From 97d5f8f28d0fc5780dbeb19599dee2c5776613a2 Mon Sep 17 00:00:00 2001
From: BlackLight <blacklight@autistici.org>
Date: Wed, 15 Sep 2010 14:10:01 +0200
Subject: [PATCH] New correlation rules, now installing doc and share stuff

---
 corr_rules/1-1924-8.xml | 14 ++++++++++++++
 corr_rules/1-579-10.xml | 14 ++++++++++++++
 2 files changed, 28 insertions(+)
 create mode 100644 corr_rules/1-1924-8.xml
 create mode 100644 corr_rules/1-579-10.xml

diff --git a/corr_rules/1-1924-8.xml b/corr_rules/1-1924-8.xml
new file mode 100644
index 0000000..3963b99
--- /dev/null
+++ b/corr_rules/1-1924-8.xml
@@ -0,0 +1,14 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE hyperalert PUBLIC "-//blacklighth//DTD HYPERALERT SNORT MODEL//EN" "http://0x00.ath.cx/hyperalert.dtd">
+
+<hyperalert>
+	<snort-id>1.1924.8</snort-id>
+	<desc>RPC mountd UDP export request</desc>
+
+	<pre>HostExists(+DST_ADDR+)</pre>
+	<pre>HasService(+DST_ADDR+, +DST_PORT+)</pre>
+	<pre>HasRemoteAccess(+SRC_ADDR+, +DST_ADDR+)</pre>
+	
+	<post>HasNfsAccess(+SRC_ADDR+, +DST_ADDR+)</post>
+</hyperalert>
+
diff --git a/corr_rules/1-579-10.xml b/corr_rules/1-579-10.xml
new file mode 100644
index 0000000..186bd6a
--- /dev/null
+++ b/corr_rules/1-579-10.xml
@@ -0,0 +1,14 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE hyperalert PUBLIC "-//blacklighth//DTD HYPERALERT SNORT MODEL//EN" "http://0x00.ath.cx/hyperalert.dtd">
+
+<hyperalert>
+	<snort-id>1.579.10</snort-id>
+	<desc>RPC portmap mountd request UDP</desc>
+
+	<pre>HostExists(+DST_ADDR+)</pre>
+	<pre>HasService(+DST_ADDR+, +DST_PORT+)</pre>
+	<pre>HasRemoteAccess(+SRC_ADDR+, +DST_ADDR+)</pre>
+	
+	<post>HasNfsAccess(+SRC_ADDR+, +DST_ADDR+)</post>
+</hyperalert>
+