Fixing correlation rules

corr_rules/1-1200-10.xml

@@ -0,0 +1,13 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE hyperalert PUBLIC "-//blacklight//DTD HYPERALERT SNORT MODEL//EN" "http://0x00.ath.cx/hyperalert.dtd">
+
+<hyperalert>
+	<snort-id>1.1200.10</snort-id>
+	<desc>ATTACK-RESPONSES Invalid URL</desc>
+
+	<pre>HostExists(+DST_ADDR+)</pre>
+	<pre>HasService(+DST_ADDR+, +DST_PORT+)</pre>
+
+	<post>HasHttpInfo(+SRC_ADDR+, +DST_ADDR+)</post>
+</hyperalert>
+

corr_rules/1-1201-8.xml

@@ -0,0 +1,13 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE hyperalert PUBLIC "-//blacklight//DTD HYPERALERT SNORT MODEL//EN" "http://0x00.ath.cx/hyperalert.dtd">
+
+<hyperalert>
+	<snort-id>1.1201.8</snort-id>
+	<desc>ATTACK-RESPONSES 403 Forbidden</desc>
+
+	<pre>HostExists(+DST_ADDR+)</pre>
+	<pre>HasService(+DST_ADDR+, +DST_PORT+)</pre>
+
+	<post>HasHttpInfo(+SRC_ADDR+, +DST_ADDR+)</post>
+</hyperalert>
+

corr_rules/1-1390-8.xml

@@ -0,0 +1,13 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE hyperalert PUBLIC "-//blacklight//DTD HYPERALERT SNORT MODEL//EN" "http://0x00.ath.cx/hyperalert.dtd">
+
+<hyperalert>
+	<snort-id>1.1380.8</snort-id>
+	<desc>Shellcode x86 inc ebx NOOP</desc>
+
+	<pre>HostExists(+DST_ADDR+)</pre>
+	<pre>HasService(+DST_ADDR+, +DST_PORT+)</pre>
+
+	<post>HasRemoteAccess(+SRC_ADDR+, +DST_ADDR+)</post>
+</hyperalert>
+

corr_rules/1-1463-9.xml

@@ -0,0 +1,15 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE hyperalert PUBLIC "-//blacklight//DTD HYPERALERT SNORT MODEL//EN" "http://0x00.ath.cx/hyperalert.dtd">
+
+<hyperalert>
+	<snort-id>1.1463.9</snort-id>
+	<desc>CHAT IRC message</desc>
+
+	<pre>HostExists(+DST_ADDR+)</pre>
+	<pre>HasService(+DST_ADDR+, +DST_PORT+)</pre>
+	<pre>IRCConnected(+SRC_ADDR+, +DST_ADDR+)</pre>
+	<pre>ChannelConnected(+SRC_ADDR+, +DST_ADDR+)</pre>
+
+	<post>IRCSentMessage(+SRC_ADDR+)</post>
+</hyperalert>
+

corr_rules/1-15306-2.xml

@@ -0,0 +1,14 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE hyperalert PUBLIC "-//blacklight//DTD HYPERALERT SNORT MODEL//EN" "http://0x00.ath.cx/hyperalert.dtd">
+
+<hyperalert>
+	<snort-id>1.15306.2</snort-id>
+	<desc>WEB-CLIENT Portable Executable binary file transfer</desc>
+
+	<pre>HostExists(+DST_ADDR+)</pre>
+	<pre>HasService(+DST_ADDR+, +DST_PORT+)</pre>
+	<pre>HasHttpInfo(+SRC_ADDR+, +DST_ADDR+)</pre>
+
+	<post>HasRemoteAccess(+SRC_ADDR+, +DST_ADDR+)</post>
+</hyperalert>
+

corr_rules/1-1729-8.xml

@@ -0,0 +1,14 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE hyperalert PUBLIC "-//blacklight//DTD HYPERALERT SNORT MODEL//EN" "http://0x00.ath.cx/hyperalert.dtd">
+
+<hyperalert>
+	<snort-id>1.1729.8</snort-id>
+	<desc>CHAT IRC channel join</desc>
+
+	<pre>HostExists(+DST_ADDR+)</pre>
+	<pre>HasService(+DST_ADDR+, +DST_PORT+)</pre>
+	<pre>IRCConnected(+SRC_ADDR+, +DST_ADDR+)</pre>
+
+	<post>ChannelConnected(+SRC_ADDR+, +DST_ADDR+)</post>
+</hyperalert>
+

corr_rules/1-2435-8.xml

@@ -0,0 +1,13 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE hyperalert PUBLIC "-//blacklight//DTD HYPERALERT SNORT MODEL//EN" "http://0x00.ath.cx/hyperalert.dtd">
+
+<hyperalert>
+	<snort-id>1.2435.8</snort-id>
+	<desc>WEB-CLIENT Microsoft emf metafile access</desc>
+
+	<pre>HostExists(+DST_ADDR+)</pre>
+	<pre>HasService(+DST_ADDR+, +DST_PORT+)</pre>
+
+	<post>HasHttpInfo(+SRC_ADDR+, +DST_ADDR+)</post>
+</hyperalert>
+

corr_rules/1-542-14.xml

@@ -0,0 +1,15 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE hyperalert PUBLIC "-//blacklight//DTD HYPERALERT SNORT MODEL//EN" "http://0x00.ath.cx/hyperalert.dtd">
+
+<hyperalert>
+	<snort-id>1.542.14</snort-id>
+	<desc>CHAT IRC nick change</desc>
+
+	<pre>HostExists(+DST_ADDR+)</pre>
+	<pre>HasService(+DST_ADDR+, +DST_PORT+)</pre>
+	<pre>IRCConnected(+SRC_ADDR+, +DST_ADDR+)</pre>
+	<pre>ChannelConnected(+SRC_ADDR+, +DST_ADDR+)</pre>
+
+	<post>IRCNickChanged(+SRC_ADDR+)</post>
+</hyperalert>
+

corr_rules/1-648-10.xml

@@ -0,0 +1,13 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE hyperalert PUBLIC "-//blacklight//DTD HYPERALERT SNORT MODEL//EN" "http://0x00.ath.cx/hyperalert.dtd">
+
+<hyperalert>
+	<snort-id>1.648.10</snort-id>
+	<desc>Shellcode x86 NOOP</desc>
+
+	<pre>HostExists(+DST_ADDR+)</pre>
+	<pre>HasService(+DST_ADDR+, +DST_PORT+)</pre>
+
+	<post>HasRemoteAccess(+SRC_ADDR+, +DST_ADDR+)</post>
+</hyperalert>
+

corr_rules/1-718-10.xml

@@ -0,0 +1,13 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE hyperalert PUBLIC "-//blacklight//DTD HYPERALERT SNORT MODEL//EN" "http://0x00.ath.cx/hyperalert.dtd">
+
+<hyperalert>
+	<snort-id>1.718.10</snort-id>
+	<desc>TELNET login incorrect</desc>
+
+	<pre>HostExists(+DST_ADDR+)</pre>
+	<pre>HasService(+DST_ADDR+, +DST_PORT+)</pre>
+
+	<post>HasRemoteAccess(+SRC_ADDR+, +DST_ADDR+)</post>
+</hyperalert>
+

corr_rules/119-19-1.xml

@@ -0,0 +1,13 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE hyperalert PUBLIC "-//blacklight//DTD HYPERALERT SNORT MODEL//EN" "http://0x00.ath.cx/hyperalert.dtd">
+
+<hyperalert>
+	<snort-id>119.19.1</snort-id>
+	<desc>(http_inspect) LONG HEADER</desc>
+
+	<pre>HostExists(+DST_ADDR+)</pre>
+	<pre>HasService(+DST_ADDR+, +DST_PORT+)</pre>
+
+	<post>HasRemoteAccess(+SRC_ADDR+, +DST_ADDR+)</post>
+</hyperalert>
+

corr_rules/122-23-0.xml

@@ -0,0 +1,11 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE hyperalert PUBLIC "-//blacklight//DTD HYPERALERT SNORT MODEL//EN" "http://0x00.ath.cx/hyperalert.dtd">
+
+<hyperalert>
+	<snort-id>122.23.0</snort-id>
+	<desc>(portscan) UDP Filtered Portsweep</desc>
+
+	<pre>HostExists(+DST_ADDR+)</pre>
+	<post>HasService(+DST_ADDR+, +ANY_PORT+)</post>
+</hyperalert>
+