ( type == ALL_TYPES || type == XBIT_TYPE ) { snprintf(tmp_object_check, sizeof(tmp_object_check) - 1, "%s/%s", ipc_directory, XBIT_IPC_FILE); if ( object_check(tmp_object_check) == false ) { fprintf(stderr, "Error. Can't locate %s. Abort!\n", tmp_object_check); Usage(); exit(1); } if ((shm = open(tmp_object_check, O_RDONLY ) ) == -1 ) { fprintf(stderr, "[%s, line %d] Cannot open() (%s)\n", __FILE__, __LINE__, strerror(errno)); exit(1); } if (( xbit_ipc = mmap(0, sizeof(_Sagan_IPC_Xbit) + (sizeof(_Sagan_IPC_Xbit) * counters_ipc->xbit_count ) , PROT_READ, MAP_SHARED, shm, 0)) == MAP_FAILED ) { fprintf(stderr, "[%s, line %d] Error allocating memory object! 
[%s]\n", __FILE__, __LINE__, strerror(errno)); exit(1); } close(shm); if ( counters_ipc->xbit_count >= 1 ) { for (i= 0; i < counters_ipc->xbit_count; i++ ) { u32_Time_To_Human(xbit_ipc[i].xbit_expire, time_buf, sizeof(time_buf)); printf("Type: xbit [%d].\n", i); printf("Selector: "); if ( xbit_ipc[i].selector[0] == 0 ) { printf("[None]\n"); } else { printf("%s\n", xbit_ipc[i].selector); } printf("Xbit name: \"%s\"\n", xbit_ipc[i].xbit_name); printf("State: %s\n", xbit_ipc[i].xbit_state == 1 ? "ACTIVE" : "INACTIVE"); printf("IP: %s:%d -> %s:%d\n", xbit_ipc[i].ip_src, xbit_ipc[i].src_port, xbit_ipc[i].ip_dst, xbit_ipc[i].dst_port); printf("Signature: \"%s\" (%s)\n", xbit_ipc[i].signature_msg, xbit_ipc[i].sid); printf("Expire Time: %s (%d seconds)\n", time_buf, xbit_ipc[i].expire); printf("Syslog message: \"%s\"\n\n", xbit_ipc[i].syslog_message ); } } } /**** Get "Tracking" data (if enabled) ****/ if ( type == ALL_TYPES || type == TRACK_TYPE ) { snprintf(tmp_object_check, sizeof(tmp_object_check) - 1, "%s/%s", ipc_directory, CLIENT_TRACK_IPC_FILE); if ( object_check(tmp_object_check) == true ) { if ((shm = open(tmp_object_check, O_RDONLY ) ) == -1 ) { fprintf(stderr, "[%s, line %d] Cannot open() (%s)\n", __FILE__, __LINE__, strerror(errno)); exit(1); } if (( SaganTrackClients_ipc = mmap(0, sizeof(_Sagan_Track_Clients_IPC) + (sizeof(_Sagan_Track_Clients_IPC) * counters_ipc->track_clients_client_count ) , PROT_READ, MAP_SHARED, shm, 0)) == MAP_FAILED ) { fprintf(stderr, "[%s, line %d] Error allocating memory object! [%s]\n", __FILE__, __LINE__, strerror(errno)); exit(1); } close(shm); if ( counters_ipc->track_clients_client_count >= 1 ) { for ( i = 0; i < counters_ipc->track_clients_client_count; i++) { Bit2IP(SaganTrackClients_ipc[i].hostbits, ip_src, sizeof(SaganTrackClients_ipc[i].hostbits)); u32_Time_To_Human(SaganTrackClients_ipc[i].utime, time_buf, sizeof(time_buf)); printf("Type: Tracking. [%d]\n", i); printf("State: %s.\n", 0 == SaganTrackClients_ipc[i].status ? 
"ACTIVE" : "INACTIVE"); printf("Source tracking: %s\n", ip_src); printf("Last seen: %s (%d/%d)\n\n", time_buf, SaganTrackClients_ipc[i].expire, SaganTrackClients_ipc[i].expire / 60); } } close(shm); } /* object_check */ } return(0); /* Clean exit */ } sagan-1.2.0/tools/Makefile.in0000644000175000017500000012554213310533436014764 0ustar champchamp# Makefile.in generated by automake 1.14.1 from Makefile.am. # @configure_input@ # Copyright (C) 1994-2013 Free Software Foundation, Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, # with or without modifications, as long as this notice is preserved. # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY, to the extent permitted by law; without # even the implied warranty of MERCHANTABILITY or FITNESS FOR A # PARTICULAR PURPOSE. @SET_MAKE@ VPATH = @srcdir@ am__is_gnu_make = test -n '$(MAKEFILE_LIST)' && test -n '$(MAKELEVEL)' am__make_running_with_option = \ case $${target_option-} in \ ?) 
;; \ *) echo "am__make_running_with_option: internal error: invalid" \ "target option '$${target_option-}' specified" >&2; \ exit 1;; \ esac; \ has_opt=no; \ sane_makeflags=$$MAKEFLAGS; \ if $(am__is_gnu_make); then \ sane_makeflags=$$MFLAGS; \ else \ case $$MAKEFLAGS in \ *\\[\ \ ]*) \ bs=\\; \ sane_makeflags=`printf '%s\n' "$$MAKEFLAGS" \ | sed "s/$$bs$$bs[$$bs $$bs ]*//g"`;; \ esac; \ fi; \ skip_next=no; \ strip_trailopt () \ { \ flg=`printf '%s\n' "$$flg" | sed "s/$$1.*$$//"`; \ }; \ for flg in $$sane_makeflags; do \ test $$skip_next = yes && { skip_next=no; continue; }; \ case $$flg in \ *=*|--*) continue;; \ -*I) strip_trailopt 'I'; skip_next=yes;; \ -*I?*) strip_trailopt 'I';; \ -*O) strip_trailopt 'O'; skip_next=yes;; \ -*O?*) strip_trailopt 'O';; \ -*l) strip_trailopt 'l'; skip_next=yes;; \ -*l?*) strip_trailopt 'l';; \ -[dEDm]) skip_next=yes;; \ -[JT]) skip_next=yes;; \ esac; \ case $$flg in \ *$$target_option*) has_opt=yes; break;; \ esac; \ done; \ test $$has_opt = yes am__make_dryrun = (target_option=n; $(am__make_running_with_option)) am__make_keepgoing = (target_option=k; $(am__make_running_with_option)) pkgdatadir = $(datadir)/@PACKAGE@ pkgincludedir = $(includedir)/@PACKAGE@ pkglibdir = $(libdir)/@PACKAGE@ pkglibexecdir = $(libexecdir)/@PACKAGE@ am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd install_sh_DATA = $(install_sh) -c -m 644 install_sh_PROGRAM = $(install_sh) -c install_sh_SCRIPT = $(install_sh) -c INSTALL_HEADER = $(INSTALL_DATA) transform = $(program_transform_name) NORMAL_INSTALL = : PRE_INSTALL = : POST_INSTALL = : NORMAL_UNINSTALL = : PRE_UNINSTALL = : POST_UNINSTALL = : build_triplet = @build@ host_triplet = @host@ target_triplet = @target@ bin_PROGRAMS = saganpeek$(EXEEXT) subdir = tools DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am \ $(top_srcdir)/depcomp ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 am__aclocal_m4_deps = $(top_srcdir)/m4/ax_check_compile_flag.m4 \ $(top_srcdir)/m4/ax_ext.m4 \ 
$(top_srcdir)/m4/ax_gcc_x86_avx_xgetbv.m4 \ $(top_srcdir)/m4/ax_gcc_x86_cpuid.m4 \ $(top_srcdir)/configure.ac am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) mkinstalldirs = $(install_sh) -d CONFIG_HEADER = $(top_builddir)/config.h CONFIG_CLEAN_FILES = CONFIG_CLEAN_VPATH_FILES = am__installdirs = "$(DESTDIR)$(bindir)" PROGRAMS = $(bin_PROGRAMS) am__dirstamp = $(am__leading_dot)dirstamp am_saganpeek_OBJECTS = saganpeek-saganpeek.$(OBJEXT) \ ../src/saganpeek-util-strlcpy.$(OBJEXT) \ ../src/saganpeek-util-strlcat.$(OBJEXT) \ ../src/saganpeek-util.$(OBJEXT) \ ../src/saganpeek-util-time.$(OBJEXT) \ ../src/saganpeek-lockfile.$(OBJEXT) \ ../src/parsers/strstr-asm/saganpeek-strstr-hook.$(OBJEXT) \ ../src/parsers/strstr-asm/saganpeek-strstr_sse2.$(OBJEXT) \ ../src/parsers/strstr-asm/saganpeek-strstr_sse4_2.$(OBJEXT) saganpeek_OBJECTS = $(am_saganpeek_OBJECTS) am__DEPENDENCIES_1 = saganpeek_DEPENDENCIES = $(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) \ $(am__DEPENDENCIES_1) AM_V_P = $(am__v_P_@AM_V@) am__v_P_ = $(am__v_P_@AM_DEFAULT_V@) am__v_P_0 = false am__v_P_1 = : AM_V_GEN = $(am__v_GEN_@AM_V@) am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@) am__v_GEN_0 = @echo " GEN " $@; am__v_GEN_1 = AM_V_at = $(am__v_at_@AM_V@) am__v_at_ = $(am__v_at_@AM_DEFAULT_V@) am__v_at_0 = @ am__v_at_1 = DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir) depcomp = $(SHELL) $(top_srcdir)/depcomp am__depfiles_maybe = depfiles am__mv = mv -f AM_V_lt = $(am__v_lt_@AM_V@) am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@) am__v_lt_0 = --silent am__v_lt_1 = CPPASCOMPILE = $(CCAS) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \ $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CCASFLAGS) $(CCASFLAGS) AM_V_CPPAS = $(am__v_CPPAS_@AM_V@) am__v_CPPAS_ = $(am__v_CPPAS_@AM_DEFAULT_V@) am__v_CPPAS_0 = @echo " CPPAS " $@; am__v_CPPAS_1 = COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) AM_V_CC = $(am__v_CC_@AM_V@) am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@) 
am__v_CC_0 = @echo " CC " $@; am__v_CC_1 = CCLD = $(CC) LINK = $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) $(LDFLAGS) -o $@ AM_V_CCLD = $(am__v_CCLD_@AM_V@) am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@) am__v_CCLD_0 = @echo " CCLD " $@; am__v_CCLD_1 = SOURCES = $(saganpeek_SOURCES) DIST_SOURCES = $(saganpeek_SOURCES) am__can_run_installinfo = \ case $$AM_UPDATE_INFO_DIR in \ n|no|NO) false;; \ *) (install-info --version) >/dev/null 2>&1;; \ esac am__tagged_files = $(HEADERS) $(SOURCES) $(TAGS_FILES) $(LISP) # Read a list of newline-separated strings from the standard input, # and print each of them once, without duplicates. Input order is # *not* preserved. am__uniquify_input = $(AWK) '\ BEGIN { nonempty = 0; } \ { items[$$0] = 1; nonempty = 1; } \ END { if (nonempty) { for (i in items) print i; }; } \ ' # Make sure the list of sources is unique. This is necessary because, # e.g., the same source file might be shared among _SOURCES variables # for different programs/libraries. am__define_uniq_tagged_files = \ list='$(am__tagged_files)'; \ unique=`for i in $$list; do \ if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ done | $(am__uniquify_input)` ETAGS = etags CTAGS = ctags DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ AMTAR = @AMTAR@ AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@ AUTOCONF = @AUTOCONF@ AUTOHEADER = @AUTOHEADER@ AUTOMAKE = @AUTOMAKE@ AWK = @AWK@ CC = @CC@ CCAS = @CCAS@ CCASDEPMODE = @CCASDEPMODE@ CCASFLAGS = @CCASFLAGS@ CCDEPMODE = @CCDEPMODE@ CFLAGS = @CFLAGS@ CPP = @CPP@ CPPFLAGS = @CPPFLAGS@ CYGPATH_W = @CYGPATH_W@ DEFS = @DEFS@ DEPDIR = @DEPDIR@ ECHO_C = @ECHO_C@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ ENDIAN = @ENDIAN@ EXEEXT = @EXEEXT@ GREP = @GREP@ INSTALL = @INSTALL@ INSTALL_DATA = @INSTALL_DATA@ INSTALL_PROGRAM = @INSTALL_PROGRAM@ INSTALL_SCRIPT = @INSTALL_SCRIPT@ INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@ LDFLAGS = @LDFLAGS@ LIBESTR_CFLAGS = @LIBESTR_CFLAGS@ 
LIBESTR_LIBS = @LIBESTR_LIBS@ LIBFASTJSON_CFLAGS = @LIBFASTJSON_CFLAGS@ LIBFASTJSON_LIBS = @LIBFASTJSON_LIBS@ LIBLOGNORM_CFLAGS = @LIBLOGNORM_CFLAGS@ LIBLOGNORM_LIBS = @LIBLOGNORM_LIBS@ LIBOBJS = @LIBOBJS@ LIBPCREVERSION_CFLAGS = @LIBPCREVERSION_CFLAGS@ LIBPCREVERSION_LIBS = @LIBPCREVERSION_LIBS@ LIBS = @LIBS@ LTLIBOBJS = @LTLIBOBJS@ MAINT = @MAINT@ MAKEINFO = @MAKEINFO@ MKDIR_P = @MKDIR_P@ OBJEXT = @OBJEXT@ PACKAGE = @PACKAGE@ PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@ PACKAGE_NAME = @PACKAGE_NAME@ PACKAGE_STRING = @PACKAGE_STRING@ PACKAGE_TARNAME = @PACKAGE_TARNAME@ PACKAGE_URL = @PACKAGE_URL@ PACKAGE_VERSION = @PACKAGE_VERSION@ PATH_SEPARATOR = @PATH_SEPARATOR@ PKG_CONFIG = @PKG_CONFIG@ PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ SIMD_FLAGS = @SIMD_FLAGS@ STRIP = @STRIP@ VERSION = @VERSION@ abs_builddir = @abs_builddir@ abs_srcdir = @abs_srcdir@ abs_top_builddir = @abs_top_builddir@ abs_top_srcdir = @abs_top_srcdir@ ac_ct_CC = @ac_ct_CC@ am__include = @am__include@ am__leading_dot = @am__leading_dot@ am__quote = @am__quote@ am__tar = @am__tar@ am__untar = @am__untar@ bindir = @bindir@ build = @build@ build_alias = @build_alias@ build_cpu = @build_cpu@ build_os = @build_os@ build_vendor = @build_vendor@ builddir = @builddir@ datadir = @datadir@ datarootdir = @datarootdir@ docdir = @docdir@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ host = @host@ host_alias = @host_alias@ host_cpu = @host_cpu@ host_os = @host_os@ host_vendor = @host_vendor@ htmldir = @htmldir@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ libdir = @libdir@ libexecdir = @libexecdir@ localedir = @localedir@ localstatedir = @localstatedir@ mandir = @mandir@ mkdir_p = @mkdir_p@ oldincludedir = @oldincludedir@ pdfdir = @pdfdir@ prefix = @prefix@ program_transform_name = @program_transform_name@ psdir = @psdir@ sbindir = @sbindir@ sharedstatedir = @sharedstatedir@ srcdir = @srcdir@ sysconfdir = @sysconfdir@ 
target = @target@ target_alias = @target_alias@ target_cpu = @target_cpu@ target_os = @target_os@ target_vendor = @target_vendor@ top_build_prefix = @top_build_prefix@ top_builddir = @top_builddir@ top_srcdir = @top_srcdir@ ACLOCAL_AMFLAGS = -I m4 AUTOMAKE_OPIONS = foreign no-dependencies subdir-objects saganpeek_CPPFLAGS = -I../src $(LIBFASTJSON_CFLAGS) $(LIBESTR_CFLAGS) saganpeek_LDADD = $(LIBFASTJSON_LIBS) $(LIBLOGNORM_LIBS) $(LIBESTR_LIBS) saganpeek_SOURCES = saganpeek.c \ ../src/util-strlcpy.c \ ../src/util-strlcat.c \ ../src/util.c \ ../src/util-time.c \ ../src/lockfile.c \ ../src/parsers/strstr-asm/strstr-hook.c \ ../src/parsers/strstr-asm/strstr_sse2.S \ ../src/parsers/strstr-asm/strstr_sse4_2.S all: all-am .SUFFIXES: .SUFFIXES: .S .c .o .obj $(srcdir)/Makefile.in: @MAINTAINER_MODE_TRUE@ $(srcdir)/Makefile.am $(am__configure_deps) @for dep in $?; do \ case '$(am__configure_deps)' in \ *$$dep*) \ ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \ && { if test -f $@; then exit 0; else break; fi; }; \ exit 1;; \ esac; \ done; \ echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu tools/Makefile'; \ $(am__cd) $(top_srcdir) && \ $(AUTOMAKE) --gnu tools/Makefile .PRECIOUS: Makefile Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status @case '$?' 
in \ *config.status*) \ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \ *) \ echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \ cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \ esac; $(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES) cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh $(top_srcdir)/configure: @MAINTAINER_MODE_TRUE@ $(am__configure_deps) cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh $(ACLOCAL_M4): @MAINTAINER_MODE_TRUE@ $(am__aclocal_m4_deps) cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh $(am__aclocal_m4_deps): install-binPROGRAMS: $(bin_PROGRAMS) @$(NORMAL_INSTALL) @list='$(bin_PROGRAMS)'; test -n "$(bindir)" || list=; \ if test -n "$$list"; then \ echo " $(MKDIR_P) '$(DESTDIR)$(bindir)'"; \ $(MKDIR_P) "$(DESTDIR)$(bindir)" || exit 1; \ fi; \ for p in $$list; do echo "$$p $$p"; done | \ sed 's/$(EXEEXT)$$//' | \ while read p p1; do if test -f $$p \ ; then echo "$$p"; echo "$$p"; else :; fi; \ done | \ sed -e 'p;s,.*/,,;n;h' \ -e 's|.*|.|' \ -e 'p;x;s,.*/,,;s/$(EXEEXT)$$//;$(transform);s/$$/$(EXEEXT)/' | \ sed 'N;N;N;s,\n, ,g' | \ $(AWK) 'BEGIN { files["."] = ""; dirs["."] = 1 } \ { d=$$3; if (dirs[d] != 1) { print "d", d; dirs[d] = 1 } \ if ($$2 == $$4) files[d] = files[d] " " $$1; \ else { print "f", $$3 "/" $$4, $$1; } } \ END { for (d in files) print "f", d, files[d] }' | \ while read type dir files; do \ if test "$$dir" = .; then dir=; else dir=/$$dir; fi; \ test -z "$$files" || { \ echo " $(INSTALL_PROGRAM_ENV) $(INSTALL_PROGRAM) $$files '$(DESTDIR)$(bindir)$$dir'"; \ $(INSTALL_PROGRAM_ENV) $(INSTALL_PROGRAM) $$files "$(DESTDIR)$(bindir)$$dir" || exit $$?; \ } \ ; done uninstall-binPROGRAMS: @$(NORMAL_UNINSTALL) @list='$(bin_PROGRAMS)'; test -n "$(bindir)" || list=; \ files=`for p in $$list; do echo "$$p"; done | \ sed -e 'h;s,^.*/,,;s/$(EXEEXT)$$//;$(transform)' \ -e 's/$$/$(EXEEXT)/' \ 
`; \ test -n "$$list" || exit 0; \ echo " ( cd '$(DESTDIR)$(bindir)' && rm -f" $$files ")"; \ cd "$(DESTDIR)$(bindir)" && rm -f $$files clean-binPROGRAMS: -test -z "$(bin_PROGRAMS)" || rm -f $(bin_PROGRAMS) ../src/$(am__dirstamp): @$(MKDIR_P) ../src @: > ../src/$(am__dirstamp) ../src/$(DEPDIR)/$(am__dirstamp): @$(MKDIR_P) ../src/$(DEPDIR) @: > ../src/$(DEPDIR)/$(am__dirstamp) ../src/saganpeek-util-strlcpy.$(OBJEXT): ../src/$(am__dirstamp) \ ../src/$(DEPDIR)/$(am__dirstamp) ../src/saganpeek-util-strlcat.$(OBJEXT): ../src/$(am__dirstamp) \ ../src/$(DEPDIR)/$(am__dirstamp) ../src/saganpeek-util.$(OBJEXT): ../src/$(am__dirstamp) \ ../src/$(DEPDIR)/$(am__dirstamp) ../src/saganpeek-util-time.$(OBJEXT): ../src/$(am__dirstamp) \ ../src/$(DEPDIR)/$(am__dirstamp) ../src/saganpeek-lockfile.$(OBJEXT): ../src/$(am__dirstamp) \ ../src/$(DEPDIR)/$(am__dirstamp) ../src/parsers/strstr-asm/$(am__dirstamp): @$(MKDIR_P) ../src/parsers/strstr-asm @: > ../src/parsers/strstr-asm/$(am__dirstamp) ../src/parsers/strstr-asm/$(DEPDIR)/$(am__dirstamp): @$(MKDIR_P) ../src/parsers/strstr-asm/$(DEPDIR) @: > ../src/parsers/strstr-asm/$(DEPDIR)/$(am__dirstamp) ../src/parsers/strstr-asm/saganpeek-strstr-hook.$(OBJEXT): \ ../src/parsers/strstr-asm/$(am__dirstamp) \ ../src/parsers/strstr-asm/$(DEPDIR)/$(am__dirstamp) ../src/parsers/strstr-asm/saganpeek-strstr_sse2.$(OBJEXT): \ ../src/parsers/strstr-asm/$(am__dirstamp) \ ../src/parsers/strstr-asm/$(DEPDIR)/$(am__dirstamp) ../src/parsers/strstr-asm/saganpeek-strstr_sse4_2.$(OBJEXT): \ ../src/parsers/strstr-asm/$(am__dirstamp) \ ../src/parsers/strstr-asm/$(DEPDIR)/$(am__dirstamp) saganpeek$(EXEEXT): $(saganpeek_OBJECTS) $(saganpeek_DEPENDENCIES) $(EXTRA_saganpeek_DEPENDENCIES) @rm -f saganpeek$(EXEEXT) $(AM_V_CCLD)$(LINK) $(saganpeek_OBJECTS) $(saganpeek_LDADD) $(LIBS) mostlyclean-compile: -rm -f *.$(OBJEXT) -rm -f ../src/*.$(OBJEXT) -rm -f ../src/parsers/strstr-asm/*.$(OBJEXT) distclean-compile: -rm -f *.tab.c @AMDEP_TRUE@@am__include@ 
@am__quote@../src/$(DEPDIR)/saganpeek-lockfile.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@../src/$(DEPDIR)/saganpeek-util-strlcat.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@../src/$(DEPDIR)/saganpeek-util-strlcpy.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@../src/$(DEPDIR)/saganpeek-util-time.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@../src/$(DEPDIR)/saganpeek-util.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@../src/parsers/strstr-asm/$(DEPDIR)/saganpeek-strstr-hook.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@../src/parsers/strstr-asm/$(DEPDIR)/saganpeek-strstr_sse2.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@../src/parsers/strstr-asm/$(DEPDIR)/saganpeek-strstr_sse4_2.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/saganpeek-saganpeek.Po@am__quote@ .S.o: @am__fastdepCCAS_TRUE@ $(AM_V_CPPAS)depbase=`echo $@ | sed 's|[^/]*$$|$(DEPDIR)/&|;s|\.o$$||'`;\ @am__fastdepCCAS_TRUE@ $(CPPASCOMPILE) -MT $@ -MD -MP -MF $$depbase.Tpo -c -o $@ $< &&\ @am__fastdepCCAS_TRUE@ $(am__mv) $$depbase.Tpo $$depbase.Po @AMDEP_TRUE@@am__fastdepCCAS_FALSE@ $(AM_V_CPPAS)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCCAS_FALSE@ DEPDIR=$(DEPDIR) $(CCASDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCCAS_FALSE@ $(AM_V_CPPAS@am__nodep@)$(CPPASCOMPILE) -c -o $@ $< .S.obj: @am__fastdepCCAS_TRUE@ $(AM_V_CPPAS)depbase=`echo $@ | sed 's|[^/]*$$|$(DEPDIR)/&|;s|\.obj$$||'`;\ @am__fastdepCCAS_TRUE@ $(CPPASCOMPILE) -MT $@ -MD -MP -MF $$depbase.Tpo -c -o $@ `$(CYGPATH_W) '$<'` &&\ @am__fastdepCCAS_TRUE@ $(am__mv) $$depbase.Tpo $$depbase.Po @AMDEP_TRUE@@am__fastdepCCAS_FALSE@ $(AM_V_CPPAS)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCCAS_FALSE@ DEPDIR=$(DEPDIR) $(CCASDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCCAS_FALSE@ $(AM_V_CPPAS@am__nodep@)$(CPPASCOMPILE) -c -o $@ `$(CYGPATH_W) '$<'` ../src/parsers/strstr-asm/saganpeek-strstr_sse2.o: 
../src/parsers/strstr-asm/strstr_sse2.S @am__fastdepCCAS_TRUE@ $(AM_V_CPPAS)$(CCAS) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(saganpeek_CPPFLAGS) $(CPPFLAGS) $(AM_CCASFLAGS) $(CCASFLAGS) -MT ../src/parsers/strstr-asm/saganpeek-strstr_sse2.o -MD -MP -MF ../src/parsers/strstr-asm/$(DEPDIR)/saganpeek-strstr_sse2.Tpo -c -o ../src/parsers/strstr-asm/saganpeek-strstr_sse2.o `test -f '../src/parsers/strstr-asm/strstr_sse2.S' || echo '$(srcdir)/'`../src/parsers/strstr-asm/strstr_sse2.S @am__fastdepCCAS_TRUE@ $(AM_V_at)$(am__mv) ../src/parsers/strstr-asm/$(DEPDIR)/saganpeek-strstr_sse2.Tpo ../src/parsers/strstr-asm/$(DEPDIR)/saganpeek-strstr_sse2.Po @AMDEP_TRUE@@am__fastdepCCAS_FALSE@ $(AM_V_CPPAS)source='../src/parsers/strstr-asm/strstr_sse2.S' object='../src/parsers/strstr-asm/saganpeek-strstr_sse2.o' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCCAS_FALSE@ DEPDIR=$(DEPDIR) $(CCASDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCCAS_FALSE@ $(AM_V_CPPAS@am__nodep@)$(CCAS) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(saganpeek_CPPFLAGS) $(CPPFLAGS) $(AM_CCASFLAGS) $(CCASFLAGS) -c -o ../src/parsers/strstr-asm/saganpeek-strstr_sse2.o `test -f '../src/parsers/strstr-asm/strstr_sse2.S' || echo '$(srcdir)/'`../src/parsers/strstr-asm/strstr_sse2.S ../src/parsers/strstr-asm/saganpeek-strstr_sse2.obj: ../src/parsers/strstr-asm/strstr_sse2.S @am__fastdepCCAS_TRUE@ $(AM_V_CPPAS)$(CCAS) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(saganpeek_CPPFLAGS) $(CPPFLAGS) $(AM_CCASFLAGS) $(CCASFLAGS) -MT ../src/parsers/strstr-asm/saganpeek-strstr_sse2.obj -MD -MP -MF ../src/parsers/strstr-asm/$(DEPDIR)/saganpeek-strstr_sse2.Tpo -c -o ../src/parsers/strstr-asm/saganpeek-strstr_sse2.obj `if test -f '../src/parsers/strstr-asm/strstr_sse2.S'; then $(CYGPATH_W) '../src/parsers/strstr-asm/strstr_sse2.S'; else $(CYGPATH_W) '$(srcdir)/../src/parsers/strstr-asm/strstr_sse2.S'; fi` @am__fastdepCCAS_TRUE@ $(AM_V_at)$(am__mv) ../src/parsers/strstr-asm/$(DEPDIR)/saganpeek-strstr_sse2.Tpo 
../src/parsers/strstr-asm/$(DEPDIR)/saganpeek-strstr_sse2.Po @AMDEP_TRUE@@am__fastdepCCAS_FALSE@ $(AM_V_CPPAS)source='../src/parsers/strstr-asm/strstr_sse2.S' object='../src/parsers/strstr-asm/saganpeek-strstr_sse2.obj' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCCAS_FALSE@ DEPDIR=$(DEPDIR) $(CCASDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCCAS_FALSE@ $(AM_V_CPPAS@am__nodep@)$(CCAS) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(saganpeek_CPPFLAGS) $(CPPFLAGS) $(AM_CCASFLAGS) $(CCASFLAGS) -c -o ../src/parsers/strstr-asm/saganpeek-strstr_sse2.obj `if test -f '../src/parsers/strstr-asm/strstr_sse2.S'; then $(CYGPATH_W) '../src/parsers/strstr-asm/strstr_sse2.S'; else $(CYGPATH_W) '$(srcdir)/../src/parsers/strstr-asm/strstr_sse2.S'; fi` ../src/parsers/strstr-asm/saganpeek-strstr_sse4_2.o: ../src/parsers/strstr-asm/strstr_sse4_2.S @am__fastdepCCAS_TRUE@ $(AM_V_CPPAS)$(CCAS) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(saganpeek_CPPFLAGS) $(CPPFLAGS) $(AM_CCASFLAGS) $(CCASFLAGS) -MT ../src/parsers/strstr-asm/saganpeek-strstr_sse4_2.o -MD -MP -MF ../src/parsers/strstr-asm/$(DEPDIR)/saganpeek-strstr_sse4_2.Tpo -c -o ../src/parsers/strstr-asm/saganpeek-strstr_sse4_2.o `test -f '../src/parsers/strstr-asm/strstr_sse4_2.S' || echo '$(srcdir)/'`../src/parsers/strstr-asm/strstr_sse4_2.S @am__fastdepCCAS_TRUE@ $(AM_V_at)$(am__mv) ../src/parsers/strstr-asm/$(DEPDIR)/saganpeek-strstr_sse4_2.Tpo ../src/parsers/strstr-asm/$(DEPDIR)/saganpeek-strstr_sse4_2.Po @AMDEP_TRUE@@am__fastdepCCAS_FALSE@ $(AM_V_CPPAS)source='../src/parsers/strstr-asm/strstr_sse4_2.S' object='../src/parsers/strstr-asm/saganpeek-strstr_sse4_2.o' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCCAS_FALSE@ DEPDIR=$(DEPDIR) $(CCASDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCCAS_FALSE@ $(AM_V_CPPAS@am__nodep@)$(CCAS) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(saganpeek_CPPFLAGS) $(CPPFLAGS) $(AM_CCASFLAGS) $(CCASFLAGS) -c -o ../src/parsers/strstr-asm/saganpeek-strstr_sse4_2.o `test -f 
'../src/parsers/strstr-asm/strstr_sse4_2.S' || echo '$(srcdir)/'`../src/parsers/strstr-asm/strstr_sse4_2.S ../src/parsers/strstr-asm/saganpeek-strstr_sse4_2.obj: ../src/parsers/strstr-asm/strstr_sse4_2.S @am__fastdepCCAS_TRUE@ $(AM_V_CPPAS)$(CCAS) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(saganpeek_CPPFLAGS) $(CPPFLAGS) $(AM_CCASFLAGS) $(CCASFLAGS) -MT ../src/parsers/strstr-asm/saganpeek-strstr_sse4_2.obj -MD -MP -MF ../src/parsers/strstr-asm/$(DEPDIR)/saganpeek-strstr_sse4_2.Tpo -c -o ../src/parsers/strstr-asm/saganpeek-strstr_sse4_2.obj `if test -f '../src/parsers/strstr-asm/strstr_sse4_2.S'; then $(CYGPATH_W) '../src/parsers/strstr-asm/strstr_sse4_2.S'; else $(CYGPATH_W) '$(srcdir)/../src/parsers/strstr-asm/strstr_sse4_2.S'; fi` @am__fastdepCCAS_TRUE@ $(AM_V_at)$(am__mv) ../src/parsers/strstr-asm/$(DEPDIR)/saganpeek-strstr_sse4_2.Tpo ../src/parsers/strstr-asm/$(DEPDIR)/saganpeek-strstr_sse4_2.Po @AMDEP_TRUE@@am__fastdepCCAS_FALSE@ $(AM_V_CPPAS)source='../src/parsers/strstr-asm/strstr_sse4_2.S' object='../src/parsers/strstr-asm/saganpeek-strstr_sse4_2.obj' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCCAS_FALSE@ DEPDIR=$(DEPDIR) $(CCASDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCCAS_FALSE@ $(AM_V_CPPAS@am__nodep@)$(CCAS) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(saganpeek_CPPFLAGS) $(CPPFLAGS) $(AM_CCASFLAGS) $(CCASFLAGS) -c -o ../src/parsers/strstr-asm/saganpeek-strstr_sse4_2.obj `if test -f '../src/parsers/strstr-asm/strstr_sse4_2.S'; then $(CYGPATH_W) '../src/parsers/strstr-asm/strstr_sse4_2.S'; else $(CYGPATH_W) '$(srcdir)/../src/parsers/strstr-asm/strstr_sse4_2.S'; fi` .c.o: @am__fastdepCC_TRUE@ $(AM_V_CC)depbase=`echo $@ | sed 's|[^/]*$$|$(DEPDIR)/&|;s|\.o$$||'`;\ @am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $$depbase.Tpo -c -o $@ $< &&\ @am__fastdepCC_TRUE@ $(am__mv) $$depbase.Tpo $$depbase.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) 
$(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c -o $@ $< .c.obj: @am__fastdepCC_TRUE@ $(AM_V_CC)depbase=`echo $@ | sed 's|[^/]*$$|$(DEPDIR)/&|;s|\.obj$$||'`;\ @am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $$depbase.Tpo -c -o $@ `$(CYGPATH_W) '$<'` &&\ @am__fastdepCC_TRUE@ $(am__mv) $$depbase.Tpo $$depbase.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c -o $@ `$(CYGPATH_W) '$<'` saganpeek-saganpeek.o: saganpeek.c @am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(saganpeek_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT saganpeek-saganpeek.o -MD -MP -MF $(DEPDIR)/saganpeek-saganpeek.Tpo -c -o saganpeek-saganpeek.o `test -f 'saganpeek.c' || echo '$(srcdir)/'`saganpeek.c @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/saganpeek-saganpeek.Tpo $(DEPDIR)/saganpeek-saganpeek.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='saganpeek.c' object='saganpeek-saganpeek.o' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(saganpeek_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o saganpeek-saganpeek.o `test -f 'saganpeek.c' || echo '$(srcdir)/'`saganpeek.c saganpeek-saganpeek.obj: saganpeek.c @am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(saganpeek_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT saganpeek-saganpeek.obj -MD -MP -MF $(DEPDIR)/saganpeek-saganpeek.Tpo -c -o saganpeek-saganpeek.obj `if test -f 'saganpeek.c'; then $(CYGPATH_W) 'saganpeek.c'; else $(CYGPATH_W) '$(srcdir)/saganpeek.c'; fi` @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/saganpeek-saganpeek.Tpo 
$(DEPDIR)/saganpeek-saganpeek.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='saganpeek.c' object='saganpeek-saganpeek.obj' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(saganpeek_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o saganpeek-saganpeek.obj `if test -f 'saganpeek.c'; then $(CYGPATH_W) 'saganpeek.c'; else $(CYGPATH_W) '$(srcdir)/saganpeek.c'; fi` ../src/saganpeek-util-strlcpy.o: ../src/util-strlcpy.c @am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(saganpeek_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ../src/saganpeek-util-strlcpy.o -MD -MP -MF ../src/$(DEPDIR)/saganpeek-util-strlcpy.Tpo -c -o ../src/saganpeek-util-strlcpy.o `test -f '../src/util-strlcpy.c' || echo '$(srcdir)/'`../src/util-strlcpy.c @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) ../src/$(DEPDIR)/saganpeek-util-strlcpy.Tpo ../src/$(DEPDIR)/saganpeek-util-strlcpy.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='../src/util-strlcpy.c' object='../src/saganpeek-util-strlcpy.o' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(saganpeek_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ../src/saganpeek-util-strlcpy.o `test -f '../src/util-strlcpy.c' || echo '$(srcdir)/'`../src/util-strlcpy.c ../src/saganpeek-util-strlcpy.obj: ../src/util-strlcpy.c @am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(saganpeek_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ../src/saganpeek-util-strlcpy.obj -MD -MP -MF ../src/$(DEPDIR)/saganpeek-util-strlcpy.Tpo -c -o ../src/saganpeek-util-strlcpy.obj `if test -f '../src/util-strlcpy.c'; then $(CYGPATH_W) '../src/util-strlcpy.c'; else $(CYGPATH_W) 
'$(srcdir)/../src/util-strlcpy.c'; fi` @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) ../src/$(DEPDIR)/saganpeek-util-strlcpy.Tpo ../src/$(DEPDIR)/saganpeek-util-strlcpy.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='../src/util-strlcpy.c' object='../src/saganpeek-util-strlcpy.obj' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(saganpeek_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ../src/saganpeek-util-strlcpy.obj `if test -f '../src/util-strlcpy.c'; then $(CYGPATH_W) '../src/util-strlcpy.c'; else $(CYGPATH_W) '$(srcdir)/../src/util-strlcpy.c'; fi` ../src/saganpeek-util-strlcat.o: ../src/util-strlcat.c @am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(saganpeek_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ../src/saganpeek-util-strlcat.o -MD -MP -MF ../src/$(DEPDIR)/saganpeek-util-strlcat.Tpo -c -o ../src/saganpeek-util-strlcat.o `test -f '../src/util-strlcat.c' || echo '$(srcdir)/'`../src/util-strlcat.c @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) ../src/$(DEPDIR)/saganpeek-util-strlcat.Tpo ../src/$(DEPDIR)/saganpeek-util-strlcat.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='../src/util-strlcat.c' object='../src/saganpeek-util-strlcat.o' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(saganpeek_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ../src/saganpeek-util-strlcat.o `test -f '../src/util-strlcat.c' || echo '$(srcdir)/'`../src/util-strlcat.c ../src/saganpeek-util-strlcat.obj: ../src/util-strlcat.c @am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(saganpeek_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ../src/saganpeek-util-strlcat.obj -MD -MP -MF 
../src/$(DEPDIR)/saganpeek-util-strlcat.Tpo -c -o ../src/saganpeek-util-strlcat.obj `if test -f '../src/util-strlcat.c'; then $(CYGPATH_W) '../src/util-strlcat.c'; else $(CYGPATH_W) '$(srcdir)/../src/util-strlcat.c'; fi` @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) ../src/$(DEPDIR)/saganpeek-util-strlcat.Tpo ../src/$(DEPDIR)/saganpeek-util-strlcat.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='../src/util-strlcat.c' object='../src/saganpeek-util-strlcat.obj' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(saganpeek_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ../src/saganpeek-util-strlcat.obj `if test -f '../src/util-strlcat.c'; then $(CYGPATH_W) '../src/util-strlcat.c'; else $(CYGPATH_W) '$(srcdir)/../src/util-strlcat.c'; fi` ../src/saganpeek-util.o: ../src/util.c @am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(saganpeek_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ../src/saganpeek-util.o -MD -MP -MF ../src/$(DEPDIR)/saganpeek-util.Tpo -c -o ../src/saganpeek-util.o `test -f '../src/util.c' || echo '$(srcdir)/'`../src/util.c @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) ../src/$(DEPDIR)/saganpeek-util.Tpo ../src/$(DEPDIR)/saganpeek-util.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='../src/util.c' object='../src/saganpeek-util.o' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(saganpeek_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ../src/saganpeek-util.o `test -f '../src/util.c' || echo '$(srcdir)/'`../src/util.c ../src/saganpeek-util.obj: ../src/util.c @am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(saganpeek_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT 
../src/saganpeek-util.obj -MD -MP -MF ../src/$(DEPDIR)/saganpeek-util.Tpo -c -o ../src/saganpeek-util.obj `if test -f '../src/util.c'; then $(CYGPATH_W) '../src/util.c'; else $(CYGPATH_W) '$(srcdir)/../src/util.c'; fi` @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) ../src/$(DEPDIR)/saganpeek-util.Tpo ../src/$(DEPDIR)/saganpeek-util.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='../src/util.c' object='../src/saganpeek-util.obj' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(saganpeek_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ../src/saganpeek-util.obj `if test -f '../src/util.c'; then $(CYGPATH_W) '../src/util.c'; else $(CYGPATH_W) '$(srcdir)/../src/util.c'; fi` ../src/saganpeek-util-time.o: ../src/util-time.c @am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(saganpeek_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ../src/saganpeek-util-time.o -MD -MP -MF ../src/$(DEPDIR)/saganpeek-util-time.Tpo -c -o ../src/saganpeek-util-time.o `test -f '../src/util-time.c' || echo '$(srcdir)/'`../src/util-time.c @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) ../src/$(DEPDIR)/saganpeek-util-time.Tpo ../src/$(DEPDIR)/saganpeek-util-time.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='../src/util-time.c' object='../src/saganpeek-util-time.o' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(saganpeek_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ../src/saganpeek-util-time.o `test -f '../src/util-time.c' || echo '$(srcdir)/'`../src/util-time.c ../src/saganpeek-util-time.obj: ../src/util-time.c @am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(saganpeek_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) 
$(CFLAGS) -MT ../src/saganpeek-util-time.obj -MD -MP -MF ../src/$(DEPDIR)/saganpeek-util-time.Tpo -c -o ../src/saganpeek-util-time.obj `if test -f '../src/util-time.c'; then $(CYGPATH_W) '../src/util-time.c'; else $(CYGPATH_W) '$(srcdir)/../src/util-time.c'; fi` @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) ../src/$(DEPDIR)/saganpeek-util-time.Tpo ../src/$(DEPDIR)/saganpeek-util-time.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='../src/util-time.c' object='../src/saganpeek-util-time.obj' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(saganpeek_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ../src/saganpeek-util-time.obj `if test -f '../src/util-time.c'; then $(CYGPATH_W) '../src/util-time.c'; else $(CYGPATH_W) '$(srcdir)/../src/util-time.c'; fi` ../src/saganpeek-lockfile.o: ../src/lockfile.c @am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(saganpeek_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ../src/saganpeek-lockfile.o -MD -MP -MF ../src/$(DEPDIR)/saganpeek-lockfile.Tpo -c -o ../src/saganpeek-lockfile.o `test -f '../src/lockfile.c' || echo '$(srcdir)/'`../src/lockfile.c @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) ../src/$(DEPDIR)/saganpeek-lockfile.Tpo ../src/$(DEPDIR)/saganpeek-lockfile.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='../src/lockfile.c' object='../src/saganpeek-lockfile.o' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(saganpeek_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ../src/saganpeek-lockfile.o `test -f '../src/lockfile.c' || echo '$(srcdir)/'`../src/lockfile.c ../src/saganpeek-lockfile.obj: ../src/lockfile.c @am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) 
$(DEFAULT_INCLUDES) $(INCLUDES) $(saganpeek_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ../src/saganpeek-lockfile.obj -MD -MP -MF ../src/$(DEPDIR)/saganpeek-lockfile.Tpo -c -o ../src/saganpeek-lockfile.obj `if test -f '../src/lockfile.c'; then $(CYGPATH_W) '../src/lockfile.c'; else $(CYGPATH_W) '$(srcdir)/../src/lockfile.c'; fi` @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) ../src/$(DEPDIR)/saganpeek-lockfile.Tpo ../src/$(DEPDIR)/saganpeek-lockfile.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='../src/lockfile.c' object='../src/saganpeek-lockfile.obj' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(saganpeek_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ../src/saganpeek-lockfile.obj `if test -f '../src/lockfile.c'; then $(CYGPATH_W) '../src/lockfile.c'; else $(CYGPATH_W) '$(srcdir)/../src/lockfile.c'; fi` ../src/parsers/strstr-asm/saganpeek-strstr-hook.o: ../src/parsers/strstr-asm/strstr-hook.c @am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(saganpeek_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ../src/parsers/strstr-asm/saganpeek-strstr-hook.o -MD -MP -MF ../src/parsers/strstr-asm/$(DEPDIR)/saganpeek-strstr-hook.Tpo -c -o ../src/parsers/strstr-asm/saganpeek-strstr-hook.o `test -f '../src/parsers/strstr-asm/strstr-hook.c' || echo '$(srcdir)/'`../src/parsers/strstr-asm/strstr-hook.c @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) ../src/parsers/strstr-asm/$(DEPDIR)/saganpeek-strstr-hook.Tpo ../src/parsers/strstr-asm/$(DEPDIR)/saganpeek-strstr-hook.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='../src/parsers/strstr-asm/strstr-hook.c' object='../src/parsers/strstr-asm/saganpeek-strstr-hook.o' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) 
$(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(saganpeek_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ../src/parsers/strstr-asm/saganpeek-strstr-hook.o `test -f '../src/parsers/strstr-asm/strstr-hook.c' || echo '$(srcdir)/'`../src/parsers/strstr-asm/strstr-hook.c ../src/parsers/strstr-asm/saganpeek-strstr-hook.obj: ../src/parsers/strstr-asm/strstr-hook.c @am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(saganpeek_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ../src/parsers/strstr-asm/saganpeek-strstr-hook.obj -MD -MP -MF ../src/parsers/strstr-asm/$(DEPDIR)/saganpeek-strstr-hook.Tpo -c -o ../src/parsers/strstr-asm/saganpeek-strstr-hook.obj `if test -f '../src/parsers/strstr-asm/strstr-hook.c'; then $(CYGPATH_W) '../src/parsers/strstr-asm/strstr-hook.c'; else $(CYGPATH_W) '$(srcdir)/../src/parsers/strstr-asm/strstr-hook.c'; fi` @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) ../src/parsers/strstr-asm/$(DEPDIR)/saganpeek-strstr-hook.Tpo ../src/parsers/strstr-asm/$(DEPDIR)/saganpeek-strstr-hook.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='../src/parsers/strstr-asm/strstr-hook.c' object='../src/parsers/strstr-asm/saganpeek-strstr-hook.obj' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(saganpeek_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ../src/parsers/strstr-asm/saganpeek-strstr-hook.obj `if test -f '../src/parsers/strstr-asm/strstr-hook.c'; then $(CYGPATH_W) '../src/parsers/strstr-asm/strstr-hook.c'; else $(CYGPATH_W) '$(srcdir)/../src/parsers/strstr-asm/strstr-hook.c'; fi` ID: $(am__tagged_files) $(am__define_uniq_tagged_files); mkid -fID $$unique tags: tags-am TAGS: tags tags-am: $(TAGS_DEPENDENCIES) $(am__tagged_files) set x; \ here=`pwd`; \ $(am__define_uniq_tagged_files); \ shift; \ if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \ test -n "$$unique" || 
unique=$$empty_fix; \ if test $$# -gt 0; then \ $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ "$$@" $$unique; \ else \ $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ $$unique; \ fi; \ fi ctags: ctags-am CTAGS: ctags ctags-am: $(TAGS_DEPENDENCIES) $(am__tagged_files) $(am__define_uniq_tagged_files); \ test -z "$(CTAGS_ARGS)$$unique" \ || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \ $$unique GTAGS: here=`$(am__cd) $(top_builddir) && pwd` \ && $(am__cd) $(top_srcdir) \ && gtags -i $(GTAGS_ARGS) "$$here" cscopelist: cscopelist-am cscopelist-am: $(am__tagged_files) list='$(am__tagged_files)'; \ case "$(srcdir)" in \ [\\/]* | ?:[\\/]*) sdir="$(srcdir)" ;; \ *) sdir=$(subdir)/$(srcdir) ;; \ esac; \ for i in $$list; do \ if test -f "$$i"; then \ echo "$(subdir)/$$i"; \ else \ echo "$$sdir/$$i"; \ fi; \ done >> $(top_builddir)/cscope.files distclean-tags: -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags distdir: $(DISTFILES) @srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ list='$(DISTFILES)'; \ dist_files=`for file in $$list; do echo $$file; done | \ sed -e "s|^$$srcdirstrip/||;t" \ -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \ case $$dist_files in \ */*) $(MKDIR_P) `echo "$$dist_files" | \ sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \ sort -u` ;; \ esac; \ for file in $$dist_files; do \ if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ if test -d $$d/$$file; then \ dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \ if test -d "$(distdir)/$$file"; then \ find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ fi; \ if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \ find "$(distdir)/$$file" -type d ! 
-perm -700 -exec chmod u+rwx {} \;; \ fi; \ cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \ else \ test -f "$(distdir)/$$file" \ || cp -p $$d/$$file "$(distdir)/$$file" \ || exit 1; \ fi; \ done check-am: all-am check: check-am all-am: Makefile $(PROGRAMS) installdirs: for dir in "$(DESTDIR)$(bindir)"; do \ test -z "$$dir" || $(MKDIR_P) "$$dir"; \ done install: install-am install-exec: install-exec-am install-data: install-data-am uninstall: uninstall-am install-am: all-am @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am installcheck: installcheck-am install-strip: if test -z '$(STRIP)'; then \ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ install; \ else \ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \ fi mostlyclean-generic: clean-generic: distclean-generic: -test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES) -test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES) -rm -f ../src/$(DEPDIR)/$(am__dirstamp) -rm -f ../src/$(am__dirstamp) -rm -f ../src/parsers/strstr-asm/$(DEPDIR)/$(am__dirstamp) -rm -f ../src/parsers/strstr-asm/$(am__dirstamp) maintainer-clean-generic: @echo "This command is intended for maintainers to use" @echo "it deletes files that may require special tools to rebuild." 
clean: clean-am clean-am: clean-binPROGRAMS clean-generic mostlyclean-am distclean: distclean-am -rm -rf ../src/$(DEPDIR) ../src/parsers/strstr-asm/$(DEPDIR) ./$(DEPDIR) -rm -f Makefile distclean-am: clean-am distclean-compile distclean-generic \ distclean-tags dvi: dvi-am dvi-am: html: html-am html-am: info: info-am info-am: install-data-am: install-dvi: install-dvi-am install-dvi-am: install-exec-am: install-binPROGRAMS install-html: install-html-am install-html-am: install-info: install-info-am install-info-am: install-man: install-pdf: install-pdf-am install-pdf-am: install-ps: install-ps-am install-ps-am: installcheck-am: maintainer-clean: maintainer-clean-am -rm -rf ../src/$(DEPDIR) ../src/parsers/strstr-asm/$(DEPDIR) ./$(DEPDIR) -rm -f Makefile maintainer-clean-am: distclean-am maintainer-clean-generic mostlyclean: mostlyclean-am mostlyclean-am: mostlyclean-compile mostlyclean-generic pdf: pdf-am pdf-am: ps: ps-am ps-am: uninstall-am: uninstall-binPROGRAMS .MAKE: install-am install-strip .PHONY: CTAGS GTAGS TAGS all all-am check check-am clean \ clean-binPROGRAMS clean-generic cscopelist-am ctags ctags-am \ distclean distclean-compile distclean-generic distclean-tags \ distdir dvi dvi-am html html-am info info-am install \ install-am install-binPROGRAMS install-data install-data-am \ install-dvi install-dvi-am install-exec install-exec-am \ install-html install-html-am install-info install-info-am \ install-man install-pdf install-pdf-am install-ps \ install-ps-am install-strip installcheck installcheck-am \ installdirs maintainer-clean maintainer-clean-generic \ mostlyclean mostlyclean-compile mostlyclean-generic pdf pdf-am \ ps ps-am tags tags-am uninstall uninstall-am \ uninstall-binPROGRAMS install-data-local: # Tell versions [3.59,3.63) of GNU make to not export all variables. # Otherwise a system limit (for SysV at least) may be exceeded. .NOEXPORT: