File: syslog.rules

# Sagan syslog.rules
# Copyright (c) 2009-2017, Quadrant Information Security <www.quadrantsec.com>
# All rights reserved.
#
# Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list
#
#*************************************************************
#  Redistribution and use in source and binary forms, with or without modification, are permitted provided that the
#  following conditions are met:
#
#  * Redistributions of source code must retain the above copyright notice, this list of conditions and the following
#    disclaimer.
#  * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the
#    following disclaimer in the documentation and/or other materials provided with the distribution.
#  * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived
#    from this software without specific prior written permission.
#
#  THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES,
#  INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
#  DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
#  SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
#  SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
#  WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
#  USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#
#*************************************************************
#
# Rules outside the scope of the application-specific rule files.

# Kernel ICMP-redirect related messages ("Redirect from ..." / "Advised path ...") restricted to facility kern.
# Each rule fires once per matching line; neither carries a threshold.
# NOTE(review): program: is set to the first word of the message text ("Redirect" / "Advised") rather than to the
# usual "kernel" tag of a kernel log line.  Confirm against how the collector tags kernel messages; if the program
# field is "kernel" these rules will never match.
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[SYSLOG] Kernel TCP/IP redirect attempt"; content: "Redirect from"; classtype: bad-unknown; program: Redirect;facility: kern;reference: url,wiki.quadrantsec.com/bin/view/Main/5000056; sid: 5000056; rev:1;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[SYSLOG] Kernel TCP/IP redirect attempt"; content: "Advised path"; classtype: bad-unknown; program: Advised; facility: kern; reference: url,wiki.quadrantsec.com/bin/view/Main/5000057; sid: 5000057; rev:1;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[SYSLOG] init respawning to fast"; content: "respawning too fast"; classtype: program-error; program: init; threshold: type limit, track by_src, count 5, seconds 60; reference: url,wiki.quadrantsec.com/bin/view/Main/5000058; sid: 5000058; rev:2;)
# Kernel "martian source" reports (facility kern).  parse_src_ip: 2 / parse_dst_ip: 1 take the second and first IP
# addresses found in the message as source and destination respectively -- presumably because the kernel prints the
# destination address before the source in this line; verify against a sample log.
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[SYSLOG] Martian source packet"; content: "martian source"; parse_src_ip: 2; parse_dst_ip: 1; classtype: bad-unknown; program: martian; facility: kern; reference: url,wiki.quadrantsec.com/bin/view/Main/5000059; sid: 5000059; rev:2;)
# Generic crash indicators (core dump / fatal / segmentation fault / corrupt, case-insensitive).  Not tied to a
# program, so it is rate-limited to one alert per source every 300s.  The negated meta_content drops lines that
# mention the listed news outlets (or "%sagan%") -- presumably to suppress false positives from web/content logs
# where those words appear in page text; confirm the intent before changing the list.
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[SYSLOG] Possible unknown problem on a system"; pcre: "/core_dump|core dump| fatal |segmentation fault| corrupt /i"; threshold: type limit, track by_src, count 1, seconds 300; classtype: program-error; reference: url,wiki.quadrantsec.com/bin/view/Main/5000114; meta_content:!"%sagan%",abcnews,cnn,cbsnews,foxnews,msnbc; meta_nocase; sid: 5000114; rev:5;)
# Disabled: missing /etc/securetty.
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[SYSLOG] /etc/securetty missing, root access unrestricted"; content: "couldn't open /etc/securetty"; nocase; classtype: program-error; reference: url,wiki.quadrantsec.com/bin/view/Main/5000115; sid: 5000115; rev:1;)
# Filesystem full, rate-limited to one alert per source every 300s.
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[SYSLOG] System out of disk space"; pcre: "/file system full|No space left on device/i"; classtype: hardware-event; threshold: type limit, track by_src, count 1, seconds 300; reference: url,wiki.quadrantsec.com/bin/view/Main/5000116; sid:5000116; rev:2;)
# Disabled: NFS mount failures (client and rpc.mountd side).
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[SYSLOG] Unable to mount NFS share"; content: "mount failure"; classtype: program-error; program: nfs; threshold: type limit, track by_src, count 1, seconds 86400; reference: url,wiki.quadrantsec.com/bin/view/Main/5000117; sid: 5000117; rev:2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[SYSLOG] Unable to mount the NFS directory"; content: "refused mount request from"; classtype: program-error; program: rpc.mountd; threshold: type limit, track by_src, count 1, seconds 86400; reference: url,wiki.quadrantsec.com/bin/view/Main/5000118; sid: 5000118; rev:2;)
# Generic authentication-failure brute force.  Fires only after 25 matching events from one source within 300s
# (after:), then at most once per source per 86400s (threshold:), and sets the xbit "brute_force" for 21600s so
# other rules can correlate on the same source.  The negated contents exclude lines containing "$ Session ID:"
# (|24| = '$', |3a| = ':') and "access denied by ACL", which would otherwise match the broad pcre.
# parse_src_ip: 1 takes the first IP found in the message as the source; parse_port / parse_proto likewise
# extract port and protocol from the message text.
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[SYSLOG] Authentication failure - Brute force [25/1]"; pcre: "/failed to authorize|wrong password given|repeated login failures|authentication failed|authentication failures|access denied|access not allowed|failed to authenticate/i"; content: !"|24| Session ID|3a|"; content:!"access denied by ACL"; parse_src_ip: 1; parse_port; parse_proto; classtype: unsuccessful-user; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; xbits: set,brute_force,21600; reference: url,wiki.quadrantsec.com/bin/view/Main/5000119; sid: 5000119; rev:14;)
# Disabled: tiered variants of the rule above at 10/20/50/100 attempts per 300s (older, narrower pcre).
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[SYSLOG] Authentication failure - Brute force [10 attempts in 5 minutes]"; pcre: "/failed to authorize|wrong password given|repeated login failures|authentication failed|more authentication failures/i"; parse_src_ip: 1; classtype: unsuccessful-user; after: track by_src, count 10, seconds 300; threshold: type limit, track by_src, count 5, seconds 300; xbits: set,brute_force,21600; reference: url,wiki.quadrantsec.com/bin/view/Main/5001621; sid: 5001621; rev:3;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[SYSLOG] Authentication failure - Brute force [20 attempts in 5 minutes]"; pcre: "/failed to authorize|wrong password given|repeated login failures|authentication failed|more authentication failures/i"; parse_src_ip: 1; classtype: unsuccessful-user; after: track by_src, count 20, seconds 300; threshold: type limit, track by_src, count 5, seconds 300; xbits: set,brute_force,21600; reference: url,wiki.quadrantsec.com/bin/view/Main/5001622; sid: 5001622; rev:3;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[SYSLOG] Authentication failure - Brute force [50 attempts in 5 minutes]"; pcre: "/failed to authorize|wrong password given|repeated login failures|authentication failed|more authentication failures/i"; parse_src_ip: 1; classtype: unsuccessful-user; after: track by_src, count 50, seconds 300; threshold: type limit, track by_src, count 5, seconds 300; xbits: set,brute_force,21600; reference: url,wiki.quadrantsec.com/bin/view/Main/5001623; sid: 5001623; rev:3;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[SYSLOG] Authentication failure - Brute force [100 attempts in 5 minutes]"; pcre: "/failed to authorize|wrong password given|repeated login failures|authentication failed|more authentication failures/i"; parse_src_ip: 1; classtype: unsuccessful-user; after: track by_src, count 100, seconds 300; threshold: type limit, track by_src, count 5, seconds 300; xbits: set,brute_force,21600; reference: url,wiki.quadrantsec.com/bin/view/Main/5001624; sid: 5001624; rev:3;)
#
# Catch-all for all authentication failures (disabled).  It carries no after:/threshold:, so if re-enabled it
# would fire on every single matching line.
#
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[SYSLOG] Authentication failure"; pcre: "/failed to authorize|wrong password given|repeated login failures|authentication failed|more authentication failures/i"; classtype: unsuccessful-user; reference: url,wiki.quadrantsec.com/bin/view/Main/5001528; sid: 5001528; rev:1;)
# Refused/illegal root login.  The pcre has no /i flag, so only the upper-case spellings are matched.
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[SYSLOG] Illegal root login"; pcre: "/ILLEGAL ROOT LOGIN|ROOT LOGIN REFUSED/"; classtype: unsuccessful-admin; reference: url,wiki.quadrantsec.com/bin/view/Main/5000120; sid: 5000120; rev:1;)
# TCP Wrappers / libwrap connection refusals; source IP taken from the first address in the message.
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[SYSLOG] Connection blocked by TCP Wrappers"; pcre: "/refused connect from|libwrap refused connection|connection from \S+ denied/i"; parse_src_ip: 1; classtype: tcp-connection; reference: url,wiki.quadrantsec.com/bin/view/Main/5000121; sid: 5000121; rev:2;)
# Successful root login on a local terminal.  The double space in "ROOT LOGIN  on" is deliberate -- it mirrors the
# login(1) message format; do not "fix" it without checking a sample line.
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[SYSLOG] Physical root login"; content: "ROOT LOGIN  on"; nocase; classtype: successful-admin; reference: url,wiki.quadrantsec.com/bin/view/Main/5000122; sid: 5000122; rev:1;)
# Kernel (facility kern) events: oversized packet, interface in promiscuous mode, OOM, klogd terminating.
# None of these are thresholded.
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[SYSLOG] Oversized packet - ping of death?"; content: "Oversized packet received from"; classtype: attempted-dos; reference: url,wiki.quadrantsec.com/bin/view/Main/5000123; sid: 5000123; facility: kern; rev:1;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[SYSLOG] Interface entered promiscuous mode"; pcre: "/Promiscuous mode enabled|device \S+ entered promiscuous mode/i"; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/5000124; sid: 5000124; facility: kern; rev:1;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[SYSLOG] System out of memory!"; content: "out of memory"; nocase; classtype: hardware-event; reference: url,wiki.quadrantsec.com/bin/view/Main/5000125; sid: 5000125; facility: kern; rev:1;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[SYSLOG] Kernel log daemon terminating"; content: "kernel log daemon terminating"; nocase; classtype: system-event; reference: url,wiki.quadrantsec.com/bin/view/Main/5000126; sid: 5000126; facility: kern; rev:1;)
# Disabled: ADSL link state.
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[SYSLOG] ADSL line is up"; content: "ADSL line is up"; classtype: hardware-event; reference: url,wiki.quadrantsec.com/bin/view/Main/5000127; sid: 5000127; rev:1;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[SYSLOG] ADSL line is down"; content: "ADSL line is down"; classtype: hardware-event; reference: url,wiki.quadrantsec.com/bin/view/Main/5000128; sid: 5000128; rev:1;)
# Local account lifecycle: group/user creation (program useradd or adduser), deletion, and attribute changes.
# Useful audit trail for persistence via new or altered local accounts.
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[SYSLOG] New group added to the system"; content: "new group"; nocase; program: useradd|adduser; classtype: system-event; reference: url,wiki.quadrantsec.com/bin/view/Main/5000130; sid: 5000130; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[SYSLOG] New user added to the system"; pcre: "/new user|new account added/i"; program: useradd|adduser; classtype: system-event; reference: url,wiki.quadrantsec.com/bin/view/Main/5000131; sid: 5000131; rev:2;)
# NOTE(review): the pcre below already carries /i, so the trailing nocase; (a content modifier) is redundant here.
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[SYSLOG] User or group was deleted from the system"; pcre: "/delete user|account deleted|remove group/i"; nocase; classtype: system-event; reference: url,wiki.quadrantsec.com/bin/view/Main/5000376; sid: 5000376; rev:1;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[SYSLOG] Information for a user was changed"; content: "changed user"; nocase; classtype: system-event; reference: url,wiki.quadrantsec.com/bin/view/Main/5000377; sid: 5000377; rev:1;)
# Disabled: automount stat failure and Nagios agent host rejection.
# NOTE(review): the Nagios agent is named nrpe; "npre" in both the msg and program: of sid 5000410 looks like a
# transposition -- confirm before re-enabling, or program: will never match.
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[SYSLOG] automount - Couldn't stat filesystem"; program: automount; content: "could not stat fs of"; classtype: system-event; reference: url,wiki.quadrantsec.com/bin/view/Main/5000395; sid: 5000395; rev:1;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[SYSLOG] Nagios npre - Host not allowed"; program: npre; content: "is not allowed to talk to us"; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/5000410; sid: 5000410; rev:1;)
# syslog-ng write problems on the collector itself -- a write suspension means log lines may be lost, which
# matters for any detection depending on this feed.
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[SYSLOG] syslog-ng I/O error"; program: syslog-ng; content: "I/O error occurred while writing"; classtype: system-event; reference: url,wiki.quadrantsec.com/bin/view/Main/5001011; sid: 5001011; rev:1;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[SYSLOG] syslog-ng suspend write"; program: syslog-ng; content: "Suspending write operation"; classtype: system-event; reference: url,wiki.quadrantsec.com/bin/view/Main/5001012; sid: 5001012; rev:1;)

# Linux system "password changed" rules.  Created by Brian Echeverry (becheverry@quadrantsec.com)

# Disabled: password changes reported by passwd (any user; root specifically).  Both rules are plain content
# matches with no ordering between the contents, so each word may match anywhere in the line.
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[SYSLOG] password changed for user"; content: "passwd"; content: "changed"; classtype: successful-user; program: passwd; reference: url,wiki.quadrantsec.com/bin/view/Main/5001704; sid:5001704; rev:1;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[SYSLOG] password changed for user root"; content: "passwd"; content: "changed"; content: "root"; classtype: successful-admin; program: passwd; reference: url,wiki.quadrantsec.com/bin/view/Main/5001705; sid:5001705; rev:1;)
# Disabled: rhsmd subscription status.
# NOTE(review): the msg says "not updating" but the content matches "your system is up-to-date"; confirm which
# rhsmd line is intended before re-enabling.
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[SYSLOG] Redhat Linux not updating"; content: "your system is up-to-date"; classtype: program-error; program: rhsmd; reference: url,wiki.quadrantsec.com/bin/view/Main/5001961; sid:5001961; rev:1;)

# Added by Robert Nunley 02/20/2014 (rnunley@quadantsec.com)

# Kernel storage-health events (program kernel): SCSI task abort and a filesystem being remounted read-only
# after errors.  Neither is thresholded; a failing disk can emit these repeatedly.
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[SYSLOG] SCSI task abort"; content: "scsi"; content: "task abort"; classtype: hardware-event; reference: url,wiki.quadrantsec.com/bin/view/Main/5001972; program: kernel; sid: 5001972; rev:1;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[SYSLOG] Remounting filesystem read-only"; content: "Remounting filesystem read-only"; classtype: hardware-event; reference: url,wiki.quadrantsec.com/bin/view/Main/5001973; program: kernel; sid: 5001973; rev:1;)