File: windows-misc.rules

package info (click to toggle)
sagan-rules 1:20170725-1
  • links: PTS
  • area: main
  • in suites: buster, sid
  • size: 3,460 kB
  • sloc: makefile: 5
file content (140 lines) | stat: -rw-r--r-- 24,573 bytes parent folder | download
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
# Sagan windows-misc.rules
# Copyright (c) 2009-2017, Quadrant Information Security <www.quadrantsec.com>
# All rights reserved.
#
# Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list
#
#*************************************************************
#  Redistribution and use in source and binary forms, with or without modification, are permitted provided that the
#  following conditions are met:
#
#  * Redistributions of source code must retain the above copyright notice, this list of conditions and the following
#    disclaimer.
#  * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the
#    following disclaimer in the documentation and/or other materials provided with the distribution.
#  * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived
#    from this software without specific prior written permission.
#
#  THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES,
#  INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
#  DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
#  SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
#  SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
#  WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
#  USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#
#*************************************************************
# Windows based rules. 
# Eventlog to syslog service.  This is what we primarily use.
# http://code.google.com/p/eventlog-to-syslog/

#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MISC] Detection of net listening application [0/5]"; pcre: "/ 861: | 5154: /"; threshold: type limit, track by_src, count 5, seconds 300; classtype: network-event; program: *Security*; reference: url,wiki.quadrantsec.com/bin/view/Main/5000306; sid: 5000306; rev:8;;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MISC] Privileged Service Called"; pcre: "/ 577: | 4673: /"; classtype: successful-admin; program: *Security*; reference: url,wiki.quadrantsec.com/bin/view/Main/5000307; sid: 5000307; rev:7;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MISC] Apple Bonjour service detect [iTunes installed?]"; classtype: policy-violation; program: Bonjour; reference: url,wiki.quadrantsec.com/bin/view/Main/5000308; sid: 5000308; rev:3;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MISC] Application error"; content: " 1001|3a| "; classtype: program-error; program: Application; reference: url,wiki.quadrantsec.com/bin/view/Main/5000309; sid: 5000309; rev:4;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MISC] Application hang"; content: " 1002|3a| "; classtype: program-error; program: Application; reference: url,wiki.quadrantsec.com/bin/view/Main/5000310; sid: 5000310; rev:4;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MISC] Application popup"; content: " 333|3a| "; classtype: program-error; program: Application; reference: url,wiki.quadrantsec.com/bin/view/Main/5000311; sid: 5000311; rev:4;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MISC] SCSI bug fault occurred"; content: "SCSI bus fault"; classtype: hardware-event; program: CPQCISSE; reference: url,wiki.quadrantsec.com/bin/view/Main/5000316; sid: 5000316; rev:2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MISC] Backup Exec - Job completed with exceptions"; content: " 57755|3a| "; classtype: program-error; program: Backup; reference: url,wiki.quadrantsec.com/bin/view/Main/5000312; sid: 5000312; rev:4;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MISC] Backup Exec - Job cancellation"; content: " 34114|3a| "; classtype: program-error; program: Backup; reference: url,wiki.quadrantsec.com/bin/view/Main/5000313; sid: 5000313; rev:4;) 
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MISC] Backup Exec - Alert - insert media"; content: " 58061|3a| "; classtype: hardware-event; program: Backup; reference: url,wiki.quadrantsec.com/bin/view/Main/5000314; sid: 5000314; rev:4;) 
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MISC] Backup Exec - Service started"; content: " 57996|3a| "; classtype: system-event; program: Backup; reference: url,wiki.quadrantsec.com/bin/view/Main/5000315; sid: 5000315; rev:4;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MISC] Citrix message"; classtype: system-event; program: Citrix; reference: url,wiki.quadrantsec.com/bin/view/Main/5000317; sid: 5000317; rev:3;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MISC] Trusted Platform Module [TPM] Error.  User name not found"; content: " 17150|3a| "; classtype: unsuccessful-user; program: DAC; reference: url,wiki.quadrantsec.com/bin/view/Main/5000318; sid: 5000318; rev:4;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MISC] Eventlog service was corrupted"; content: "was corrupted"; classtype: program-error; program: Eventlog; reference: url,wiki.quadrantsec.com/bin/view/Main/5000319; sid: 5000319; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MISC] Eventlog service was stopped"; content: "Service Stopped"; classtype: system-event; program: Eventlog; reference: url,wiki.quadrantsec.com/bin/view/Main/5000320; sid: 5000320; rev:3;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MISC] Eventlog service returned error"; content: "returned error"; classtype: program-error; program: Eventlog; reference: url,wiki.quadrantsec.com/bin/view/Main/5000322; sid: 5000322; rev:3;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MISC] Eventlog service reporting uptime [in seconds]"; content: "The system uptime"; classtype: not-suspicious; program: Eventlog; reference: url,wiki.quadrantsec.com/bin/view/Main/5000323; sid: 5000323; rev:2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MISC] IPSec message"; classtype: not-suspicious; program: IPSec; reference: url,wiki.quadrantsec.com/bin/view/Main/5000324; sid: 5000324; rev:3;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MISC] LSASRV - Could not establish a secure connection"; content: " 40961|3a| "; classtype: network-event; program: LSASRV; reference: url,wiki.quadrantsec.com/bin/view/Main/5000381; sid: 5000381; rev:4;)
#alert any $EXTERNAL_NET any -> $HOME_NET $MSSQL_PORT (msg: "[WINDOWS-MISC] MS-SQL - Server started"; content: "Microsoft SQL Server"; classtype: system-event; program: MSSQLSERVER; reference: url,wiki.quadrantsec.com/bin/view/Main/5000325; sid: 5000325; rev:3;)
#alert any $EXTERNAL_NET any -> $HOME_NET $MSSQL_PORT (msg: "[WINDOWS-MISC] MS-SQL - Server listening on network"; content: "SQL server listening"; classtype: network-event; program: MSSQLSERVER; parse_src_ip: 1; parse_port; reference: url,wiki.quadrantsec.com/bin/view/Main/5000326; sid: 5000326; rev:6;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MISC] MsiInstaller - Client successfully installed software"; content: "installed successfully"; nocase; classtype: not-suspicious; program: MsiInstaller; reference: url,wiki.quadrantsec.com/bin/view/Main/5000327; sid: 5000327; rev:2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MISC] MsiInstaller - Google Toolbar installed"; content: "Google Toolbar"; content: "installed successfully"; nocase; classtype: policy-violation; program: MsiInstaller; reference: url,wiki.quadrantsec.com/bin/view/Main/5000328; sid: 5000328; rev:2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MISC] MsiInstaller - Google Toolbar updated"; content: "Google Toolbar"; content: "Update"; nocase; classtype: policy-violation; program: MsiInstaller; reference: url,wiki.quadrantsec.com/bin/view/Main/5000329; sid: 5000329; rev:2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MISC] MsiInstaller - Google Toolbar updated"; content: "Google Update Helper"; content: "Update"; nocase; classtype: policy-violation; program: MsiInstaller; reference: url,wiki.quadrantsec.com/bin/view/Main/5000331; sid: 5000331; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MISC] MsiInstaller - RegWork - Registry clearner"; content: "RegWork"; content: "Product"; classtype: policy-violation; program: MsiInstaller; reference: url,wiki.quadrantsec.com/bin/view/Main/5000330; sid: 5000330; rev:3;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MISC] MsiInstaller - Client successfully updated software"; content: "Update"; nocase; classtype: not-suspicious; program: MsiInstaller; reference: url,wiki.quadrantsec.com/bin/view/Main/5000332; sid: 5000332; rev:2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MISC] NtServicePack messsage - package or hotfix installed"; content: "was installed"; classtype: not-suspicious; program: NtServicePack; reference: url,wiki.quadrantsec.com/bin/view/Main/5000334; sid: 5000334; rev:2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MISC] SNMP Service has started successfully"; content: " 1001|3a| ""; classtype: system-event; program: SNMP; reference: url,wiki.quadrantsec.com/bin/view/Main/5000335; sid: 5000335; rev:3;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MISC] Google Software Updater service is active"; content: "Google Software Updater service"; classtype: policy-violation; program: Service; reference: url,wiki.quadrantsec.com/bin/view/Main/5000336; sid: 5000336; rev:2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MISC] Google update service is active"; content: "Google Update Service"; classtype: policy-violation; program: Service; reference: url,wiki.quadrantsec.com/bin/view/Main/5000337; sid: 5000337; rev:2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MISC] Google update service is active"; content: "Google Update Service"; classtype: policy-violation; program: Service; reference: url,wiki.quadrantsec.com/bin/view/Main/5000338; sid: 5000338; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MISC] Tenable Nessus service is active [pen-test tool]"; content: "Tenable Nessus"; classtype: policy-violation; program: Service; reference: url,wiki.quadrantsec.com/bin/view/Main/5000339; sid: 5000339; rev:2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MISC] Remote Access Connection Manager service is active"; content: "Remote Access Connection Manager"; classtype: network-event; program: Service; reference: url,wiki.quadrantsec.com/bin/view/Main/5000340; sid: 5000340; rev:2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MISC] Bonjour service is active [iTunes installed?]"; content: "Bonjour"; classtype: policy-violation; program: Service; reference: url,wiki.quadrantsec.com/bin/view/Main/5000382; sid: 5000382; rev:2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MISC] Symantec AntiVirus startup successful"; content: "startup was successful"; classtype: system-event; program: Symantec; reference: url,wiki.quadrantsec.com/bin/view/Main/5000341; sid: 5000341; rev:2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MISC] Symantec AntiVirus couldn't scan some files or directories"; content: "Could not scan"; classtype: program-error; program: Symantec; reference: url,wiki.quadrantsec.com/bin/view/Main/5000342; sid: 5000342; rev:2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MISC] Symantec AntiVirus New virus definition file loaded"; content: "New virus definition file loaded"; classtype: not-suspicious; program: Symantec; reference: url,wiki.quadrantsec.com/bin/view/Main/5000343; sid: 5000343; rev:2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MISC] Symantec AntiVirus Successful remote connect by administrator"; content: "with Admin role"; content: "User"; content: "connected from"; classtype: successful-admin; program: Symantec; reference: url,wiki.quadrantsec.com/bin/view/Main/5000344; sid: 5000344; rev:3;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MISC] Tenable Nessus started [pen-test tool]"; content: "started successfully"; classtype: suspicious-traffic; program: Tenable; reference: url,wiki.quadrantsec.com/bin/view/Main/5000345; sid: 5000345; rev:2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MISC] WinRM [Windows Remote Management] is started and listening"; content: " 10148|3a| "; classtype: network-event; program: WinRM; reference: url,wiki.quadrantsec.com/bin/view/Main/5000346; sid: 5000346; rev:3;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MISC] WinVNC4 Connection accepted"; content: "Connections"; content: "accepted"; default_proto: tcp; default_dst_port: 5900; classtype: network-event; program: WinVNC4; parse_src_ip: 1; parse_port; reference: url,wiki.quadrantsec.com/bin/view/Main/5000347; sid: 5000347; rev:5;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MISC] WinVNC4 Connection closed - Requested security type not available"; content: "Requested security type not available"; content: "closed"; default_proto: tcp; default_dst_port: 5900; classtype: suspicious-traffic; program: WinVNC4; parse_src_ip: 1; parse_port; reference: url,wiki.quadrantsec.com/bin/view/Main/5000348; sid: 5000348; rev:5;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MISC] WinVNC4 Connection blacklisted"; content: "blacklisted"; content: "Connections"; default_proto: tcp; default_dst_port: 5900; classtype: suspicious-traffic; parse_src_ip: 1; parse_port; program: WinVNC4; reference: url,wiki.quadrantsec.com/bin/view/Main/5000349; sid: 5000349; rev:5;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MISC] WinVNC4 Connection Authentication failure"; content: "Authentication failure"; default_proto: tcp; default_dst_port: 5900; classtype: unsuccessful-user; program: WinVNC4; parse_src_ip: 1; parse_port; reference: url,wiki.quadrantsec.com/bin/view/Main/5000350; sid: 5000350; rev:6;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MISC] WinVNC4 Connection close - reset by peer"; content: "Connection reset by peer"; content: "closed"; parse_src_ip: 1; parse_port; default_proto: tcp; default_dst_port: 5900; classtype: not-suspicious; program: WinVNC4; reference: url,wiki.quadrantsec.com/bin/view/Main/5000351; sid: 5000351; rev:6;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MISC] WinVNC4 Connection close - reset by peer [Non-shared]"; content: "Non-shared connection requested"; content: "closed"; parse_src_ip: 1; parse_port; default_proto: tcp; default_dst_port: 5900; classtype: suspicious-traffic; program: WinVNC4; reference: url,wiki.quadrantsec.com/bin/view/Main/5000352; sid: 5000352; rev:5;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MISC] WinVNC4 Connection close - reading version failed"; content: "reading version failed"; content: "closed"; parse_src_ip: 1; parse_port; default_proto: tcp; default_dst_port: 5900; classtype: suspicious-traffic; program: WinVNC4; reference: url,wiki.quadrantsec.com/bin/view/Main/5000353; sid: 5000353; rev:6;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MISC] WinVNC4 Connection closed"; content: "Clean disconnection"; content: "closed"; parse_src_ip: 1; parse_port; default_proto: tcp; default_dst_port: 5900; classtype: not-suspicious; program: WinVNC4; reference: url,wiki.quadrantsec.com/bin/view/Main/5000354; sid: 5000354; rev:5;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MISC] WinVNC4 HTTPServer event"; content: "HTTPServer"; default_proto: tcp; default_dst_port: 5900; classtype: network-event; program: WinVNC4; parse_src_ip: 1; parse_port; reference: url,wiki.quadrantsec.com/bin/view/Main/5000355; sid: 5000355; rev:4;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MISC] Crypt32 Failed to extract third-party root list"; content: " 4107|3a| "; classtype: program-error; program: crypt32; reference: url,wiki.quadrantsec.com/bin/view/Main/5000356; sid: 5000356; rev:4;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MISC] Disk corruption [0/2]"; content: " 55|3a| "; classtype: hardware-event; program: Ntfs; threshold:type limit, track by_src, count 1, seconds 300; reference: url,wiki.quadrantsec.com/bin/view/Main/5001056; sid: 5001056; rev:5;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MISC] MSSQLServer I/O error"; content: " 823|3a| "; classtype: program-error; program: Ntfs; reference: url,wiki.quadrantsec.com/bin/view/Main/5001096; sid: 5001096; rev:4;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MISC] Application uninstall"; content: " 11724|3a| "; classtype: program-error; program: MsiInstaller; reference: url,wiki.quadrantsec.com/bin/view/Main/5001182; sid: 5001182; rev:3;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MISC] Application install"; content: " 11707|3a| "; classtype: program-error; program: MsiInstaller; reference: url,wiki.quadrantsec.com/bin/view/Main/5001183; sid: 5001183; rev:3;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MISC] Windows is shutting down"; pcre: "/ 513: | 4609: /"; classtype: program-error; program: *Security*; reference: url,wiki.quadrantsec.com/bin/view/Main/5001184; sid: 5001184; rev:5;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MISC] File system full"; content: " 13570|3a| "; classtype: system-error; program: NtFrs|Ntfs; reference: url,wiki.quadrantsec.com/bin/view/Main/5001191; sid: 5001191; rev:4;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MISC] System time has changed"; pcre: "/ 520: | 4616: /"; content:!"|3a|\Program Files\VMware\VMware Tools\vmtoolsd.exe"; classtype: system-event; program: *Security*; reference: url,wiki.quadrantsec.com/bin/view/Main/5001194; sid: 5001194; rev:9;)

# DHCP-Server| 1063: There are no IP addresses available for lease in the scope or superscope "VLAN_311_Example".
# DHCP-Server| 1020: Scope, 10.100.1.0, is 97 percent full with only 2 IP addresses remaining.

#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MISC] DHCP Scope is almost full"; content: " 1020|3a| "; classtype: program-error; program: DHCP-Server; threshold: type limit, track by_src, count 1, seconds 900; reference: url,wiki.quadrantsec.com/bin/view/Main/5001649; sid: 5001649; rev:4;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MISC] DHCP Scope is FULL";  content: "100 percent full"; content: " 1020|3a| "; classtype: program-error; program: DHCP-Server; threshold: type limit, track by_src, count 1, seconds 900; reference: url,wiki.quadrantsec.com/bin/view/Main/5001716; sid: 5001716; rev:5;)

# BAD RULE BELOW
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MISC] DHCP Scope if full.  No IP addresses left"; content: " 5001650|3a| "; classtype: network-event; program: DHCP-Server; reference: url,wiki.quadrantsec.com/bin/view/Main/5001650; sid: 5001650; rev:3;)

alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MISC] Windows audit log was cleared"; pcre: "/ 517: | 1102: /"; content: "audit log was cleared"; classtype: system-event; program: *Security*|Eventlog; reference: url,wiki.quadrantsec.com/bin/view/Main/5001185; sid: 5001185; rev:8;;)

# Brian Echeverry - 05/07/2015
# SID 5002272 and 5002273 are noisy. 
 
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS] A directory service object was modified"; content: " 5136|3a| "; classtype: configuration-change; program: *Security*; sid:5002272; rev:3;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS] A directory service object was created"; content: " 5137|3a| "; classtype: configuration-change; program: *Security*; sid:5002273; rev:3;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS] A directory service object was undeleted"; content: " 5138|3a| "; classtype: configuration-change; program: *Security*; sid:5002274; rev:3;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS] A directory service object was moved"; content: " 5139|3a| "; classtype: configuration-change; program: *Security*; sid:5002275; rev:3;)


alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[WINDOWS-MISC] System shutdown [XBIT SET]"; content: " 1074|3a| "; program: System|USER32; xbits: set, reboot.windows,900; xbits:nounified2; classtype: system-event; reference: url,wiki.quadrantsec.com/bin/view/Main/5002014; sid: 5002014; rev:22;)

# Added by Brian Echeverry (09/22/2015)

alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MISC] Microsoft Antimalware has encountered an error trying to update signatures"; program: Microsoft_Antimalware; content: " 2001|3A| "; reference: url,wiki.quadrantsec.com/bin/view/Main/5002392; threshold: type limit, track by_src, count 1, seconds 86400; classtype: program-error; sid:5002392; rev:3;)

# Rules added by Brian Echeverry ( becheverry@quadrantsec.com) - 10/21/2015

alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MISC] Unable to log events to security log"; content: " 521|3a| "; threshold: type limit, track by_src, count 1, seconds 86400; classtype: program-error; program: *Security*; reference: url,wiki.quadrantsec.com/bin/view/Main/5002564; sid:5002564; rev:4;)

# Added by Champ Clark III (04/20/2016) - Great read at http://pastebin.com/raw/0SNSvyjJ

#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MISC] Installation of service via SCM"; content: " 7045|3a| "; content:!"ForeScout"; nocase; content:!"nxlog"; nocase; content:!"ccmsetup"; nocase; classtype: suspicious-traffic; program: System|Service_Control_Manager; reference: url,wiki.quadrantsec.com/bin/view/Main/5002817; reference: url,pastebin.com/raw/0SNSvyjJ; sid:5002817; rev:4;)

alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MISC] Installation of new service via Security Audit "; pcre: "/ 4697: | 601: /"; classtype: suspicious-traffic; program: *Security*; reference: url,wiki.quadrantsec.com/bin/view/Main/5002818; reference: url,pastebin.com/raw/0SNSvyjJ; sid:5002818; rev:3;)

# Added by Champ Clark III (08/19/2016) 

alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MISC] Suspicious event logging service shut down."; content: " 1100|3a| "; xbits: isnotset,by_src,reboot.windows; classtype: suspicious-traffic; program: *Security*; reference: url,wiki.quadrantsec.com/bin/view/Main/5002941; sid:5002941; rev:4;)

# Added by Champ Clark III (09/01/2016)
# These target strange errors seen by evtsys.  

alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MISC] Event log has been cleared."; content: " 104|3a| "; content: "cleared"; classtype: suspicious-traffic; program: Eventlog; reference: url,wiki.quadrantsec.com/bin/view/Main/5002954; sid:5002954; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MISC] Logging has been stopped on this device"; content: " 570|3a| "; content: "callback"; classtype: suspicious-traffic; program: The; reference: url,wiki.quadrantsec.com/bin/view/Main/5002955; sid:5002955; rev:3;)

alert any $HOME_NET any -> $HOME_NET any (msg: "[WINDOWS-MISC] Fan failure detected"; content:" 10|3a| Fan "; content:" has failed"; classtype: hardware-event; program: System; reference: url,wiki.quadrantsec.com/bin/view/Main/5003040; sid:5003040; rev:2;)

alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MISC] Installation of PSEXEC service via Security Audit "; content: "PSEXEC"; nocase; pcre: "/ 4697: | 601: /"; classtype: suspicious-traffic; program: *Security*; reference: url,wiki.quadrantsec.com/bin/view/Main/5003105; reference: url,pastebin.com/raw/0SNSvyjJ; sid:5003105; rev:3;)

alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MISC] Installation of PSEXEC service via SCM"; content: "PSEXEC"; nocase; content: " 7045|3a| "; content:!"ForeScout"; nocase; content:!"nxlog"; nocase; content:!"ccmsetup"; nocase; classtype: suspicious-traffic; program: System|Service_Control_Manager; reference: url,wiki.quadrantsec.com/bin/view/Main/5003106; reference: url,pastebin.com/raw/0SNSvyjJ; sid:5003106; rev:2;)