sagan-rules 1:20160923-0.1 / etc / sagan-rules / bro-ids.rules

This file is indexed.

/etc/sagan-rules/bro-ids.rules is in sagan-rules 1:20160923-0.1.

This file is owned by root:root, with mode 0o644.

The actual contents of the file can be viewed below. 

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
# Sagan bro-ids.rules
# Copyright (c) 2009-2016, Quadrant Information Security <www.quadrantsec.com>
# All rights reserved.
#
# Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list
#
#*************************************************************
#  Redistribution and use in source and binary forms, with or without modification, are permitted provided that the
#  following conditions are met:
#
#  * Redistributions of source code must retain the above copyright notice, this list of conditions and the following
#    disclaimer.
#  * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the
#    following disclaimer in the documentation and/or other materials provided with the distribution.
#  * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived
#    from this software without specific prior written permission.
#
#  THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES,
#  INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
#  DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
#  SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
#  SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
#  WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
#  USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#
#*****************************************************************************
#
# Note:  Your syslog daemon will need to forward Bro logs to your Sagan server.  With syslog-ng,  you would do 
# something like this:
#
# destination sagan_box { udp("10.10.10.10" port(514)); } ;
# source s_bro_notice { file("/var/log/bro/log/current/notice.log" flags(no-parse) program_override("bro")); };
# log { source(s_bro_notice); destination(sagan_box); };
# 
# For rsyslog,  see: http://www.rsyslog.com/doc/imfile.html
# 
# The syslog "program" field will _need_ to be "bro"! 
#
#*****************************************************************************
#
# Submitted by Brad Doctor (July 2nd, 2010).  For more information see
# http://www.bro-ids.org/ 
# 
# (Legacy Bro rules) - Now disbaled by default

#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[BRO] Successful Password Guessing [0/5]"; content: "SuccessfulPasswordGuessing"; program: bro; parse_src_ip: 1; parse_dst_ip: 2; classtype: successful-user; reference: url,wiki.quadrantsec.com/bin/view/Main/5000883; sid: 5000883; threshold: type limit, track by_src, count 5, seconds 120; rev:3;)
#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[BRO] Protocol Violation [0/5]"; content: "ProtocolViolation"; program: bro; parse_src_ip: 1; parse_dst_ip: 2; classtype: policy-violation; reference: url,wiki.quadrantsec.com/bin/view/Main/5000884; sid: 5000884; threshold: type limit, track by_src, count 5, seconds 120; rev:3;)
#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[BRO] Sensitive Login [0/5]"; content: "SensitiveLogin"; program: bro; parse_src_ip: 1; parse_dst_ip: 2; classtype: suspicious-login; reference: url,wiki.quadrantsec.com/bin/view/Main/5000885; sid: 5000885; threshold: type limit, track by_src, count 5, seconds 120; rev:3;)
#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[BRO] Sensitive Connection [0/5]"; content: "SensitiveConnection"; program: parse_src_ip: 1; parse_dst_ip: 2; bro; classtype: suspicious-traffic;   reference: url,wiki.quadrantsec.com/bin/view/Main/5000886; sid: 5000886; threshold: type limit, track by_src, count 5, seconds 120; rev:3;)
#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[BRO] Sensitive Username in password [0/5]"; program: bro; parse_src_ip: 1; parse_dst_ip: 2; content: "SensitiveUsernameInPassword"; classtype: successful-admin; url,wiki.quadrantsec.com/bin/view/Main/5000887; sid: 5000887; threshold: type limit, track by_src, count 5, seconds 120; rev:3;)

# Robert Nunley & Champ Clark -  06/10/2014

alert tcp $EXTERNAL_NET any -> $HOME_NET $SSH_PORT (msg:"[BRO] SSH Password_Guessing [0/5]"; content: "SSH|3a 3a|Password_Guessing"; program: bro; classtype: misc-attack; parse_src_ip: 1; parse_dst_ip: 2; threshold: type limit, track by_src, count 1, seconds 120; flowbits: set,brute_force,21600; reference: url,wiki.quadrantsec.com/bin/view/Main/5002063; sid: 5002063; rev:4;) 

# Note: You will need licensing to use the Team Cymru Malware Hash Registry for corporate use.  See http://www.team-cymru.org/Services/MHR/
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[BRO] TeamCymruMalwareHashRegistry Match"; content: "TeamCymruMalwareHashRegistry|3a 3a|Match"; parse_src_ip: 1; parse_dst_ip: 2; program: bro; reference: url,www.team-cymru.org/Services/MHR/; classtype: trojan-activity; sid: 5002064; rev:2;) 

# Triggers many F/P
#alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORT (msg: "[BRO] HTTP SQL_Injection_Attacker"; content: "HTTP|3a 3a|SQL_Injection_Attacker"; parse_src_ip: 1; parse_dst_ip: 2; program: bro; reference: url,wiki.quadrantsec.com/bin/view/Main/5002065; classtype: web-application-attack; sid: 5002065; rev:2;)
#alert tcp $EXTERNAL_NET any -> $HTTP_PORT any (msg: "[BRO] HTTP SQL_Injection_Victim"; content: "HTTP|3a 3a|SQL_Injection_Victim"; program: bro; parse_src_ip: 1; parse_dst_ip: 2; reference: url,wiki.quadrantsec.com/bin/view/Main/5002066; classtype: web-application-attack; sid: 5002066; rev:2;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $SSH_PORT (msg: "[BRO] SSH Login_By_Password_Guesser"; content: "SSH|3a 3a|Login_By_Password_Guesser"; program: bro; parse_src_ip: 1; parse_dst_ip: 2; flowbits: set,brute_force,21600; reference: url,wiki.quadrantsec.com/bin/view/Main/5002067; classtype: successful-user; sid: 5002067; rev:3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $SSH_PORT (msg: "[BRO] SSH Watched_Country_Login"; content: "SSH|3a 3a|Watched_Country_Login"; program: bro; parse_src_ip: 1; parse_dst_ip: 2; reference: url,wiki.quadrantsec.com/bin/view/Main/5002068; classtype: successful-user; sid: 5002068; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTPS_PORT (msg: "[BRO] 10+ SSL Invalid_Server_Cert in 30 seconds [10/5]"; content: "SSL|3a 3a|Invalid_Server_Cert"; program: bro; parse_src_ip: 1; parse_dst_ip: 2; after: track by_src, count 10, seconds 30; threshold: type limit, track by_src, count 5, seconds 300; reference: url,wiki.quadrantsec.com/bin/view/Main/5002069; classtype: suspicious-traffic; sid: 5002069; rev:4;)

# Robert Nunley & Champ Clark -  06/11/2014

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTPS_PORT (msg: "[BRO] 10+ unable to get local issuer certificate in 30 seconds [10/5]"; content: "unable to get local issuer certificate"; program: bro; parse_src_ip: 1; parse_dst_ip: 2; after: track by_src, count 10, seconds 30; threshold: type limit, track by_src, count 5, seconds 300; reference: url,wiki.quadrantsec.com/bin/view/Main/5002070; classtype: suspicious-traffic; sid: 5002070; rev:3;)

# These rules are based on Bro scripts from Liam Randall.   They are located at: https://github.com/LiamRandall/BroMalware-Exercise.  These will need to be loaded into Bro to trigger!

# https://github.com/LiamRandall/BroMalware-Exercise/tree/master/solutions/zeroaccess

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTPS_PORT (msg: "[BRO] ZeroAccess ZeroAccess_Client [0/5]"; content: "ZeroAccess|3a 3a|ZeroAccess_Client"; program: bro; parse_src_ip: 1; parse_dst_ip: 2; threshold: type limit, track by_src, count 5, seconds 300; classtype: trojan-activity; reference: url,wiki.quadrantsec.com/bin/view/Main/5002070; url,github.com/LiamRandall/BroMalware-Exercise/tree/master/solutions/zeroaccess; sid: 5002071; rev:3;)

# https://github.com/LiamRandall/BroMalware-Exercise/tree/master/solutions/lurk0
# Bitcoin mining detection

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTPS_PORT (msg: "[BRO] Bitcoin Miner [0/10]"; content: "Bitcoin|3a 3a|Miner"; program: bro; parse_src_ip: 1; parse_dst_ip: 2; threshold: type limit, track by_src, count 10, seconds 300; classtype: trojan-activity; reference: url,wiki.quadrantsec.com/bin/view/Main/5002074; url,github.com/LiamRandall/BroMalware-Exercise/tree/master/solutions/lurk0; sid: 5002074; rev:3;)

# https://github.com/LiamRandall/BroMalware-Exercise/tree/master/solutions/lurk0
# Lurk0 RAT ::Lurk0_Client

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTPS_PORT (msg: "[BRO] Probable LURK0 RAT C&C Access"; content: "Lurk0|3a 3a|Lurk0_Client"; program: bro; parse_src_ip: 1; parse_dst_ip: 2; classtype: trojan-activity; reference: url,wiki.quadrantsec.com/bin/view/Main/5002072; url,github.com/LiamRandall/BroMalware-Exercise/tree/master/solutions/lurk0; sid: 5002072; rev:2;)

# Sidejacking
# Added in the main Bro repo.  See http://matthias.vallentin.net/blog/2010/10/taming-the-sheep-detecting-sidejacking-with-bro/ for more details.

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTPS_PORT (msg: "[BRO] Sidejacking attach detected"; content: "Sidejacking"; program: bro; parse_src_ip: 1; parse_dst_ip: 2; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/5002073; reference: url,matthias.vallentin.net/blog/2010/10/taming-the-sheep-detecting-sidejacking-with-bro; sid: 5002073; rev:2;)


# This rule detect internal (rfc1918) systems port scanning,  but ignores everything else!


# Example log:

#1459283371.705967       -       -       -       -       -       -       -       -       -       Scan::Port_Scan 10.1.0.34 scanned at least 15 unique ports of host 10.1.0.4 in 0m2s        local   10.1.0.34     10.1.0.4     -       -     bro      Notice::ACTION_LOG      3600.000000     F       -       -       -       -       - 

alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[BRO] RFC1918 address scanning the network"; content: "Scan|3a 3a|Port_Scan"; pcre:"/((192)\.(168)\.(\d+)\.(\d+)|(10)\.(\d+)\.(\d+)\.(\d+)|(172)\.(1[6,7,8,9])\.(\d+)\.(\d+)|(172)\.(2[0,1,2,3,4,5,6,7,8,9])\.(\d+)\.(\d+)|(172)\.(3[0,1])\.(\d+)\.(\d+)) scanned at least \d+ unique ports/smi"; program: bro; parse_src_ip: 1; threshold: type limit, track by_src, count 1, seconds 86400; flowbits: set,recon,86400; classtype: attempted-recon; reference: url,wiki.quadrantsec.com/bin/view/Main/5002798; sid:5002798; rev:3;)

APT Browse - Built by Thomas Orozco.