├── .last_used_sid ├── ChangeLog ├── LICENSE ├── README.md ├── adtran.rules ├── airtables.rules ├── apache.rules ├── apc-emu.rules ├── arp.rules ├── artillery.rules ├── as400.rules ├── asterisk.rules ├── attack.rules ├── auditd.rules ├── aws-access-analyzer.rules ├── aws-account.rules ├── aws-apigateway.rules ├── aws-appconfig.rules ├── aws-application-insights.rules ├── aws-appsync.rules ├── aws-artifact.rules ├── aws-athena.rules ├── aws-autoscaling.rules ├── aws-cloudtrail.rules ├── aws-cognito.rules ├── aws-detective.rules ├── aws-guardduty.rules ├── aws-iam.rules ├── aws-secretsmanager.rules ├── aws-signin.rules ├── aws-sts.rules ├── azure-eventhub-ad-geoip.rules ├── azure-eventhub-ad.rules ├── azureEventHub_azureActivity.rules ├── azureEventHub_entra.rules ├── azureEventHub_mssql.rules ├── azureEventHub_windows-aetas.rules ├── azureEventHub_windows-applocker.rules ├── azureEventHub_windows-auth.rules ├── azureEventHub_windows-blacklist.rules ├── azureEventHub_windows-clipboard.rules ├── azureEventHub_windows-correlated.rules ├── azureEventHub_windows-emet.rules ├── azureEventHub_windows-geoip.rules ├── azureEventHub_windows-malware.rules ├── azureEventHub_windows-misc.rules ├── azureEventHub_windows-mssql.rules ├── azureEventHub_windows-powershell.rules ├── azureEventHub_windows-security.rules ├── azureEventHub_windows-sysmon.rules ├── azureEventHub_windows-zeekintel.rules ├── barracuda-email-gw-defense.rules ├── barracuda-impersonation.rules ├── barracuda-ir.rules ├── barracuda-waf.rules ├── bash.rules ├── bind.rules ├── bitdefenderGZ.rules ├── blacklist.rules ├── bluedot-categories.conf ├── bluedot.rules ├── bomgar.rules ├── bonding.rules ├── box.rules ├── cacti-thold.rules ├── carbonblack-app-control.rules ├── carbonblack-cloud.rules ├── carbonblack-endpoint-standard.rules ├── centrify.rules ├── checkpoint-aetas.rules ├── checkpoint-blacklist.rules ├── checkpoint-bluedot.rules ├── checkpoint-geoip.rules ├── checkpoint.rules ├── cisco-aetas.rules ├── 
cisco-amp.rules ├── cisco-blacklist.rules ├── cisco-bluedot.rules ├── cisco-correlated.rules ├── cisco-cucm.rules ├── cisco-geoip.rules ├── cisco-ios.rules ├── cisco-ise-blacklist.rules ├── cisco-ise-bluedot.rules ├── cisco-ise-geoip.rules ├── cisco-ise-zeek-intel.rules ├── cisco-ise.rules ├── cisco-malware.rules ├── cisco-meraki.rules ├── cisco-pixasa.rules ├── cisco-prime.rules ├── cisco-sca-alarms.rules ├── cisco-sca-observables.rules ├── cisco-sdee.rules ├── cisco-tacacs.rules ├── cisco-umbrella.rules ├── cisco-wlc.rules ├── cisco-zeek-intel.rules ├── citrix-blacklist.rules ├── citrix-bluedot.rules ├── citrix-correlated.rules ├── citrix-geoip.rules ├── citrix-zeek-intel.rules ├── citrix.rules ├── classification.config ├── cloudgenix-bluedot.rules ├── cloudgenix.rules ├── cloudtrail.rules ├── confluent.rules ├── courier-bluedot.rules ├── courier-correlated.rules ├── courier-geoip.rules ├── courier.rules ├── crowdstrike.rules ├── cyberark.rules ├── cylance.rules ├── darktrace.rules ├── ddr.rules ├── deleted.rules ├── dellemcunity.rules ├── digitalpersona.rules ├── dovecot.rules ├── duo.rules ├── dynamic.rules ├── eset.rules ├── f5-big-ip-bluedot.rules ├── f5-big-ip-geoip.rules ├── f5-big-ip.rules ├── fatpipe-aetas.rules ├── fatpipe-bluedot.rules ├── fatpipe-correlated.rules ├── fatpipe-geoip.rules ├── fatpipe.rules ├── fingerprint.rules ├── fipaypin.rules ├── forescout.rules ├── fortiSandbox.rules ├── fortinet-aetas.rules ├── fortinet-bluedot.rules ├── fortinet-correlated.rules ├── fortinet-geoip.rules ├── fortinet-json.rules ├── fortinet-malware.rules ├── fortinet.rules ├── ftpd.rules ├── gcp-cloud-audit.rules ├── gcp-scc.rules ├── github.rules ├── grsec.rules ├── halcyon.rules ├── honeyd.rules ├── hordeimp.rules ├── hostapd.rules ├── huawei.rules ├── imapd-bluedot.rules ├── imapd-correlated.rules ├── imapd-geoip.rules ├── imapd.rules ├── imperva.rules ├── ipop3d.rules ├── jamf-protect.rules ├── json-input.map ├── juniper-aetas.rules ├── juniper-bluedot.rules 
├── juniper-geoip.rules ├── juniper.rules ├── key9.rules ├── kismet.rules ├── knockd.rules ├── knowbe4.rules ├── librenms.rules ├── linux-auditd.rules ├── linux-kernel.rules ├── linux-security.rules ├── mcafee-web-gateway.rules ├── mcas-geoip.rules ├── mcas.rules ├── microsoft-atp.rules ├── microsoft-defender-endpoint.rules ├── milter.rules ├── mimecast.rules ├── mongodb.rules ├── ms-defender.rules ├── msapi-airinvestigation.rules ├── msapi-azuread-bluedot.rules ├── msapi-azuread-geoip.rules ├── msapi-azuread.rules ├── msapi-defender.rules ├── msapi-exchange-bluedot.rules ├── msapi-exchange-geoip.rules ├── msapi-exchange.rules ├── msapi-mcas.rules ├── msapi-microsoftflow-bluedot.rules ├── msapi-microsoftflow-geoip.rules ├── msapi-microsoftforms-bluedot.rules ├── msapi-microsoftforms-geoip.rules ├── msapi-microsoftstream-bluedot.rules ├── msapi-microsoftstream-geoip.rules ├── msapi-microsoftteams-bluedot.rules ├── msapi-microsoftteams-geoip.rules ├── msapi-onedrive-bluedot.rules ├── msapi-onedrive-geoip.rules ├── msapi-onedrive.rules ├── msapi-powerbi-bluedot.rules ├── msapi-powerbi-geoip.rules ├── msapi-securitycompliancecenter.rules ├── msapi-sharepoint-bluedot.rules ├── msapi-sharepoint-geoip.rules ├── msapi-sharepoint.rules ├── msapi-threatintelligence.rules ├── msdns-audit.rules ├── msexchange-activemonitoring.rules ├── msexchange-management.rules ├── mysql.rules ├── netskope.rules ├── netwrix-api-integration.rules ├── netwrix.rules ├── nexpose.rules ├── nfcapd-malware.rules ├── nfcapd.rules ├── nginx.rules ├── ninjarmm.rules ├── normalization.rulebase ├── ntp.rules ├── nxlog.rules ├── okta.rules ├── onelogin.rules ├── openssh-aetas.rules ├── openssh-bluedot.rules ├── openssh-correlated.rules ├── openssh-geoip.rules ├── openssh.rules ├── openvpn.rules ├── oracle.rules ├── palo-alto-geoip.rules ├── palo-alto.rules ├── passwordstate.rules ├── pfsense.rules ├── php.rules ├── postfix.rules ├── postgresql.rules ├── pptp.rules ├── procurve.rules ├── 
proftpd-aetas.rules ├── proftpd-bluedot.rules ├── proftpd-geoip.rules ├── proftpd.rules ├── proofpoint.rules ├── proofpoint_od.rules ├── protocol.map ├── proxy-malware.rules ├── pure-ftpd.rules ├── racoon.rules ├── ransomcare.rules ├── reference.config ├── riverbed-aetas.rules ├── riverbed-bluedot.rules ├── riverbed-geoip.rules ├── riverbed.rules ├── roundcube.rules ├── rsa-dpm.rules ├── rsync.rules ├── rules.yaml ├── sagan-sid-msg.map ├── sagan.rules ├── salesforce.rules ├── samba.rules ├── screenconnect.rules ├── sendmail.rules ├── sentinelone.rules ├── snort-bluedot.rules ├── snort-geoip.rules ├── snort.rules ├── solaris.rules ├── sonicwall.rules ├── sophos.rules ├── squid.rules ├── ssh-tectia-server-aetas.rules ├── ssh-tectia-server-bluedot.rules ├── ssh-tectia-server-correlated.rules ├── ssh-tectia-server-geoip.rules ├── ssh-tectia-server.rules ├── su.rules ├── symantec-ems.rules ├── syslog.rules ├── systemd.rules ├── tcp.rules ├── telnet.rules ├── tenable.rules ├── trendmicro.rules ├── tripwire.rules ├── veeam.rules ├── vmpop3d.rules ├── vmware-bluedot.rules ├── vmware-correlated.rules ├── vmware-geoip.rules ├── vmware.rules ├── vpopmail.rules ├── vsftpd-bluedot.rules ├── vsftpd-correlated.rules ├── vsftpd-geoip.rules ├── vsftpd.rules ├── watchguard-geoip.rules ├── watchguard.rules ├── web-attack.rules ├── weblabrinth.rules ├── windows-aetas.rules ├── windows-applocker.rules ├── windows-auth.rules ├── windows-blacklist.rules ├── windows-bluedot.rules ├── windows-clipboard.rules ├── windows-correlated.rules ├── windows-emet.rules ├── windows-geoip.rules ├── windows-malware.rules ├── windows-misc.rules ├── windows-mssql.rules ├── windows-owa-blacklist.rules ├── windows-owa-bluedot.rules ├── windows-owa-correlated.rules ├── windows-owa-geoip.rules ├── windows-owa-zeekintel.rules ├── windows-owa.rules ├── windows-powershell.rules ├── windows-security.rules ├── windows-sysmon.rules ├── windows-zeekintel.rules ├── windows.rules ├── wordpress.rules ├── xinetd.rules 
├── yubikey.rules ├── zeek-bluedot.rules ├── zeek-intel.rules ├── zeeks.rules ├── zeus.rules ├── zimbra-geoip.rules ├── zimbra.rules ├── zingbox.rules ├── zscaler-bluedot.rules └── zscaler.rules /.last_used_sid: -------------------------------------------------------------------------------- 1 | <<<<<<< HEAD 2 | Normal Rule: 5016030 3 | ======= 4 | Normal Rule: 5015984 5 | >>>>>>> 8b4ea01a70638ce93e2d14944881a131765d98f7 6 | Fingerprint: 5100196 7 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | Welcome to the "Sagan Rules" 2 | ---------------------------- 3 | 4 | This is the Git repository for the Sagan engine rule sets. You 5 | probably won't find these useful unless you're actually using Sagan! 6 | For more information, check out the Sagan main web site at: 7 | 8 | https://quadrantsec.com/sagan_log_analysis_engine/ 9 | 10 | GitHub-related site: 11 | 12 | http://github.com/quadrantsec/sagan 13 | 14 | What is Sagan? 15 | -------------- 16 | 17 | Sagan is an open source (GNU/GPLv2) high-performance, real-time log 18 | analysis & correlation engine. It is written in C and uses a 19 | multi-threaded architecture to deliver high-performance log & event 20 | analysis. The Sagan structure and Sagan rules work similarly to the 21 | Sourcefire "Snort" and "Suricata" IDS engines. This was intentionally 22 | done to maintain compatibility with rule management software 23 | (oinkmaster/pulledpork/etc.) and allows Sagan to correlate log events 24 | with your Suricata/Snort IDS/IPS systems. 25 | 26 | For more information, please visit the Sagan web site: 27 | http://sagan.readthedocs.org and http://sagan.quadrantsec.com . 
28 | 29 | -------------------------------------------------------------------------------- /adtran.rules: -------------------------------------------------------------------------------- 1 | # Sagan adtran.rules 2 | # Copyright (c) 2009-2023. Quadrant Information Security 3 | # All rights reserved. 4 | # 5 | # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list 6 | # 7 | #************************************************************* 8 | # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the 9 | # following conditions are met: 10 | # 11 | # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following 12 | # disclaimer. 13 | # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the 14 | # following disclaimer in the documentation and/or other materials provided with the distribution. 15 | # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived 16 | # from this software without specific prior written permission. 17 | # 18 | # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, 19 | # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 20 | # DISCLAIMED. 
IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 21 | # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 22 | # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, 23 | # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE 24 | # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 25 | # 26 | # Adtran rules by James Lay - 06/25/2012 (actually, added well before that.. hrmph). 27 | 28 | alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[ADTRAN] TCP INTERNAL BLOCK"; content: "Access Policy"; content: "tcp"; default_proto: tcp; program: FIREWALL; normalize; classtype: bad-unknown; sid:5001126; rev:4;) 29 | alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[ADTRAN] UDP INTERNAL BLOCK"; content: "Access Policy"; content: "udp"; default_proto: udp; program: FIREWALL; normalize; classtype: bad-unknown; sid:5001127; rev:4;) 30 | -------------------------------------------------------------------------------- /apc-emu.rules: -------------------------------------------------------------------------------- 1 | # Sagan apc-emu.rules 2 | # Copyright (c) 2009-2023. Quadrant Information Security 3 | # All rights reserved. 4 | # 5 | # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list 6 | # 7 | #************************************************************* 8 | # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the 9 | # following conditions are met: 10 | # 11 | # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following 12 | # disclaimer. 
13 | # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the 14 | # following disclaimer in the documentation and/or other materials provided with the distribution. 15 | # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived 16 | # from this software without specific prior written permission. 17 | # 18 | # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, 19 | # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 20 | # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 21 | # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 22 | # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, 23 | # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE 24 | # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
25 | # 26 | #************************************************************* 27 | # 28 | 29 | #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[APC-EMU] Humidity violation"; content: "humidity violation,"; classtype: hardware-event; program: EMU; sid: 5001057; rev:2;) 30 | #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[APC-EMU] Humidity violation cleared"; content: "humidity violation cleared,"; classtype: hardware-event; program: EMU; sid: 5001058; rev:2;) 31 | #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[APC-EMU] Front door opened"; content: "Front Door' opened,"; classtype: hardware-event; program: EMU; sid: 5001059; rev:2;) 32 | #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[APC-EMU] Front door closed"; content: "Front Door' closed,"; classtype: hardware-event; program: EMU; sid: 5001060; rev:2;) 33 | 34 | 35 | -------------------------------------------------------------------------------- /auditd.rules: -------------------------------------------------------------------------------- 1 | #auditd.rules moved to linux-auditd.rules 2 | -------------------------------------------------------------------------------- /blacklist.rules: -------------------------------------------------------------------------------- 1 | # Sagan blacklist.rules 2 | # Copyright (c) 2009-2023. Quadrant Information Security 3 | # All rights reserved. 4 | # 5 | # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list 6 | # 7 | #************************************************************* 8 | # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the 9 | # following conditions are met: 10 | # 11 | # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following 12 | # disclaimer. 
13 | # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the 14 | # following disclaimer in the documentation and/or other materials provided with the distribution. 15 | # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived 16 | # from this software without specific prior written permission. 17 | # 18 | # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, 19 | # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 20 | # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 21 | # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 22 | # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, 23 | # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE 24 | # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 25 | # 26 | 27 | # These are CATCH ALL rules. This means they will parse _all_ logs. 
28 | 29 | alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[BLACKLIST] Suspicious communications detected via Blacklist"; blacklist: all; classtype: suspicious-traffic; after: track by_src, count 5, seconds 30; threshold: type suppress, track by_src, count 10, seconds 60; parse_src_ip: 1; parse_dst_ip: 2; normalize; parse_proto; parse_proto_program; sid: 5002271; rev:3;) 30 | 31 | -------------------------------------------------------------------------------- /bluedot-categories.conf: -------------------------------------------------------------------------------- 1 | 0 || Neutral 2 | 1 || Whitelisted 3 | 2 || Client 4 | 3 || Malicious 5 | 4 || Honeypot 6 | 7 || Advisory 7 | 8 || Scanners 8 | 9 || Tor 9 | 10 || Proxy 10 | -------------------------------------------------------------------------------- /bluedot.rules: -------------------------------------------------------------------------------- 1 | # Sagan bluedot.rules 2 | # Copyright (c) 2009-2023. Quadrant Information Security 3 | # All rights reserved. 4 | # 5 | # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list 6 | # 7 | #************************************************************* 8 | # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the 9 | # following conditions are met: 10 | # 11 | # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following 12 | # disclaimer. 13 | # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the 14 | # following disclaimer in the documentation and/or other materials provided with the distribution. 15 | # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived 16 | # from this software without specific prior written permission. 
17 | # 18 | # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, 19 | # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 20 | # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 21 | # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 22 | # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, 23 | # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE 24 | # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 25 | # 26 | 27 | # These are CATCH ALL rules. This means they will parse _all_ logs. 28 | 29 | alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[BLUEDOT] Suspicious IP detected via Bluedot"; bluedot: type ip_reputation, track all, mdate_effective_period 1 months, Malicious,Tor,Proxy; content:!"drop"; nocase; content:!"denied"; nocase; content:!"deny"; nocase; content:!"qipapikey"; normalize; classtype: suspicious-traffic; after: track by_src, count 10, seconds 30; threshold: type suppress, track by_src, count 2, seconds 3600; parse_src_ip: 1; parse_dst_ip: 2; parse_proto_program; sid:5002288; rev:9;) 30 | 31 | alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[BLUEDOT] Malicious MD5 hash detected via Bluedot"; bluedot: type file_hash,Malicious; parse_hash: md5; classtype: suspicious-traffic; parse_src_ip: 1; normalize; sid:5003118; rev:1;) 32 | 33 | alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[BLUEDOT] Malicious SHA1 hash detected via Bluedot"; bluedot: type file_hash,Malicious; parse_hash: sha1; classtype: suspicious-traffic; parse_src_ip: 1; normalize; sid:5003119; rev:1;) 34 | 35 | alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[BLUEDOT] Malicious 
SHA256 hash detected via Bluedot"; bluedot: type file_hash,Malicious; parse_hash: sha256; classtype: suspicious-traffic; parse_src_ip: 1; normalize; sid:5003120; rev:1;) 36 | 37 | 38 | -------------------------------------------------------------------------------- /cacti-thold.rules: -------------------------------------------------------------------------------- 1 | # Sagan cacti-thold.rules 2 | # Copyright (c) 2009-2023. Quadrant Information Security 3 | # All rights reserved. 4 | # 5 | # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list 6 | # 7 | #************************************************************* 8 | # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the 9 | # following conditions are met: 10 | # 11 | # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following 12 | # disclaimer. 13 | # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the 14 | # following disclaimer in the documentation and/or other materials provided with the distribution. 15 | # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived 16 | # from this software without specific prior written permission. 17 | # 18 | # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, 19 | # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 20 | # DISCLAIMED. 
IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 21 | # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 22 | # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, 23 | # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE 24 | # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 25 | # 26 | #************************************************************* 27 | # 28 | 29 | #alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[CACTI] CPU went above threshold"; content: "CPU went above threshold"; classtype: system-event; program: CactiTholdLog; sid: 5001076; rev:2;) 30 | #alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[CACTI] CPU restored to normal"; content: "CPU restored to normal"; classtype: system-event; program: CactiTholdLog; sid: 5001077; rev:2;) 31 | 32 | -------------------------------------------------------------------------------- /carbonblack-endpoint-standard.rules: -------------------------------------------------------------------------------- 1 | # Sagan carbonblack-endpoint-standard.rules 2 | # Copyright (c) 2009-2023. Quadrant Information Security 3 | # All rights reserved. 4 | # 5 | # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list 6 | # 7 | #************************************************************* 8 | # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the 9 | # following conditions are met: 10 | # 11 | # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following 12 | # disclaimer. 
13 | # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the 14 | # following disclaimer in the documentation and/or other materials provided with the distribution. 15 | # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived 16 | # from this software without specific prior written permission. 17 | # 18 | # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, 19 | # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 20 | # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 21 | # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 22 | # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, 23 | # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE 24 | # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 25 | # 26 | #************************************************************* 27 | # 28 | # This ruleset is intended for use with Quadrant's in-house API integration with carbonblack's Device Control API. 
29 | # ref: https://developer.carbonblack.com/reference/carbon-black-cloud/cb-defense/latest/device-control-api/#approvals 30 | 31 | # rules by "Casey Pennington" 32 | # 02/21/2023 33 | # 06/07/2023 Bryant Smith - file renamed from carbonblack-device-control.rules to carbonblack-endpoint-standard.rules 34 | # 35 | # https://developer.carbonblack.com/reference/carbon-black-cloud/cb-defense/ 36 | 37 | alert any $HOME_NET any -> $HOME_NET any (msg:"[CARBONBLACK-USB-APPROVAL] created usb approval"; program:cb_usb_approval_data; content:"|22|action|22 3a 20 22|created|22|"; classtype:system-event; reference:url,https://developer.carbonblack.com/reference/carbon-black-cloud/cb-defense/latest/device-control-api/; sid:5010940; rev:1;) 38 | 39 | alert any $HOME_NET any -> $HOME_NET any (msg:"[CARBONBLACK-USB-APPROVAL] updated usb approval"; program:cb_usb_approval_data; content:"|22|action|22 3a 20 22|updated|22|"; classtype:system-event; reference:url,https://developer.carbonblack.com/reference/carbon-black-cloud/cb-defense/latest/device-control-api/; sid:5010941; rev:1;) 40 | -------------------------------------------------------------------------------- /checkpoint-aetas.rules: -------------------------------------------------------------------------------- 1 | # Sagan checkpoint-aetas.rules 2 | # Copyright (c) 2009-2023. Quadrant Information Security 3 | # All rights reserved. 4 | # 5 | # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list 6 | # 7 | #************************************************************* 8 | # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the 9 | # following conditions are met: 10 | # 11 | # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following 12 | # disclaimer. 
13 | # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the 14 | # following disclaimer in the documentation and/or other materials provided with the distribution. 15 | # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived 16 | # from this software without specific prior written permission. 17 | # 18 | # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, 19 | # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 20 | # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 21 | # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 22 | # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, 23 | # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE 24 | # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
25 | # 26 | #************************************************************* 27 | 28 | 29 | alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[CHECKPOINT-AETAS] Log In at suspicious time"; content: "[action|3a 22|Log In|22 3b|"; parse_dst_ip: 1; parse_src_ip: 3; parse_proto; alert_time: days $SAGAN_DAYS, hours $SAGAN_HOURS; classtype: suspicious-traffic; sid:5005733; rev:1;) 30 | 31 | alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[CHECKPOINT-AETAS] Log Out at suspicious time"; content: "[action|3a 22|Log Out|22 3b|"; parse_dst_ip: 1; parse_src_ip: 3; parse_proto; alert_time: days $SAGAN_DAYS, hours $SAGAN_HOURS; classtype: suspicious-traffic; sid:5005734; rev:1;) 32 | 33 | 34 | -------------------------------------------------------------------------------- /cisco-cucm.rules: -------------------------------------------------------------------------------- 1 | # Sagan cisco-cucm.rules 2 | # Copyright (c) 2009-2023. Quadrant Information Security 3 | # All rights reserved. 4 | # 5 | # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list 6 | # 7 | #************************************************************* 8 | # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the 9 | # following conditions are met: 10 | # 11 | # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following 12 | # disclaimer. 13 | # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the 14 | # following disclaimer in the documentation and/or other materials provided with the distribution. 15 | # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived 16 | # from this software without specific prior written permission. 
17 | # 18 | # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, 19 | # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 20 | # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 21 | # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 22 | # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, 23 | # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE 24 | # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 25 | # 26 | #************************************************************* 27 | # These rules are for Cisco Unified Call Manager (CUCM) VoIP systems. 28 | 29 | #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] Call Manager Telephony Subsystem Shutdown"; content: "SS_SHUTDOWN"; content: "CMT subsystem"; classtype: system-event; sid: 5001709; rev:2;) 30 | #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] Call Manager Telephony Subsystem ModuleStop"; content: "ModuleStop"; content: "CMT Subsystem"; classtype: system-event; sid: 5001710; rev:2;) 31 | #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] Grammar Manager Telephony Subsystem ModuleStop"; content: "ModuleStop"; content: "Grammar Manager"; classtype: system-event; sid: 5001711; rev:2;) 32 | #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] Cisco Unified CCX MGR Shutdown"; content: "MGR_SHUTDOWN"; content: "Cisco Unified CCX"; classtype: system-event; sid: 5001712; rev:2;) 33 | #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] Socket Manager Telephony Subsystem ModuleStart"; content: "ModuleStart"; content: "Socket Manager"; classtype: 
system-event; sid: 5001713; rev:2;) 34 | 35 | -------------------------------------------------------------------------------- /cisco-ise-blacklist.rules: -------------------------------------------------------------------------------- 1 | # Sagan cisco-ise-blacklist.rules 2 | # Copyright (c) 2009-2023. Quadrant Information Security 3 | # All rights reserved. 4 | # 5 | # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list 6 | # 7 | #************************************************************* 8 | # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the 9 | # following conditions are met: 10 | # 11 | # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following 12 | # disclaimer. 13 | # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the 14 | # following disclaimer in the documentation and/or other materials provided with the distribution. 15 | # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived 16 | # from this software without specific prior written permission. 17 | # 18 | # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, 19 | # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 20 | # DISCLAIMED. 
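IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
# USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#
#*************************************************************

#10.0.0.1|local6|notice|notice|b5|2018-05-23|20:22:11|CISE_Passed_Authentications| 0000511111 3 0 2018-05-23 20:22:11.910 -04:00 0067111111 5200 NOTICE Passed-Authentication: Authentication succeeded, ConfigVersionId=139, Device IP Address=10.10.254.13, DestinationIPAddress=10.10.2.53, DestinationPort=1812, UserName=00-11-11-11-11-11, Protocol=Radius, RequestLatency=8, NetworkDeviceName=DEMO, User-Name=001111111111, NAS-IP-Address=10.10.254.13, NAS-Port=50002, Service-Type=Call Check, Framed-IP-Address=10.10.251.75, Framed-MTU=1500, Called-Station-ID=00-11-11-11-11-11, Calling-Station-ID=00-11-11-11-11-11, NAS-Port-Type=Ethernet, NAS-Port-Id=GigabitEthernet0/2, EAP-Key-Name=, cisco-av-pair=service-type=Call Check, cisco-av-pair=audit-session-id=AC1711111111111111111111, OriginalUserName=001111111111, NetworkDeviceProfileName=Cisco, NetworkDeviceProfileId=11111111-1111-1111-1111-111111111111, IsThirdPartyDeviceFlow=false, RadiusFlowType=WiredMAB, SSID=00-11-11-11-11-11, AcsSessionID=nac-dc1/11111111l/1111111,

# Successful ISE authentication whose source address is on the local Sagan
# blacklist. parse_src_ip: 1 / parse_dst_ip: 2 take the first and second IP in
# the message; in the sample above those are "Device IP Address" (the NAS /
# switch, 10.10.254.13) and "DestinationIPAddress" (the ISE node, 10.10.2.53).
# The authenticating endpoint is "Framed-IP-Address" (10.10.251.75), the
# fourth IP in the message if the syslog host in the pipe header is not counted.
# NOTE(review): as written, blacklist: by_src is evaluated against the NAS
# address, not the endpoint. If the endpoint is what should be checked, move
# to the Framed-IP-Address position (verify it on live events; ISE field order
# can vary between flows).
# Fix: the msg said "from outside HOME_COUNTRY" (copied from the geoip
# variant); this rule performs the blacklist lookup, so it now says so. rev bumped.

alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-ISE-BLACKLIST] Successful authentication from blacklisted IP"; program: CISE_Passed_Authentications; content: "Device IP Address"; classtype: successful-user; parse_src_ip: 1; parse_dst_ip: 2; blacklist: by_src; sid:5003783; rev:2;)

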
-------------------------------------------------------------------------------- /cisco-ise-zeek-intel.rules: -------------------------------------------------------------------------------- 1 | # Sagan cisco-ise-zeek-intel.rules 2 | # Copyright (c) 2009-2023. Quadrant Information Security 3 | # All rights reserved. 4 | # 5 | # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list 6 | # 7 | #************************************************************* 8 | # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the 9 | # following conditions are met: 10 | # 11 | # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following 12 | # disclaimer. 13 | # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the 14 | # following disclaimer in the documentation and/or other materials provided with the distribution. 15 | # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived 16 | # from this software without specific prior written permission. 17 | # 18 | # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, 19 | # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 20 | # DISCLAIMED. 
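IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
# USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#
#*************************************************************

#10.0.0.1|local6|notice|notice|b5|2018-05-23|20:22:11|CISE_Passed_Authentications| 0000511111 3 0 2018-05-23 20:22:11.910 -04:00 0067111111 5200 NOTICE Passed-Authentication: Authentication succeeded, ConfigVersionId=139, Device IP Address=10.10.254.13, DestinationIPAddress=10.10.2.53, DestinationPort=1812, UserName=00-11-11-11-11-11, Protocol=Radius, RequestLatency=8, NetworkDeviceName=DEMO, User-Name=001111111111, NAS-IP-Address=10.10.254.13, NAS-Port=50002, Service-Type=Call Check, Framed-IP-Address=10.10.251.75, Framed-MTU=1500, Called-Station-ID=00-11-11-11-11-11, Calling-Station-ID=00-11-11-11-11-11, NAS-Port-Type=Ethernet, NAS-Port-Id=GigabitEthernet0/2, EAP-Key-Name=, cisco-av-pair=service-type=Call Check, cisco-av-pair=audit-session-id=AC1711111111111111111111, OriginalUserName=001111111111, NetworkDeviceProfileName=Cisco, NetworkDeviceProfileId=11111111-1111-1111-1111-111111111111, IsThirdPartyDeviceFlow=false, RadiusFlowType=WiredMAB, SSID=00-11-11-11-11-11, AcsSessionID=nac-dc1/11111111l/1111111,

# Successful ISE authentication whose source address appears in the Zeek
# intel feed. parse_src_ip: 1 / parse_dst_ip: 2 take the first and second IP in
# the message; in the sample above those are "Device IP Address" (the NAS /
# switch, 10.10.254.13) and "DestinationIPAddress" (the ISE node, 10.10.2.53).
# The authenticating endpoint is "Framed-IP-Address" (10.10.251.75), the
# fourth IP in the message if the syslog host in the pipe header is not counted.
# NOTE(review): as written, zeek-intel: by_src is evaluated against the NAS
# address, not the endpoint. If the endpoint is what should be checked, move
# to the Framed-IP-Address position (verify it on live events; ISE field order
# can vary between flows).
# Fix: the msg said "from outside HOME_COUNTRY" (copied from the geoip
# variant); this rule performs the Zeek intel lookup, so it now says so. rev bumped.

alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-ISE-ZEEK-INTEL] Successful authentication from Zeek intel listed IP"; program: CISE_Passed_Authentications; content: "Device IP Address"; classtype: successful-user; parse_src_ip: 1; parse_dst_ip: 2; zeek-intel: by_src; sid:5003784; rev:3;)

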
-------------------------------------------------------------------------------- /cisco-sdee.rules: -------------------------------------------------------------------------------- 1 | 2 | # README * README * README * README * README * README * README * README 3 | # ---------------------------------------------------------------------------- 4 | # 5 | # This ruleset is EOL. See deleted.rules. 6 | # 7 | # ---------------------------------------------------------------------------- 8 | 9 | -------------------------------------------------------------------------------- /cisco-tacacs.rules: -------------------------------------------------------------------------------- 1 | # Sagan cisco-tacacs.rules 2 | # Copyright (c) 2009-2023. Quadrant Information Security 3 | # All rights reserved. 4 | # 5 | # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list 6 | # 7 | #************************************************************* 8 | # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the 9 | # following conditions are met: 10 | # 11 | # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following 12 | # disclaimer. 13 | # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the 14 | # following disclaimer in the documentation and/or other materials provided with the distribution. 15 | # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived 16 | # from this software without specific prior written permission. 17 | # 18 | # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, 19 | # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 20 | # DISCLAIMED. 
IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
# USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#
#*************************************************************

# rules by "Bryant Smith"
# 11/15/2023

# TACACS+ authentication brute-force detector (MITRE TA0006 / T1110). Fires once
# a single source has produced 25 "Authentication failed" messages within 300s
# (after:), then stays silent for that source for 86400s (threshold: suppress),
# and sets the brute_force xbit for 21600s so correlation rules can pick it up.
# The header is $HOME_NET -> $HOME_NET, so only internal sources are considered.
# NOTE(review): the 24h suppress window is far longer than the 300s used by the
# comparable F5 brute-force rule (sid 5002946) in this ruleset: a source that
# keeps hammering all day yields exactly one alert. Confirm that is intended.
# NOTE(review): parse_src_ip:2 takes the SECOND IP in the message. No sample
# TACACS+ line is shown here, so verify that position is the client/NAS and not
# the TACACS+ server before trusting by_src tracking and the xbit.
# NOTE(review): classtype unsuccessful-user differs from the brute-force
# classtype used by the F5 rule; consider aligning them. The created_at /
# updated_at metadata (2023_11_09) also does not match the 11/15/2023 date above.

alert any $HOME_NET any -> $HOME_NET any (msg:"[CISCO-TACACS] Multiple Failed Login Attempts [Brute Force][25/1]"; program:*TACACS*; content:"Authentication failed"; parse_src_ip:2; after:track by_src,count 25,seconds 300; threshold:type suppress,track by_src,count 1,seconds 86400; xbits:set,brute_force,track ip_src, expire 21600; classtype:unsuccessful-user; sid:5014062; rev:1; metadata:deployment Server,affected_product NONE,affected_version NONE,mitigation NONE,deprecation_reason NONE,tag NONE, created_at 2023_11_09, updated_at 2023_11_09, mitre_tactic_id TA0006, mitre_technique_id T1110;)
-------------------------------------------------------------------------------- /citrix-blacklist.rules: --------------------------------------------------------------------------------
# Sagan citrix-blacklist.rules
# Copyright (c) 2009-2023. Quadrant Information Security
# All rights reserved.
4 | # 5 | # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list 6 | # 7 | #************************************************************* 8 | # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the 9 | # following conditions are met: 10 | # 11 | # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following 12 | # disclaimer. 13 | # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the 14 | # following disclaimer in the documentation and/or other materials provided with the distribution. 15 | # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived 16 | # from this software without specific prior written permission. 17 | # 18 | # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, 19 | # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 20 | # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 21 | # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 22 | # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, 23 | # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE 24 | # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
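#
#*************************************************************
# Citrix appliances/devices/software

# Login from blacklisted IP (Champ Clark / 04/01/2015)

# NetScaler / Citrix Gateway audit events whose first IP in the message (the
# client, parse_src_ip: 1) is on the local Sagan blacklist.
# Fix: sid 5002261's msg said "from outside blacklisted IP" (wording copied
# from the geoip variant); the "outside" is dropped. rev bumped.
# NOTE(review): "SSLVPN LOGIN" is the NetScaler audit message for a completed
# gateway login, and the failure case is the separate "AAA LOGIN_FAILED" rule
# (sid 5002281, disabled) below. classtype unsuccessful-user on 5002261 and on
# the HTTPREQUEST rule 5002285 therefore looks copied from the failure rule;
# confirm and re-classify (e.g. successful-user for 5002261) if so.
# NOTE(review): 5002285 uses $HOME_NET $HTTPS_PORT in the header while its
# zeek-intel twin (sid 5002286) uses $HOME_NET any; with default_dst_port set on
# both this is probably harmless, but keeping them identical avoids surprises.

alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX-BLACKLIST] Login from blacklisted IP"; content: "SSLVPN LOGIN"; default_proto: tcp; default_dst_port: $HTTPS_PORT; classtype: unsuccessful-user; parse_src_ip: 1; parse_dst_ip: 2; blacklist: by_src; reference: url,support.citrix.com/article/CTX123875; sid: 5002261; rev:4;)

#alert any $EXTERNAL_NET any -> $HOME_NET $HTTPS_PORT (msg: "[CITRIX-BLACKLIST] AAA LOGIN_FAILED from blacklisted IP"; content: "AAA LOGIN_FAILED"; default_proto: tcp; default_dst_port: $HTTPS_PORT; classtype: unsuccessful-user; parse_src_ip: 1; normalize; blacklist: by_src; reference: url,support.citrix.com/article/CTX123875; sid:5002281; rev:3;)

alert any $EXTERNAL_NET any -> $HOME_NET $HTTPS_PORT (msg: "[CITRIX-BLACKLIST] SSLVPN HTTPREQUEST from blacklisted IP"; content: "SSLVPN HTTPREQUEST"; default_proto: tcp; default_dst_port: $HTTPS_PORT; classtype: unsuccessful-user; parse_src_ip: 1; normalize; blacklist: by_src; reference: url,support.citrix.com/article/CTX123875; sid:5002285; rev:4;)


-------------------------------------------------------------------------------- /citrix-zeek-intel.rules: --------------------------------------------------------------------------------
# Sagan citrix-zeek-intel.rules
# Copyright (c) 2009-2023. Quadrant Information Security
# All rights reserved.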
4 | # 5 | # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list 6 | # 7 | #************************************************************* 8 | # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the 9 | # following conditions are met: 10 | # 11 | # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following 12 | # disclaimer. 13 | # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the 14 | # following disclaimer in the documentation and/or other materials provided with the distribution. 15 | # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived 16 | # from this software without specific prior written permission. 17 | # 18 | # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, 19 | # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 20 | # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 21 | # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 22 | # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, 23 | # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE 24 | # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
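#
#*************************************************************
# Citrix appliances/devices/software

# Login from Bro Intel IP (Champ Clark / 04/01/2015)

# NetScaler / Citrix Gateway audit events whose first IP in the message (the
# client, parse_src_ip: 1) appears in the Zeek (formerly Bro) intel feed.
# Fix: sid 5002262's msg said "from outside Bro Intel listed IP" (wording copied
# from the geoip variant); the "outside" is dropped. rev bumped.
# NOTE(review): "SSLVPN LOGIN" is the NetScaler audit message for a completed
# gateway login, and the failure case is the separate "AAA LOGIN_FAILED" rule
# (sid 5002282, disabled) below. classtype unsuccessful-user on 5002262 and on
# the HTTPREQUEST rule 5002286 therefore looks copied from the failure rule;
# confirm and re-classify (e.g. successful-user for 5002262) if so.

alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX-ZEEK-INTEL] Login from Bro Intel listed IP"; content: "SSLVPN LOGIN"; default_proto: tcp; default_dst_port: $HTTPS_PORT; classtype: unsuccessful-user; parse_src_ip: 1; parse_dst_ip: 2; zeek-intel: by_src; reference: url,support.citrix.com/article/CTX123875; sid: 5002262; rev:5;)

#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX-ZEEK-INTEL] AAA LOGIN_FAILED from Bro Intel listed IP"; content: "AAA LOGIN_FAILED"; default_proto: tcp; default_dst_port: $HTTPS_PORT; classtype: unsuccessful-user; parse_src_ip: 1; normalize; zeek-intel: by_src; reference: url,support.citrix.com/article/CTX123875; sid:5002282; rev:5;)

alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX-ZEEK-INTEL] SSLVPN HTTPREQUEST from Bro Intel listed IP"; content: "SSLVPN HTTPREQUEST"; default_proto: tcp; default_dst_port: $HTTPS_PORT; classtype: unsuccessful-user; parse_src_ip: 1; normalize; zeek-intel: by_src; reference: url,support.citrix.com/article/CTX123875; sid:5002286; rev:6;)


-------------------------------------------------------------------------------- /cloudgenix-bluedot.rules: --------------------------------------------------------------------------------
# Sagan cloudgenix-bluedot.rules
# Copyright (c) 2009-2023. Quadrant Information Security
# All rights reserved.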
4 | # 5 | # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list 6 | # 7 | #************************************************************* 8 | # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the 9 | # following conditions are met: 10 | # 11 | # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following 12 | # disclaimer. 13 | # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the 14 | # following disclaimer in the documentation and/or other materials provided with the distribution. 15 | # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived 16 | # from this software without specific prior written permission. 17 | # 18 | # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, 19 | # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 20 | # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 21 | # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 22 | # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, 23 | # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE 24 | # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
#
#*************************************************************

# Cloudgenix signatures by Justin Kling / jkling _AT_ quadrantsec.com / 20210422

# Both rules are disabled. They key on "cgxFlowLog" flow records, take the first
# and second IP in the message as src/dst, and look the tracked address up in
# Bluedot IP reputation (Malicious, Tor, Honeypot, Proxy; 3-month mdate window).
# NOTE(review): these use parse_dest_ip / track by_dest, whereas every other
# rule in this ruleset spells the destination parser parse_dst_ip. Confirm the
# Sagan version in use accepts the "dest" spelling before re-enabling, or switch
# to the spelling used elsewhere.
# NOTE(review): the msg text reads oddly against the tracking: 5005780 tracks
# by_src yet says "Inbound traffic to suspicious source", and 5005781 tracks
# by_dest yet also says "suspicious source". Both headers are $HOME_NET ->
# $EXTERNAL_NET. Re-check the wording and header direction when re-enabling.
# NOTE(review): the msg prefix is [CLOUDGENIX] rather than [CLOUDGENIX-BLUEDOT],
# unlike the other *-bluedot files (e.g. [FATPIPE-BLUEDOT]).

#alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[CLOUDGENIX] Inbound traffic to suspicious source"; content: "cgxFlowLog"; parse_src_ip: 1; parse_dest_ip: 2; bluedot: type ip_reputation, track by_src, mdate_effective_period 3 months, Malicious,Tor,Honeypot,Proxy; classtype: bad-unknown; sid:5005780; rev: 1;)

#alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[CLOUDGENIX] Outbound traffic to suspicious source"; content: "cgxFlowLog"; parse_src_ip: 1; parse_dest_ip: 2; bluedot: type ip_reputation, track by_dest, mdate_effective_period 3 months, Malicious,Tor,Honeypot,Proxy; classtype: bad-unknown; sid:5005781; rev: 1;)

-------------------------------------------------------------------------------- /courier-geoip.rules: --------------------------------------------------------------------------------
# Sagan courier-geoip.rules
# Copyright (c) 2009-2023. Quadrant Information Security
# All rights reserved.
#
# Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list
#
#*************************************************************
# Redistribution and use in source and binary forms, with or without modification, are permitted provided that the
# following conditions are met:
#
# * Redistributions of source code must retain the above copyright notice, this list of conditions and the following
# disclaimer.
# * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the
# following disclaimer in the documentation and/or other materials provided with the distribution.
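# * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES,
# INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
# USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#
#*************************************************************

# Courier IMAP events (program imapd, imapd-ssl or courierlogger) keyed on the
# GeoIP country of the first IP in the message: each rule fires only when that
# address resolves to a country other than $HOME_COUNTRY.
# Fix: sid 5002394 was missing the "|" between imapd-ssl and courierlogger, so
# its program: list was "imapd" or the literal "imapd-sslcourierlogger" -- the
# failed-login rule never fired for imapd-ssl or courierlogger events. rev bumped.
# sid 5002395 uses meta_content to match either LOGOUT or DISCONNECTED in place
# of %sagan%.
# NOTE(review): sid 5002397 (TIMEOUT) is classtype successful-user; a timeout
# is an idle-session disconnect, so not-suspicious (as on 5002395) may be the
# better fit -- confirm how downstream prioritises this before changing.

alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[COURIER-GEOIP] Authentication failure from outside HOME_COUNTRY"; content: "LOGIN FAILED,"; parse_src_ip: 1; default_proto: tcp; classtype: unsuccessful-user; program: imapd|imapd-ssl|courierlogger; country_code: track by_src, isnot $HOME_COUNTRY; sid:5002394; rev:3;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[COURIER-GEOIP] Logout/disconnect from outside HOME_COUNTRY"; meta_content: "%sagan%",LOGOUT,DISCONNECTED; default_proto: tcp; classtype: not-suspicious; parse_src_ip: 1; program: imapd|imapd-ssl|courierlogger; country_code: track by_src, isnot $HOME_COUNTRY; sid:5002395; rev:3;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[COURIER-GEOIP] User login from outside HOME_COUNTRY"; content: "LOGIN,"; parse_src_ip: 1; default_proto: tcp; classtype: successful-user; program: imapd|imapd-ssl|courierlogger; country_code: track by_src, isnot $HOME_COUNTRY; sid:5002396; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[COURIER-GEOIP] Timeout from outside HOME_COUNTRY"; content: "TIMEOUT"; parse_src_ip: 1; default_proto: tcp; classtype: successful-user; program: imapd|imapd-ssl|courierlogger; country_code: track by_src, isnot $HOME_COUNTRY; sid:5002397; rev:2;)

-------------------------------------------------------------------------------- /dovecot.rules: --------------------------------------------------------------------------------
# Sagan dovecot.rules
# Copyright (c) 2009-2023. Quadrant Information Security
# All rights reserved.
#
# Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list
#
#*************************************************************
# Redistribution and use in source and binary forms, with or without modification, are permitted provided that the
# following conditions are met:
#
# * Redistributions of source code must retain the above copyright notice, this list of conditions and the following
# disclaimer.
# * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the
# following disclaimer in the documentation and/or other materials provided with the distribution.
# * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES,
# INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
# DISCLAIMED.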
IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
# USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#
#*************************************************************

# Dovecot (program: dovecot) login / lifecycle events. 5000264 and 5000267 are
# disabled. 5000268 uses a case-insensitive pcre, so the three alternatives
# cover the differently-worded "unknown user" messages.
# NOTE(review): unlike the courier / citrix rules in this ruleset, none of these
# parse a client IP (no parse_src_ip), so alerts are attributed to the syslog
# sender rather than the remote client and cannot feed the by_src geoip /
# blacklist / after trackers used elsewhere. If the Dovecot lines carry a rip=
# field, a parse_src_ip on that position would fix it -- verify the IP order on
# a live log before adding it.
# NOTE(review): "Password mismatch" (5000265) may only be logged at elevated
# auth verbosity on some Dovecot versions; confirm it appears in production logs,
# otherwise failed logins go unseen.

#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[DOVECOT] Authentication success"; content: "login"; content: "Login"; default_proto: tcp; classtype: successful-user; program: dovecot; sid:5000264; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[DOVECOT] Failed login"; content: "Password mismatch"; default_proto: tcp; classtype: unsuccessful-user; program: dovecot; sid:5000265; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[DOVECOT] Starting up"; content: "starting up"; default_proto: tcp; classtype: system-event; program: dovecot; sid:5000266; rev:2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[DOVECOT] Fatal error"; content: "Fatal"; default_proto: tcp; classtype: program-error; program: dovecot; sid:5000267; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[DOVECOT] Invalid username"; pcre: "/user not found|User not known|unknown user/i"; default_proto: tcp; classtype: unsuccessful-user; program: dovecot; sid:5000268; rev:2;)

-------------------------------------------------------------------------------- /f5-big-ip.rules: --------------------------------------------------------------------------------
# Sagan f5-big-ip.rules
# Copyright (c) 2009-2023. Quadrant Information Security
# All rights reserved.
4 | # 5 | # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list 6 | # 7 | #************************************************************* 8 | # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the 9 | # following conditions are met: 10 | # 11 | # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following 12 | # disclaimer. 13 | # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the 14 | # following disclaimer in the documentation and/or other materials provided with the distribution. 15 | # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived 16 | # from this software without specific prior written permission. 17 | # 18 | # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, 19 | # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 20 | # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 21 | # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 22 | # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, 23 | # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE 24 | # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
#
#*************************************************************

# SSH brute force against the BIG-IP management plane. Each matching line is
# already a BIG-IP summary ("failed to login after" ... together with "sshd"),
# so after: count 5 in 300s means five such summaries from one source, not five
# raw failures. One alert per source per 300s (threshold: suppress); the
# brute_force xbit (expire 21600) is the same one set by the cisco-tacacs rule
# (sid 5014062) so correlation rules can treat them alike.
# NOTE(review): parse_src_ip: 1 takes the first IP in the message; no sample
# line is shown in this file, so confirm that is the client address and not the
# BIG-IP's own management address.

alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[F5-BIG-IP] Brute force Attempt [5/1]"; content: "failed to login after"; content: "sshd"; xbits: set,brute_force,track ip_src,expire 21600; default_proto: tcp; default_dst_port: $SSH_PORT; classtype: brute-force; parse_src_ip: 1; after: track by_src, count 5, seconds 300; threshold: type suppress, track by_src, count 1, seconds 300; reference: url,support.f5.com/kb/en-us/solutions/public/13000/400/sol13426.html; sid:5002946; rev:4;)

-------------------------------------------------------------------------------- /fatpipe-aetas.rules: --------------------------------------------------------------------------------
# Sagan fatpipe-aetas.rules
# Copyright (c) 2009-2023. Quadrant Information Security
# All rights reserved.
#
# Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list
#
#*************************************************************
# Redistribution and use in source and binary forms, with or without modification, are permitted provided that the
# following conditions are met:
#
# * Redistributions of source code must retain the above copyright notice, this list of conditions and the following
# disclaimer.
# * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the
# following disclaimer in the documentation and/or other materials provided with the distribution.
# * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
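#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES,
# INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
# USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#
#*************************************************************


# 10.10.10.5|authpriv|info|info|56|2014-02-12|18:53:52|xtremed| UI Login: Success, User Name: bob, Remote IP: 10.10.10.1, Privilege: ADMINISTRATOR

# FatPipe (program xtremed) UI login outside the $SAGAN_DAYS / $SAGAN_HOURS
# window. "Login|3a| Success" is "Login: Success" (0x3a = ':'). parse_src_ip: 1
# takes the first IP in the message, which in the sample above is the
# "Remote IP" field, i.e. the client. An ADMINISTRATOR login raises both alerts:
# 5002041 matches every successful login and 5002042 additionally requires the
# ADMINISTRATOR string.
# NOTE(review): 5002041 is classtype successful-admin even when the Privilege
# field is not ADMINISTRATOR; use successful-user there if that distinction
# matters downstream.
# Fix: "supicious" typo in the 5002042 msg; rev bumped.

alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[FATPIPE-AETAS] Login Success at suspicious time"; content: "Login|3a| Success"; default_proto: tcp; default_dst_port: $HTTPS_PORT; classtype: successful-admin; program: xtremed; parse_src_ip: 1; alert_time: days $SAGAN_DAYS, hours $SAGAN_HOURS; sid: 5002041; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[FATPIPE-AETAS] Login Success - ADMINISTRATOR - at suspicious time"; content: "Login|3a| Success"; content: "ADMINISTRATOR"; default_proto: tcp; default_dst_port: $HTTPS_PORT; classtype: successful-admin; program: xtremed; parse_src_ip: 1; alert_time: days $SAGAN_DAYS, hours $SAGAN_HOURS; sid: 5002042; rev:3;)

-------------------------------------------------------------------------------- /fatpipe-bluedot.rules: --------------------------------------------------------------------------------
# Sagan fatpipe-bluedot.rules
# Copyright (c)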
2009-2023. Quadrant Information Security 3 | # All rights reserved. 4 | # 5 | # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list 6 | # 7 | #************************************************************* 8 | # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the 9 | # following conditions are met: 10 | # 11 | # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following 12 | # disclaimer. 13 | # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the 14 | # following disclaimer in the documentation and/or other materials provided with the distribution. 15 | # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived 16 | # from this software without specific prior written permission. 17 | # 18 | # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, 19 | # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 20 | # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 21 | # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 22 | # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, 23 | # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE 24 | # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
25 | # 26 | #************************************************************* 27 | 28 | 29 | # 10.10.10.5|authpriv|info|info|56|2014-02-12|18:53:52|xtremed| UI Login: Success, User Name: bob, Remote IP: 10.10.10.1, Privilege: ADMINISTRATOR 30 | 31 | alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[FATPIPE-BLUEDOT] Login Success from suspicious source"; content: "Login|3a| Success"; default_proto: tcp; default_dst_port: $HTTPS_PORT; classtype: successful-admin; program: xtremed; parse_src_ip: 1; bluedot: type ip_reputation, track by_src, mdate_effective_period 3 months, Malicious,Tor,Honeypot,Proxy; sid:5002895; rev:4;) 32 | alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[FATPIPE-BLUEDOT] Login Success - ADMINISTRATOR - from suspicious source"; content: "Login|3a| Success"; content: "ADMINISTRATOR"; default_proto: tcp; default_dst_port: $HTTPS_PORT; classtype: successful-admin; program: xtremed; parse_src_ip: 1; bluedot: type ip_reputation, track by_src, mdate_effective_period 3 months, Malicious,Tor,Honeypot,Proxy; sid:5002896; rev:4;) 33 | 34 | -------------------------------------------------------------------------------- /fatpipe-geoip.rules: -------------------------------------------------------------------------------- 1 | # Sagan fatpipe-geoip.rules 2 | # Copyright (c) 2009-2023. Quadrant Information Security 3 | # All rights reserved. 4 | # 5 | # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list 6 | # 7 | #************************************************************* 8 | # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the 9 | # following conditions are met: 10 | # 11 | # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following 12 | # disclaimer. 
13 | # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the 14 | # following disclaimer in the documentation and/or other materials provided with the distribution. 15 | # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived 16 | # from this software without specific prior written permission. 17 | # 18 | # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, 19 | # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 20 | # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 21 | # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 22 | # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, 23 | # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE 24 | # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
25 | # 26 | #************************************************************* 27 | 28 | 29 | # 10.10.10.5|authpriv|info|info|56|2014-02-12|18:53:52|xtremed| UI Login: Success, User Name: bob, Remote IP: 10.10.10.1, Privilege: ADMINISTRATOR 30 | 31 | alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[FATPIPE-GEOIP] Login Success from outside HOME_COUNTRY"; content: "Login|3a| Success"; default_proto: tcp; default_dst_port: $HTTPS_PORT; classtype: successful-admin; program: xtremed; parse_src_ip: 1; country_code: track by_src, isnot $HOME_COUNTRY; sid: 5001959; rev:3;) 32 | alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[FATPIPE-GEOIP] Login Success - ADMINISTRATOR - from outside HOME_COUNTRY"; content: "Login|3a| Success"; content: "ADMINISTRATOR"; default_proto: tcp; default_dst_port: $HTTPS_PORT; classtype: successful-admin; program: xtremed; parse_src_ip: 1; country_code: track by_src, isnot $HOME_COUNTRY; sid: 5001960; rev:3;) 33 | 34 | -------------------------------------------------------------------------------- /fortinet-aetas.rules: -------------------------------------------------------------------------------- 1 | # Sagan fortinet-aetas.rules 2 | # Copyright (c) 2009-2023. Quadrant Information Security 3 | # All rights reserved. 4 | # 5 | # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list 6 | # 7 | #************************************************************* 8 | # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the 9 | # following conditions are met: 10 | # 11 | # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following 12 | # disclaimer. 13 | # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the 14 | # following disclaimer in the documentation and/or other materials provided with the distribution. 
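# * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES,
# INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
# USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#
#*************************************************************

# Fortinet events are matched on the numeric log-id fragment that precedes "type=" plus a status string, and
# every rule here fires only inside the alert_time window ($SAGAN_DAYS / $SAGAN_HOURS).
# NOTE(review): unlike the FatPipe rules these carry no program: qualifier, so any log source containing
# these strings will match - add one if the Fortinet syslog program name is known in this deployment.
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET-AETAS] Login accepted at suspicious time"; content: "32006 type="; content: "login"; meta_content: "%sagan%",accepted,successfully; parse_src_ip: 1; alert_time: days $SAGAN_DAYS, hours $SAGAN_HOURS; classtype: successful-admin; sid: 5002043; rev:4;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET-AETAS] Administrator Login at suspicious time"; content: "32001 type="; content: "logged in"; parse_src_ip: 1; classtype: successful-admin; alert_time: days $SAGAN_DAYS, hours $SAGAN_HOURS; sid: 5002044; rev:3;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET-AETAS] Admin authentication access at suspicious time"; content: "38001 type="; content: "succeeded in authentication"; parse_src_ip: 1; alert_time: days $SAGAN_DAYS, hours $SAGAN_HOURS; classtype: successful-admin; sid: 5002045; rev:3;)
# Skip traffic entries that report no data at all (duration=0 sentbyte=0 rcvdbyte=0); the GEOIP sibling
# (sid 5001971) already excludes them, and without the same exclusion this rule is far noisier than that one.
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET-AETAS] SSH traffic detected at suspicious time"; content: " service=SSH "; content:!"duration=0 sentbyte=0 rcvdbyte=0"; classtype: suspicious-traffic; parse_src_ip: 1; parse_dst_ip: 2; alert_time: days $SAGAN_DAYS, hours $SAGAN_HOURS; sid: 5002046; rev:5;)

--------------------------------------------------------------------------------
/fortinet-geoip.rules:
--------------------------------------------------------------------------------
# Sagan fortinet-geoip.rules
# Copyright (c) 2009-2023. Quadrant Information Security
# All rights reserved.
#
# Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list
#
#*************************************************************
# Redistribution and use in source and binary forms, with or without modification, are permitted provided that the
# following conditions are met:
#
# * Redistributions of source code must retain the above copyright notice, this list of conditions and the following
# disclaimer.
# * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the
# following disclaimer in the documentation and/or other materials provided with the distribution.
# * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES,
# INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
# DISCLAIMED.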
IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 21 | # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 22 | # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, 23 | # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE 24 | # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 25 | # 26 | #************************************************************* 27 | 28 | alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET-GEOIP] Login accepted from outside HOME_COUNTRY"; content: "32006 type="; content: "login"; meta_content: "%sagan%",accepted,successfully; parse_src_ip: 1; country_code: track by_src, isnot $HOME_COUNTRY; classtype: successful-admin; sid: 5001947; rev:5;) 29 | alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET-GEOIP] Administrator Login from outside HOME_COUNTRY"; content: "32001 type="; content: "logged in"; parse_src_ip: 1; classtype: successful-admin; country_code: track by_src, isnot $HOME_COUNTRY; sid: 5001948; rev:4;) 30 | alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET-GEOIP] Admin authentication success outside HOME_COUNTRY"; content: "38001 type="; content: "succeeded in authentication"; parse_src_ip: 1; country_code: track by_src, isnot $HOME_COUNTRY; classtype: successful-admin; sid: 5001949; rev:4;) 31 | alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET-GEOIP] SSH traffic detected from outside HOME_COUNTRY"; content: " service=SSH "; content:!"duration=0 sentbyte=0 rcvdbyte=0"; classtype: suspicious-traffic; parse_src_ip: 1; parse_dst_ip: 2; country_code: track by_src, isnot $HOME_COUNTRY; sid: 5001971; rev:5;) 32 | 33 | -------------------------------------------------------------------------------- /grsec.rules: 
-------------------------------------------------------------------------------- 1 | # Sagan grsec.rules 2 | # Copyright (c) 2009-2023. Quadrant Information Security 3 | # All rights reserved. 4 | # 5 | # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list 6 | # 7 | #************************************************************* 8 | # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the 9 | # following conditions are met: 10 | # 11 | # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following 12 | # disclaimer. 13 | # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the 14 | # following disclaimer in the documentation and/or other materials provided with the distribution. 15 | # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived 16 | # from this software without specific prior written permission. 17 | # 18 | # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, 19 | # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 20 | # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 21 | # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 22 | # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, 23 | # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE 24 | # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
25 | # 26 | #************************************************************* 27 | # 28 | # These rule sets are for systems with hardened kernels (PaX/GRSec). If you don't run a hardened kernel, you won't 29 | # see these alerts. For more information, see: http://www.grsecurity.net/ 30 | 31 | 32 | alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[GRSEC] Time set"; content:"time set by";classtype: not-suspicious; program: grsec; parse_src_ip: 1; sid: 5000029; rev:6;) 33 | #alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[GRSEC] Signal 11 sent"; content:"signal 11 sent";classtype: program-error; parse_src_ip: 1; program: grsec; sid: 5000030; rev:6;) 34 | alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[GRSEC] Denied resource overstep"; content:"denied resource overstep"; xbits: set,brute_force, track ip_src, expire 21600; classtype: exploit-attempt; program: grsec; parse_src_ip: 1; sid: 5000042; rev:7;) 35 | -------------------------------------------------------------------------------- /hordeimp.rules: -------------------------------------------------------------------------------- 1 | # Sagan hordeimp.rules 2 | # Copyright (c) 2009-2023. Quadrant Information Security 3 | # All rights reserved. 4 | # 5 | # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list 6 | # 7 | #************************************************************* 8 | # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the 9 | # following conditions are met: 10 | # 11 | # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following 12 | # disclaimer. 13 | # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the 14 | # following disclaimer in the documentation and/or other materials provided with the distribution. 
15 | # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived 16 | # from this software without specific prior written permission. 17 | # 18 | # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, 19 | # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 20 | # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 21 | # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 22 | # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, 23 | # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE 24 | # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 25 | # 26 | #************************************************************* 27 | 28 | alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[HORDEIMP] Informational message"; content: "[info]"; default_proto: tcp; default_dst_port: $HTTP_PORT; classtype: unknown; program: HORDE; sid:5000371; rev:3;) 29 | alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[HORDEIMP] Notice message"; content: "[notice]"; default_proto: tcp; default_dst_port: $HTTP_PORT; classtype: unknown; program: HORDE; sid:5000263; rev:3;) 30 | alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[HORDEIMP] Error message"; content: "[error]"; default_proto: tcp; default_dst_port: $HTTP_PORT; classtype: network-event; program: HORDE; sid:5000372; rev:3;) 31 | alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[HORDEIMP] Emergency message"; content: "[emergency]"; default_proto: tcp; default_dst_port: $HTTP_PORT; classtype: network-event; program: HORDE; sid:5000369; rev:3;) 32 | alert any $EXTERNAL_NET any -> $HOME_NET any 
(msg: "[HORDEIMP] IMP successful login"; content: "Login success for"; default_proto: tcp; default_dst_port: $HTTP_PORT; classtype: successful-user; program: HORDE; sid:5000370; rev:3;) 33 | alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[HORDEIMP] Failed login"; content: "FAILED LOGIN"; default_proto: tcp; default_dst_port: $HTTP_PORT; classtype: unsuccessful-user; program: HORDE; sid:5000368; rev:3;) 34 | 35 | -------------------------------------------------------------------------------- /ipop3d.rules: -------------------------------------------------------------------------------- 1 | # Sagan ipop3d.rules 2 | # Copyright (c) 2009-2023. Quadrant Information Security 3 | # All rights reserved. 4 | # 5 | # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list 6 | # 7 | #************************************************************* 8 | # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the 9 | # following conditions are met: 10 | # 11 | # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following 12 | # disclaimer. 13 | # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the 14 | # following disclaimer in the documentation and/or other materials provided with the distribution. 15 | # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived 16 | # from this software without specific prior written permission. 17 | # 18 | # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, 19 | # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 20 | # DISCLAIMED. 
IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 21 | # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 22 | # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, 23 | # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE 24 | # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 25 | # 26 | #************************************************************* 27 | 28 | alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[IPOP3D] Excessive login failures"; content:"Login excessive login failures"; default_proto: tcp; default_dst_port: $POP3_PORT; classtype: brute-force; program: ipop3d|ipop3d-ssl; threshold:type suppress, track by_src, count 5, seconds 300; xbits: set,brute_force,track ip_src, expire 21600; sid:5000032; rev:9;) 29 | 30 | -------------------------------------------------------------------------------- /juniper-aetas.rules: -------------------------------------------------------------------------------- 1 | # Sagan juniper-aetas.rules 2 | # Copyright (c) 2009-2023. Quadrant Information Security 3 | # All rights reserved. 4 | # 5 | # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list 6 | # 7 | #************************************************************* 8 | # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the 9 | # following conditions are met: 10 | # 11 | # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following 12 | # disclaimer. 
13 | # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the 14 | # following disclaimer in the documentation and/or other materials provided with the distribution. 15 | # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived 16 | # from this software without specific prior written permission. 17 | # 18 | # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, 19 | # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 20 | # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 21 | # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 22 | # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, 23 | # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE 24 | # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
25 | # 26 | #************************************************************* 27 | 28 | 29 | alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[JUNIPER-AETAS] VPN Login at suspicious time"; program: Juniper; pcre: "/Authentication successful|Login succeeded/i"; alert_time: days $SAGAN_DAYS, hours $SAGAN_HOURS; default_proto: tcp; default_dst_port: $HTTPS_PORT; classtype: successful-user; parse_src_ip: 1; sid:5002047; rev:3;) 30 | alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[JUNIPER-AETAS] VPN Logout at suspicious time"; program: Juniper; content: "Logout from"; alert_time: days $SAGAN_DAYS, hours $SAGAN_HOURS; default_proto: tcp; default_dst_port: $HTTPS_PORT; classtype: successful-user; parse_src_ip: 1; sid:5002048; rev:3;) 31 | 32 | 33 | -------------------------------------------------------------------------------- /juniper-geoip.rules: -------------------------------------------------------------------------------- 1 | # Sagan juniper-geoip.rules 2 | # Copyright (c) 2009-2023. Quadrant Information Security 3 | # All rights reserved. 4 | # 5 | # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list 6 | # 7 | #************************************************************* 8 | # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the 9 | # following conditions are met: 10 | # 11 | # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following 12 | # disclaimer. 13 | # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the 14 | # following disclaimer in the documentation and/or other materials provided with the distribution. 15 | # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived 16 | # from this software without specific prior written permission. 
17 | # 18 | # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, 19 | # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 20 | # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 21 | # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 22 | # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, 23 | # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE 24 | # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 25 | # 26 | #************************************************************* 27 | 28 | # Juniper VPN login/logout events (program: Juniper) whose source address, as extracted by parse_src_ip: 1, geolocates outside $HOME_COUNTRY. 29 | alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[JUNIPER-GEOIP] VPN Login from outside HOME_COUNTRY"; program: Juniper; pcre: "/Authentication successful|Login succeeded/i"; country_code: track by_src, isnot $HOME_COUNTRY; default_proto: tcp; default_dst_port: $HTTPS_PORT; classtype: successful-user; parse_src_ip: 1; sid:5002028; rev:2;) 30 | alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[JUNIPER-GEOIP] VPN Logout from outside HOME_COUNTRY"; program: Juniper; content: "Logout from"; country_code: track by_src, isnot $HOME_COUNTRY; default_proto: tcp; default_dst_port: $HTTPS_PORT; classtype: successful-user; parse_src_ip: 1; sid:5002029; rev:2;) 31 | 32 | # Juniper alerts for CVE-2015-7755 (ScreenOS admin login seen from outside the home country; see the JSA10713 reference on the rule) - Robert Nunley (rnunley@quadrantsec.com) 33 | 34 | alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[JUNIPER-GEOIP] Juniper ScreenOS Admin Login from Outside of Home Country"; content: "Admin user"; content:"has logged on via"; country_code: track by_src, isnot $HOME_COUNTRY; default_proto: tcp; default_dst_port: $SSH_PORT; classtype: successful-user; parse_src_ip: 1; 
reference:url,kb.juniper.net/InfoCenter/index?page=content&id=JSA10713&actp=search; sid:5002773; rev:3;) 35 | 36 | -------------------------------------------------------------------------------- /knockd.rules: -------------------------------------------------------------------------------- 1 | # Sagan knockd.rules 2 | # Copyright (c) 2009-2023. Quadrant Information Security 3 | # All rights reserved. 4 | # 5 | # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list 6 | # 7 | #************************************************************* 8 | # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the 9 | # following conditions are met: 10 | # 11 | # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following 12 | # disclaimer. 13 | # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the 14 | # following disclaimer in the documentation and/or other materials provided with the distribution. 15 | # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived 16 | # from this software without specific prior written permission. 17 | # 18 | # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, 19 | # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 20 | # DISCLAIMED. 
IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 21 | # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 22 | # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, 23 | # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE 24 | # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 25 | # 26 | #************************************************************* 27 | 28 | alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[KNOCKD] Open Sesame"; content: "OPEN SESAME"; classtype: successful-user; program: knockd; parse_src_ip: 1; sid:5000383; rev:3;) 29 | alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[KNOCKD] Sequence timeout"; content: "sequence timeout"; classtype: unsuccessful-user; program: knockd; sid:5000384; rev:2;) 30 | 31 | -------------------------------------------------------------------------------- /librenms.rules: -------------------------------------------------------------------------------- 1 | # Sagan librenms.rules 2 | # Copyright (c) 2022. Quadrant Information Security 3 | # All rights reserved. 4 | # 5 | # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list 6 | # 7 | #************************************************************* 8 | # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the 9 | # following conditions are met: 10 | # 11 | # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following 12 | # disclaimer. 13 | # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the 14 | # following disclaimer in the documentation and/or other materials provided with the distribution. 
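# * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES,
# INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
# USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#
#*************************************************************

# LibreNMS syslog alerts (program: librenms) are matched on the bracketed severity tag, one rule per level so
# each severity carries its own sid and can be tuned or disabled independently.
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[LibreNMS] - Warning Alert"; content: " [Warning] "; classtype: system-event; program: librenms; sid: 5008385; rev:1;)
# msg previously said "Warning Alert" for the [Critical] match, so critical and warning events were indistinguishable by message.
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[LibreNMS] - Critical Alert"; content: " [Critical] "; classtype: system-event; program: librenms; sid: 5008386; rev:2;)
# The [OK] rule ships disabled; enable it if [OK] notices should be recorded alongside Warning and Critical.
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[LibreNMS] - OK Alert"; content: " [OK] "; classtype: system-event; program: librenms; sid: 5008387; rev:1;)
--------------------------------------------------------------------------------
/mcafee-web-gateway.rules:
--------------------------------------------------------------------------------
# Sagan mcafee-web-gateway.rules
# Copyright (c) 2009-2023, Quadrant Information Security
# All rights reserved.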
4 | # 5 | # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list 6 | # 7 | #************************************************************* 8 | # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the 9 | # following conditions are met: 10 | # 11 | # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following 12 | # disclaimer. 13 | # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the 14 | # following disclaimer in the documentation and/or other materials provided with the distribution. 15 | # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived 16 | # from this software without specific prior written permission. 17 | # 18 | # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, 19 | # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 20 | # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 21 | # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 22 | # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, 23 | # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE 24 | # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
#
#*************************************************************
# Josh Johnson
# 2018/04/28

# 5003801: McAfee Web Gateway log line (program: mwg) that contains "High Risk" and, via
# meta_content (%sagan% is expanded to each listed value), " 200 GET " or " 200 POST " -- i.e. a
# request the gateway rated high risk that was still answered with what is presumably an HTTP 200.
# parse_src_ip: 1 takes the first IP address found in the message as the alert's source address.
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[McAfee-Web-Gateway] High Risk Connection Attempt Detected"; content: "High Risk"; meta_content: " 200 %sagan% ",GET,POST; program: mwg; parse_src_ip: 1; classtype: suspicious-traffic; sid:5003801; rev:1;)


-------------------------------------------------------------------------------- /mcas-geoip.rules: --------------------------------------------------------------------------------
# Sagan mcas-geoip.rules
# Copyright (c) 2009-2023. Quadrant Information Security
# All rights reserved.
#
# Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list
#
#*************************************************************
# Redistribution and use in source and binary forms, with or without modification, are permitted provided that the
# following conditions are met:
#
# * Redistributions of source code must retain the above copyright notice, this list of conditions and the following
# disclaimer.
# * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the
# following disclaimer in the documentation and/or other materials provided with the distribution.
# * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES,
# INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
# DISCLAIMED.
# IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
# USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#
#*************************************************************

# Microsoft Defender for Cloud Apps (MCAS) events that carry a "cs2=APPID_" field and whose source
# IP, taken from the message by parse_src_ip:1, geolocates outside $HOME_COUNTRY.  All three rules
# need Sagan's GeoIP lookup enabled and $HOME_COUNTRY defined in the configuration.
#
# 5011592: five or more EVENT_CATEGORY_FAILED_LOGIN events from one source within 600 s.  Output is
# suppressed to one alert per source per 86400 s, and the "brute_force" xbit is set on the source
# for 28800 s so that 5014147 below can correlate a later successful login.  NOTE(review): confirm
# that the xbit is still set on matches the suppress threshold swallows, otherwise 5014147 only
# correlates against the first burst of each day.
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[MCAS] EVENT_CATEGORY_FAILED_LOGIN from outside HOME_COUNTRY"; content:"EVENT_CATEGORY_FAILED_LOGIN"; content:"cs2=APPID_"; parse_src_ip:1; country_code:track by_src, isnot $HOME_COUNTRY; after:track by_src, count 5,seconds 600; threshold: type suppress, track by_src, count 1, seconds 86400; xbits:set,brute_force,track ip_src,expire 28800; classtype:unsuccessful-user; reference:url,learn.microsoft.com/en-us/defender-cloud-apps/what-is-defender-for-cloud-apps; sid:5011592; rev:2;)
# 5011593: any EVENT_CATEGORY_LOGIN from outside $HOME_COUNTRY, with no thresholding.
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[MCAS] EVENT_CATEGORY_LOGIN from outside HOME_COUNTRY"; content:"EVENT_CATEGORY_LOGIN"; content:"cs2=APPID_"; parse_src_ip:1; country_code: track by_src, isnot $HOME_COUNTRY; classtype:successful-user; reference:url,learn.microsoft.com/en-us/defender-cloud-apps/what-is-defender-for-cloud-apps; sid:5011593; rev:1;)
# 5014147: EVENT_CATEGORY_LOGIN from outside $HOME_COUNTRY while the source still carries the
# "brute_force" xbit set by 5011592 -- a success following a burst of failures, the case worth
# triaging first.
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[MCAS] EVENT_CATEGORY_LOGIN from outside HOME_COUNTRY after Brute Force"; content:"EVENT_CATEGORY_LOGIN"; content:"cs2=APPID_"; parse_src_ip:1; country_code: track by_src, isnot $HOME_COUNTRY; xbits:isset,brute_force,track ip_src; classtype:successful-user; reference:url,learn.microsoft.com/en-us/defender-cloud-apps/what-is-defender-for-cloud-apps; sid:5014147; rev:1;)

-------------------------------------------------------------------------------- /milter.rules: -------------------------------------------------------------------------------- 1 | # Sagan milter.rules 2 | # Copyright (c) 2009-2023. Quadrant Information Security 3 | # All rights reserved. 4 | # 5 | # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list 6 | # 7 | #************************************************************* 8 | # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the 9 | # following conditions are met: 10 | # 11 | # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following 12 | # disclaimer. 13 | # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the 14 | # following disclaimer in the documentation and/or other materials provided with the distribution. 15 | # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived 16 | # from this software without specific prior written permission. 17 | # 18 | # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, 19 | # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 20 | # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 21 | # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 22 | # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, 23 | # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE 24 | # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
25 | # 26 | #************************************************************* 27 | 28 | #alert any $EXTERNAL_NET any -> $HOME_NET $SMTP_PORT (msg:"[MILTER] Milter error state"; content:"Milter"; classtype: program-error; program: sm-mta; sid: 5000038; rev:3;) 29 | #alert any $EXTERNAL_NET any -> $HOME_NET $SMTP_PORT (msg:"[MILTER] Mimedefang - No response from slave"; content: "No response from slave"; classtype: program-error; program: mimedefang; sid: 5000039; rev:3;) 30 | #alert any $EXTERNAL_NET any -> $HOME_NET $SMTP_PORT (msg:"[MILTER] SMF-SAV sendmail milter unable to verify"; pcre: "/sender check failed|sender check tempfailed/i"; classtype: program-error; program: smf-sav; sid: 5000143; rev:3;) 31 | -------------------------------------------------------------------------------- /msapi-defender.rules: -------------------------------------------------------------------------------- 1 | # Sagan msapi-defender.rules 2 | # Copyright (c) 2009-2023. Quadrant Information Security 3 | # All rights reserved. 4 | # 5 | # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list 6 | # 7 | #************************************************************* 8 | # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the 9 | # following conditions are met: 10 | # 11 | # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following 12 | # disclaimer. 13 | # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the 14 | # following disclaimer in the documentation and/or other materials provided with the distribution. 15 | # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived 16 | # from this software without specific prior written permission. 
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES,
# INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
# USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#
#*************************************************************
#

# Microsoft Defender alert records (JSON), matched only on the .detectionSource key.  Neither rule
# qualifies the match further, so every alert from the named detection source is reported; add a
# threshold if the volume is too high for the environment.
#
# 5006525: alerts whose detectionSource is WindowsDefenderAtp (Defender for Endpoint).
alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[MSAPI-DEFENDER] WindowsDefenderAtp alert detected"; json_content: ".detectionSource","WindowsDefenderAtp"; classtype: suspicious-traffic; sid:5006525; rev: 1;)
# 5006526: alerts whose detectionSource is WindowsDefenderAv (the antivirus engine).
alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[MSAPI-DEFENDER] WindowsDefenderAv alert detected"; json_content: ".detectionSource","WindowsDefenderAv"; classtype: suspicious-traffic; sid:5006526; rev: 1;)

-------------------------------------------------------------------------------- /msapi-microsoftflow-bluedot.rules: --------------------------------------------------------------------------------
# Sagan msapi-microsoftflow-bluedot.rules
# Copyright (c) 2009-2023. Quadrant Information Security
# All rights reserved.
4 | # 5 | # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list 6 | # 7 | #************************************************************* 8 | # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the 9 | # following conditions are met: 10 | # 11 | # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following 12 | # disclaimer. 13 | # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the 14 | # following disclaimer in the documentation and/or other materials provided with the distribution. 15 | # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived 16 | # from this software without specific prior written permission. 17 | # 18 | # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, 19 | # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 20 | # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 21 | # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 22 | # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, 23 | # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE 24 | # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
#
#*************************************************************
#
# These rules are for the Office 365 Management API
# https://docs.microsoft.com/en-us/office/office-365-management-api/office-365-management-apis-overview
#
# These rules work best with a JSON input map. See the "msapi" mapping. See the Sagan
# JSON documentation for more information
#

# 5004887: Microsoft Flow (Workload "MicrosoftFlow") audit record whose ClientIP is listed in the
# Bluedot IP-reputation feed under Malicious, Tor, Honeypot or Proxy, restricted to entries whose
# listing date falls within the last 3 months (mdate_effective_period).  The json_map options feed
# .ClientIP into src_ip (which bluedot's track by_src evaluates) and .UserID into username; dest_ip
# is mapped to the same .ClientIP, so both endpoints of the alert carry the client address.
# content:"ClientIP" presumably serves as a cheap pre-filter before the JSON lookups.
alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[MSAPI-MICROSOFTFLOW-BLUEDOT] Flow action from Bluedot listed IP address"; content:"ClientIP"; json_content: ".Workload","MicrosoftFlow"; bluedot: type ip_reputation, track by_src, mdate_effective_period 3 months, Malicious,Tor,Honeypot,Proxy; json_map: "src_ip", ".ClientIP"; json_map: "dest_ip", ".ClientIP"; json_map: "username", ".UserID"; json_map: "program",".Workload"; classtype: suspicious-traffic; sid:5004887; rev: 2; metadata:updated_at 2023_08_01;)

-------------------------------------------------------------------------------- /msapi-microsoftflow-geoip.rules: --------------------------------------------------------------------------------
# Sagan msapi-microsoftflow-geoip.rules
# Copyright (c) 2009-2023. Quadrant Information Security
# All rights reserved.
#
# Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list
#
#*************************************************************
# Redistribution and use in source and binary forms, with or without modification, are permitted provided that the
# following conditions are met:
#
# * Redistributions of source code must retain the above copyright notice, this list of conditions and the following
# disclaimer.
# * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the
# following disclaimer in the documentation and/or other materials provided with the distribution.
15 | # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived 16 | # from this software without specific prior written permission. 17 | # 18 | # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, 19 | # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 20 | # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 21 | # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 22 | # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, 23 | # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE 24 | # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 25 | # 26 | #************************************************************* 27 | # 28 | # These rules are for the Office 365 Management API 29 | # https://docs.microsoft.com/en-us/office/office-365-management-api/office-365-management-apis-overview 30 | # 31 | # These rules work best with a JSON input map. See the "msapi" mapping. 
# See the Sagan
# JSON documentation for more information
#

# 5004884: Microsoft Flow (Workload "MicrosoftFlow") audit record whose ClientIP geolocates to a
# country other than $HOME_COUNTRY.  Needs Sagan's GeoIP lookup enabled and $HOME_COUNTRY defined;
# json_map feeds .ClientIP into src_ip (which track by_src evaluates) and .UserID into username,
# and maps dest_ip to the same .ClientIP.
alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[MSAPI-MICROSOFTFLOW-GEOIP] Flow action from outside HOME_COUNTRY"; content:"ClientIP"; json_content: ".Workload","MicrosoftFlow"; country_code: track by_src, isnot $HOME_COUNTRY; json_map: "src_ip", ".ClientIP"; json_map: "dest_ip", ".ClientIP"; json_map: "username", ".UserID"; json_map: "program",".Workload"; classtype: suspicious-traffic; sid:5004884; rev: 2; metadata:updated_at 2023_08_01;)


-------------------------------------------------------------------------------- /msapi-microsoftforms-bluedot.rules: --------------------------------------------------------------------------------
# Sagan msapi-microsoftforms-bluedot.rules
# Copyright (c) 2009-2023. Quadrant Information Security
# All rights reserved.
#
# Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list
#
#*************************************************************
# Redistribution and use in source and binary forms, with or without modification, are permitted provided that the
# following conditions are met:
#
# * Redistributions of source code must retain the above copyright notice, this list of conditions and the following
# disclaimer.
# * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the
# following disclaimer in the documentation and/or other materials provided with the distribution.
# * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
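#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES,
# INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
# USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#
#*************************************************************
#
# These rules are for the Office 365 Management API
# https://docs.microsoft.com/en-us/office/office-365-management-api/office-365-management-apis-overview
#
# These rules work best with a JSON input map. See the "msapi" mapping. See the Sagan
# JSON documentation for more information
#

# 5004893: Microsoft Forms (Workload "MicrosoftForms") audit record whose ClientIP is listed in the
# Bluedot IP-reputation feed under Malicious, Tor, Honeypot or Proxy, restricted to entries whose
# listing date falls within the last 3 months (mdate_effective_period).
#
# Two fixes relative to rev 2: the msg tag read "[MSAPI-MICROSOFTFORMS-GEOIP]" although this is the
# Bluedot rule, which mislabelled the alert and collided with the GeoIP rule's tag when searching by
# msg; and, unlike every sibling *-bluedot rule, no json_map was given, so src_ip (which bluedot's
# track by_src evaluates), username and program depended entirely on the input map.  The json_map
# lines now match the siblings; dest_ip is mapped to the same .ClientIP as in those rules.
# NOTE(review): set metadata updated_at to the commit date when this change lands.
alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[MSAPI-MICROSOFTFORMS-BLUEDOT] Action from Bluedot listed IP"; content:"ClientIP"; json_content: ".Workload","MicrosoftForms"; bluedot: type ip_reputation, track by_src, mdate_effective_period 3 months, Malicious,Tor,Honeypot,Proxy; json_map: "src_ip", ".ClientIP"; json_map: "dest_ip", ".ClientIP"; json_map: "username", ".UserID"; json_map: "program",".Workload"; classtype: suspicious-traffic; sid:5004893; rev: 3; metadata:updated_at 2024_04_11;)

-------------------------------------------------------------------------------- /msapi-microsoftforms-geoip.rules: --------------------------------------------------------------------------------
# Sagan msapi-microsoftforms-geoip.rules
# Copyright (c) 2009-2023. Quadrant Information Security
# All rights reserved.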
4 | # 5 | # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list 6 | # 7 | #************************************************************* 8 | # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the 9 | # following conditions are met: 10 | # 11 | # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following 12 | # disclaimer. 13 | # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the 14 | # following disclaimer in the documentation and/or other materials provided with the distribution. 15 | # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived 16 | # from this software without specific prior written permission. 17 | # 18 | # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, 19 | # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 20 | # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 21 | # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 22 | # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, 23 | # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE 24 | # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
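#
#*************************************************************
#
# These rules are for the Office 365 Management API
# https://docs.microsoft.com/en-us/office/office-365-management-api/office-365-management-apis-overview
#
# These rules work best with a JSON input map. See the "msapi" mapping. See the Sagan
# JSON documentation for more information
#

# 5004890: Microsoft Forms (Workload "MicrosoftForms") audit record whose ClientIP geolocates to a
# country other than $HOME_COUNTRY.  Needs Sagan's GeoIP lookup enabled and $HOME_COUNTRY defined;
# json_map feeds .ClientIP into src_ip (which track by_src evaluates) and .UserID into username,
# and maps dest_ip to the same .ClientIP.
# The msg previously read "Action from outside from outside HOME_COUNTRY" (duplicated words);
# corrected and rev bumped.  NOTE(review): set metadata updated_at to the commit date when this
# change lands.
alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[MSAPI-MICROSOFTFORMS-GEOIP] Action from outside HOME_COUNTRY"; content:"ClientIP"; json_content: ".Workload","MicrosoftForms"; country_code: track by_src, isnot $HOME_COUNTRY; json_map: "src_ip", ".ClientIP"; json_map: "dest_ip", ".ClientIP"; json_map: "username", ".UserID"; json_map: "program",".Workload"; classtype: suspicious-traffic; sid:5004890; rev: 3; metadata:updated_at 2023_08_01;)

-------------------------------------------------------------------------------- /msapi-microsoftstream-bluedot.rules: --------------------------------------------------------------------------------
# Sagan msapi-microsoftstream-bluedot.rules
# Copyright (c) 2009-2023. Quadrant Information Security
# All rights reserved.
#
# Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list
#
#*************************************************************
# Redistribution and use in source and binary forms, with or without modification, are permitted provided that the
# following conditions are met:
#
# * Redistributions of source code must retain the above copyright notice, this list of conditions and the following
# disclaimer.
# * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the
# following disclaimer in the documentation and/or other materials provided with the distribution.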
15 | # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived 16 | # from this software without specific prior written permission. 17 | # 18 | # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, 19 | # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 20 | # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 21 | # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 22 | # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, 23 | # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE 24 | # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 25 | # 26 | #************************************************************* 27 | # 28 | # These rules are for the Office 365 Management API 29 | # https://docs.microsoft.com/en-us/office/office-365-management-api/office-365-management-apis-overview 30 | # 31 | # These rules work best with a JSON input map. See the "msapi" mapping. 
# See the Sagan
# JSON documentation for more information
#

# 5004892: Microsoft Stream (Workload "MicrosoftStream") audit record whose ClientIP is listed in
# the Bluedot IP-reputation feed under Malicious, Tor, Honeypot or Proxy, restricted to entries
# whose listing date falls within the last 3 months (mdate_effective_period).  json_map feeds
# .ClientIP into src_ip (which bluedot's track by_src evaluates) and .UserID into username, and
# maps dest_ip to the same .ClientIP.
alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[MSAPI-MICROSOFTSTREAM-BLUEDOT] Stream action from Bluedot listed IP address"; content:"ClientIP"; json_content: ".Workload","MicrosoftStream"; bluedot: type ip_reputation, track by_src, mdate_effective_period 3 months, Malicious,Tor,Honeypot,Proxy; json_map: "src_ip", ".ClientIP"; json_map: "dest_ip", ".ClientIP"; json_map: "username", ".UserID"; json_map: "program",".Workload"; classtype: suspicious-traffic; sid:5004892; rev: 2; metadata:updated_at 2023_08_01;)



-------------------------------------------------------------------------------- /msapi-microsoftstream-geoip.rules: --------------------------------------------------------------------------------
# Sagan msapi-microsoftstream-geoip.rules
# Copyright (c) 2009-2023. Quadrant Information Security
# All rights reserved.
#
# Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list
#
#*************************************************************
# Redistribution and use in source and binary forms, with or without modification, are permitted provided that the
# following conditions are met:
#
# * Redistributions of source code must retain the above copyright notice, this list of conditions and the following
# disclaimer.
# * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the
# following disclaimer in the documentation and/or other materials provided with the distribution.
# * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES,
# INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
# USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#
#*************************************************************
#
# These rules are for the Office 365 Management API
# https://docs.microsoft.com/en-us/office/office-365-management-api/office-365-management-apis-overview
#
# These rules work best with a JSON input map. See the "msapi" mapping. See the Sagan
# JSON documentation for more information
#

# 5004891: Microsoft Stream (Workload "MicrosoftStream") audit record whose ClientIP geolocates to
# a country other than $HOME_COUNTRY.  Needs Sagan's GeoIP lookup enabled and $HOME_COUNTRY defined;
# json_map feeds .ClientIP into src_ip (which track by_src evaluates) and .UserID into username,
# and maps dest_ip to the same .ClientIP.
alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[MSAPI-MICROSOFTSTREAM-GEOIP] Stream action from outside HOME_COUNTRY"; content:"ClientIP"; json_content: ".Workload","MicrosoftStream"; country_code: track by_src, isnot $HOME_COUNTRY; json_map: "src_ip", ".ClientIP"; json_map: "dest_ip", ".ClientIP"; json_map: "username", ".UserID"; json_map: "program",".Workload"; classtype: suspicious-traffic; sid:5004891; rev: 2; metadata:updated_at 2023_08_01;)


-------------------------------------------------------------------------------- /msapi-microsoftteams-bluedot.rules: --------------------------------------------------------------------------------
# Sagan msapi-microsoftteams-bluedot.rules
# Copyright (c) 2009-2023.
Quadrant Information Security 3 | # All rights reserved. 4 | # 5 | # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list 6 | # 7 | #************************************************************* 8 | # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the 9 | # following conditions are met: 10 | # 11 | # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following 12 | # disclaimer. 13 | # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the 14 | # following disclaimer in the documentation and/or other materials provided with the distribution. 15 | # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived 16 | # from this software without specific prior written permission. 17 | # 18 | # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, 19 | # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 20 | # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 21 | # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 22 | # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, 23 | # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE 24 | # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
#
#*************************************************************
#
# These rules are for the Office 365 Management API
# https://docs.microsoft.com/en-us/office/office-365-management-api/office-365-management-apis-overview
#
# These rules work best with a JSON input map. See the "msapi" mapping. See the Sagan
# JSON documentation for more information
#

# 5004894: Microsoft Teams (Workload "MicrosoftTeams") TeamsSessionStarted record whose ClientIP is
# listed in the Bluedot IP-reputation feed under Malicious, Tor, Honeypot or Proxy, restricted to
# entries whose listing date falls within the last 3 months (mdate_effective_period).  Unlike the
# Flow/Forms/Stream rules this one is narrowed to session starts via .Operation, so other Teams
# operations from a listed IP are not reported.  json_map feeds .ClientIP into src_ip (which
# bluedot's track by_src evaluates) and .UserID into username, and maps dest_ip to the same .ClientIP.
alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[MSAPI-MICROSOFTTEAMS-BLUEDOT] Teams session started from Bluedot listed IP address"; content:"ClientIP"; json_content: ".Workload","MicrosoftTeams"; json_content: ".Operation", "TeamsSessionStarted"; bluedot: type ip_reputation, track by_src, mdate_effective_period 3 months, Malicious,Tor,Honeypot,Proxy; json_map: "src_ip", ".ClientIP"; json_map: "dest_ip", ".ClientIP"; json_map: "username", ".UserID"; json_map: "program",".Workload"; classtype: suspicious-traffic; sid:5004894; rev: 2; metadata:updated_at 2023_08_01;)



-------------------------------------------------------------------------------- /msapi-microsoftteams-geoip.rules: --------------------------------------------------------------------------------
# Sagan msapi-microsoftteams-geoip.rules
# Copyright (c) 2009-2023. Quadrant Information Security
# All rights reserved.
#
# Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list
#
#*************************************************************
# Redistribution and use in source and binary forms, with or without modification, are permitted provided that the
# following conditions are met:
#
# * Redistributions of source code must retain the above copyright notice, this list of conditions and the following
# disclaimer.
13 | # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the 14 | # following disclaimer in the documentation and/or other materials provided with the distribution. 15 | # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived 16 | # from this software without specific prior written permission. 17 | # 18 | # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, 19 | # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 20 | # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 21 | # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 22 | # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, 23 | # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE 24 | # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 25 | # 26 | #************************************************************* 27 | # 28 | # These rules are for the Office 365 Management API 29 | # https://docs.microsoft.com/en-us/office/office-365-management-api/office-365-management-apis-overview 30 | # 31 | # These rules work best with a JSON input map. See the "msapi" mapping. 
See the Sagan 32 | # JSON documentation for more information 33 | # 34 | 35 | alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[MSAPI-MICROSOFTTEAMS-GEOIP] Teams session started from outside HOME_COUNTRY"; content:"ClientIP"; json_content: ".Workload","MicrosoftTeams"; json_content: ".Operation", "TeamsSessionStarted"; country_code: track by_src, isnot $HOME_COUNTRY; json_map: "src_ip", ".ClientIP"; json_map: "dest_ip", ".ClientIP"; json_map: "username", ".UserID"; json_map: "program",".Workload"; classtype: suspicious-traffic; sid:5004895; rev: 2; metadata:updated_at 2023_08_01;) 36 | 37 | 38 | -------------------------------------------------------------------------------- /msapi-onedrive.rules: -------------------------------------------------------------------------------- 1 | # Sagan msapi-onedrive.rules 2 | # Copyright (c) 2009-2023. Quadrant Information Security 3 | # All rights reserved. 4 | # 5 | # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list 6 | # 7 | #************************************************************* 8 | # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the 9 | # following conditions are met: 10 | # 11 | # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following 12 | # disclaimer. 13 | # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the 14 | # following disclaimer in the documentation and/or other materials provided with the distribution. 15 | # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived 16 | # from this software without specific prior written permission. 
17 | # 18 | # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, 19 | # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 20 | # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 21 | # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 22 | # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, 23 | # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE 24 | # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 25 | # 26 | #************************************************************* 27 | # 28 | # These rules are for the Office 365 Management API 29 | # https://docs.microsoft.com/en-us/office/office-365-management-api/office-365-management-apis-overview 30 | # 31 | # These rules work best with a JSON input map. See the "msapi" mapping. See the Sagan 32 | # JSON documentation for more information 33 | # 34 | # NOTE(review): this rule matches the Operation value "DLPRuleMatch", while the sibling SharePoint DLP rule (sid 5005158 in msapi-sharepoint.rules) matches "DlpRuleMatch". Confirm which casing the Office 365 DLP records actually carry and whether json_content compares case-sensitively; if it does, one of the two rules can never fire. 35 | alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[MSAPI-ONEDRIVE] DLP Rule Match"; json_content: ".Workload","OneDrive"; json_content: ".Operation", "DLPRuleMatch"; content:"DetectedValues["; json_map: "src_ip", ".ClientIP"; json_map: "dest_ip", ".ClientIP"; json_map: "username", ".UserID"; json_map: "program",".Workload"; classtype: suspicious-traffic; sid:5005014; rev: 4; metadata: mitre_technique_id T1008, mitre_technique_id T1048;) 36 | -------------------------------------------------------------------------------- /msapi-sharepoint.rules: -------------------------------------------------------------------------------- 1 | # Sagan msapi-sharepoint.rules 2 | # Copyright (c) 2009-2023. Quadrant Information Security 3 | # All rights reserved. 
4 | # 5 | # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list 6 | # 7 | #************************************************************* 8 | # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the 9 | # following conditions are met: 10 | # 11 | # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following 12 | # disclaimer. 13 | # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the 14 | # following disclaimer in the documentation and/or other materials provided with the distribution. 15 | # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived 16 | # from this software without specific prior written permission. 17 | # 18 | # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, 19 | # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 20 | # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 21 | # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 22 | # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, 23 | # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE 24 | # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
25 | # 26 | #************************************************************* 27 | # 28 | # These rules are for the Office 365 Management API 29 | # https://docs.microsoft.com/en-us/office/office-365-management-api/office-365-management-apis-overview 30 | # 31 | # These rules work best with a JSON input map. See the "msapi" mapping. See the Sagan 32 | # JSON documentation for more information 33 | # 34 | 35 | alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[MSAPI-SHAREPOINT] Data loss prevention rule match."; json_content: ".Workload","SharePoint"; json_content: ".Operation", "DlpRuleMatch"; json_map: "src_ip", ".ClientIP"; json_map: "dest_ip", ".ClientIP"; json_map: "username", ".UserID"; json_map: "program",".Workload"; classtype: suspicious-traffic; sid:5005158; rev: 2;) 36 | -------------------------------------------------------------------------------- /nexpose.rules: -------------------------------------------------------------------------------- 1 | # Sagan nexpose.rules 2 | # Copyright (c) 2009-2023. Quadrant Information Security 3 | # All rights reserved. 4 | # 5 | # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list 6 | # 7 | #************************************************************* 8 | # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the 9 | # following conditions are met: 10 | # 11 | # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following 12 | # disclaimer. 13 | # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the 14 | # following disclaimer in the documentation and/or other materials provided with the distribution. 15 | # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived 16 | # from this software without specific prior written permission. 
17 | # 18 | # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, 19 | # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 20 | # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 21 | # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 22 | # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, 23 | # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE 24 | # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 25 | # 26 | #************************************************************* 27 | 28 | # Brian Echeverry - NeXpose rules (security scanning software) 29 | 30 | alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[NeXpose] Scan paused"; content: "SCAN PAUSED|3a|"; classtype: not-suspicious; program: NeXpose; sid:5002276; rev:3;) 31 | alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[NeXpose] Scan failed"; content: "SCAN FAILED|3a|"; classtype: not-suspicious; program: NeXpose; sid:5002277; rev:3;) 32 | alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[NeXpose] Scan stopped"; content: "SCAN STOPPED|3a|"; classtype: not-suspicious; program: NeXpose; sid:5002289; rev:2;) 33 | 34 | 35 | -------------------------------------------------------------------------------- /ninjarmm.rules: -------------------------------------------------------------------------------- 1 | # Sagan ninjarmm.rules 2 | # Copyright (c) 2009-2023. Quadrant Information Security 3 | # All rights reserved. 
4 | # 5 | # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list 6 | # 7 | #************************************************************* 8 | # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the 9 | # following conditions are met: 10 | # 11 | # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following 12 | # disclaimer. 13 | # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the 14 | # following disclaimer in the documentation and/or other materials provided with the distribution. 15 | # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived 16 | # from this software without specific prior written permission. 17 | # 18 | # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, 19 | # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 20 | # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 21 | # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 22 | # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, 23 | # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE 24 | # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 25 | # 26 | #************************************************************* 27 | 28 | # rules by "Bryant Smith" 29 | # 08/23/2022 30 | 31 | # NOTE These rules are for NinjaRMM but they are generated by Bitdefender. 
32 | 33 | alert any $HOME_NET any -> $HOME_NET any (msg:"[NINJARMM] Bitdefender - Threat Blocked"; program:ninjarmm; json_content:".type","Antivirus"; json_content:".statusCode","BDAS_BITDEFENDER_THREAT_BLOCKED"; classtype:malware; sid:5007160; rev:1;) 34 | 35 | alert any $HOME_NET any -> $HOME_NET any (msg:"[NINJARMM] Bitdefender - Threat Deleted"; program:ninjarmm; json_content:".type","Antivirus"; json_content:".statusCode","BDAS_BITDEFENDER_THREAT_DELETED"; classtype:malware; sid:5007161; rev:1;) 36 | -------------------------------------------------------------------------------- /ntp.rules: -------------------------------------------------------------------------------- 1 | # Sagan ntp.rules 2 | # Copyright (c) 2009-2023. Quadrant Information Security 3 | # All rights reserved. 4 | # 5 | # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list 6 | # 7 | #************************************************************* 8 | # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the 9 | # following conditions are met: 10 | # 11 | # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following 12 | # disclaimer. 13 | # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the 14 | # following disclaimer in the documentation and/or other materials provided with the distribution. 15 | # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived 16 | # from this software without specific prior written permission. 17 | # 18 | # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, 19 | # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 20 | # DISCLAIMED. 
IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 21 | # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 22 | # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, 23 | # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE 24 | # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 25 | # 26 | #************************************************************* 27 | # NOTE: the rule below is disabled. If it is re-enabled, the port variable must be $NTP_PORT (the original read $NTp_PORT, which is an undefined variable and would fail rule loading). 28 | #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[NTP] Permission denied error"; content:"permission denied"; program: ntpd*; default_proto: udp; default_dst_port: $NTP_PORT; classtype: program-error; sid: 5000041; rev:4;) 29 | 30 | 31 | -------------------------------------------------------------------------------- /openvpn.rules: -------------------------------------------------------------------------------- 1 | # Sagan openvpn.rules 2 | # Copyright (c) 2009-2023. Quadrant Information Security 3 | # All rights reserved. 4 | # 5 | # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list 6 | # 7 | #************************************************************* 8 | # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the 9 | # following conditions are met: 10 | # 11 | # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following 12 | # disclaimer. 13 | # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the 14 | # following disclaimer in the documentation and/or other materials provided with the distribution. 
15 | # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived 16 | # from this software without specific prior written permission. 17 | # 18 | # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, 19 | # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 20 | # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 21 | # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 22 | # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, 23 | # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE 24 | # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 25 | # 26 | #************************************************************* 27 | # OpenVPN rules. 
Created by Robert Nunley (rnunley@quadrantsec.com) 28 | # 03/11/2013 29 | # NOTE(review): sid 5001651 keys on "Decrypt packet error" and is rate-limited per source by its threshold (type suppress, count 5, seconds 300 — presumably what the "[0/5]" tag in the msg refers to; verify against the Sagan threshold docs). sid 5001653 fires when OpenVPN reports data "tunnelled as cleartext", i.e. a tunnel that negotiated no encryption; it is classed only as network-event here, so consider raising its severity in local tuning because the VPN is then providing no confidentiality at all. 30 | alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[OPENVPN] Authentication failure [0/5]"; content: "Decrypt packet error"; parse_src_ip: 1; default_proto: udp; default_dst_port: $OPENVPN_PORT; classtype: unsuccessful-user; program: openvpn; threshold:type suppress, track by_src, count 5, seconds 300; sid: 5001651; rev:4;) 31 | #alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[OPENVPN] Authentication success"; content: "Initialization Sequence Completed"; parse_src_ip: 1; default_proto: udp; default_dst_port: $OPENVPN_PORT; classtype: successful-user; program: openvpn; sid: 5001652; rev:3;) 32 | alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[OPENVPN] Unencrypted VPN connection initiated"; content: "tunnelled as cleartext"; parse_src_ip: 1; default_proto: udp; default_dst_port: $OPENVPN_PORT; classtype: network-event; program: openvpn; sid: 5001653; rev:3;) 33 | 34 | -------------------------------------------------------------------------------- /postfix.rules: -------------------------------------------------------------------------------- 1 | # Sagan postfix.rules 2 | # Copyright (c) 2009-2023. Quadrant Information Security 3 | # All rights reserved. 4 | # 5 | # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list 6 | # 7 | #************************************************************* 8 | # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the 9 | # following conditions are met: 10 | # 11 | # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following 12 | # disclaimer. 13 | # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the 14 | # following disclaimer in the documentation and/or other materials provided with the distribution. 
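15 | # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived 16 | # from this software without specific prior written permission. 17 | # 18 | # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, 19 | # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 20 | # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 21 | # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 22 | # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, 23 | # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE 24 | # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 25 | # 26 | #************************************************************* 27 | # Postfix (SMTP) rules. Each rule previously carried "default_proto: tcp; default_dst_port: $SMTP_PORT;" twice; the duplicate has been removed. The SASL failure rule now uses parse_src_ip: 1 so the first IP in the message (the connecting client, e.g. the address inside "unknown[...]") becomes src_ip and by_src tracking/correlation keys on the SMTP client instead of the syslog host; drop it if your Postfix log format places a different address first. 28 | #alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[POSTFIX] IP Address black-listed by anti-spam [blocked]"; content: "blocked using"; default_proto: tcp; default_dst_port: $SMTP_PORT; classtype: spam; program: postfix; sid: 5000225; rev:3;) 29 | #alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[POSTFIX] Processing error"; pcre: "/defer service failure|resource temporarily unavailable/i"; default_proto: tcp; default_dst_port: $SMTP_PORT; classtype: program-error; program: postfix; sid: 5000226; rev:3;) 30 | alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[POSTFIX] SASL authentication failure"; content: "authentication failed"; parse_src_ip: 1; default_proto: tcp; default_dst_port: $SMTP_PORT; classtype: unsuccessful-user; program: postfix; sid: 5000227; rev:4;) 31 | 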
-------------------------------------------------------------------------------- /pptp.rules: -------------------------------------------------------------------------------- 1 | # Sagan pptp.rules 2 | # Copyright (c) 2009-2023. Quadrant Information Security 3 | # All rights reserved. 4 | # 5 | # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list 6 | # 7 | #************************************************************* 8 | # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the 9 | # following conditions are met: 10 | # 11 | # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following 12 | # disclaimer. 13 | # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the 14 | # following disclaimer in the documentation and/or other materials provided with the distribution. 15 | # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived 16 | # from this software without specific prior written permission. 17 | # 18 | # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, 19 | # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 20 | # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 21 | # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 22 | # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, 23 | # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE 24 | # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
25 | # 26 | #************************************************************* 27 | 28 | alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[PPTP] Failed message [communications error]"; pcre: "/GRE: \S+ from \S+ failed: status = -1/"; default_proto: tcp; default_dst_port: $PPTP_PORT; classtype: network-event; program: pptpd; sid: 5000134; rev:3;) 29 | alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[PPTP] Connection established"; content: "control connection started"; default_proto: tcp; default_dst_port: $PPTP_PORT; classtype: successful-user; program: pptpd; sid:5000135; rev:3;) 30 | 31 | 32 | -------------------------------------------------------------------------------- /proftpd-aetas.rules: -------------------------------------------------------------------------------- 1 | # Sagan proftpd-aetas.rules 2 | # Copyright (c) 2009-2023. Quadrant Information Security 3 | # All rights reserved. 4 | # 5 | # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list 6 | # 7 | #************************************************************* 8 | # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the 9 | # following conditions are met: 10 | # 11 | # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following 12 | # disclaimer. 13 | # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the 14 | # following disclaimer in the documentation and/or other materials provided with the distribution. 15 | # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived 16 | # from this software without specific prior written permission. 
17 | # 18 | # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, 19 | # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 20 | # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 21 | # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 22 | # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, 23 | # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE 24 | # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 25 | # 26 | # 27 | 28 | alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[PROFTPD-AETAS] Authentication success at suspicious time"; content: "Login successful"; alert_time: days $SAGAN_DAYS, hours $SAGAN_HOURS; parse_src_ip: 3; default_proto: tcp; default_dst_port: $FTP_PORT; classtype: successful-user; program: proftpd; sid: 5002052; rev:4;) 29 | 30 | 31 | 32 | -------------------------------------------------------------------------------- /proftpd-bluedot.rules: -------------------------------------------------------------------------------- 1 | # Sagan proftpd-bluedot.rules 2 | # Copyright (c) 2009-2023. Quadrant Information Security 3 | # All rights reserved. 4 | # 5 | # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list 6 | # 7 | #************************************************************* 8 | # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the 9 | # following conditions are met: 10 | # 11 | # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following 12 | # disclaimer. 
13 | # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the 14 | # following disclaimer in the documentation and/or other materials provided with the distribution. 15 | # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived 16 | # from this software without specific prior written permission. 17 | # 18 | # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, 19 | # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 20 | # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 21 | # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 22 | # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, 23 | # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE 24 | # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 25 | # 26 | # 27 | 28 | alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[PROFTPD-BLUEDOT] Authentication success from suspicious source"; content: "Login successful"; bluedot: type ip_reputation, track by_src, mdate_effective_period 3 months, Malicious,Tor,Honeypot,Proxy; parse_src_ip: 3; default_proto: tcp; default_dst_port: $FTP_PORT; classtype: successful-user; program: proftpd; sid:5002908; rev:4;) 29 | 30 | -------------------------------------------------------------------------------- /proftpd-geoip.rules: -------------------------------------------------------------------------------- 1 | # Sagan proftpd-geoip.rules 2 | # Copyright (c) 2009-2023. Quadrant Information Security 3 | # All rights reserved. 
4 | # 5 | # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list 6 | # 7 | #************************************************************* 8 | # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the 9 | # following conditions are met: 10 | # 11 | # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following 12 | # disclaimer. 13 | # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the 14 | # following disclaimer in the documentation and/or other materials provided with the distribution. 15 | # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived 16 | # from this software without specific prior written permission. 17 | # 18 | # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, 19 | # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 20 | # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 21 | # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 22 | # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, 23 | # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE 24 | # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
25 | # 26 | # 27 | 28 | alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[PROFTPD-GEOIP] Authentication success from outside HOME_COUNTRY"; content: "Login successful"; country_code: track by_src, isnot $HOME_COUNTRY; parse_src_ip: 3; default_proto: tcp; default_dst_port: $FTP_PORT; classtype: successful-user; program: proftpd; sid: 5001870; rev:5;) 29 | 30 | -------------------------------------------------------------------------------- /ransomcare.rules: -------------------------------------------------------------------------------- 1 | # Sagan ransomcare.rules 2 | # Copyright (c) 2009-2023. Quadrant Information Security 3 | # All rights reserved. 4 | # 5 | # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list 6 | # 7 | #************************************************************* 8 | # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the 9 | # following conditions are met: 10 | # 11 | # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following 12 | # disclaimer. 13 | # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the 14 | # following disclaimer in the documentation and/or other materials provided with the distribution. 15 | # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived 16 | # from this software without specific prior written permission. 17 | # 18 | # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, 19 | # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 20 | # DISCLAIMED. 
IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 21 | # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 22 | # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, 23 | # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE 24 | # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 25 | # 26 | #************************************************************* 27 | 28 | # rules by "Bryant Smith" 29 | # 09/22/2023 30 | 31 | alert any $HOME_NET any -> $HOME_NET any (msg:"[RANSOMCARE][CRITICAL & CALL] Critical Alert"; program:RansomCare; content:"Critical Alert"; classtype:trojan-activity; sid:5013731; rev:1; metadata:deployment Both,affected_product NONE,affected_version NONE,mitigation NONE,deprecation_reason NONE,tag ransomware, created_at 2023_09_22, updated_at 2023_09_22, mitre_tactic_id TA0040, mitre_technique_id T1486;) 32 | -------------------------------------------------------------------------------- /reference.config: -------------------------------------------------------------------------------- 1 | # Sagan reference.config 2 | # Copyright (c) 2009-2017, Quadrant Information Security 3 | # All rights reserved. 4 | # 5 | # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list 6 | # 7 | #************************************************************* 8 | # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the 9 | # following conditions are met: 10 | # 11 | # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following 12 | # disclaimer. 
13 | # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the 14 | # following disclaimer in the documentation and/or other materials provided with the distribution. 15 | # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived 16 | # from this software without specific prior written permission. 17 | # 18 | # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, 19 | # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 20 | # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 21 | # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 22 | # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, 23 | # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE 24 | # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 25 | # 26 | #************************************************************* 27 | # 28 | # The following lines define the URL prefix for each reference system used in the rules, 29 | # in the form "config reference: system,URL" (as in the entries below). Most of these are taken from Sourcefire's 30 | # 'Snort'. 
31 | 32 | config reference: bugtraq,http://www.securityfocus.com/bid/ 33 | config reference: cve,http://cve.mitre.org/cgi-bin/cvename.cgi?name= 34 | config reference: arachNIDS,http://www.whitehats.com/info/IDS 35 | config reference: McAfee,http://vil.nai.com/vil/content/v_ 36 | config reference: nessus,http://cgi.nessus.org/plugins/dump.php3?id= 37 | config reference: url,https:// 38 | 39 | #config reference: quadrantsec,https://wiki.quadrantsec.com/bin/view/Main/ 40 | -------------------------------------------------------------------------------- /riverbed-aetas.rules: -------------------------------------------------------------------------------- 1 | # Sagan riverbed-aetas.rules 2 | # Copyright (c) 2009-2023. Quadrant Information Security 3 | # All rights reserved. 4 | # 5 | # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list 6 | # 7 | #************************************************************* 8 | # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the 9 | # following conditions are met: 10 | # 11 | # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following 12 | # disclaimer. 13 | # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the 14 | # following disclaimer in the documentation and/or other materials provided with the distribution. 15 | # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived 16 | # from this software without specific prior written permission. 17 | # 18 | # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, 19 | # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 20 | # DISCLAIMED. 
IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 21 | # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 22 | # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, 23 | # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE 24 | # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 25 | # 26 | #************************************************************* 27 | 28 | # SSH logins are covered for Riverbed via the openssh.rules and openssh-geoip.rules 29 | # Champ Clark (04/15/2014) 30 | 31 | # 10.3.1.1|local1|notice|notice|8d|2014-04-16|13:41:29|webasd| [web.NOTICE]: web: User bob logged in from 10.7.8.1, session count: 1. 32 | 33 | alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[RIVERBED-AETAS] Administrator Login at suspicious time"; content: "logged in"; parse_src_ip: 1; default_proto: tcp; default_dst_port: $HTTPS_PORT; classtype: successful-admin; alert_time: days $SAGAN_DAYS, hours $SAGAN_HOURS; program: webasd; sid: 5002053; rev:3;) 34 | 35 | -------------------------------------------------------------------------------- /riverbed-bluedot.rules: -------------------------------------------------------------------------------- 1 | # Sagan riverbed-bluedot.rules 2 | # Copyright (c) 2009-2023. Quadrant Information Security 3 | # All rights reserved. 
4 | # 5 | # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list 6 | # 7 | #************************************************************* 8 | # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the 9 | # following conditions are met: 10 | # 11 | # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following 12 | # disclaimer. 13 | # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the 14 | # following disclaimer in the documentation and/or other materials provided with the distribution. 15 | # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived 16 | # from this software without specific prior written permission. 17 | # 18 | # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, 19 | # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 20 | # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 21 | # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 22 | # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, 23 | # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE 24 | # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 25 | # 26 | #************************************************************* 27 | 28 | # 10.3.1.1|local1|notice|notice|8d|2014-04-16|13:41:29|webasd| [web.NOTICE]: web: User bob logged in from 10.7.8.1, session count: 1. 
29 | 30 | alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[RIVERBED-BLUEDOT] Administrator Login a suspicious source"; content: "logged in"; parse_src_ip: 1; default_proto: tcp; default_dst_port: $HTTPS_PORT; classtype: successful-admin; bluedot: type ip_reputation, track by_src, mdate_effective_period 3 months, Malicious,Tor,Honeypot,Proxy; program: webasd; sid:5002909; rev:4;) 31 | 32 | -------------------------------------------------------------------------------- /riverbed-geoip.rules: -------------------------------------------------------------------------------- 1 | # Sagan riverbed-geoip.rules 2 | # Copyright (c) 2009-2023. Quadrant Information Security 3 | # All rights reserved. 4 | # 5 | # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list 6 | # 7 | #************************************************************* 8 | # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the 9 | # following conditions are met: 10 | # 11 | # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following 12 | # disclaimer. 13 | # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the 14 | # following disclaimer in the documentation and/or other materials provided with the distribution. 15 | # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived 16 | # from this software without specific prior written permission. 17 | # 18 | # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, 19 | # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 20 | # DISCLAIMED. 
IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 21 | # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 22 | # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, 23 | # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE 24 | # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 25 | # 26 | #************************************************************* 27 | 28 | # SSH logins are covered for Riverbed via the openssh.rules and openssh-geoip.rules 29 | # Champ Clark (04/15/2014) 30 | 31 | # 10.3.1.1|local1|notice|notice|8d|2014-04-16|13:41:29|webasd| [web.NOTICE]: web: User bob logged in from 10.7.8.1, session count: 1. 32 | 33 | alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[RIVERBED-GEOIP] Administrator Login outside of HOME_COUNTRY"; content: "logged in"; parse_src_ip: 1; default_proto: tcp; default_dst_port: $HTTPS_PORT; classtype: successful-admin; country_code: track by_src, isnot $HOME_COUNTRY; program: webasd; sid: 5002032; rev:3;) 34 | 35 | -------------------------------------------------------------------------------- /roundcube.rules: -------------------------------------------------------------------------------- 1 | # Sagan roundcube.rules 2 | # Copyright (c) 2009-2023. Quadrant Information Security 3 | # All rights reserved. 
4 | # 5 | # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list 6 | # 7 | #************************************************************* 8 | # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the 9 | # following conditions are met: 10 | # 11 | # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following 12 | # disclaimer. 13 | # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the 14 | # following disclaimer in the documentation and/or other materials provided with the distribution. 15 | # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived 16 | # from this software without specific prior written permission. 17 | # 18 | # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, 19 | # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 20 | # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 21 | # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 22 | # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, 23 | # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE 24 | # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
25 | # 26 | #************************************************************* 27 | 28 | alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[ROUNDCUBE] - Authentication failed"; content: "failed"; content: "LOGIN"; default_proto: tcp; default_dst_port: $HTTP_PORT; classtype: unsuccessful-user; program: roundcube; sid: 5000277; rev:2;) 29 | #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[ROUNDCUBE] - Authentication success"; content: "Successful login"; default_proto: tcp; default_dst_port: $HTTP_PORT; classtype: successful-user; program: roundcube; sid: 5000278; rev:2;) 30 | 31 | -------------------------------------------------------------------------------- /sagan.rules: -------------------------------------------------------------------------------- 1 | # Sagan sagan.rules 2 | # Copyright (c) 2009-2023. Quadrant Information Security 3 | # All rights reserved. 4 | # 5 | # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list 6 | # 7 | #************************************************************* 8 | # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the 9 | # following conditions are met: 10 | # 11 | # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following 12 | # disclaimer. 13 | # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the 14 | # following disclaimer in the documentation and/or other materials provided with the distribution. 15 | # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived 16 | # from this software without specific prior written permission. 
17 | # 18 | # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, 19 | # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 20 | # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 21 | # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 22 | # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, 23 | # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE 24 | # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 25 | # 26 | #************************************************************* 27 | 28 | # These are rules for the Sagan engine itself. Sagan processors generate syslog data, which these 29 | # rules can alert on. 30 | 31 | # These are for tracking which clients are sending logs to Sagan. They require that the Sagan 32 | # "track-clients" feature be configured and enabled. 33 | 34 | alert any $HOME_NET any -> $HOME_NET any (msg:"[SAGAN] System stop sending logs"; content: "TRACK-CLIENT-NOLOGS"; normalize; classtype: network-event; sid:5010938; rev:1;) 35 | 36 | alert any $HOME_NET any -> $HOME_NET any (msg:"[SAGAN] System has started sending logs again"; content: "TRACK-CLIENT-LOGS"; normalize; classtype: network-event; sid:5010939; rev:2;) 37 | 38 | -------------------------------------------------------------------------------- /samba.rules: -------------------------------------------------------------------------------- 1 | # Sagan samba.rules 2 | # Copyright (c) 2009-2023. Quadrant Information Security 3 | # All rights reserved. 
4 | # 5 | # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list 6 | # 7 | #************************************************************* 8 | # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the 9 | # following conditions are met: 10 | # 11 | # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following 12 | # disclaimer. 13 | # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the 14 | # following disclaimer in the documentation and/or other materials provided with the distribution. 15 | # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived 16 | # from this software without specific prior written permission. 17 | # 18 | # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, 19 | # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 20 | # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 21 | # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 22 | # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, 23 | # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE 24 | # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 25 | # 26 | #************************************************************* 27 | 28 | #alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[SAMBA] Startup network problem"; content: "getpeername failed. 
Error was Transport endpoint"; classtype: program-error; program: smbd; sid: 5000145; rev:2;) 29 | alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[SAMBA] Connection denied"; pcre: "/denied connection from|connection denied from/i"; classtype: unsuccessful-user; program: smbd; sid: 5000146; rev:2;) 30 | #alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[SAMBA] Connection reset by peer"; content: "Connection reset by peer"; classtype: not-suspicious; program: smbd; sid: 5000147; rev:2;) 31 | alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[SAMBA] User action denied by configuration"; content: "Permission denied"; classtype: unsuccessful-user; program: smbd; sid: 5000375; rev:2;) 32 | #alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[SAMBA] Unable to connect to CUPS server"; content: "Unable to connect to CUPS server"; classtype: program-error; program: smbd; sid: 5000148; rev:2;) 33 | 34 | 35 | -------------------------------------------------------------------------------- /solaris.rules: -------------------------------------------------------------------------------- 1 | # Sagan solaris.rules 2 | # Copyright (c) 2009-2023. Quadrant Information Security 3 | # All rights reserved. 4 | # 5 | # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list 6 | # 7 | #************************************************************* 8 | # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the 9 | # following conditions are met: 10 | # 11 | # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following 12 | # disclaimer. 13 | # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the 14 | # following disclaimer in the documentation and/or other materials provided with the distribution. 
15 | # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived 16 | # from this software without specific prior written permission. 17 | # 18 | # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, 19 | # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 20 | # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 21 | # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 22 | # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, 23 | # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE 24 | # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 25 | # 26 | #************************************************************* 27 | 28 | #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[SYSLOG] kcfd - Unable to open certificate file"; program: kcfd; content: "unable to open certificate file"; classtype: program-error; sid: 5000393; rev:2;) 29 | #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[SYSLOG] rmclomv - Power Supply FAULT!"; program: rmclomv; content: "PSU"; content: "has FAULTED"; classtype: hardware-event; sid: 5000405; rev:2;) 30 | 31 | -------------------------------------------------------------------------------- /ssh-tectia-server-aetas.rules: -------------------------------------------------------------------------------- 1 | # Sagan ssh-tectia-server-aetas.rules 2 | # Copyright (c) 2009-2023. Quadrant Information Security 3 | # All rights reserved. 
4 | # 5 | # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list 6 | # 7 | #************************************************************* 8 | # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the 9 | # following conditions are met: 10 | # 11 | # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following 12 | # disclaimer. 13 | # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the 14 | # following disclaimer in the documentation and/or other materials provided with the distribution. 15 | # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived 16 | # from this software without specific prior written permission. 17 | # 18 | # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, 19 | # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 20 | # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 21 | # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 22 | # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, 23 | # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE 24 | # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 25 | # 26 | #************************************************************* 27 | # 28 | # These rules are for the SSH Tectia Server for Windows systems. 
29 | 30 | alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[SSH-TECTIA-SERVER-AETAS] Authentication success at suspicious time"; content: "Login_success"; default_proto: tcp; default_dst_port: $SSH_PORT; classtype: successful-user; parse_src_ip: 1; parse_dst_ip: 2; program: SSH_Tectia_Server; alert_time: days $SAGAN_DAYS, hours $SAGAN_HOURS; sid: 5002054; rev:3;) 31 | -------------------------------------------------------------------------------- /ssh-tectia-server-bluedot.rules: -------------------------------------------------------------------------------- 1 | # Sagan ssh-tectia-server-bluedot.rules 2 | # Copyright (c) 2009-2023. Quadrant Information Security 3 | # All rights reserved. 4 | # 5 | # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list 6 | # 7 | #************************************************************* 8 | # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the 9 | # following conditions are met: 10 | # 11 | # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following 12 | # disclaimer. 13 | # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the 14 | # following disclaimer in the documentation and/or other materials provided with the distribution. 15 | # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived 16 | # from this software without specific prior written permission. 17 | # 18 | # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, 19 | # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 20 | # DISCLAIMED. 
IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 21 | # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 22 | # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, 23 | # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE 24 | # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 25 | # 26 | #************************************************************* 27 | # 28 | # These rules are for the SSH Tectia Server for Windows systems. 29 | 30 | alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[SSH-TECTIA-SERVER-BLUEDOT] Authentication success from a suspicious source"; content: "Login_success"; default_proto: tcp; default_dst_port: $SSH_PORT; classtype: successful-user; parse_src_ip: 1; parse_dst_ip: 2; program: SSH_Tectia_Server; bluedot: type ip_reputation, track by_src, mdate_effective_period 3 months, Malicious,Tor,Honeypot,Proxy; sid:5002915; rev:4;) 31 | -------------------------------------------------------------------------------- /ssh-tectia-server-geoip.rules: -------------------------------------------------------------------------------- 1 | # Sagan ssh-tectia-server-geoip.rules 2 | # Copyright (c) 2009-2023. Quadrant Information Security 3 | # All rights reserved. 4 | # 5 | # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list 6 | # 7 | #************************************************************* 8 | # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the 9 | # following conditions are met: 10 | # 11 | # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following 12 | # disclaimer. 
13 | # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the 14 | # following disclaimer in the documentation and/or other materials provided with the distribution. 15 | # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived 16 | # from this software without specific prior written permission. 17 | # 18 | # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, 19 | # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 20 | # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 21 | # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 22 | # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, 23 | # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE 24 | # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 25 | # 26 | #************************************************************* 27 | # 28 | # These rules are for the SSH Tectia Server for Windows systems. 
29 | 30 | alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[SSH-TECTIA-SERVER-GEOIP] Authentication success from outside HOME_COUNTRY"; content: "Login_success"; default_proto: tcp; default_dst_port: $SSH_PORT; classtype: successful-user; parse_src_ip: 1; parse_dst_ip: 2; program: SSH_Tectia_Server; country_code: track by_src, isnot $HOME_COUNTRY; sid: 5001878; rev:4;) 31 | -------------------------------------------------------------------------------- /ssh-tectia-server.rules: -------------------------------------------------------------------------------- 1 | # Sagan ssh-tectia-server.rules 2 | # Copyright (c) 2009-2023. Quadrant Information Security 3 | # All rights reserved. 4 | # 5 | # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list 6 | # 7 | #************************************************************* 8 | # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the 9 | # following conditions are met: 10 | # 11 | # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following 12 | # disclaimer. 13 | # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the 14 | # following disclaimer in the documentation and/or other materials provided with the distribution. 15 | # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived 16 | # from this software without specific prior written permission. 17 | # 18 | # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, 19 | # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 20 | # DISCLAIMED. 
IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 21 | # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 22 | # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, 23 | # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE 24 | # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 25 | # 26 | #************************************************************* 27 | # 28 | # These rules are for the SSH Tectia Server for Windows systems. 29 | 30 | alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[SSH-TECTIA-SERVER] Authentication Failure - Brute force [5/5]"; content: "Login_failure"; default_proto: tcp; default_dst_port: $SSH_PORT; classtype: brute-force; xbits: set,brute_force,track ip_src, expire 21600; parse_src_ip: 1; parse_dst_ip: 2; program: SSH_Tectia_Server; after: track by_src, count 5, seconds 300; threshold: type suppress, track by_src, count 5, seconds 300; sid: 5001877; rev:6;) 31 | -------------------------------------------------------------------------------- /tcp.rules: -------------------------------------------------------------------------------- 1 | # Sagan tcp.rules 2 | # Copyright (c) 2009-2023. Quadrant Information Security 3 | # All rights reserved. 4 | # 5 | # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list 6 | # 7 | #************************************************************* 8 | # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the 9 | # following conditions are met: 10 | # 11 | # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following 12 | # disclaimer. 
13 | # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the 14 | # following disclaimer in the documentation and/or other materials provided with the distribution. 15 | # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived 16 | # from this software without specific prior written permission. 17 | # 18 | # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, 19 | # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 20 | # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 21 | # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 22 | # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, 23 | # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE 24 | # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 25 | # 26 | #************************************************************* 27 | 28 | drop any $EXTERNAL_NET any -> $HOME_NET any (msg:"TCP Treason uncloaked"; content: "Treason uncloaked"; default_proto: tcp; classtype: bad-unknown; program: TCP; parse_src_ip: 1; sid: 5000031; rev:4;) 29 | 30 | -------------------------------------------------------------------------------- /telnet.rules: -------------------------------------------------------------------------------- 1 | # Sagan telnet.rules 2 | # Copyright (c) 2009-2023. Quadrant Information Security 3 | # All rights reserved. 
4 | # 5 | # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list 6 | # 7 | #************************************************************* 8 | # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the 9 | # following conditions are met: 10 | # 11 | # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following 12 | # disclaimer. 13 | # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the 14 | # following disclaimer in the documentation and/or other materials provided with the distribution. 15 | # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived 16 | # from this software without specific prior written permission. 17 | # 18 | # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, 19 | # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 20 | # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 21 | # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 22 | # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, 23 | # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE 24 | # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
25 | # 26 | #************************************************************* 27 | 28 | alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[TELNET] Connection refused by TCP Wrappers"; content: "refused connect from"; default_proto: tcp; default_dst_port: $TELNET_PORT; classtype: tcp-connection; program: telnetd; sid: 5000243; rev:3;) 29 | alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[TELNET] Remote host established a telnet connection"; content: "connection from"; default_proto: tcp; default_dst_port: $TELNET_PORT; classtype: not-suspicious; program: telnetd; sid: 5000244; rev:3;) 30 | #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[TELNET] Remote host invalid connection"; content: "ttloop"; pcre: "/peer died|read/i"; default_proto: tcp; default_dst_port: $TELNET_PORT; classtype: network-event; program: telnetd; sid: 5000245; rev:2;) 31 | #alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[TELNET] Reverse lookup error"; content: "can't verify hostname"; default_proto: tcp; default_dst_port: $TELNET_PORT; classtype: network-event; program: telnetd; sid: 5000246; rev:3;) 32 | alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[TELNET] Attempt to login with an option"; content: "Attempt to login with an option"; default_proto: tcp; default_dst_port: $TELNET_PORT; classtype: exploit-attempt; program: telnetd; sid: 5000392; rev:3;) 33 | 34 | -------------------------------------------------------------------------------- /tripwire.rules: -------------------------------------------------------------------------------- 1 | # Sagan tripwire.rules 2 | # Copyright (c) 2009-2023. Quadrant Information Security 3 | # All rights reserved. 
4 | # 5 | # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list 6 | # 7 | #************************************************************* 8 | # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the 9 | # following conditions are met: 10 | # 11 | # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following 12 | # disclaimer. 13 | # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the 14 | # following disclaimer in the documentation and/or other materials provided with the distribution. 15 | # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived 16 | # from this software without specific prior written permission. 17 | # 18 | # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, 19 | # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 20 | # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 21 | # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 22 | # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, 23 | # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE 24 | # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
25 | # 26 | #************************************************************* 27 | 28 | alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[TRIPWIRE] Integrity Check failed"; content: "Integrity Check failed"; content: "File could not"; classtype: system-event; program: tripwire; sid: 5000129; rev:2;) 29 | -------------------------------------------------------------------------------- /vmpop3d.rules: -------------------------------------------------------------------------------- 1 | # Sagan vmpop3d.rules 2 | # Copyright (c) 2009-2023. Quadrant Information Security 3 | # All rights reserved. 4 | # 5 | # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list 6 | # 7 | #************************************************************* 8 | # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the 9 | # following conditions are met: 10 | # 11 | # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following 12 | # disclaimer. 13 | # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the 14 | # following disclaimer in the documentation and/or other materials provided with the distribution. 15 | # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived 16 | # from this software without specific prior written permission. 17 | # 18 | # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, 19 | # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 20 | # DISCLAIMED. 
IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 21 | # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 22 | # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, 23 | # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE 24 | # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 25 | # 26 | #************************************************************* 27 | 28 | alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[VMPOP3D] Authentication failure for POP3"; content: "failed auth"; default_proto: tcp; default_dst_port: $POP3_PORT; classtype: unsuccessful-user; program: vm-pop3d; sid: 5000215; rev:4;) 29 | 30 | 31 | -------------------------------------------------------------------------------- /vmware-bluedot.rules: -------------------------------------------------------------------------------- 1 | # Sagan vmware-bluedot.rules 2 | # Copyright (c) 2009-2023. Quadrant Information Security 3 | # All rights reserved. 4 | # 5 | # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list 6 | # 7 | #************************************************************* 8 | # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the 9 | # following conditions are met: 10 | # 11 | # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following 12 | # disclaimer. 13 | # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the 14 | # following disclaimer in the documentation and/or other materials provided with the distribution. 
15 | # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived 16 | # from this software without specific prior written permission. 17 | # 18 | # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, 19 | # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 20 | # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 21 | # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 22 | # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, 23 | # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE 24 | # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 25 | # 26 | #************************************************************* 27 | # VMWare ESX 28 | 29 | alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[VMWARE-BLUEDOT] User login successful from a suspicious source"; pcre: "/Accepted password for|login from/i"; default_proto: tcp; classtype: successful-admin; bluedot: type ip_reputation, track by_src, mdate_effective_period 3 months, Malicious,Tor,Honeypot,Proxy; program: vmware-hostd|vmware-authd; parse_src_ip: 1; sid:5002916; rev:4;) 30 | alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[VMWARE-BLUEDOT] User login successful from a suspicious source"; content: " logged in "; default_proto: tcp; classtype: successful-admin; program: Hostd; bluedot: type ip_reputation, track by_src, mdate_effective_period 3 months, Malicious,Tor,Honeypot,Proxy; parse_src_ip: 1; sid:5002917; rev:4;) 31 | alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[VMWARE-BLUEDOT] User login successful from a suspicious source"; content: "Accepted password"; 
default_proto: tcp; classtype: successful-admin; bluedot: type ip_reputation, track by_src, mdate_effective_period 3 months, Malicious,Tor,Honeypot,Proxy; program: Hostd; normalize; parse_src_ip: 1; sid:5002918; rev:3;) 32 | -------------------------------------------------------------------------------- /vmware-geoip.rules: -------------------------------------------------------------------------------- 1 | # Sagan vmware-geoip.rules 2 | # Copyright (c) 2009-2023. Quadrant Information Security 3 | # All rights reserved. 4 | # 5 | # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list 6 | # 7 | #************************************************************* 8 | # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the 9 | # following conditions are met: 10 | # 11 | # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following 12 | # disclaimer. 13 | # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the 14 | # following disclaimer in the documentation and/or other materials provided with the distribution. 15 | # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived 16 | # from this software without specific prior written permission. 17 | # 18 | # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, 19 | # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 20 | # DISCLAIMED. 
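IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 21 | # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 22 | # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, 23 | # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE 24 | # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 25 | # 26 | #************************************************************* 27 | # VMWare ESX 
# Successful-admin logins (hostd/authd) where the source IP parsed from the message (parse_src_ip: 1)
# geolocates outside $HOME_COUNTRY. All three rules share the same msg so the alerts group together;
# sid 5002383's msg previously omitted the "from outside HOME_COUNTRY" qualifier although it applies
# the same country_code condition (rev bumped 3 -> 4 for that change).
28 | 29 | alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[VMWARE-GEOIP] User login successful from outside HOME_COUNTRY"; pcre: "/Accepted password for|login from/i"; default_proto:tcp; classtype: successful-admin; country_code: track by_src, isnot $HOME_COUNTRY; program: vmware-hostd|vmware-authd; parse_src_ip: 1; sid:5002381; rev:2;) 30 | alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[VMWARE-GEOIP] User login successful from outside HOME_COUNTRY"; content: " logged in "; default_proto:tcp; classtype: successful-admin; program: Hostd; country_code: track by_src, isnot $HOME_COUNTRY; parse_src_ip: 1; sid:5002382; rev:2;) 31 | alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[VMWARE-GEOIP] User login successful from outside HOME_COUNTRY"; content: "Accepted password"; default_proto:tcp; classtype: successful-admin; country_code: track by_src, isnot $HOME_COUNTRY; program: Hostd; normalize; parse_src_ip: 1; sid:5002383; rev:4;) 32 | -------------------------------------------------------------------------------- /vpopmail.rules: -------------------------------------------------------------------------------- 1 | # Sagan vpopmail.rules 2 | # Copyright (c) 2009-2023. Quadrant Information Security 3 | # All rights reserved. 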
4 | # 5 | # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list 6 | # 7 | #************************************************************* 8 | # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the 9 | # following conditions are met: 10 | # 11 | # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following 12 | # disclaimer. 13 | # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the 14 | # following disclaimer in the documentation and/or other materials provided with the distribution. 15 | # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived 16 | # from this software without specific prior written permission. 17 | # 18 | # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, 19 | # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 20 | # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 21 | # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 22 | # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, 23 | # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE 24 | # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
25 | # 26 | #************************************************************* 27 | 28 | alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[VPOPMAIL] Authentication failure for POP3 service"; content: "password fail"; default_proto: tcp; default_dst_port: $POP3_PORT; classtype: unsuccessful-user; program: vpopmail; sid: 5000211; rev:4;) 29 | alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[VPOPMAIL] User not found/Invalid login for POP3 service"; content: "vpopmail user not found"; default_proto: tcp; default_dst_port: $POP3_PORT; classtype: unsuccessful-user; program: vpopmail; sid: 5000212; rev:4;) 30 | #alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[VPOPMAIL] Successful POP3 login"; content: "login success"; default_proto: tcp; default_dst_port: $POP3_PORT; classtype: successful-user; program: vpopmail; sid: 5000213; rev:4;) 31 | alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[VPOPMAIL] Null password given for POP3 service"; content: "null password given"; default_proto: tcp; default_dst_port: $POP3_PORT; classtype: unsuccessful-user; program: vpopmail; sid: 5000214; rev:4;) 32 | 33 | -------------------------------------------------------------------------------- /vsftpd-bluedot.rules: -------------------------------------------------------------------------------- 1 | # Sagan vsftpd-bluedot.rules 2 | # Copyright (c) 2009-2023. Quadrant Information Security 3 | # All rights reserved. 4 | # 5 | # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list 6 | # 7 | #************************************************************* 8 | # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the 9 | # following conditions are met: 10 | # 11 | # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following 12 | # disclaimer. 
13 | # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the 14 | # following disclaimer in the documentation and/or other materials provided with the distribution. 15 | # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived 16 | # from this software without specific prior written permission. 17 | # 18 | # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, 19 | # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 20 | # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 21 | # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 22 | # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, 23 | # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE 24 | # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
25 | # 26 | #************************************************************* 27 | 28 | alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[VSFTPD-BLUEDOT] Authentication successful from a suspicious IP"; content: "OK LOGIN"; default_proto:tcp; default_dst_port: $FTP_PORT; classtype: successful-user; program: vsftpd; bluedot: type ip_reputation, track by_src, mdate_effective_period 3 months, Malicious,Tor,Honeypot,Proxy; sid:5002919; rev:4;) 29 | alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[VSFTPD-BLUEDOT] File uploaded from a suspicious IP"; content: "OK UPLOAD"; default_proto:tcp; default_dst_port: $FTP_PORT; classtype: suspicious-traffic; bluedot: type ip_reputation, track by_src, mdate_effective_period 3 months, Malicious,Tor,Honeypot,Proxy; program: vsftpd; sid:5002920; rev:4;) 30 | 31 | -------------------------------------------------------------------------------- /vsftpd-geoip.rules: -------------------------------------------------------------------------------- 1 | # Sagan vsftpd-geoip.rules 2 | # Copyright (c) 2009-2023. Quadrant Information Security 3 | # All rights reserved. 4 | # 5 | # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list 6 | # 7 | #************************************************************* 8 | # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the 9 | # following conditions are met: 10 | # 11 | # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following 12 | # disclaimer. 13 | # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the 14 | # following disclaimer in the documentation and/or other materials provided with the distribution. 
15 | # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived 16 | # from this software without specific prior written permission. 17 | # 18 | # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, 19 | # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 20 | # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 21 | # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 22 | # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, 23 | # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE 24 | # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 25 | # 26 | #************************************************************* 27 | 28 | alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[VSFTPD-GEOIP] Authentication successful from outside HOME_COUNTRY"; content: "OK LOGIN"; default_proto: tcp; default_dst_port: $FTP_PORT; classtype: successful-user; program: vsftpd; country_code: track by_src, isnot $HOME_COUNTRY; sid:5002387; rev:2;) 29 | alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[VSFTPD-GEOIP] File uploaded from outside HOME_COUNTRY"; content: "OK UPLOAD"; default_proto: tcp; default_dst_port: $FTP_PORT; classtype: suspicious-traffic; country_code: track by_src, isnot $HOME_COUNTRY; program: vsftpd; sid:5002388; rev:2;) 30 | 31 | -------------------------------------------------------------------------------- /watchguard-geoip.rules: -------------------------------------------------------------------------------- 1 | # Sagan watchguard-geoip.rules 2 | # Copyright (c) 2009-2023. 
Quadrant Information Security 3 | # All rights reserved. 4 | # 5 | # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list 6 | # 7 | #************************************************************* 8 | # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the 9 | # following conditions are met: 10 | # 11 | # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following 12 | # disclaimer. 13 | # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the 14 | # following disclaimer in the documentation and/or other materials provided with the distribution. 15 | # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived 16 | # from this software without specific prior written permission. 17 | # 18 | # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, 19 | # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 20 | # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 21 | # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 22 | # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, 23 | # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE 24 | # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
25 | # 26 | # 27 | 28 | # Watchguard rules by Kenneth Comollo ; 29 | # 2017/03/08 30 | 
# VPN logins: anchored on the WatchGuard msg_id 0207-0001 and keyed on the second IP parsed from
# the message (parse_src_ip: 2), alerting when that IP geolocates outside $HOME_COUNTRY.
31 | alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WATCHGUARD-GEOIP] VPN login from outside HOME_COUNTRY"; program: WatchGuard*; content: "msg_id=|22|0207-0001|22|"; country_code: track by_src, isnot $HOME_COUNTRY; default_proto:tcp; default_dst_port: $HTTPS_PORT; classtype: successful-user; parse_src_ip: 2; reference:url,www.watchguard.com/help/docs/wsm/XTM_11/en-US/log_catalog/index.html; sid:5003095; rev:3;) 32 | 33 | 
# NOTE(review): unlike sid 5003095 this rule carries no content:/pcre: selector, so it matches any
# WatchGuard* log whose second parsed IP (parse_dst_ip: 2) geolocates outside $HOME_COUNTRY;
# default_dst_port appears to set the reported port rather than filter on it, so nothing here ties
# the match to FTP. If the log catalog referenced below has a distinct msg_id for the FTP proxy,
# anchoring on it would make the alert title accurate — TODO confirm.
alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[WATCHGUARD-GEOIP] FTP file transfer to outside HOME_COUNTRY"; program: WatchGuard*; country_code: track by_dst, isnot $HOME_COUNTRY; default_proto:tcp; default_dst_port: $FTP_PORT; classtype: successful-user; parse_src_ip: 1; parse_dst_ip: 2; reference:url,www.watchguard.com/help/docs/wsm/XTM_11/en-US/log_catalog/index.html; sid:5003096; rev:2;) 34 | 35 | 36 | -------------------------------------------------------------------------------- /weblabrinth.rules: -------------------------------------------------------------------------------- 1 | # Sagan weblabrinth.rules 2 | # Copyright (c) 2009-2023. Quadrant Information Security 3 | # All rights reserved. 4 | # 5 | # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list 6 | # 7 | #************************************************************* 8 | # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the 9 | # following conditions are met: 10 | # 11 | # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following 12 | # disclaimer. 13 | # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the 14 | # following disclaimer in the documentation and/or other materials provided with the distribution. 
15 | # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived 16 | # from this software without specific prior written permission. 17 | # 18 | # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, 19 | # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 20 | # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 21 | # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 22 | # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, 23 | # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE 24 | # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 25 | # 26 | #************************************************************* 27 | 28 | # Detect Weblabrinth traffic. 
See Ben Jackson's https://code.google.com/p/weblabyrinth/ 29 | # 
# Both rules set the shared "recon" xbit on the source IP for 86400s (24h) so later rules can
# correlate on it; the second rule is additionally suppressed to 5 alerts per source per 300s.
# NOTE(review): sid 5001095 tracks ip_src / by_src but, unlike sid 5001093, has no parse_src_ip,
# so the IP it keys on may be the syslog sender rather than the crawler address in the message —
# confirm against a sample log and add `parse_src_ip: 1;` if the message carries the crawler IP.
30 | alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[WEBLABYRINTH] New host logged!"; default_proto:tcp; default_dst_port: $HTTP_PORT; xbits: set,recon,track ip_src,expire 86400; classtype: misc-activity; program: weblabyrinth; content: "New host logged!"; parse_src_ip: 1; sid: 5001093; rev:8;) 31 | alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[WEBLABYRINTH] Weblabyrinth - Crawler Ensnared!"; default_proto:tcp; default_dst_port: $HTTP_PORT; xbits: set,recon,track ip_src,expire 86400; classtype: misc-activity; program: weblabyrinth; content: "Crawler Ensnared!"; threshold: type suppress, track by_src, count 5, seconds 300; sid: 5001095; rev:5;) 32 | 33 | 34 | -------------------------------------------------------------------------------- /windows-aetas.rules: -------------------------------------------------------------------------------- 1 | # Sagan windows-aetas.rules 2 | # Copyright (c) 2009-2023. Quadrant Information Security 3 | # All rights reserved. 4 | # 5 | # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list 6 | # 7 | #************************************************************* 8 | # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the 9 | # following conditions are met: 10 | # 11 | # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following 12 | # disclaimer. 13 | # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the 14 | # following disclaimer in the documentation and/or other materials provided with the distribution. 15 | # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived 16 | # from this software without specific prior written permission. 
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES,
# INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
# USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#
# Aetas rules are used to alert for activities outside of the defined day/time.
# https://sagan.readthedocs.io/en/latest/rule-keywords.html#alert-time
#
# All three rules below only fire when the event arrives outside the window given by
# $SAGAN_DAYS / $SAGAN_HOURS; both variables are expected to come from the Sagan
# configuration. NOTE(review): confirm they reflect the site's actual business hours,
# otherwise these rules are either silent or fire on every logon.

# 5002055: any successful logon (event 4624, or the legacy 540/528 IDs) read from a
# *Security* channel, with the client address taken from the first IP in the message.
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AETAS] Windows Logon at suspicious time"; event_id: 4624,540,528; classtype: successful-user; program: *Security*; parse_src_ip: 1; parse_port; alert_time: days $SAGAN_DAYS, hours $SAGAN_HOURS; sid: 5002055; rev:9;)
# 5002056: same event IDs narrowed to "Logon Type: 10" (RemoteInteractive, i.e. RDP).
# The trailing space in the content match presumably stops the pattern matching other
# values that begin with "10" - confirm against a sample event.
# NOTE(review): this rule is written $HOME_NET -> $EXTERNAL_NET while 5002055 above is
# $EXTERNAL_NET -> $HOME_NET for the same logon event; confirm the direction is intended.
alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[WINDOWS-AETAS] RDP / Logon type 10 at suspicious time"; event_id: 4624,540,528; content: "Logon Type|3a| 10 "; program: *Security*; parse_src_ip: 1; alert_time: days $SAGAN_DAYS, hours $SAGAN_HOURS; default_proto: tcp; classtype: successful-user; sid: 5002056; rev:8;)
# 5002057: logon with explicit credentials (event 4648, legacy 552) outside the window.
# The three negated matches drop events carrying a "-" network address or port, or a
# localhost target server - presumably local runas-style activity; verify on a sample.
alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[WINDOWS-AETAS] Logon attempt using explicit credentials at suspicious time"; event_id: 4648,552; content:!"Network Address|3a| - "; content:!"Port|3a| - "; content:!"Target Server Name|3a| localhost"; program: *Security*; parse_src_ip: 1; alert_time: days $SAGAN_DAYS, hours $SAGAN_HOURS; default_proto: tcp; classtype: successful-user; sid: 5002057; rev:7;)


-------------------------------------------------------------------------------- /windows-owa-blacklist.rules: --------------------------------------------------------------------------------
# Sagan windows-owa-blacklist.rules
# Copyright (c) 2009-2023. Quadrant Information Security
# All rights reserved.
#
# Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list
#
#*************************************************************
# Redistribution and use in source and binary forms, with or without modification, are permitted provided that the
# following conditions are met:
#
# * Redistributions of source code must retain the above copyright notice, this list of conditions and the following
# disclaimer.
# * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the
# following disclaimer in the documentation and/or other materials provided with the distribution.
# * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES,
# INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
# DISCLAIMED. 
IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
# USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#

# 5002267: any log line that mentions the EWS endpoint (/ews/exchange.asmx, case-insensitive)
# whose source IP is on the Sagan blacklist. Source/destination are the first and second
# IPs parsed from the message.
# NOTE(review): the msg text ("Login failure - Brute force [5/5]") is shared with the GeoIP
# variant, but this rule carries no '!" 200"' status exclusion and no 'after:' count, so it
# fires on the first EWS request from a listed source regardless of HTTP status. Either the
# message should say so, or the same failure/count conditions should be added here.
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-OWA-BLACKLIST] Login failure - Brute force [5/5]"; content: "/ews/exchange.asmx"; nocase; blacklist: by_src; default_proto: tcp; default_dst_port: $HTTPS_PORT; classtype: brute-force; parse_src_ip: 1; parse_dst_ip: 2; sid: 5002267; rev:4;)


-------------------------------------------------------------------------------- /windows-owa-bluedot.rules: --------------------------------------------------------------------------------
# Sagan windows-owa-bluedot.rules
# Copyright (c) 2009-2023. Quadrant Information Security
# All rights reserved.
#
# Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list
#
#*************************************************************
# Redistribution and use in source and binary forms, with or without modification, are permitted provided that the
# following conditions are met:
#
# * Redistributions of source code must retain the above copyright notice, this list of conditions and the following
# disclaimer.
# * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the
# following disclaimer in the documentation and/or other materials provided with the distribution. 
# * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES,
# INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
# USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#

# 5002352: EWS request (case-insensitive) that was NOT logged with a " 200" status, from a
# source whose Bluedot IP reputation is Malicious, Tor, Honeypot or Proxy with an entry dated
# within the last 3 months (mdate_effective_period). The status exclusion keeps successful
# logons out; only the source address is looked up (track by_src).
# NOTE(review): as with the blacklist variant, nothing here enforces the "[5/5]" in the msg -
# there is no 'after:' count, so a single non-200 request from a flagged source alerts.
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-OWA-BLUEDOT] Login failure - Brute force [5/5]"; content: "/ews/exchange.asmx"; nocase; content:!" 200"; bluedot: type ip_reputation, track by_src, mdate_effective_period 3 months, Malicious,Tor,Honeypot,Proxy; default_proto: tcp; default_dst_port: $HTTPS_PORT; classtype: brute-force; parse_src_ip: 1; parse_dst_ip: 2; sid:5002352; rev:8;)


-------------------------------------------------------------------------------- /windows-owa-geoip.rules: --------------------------------------------------------------------------------
# Sagan windows-owa-geoip.rules
# Copyright (c) 2009-2023. Quadrant Information Security
# All rights reserved. 
4 | # 5 | # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list 6 | # 7 | #************************************************************* 8 | # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the 9 | # following conditions are met: 10 | # 11 | # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following 12 | # disclaimer. 13 | # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the 14 | # following disclaimer in the documentation and/or other materials provided with the distribution. 15 | # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived 16 | # from this software without specific prior written permission. 17 | # 18 | # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, 19 | # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 20 | # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 21 | # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 22 | # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, 23 | # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE 24 | # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
#

# Sample IIS line the rule below is written against. The URI stem ("/ews/exchange.asmx")
# is followed by a space-separated field, and the HTTP status (401 here) appears near the end;
# this is presumably what the trailing space in the content match and the '!" 200"' exclusion
# are keyed on - confirm against current IIS log format.
# 10.1.2.1|user|notice|notice|0d|2015-04-23|00:39:14|SERVER.local IISWebLog 0 2015-04-23| 00:31:33 10.1.2.1 POST /ews/exchange.asmx - 443 - 12.12.12.12 MS-WebServices/1.0 - - 401 0 0 0

# 5002265: EWS request not answered with 200, from a source whose country is not
# $HOME_COUNTRY. 'after' requires 25 such hits from one source within 300 s before the first
# alert; the suppress threshold then allows one alert per source per 86400 s (a day).
# 'xbits: set brute_force' publishes the source IP for 21600 s (6 h) so other rules can
# correlate on it.
# NOTE(review): the msg says "[5/5]" but the actual condition is 25 hits in 300 s - update
# the message or the count so analysts are not misled about the threshold.
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-OWA-GEOIP] Login failure - Brute force [5/5]"; content: "/ews/exchange.asmx "; nocase; content:!" 200"; country_code: track by_src, isnot $HOME_COUNTRY; after: track by_src, count 25, seconds 300; threshold: type suppress, track by_src, count 1, seconds 86400; xbits: set,brute_force,track ip_src,expire 21600; default_proto: tcp; default_dst_port: $HTTPS_PORT; classtype: brute-force; parse_src_ip: 1; parse_dst_ip: 2; sid: 5002265; rev:8;)
-------------------------------------------------------------------------------- /windows-owa-zeekintel.rules: --------------------------------------------------------------------------------
# Sagan windows-owa-zeek-intel.rules
# Copyright (c) 2009-2023. Quadrant Information Security
# All rights reserved.
#
# Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list
#
#*************************************************************
# Redistribution and use in source and binary forms, with or without modification, are permitted provided that the
# following conditions are met:
#
# * Redistributions of source code must retain the above copyright notice, this list of conditions and the following
# disclaimer.
# * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the
# following disclaimer in the documentation and/or other materials provided with the distribution.
# * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived
# from this software without specific prior written permission. 
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES,
# INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
# USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#

# 5002266: EWS request (case-insensitive) from a source IP present in the Zeek/Bro intel feed
# (bro-intel: by_src). Source and destination are the first and second IPs in the message.
# NOTE(review): same caveat as the blacklist variant - no status exclusion and no 'after:'
# count, so the "[5/5]" in the msg does not correspond to any threshold in this rule.
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-OWA-ZEEK-INTEL] Login failure - Brute force [5/5]"; content: "/ews/exchange.asmx"; nocase; bro-intel: by_src; default_proto: tcp; default_dst_port: $HTTPS_PORT; classtype: brute-force; parse_src_ip: 1; parse_dst_ip: 2; sid: 5002266; rev:6;)


-------------------------------------------------------------------------------- /windows.rules: --------------------------------------------------------------------------------
# Sagan windows.rules

# README * README * README * README * README * README * README * README
# ----------------------------------------------------------------------------
#
# The "windows.rules" has been broken up into multiple rule sets. Please
# see the windows*.rules for more information
#
# ----------------------------------------------------------------------------

-------------------------------------------------------------------------------- /yubikey.rules: --------------------------------------------------------------------------------
# Sagan yubikey.rules
# Copyright (c) 2009-2023. 
Quadrant Information Security 3 | # All rights reserved. 4 | # 5 | # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list 6 | # 7 | #************************************************************* 8 | # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the 9 | # following conditions are met: 10 | # 11 | # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following 12 | # disclaimer. 13 | # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the 14 | # following disclaimer in the documentation and/or other materials provided with the distribution. 15 | # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived 16 | # from this software without specific prior written permission. 17 | # 18 | # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, 19 | # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 20 | # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 21 | # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 22 | # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, 23 | # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE 24 | # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
#
#*************************************************************

# 5002735: OTP check failures reported by yk_chkpwd (the yubico-pam helper). 'after' requires
# 5 failures from one source within 300 s before alerting; the suppress threshold then limits
# alerts for that source over the same 300 s window. Tagged with ATT&CK T1078 (Valid Accounts)
# and T1110 (Brute Force) via metadata.
# NOTE(review): a single bad OTP never alerts - that is by design for a brute-force rule, but
# means isolated failures are only visible in the raw log.
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[YUBIKEY] Invalid OTP"; program: yk_chkpwd; content: "password check failed for user"; after: track by_src, count 5, seconds 300; threshold: type suppress, track by_src, count 5, seconds 300; default_proto: tcp; classtype: unsuccessful-user; sid:5002735; rev:3; metadata: mitre_technique_id T1078, mitre_technique_id T1110;)
-------------------------------------------------------------------------------- /zeek-bluedot.rules: --------------------------------------------------------------------------------
# Sagan bro-bluedot.rules
# Copyright (c) 2009-2023. Quadrant Information Security
# All rights reserved.
#
# Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list
#
#*************************************************************
# Redistribution and use in source and binary forms, with or without modification, are permitted provided that the
# following conditions are met:
#
# * Redistributions of source code must retain the above copyright notice, this list of conditions and the following
# disclaimer.
# * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the
# following disclaimer in the documentation and/or other materials provided with the distribution.
# * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES,
# INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
# DISCLAIMED. 
IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
# USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#

# 5002940: file hashes from Zeek logs looked up against Bluedot's file_hash reputation; only
# a "Malicious" verdict alerts. The ' files: ' content match presumably restricts this to
# Zeek file-transfer records - confirm against the Zeek log format being shipped. 'normalize'
# and 'parse_proto' fill in the IP/protocol fields for the alert.
# NOTE(review): this rule spells the option as 'bluedot: type: file_hash' (colon after
# "type"), whereas the other Bluedot rules in this set use 'type ip_reputation' without it.
# Confirm the parser accepts both forms, or align this one, before relying on it.
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[BLUEDOT] Suspicious file hash detected"; content: " files: "; bluedot: type: file_hash, Malicious; classtype: suspicious-traffic; normalize; parse_proto; sid:5002940; rev:3;)
-------------------------------------------------------------------------------- /zeek-intel.rules: --------------------------------------------------------------------------------
# Sagan bro-intel.rules
# Copyright (c) 2009-2023. Quadrant Information Security
# All rights reserved.
#
# Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list
#
#*************************************************************
# Redistribution and use in source and binary forms, with or without modification, are permitted provided that the
# following conditions are met:
#
# * Redistributions of source code must retain the above copyright notice, this list of conditions and the following
# disclaimer.
# * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the
# following disclaimer in the documentation and/or other materials provided with the distribution.
# * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived
# from this software without specific prior written permission. 
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES,
# INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
# USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#

# These are CATCH ALL rules. This means it will parse _all_ logs.

# 5002270: every incoming log is normalized and all extracted fields are checked against the
# Zeek/Bro intel feed ('bro-intel: all'). 'after' requires 5 hits from one source within 30 s
# before alerting; the suppress threshold then caps alerts at 10 per source per 60 s.
# NOTE(review): there is no content pre-filter, so this rule is evaluated against every event
# the engine sees (as the comment above says) - factor that into sizing and keep the intel
# feed tidy, since a broad indicator here affects all log sources at once.
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[BRO-INTEL] Suspicious communications detected via Bro-Intel"; bro-intel: all; classtype: suspicious-traffic; after: track by_src, count 5, seconds 30; threshold: type suppress, track by_src, count 10, seconds 60; parse_src_ip: 1; parse_dst_ip: 2; normalize; parse_proto; parse_proto_program; sid: 5002270; rev:3;)

-------------------------------------------------------------------------------- /zscaler-bluedot.rules: --------------------------------------------------------------------------------
# Sagan zscaler-bluedot.rules
# Copyright (c) 2009-2023. Quadrant Information Security
# All rights reserved. 
4 | # 5 | # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list 6 | # 7 | #************************************************************* 8 | # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the 9 | # following conditions are met: 10 | # 11 | # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following 12 | # disclaimer. 13 | # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the 14 | # following disclaimer in the documentation and/or other materials provided with the distribution. 15 | # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived 16 | # from this software without specific prior written permission. 17 | # 18 | # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, 19 | # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 20 | # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 21 | # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 22 | # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, 23 | # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE 24 | # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
#
#*************************************************************

# 5003199: Zscaler events delivered as CEF (program: CEF, content "Zscaler") with
# act=Allowed, where an address in the event has a Malicious, Tor or Proxy Bluedot
# reputation dated within the last month. 'track all' looks up every parsed IP, not just
# the source. Only allowed sessions alert - events Zscaler already blocked do not match
# 'act=Allowed' and are presumably left to the product's own reporting.
# The suppress threshold allows 2 alerts per destination per 3600 s.
# NOTE(review): parse_src_ip is position 2 and parse_dst_ip position 1, the reverse of the
# other rules in this set - presumably matching the CEF field order; confirm on a sample
# event so the alert's src/dst are not swapped.
# NOTE(review): the msg ends with a trailing space inside the quotes ("... Bluedot "); harmless
# for matching but worth trimming on the next rev for clean downstream parsing.
alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[ZSCALER] Suspicious IP detected via Bluedot "; threshold: type suppress, track by_dst, count 2, seconds 3600; parse_src_ip: 2; parse_dst_ip: 1; program: CEF; content: "Zscaler"; content:"act=Allowed"; bluedot: type ip_reputation, track all, mdate_effective_period 1 months, Malicious,Tor,Proxy; default_dst_port: $HTTP_PORT; default_proto: tcp; classtype:trojan-activity; sid:5003199; rev:2;)


--------------------------------------------------------------------------------