├── APT31
│   └── apt31.rules
├── CVE-2016-0800
│   ├── cve-2016-0800.rules
│   └── pcap.zip
├── CVE-2016-1285
│   ├── cve-2016-1285.rules
│   └── pcap.zip
├── CVE-2016-2208
│   ├── cve-2016-2208.rules
│   └── pcap.zip
├── CVE-2016-2386
│   └── cve-2016-2386.rules
├── CVE-2016-3078
│   ├── cve-2016-3078.rules
│   └── pcap.zip
├── CVE-2016-3087
│   ├── cve-2016-3087.rules
│   └── pcap.zip
├── CVE-2016-4010
│   ├── cve-2016-4010.rules
│   └── pcap.zip
├── CVE-2016-4971
│   ├── cve-2016-4971.rules
│   └── pcap.zip
├── CVE-2016-6304
│   ├── CVE-2016-6304.rules
│   └── pcap.zip
├── CVE-2016-6366
│   └── cve-2016-6366.rules
├── CVE-2016-6367
│   ├── cve-2016-6367.rules
│   └── pcaps.zip
├── CVE-2016-6662
│   └── CVE-2016-6662.rules
├── CVE-2016-7237
│   ├── CVE-2016-7237.rules
│   └── pcap.zip
├── CVE-2016-7636
│   └── CVE-2016-7636.rules
├── CVE-2016-9147
│   └── CVE-2016-9147.rules
├── CVE-2016-9565
│   └── CVE-2016-9565.rules
├── CVE-2017-13089
│   └── cve-2017-13089.rules
├── CVE-2017-14492
│   └── cve-2017-14492.rules
├── CVE-2017-14493
│   └── cve-2017-14493.rules
├── CVE-2017-14494
│   └── cve-2017-14494.rules
├── CVE-2017-16943
│   └── cve-2017-16943.rules
├── CVE-2017-2491
│   └── CVE-2017-2491.rules
├── CVE-2017-3143
│   ├── cve-2017-3143.rules
│   └── pcap.zip
├── CVE-2017-5638
│   └── CVE-2017-5638.rules
├── CVE-2017-7269
│   └── CVE-2017-7269.rules
├── CVE-2017-7494
│   ├── CVE-2017-7494.rules
│   └── pcap.zip
├── CVE-2017-8045
│   └── CVE-2017-8045.rules
├── CVE-2017-9798
│   ├── CVE-2017-9798.rules
│   └── pcap.zip
├── CVE-2018-0171
│   └── cve-2018-0171.rules
├── CVE-2018-0886
│   └── cve-2018-0886.rules
├── CVE-2018-1000006
│   └── cve-2018-1000006.rules
├── CVE-2018-1000207
│   └── cve-2018-1000207.rules
├── CVE-2018-1111
│   └── cve-2018-1111.rules
├── CVE-2018-1306
│   └── cve-2018-1306.rules
├── CVE-2018-14847
│   └── cve-2018-14847.rules
├── CVE-2018-15379
│   └── cve-2018-15379.rules
├── CVE-2018-15442
│   └── cve-2018-15442.rules
├── CVE-2018-15454
│   └── cve-2018-15454.rules
├── CVE-2018-17245
│   └── cve-2018-17245.rules
├── CVE-2018-5955
│   └── cve-2018-5955.rules
├── CVE-2018-6789
│   └── cve-2018-6789.rules
├── CVE-2018-7445
│   ├── cve-2018-7445.rules
│   └── pcap.zip
├── CVE-2018-7600
│   └── cve-2018-7600.rules
├── CVE-2018-7602
│   └── cve-2018-7602.rules
├── CVE-2018-8495
│   └── cve-2018-8495.rules
├── CVE-2018-8581
│   └── cve-2018-8581.rules
├── CVE-2019-0227
│   └── cve-2019-0227.rules
├── CVE-2019-0232
│   └── cve-2019-0232.rules
├── CVE-2019-0708
│   └── cve-2019-0708.rules
├── CVE-2019-1003001
│   └── cve-2019-1003001.rules
├── CVE-2019-2618
│   └── cve-2019-2618.rules
├── CVE-2019-2725
│   ├── cve-2019-2725.rules
│   └── pcap.zip
├── CVE-2019-3396
│   └── cve-2019-3396.rules
├── CVE-2019-3924
│   └── cve-2019-3924.rules
├── CVE-2019-3978
│   └── cve-2019-3978.rules
├── CVE-2019-6340
│   └── cve-2019-6340.rules
├── CVE-2020-0601
│   └── cve-2020-0601.rules
├── CVE-2020-0796
│   └── cve-2020-0796.rules
├── CVE-2020-1350
│   └── cve-2020-1350.rules
├── CVE-2020-14882
│   └── cve-2020-14882.rules
├── CVE-2021-41773
│   └── cve-2021-41773.rules
├── CVE-2022-23131
│   └── cve-2022-23131.rules
├── DNS Rebinding
│   └── dns_rebinding.rules
├── DarkHVNC
│   └── darkhvnc.rules
├── Dridex
│   ├── dridex.rules
│   └── pcap.zip
├── FreePBX_13_14_rce
│   ├── FreePBX_13_14_rce.rules
│   └── pcap.zip
├── GraphicsMagick_shell_vulnerability
│   └── GraphicsMagick.rules
├── LICENSE
├── Log4Shell
│   └── log4shell.rules
├── MS17-010
│   └── ms17-010.rules
├── Microtik Router OS Stack Clash
│   └── microtik_router_os_stack_clash.rules
├── Neutrino
│   └── neutrino.rules
├── Omnivista_8770_RCE
│   └── omnivista_8770_rce.rules
├── PetitPotam
│   └── petitpotam.rules
├── PowerShell Empire
│   ├── pcap.zip
│   └── power_shell_empire.rules
├── PrintNightmare
│   └── printnightmare.rules
├── README.md
├── SilentTrinity
│   └── silenttrinity.rules
├── Spring4Shell
│   └── Spring4Shell.rules
├── Squid 3.5 http cache poisoning
│   └── squid.rules
├── Suricon2018
│   ├── Detect_Malicious_Communications_Even_Under_TLS.rules
│   └── readme.md
├── SystemNightmare
│   └── systemnightmare.rules
├── Telegram
│   └── telegram.rules
├── ThePrinterBug
│   └── theprinterbug.rules
├── aes.ddos.dofloo
│   └── aes.ddos.dofloo.rules
├── apache_continuum_cmd_injection
│   ├── continuum_cmd_injection.rules
│   └── pcap.zip
├── badtunnel
│   └── badtunnel.rules
├── carbanak_pegasus
│   └── carbanak_pegasus.rules
├── dcshadow
│   ├── dcshadow.rules
│   └── pcap.zip
├── eternalblue(WannaCry,Petya)
│   └── eternalblue(WannaCry,Petya).rules
├── httpoxy
│   ├── httpoxy.rules
│   └── pcap.zip
├── ios 10.1.x remote memory corruption
│   └── ios_10.1.x_remote_memory_corruption.rules
├── nfcapd
│   ├── nfcapd.rules
│   └── pcap.zip
├── phpggc
│   └── phpggc.rules
├── policy
│   └── policy.rules
├── pt.rules.tar.gz
├── pt.rules.tar.gz.md5
├── rConfig_rce
│   └── rconfig_rce.rules
├── raisecom_gpon_rce
│   └── raisecom_gpon_rce.rules
├── redis_replication_rce
│   └── redis_replication_rce.rules
├── scm_tools_rce
│   └── scm_tools_rce.rules
├── tools
│   └── burp_suite.rules
├── vBulletin_5.x_rce
│   └── vbulletin_5.x_rce.rules
├── wannamine
│   ├── pcap.zip
│   └── wannamine.rules
├── wordpress LearnDash plugin arbitrary file upload
│   └── wordpress_learnlash_plugin_arbitrary_file_upload.rules
└── xfreerdp
    └── xfreerdp.rules

/APT31/apt31.rules:

# Rules 10006530 and 10006531 work in appliances with ssl/tls mitm
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "BACKDOOR [PTsecurity] SSVagent.APT31"; flow: established, to_server; content: "|00 00 00 01 00 00 00 01 00 00 00|"; offset: 1; depth: 11; http_client_body; pcre: "/^[A-F-0-9]{32}/RP"; reference: url, github.com/ptresearch/AttackDetection; metadata: created_at 2021_05_13, updated_at 2021_05_14; classtype: trojan-activity; sid: 10006530; rev: 1;)

## Snort version
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg: "BACKDOOR [PTsecurity] SSVagent.APT31"; flow: established, to_server; content: "POST"; depth: 4; content: "|0d0a 0d0a|"; within: 300; content: "|00 00 00 01 00 00 00 01 00 00 00|"; distance: 1; within: 11; pcre: "/^[A-F-0-9]{32}/R"; reference: url, github.com/ptresearch/AttackDetection; classtype: trojan-activity; sid: 10006530; rev: 1;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "BACKDOOR [PTsecurity] Possible SSVagent.APT31"; flow: established, to_server; content: "|00 00 00|"; offset: 1; depth: 3; http_client_body; pcre: "/^.{12}[A-F-0-9]{32}/P"; content: "|0d0a 0d0a|"; depth: 300; byte_jump: 1, 0, relative; isdataat: !5, relative; classtype: trojan-activity; sid: 10006531; rev: 2;)

alert tcp any any -> any any (msg: "BACKDOOR [PTsecurity] SSVagent.APT31 SSL certificate"; flow: established, from_server; content: "|550403|"; depth: 3000; content: "|10|www.flushcdn.com0"; distance: 1; within: 18; content: "|55040a|"; depth: 3000; content: "|08|GoGetSSL1"; distance: 1; within: 10; reference: url, github.com/ptresearch/AttackDetection; classtype: trojan-activity; sid: 10006685; rev: 1;)

/CVE-2016-0800/cve-2016-0800.rules:

#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg: "ATTACK [PTsecurity] SSLv2 Hello flood. Possible DROWN attack"; flow: established,to_server; ssl_version: sslv2; ssl_state: client_hello; content: "|01 00 02|"; offset: 2; depth: 3; threshold: type both, track by_src, count 30, seconds 10; reference: url, drownattack.com; reference: cve, 2016-0800; classtype: attempted-recon; reference: url, github.com/ptresearch/AttackDetection; sid: 10000010; rev:1;)

/CVE-2016-0800/pcap.zip: https://raw.githubusercontent.com/ptresearch/AttackDetection/c97fab325bba4baaf7a80d1c2e398ffe7161a163/CVE-2016-0800/pcap.zip

/CVE-2016-1285/cve-2016-1285.rules:

alert tcp any any -> $HOME_NET any (msg: "ATTACK [PTsecurity] Attempt to crash named using malformed RNDC packet"; flow: established, to_server; content:"_auth"; depth: 20; fast_pattern; content: !"|02 00 00 00|"; within: 4; content: "_ctrl"; content: "_ser"; content: "_tim"; content: "_exp"; reference: cve, 2016-1285; classtype: attempted-dos; reference: url, github.com/ptresearch/AttackDetection; sid: 10000005; rev: 3; )

alert tcp any any -> $HOME_NET any (msg: "ATTACK [PTsecurity] Attempt to crash named using malformed RNDC packet"; flow: established, to_server; content:"_auth"; depth: 20; fast_pattern; content: !"|01 00 00 00|"; distance: 10; within: 4; content: "_ctrl"; content: "_ser"; content: "_tim"; content: "_exp"; reference: cve, 2016-1285; classtype: attempted-dos; reference: url, github.com/ptresearch/AttackDetection; sid: 10000006; rev: 3; )

/CVE-2016-1285/pcap.zip: https://raw.githubusercontent.com/ptresearch/AttackDetection/c97fab325bba4baaf7a80d1c2e398ffe7161a163/CVE-2016-1285/pcap.zip

/CVE-2016-2208/cve-2016-2208.rules:

#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg: "ATTACK [PTsecurity] RCE attempt via malformed ASPack"; content: "M"; offset: 0; depth: 2; content: "Z"; distance: -2; within: 3; content: "PE"; offset: 64; depth: 2; byte_test: 4, >, 0, 70, little; byte_extract: 4, 144, cve20162208, little; byte_test: 4, >, cve20162208, 328, little; reference: cve, 2016-2208; reference: url, bugs.chromium.org/p/project-zero/issues/detail?id=820; classtype: attempted-dos; reference: url, github.com/ptresearch/AttackDetection; sid: 10000057; rev: 1;)

/CVE-2016-2208/pcap.zip: https://raw.githubusercontent.com/ptresearch/AttackDetection/c97fab325bba4baaf7a80d1c2e398ffe7161a163/CVE-2016-2208/pcap.zip

/CVE-2016-2386/cve-2016-2386.rules:

alert http any any -> $HOME_NET any (msg: "ATTACK [PTsecurity] SAP NetWeaver AS Java UDDI 7.11-7.50 SQL Injection (CVE-2016-2386)"; flow: established, to_server; content: "POST"; http_method; content: "/UDDISecurityService/UDDISecurityImplBean"; http_uri; fast_pattern; content: "permissionId"; http_client_body; content: "|27|"; http_client_body; distance: 0; pcre: "/permissionId\s*>[^<]+?\x27/Pi"; reference: cve, 2016-2386; reference: url, github.com/vah13/SAP_exploit; classtype: attempted-recon; reference: url, github.com/ptresearch/AttackDetection; sid: 10002408; rev: 1; )

/CVE-2016-3078/cve-2016-3078.rules:

alert http $EXTERNAL_NET any -> $HOME_NET any (msg: "ATTACK [PTsecurity] PHP7 x86 heap overflow attempt via crafted zip archive"; flow: established, to_server; content: "POST"; http_method; content:"PK|01 02|"; fast_pattern; content: "|FF FF FF|"; distance: 21; within: 3; content:"PK|01 02|"; distance: 0; content: "|FF FF FF|"; distance: 21; within: 3; content:"PK|01 02|"; distance: 0; content: "|FF FF FF|"; distance: 21; within: 3; content:"PK|01 02|"; distance: 0; content: "|FF FF FF|"; distance: 21; within: 3; reference: cve, 2016-3078; reference: url, github.com/dyntopia/exploits/blob/master/CVE-2016-3078; classtype: attempted-admin; reference: url, github.com/ptresearch/AttackDetection; sid: 10000037; rev: 1; )

/CVE-2016-3078/pcap.zip: https://raw.githubusercontent.com/ptresearch/AttackDetection/c97fab325bba4baaf7a80d1c2e398ffe7161a163/CVE-2016-3078/pcap.zip

/CVE-2016-3087/cve-2016-3087.rules:

alert http $EXTERNAL_NET any -> $HOME_NET any (msg: "ATTACK [PTsecurity] Apache Struts 2.3.20-2.3.28.1 Privilege Escalation attempt"; content: "#_memberAccess"; http_uri; content: "="; http_uri; distance: 0; content: "@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS"; http_uri; distance: 0; reference: cve, 2016-0785; reference: cve, 2016-3081; reference: cve, 2016-3087; reference: cve, 2016-3093; reference: cve, 2016-4438; reference: url, struts.apache.org/docs/s2-029.html; reference: url, struts.apache.org/docs/s2-032.html; reference: url, struts.apache.org/docs/s2-033.html; reference: url, struts.apache.org/docs/s2-034.html; reference: url, struts.apache.org/docs/s2-037.html; classtype: attempted-admin; reference: url, github.com/ptresearch/AttackDetection; sid: 10000049; rev: 1;)

/CVE-2016-3087/pcap.zip: https://raw.githubusercontent.com/ptresearch/AttackDetection/c97fab325bba4baaf7a80d1c2e398ffe7161a163/CVE-2016-3087/pcap.zip

/CVE-2016-4010/cve-2016-4010.rules:

alert http $EXTERNAL_NET any -> $HOME_NET any (msg: "ATTACK [PTsecurity] Magento < 2.0.6 Arbitrary write file"; content: "rest/V1/guest-carts/"; http_raw_uri; content: "set-payment-information"; http_raw_uri; fast_pattern; content: "|5C 75 30 30 30 30|"; content: "Magento\\\\Sales\\\\Model\\\\Order\\\\Payment\\\\Transaction"; reference: cve, 2016-4010; reference: url, netanelrub.in/2016/05/17/magento-unauthenticated-remote-code-execution; classtype: web-application-attack; reference: url, github.com/ptresearch/AttackDetection; sid: 10000042; rev: 1;)

/CVE-2016-4010/pcap.zip: https://raw.githubusercontent.com/ptresearch/AttackDetection/c97fab325bba4baaf7a80d1c2e398ffe7161a163/CVE-2016-4010/pcap.zip

/CVE-2016-4971/cve-2016-4971.rules:

alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "ATTACK [PTsecurity] GNU Wget http request"; content: "wget"; http_user_agent; nocase; depth: 4; flowbits: set, 10000062; flowbits: noalert; reference: cve, 2016-4971; classtype:bad-unknown; reference: url, legalhackers.com/advisories/Wget-Arbitrary-File-Upload-Vulnerability-Exploit.txt; reference: url, github.com/ptresearch/AttackDetection; sid: 10000062; rev: 2; )

alert http $EXTERNAL_NET any -> $HOME_NET any (msg: "ATTACK [PTsecurity] GNU Wget < 1.18 Arbitrary File Upload / Potential Remote Code Execution"; flowbits: isset, 10000062; content: "30"; http_stat_code; depth: 2; content: "Location: ftp://"; nocase; http_header; reference: cve, 2016-4971; classtype:bad-unknown; reference: url, legalhackers.com/advisories/Wget-Arbitrary-File-Upload-Vulnerability-Exploit.txt; reference: url, github.com/ptresearch/AttackDetection; sid: 10000063; rev: 2; )

/CVE-2016-4971/pcap.zip: https://raw.githubusercontent.com/ptresearch/AttackDetection/c97fab325bba4baaf7a80d1c2e398ffe7161a163/CVE-2016-4971/pcap.zip

/CVE-2016-6304/CVE-2016-6304.rules:

alert tls $EXTERNAL_NET any -> $HOME_NET any (msg: "ATTACK [PTsecurity] Likely OpenSSL TLS renegotiations DoS"; flow: to_server, no_stream; content: "|16|"; depth: 1; flowint: tlshandshakecount, +, 1; flowbits: noalert; reference: url, security.360.cn/cve/CVE-2016-6304/; reference: cve, 2016-6304; classtype: attempted-dos; reference: url, github.com/ptresearch/AttackDetection; sid: 10000131; rev: 3; )

/CVE-2016-6304/pcap.zip: https://raw.githubusercontent.com/ptresearch/AttackDetection/c97fab325bba4baaf7a80d1c2e398ffe7161a163/CVE-2016-6304/pcap.zip

/CVE-2016-6366/cve-2016-6366.rules:

alert udp any any -> $HOME_NET 161 (msg: "ATTACK [PTsecurity] Cisco Adaptive Security Appliance 8.x SNMP overflow RCE Probe"; content: "|a035020100020100020100302a300c06082b060102010101000500300c06082b060102010103000500300c06082b060102010105000500|"; isdataat:!1, relative; reference: url, blogs.cisco.com/security/shadow-brokers; reference: cve, 2016-6366; classtype: attempted-recon; reference: url, github.com/ptresearch/AttackDetection; sid: 10000098; rev: 2; )

alert udp any any -> $HOME_NET 161 (msg: "ATTACK [PTsecurity] Cisco Adaptive Security Appliance 8.x SNMP overflow RCE Attempt"; byte_jump:1, 6; content: "|A5|"; content: "|2B 06 01 02 01 01 01|"; distance: 0; content: "|2B 06 01 04 01 09 09 83 6B 01 03 03 01 01 05 09|"; isdataat:30,relative; reference: url, blogs.cisco.com/security/shadow-brokers; reference: cve, 2016-6366; classtype: attempted-admin; reference: url, github.com/ptresearch/AttackDetection; sid: 10000099; rev: 2; )

/CVE-2016-6367/cve-2016-6367.rules:

alert tcp any any -> $HOME_NET any (msg: "ATTACK [PTsecurity] EpicBanana Exploitation"; content: "|50 16 60 16 b8 16 82 16 aa 16 aa 16 aa 16 35 16 aa 16 aa 16 aa 16 aa|"; depth: 24; classtype: attempted-admin; reference: url, tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160817-asa-cli; reference: cve, 2016-6367; reference: url, github.com/ptresearch/AttackDetection; sid:10000125; rev:1;)

/CVE-2016-6367/pcaps.zip: https://raw.githubusercontent.com/ptresearch/AttackDetection/c97fab325bba4baaf7a80d1c2e398ffe7161a163/CVE-2016-6367/pcaps.zip

/CVE-2016-6662/CVE-2016-6662.rules:

alert tcp any any -> $HOME_NET any (msg: "ATTACK [PTsecurity] MySQL <= 5.7.15, 5.6.33, 5.5.53 root RCE/Privilege Escalation attempt"; content:"|03|"; offset:4; depth:1; content:"736574"; distance:0; content:"6c6f675f66696c65"; distance:0; content:"6d79"; distance:0; content:"2e636e66"; distance:0; within:14; reference: url, legalhackers.com/advisories/MySQL-Exploit-Remote-Root-Code-Execution-Privesc-CVE-2016-6662.html; reference: cve, 2016-6662; classtype: attempted-admin; reference: url, github.com/ptresearch/AttackDetection; sid:10000128; rev:1;)

alert tcp any any -> $HOME_NET any (msg: "ATTACK [PTsecurity] MySQL <= 5.7.15, 5.6.33, 5.5.53 root RCE/Privilege Escalation attempt"; content:"|03|"; offset:4; depth:1; content:"set"; distance:0; content:"log_file"; distance:0; content:"my"; distance:0; content:".cnf"; distance:0; within:7; reference: url, legalhackers.com/advisories/MySQL-Exploit-Remote-Root-Code-Execution-Privesc-CVE-2016-6662.html; reference: cve, 2016-6662; classtype: attempted-admin; reference: url, github.com/ptresearch/AttackDetection; sid:10000129; rev:1;)

/CVE-2016-7237/CVE-2016-7237.rules:

alert tcp any any -> any 445 (msg: "ATTACK [PTsecurity] LSASS Remote Memory Corruption Attempt (MS16-137)"; flow: established, no_stream; content: "|FF|SMB|73 00 00 00 00|"; offset: 4; depth: 9; content: "|FF 00|"; offset: 37; depth: 2; content: "|01 00 00 00 00 00|"; offset: 45; depth: 6; content: "|00 00 00 00 D4 00 00 A0|"; distance: 2; within: 8; content: "|A1 84|"; distance: 2; within: 2; byte_test:1,!=,0xD1,0,relative; flowbits: set, CVE.2016-7237.Attempt; xbits:set,CVE.2016-7237.Attempt,track ip_dst,expire 15; reference: cve, 2016-7237; reference: url, g-laurent.blogspot.ru/2016/11/ms16-137-lsass-remote-memory-corruption.html; classtype: attempted-dos; reference: url, github.com/ptresearch/AttackDetection; sid: 10000532; rev: 2; )

alert tcp any 445 -> any any (msg: "ATTACK [PTsecurity] LSASS Remote Memory Corruption Successful LSASS Inf. loop (MS16-137)"; flow: established, no_stream; content: "|FF|SMB|73 05 02 00 C0|"; offset: 4; depth: 9; flowbits: isset, CVE.2016-7237.Attempt; reference: cve, 2016-7237; reference: url, g-laurent.blogspot.ru/2016/11/ms16-137-lsass-remote-memory-corruption.html; classtype: successful-dos; reference: url, github.com/ptresearch/AttackDetection; sid: 10000533; rev: 2;)

/CVE-2016-7237/pcap.zip: https://raw.githubusercontent.com/ptresearch/AttackDetection/c97fab325bba4baaf7a80d1c2e398ffe7161a163/CVE-2016-7237/pcap.zip

/CVE-2016-7636/CVE-2016-7636.rules:

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "ATTACK [PTsecurity] Apple macOS 10.12.1/iOS 10 OCSP DDoS Attempt (CVE-2016-7636)"; flow: established, from_server, only_stream; content: "|16 03|"; depth: 2; content: "|16 03|"; content: "|0B|"; distance: 3; within: 1; content: "|30 83|"; content: "|30|"; distance: 3; within: 1; content: "|06 08 2B 06 01 05 05 07 30 02 86|"; distance: 1; within: 11; byte_jump: 1, 0, relative; content: "|30|"; content: "|06 08 2B 06 01 05 05 07 30 02 86|"; distance: 1; within: 11; byte_jump: 1, 0, relative; content: "|30|"; pcre: "/(?:[^\x06]+\x06\x08\x2B\x06\x01\x05\x05\x07\x30\x02\x86){10,}/"; reference: cve, 2016-7636; reference: url, cxsecurity.com/issue/WLB-2016100213; classtype: attempted-dos; reference: url, github.com/ptresearch/AttackDetection; sid: 10000495; rev: 1; )

/CVE-2016-9147/CVE-2016-9147.rules:

alert dns any any -> $HOME_NET any (msg: "INFO [PTsecurity] DNS RRSIG without covered RR (CVE-2016-9147)"; flow: established, from_server; content: "|00 01 00 01|"; offset: 4; depth: 6; content: "|00 00|"; distance: 0; content: "|00 01|"; distance: 1; within: 2; content: "|00 2E 00|"; fast_pattern; distance: 0; pcre: "/.{4,6}\x00\x01\x00\x01.{4}[^\x00]+\x00.{4}[^\x00]+\x00(?:\x2e|\x00\x2e)/"; reference: cve, 2016-9147; reference: url, kb.isc.org/article/AA-01440/74/CVE-2016-9147%3A-An-error-handling-a-query-response-containing-inconsistent-DNSSEC-information-could-cause-an-assertion-failure-.html; classtype: attempted-dos; reference: url, github.com/ptresearch/AttackDetection; sid: 10000892; rev: 2; )

/CVE-2016-9565/CVE-2016-9565.rules:

alert http $HOME_NET any -> any any (msg: "ATTACK [PTsecurity] Nagios Core < 4.2.2 Curl Command Injection (CVE-2016-9565) RSS Request"; flow:established, to_server; content: "/nagios/rss-"; http_uri; content: ".php"; http_uri; distance: 0; content: "User-Agent: magpie"; http_header; nocase; flowbits: set, CVE.2016-9565.RSSRequest; reference: url, legalhackers.com/advisories/Nagios-Exploit-Command-Injection-CVE-2016-9565-2008-4796.html; reference: cve, 2016-9565; classtype: attempted-admin; reference: url, github.com/ptresearch/AttackDetection; sid: 10000777; rev: 1; )

alert http any any -> $HOME_NET any (msg: "ATTACK [PTsecurity] Nagios Core < 4.2.2 Curl Command Injection (CVE-2016-9565) Attempt"; flow:established, from_server; content: "302"; http_stat_code; content: "nagios"; http_header; flowbits: isset, CVE.2016-9565.RSSRequest; reference: url, legalhackers.com/advisories/Nagios-Exploit-Command-Injection-CVE-2016-9565-2008-4796.html; reference: cve, 2016-9565; classtype: attempted-admin; reference: url, github.com/ptresearch/AttackDetection; sid: 10000778; rev: 1; )

alert http any any -> $HOME_NET any (msg: "ATTACK [PTsecurity] Nagios Core < 4.2.2 Curl Command Injection (CVE-2016-9565) Remote Script Execution"; flow:established, from_server; content: "302"; http_stat_code; content: "--trace-ascii"; http_header; content: " -F"; http_header; pcre: "/Location\:(?:.*?\s+-F\S+\s+){2}/Hi"; flowbits: isset, CVE.2016-9565.RSSRequest; reference: url, legalhackers.com/advisories/Nagios-Exploit-Command-Injection-CVE-2016-9565-2008-4796.html; reference: cve, 2016-9565; classtype: attempted-admin; reference: url, github.com/ptresearch/AttackDetection; sid: 10000779; rev: 1; )

/CVE-2017-13089/cve-2017-13089.rules:

alert http any any -> $HOME_NET any (msg: "ATTACK [PTsecurity] Buffer Overflow via Negative HTTP Chunk size number (FFMPEG CVE-2016-10190, WGET CVE-2017-13089, CVE-2017-13090)"; flow: established, from_server; content: "Transfer-Encoding"; nocase; http_header; content: "chunked"; http_header; nocase; distance: 0; app-layer-event:http.invalid_response_chunk_len; pcre: "/^\s*-[0-9A-Fa-f]+/Qs"; reference: cve, 2016-10190; reference: cve, 2017-13089; reference: cve, 2017-13090; reference: url, trac.ffmpeg.org/ticket/5992; reference: url, bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-13089; classtype: attempted-admin; reference: url, github.com/ptresearch/AttackDetection; sid: 10001108; rev: 2; )

/CVE-2017-14492/cve-2017-14492.rules:

alert icmp any any -> any any (msg: "ATTACK [PTsecurity] Dnsmasq <2.78 Heap Based Buffer Overflow (CVE-2017-14492)"; itype:133; icode: 0; content: "|01|"; offset: 4; depth: 1; byte_test: 1, >, 150, 0, relative; isdataat:1500, relative; reference: cve, 2017-14492; reference: url, security.googleblog.com/2017/10/behind-masq-yet-more-dns-and-dhcp.html; classtype: attempted-admin; reference: url, github.com/ptresearch/AttackDetection; sid: 10002469; rev: 2; )

/CVE-2017-14493/cve-2017-14493.rules:

alert udp any any -> any 547 (msg: "ATTACK [PTsecurity] Possible Dnsmasq <2.78 DHCPv6 Link Layer Address Stack Overflow (CVE-2017-14493)"; flow: no_stream; content: "|0C|"; depth: 1; content: "|00 4F|"; distance: 33; within: 2; byte_test: 2, >, 16, 0, relative, big; isdataat:18,relative; reference: cve, 2017-14493; reference: url, security.googleblog.com/2017/10/behind-masq-yet-more-dns-and-dhcp.html; classtype: attempted-admin; reference: url, github.com/ptresearch/AttackDetection; sid: 10002473; rev: 1; )

/CVE-2017-14494/cve-2017-14494.rules:

alert udp any any -> any 547 (msg: "ATTACK [PTsecurity] Possible Dnsmasq <2.78 DHCPv6 Sensitive info leak (CVE-2017-14494)"; flow: no_stream; content: "|0C|"; depth: 1; content: "|00 09|"; distance: 33; within: 2; content: "|00 01|"; distance: 24; within: 2; byte_test: 2, >, 2, 0, relative, big; isdataat:!3,relative; reference: cve, 2017-14494; reference: url, security.googleblog.com/2017/10/behind-masq-yet-more-dns-and-dhcp.html; classtype: attempted-recon; reference: url, github.com/ptresearch/AttackDetection; sid: 10002475; rev: 1; )

/CVE-2017-16943/cve-2017-16943.rules:

alert smtp any any -> $HOME_NET any (msg: "ATTACK [PTsecurity] Exim 4.88, 4.89 UAF RCE Attempt (CVE-2017-16943)"; flow: established, to_server; content: "BDAT"; content: "BDAT"; within: 10; pcre: "/BDAT\s*\D[^\n\r]*[\n\r][^\n\r]{100}/"; reference: cve, 2017-16943; reference: url, bugs.exim.org/show_bug.cgi?id=2199; classtype: attempted-admin; reference: url, github.com/ptresearch/AttackDetection; sid: 10002280; rev: 2; )

/CVE-2017-2491/CVE-2017-2491.rules:

alert http $EXTERNAL_NET any -> $HOME_NET any (msg: "ATTACK [PTsecurity] Safari 10.0.3 UAF RCE (CVE-2017-2491)"; flow: established, from_server; file_data; content: "RegExp"; content: ".repeat"; within: 25; content: ".repeat"; within: 50; content: ".repeat"; within: 50; content: "ArrayBuffer"; within: 100; content: "Uint8Array"; within: 50; content: "Float64Array"; within: 50; content: "jsCellHeader"; distance: 0; content: "butterfly"; distance: 0; reference: cve, 2017-2491; reference: url, github.com/phoenhex/files/blob/master/exploits/cachedcall-uaf.html; classtype: attempted-admin; reference: url, github.com/ptresearch/AttackDetection; sid: 10001322; rev: 2; )

alert http $EXTERNAL_NET any -> $HOME_NET any (msg: "ATTACK [PTsecurity] Safari 10.0.3 UAF RCE (CVE-2017-2491)"; flow: established, from_server; file_data; content: "0x40000"; content: "0x1000"; content: "0x10000000"; content: "0x7ffff000"; content: "0x80"; content: "0x81"; content: "0x50"; reference: cve, 2017-2491; reference: url, github.com/phoenhex/files/blob/master/exploits/cachedcall-uaf.html; classtype: attempted-admin; reference: url, github.com/ptresearch/AttackDetection; sid: 10001326; rev: 1; )

/CVE-2017-3143/cve-2017-3143.rules:

alert dns any any -> $HOME_NET any (msg: "ATTACK [PTsecurity] ISC BIND DNS TSIG authentication bypass attempt (CVE-2017-3143, HMAC_SHA256)"; flow: to_server; content: "|00 FA|"; content: "|00 00 00 00|"; distance: 2; within: 4; content: "|0B|hmac-sha256|00|"; within: 15; byte_test: 2, >, 32, 8, relative; flowbits: set, CVE.2017-3143.attempt; reference: cve, 2017-3143; reference: url, http://www.synacktiv.ninja/ressources/CVE-2017-3143_BIND9_TSIG_dynamic_updates_vulnerability_Synacktiv.pdf; classtype: attempted-admin; reference: url, github.com/ptresearch/AttackDetection; sid: 10001502; rev: 1; )

alert dns any any -> $HOME_NET any (msg: "ATTACK [PTsecurity] ISC BIND DNS TSIG authentication bypass successful (CVE-2017-3143)"; flow: from_server; content: "|00 FA|"; content: "|00 00 00 00|"; distance: 2; within: 4; content: "|0B|hmac-sha256|00|"; within: 15; byte_test: 2, >, 0, 8, relative; flowbits: isset,CVE.2017-3143.attempt; flowbits: unset,CVE.2017-3143.attempt; reference: cve, 2017-3143; reference: url, http://www.synacktiv.ninja/ressources/CVE-2017-3143_BIND9_TSIG_dynamic_updates_vulnerability_Synacktiv.pdf; classtype: successful-admin; reference: url, github.com/ptresearch/AttackDetection; sid: 10001508; rev: 2; )

/CVE-2017-3143/pcap.zip: https://raw.githubusercontent.com/ptresearch/AttackDetection/c97fab325bba4baaf7a80d1c2e398ffe7161a163/CVE-2017-3143/pcap.zip

/CVE-2017-5638/CVE-2017-5638.rules:

alert http any any -> any any (msg: "ATTACK [PTsecurity] Apache Struts < 2.3.32 < 2.5.10.1 RCE through Jakarta Multipart parser Attempt"; flow: established, to_server; content: "%{"; fast_pattern; http_header; content: "multipart/form-data"; http_header; content: "#_memberAccess"; http_header; content: "@java"; http_header; reference: cve, 2017-5638; reference: url, paper.seebug.org/241/; classtype:attempted-admin; reference: url, github.com/ptresearch/AttackDetection; sid: 10001065; rev: 3;)

/CVE-2017-7269/CVE-2017-7269.rules:

alert http any any -> $HOME_NET any (msg:"ATTACK [PTsecurity] MS IIS 6.0 BO RCE (CVE-2017-7269)"; flow: to_server, established; content: "PROPFIND"; http_method; content: "If: <"; http_header; nocase; pcre: "/^If: <[^\r\n>]+[\x7F-\xFF]/Hmi"; reference:url, www.helpnetsecurity.com/2017/03/30/cve-2017-7269/; reference: cve, 2017-7269; classtype:attempted-admin; reference: url, github.com/ptresearch/AttackDetection; sid: 10001195; rev: 1;)

/CVE-2017-7494/CVE-2017-7494.rules:

alert smb any any -> $HOME_NET any (msg:"ATTACK [PTsecurity] Samba RCE exploitation attempt (SambaCry)"; flow: to_server, established, no_stream; content: "|ff 53 4d 42 a2|"; offset: 4; depth: 5; byte_extract: 2, 85, name_length, little; content: "|2f|"; distance: 2; within:name_length; content: !"|04|"; distance: 0; within: 1; reference: cve, 2017-7494; reference: url, www.samba.org/samba/security/CVE-2017-7494.html; reference: url, thehackernews.com/2017/05/samba-rce-exploit.html; classtype: attempted-user; reference: url, github.com/ptresearch/AttackDetection; sid: 10001356; rev: 5;)

alert smb any any -> $HOME_NET any (msg:"ATTACK [PTsecurity] Samba RCE exploitation attempt (SambaCry)"; flow: to_server, established, no_stream; content: "|fe 53 4d 42|"; offset: 4; depth: 4; content: "|05 00|"; offset: 16; depth: 2; fast_pattern; byte_extract: 2, 114, name_length, little; byte_jump: 2, 112, little, from_beginning, post_offset 
4; content: "|2f|"; distance:0; within:name_length; content: !"|04|"; distance:0; within: 1; reference: cve, 2017-7494; reference: url, www.samba.org/samba/security/CVE-2017-7494.html; reference: url, thehackernews.com/2017/05/samba-rce-exploit.html; classtype: attempted-user; reference: url, github.com/ptresearch/AttackDetection; sid: 10001357; rev: 5;) 4 | 5 | alert smb any any -> $HOME_NET any (msg:"ATTACK [PTsecurity] Samba RCE exploitation attempt (SambaCry)"; flow: to_server, established, no_stream; content: "|ff 53 4d 42 2d|"; offset: 4; depth: 5; byte_extract: 2, 67, name_length, little; content: "|2f|"; distance: 2; within:name_length; content: !"|04|"; distance: 0; within: 1; reference: cve, 2017-7494; reference: url, www.samba.org/samba/security/CVE-2017-7494.html; reference: url, thehackernews.com/2017/05/samba-rce-exploit.html; classtype: attempted-user; reference: url, github.com/ptresearch/AttackDetection; sid: 10001438; rev: 1;) 6 | 7 | -------------------------------------------------------------------------------- /CVE-2017-7494/pcap.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ptresearch/AttackDetection/c97fab325bba4baaf7a80d1c2e398ffe7161a163/CVE-2017-7494/pcap.zip -------------------------------------------------------------------------------- /CVE-2017-8045/CVE-2017-8045.rules: -------------------------------------------------------------------------------- 1 | alert tcp $HOME_NET 5672 -> $HOME_NET any (msg: "ATTACK [PTsecurity] Spring AMQP <1.7.4, 1.6.11, 1.5.7 Java Object Deserialization RCE (CVE--2017-8045)"; flow: established, no_stream; content: "application/x-java-serialized-object"; nocase; content: "|03|"; distance: 1; within: 1; content: "java."; distance: 0; pcre: "/application/x-java-serialized-object.{0,110}(?:org\.(?:apache\.|springframework\.|jboss\.|hibernate\.)|java(?:x\.management\.|\.rmi\.)|com\.sun\.|sun\.reflect\.)/"; reference: cve, 2017-8045; 
reference: url, pivotal.io/security/cve-2017-8045; classtype: attempted-admin; reference: url, github.com/ptresearch/AttackDetection; sid: 10002274; rev: 1; ) 2 | 3 | -------------------------------------------------------------------------------- /CVE-2017-9798/CVE-2017-9798.rules: -------------------------------------------------------------------------------- 1 | #alert http $HOME_NET any -> any any (msg: "ATTACK [PTsecurity] Apache2 <2.2.34 <2.4.27 Optionsbleed (CVE-2017-9798) Leak"; flow: established, from_server; content: "Allow:"; nocase; http_header; pcre: "/Allow:(?: ,|[^\r\n]*(?:[^A-Za-z0-9,\s\-_]|,,))/Hi"; threshold: type limit, track by_src, count 1, seconds 10; reference: cve, 2017-9798; reference: url, blog.fuzzing-project.org/60-Optionsbleed-HTTP-OPTIONS-method-can-leak-Apaches-server-memory.html; reference: url, github.com/ptresearch/AttackDetection; metadata: Open Ptsecurity.com ruleset; metadata: updated_at 2021_09_29; classtype: attempted-recon; sid: 10001947; rev: 4;) 2 | 3 | #alert http any any -> $HOME_NET any (msg: "ATTACK [PTsecurity] Apache2 <2.2.34 <2.4.27 Optionsbleed (CVE-2017-9798) Attempt"; flow: established, to_server; content: "OPTIONS"; http_method; threshold: type both, track by_src, count 20, seconds 30; reference: cve, 2017-9798; reference: url, blog.fuzzing-project.org/60-Optionsbleed-HTTP-OPTIONS-method-can-leak-Apaches-server-memory.html; reference: url, github.com/ptresearch/AttackDetection; metadata: Open Ptsecurity.com ruleset; metadata: updated_at 2019_07_25; classtype: attempted-recon; sid: 10001948; rev: 1;) 4 | 5 | -------------------------------------------------------------------------------- /CVE-2017-9798/pcap.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ptresearch/AttackDetection/c97fab325bba4baaf7a80d1c2e398ffe7161a163/CVE-2017-9798/pcap.zip -------------------------------------------------------------------------------- 
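Added example (editor's code, not part of the ptresearch/AttackDetection repository): the CVE-2017-3143 rule pair above finds a TSIG record by byte anchors (type 0x00FA, two bytes of class, a zero TTL, RDLENGTH plus the algorithm name "|0B|hmac-sha256|00|") and then byte_test reads the 16-bit MAC Size field eight bytes past the algorithm name (Time Signed + Fudge) and alerts when it exceeds 32, the length of an HMAC-SHA256 digest. The decoder below walks a DNS message properly, applies the same test, shows the rule's own anchor-and-offset logic side by side, and generalises the check to the other TSIG HMAC algorithms using their standard digest lengths (that generalisation is mine; the rule covers hmac-sha256 only). The two UPDATE messages at the bottom are constructed for the demo.

```python
"""TSIG MAC Size check as encoded by the CVE-2017-3143 rules (added example)."""
import struct

TYPE_TSIG = 250                      # 0x00FA, the rule's first content match
DIGEST_LEN = {                       # RFC 2845 / RFC 4635 algorithm names
    "hmac-md5.sig-alg.reg.int": 16, "hmac-sha1": 20, "hmac-sha224": 28,
    "hmac-sha256": 32, "hmac-sha384": 48, "hmac-sha512": 64,
}


def read_name(msg, off):
    """Return (name, next_offset); handles RFC 1035 labels and compression pointers."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                      # compression pointer
            end = end if end is not None else off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if end is not None else off)


def parse_tsig_rdata(rdata):
    """RFC 2845 2.3: algorithm, time signed (48 bit), fudge, MAC size, MAC, ..."""
    alg, off = read_name(rdata, 0)
    time_hi, time_lo, fudge, mac_size = struct.unpack("!HIHH", rdata[off:off + 10])
    off += 10
    mac = rdata[off:off + mac_size]
    orig_id, error, other_len = struct.unpack("!HHH", rdata[off + mac_size:off + mac_size + 6])
    return {"algorithm": alg.lower(), "time_signed": (time_hi << 32) | time_lo,
            "fudge": fudge, "mac_size": mac_size, "mac": mac,
            "original_id": orig_id, "error": error, "other_len": other_len}


def find_tsig(msg):
    """Walk every section of a DNS message and return the parsed TSIG RDATA, or None."""
    _id, _flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        _, off = read_name(msg, off)
        off += 4                                       # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        _, off = read_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == TYPE_TSIG:
            return parse_tsig_rdata(msg[off:off + rdlen])
        off += rdlen
    return None


def oversized_mac(tsig):
    """True when MAC Size exceeds what the declared algorithm can produce."""
    if tsig is None:
        return False
    expected = DIGEST_LEN.get(tsig["algorithm"])
    return expected is not None and tsig["mac_size"] > expected


def rule_style_match(pkt):
    """The same test done the way the rule does it: byte anchors, no DNS parsing.
    |00 FA|, skip 2 (class), |00 00 00 00| (TTL), algorithm name ending within 15
    bytes (2 bytes RDLENGTH + 13), then byte_test 2 bytes at +8 relative, > 32."""
    i = pkt.find(b"\x00\xfa")
    while i != -1:
        if pkt[i + 4:i + 8] == b"\x00\x00\x00\x00":
            j = pkt.find(b"\x0bhmac-sha256\x00", i + 8, i + 8 + 15)
            if j != -1:
                k = j + 13 + 8
                return struct.unpack("!H", pkt[k:k + 2])[0] > 32
        i = pkt.find(b"\x00\xfa", i + 1)
    return False


def encode_name(name):
    return b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"


def build_update(key_name, algorithm, mac):
    """Constructed DNS UPDATE (opcode 5) for example.com with one TSIG RR in AR."""
    hdr = struct.pack("!HHHHHH", 0x1234, 0x2800, 1, 0, 0, 1)
    zone = encode_name("example.com") + struct.pack("!HH", 6, 1)      # SOA, IN
    rdata = (encode_name(algorithm) + struct.pack("!HIHH", 0, 0x5D000000, 300, len(mac))
             + mac + struct.pack("!HHH", 0x1234, 0, 0))
    tsig = encode_name(key_name) + struct.pack("!HHIH", TYPE_TSIG, 255, 0, len(rdata)) + rdata
    return hdr + zone + tsig


# Constructed samples: a proper 32-byte HMAC-SHA256 MAC and an over-long 48-byte one.
LEGIT = build_update("tsig-key", "hmac-sha256", b"\xAA" * 32)
SUSPECT = build_update("tsig-key", "hmac-sha256", b"\xAA" * 48)

if __name__ == "__main__":
    for label, pkt in (("legit", LEGIT), ("suspect", SUSPECT)):
        print(label, oversized_mac(find_tsig(pkt)), rule_style_match(pkt))
```

The parsed path and the anchor path agree on both samples; the parsed path additionally rejects a bogus MAC Size for the other algorithms and is not fooled by a `|00 FA|` byte pair that happens to occur inside a MAC or a name.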
/CVE-2018-0171/cve-2018-0171.rules:
--------------------------------------------------------------------------------
alert tcp any any -> $HOME_NET 4786 (msg: "ATTACK [PTsecurity] Cisco Smart Install 15.2(5)E RCE (CVE-2018-0171)"; flow: established, to_server, no_stream; content: "|00 00 00 01 00 00 00 07|"; offset: 4; depth: 8; content: "|00 00 00 01|"; distance: 4; within: 4; isdataat: 210, relative; reference: cve, 2018-0171; reference: url, embedi.com/blog/cisco-smart-install-remote-code-execution; classtype: attempted-admin; reference: url, github.com/ptresearch/AttackDetection; sid: 10002774; rev: 1; )

--------------------------------------------------------------------------------
/CVE-2018-0886/cve-2018-0886.rules:
--------------------------------------------------------------------------------
alert tcp $HOME_NET 3389 -> any any (msg: "ATTACK [PTsecurity] MS RDP CredSSP Remote Code Execution MitM (CVE-2018-0886)"; flow: established, from_server, only_stream; content: "|16 03|"; content: "|0B|"; distance: 3; within: 1; content: "|06 09 2a 86 48 86 f7 0d 01 01 01|"; distance: 0; content: "D|00|i|00|s|00|a|00|l|00|l|00|o|00|w|00|S|00|t|00|a|00|r|00|t|00|I|00|f|00|O|00|n|00|B|00|a|00|t|00|t|00|e|00|r|00|i|00|e|00|s|00|"; nocase; distance: 0; content: "E|00|x|00|e|00|c|00|"; nocase; distance: 0; content: "C|00|o|00|m|00|m|00|a|00|n|00|d|00|"; nocase; distance: 0; reference: cve, 2018-0886; reference: url, blog.preempt.com/how-we-exploited-the-authentication-in-ms-rdp; classtype: attempted-admin; reference: url, github.com/ptresearch/AttackDetection; sid: 10002831; rev: 1; )

--------------------------------------------------------------------------------
/CVE-2018-1000006/cve-2018-1000006.rules:
--------------------------------------------------------------------------------
alert http any any -> $HOME_NET any (msg: "ATTACK [PTsecurity] GitHub Electron <1.8.2-beta.4, <1.7.11, <1.6.16 protocol handler RCE (CVE-2018-1000006)"; flow: established, from_server; content: "://"; content: "--gpu-launcher="; nocase; pcre: "/(powershell|cmd|python|bash|\.exe)/i"; reference: cve, 2018-1000006; reference: url, electronjs.org/blog/protocol-handler-fix; classtype: attempted-admin; reference: url, github.com/ptresearch/AttackDetection; sid: 10002500; rev: 2; )

alert http any any -> $HOME_NET any (msg: "ATTACK [PTsecurity] GitHub Electron <1.8.2-beta.4, <1.7.11, <1.6.16 protocol handler RCE (CVE-2018-1000006)"; flow: established, from_server; content: "://"; content: "-cmd-prefix="; nocase; pcre: "/(powershell|cmd|python|bash|\.exe)/i"; reference: cve, 2018-1000006; reference: url, electronjs.org/blog/protocol-handler-fix; classtype: attempted-admin; reference: url, github.com/ptresearch/AttackDetection; sid: 10002501; rev: 3; )

--------------------------------------------------------------------------------
/CVE-2018-1000207/cve-2018-1000207.rules:
--------------------------------------------------------------------------------
alert http any any -> $HOME_NET any (msg: "ATTACK [PTsecurity] Modx Revolution CMS < 2.6.4 RCE by PoC (CVE-2018-1000207)"; flow: established, to_server; content: "POST"; http_method; content: "/connectors/system/phpthumb.php"; http_uri; content: "IMresizedData"; nocase; http_client_body; content: "cache_filename"; nocase; http_client_body; reference: cve, 2018-1000207; reference: url, rudnkh.me/posts/critical-vulnerability-in-modx-revolution-2-6-4; classtype: attempted-admin; reference: url, github.com/ptresearch/AttackDetection; sid: 10003350; rev: 1;)

--------------------------------------------------------------------------------
/CVE-2018-1111/cve-2018-1111.rules:
--------------------------------------------------------------------------------
alert udp any 67 -> $HOME_NET 68 (msg: "ATTACK [PTsecurity] DHCP Client Script WPAD option OS Command Injection (CVE-2018-1111)"; content: "|63 82 53 63|"; fast_pattern; content: "|FC|"; distance: 0; byte_extract: 1, 0, length, relative; content: "'"; within: length; pcre: "/[\x79\x28-\x2a\x77\xf9\x21\x2a\x35\x36\x33\x3a\x3b\x01-\x0f\x1a\x1c]/"; content: !"|00|"; within: 1; content: !"|01|"; within: 1; content: !"|02|"; within: 1; byte_jump: 1, 0, relative; content: "|FC|"; within: 1; byte_extract: 1, 0, length, relative; content: "'"; within: length; reference: cve, 2018-1111; reference: url, dynoroot.ninja; classtype: attempted-admin; reference: url, github.com/ptresearch/AttackDetection; sid: 10002971; rev: 2; )

alert udp any 67 -> $HOME_NET 68 (msg: "ATTACK [PTsecurity] DHCP Client Script WPAD option Exploit (CVE-2018-1111)"; content: "|63 82 53 63|"; fast_pattern; content: "|FC|"; distance: 0; byte_extract: 1, 0, length, relative; content: "'"; within: length; pcre: "/^[\x20-\x7E]+(sh|nc|wget|curl|echo|cat|id|uname)/Ri"; reference: cve, 2018-1111; reference: url, dynoroot.ninja; classtype: attempted-admin; reference: url, github.com/ptresearch/AttackDetection; sid: 10002975; rev: 1; )

--------------------------------------------------------------------------------
/CVE-2018-1306/cve-2018-1306.rules:
--------------------------------------------------------------------------------
alert http any any -> any any (msg: "ATTACK [PTsecurity] Apache Portals Pluto 3.0.0 RCE (CVE-2018-1306)"; flow: established, to_server; content: "HEAD"; http_method; content: "/pluto/portal/File Upload"; http_uri; depth: 25; content: "<%"; http_client_body; content: ".jsp"; http_client_body; reference: cve, 2018-1306; reference: url, packetstormsecurity.com/files/149366/apacheportalspluto300-exec.txt; reference: url, github.com/ptresearch/AttackDetection; classtype: attempted-admin; sid: 10003786; rev: 1; )

--------------------------------------------------------------------------------
/CVE-2018-14847/cve-2018-14847.rules:
--------------------------------------------------------------------------------
alert tcp any any -> any any (msg: "ATTACK [PTsecurity] Mikrotik <6.42 Password disclosure path traversal (CVE-2018-14847)"; flow: established, to_server; content: "|01 00|"; offset: 1; depth: 2; content: "M2"; distance: 1; within: 2; content: "/../"; distance: 0; content: "/flash/rw/store/user.dat"; distance: 0; content: "|02 00 00 00 02 00 00 00|"; distance: 0; reference: cve, 2018-14847; reference: url, github.com/tenable/routeros/tree/master/poc/bytheway; classtype: attempted-admin; reference: url, github.com/ptresearch/AttackDetection; sid: 10003917; rev: 1; )

--------------------------------------------------------------------------------
/CVE-2018-15379/cve-2018-15379.rules:
--------------------------------------------------------------------------------
alert udp any any -> any any (msg: "ATTACK [PTsecurity] Cisco Prime Infrastructure < 3.4.1 & 3.3.1 TFTP RCE (CVE-2018-15379)"; flow: established, from_server; content: "|00 03 00 01|"; depth: 4; content: "<%@"; flowbits: set, CVE.2018-15379.JSP1; flowbits: noalert; reference: cve, 2018-15379; reference: url, seclists.org/fulldisclosure/2018/Oct/19; classtype: attempted-admin; reference: url, github.com/ptresearch/AttackDetection; sid: 10003907; rev: 1; )

alert udp any any -> any any (msg: "ATTACK [PTsecurity] Cisco Prime Infrastructure < 3.4.1 & 3.3.1 TFTP RCE (CVE-2018-15379)"; flow: established, from_server; content: "|00 03 00|"; depth: 3; content: "/CSCOlumos/"; content: "runrshell"; distance: 0; flowbits: isset, CVE.2018-15379.JSP1; reference: cve, 2018-15379; reference: url, seclists.org/fulldisclosure/2018/Oct/19; classtype: attempted-admin; reference: url, github.com/ptresearch/AttackDetection; sid: 10003908; rev: 1; )

--------------------------------------------------------------------------------
/CVE-2018-15442/cve-2018-15442.rules:
--------------------------------------------------------------------------------
alert tcp any any -> any 445 (msg: "ATTACK [PTsecurity] Webexservice Service Probe (CVE-2018-15442)"; flow: established, to_server, no_stream; content: "SMB"; depth: 8; content: "|05 00 00|"; distance: 0; content: "|10 00|"; distance: 19; within: 3; content: "w|00|e|00|b|00|e|00|x|00|s|00|e|00|r|00|v|00|i|00|c|00|e|00 00 00|"; nocase; distance: 0; reference: url, webexec.org; reference: cve, 2018-15442; flowbits: set, CVE.2018-15442.Probe; classtype: attempted-admin; reference: url, github.com/ptresearch/AttackDetection; sid: 10003982; rev: 1; )

alert tcp any any -> any 445 (msg: "ATTACK [PTsecurity] Webexservice remote privileged command execution (CVE-2018-15442)"; flow: established, to_server, no_stream; content: "SMB"; depth: 8; content: "|05 00 00|"; distance: 0; content: "|13 00|"; distance: 19; within: 3; content: "s|00|o|00|f|00|t|00|w|00|a|00|r|00|e|00|-|00|u|00|p|00|d|00|a|00|t|00|e|00|"; nocase; distance: 0; reference: url, webexec.org; reference: cve, 2018-15442; flowbits: isset, CVE.2018-15442.Probe; classtype: attempted-admin; reference: url, github.com/ptresearch/AttackDetection; sid: 10003983; rev: 1; )

--------------------------------------------------------------------------------
/CVE-2018-15454/cve-2018-15454.rules:
--------------------------------------------------------------------------------
alert udp any any -> $HOME_NET 5060 (msg: "ATTACK [PTsecurity] Cisco ASA and Cisco FTD possible DoS (CVE-2018-15454)"; flow: no_stream; content: "SIP|2f|"; nocase; content: "Via:"; nocase; distance: 0; content: "SIP|2f|"; nocase; distance: 0; content: "|2f|UDP"; nocase; distance: 0; within: 10; content: "0.0.0.0"; distance: 0; within: 15; fast_pattern; content: "branch="; nocase; distance: 0; reference: url, www.securityfocus.com/bid/105768/; reference: cve, 2018-15454; classtype: attempted-admin; reference: url, github.com/ptresearch/AttackDetection; sid: 10004025; rev: 1;)

--------------------------------------------------------------------------------
/CVE-2018-17245/cve-2018-17245.rules:
--------------------------------------------------------------------------------
alert http any any -> any any (msg: "ATTACK [PTsecurity] Kibana < 6.4.3 <5.6.13 Arbitrary File Inclusion/Disclosure/RCE attempt (CVE-2018-17245)"; flow: established, to_server; content: "/api/console/api_server"; http_uri; content: "SENSE_VERSION"; nocase; http_uri; distance: 0; pcre: "/apis\s*=\s*[^&]*(?:(?:%2e|\.)(?:%2e|\.)(?:%5c|%2f|\/|\\))/Ui"; reference: cve, 2018-17245; reference: url, www.cyberark.com/threat-research-blog/execute-this-i-know-you-have-it; reference: url, github.com/ptresearch/AttackDetection; classtype: attempted-admin; sid: 10004231; rev: 1; )

--------------------------------------------------------------------------------
/CVE-2018-5955/cve-2018-5955.rules:
--------------------------------------------------------------------------------
alert http any any -> $HOME_NET any (msg: "ATTACK [PTsecurity] GitStack Arbitrary PHP upload RCE (CVE-2018-5955)"; flow: established, to_server; content: "/web/index.php?"; http_uri; content: ".git"; distance: 0; http_uri; content: "Authorization:"; http_header; nocase; content: "Basic"; distance: 0; http_header; nocase; pcre: "/Basic\s+/i"; base64_decode: offset 0, relative; base64_data; pcre: "/&\s/"; reference: url, blogs.securiteam.com/index.php/archives/3557; reference: cve, 2018-5955; classtype: attempted-admin; reference: url, github.com/ptresearch/AttackDetection; sid: 10002449; rev: 2;)

--------------------------------------------------------------------------------
/CVE-2018-6789/cve-2018-6789.rules:
--------------------------------------------------------------------------------
alert tcp any any -> $HOME_NET 25 (msg: "ATTACK [PTsecurity] Exim <4.90.1 Base64 Overflow RCE (CVE-2018-6789)"; flow: established, to_server, only_stream; content: "|0D 0A|AUTH"; pcre: "/AUTH\s+\S+\s+(?:[a-zA-Z0-9\+\/=]{4})*+[a-zA-Z0-9\+\/=]{3}\s/"; reference: cve, 2018-6789; reference: url, https://devco.re/blog/2018/03/06/exim-off-by-one-RCE-exploiting-CVE-2018-6789-en/; reference: url, github.com/ptresearch/AttackDetection; classtype: attempted-admin; sid: 10002643; rev: 3; )

--------------------------------------------------------------------------------
/CVE-2018-7445/cve-2018-7445.rules:
--------------------------------------------------------------------------------
alert tcp any any -> $HOME_NET 139 (msg: "ATTACK [PTsecurity] Mikrotik <6.41.3 <6.42rc27 RCE Attempt (CVE-2018-7445)"; flow: established, to_server, no_stream; content: "|81 00|"; depth: 2; byte_test: 1, >, 0x20, 2, relative; content: "|00 00 00|"; distance: 0; reference: cve, 2018-7445; reference: url, www.coresecurity.com/advisories/mikrotik-routeros-smb-buffer-overflow; classtype: attempted-admin; reference: url, github.com/ptresearch/AttackDetection; sid: 10002680; rev: 1; )

alert tcp any any -> $HOME_NET 139 (msg: "ATTACK [PTsecurity] ShellCode Upload Mikrotik <6.41.3 <6.42rc27 RCE (CVE-2018-7445)"; flow: established, to_server, only_stream; content: "|00 00 eb 02 00 00 eb 02|"; depth: 8; pcre: "/(?:\x00\x00\xeb\x02){10}/R"; reference: cve, 2018-7445; reference: url, www.coresecurity.com/advisories/mikrotik-routeros-smb-buffer-overflow; classtype: attempted-admin; reference: url, github.com/ptresearch/AttackDetection; sid: 10002681; rev: 1; )

alert tcp $HOME_NET 139 -> any any (msg: "ATTACK [PTsecurity] Successful Mikrotik <6.41.3 <6.42rc27 RCE (CVE-2018-7445)"; flow: established, from_server, no_stream; content: "sh: "; depth: 4; reference: cve, 2018-7445; reference: url, www.coresecurity.com/advisories/mikrotik-routeros-smb-buffer-overflow; classtype: successful-admin; reference: url, github.com/ptresearch/AttackDetection; sid: 10002682; rev: 1; )

--------------------------------------------------------------------------------
/CVE-2018-7445/pcap.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ptresearch/AttackDetection/c97fab325bba4baaf7a80d1c2e398ffe7161a163/CVE-2018-7445/pcap.zip
--------------------------------------------------------------------------------
/CVE-2018-7600/cve-2018-7600.rules:
--------------------------------------------------------------------------------
alert http any any -> any any (msg: "ATTACK [PTsecurity] Drupalgeddon2 <8.3.9 <8.4.6 <8.5.1 RCE through registration form (CVE-2018-7600)"; flow: established, to_server; content: "/user/register"; http_uri; content: "POST"; http_method; content: "drupal"; http_client_body; pcre: "/(%23|#)(access(?:_|%5f)callback|pre(?:_|%5f)render|post(?:_|%5f)render|lazy(?:_|%5f)builder)/Pi"; reference: cve, 2018-7600; reference: url, research.checkpoint.com/uncovering-drupalgeddon-2; reference: url, github.com/ptresearch/AttackDetection; classtype: attempted-admin; sid: 10002808; rev: 3;)

--------------------------------------------------------------------------------
/CVE-2018-7602/cve-2018-7602.rules:
--------------------------------------------------------------------------------
alert http any any -> $HOME_NET any (msg: "ATTACK [PTsecurity] Drupalgeddon2 <7.59 <8.4.8 <8.5.3 RCE (CVE-2018-7602)"; flow: established, to_server; content: "markup"; http_uri; pcre: "/(%2523|%23|#)markup/U"; pcre: "/(%2523|%23|#)type/U"; reference: cve, 2018-7602; reference: url, www.bleepingcomputer.com/news/security/hackers-dont-give-site-owners-time-to-patch-start-exploiting-new-drupal-flaw-within-hours/; classtype: attempted-admin; reference: url, github.com/ptresearch/AttackDetection; sid: 10002866; rev: 1; )

--------------------------------------------------------------------------------
/CVE-2018-8495/cve-2018-8495.rules:
--------------------------------------------------------------------------------
alert http any any -> any any (msg: "ATTACK [PTsecurity] MS Edge WScript Command Injection RCE (CVE-2018-8495)"; flow: established, from_server; content: "wshfile:"; nocase; http_server_body; fast_pattern; content: ".."; distance: 0; http_server_body; content: ".vbs"; distance: 0; nocase; http_server_body; pcre: "/wshfile:[^\x22\x27\s]+(\\|\/)\.\.(\\|\/)[^\x22\x27\s]+\.vbs/Qi"; reference: cve, 2018-8495; reference: url, leucosite.com/Microsoft-Edge-RCE; classtype: attempted-admin; reference: url, github.com/ptresearch/AttackDetection; sid: 10003930; rev: 2; )

--------------------------------------------------------------------------------
/CVE-2018-8581/cve-2018-8581.rules:
--------------------------------------------------------------------------------
alert http any any -> any any (msg: "ATTACK [PTsecurity] MS Exchange 2010-2019 Possible privilege escalation (CVE-2018-8581)"; flow: established, to_server; content: "POST"; http_method; content: "SOAPAction"; http_header; content: "Authorization: NTLM"; http_header; content: "m:SendNotificationResponseMessage"; http_client_body; reference: url, dirkjanm.io/abusing-exchange-one-api-call-away-from-domain-admin/; reference: cve, 2018-8581; reference: url, github.com/ptresearch/AttackDetection; classtype: attempted-admin; sid: 10004420; rev: 1;)

--------------------------------------------------------------------------------
/CVE-2019-0227/cve-2019-0227.rules:
--------------------------------------------------------------------------------
alert http any any -> any any (msg: "ATTACK [PTsecurity] Possible Apache Axis RCE via SSRF (CVE-2019-0227)"; flow: established, to_client; content: "30"; http_stat_code; content: "Location:"; http_header; content: "method"; distance: 0; http_header; pcre: "/(!|%21)(-|%2D|)+(>|%3E)/RHi"; content: "deployment"; distance: 0; http_header; reference: cve, 2019-0227; reference: url, rhinosecuritylabs.com/application-security/cve-2019-0227-expired-domain-rce-apache-axis; classtype: attempted-admin; reference: url, github.com/ptresearch/AttackDetection; sid: 10004698; rev: 1;)

--------------------------------------------------------------------------------
/CVE-2019-0232/cve-2019-0232.rules:
--------------------------------------------------------------------------------
alert http any any -> any any (msg: "ATTACK [PTsecurity] Apache Tomcat RCE on Windows (CVE-2019-0232)"; flow: established, to_server; content: "?&"; http_raw_uri; pcre: "/\.(?:bat|cmd)\?\&/I"; reference: cve, 2019-0232; reference: url, wwws.nightwatchcybersecurity.com/2019/04/30/remote-code-execution-rce-in-cgi-servlet-apache-tomcat-on-windows-cve-2019-0232; reference: url, github.com/ptresearch/AttackDetection; classtype: attempted-admin; sid: 10004953; rev: 2;)

--------------------------------------------------------------------------------
/CVE-2019-0708/cve-2019-0708.rules:
--------------------------------------------------------------------------------
alert tcp any any -> any !443 (msg: "ATTACK [PTsecurity] Possible Bluekeep RDP exploit CVE-2019-0708 (pkt #1)"; flow: established, to_server; app-layer-protocol: !tls; content: "|17 03 01 00 20|"; depth: 5; fast_pattern; content: "|17 03 01|"; distance: 32; within: 3; byte_test: 2, >, 450, 0, relative, big; flowbits: set, BlueKeep.pkt1; flowbits: noalert; reference: cve, 2019-0708; reference: url, github.com/Ekultek/BlueKeep; reference: url, github.com/ptresearch/AttackDetection; classtype: attempted-admin; sid: 10004861; rev: 4;)

alert tcp any any -> any !443 (msg: "ATTACK [PTsecurity] Possible Bluekeep RDP exploit CVE-2019-0708 (pkt #2)"; flow: established, to_server; app-layer-protocol: !tls; content: "|17 03 01 00 20|"; depth: 5; content: "|17 03 01 00 30|"; distance: 32; within: 5; fast_pattern; flowbits: isset, BlueKeep.pkt1; flowbits: set, BlueKeep.pkt2; flowbits: noalert; reference: cve, 2019-0708; reference: url, github.com/Ekultek/BlueKeep; reference: url, github.com/ptresearch/AttackDetection; classtype: attempted-admin; sid: 10004862; rev: 4;)

alert tcp any any -> any !443 (msg: "ATTACK [PTsecurity] Possible Bluekeep RDP exploit CVE-2019-0708 (pkt #3)"; flow: established, to_server; app-layer-protocol: !tls; content: "|17 03 01 00 20|"; depth: 5; content: "|17 03 01 00 20|"; distance: 32; within: 5; fast_pattern; flowbits: isset, BlueKeep.pkt2; flowbits: set, BlueKeep.pkt3; flowbits: noalert; reference: cve, 2019-0708; reference: url, github.com/Ekultek/BlueKeep; reference: url, github.com/ptresearch/AttackDetection; classtype: attempted-admin; sid: 10004863; rev: 4;)

alert tcp any any -> any !443 (msg: "ATTACK [PTsecurity] Possible Bluekeep RDP exploit CVE-2019-0708 (MCS Channel Join Requests)"; flow: established, to_server; app-layer-protocol: !tls; content: "|17 03 01 00 20|"; depth: 5; content: "|17 03 01 00 30|"; distance: 32; within: 5; fast_pattern; flowbits: isset, BlueKeep.pkt3; flowint: JoinReq, +, 1; flowbits: noalert; reference: cve, 2019-0708; reference: url, github.com/Ekultek/BlueKeep; reference: url, github.com/ptresearch/AttackDetection; classtype: attempted-admin; sid: 10004864; rev: 4;)

alert tcp any any -> any !443 (msg: "ATTACK [PTsecurity] Possible Bluekeep RDP exploit CVE-2019-0708 (pkt #12)"; flow: established, to_server; app-layer-protocol: !tls; content: "|17 03 01 00 20|"; depth: 5; content: "|17 03 01 01 80|"; distance: 32; within: 5; flowint: JoinReq, >=, 7; flowbits: set, BlueKeep.pkt12; flowbits: noalert; reference: cve, 2019-0708; reference: url, github.com/Ekultek/BlueKeep; reference: url, github.com/ptresearch/AttackDetection; classtype: attempted-admin; sid: 10004865; rev: 7;)

alert tcp any any -> any !443 (msg: "ATTACK [PTsecurity] Possible Bluekeep RDP exploit CVE-2019-0708"; flow: established, from_server; app-layer-protocol: !tls; stream_size: client, <, 3500; stream_size: server, <, 3000; content: "|17 03 01 01 d0|"; depth: 5; flowbits: isset, BlueKeep.pkt12; flowbits: set, BlueKeep.pkt13; reference: cve, 2019-0708; reference: url, github.com/Ekultek/BlueKeep; reference: url, github.com/ptresearch/AttackDetection; classtype: attempted-admin; sid: 10004867; rev: 5;)

alert tcp any any -> any !443 (msg: "ATTACK [PTsecurity] Possible Bluekeep RDP exploit CVE-2019-0708 (pkt #1)"; flow: established, to_server; app-layer-protocol: !tls; content: "|17 03 01|"; depth: 3; byte_test: 2, >, 450, 0, relative, big; flowbits: set, BlueKeep.pkt1; flowbits: noalert; reference: cve, 2019-0708; reference: url, github.com/Ekultek/BlueKeep; reference: url, github.com/ptresearch/AttackDetection; classtype: attempted-admin; sid: 10005396; rev: 1;)

alert tcp any any -> any !443 (msg: "ATTACK [PTsecurity] Possible Bluekeep RDP exploit CVE-2019-0708 (pkt #2)"; flow: established, to_server; app-layer-protocol: !tls; content: "|17 03 01 00 30|"; depth: 5; fast_pattern; flowbits: isset, BlueKeep.pkt1; flowbits: set, BlueKeep.pkt2; flowbits: noalert; reference: cve, 2019-0708; reference: url, github.com/Ekultek/BlueKeep; reference: url, github.com/ptresearch/AttackDetection; classtype: attempted-admin; sid: 10005397; rev: 1;)

alert tcp any any -> any !443 (msg: "ATTACK [PTsecurity] Possible Bluekeep RDP exploit CVE-2019-0708 (pkt #3)"; flow: established, to_server; app-layer-protocol: !tls; content: "|17 03 01 00 20|"; depth: 5; flowbits: isset, BlueKeep.pkt2; flowbits: set, BlueKeep.pkt3; flowbits: noalert; reference: cve, 2019-0708; reference: url, github.com/Ekultek/BlueKeep; reference: url, github.com/ptresearch/AttackDetection; classtype: attempted-admin; sid: 10005398; rev: 1;)

alert tcp any any -> any !443 (msg: "ATTACK [PTsecurity] Possible Bluekeep RDP exploit CVE-2019-0708 (MCS Channel Join Requests)"; flow: established, to_server; app-layer-protocol: !tls; content: "|17 03 01 00 30|"; depth: 5; flowbits: isset, BlueKeep.pkt3; flowint: JoinReq, +, 1; flowbits: noalert; reference: cve, 2019-0708; reference: url, github.com/Ekultek/BlueKeep; reference: url, github.com/ptresearch/AttackDetection; classtype: attempted-admin; sid: 10005399; rev: 1;)

alert tcp any any -> any !443 (msg: "ATTACK [PTsecurity] Possible Bluekeep RDP exploit CVE-2019-0708 (pkt #12)"; flow: established, to_server; app-layer-protocol: !tls; content: "|17 03 01 01 80|"; depth: 5; flowint: JoinReq, >=, 7; flowbits: set, BlueKeep.pkt12; flowbits: noalert; reference: cve, 2019-0708; reference: url, github.com/Ekultek/BlueKeep; reference: url, github.com/ptresearch/AttackDetection; classtype: attempted-admin; sid: 10005400; rev: 1;)

--------------------------------------------------------------------------------
/CVE-2019-1003001/cve-2019-1003001.rules:
--------------------------------------------------------------------------------
alert http any any -> any any (msg: "ATTACK [PTsecurity] Jenkins sandbox bypassing RCE (CVE-2019-1003000/1/2)"; flow: established, to_server; content: "POST"; http_method; nocase; content: "/job/"; http_uri; depth: 5; content: "/config.xml"; http_uri; content: "script"; http_client_body; pcre: "/<\s*script\s*>.*?@(Grab|ASTTest)/Ps"; reference: url, github.com/adamyordan/cve-2019-1003000-jenkins-rce-poc; reference: cve, 2019-1003000; reference: cve, 2019-1003001; reference: cve, 2019-1003002; reference: url, github.com/ptresearch/AttackDetection; classtype: attempted-admin; sid: 10004529; rev: 1; )

--------------------------------------------------------------------------------
/CVE-2019-2618/cve-2019-2618.rules:
--------------------------------------------------------------------------------
alert http any any -> any any (msg: "ATTACK [PTsecurity] Oracle Weblogic file upload RCE (CVE-2019-2618)"; flow: established, to_server; content: "POST"; nocase; http_method; content: "/bea_wls_deployment_internal/DeploymentService"; http_uri; content: "app_upload"; http_header; content: "_WL_internal"; http_header; content: "bea_wls_"; http_header; distance: 0; reference: cve, 2019-2618; reference: url, github.com/jas502n/cve-2019-2618/blob/master/cve-2019-2618.py; reference: url, github.com/ptresearch/AttackDetection; classtype: attempted-admin; sid: 10004781; rev: 1;)

--------------------------------------------------------------------------------
/CVE-2019-2725/cve-2019-2725.rules:
--------------------------------------------------------------------------------
alert http any any -> any any (msg: "ATTACK [PTsecurity] Oracle Weblogic _async deserialization RCE Attempt (CVE-2019-2725)"; flow: established, to_server; content: "POST"; nocase; http_method; content: "oracle.toplink.internal.sessions.UnitOfWorkChangeSet"; pcre: "/(/wls-wsat/|/__async/)/I"; reference: cve, 2019-2725; reference: url, paper.seebug.org/910/; reference: url, github.com/ptresearch/AttackDetection; classtype: attempted-admin; sid: 10004779; rev: 3;)

alert http any any -> any any (msg: "ATTACK [PTsecurity] Oracle Weblogic _async deserialization RCE Attempt (CVE-2019-2725)"; flow: established, to_server; content: "POST"; nocase; http_method; content: "org.slf4j.ext.EventData"; pcre: "/(/wls-wsat/|/__async/)/I"; reference: cve, 2019-2725; reference: url, paper.seebug.org/910/; reference: url, github.com/ptresearch/AttackDetection; classtype: attempted-admin; sid: 10004927; rev: 1;)
--------------------------------------------------------------------------------
/CVE-2019-2725/pcap.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ptresearch/AttackDetection/c97fab325bba4baaf7a80d1c2e398ffe7161a163/CVE-2019-2725/pcap.zip
--------------------------------------------------------------------------------
/CVE-2019-3396/cve-2019-3396.rules:
--------------------------------------------------------------------------------
alert http any any -> any any (msg: "ATTACK [PTsecurity] Confluence <6.14.2,6.13.3,6.12.3 Unauthorized RCE (CVE-2019-3396)"; flow: established, to_server; content: "/rest/tinymce/"; http_uri; content: "/macro/preview"; http_uri; distance: 0; content: "contentId"; http_client_body; content: "_template"; http_client_body; content: "url"; http_client_body; reference: url, paper.seebug.org/886; reference: cve, 2019-3396; classtype: attempted-admin; reference: url, github.com/ptresearch/AttackDetection; sid: 10004699; rev: 1; )

--------------------------------------------------------------------------------
/CVE-2019-3924/cve-2019-3924.rules:
--------------------------------------------------------------------------------
alert tcp any any -> any 8291 (msg: "ATTACK [PTsecurity] MikroTik Firewall & NAT Bypass (CVE-2019-3924)"; flow: established, no_stream, to_server; content: "|01 00|"; depth: 4; content: "M2"; depth: 8; content: "|68 00 00 00|"; isdataat: !1, relative; content: "|07 00 FF 09 01|"; content: "|03 00 00 08|"; content: "|04 00 00 09|"; content: "|07 00 00 21|"; content: "|08 00 00 21|"; reference: cve, 2019-3924; reference: url, www.tenable.com/security/research/tra-2019-07; reference: url, github.com/tenable/routeros/blob/master/poc/cve_2019_3924; classtype: attempted-admin; reference: url, github.com/ptresearch/AttackDetection; sid: 10004547; rev: 1; )

--------------------------------------------------------------------------------
/CVE-2019-3978/cve-2019-3978.rules:
--------------------------------------------------------------------------------
alert tcp any any -> any any (msg: "ATTACK [PTsecurity] Mikrotik RouterOS unauthenticated DNS cache poisoning (CVE-2019-3978)"; flow: established, to_server, no_stream; content: "M2"; offset: 4; depth: 2; content: "|01 00 00 08|"; content: "|07 00 FF 09 03|"; content: "|03 00 00 21|"; content: "|01 00 FF 88 01 00 0E 00 00 00|"; reference: cve, 2019-3978; reference: url, medium.com/tenable-techblog/routeros-chain-to-root-f4e0b07c0b21; reference: url, github.com/ptresearch/AttackDetection; classtype: attempted-admin; sid: 10005475; rev: 1;)

--------------------------------------------------------------------------------
/CVE-2019-6340/cve-2019-6340.rules:
--------------------------------------------------------------------------------
alert http any any -> any any (msg: "ATTACK [PTsecurity] Arbitrary PHP RCE in Drupal 8 < 8.5.11,8.6.10 (CVE-2019-6340)"; flow: established, to_server; content: "GET"; http_method; content: "hal_json"; http_uri; content: "link"; http_client_body; content: "options"; distance: 0; content: "O:"; distance: 0; http_client_body; pcre: "/\x22options\x22\s*:\s*\x22O:\d+:/P"; reference: cve, 2019-6340; reference: url, www.ambionics.io/blog/drupal8-rce; reference: url, github.com/ptresearch/AttackDetection; classtype: attempted-admin; sid: 10004555; rev: 3; )

--------------------------------------------------------------------------------
/CVE-2020-0601/cve-2020-0601.rules:
--------------------------------------------------------------------------------
alert tcp any any -> any any (msg: "ATTACK [PTsecurity] Suspicious explicitly-defined ECC parameters. Possible CVE-2020-0601 crafted certificate"; flow:established; content:"|06 07 2a 86 48 ce 3d 02 01 30 82|"; content:"|06 07 2a 86 48 ce 3d 01 01 02|"; within:200; reference: cve, 2020-0601; reference: url, github.com/ollypwn/cve-2020-0601; reference: url, github.com/ptresearch/AttackDetection; classtype: trojan-activity; sid: 10005695; rev: 1;)

--------------------------------------------------------------------------------
/CVE-2020-0796/cve-2020-0796.rules:
--------------------------------------------------------------------------------
alert tcp any any -> any any (msg: "ATTACK [PTsecurity] CoronaBlue/SMBGhost DOS/RCE Attempt (CVE-2020-0796)"; flow: established; content: "|FC|SMB"; depth: 8; byte_test: 4, >, 0x800134, 8, relative, little; reference: url, www.mcafee.com/blogs/other-blogs/mcafee-labs/smbghost-analysis-of-cve-2020-0796; reference: cve, 2020-0796; reference: url, github.com/ptresearch/AttackDetection; classtype: attempted-admin; sid: 10005777; rev: 2;)

alert tcp any any -> any any (msg: "ATTACK [PTsecurity] CoronaBlue/SMBGhost DOS/RCE Attempt (CVE-2020-0796)"; flow: established; content: "|FC|SMB"; depth: 8; byte_test: 4, >, 0x800134, 0, relative, little; reference: url, www.mcafee.com/blogs/other-blogs/mcafee-labs/smbghost-analysis-of-cve-2020-0796; reference: cve, 2020-0796; reference: url, github.com/ptresearch/AttackDetection; classtype: attempted-admin; sid: 10005778; rev: 2;)

--------------------------------------------------------------------------------
/CVE-2020-1350/cve-2020-1350.rules:
--------------------------------------------------------------------------------
alert tcp any 53 -> any any (msg: "ATTACK [PTsecurity] Windows Server DNS RCE aka SIGRed (CVE-2020-1350) - Query response"; flow: established, from_server; content:"|FF|"; depth: 1; content: "|00 00 18 00 01 C0|"; within: 100; content:"|00 18 00 01|"; distance: 1; within: 4; content: "|FF|"; distance: 4; within: 1; reference: url, research.checkpoint.com/2020/resolving-your-way-into-domain-admin-exploiting-a-17-year-old-bug-in-windows-dns-servers; reference: cve, 2020-1350; reference: url, github.com/ptresearch/AttackDetection; classtype: attempted-admin; sid: 10005977; rev: 2;)

--------------------------------------------------------------------------------
/CVE-2020-14882/cve-2020-14882.rules:
--------------------------------------------------------------------------------
alert http any any -> any any (msg: "ATTACK [PTsecurity] Oracle Weblogic unauth RCE (CVE-2020-14882)"; flow: established, to_server; content: "%252E%252E"; http_raw_uri; content: "console.portal"; http_uri; content: "tangosol"; content: "coherence"; distance: 0; content: "ShellSession"; distance: 0; reference: url, twitter.com/jas502n/status/1321416053050667009; reference: url, testbnull.medium.com/weblogic-rce-by-only-one-get-request-cve-2020-14882-analysis-6e4b09981dbf; reference: url, github.com/ptresearch/AttackDetection; reference: cve, 2020-14882; classtype: attempted-admin; sid: 10006254; rev: 1;)

--------------------------------------------------------------------------------
/CVE-2021-41773/cve-2021-41773.rules:
--------------------------------------------------------------------------------
alert http any any -> any any (msg: "ATTACK [PTsecurity] Likely Apache HTTP Server 2.4.49 Directory Traversal (CVE-2021-41773)"; flow: established, to_server; content: "%2e/"; nocase; http_raw_uri; pcre: "/\/(\.|%2e)%2e\//Ii"; threshold: type limit, track by_src, count 1, seconds 60; reference: cve, 2021-41773; reference: url, twitter.com/lofi42/status/1445382059640434695; reference: url, github.com/ptresearch/AttackDetection; metadata: created_at 2021_10_05, updated_at 2021_10_06; classtype: web-application-attack; sid: 10006811; rev: 2;)

alert http any any -> any any (msg: "ATTACK [PTsecurity] Apache HTTP Server 2.4.49 RCE attempt (CVE-2021-41773)"; flow: established, to_server; content: "%2e/"; nocase; http_raw_uri; content: "sh"; distance: 0; nocase; http_raw_uri; pcre: "/\/(\.|%2e)%2e\//Ii"; content: "POST"; nocase; http_method; reference: cve, 2021-41773; reference: url, twitter.com/lofi42/status/1445382059640434695; reference: url, github.com/ptresearch/AttackDetection; classtype: attempted-admin; sid: 10006813; rev: 1;)

--------------------------------------------------------------------------------
/CVE-2022-23131/cve-2022-23131.rules:
--------------------------------------------------------------------------------
alert http any any -> any any (msg: "ATTACK [PTsecurity] Zabbix v5.4.x SSO/SAML Auth Bypass RCE (CVE-2022-23131)"; flow: established, to_server; content: "/index_sso.php"; http_uri; content: "zbx_session="; http_cookie; base64_decode: relative; base64_data; content: "saml_data"; content: "username_attribute"; distance: 0; pcre: "/^(?:(?!.*sessionid)|(?!.*sign)|(?!.*session_index))/"; reference: url, blog.sonarsource.com/zabbix-case-study-of-unsafe-session-storage; reference: url, github.com/ptresearch/AttackDetection; reference: cve, 2022-23131; classtype: attempted-admin; sid: 10007101; rev: 1;)

--------------------------------------------------------------------------------
/DNS Rebinding/dns_rebinding.rules:
--------------------------------------------------------------------------------
#alert udp any 53 -> $HOME_NET any (msg: "ATTACK [PTsecurity] DNS Rebinding attack in progress"; flow: established, from_server; content: "|00 01 00 01|"; offset: 4; depth: 4; content: "|00 01 00 01 00 00 00 00 00 04|"; distance: 0; content: !"|7F|"; within: 1; xbits: set, DNSREBINDING.NON_LOCALHOST, track ip_pair, expire 10; flowbits: noalert; classtype: attempted-admin; reference: url, github.com/ptresearch/AttackDetection; sid: 10002488; rev: 2; )

#alert udp any 53 -> $HOME_NET any (msg: "ATTACK [PTsecurity] DNS Rebinding attack in progress"; flow: established, from_server; content: "|00 01 00 01|"; offset: 4; depth: 4; content: "|00 01 00 01 00 00 00 00 00 04 7F 00 00 01|"; distance: 0; xbits: isset, DNSREBINDING.NON_LOCALHOST, track ip_pair; threshold: type both, track by_src, count 1, seconds 30; classtype: attempted-admin; reference: url, github.com/ptresearch/AttackDetection; sid: 10002489; rev: 1; )

#alert udp any 53 -> $HOME_NET any (msg: "ATTACK [PTsecurity] Possible DNS Rebinding attack"; flow: established, from_server; content: "|00 01 00 01|"; offset: 4; depth: 4; content: "|00 01 00 01 00 00 00 00 00 04 7F 00 00 01|"; distance: 0; threshold: type both, track by_src, count 1, seconds 30; classtype: attempted-admin; reference: url, github.com/ptresearch/AttackDetection; sid: 10002490; rev: 1; )

--------------------------------------------------------------------------------
/DarkHVNC/darkhvnc.rules:
--------------------------------------------------------------------------------
alert tcp any any -> any any (msg: "REMOTE [PTsecurity] DarkHVNC"; flow: established, to_server; stream_size: client, =, 11; stream_size: server, =, 1; dsize: 10; content: "AVE_MARIA"; depth: 9; reference: url, app.any.run/tasks/48ad8f56-2255-47bf-a988-e0602c11f4b0; metadata: id 1927656; metadata: created_at 2021_09_29; classtype: trojan-activity; sid: 10006793; rev: 1;)

--------------------------------------------------------------------------------
/Dridex/dridex.rules:
--------------------------------------------------------------------------------
alert tls $HOME_NET any -> $EXTERNAL_NET any (msg: "MALWARE [PTsecurity] Dridex/Feodo-D SSL connection #0.1"; flow: established, to_server; content: "|17 03 01 00 80|"; depth:5; stream_size: server, <,1905; stream_size: client, <,9911; stream_size: client, >,0; stream_size: server, >,0; flowbits: noalert; flowbits: set, FB313831_0; classtype: trojan-activity; metadata: created_at 2017_8_1; reference: url, github.com/ptresearch/AttackDetection; sid: 10001683; rev: 1;)

alert tls $HOME_NET any -> $EXTERNAL_NET any (msg: "MALWARE [PTsecurity] Dridex/Feodo-D SSL connection #0.2"; flow: established, to_server; content: "|17 03 01 00 90|"; depth:5; stream_size: server, <,1905; stream_size: client, <,9911; stream_size: client, >,0; stream_size: server, >,0; flowbits: noalert; flowbits: set, FB313831_0; classtype: trojan-activity; metadata: created_at 2017_8_1; reference: url, github.com/ptresearch/AttackDetection; sid: 10001684; rev: 1;)

alert tls $HOME_NET any -> $EXTERNAL_NET any (msg: "MALWARE [PTsecurity] Dridex/Feodo-D SSL connection #1"; flow: established, to_server; content: "|1703|"; depth:2; byte_test: 2, >=,2512, 1, relative; byte_test: 2, <=,7900, 1, relative; stream_size: server, <,1905; stream_size: client, <,9911; stream_size: client, >,0; stream_size: server, >,0; flowbits: noalert; flowbits: isset, FB313831_0; flowbits: unset, FB313831_0; flowbits: set, FB313831_1; classtype: trojan-activity; metadata: created_at 2017_8_1; reference: url, github.com/ptresearch/AttackDetection; sid: 10001685; rev: 1;)
alert tls $EXTERNAL_NET any -> $HOME_NET any (msg: "MALWARE [PTsecurity] Dridex/Feodo-D SSL connection #2.1"; flow: established, to_client; content: "|17 03 01 01 60|"; depth:5; stream_size: server, <,2257; stream_size: client, <,10263; stream_size: client, >,0; stream_size: server, >,0; flowbits: isset, FB313831_1; flowbits: unset, FB313831_1; threshold: type limit, track by_src, count 1, seconds 300; classtype: trojan-activity; metadata: created_at 2017_8_1; reference: url, github.com/ptresearch/AttackDetection; sid: 10001686; rev: 1;)

alert tls $EXTERNAL_NET any -> $HOME_NET any (msg: "MALWARE [PTsecurity] Dridex/Feodo-D SSL connection #2.2"; flow: established, to_client; content: "|17 03 01 00 D0|"; depth:5; stream_size: server, <,2257; stream_size: client, <,10263; stream_size: client, >,0; stream_size: server, >,0; flowbits: isset, FB313831_1; flowbits: unset, FB313831_1; threshold: type limit, track by_src, count 1, seconds 300; classtype: trojan-activity; metadata: created_at 2017_8_1; reference: url, github.com/ptresearch/AttackDetection; sid: 10001792; rev: 1;)

alert tls $EXTERNAL_NET any -> $HOME_NET any (msg: "MALWARE [PTsecurity] Dridex/Feodo-D SSL connection #2.3"; flow: established, to_client; content: "|17 03 01 00 C0|"; depth:5; stream_size: server, <,2257; stream_size: client, <,10263; stream_size: client, >,0; stream_size: server, >,0; flowbits: isset, FB313831_1; flowbits: unset, FB313831_1; threshold: type limit, track by_src, count 1, seconds 300; classtype: trojan-activity; metadata: created_at 2017_8_1; reference: url, github.com/ptresearch/AttackDetection; sid: 10001793; rev: 1;)

alert tls $EXTERNAL_NET any -> $HOME_NET any (msg: "MALWARE [PTsecurity] Trickbot/Dyre/Dridex #1"; flow: established, to_client; content: "|1703|"; depth:2; byte_test: 2, >=,160, 1, relative; byte_test: 2, <=,240, 1, relative; stream_size: server, <,3000; stream_size: client, <,3000; flowbits: noalert; flowbits: set, FB320221_0; classtype: trojan-activity; metadata: created_at 2017_8_11; reference: url, github.com/ptresearch/AttackDetection; sid: 10001758; rev: 1;)

alert tls $EXTERNAL_NET any -> $HOME_NET any (msg: "MALWARE [PTsecurity] Trickbot/Dyre/Dridex #2"; flow: established, to_client; content: "|17 03 01 00 F0|"; depth:5; content: "|17 03 01 00 20|"; distance:240; within:5; content: "|17 03 01|"; distance:32; within:3; stream_size: server, <,30000; stream_size: client, <,30000; flowbits: isset, FB320221_0; flowbits: unset, FB320221_0; flowbits: set, FB320221_1; flowbits: noalert; classtype: trojan-activity; metadata: created_at 2017_8_11; reference: url, github.com/ptresearch/AttackDetection; sid: 10001759; rev: 2;)

alert tls $EXTERNAL_NET any -> $HOME_NET any (msg: "MALWARE [PTsecurity] Trickbot/Dyre/Dridex #3"; flow: established, to_client; content: "|17 03 01 01 00|"; depth:5; content: "|17 03 01 00 20|"; distance:256; within:5; content: "|17 03 01|"; distance:32; within:3; stream_size: server, <,30000; stream_size: client, <,30000; flowbits: isset, FB320221_0; flowbits: unset, FB320221_0; flowbits: set, FB320221_1; classtype: trojan-activity; metadata: created_at 2017_8_11; reference: url, github.com/ptresearch/AttackDetection; sid: 10001760; rev: 1;)

# For Suricon 2018. Disabled by default.
#alert tls $HOME_NET any -> $EXTERNAL_NET any (msg: "MALWARE [PTsecurity] Dyre/Trickbot/Dridex SSL connection #0"; flow: established, to_server; content: "|1703|"; depth:2; byte_test: 2, >=,270, 1, relative; byte_test: 2, <=,292, 1, relative; stream_size: server, <,2710; stream_size: client, <,1540; flowbits: noalert; flowbits: set, FB314917_0; classtype: trojan-activity; metadata: created_at 2017_8_3; reference: url, github.com/ptresearch/AttackDetection; sid: 11101465; rev: 2;)

#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg: "MALWARE [PTsecurity] Dyre/Trickbot/Dridex SSL connection #1"; flow: established, to_client; content: "|1703|"; depth:2; byte_test: 2, >=,400, 1, relative; byte_test: 2, <=,416, 1, relative; stream_size: server, <,2710; stream_size: client, <,1540; flowbits: isset, FB314917_0; flowbits: unset, FB314917_0; flowbits: set, FB314917_1; flowbits: noalert; classtype: trojan-activity; metadata: created_at 2017_8_3; reference: url, github.com/ptresearch/AttackDetection; sid: 11101466; rev: 2;)

#alert tls $HOME_NET any -> $EXTERNAL_NET any (msg: "MALWARE [PTsecurity] Dyre/Trickbot/Dridex SSL connection #2"; flow: established, to_server; content: "|1703|"; depth:2; byte_test: 2, >=,400, 1, relative; byte_test: 2, <=,416, 1, relative; stream_size: server, <,3300; stream_size: client, <,2500; flowbits: isset, FB314917_1; flowbits: unset, FB314917_1; flowbits: set, FB314917_2; classtype: trojan-activity; metadata: created_at 2017_8_3; reference: url, github.com/ptresearch/AttackDetection; sid: 11101467; rev: 1;)

--------------------------------------------------------------------------------
/Dridex/pcap.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ptresearch/AttackDetection/c97fab325bba4baaf7a80d1c2e398ffe7161a163/Dridex/pcap.zip

--------------------------------------------------------------------------------
/FreePBX_13_14_rce/FreePBX_13_14_rce.rules:
--------------------------------------------------------------------------------
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ATTACK [PTsecurity] FreePBX 13/14 Malicious Filename Upload attempt"; flow: to_server; content: "POST"; http_method; nocase; content:"/admin/ajax.php?"; http_uri; content:"module=recordings"; http_uri; content:"command=savebrowserrecording"; http_uri; content: "Content-Type: multipart/form-data"; nocase; http_header; pcre:"/Content-Disposition: form-data\; name=\x22filename\x22\r\n\r\n[^\r\n]*\x60[^\r\n]*\x60.*\r\n/P"; xbits: set, FreePBXMaliciousFilenameUpload, track ip_dst, expire 30; classtype: attempted-user; reference: exploitdb, 40232; reference: url, github.com/ptresearch/AttackDetection; sid:10000082; rev:2;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ATTACK [PTsecurity] FreePBX 13/14 Remote Command Execution"; flow: to_server; content: "POST"; http_method; nocase; content:"/admin/ajax.php"; http_uri; content: "Content-Type: application/x-www-form-urlencoded"; nocase; http_header; pcre:"/file=[^&]*\x60[^&]*\x60/P"; pcre:"/module=recordings/P"; xbits: isset, FreePBXMaliciousFilenameUpload, track ip_dst; classtype: successful-user; reference: exploitdb, 40232; reference: url, github.com/ptresearch/AttackDetection; sid:10000083; rev:2;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ATTACK [PTsecurity] FreePBX 13/14 Remote Command Execution attempt"; flow: to_server; content:"POST"; http_method; content:"/admin/ajax.php"; http_uri; content:"Content-Type: application/x-www-form-urlencoded"; nocase; http_header; pcre:"/file=[^&]*\x60[^&]*\x60/P"; pcre:"/module=recordings/P"; xbits: isnotset, FreePBXMaliciousFilenameUpload, track ip_dst; classtype: attempted-user; reference: exploitdb, 40232; reference: url, github.com/ptresearch/AttackDetection; sid:10000084; rev:2;)

--------------------------------------------------------------------------------
/FreePBX_13_14_rce/pcap.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ptresearch/AttackDetection/c97fab325bba4baaf7a80d1c2e398ffe7161a163/FreePBX_13_14_rce/pcap.zip

--------------------------------------------------------------------------------
/GraphicsMagick_shell_vulnerability/GraphicsMagick.rules:
--------------------------------------------------------------------------------
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ATTACK [PTsecurity] GraphicsMagick popen shell vulnerability"; flow:established,to_server; content:" $HOME_NET any (msg:"ATTACK [PTsecurity] GraphicsMagick popen shell vulnerability"; flow:established,to_server; content:"viewbox "; nocase; http_client_body; fast_pattern; pcre:"/image\s+copy\s+\d+\s*,\s*\d+\s+\d+\s*,\s*\d+\s*\x22\|/RPi"; reference: url, permalink.gmane.org/gmane.comp.security.oss.general/19669; classtype:web-application-attack; reference: url, github.com/ptresearch/AttackDetection; sid: 10000045; rev:1;)

--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
LICENSE AGREEMENT
with an individual, the end user of software, exclusive rights to which belong to Positive Technologies CJSC.

1. General Provisions

1.1 This license agreement (hereinafter referred to as the "Agreement") represents an agreement between Positive Technologies CJSC (hereinafter referred to as the "Rightholder") and the end user (hereinafter referred to as the "User") with regard to the Positive Technologies software, rules for detection and exploits in particular, provided by the Rightholder for public access at ХХХ (hereinafter referred to as the "Software").

1.2 The usage of the Software is allowed only under this Agreement’s conditions. Execution, storage or any other use of the Software implies that the User agrees to fulfill the terms and conditions of the Agreement. If the User does not fully accept the Agreement, the User may not use the Software for any purpose, including keeping a copy of the Software on data storage devices.

2. Legal Usage

2.1 A legal Software instance is only the instance received by the User from the Rightholder by downloading from the repository, located at the address specified in section 1.1.

2.2 The Rightholder grants the User the right to use the legal Software instance for personal, non-commercial use and for its designated purpose, namely, for assessment of the current security status.

2.3 To provide the User with means for exercising the rights under section 2.2 of this Agreement the Rightholder grants the User the right to reproduce the Software, which is limited to installing (copying to read-only storage) and running (copying to the core memory) the Software. Any other legal manner of using the Software is to be specified in the appropriate contract. A manner of using the Software that is not expressly specified under this Agreement or in the contract is considered to be not allowed.

2.4 The end user acquires the right to reproduce the Software, which is limited to installing and running the Software, on one hardware platform only.

2.5 The User receives the rights to use the Software only to the extent granted to the User by the Rightholder explicitly under the Agreement. The Rightholder reserves all rights not expressly granted to the User herein.

2.6 The User being an eligible owner of an instance of the Software may create one backup copy, provided that such copy is used solely as an archive backup or to replace the legally acquired instance in case it is lost, destroyed or unusable. Such backup copy should contain all copyright notices that appear on the original instance.

2.7 The User shall not modify, adapt, localize or decompile the Software except as specified under the current law of the Russian Federation, nor shall the User make any changes to the source code of the Software.

2.8 The User shall not use the Software to provide services (including consulting) to third parties, including donated services.

2.9 The User shall not distribute, rent or lease the Software, or use it for fraudulent or other illegal purposes.

2.10 The Software may be used worldwide throughout the period of validity of the exclusive right to the Software.

3. Exclusive rights

3.1 The rightholder of the Software is Positive Technologies CJSC.

3.2 All rights (including the right for the content that can become available as a result of the Software usage) are the property of the Rightholder and are protected by applicable laws of the Russian Federation and international intellectual property treaties.

3.3 Nothing in this Agreement shall be construed as transfer of any exclusive rights to the User.

3.4 The User may not remove or change the Rightholder’s and third parties’ copyright information.

4. Disclaimer of warranty

4.1 The Software is provided as is. The Rightholder gives no warranties of uninterrupted or error-free operation of the Software, nor does it give warranties that the Software meets the User’s requirements or expectations. The Rightholder is not liable for direct or indirect damages resulting from potential errors in the Software, as well as for damages that might result from using or impossibility to use the Software.

5. Liability

5.1 The User shall be liable for any breach of the terms of this Agreement and for the illegal usage of the Software under applicable laws of the Russian Federation and international intellectual property treaties.

5.2 The Rightholder reserves the right to terminate the User’s license unilaterally in case of any breach of the terms of this Agreement and illegal usage of the Software.

6. Other Provisions

6.1 This Agreement is governed by the law of the Russian Federation.

6.2 The Rightholder reserves the right to modify the conditions of this Agreement (with the obligation to notify the User).

6.3 The User may contact the Rightholder, should the User have any questions regarding the permitted use of the Software:

Positive Technologies CJSC
107241, Moscow, Schelkovskoe shosse, 23A
Tel.: +7 495 744 0144
Fax: +7 495 744 0187
E-mail: pt@ptsecurity.com

--------------------------------------------------------------------------------
/Log4Shell/log4shell.rules:
--------------------------------------------------------------------------------
alert http any any -> any any (msg: "ATTACK [PTsecurity] log4j RCE aka Log4Shell attempt (CVE-2021-44228)"; flow: established; content: "${"; content: "j"; distance: 0; nocase; content: "n"; distance: 0; nocase; content: "d"; distance: 0; nocase; content: "i"; distance: 0; nocase; content: ":"; distance: 0; nocase; content: "l"; distance: 0; nocase; content: "d"; distance: 0; nocase; content: "a"; distance: 0; nocase; content: "p"; distance: 0; nocase; pcre: "/\${(?:\${upper:|\${lower:|\${env:[^:]+:-|\${::-)?j}?(?:\${upper:|\${lower:|\${env:[^:]+:-|\${::-)?n}?(?:\${upper:|\${lower:|\${env:[^:]+:-|\${::-)?d}?(?:\${upper:|\${lower:|\${env:[^:]+:-|\${::-)?i}?(?:\${upper:|\${lower:|\${env:[^:]+:-|\${::-)?:}?(?:\${upper:|\${lower:|\${env:[^:]+:-|\${::-)?l}?(?:\${upper:|\${lower:|\${env:[^:]+:-|\${::-)?d}?(?:\${upper:|\${lower:|\${env:[^:]+:-|\${::-)?a}?(?:\${upper:|\${lower:|\${env:[^:]+:-|\${::-)?p}?/i"; reference: cve, 2021-44228; reference: url, www.lunasec.io/docs/blog/log4j-zero-day; reference: url, github.com/ptresearch/AttackDetection; metadata: created_at 2021_12_10, updated_at 2021_12_13; classtype: attempted-admin; sid: 10006897; rev: 3;)

alert tcp any any -> any any (msg: "ATTACK [PTsecurity] log4j RCE aka Log4Shell successful. Malicious LDAP response (CVE-2021-44228)"; flow: established; content: "0"; depth: 1; content: "|02 01 02 64|"; within: 7; content: "javaClassName1"; within: 150; content: "javaCodeBase1"; distance: 0; content: "objectClass1"; distance: 0; content: "javaFactory1"; distance: 0; reference: cve, 2021-44228; reference: url, www.lunasec.io/docs/blog/log4j-zero-day; reference: url, github.com/ptresearch/AttackDetection; classtype: attempted-admin; sid: 10006900; rev: 1;)

--------------------------------------------------------------------------------
/MS17-010/ms17-010.rules:
--------------------------------------------------------------------------------
alert smb any any -> $HOME_NET any (msg: "ATTACK [PTsecurity] Metasploit MS17-010 ETERNALCHAMPION. Non-Fragmented NT Trans Request with command NT Rename (CVE-2017-0146)"; flow: established, to_server; content: "|FF|SMB|A0|"; offset: 4; depth: 5; byte_extract: 4, 35, NTTrans.TotalDataCount, relative, little; byte_test: 4, =, NTTrans.TotalDataCount, 16, relative, little; content: "|05 00|"; distance: 25; within: 2; isdataat:300, relative; flowbits: set, EternalRomance.RaceCondition.Possible; flowbits: noalert; reference: cve, 2017-0146; reference: url, github.com/rapid7/metasploit-framework/commit/c9473f8cbc147fe6ff7fe27862fd3d1e9f27c4f5; reference: url, blogs.technet.microsoft.com/srd/2017/06/29/eternal-champion-exploit-analysis; classtype: attempted-admin; reference: url, github.com/ptresearch/AttackDetection; sid: 10001717; rev: 2;)

alert smb $HOME_NET any -> any any (msg: "ATTACK [PTsecurity] NT Trans Response"; flow: established, from_server; content: "|FF|SMB|A0|"; offset: 4; depth: 5; flowbits: isset, EternalRomance.RaceCondition.Possible; flowbits: unset, EternalRomance.RaceCondition.Possible; flowbits: noalert; reference: cve, 2017-0146; reference: url, github.com/rapid7/metasploit-framework/commit/c9473f8cbc147fe6ff7fe27862fd3d1e9f27c4f5; reference: url, blogs.technet.microsoft.com/srd/2017/06/29/eternal-champion-exploit-analysis; classtype: attempted-admin; reference: url, github.com/ptresearch/AttackDetection; sid: 10001718; rev: 1;)

alert smb any any -> $HOME_NET any (msg: "ATTACK [PTsecurity] Metasploit MS17-010 ETERNALCHAMPION Race Condition Exploit. NT Trans Secondary packet follows NT Trans Req (CVE-2017-0146)"; flow: established, no_stream, to_server; content: "|FF|SMB|A1|"; flowbits: isset, EternalRomance.RaceCondition.Possible; flowbits: set, EternalRomance.RaceCondition.Attempt; threshold: type both, track by_src, count 1, seconds 60; reference: cve, 2017-0146; reference: url, github.com/rapid7/metasploit-framework/commit/c9473f8cbc147fe6ff7fe27862fd3d1e9f27c4f5; reference: url, blogs.technet.microsoft.com/srd/2017/06/29/eternal-champion-exploit-analysis; classtype: attempted-admin; reference: url, github.com/ptresearch/AttackDetection; sid: 10001719; rev: 1;)

alert smb $HOME_NET any -> any any (msg: "ATTACK [PTsecurity] Metasploit MS17-010 ETERNALCHAMPION Successful kernel data leak (CVE-2017-0146)"; flow: established, from_server; content: "|FF|SMB|A0|"; content: "Frag"; within: 115; flowbits: isset, EternalRomance.RaceCondition.Attempt; reference: cve, 2017-0146; reference: url, github.com/rapid7/metasploit-framework/commit/c9473f8cbc147fe6ff7fe27862fd3d1e9f27c4f5; reference: url, blogs.technet.microsoft.com/srd/2017/06/29/eternal-champion-exploit-analysis; classtype: attempted-admin; reference: url, github.com/ptresearch/AttackDetection; sid: 10001720; rev: 1;)

alert smb any any -> $HOME_NET any (msg: "ATTACK [PTsecurity] Metasploit MS17-010 ETERNALROMANCE exploitation (CVE-2017-0143)"; flow: established, to_server; content: "|FF|SMB|A1|"; content: "|FF|SMB|A0|"; distance: 0; content: "|05 00|"; distance: 64; within: 2; content: "|FF|SMB|25|"; distance: 13; within: 5; content: "|FF|SMB|25|"; distance: 67; within: 5; content: "|FF|SMB|25|"; distance: 67; within: 5; content: "|FF|SMB|25|"; distance: 67; within: 5; content: "|FF|SMB|25|"; distance: 67; within: 5; content: "|FF|SMB|25|"; distance: 67; within: 5; content: "|FF|SMB|25|"; distance: 67; within: 5; content: "|FF|SMB|25|"; distance: 67; within: 5; content: "|FF|SMB|25|"; distance: 67; within: 5; content: "|FF|SMB|25|"; distance: 67; within: 5; content: "|FF|SMB|25|"; distance: 67; within: 5; content: "|FF|SMB|25|"; distance: 67; within: 5; threshold: type both, track by_src, count 1, seconds 60; reference: cve, 2017-0143; reference: url, github.com/rapid7/metasploit-framework/commit/c9473f8cbc147fe6ff7fe27862fd3d1e9f27c4f5; reference: url, www.crowdstrike.com/blog/badrabbit-ms17-010-exploitation-part-one-leak-and-control; classtype: attempted-admin; reference: url, github.com/ptresearch/AttackDetection; sid: 10001723; rev: 1; )

--------------------------------------------------------------------------------
/Microtik Router OS Stack Clash/microtik_router_os_stack_clash.rules:
--------------------------------------------------------------------------------
alert http any any -> any any (msg: "ATTACK [PTsecurity] Mikrotik Router OS 6.38.4 Stack Clash RCE"; flow: established, to_server; content: "POST"; http_method; content: "/jsproxy"; http_uri; fast_pattern; content: "Content-Length: "; http_header; content: !"|0D|"; within: 5; http_header; xbits: set, RouterOS.StackClash.POST2, track ip_src, expire 10; flowbits: noalert; reference: url, github.com/BigNerd95/Chimay-Red/blob/master/StackClashMIPS.py; classtype: attempted-admin; reference: url, github.com/ptresearch/AttackDetection; sid: 10002456; rev: 1; )

alert tcp any any -> any any (msg: "ATTACK [PTsecurity] Mikrotik Router OS 6.38.4 Stack Clash RCE"; flow: established, to_server, no_stream; content: "|24 50 00 00 26 04 00 40 AE 04 FF F0 26 11 00 50 AE 11 FF F4 26 11 00 60 AE 11 FF F8 22 05 FF F0 22 06 FF FC 24 02 0F AB 00 00 00 0C|"; content: "/bin"; within: 30; xbits: isset, RouterOS.StackClash.POST2, track ip_src; reference: url, github.com/BigNerd95/Chimay-Red/blob/master/StackClashMIPS.py; classtype: attempted-admin; reference: url, github.com/ptresearch/AttackDetection; sid: 10002457; rev: 1; )

alert http any any -> any any (msg: "ATTACK [PTsecurity] Possible Mikrotik Router OS 6.38.4 Stack Clash RCE"; flow: established, to_server; content: "POST"; http_method; content: "/jsproxy"; http_uri; fast_pattern; content: "Content-Length: "; http_header; content: !"|0D|"; within: 6; http_header; byte_test: 0, =, 167936, 0, relative, string; threshold: type both, track by_src, count 2, seconds 5; reference: url, github.com/BigNerd95/Chimay-Red/blob/master/StackClashMIPS.py; classtype: attempted-admin; reference: url, github.com/ptresearch/AttackDetection; sid: 10002459; rev: 2; )

--------------------------------------------------------------------------------
/Neutrino/neutrino.rules:
--------------------------------------------------------------------------------
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MALWARE [PTsecurity] Neutrino Bot Check-in"; flow: established, to_server; content: "msg=Y21kJ"; http_client_body; depth: 9; fast_pattern; classtype: trojan-activity; metadata: created_at 2018_3_20; reference: url, github.com/ptresearch/AttackDetection; sid: 10002712; rev: 1; )

alert http any any -> any any (msg: "SCAN [PTsecurity] Neutrino shell probing die(@md5("; flow: established, to_server; content: "die(@md5("; isdataat: !20, relative; threshold: type limit, track by_src, seconds 300, count 1; reference: url, github.com/ptresearch/AttackDetection; classtype: attempted-recon; sid: 10003765; rev: 2; )

alert http any any -> any any (msg: "SCAN [PTsecurity] Neutrino shell probing die(md5("; flow: established, to_server; content: "die(md5("; isdataat: !20, relative; threshold: type limit, track by_src, seconds 300, count 1; reference: url, github.com/ptresearch/AttackDetection; classtype: attempted-recon; sid: 10003766; rev: 2; )

alert http any any -> any any (msg: "ATTACK [PTsecurity] PHPMyAdmin web shell planting with log redirection"; flow: established, to_server; content: "POST"; http_method; content: "import.php"; http_uri; content: "application/x-www-form-urlencoded"; http_header; content: "general_log_file"; http_client_body; fast_pattern; content: ".php"; http_client_body; distance: 0; pcre: "/general_log_file[^&]+\.php(\x22|\x27|\s|%27|%22|%20)/P"; reference: url, github.com/ptresearch/AttackDetection; classtype: attempted-admin; sid: 10004566; rev: 1; )

--------------------------------------------------------------------------------
/Omnivista_8770_RCE/omnivista_8770_rce.rules:
--------------------------------------------------------------------------------
alert tcp any any -> any any (msg: "ATTACK [PTsecurity] Omnivista 8770 UnAuth RCE (AddJobSet)"; flow: established, no_stream; content: "GIOP"; depth: 4; content: "SchedulerInterface"; distance: 0; content: "AddJobSet"; distance: 0; flowbits: set, Omnivista.SchedulerInterface.AddJobSet; flowbits: noalert; reference: url, blog.malerisch.net/2016/12/alcatel-omnivista-8770-unauth-rce-giop-corba.html; classtype: attempted-admin; reference: url, github.com/ptresearch/AttackDetection; sid: 10000677; rev: 1; )

alert tcp any any -> any any (msg: "ATTACK [PTsecurity] Omnivista 8770 UnAuth RCE (AddJob)"; flow: established, no_stream; content: "GIOP"; depth: 4; byte_jump:4,24; content: "|00 00 00 07|AddJob|00|"; within: 11; flowbits: isset, Omnivista.SchedulerInterface.AddJobSet; flowbits: set, Omnivista.SchedulerInterface.AddJob; flowbits: noalert; reference: url, blog.malerisch.net/2016/12/alcatel-omnivista-8770-unauth-rce-giop-corba.html; classtype: attempted-admin; reference: url, github.com/ptresearch/AttackDetection; sid: 10000678; rev:
1; ) 4 | 5 | alert tcp any any -> any any (msg: "ATTACK [PTsecurity] Omnivista 8770 UnAuth RCE (ExecuteNow)"; flow: established, no_stream; content: "GIOP"; depth: 4; byte_jump:4,24; content: "|00 00 00 0B|ExecuteNow|00|"; within: 15; flowbits: isset, Omnivista.SchedulerInterface.AddJob; reference: url, blog.malerisch.net/2016/12/alcatel-omnivista-8770-unauth-rce-giop-corba.html; classtype: attempted-admin; reference: url, github.com/ptresearch/AttackDetection; sid: 10000679; rev: 1; ) 6 | 7 | -------------------------------------------------------------------------------- /PetitPotam/petitpotam.rules: -------------------------------------------------------------------------------- 1 | alert tcp-pkt any any -> any any (msg: "ATTACK [PTsecurity] EFSR Bind"; flow: established, to_server; content: "|05 00 0B|"; content: "|88 D4 81 C6 50 D8 D0 11 8C 52 00 C0 4F D9 0F 7E|"; within: 64; flowbits: set, DCERPC.EFSR.Bind; reference: url, github.com/ptresearch/AttackDetection; metadata: Open Ptsecurity.com ruleset; metadata: created_at 2021_07_23, updated_at 2021_11_19; classtype: attempted-admin; sid: 10006662; rev: 2;) 2 | 3 | alert tcp-pkt any any -> any any (msg: "ATTACK [PTsecurity] EFSR /efsrpc Bind"; flow: established, to_server; content: "|05 00 0B|"; content: "|C5 41 19 DF 89 FE 79 4E BF 10 46 36 57 AC F4 4D|"; within: 64; flowbits: set, DCERPC.EFSR.Bind; reference: url, github.com/ptresearch/AttackDetection; metadata: Open Ptsecurity.com ruleset; metadata: created_at 2021_07_23, updated_at 2021_11_19; classtype: attempted-admin; sid: 10006663; rev: 2;) 4 | 5 | alert dcerpc any any -> any any (msg: "ATTACK [PTsecurity] PetitPotam (Machine account NTLM Hash leak) attempt"; flow: established, to_server; content: "|05 00 00|"; depth: 70; content: "|00 00|"; distance: 19; within: 2; flowbits: isset, DCERPC.EFSR.Bind; xbits: set, PetitPotam.Attempt, track ip_dst, expire 10; reference: url, github.com/ptresearch/AttackDetection; reference: url, 
github.com/topotam/PetitPotam; metadata: Open Ptsecurity.com ruleset; metadata: created_at 2021_07_23, updated_at 2021_11_19; classtype: attempted-admin; sid: 10006664; rev: 3;) 6 | 7 | alert tcp any any -> any any (msg: "ATTACK [PTsecurity] PetitPotam (Machine account NTLM Hash leak) successful"; flow: established, to_server; content: "SMB"; content: "NTLMSSP|00 03 00 00 00|"; distance: 0; byte_jump: 4, 36, relative, little, post_offset -55; content: "|00 24 00|"; within: 3; xbits: isset, PetitPotam.Attempt, track ip_src; reference: url, github.com/ptresearch/AttackDetection; reference: url, github.com/topotam/PetitPotam; metadata: Open Ptsecurity.com ruleset; metadata: created_at 2021_07_23, updated_at 2021_07_23; classtype: attempted-admin; sid: 10006665; rev: 2;) 8 | 9 | -------------------------------------------------------------------------------- /PowerShell Empire/pcap.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ptresearch/AttackDetection/c97fab325bba4baaf7a80d1c2e398ffe7161a163/PowerShell Empire/pcap.zip -------------------------------------------------------------------------------- /PowerShell Empire/power_shell_empire.rules: -------------------------------------------------------------------------------- 1 | alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MALWARE [PTsecurity] PowerShell Empire Request HTTP Pattern";flow: established, to_server; content: "POST"; http_method; content: "HTTP/1.1|0d0a|Cookie: session="; depth:1000; fast_pattern; content: "=|0d0a|User-Agent: "; distance:27; within:400; content: "Host: "; within:400; content: "Content-Length: 462|0d0a|"; within: 400; content:!"Referer|3a|"; http_header; content: !"Content-Type: "; http_header; classtype: trojan-activity; metadata: created_at 2017_11_21; reference: url, github.com/ptresearch/AttackDetection; sid: 10002268; rev: 2;) 2 | 3 | alert http $EXTERNAL_NET any -> $HOME_NET any (msg: "MALWARE [PTsecurity] 
PowerShell Empire stager receive over HTTP";flow: established, to_client; content:"200"; http_stat_code; content: "If($PSVersionTable.PSVersion.Major -ge 3){"; http_server_body; nocase; depth: 1000; content: "$GPS=[ref].Assembly.GetType(";http_server_body; nocase; within: 100; content: "System.Management.Automation.Utils";http_server_body; within: 100; threshold: type limit, track by_src, count 1, seconds 30; classtype: trojan-activity; metadata: created_at 2017_11_22; reference: url, github.com/ptresearch/AttackDetection; sid: 10002269; rev: 1;) 4 | 5 | -------------------------------------------------------------------------------- /PrintNightmare/printnightmare.rules: -------------------------------------------------------------------------------- 1 | alert tcp-pkt any any -> any any (msg: "ATTACK [PTsecurity] IREMOTEWINSPOOL Bind"; flow: established, to_server; content: "|96 3F F0 76 FD CD FC 44 A2 2C 64 95 0A 00 12 09|"; flowbits: set, DCERPC.IREMOTEWINSPOOL.Bind; flowbits: noalert; reference: url, github.com/ptresearch/AttackDetection; metadata: Open Ptsecurity.com ruleset; metadata: created_at 2021_07_12, updated_at 2021_08_10; classtype: attempted-admin; sid: 10006624; rev: 3;) 2 | 3 | alert tcp any any -> any any (msg: "ATTACK [PTsecurity] PrintNightmare attempt (CVE-2021-1675)"; flow: established, to_server; content: "|05 00 00|"; depth: 70; content: "|27 00|"; distance: 19; within: 2; flowbits: isset, DCERPC.IREMOTEWINSPOOL.Bind; threshold: type limit, track by_dst, count 1, seconds 60; reference: url, github.com/ptresearch/AttackDetection; reference: url, github.com/gentilkiwi/mimikatz/releases/tag/2.2.0-20210709; reference: cve, 2021-1675; metadata: Open Ptsecurity.com ruleset; metadata: created_at 2021_07_12, updated_at 2021_08_10; classtype: attempted-admin; sid: 10006625; rev: 3;) 4 | 5 | alert tcp-pkt any any -> any any (msg: "ATTACK [PTsecurity] SPOOLSS Bind"; flow: established, to_server; content: "|78 56 34 12 34 12 CD AB EF 00 01 23 45 67 89 
AB|"; flowbits: set, DCERPC.SPOOLSS.Bind; flowbits: noalert; reference: url, github.com/ptresearch/AttackDetection; metadata: Open Ptsecurity.com ruleset; metadata: created_at 2021_07_12, updated_at 2021_08_10; classtype: attempted-admin; sid: 10006626; rev: 3;) 6 | 7 | alert tcp any any -> any any (msg: "ATTACK [PTsecurity] PrintNightmare attempt (CVE-2021-1675)"; flow: established, to_server; content: "|05 00 00|"; depth: 70; content: "|59 00|"; distance: 19; within: 2; flowbits: isset, DCERPC.SPOOLSS.Bind; threshold: type limit, track by_dst, count 1, seconds 60; reference: url, github.com/ptresearch/AttackDetection; reference: cve, 2021-1675; metadata: Open Ptsecurity.com ruleset; metadata: created_at 2021_07_12, updated_at 2021_08_10; classtype: attempted-admin; sid: 10006627; rev: 3;) 8 | 9 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | Suricata PT Open Ruleset 2 | ===== 3 | The [Attack Detection Team](https://twitter.com/AttackDetection) searches for new vulnerabilities and 0-days, reproduces it and creates PoC exploits to understand how these security flaws work and how related attacks can be detected on the network layer. Additionally, we are interested in malware and hackers’ TTPs, so we develop Suricata rules for detecting all sorts of such activities. 4 | ## Structure 5 | This repository consisting of folders with self-explanatory names contains Suricata rules, PoC exploits, and traffic samples in zip archives with default password. 6 | 7 | :wrench: Some rules in this repo are aimed to detect communications under TLS. Please, set ```encryption-handling: full``` in suricata.yaml configuration file to activate them. 8 | ## SID range 9 | We use SID 10000000-11999999 for our rules. 10 | ## License 11 | This software is provided under a custom License. See the accompanying LICENSE file for more information. 
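The README documents two conventions that are easy to break when rules are edited or partially deployed: every SID must fall in 10000000-11999999, and the staged rules (EFSR Bind, IREMOTEWINSPOOL Bind, the MTproto checkers) only fire if the rule that `set`s their flowbit or xbit is loaded too. The following linter is an added example, not part of the ptresearch ruleset; the sample rules inside it are shortened from this page plus constructed defective ones, and the option splitter is a simplified parser, not Suricata's.

```python
"""Lint Suricata rules for the conventions this ruleset documents: SID range and
flowbits/xbits chains (every 'isset' needs some rule that 'set's the same bit).
Added example, not part of the ptresearch/AttackDetection repository."""
import re
from typing import Dict, List, Optional, Tuple

SID_RANGE = (10000000, 11999999)  # range stated in the README
RULE_RE = re.compile(r"^(\w+)\s+(.+?)\s*\((.*)\)\s*$")  # action, header, option body


def split_options(body: str) -> List[Tuple[str, str]]:
    """Split the option body on ';' outside double quotes (a backslash-escaped
    quote inside a value does not end the value). Returns (keyword, value) pairs."""
    opts, cur, in_q, i = [], [], False, 0
    while i < len(body):
        c = body[i]
        if c == "\\" and in_q and i + 1 < len(body):
            cur.append(c + body[i + 1])
            i += 2
            continue
        if c == '"':
            in_q = not in_q
        if c == ";" and not in_q:
            tok = "".join(cur).strip()
            if tok:
                k, _, v = tok.partition(":")
                opts.append((k.strip(), v.strip()))
            cur = []
        else:
            cur.append(c)
        i += 1
    return opts


def parse_rule(line: str) -> Optional[dict]:
    """Return {'action', 'header', 'opts'} for an active rule; None for comments/blank lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    m = RULE_RE.match(line)
    if not m:
        raise ValueError(f"unparseable rule: {line[:60]}")
    return {"action": m.group(1), "header": m.group(2), "opts": split_options(m.group(3))}


def bit_ops(opts: List[Tuple[str, str]]):
    """Yield (store, op, name) for flowbits/xbits options, e.g. ('xbits', 'isset', 'X')."""
    for k, v in opts:
        if k in ("flowbits", "xbits"):
            parts = [p.strip() for p in v.split(",")]
            if parts[0] in ("set", "isset", "unset", "isnotset", "toggle") and len(parts) > 1:
                yield k, parts[0], parts[1]


def lint(text: str) -> Dict[str, list]:
    """Check a rules file; flowbits and xbits are separate stores, so a bit is keyed by both."""
    findings = {"sid_out_of_range": [], "missing_sid": [], "duplicate_sid": [],
                "orphan_isset": [], "noalert_without_set": []}
    setters, checks, seen = {}, [], set()
    for lineno, line in enumerate(text.splitlines(), 1):
        rule = parse_rule(line)
        if rule is None:
            continue
        sid_val = next((v for k, v in rule["opts"] if k == "sid"), None)
        if sid_val is None:
            findings["missing_sid"].append(lineno)
            continue
        sid = int(sid_val)
        if sid in seen:
            findings["duplicate_sid"].append(sid)
        seen.add(sid)
        if not SID_RANGE[0] <= sid <= SID_RANGE[1]:
            findings["sid_out_of_range"].append(sid)
        has_set = False
        for store, op, name in bit_ops(rule["opts"]):
            if op == "set":
                setters.setdefault((store, name), []).append(sid)
                has_set = True
            elif op in ("isset", "isnotset"):
                checks.append((store, name, sid))
        # a noalert rule that sets nothing can never contribute to a chain
        if ("flowbits", "noalert") in rule["opts"] and not has_set:
            findings["noalert_without_set"].append(sid)
    for store, name, sid in checks:
        if (store, name) not in setters:
            findings["orphan_isset"].append((sid, f"{store}:{name}"))
    return findings


# Constructed sample: the first two lines are shortened from the PetitPotam chain on this
# page (bind sets the bit, the attempt rule consumes it); the rest are deliberate defects.
SAMPLE_RULES = r'''
# comment lines and disabled rules are skipped
alert tcp-pkt any any -> any any (msg: "ATTACK [PTsecurity] EFSR Bind"; flow: established, to_server; content: "|05 00 0B|"; content: "|88 D4 81 C6 50 D8 D0 11 8C 52 00 C0 4F D9 0F 7E|"; within: 64; flowbits: set, DCERPC.EFSR.Bind; sid: 10006662; rev: 2;)
alert dcerpc any any -> any any (msg: "ATTACK [PTsecurity] PetitPotam (Machine account NTLM Hash leak) attempt"; flow: established, to_server; content: "|05 00 00|"; depth: 70; flowbits: isset, DCERPC.EFSR.Bind; xbits: set, PetitPotam.Attempt, track ip_dst, expire 10; sid: 10006664; rev: 3;)
alert tcp any any -> any any (msg: "TEST sid outside documented range"; flow: established; content: "x\"y;z"; sid: 2000001; rev: 1;)
alert tcp any any -> any any (msg: "TEST isset on a bit nothing sets"; flow: established; xbits: isset, Nobody.Sets.Me, track ip_src; flowbits: noalert; sid: 10009999; rev: 1;)
alert tcp any any -> any any (msg: "TEST duplicate sid"; flow: established; content: "a;b"; sid: 10009999; rev: 1;)
'''

if __name__ == "__main__":
    for kind, items in lint(SAMPLE_RULES).items():
        print(f"{kind}: {items}")
```

Run it over the repository's .rules files (concatenated) to spot chains whose precondition rule was dropped during a selective deployment.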
--------------------------------------------------------------------------------
/SilentTrinity/silenttrinity.rules:
--------------------------------------------------------------------------------
alert tls any any -> any any (msg: "MALWARE [PTsecurity] Silent Trinity pkt checker #0"; flow: established, to_client; stream_size: client, <,3500; stream_size: server, <,3500; content: "|1703030065|"; depth: 5; flowbits: set, ST_checker1; flowbits: noalert; reference: url, github.com/ptresearch/AttackDetection; classtype: trojan-activity; sid: 11004397; rev: 2;)

alert tls any any -> any any (msg: "MALWARE [PTsecurity] Silent Trinity pkt checker #1"; flow: established, to_client; stream_size: client, <,3500; stream_size: server, <,3500; content: "|1703030099|"; depth: 5; flowbits: isset, ST_checker1; flowbits: set, ST_checker2; flowbits: unset, ST_checker1; flowbits: noalert; reference: url, github.com/ptresearch/AttackDetection; classtype: trojan-activity; sid: 11004398; rev: 2;)

alert tls any any -> any any (msg: "MALWARE [PTsecurity] Silent Trinity RAT (post-exploitation agent)"; flow: established, to_client; stream_size: client, <,3500; stream_size: server, <,3500; content: "|17030300a0|"; depth: 5; flowbits: isset, ST_checker2; flowbits: unset, ST_checker2; reference: url, github.com/ptresearch/AttackDetection; classtype: trojan-activity; sid: 11004399; rev: 2;)
--------------------------------------------------------------------------------
/Spring4Shell/Spring4Shell.rules:
--------------------------------------------------------------------------------
alert http any any -> any any (msg: "ATTACK [PTsecurity] Spring Core RCE aka Spring4Shell Attempt"; flow: established; content: "pipeline.first.pattern"; nocase; content: "getRuntime"; nocase; distance: 0; content: "exec"; nocase; pcre: "/(?:%25|%)(?:%7B|{)/i"; pcre: "/(?:%7D|})i/i"; reference: url, github.com/ptresearch/AttackDetection; reference: url, www.cyberkendra.com/2022/03/springshell-rce-0-day-vulnerability.html; classtype: attempted-admin; sid: 10007107; rev: 1;)

--------------------------------------------------------------------------------
/Squid 3.5 http cache poisoning/squid.rules:
--------------------------------------------------------------------------------
alert http $HOME_NET any -> $HOME_NET any (msg: "ATTACK [PTsecurity] Mismatch URI and Host header. Possible Squid cache poisoning"; content: "GET"; http_method; content: "://"; fast_pattern; distance: 0; http_raw_uri; pcre: "/^\w+\s+\w+:\/\/\S+\s+.*?[\r\n].*?Host:[ \t]+[\w\.:]+\b/is"; pcre:! "/^\w+\s+\w+:\/\/([^\/\s:#]+)[\/\s:#]\S*.+?Host:[ \t]*\1\S*\b/is"; reference: url, bugs.squid-cache.org/show_bug.cgi?id=4501; reference: cve, 2016-4554; classtype: attempted-recon; reference: url, github.com/ptresearch/AttackDetection; sid: 10000035; rev: 4; )

--------------------------------------------------------------------------------
/Suricon2018/readme.md:
--------------------------------------------------------------------------------
Pcaps for these rules are here: https://storage.ptsecurity.com/d/7f387844efd84fbaac74/
--------------------------------------------------------------------------------
/SystemNightmare/systemnightmare.rules:
--------------------------------------------------------------------------------
alert smb any any -> any any (msg: "ATTACK [PTsecurity] Possible SystemNightmare LPE"; flow: established; content: "|63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 00 00 77 00 69 00 6E 00 73 00 74 00 61 00 30 00 5C 00 64 00 65 00 66 00 61 00 75 00 6C 00 74 00 00 00|"; reference: url, github.com/ptresearch/AttackDetection; reference: url, github.com/gentilkiwi/mimikatz/blob/master/mimispool/README.md; metadata: created_at 2021_09_22, updated_at 2021_10_01; classtype: attempted-admin; sid: 10006770; rev: 2;)

--------------------------------------------------------------------------------
/Telegram/telegram.rules:
--------------------------------------------------------------------------------
#################### MTproto Telegram
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg: "APP [PTsecurity] MTproto Telegram pkt chk#0"; flow: established, to_server; dsize: 130<>240; content: !"|1603|"; depth: 2; stream_size: server, =, 1; stream_size: client, >,130; stream_size: client, <,300; flowbits: set, FBMproto_0; flowbits: noalert; pcre: "/[\x09-\x0e]/"; reference: url, github.com/ptresearch/AttackDetection; metadata: autosign, id_0,; metadata: created_at 2019_02_19, updated_at 2021_03_20; classtype: misc-activity; sid: 11004534; rev: 4;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "APP [PTsecurity] MTproto Telegram pkt chk#1"; flow: established, to_client; dsize: 100<>120; stream_size: server, >,100; stream_size: server, <,200; stream_size: client, >,130; stream_size: client, <,300; flowbits: isset, FBMproto_0; flowbits: unset, FBMproto_0; flowbits: set, FBMproto_1; flowbits: noalert; pcre: "/[\x09-\x0e]/"; reference: url, github.com/ptresearch/AttackDetection; metadata: autosign, id_0,; metadata: created_at 2019_02_19, updated_at 2021_03_20; classtype: misc-activity; sid: 11004535; rev: 3;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg: "APP [PTsecurity] MTproto Telegram pkt chk#2"; flow: established, to_server; dsize: 130<>450; stream_size: server, >,100; stream_size: server, <,200; stream_size: client, >,260; stream_size: client, <,880; flowbits: isset, FBMproto_1; flowbits: unset, FBMproto_1; flowbits: set, FBMproto_2; flowbits: noalert; pcre: "/[\x09-\x0e]/"; reference: url, github.com/ptresearch/AttackDetection; metadata: autosign, id_0,; metadata: created_at 2019_02_19, updated_at 2021_03_20; classtype: misc-activity; sid: 11004536; rev: 3;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "APP [PTsecurity] MTproto Telegram pkt chk#3"; flow: established, to_client; dsize: 150<>250; stream_size: server, >,250; stream_size: server, <,600; stream_size: client, >,260; stream_size: client, <,880; flowbits: isset, FBMproto_2; flowbits: unset, FBMproto_2; flowbits: set, FBMproto_3; flowbits: noalert; pcre: "/[\x09-\x0e]/"; reference: url, github.com/ptresearch/AttackDetection; metadata: autosign, id_0,; metadata: created_at 2019_02_19, updated_at 2021_03_20; classtype: misc-activity; sid: 11004537; rev: 3;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg: "APP [PTsecurity] MTproto Telegram"; flow: established, to_server; dsize: 250<>350; stream_size: server, >,250; stream_size: server, <,600; stream_size: client, >,460; stream_size: client, <,1000; flowbits: isset, FBMproto_3; flowbits: unset, FBMproto_3; pcre: "/[\x09-\x0e]/"; reference: url, github.com/ptresearch/AttackDetection; metadata: autosign, id_0,; metadata: created_at 2019_02_19, updated_at 2019_07_25; classtype: misc-activity; sid: 11004538; rev: 2;)

--------------------------------------------------------------------------------
/ThePrinterBug/theprinterbug.rules:
--------------------------------------------------------------------------------
alert smb any any -> any any (msg: "ATTACK AD [PTsecurity] SPOOLSS DCERPC/SMB Bind"; flow: to_server, established, no_stream; content: "SMB"; offset: 5; depth: 3; content: "|05 00 0B|"; distance: 0; content: "|78 56 34 12 34 12 cd ab ef 00 01 23 45 67 89 ab 01 00 00 00|"; distance: 29; flowbits: set, DCERPC.BIND.SPOOLSS; flowbits: noalert; reference: url, github.com/ptresearch/AttackDetection; classtype: attempted-recon; sid: 10004152; rev: 1; )

alert smb any any -> $DC_SERVERS 445 (msg: "ATTACK AD [PTsecurity] Possible MS-RPRN abuse. Hash or Ticket theft"; flow: to_server, established, no_stream; content: "SMB"; offset: 5; depth: 3; content: "|05 00 00|"; distance: 0; content: "|41 00|"; distance: 19; within: 2; content: "|00 01 00 00|"; distance: 36; within: 4; content: "|5C 00 5C 00|"; fast_pattern; distance: 0; flowbits: isset, DCERPC.BIND.SPOOLSS; reference: url, posts.specterops.io/not-a-security-boundary-breaking-forest-trusts-cd125829518d; reference: url, github.com/ptresearch/AttackDetection; classtype: attempted-recon; sid: 10004153; rev: 1;)
--------------------------------------------------------------------------------
/aes.ddos.dofloo/aes.ddos.dofloo.rules:
--------------------------------------------------------------------------------
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg: "MALWARE [PTsecurity] AES.DDoS.Dofloo"; flow: established, to_server; stream_size: server, =, 1; content: "VERSONEX"; depth: 60; classtype: trojan-activity; metadata: created_at 2019_04_11; reference: url, github.com/ptresearch/AttackDetection; sid: 10004700; rev: 1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg: "MALWARE [PTsecurity] AES.DDoS.Dofloo"; flow: established, to_server; dsize: 20; content: "|49 4e 46 4f 3a 30 2e 30 25 7c 30 2e 30|"; depth: 13; content: "|20 4d 62 70 73 00|"; distance: 1; within: 6; classtype: trojan-activity; metadata: created_at 2019_04_11; reference: url, github.com/ptresearch/AttackDetection; sid: 10004701; rev: 1;)
--------------------------------------------------------------------------------
/apache_continuum_cmd_injection/continuum_cmd_injection.rules:
--------------------------------------------------------------------------------
alert http any any -> $HOME_NET any (msg: "ATTACK [PTsecurity] Apache Continuum <= v1.4.2 CMD Injection"; content: "POST"; http_method; content: "/continuum/saveInstallation.action"; offset: 0; depth: 34; http_uri; content: "installation.varValue="; nocase; http_client_body; pcre: !"/^\$?[\sa-z\\_0-9.-]*(\&|$)/iRP"; flow: to_server, established; classtype: web-application-attack; reference: url, exploit-db.com/exploits/39886; reference: url, github.com/ptresearch/AttackDetection; sid: 10000048; rev: 1;)
--------------------------------------------------------------------------------
/apache_continuum_cmd_injection/pcap.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ptresearch/AttackDetection/c97fab325bba4baaf7a80d1c2e398ffe7161a163/apache_continuum_cmd_injection/pcap.zip
--------------------------------------------------------------------------------
/badtunnel/badtunnel.rules:
--------------------------------------------------------------------------------
alert udp $EXTERNAL_NET 137 -> $HOME_NET 137 (msg: "ATTACK [PTsecurity] BadTunnel NBNS response after NBSTAT query"; flow: no_stream; byte_test: 1,&,0x80,2; content: !"|00 00|"; offset: 6; depth: 2; threshold: type limit, track by_dst, count 1, seconds 30; xbits: isset, BadTunnelStage1, track ip_dst; reference: url, xlab.tencent.com/en/2016/06/17/BadTunnel-A-New-Hope/; reference: cve, 2016-3236; classtype: attempted-recon; reference: url, github.com/ptresearch/AttackDetection; sid: 10000051; rev: 2;)

#alert udp $EXTERNAL_NET 137 -> $HOME_NET 137 (msg: "ATTACK [PTsecurity] BadTunnel WPAD spoofing attempt via NBNS"; flow: no_stream; content: "|46 48 46 41 45 42 45 45|"; offset: 13; depth: 8; threshold: type limit, track by_dst, count 1, seconds 30; reference: url, xlab.tencent.com/en/2016/06/17/BadTunnel-A-New-Hope/; reference: cve, 2016-3236; classtype: attempted-recon; reference: url, github.com/ptresearch/AttackDetection; sid: 10000052; rev: 1;)

#alert udp $EXTERNAL_NET 137 -> $HOME_NET 137 (msg: "ATTACK [PTsecurity] BadTunnel ISATAP spoofing attempt via NBNS"; flow: no_stream; content: "|45 4A 46 44 45 42 46 45 45 42 46 41|"; offset: 13; depth: 12; threshold: type limit, track by_dst, count 1, seconds 30; reference: url, xlab.tencent.com/en/2016/06/17/BadTunnel-A-New-Hope/; reference: cve, 2016-3236; classtype: attempted-recon; reference: url, github.com/ptresearch/AttackDetection; sid: 10000053; rev: 1;)

--------------------------------------------------------------------------------
/carbanak_pegasus/carbanak_pegasus.rules:
--------------------------------------------------------------------------------
alert http $HOME_NET any -> $EXTERNAL_NET 80 (msg: "MALWARE [PTsecurity] Pegasus (Buhtrap/Ratopak) C2 connection"; flow: established, to_server; content: "POST"; http_method; content: ".php"; http_uri; content: "Content-Type: multipart/form-data|3b| boundary="; http_header; pcre: "/^[0-9a-f]{12}\r\n/RH"; content: "Content-Type: application/octet-stream"; http_client_body; content: "Content-Disposition: form-data|3b| name=|22|"; http_client_body; pcre: "/^[a-z]{8,14}\x22\r\nContent-Type: application/octet-stream\r\n\r\n(.{192}){1,2}\r\n--[0-9a-z]{12}--/RPs"; pcre: "/[\x0e-\x19\x80-\xff]{4}/P"; classtype: trojan-activity; reference: url, github.com/ptresearch/AttackDetection; sid: 10003298; rev: 1; )

alert udp $HOME_NET any -> $HOME_NET 138 (msg: "MALWARE [PTsecurity] Pegasus (Buhtrap/Ratopak) credentials broadcast via Mailslot"; content: "|5C|MAILSLOT|5C|"; content: !"|00|"; within: 16; pcre: "/^[0-9A-F]{16,32}\x00/R"; pcre: "/[\x0e-\x19\x80-\xff]{5}/R"; threshold: type both, track by_src, count 4, seconds 3600; classtype: trojan-activity; reference: url, github.com/ptresearch/AttackDetection; sid: 10003304; rev: 1; )

alert tcp $HOME_NET any -> $HOME_NET 445 (msg: "MALWARE [PTsecurity] Pegasus (Buhtrap/Ratopak) domain replication remote pipe check"; flow: established, to_server, no_stream; content: "SMB"; content: "|0B 00|"; distance: 8; within: 2; content: "|00 00 18 00 11 00 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF|"; distance: 0; pcre: "/([0-9A-F]\x00){16,32}$/R"; threshold: type threshold, track by_src, count 8, seconds 2; classtype: trojan-activity; reference: url, github.com/ptresearch/AttackDetection; sid: 10003305; rev: 1; )

--------------------------------------------------------------------------------
/dcshadow/dcshadow.rules:
--------------------------------------------------------------------------------
alert tcp !$DC_SERVERS any -> $DC_SERVERS [1024:] (msg: "ATTACK AD [PTsecurity] DCShadow Replication Attempt"; flow: established, to_server; content: "|05 00 0B|"; depth: 3; content: "|35 42 51 E3 06 4B D1 11 AB 04 00 C0 4F C2 DC D2|"; distance: 0; flowbits: set, RPC.Bind.DRSUAPI; flowbits: noalert; reference: url, blog.alsid.eu/dcshadow-explained-4510f52fc19d; classtype: attempted-admin; reference: url, github.com/ptresearch/AttackDetection; sid: 10002557; rev: 2; )

alert tcp !$DC_SERVERS any -> $DC_SERVERS [1024:] (msg: "ATTACK AD [PTsecurity] DCShadow Replication Attempt - DRSUAPI_REPLICA_ADD from non-DC"; flow: established, to_server, no_stream; content: "|05 00 00 03|"; depth: 4; content: "|05 00|"; distance: 18; within: 2; flowbits: isset, RPC.Bind.DRSUAPI; reference: url, blog.alsid.eu/dcshadow-explained-4510f52fc19d; classtype: attempted-admin; reference: url, github.com/ptresearch/AttackDetection; sid: 10002558; rev: 1; )

alert tcp !$DC_SERVERS any -> $DC_SERVERS 389 (msg: "ATTACK [PTsecurity] DCShadow: Fake DC Creation"; flow: established, to_server; content: "|68 84 00|"; content: "CN="; distance: 5; within: 3; content: "CN=Servers,CN="; distance: 0; content: ",CN=Sites,CN=Configuration,DC="; distance: 0; content: "objectClass"; distance: 0; content: "server"; distance: 0; reference: url, blog.alsid.eu/dcshadow-explained-4510f52fc19d; classtype: attempted-admin; reference: url, github.com/ptresearch/AttackDetection; sid: 10002559; rev: 2; )

#alert dcerpc any any -> $HOME_NET any (msg: "ATTACK AD [PTsecurity] DCShadow Replication Attempt - DRSUAPI_REPLICA_ADD"; flow: established; dce_iface: e3514235-4b06-11d1-ab04-00c04fc2dcd2; dce_opnum: 5; reference: url, blog.alsid.eu/dcshadow-explained-4510f52fc19d; classtype: attempted-admin; reference: url, github.com/ptresearch/AttackDetection; sid: 10002570; rev: 1; )

--------------------------------------------------------------------------------
/dcshadow/pcap.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ptresearch/AttackDetection/c97fab325bba4baaf7a80d1c2e398ffe7161a163/dcshadow/pcap.zip
--------------------------------------------------------------------------------
/eternalblue(WannaCry,Petya)/eternalblue(WannaCry,Petya).rules:
--------------------------------------------------------------------------------
alert smb any any -> $HOME_NET any (msg: "ATTACK [PTsecurity] Unimplemented Trans2 Sub-Command code. Possible ETERNALBLUE (WannaCry, Petya) tool"; flow: to_server, established; content: "|FF|SMB2|00 00 00 00|"; depth: 9; offset: 4; byte_test: 2, >, 0x0008, 52, relative, little; pcre: "/\xFFSMB2\x00\x00\x00\x00.{52}(?:\x04|\x09|\x0A|\x0B|\x0C|\x0E|\x11)\x00/s"; flowbits: set, SMB.Trans2.SubCommand.Unimplemented; reference: url, msdn.microsoft.com/en-us/library/ee441654.aspx; classtype: attempted-admin; reference: url, github.com/ptresearch/AttackDetection; sid: 10001254; rev: 2;)

#alert smb any any -> $HOME_NET any (msg: "ATTACK [PTsecurity] ETERNALBLUE (WannaCry, Petya) SMB MS Windows RCE"; flow: to_server, established; content: "|FF|SMB3|00 00 00 00|"; depth: 9; offset: 4; flowbits: isset, SMB.Trans2.SubCommand.Unimplemented; threshold: type limit, track by_src, seconds 60, count 1; reference: cve, 2017-0144; classtype: attempted-admin; reference: url, github.com/ptresearch/AttackDetection; sid: 10001255; rev: 3;)

#alert smb any any -> $HOME_NET any (msg: "ATTACK [PTsecurity] Trans2 Sub-Command 0x0E. Likely ETERNALBLUE (WannaCry, Petya) tool"; flow: to_server, established; content: "|FF|SMB2|00 00 00 00|"; depth: 9; offset: 4; content: "|0E 00|"; distance: 52; within: 2; flowbits: set, SMB.Trans2.SubCommand.Unimplemented.Code0E; reference: url, msdn.microsoft.com/en-us/library/ee441654.aspx; classtype: attempted-admin; reference: url, github.com/ptresearch/AttackDetection; sid: 10001256; rev: 2;)

alert smb any any -> $HOME_NET any (msg: "ATTACK [PTsecurity] Petya ransomware perfc.dat component"; flow: to_server, established, no_stream; content: "|fe 53 4d 42|"; offset: 4; depth: 4; content: "|05 00|"; offset: 16; depth: 2; byte_jump: 2, 112, little, from_beginning, post_offset 4; content: "|70 00 65 00 72 00 66 00 63 00 2e 00 64 00 61 00 74 00|"; distance: 0; classtype: suspicious-filename-detect; reference: url, github.com/ptresearch/AttackDetection; sid: 10001443; rev: 1;)

alert smb any any -> $HOME_NET any (msg: "ATTACK [PTsecurity] SMB2 Create PSEXESVC.EXE"; flow: to_server, established, no_stream; content: "|fe 53 4d 42|"; offset: 4; depth: 4; content: "|05 00|"; offset: 16; depth: 2; byte_jump: 2, 112, little, from_beginning, post_offset 4; content: "|50 00 53 00 45 00 58 00 45 00 53 00 56 00 43 00 2e 00 45 00 58 00 45|"; distance: 0; classtype: suspicious-filename-detect; reference: url, github.com/ptresearch/AttackDetection; sid: 10001444; rev: 1;)

--------------------------------------------------------------------------------
/httpoxy/httpoxy.rules:
--------------------------------------------------------------------------------
alert http $EXTERNAL_NET any -> $HOME_NET any (msg: "ATTACK [PTsecurity] Possible HTTPoxy HTTP_PROXY value spoofing"; flow: established, to_server; content: "|0A|Proxy:"; nocase; http_header; reference: url, httpoxy.org; reference: cve, 2016-5385; reference: cve, 2016-5386; reference: cve, 2016-5387; reference: cve, 2016-5388; reference: cve, 2016-1000109; reference: cve, 2016-1000110; classtype: attempted-recon; reference: url, github.com/ptresearch/AttackDetection; sid: 10000065; rev: 3;)
--------------------------------------------------------------------------------
/httpoxy/pcap.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ptresearch/AttackDetection/c97fab325bba4baaf7a80d1c2e398ffe7161a163/httpoxy/pcap.zip
--------------------------------------------------------------------------------
/ios 10.1.x remote memory corruption/ios_10.1.x_remote_memory_corruption.rules:
--------------------------------------------------------------------------------
alert http $EXTERNAL_NET any -> $HOME_NET any (msg: "ATTACK [PTsecurity] iOS 10.1.x Remote memory corruption through certificate file Attempt"; flow: established, from_server; content: "-----BEGIN CERTIFICATE-----"; depth: 27; http_server_body; content: "BggrBgEFBQcwAoaD"; distance: 0; http_server_body; reference: url, cxsecurity.com/issue/WLB-2016110046; classtype: attempted-dos; reference: url, github.com/ptresearch/AttackDetection; sid: 10000757; rev: 1; )

alert http $EXTERNAL_NET any -> $HOME_NET any (msg: "ATTACK [PTsecurity] iOS 10.1.x Remote memory corruption through certificate file Attempt"; flow: established, from_server; content: "-----BEGIN CERTIFICATE-----"; depth: 27; http_server_body; content: "YIKwYBBQUHMAKGgw"; distance: 0; http_server_body; reference: url, cxsecurity.com/issue/WLB-2016110046; classtype: attempted-dos; reference: url, github.com/ptresearch/AttackDetection; sid: 10000758; rev: 1; )

alert http $EXTERNAL_NET any -> $HOME_NET any (msg: "ATTACK [PTsecurity] iOS 10.1.x Remote memory corruption through certificate file Attempt"; flow: established, from_server; content: "-----BEGIN CERTIFICATE-----"; depth: 27; http_server_body; content: "GCCsGAQUFBzAChoM"; distance: 0; http_server_body; reference: url, cxsecurity.com/issue/WLB-2016110046; classtype: attempted-dos; reference: url, github.com/ptresearch/AttackDetection; sid: 10000759; rev: 1; )

--------------------------------------------------------------------------------
/nfcapd/nfcapd.rules:
--------------------------------------------------------------------------------
alert udp $EXTERNAL_NET any -> $HOME_NET any (msg: "ATTACK [PTsecurity] Nfcapd buffer overflow via incorrect flowset_length field attempt"; content: "|00 0a|"; depth: 2; content: "|00 02 00|"; distance: 14; within: 3; byte_test: 1, <=, 0x07, 0, relative; byte_test: 1, >=, 0x05, 0, relative; reference: url, www.exploit-db.com/exploits/39800; classtype: attempted-dos; reference: url, github.com/ptresearch/AttackDetection; sid: 10000038; rev: 1; )

alert udp $EXTERNAL_NET any -> $HOME_NET any (msg: "ATTACK [PTsecurity] Nfcapd buffer overflow with large scope_field_count field attempt"; content: "|00 0a|"; depth: 2; content: "|00 03 00|"; distance: 14; within: 3; content: "|00 00|"; distance: 3; within: 2; byte_test: 2, >=, 30000, 0, relative; reference: url, www.exploit-db.com/exploits/39800; classtype: attempted-dos; reference: url, github.com/ptresearch/AttackDetection; sid: 10000039; rev: 1; )

alert udp $EXTERNAL_NET any -> $HOME_NET any (msg: "ATTACK [PTsecurity] Nfcapd DoS attempt causing infinite loop"; content: "|00 09|"; depth: 2; content: "|00 00 00 14 04 00 00|"; distance: 18; within: 7; reference: url, www.exploit-db.com/exploits/39800; classtype: attempted-dos; reference: url, github.com/ptresearch/AttackDetection; sid: 10000040; rev: 1; )

--------------------------------------------------------------------------------
/nfcapd/pcap.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ptresearch/AttackDetection/c97fab325bba4baaf7a80d1c2e398ffe7161a163/nfcapd/pcap.zip
--------------------------------------------------------------------------------
/phpggc/phpggc.rules:
--------------------------------------------------------------------------------
alert tcp any any -> any any (msg: "ATTACK [PTsecurity] PHP Object Deserialization RCE POP Chain (Guzzle/RCE1)"; flow: established; content: "GuzzleHttp"; content: "Psr7"; distance: 0; content: "FnStream"; distance: 0; content: "close"; distance: 0; content: "GuzzleHttp"; distance: 0; content: "HandlerStack"; distance: 0; content: "resolve"; distance: 0; reference: url, github.com/ambionics/phpggc; classtype: attempted-admin; reference: url, github.com/ptresearch/AttackDetection; sid: 10003494; rev: 2; )

--------------------------------------------------------------------------------
/policy/policy.rules:
--------------------------------------------------------------------------------
alert tcp any any -> any 389 (msg: "POLICY [PTsecurity] LDAP Cleartext credentials exposure"; flow: established, to_server, no_stream; content: "|30|"; depth: 1; content: "|02 01|"; distance: 1; within: 2; content: "|60|"; distance: 1; within: 1; content: "|02 01|"; distance: 1; within: 2; content: "|04|"; distance: 1; within: 1; byte_jump: 1, 0, relative; content: "|80|"; within: 1; content: !"|00|"; within: 1; reference: url, github.com/ptresearch/AttackDetection; classtype: successful-recon-limited; sid: 10002317; rev: 2;)
--------------------------------------------------------------------------------
/pt.rules.tar.gz:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ptresearch/AttackDetection/c97fab325bba4baaf7a80d1c2e398ffe7161a163/pt.rules.tar.gz
--------------------------------------------------------------------------------
/pt.rules.tar.gz.md5:
--------------------------------------------------------------------------------
63013cd0640a3f95c5f6010b5691c49c
--------------------------------------------------------------------------------
/rConfig_rce/rconfig_rce.rules:
-------------------------------------------------------------------------------- 1 | alert http any any -> any any (msg: "ATTACK [PTsecurity] rConfig ajaxServerSettingsChk.php unauth RCE (CVE-2019-16662)"; flow: established, to_server; content: "ajaxserversettingschk.php"; http_uri; nocase; pcre: "/(?:\x3b|\x26|\x7C|%3b|%7c|%26)/iRU"; reference: url, shells.systems/rconfig-v3-9-2-authenticated-and-unauthenticated-rce-cve-2019-16663-and-cve-2019-16662; reference: cve, 2019-16662; reference: url, github.com/ptresearch/AttackDetection; classtype: attempted-admin; sid: 10005501; rev: 4;) 2 | 3 | alert http any any -> any any (msg: "ATTACK [PTsecurity] rConfig search.crud.php unauth RCE (CVE-2019-16663)"; flow: established, to_server; content: "search.crud.php"; http_uri; nocase; pcre: "/(?:\x3b|\x26|\x7C|%3b|%7c|%26)/iRU"; reference: url, shells.systems/rconfig-v3-9-2-authenticated-and-unauthenticated-rce-cve-2019-16663-and-cve-2019-16662; reference: cve, 2019-16663; reference: url, github.com/ptresearch/AttackDetection; classtype: attempted-admin; sid: 10005502; rev: 4;) 4 | -------------------------------------------------------------------------------- /raisecom_gpon_rce/raisecom_gpon_rce.rules: -------------------------------------------------------------------------------- 1 | alert http any any -> any any (msg: "ATTACK [PTsecurity] Raisecom GPON RCE via command injection (CVE-2019-7385)"; flow: established, to_server; content: "POST"; http_method; content: "/boaform/formPasswordSetup"; http_uri; content: "confpass"; http_client_body; pcre: "/(newpass|confpass)\s*=\s*\x60/P"; reference: cve, 2019-7385; reference: url, s3curityb3ast.github.io/KSA-Dev-006.md; reference: url, github.com/ptresearch/AttackDetection; classtype: attempted-admin; sid: 10004526; rev: 1;) 2 | 3 | alert http any any -> any any (msg: "ATTACK [PTsecurity] Raisecom GPON RCE via command injection (CVE-2019-7384)"; flow: established, to_server; content: "POST"; http_method; content: 
"/boaform/admin/formgponConf"; http_uri; content: "fmgpon_loid"; http_client_body; pcre: "/fmgpon_loid\s*=\s*(\x7c|%7c)/P"; reference: cve, 2019-7384; reference: url, s3curityb3ast.github.io/KSA-Dev-005.md; reference: url, github.com/ptresearch/AttackDetection; classtype: attempted-admin; sid: 10004527; rev: 1;) 4 | -------------------------------------------------------------------------------- /redis_replication_rce/redis_replication_rce.rules: -------------------------------------------------------------------------------- 1 | alert tcp any any -> any any (msg: "ATTACK [PTsecurity] Redis Master-Slave replication RCE successful"; flow: established, to_client; content: "FULLRESYNC"; nocase; depth: 20; content: "|7F|ELF"; within: 70; reference: url, paper.seebug.org/977; reference: url, github.com/ptresearch/AttackDetection; classtype: attempted-admin; sid: 10005212; rev: 1;) 2 | -------------------------------------------------------------------------------- /scm_tools_rce/scm_tools_rce.rules: -------------------------------------------------------------------------------- 1 | alert tcp any any -> $HOME_NET any (msg: "ATTACK [PTsecurity] SVN/Git Remote Code Execution through malicious (svn+,git+)ssh:// URL (Multiple CVEs)"; flow: established; content: "ssh://-"; nocase; pcre: "/\S{3}/Rsi"; reference: cve, 2017-9800; reference: cve, 2017-12426; reference: cve, 2017-1000116; reference: cve, 2017-1000117; reference: url, subversion.apache.org/security/CVE-2017-9800-advisory.txt; classtype: attempted-admin; reference: url, github.com/ptresearch/AttackDetection; sid: 10001756; rev: 3; ) 2 | 3 | alert tcp any [3690, 9418] <> any any (msg: "ATTACK [PTsecurity] SVN/Git Remote Code Execution through malicious (svn+,git+)ssh:// URL (Multiple CVEs)"; flow: established; content: "ssh://"; nocase; pcre: "/ssh:\/\/(?:[^@\s]+@)?(?:[\w\:\.\-\[\]\@]+[^\w\:\.\-\[\]\@\/\ ]|[^\w\:\.\-\[\]\@\/\ ][\w\:\.\-\[\]\@])/i"; reference: cve, 2017-9800; reference: cve, 2017-12426; reference: 
cve, 2017-1000116; reference: cve, 2017-1000117; reference: url, subversion.apache.org/security/CVE-2017-9800-advisory.txt; classtype: attempted-admin; reference: url, github.com/ptresearch/AttackDetection; sid: 10001757; rev: 3; ) 4 | 5 | alert http any any -> $HOME_NET any (msg: "ATTACK [PTsecurity] SVN/Git Remote Code Execution through malicious (svn+,git+)ssh:// URL (Multiple CVEs)"; flow: established, from_server; content: "30"; http_stat_code; depth: 2; content: "Location:"; http_header; nocase; content: "ssh://"; nocase; http_header; distance: 0; pcre: "/ssh:\/\/(?:[^@\s]+@)?(?:[\w\:\.\-\[\]\@]+[^\w\:\.\-\[\]\@\/\ ]|[^\w\:\.\-\[\]\@\/\ ][\w\:\.\-\[\]\@])/Hi"; reference: cve, 2017-9800; reference: cve, 2017-12426; reference: cve, 2017-1000116; reference: cve, 2017-1000117; reference: url, subversion.apache.org/security/CVE-2017-9800-advisory.txt; classtype: attempted-admin; reference: url, github.com/ptresearch/AttackDetection; sid: 10001763; rev: 2; ) 6 | 7 | -------------------------------------------------------------------------------- /tools/burp_suite.rules: -------------------------------------------------------------------------------- 1 | alert dns any any -> any any (msg: "TOOLS [PTsecurity] Burp Suite tool activity. 
portswigger.net resolve"; dns_query; content: "portswigger.net"; reference: url, github.com/ptresearch/AttackDetection; classtype: string-detect; sid: 10006023; rev: 2;) 2 | -------------------------------------------------------------------------------- /vBulletin_5.x_rce/vbulletin_5.x_rce.rules: -------------------------------------------------------------------------------- 1 | alert http any any -> any any (msg: "ATTACK [PTsecurity] vBulletin 5.x pre-auth RCE"; flow: established, to_server; content: "POST"; http_method; content: "routestring"; http_client_body; content: "widget_php"; within: 30; http_client_body; pcre: "/ajax.{1,6}render.{1,6}widget_php/P"; pcre: "/widgetConfig.{1,6}code/P"; reference: url, seclists.org/fulldisclosure/2019/Sep/31; reference: url, github.com/ptresearch/AttackDetection; classtype: attempted-admin; sid: 10005417; rev: 1;) 2 | -------------------------------------------------------------------------------- /wannamine/pcap.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ptresearch/AttackDetection/c97fab325bba4baaf7a80d1c2e398ffe7161a163/wannamine/pcap.zip -------------------------------------------------------------------------------- /wannamine/wannamine.rules: -------------------------------------------------------------------------------- 1 | alert tcp $HOME_NET any -> $DC_SERVERS 88 (msg: "ATTACK [PTsecurity] Overpass the hash. 
Encryption downgrade activity to ARCFOUR-HMAC-MD5"; flow: no_stream, established, to_server; content: "|A1 03 02 01 05 A2 03 02 01 0A|"; offset: 12; depth: 10; content: "|A1 03 02 01 02|"; distance: 5; within: 6; content: "|A0 03 02 01 17|"; distance: 6; within: 6; content: "krbtgt"; distance: 0; xbits: set, Krb5.AsReq, track ip_src, expire: 10; classtype: attempted-user; reference: url, github.com/ptresearch/AttackDetection; sid: 10002228; rev: 1; ) 2 | 3 | alert smb any any -> $HOME_NET any (msg: "ATTACK [PTsecurity] Flowbits for SMB NTTrans Request"; flow: established, to_server, no_stream; content: "|FF|SMB|A0|"; flowbits: set, SMB.NTTrans.Req; flowbits: unset, SMB.NTTrans2.Req; flowbits: noalert; classtype: attempted-admin; reference: url, github.com/ptresearch/AttackDetection; sid: 10001724; rev: 1; ) 4 | 5 | alert smb any any -> $HOME_NET any (msg: "ATTACK [PTsecurity] Metasploit MS17-010 ETERNALBLUE Exploitation (CVE-2017-0144)"; flow: established, to_server, no_stream; content: "|FF|SMB|33|"; byte_test: 2, >, 61000, 42, relative, little; flowbits: isset, SMB.NTTrans.Req; flowbits: isnotset, SMB.NTTrans2.Req; reference: cve, 2017-0144; reference: url, github.com/rapid7/metasploit-framework/commit/c9473f8cbc147fe6ff7fe27862fd3d1e9f27c4f5; classtype: attempted-admin; reference: url, github.com/ptresearch/AttackDetection; sid: 10001726; rev: 1; ) 6 | 7 | alert tcp any any -> $HOME_NET any (msg: "ATTACK [PTsecurity] Remote WMI Win32_Process create"; flow: established, to_server; content: "|05 00 00|"; depth: 3; content: "W|00|i|00|n|00|3|00|2|00|_|00|P|00|r|00|o|00|c|00|e|00|s|00|s|00 00 00|"; fast_pattern; content: "c|00|r|00|e|00|a|00|t|00|e|00|"; distance: 16; within: 12; nocase; flowbits: set, WMI.Win32_Process.Create; threshold: type limit, track by_src, count 1, seconds 10; classtype: attempted-admin; reference: url, github.com/ptresearch/AttackDetection; sid: 10001999; rev: 3; ) 8 | 9 | alert tcp any any -> $HOME_NET any (msg: "ATTACK [PTsecurity] 
Suspicious Remote WMI Win32_Process create"; flow: established, to_server; content: "__PARAMETERS|00 00|"; content: "http://"; distance: 0; pcre: "/__PARAMETERS\x00\x00[^\x00]+?(?:cmd|powershell)[^\x00]+?http:\/\//"; flowbits: isset, WMI.Win32_Process.Create; classtype: attempted-admin; reference: url, github.com/ptresearch/AttackDetection; sid: 10002000; rev: 2; ) 10 | 11 | -------------------------------------------------------------------------------- /wordpress LearnDash plugin arbitrary file upload/wordpress_learnlash_plugin_arbitrary_file_upload.rules: -------------------------------------------------------------------------------- 1 | alert http any any -> $HOME_NET any (msg: "ATTACK [PTsecurity] WordPress Plugin LearnDash LMS <2.5.4 Arbitrary file upload"; flow: established, to_server; content: "POST"; http_method; content: "multipart/form-data"; http_header; content: "course_id"; http_client_body; content: "uploadfile"; http_client_body; content: "uploadfiles[]"; http_client_body; content: "filename"; http_client_body; distance: 0; content: ".php.php"; http_client_body; distance: 0; pcre: "/\.php\.php\s*[\x22\']/P"; reference: url, seclists.org/fulldisclosure/2018/Jan/37; classtype: attempted-admin; reference: url, github.com/ptresearch/AttackDetection; sid: 10002405; rev: 2; ) 2 | 3 | -------------------------------------------------------------------------------- /xfreerdp/xfreerdp.rules: -------------------------------------------------------------------------------- 1 | alert tcp any any -> any any (msg: "TOOLS [PTsecurity] Possible xfreerdp RDP client"; flow: established, to_server, no_stream; content: "|03 00|"; depth: 2; content: "Duca"; distance: 0; content: "|01 C0|"; distance: 2; within: 2; byte_jump: 2, 0, relative, little, post_offset -4; content: "|04 C0|"; within: 2; byte_jump: 2, 0, relative, little, post_offset -4; content: "|02 C0|"; within: 2; isdataat: !11, relative; reference: url, github.com/ptresearch/AttackDetection; classtype: 
bad-unknown; sid: 10005928; rev: 2;) 2 | --------------------------------------------------------------------------------