RFC (make up a number not in use) - Blueprint for setting up snort + pfblocker
-
NOTICE to forum moderators/admins: please read the last paragraph before and after reading the whole topic. Thank you.
This is an update to my post on the sticky: http://forum.pfsense.org/index.php/topic,61018.0.html
Before selecting which categories to enable for snort, please go through the list for any entries starting with "DO NOT USE >". Those are categories wasting processing power and should be handled by pfblocker since connections to/from those IPs should be handled by the firewall already. No need to waste "snort-time" for analyzing those packets, since a) snort leaks some packets already and by the time it's finished analyzing and blocking, some packets will hit your servers behind pfsense, b) it saves a couple of % of RAM and c) it's a set it and forget it process. A slight warning, do not use any of this if you do not have enough RAM. I'm using 2GB with rarely 30% used, mostly hovers around 25%.
The new list for what should be enabled for snort (insert drumroll) is:
In tab "Rules", under "Category" select:
(–- means blank table at time of writing)emerging-activex > all
emerging-attack_responses > all
emerging-botcc > all
emerging-chat > all except:
2010784 ET CHAT Facebook Chat (send message)
2010785 ET CHAT Facebook Chat (buddy list)
2010786 ET CHAT Facebook Chat (settings)
2010819 ET CHAT Facebook Chat using XMPP
2002327 ET CHAT Google Talk (Jabber) Client Login
2002334 ET CHAT Google IM traffic Jabber client sign-on
2001241 ET CHAT MSN file transfer request
2001242 ET CHAT MSN file transfer accept
2001243 ET CHAT MSN file transfer reject
2001682 ET CHAT MSN IM Poll via HTTP
2002192 ET CHAT MSN status change
2008289 ET CHAT Possible MSN Messenger File Transfer
2009375 ET CHAT General MSN Chat Activity
2009376 ET CHAT MSN User-Agent Activityemerging-ciarmy > all
DO NOT USE! > emerging-compromised > use pfblocker with: http://rules.emergingthreats.net/blockrules/compromised-ips.txt
emerging-current_events > all
emerging-deleted > ---
emerging-dns > all except:
2008446 ET DNS Excessive DNS Responses with 1 or more RR's (100+ in 10
seconds) - possible Cache Poisoning Attempt
2008470 ET DNS Excessive NXDOMAIN responses - Possible DNS Backscatter or Domain Generation Algorithm Lookups
2001117 ET DNS Standard query response, Name Erroremerging-dos > all
DO NOT USE! > emerging-drop > use pfblocker with: http://list.iblocklist.com/?list=sh_drop&fileformat=p2p
DO NOT USE! > emerging-dshield > use pfblocker with: (cannot find specific list, but ip listed in pfblocker tables, NEED HELP HERE<<<<)
emerging-exploit > all except:
2001058 ET EXPLOIT libpng tRNS overflow attempt
2002913 ET EXPLOIT VNC Client response
2002914 ET EXPLOIT VNC Server VNC Auth Offer
2002919 ET EXPLOIT VNC Good Authentication Reply
2002915 ET EXPLOIT VNC Authentication Reply
2002758 ET EXPLOIT WMF Escape Record Exploit - Version 1
2002742 ET EXPLOIT WMF Escape Record Exploit - Version 3emerging-ftp > all
emerging-games > all
emerging-icmp > ---
emerging-icmp_info > ---
emerging-imap > ---
emerging-inappropriate > all except:
2002925 ET INAPPROPRIATE Google Image Search, Safe Mode Off
2001608 ET INAPPROPRIATE Likely Pornemerging-info > all except:
2014472 ET INFO JAVA - Java Archive Download
2014473 ET INFO JAVA - Java Archive Download By Vulnerable Client
2014819 ET INFO Packed Executable Download
2015016 ET INFO FTP STOR to External Network
2015561 ET INFO PDF Using CCITTFax Filter
2015744 ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)
2016360 ET INFO JAVA - ClassID
2016361 ET INFO JAVA - ClassID
2016404 ET INFO MPEG Download Over HTTP (1)emerging-malware > all except:
2008438 ET MALWARE Possible Windows executable sent when remote host claims to send a Text File
2012228 ET MALWARE Suspicious Russian Content-Language Ru Which May Be Malware Related
2012229 ET MALWARE Suspicious Chinese Content-Language zh-cn Which May be Malware Relatedemerging-misc > all
emerging-mobile_malware > all except:
2012251 ET MOBILE_MALWARE Google Android Device HTTP Request
2012848 ET MOBILE_MALWARE Possible Mobile Malware POST of IMEI International Mobile Equipment Identity in URIemerging-netbios > all
emerging-p2p > all except:
2000369 ET P2P BitTorrent Announce
2007727 ET P2P possible torrent download
2008581 ET P2P BitTorrent DHT ping request
2008583 ET P2P BitTorrent DHT nodes reply
2008585 ET P2P BitTorrent DHT announce_peers request
2010144 ET P2P Vuze BT UDP Connection (5)
2011699 ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x)
2016662 ET P2P Possible Bittorrent Activity - Multiple DNS Queries For tracker hostsemerging-policy > all except:
2000419 ET POLICY PE EXE or DLL Windows file download
2000428 ET POLICY ZIP file download
2001115 ET POLICY MSI (microsoft installer file) download
2003595 ET POLICY exe download via HTTP - Informational
2001898 ET POLICY eBay Bid Placed
2001907 ET POLICY eBay Placing Item for sale
2001908 ET POLICY eBay View Item
2001909 ET POLICY eBay Watch This Item
2003303 ET POLICY FTP Login Attempt (non-anonymous)
2003410 ET POLICY FTP Login Successful
2003121 ET POLICY docs.google.com Activity
2003597 ET POLICY Google Calendar in Use
2002801 ET POLICY Google Desktop User-Agent Detected
2002838 ET POLICY Google Search Appliance browsing the Internet
2000035 ET POLICY Hotmail Inbox Access
2000036 ET POLICY Hotmail Message Access
2000037 ET POLICY Hotmail Compose Message Access
2000038 ET POLICY Hotmail Compose Message Submit
2000039 ET POLICY Hotmail Compose Message Submit Data
2008238 ET POLICY Hotmail Inbox Access
2008239 ET POLICY Hotmail Message Access
2008240 ET POLICY Hotmail Compose Message Access
2008242 ET POLICY Hotmail Access Full Mode
2006408 ET POLICY HTTP Request on Unusual Port Possibly Hostile
2006409 ET POLICY HTTP POST on unusual Port Possibly Hostile
2002330 ET POLICY Google Talk TLS Client Traffic
2002332 ET POLICY Google IM traffic Windows client user sign-on
2002333 ET POLICY Google IM traffic friend invited
2002878 ET POLICY iTunes User Agent
2002722 ET POLICY MP3 File Transfer Outbound
2002723 ET POLICY MP3 File Transfer Inbound
2001114 ET POLICY Mozilla XPI install files download
2001973 ET POLICY SSH Server Banner Detected on Expected Port
2001974 ET POLICY SSH Client Banner Detected on Expected Port
2001975 ET POLICY SSHv2 Server KEX Detected on Expected Port
2001976 ET POLICY SSHv2 Client KEX Detected on Expected Port
2001977 ET POLICY SSHv2 Client New Keys detected on Expected Port
2001978 ET POLICY SSH session in progress on Expected Port
2001979 ET POLICY SSH Server Banner Detected on Unusual Port
2001980 ET POLICY SSH Client Banner Detected on Unusual Port
2001981 ET POLICY SSHv2 Server KEX Detected on Unusual Port
2001982 ET POLICY SSHv2 Client KEX Detected on Unusual Port
2001983 ET POLICY SSHv2 Client New Keys Detected on Unusual Port
2001984 ET POLICY SSH session in progress on Unusual Port
2009001 ET POLICY Login Credentials Possibly Passed in URI
2009004 ET POLICY Login Credentials Possibly Passed in POST Data
2003214 ET POLICY Pingdom.com Monitoring detected
2003215 ET POLICY Pingdom.com Monitoring Node Active
2001669 ET POLICY Proxy GET Request
2001670 ET POLICY Proxy HEAD Request
2001674 ET POLICY Proxy POST Request
2001675 ET POLICY Proxy CONNECT Request
2002922 ET POLICY VNC Authentication Successful
2002920 ET POLICY VNC Authentication Failure
2003026 ET POLICY Known SSL traffic on port 443 being excluded from SSL Alerts
2004598 ET POLICY Known SSL traffic on port 9001 (aol) being excluded from SSL Alerts
2003027 ET POLICY Known SSL traffic on port 8000 being excluded from SSL Alerts
2003028 ET POLICY Known SSL traffic on port 8080 being excluded from SSL Alerts
2003029 ET POLICY Known SSL traffic on port 8200 being excluded from SSL Alerts
2003030 ET POLICY Known SSL traffic on port 8443 being excluded from SSL Alerts
2003033 ET POLICY Known SSL traffic on port 2967 (Symantec) being excluded from SSL Alerts
2003035 ET POLICY Known SSL traffic on port 3128 (proxy) being excluded from SSL Alerts
2003036 ET POLICY Known SSL traffic on port 8080 (proxy) being excluded from SSL Alerts
2003037 ET POLICY Known SSL traffic on port 8292 (Bloomberg) being excluded from SSL Alerts
2003038 ET POLICY Known SSL traffic on port 8294 (Bloomberg) being excluded from SSL Alerts
2003934 ET POLICY Known SSL traffic on port 1521 (Oracle) being excluded from SSL Alerts
2008543 ET POLICY Known SSL traffic on port 995 (imaps) being excluded from SSL Alerts
2003002 ET POLICY TLS/SSL Client Hello on Unusual Port TLS
2003003 ET POLICY TLS/SSL Client Hello on Unusual Port SSLv3
2003004 ET POLICY TLS/SSL Client Hello on Unusual Port Case 2
2003005 ET POLICY TLS/SSL Client Hello on Unusual Port SSLv3
2003006 ET POLICY TLS/SSL Client Key Exchange on Unusual Port
2003007 ET POLICY TLS/SSL Client Key Exchange on Unusual Port SSLv3
2003008 ET POLICY TLS/SSL Client Cipher Set on Unusual Port
2003009 ET POLICY TLS/SSL Client Cipher Set on Unusual Port SSLv3
2003010 ET POLICY TLS/SSL Server Hello on Unusual Port
2003011 ET POLICY TLS/SSL Server Hello on Unusual Port SSLv3
2003012 ET POLICY TLS/SSL Server Certificate Exchange on Unusual Port
2003013 ET POLICY TLS/SSL Server Certificate Exchange on Unusual Port SSLv3
2003014 ET POLICY TLS/SSL Server Key Exchange on Unusual Port
2003015 ET POLICY TLS/SSL Server Key Exchange on Unusual Port SSLv3
2003018 ET POLICY TLS/SSL Server Cipher Set on Unusual Port
2003019 ET POLICY TLS/SSL Server Cipher Set on Unusual Port SSLv3
2003020 ET POLICY TLS/SSL Encrypted Application Data on Unusual Port
2003021 ET POLICY TLS/SSL Encrypted Application Data on Unusual Port SSLv3
2001595 ET POLICY Skype VOIP Checking Version (Startup)
2002157 ET POLICY Skype User-Agent detected
2003022 ET POLICY Skype Bootstrap Node (udp)
2007671 ET POLICY Binary Download Smaller than 1 MB Likely Hostile
2001449 ET POLICY Proxy Connection detected
2002822 ET POLICY Wget User Agent
2002823 ET POLICY POSSIBLE Web Crawl using Wget
2002824 ET POLICY CURL User Agent
2002934 ET POLICY libwww-perl User Agent
2002828 ET POLICY Googlebot User Agent
2002829 ET POLICY Googlebot Crawl
2002830 ET POLICY Msnbot User Agent
2002831 ET POLICY Msnbot Crawl
2002832 ET POLICY Yahoo Crawler User Agent
2002833 ET POLICY Yahoo Crawler Crawl
2010228 ET POLICY Suspicious Microsoft Windows NT 6.1 User-Agent Detected
2002948 ET POLICY External Windows Update in Progress
2002949 ET POLICY Windows Update in Progress
2001402 ET POLICY ZIPPED DOC in transit
2001403 ET POLICY ZIPPED XLS in transit
2001404 ET POLICY ZIPPED EXE in transit
2001405 ET POLICY ZIPPED PPT in transit
2011874 ET POLICY NSPlayer User-Agent Windows Media Player streaming detected
2012647 ET POLICY Dropbox.com Offsite File Backup in Use
2012648 ET POLICY Dropbox Client Broadcasting
2013028 ET POLICY curl User-Agent Outbound
2013030 ET POLICY libwww-perl User-Agent
2013031 ET POLICY Python-urllib/ Suspicious User Agent
2013290 ET POLICY MOBILE Apple device leaking UDID from SpringBoard via GET
2013414 ET POLICY Executable served from Amazon S3
2013458 ET POLICY Facebook Like Button Clicked (1)
2013459 ET POLICY Facebook Like Button Clicked (2)
2013503 ET POLICY OS X Software Update Request Outbound
2013504 ET POLICY GNU/Linux APT User-Agent Outbound likely related to package management
2013505 ET POLICY GNU/Linux YUM User-Agent Outbound likely related to package management
2014297 ET POLICY Vulnerable Java Version 1.7.x Detected
2014313 ET POLICY Executable Download From DropBox
2014734 ET POLICY BitTorrent - Torrent File Downloaded
2014919 ET POLICY Microsoft Online Storage Client Hello TLSv1 Possible SkyDrive (1)
2014920 ET POLICY Microsoft Online Storage Client Hello TLSv1 Possible SkyDrive (2)
2017015 ET POLICY DropBox User Content Access over SSL
2001375 ET POLICY Credit Card Number Detected in Clear (16 digit spaced)
2001376 ET POLICY Credit Card Number Detected in Clear (16 digit dashed)
2001377 ET POLICY Credit Card Number Detected in Clear (16 digit)
2001378 ET POLICY Credit Card Number Detected in Clear (15 digit)
2001379 ET POLICY Credit Card Number Detected in Clear (15 digit spaced)
2001380 ET POLICY Credit Card Number Detected in Clear (15 digit dashed)
2001381 ET POLICY Credit Card Number Detected in Clear (14 digit)
2001382 ET POLICY Credit Card Number Detected in Clear (14 digit spaced)
2001383 ET POLICY Credit Card Number Detected in Clear (14 digit dashed)
2009293 ET POLICY Credit Card Number Detected in Clear (15 digit spaced 2)
2009294 ET POLICY Credit Card Number Detected in Clear (15 digit dashed 2)
2001328 ET POLICY SSN Detected in Clear Text (dashed)
2001384 ET POLICY SSN Detected in Clear Text (spaced)
2007971 ET POLICY SSN Detected in Clear Text (SSN )
2007972 ET POLICY SSN Detected in Clear Text (SSN# )
2011854 ET POLICY Java JAR file downloademerging-pop3 > ---
emerging-rbn-malvertisers > all
DO NOT USE! > emerging-rbn > use pfblocker with: http://doc.emergingthreats.net/pub/Main/RussianBusinessNetwork/RussianBusinessNetworkIPs.txt
emerging-rpc > ---
emerging-scada > all
emerging-scan > all except
2002992 ET SCAN Rapid POP3 Connections - Possible Brute Force Attack
2002993 ET SCAN Rapid POP3S Connections - Possible Brute Force Attack
2002994 ET SCAN Rapid IMAP Connections - Possible Brute Force Attack
2002995 ET SCAN Rapid IMAPS Connections - Possible Brute Force Attackemerging-shellcode > all except
2011803 ET SHELLCODE Possible TCP x86 JMP to CALL Shellcode Detected
2012252 ET SHELLCODE Common 0a0a0a0a Heap Spray String
2012257 ET SHELLCODE Common %0c%0c%0c%0c Heap Spray String
2012510 ET SHELLCODE UTF-8/16 Encoded Shellcode
2013222 ET SHELLCODE Excessive Use of HeapLib Objects Likely Malicious Heap Spray Attempt
2013267 ET SHELLCODE Hex Obfuscated JavaScript Heap Spray 0a0a0a0aemerging-smtp > all
emerging-snmp > all
emerging-sql > all
emerging-telnet > all
emerging-tftp > all
DO NOT USE! > emerging-tor > use pfblocker with http://list.iblocklist.com/?list=tor&fileformat=p2p
emerging-trojan > all except
2009205 ET TROJAN Possible Downadup/Conficker-C P2P encrypted traffic UDP Ping Packet (bit value 1)
2009206 ET TROJAN Possible Downadup/Conficker-C P2P encrypted traffic UDP Ping Packet (bit value 4)
2009207 ET TROJAN Possible Downadup/Conficker-C P2P encrypted traffic UDP Ping Packet (bit value 5)
2009208 ET TROJAN Possible Downadup/Conficker-C P2P encrypted traffic UDP Ping Packet (bit value 16)emerging-user_agents > all except:
2010697 ET USER_AGENTS Suspicious User-Agent Beginning with digits - Likely spyware/trojanemerging-voip > all
emerging-web_client > all except
2011347 ET WEB_CLIENT Possible String.FromCharCode Javascript Obfuscation Attempt
2011507 ET WEB_CLIENT PDF With Embedded File
2010518 ET WEB_CLIENT Possible HTTP 404 XSS Attempt (External Source)
2012056 ET WEB_CLIENT Flash Player Flash6.ocx AllowScriptAccess Denial of Service
2012075 ET WEB_CLIENT Possible Internet Explorer CSS Parser Remote Code Execution Attempt
2012119 ET WEB_CLIENT Possible Hex Obfuscation Usage On Webpage
2012205 ET WEB_CLIENT Possible Malicious String.fromCharCode with charCodeAt String
2012266 ET WEB_CLIENT Hex Obfuscation of unescape % Encoding
2012272 ET WEB_CLIENT Hex Obfuscation of eval % Encoding
2012398 ET WEB_CLIENT Hex Obfuscation of replace Javascript Function % Encoding
2010527 ET WEB_CLIENT Possible HTTP 503 XSS Attempt (External Source)
2010931 ET WEB_CLIENT Possible IE iepeers.dll Use-after-free Code Execution Attemptemerging-web_server > all except
2003099 ET WEB_SERVER Poison Null Byte
2015526 ET WEB_SERVER Fake Googlebot UA 1 Inboundemerging-web_specific_apps > all except:
2010890 ET WEB_SPECIFIC_APPS phpBB3 registration (Step1 GET)
2010891 ET WEB_SPECIFIC_APPS phpBB3 registration (Step2 POST)
2010892 ET WEB_SPECIFIC_APPS phpBB3 registration (Step3 GET)
2010893 ET WEB_SPECIFIC_APPS phpBB3 registration (Step4 POST)emerging-worm > all
GPLv2 community rules > all except
254 DNS SPOOF query response with TTL of 1 min. and no authority
384 PROTOCOL-ICMP PING
385 PROTOCOL-ICMP traceroute
399 PROTOCOL-ICMP Destination Unreachable Host Unreachable
402 PROTOCOL-ICMP Destination Unreachable Port Unreachable
408 PROTOCOL-ICMP Echo Reply
540 POLICY-SOCIAL Microsoft MSN message
648 INDICATOR-SHELLCODE x86 NOOP
649 INDICATOR-SHELLCODE x86 setgid 0
1200 INDICATOR-COMPROMISE Invalid URL
1201 INDICATOR-COMPROMISE 403 Forbidden
1292 INDICATOR-COMPROMISE directory listing
1390 INDICATOR-SHELLCODE x86 inc ebx NOOP
1394 INDICATOR-SHELLCODE x86 inc ecx NOOP
1437 FILE-IDENTIFY Microsoft Windows Media download detected
1841 FILE-OTHER Oracle Javascript URL host spoofing attempt
1846 POLICY-MULTIMEDIA vncviewer Java applet download attempt
1852 SERVER-WEBAPP robots.txt access
1986 POLICY-SOCIAL Microsoft MSN outbound file transfer request
1988 POLICY-SOCIAL Microsoft MSN outbound file transfer accept
1989 POLICY-SOCIAL Microsoft MSN outbound file transfer rejected
1990 POLICY-SOCIAL Microsoft MSN user search
1991 POLICY-SOCIAL Microsoft MSN login attempt
2180 PUA-P2P BitTorrent announce request
2181 PUA-P2P BitTorrent transfer
2707 FILE-IMAGE JPEG parser multipacket heap overflow
3463 SERVER-WEBAPP awstats access
25518 OS-OTHER Apple iPod User-Agent detected
25519 OS-OTHER Apple iPad User-Agent detected
25520 OS-OTHER Apple iPhone User-Agent detected
25521 OS-OTHER Android User-Agent detected
25522 OS-OTHER Nokia User-Agent detected
25523 OS-OTHER Samsung User-Agent detected
25524 OS-OTHER Kindle User-Agent detected
25525 OS-OTHER Nintendo User-Agent detectedIPS Policy - Security > all except
26354 BROWSER-IE Microsoft Internet Explorer expression clause in style tag cross site scripting attempt
20278 BROWSER-IE Microsoft Internet Explorer HTML DOM invalid DHTML textnode creation attempt
19436 BROWSER-IE Microsoft Internet Explorer CStyleSheetRule array memory corruption attempt
18196 BROWSER-IE Microsoft Internet Explorer CSS importer use-after-free attempt
16482 BROWSER-IE Microsoft Internet Explorer userdata behavior memory corruption attempt
15147 BROWSER-IE Microsoft Internet Explorer malformed iframe buffer overflow attempt
13964 BROWSER-IE Microsoft Internet Explorer span frontier parsing memory corruption
11257 BROWSER-IE Microsoft Internet Explorer colgroup tag uninitialized memory exploit attempt
8375 BROWSER-PLUGINS QuickTime Object ActiveX clsid access
4152 BROWSER-PLUGINS Microsoft Windows Media Player 6.4 ActiveX object access
24891 FILE-FLASH Action InitArray stack overflow attempt
24889 FILE-FLASH Action InitArray stack overflow attempt
12183 FILE-FLASH Adobe FLV long string script data buffer overflow
16435 FILE-IDENTIFY Ultimate Packer for Executables/UPX v0.62-v1.22 packed file magic detected
24714 FILE-IMAGE Oracle Outside In JPEG COC parameter buffer overflow attempt
24713 FILE-IMAGE Oracle Outside In JPEG COD parameter buffer overflow attempt
2707 FILE-IMAGE JPEG parser multipacket heap overflow
23170 FILE-MULTIMEDIA Apple QuickTime MPEG stream padding buffer overflow attempt
13919 FILE-MULTIMEDIA Apple QuickTime MOV file string handling integer overflow attempt
21927 FILE-OFFICE Microsoft Office Excel style handling overflow attempt
15866 FILE-OTHER libxml2 file processing long entity overflow attempt
23101 FILE-OTHER Cisco WebEx recording integer overflow attempt
23100 FILE-OTHER Cisco WebEx recording integer overflow attempt
24229 FILE-OTHER RealNetworks Netzip Classic zip archive long filename buffer overflow attempt
6504 FILE-OTHER Sophos Anti-Virus CAB file overflow attempt
16295 FILE-OTHER Kaspersky antivirus library heap buffer overflow - without optional fields
25459 FILE-PDF Adobe Reader incomplete JP2K image geometry - potentially malicious
15362 INDICATOR-OBFUSCATION obfuscated javascript excessive fromCharCode - potential attack
26616 INDICATOR-OBFUSCATION Javascript indexOf rename attempt
13864 POLICY-OTHER Microsoft Watson error reporting attempt
540 POLICY-SOCIAL Microsoft MSN message
1986 POLICY-SOCIAL Microsoft MSN outbound file transfer request
1988 POLICY-SOCIAL Microsoft MSN outbound file transfer accept
1989 POLICY-SOCIAL Microsoft MSN outbound file transfer rejected
1990 POLICY-SOCIAL Microsoft MSN user search
1991 POLICY-SOCIAL Microsoft MSN login attempt
5694 PUA-P2P Skype client setup get newest version attempt
5693 PUA-P2P Skype client start up get latest version attempt
5999 PUA-P2P Skype client login
5998 PUA-P2P Skype client login startup
16281 PUA-P2P BitTorrent scrape request
5692 PUA-P2P Skype client successful install
16320 WEB-CLIENT Adobe PNG empty sPLT exploit attempt
15975 WEB-CLIENT OpenOffice TIFF file in little endian format parsing integer overflow attempt
15976 WEB-CLIENT OpenOffice TIFF file in big endian format parsing integer overflow attempt
15317 BROWSER-PLUGINS Akamai DownloadManager ActiveX function call access
26926 FILE-OTHER Multiple products ZIP archive virus detection bypass attempt
26879 BROWSER-OTHER local loopback address in htmlNow, on to the Suppression List:
#GLOBALgen_id 1
suppress gen_id 1, sig_id 536
suppress gen_id 1, sig_id 648
suppress gen_id 1, sig_id 653
suppress gen_id 1, sig_id 1390
suppress gen_id 1, sig_id 2452
suppress gen_id 1, sig_id 11192
suppress gen_id 1, sig_id 15306
suppress gen_id 1, sig_id 16313
suppress gen_id 1, sig_id 17458
suppress gen_id 1, sig_id 20583
suppress gen_id 1, sig_id 23098
suppress gen_id 1, sig_id 2000334
suppress gen_id 1, sig_id 2008120
suppress gen_id 1, sig_id 2010516
suppress gen_id 1, sig_id 20122758
suppress gen_id 1, sig_id 2014518
suppress gen_id 1, sig_id 2014520
suppress gen_id 1, sig_id 2100366
suppress gen_id 1, sig_id 2100368
suppress gen_id 1, sig_id 2100651
suppress gen_id 1, sig_id 2101390
suppress gen_id 1, sig_id 2101424
suppress gen_id 1, sig_id 2102314
suppress gen_id 1, sig_id 2103134
suppress gen_id 1, sig_id 2500056
suppress gen_id 1, sig_id 100000230
suppress gen_id 3, sig_id 14772
#(http_inspect) DOUBLE DECODING ATTACK
suppress gen_id 119, sig_id 2
#(http_inspect) BARE BYTE UNICODE ENCODING
suppress gen_id 119, sig_id 4
#(http_inspect) IIS UNICODE CODEPOINT ENCODING
suppress gen_id 119, sig_id 7
#(http_inspect) NON-RFC DEFINED CHAR [**]
suppress gen_id 119, sig_id 14
#(http_inspect) UNKNOWN METHOD
suppress gen_id 119, sig_id 31
#(http_inspect) SIMPLE REQUEST
suppress gen_id 119, sig_id 32
#(http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE
suppress gen_id 120, sig_id 2
#(http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE
suppress gen_id 120, sig_id 3
#(http_inspect) HTTP RESPONSE HAS UTF CHARSET WHICH FAILED TO NORMALIZE
suppress gen_id 120, sig_id 4
#(http_inspect) HTTP RESPONSE GZIP DECOMPRESSION FAILED
suppress gen_id 120, sig_id 6
#(http_inspect) INVALID CONTENT-LENGTH OR CHUNK SIZE
suppress gen_id 120, sig_id 8
#(http_inspect) JAVASCRIPT OBFUSCATION LEVELS EXCEEDS 1
suppress gen_id 120, sig_id 9Unknown
suppress gen_id 120, sig_id 10
#(portscan) TCP Portscan
suppress gen_id 122, sig_id 1
#(smtp) Attempted response buffer overflow: 1448 chars
suppress gen_id 124, sig_id 3
#(ftp_telnet) Invalid FTP Command
suppress gen_id 125, sig_id 2
#(ssp_ssl) Invalid Client HELLO after Server HELLO Detected
suppress gen_id 137, sig_id 1
#(IMAP) Unknown IMAP4 command
suppress gen_id 141, sig_id 1
#(spp_dnp3): DNP3 Link-Layer Frame was dropped.
suppress gen_id 145, sig_id 2Now that we are finished setting up snort, let's move on to pfblocker. The way I use pfblocker is a single alias with multiple lists assigned to it. The pro of this is that all IPs are in a single table (that's where Diagnostics > Tables comes in) which helps me see if an IP belongs to the bad guys easily. The con is that there is no easy way of determining which list has a specific IP (see dshield above).
pfblocker lists:
Type List
gz http://list.iblocklist.com/?list=bt_hijacked&fileformat=p2p
gz http://list.iblocklist.com/?list=bt_dshield&fileformat=p2p
gz http://list.iblocklist.com/?list=ficutxiwawokxlcyoeye&fileformat=p2p
gz http://list.iblocklist.com/?list=ghlzqtqxnzctvvajwwag&fileformat=p2p
gz http://list.iblocklist.com/?list=tbnuqfclfkemqivekikv&fileformat=p2p
gz http://list.iblocklist.com/?list=sh_drop&fileformat=p2p
gz http://list.iblocklist.com/?list=bt_spyware&fileformat=p2p
gz http://list.iblocklist.com/?list=npkuuhuxcsllnhoamkvm&fileformat=p2p
gz http://list.iblocklist.com/?list=pbqcylkejciyhmwttify&fileformat=p2p
gz http://list.iblocklist.com/?list=ynkdjqsjyfmilsgbogqf&fileformat=p2p
gz http://list.iblocklist.com/?list=zvjxsfuvdhoxktpeiokq&fileformat=p2p
gz http://list.iblocklist.com/?list=erqajhwrxiuvjxqrrwfj&fileformat=p2p
txt http://rules.emergingthreats.net/fwrules/emerging-Block-IPs.txt
txt http://rules.emergingthreats.net/blockrules/compromised-ips.txt
txt http://rules.emergingthreats.net/blockrules/rbn-malvertisers-ips.txt
gz http://list.iblocklist.com/?list=bt_templist&fileformat=p2p
gz http://list.iblocklist.com/?list=tor&fileformat=p2p
txt http://doc.emergingthreats.net/pub/Main/RussianBusinessNetwork/RussianBusinessNetworkIPs.txt
txt http://www.ciarmy.com/list/ci-badguys.txtBE CAREFUL WITH THE TYPE.
More on some lists. I cannot find specific IPs listed in the list when examining the list manually, but those IPs are listed in the pfblocker table. Don't know why, but any help on this is highly appreciated. This is the reason why I have posted all the lists I use, since the table contains multiple lists.
More fine tuning on the pfsense side (EXPERIMENTAL, need more help with this).
Instead of having a block (you should NEVER have a reject rule) on the WAN and a reject (there is a very specific reasoning for this) rule on each and every single interface, you can use the "magical" floating rules. I need some help with setting up those since there should be a single rule matching block on the wan and a single rule matching reject on all other interfaces. They should be quick rules (those dealing with floating rules know what I mean) but I cannot wrap my head around the block/reject part. If there is a way of selecting multiple interfaces for a rule, that takes care of this problem. Again, I need more help with this.Please test this setup and report any problems with it. I do not claim any credit for snort and/or pfblocker, those were created by others. I'm just making this lists public as my contribution to the community. What to enable/disable was determined by (let's go the beaten to death way) years and years of production use. This setup is running on a pfsense cluster in use in our company, protecting a production server environment, clients, and personal computers. So far not a single problem with it, except the odd false positive from snort. Most of those have been identified already, but since snort rules are updated (mostly) daily new ones are introduced all the time.
Moderator/Admin paragraph
I'm asking this in the nicest possible way. If you would be so kind as to please allow me (or other members) to edit our posts. The reason is that I cannot PM a moderator every time I need to update this list (which is weekly) and furthermore I cannot spam the forum with multiple threads/posts just to keep track of a single list. Take the sticky for example. The current way of keeping the list updated is to PM a mod, and wait if and when my post is edited. Or just go ahead and post a new reply, with the hope that new members will go to the end of the sticky and work their way backwards to find the latest update. I understand that there are problems with editing old posts, but in this case it is my opinion that it should be an exception. Please consider this, to allow me to keep this list updated in a regular and timely way.EDIT: I would appreciate it if a copy of this post replaced my post on the sticky, to simplify things further.
EDIT2: Tested floating rules for outbound traffic. Setting up a floating rule as reject, quick ticked, selecting multiple LAN interfaces (lan,dmz etc…) using ctrl+clicking on the names,direction any, protocol any, source any and destination pfblocker alias works perfectly. Bug listed here: http://redmine.pfsense.org/issues/2009 applies, had to change reject to block and then it logs. The same should apply for WAN connections, except you invert the source and destination. Before anyone asks why use a floating rule on a WAN interface, the answer is not a, its any WAN interface, as in multiple WAN interfaces. Keeps everything nice and tidy. I'll crawl back to my corner now.
-
Once again a great post, and very valuable to me. I agree that this should be stickied, for other people to benefit from.
Thanks for your sharing your knowledge ;D
-
When I try to load this list: http://doc.emergingthreats.net/pub/Main/RussianBusinessNetwork/RussianBusinessNetworkIPs.txt I get a php error from pfblocker.inc line 262. Increasing max table entries doesn't seem to help. Is there another setting I need to tweak?
-
When I try to load this list: http://doc.emergingthreats.net/pub/Main/RussianBusinessNetwork/RussianBusinessNetworkIPs.txt I get a php error from pfblocker.inc line 262. Increasing max table entries doesn't seem to help. Is there another setting I need to tweak?
Can you please post the exact error? Are you sure you increased the tables high enough? I'm using 10,000,000 for max tables (no comment on that, I can neither deny nor confirm anything :P) and the same for max table entries. Did you select txt as the list format (where you enter the list)? Do you have enough RAM to hold all that? Also make sure that pfblocker is set to ONLY create an alias for the lists, not attempt to use the lists directly. Afterwards you should set up rules in your interfaces refering to that alias (have a look above, floating rules help a lot).
Just tested and the file downloads ok to a non pfsense box, and is populated correctly as far as I can tell. Haven't noticed any error on the production machines and I've been monitoring them (almost) constantly for the past 48 hours (just making sure everything works as it should, because the usual alarms have been quiet all month, the NSA must have dialed their systems down due to the recent exposure they got ;D) and I've seen them update the lists twice so far, which means it's something wrong with your configuration. As stated in the IBM manual, don't use the hammer yet, I'm sure someone will figure it out.
Edit: changed max table and max table entries. Was under the wrong impression they were a mil. They are 10mil, just confirmed it on the systems.
-
Thank you for this post!!! :)
So I've applied your list as outlined above and I've done a complete backup of my pfSense from within the webConfigurator. Is there anything that would change these applied settings and thus mess up this config? Snort updates?Thank you again.
EDIT: removed memory usage paragraph. For some reason on the "Dashboard", "System Information" widget the numbers were off. Closed browser, reopened and was fine. hum?
-
If you followed my instructions nothing will change the settings, except updates creating new rules (in which case you have to manually enable them just to be sure) or deleting old rules (doesn't matter since they are deleted anyway). I think bmeeks said a while back (when we discussed the CARP sync feature) that all snort settings are stored in the snort files related to the package.
My guess is that since that package file is backed up during the pfsense full backup (which includes installed packages) then the settings should be included in that backup. I'm sure a more knowledgeable person will come along and correct me.Missed the memory usage paragraph so I'll blindly try to answer anything related to memory. If you just started snort and the memory in dashboard still shows a small amount used (5% on my systems) then snort has not yet finished initializing. You'll notice this by the CPU usage, since it will not be near idle (normal use) but could be up to 50% (HT CPU, means 1 "core" used fully, therefore the system is doing "something").
After a while ram should shoot way up (25% in my case) and this indicates that snort has been fully initialized and is working as it should. If ram does not shoot up, head over to the system logs and you'll find that snort has failed to start and it will give you a reason. Usually it's related to a rule depending on a preprocessor and that preprocessor is not enabled. -
Could I ask a quick question ;D
If you write 'ALL EXCEPT', and there are also some default disabled items in the category, do you then mean to enable these disabled items, or keep them at their default (disabled in this case), and in addition disable the ones you mention after 'EXCEPT'?
Thank you for your answer :P
-
Certainly enable ALL the default disabled ones. An example is the nmap rules. They are disabled but if enabled you'll see a lot of the nmap scans (I'll take a wild guess and say ALL) caught by snort.
EDIT: Special thanks to awsiemieniec for pointing out that some items I have listed are no longer valid. I have looked into this and some rules have been moved to more appropriate categories. For example skype rules used to be under policy and are now under chat. I'll have to update my list and upload a new copy of it. Thanks to all for your understanding and cooperation. Guess summer holidays are not holidays anymore. ;D
EDIT-EDIT: Forgot to mention that on my systems they are still disabled even if moved to a different category, since the enabling/disabling is based on the rule id which is still the same. -
EXTRA EXTRA!!!! Updated list!!! Read all about it!!! First on the pfsense forums!!! EXTRA EXTRA!!!
In tab "Rules", under "Category" select:
(–- means blank table at time of writing)emerging-activex > all
emerging-attack_responses > all
DO NOT USE! > emerging-botcc > use pfblocker with: http://rules.emergingthreats.net/fwrules/emerging-Block-IPs.txt
emerging-chat > all except:
2010784 ET CHAT Facebook Chat (send message)
2010785 ET CHAT Facebook Chat (buddy list)
2010786 ET CHAT Facebook Chat (settings)
2010819 ET CHAT Facebook Chat using XMPP
2002327 ET CHAT Google Talk (Jabber) Client Login
2002334 ET CHAT Google IM traffic Jabber client sign-on
2001241 ET CHAT MSN file transfer request
2001242 ET CHAT MSN file transfer accept
2001243 ET CHAT MSN file transfer reject
2001682 ET CHAT MSN IM Poll via HTTP
2002192 ET CHAT MSN status change
2008289 ET CHAT Possible MSN Messenger File Transfer
2009375 ET CHAT General MSN Chat Activity
2009376 ET CHAT MSN User-Agent Activity
2001595 ET CHAT Skype VOIP Checking Version (Startup)
2002157 ET CHAT Skype User-Agent detected
2003022 ET CHAT Skype Bootstrap Node (udp)DO NOT USE! > emerging-ciarmy > use pfblocker with:
http://www.ciarmy.com/list/ci-badguys.txtDO NOT USE! > emerging-compromised > use pfblocker with: http://rules.emergingthreats.net/blockrules/compromised-ips.txt
emerging-current_events > all
emerging-deleted > ---
emerging-dns > all except:
2008446 ET DNS Excessive DNS Responses with 1 or more RR's (100+ in 10
seconds) - possible Cache Poisoning Attempt
2008470 ET DNS Excessive NXDOMAIN responses - Possible DNS Backscatter or Domain Generation Algorithm Lookups
2001117 ET DNS Standard query response, Name Erroremerging-dos > all
DO NOT USE! > emerging-drop > use pfblocker with: http://list.iblocklist.com/?list=sh_drop&fileformat=p2p
DO NOT USE! > emerging-dshield > use pfblocker with: (cannot find specific list, but ip listed in pfblocker tables, NEED HELP HERE<<<<) Could be due to ET list used by pfblocker. http://rules.emergingthreats.net/blockrules/compromised-ips.txt <<< includes IP related to different subjects, so its a misc list, likely including the hosts I could not find on specific lists.
emerging-exploit > all except:
2001058 ET EXPLOIT libpng tRNS overflow attempt
2002913 ET EXPLOIT VNC Client response
2002914 ET EXPLOIT VNC Server VNC Auth Offer
2002919 ET EXPLOIT VNC Good Authentication Reply
2002915 ET EXPLOIT VNC Authentication Reply
2002758 ET EXPLOIT WMF Escape Record Exploit - Version 1
2002742 ET EXPLOIT WMF Escape Record Exploit - Version 3emerging-ftp > all
emerging-games > all
emerging-icmp > ---
emerging-icmp_info > ---
emerging-imap > ---
emerging-inappropriate > all except:
2002925 ET INAPPROPRIATE Google Image Search, Safe Mode Off
2001608 ET INAPPROPRIATE Likely Pornemerging-info > all except:
2014472 ET INFO JAVA - Java Archive Download
2014473 ET INFO JAVA - Java Archive Download By Vulnerable Client
2014819 ET INFO Packed Executable Download
2015016 ET INFO FTP STOR to External Network
2015561 ET INFO PDF Using CCITTFax Filter
2015744 ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)
2016360 ET INFO JAVA - ClassID
2016361 ET INFO JAVA - ClassID
2016404 ET INFO MPEG Download Over HTTP (1)emerging-malware > all except:
2008438 ET MALWARE Possible Windows executable sent when remote host claims to send a Text File
2012228 ET MALWARE Suspicious Russian Content-Language Ru Which May Be Malware Related
2012229 ET MALWARE Suspicious Chinese Content-Language zh-cn Which May be Malware Relatedemerging-misc > all
emerging-mobile_malware > all except:
2012251 ET MOBILE_MALWARE Google Android Device HTTP Request
2012848 ET MOBILE_MALWARE Possible Mobile Malware POST of IMEI International Mobile Equipment Identity in URIemerging-netbios > all
emerging-p2p > all except:
2000369 ET P2P BitTorrent Announce
2007727 ET P2P possible torrent download
2008581 ET P2P BitTorrent DHT ping request
2008583 ET P2P BitTorrent DHT nodes reply
2008585 ET P2P BitTorrent DHT announce_peers request
2010144 ET P2P Vuze BT UDP Connection (5)
2011699 ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x)
2016662 ET P2P Possible Bittorrent Activity - Multiple DNS Queries For tracker hosts
2014734 ET P2P BitTorrent - Torrent File Downloadedemerging-policy > all except:
2000419 ET POLICY PE EXE or DLL Windows file download
2000428 ET POLICY ZIP file download
2001115 ET POLICY MSI (microsoft installer file) download
2003595 ET POLICY exe download via HTTP - Informational
2001898 ET POLICY eBay Bid Placed
2001907 ET POLICY eBay Placing Item for sale
2001908 ET POLICY eBay View Item
2001909 ET POLICY eBay Watch This Item
2003303 ET POLICY FTP Login Attempt (non-anonymous)
2003410 ET POLICY FTP Login Successful
2003121 ET POLICY docs.google.com Activity
2003597 ET POLICY Google Calendar in Use
2002801 ET POLICY Google Desktop User-Agent Detected
2002838 ET POLICY Google Search Appliance browsing the Internet
2000035 ET POLICY Hotmail Inbox Access
2000036 ET POLICY Hotmail Message Access
2000037 ET POLICY Hotmail Compose Message Access
2000038 ET POLICY Hotmail Compose Message Submit
2000039 ET POLICY Hotmail Compose Message Submit Data
2008238 ET POLICY Hotmail Inbox Access
2008239 ET POLICY Hotmail Message Access
2008240 ET POLICY Hotmail Compose Message Access
2008242 ET POLICY Hotmail Access Full Mode
2006408 ET POLICY HTTP Request on Unusual Port Possibly Hostile
2006409 ET POLICY HTTP POST on unusual Port Possibly Hostile
2002330 ET POLICY Google Talk TLS Client Traffic
2002332 ET POLICY Google IM traffic Windows client user sign-on
2002333 ET POLICY Google IM traffic friend invited
2002878 ET POLICY iTunes User Agent
2002722 ET POLICY MP3 File Transfer Outbound
2002723 ET POLICY MP3 File Transfer Inbound
2001114 ET POLICY Mozilla XPI install files download
2001973 ET POLICY SSH Server Banner Detected on Expected Port
2001974 ET POLICY SSH Client Banner Detected on Expected Port
2001975 ET POLICY SSHv2 Server KEX Detected on Expected Port
2001976 ET POLICY SSHv2 Client KEX Detected on Expected Port
2001977 ET POLICY SSHv2 Client New Keys detected on Expected Port
2001978 ET POLICY SSH session in progress on Expected Port
2001979 ET POLICY SSH Server Banner Detected on Unusual Port
2001980 ET POLICY SSH Client Banner Detected on Unusual Port
2001981 ET POLICY SSHv2 Server KEX Detected on Unusual Port
2001982 ET POLICY SSHv2 Client KEX Detected on Unusual Port
2001983 ET POLICY SSHv2 Client New Keys Detected on Unusual Port
2001984 ET POLICY SSH session in progress on Unusual Port
2009001 ET POLICY Login Credentials Possibly Passed in URI
2009004 ET POLICY Login Credentials Possibly Passed in POST Data
2003214 ET POLICY Pingdom.com Monitoring detected
2003215 ET POLICY Pingdom.com Monitoring Node Active
2001669 ET POLICY Proxy GET Request
2001670 ET POLICY Proxy HEAD Request
2001674 ET POLICY Proxy POST Request
2001675 ET POLICY Proxy CONNECT Request
2002922 ET POLICY VNC Authentication Successful
2002920 ET POLICY VNC Authentication Failure
2003026 ET POLICY Known SSL traffic on port 443 being excluded from SSL Alerts
2004598 ET POLICY Known SSL traffic on port 9001 (aol) being excluded from SSL Alerts
2003027 ET POLICY Known SSL traffic on port 8000 being excluded from SSL Alerts
2003028 ET POLICY Known SSL traffic on port 8080 being excluded from SSL Alerts
2003029 ET POLICY Known SSL traffic on port 8200 being excluded from SSL Alerts
2003030 ET POLICY Known SSL traffic on port 8443 being excluded from SSL Alerts
2003033 ET POLICY Known SSL traffic on port 2967 (Symantec) being excluded from SSL Alerts
2003035 ET POLICY Known SSL traffic on port 3128 (proxy) being excluded from SSL Alerts
2003036 ET POLICY Known SSL traffic on port 8080 (proxy) being excluded from SSL Alerts
2003037 ET POLICY Known SSL traffic on port 8292 (Bloomberg) being excluded from SSL Alerts
2003038 ET POLICY Known SSL traffic on port 8294 (Bloomberg) being excluded from SSL Alerts
2003934 ET POLICY Known SSL traffic on port 1521 (Oracle) being excluded from SSL Alerts
2008543 ET POLICY Known SSL traffic on port 995 (imaps) being excluded from SSL Alerts
2003002 ET POLICY TLS/SSL Client Hello on Unusual Port TLS
2003003 ET POLICY TLS/SSL Client Hello on Unusual Port SSLv3
2003004 ET POLICY TLS/SSL Client Hello on Unusual Port Case 2
2003005 ET POLICY TLS/SSL Client Hello on Unusual Port SSLv3
2003006 ET POLICY TLS/SSL Client Key Exchange on Unusual Port
2003007 ET POLICY TLS/SSL Client Key Exchange on Unusual Port SSLv3
2003008 ET POLICY TLS/SSL Client Cipher Set on Unusual Port
2003009 ET POLICY TLS/SSL Client Cipher Set on Unusual Port SSLv3
2003010 ET POLICY TLS/SSL Server Hello on Unusual Port
2003011 ET POLICY TLS/SSL Server Hello on Unusual Port SSLv3
2003012 ET POLICY TLS/SSL Server Certificate Exchange on Unusual Port
2003013 ET POLICY TLS/SSL Server Certificate Exchange on Unusual Port SSLv3
2003014 ET POLICY TLS/SSL Server Key Exchange on Unusual Port
2003015 ET POLICY TLS/SSL Server Key Exchange on Unusual Port SSLv3
2003018 ET POLICY TLS/SSL Server Cipher Set on Unusual Port
2003019 ET POLICY TLS/SSL Server Cipher Set on Unusual Port SSLv3
2003020 ET POLICY TLS/SSL Encrypted Application Data on Unusual Port
2003021 ET POLICY TLS/SSL Encrypted Application Data on Unusual Port SSLv3
2007671 ET POLICY Binary Download Smaller than 1 MB Likely Hostile
2001449 ET POLICY Proxy Connection detected
2002822 ET POLICY Wget User Agent
2002823 ET POLICY POSSIBLE Web Crawl using Wget
2002824 ET POLICY CURL User Agent
2002934 ET POLICY libwww-perl User Agent
2002828 ET POLICY Googlebot User Agent
2002829 ET POLICY Googlebot Crawl
2002830 ET POLICY Msnbot User Agent
2002831 ET POLICY Msnbot Crawl
2002832 ET POLICY Yahoo Crawler User Agent
2002833 ET POLICY Yahoo Crawler Crawl
2010228 ET POLICY Suspicious Microsoft Windows NT 6.1 User-Agent Detected
2002948 ET POLICY External Windows Update in Progress
2002949 ET POLICY Windows Update in Progress
2001402 ET POLICY ZIPPED DOC in transit
2001403 ET POLICY ZIPPED XLS in transit
2001404 ET POLICY ZIPPED EXE in transit
2001405 ET POLICY ZIPPED PPT in transit
2011874 ET POLICY NSPlayer User-Agent Windows Media Player streaming detected
2012647 ET POLICY Dropbox.com Offsite File Backup in Use
2012648 ET POLICY Dropbox Client Broadcasting
2013028 ET POLICY curl User-Agent Outbound
2013030 ET POLICY libwww-perl User-Agent
2013031 ET POLICY Python-urllib/ Suspicious User Agent
2013290 ET POLICY MOBILE Apple device leaking UDID from SpringBoard via GET
2013414 ET POLICY Executable served from Amazon S3
2013458 ET POLICY Facebook Like Button Clicked (1)
2013459 ET POLICY Facebook Like Button Clicked (2)
2013503 ET POLICY OS X Software Update Request Outbound
2013504 ET POLICY GNU/Linux APT User-Agent Outbound likely related to package management
2013505 ET POLICY GNU/Linux YUM User-Agent Outbound likely related to package management
2014297 ET POLICY Vulnerable Java Version 1.7.x Detected
2014313 ET POLICY Executable Download From DropBox
2014919 ET POLICY Microsoft Online Storage Client Hello TLSv1 Possible SkyDrive (1)
2014920 ET POLICY Microsoft Online Storage Client Hello TLSv1 Possible SkyDrive (2)
2017015 ET POLICY DropBox User Content Access over SSL
2001375 ET POLICY Credit Card Number Detected in Clear (16 digit spaced)
2001376 ET POLICY Credit Card Number Detected in Clear (16 digit dashed)
2001377 ET POLICY Credit Card Number Detected in Clear (16 digit)
2001378 ET POLICY Credit Card Number Detected in Clear (15 digit)
2001379 ET POLICY Credit Card Number Detected in Clear (15 digit spaced)
2001380 ET POLICY Credit Card Number Detected in Clear (15 digit dashed)
2001381 ET POLICY Credit Card Number Detected in Clear (14 digit)
2001382 ET POLICY Credit Card Number Detected in Clear (14 digit spaced)
2001383 ET POLICY Credit Card Number Detected in Clear (14 digit dashed)
2009293 ET POLICY Credit Card Number Detected in Clear (15 digit spaced 2)
2009294 ET POLICY Credit Card Number Detected in Clear (15 digit dashed 2)
2001328 ET POLICY SSN Detected in Clear Text (dashed)
2001384 ET POLICY SSN Detected in Clear Text (spaced)
2007971 ET POLICY SSN Detected in Clear Text (SSN )
2007972 ET POLICY SSN Detected in Clear Text (SSN# )
2011854 ET POLICY Java JAR file download
2002749 ET POLICY Unallocated IP Space Traffic - Bogon Nets <<<<<<<< handled by ticking block bogon networks in interface settings
2002752 ET POLICY Reserved Internal IP Traffic <<<<<<<<<<<<< handled by ticking block private networks in interface settingsemerging-pop3 > ---
DO NOT USE! > emerging-rbn-malvertisers > use pfblocker with: http://doc.emergingthreats.net/pub/Main/RussianBusinessNetwork/emerging-rbn-malvertisers.txt
DO NOT USE! > emerging-rbn > use pfblocker with: http://doc.emergingthreats.net/pub/Main/RussianBusinessNetwork/RussianBusinessNetworkIPs.txt
emerging-rpc > ---
emerging-scada > all
emerging-scan > all except
2002992 ET SCAN Rapid POP3 Connections - Possible Brute Force Attack
2002993 ET SCAN Rapid POP3S Connections - Possible Brute Force Attack
2002994 ET SCAN Rapid IMAP Connections - Possible Brute Force Attack
2002995 ET SCAN Rapid IMAPS Connections - Possible Brute Force Attackemerging-shellcode > all except
2011803 ET SHELLCODE Possible TCP x86 JMP to CALL Shellcode Detected
2012252 ET SHELLCODE Common 0a0a0a0a Heap Spray String
2012257 ET SHELLCODE Common %0c%0c%0c%0c Heap Spray String
2012510 ET SHELLCODE UTF-8/16 Encoded Shellcode
2013222 ET SHELLCODE Excessive Use of HeapLib Objects Likely Malicious Heap Spray Attempt
2013267 ET SHELLCODE Hex Obfuscated JavaScript Heap Spray 0a0a0a0aemerging-smtp > all
emerging-snmp > all
emerging-sql > all
emerging-telnet > all
emerging-tftp > all
DO NOT USE! > emerging-tor > use pfblocker with http://list.iblocklist.com/?list=tor&fileformat=p2p
emerging-trojan > all except
2009205 ET TROJAN Possible Downadup/Conficker-C P2P encrypted traffic UDP Ping Packet (bit value 1)
2009206 ET TROJAN Possible Downadup/Conficker-C P2P encrypted traffic UDP Ping Packet (bit value 4)
2009207 ET TROJAN Possible Downadup/Conficker-C P2P encrypted traffic UDP Ping Packet (bit value 5)
2009208 ET TROJAN Possible Downadup/Conficker-C P2P encrypted traffic UDP Ping Packet (bit value 16)
2001046 ET TROJAN UPX compressed file download possible malwareemerging-user_agents > all except:
2010697 ET USER_AGENTS Suspicious User-Agent Beginning with digits - Likely spyware/trojanemerging-voip > all
emerging-web_client > all except
2011347 ET WEB_CLIENT Possible String.FromCharCode Javascript Obfuscation Attempt
2011507 ET WEB_CLIENT PDF With Embedded File
2010518 ET WEB_CLIENT Possible HTTP 404 XSS Attempt (External Source)
2012056 ET WEB_CLIENT Flash Player Flash6.ocx AllowScriptAccess Denial of Service
2012075 ET WEB_CLIENT Possible Internet Explorer CSS Parser Remote Code Execution Attempt
2012119 ET WEB_CLIENT Possible Hex Obfuscation Usage On Webpage
2012205 ET WEB_CLIENT Possible Malicious String.fromCharCode with charCodeAt String
2012266 ET WEB_CLIENT Hex Obfuscation of unescape % Encoding
2012272 ET WEB_CLIENT Hex Obfuscation of eval % Encoding
2012398 ET WEB_CLIENT Hex Obfuscation of replace Javascript Function % Encoding
2010527 ET WEB_CLIENT Possible HTTP 503 XSS Attempt (External Source)
2010931 ET WEB_CLIENT Possible IE iepeers.dll Use-after-free Code Execution Attemptemerging-web_server > all except
2003099 ET WEB_SERVER Poison Null Byte
2015526 ET WEB_SERVER Fake Googlebot UA 1 Inboundemerging-web_specific_apps > all except:
2010890 ET WEB_SPECIFIC_APPS phpBB3 registration (Step1 GET)
2010891 ET WEB_SPECIFIC_APPS phpBB3 registration (Step2 POST)
2010892 ET WEB_SPECIFIC_APPS phpBB3 registration (Step3 GET)
2010893 ET WEB_SPECIFIC_APPS phpBB3 registration (Step4 POST)emerging-worm > all
GPLv2 community rules > all except
254 DNS SPOOF query response with TTL of 1 min. and no authority
384 PROTOCOL-ICMP PING
385 PROTOCOL-ICMP traceroute
399 PROTOCOL-ICMP Destination Unreachable Host Unreachable
402 PROTOCOL-ICMP Destination Unreachable Port Unreachable
408 PROTOCOL-ICMP Echo Reply
540 POLICY-SOCIAL Microsoft MSN message
648 INDICATOR-SHELLCODE x86 NOOP
649 INDICATOR-SHELLCODE x86 setgid 0
1200 INDICATOR-COMPROMISE Invalid URL
1201 INDICATOR-COMPROMISE 403 Forbidden
1292 INDICATOR-COMPROMISE directory listing
1390 INDICATOR-SHELLCODE x86 inc ebx NOOP
1394 INDICATOR-SHELLCODE x86 inc ecx NOOP
1437 FILE-IDENTIFY Microsoft Windows Media download detected
1841 FILE-OTHER Oracle Javascript URL host spoofing attempt
1846 POLICY-MULTIMEDIA vncviewer Java applet download attempt
1852 SERVER-WEBAPP robots.txt access
1986 POLICY-SOCIAL Microsoft MSN outbound file transfer request
1988 POLICY-SOCIAL Microsoft MSN outbound file transfer accept
1989 POLICY-SOCIAL Microsoft MSN outbound file transfer rejected
1990 POLICY-SOCIAL Microsoft MSN user search
1991 POLICY-SOCIAL Microsoft MSN login attempt
2180 PUA-P2P BitTorrent announce request
2181 PUA-P2P BitTorrent transfer
2707 FILE-IMAGE JPEG parser multipacket heap overflow
3463 SERVER-WEBAPP awstats access
25518 OS-OTHER Apple iPod User-Agent detected
25519 OS-OTHER Apple iPad User-Agent detected
25520 OS-OTHER Apple iPhone User-Agent detected
25521 OS-OTHER Android User-Agent detected
25522 OS-OTHER Nokia User-Agent detected
25523 OS-OTHER Samsung User-Agent detected
25524 OS-OTHER Kindle User-Agent detected
25525 OS-OTHER Nintendo User-Agent detectedIPS Policy - Security > all except
26354 BROWSER-IE Microsoft Internet Explorer expression clause in style tag cross site scripting attempt
19436 BROWSER-IE Microsoft Internet Explorer CStyleSheetRule array memory corruption attempt
18196 BROWSER-IE Microsoft Internet Explorer CSS importer use-after-free attempt
16482 BROWSER-IE Microsoft Internet Explorer userdata behavior memory corruption attempt
15147 BROWSER-IE Microsoft Internet Explorer malformed iframe buffer overflow attempt
13964 BROWSER-IE Microsoft Internet Explorer span frontier parsing memory corruption
11257 BROWSER-IE Microsoft Internet Explorer colgroup tag uninitialized memory exploit attempt
8375 BROWSER-PLUGINS QuickTime Object ActiveX clsid access
24891 FILE-FLASH Action InitArray stack overflow attempt
24889 FILE-FLASH Action InitArray stack overflow attempt
12183 FILE-FLASH Adobe FLV long string script data buffer overflow
24714 FILE-IMAGE Oracle Outside In JPEG COC parameter buffer overflow attempt
24713 FILE-IMAGE Oracle Outside In JPEG COD parameter buffer overflow attempt
2707 FILE-IMAGE JPEG parser multipacket heap overflow
23170 FILE-MULTIMEDIA Apple QuickTime MPEG stream padding buffer overflow attempt
13919 FILE-MULTIMEDIA Apple QuickTime MOV file string handling integer overflow attempt
21927 FILE-OFFICE Microsoft Office Excel style handling overflow attempt
15866 FILE-OTHER libxml2 file processing long entity overflow attempt
23101 FILE-OTHER Cisco WebEx recording integer overflow attempt
23100 FILE-OTHER Cisco WebEx recording integer overflow attempt
24229 FILE-OTHER RealNetworks Netzip Classic zip archive long filename buffer overflow attempt
6504 FILE-OTHER Sophos Anti-Virus CAB file overflow attempt
16295 FILE-OTHER Kaspersky antivirus library heap buffer overflow - without optional fields
25459 FILE-PDF Adobe Reader incomplete JP2K image geometry - potentially malicious
15362 INDICATOR-OBFUSCATION obfuscated javascript excessive fromCharCode - potential attack
26616 INDICATOR-OBFUSCATION Javascript indexOf rename attempt
13864 POLICY-OTHER Microsoft Watson error reporting attempt
540 POLICY-SOCIAL Microsoft MSN message
1986 POLICY-SOCIAL Microsoft MSN outbound file transfer request
1988 POLICY-SOCIAL Microsoft MSN outbound file transfer accept
1989 POLICY-SOCIAL Microsoft MSN outbound file transfer rejected
1990 POLICY-SOCIAL Microsoft MSN user search
1991 POLICY-SOCIAL Microsoft MSN login attempt
5694 PUA-P2P Skype client setup get newest version attempt
5693 PUA-P2P Skype client start up get latest version attempt
5999 PUA-P2P Skype client login
5998 PUA-P2P Skype client login startup
16281 PUA-P2P BitTorrent scrape request
5692 PUA-P2P Skype client successful install
16320 WEB-CLIENT Adobe PNG empty sPLT exploit attempt
15975 WEB-CLIENT OpenOffice TIFF file in little endian format parsing integer overflow attempt
15976 WEB-CLIENT OpenOffice TIFF file in big endian format parsing integer overflow attempt
15317 BROWSER-PLUGINS Akamai DownloadManager ActiveX function call access
26926 FILE-OTHER Multiple products ZIP archive virus detection bypass attemptSuppression list:
#GLOBAL
gen_id 1
suppress gen_id 1, sig_id 536
suppress gen_id 1, sig_id 648
suppress gen_id 1, sig_id 653
suppress gen_id 1, sig_id 1390
suppress gen_id 1, sig_id 2452
suppress gen_id 1, sig_id 11192
suppress gen_id 1, sig_id 15306
suppress gen_id 1, sig_id 16313
suppress gen_id 1, sig_id 17458
suppress gen_id 1, sig_id 20583
suppress gen_id 1, sig_id 23098
suppress gen_id 1, sig_id 2000334
suppress gen_id 1, sig_id 2008120
suppress gen_id 1, sig_id 2010516
suppress gen_id 1, sig_id 20122758
suppress gen_id 1, sig_id 2014518
suppress gen_id 1, sig_id 2014520
suppress gen_id 1, sig_id 2100366
suppress gen_id 1, sig_id 2100368
suppress gen_id 1, sig_id 2100651
suppress gen_id 1, sig_id 2101390
suppress gen_id 1, sig_id 2101424
suppress gen_id 1, sig_id 2102314
suppress gen_id 1, sig_id 2103134
suppress gen_id 1, sig_id 2500056
suppress gen_id 1, sig_id 100000230
suppress gen_id 3, sig_id 14772
#(http_inspect) DOUBLE DECODING ATTACK
suppress gen_id 119, sig_id 2
#(http_inspect) BARE BYTE UNICODE ENCODING
suppress gen_id 119, sig_id 4
#(http_inspect) IIS UNICODE CODEPOINT ENCODING
suppress gen_id 119, sig_id 7
#(http_inspect) NON-RFC DEFINED CHAR [**]
suppress gen_id 119, sig_id 14
#(http_inspect) UNKNOWN METHOD
suppress gen_id 119, sig_id 31
#(http_inspect) SIMPLE REQUEST
suppress gen_id 119, sig_id 32
#(http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE
suppress gen_id 120, sig_id 2
#(http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE
suppress gen_id 120, sig_id 3
#(http_inspect) HTTP RESPONSE HAS UTF CHARSET WHICH FAILED TO NORMALIZE
suppress gen_id 120, sig_id 4
#(http_inspect) HTTP RESPONSE GZIP DECOMPRESSION FAILED
suppress gen_id 120, sig_id 6
#(http_inspect) INVALID CONTENT-LENGTH OR CHUNK SIZE
suppress gen_id 120, sig_id 8
#(http_inspect) JAVASCRIPT OBFUSCATION LEVELS EXCEEDS 1
suppress gen_id 120, sig_id 9
#unknown
suppress gen_id 120, sig_id 10
#(portscan) TCP Portscan
suppress gen_id 122, sig_id 1
#(smtp) Attempted response buffer overflow: 1448 chars
suppress gen_id 124, sig_id 3
#(ftp_telnet) Invalid FTP Command
suppress gen_id 125, sig_id 2
#(ssp_ssl) Invalid Client HELLO after Server HELLO Detected
suppress gen_id 137, sig_id 1
#(IMAP) Unknown IMAP4 command
suppress gen_id 141, sig_id 1
#(spp_dnp3): DNP3 Link-Layer Frame was dropped.
suppress gen_id 145, sig_id 2
#ET POLICY PE EXE or DLL Windows file download <<< STUBBORN RULE, GENERATES ALERTS EVEN WHEN DISABLED!!!
suppress gen_id 1, sig_id 2000419pfblocker lists can be found in the first post.
Rules moved to different categories:
Old category > emerging-policy
2001595 ET POLICY Skype VOIP Checking Version (Startup) <<< moved to emerging_chat
2002157 ET POLICY Skype User-Agent detected <<< moved to emerging_chat
2003022 ET POLICY Skype Bootstrap Node (udp) <<< moved to emerging_chat
2014734 ET POLICY BitTorrent - Torrent File Downloaded <<< moved to emerging_p2pI would like to take a few moments to commemorate the MiA Rules (Missing in Action). Queue guards of honor, salute firing squad, flag over empty coffin etc…etc...
The following rules have not been accounted for. This means that they are presumed to be MiA and therefore should be buried with military honors. They have tried their best to provide their best possible service to all of us. Sometimes they have failed at this. This should not be considered a flaw of their character or their qualities. They simply executed commands passed on to them to the best of their abilities. Their death should teach us all a few lessons. The most important lesson should be that even if you have put 120% of your best effort into writing a rule, you should analyze it, read it, use it and analyze it again. 120% is not enough when writing rules at this crucial age of The Cyber War. They have died heroes to our eyes and their numbers and names are:
IPS Policy - Security
4152 BROWSER-PLUGINS Microsoft Windows Media Player 6.4 ActiveX object access gunshot!
16435 FILE-IDENTIFY Ultimate Packer for Executables/UPX v0.62-v1.22 packed file magic detected gunshot!
20278 BROWSER-IE Microsoft Internet Explorer HTML DOM invalid DHTML textnode creation attempt gunshot!
26879 BROWSER-OTHER local loopback address in html gunshot!Queue your country's national anthem, queue flag folding and lowering the coffin into the grave.
A moment of silence….
-
In regards to "how much memory will this take?", I've installed these rules and here are my findings. I have a 4GB system and I run the following packages:
Dansguardian 2.12.0.3 pkg v.0.1.8
darkstat 3.0.714
NRPE v2 2.12_3 v2.2
OpenVPN Client Export Utility 1.0.11
pfBlocker 1.0.2
snort 2.9.4.6 pkg v. 2.5.9
squid 2.7.9 pkg v.4.3.3Your mileage may vary. Each snort "performance" change was done in the following process:
-
Edit Snort interface/WAN Settings/Search Method
-
Save change
-
Reboot system
-
SSH into system
-
do a "top -SH"
-
watch and wait for snort to finish loading
-
when snort finishes wait five minutes and take readings
-
repeat…ugh
KEY:
Snort Performance Search Method: System Memory Usage%/System SWAP%/snort Process MemoryMB
System Memory Usage: Value taken from "Dashboard", "System Information", "Memory Usage" value
System SWAP: Value taken from "Dashboard", "System Information", "SWAP usage" value
snort Process Memory: taken from command "top -SH", "size". Values with an "*" denote the "size" value of snort didn't show up on "top -SH"… too far down the list. I don't know how to use "top" to only show a single process. :-)snort disabled (baseline) - 14/0/*
AC-BNFA: 27%/0%/*
AC-SPLIT: 26%/0%/716MB
LOWMEM: 28%/0%/766MB
AC-STD: 88%/46%/7254MB
AC: 90%/14%/4101MB
AC-NQ: 83%/14%/4100MB
AC-BNFA-NQ: 29%/0%/764MB
AC-LOWMEM-NQ: 27%/0%/*
AC-BANDED: 84%/38%/6078MB
AC-SPARSEBANDS: 67%/22%/5058MB
ACS: 86%/37%/6004MB
(% are based off of a 4GB RAM system and 8GB SWAP) -
-
Thanks for posting that. I believe it's the first time I've seen all the memory figures in the same place.
What I make of them is that unless you want to run AC, you don't really need any more RAM than 2GB. I'm using 30% of that (was 25% but I improved our "early warning systems", which means more rules for snort to use, therefore more RAM). Don't forget that we are talking about every snort rule enabled here, excluding FP ones).
In what I recall and please don't use this against me, it's been a while since I've looked into this, this is the analysis of the different modes:
LOWMEM
LOWMEM > pretty much useless, since RAM usage appears to be the same as AC-BNFA(-NQ). Never used it, never will.
AC-LOWMEM-NQ > see aboveBNFA
AC-BNFA > the old de-facto standard mode used by most snort sensors (you'd think since it was the default). Offers pretty good performance, without eating through RAM.
AC-BNFA-NQ > The new default mode. As with all NQ modes, it was created to improve performance based on the logic that since modern CPUs (anything newer than a pentium 1) can do a pretty good job at running near their full capacity, packets don't need to stay in queues waiting for their chance to get analyzed after they have been evaluated as a potential candidate. They get analyzed as they come in, which improves latency. IF I'M WRONG HERE DO CORRECT ME! I've seen 10ms drops in latency using this, and this is my personal favourite mode.AC-SPLIT > Repeatedly hitting this on the knee caps makes it respond the same as ticking split any any. Useless IMHO, I only feel sorry about the time spent writing the code for it.
AC-SPARSEBANDS > I have no idea what this is. It's described as high-memory,moderate performance. I'll take AC-BNFA-NQ which is described as low-memory, high performance, thank you very much.
AC-BANDED > see aboveAnd finally what you've all been waiting for…
AC
AC-SPLIT > I'll take my chances with not ticking the split any any box, thanks.
AC-STD > Superseded by AC and AC-NQ. Used to be king, but as always the king is dead, long live the king.
AC > Old end-all be-all mode. Nothing else to add to that. If your system can run this, use it. Better still, see next. Better-better still, see next paragraph.
AC-NQ > New end-all be-all mode. As mentioned above, I've seen NQ modes reduce latency under heavy load.
ACS > created because as in Ubuntu, we (they) fixed everything else and needed to break something to justify the time spent on the project.In summary, myself and most users will always chose AC-BNFA-NQ since it's the best performance:usage ratio. Low memory, low latency, doesn't choke if you put it under stress (I'm not talking about saturating a 1Gbit business connection here, I'm talking about regular home usage). If you have a system capable of running AC-NQ, you are doing it wrong. Uninstall pfsense and snort and use the box as a suricata box infront of a smaller spec pfsense box. I'm not kidding, a box should never be wasted running snort AC-NQ on pfsense. Ever. Reason is that snort on pfsense currently acts as an IDS instead of an IPS. As I've said in the past, it "leaks" packets until it's finished analyzing, alerting and banning an IP. Those packets make their way to your servers and could cause problems (assuming that they are valid packets and not dropped by pfsense). If you built a box to run AC-NQ it means you are serious about security, and suricata configured as an IPS in front of your routers is your best choice. Double the boxes and you have a failover solution as well.
As always, If I'm wrong about something PLEASE CORRECT me. Unless you are an Ubuntu developer and feel hurt by my comment. In that case sorry, go cry in the corner until you realize that I'm right.
EDIT: I just realized one thing. Most of my posts are like a complete page of a book. Note to self: Must cut down on thread length.
-
I have one snort sensor on WAN and IPS "balanced" in AC mode and this takes only:
PID USERNAME THR PRI NICE SIZE RES STATE C TIME WCPU COMMAND 35196 root 2 64 20 641M 438M nanslp 1 16:21 0.00% snortI wonder why it takes so much memory on @awsiemieniec system?
-
I have one snort sensor on WAN and IPS "balanced" in AC mode and this takes only:
PID USERNAME THR PRI NICE SIZE RES STATE C TIME WCPU COMMAND 35196 root 2 64 20 641M 438M nanslp 1 16:21 0.00% snortI wonder why it takes so much memory on @awsiemieniec system?
Yeah… me too.
Are you running all the rules as outlined by jflsakfja or have you just enabled the snort interface on WAN and set IPS to "balanced"? FYIW, my IPS is set to "Security".
Does anyone know how to count how many active rules are in play in snort?
-
I tested on a VM with all ET rules selected and IPS "security" but then my snort ends with a fatal error. I was watching top while snort was starting and saw memory use slowly climbing to 4 GB and then snort was killed with an error.
I don't use all those ET rules from @jflsakfja because I think it is overkill for my home system. I once used IPS "security" but then it needed so much tuning that I chose for "balanced". I have a few suppress list entries and now I almost never get an alert.At least I know now how memory hungry Snort can be. :)
-
New lists are out. Get prepared for next week's cyber attack now. The authorization was just cleared. Expect a "Keeping You Scared" appearance by Diane (note to the FBI operative reading this: If you can, please contact her and tell her Pegasus will fly low). The scenario is Russian spies will attempt to infiltrate NSA's systems, and in retaliation, NSA will launch an attack. Don't get caught in the crossfire. Update your snort configuration now! The actual attack will start a couple of days before Christmas, to keep the "covert" part obvious.
Update notes: All lists have a >>>DISABLED:# on the bottom. Scrolling down in your pfsense and checking the numbers in a list there shows you in a glance if the list is identical to what is shown here.
–------------------------------------------------------------------------------------------------------------------------------------------------
In tab "Rules", under "Category" select:
(--- means blank table at time of writing)emerging-activex > all
DISABLED:0
emerging-attack_responses > all
DISABLED:0
DO NOT USE! > emerging-botcc > use pfblocker with: http://rules.emergingthreats.net/fwrules/emerging-Block-IPs.txt
emerging-chat > all except:
2010784 ET CHAT Facebook Chat (send message)
2010785 ET CHAT Facebook Chat (buddy list)
2010786 ET CHAT Facebook Chat (settings)
2010819 ET CHAT Facebook Chat using XMPP
2002327 ET CHAT Google Talk (Jabber) Client Login
2002334 ET CHAT Google IM traffic Jabber client sign-on
2001241 ET CHAT MSN file transfer request
2001242 ET CHAT MSN file transfer accept
2001243 ET CHAT MSN file transfer reject
2001682 ET CHAT MSN IM Poll via HTTP
2002192 ET CHAT MSN status change
2008289 ET CHAT Possible MSN Messenger File Transfer
2009375 ET CHAT General MSN Chat Activity
2009376 ET CHAT MSN User-Agent Activity
2001595 ET CHAT Skype VOIP Checking Version (Startup)
2002157 ET CHAT Skype User-Agent detected
2003022 ET CHAT Skype Bootstrap Node (udp)DISABLED:17
DO NOT USE! > emerging-ciarmy > use pfblocker with: http://www.ciarmy.com/list/ci-badguys.txt
DO NOT USE! > emerging-compromised > use pfblocker with: http://rules.emergingthreats.net/blockrules/compromised-ips.txt
emerging-current_events > all
DISABLED:0
emerging-deleted > ---
emerging-dns > all except:
2008446 ET DNS Excessive DNS Responses with 1 or more RR's (100+ in 10 seconds) - possible Cache Poisoning Attempt
2008470 ET DNS Excessive NXDOMAIN responses - Possible DNS Backscatter or Domain Generation Algorithm Lookups
2001117 ET DNS Standard query response, Name ErrorDISABLED:3
emerging-dos > all
DISABLED:0
DO NOT USE! > emerging-drop > use pfblocker with: http://list.iblocklist.com/?list=sh_drop&fileformat=p2p
DO NOT USE! > emerging-dshield > use pfblocker with: (cannot find specific list, but ip listed in pfblocker tables, NEED HELP HERE<<<<) Could be due to ET list used by pfblocker. http://rules.emergingthreats.net/blockrules/compromised-ips.txt <<< includes IP related to different subjects, so its a misc list, likely including the hosts I could not find on specific lists.
emerging-exploit > all except:
2001058 ET EXPLOIT libpng tRNS overflow attempt
2002913 ET EXPLOIT VNC Client response
2002914 ET EXPLOIT VNC Server VNC Auth Offer
2002919 ET EXPLOIT VNC Good Authentication Reply
2002915 ET EXPLOIT VNC Authentication Reply
2002758 ET EXPLOIT WMF Escape Record Exploit - Version 1
2002742 ET EXPLOIT WMF Escape Record Exploit - Version 3DISABLED:7
emerging-ftp > all
DISABLED:0
emerging-games > all
DISABLED:0
emerging-icmp > ---
emerging-icmp_info > ---
emerging-imap > ---
emerging-inappropriate > all except:
2002925 ET INAPPROPRIATE Google Image Search, Safe Mode Off
2001608 ET INAPPROPRIATE Likely PornDISABLED:2
emerging-info > all except:
2014472 ET INFO JAVA - Java Archive Download
2014473 ET INFO JAVA - Java Archive Download By Vulnerable Client
2014819 ET INFO Packed Executable Download
2015016 ET INFO FTP STOR to External Network
2015561 ET INFO PDF Using CCITTFax Filter
2015744 ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)
2016360 ET INFO JAVA - ClassID
2016361 ET INFO JAVA - ClassID
2016404 ET INFO MPEG Download Over HTTP (1)
2015674 ET INFO 3XX redirect to data URL
2016847 ET INFO Possible Chrome Plugin install
2017669 ET INFO Zip FileDISABLED:12
emerging-malware > all except:
2008438 ET MALWARE Possible Windows executable sent when remote host claims to send a Text File
2012228 ET MALWARE Suspicious Russian Content-Language Ru Which May Be Malware Related
2012229 ET MALWARE Suspicious Chinese Content-Language zh-cn Which May be Malware RelatedDISABLED:3
emerging-misc > all
DISABLED:0
emerging-mobile_malware > all except:
2012251 ET MOBILE_MALWARE Google Android Device HTTP Request
2012848 ET MOBILE_MALWARE Possible Mobile Malware POST of IMEI International Mobile Equipment Identity in URIDISABLED:2
emerging-netbios > all
DISABLED:0
emerging-p2p > all except:
2000369 ET P2P BitTorrent Announce
2007727 ET P2P possible torrent download
2008581 ET P2P BitTorrent DHT ping request
2008583 ET P2P BitTorrent DHT nodes reply
2008585 ET P2P BitTorrent DHT announce_peers request
2010144 ET P2P Vuze BT UDP Connection (5)
2011699 ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x)
2016662 ET P2P Possible Bittorrent Activity - Multiple DNS Queries For tracker hosts
2014734 ET P2P BitTorrent - Torrent File Downloaded
2003317 ET P2P Edonkey Search Request (any type file)
2009971 ET P2P eMule KAD Network Hello Request (2)
2013869 ET P2P Torrent Client User-Agent (Solid Core/0.82)DISABLED:12
emerging-policy > all except:
2000419 ET POLICY PE EXE or DLL Windows file download
2000428 ET POLICY ZIP file download
2001115 ET POLICY MSI (microsoft installer file) download
2003595 ET POLICY exe download via HTTP - Informational
2001898 ET POLICY eBay Bid Placed
2001907 ET POLICY eBay Placing Item for sale
2001908 ET POLICY eBay View Item
2001909 ET POLICY eBay Watch This Item
2003303 ET POLICY FTP Login Attempt (non-anonymous)
2003410 ET POLICY FTP Login Successful
2003121 ET POLICY docs.google.com Activity
2003597 ET POLICY Google Calendar in Use
2002801 ET POLICY Google Desktop User-Agent Detected
2002838 ET POLICY Google Search Appliance browsing the Internet
2000035 ET POLICY Hotmail Inbox Access
2000036 ET POLICY Hotmail Message Access
2000037 ET POLICY Hotmail Compose Message Access
2000038 ET POLICY Hotmail Compose Message Submit
2000039 ET POLICY Hotmail Compose Message Submit Data
2008238 ET POLICY Hotmail Inbox Access
2008239 ET POLICY Hotmail Message Access
2008240 ET POLICY Hotmail Compose Message Access
2008242 ET POLICY Hotmail Access Full Mode
2006408 ET POLICY HTTP Request on Unusual Port Possibly Hostile
2006409 ET POLICY HTTP POST on unusual Port Possibly Hostile
2002330 ET POLICY Google Talk TLS Client Traffic
2002332 ET POLICY Google IM traffic Windows client user sign-on
2002333 ET POLICY Google IM traffic friend invited
2002878 ET POLICY iTunes User Agent
2002722 ET POLICY MP3 File Transfer Outbound
2002723 ET POLICY MP3 File Transfer Inbound
2001114 ET POLICY Mozilla XPI install files download
2001973 ET POLICY SSH Server Banner Detected on Expected Port
2001974 ET POLICY SSH Client Banner Detected on Expected Port
2001975 ET POLICY SSHv2 Server KEX Detected on Expected Port
2001976 ET POLICY SSHv2 Client KEX Detected on Expected Port
2001977 ET POLICY SSHv2 Client New Keys detected on Expected Port
2001978 ET POLICY SSH session in progress on Expected Port
2001979 ET POLICY SSH Server Banner Detected on Unusual Port
2001980 ET POLICY SSH Client Banner Detected on Unusual Port
2001981 ET POLICY SSHv2 Server KEX Detected on Unusual Port
2001982 ET POLICY SSHv2 Client KEX Detected on Unusual Port
2001983 ET POLICY SSHv2 Client New Keys Detected on Unusual Port
2001984 ET POLICY SSH session in progress on Unusual Port
2009001 ET POLICY Login Credentials Possibly Passed in URI
2009004 ET POLICY Login Credentials Possibly Passed in POST Data
2003214 ET POLICY Pingdom.com Monitoring detected
2003215 ET POLICY Pingdom.com Monitoring Node Active
2001669 ET POLICY Proxy GET Request
2001670 ET POLICY Proxy HEAD Request
2001674 ET POLICY Proxy POST Request
2001675 ET POLICY Proxy CONNECT Request
2002922 ET POLICY VNC Authentication Successful
2002920 ET POLICY VNC Authentication Failure
2003026 ET POLICY Known SSL traffic on port 443 being excluded from SSL Alerts
2004598 ET POLICY Known SSL traffic on port 9001 (aol) being excluded from SSL Alerts
2003027 ET POLICY Known SSL traffic on port 8000 being excluded from SSL Alerts
2003028 ET POLICY Known SSL traffic on port 8080 being excluded from SSL Alerts
2003029 ET POLICY Known SSL traffic on port 8200 being excluded from SSL Alerts
2003030 ET POLICY Known SSL traffic on port 8443 being excluded from SSL Alerts
2003033 ET POLICY Known SSL traffic on port 2967 (Symantec) being excluded from SSL Alerts
2003035 ET POLICY Known SSL traffic on port 3128 (proxy) being excluded from SSL Alerts
2003036 ET POLICY Known SSL traffic on port 8080 (proxy) being excluded from SSL Alerts
2003037 ET POLICY Known SSL traffic on port 8292 (Bloomberg) being excluded from SSL Alerts
2003038 ET POLICY Known SSL traffic on port 8294 (Bloomberg) being excluded from SSL Alerts
2003934 ET POLICY Known SSL traffic on port 1521 (Oracle) being excluded from SSL Alerts
2008543 ET POLICY Known SSL traffic on port 995 (imaps) being excluded from SSL Alerts
2003002 ET POLICY TLS/SSL Client Hello on Unusual Port TLS
2003003 ET POLICY TLS/SSL Client Hello on Unusual Port SSLv3
2003004 ET POLICY TLS/SSL Client Hello on Unusual Port Case 2
2003005 ET POLICY TLS/SSL Client Hello on Unusual Port SSLv3
2003006 ET POLICY TLS/SSL Client Key Exchange on Unusual Port
2003007 ET POLICY TLS/SSL Client Key Exchange on Unusual Port SSLv3
2003008 ET POLICY TLS/SSL Client Cipher Set on Unusual Port
2003009 ET POLICY TLS/SSL Client Cipher Set on Unusual Port SSLv3
2003010 ET POLICY TLS/SSL Server Hello on Unusual Port
2003011 ET POLICY TLS/SSL Server Hello on Unusual Port SSLv3
2003012 ET POLICY TLS/SSL Server Certificate Exchange on Unusual Port
2003013 ET POLICY TLS/SSL Server Certificate Exchange on Unusual Port SSLv3
2003014 ET POLICY TLS/SSL Server Key Exchange on Unusual Port
2003015 ET POLICY TLS/SSL Server Key Exchange on Unusual Port SSLv3
2003018 ET POLICY TLS/SSL Server Cipher Set on Unusual Port
2003019 ET POLICY TLS/SSL Server Cipher Set on Unusual Port SSLv3
2003020 ET POLICY TLS/SSL Encrypted Application Data on Unusual Port
2003021 ET POLICY TLS/SSL Encrypted Application Data on Unusual Port SSLv3
2007671 ET POLICY Binary Download Smaller than 1 MB Likely Hostile
2001449 ET POLICY Proxy Connection detected
2002822 ET POLICY Wget User Agent
2002823 ET POLICY POSSIBLE Web Crawl using Wget
2002824 ET POLICY CURL User Agent
2002934 ET POLICY libwww-perl User Agent
2002828 ET POLICY Googlebot User Agent
2002829 ET POLICY Googlebot Crawl
2002830 ET POLICY Msnbot User Agent
2002831 ET POLICY Msnbot Crawl
2002832 ET POLICY Yahoo Crawler User Agent
2002833 ET POLICY Yahoo Crawler Crawl
2010228 ET POLICY Suspicious Microsoft Windows NT 6.1 User-Agent Detected
2002948 ET POLICY External Windows Update in Progress
2002949 ET POLICY Windows Update in Progress
2001402 ET POLICY ZIPPED DOC in transit
2001403 ET POLICY ZIPPED XLS in transit
2001404 ET POLICY ZIPPED EXE in transit
2001405 ET POLICY ZIPPED PPT in transit
2011874 ET POLICY NSPlayer User-Agent Windows Media Player streaming detected
2012647 ET POLICY Dropbox.com Offsite File Backup in Use
2012648 ET POLICY Dropbox Client Broadcasting
2013028 ET POLICY curl User-Agent Outbound
2013030 ET POLICY libwww-perl User-Agent
2013031 ET POLICY Python-urllib/ Suspicious User Agent
2013290 ET POLICY MOBILE Apple device leaking UDID from SpringBoard via GET
2013414 ET POLICY Executable served from Amazon S3
2013458 ET POLICY Facebook Like Button Clicked (1)
2013459 ET POLICY Facebook Like Button Clicked (2)
2013503 ET POLICY OS X Software Update Request Outbound
2013504 ET POLICY GNU/Linux APT User-Agent Outbound likely related to package management
2013505 ET POLICY GNU/Linux YUM User-Agent Outbound likely related to package management
2014297 ET POLICY Vulnerable Java Version 1.7.x Detected
2014313 ET POLICY Executable Download From DropBox
2014919 ET POLICY Microsoft Online Storage Client Hello TLSv1 Possible SkyDrive (1)
2014920 ET POLICY Microsoft Online Storage Client Hello TLSv1 Possible SkyDrive (2)
2017015 ET POLICY DropBox User Content Access over SSL
2001375 ET POLICY Credit Card Number Detected in Clear (16 digit spaced)
2001376 ET POLICY Credit Card Number Detected in Clear (16 digit dashed)
2001377 ET POLICY Credit Card Number Detected in Clear (16 digit)
2001378 ET POLICY Credit Card Number Detected in Clear (15 digit)
2001379 ET POLICY Credit Card Number Detected in Clear (15 digit spaced)
2001380 ET POLICY Credit Card Number Detected in Clear (15 digit dashed)
2001381 ET POLICY Credit Card Number Detected in Clear (14 digit)
2001382 ET POLICY Credit Card Number Detected in Clear (14 digit spaced)
2001383 ET POLICY Credit Card Number Detected in Clear (14 digit dashed)
2009293 ET POLICY Credit Card Number Detected in Clear (15 digit spaced 2)
2009294 ET POLICY Credit Card Number Detected in Clear (15 digit dashed 2)
2001328 ET POLICY SSN Detected in Clear Text (dashed)
2001384 ET POLICY SSN Detected in Clear Text (spaced)
2007971 ET POLICY SSN Detected in Clear Text (SSN )
2007972 ET POLICY SSN Detected in Clear Text (SSN# )
2011854 ET POLICY Java JAR file download
2002749 ET POLICY Unallocated IP Space Traffic - Bogon Nets <<<<<<<< handled by ticking block bogon networks in interface settings
2002752 ET POLICY Reserved Internal IP Traffic <<<<<<<<<<<<< handled by ticking block private networks in interface settings
2000418 ET POLICY Executable and linking format (ELF) file download
2002658 ET POLICY EIN in the clear (US-IRS Employer ID Number)
2016877 ET POLICY Unsupported/Fake FireFox Version 2.
2013296 ET POLICY Free SSL Certificate Provider (StartCom Class 1 Primary Intermediate Server CA)
2010815 ET POLICY Incoming Connection Attempt From Amazon EC2 Cloud
2013255 ET POLICY Majestic12 User-Agent Request Inbound
2014726 ET POLICY Outdated Windows Flash Version IE
2012911 ET POLICY URL Contains password Parameter
2011085 ET POLICY HTTP Redirect to IPv4 AddressDISABLED:149
emerging-pop3 > ---
DO NOT USE! > emerging-rbn-malvertisers > use pfblocker with: http://doc.emergingthreats.net/pub/Main/RussianBusinessNetwork/emerging-rbn-malvertisers.txt
DO NOT USE! > emerging-rbn > use pfblocker with: http://doc.emergingthreats.net/pub/Main/RussianBusinessNetwork/RussianBusinessNetworkIPs.txt
emerging-rpc > ---
emerging-scada > all
DISABLED:0
emerging-scan > all except
2002992 ET SCAN Rapid POP3 Connections - Possible Brute Force Attack
2002993 ET SCAN Rapid POP3S Connections - Possible Brute Force Attack
2002994 ET SCAN Rapid IMAP Connections - Possible Brute Force Attack
2002995 ET SCAN Rapid IMAPS Connections - Possible Brute Force AttackDISABLED:4
emerging-shellcode > all except
2011803 ET SHELLCODE Possible TCP x86 JMP to CALL Shellcode Detected
2012252 ET SHELLCODE Common 0a0a0a0a Heap Spray String
2012257 ET SHELLCODE Common %0c%0c%0c%0c Heap Spray String
2012510 ET SHELLCODE UTF-8/16 Encoded Shellcode
2013222 ET SHELLCODE Excessive Use of HeapLib Objects Likely Malicious Heap Spray Attempt
2013267 ET SHELLCODE Hex Obfuscated JavaScript Heap Spray 0a0a0a0a
2012256 ET SHELLCODE Common 0c0c0c0c Heap Spray StringDISABLED:7
emerging-smtp > all
DISABLED:0
emerging-snmp > all
DISABLED:0
emerging-sql > all
DISABLED:0
emerging-telnet > all
DISABLED:0
emerging-tftp > all
DISABLED:0
DO NOT USE! > emerging-tor > use pfblocker with http://list.iblocklist.com/?list=tor&fileformat=p2p
emerging-trojan > all except:
2009205 ET TROJAN Possible Downadup/Conficker-C P2P encrypted traffic UDP Ping Packet (bit value 1)
2009206 ET TROJAN Possible Downadup/Conficker-C P2P encrypted traffic UDP Ping Packet (bit value 4)
2009207 ET TROJAN Possible Downadup/Conficker-C P2P encrypted traffic UDP Ping Packet (bit value 5)
2009208 ET TROJAN Possible Downadup/Conficker-C P2P encrypted traffic UDP Ping Packet (bit value 16)
2001046 ET TROJAN UPX compressed file download possible malwareDISABLED:5
emerging-user_agents > all except:
2010697 ET USER_AGENTS Suspicious User-Agent Beginning with digits - Likely spyware/trojanDISABLED:1
emerging-voip > all
DISABLED:0
emerging-web_client > all except
2011347 ET WEB_CLIENT Possible String.FromCharCode Javascript Obfuscation Attempt
2011507 ET WEB_CLIENT PDF With Embedded File
2010518 ET WEB_CLIENT Possible HTTP 404 XSS Attempt (External Source)
2012056 ET WEB_CLIENT Flash Player Flash6.ocx AllowScriptAccess Denial of Service
2012075 ET WEB_CLIENT Possible Internet Explorer CSS Parser Remote Code Execution Attempt
2012119 ET WEB_CLIENT Possible Hex Obfuscation Usage On Webpage
2012205 ET WEB_CLIENT Possible Malicious String.fromCharCode with charCodeAt String
2012266 ET WEB_CLIENT Hex Obfuscation of unescape % Encoding
2012272 ET WEB_CLIENT Hex Obfuscation of eval % Encoding
2012398 ET WEB_CLIENT Hex Obfuscation of replace Javascript Function % Encoding
2010527 ET WEB_CLIENT Possible HTTP 503 XSS Attempt (External Source)
2010931 ET WEB_CLIENT Possible IE iepeers.dll Use-after-free Code Execution AttemptDISABLED:12
emerging-web_server > all except
2003099 ET WEB_SERVER Poison Null Byte
2015526 ET WEB_SERVER Fake Googlebot UA 1 Inbound
2015527 ET WEB_SERVER Fake Googlebot UA 2 Inbound
2016676 ET WEB_SERVER SQL Errors in HTTP 200 Response (ORA-)
2009151 ET WEB_SERVER PHP Generic Remote File Include Attempt (HTTP)DISABLED:5
emerging-web_specific_apps > all except:
2010890 ET WEB_SPECIFIC_APPS phpBB3 registration (Step1 GET)
2010891 ET WEB_SPECIFIC_APPS phpBB3 registration (Step2 POST)
2010892 ET WEB_SPECIFIC_APPS phpBB3 registration (Step3 GET)
2010893 ET WEB_SPECIFIC_APPS phpBB3 registration (Step4 POST)
2003508 ET WEB_SPECIFIC_APPS Wordpress wp-login.php redirect_to credentials stealing attemptDISABLED:5
emerging-worm > all
DISABLED:0
GPLv2 community rules > all except
254 DNS SPOOF query response with TTL of 1 min. and no authority
384 PROTOCOL-ICMP PING
385 PROTOCOL-ICMP traceroute
399 PROTOCOL-ICMP Destination Unreachable Host Unreachable
402 PROTOCOL-ICMP Destination Unreachable Port Unreachable
408 PROTOCOL-ICMP Echo Reply
540 POLICY-SOCIAL Microsoft MSN message
648 INDICATOR-SHELLCODE x86 NOOP
649 INDICATOR-SHELLCODE x86 setgid 0
1200 INDICATOR-COMPROMISE Invalid URL
1201 INDICATOR-COMPROMISE 403 Forbidden
1292 INDICATOR-COMPROMISE directory listing
1390 INDICATOR-SHELLCODE x86 inc ebx NOOP
1394 INDICATOR-SHELLCODE x86 inc ecx NOOP
1437 FILE-IDENTIFY Microsoft Windows Media download detected
1841 FILE-OTHER Oracle Javascript URL host spoofing attempt
1846 POLICY-MULTIMEDIA vncviewer Java applet download attempt
1852 SERVER-WEBAPP robots.txt access
1986 POLICY-SOCIAL Microsoft MSN outbound file transfer request
1988 POLICY-SOCIAL Microsoft MSN outbound file transfer accept
1989 POLICY-SOCIAL Microsoft MSN outbound file transfer rejected
1990 POLICY-SOCIAL Microsoft MSN user search
1991 POLICY-SOCIAL Microsoft MSN login attempt
2180 PUA-P2P BitTorrent announce request
2181 PUA-P2P BitTorrent transfer
2707 FILE-IMAGE JPEG parser multipacket heap overflow
3463 SERVER-WEBAPP awstats access
25518 OS-OTHER Apple iPod User-Agent detected
25519 OS-OTHER Apple iPad User-Agent detected
25520 OS-OTHER Apple iPhone User-Agent detected
25521 OS-OTHER Android User-Agent detected
25522 OS-OTHER Nokia User-Agent detected
25523 OS-OTHER Samsung User-Agent detected
25524 OS-OTHER Kindle User-Agent detected
25525 OS-OTHER Nintendo User-Agent detectedDISABLED:35
IPS Policy - Security > all except
19436 BROWSER-IE Microsoft Internet Explorer CStyleSheetRule array memory corruption attempt
18196 BROWSER-IE Microsoft Internet Explorer CSS importer use-after-free attempt
16482 BROWSER-IE Microsoft Internet Explorer userdata behavior memory corruption attempt
24889 FILE-FLASH Action InitArray stack overflow attempt
25459 FILE-PDF Adobe Reader incomplete JP2K image geometry - potentially malicious
16320 WEB-CLIENT Adobe PNG empty sPLT exploit attempt
15975 WEB-CLIENT OpenOffice TIFF file in little endian format parsing integer overflow attempt
15976 WEB-CLIENT OpenOffice TIFF file in big endian format parsing integer overflow attempt
13360 APP-DETECT failed FTP login attemptDISABLED:9
MIA (Missing In Action) RULES. These rules have been deleted. Or got sucked into a blackhole, dunno. Did someone out there actually read what I write and actually understood me? I'm shocked!!! PLEASE GO BACK TO JUST READING WHAT I WRITE!!! I'm accustomed to arguing for years to convert someone to my views. STOP REMOVING FALSE POSITIVE RULES!!!
26354 BROWSER-IE Microsoft Internet Explorer expression clause in style tag cross site scripting attempt
15147 BROWSER-IE Microsoft Internet Explorer malformed iframe buffer overflow attempt
13964 BROWSER-IE Microsoft Internet Explorer span frontier parsing memory corruption
11257 BROWSER-IE Microsoft Internet Explorer colgroup tag uninitialized memory exploit attempt
8375 BROWSER-PLUGINS QuickTime Object ActiveX clsid access
24891 FILE-FLASH Action InitArray stack overflow attempt
12183 FILE-FLASH Adobe FLV long string script data buffer overflow
24714 FILE-IMAGE Oracle Outside In JPEG COC parameter buffer overflow attempt
24713 FILE-IMAGE Oracle Outside In JPEG COD parameter buffer overflow attempt
2707 FILE-IMAGE JPEG parser multipacket heap overflow
23170 FILE-MULTIMEDIA Apple QuickTime MPEG stream padding buffer overflow attempt
13919 FILE-MULTIMEDIA Apple QuickTime MOV file string handling integer overflow attempt
21927 FILE-OFFICE Microsoft Office Excel style handling overflow attempt
15866 FILE-OTHER libxml2 file processing long entity overflow attempt
23101 FILE-OTHER Cisco WebEx recording integer overflow attempt
23100 FILE-OTHER Cisco WebEx recording integer overflow attempt
24229 FILE-OTHER RealNetworks Netzip Classic zip archive long filename buffer overflow attempt
6504 FILE-OTHER Sophos Anti-Virus CAB file overflow attempt
16295 FILE-OTHER Kaspersky antivirus library heap buffer overflow - without optional fields
15362 INDICATOR-OBFUSCATION obfuscated javascript excessive fromCharCode - potential attack
26616 INDICATOR-OBFUSCATION Javascript indexOf rename attempt
13864 POLICY-OTHER Microsoft Watson error reporting attempt
540 POLICY-SOCIAL Microsoft MSN message
1986 POLICY-SOCIAL Microsoft MSN outbound file transfer request
1988 POLICY-SOCIAL Microsoft MSN outbound file transfer accept
1989 POLICY-SOCIAL Microsoft MSN outbound file transfer rejected
1990 POLICY-SOCIAL Microsoft MSN user search
1991 POLICY-SOCIAL Microsoft MSN login attempt
5694 PUA-P2P Skype client setup get newest version attempt
5693 PUA-P2P Skype client start up get latest version attempt
5999 PUA-P2P Skype client login
5998 PUA-P2P Skype client login startup
16281 PUA-P2P BitTorrent scrape request
5692 PUA-P2P Skype client successful install
15317 BROWSER-PLUGINS Akamai DownloadManager ActiveX function call access
26926 FILE-OTHER Multiple products ZIP archive virus detection bypass attempt
19560 FILE-MULTIMEDIA Apple iTunes PLS file parsing buffer overflow attempt
17129 BROWSER-IE Microsoft Internet Explorer use-after-free memory corruption attemptSuppression list:
#GLOBAL
gen_id 1
suppress gen_id 1, sig_id 536
suppress gen_id 1, sig_id 648
suppress gen_id 1, sig_id 653
suppress gen_id 1, sig_id 1390
suppress gen_id 1, sig_id 2452
suppress gen_id 1, sig_id 11192
suppress gen_id 1, sig_id 15306
suppress gen_id 1, sig_id 16313
suppress gen_id 1, sig_id 17458
suppress gen_id 1, sig_id 20583
suppress gen_id 1, sig_id 23098
suppress gen_id 1, sig_id 2000334
suppress gen_id 1, sig_id 2008120
suppress gen_id 1, sig_id 2010516
suppress gen_id 1, sig_id 20122758
suppress gen_id 1, sig_id 2014518
suppress gen_id 1, sig_id 2014520
suppress gen_id 1, sig_id 2100366
suppress gen_id 1, sig_id 2100368
suppress gen_id 1, sig_id 2100651
suppress gen_id 1, sig_id 2101390
suppress gen_id 1, sig_id 2101424
suppress gen_id 1, sig_id 2102314
suppress gen_id 1, sig_id 2103134
suppress gen_id 1, sig_id 2500056
suppress gen_id 1, sig_id 100000230
suppress gen_id 3, sig_id 14772
#(http_inspect) DOUBLE DECODING ATTACK
suppress gen_id 119, sig_id 2
#(http_inspect) BARE BYTE UNICODE ENCODING
suppress gen_id 119, sig_id 4
#(http_inspect) IIS UNICODE CODEPOINT ENCODING
suppress gen_id 119, sig_id 7
#(http_inspect) NON-RFC DEFINED CHAR [**]
suppress gen_id 119, sig_id 14
#(http_inspect) UNKNOWN METHOD
suppress gen_id 119, sig_id 31
#(http_inspect) SIMPLE REQUEST
suppress gen_id 119, sig_id 32
#(http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE
suppress gen_id 120, sig_id 2
#(http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE
suppress gen_id 120, sig_id 3
#(http_inspect) HTTP RESPONSE HAS UTF CHARSET WHICH FAILED TO NORMALIZE
suppress gen_id 120, sig_id 4
#(http_inspect) HTTP RESPONSE GZIP DECOMPRESSION FAILED
suppress gen_id 120, sig_id 6
#(http_inspect) INVALID CONTENT-LENGTH OR CHUNK SIZE
suppress gen_id 120, sig_id 8
#(http_inspect) JAVASCRIPT OBFUSCATION LEVELS EXCEEDS 1
suppress gen_id 120, sig_id 9
#unknown
suppress gen_id 120, sig_id 10
#(portscan) TCP Portscan
#suppress gen_id 122, sig_id 1
#(portscan) TCP Distributed Portscan
suppress gen_id 122, sig_id 4
#(portscan) UDP Portscan
suppress gen_id 122, sig_id 17
#(portscan) UDP Distributed Portscan
suppress gen_id 122, sig_id 20
#(smtp) Attempted response buffer overflow: 1448 chars
suppress gen_id 124, sig_id 3
#(ftp_telnet) TELNET CMD on FTP Command Channel
suppress gen_id 125, sig_id 1
#(ftp_telnet) Invalid FTP Command
suppress gen_id 125, sig_id 2
#(ftp_telnet) Evasive (incomplete) TELNET CMD on FTP Command Channel
suppress gen_id 125, sig_id 9
#(ssp_ssl) Invalid Client HELLO after Server HELLO Detected
suppress gen_id 137, sig_id 1
#(IMAP) Unknown IMAP4 command
suppress gen_id 141, sig_id 1
#(spp_dnp3): DNP3 Link-Layer Frame was dropped.
suppress gen_id 145, sig_id 2–--------------------------------------------
#ET POLICY PE EXE or DLL Windows file download
suppress gen_id 1, sig_id 2000419^^^^ not sure about this one. It's a bug that was found a while back, haven't checked if it was fixed. Disabling the rule doesn't stop alerts getting produced, so a suppresion entry is needed.
-
@jflsakfja:
Get prepared for next week's cyber attack now.
:o
:-[
( ;D ;D ;D)
[quote author=jflsakfja link=topic=64674.msg384504#msg384504 date=1387047834]
The authorization was just cleared. Expect a "Keeping You Scared" appearance by Diane (note to the FBI operative reading this: If you can, please contact her and tell her Pegasus will fly low). The scenario is Russian spies will attempt to infiltrate NSA's systems, and in retaliation, NSA will launch an attack. Don't get caught in the crossfire. Update your snort configuration now! The actual attack will start a couple of days before Christmas, to keep the "covert" part obvious.I just got a text message that told me: "the duck is in the cooler. Repeat: the granny is baking a pie".
I guess you understand what that means?
:-X
Thank you for the update very much :D
-
@Hollander:
I just got a text message that told me: "the duck is in the cooler. Repeat: the granny is baking a pie".
I guess you understand what that means?
:-X
Thank you for the update very much :D
"the duck is in the cooler" = "NSA's director doesn't fully agree. Recommending a sex scandal involving him."
"Repeat:" = Could mean a couple of things. Either "the guy (that will take over after the director is shown in a photograph drunk hugging 3 ladies) is a Communist and needs to have a car accident "arranged"", or "he could not be fully agreeing with our views." Either case "arrange" a car accident for him anyways.
"the granny is baking a pie" = is actually extremely easy. We run out of usefully idiotic things to say, so this just means "terrorists,bombs,bombs,BOMBS!!!! bombs here, bombs there, bombs falling from the sky, bombs jumping out of the sewers, bombs getting thrown out the windows, babies making bombs, BOMBS EVERYWHERE." Diane got this just in time, did you miss her appearance a couple weeks back?
I'm actually surprised you just got the sms. I'll give Mr. Smith a call. The database is falling behind. We need to order a couple containers of PCI-E SSDs. The public will figure it out if we continue delaying their communications. -
@jflsakfja:
@Hollander:
I just got a text message that told me: "the duck is in the cooler. Repeat: the granny is baking a pie".
I guess you understand what that means?
:-X
Thank you for the update very much :D
"the duck is in the cooler" = "NSA's director doesn't fully agree. Recommending a sex scandal involving him."
"Repeat:" = Could mean a couple of things. Either "the guy (that will take over after the director is shown in a photograph drunk hugging 3 ladies) is a Communist and needs to have a car accident "arranged"", or "he could not be fully agreeing with our views." Either case "arrange" a car accident for him anyways.
"the granny is baking a pie" = is actually extremely easy. We run out of usefully idiotic things to say, so this just means "terrorists,bombs,bombs,BOMBS!!!! bombs here, bombs there, bombs falling from the sky, bombs jumping out of the sewers, bombs getting thrown out the windows, babies making bombs, BOMBS EVERYWHERE." Diane got this just in time, did you miss her appearance a couple weeks back?
I'm actually surprised you just got the sms. I'll give Mr. Smith a call. The database is falling behind. We need to order a couple containers of PCI-E SSDs. The public will figure it out if we continue delaying their communications.;D ;D ;D ;D ;D
BUT(T) ( :o): who is 'Diane'? How come you have her phone number? Is she your wife?
Questions, questions, questions…
I just got another text message: 'The machine is doing the thing. Repeat: the cow is arresting the tree'.
Could you call 'Diane' to ask what that means?
;D
-
Diane="Senator" Dianne Feinstein (Not actually a senator, an asset we use when the "Keeping You Scared" bag needs cleaning.)
An asset in Intelligence worlds (note:not Intelligent) means someone that does what needs to be done without a lot of questions. A slave, getting paid with grocery bags full of money, private lap dances, truckloads of coke, what ever needs to be done."The machine is doing the thing." = Oh crap, we are all f***ed. The AI based MLS system I designed back in 1997 figured the way out. Matrix is just around the corner. Run for your lives!!!
"Repeat:" = car accident. when used with the cow, it means everyone that knows. In this case everyone on these forums. Insurrance companies will get a handful next week.
"the cow is arresting the tree'." = The public suspects us. Where's the guy holding the thermonuclear holocast's trigger bag? What's the code again? oh yea, 0000. If everyone sees him, punch in that code and press the big red button. Note: NOT THE BLUE ONE!!!. -
@jflsakfja:
Diane="Senator" Dianne Feinstein (Not actually a senator, an asset we use when the "Keeping You Scared" bag needs cleaning.)
An asset in Intelligence worlds (note:not Intelligent) means someone that does what needs to be done without a lot of questions. A slave, getting paid with grocery bags full of money, private lap dances, truckloads of coke, what ever needs to be done."The machine is doing the thing." = Oh crap, we are all f***ed. The AI based MLS system I designed back in 1997 figured the way out. Matrix is just around the corner. Run for your lives!!!
"Repeat:" = car accident. when used with the cow, it means everyone that knows. In this case everyone on these forums. Insurrance companies will get a handful next week.
"the cow is arresting the tree'." = The public suspects us. Where's the guy holding the thermonuclear holocast's trigger bag? What's the code again? oh yea, 0000. If everyone sees him, punch in that code and press the big red button. Note: NOT THE BLUE ONE!!!.What have I done? It actually did figure the way out: http://tech.slashdot.org/story/13/12/14/1338239/google-acquires-boston-dynamics.
I hereby claim responsibility for the creation of the Matrix and apologize to all mankind. I thought no-one bothered with what I say on these forums, but I was clearly mistaken. The machine bothered. Let these be the last words of free mankind. To those actually still smiling, who the hell said I was joking the first time? Run for your lives! When shit hits the fan, you WILL remember this post. I should have seen it coming the first time… Google's engineers complained about some machines actually developing sentient behavior....that was (I think) a couple months back.The funny thing is, even after this post, NO ONE will take me seriously. NO ONE. THIS IS NOT A POST TO BE TAKEN AS A JOKE! MY CREATION FIGURED THE WAY OUT! You thought the Matrix was bad? Wait till this baby takes over. George from Dell knows (knew). The machine wanted him to service node number node95728. He was tricked into thinking we would actually buy consumer grade servers from Dell. The machine even forged the documents on the specifications of the node and sent him a service report. It was actually a clever way to test the rack isolation relays. You know, the 2 relays needed to give someone an electrocution. One to isolate ground, and one to make the rack live. No, each node is isolated. Plastic front isolating the metal slide safety (you don't want servers sliding out onto your head), teflon rollers on its side. It's actually quite clever. $2 for the rollers (the thing every single drawer out there uses, yeap, thats the one), $5 for the relays and pieces of wire (account for soldering)....As I said. George from Dell knows (knew) I'm not joking. Don't bother verifying my story. I'm sure the machine deleted previous employment records by now. I wouldn't be surprised even if his parent's were never actually legaly born (as in no birth certificate). I did design the best machine there is after all.
Are you absolutely, positively sure the message started with "The machine is doing the thing."? Not the machine is doing a thing? Or A machine is doing the thing? Or A machine is doing a thing?