File: watchguard.rules

package info (click to toggle)
sagan-rules 1:20170725-1
  • links: PTS
  • area: main
  • in suites: bullseye, buster, sid
  • size: 3,460 kB
  • sloc: makefile: 5
file content (243 lines) | stat: -rw-r--r-- 18,563 bytes parent folder | download
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
# Sagan watchguard.rules
# Copyright (c) 2009-2017, Quadrant Information Security <www.quadrantsec.com>
# All rights reserved.
#
# Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list
#
#*************************************************************
#  Redistribution and use in source and binary forms, with or without modification, are permitted provided that the
#  following conditions are met:
#
#  * Redistributions of source code must retain the above copyright notice, this list of conditions and the following
#    disclaimer.
#  * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the
#    following disclaimer in the documentation and/or other materials provided with the distribution.
#  * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived
#    from this software without specific prior written permission.
#
#  THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES,
#  INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
#  DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
#  SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
#  SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
#  WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
#  USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#
#

# Watchguard rules by Kenneth Comollo <kcomollo@quadrantsec.com>; 
# 2017/03/08

# Example log. 

# 10.1.1.1|local1|warning|warning|8c|2016-12-13|14:03:58|WatchGuard*| (2016-12-13T19:03:58) firewall: msg_id="3000-0149" Allow 1-Trusted 0-External 413 tcp 20 121 10.2.2.2 12.11.111.8 52976 443 offset 5 A 3999914994 win 1 app_name="SSL/TLS" cat_name="Network protocols" app_beh_name="Connection" app_id="185" app_cat_id="20" app_ctl_disp="2" msg="Application identified" src_user="bob@example.com"  (HTTPS-out-WG_GeneralUser-00)

# IPv4 source route attack was detected

alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WATCHGUARD] IPv4 source route attack was detected"; program: WatchGuard*; content: "msg_id=|22|3000-0152|22|"; parse_proto; parse_src_ip: 1; parse_dst_ip: 2; classtype: misc-attack; reference:url,www.watchguard.com/help/docs/wsm/XTM_11/en-US/log_catalog/index.html; sid:5003055; rev:2;)

# IPv4 SYN flood attack was detected

alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WATCHGUARD] IPv4 SYN flood attack was detected"; program: WatchGuard*; content: "msg_id=|22|3000-0153|22|"; parse_src_ip: 1; parse_dst_ip: 2; default_proto:tcp; classtype: denial-of-service; reference:url,www.watchguard.com/help/docs/wsm/XTM_11/en-US/log_catalog/index.html; sid:5003056; rev:2;)


# IPv4 ICMP flood attack was detected

alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WATCHGUARD] IPv4 ICMP flood attack was detected"; program: WatchGuard*; content: "msg_id=|22|3000-0154|22|"; parse_src_ip: 1; parse_dst_ip: 2; default_proto: icmp; classtype: denial-of-service; reference:url,www.watchguard.com/help/docs/wsm/XTM_11/en-US/log_catalog/index.html; sid:5003057; rev:2;)


# IPv4 UDP flood attack was detected

alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WATCHGUARD] IPv4 UDP flood attack was detected"; program: WatchGuard*; content: "msg_id=|22|3000-0155|22|"; parse_src_ip: 1; parse_dst_ip: 2; default_proto: udp; classtype: denial-of-service; reference:url,www.watchguard.com/help/docs/wsm/XTM_11/en-US/log_catalog/index.html; sid:5003058; rev:2;)


# IPv4 IPSEC flood attack was detected

alert any $EXTERNAL_NET any -> $HOME_NET 500 (msg: "[WATCHGUARD] IPv4 IPSEC flood attack was detected"; program: WatchGuard*; content: "msg_id=|22|3000-0156|22|"; parse_src_ip: 1; parse_dst_ip: 2; default_proto:udp; default_dst_port: 500; classtype: denial-of-service; reference:url,www.watchguard.com/help/docs/wsm/XTM_11/en-US/log_catalog/index.html; sid:5003059; rev:2;)


# IPv4 IKE flood attack was detected

alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WATCHGUARD] IPv4 IKE flood attack was detected"; program: WatchGuard*; content: "msg_id=|22|3000-0157|22|"; parse_src_ip: 1; parse_dst_ip: 2; default_proto:udp; default_dst_port: 500; classtype: denial-of-service; reference:url,www.watchguard.com/help/docs/wsm/XTM_11/en-US/log_catalog/index.html; sid:5003060; rev:2;)


# IPv4 scan attack was detected

alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WATCHGUARD] IPv4 scan attack was detected"; program: WatchGuard*; content: "msg_id=|22|3000-0158|22|"; parse_proto; parse_src_ip: 1; parse_dst_ip: 2; classtype: network-scan; reference:url,www.watchguard.com/help/docs/wsm/XTM_11/en-US/log_catalog/index.html; sid:5003061; rev:2;)


# IPv4 port scan attack was detected

alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WATCHGUARD] IPv4 port scan attack was detected"; program: WatchGuard*; content: "msg_id=|22|3000-0159|22|"; parse_proto; parse_src_ip: 1; parse_dst_ip: 2; classtype: network-scan; reference:url,www.watchguard.com/help/docs/wsm/XTM_11/en-US/log_catalog/index.html; sid:5003062; rev:2;)


# IPv4 DDOS attack against a server was detected

alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WATCHGUARD] IPv4 DDOS attack against a server was detected"; program: WatchGuard*; content: "msg_id=|22|3000-0160|22|"; parse_proto; parse_src_ip: 1; parse_dst_ip: 2; classtype: denial-of-service; reference:url,www.watchguard.com/help/docs/wsm/XTM_11/en-US/log_catalog/index.html; sid:5003063; rev:2;)


# IPv4 DDOS attack from a client was detected

alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WATCHGUARD] IPv4 DDOS attack from a client was detected"; program: WatchGuard*; content: "msg_id=|22|3000-0161|22|"; parse_proto; parse_src_ip: 1; parse_dst_ip: 2; classtype: denial-of-service; reference:url,www.watchguard.com/help/docs/wsm/XTM_11/en-US/log_catalog/index.html; sid:5003064; rev:2;)


# IPv6 SYN flood attack was detected

alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WATCHGUARD] IPv6 SYN flood attack was detected"; program: WatchGuard*; content: "msg_id=|22|3000-0162|22|"; parse_src_ip: 1; parse_dst_ip: 2; default_proto:tcp; classtype: denial-of-service; reference:url,www.watchguard.com/help/docs/wsm/XTM_11/en-US/log_catalog/index.html; sid:5003065; rev:2;)


# IPv6 ICMP flood attack was detected

alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WATCHGUARD] IPv6 ICMP flood attack was detected"; program: WatchGuard*; content: "msg_id=|22|3000-0163|22|"; default_proto: icmp; classtype: denial-of-service; reference:url,www.watchguard.com/help/docs/wsm/XTM_11/en-US/log_catalog/index.html; sid:5003066; rev:2;)


# IPv6 UDP flood attack was detected

alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WATCHGUARD] IPv6 UDP flood attack was detected"; program: WatchGuard*; content: "msg_id=|22|3000-0164|22|"; default_proto: udp; classtype: denial-of-service; reference:url,www.watchguard.com/help/docs/wsm/XTM_11/en-US/log_catalog/index.html; sid:5003067; rev:2;)


# IPv6 IPSEC flood attack was detected

alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WATCHGUARD] IPv6 IPSEC flood attack was detected"; program: WatchGuard*; content: "msg_id=|22|3000-0165|22|"; parse_proto; classtype: denial-of-service; reference:url,www.watchguard.com/help/docs/wsm/XTM_11/en-US/log_catalog/index.html; sid:5003068; rev:2;)


# IPv6 IKE flood attack was detected

alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WATCHGUARD] IPv6 IKE flood attack was detected"; program: WatchGuard*; content: "msg_id=|22|3000-0166|22|"; default_proto: udp; classtype: denial-of-service; reference:url,www.watchguard.com/help/docs/wsm/XTM_11/en-US/log_catalog/index.html; sid:5003069; rev:2;)


# Traffic was detected to or from a blocked site

alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WATCHGUARD] Traffic was detected to or from a blocked site"; program: WatchGuard*; content: "msg_id=|22|3000-0168|22|"; parse_proto; parse_src_ip: 1; parse_dst_ip: 2; default_proto:tcp; classtype: bad-unknown; reference:url,www.watchguard.com/help/docs/wsm/XTM_11/en-US/log_catalog/index.html; sid:5003070; rev:2;)


# IP Spoofing Detected

alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WATCHGUARD] IP spoofing was detected from the IP address specified"; program: WatchGuard*; content: "msg_id=|22|3000-0169|22|"; parse_proto; parse_src_ip: 1; parse_dst_ip: 2; classtype: bad-unknown; reference:url,www.watchguard.com/help/docs/wsm/XTM_11/en-US/log_catalog/index.html; sid:5003071; rev:2;)


# Possible loop or ARP spoofing detected

alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WATCHGUARD] Possible loop or ARP spoofing detected"; program: WatchGuard*; content: "msg_id=|22|3000-012E|22|"; classtype: bad-unknown; reference:url,www.watchguard.com/help/docs/wsm/XTM_11/en-US/log_catalog/index.html; sid:5003072; rev:2;)


# Firewall is shutting down

#alert any $HOME_NET any -> $HOME_NET any (msg: "[WATCHGUARD] Firewall is shutting down"; program: WatchGuard*; content: "msg_id=|22|3000-0028|22|"; classtype: program-error; reference:url,www.watchguard.com/help/docs/wsm/XTM_11/en-US/log_catalog/index.html; sid:5003073; rev:2;)


# Detected an ARP spoofing attack

alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WATCHGUARD] Detected an ARP spoofing attack"; program: WatchGuard*; content: "msg_id=|22|3000-012C|22|"; classtype: bad-unknown; reference:url,www.watchguard.com/help/docs/wsm/XTM_11/en-US/log_catalog/index.html; sid:5003074; rev:2;)


# Feature key for Application Control subscription has expired

#alert any $HOME_NET any -> $HOME_NET any (msg: "[WATCHGUARD] Feature key for Application Control subscription has expired"; program: WatchGuard*; content: "msg_id=|22|3000-0004|22|"; classtype: system-event; reference:url,www.watchguard.com/help/docs/wsm/XTM_11/en-US/log_catalog/index.html; sid:5003075; rev:2;)


# Feature key for Intrusion Prevention Services subscription has expired

#alert any $HOME_NET any -> $HOME_NET any (msg: "[WATCHGUARD] Feature key for Intrusion Prevention Services subscription has expired"; program: WatchGuard*; content: "msg_id=|22|3000-0005|22|"; classtype: system-event; reference:url,www.watchguard.com/help/docs/wsm/XTM_11/en-US/log_catalog/index.html; sid:5003076; rev:2;)


# Capture stopped due to the specified reason

#alert any $HOME_NET any -> $HOME_NET any (msg: "[WATCHGUARD] Capture stopped due to the specified reason"; program: WatchGuard*; content: "msg_id=|22|3113-0001|22|"; classtype: program-error; reference:url,www.watchguard.com/help/docs/wsm/XTM_11/en-US/log_catalog/index.html; sid:5003077; rev:2;)


# Starting wireless AP service

#alert any $HOME_NET any -> $HOME_NET any (msg: "[WATCHGUARD] Starting wireless AP service"; program: WatchGuard*; content: "msg_id=|22|3100-0052|22|"; classtype: system-event; reference:url,www.watchguard.com/help/docs/wsm/XTM_11/en-US/log_catalog/index.html; sid:5003078; rev:2;)


# Wireless access point model mismatch

#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WATCHGUARD] Wireless access point model mismatch"; program: WatchGuard*; content: "msg_id=|22|6100-0002|22|"; classtype: bad-unknown; reference:url,www.watchguard.com/help/docs/wsm/XTM_11/en-US/log_catalog/index.html; sid:5003079; rev:2;)


# Wireless access point activation failure

alert any $HOME_NET any -> $HOME_NET any (msg: "[WATCHGUARD] Wireless access point activation failure"; program: WatchGuard*; content: "msg_id=|22|6100-0003|22|"; classtype: program-error; reference:url,www.watchguard.com/help/docs/wsm/XTM_11/en-US/log_catalog/index.html; sid:5003080; rev:2;)


# APT threat identification and notification

alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WATCHGUARD] APT threat identification and notification"; program: WatchGuard*; content: "msg_id=|22|0F00-0015|22|"; classtype: suspicious-traffic; reference:url,www.watchguard.com/help/docs/wsm/XTM_11/en-US/log_catalog/index.html; sid:5003081; rev:2;)


# Gateway AntiVirus (GAV) detected a virus or malware in an email attachment.

alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WATCHGUARD] Gateway AntiVirus (GAV) detected a virus or malware in an email attachment."; program: WatchGuard*; content: "msg_id=|22|1BFF-000C|22|"; classtype: suspicious-traffic; reference:url,www.watchguard.com/help/docs/wsm/XTM_11/en-US/log_catalog/index.html; sid:5003082; rev:2;)


# Gateway AntiVirus (GAV) cannot perform scan

alert any $HOME_NET any -> $HOME_NET any (msg: "[WATCHGUARD] Gateway AntiVirus (GAV) cannot perform scan"; program: WatchGuard*; content: "msg_id=|22|1BFF-000E|22|"; classtype: program-error; reference:url,www.watchguard.com/help/docs/wsm/XTM_11/en-US/log_catalog/index.html; sid:5003083; rev:2;)


# APT threat detected

alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WATCHGUARD] APT threat detected"; program: WatchGuard*; content: "msg_id=|22|1BFF-0028|22|"; parse_proto; parse_src_ip: 1; parse_dst_ip: 2; classtype: suspicious-traffic; reference:url,www.watchguard.com/help/docs/wsm/XTM_11/en-US/log_catalog/index.html; sid:5003084; rev:2;)


# Gateway AntiVirus (GAV) virus found - FTP

alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WATCHGUARD] Gateway AntiVirus (GAV) virus found - FTP"; program: WatchGuard*; content: "msg_id=|22|1CFF-000E|22|"; parse_src_ip: 1; parse_dst_ip: 2; default_proto:tcp; default_dst_port: $FTP_PORT; classtype: suspicious-traffic; reference:url,www.watchguard.com/help/docs/wsm/XTM_11/en-US/log_catalog/index.html; sid:5003085; rev:2;)


# Gateway AntiVirus (GAV) scan error

alert any $HOME_NET any -> $HOME_NET any (msg: "[WATCHGUARD] Gateway AntiVirus (GAV) scan error"; program: WatchGuard*; content: "msg_id=|22|1CFF-000F|22|"; classtype: program-error; reference:url,www.watchguard.com/help/docs/wsm/XTM_11/en-US/log_catalog/index.html; sid:5003086; rev:2;)


# Gateway AntiVirus (GAV) virus found - POP3

alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WATCHGUARD] Gateway AntiVirus (GAV) virus found - POP3"; program: WatchGuard*; content: "msg_id=|22|21FF-000F|22|"; default_proto:tcp; default_dst_port: $POP3_PORT; classtype: suspicious-traffic; reference:url,www.watchguard.com/help/docs/wsm/XTM_11/en-US/log_catalog/index.html; sid:5003087; rev:2;)


# Administrative accounts reset to default

alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WATCHGUARD] Administrative accounts reset to default"; program: WatchGuard*; content: "msg_id=|22|0101-0002|22|"; classtype: configuration-change; reference:url,www.watchguard.com/help/docs/wsm/XTM_11/en-US/log_catalog/index.html; sid:5003088; rev:2;)


# LIVESECURITY feature not found

alert any $HOME_NET any -> $HOME_NET any (msg: "[WATCHGUARD] LIVESECURITY feature not found"; program: WatchGuard*; content: "msg_id=|22|5501-0002|22|"; classtype: program-error; reference:url,www.watchguard.com/help/docs/wsm/XTM_11/en-US/log_catalog/index.html; sid:5003089; rev:2;)


# Member promoted to master

#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WATCHGUARD] Member promoted to master"; program: WatchGuard*; content: "msg_id=|22|3900-0005|22|"; classtype: configuration-change; reference:url,www.watchguard.com/help/docs/wsm/XTM_11/en-US/log_catalog/index.html; sid:5003090; rev:2;)


# Failed to start the signature update for the specified services

lert any $HOME_NET any -> $HOME_NET any (msg: "[WATCHGUARD] Failed to start the signature update for the specified services"; program: WatchGuard*; content: "msg_id=|22|2E01-0018|22|"; classtype: program-error; reference:url,www.watchguard.com/help/docs/wsm/XTM_11/en-US/log_catalog/index.html; sid:5003091; rev:2;)


# VPN (PPTP) - User login

alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WATCHGUARD] VPN - User login"; program: WatchGuard*; content: "msg_id=|22|1400-0000|22|"; parse_src_ip: 1; parse_dst_ip: 2; default_proto:tcp; default_dst_port: $PPTP_PORT; classtype: successful-user; reference:url,www.watchguard.com/help/docs/wsm/XTM_11/en-US/log_catalog/index.html; sid:5003092; rev:2;)


# VPN (SSL) - User login

# alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WATCHGUARD] VPN (SSL) - User login"; program: WatchGuard*; content: "msg_id=|22|2500-0000|22|"; parse_src_ip: 1; parse_dst_ip: 2; default_proto:tcp; default_dst_port: $HTTPS_PORT; classtype: successful-user; reference:url,www.watchguard.com/help/docs/wsm/XTM_11/en-US/log_catalog/index.html; sid:5003093; rev:2;)


alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[WATCHGUARD] Failed Login Attempt - Brute force [WATCHGUARD] [5/5]"; program: WatchGuard*; content: "msg_id=|22|1100-0005|22|" content: "Authentication of"; content "rejected"; parse_src_ip: 1; parse_dst_ip: 2; xbits: set,brute_force,21600; after: track by_src, count 5, seconds 300; threshold: type limit, track by_src, count 5, seconds 300;  classtype: unsuccessful-user; reference:url,www.watchguard.com/help/docs/wsm/XTM_11/en-US/log_catalog/index.html; sid:5003094; rev:1;)


alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[WATCHGUARD] Signature update process for the specified version failed"; program: WatchGuard*; content: "msg_id=|22|2E02-0067|22|"; classtype: program-error; reference:url,www.watchguard.com/help/docs/wsm/XTM_11/en-US/log_catalog/index.html; sid:5003097; rev:2;) 


alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WATCHGUARD] IP spoofing was detected from the IP address specified"; program: WatchGuard*; content: "msg_id=|22|3000-0169|22|"; classtype: bad-unknown; reference:url,www.watchguard.com/help/docs/wsm/XTM_11/en-US/log_catalog/index.html; sid:5003098; rev:2;)


alert any $HOME_NET any -> $HOME_NET any (msg: "[WATCHGUARD] Wireless Access Point Model Mismatch"; program: WatchGuard*; content: "msg_id=|22|6100-0002|22|"; class-type: program-error; reference:url,www.watchguard.com/help/docs/wsm/XTM_11/en-US/log_catalog/index.html; sid:5003099; rev:1;)


alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WATCHGUARD] IPS detected an intrusion in the client request or server response content body"; program: WatchGuard*; content: "msg_id=|22|1AFF-0026|22|"; class-type: suspicious-traffic; parse_src_ip: 1; parse_dst_ip: 2; reference:url,www.watchguard.com/help/docs/wsm/XTM_11/en-US/log_catalog/index.html; sid:5003100; rev:2;)