File: palo-alto.rules

package info (click to toggle)
sagan-rules 1:20170725-1
  • links: PTS
  • area: main
  • in suites: buster, sid
  • size: 3,460 kB
  • sloc: makefile: 5
file content (89 lines) | stat: -rw-r--r-- 14,215 bytes parent folder | download
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
# palo-alto.rules
# Copyright (c) 2009-2017, Quadrant Information Security <www.quadrantsec.com>  
# All rights reserved.
#  
# Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list
#  
#*************************************************************
#  Redistribution and use in source and binary forms, with or without modification, are permitted provided that the
#  following conditions are met:
#
#  * Redistributions of source code must retain the above copyright notice, this list of conditions and the following
#    disclaimer.
#  * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the
#    following disclaimer in the documentation and/or other materials provided with the distribution.
#  * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived
#    from this software without specific prior written permission.
#
#  THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES,
#  INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
#  DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
#  SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
#  SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
#  WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
#  USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#
#*************************************************************
# Palo Alto Rules  Created by Robert Nunley (rnunley@quadrantsec.com)
# 10/23/2015

alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[PALO-ALTO] Certificate has illegal URL"; content: "Certificate"; content: "has illegal URL"; classtype: system-event; reference: url,live.paloaltonetworks.com/twzvq79624/attachments/twzvq79624/learning_tkb/428/1/System_log_PANOS4.1rev3.xlsx; sid: 5002580; rev:3;)
#alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[PALO-ALTO] AntiVirus update job failed"; content: "AntiVirus update job failed"; classtype: system-event; reference: url,live.paloaltonetworks.com/twzvq79624/attachments/twzvq79624/learning_tkb/428/1/System_log_PANOS4.1rev3.xlsx; sid: 5002582; rev:3;)
alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[PALO-ALTO] Authorization failed - Brute Force [25/1] "; content: "Authorization failed for user "; default_proto: tcp; classtype: unsuccessful-user; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; xbits: set,brute_force,21600; parse_src_ip: 1; reference: url,live.paloaltonetworks.com/twzvq79624/attachments/twzvq79624/learning_tkb/428/1/System_log_PANOS4.1rev3.xlsx; sid: 5002583; rev:4;)
alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[PALO-ALTO] Chassis Master Alarm"; content: "Chassis Master Alarm"; classtype: hardware-event; reference: url,live.paloaltonetworks.com/twzvq79624/attachments/twzvq79624/learning_tkb/428/1/System_log_PANOS4.1rev3.xlsx; sid: 5002584; rev:3;)
#alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[PALO-ALTO] Failed to connect to Panorama Server"; content: "Failed to connect to Panorama Server"; classtype: system-event; reference: url,ive.paloaltonetworks.com/twzvq79624/attachments/twzvq79624/learning_tkb/428/1/System_log_PANOS4.1rev3.xlsx; sid: 5002585; rev:4;)
alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[PALO-ALTO] Failed Interactive Login - Brute Force [15/1]"; content: "Failed keyboard-interactive/pam for invalid user"; parse_src_ip: 1; default_proto: tcp; classtype: unsuccessful-user; xbits: set,brute_force,21600; after: track by_src, count 15, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; reference: url,live.paloaltonetworks.com/twzvq79624/attachments/twzvq79624/learning_tkb/428/1/System_log_PANOS4.1rev3.xlsx; sid: 5002586; rev:4;)
#alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[PALO-ALTO] Failed to install software"; content: "Failed to install software"; classtype: system-event; reference: url,live.paloaltonetworks.com/twzvq79624/attachments/twzvq79624/learning_tkb/428/1/System_log_PANOS4.1rev3.xlsx; sid: 5002587; rev:3;)
alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[PALO-ALTO] NTLM Authentication Brute Force - [25/1]"; content: "NTLM authentication failed for user"; after: track by_src, count 15, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; xbits: set,brute_force,21600; parse_src_ip: 1; default_proto: tcp; classtype: unsuccessful-user; reference: url,live.paloaltonetworks.com/twzvq79624/attachments/twzvq79624/learning_tkb/428/1/System_log_PANOS4.1rev3.xlsx; sid: 5002588; rev:3;)
alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[PALO-ALTO] User Authentication - Brute Force [25/1]"; content: "User"; content: "failed authentication"; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; xbits: set,brute_force,21600; parse_src_ip: 1; default_prot: tcp; classtype: unsuccessful-user; reference: url,live.paloaltonetworks.com/twzvq79624/attachments/twzvq79624/learning_tkb/428/1/System_log_PANOS4.1rev3.xlsx; sid: 5002591; rev:3;)
alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[PALO-ALTO] Possible Replay Attempt Caused Disconnection"; content: "Disconnecting due to possible replay attempt"; default_proto: tcp; classtype: network-event; reference: url,live.paloaltonetworks.com/twzvq79624/attachments/twzvq79624/learning_tkb/428/1/System_log_PANOS4.1rev3.xlsx; sid: 5002592; rev:3;)
alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[PALO-ALTO] PPPoE Brute Force Attempt - [25/1]"; content: "PPPoE session failed to connect"; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; xbits: set,brute_force,21600; parse_src_ip: 1; default_proto: tcp; classtype: unsuccessful-user; reference: url,live.paloaltonetworks.com/twzvq79624/attachments/twzvq79624/learning_tkb/428/1/System_log_PANOS4.1rev3.xlsx; sid: 5002595; rev:4;)
alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[PALO-ALTO] SSL VPN User Authentication Failure - Brute Force [25/1]"; content: "SSL VPN user authentication failed"; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; xbits: set,brute_force,21600; parse_src_ip: 1; default_proto: tcp; classtype: unsuccessful-user; reference: url,ive.paloaltonetworks.com/twzvq79624/attachments/twzvq79624/learning_tkb/428/1/System_log_PANOS4.1rev3.xlsx; sid: 5002596; rev:4;)
alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[PALO-ALTO] SSL VPN Login - Brute Force [25/1]"; content: "SSL VPN user login failed"; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; xbits: set,brute_force,21600; parse_src_ip: 1; default_proto: tcp; classtype: unsuccessful-user; reference: url,live.paloaltonetworks.com/twzvq79624/attachments/twzvq79624/learning_tkb/428/1/System_log_PANOS4.1rev3.xlsx; sid: 5002598; rev:4;)
alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[PALO-ALTO] Certificate is revoked"; content: "Certificate"; content: "is revoked"; classtype: system-event; reference: url,live.paloaltonetworks.com/twzvq79624/attachments/twzvq79624/learning_tkb/428/1/System_log_PANOS4.1rev3.xlsx; sid: 5002600; rev:2;)


#####Below Contributed by ~Cyber.Tao.Flow~

########URLZ

alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[PALO-ALTO] Malware URL Blocked"; content:",THREAT,url,"; content:",block-url,"; content:!",online-personal-storage,"; content:",malware-sites,"; threshold: type limit, count 1, seconds 1800, track by_src; normalize; parse_port; parse_proto; parse_src_ip: 1; parse_dst_ip: 2; default_proto: tcp; default_dst_port: $HTTP_PORT; classtype: suspicious-traffic; reference: url,www.brightcloud.com/tools/url-ip-lookup.php; sid: 5002749; rev:5;)

alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[PALO-ALTO] Phishing URL Blocked"; content:",THREAT,url,"; content:",block-url,"; content:!",online-personal-storage,"; content:",phishing-and-other-frauds,"; threshold: type limit, count 1, seconds 600, track by_src; normalize; parse_port; parse_proto; parse_src_ip: 1; parse_dst_ip: 2; default_proto: tcp; default_dst_port: $HTTP_PORT; classtype: suspicious-traffic; reference: url,www.brightcloud.com/tools/url-ip-lookup.php; sid: 5002750; rev:4;)

alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[PALO-ALTO] Spyware or Adware URL Blocked"; content:",THREAT,url,"; content:",block-url,"; content:!",online-personal-storage,"; content:",spyware-and-adware,"; threshold: type limit, count 1, seconds 1800, track by_src; normalize; parse_port; parse_proto; parse_src_ip: 1; parse_dst_ip: 2; default_proto: tcp; default_dst_port: $HTTP_PORT; classtype: suspicious-traffic; reference: url,www.brightcloud.com/tools/url-ip-lookup.php; sid: 5002751; rev:4;)

alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[PALO-ALTO] Url Blocked by policy or category"; content:",THREAT,url,"; content:",block-url,"; content:!",online-personal-storage,"; content:!",malware-sites,"; content:!",phishing-and-other-frauds,"; content:!",spyware-and-adware,"; threshold: type limit, count 1, seconds 1800, track by_dst; normalize; parse_port; parse_proto; parse_src_ip: 1; parse_dst_ip: 2; default_proto: tcp: default_dst_port: $HTTP_PORT; classtype: suspicious-traffic; reference: url,www.brightcloud.com/tools/url-ip-lookup.php; sid: 5002752; rev:3;)

#####
##### Following rule is used in conjunction with meta_content variable IGNOREDL and set silent xbit which are checked in rule 5002762

#alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[PALO-ALTO] Url silent xbit set"; content:",THREAT,url,"; content:!",block-url,"; meta_content: "%sagan%",$IGNOREDL; meta_nocase; xbits:set,downloadnolog,60; xbits:nounified2; normalize; parse_port; parse_proto; parse_src_ip: 1; parse_dst_ip: 2; default_proto: tcp; classtype: suspicious-traffic; reference: url,www.brightcloud.com/tools/url-ip-lookup.php; sid: 5002754; rev:4;)

#####VIRI

alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[PALO-ALTO] Virus Detected"; content:"THREAT,virus"; normalize; parse_proto; parse_port; parse_src_ip: 1; parse_dst_ip: 2; default_proto: tcp; classtype: suspicious-traffic; reference: url,threatvault.paloaltonetworks.com; sid: 5002755; rev:2;)

#####VULNZPloitZ By Direction

alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[PALO-ALTO] Critical Severity Exploit Inbound"; content:"THREAT,vulnerability"; pcre: "/vsys\d{1,2},Untrust,|vsys\d{1,2},Outside,|vsys\d{1,2},external,/i"; content:",critical,"; normalize; parse_proto; parse_port; parse_src_ip: 1; parse_dst_ip: 2; default_proto: tcp; classtype: exploit-attempt; reference: url,threatvault.paloaltonetworks.com; sid: 5002756; rev:3;)

alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[PALO-ALTO] Critical Severity Exploit Outbound"; content:"THREAT,vulnerability"; pcre: "/vsys\d{1,2},Trust,|vsys\d{1,2},Inside,|vsys\d{1,2},DMZ,|vsys\d{1,2},internal,/i"; content:",critical,"; normalize; parse_proto; parse_src_ip: 1; parse_dst_ip: 2; default_proto: tcp; classtype: bad-unknown; reference: url,threatvault.paloaltonetworks.com; sid: 5002757; rev:4;)

alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[PALO-ALTO] High Severity Exploit Inbound"; content:"THREAT,vulnerability"; pcre: "/vsys\d{1,2},Untrust,|vsys\d{1,2},Outside,|vsys\d{1,2},external/i"; content:",high,"; normalize; parse_port; parse_proto; parse_src_ip: 1; parse_dst_ip: 2; default_proto: tcp; classtype: exploit-attempt; reference: url,threatvault.paloaltonetworks.com; sid: 5002758; rev:3;)

alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[PALO-ALTO] High Severity Exploit Outbound"; content:"THREAT,vulnerability"; pcre: "/vsys\d{1,2},Trust,|vsys\d{1,2},Inside,|vsys\d{1,2},DMZ,|vsys\d{1,2},internal,/i"; content:",high,"; normalize; parse_port; parse_proto; parse_src_ip: 1; parse_dst_ip: 2; default_proto: tcp; classtype: bad-unknown; reference: url,threatvault.paloaltonetworks.com; sid: 5002759; rev:3;)

alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[PALO-ALTO] Medium Severity Exploit Inbound"; content:"THREAT,vulnerability"; pcre: "/vsys\d{1,2},Untrust,|vsys\d{1,2},Outside,|vsys\d{1,2},external/i";; content:",medium,"; normalize; parse_port; parse_proto; parse_src_ip: 1; parse_dst_ip: 2; default_proto: tcp; classtype: exploit-attempt; reference: url,threatvault.paloaltonetworks.com; sid: 5002760; rev:3;)

alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[PALO-ALTO] Medium Severity Exploit Outbound"; content:"THREAT,vulnerability";pcre: "/vsys\d{1,2},Trust,|vsys\d{1,2},Inside,|vsys\d{1,2},DMZ,|vsys\d{1,2},internal,/i"; content:",medium,"; normalize; parse_port; parse_proto; parse_src_ip: 1; parse_dst_ip: 2; default_proto: tcp; classtype: bad-unknown; reference: url,threatvault.paloaltonetworks.com; sid: 5002761; rev:3;)

######FILE
###Uses xbit set in rule 5002754.  Only enable after setting IGNOREDL domains for meta_content.

#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[PALO-ALTO] Executable File Download"; content:"THREAT,file"; pcre: "/Microsoft PE File|Windows Executable/i"; xbits: isnotset,both,downloadnolog; content:!"ms-update"; content:!"adobe-update"; content:!"google-update"; content:!"java-update"; normalize; parse_port; parse_proto; parse_src_ip: 1; parse_dst_ip: 2; default_proto: tcp; classtype: suspicious-filename-detect; sid:5002762; rev: 6;)
###

######Spyware DNS

alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[PALO-ALTO] Suspicious DNS Request"; content:"THREAT,spyware,"; content:",Suspicious DNS Query"; normalize; parse_proto; parse_port; parse_src_ip: 1; parse_dst_ip: 2; default_proto: udp; default_dst_port: $DNS_PORT; classtype: network-event; threshold: type limit, track by_src, count 5, seconds 1800; reference: url,threatvault.paloaltonetworks.com; sid:5002763; rev:5;)