File: sonicwall.rules

# Sagan sonicwall.rules
# Copyright (c) 2009-2017, Quadrant Information Security <www.quadrantsec.com>
# All rights reserved.
#
# Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list
#
#*************************************************************
#  Redistribution and use in source and binary forms, with or without modification, are permitted provided that the
#  following conditions are met:
#
#  * Redistributions of source code must retain the above copyright notice, this list of conditions and the following
#    disclaimer.
#  * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the
#    following disclaimer in the documentation and/or other materials provided with the distribution.
#  * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived
#    from this software without specific prior written permission.
#
#  THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES,
#  INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
#  DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
#  SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
#  SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
#  WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
#  USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#
#*************************************************************

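# TCP port-scan summary from the SonicWall IPS. The reference previously pointed at the UDP
# sibling's page (5001085); it now follows the one-page-per-sid convention used by the other
# rules in this group (confirm the 5001083 wiki page exists).
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[SONICWALL] Possible TCP Port Scan"; content: "Possible port scan detected"; content: "TCP scanned port list"; default_proto: tcp; classtype: network-scan; normalize; reference: url,wiki.quadrantsec.com/bin/view/Main/5001083; sid: 5001083; rev:4;)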
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[SONICWALL] Possible UDP Port Scan"; content: "Possible port scan detected"; content: "UDP scanned port list"; default_proto: udp; classtype: network-scan; normalize; reference: url,wiki.quadrantsec.com/bin/view/Main/5001085; sid: 5001085; rev:3;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[SONICWALL] IPS Detection Alert"; content: "IPS Detection Alert"; content: "ICMP PING"; default_proto: icmp; classtype: network-scan; normalize; reference: url,wiki.quadrantsec.com/bin/view/Main/5001084; sid: 5001084; rev:3;)
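# Generic "IPS Detection Alert" match. The ICMP-PING-specific variant (5001084, disabled above)
# is where the icmp protocol default and network-scan classtype came from; this rule matches
# every IPS detection regardless of protocol, so it no longer asserts icmp and is classified
# exploit-attempt, consistent with the disabled duplicate 5002677 and the IPS Prevention rule 5002678.
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[SONICWALL] IPS Detection Alert"; content: "IPS Detection Alert"; classtype: exploit-attempt; normalize; reference: url,wiki.quadrantsec.com/bin/view/Main/5001090; sid: 5001090; rev:5;)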

# These were created by Kevin Gross (kgross@quadrantsec.com)

#alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] Possible restart for system maintenance"; content: "As per Diagnostic Auto-restart configuration request, restarting system"; classtype: system-event; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002601; rev:2; )
#alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] Auto-Dial Failure"; content: "auto-dial failed: Current Connection Model is configured as Ethernet Only"; classtype: system-event; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002602; rev:2; )
#alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] Ethernet Port Down"; content: "Ethernet Port Down"; classtype: hardware-event; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002603; rev:2; )
#alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] Ethernet Port Up"; content: "Ethernet Port Up"; classtype: hardware-event; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002604; rev:2; )
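# Sagan content matches are case-sensitive and no nocase is set; the earlier mixed-case
# "subscRIPtions" literal (apparently a search/replace artifact) could not match the lowercase
# sentence the firewall logs, so the rule silently never fired.
alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] Registration Update Needed"; content: "Registration Update Needed"; content: "Restore your existing security service subscriptions by clicking"; classtype: system-event; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002605; rev:3; )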
#alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] 3G Device Detected"; content: "3G"; content: "device detected"; classtype: hardware-event; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002606; rev:2; )
#alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] 3G Data Limit Reached"; content: "3G"; content: "data usage limit reached"; classtype: system-event; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002607; rev:3; )
#alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] No 3G Sim Card Detected"; content: "3G"; content: "No SIM detected"; classtype: hardware-event; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002608; rev:2; )
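# Firewall fell back to an older preferences file; msg spelling fixed ("Inaccessible") so
# searches on the alert name work. Worth correlating with configuration-change alerts, since a
# fallback can undo recent policy edits.
alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] Preferences File Inaccessible"; content: "A prior version of preferences was loaded because the most recent preferences file was inaccessible"; classtype: system-event; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002609; rev:3; )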
#alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] OS Upgrade Performed"; content: "A SonicOS Standard to Enhanced Upgrade was performed"; classtype: system-event; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002610; rev:2; )
alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] Attempted access from host out of compliance with GSC policy"; content: "Access attempt from host out of compliance with GSC policy"; classtype: configuration-error; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002611; rev:3; )
alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] Access attempt from host without Anti-Virus agent installed"; content: "Access attempt from host without Anti-Virus agent installed"; classtype: configuration-error; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002612; rev:3; )
alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] Security Services"; content: "Access attempt from host without GSC installed"; classtype: configuration-error; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002613; rev:3; )
alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] Firewall Rule Added"; content: "Access rule added"; classtype: configuration-change; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002614; rev:2; )
alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] Firewall Rule Deleted"; content: "Access rule deleted"; classtype: configuration-change; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002615; rev:2; )
alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] Firewall Rule Modified"; content: "Access rule modified"; classtype: configuration-change; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002616; rev:2; )
alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] Firewall Rule reset to defaults"; content: "Access rules restored to defaults"; classtype: configuration-change; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002617; rev:2; )
alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] Network Access to proxy server denied"; content: "Access to proxy server denied"; classtype: permissions-violation; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002618; rev:2; )
alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] ActiveX access denied"; content: "ActiveX access denied"; classtype: suspicious-traffic; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002619; rev:2; )
alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] ActiveX or Java archive access denied"; content: "ActiveX or Java archive access denied"; classtype: suspicious-traffic; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002620; rev:3; )
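# Successful web/GUI administrator login. Classified successful-admin to match the CLI
# equivalent (5002640) rather than the generic system-event bucket, so admin logins get the
# same priority and can be correlated with the failed-login rules 5002622/5002641.
alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] Successful Administrator Access"; content: "Administrator login allowed"; classtype: successful-admin; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002621; rev:3; )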
alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] Administrator Access denied due to bad credentials"; content: "Administrator login denied due to bad credentials"; classtype: unsuccessful-admin; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002622; rev:2; )
alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] Administrator Access not allowed on this interface"; content: "Administrator login denied from"; content: "logins disabled from this interface"; classtype: unsuccessful-admin; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002623; rev:2; )
alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] Administrator Account Name Changed"; content: "Administrator name changed"; classtype: system-event; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002624; rev:2; )
#alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] Firewall preferences reset to factory defaults"; content: "All preference values have been set to factory default values"; classtype: system-event; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002625; rev:2; )
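# The firewall ACCEPTED an LDAP server certificate whose name did not match the configured host.
# Nothing failed here, so unsuccessful-admin was wrong; this is a TLS-validation weakness (a
# mismatched certificate is what an interposed LDAP server would present), classified
# suspicious-traffic like the other PKI rules 5002638/5002639.
alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] Allowed LDAP server certificate with wrong host name"; content: "Allowed LDAP server certificate with wrong host name"; classtype: suspicious-traffic; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002626; rev:3; )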
alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] Possible Intrusion detection - Anti-Spyware detected"; content: "Anti-Spyware Detection Alert"; classtype: suspicious-traffic; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002627; rev:2; )
alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] Possible Intrusion detection - Anti-Spyware detected"; content: "Anti-Spyware Prevention Alert"; classtype: suspicious-traffic; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002628; rev:2; )
alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] Intrusion Detection - Suspicious Application detected"; content: "Application Filter Detection Alert"; classtype: suspicious-traffic; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002629; rev:3; )
alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] Intrusion Detection - Suspicious Application detected"; content: "Application Filters Block Alert"; classtype: suspicious-traffic; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002630; rev:2; )
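# 802.11 association flood from a wireless station is a denial-of-service condition, not an
# exploit; classified attempted-dos in line with the FIN/RST flood rules in this file.
alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] ASOC Flood detected from WLAN station"; content: "Association Flood from WLAN station"; classtype: attempted-dos; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002631; rev:4; )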
alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] Intrusion Detection - Back Orifice Attack Dropped"; content: "Back Orifice attack dropped"; classtype: exploit-attempt; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002632; rev:2; )
alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] High Availability - Backup active"; content: "Backup active"; classtype: hardware-event; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002633; rev:2; )
alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] High Availability/Failover - Backup Firewall Active"; content: "Backup firewall has transitioned to Active"; classtype: hardware-event; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002634; rev:2; )
alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] High Availability/Failover - Backup Firewall transitioned to idle"; content: "Backup firewall has transitioned to Idle"; classtype: hardware-event; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002635; rev:2; )
alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] High Availability - Backup Firewall Rebooting"; content: "Backup firewall rebooting itself as it transitioned from Active to Idle while Preempt"; classtype: hardware-event; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002636; rev:2; )
alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] High Availability - Backup WAN link down"; content: "Backup WAN link down, Primary going Active"; classtype: hardware-event; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002637; rev:2; )
alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] VPN PKI - Bad CRL format"; content: "Bad CRL format"; classtype: suspicious-traffic; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002638; rev:2; )
alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] VPN PKI - Blacklisted Certificate"; content: "Certificate on Revoked list(CRL)"; classtype: suspicious-traffic; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002639; rev:2; )
alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] Administrator Login - Commandline login successful"; content: "CLI administrator login allowed"; classtype: successful-admin; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002640; rev:2; )
alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] Administrator login failed due to bad credentials"; content: "CLI administrator login denied due to bad credentials"; classtype: unsuccessful-admin; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002641; rev:2; )
#alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] Firewall event - Diagnostic Reboot"; content: "Diagnostic Auto-restart scheduled for"; classtype: hardware-event; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002642; rev:2; )
alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] Firewall Hardware Diagnostic Code A"; content: "Diagnostic Code A"; classtype: hardware-event; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002643; rev:2; )
alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] Firewall Hardware Diagnostic Code B"; content: "Diagnostic Code B"; classtype: hardware-event; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002644; rev:2; )
alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] Firewall Hardware Diagnostic Code C"; content: "Diagnostic Code C"; classtype: hardware-event; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002645; rev:2; )
alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] Firewall Hardware Diagnostic Code D"; content: "Diagnostic Code D"; classtype: hardware-event; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002646; rev:2; )
alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] Firewall Hardware Diagnostic Code E"; content: "Diagnostic Code E"; classtype: hardware-event; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002647; rev:2; )
alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] Firewall Hardware Diagnostic Code F"; content: "Diagnostic Code F"; classtype: hardware-event; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002648; rev:2; )
alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] Firewall Hardware Diagnostic Code G"; content: "Diagnostic Code G"; classtype: hardware-event; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002649; rev:3; )
alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] Firewall Hardware Diagnostic Code H"; content: "Diagnostic Code H"; classtype: hardware-event; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002650; rev:4; )
alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] Firewall Hardware Diagnostic Code I"; content: "Diagnostic Code I"; classtype: hardware-event; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002651; rev:2; )
alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] Firewall Hardware Diagnostic Code J"; content: "Diagnostic Code J"; classtype: hardware-event; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002652; rev:2; )
#alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] Intrusion Detection Non-Sonicpoint WLAN traffic dropped"; content: "Drop WLAN traffic from nonSonicPoint devices"; classtype: exploit-attempt; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002653; rev:2; )
#alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] Error initializing Hardware acceleration for VPN"; content: "Error initializing Hardware acceleration for VPN"; classtype: hardware-event; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002654; rev:2; )
#alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] High Availability - Error rebooting peer firewall"; content: "Error Rebooting HA Peer Firewall"; classtype: system-hardware; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002655; rev:2; )
#alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] High Availability - Error setting up IP address of the backup"; content: "Error setting the IP address of the backup, please manually set to backup LAN IP"; classtype: hardware-event; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002656; rev:2; )
#alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] Security Services - License Sync Failed"; content: "Failed to synchronize license information with Licensing Server"; classtype: system-error; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002657; rev:2; )
alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] Intrusion Detection - Possible FIN Flood"; content: "FIN Flood Blacklist on"; classtype: attempted-dos; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002658; rev:3; )
alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] Intrusion Detection - Possible FIN Flood"; content: "FIN-Flooding machine"; classtype: attempted-dos; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002659; rev:3; )
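# Wireless IDS found a rogue access point; msg spelling fixed ("Rogue") to match the content
# string and the term analysts search for.
alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] WLAN IDS - Rogue Access Point"; content: "Found Rogue Access Point"; classtype: exploit-attempt; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002660; rev:3; )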
alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] Intrusion Detection - Fraudulent Microsoft Certificate"; content: "Fraudulent Microsoft certificate found"; classtype: exploit-attempt; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002661; rev:2; )
alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] FTP - Login Failed"; content: "FTP client user logged in failed"; classtype: unsuccessful-user; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002662; rev:2; )
alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] Network Access - Dropped access from non-default port"; content: "Data connection from non default port dropped"; classtype: suspicious-traffic; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002663; rev:2; )
alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] Intrusion Detection - Bounce attack dropped"; content: "PASV response bounce attack dropped"; classtype: exploit-attempt; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002664; rev:2; )
alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] Intrusion Detection - Spoof attack dropped"; content: "PASV response spoof attack dropped"; classtype: exploit-attempt; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002665; rev:2; )
alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] Guest account created"; content: "Guest account"; content: "created"; classtype: system-event; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002666; rev:2; )
alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] Guest account deleted"; content: "Guest account"; content: "deleted"; classtype: system-event; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002667; rev:2; )
alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] Guest account disabled"; content: "Guest account"; content: "disabled"; classtype: system-event; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002668; rev:2; )
alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] Guest account pruned"; content: "Guest account"; content: "pruned"; classtype: system-event; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002669; rev:2; )
alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] Guest account re-enabled"; content: "Guest account"; content: "re-enabled"; classtype: system-event; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002670; rev:2; )
alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] Guest account re-generated"; content: "Guest account"; content: "re-generated"; classtype: system-event; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002671; rev:2; )
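# HA heartbeat from a peer the firewall does not recognise as compatible; msg spelling fixed
# ("incompatible") to match the content string.
alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] Heartbeat detected from incompatible source"; content: "Heartbeat received from incompatible source"; classtype: suspicious-traffic; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002672; rev:3; )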
alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] HTTP management port has changed"; content: "HTTP management port has changed"; classtype: system-event; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002673; rev:2; )
alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] Wireless - Unauthorized user"; content: "Internet Access restricted to authorized users"; classtype: permissions-violation; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002674; rev:2; )
alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] Possible IP spoof detected"; content: "IP spoof detected on packet to Central Gateway"; classtype: exploit-attempt; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002675; rev:2; )
alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] Possible IP spoof dropped"; content: "IP spoof dropped"; classtype: exploit-attempt; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002676; rev:2; )
#alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] IPS Detection Alert"; content: "IPS Detection Alert"; classtype: exploit-attempt; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002677; rev:2; )
alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] IPS Prevention Alert"; content: "IPS Prevention Alert"; classtype: exploit-attempt; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002678; rev:2; )
alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] Intrusion Detection - Land attack dropped"; content: "Land attack dropped"; classtype: exploit-attempt; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002679; rev:2; )
alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] Intrusion Detection - removed from FIN flood blacklist"; content: "removed from FIN flood blacklist"; classtype: system-event; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002680; rev:2; )
alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] Intrusion Detection - removed from RST flood blacklist"; content: "removed from RST flood blacklist"; classtype: system-event; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002681; rev:2; )
alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] Intrusion Detection - removed from SYN flood blacklist"; content: "removed from SYN flood blacklist"; classtype: system-event; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002682; rev:2; )
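# Firewall-side log rate limiting. When either threshold rule fires the SonicWall is dropping
# log events, so the absence of other alerts from this device during that window is not
# evidence that nothing happened.
alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] Firewall logging - Maximum events per second threshold exceeded"; content: "Maximum events per second threshold exceeded"; classtype: system-event; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002683; rev:3; )
# Repeated PPP dial failures are an operational fault, not an exploit; classified system-event
# like the auto-dial failure rule 5002602 so it does not page as a high-priority attack.
alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] PPP dialup - Maximum sequential failed dial attempts"; content: "Maximum sequential failed dial attempts"; classtype: system-event; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002684; rev:4; )
alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] Firewall logging - Maximum syslog data per second threshold exceeded"; content: "Maximum syslog data per second threshold exceeded"; classtype: attempted-dos; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002685; rev:2; )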
alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] Multiple DHCP servers detected on network"; content: "Multiple DHCP Servers are detected on network"; classtype: network-event; parse_src_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002686; rev:3; )
alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] Intrusion Detection - Net Spy attack dropped"; content: "Net Spy attack dropped"; classtype: exploit-attempt; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002687; rev:2; )
alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] Intrusion Detection - NetBus attack dropped"; content: "NetBus attack dropped"; classtype: exploit-attempt; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002688; rev:2; )
#alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] Wireless - Packet dropped by WLAN"; content: "Packet dropped by WLAN"; classtype: suspicious-traffic; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002689; rev:2; )
alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] No firewall rule exists for VPN policy"; content: " No firewall rule associated with VPN policy"; classtype: system-event; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002690; rev:2; )
alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] Intrusion Detection - Ping of Death dropped"; content: "Ping of death dropped"; classtype: exploit-attempt; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002691; rev:2; )
alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] Intrusion Detection - Possible DNS rebind attack detected"; content: "Possible DNS rebind attack detected"; classtype: exploit-attempt; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002692; rev:2; )
alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] Intrusion Detection - Possible FIN Flood"; content: "Possible FIN Flood"; classtype: attempted-dos; parse_src_ip: 2; parse_dst_ip: 3; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002693; rev:4;)
#alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] Intrusion Detection - Possible port scan detected"; content: "Possible port scan detected"; classtype: network-scan ; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002694; rev:3; )
alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] Intrusion Detection - Possible RST Flood"; content: "Possible RST Flood"; classtype: attempted-dos; threshold: type limit, track by_src, count 1, seconds 300; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002695; rev:4; )
alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] Intrusion Detection - Possible SYN Flood"; content: "Possible SYN Flood"; classtype: attempted-dos; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002696; rev:3; )
alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] Intrusion Detection - Priority attack dropped"; content: "Priority attack dropped"; classtype: exploit-attempt; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002697; rev:2; )
alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] Intrusion Detection - Probable port scan detected"; content: "Probable port scan detected"; classtype: network-scan; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002698; rev:3; )
alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] Intrusion Detection - Probable TCP FIN scan detected"; content: "Probable TCP FIN scan detected"; classtype: network-scan; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002699; rev:3; )
alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] Intrusion Detection - Probable TCP NULL scan detected"; content: "Probable TCP NULL scan detected"; classtype: network-scan; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002700; rev:3; )
alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] Intrusion Detection - Probable TCP XMAS scan detected"; content: "Probable TCP XMAS scan detected"; classtype: network-scan; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002701; rev:3; )
alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] Wan Failover - Possible recon attempt"; content: "Probing failure on"; classtype: attempted-recon; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002702; rev:2; )
alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] Wan Failover - Recon attempt"; content: "Probing suceeded on"; classtype: successful-recon-limited; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002703; rev:2; )
alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] Firewall Hardware - Clock battery has failed"; content: "Real time clock battery failure Time values may be incorrect"; classtype: hardware-event; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002704; rev:2; )
alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] Wan Failover - Possible recon"; content: "Probing suceeded on"; classtype: successful-recon-limited; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002705; rev:2; )
alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] Sonicwall License Expired"; content: "SonicWALL"; content: "expired"; classtype: system-event; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002706; rev:2; )
alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] Firewall rebooting"; content: "Restarting SonicWALL"; classtype: system-event; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002707; rev:2; )
alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] Intrusion Detection - RIPper attack dropped"; content: "RIPper attack dropped"; classtype: exploit-attempt; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002708; rev:2; )
alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] Intrusion Detection - RST Flood Blacklist"; content: "RST Flood Blacklist on IF"; classtype: attempted-dos; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002709; rev:3; )
alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] Intrusion Detection - RST Flood"; content: "RST"; content: "Flooding machine"; classtype: attempted-dos; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002710; rev:3; )
alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] Intrusion Detection - Senna Spy attack dropped"; content: "Senna Spy attack dropped"; classtype: exploit-attempt; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002711; rev:2; )
#alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] Firewall activated"; content: "SonicWALL activated"; classtype: system-event; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002712; rev:2; )
#alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] Firewall starting up"; content: "SonicWALL initializing"; classtype: system-event; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002713; rev:2; )
#alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] SonicWALL SSO agent is down"; content: "SonicWALL SSO agent is down"; classtype: system-event; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002714; rev:2; )
#alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] SonicWALL SSO agent is up"; content: "SonicWALL SSO agent is up"; classtype: system-event; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002715; rev:2; )
alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] Domain name too long"; content: "SonicWALL SSO agent returned domain name too long"; classtype: system-event; normalize; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002716; rev:3; )
#alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] SSO agent returned error"; content: "SonicWALL SSO agent returned error"; classtype: system-event; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002717; rev:2; )
alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] User name too long"; content: "SonicWALL SSO agent returned user name too long"; classtype: system-event; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002718; rev:2; )
alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] Intrusion Detection - Source routed IP packet dropped"; content: "Source routed IP packet dropped"; classtype: system-event; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002719; rev:3; )
alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] Intrusion Detection - Spank attack dropped"; content: "Spank attack multicast packet dropped"; classtype: suspicious-traffic; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002720; rev:2; )
#alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] VPN policy enforced"; content: "VPN enforcement"; classtype: exploit-attempt; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002721; rev:2; )
alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] Intrusion Detection - Striker attack dropped"; content: "Striker attack dropped"; classtype: exploit-attempt; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002722; rev:2; )
alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] Intrusion Detection - Sub Seven attack dropped"; content: "Sub Seven attack dropped"; classtype: exploit-attempt; normalize; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002723; rev:4; )
alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] Intrusion Detection - SYN Flood blacklisting enabled by user"; content: "SYN Flood blacklisting enabled by user"; classtype: attempted-dos; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002724; rev:2; )
alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] Intrusion Detection - SYN flood ceased or flooding machines blacklisted"; content: "SYN flood ceased or flooding machines blacklisted"; classtype: attempted-dos; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002725; rev:3; )
alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] Intrusion Detection - SYN Flood Mode changed by user"; content: "SYN Flood Mode changed by user to"; classtype: attempted-dos; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002726; rev:3; )
#alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] System clock manually updated"; content: "System clock manually updated"; classtype: system-event; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002727; rev:2; )
alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] Intrusion Detection - TCP Xmas Tree dropped"; content: "TCP Xmas Tree dropped"; classtype: network-scan; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002728; rev:2; )
#alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] Virtual Access Point is disabled"; content: "Virtual Access Point is disabled"; classtype: system-event; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002729; rev:2; )
#alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] Virtual Access Point is enabled"; content: "Virtual Access Point is enabled"; classtype: system-event; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002730; rev:2; )
#alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] Hardware failure - Voltages Out of Tolerance"; content: "Voltages Out of Tolerance"; classtype: hardware-event; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002731; rev:2; )
#alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] WLAN firmware image has been updated"; content: "WLAN firmware image has been updated"; classtype: system-event; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002732; rev:2; )
alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] Radio frequency threat detected"; content: "WLAN radio frequency threat detected"; classtype: exploit-attempt; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002733; rev:2; )
#alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[SONICWALL] WLAN sequence number out of order - sequencing error/EMF interference/rogue AP"; content: "WLAN sequence number out of order"; classtype: network-event; parse_src_ip: 1; parse_dst_ip: 2; reference: url,www.sonicwall.com/downloads/SonicOS_Log_Event_Reference_Guide.pdf; sid:5002734; rev:2; )