From 9449065aa09143ead4d550e3e52f0384cc54071c Mon Sep 17 00:00:00 2001
From: BlackLight
Date: Wed, 24 Nov 2010 16:51:31 +0100
Subject: [PATCH] Fixing correlation rules
---
corr_rules/1-1200-10.xml | 13 +++++++++++++
corr_rules/1-1201-8.xml | 13 +++++++++++++
corr_rules/1-1390-8.xml | 13 +++++++++++++
corr_rules/1-1463-9.xml | 15 +++++++++++++++
corr_rules/1-15306-2.xml | 14 ++++++++++++++
corr_rules/1-1729-8.xml | 14 ++++++++++++++
corr_rules/1-2435-8.xml | 13 +++++++++++++
corr_rules/1-542-14.xml | 15 +++++++++++++++
corr_rules/1-648-10.xml | 13 +++++++++++++
corr_rules/1-718-10.xml | 13 +++++++++++++
corr_rules/119-19-1.xml | 13 +++++++++++++
corr_rules/122-23-0.xml | 11 +++++++++++
12 files changed, 160 insertions(+)
create mode 100644 corr_rules/1-1200-10.xml
create mode 100644 corr_rules/1-1201-8.xml
create mode 100644 corr_rules/1-1390-8.xml
create mode 100644 corr_rules/1-1463-9.xml
create mode 100644 corr_rules/1-15306-2.xml
create mode 100644 corr_rules/1-1729-8.xml
create mode 100644 corr_rules/1-2435-8.xml
create mode 100644 corr_rules/1-542-14.xml
create mode 100644 corr_rules/1-648-10.xml
create mode 100644 corr_rules/1-718-10.xml
create mode 100644 corr_rules/119-19-1.xml
create mode 100644 corr_rules/122-23-0.xml
diff --git a/corr_rules/1-1200-10.xml b/corr_rules/1-1200-10.xml
new file mode 100644
index 0000000..c6999d1
--- /dev/null
+++ b/corr_rules/1-1200-10.xml
@@ -0,0 +1,13 @@
+ + + + 1.1200.10 + ATTACK-RESPONSES Invalid URL + +
HostExists(+DST_ADDR+)
+
HasService(+DST_ADDR+, +DST_PORT+)
+ + HasHttpInfo(+SRC_ADDR+, +DST_ADDR+) +
+
diff --git a/corr_rules/1-1201-8.xml b/corr_rules/1-1201-8.xml
new file mode 100644
index 0000000..0258110
--- /dev/null
+++ b/corr_rules/1-1201-8.xml
@@ -0,0 +1,13 @@
+ + + + 1.1201.8 + ATTACK-RESPONSES 403 Forbidden + +
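Review bot: The preconditions `HostExists(+DST_ADDR+)` and `HasService(+DST_ADDR+, +DST_PORT+)` are keyed on the destination of the alerting packet, but sid 1200 is an ATTACK-RESPONSES signature, which in Snort rule sets of this era is written to match the server's reply (flow:from_server); if this engine fills SRC/DST from that packet, DST_ADDR and DST_PORT name the browsing client and its ephemeral port, and the service lookup can never succeed. The host and service checks then belong on the source side, and the operands of the derived `HasHttpInfo(+SRC_ADDR+, +DST_ADDR+)` should be swapped if its first argument is meant to be the client; I cannot name the source-port variable because only DST_PORT and ANY_PORT appear anywhere in this patch. The XML element names are stripped in this rendering, so I am reading the indented lines as preconditions and the final HasHttpInfo line as the derived fact; please confirm against the schema.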
HostExists(+DST_ADDR+)
+
HasService(+DST_ADDR+, +DST_PORT+)
+ + HasHttpInfo(+SRC_ADDR+, +DST_ADDR+) +
+
diff --git a/corr_rules/1-1390-8.xml b/corr_rules/1-1390-8.xml
new file mode 100644
index 0000000..4ab130b
--- /dev/null
+++ b/corr_rules/1-1390-8.xml
@@ -0,0 +1,13 @@
+ + + + 1.1380.8 + Shellcode x86 inc ebx NOOP + +
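Review bot: Same direction problem as in 1-1200-10.xml: a 403 Forbidden is emitted by the server (sid 1201 is an ATTACK-RESPONSES rule, conventionally flow:from_server), so `HasService(+DST_ADDR+, +DST_PORT+)` checks for a listener on the client's ephemeral port and is unlikely ever to match. If the engine's SRC/DST follow the packet that raised the alert, anchor the host/service preconditions on SRC_ADDR and the server-side port instead. A 403 is also routine on any web server with access controls, so even once correlation works this rule will derive HasHttpInfo facts from a great deal of benign traffic; that is acceptable for an informational fact, but worth stating in the description.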
HostExists(+DST_ADDR+)
+
HasService(+DST_ADDR+, +DST_PORT+)
+ + HasRemoteAccess(+SRC_ADDR+, +DST_ADDR+) +
+
diff --git a/corr_rules/1-1463-9.xml b/corr_rules/1-1463-9.xml
new file mode 100644
index 0000000..473f018
--- /dev/null
+++ b/corr_rules/1-1463-9.xml
@@ -0,0 +1,15 @@
+ + + + 1.1463.9 + CHAT IRC message + +
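Review bot: The rule identifier inside this file is `1.1380.8` while the file is named `1-1390-8.xml` and the description is the sid 1390 signature ("Shellcode x86 inc ebx NOOP"); every other file in this patch has id and filename agreeing, so the line should read `1.1390.8`, otherwise the engine will bind this rule to the wrong Snort alert or to none. Separately, deriving `HasRemoteAccess(+SRC_ADDR+, +DST_ADDR+)` from a NOOP-sled match is a strong conclusion: the inc ebx pattern also occurs in ordinary binary transfers, and even a genuine sled shows an attempt against DST_PORT, not a successful compromise. If the engine has an attempt-level predicate it fits better here; 1-648-10.xml has the same shape and should be changed together with this one.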
HostExists(+DST_ADDR+)
+
HasService(+DST_ADDR+, +DST_PORT+)
+
IRCConnected(+SRC_ADDR+, +DST_ADDR+)
+
ChannelConnected(+SRC_ADDR+, +DST_ADDR+)
+ + IRCSentMessage(+SRC_ADDR+) +
+
diff --git a/corr_rules/1-15306-2.xml b/corr_rules/1-15306-2.xml
new file mode 100644
index 0000000..d105cd9
--- /dev/null
+++ b/corr_rules/1-15306-2.xml
@@ -0,0 +1,14 @@
+ + + + 1.15306.2 + WEB-CLIENT Portable Executable binary file transfer + +
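Review bot: `ChannelConnected(+SRC_ADDR+, +DST_ADDR+)` is required before `IRCSentMessage(+SRC_ADDR+)` can be derived, but sid 1463 matches the PRIVMSG command, which a client can send to another nick without ever joining a channel, so private messages (the interesting case for bot command traffic) would fail to correlate. Consider requiring only `IRCConnected(+SRC_ADDR+, +DST_ADDR+)` here. The derived fact also drops the server address that the IRCConnected/ChannelConnected facts carry; `IRCSentMessage(+SRC_ADDR+, +DST_ADDR+)` would keep the message tied to a specific server, if the predicate's arity allows it.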
HostExists(+DST_ADDR+)
+
HasService(+DST_ADDR+, +DST_PORT+)
+
HasHttpInfo(+SRC_ADDR+, +DST_ADDR+)
+ + HasRemoteAccess(+SRC_ADDR+, +DST_ADDR+) +
+
diff --git a/corr_rules/1-1729-8.xml b/corr_rules/1-1729-8.xml
new file mode 100644
index 0000000..5b5b45e
--- /dev/null
+++ b/corr_rules/1-1729-8.xml
@@ -0,0 +1,14 @@
+ + + + 1.1729.8 + CHAT IRC channel join + +
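Review bot: Concluding `HasRemoteAccess(+SRC_ADDR+, +DST_ADDR+)` from a PE download (sid 15306) overstates what the alert shows: transferring an executable over HTTP is how updates and installers arrive, and the signature says nothing about whether the file was executed. Sid 15306 is a WEB-CLIENT rule, conventionally matching the server-to-client direction, so if SRC/DST follow the alerting packet SRC_ADDR is the web server and the fact as written asserts that the server has remote access to the client. A download-oriented fact keyed on the client is safer here, leaving HasRemoteAccess to be derived from a later alert that shows execution or a callback from DST_ADDR.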
HostExists(+DST_ADDR+)
+
HasService(+DST_ADDR+, +DST_PORT+)
+
IRCConnected(+SRC_ADDR+, +DST_ADDR+)
+ + ChannelConnected(+SRC_ADDR+, +DST_ADDR+) +
+
diff --git a/corr_rules/1-2435-8.xml b/corr_rules/1-2435-8.xml
new file mode 100644
index 0000000..07cdd01
--- /dev/null
+++ b/corr_rules/1-2435-8.xml
@@ -0,0 +1,13 @@
+ + + + 1.2435.8 + WEB-CLIENT Microsoft emf metafile access + +
HostExists(+DST_ADDR+)
+
HasService(+DST_ADDR+, +DST_PORT+)
+ + HasHttpInfo(+SRC_ADDR+, +DST_ADDR+) +
+
diff --git a/corr_rules/1-542-14.xml b/corr_rules/1-542-14.xml
new file mode 100644
index 0000000..0bc42f8
--- /dev/null
+++ b/corr_rules/1-542-14.xml
@@ -0,0 +1,15 @@
+ + + + 1.542.14 + CHAT IRC nick change + +
HostExists(+DST_ADDR+)
+
HasService(+DST_ADDR+, +DST_PORT+)
+
IRCConnected(+SRC_ADDR+, +DST_ADDR+)
+
ChannelConnected(+SRC_ADDR+, +DST_ADDR+)
+ + IRCNickChanged(+SRC_ADDR+) +
+
diff --git a/corr_rules/1-648-10.xml b/corr_rules/1-648-10.xml
new file mode 100644
index 0000000..4f8744f
--- /dev/null
+++ b/corr_rules/1-648-10.xml
@@ -0,0 +1,13 @@
+ + + + 1.648.10 + Shellcode x86 NOOP + +
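Review bot: `ChannelConnected(+SRC_ADDR+, +DST_ADDR+)` should not be a precondition of `IRCNickChanged(+SRC_ADDR+)`: NICK is part of the IRC registration handshake and is sent before any JOIN, so the first (and most common) nick change on a connection is filtered out by this rule. `IRCConnected(+SRC_ADDR+, +DST_ADDR+)` alone is the precondition this fact needs. As in 1-1463-9.xml, the derived fact drops DST_ADDR, which leaves later rules unable to tell on which server the nick was changed.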
HostExists(+DST_ADDR+)
+
HasService(+DST_ADDR+, +DST_PORT+)
+ + HasRemoteAccess(+SRC_ADDR+, +DST_ADDR+) +
+
diff --git a/corr_rules/1-718-10.xml b/corr_rules/1-718-10.xml
new file mode 100644
index 0000000..c62e859
--- /dev/null
+++ b/corr_rules/1-718-10.xml
@@ -0,0 +1,13 @@
+ + + + 1.718.10 + TELNET login incorrect + +
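Review bot: `HasRemoteAccess(+SRC_ADDR+, +DST_ADDR+)` is too strong a conclusion for sid 648: a run of 0x90 bytes matches in many legitimate binary streams, and even a genuine sled only evidences an attempt against DST_PORT, not that SRC_ADDR obtained a shell. Treating every NOOP alert as established remote access will poison every downstream correlation that depends on HasRemoteAccess. Prefer an attempt-level fact here and let a later alert or host-side evidence promote it to HasRemoteAccess; 1-1390-8.xml has the same shape.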
HostExists(+DST_ADDR+)
+
HasService(+DST_ADDR+, +DST_PORT+)
+ + HasRemoteAccess(+SRC_ADDR+, +DST_ADDR+) +
+
diff --git a/corr_rules/119-19-1.xml b/corr_rules/119-19-1.xml
new file mode 100644
index 0000000..9bbc961
--- /dev/null
+++ b/corr_rules/119-19-1.xml
@@ -0,0 +1,13 @@
+ + + + 119.19.1 + (http_inspect) LONG HEADER + +
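Review bot: Deriving `HasRemoteAccess(+SRC_ADDR+, +DST_ADDR+)` from "TELNET login incorrect" inverts the meaning of the alert: sid 718 matches the server's failure banner, i.e. evidence that the login did not succeed. Repeated hits are a brute-force indicator, so a failed-login or attempt fact is the appropriate conclusion, with HasRemoteAccess reserved for a subsequent successful-login alert. Note also that, being matched on the server's reply (conventionally flow:from_server), SRC_ADDR here is probably the telnet server and DST_ADDR the client, so the `HasService(+DST_ADDR+, +DST_PORT+)` precondition is likely checked on the wrong endpoint as well.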
HostExists(+DST_ADDR+)
+
HasService(+DST_ADDR+, +DST_PORT+)
+ + HasRemoteAccess(+SRC_ADDR+, +DST_ADDR+) +
+
diff --git a/corr_rules/122-23-0.xml b/corr_rules/122-23-0.xml
new file mode 100644
index 0000000..2e34fdf
--- /dev/null
+++ b/corr_rules/122-23-0.xml
@@ -0,0 +1,11 @@
+ + + + 122.23.0 + (portscan) UDP Filtered Portsweep + +
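Review bot: `HasRemoteAccess(+SRC_ADDR+, +DST_ADDR+)` does not follow from 119:19, an http_inspect normalization event that fires whenever a request header exceeds the configured length (large cookies and proxies trigger it routinely); it is at most an anomaly or overflow-attempt indicator. The other HTTP rules in this patch conclude `HasHttpInfo(+SRC_ADDR+, +DST_ADDR+)`, which is the strongest fact this event supports, so use that here, or an attempt-level fact if the engine provides one.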
HostExists(+DST_ADDR+)
+ HasService(+DST_ADDR+, +ANY_PORT+) +
+
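Review bot: `HasService(+DST_ADDR+, +ANY_PORT+)` contradicts the event it is attached to: 122:23 is the filtered portsweep, meaning the probes got no replies, so requiring a known service on the target before admitting the scan will drop most sweeps, and if the line is instead the derived fact it asserts the opposite of what a filtered sweep shows. The element names are stripped in this rendering, so I cannot tell which role the line plays; in either case `HostExists(+DST_ADDR+)` alone is the safer gate. A portsweep also covers many destination hosts while the alert carries only one DST_ADDR, so whatever fact this rule derives should be keyed on SRC_ADDR, the scanner.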