Fixing correlation rules
This commit is contained in:
parent
da77d08a25
commit
9449065aa0
12 changed files with 160 additions and 0 deletions
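--- a/corr_rules/1-1200-10.xml
+++ b/corr_rules/1-1200-10.xml
@@ -0,0 +1,13 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE hyperalert PUBLIC "-//blacklight//DTD HYPERALERT SNORT MODEL//EN" "http://0x00.ath.cx/hyperalert.dtd">
+
+<hyperalert>
+<snort-id>1.1200.10</snort-id>
+<desc>ATTACK-RESPONSES Invalid URL</desc>
+
+<pre>HostExists(+DST_ADDR+)</pre>
+<pre>HasService(+DST_ADDR+, +DST_PORT+)</pre>
+
+<post>HasHttpInfo(+SRC_ADDR+, +DST_ADDR+)</post>
+</hyperalert>
+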
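Review bot: Every rule file in this commit opens with a DOCTYPE whose system identifier is a remote DTD fetched over plain HTTP, `"http://0x00.ath.cx/hyperalert.dtd"`; if the preprocessor loads the rules with a validating parser, or one that resolves external DTDs by default, rule loading depends on that host being reachable and accepts whatever the DTD defines over an unauthenticated channel. Ship the DTD in the repository and resolve the public identifier through a local catalog or the parser's entity resolver, and disable external DTD and entity loading in the rule parser so the system identifier is treated as an identifier only. The same line appears in the other eleven files (1-1201-8, 1-1390-8, 1-1463-9, 1-15306-2, 1-1729-8, 1-2435-8, 1-542-14, 1-648-10, 1-718-10, 119-19-1, 122-23-0). Whether the loader actually resolves the DTD is not visible from this commit.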
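--- a/corr_rules/1-1201-8.xml
+++ b/corr_rules/1-1201-8.xml
@@ -0,0 +1,13 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE hyperalert PUBLIC "-//blacklight//DTD HYPERALERT SNORT MODEL//EN" "http://0x00.ath.cx/hyperalert.dtd">
+
+<hyperalert>
+<snort-id>1.1201.8</snort-id>
+<desc>ATTACK-RESPONSES 403 Forbidden</desc>
+
+<pre>HostExists(+DST_ADDR+)</pre>
+<pre>HasService(+DST_ADDR+, +DST_PORT+)</pre>
+
+<post>HasHttpInfo(+SRC_ADDR+, +DST_ADDR+)</post>
+</hyperalert>
+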
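--- a/corr_rules/1-1390-8.xml
+++ b/corr_rules/1-1390-8.xml
@@ -0,0 +1,13 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE hyperalert PUBLIC "-//blacklight//DTD HYPERALERT SNORT MODEL//EN" "http://0x00.ath.cx/hyperalert.dtd">
+
+<hyperalert>
+<snort-id>1.1380.8</snort-id>
+<desc>Shellcode x86 inc ebx NOOP</desc>
+
+<pre>HostExists(+DST_ADDR+)</pre>
+<pre>HasService(+DST_ADDR+, +DST_PORT+)</pre>
+
+<post>HasRemoteAccess(+SRC_ADDR+, +DST_ADDR+)</post>
+</hyperalert>
+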
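Review bot: The `<snort-id>` in this file is `1.1380.8` while the file is named `corr_rules/1-1390-8.xml`, so either the id or the filename is off by one digit and the rule would be keyed to a different signature than its name suggests; if the filename is the intended one, the line should read `<snort-id>1.1390.8</snort-id>`. The other eleven files in the commit have names that agree with their ids, which points to a typo here. A loader-side check, or a test, that a rule's gid.sid.rev matches its filename would catch this class of slip before the rule silently never fires.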
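--- a/corr_rules/1-1463-9.xml
+++ b/corr_rules/1-1463-9.xml
@@ -0,0 +1,15 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE hyperalert PUBLIC "-//blacklight//DTD HYPERALERT SNORT MODEL//EN" "http://0x00.ath.cx/hyperalert.dtd">
+
+<hyperalert>
+<snort-id>1.1463.9</snort-id>
+<desc>CHAT IRC message</desc>
+
+<pre>HostExists(+DST_ADDR+)</pre>
+<pre>HasService(+DST_ADDR+, +DST_PORT+)</pre>
+<pre>IRCConnected(+SRC_ADDR+, +DST_ADDR+)</pre>
+<pre>ChannelConnected(+SRC_ADDR+, +DST_ADDR+)</pre>
+
+<post>IRCSentMessage(+SRC_ADDR+)</post>
+</hyperalert>
+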
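--- a/corr_rules/1-15306-2.xml
+++ b/corr_rules/1-15306-2.xml
@@ -0,0 +1,14 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE hyperalert PUBLIC "-//blacklight//DTD HYPERALERT SNORT MODEL//EN" "http://0x00.ath.cx/hyperalert.dtd">
+
+<hyperalert>
+<snort-id>1.15306.2</snort-id>
+<desc>WEB-CLIENT Portable Executable binary file transfer</desc>
+
+<pre>HostExists(+DST_ADDR+)</pre>
+<pre>HasService(+DST_ADDR+, +DST_PORT+)</pre>
+<pre>HasHttpInfo(+SRC_ADDR+, +DST_ADDR+)</pre>
+
+<post>HasRemoteAccess(+SRC_ADDR+, +DST_ADDR+)</post>
+</hyperalert>
+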
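--- a/corr_rules/1-1729-8.xml
+++ b/corr_rules/1-1729-8.xml
@@ -0,0 +1,14 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE hyperalert PUBLIC "-//blacklight//DTD HYPERALERT SNORT MODEL//EN" "http://0x00.ath.cx/hyperalert.dtd">
+
+<hyperalert>
+<snort-id>1.1729.8</snort-id>
+<desc>CHAT IRC channel join</desc>
+
+<pre>HostExists(+DST_ADDR+)</pre>
+<pre>HasService(+DST_ADDR+, +DST_PORT+)</pre>
+<pre>IRCConnected(+SRC_ADDR+, +DST_ADDR+)</pre>
+
+<post>ChannelConnected(+SRC_ADDR+, +DST_ADDR+)</post>
+</hyperalert>
+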
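--- a/corr_rules/1-2435-8.xml
+++ b/corr_rules/1-2435-8.xml
@@ -0,0 +1,13 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE hyperalert PUBLIC "-//blacklight//DTD HYPERALERT SNORT MODEL//EN" "http://0x00.ath.cx/hyperalert.dtd">
+
+<hyperalert>
+<snort-id>1.2435.8</snort-id>
+<desc>WEB-CLIENT Microsoft emf metafile access</desc>
+
+<pre>HostExists(+DST_ADDR+)</pre>
+<pre>HasService(+DST_ADDR+, +DST_PORT+)</pre>
+
+<post>HasHttpInfo(+SRC_ADDR+, +DST_ADDR+)</post>
+</hyperalert>
+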
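--- a/corr_rules/1-542-14.xml
+++ b/corr_rules/1-542-14.xml
@@ -0,0 +1,15 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE hyperalert PUBLIC "-//blacklight//DTD HYPERALERT SNORT MODEL//EN" "http://0x00.ath.cx/hyperalert.dtd">
+
+<hyperalert>
+<snort-id>1.542.14</snort-id>
+<desc>CHAT IRC nick change</desc>
+
+<pre>HostExists(+DST_ADDR+)</pre>
+<pre>HasService(+DST_ADDR+, +DST_PORT+)</pre>
+<pre>IRCConnected(+SRC_ADDR+, +DST_ADDR+)</pre>
+<pre>ChannelConnected(+SRC_ADDR+, +DST_ADDR+)</pre>
+
+<post>IRCNickChanged(+SRC_ADDR+)</post>
+</hyperalert>
+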
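--- a/corr_rules/1-648-10.xml
+++ b/corr_rules/1-648-10.xml
@@ -0,0 +1,13 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE hyperalert PUBLIC "-//blacklight//DTD HYPERALERT SNORT MODEL//EN" "http://0x00.ath.cx/hyperalert.dtd">
+
+<hyperalert>
+<snort-id>1.648.10</snort-id>
+<desc>Shellcode x86 NOOP</desc>
+
+<pre>HostExists(+DST_ADDR+)</pre>
+<pre>HasService(+DST_ADDR+, +DST_PORT+)</pre>
+
+<post>HasRemoteAccess(+SRC_ADDR+, +DST_ADDR+)</post>
+</hyperalert>
+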
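--- a/corr_rules/1-718-10.xml
+++ b/corr_rules/1-718-10.xml
@@ -0,0 +1,13 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE hyperalert PUBLIC "-//blacklight//DTD HYPERALERT SNORT MODEL//EN" "http://0x00.ath.cx/hyperalert.dtd">
+
+<hyperalert>
+<snort-id>1.718.10</snort-id>
+<desc>TELNET login incorrect</desc>
+
+<pre>HostExists(+DST_ADDR+)</pre>
+<pre>HasService(+DST_ADDR+, +DST_PORT+)</pre>
+
+<post>HasRemoteAccess(+SRC_ADDR+, +DST_ADDR+)</post>
+</hyperalert>
+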
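--- a/corr_rules/119-19-1.xml
+++ b/corr_rules/119-19-1.xml
@@ -0,0 +1,13 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE hyperalert PUBLIC "-//blacklight//DTD HYPERALERT SNORT MODEL//EN" "http://0x00.ath.cx/hyperalert.dtd">
+
+<hyperalert>
+<snort-id>119.19.1</snort-id>
+<desc>(http_inspect) LONG HEADER</desc>
+
+<pre>HostExists(+DST_ADDR+)</pre>
+<pre>HasService(+DST_ADDR+, +DST_PORT+)</pre>
+
+<post>HasRemoteAccess(+SRC_ADDR+, +DST_ADDR+)</post>
+</hyperalert>
+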
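Review bot: The postcondition `<post>HasRemoteAccess(+SRC_ADDR+, +DST_ADDR+)</post>` for an http_inspect LONG HEADER preprocessor alert is a much stronger inference than the sibling HTTP rules draw: 1-1200-10 and 1-2435-8 conclude only `HasHttpInfo(+SRC_ADDR+, +DST_ADDR+)`. Treating an oversized header as evidence of remote access will chain this frequently benign alert into compromise scenarios and inflate the resulting correlation graphs; unless that is intended, `<post>HasHttpInfo(+SRC_ADDR+, +DST_ADDR+)</post>` looks like the consistent choice. Whether HasRemoteAccess is meant as a weak hypothesis in this model is not visible from the commit, so a one-line comment stating the intent would help either way.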
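--- a/corr_rules/122-23-0.xml
+++ b/corr_rules/122-23-0.xml
@@ -0,0 +1,11 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE hyperalert PUBLIC "-//blacklight//DTD HYPERALERT SNORT MODEL//EN" "http://0x00.ath.cx/hyperalert.dtd">
+
+<hyperalert>
+<snort-id>122.23.0</snort-id>
+<desc>(portscan) UDP Filtered Portsweep</desc>
+
+<pre>HostExists(+DST_ADDR+)</pre>
+<post>HasService(+DST_ADDR+, +ANY_PORT+)</post>
+</hyperalert>
+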
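Review bot: This is the only rule in the commit that uses the `+ANY_PORT+` placeholder, in `<post>HasService(+DST_ADDR+, +ANY_PORT+)</post>`; every other file uses `+DST_PORT+`, and nothing in the commit shows that the substitution engine recognises ANY_PORT. If it is not a defined macro the postcondition will carry the literal token and never unify with the `HasService(+DST_ADDR+, +DST_PORT+)` preconditions of the other rules, which is presumably the point of a portsweep → service chain. A comment on the line, or a list of supported placeholders alongside the DTD, would make this checkable at review time.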