File: huawei.rules

sagan-rules 1:20170725-1
# Sagan huawei.rules
# Copyright (c) 2009-2017, Quadrant Information Security <www.quadrantsec.com>
# All rights reserved.
#
# Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list
#
#*************************************************************
#  Redistribution and use in source and binary forms, with or without modification, are permitted provided that the
#  following conditions are met:
#
#  * Redistributions of source code must retain the above copyright notice, this list of conditions and the following
#    disclaimer.
#  * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the
#    following disclaimer in the documentation and/or other materials provided with the distribution.
#  * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived
#    from this software without specific prior written permission.
#
#  THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES,
#  INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
#  DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
#  SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
#  SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
#  WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
#  USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#
#*************************************************************
# Huawei router rules.  Created by Robert Nunley (rnunley@quadrantsec.com)
# 08/06/2012

# --- ARP / DHCP client events -------------------------------------------------
# Address-assignment events reported by the device: a duplicate-IP ARP report,
# a DHCP client NAK, and DHCP lease acquisition. All four are classified
# suspicious-traffic. A duplicate address or a NAK can result from ordinary
# misconfiguration as well as from address spoofing or an unexpected DHCP
# server, so treat these as triage leads, not confirmed attacks.
# Where a rule has several content options, every one must be present in the
# log line for the rule to fire.
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[HUAWEI] ARP_DUPLICATE_IPADDR"; content: "ARP/4/ARP_DUPLICATE_IPADDR"; default_proto: udp; classtype: suspicious-traffic; reference: url, huaweisymantec.com/en/download.do?id=658891; sid: 5001533; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[HUAWEI] DHCPC_LOG_NAK"; content: "DHCPC/4/DHCPC_LOG_NAK"; default_proto: udp; default_dst_port: 68; classtype: suspicious-traffic; reference: url, huaweisymantec.com/en/download.do?id=658891; sid: 5001534; rev:2;)
# NOTE(review): sid 5001535 and sid 5001536 carry the same msg text. 5001536
# only adds content "vlan", so any line that fires 5001536 also satisfies
# 5001535 and is reported twice under one name. A distinct msg (or merging the
# two) would make the alerts distinguishable.
# NOTE(review): a successful lease is classified suspicious-traffic and has no
# threshold; presumably noisy on networks with many DHCP clients -- confirm intent.
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[HUAWEI] DHCPC_LOG_REQIP_SUCCESS"; content: "DHCPC/4/DHCPC_LOG_REQIP_SUCCESS"; content: "has acquired ip address successfully"; default_proto: udp; default_dst_port: 68; classtype: suspicious-traffic; reference: url, huaweisymantec.com/en/download.do?id=658891; sid: 5001535; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[HUAWEI] DHCPC_LOG_REQIP_SUCCESS"; content: "DHCPC/4/DHCPC_LOG_REQIP_SUCCESS"; content: "vlan"; content: "has acquired ip address successfully"; default_proto: udp; default_dst_port: 68; classtype: suspicious-traffic; reference: url, huaweisymantec.com/en/download.do?id=658891; sid: 5001536; rev:2;)
# --- FTP server (FTPS/...) events ---------------------------------------------
# Only the failed-login rule (sid 5001538) is enabled. Successful login, logout
# and the data-transfer / request events are shipped commented out, so this
# ruleset alone will not show a successful FTP login that follows a run of
# failures.
# NOTE(review): the disabled rule sid 5001537 ends in "rev:3)" with no ';'
# after the rev option, unlike every other rule in this file. Add the ';'
# before enabling it.
# NOTE(review): sid 5001538 has no after/threshold option, so every failed
# login line raises its own alert; the SSH brute-force rule (sid 5001592) in
# this file shows the per-source counting options used elsewhere.
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[HUAWEI] FTPS - USERIN Login successful"; content: "FTPS/4/USERIN"; content: "login succeeded"; default_proto: tcp; default_dst_port: $FTP_PORT; classtype: successful-user; reference: url, huaweisymantec.com/en/download.do?id=658891; sid: 5001537; rev:3)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[HUAWEI] FTPS - USERIN Login failed"; content: "FTPS/4/USERIN"; content: "login failed"; default_proto: tcp; default_dst_port: $FTP_PORT; classtype: unsuccessful-user; reference: url, huaweisymantec.com/en/download.do?id=658891; sid: 5001538; rev:3;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[HUAWEI] FTPS - USEROUT Logout"; content: "FTPS/4/USEROUT"; default_proto: tcp; default_dst_port: $FTP_PORT; classtype: not-suspicious; reference: url, huaweisymantec.com/en/download.do?id=658891; sid: 5001539; rev:3;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[HUAWEI] FTPS - RECVDATA"; content: "FTPS/5/RECVDATA"; default_proto: tcp; default_dst_port: $FTP_PORT; classtype: not-suspicious; reference: url, huaweisymantec.com/en/download.do?id=658891; sid: 5001540; rev:2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[HUAWEI] FTPS - REQUEST"; content: "FTPS/5/REQUEST"; default_proto: tcp; default_dst_port: $FTP_PORT; classtype: not-suspicious; reference: url, huaweisymantec.com/en/download.do?id=658891; sid: 5001541; rev:2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[HUAWEI] FTPS - SENDDATA"; content: "FTPS/5/SENDDATA"; default_proto: tcp; default_dst_port: $FTP_PORT; classtype: not-suspicious; reference: url, huaweisymantec.com/en/download.do?id=658891; sid: 5001542; rev:2;)
# --- Web management (HTTPD/...) events ----------------------------------------
# Three rules keyed on the HTTPD/4 mnemonics FAIL, OUT and PASS. Each matches
# the mnemonic alone and has no threshold, so every such log line alerts.
# NOTE(review): FAIL is classified unsuccessful-user, while OUT and PASS are
# both attempted-user. Judging by the mnemonics, PASS and OUT look like a
# successful login and a logout -- confirm against the device log reference.
# If so, the FTPS rules in this file use successful-user / not-suspicious for
# the equivalent events, and aligning the classtypes would keep alert
# priorities consistent across services.
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[HUAWEI] HTTPD - FAIL"; content: "HTTPD/4/FAIL"; default_proto: tcp; default_dst_port: $HTTP_PORT; classtype: unsuccessful-user; reference: url, huaweisymantec.com/en/download.do?id=658891; sid: 5001543; rev:3;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[HUAWEI] HTTPD - OUT"; content: "HTTPD/4/OUT"; default_proto: tcp; default_dst_port: $HTTP_PORT; classtype: attempted-user; reference: url, huaweisymantec.com/en/download.do?id=658891; sid: 5001544; rev:3;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[HUAWEI] HTTPD - PASS"; content: "HTTPD/4/PASS"; default_proto: tcp; default_dst_port: $HTTP_PORT; classtype: attempted-user; reference: url, huaweisymantec.com/en/download.do?id=658891; sid: 5001545; rev:3;)
# --- Attack-defence (SEC/4/ATCKDF) events -------------------------------------
# Each rule requires the SEC/4/ATCKDF tag plus one attack-type phrase. The
# rules relay the device's own verdict as written to its log; the rule engine
# matches text only and does not see the offending packets.
# The phrases are written with mixed capitalisation ("fraggle attack",
# "land attack", "Udp flood attack") and none of the rules sets nocase, so a
# phrase presumably has to match the device's spelling exactly -- verify
# against real log samples before changing any of them.
# default_proto here only records which protocol the named attack normally
# uses; presumably it is applied when no protocol can be parsed from the log
# line -- TODO confirm against the Sagan documentation for the deployed version.
# None of these rules has a threshold, so a sustained flood that the device
# logs repeatedly produces one alert per log line.
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[HUAWEI] ATCKDF - IP spoof attack"; content: "SEC/4/ATCKDF"; content: "IP spoof attack"; default_proto: udp; classtype: misc-attack; reference: url, huaweisymantec.com/en/download.do?id=658891; sid: 5001546; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[HUAWEI] ATCKDF - Fraggle attack"; content: "SEC/4/ATCKDF"; content: "fraggle attack"; default_proto: udp; classtype: attempted-dos; reference: url, huaweisymantec.com/en/download.do?id=658891; sid: 5001547; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[HUAWEI] ATCKDF - Smurf attack"; content: "SEC/4/ATCKDF"; content: "Smurf attack"; default_proto: icmp; classtype: attempted-dos; reference: url, huaweisymantec.com/en/download.do?id=658891; sid: 5001548; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[HUAWEI] ATCKDF - Land attack"; content: "SEC/4/ATCKDF"; content: "land attack"; default_proto: tcp; classtype: attempted-dos; reference: url, huaweisymantec.com/en/download.do?id=658891; sid: 5001549; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[HUAWEI] ATCKDF - Time stamp attack"; content: "SEC/4/ATCKDF"; content: "Time stamp attack"; default_proto: udp; classtype: misc-attack; reference: url, huaweisymantec.com/en/download.do?id=658891; sid: 5001550; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[HUAWEI] ATCKDF - Ip options attack"; content: "SEC/4/ATCKDF"; content: "Ip options attack"; default_proto: udp; classtype: misc-attack; reference: url, huaweisymantec.com/en/download.do?id=658891; sid: 5001551; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[HUAWEI] ATCKDF - Ip option source route attack"; content: "SEC/4/ATCKDF"; content: "Ip option source route attack"; default_proto: udp; classtype: misc-attack; reference: url, huaweisymantec.com/en/download.do?id=658891; sid: 5001552; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[HUAWEI] ATCKDF - ICMP flood attack"; content: "SEC/4/ATCKDF"; content: "ICMP flood attack"; default_proto: icmp; classtype: attempted-dos; reference: url, huaweisymantec.com/en/download.do?id=658891; sid: 5001553; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[HUAWEI] ATCKDF - Redirect attack"; content: "SEC/4/ATCKDF"; content: "Redirect attack"; default_proto: icmp; classtype: misc-attack; reference: url, huaweisymantec.com/en/download.do?id=658891; sid: 5001554; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[HUAWEI] ATCKDF - TCP flood attack"; content: "SEC/4/ATCKDF"; content: "TCP flood attack"; default_proto: tcp; classtype: attempted-dos; reference: url, huaweisymantec.com/en/download.do?id=658891; sid: 5001555; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[HUAWEI] ATCKDF - Winnuke attack"; content: "SEC/4/ATCKDF"; content: "Winnuke attack"; default_proto: tcp; default_dst_port: 139; classtype: attempted-dos; reference: url, huaweisymantec.com/en/download.do?id=658891; sid: 5001556; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[HUAWEI] ATCKDF - Ping of death attack"; content: "SEC/4/ATCKDF"; content: "Ping of death attack"; default_proto: icmp; classtype: attempted-dos; reference: url, huaweisymantec.com/en/download.do?id=658891; sid: 5001557; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[HUAWEI] ATCKDF - Tear drop attack"; content: "SEC/4/ATCKDF"; content: "Tear drop attack"; default_proto: tcp; classtype: attempted-dos; reference: url, huaweisymantec.com/en/download.do?id=658891; sid: 5001558; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[HUAWEI] ATCKDF - Trace route attack"; content: "SEC/4/ATCKDF"; content: "Trace route attack"; default_proto: icmp; classtype: misc-attack; reference: url, huaweisymantec.com/en/download.do?id=658891; sid: 5001559; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[HUAWEI] ATCKDF - Ip options route record attack"; content: "SEC/4/ATCKDF"; content: "Ip options route record attack"; default_proto: tcp; classtype: misc-attack; reference: url, huaweisymantec.com/en/download.do?id=658891; sid: 5001560; rev:3;)
# A port scan reported by the device is often the earliest indicator in this
# group; it is classified network-scan rather than as an attack.
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[HUAWEI] ATCKDF - Port scan attack"; content: "SEC/4/ATCKDF"; content: "Port scan attack"; default_proto: udp; classtype: network-scan; reference: url, huaweisymantec.com/en/download.do?id=658891; sid: 5001561; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[HUAWEI] ATCKDF - Unreachable attack"; content: "SEC/4/ATCKDF"; content: "Unreachable attack"; default_proto: icmp; classtype: misc-attack; reference: url, huaweisymantec.com/en/download.do?id=658891; sid: 5001562; rev:2;)
# NOTE(review): the UDP flood rule below is classified misc-attack, whereas the
# ICMP, TCP and Syn flood rules in this group are attempted-dos. If the
# difference is not deliberate, the UDP flood alert may be prioritised
# differently from the other floods.
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[HUAWEI] ATCKDF - UDP flood attack"; content: "SEC/4/ATCKDF"; content: "Udp flood attack"; default_proto: udp; classtype: misc-attack; reference: url, huaweisymantec.com/en/download.do?id=658891; sid: 5001563; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[HUAWEI] ATCKDF - Syn flood attack"; content: "SEC/4/ATCKDF"; content: "Syn flood attack"; default_proto: tcp; classtype: attempted-dos; reference: url, huaweisymantec.com/en/download.do?id=658891; sid: 5001564; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[HUAWEI] ATCKDF - Other-protocol attack"; content: "SEC/4/ATCKDF"; content: "other-protocol attack"; default_proto: udp; classtype: misc-attack; reference: url, huaweisymantec.com/en/download.do?id=658891; sid: 5001565; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[HUAWEI] ATCKDF - Large ICMP attack"; content: "SEC/4/ATCKDF"; content: "Large ICMP attack"; default_proto: icmp; classtype: attempted-dos; reference: url, huaweisymantec.com/en/download.do?id=658891; sid: 5001566; rev:2;)
# The IP fragment rule is the only one in this group without default_proto.
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[HUAWEI] ATCKDF - IP Fragment attack"; content: "SEC/4/ATCKDF"; content: "IP Fragment attack"; classtype: misc-attack; reference: url, huaweisymantec.com/en/download.do?id=658891; sid: 5001567; rev:2;)
# NOTE(review): the FTP bounce rule puts $FTP_PORT in the rule header as the
# destination port, where the other service rules in this file keep the header
# at "any" and use default_dst_port. Whether the header port restricts matching
# depends on the Sagan version and on a port being parsed from the log line --
# confirm the rule still fires on real device output.
alert any $EXTERNAL_NET any -> $HOME_NET $FTP_PORT (msg:"[HUAWEI] ATCKDF - Ftp Bounce attack"; content: "SEC/4/ATCKDF"; content: "Ftp Bounce attack"; default_proto: tcp; classtype: misc-attack; reference: url, huaweisymantec.com/en/download.do?id=658891; sid: 5001568; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[HUAWEI] ATCKDF - Too much Half Con of SYN Flood"; content: "SEC/4/ATCKDF"; content: "Too much Half Con of SYN Flood"; default_proto: tcp; classtype: attempted-dos; reference: url, huaweisymantec.com/en/download.do?id=658891; sid: 5001569; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[HUAWEI] ATCKDF - Tcp flag attack"; content: "SEC/4/ATCKDF"; content: "Tcp flag attack"; default_proto: tcp; classtype: misc-attack; reference: url, huaweisymantec.com/en/download.do?id=658891; sid: 5001570; rev:2;)
# --- SEC/4 BIND, BLACKLIST and SESSION events ---------------------------------
# The BIND and SESSION rules are shipped disabled; the three BLACKLIST rules
# are enabled and classified configuration-change.
# A blacklist removal, and above all "Clear All blacklist", lifts blocks that
# the device had in place. These alerts are worth correlating with the
# SHELL/4/CMD and login rules in this file to see which management session
# made the change.
# NOTE(review): the msg text of sid 5001573 and sid 5001574 says "VPN", but
# unlike the disabled BIND rules neither has a "vpn:" content; they fire on any
# SEC/4/BLACKLIST line containing the added/removed phrase.
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[HUAWEI] BIND - VPN bound IP address"; content: "SEC/4/BIND"; content: "vpn:"; content: "is binded to Ip Address"; default_proto: udp; classtype: attempted-user; reference: url, huaweisymantec.com/en/download.do?id=658891; sid: 5001571; rev:2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[HUAWEI] BIND - VPN unbound IP address"; content: "SEC/4/BIND"; content: "vpn:"; content: "is unbinded to Ip Address"; default_proto: udp; classtype: attempted-user; reference: url, huaweisymantec.com/en/download.do?id=658891; sid: 5001572; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[HUAWEI] BLACKLIST - VPN added to blacklist"; content: "SEC/4/BLACKLIST"; content: "is added to blacklist"; default_proto: udp; classtype: configuration-change; reference: url, huaweisymantec.com/en/download.do?id=658891; sid: 5001573; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[HUAWEI] BLACKLIST - VPN removed from blacklist"; content: "SEC/4/BLACKLIST"; content: "is removed from blacklist"; default_proto: udp; classtype: configuration-change; reference: url, huaweisymantec.com/en/download.do?id=658891; sid: 5001574; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[HUAWEI] BLACKLIST - Blacklist cleared"; content: "SEC/4/BLACKLIST"; content: "Clear All blacklist"; default_proto: udp; classtype: configuration-change; reference: url, huaweisymantec.com/en/download.do?id=658891; sid: 5001575; rev:2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[HUAWEI] SESSION"; content: "SEC/4/SESSION"; default_proto: udp; classtype: attempted-user; reference: url, huaweisymantec.com/en/download.do?id=658891; sid: 5001576; rev:2;)
# --- Command-line (SHELL/4/...) events ----------------------------------------
# LOGIN and LOGOUT are shipped disabled; LOGIN_FAIL and CMD are enabled.
# The trailing space inside "SHELL/4/LOGIN " is significant: it stops the
# disabled LOGIN rule from also matching SHELL/4/LOGIN_FAIL lines. Keep it if
# the rule is ever enabled.
# With LOGIN disabled, a successful CLI login is not alerted on; only the
# failures and the commands that follow are.
# NOTE(review): sid 5001578 has no after/threshold option, so repeated CLI
# login failures are reported one alert per line and are not counted per source.
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[HUAWEI] SHELL - LOGIN"; content: "SHELL/4/LOGIN "; default_proto: tcp; default_dst_port: 514; classtype: attempted-user; reference: url, huaweisymantec.com/en/download.do?id=658891; sid: 5001577; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[HUAWEI] SHELL - LOGIN_FAIL"; content: "SHELL/4/LOGIN_FAIL"; default_proto: tcp; default_dst_port: 514; classtype: unsuccessful-user; reference: url, huaweisymantec.com/en/download.do?id=658891; sid: 5001578; rev:2;)
# The disabled LOGOUT rule is the only SHELL rule with a fixed destination port
# (514) in the rule header as well as in default_dst_port.
#alert any $EXTERNAL_NET any -> $HOME_NET 514 (msg:"[HUAWEI] SHELL - LOGOUT"; content: "SHELL/4/LOGOUT"; default_proto: tcp; default_dst_port: 514; classtype: attempted-user; reference: url, huaweisymantec.com/en/download.do?id=658891; sid: 5001579; rev:2;)
# SHELL/4/CMD fires on every command log line (system-event, no threshold),
# which makes it an audit trail of device administration rather than an attack
# signal. If the device logs the full command text, that text -- including any
# credentials typed as command arguments -- presumably ends up in the alert
# store; check retention and access controls on that store accordingly.
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[HUAWEI] SHELL - CMD"; content: "SHELL/4/CMD"; default_proto: tcp; classtype: system-event; reference: url, huaweisymantec.com/en/download.do?id=658891; sid: 5001580; rev:2;)
# --- Hardware health (SRM/3/...) events ---------------------------------------
# Fan and vent-temperature faults, classified hardware-event. These are
# availability signals, not intrusion signals; each matches on the mnemonic
# alone and has no threshold.
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[HUAWEI] FanAbnormal"; content: "SRM/3/FanAbnormal"; default_proto: udp; classtype: hardware-event; reference: url, huaweisymantec.com/en/download.do?id=658891; sid: 5001581; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[HUAWEI] VentTemp2Hot"; content: "SRM/3/VentTemp2Hot"; default_proto: udp; classtype: hardware-event; reference: url, huaweisymantec.com/en/download.do?id=658891; sid: 5001582; rev:2;)
# --- SSH (SSH/4/...) events ---------------------------------------------------
# One system-event rule (add_success), one disabled single-event LOGIN_FAIL
# rule, its brute-force replacement (sid 5001592), and one rule per specific
# LOGIN_FAIL_* failure reason.
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[HUAWEI] SSH - add_success"; content: "SSH/4/add_success"; default_proto: tcp; default_dst_port: $SSH_PORT; classtype: system-event; reference: url, huaweisymantec.com/en/download.do?id=658891; sid: 5001583; rev:3;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[HUAWEI] SSH - LOGIN_FAIL "; content: "SSH/4/LOGIN_FAIL "; default_proto: tcp; default_dst_port: $SSH_PORT; classtype: attempted-user; reference: url, huaweisymantec.com/en/download.do?id=658891; sid: 5001584; rev:3;)
# Brute-force rule. Options as written:
#   after      - counts matches per source (by_src), 5 within 300 seconds,
#                before the rule fires (exact boundary: see Sagan docs).
#   threshold  - type limit, by_src, 5 per 300 seconds: caps repeat alerts.
#   xbits      - sets an xbit named brute_force with the value 21600
#                (presumably an expiry in seconds, i.e. 6 hours).
#   fwsam      - asks the firewall-blocking output to block the source for 1 day.
#   parse_src_ip: 1 - takes the source address from the first IP address found
#                in the log text.
# The action is "drop", not "alert"; how that is acted on depends on the Sagan
# output configuration -- confirm for the deployment.
# The trailing space in "SSH/4/LOGIN_FAIL " means only the bare LOGIN_FAIL
# mnemonic is counted. Failures the device logs as LOGIN_FAIL_PWD_ERR,
# LOGIN_FAIL_RETRY_OUT, LOGIN_FAIL_USER_NOT_EXIST etc. do not advance this
# counter and never trigger the block; they only raise their own alerts.
# NOTE(review): the address that gets blocked is parsed out of log text. If the
# device's syslog reaches Sagan over unauthenticated transport, or an outsider
# can influence the address written to the log, the one-day block can land on a
# legitimate host such as an administrator's workstation. Restrict which hosts
# may send syslog to Sagan and keep management addresses on the blocking
# agent's allowlist.
drop any $EXTERNAL_NET any -> $HOME_NET any (msg:"[HUAWEI] SSH - LOGIN_FAIL - Brute force [5/5]"; content: "SSH/4/LOGIN_FAIL "; default_proto: tcp; default_dst_port: $SSH_PORT; classtype: unsuccessful-user; xbits: set,brute_force,21600; after: track by_src, count 5, seconds 300; threshold: type limit, track by_src, count 5, seconds 300; fwsam: src, 1 day; parse_src_ip: 1; reference: url, huaweisymantec.com/en/download.do?id=658891; sid: 5001592; rev:6;)
# Per-reason failure rules. None has after/threshold, so each matching log line
# alerts, and none sets parse_src_ip.
# "DISSCONNECT" is spelled this way in both msg and content; presumably it
# mirrors the device's own mnemonic -- check a real log line before "fixing" the
# spelling, since a corrected content string would stop matching.
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[HUAWEI] SSH - LOGIN_FAIL_CHALLENGE_ERR"; content: "SSH/4/LOGIN_FAIL_CHALLENGE_ERR"; default_proto: tcp; default_dst_port: $SSH_PORT; classtype: unsuccessful-user; reference: url, huaweisymantec.com/en/download.do?id=658891; sid: 5001585; rev:3;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[HUAWEI] SSH - LOGIN_FAIL_COOKIE_ERR"; content: "SSH/4/LOGIN_FAIL_COOKIE_ERR"; default_proto: tcp; default_dst_port: $SSH_PORT; classtype: unsuccessful-user; reference: url, huaweisymantec.com/en/download.do?id=658891; sid: 5001586; rev:3;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[HUAWEI] SSH - LOGIN_FAIL_DISSCONNECT"; content: "SSH/4/LOGIN_FAIL_DISSCONNECT"; default_proto: tcp; default_dst_port: $SSH_PORT; classtype: unsuccessful-user; reference: url, huaweisymantec.com/en/download.do?id=658891; sid: 5001587; rev:3;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[HUAWEI] SSH - LOGIN_FAIL_PWD_ERR"; content: "SSH/4/LOGIN_FAIL_PWD_ERR"; default_proto: tcp; default_dst_port: $SSH_PORT; classtype: unsuccessful-user; reference: url, huaweisymantec.com/en/download.do?id=658891; sid: 5001588; rev:3;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[HUAWEI] SSH - LOGIN_FAIL_RETRY_OUT"; content: "SSH/4/LOGIN_FAIL_RETRY_OUT"; default_proto: tcp; default_dst_port: $SSH_PORT; classtype: unsuccessful-user; reference: url, huaweisymantec.com/en/download.do?id=658891; sid: 5001589; rev:3;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[HUAWEI] SSH - LOGIN_FAIL_RSA_ERR"; content: "SSH/4/LOGIN_FAIL_RSA_ERR"; default_proto: tcp; default_dst_port: $SSH_PORT; classtype: unsuccessful-user; reference: url, huaweisymantec.com/en/download.do?id=658891; sid: 5001590; rev:3;)
# --- VRRP authentication and SSH unknown-user events --------------------------
# VRRP/3/LogAuthFailed is classified unsuccessful-user. A VRRP authentication
# failure can come from a mismatched key on a legitimate peer or from a device
# that should not be taking part in the VRRP group; the rule cannot tell which.
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[HUAWEI] VRRP - LogAuthFailed"; content: "VRRP/3/LogAuthFailed"; default_proto: udp; classtype: unsuccessful-user; reference: url, huaweisymantec.com/en/download.do?id=658891; sid: 5001591; rev:2;)
# SSH login attempts for a user name that does not exist on the device. A run
# of these from one source is consistent with user-name guessing.
# The threshold (type limit, by_src, 5 per 300 seconds) only caps how many
# alerts one source generates; there is no "after" option, so the first
# matching line already alerts and nothing is blocked.
# NOTE(review): this rule differs from the rest of the file in three ways:
#   - msg has no "SSH - " prefix, unlike the other SSH/4 rules;
#   - the reference is written with an explicit "http://www." and a doubled
#     "//" in the path, where every other rule uses the bare
#     "huaweisymantec.com/en/download.do?id=658891" form. If the reference
#     configuration prepends the scheme for "url" references, the rendered
#     link would carry it twice -- verify and align;
#   - sid 5001532 sits below the first sid used in this file (5001533).
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[HUAWEI] USER_NOT_EXIST"; content:"SSH/4/LOGIN_FAIL_USER_NOT_EXIST"; default_proto: tcp; default_dst_port: $SSH_PORT; classtype: unsuccessful-user; threshold: type limit, track by_src, count 5, seconds 300;  reference: url, http://www.huaweisymantec.com/en//download.do?id=658891; sid: 5001532; rev:5;)