# Sagan windows-bluedot.rules  
# Copyright (c) 2009-2017, Quadrant Information Security <www.quadrantsec.com>
# All rights reserved.  
#
# Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list  
#
#*************************************************************  
#  Redistribution and use in source and binary forms, with or without modification, are permitted provided that the
#  following conditions are met:  
#
#  * Redistributions of source code must retain the above copyright notice, this list of conditions and the following  
#    disclaimer.
#  * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the  
#    following disclaimer in the documentation and/or other materials provided with the distribution.
#  * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived
#    from this software without specific prior written permission.
#
#  THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES,
#  INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
#  DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
#  SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
#  SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
#  WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE  
#  USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#  
# *************************************************************
# Windows Bluedot rules.   
# Eventlog to syslog service.  This is what we primarily use.
# http://code.google.com/p/eventlog-to-syslog/

# 5002344 - successful interactive remote logon (legacy event 528 or current 4624 with
# "Logon Type: 10", i.e. RDP) whose parsed source address is on a Bluedot list in the
# Malicious / Tor / Honeypot / Proxy categories. parse_src_ip: 1 presumably takes the first
# IP address found in the event text as the source; default_proto: tcp supplies the protocol
# the event itself does not carry. No threshold, so every matching event alerts.
# NOTE(review): the header is $HOME_NET -> $EXTERNAL_NET while every other rule in this file
# uses $EXTERNAL_NET -> $HOME_NET; for a listed (external) source that looks unintended -
# confirm against the deployed $HOME_NET value before relying on this rule.
# NOTE(review): "program: *Security*" is given twice; the second copy is redundant.
alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[WINDOWS-BLUEDOT] RDP / Logon type 10 from a Bluedot listed IP"; program: *Security*; pcre: "/ 528: | 4624: /"; content: "Logon Type|3a| 10 "; bluedot: type ip_reputation, track by_src, none, Malicious,Tor,Honeypot,Proxy; program: *Security*; parse_src_ip: 1; normalize; default_proto: tcp; classtype: successful-user; reference: url,wiki.quadrantsec.com/bin/view/Main/5002344; sid:5002344; rev:6;)
# 5002345 - legacy event 529 (logon failure) from a listed source. threshold "type limit,
# count 5, seconds 300" caps this at 5 alerts per source per 5 minutes, which is what the
# "[0/5]" tag in msg records. "fwsam: src, 1 day" asks the fwsam (SnortSam) agent to block
# the parsed source for a day - a mis-parsed or shared (NAT / proxy) address gets blocked
# just the same, so check what parse_src_ip: 1 actually yields for your event format.
# The 4625/4776-based equivalents of the 529-533 rules are the disabled rules further down.
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLUEDOT] Login failure from a Bluedot listed IP [0/5]"; program: *Security*; content: " 529|3a| "; classtype: unsuccessful-user; bluedot: type ip_reputation, track by_src, none, Malicious,Tor,Honeypot,Proxy; threshold: type limit, track by_src, count 5, seconds 300; fwsam: src, 1 day; normalize; parse_src_ip: 1; parse_port; reference: url,wiki.quadrantsec.com/bin/view/Main/5002345; sid:5002345; rev:6;)
# 5002346 - legacy event 530 (logon outside the account's permitted hours) from a listed
# source; same 5/300s threshold and the same 1-day fwsam block as 5002345.
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLUEDOT] Login failure from a Bluedot listed IP [Time restriction] [0/5]"; content: " 530|3a| "; classtype: unsuccessful-user; program: *Security*; parse_src_ip: 1; bluedot: type ip_reputation, track by_src, none, Malicious,Tor,Honeypot,Proxy; threshold: type limit, track by_src, count 5, seconds 300; fwsam: src, 1 day; normalize; reference: url,wiki.quadrantsec.com/bin/view/Main/5002346; sid:5002346; rev:6;)
# 5002347 - legacy event 531 (account disabled) from a listed source. The negated content
# drops events whose "User Name:" field is empty (the label is directly followed by
# "Domain:"). Thresholded 5/300s per source; no fwsam block.
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLUEDOT] Login failure from Bluedot listed IP - Account currently disabled [0/5]"; content: " 531|3a| "; content:!"User Name|3a| Domain|3a|"; classtype: unsuccessful-user; program: *Security*; bluedot: type ip_reputation, track by_src, none, Malicious,Tor,Honeypot,Proxy; normalize; parse_src_ip: 1; threshold: type limit, track by_src, count 5, seconds 300; reference: url,wiki.quadrantsec.com/bin/view/Main/5002347; sid:5002347; rev:6;)
# 5002348 - legacy event 532 (account expired) from a listed source. No threshold: every
# matching event alerts.
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLUEDOT] Login failure from Bluedot listed IP - Specified account expired"; content: " 532|3a| "; classtype: unsuccessful-user; program: *Security*; bluedot: type ip_reputation, track by_src, none, Malicious,Tor,Honeypot,Proxy; normalize; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5002348; sid:5002348; rev:6;)
# 5002349 - legacy event 533 (user not allowed to log on at this computer) from a listed
# source. No threshold: every matching event alerts.
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLUEDOT] Login failure from Bluedot listed IP - User not allowed to login at this computer"; content: " 533|3a| "; classtype: unsuccessful-user; program: *Security*; bluedot: type ip_reputation, track by_src, none, Malicious,Tor,Honeypot,Proxy; normalize; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5002349; sid:5002349; rev:6;)
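# 5002350 - legacy event 539 (account locked out) from a listed source. threshold "type
# limit, count 5, seconds 300" caps this at 5 alerts per source per 5 minutes, so the msg
# tag is "[0/5]" like the other thresholded rules in this file (it read "[0/1]", which
# matched neither the threshold nor the [after/threshold] convention the 5002455+ rules
# use); rev bumped for the msg change. The negated content drops events whose "User Name:"
# and "Domain:" fields are both empty. "fwsam: src, 1 day" asks the fwsam (SnortSam) agent
# to block the parsed source for a day, so a mis-parsed or shared (NAT / proxy) address is
# blocked just the same.
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLUEDOT] Login failure from Bluedot listed IP - Account locked [0/5]"; content: " 539|3a| "; content:!"User Name|3a| Domain|3a| Logon Type|3a|"; classtype: unsuccessful-user; bluedot: type ip_reputation, track by_src, none, Malicious,Tor,Honeypot,Proxy; threshold: type limit, track by_src, count 5, seconds 300; parse_src_ip: 1; parse_port; normalize; fwsam: src, 1 day; program: *Security*; reference: url,wiki.quadrantsec.com/bin/view/Main/5002350; sid:5002350; rev:7;)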
# 5002351 - legacy domain-controller Kerberos failure events 675 / 676 / 681 from a listed
# source. No threshold and no fwsam block: every matching event alerts. The 4768 / 4771
# equivalents are only covered by the disabled per-result-code brute-force rules below.
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLUEDOT] Windows DC Logon Failure from Bluedot listed IP"; pcre: "/ 675: | 676: | 681: /"; classtype: unsuccessful-user; program: *Security*; bluedot: type ip_reputation, track by_src, none, Malicious,Tor,Honeypot,Proxy; normalize; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5002351; sid:5002351; rev:6;)

#  Rules added by Brian Echeverry (becheverry@quadrantsec.com) - 10/19/2015

#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLUEDOT] Login failure from a Bluedot listed IP - User Name Does Not Exist [Brute Force] [25/1]"; content: "C0000064"; nocase; pcre: "/ 4625: | 4776: /"; content:!"$ Source"; content:!"$ Account Domain|3a| "; xbits: set,brute_force,21600; classtype: unsuccessful-user; program: *Security*; parse_src_ip: 1; bluedot: type ip_reputation, track by_src, none, Malicious,Tor,Honeypot,Proxy; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; reference: url,wiki.quadrantsec.com/bin/view/Main/5002455; sid: 5002455; rev:6;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLUEDOT] Login failure from a Bluedot listed IP - User Correct but Incorrect Password [Brute Force] [25/1]"; content: "C000006A"; nocase; pcre: "/ 4625: | 4776: /"; content:!"$ Account Domain|3a| "; xbits: set,brute_force,21600; classtype: unsuccessful-user; program: *Security*; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bluedot: type ip_reputation, track by_src, none, Malicious,Tor,Honeypot,Proxy; reference: url,wiki.quadrantsec.com/bin/view/Main/5002456; sid: 5002456; rev:6;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLUEDOT] Login failure from a Bluedot listed IP - User Is Locked Out [Brute Force] [25/1]"; content: "C0000234"; nocase; pcre: "/ 4625: | 4776: /"; classtype: unsuccessful-user; program: *Security*; xbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bluedot: type ip_reputation, track by_src, none, Malicious,Tor,Honeypot,Proxy; reference: url,wiki.quadrantsec.com/bin/view/Main/5002457; sid: 5002457; rev:6;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLUEDOT] Login failure from a Bluedot listed IP - User Account Disabled [Brute Force] [25/1]"; content: "C0000072"; nocase; pcre: "/ 4625: | 4776: /"; classtype: unsuccessful-user; program: *Security*; xbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bluedot: type ip_reputation, track by_src, none, Malicious,Tor,Honeypot,Proxy; reference: url,wiki.quadrantsec.com/bin/view/Main/5002458; sid: 5002458; rev:6;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLUEDOT] Login failure from a Bluedot listed IP - User Login Attempts Outside of Time Restriction [Brute Force] [25/1]"; content: "C000006F"; nocase; pcre: "/ 4625: | 4776: /"; classtype: unsuccessful-user; program: *Security*; xbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bluedot: type ip_reputation, track by_src, none, Malicious,Tor,Honeypot,Proxy; reference: url,wiki.quadrantsec.com/bin/view/Main/5002459; sid: 5002459; rev:6;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLUEDOT] Login failure from a Bluedot listed IP - Expired Account [Brute Force] [25/1]"; content: "C0000193"; nocase; pcre: "/ 4625: | 4776: /"; classtype: unsuccessful-user; program: *Security*; xbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bluedot: type ip_reputation, track by_src, none, Malicious,Tor,Honeypot,Proxy; reference: url,wiki.quadrantsec.com/bin/view/Main/5002460; sid: 5002460; rev:6;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLUEDOT] Login failure from a Bluedot listed IP - Expired Password [Brute Force] [25/1]"; content: "C0000071"; nocase; pcre: "/ 4625: | 4776: /"; classtype: unsuccessful-user; program: *Security*; xbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bluedot: type ip_reputation, track by_src, none, Malicious,Tor,Honeypot,Proxy;  reference: url,wiki.quadrantsec.com/bin/view/Main/5002461; sid: 5002461; rev:6;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLUEDOT] Windows DC Login failure from a Bluedot listed IP - Brute force 0x1 - Client's entry in database has expired [25/1]"; content: " 0x1 Client "; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; classtype: unsuccessful-user; program: *Security*; xbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bluedot: type ip_reputation, track by_src, none, Malicious,Tor,Honeypot,Proxy; reference: url,wiki.quadrantsec.com/bin/view/Main/5002462; sid: 5002462; rev:6;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLUEDOT] Windows DC Login failure from a Bluedot listed IP - Brute force 0x2 - Server's entry in database has expired [25/1]"; content: " 0x2 Client "; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; classtype: unsuccessful-user; program: *Security*; xbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bluedot: type ip_reputation, track by_src, none, Malicious,Tor,Honeypot,Proxy; reference: url,wiki.quadrantsec.com/bin/view/Main/5002463; sid: 5002463; rev:6;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLUEDOT] Windows DC Login failure from a Bluedot listed IP - Brute force 0x3 - Requested protocol version # not supported [25/1]"; content: " 0x3 Client "; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; classtype: unsuccessful-user; program: *Security*; xbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bluedot: type ip_reputation, track by_src, none, Malicious,Tor,Honeypot,Proxy; reference: url,wiki.quadrantsec.com/bin/view/Main/5002464; sid: 5002464; rev:6;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLUEDOT] Windows DC Login failure from a Bluedot listed IP - Brute force 0x4 - Client's key encrypted in old master key [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x4 Client "; classtype: unsuccessful-user; program: *Security*; xbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bluedot: type ip_reputation, track by_src, none, Malicious,Tor,Honeypot,Proxy; reference: url,wiki.quadrantsec.com/bin/view/Main/5002465; sid: 5002465; rev:6;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLUEDOT] Windows DC Login failure from a Bluedot listed IP - Brute force 0x5 - Server's key encrypted in old master key [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x5 Client "; classtype: unsuccessful-user; program: *Security*; xbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bluedot: type ip_reputation, track by_src, none, Malicious,Tor,Honeypot,Proxy; reference: url,wiki.quadrantsec.com/bin/view/Main/5002466; sid: 5002466; rev:6;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLUEDOT] Windows DC Login failure from a Bluedot listed IP - Brute force 0x6 - Client not found in Kerberos database [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x6 Client "; classtype: unsuccessful-user; program: *Security*; xbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bluedot: type ip_reputation, track by_src, none, Malicious,Tor,Honeypot,Proxy; reference: url,wiki.quadrantsec.com/bin/view/Main/5002467; sid: 5002467; rev:6;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLUEDOT] Windows DC Login failure from a Bluedot listed IP - Brute force 0x7 - Server not found in Kerberos database [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x7 Client "; classtype: unsuccessful-user; program: *Security*; xbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bluedot: type ip_reputation, track by_src, none, Malicious,Tor,Honeypot,Proxy; reference: url,wiki.quadrantsec.com/bin/view/Main/5002468; sid: 5002468; rev:6;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLUEDOT] Windows DC Login failure from a Bluedot listed IP - Brute force 0x8 - Multiple principal entries in database [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x8 Client "; classtype: unsuccessful-user; program: *Security*; xbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bluedot: type ip_reputation, track by_src, none, Malicious,Tor,Honeypot,Proxy; reference: url,wiki.quadrantsec.com/bin/view/Main/5002469; sid: 5002469; rev:6;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLUEDOT] Windows DC Login failure from a Bluedot listed IP - Brute force 0x9 - The client or server has a null key [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x9 Client "; classtype: unsuccessful-user; program: *Security*; xbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bluedot: type ip_reputation, track by_src, none, Malicious,Tor,Honeypot,Proxy; reference: url,wiki.quadrantsec.com/bin/view/Main/5002470; sid: 5002470; rev:6;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLUEDOT] Windows DC Login failure from a Bluedot listed IP - Brute force 0xA - Ticket not eligible for postdating [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0xA Client "; classtype: unsuccessful-user; program: *Security*; xbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bluedot: type ip_reputation, track by_src, none, Malicious,Tor,Honeypot,Proxy; reference: url,wiki.quadrantsec.com/bin/view/Main/5002471; sid: 5002471; rev:6;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLUEDOT] Windows DC Login failure from a Bluedot listed IP - Brute force 0xB - Requested start time is later than end time [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0xB Client "; classtype: unsuccessful-user; program: *Security*; xbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bluedot: type ip_reputation, track by_src, none, Malicious,Tor,Honeypot,Proxy; reference: url,wiki.quadrantsec.com/bin/view/Main/5002472; sid: 5002472; rev:6;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLUEDOT] Windows DC Login failure from a Bluedot listed IP - Brute force 0xC - KDC policy rejects request [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0xC "; classtype: unsuccessful-user; program: *Security*; xbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bluedot: type ip_reputation, track by_src, none, Malicious,Tor,Honeypot,Proxy; reference: url,wiki.quadrantsec.com/bin/view/Main/5002473; sid: 5002473; rev:6;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLUEDOT] Windows DC Login failure from a Bluedot listed IP - Brute force 0xD - KDC cannot accommodate requested option [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0xD "; classtype: unsuccessful-user; program: *Security*; xbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bluedot: type ip_reputation, track by_src, none, Malicious,Tor,Honeypot,Proxy; reference: url,wiki.quadrantsec.com/bin/view/Main/5002475; sid: 5002475; rev:6;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLUEDOT] Windows DC Login failure from a Bluedot listed IP - Brute force 0xE - KDC has no support for encryption type [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0xE "; classtype: unsuccessful-user; program: *Security*; xbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bluedot: type ip_reputation, track by_src, none, Malicious,Tor,Honeypot,Proxy; reference: url,wiki.quadrantsec.com/bin/view/Main/5002476; sid: 5002476; rev:6;)
# NOTE(review): unlike every sibling rule, 5002477 below sets no "xbits: set,brute_force,21600;" and is still at rev:3 - confirm whether that was intentional before enabling it.
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLUEDOT] Windows DC Login failure from a Bluedot listed IP - Brute force 0xF - KDC has no support for checksum type [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0xF "; classtype: unsuccessful-user; program: *Security*; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bluedot: type ip_reputation, track by_src, none, Malicious,Tor,Honeypot,Proxy; reference: url,wiki.quadrantsec.com/bin/view/Main/5002477; sid: 5002477; rev:3;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLUEDOT] Windows DC Login failure from a Bluedot listed IP - Brute force 0x10 - KDC has no support for padata type [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x10 "; classtype: unsuccessful-user; program: *Security*; xbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bluedot: type ip_reputation, track by_src, none, Malicious,Tor,Honeypot,Proxy; reference: url,wiki.quadrantsec.com/bin/view/Main/5002478; sid: 5002478; rev:6;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLUEDOT] Windows DC Login failure from a Bluedot listed IP - Brute force 0x11 - KDC has no support for transited type [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x11 "; classtype: unsuccessful-user; program: *Security*; xbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bluedot: type ip_reputation, track by_src, none, Malicious,Tor,Honeypot,Proxy; reference: url,wiki.quadrantsec.com/bin/view/Main/5002479; sid: 5002479; rev:6;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLUEDOT] Windows DC Login failure from a Bluedot listed IP - Brute force 0x12 - Clients credentials have been revoked [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x12 "; classtype: unsuccessful-user; program: *Security*; xbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bluedot: type ip_reputation, track by_src, none, Malicious,Tor,Honeypot,Proxy; reference: url,wiki.quadrantsec.com/bin/view/Main/5002480; sid: 5002480; rev:6;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLUEDOT] Windows DC Login failure from a Bluedot listed IP - Brute force 0x13 - Credentials for server have been revoked [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x13 "; classtype: unsuccessful-user; program: *Security*; xbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bluedot: type ip_reputation, track by_src, none, Malicious,Tor,Honeypot,Proxy; reference: url,wiki.quadrantsec.com/bin/view/Main/5002481; sid: 5002481; rev:6;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLUEDOT] Windows DC Login failure from a Bluedot listed IP - Brute force 0x14 - TGT has been revoked [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x14 "; classtype: unsuccessful-user; program: *Security*; xbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bluedot: type ip_reputation, track by_src, none, Malicious,Tor,Honeypot,Proxy; reference: url,wiki.quadrantsec.com/bin/view/Main/5002482; sid: 5002482; rev:6;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLUEDOT] Windows DC Login failure from a Bluedot listed IP - Brute force 0x15 - Client not yet valid - try again later [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x15 "; classtype: unsuccessful-user; program: *Security*; xbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bluedot: type ip_reputation, track by_src, none, Malicious,Tor,Honeypot,Proxy; reference: url,wiki.quadrantsec.com/bin/view/Main/5002483; sid: 5002483; rev:6;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLUEDOT] Windows DC Login failure from a Bluedot listed IP - Brute force 0x16 - Server not yet valid - try again later [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x16 "; classtype: unsuccessful-user; program: *Security*; xbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bluedot: type ip_reputation, track by_src, none, Malicious,Tor,Honeypot,Proxy; reference: url,wiki.quadrantsec.com/bin/view/Main/5002484; sid: 5002484; rev:6;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLUEDOT] Windows DC Login failure from a Bluedot listed IP - Brute force 0x17 - Password has expired [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x17 "; classtype: unsuccessful-user; program: *Security*; xbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bluedot: type ip_reputation, track by_src, none, Malicious,Tor,Honeypot,Proxy; reference: url,wiki.quadrantsec.com/bin/view/Main/5002485; sid: 5002485; rev:6;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLUEDOT] Windows DC Login failure from a Bluedot listed IP - Brute force 0x18 - Pre-authentication information was invalid [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x18 "; classtype: unsuccessful-user; program: *Security*; xbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bluedot: type ip_reputation, track by_src, none, Malicious,Tor,Honeypot,Proxy; reference: url,wiki.quadrantsec.com/bin/view/Main/5002486; sid: 5002486; rev:6;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLUEDOT] Windows DC Login failure from a Bluedot listed IP - Brute force 0x19 - Additional pre-authentication required [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x19 "; classtype: unsuccessful-user; program: *Security*; xbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bluedot: type ip_reputation, track by_src, none, Malicious,Tor,Honeypot,Proxy; reference: url,wiki.quadrantsec.com/bin/view/Main/5002487; sid: 5002487; rev:6;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLUEDOT] Windows DC Login failure from a Bluedot listed IP - Brute force 0x1F - Integrity check on decrypted field failed [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x1F "; classtype: unsuccessful-user; program: *Security*; xbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bluedot: type ip_reputation, track by_src, none, Malicious,Tor,Honeypot,Proxy; reference: url,wiki.quadrantsec.com/bin/view/Main/5002488; sid: 5002488; rev:6;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLUEDOT] Windows DC Login failure from a Bluedot listed IP - Brute force 0x20 - Ticket expired [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x20 "; classtype: unsuccessful-user; program: *Security*; xbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bluedot: type ip_reputation, track by_src, none, Malicious,Tor,Honeypot,Proxy; reference: url,wiki.quadrantsec.com/bin/view/Main/5002489; sid: 5002489; rev:6;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLUEDOT] Windows DC Login failure from a Bluedot listed IP - Brute force 0x21 - Ticket not yet valid [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x21 "; classtype: unsuccessful-user; program: *Security*; xbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bluedot: type ip_reputation, track by_src, none, Malicious,Tor,Honeypot,Proxy; reference: url,wiki.quadrantsec.com/bin/view/Main/5002490; sid: 5002490; rev:6;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLUEDOT] Windows DC Login failure from a Bluedot listed IP - Brute force 0x22 - Request is a replay [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x22 "; classtype: unsuccessful-user; program: *Security*; xbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bluedot: type ip_reputation, track by_src, none, Malicious,Tor,Honeypot,Proxy; reference: url,wiki.quadrantsec.com/bin/view/Main/5002491; sid: 5002491; rev:6;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLUEDOT] Windows DC Login failure from a Bluedot listed IP - Brute force 0x23 - The ticket isn't for us [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x23 "; classtype: unsuccessful-user; program: *Security*; xbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bluedot: type ip_reputation, track by_src, none, Malicious,Tor,Honeypot,Proxy; reference: url,wiki.quadrantsec.com/bin/view/Main/5002492; sid: 5002492; rev:6;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLUEDOT] Windows DC Login failure from a Bluedot listed IP - Brute force 0x24 - Ticket and authenticator don't match [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x24 "; classtype: unsuccessful-user; program: *Security*; xbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bluedot: type ip_reputation, track by_src, none, Malicious,Tor,Honeypot,Proxy; reference: url,wiki.quadrantsec.com/bin/view/Main/5002493; sid: 5002493; rev:6;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLUEDOT] Windows DC Login failure from a Bluedot listed IP - Brute force 0x25 - Clock skew too great [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x25 "; classtype: unsuccessful-user; program: *Security*; xbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bluedot: type ip_reputation, track by_src, none, Malicious,Tor,Honeypot,Proxy; reference: url,wiki.quadrantsec.com/bin/view/Main/5002494; sid: 5002494; rev:6;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLUEDOT] Windows DC Login failure from a Bluedot listed IP - Brute force 0x26 - Incorrect net address [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x26 "; classtype: unsuccessful-user; program: *Security*; xbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bluedot: type ip_reputation, track by_src, none, Malicious,Tor,Honeypot,Proxy; reference: url,wiki.quadrantsec.com/bin/view/Main/5002495; sid: 5002495; rev:6;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLUEDOT] Windows DC Login failure from a Bluedot listed IP - Brute force 0x27 - Protocol version mismatch [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x27 "; classtype: unsuccessful-user; program: *Security*; xbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bluedot: type ip_reputation, track by_src, none, Malicious,Tor,Honeypot,Proxy; reference: url,wiki.quadrantsec.com/bin/view/Main/5002496; sid: 5002496; rev:6;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLUEDOT] Windows DC Login failure from a Bluedot listed IP - Brute force 0x28 - Invalid msg type [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x28 "; classtype: unsuccessful-user; program: *Security*; xbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bluedot: type ip_reputation, track by_src, none, Malicious,Tor,Honeypot,Proxy; reference: url,wiki.quadrantsec.com/bin/view/Main/5002497; sid: 5002497; rev:6;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLUEDOT] Windows DC Login failure from a Bluedot listed IP - Brute force 0x29 - Message stream modified [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x29 "; classtype: unsuccessful-user; program: *Security*; xbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bluedot: type ip_reputation, track by_src, none, Malicious,Tor,Honeypot,Proxy; reference: url,wiki.quadrantsec.com/bin/view/Main/5002498; sid: 5002498; rev:6;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLUEDOT] Windows DC Login failure from a Bluedot listed IP - Brute force 0x2A - Message out of order [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x2A "; classtype: unsuccessful-user; program: *Security*; xbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bluedot: type ip_reputation, track by_src, none, Malicious,Tor,Honeypot,Proxy; reference: url,wiki.quadrantsec.com/bin/view/Main/5002499; sid: 5002499; rev:6;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLUEDOT] Windows DC Login failure from a Bluedot listed IP - Brute force 0x2C - Specified version of key is not available [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x2C "; classtype: unsuccessful-user; program: *Security*; xbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bluedot: type ip_reputation, track by_src, none, Malicious,Tor,Honeypot,Proxy; reference: url,wiki.quadrantsec.com/bin/view/Main/5002500; sid: 5002500; rev:6;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLUEDOT] Windows DC Login failure from a Bluedot listed IP - Brute force 0x2D - Service key not available [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x2D "; classtype: unsuccessful-user; program: *Security*; xbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bluedot: type ip_reputation, track by_src, none, Malicious,Tor,Honeypot,Proxy; reference: url,wiki.quadrantsec.com/bin/view/Main/5002501; sid: 5002501; rev:6;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLUEDOT] Windows DC Login failure from a Bluedot listed IP - Brute force 0x2E - Mutual authentication failed [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x2E "; classtype: unsuccessful-user; program: *Security*; xbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bluedot: type ip_reputation, track by_src, none, Malicious,Tor,Honeypot,Proxy; reference: url,wiki.quadrantsec.com/bin/view/Main/5002502; sid: 5002502; rev:6;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLUEDOT] Windows DC Login failure from a Bluedot listed IP - Brute force 0x2F - Incorrect message direction [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x2F "; classtype: unsuccessful-user; program: *Security*; xbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bluedot: type ip_reputation, track by_src, none, Malicious,Tor,Honeypot,Proxy; reference: url,wiki.quadrantsec.com/bin/view/Main/5002503; sid: 5002503; rev:6;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLUEDOT] Windows DC Login failure from a Bluedot listed IP - Brute force 0x30 - Alternative authentication method required [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x30 "; classtype: unsuccessful-user; program: *Security*; xbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bluedot: type ip_reputation, track by_src, none, Malicious,Tor,Honeypot,Proxy; reference: url,wiki.quadrantsec.com/bin/view/Main/5002504; sid: 5002504; rev:6;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLUEDOT] Windows DC Login failure from a Bluedot listed IP - Brute force 0x31 - Incorrect sequence number in message [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x31 "; classtype: unsuccessful-user; program: *Security*; xbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bluedot: type ip_reputation, track by_src, none, Malicious,Tor,Honeypot,Proxy; reference: url,wiki.quadrantsec.com/bin/view/Main/5002505; sid: 5002505; rev:6;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLUEDOT] Windows DC Login failure from a Bluedot listed IP - Brute force 0x32 - Inappropriate type of checksum in message [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x32 "; classtype: unsuccessful-user; program: *Security*; xbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bluedot: type ip_reputation, track by_src, none, Malicious,Tor,Honeypot,Proxy; reference: url,wiki.quadrantsec.com/bin/view/Main/5002506; sid: 5002506; rev:6;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLUEDOT] Windows DC Login failure from a Bluedot listed IP - Brute force 0x3C - Generic error [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x3C "; classtype: unsuccessful-user; program: *Security*; xbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bluedot: type ip_reputation, track by_src, none, Malicious,Tor,Honeypot,Proxy; reference: url,wiki.quadrantsec.com/bin/view/Main/5002507; sid: 5002507; rev:6;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLUEDOT] Windows DC Login failure from a Bluedot listed IP - Brute force 0x3D - Field is too long for this implementation [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x3D "; classtype: unsuccessful-user; program: *Security*; xbits: set,brute_force,21600; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bluedot: type ip_reputation, track by_src, none, Malicious,Tor,Honeypot,Proxy; reference: url,wiki.quadrantsec.com/bin/view/Main/5002508; sid: 5002508; rev:6;)