# Sagan windows.rules
# Copyright (c) 2009-2010, Softwink, Inc.
# All rights reserved.
#
# Please submit any custom rules or ideas to sagan-submit@softwink.com or the sagan-sigs mailing list
#
#*************************************************************
# Redistribution and use in source and binary forms, with or without modification, are permitted provided that the
# following conditions are met:
#
# * Redistributions of source code must retain the above copyright notice, this list of conditions and the following
# disclaimer.
# * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the
# following disclaimer in the documentation and/or other materials provided with the distribution.
# * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES,
# INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
# USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#
#*************************************************************
# Windows based rules.
# Eventlog to syslog service. This is what we primarily use.
# http://code.google.com/p/eventlog-to-syslog/
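# Conventions used by the rules below:
#   - every "content:" in a rule must match for it to fire; matching is case-sensitive unless "nocase" is present
#   - "program:" restricts the rule to the syslog program / event-source name carried in the message
#   - "parse_ip_simple" / "parse_port_simple" presumably pull the peer IP/port out of the log text for the alert — confirm against the Sagan docs
#   - "reference: url,..." points at the per-sid wiki page; "sid"/"rev" identify the rule and its revision (bump rev whenever a rule changes)
#
# --- Authentication and account events (Security log) ---
# NOTE(review): "threshold: type limit ... count 5, seconds 120" appears to cap alert volume per source (at most 5 alerts per
# 120 s), not to require 5 failures before the first alert. If password-guessing detection is the goal, confirm the semantics
# of "type limit" vs "type threshold" in the Sagan docs before relying on this rule for that.
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS] Unknown user name or bad password"; content: "Logon Failure"; content: "Unknown user name or bad password"; classtype: unsuccessful-user; program: Security; threshold:type limit, track by_src, count 5, seconds 120; parse_ip_simple; reference: url,wiki.softwink.com/bin/view/Main/5000302; sid: 5000302; rev:1;)
# NOTE(review): this rule keys on "program: Userenv" while the other "Logon Failure" rule above uses "program: Security";
# confirm which event source actually carries the time-restriction failure, otherwise this rule may never match.
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS] Account logon time restriction violation"; content: "Logon Failure"; content: "account logon time restriction violation"; classtype: unsuccessful-user; program: Userenv; reference: url,wiki.softwink.com/bin/view/Main/5000303; sid: 5000303; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS] Account locked out"; content: "Account locked out User Name"; classtype: unsuccessful-user; program: Security; reference: url,wiki.softwink.com/bin/view/Main/5000358; sid:5000358; rev:1;)
# The next two fire on every logoff/logon and carry no threshold; expect high volume on busy hosts — keep them for audit
# trail / correlation rather than for paging.
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS] Successful user logoff"; content: "User Logoff"; classtype: not-suspicious; program: Security; reference: url,wiki.softwink.com/bin/view/Main/5000304; sid:5000304; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS] Successful user logon"; content: "Successful Logon"; classtype: successful-user; program: Security; reference: url,wiki.softwink.com/bin/view/Main/5000305; sid: 5000305; rev:1;)
# Windows Firewall reporting a newly listening application — a useful signal for unexpected services; rate-limited per source.
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS] Detection of net listening application"; content: "Windows Firewall has detected an application listening for incoming traffic"; threshold: type limit, track by_src, count 5, seconds 300; classtype: network-event; program: Security; reference: url,wiki.softwink.com/bin/view/Main/5000306; sid: 5000306; rev:2;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS] Privileged Service Called"; content: "Privileged Service Called"; classtype: successful-admin; program: Security; reference: url,wiki.softwink.com/bin/view/Main/5000307; sid: 5000307; rev:1;)
#
# --- Policy / inventory: unexpected software and services ---
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS] Apple Bonjour service detect [iTunes installed?]"; content: "Bonjour"; classtype: policy-violation; program: Bonjour; reference: url,wiki.softwink.com/bin/view/Main/5000308; sid: 5000308; rev:1;)
#
# --- Application health (Application log) ---
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS] Application error"; content: "Application Error"; classtype: program-error; program: Application; reference: url,wiki.softwink.com/bin/view/Main/5000309; sid: 5000309; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS] Application hang"; content: "Application Hang"; classtype: program-error; program: Application; reference: url,wiki.softwink.com/bin/view/Main/5000310; sid: 5000310; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS] Application popup"; content: "Application Popup"; classtype: program-error; program: Application; reference: url,wiki.softwink.com/bin/view/Main/5000311; sid: 5000311; rev:1;)
#
# --- Hardware / backup ---
# msg corrected to match the content string ("bus fault"); rev bumped.
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS] SCSI bus fault occurred"; content: "SCSI bus fault"; classtype: hardware-event; program: CPQCISSE; reference: url,wiki.softwink.com/bin/view/Main/5000316; sid: 5000316; rev:2;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS] Backup Exec - Job completed with exceptions"; content: "Job Completed with Exceptions"; classtype: program-error; program: Backup; reference: url,wiki.softwink.com/bin/view/Main/5000312; sid: 5000312; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS] Backup Exec - Job cancellation"; content: "Job Cancellation"; classtype: program-error; program: Backup; reference: url,wiki.softwink.com/bin/view/Main/5000313; sid: 5000313; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS] Backup Exec - Alert - insert media"; content: "Media Insert"; classtype: hardware-event; program: Backup; reference: url,wiki.softwink.com/bin/view/Main/5000314; sid: 5000314; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS] Backup Exec - Service started"; content: "Service Start"; classtype: system-event; program: Backup; reference: url,wiki.softwink.com/bin/view/Main/5000315; sid: 5000315; rev:1;)
#
# --- Miscellaneous services ---
# Catch-all: any message from the Citrix program containing "citrix" (case-insensitive).
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS] Citrix message"; content: "citrix"; nocase; classtype: system-event; program: Citrix; reference: url,wiki.softwink.com/bin/view/Main/5000317; sid: 5000317; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS] Trusted Platform Module [TPM] Error. User name not found"; content: "The user name could not be found"; nocase; classtype: unsuccessful-user; program: DAC; reference: url,wiki.softwink.com/bin/view/Main/5000318; sid: 5000318; rev:1;)
#
# --- Eventlog-to-syslog forwarder self-reporting ---
# A stopped or corrupted forwarder means this host's Windows events stop arriving at all; treat sids 5000319/5000320
# as a loss-of-visibility signal, not just a program error.
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS] Eventlog service was corrupted"; content: "Eventlog was corrupted"; classtype: program-error; program: Eventlog; reference: url,wiki.softwink.com/bin/view/Main/5000319; sid: 5000319; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS] Eventlog service was stopped"; content: "Eventlog to Syslog Service Stopped"; classtype: system-event; program: Eventlog; reference: url,wiki.softwink.com/bin/view/Main/5000320; sid: 5000320; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS] Eventlog service returned error"; content: "Eventlog returned error"; classtype: program-error; program: Eventlog; reference: url,wiki.softwink.com/bin/view/Main/5000322; sid: 5000322; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS] Eventlog service reporting uptime [in seconds]"; content: "The system uptime"; classtype: not-suspicious; program: Eventlog; reference: url,wiki.softwink.com/bin/view/Main/5000323; sid: 5000323; rev:1;)
#
# --- Network services ---
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS] IPSec message"; content: "IPSec"; nocase; classtype: not-suspicious; program: IPSec; reference: url,wiki.softwink.com/bin/view/Main/5000324; sid: 5000324; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS] LSASRV - Could not establish a secure connection"; content: "could not establish a secured connection"; classtype: network-event; program: LSASRV; reference: url,wiki.softwink.com/bin/view/Main/5000381; sid: 5000381; rev:1;)
# MS-SQL rules carry 1433 in the rule header; presumably only meaningful together with parse_port_simple — confirm.
alert syslog $EXTERNAL_NET any -> $HOME_NET 1433 (msg: "[WINDOWS] MS-SQL - Server started"; content: "Microsoft SQL Server"; classtype: system-event; program: MSSQLSERVER; reference: url,wiki.softwink.com/bin/view/Main/5000325; sid: 5000325; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET 1433 (msg: "[WINDOWS] MS-SQL - Server listening on network"; content: "SQL server listening"; classtype: network-event; program: MSSQLSERVER; parse_ip_simple; parse_port_simple; reference: url,wiki.softwink.com/bin/view/Main/5000326; sid: 5000326; rev:2;)
#
# --- Software installation (MsiInstaller) ---
# Ordering matters for triage, not for matching: the generic "installed successfully" / "Update" rules (5000327, 5000332)
# fire alongside the more specific Google Toolbar / RegWork rules below.
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS] MsiInstaller - Client successfully installed software"; content: "installed successfully"; nocase; classtype: not-suspicious; program: MsiInstaller; reference: url,wiki.softwink.com/bin/view/Main/5000327; sid: 5000327; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS] MsiInstaller - Google Toolbar installed"; content: "Google Toolbar"; content: "installed successfully"; nocase; classtype: policy-violation; program: MsiInstaller; reference: url,wiki.softwink.com/bin/view/Main/5000328; sid: 5000328; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS] MsiInstaller - Google Toolbar updated"; content: "Google Toolbar"; content: "Update"; nocase; classtype: policy-violation; program: MsiInstaller; reference: url,wiki.softwink.com/bin/view/Main/5000329; sid: 5000329; rev:1;)
# msg corrected: this rule matches "Google Update Helper", not the Toolbar (it previously repeated sid 5000329's msg); rev bumped.
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS] MsiInstaller - Google Update Helper updated"; content: "Google Update Helper"; content: "Update"; nocase; classtype: policy-violation; program: MsiInstaller; reference: url,wiki.softwink.com/bin/view/Main/5000331; sid: 5000331; rev:2;)
# msg typo fixed ("clearner" -> "cleaner"); rev bumped.
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS] MsiInstaller - RegWork - Registry cleaner"; content: "Product"; content: "RegWork"; classtype: policy-violation; program: MsiInstaller; reference: url,wiki.softwink.com/bin/view/Main/5000330; sid: 5000330; rev:2;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS] MsiInstaller - Client successfully updated software"; content: "Update"; nocase; classtype: not-suspicious; program: MsiInstaller; reference: url,wiki.softwink.com/bin/view/Main/5000332; sid: 5000332; rev:1;)
# msg typo fixed ("messsage" -> "message"); rev bumped.
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS] NtServicePack message - package or hotfix installed"; content: "was installed"; classtype: not-suspicious; program: NtServicePack; reference: url,wiki.softwink.com/bin/view/Main/5000334; sid: 5000334; rev:2;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS] SNMP Service has started successfully"; content: "SNMP Service has started successfully"; classtype: system-event; program: SNMP; reference: url,wiki.softwink.com/bin/view/Main/5000335; sid: 5000335; rev:1;)
#
# --- Service Control Manager: services of interest ---
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS] Google Software Updater service is active"; content: "Google Software Updater service"; classtype: policy-violation; program: Service; reference: url,wiki.softwink.com/bin/view/Main/5000336; sid: 5000336; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS] Google update service is active"; content: "Google Update Service"; classtype: policy-violation; program: Service; reference: url,wiki.softwink.com/bin/view/Main/5000337; sid: 5000337; rev:1;)
# NOTE(review): sid 5000338 is an exact duplicate of sid 5000337 (same content, program, classtype and msg); every matching
# event will raise two alerts. Kept as-is to avoid retiring a sid deployments may reference, but one of the two should go.
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS] Google update service is active"; content: "Google Update Service"; classtype: policy-violation; program: Service; reference: url,wiki.softwink.com/bin/view/Main/5000338; sid: 5000338; rev:1;)
# Vulnerability scanner present on a Windows host: worth confirming it is an authorised scanning box.
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS] Tenable Nessus service is active [pen-test tool]"; content: "Tenable Nessus"; classtype: policy-violation; program: Service; reference: url,wiki.softwink.com/bin/view/Main/5000339; sid: 5000339; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS] Remote Access Connection Manager service is active"; content: "Remote Access Connection Manager"; classtype: network-event; program: Service; reference: url,wiki.softwink.com/bin/view/Main/5000340; sid: 5000340; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS] Bonjour service is active [iTunes installed?]"; content: "Bonjour"; classtype: policy-violation; program: Service; reference: url,wiki.softwink.com/bin/view/Main/5000382; sid: 5000382; rev:1;)
#
# --- Symantec AntiVirus ---
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS] Symantec AntiVirus startup successful"; content: "services startup was successful"; classtype: system-event; program: Symantec; reference: url,wiki.softwink.com/bin/view/Main/5000341; sid: 5000341; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS] Symantec AntiVirus couldn't scan some files or directories"; content: "Could not scan"; classtype: program-error; program: Symantec; reference: url,wiki.softwink.com/bin/view/Main/5000342; sid: 5000342; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS] Symantec AntiVirus New virus definition file loaded"; content: "New virus definition file loaded"; classtype: not-suspicious; program: Symantec; reference: url,wiki.softwink.com/bin/view/Main/5000343; sid: 5000343; rev:1;)
# Remote administrative session to the AV console — all three content strings must appear.
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS] Symantec AntiVirus Successful remote connect by administrator"; content: "User"; content: "connected from"; content: "with Admin role"; classtype: successful-admin; program: Symantec; reference: url,wiki.softwink.com/bin/view/Main/5000344; sid: 5000344; rev:1;)
# "started successfully" is generic; this rule relies entirely on "program: Tenable" to scope it.
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS] Tenable Nessus started [pen-test tool]"; content: "started successfully"; classtype: suspicious-traffic; program: Tenable; reference: url,wiki.softwink.com/bin/view/Main/5000345; sid: 5000345; rev:1;)
# WinRM listening = remote management surface exposed; useful to correlate with the firewall "listening" rule (5000306).
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS] WinRM [Windows Remote Management] is started and listening"; content: "service is listening for WS-Management requests"; classtype: network-event; program: WinRM; reference: url,wiki.softwink.com/bin/view/Main/5000346; sid: 5000346; rev:1;)
#
# --- WinVNC4 (rule header port 5900; peer address/port taken from the log via parse_ip_simple/parse_port_simple) ---
# These use "alert tcp" rather than "alert syslog" as the rest of the file does — presumably intentional so the parsed
# peer IP/port show up as the alert's connection tuple; confirm.
alert tcp $EXTERNAL_NET any -> $HOME_NET 5900 (msg: "[WINDOWS] WinVNC4 Connection accepted"; content: "Connections"; content: "accepted"; classtype: network-event; program: WinVNC4; parse_ip_simple; parse_port_simple; reference: url,wiki.softwink.com/bin/view/Main/5000347; sid: 5000347; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 5900 (msg: "[WINDOWS] WinVNC4 Connection closed - Requested security type not available"; content: "closed"; content: "Requested security type not available"; classtype: suspicious-traffic; program: WinVNC4; parse_ip_simple; parse_port_simple; reference: url,wiki.softwink.com/bin/view/Main/5000348; sid: 5000348; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 5900 (msg: "[WINDOWS] WinVNC4 Connection blacklisted"; content: "Connections"; content: "blacklisted"; classtype: suspicious-traffic; parse_ip_simple; parse_port_simple; program: WinVNC4; reference: url,wiki.softwink.com/bin/view/Main/5000349; sid: 5000349; rev:2;)
# msg typo fixed ("Authenticaiton" -> "Authentication"); rev bumped. No threshold here — repeated failures from one peer
# will alert on every attempt, which is the useful behaviour for a VNC password-guessing signal.
alert tcp $EXTERNAL_NET any -> $HOME_NET 5900 (msg: "[WINDOWS] WinVNC4 Connection Authentication failure"; content: "Authentication failure"; classtype: unsuccessful-user; program: WinVNC4; parse_ip_simple; parse_port_simple; reference: url,wiki.softwink.com/bin/view/Main/5000350; sid: 5000350; rev:3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 5900 (msg: "[WINDOWS] WinVNC4 Connection close - reset by peer"; content: "closed"; content: "Connection reset by peer"; parse_ip_simple; parse_port_simple; classtype: not-suspicious; program: WinVNC4; reference: url,wiki.softwink.com/bin/view/Main/5000351; sid: 5000351; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 5900 (msg: "[WINDOWS] WinVNC4 Connection close - reset by peer [Non-shared]"; content: "closed"; content: "Non-shared connection requested"; parse_ip_simple; parse_port_simple; classtype: suspicious-traffic; program: WinVNC4; reference: url,wiki.softwink.com/bin/view/Main/5000352; sid: 5000352; rev:2;)
# "reading version failed" usually means a client that never completed the RFB handshake (e.g. a port probe or non-VNC client).
alert tcp $EXTERNAL_NET any -> $HOME_NET 5900 (msg: "[WINDOWS] WinVNC4 Connection close - reading version failed"; content: "closed"; content: "reading version failed"; parse_ip_simple; parse_port_simple; classtype: suspicious-traffic; program: WinVNC4; reference: url,wiki.softwink.com/bin/view/Main/5000353; sid: 5000353; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 5900 (msg: "[WINDOWS] WinVNC4 Connection closed"; content: "closed"; content: "Clean disconnection"; parse_ip_simple; parse_port_simple; classtype: not-suspicious; program: WinVNC4; reference: url,wiki.softwink.com/bin/view/Main/5000354; sid: 5000354; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 5900 (msg: "[WINDOWS] WinVNC4 HTTPServer event"; content: "HTTPServer"; classtype: network-event; program: WinVNC4; parse_ip_simple; parse_port_simple; reference: url,wiki.softwink.com/bin/view/Main/5000355; sid: 5000355; rev:2;)
#
# --- Certificate trust ---
# A failed third-party root list extraction means the host's root-CA trust list did not refresh; persistent failures are
# worth a look, since a stale trust list affects certificate validation on that host.
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS] Crypt32 Failed to extract third-party root list"; content: "Failed extract of third-party root list"; classtype: program-error; program: crypt32; reference: url,wiki.softwink.com/bin/view/Main/5000356; sid: 5000356; rev:1;)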