ptresearch / attackdetection
Attack Detection
License: Other
The rule:
https://github.com/ptresearch/AttackDetection/blob/master/CVE-2019-0232/cve-2019-0232.rules
The Error:
9/7/2019 -- 19:24:31 - -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Unable to parse "reference" keyword argument - "wwws.nightwatchcybersecurity.com/2019/04/30/remote-code-execution-rce-in-cgi-servlet-apache-tomcat-on-windows-cve-2019-0232". Invalid argument.
9/7/2019 -- 19:24:31 - -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert http any any -> any any (msg: "ATTACK [PTsecurity] Apache Tomcat RCE on Windows (CVE-2019-0232)"; flow: established, to_server; content: "?&"; http_raw_uri; pcre: "/.(?:bat|cmd)?&/I"; reference: cve, 2019-0232; reference: wwws.nightwatchcybersecurity.com/2019/04/30/remote-code-execution-rce-in-cgi-servlet-apache-tomcat-on-windows-cve-2019-0232; reference: url, github.com/ptresearch/AttackDetection; metadata: Open Ptsecurity.com ruleset; classtype: attempted-admin; sid: 10004953; rev: 1;)" from file /var/lib/suricata/rules/suricata.rules at line 2738
Topic:
18/9/2018 -- 16:13:31 - <Notice> - This is Suricata version 3.2.1 RELEASE
18/9/2018 -- 16:13:50 - <Error> - [ERRCODE: SC_ERR_UNKNOWN_VALUE(129)] - Unknown Classtype: "malicious-redirect". Invalidating the Signature
18/9/2018 -- 16:13:50 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "ATTACK [PTsecurity] GNU Wget http request"; content: "wget"; http_user_agent; nocase; depth: 4; flowbits: set, 10000062; flowbits: noalert; reference: cve, 2016-4971; classtype:malicious-redirect; reference: url, legalhackers.com/advisories/Wget-Arbitrary-File-Upload-Vulnerability-Exploit.txt; reference: url, github.com/ptre" from file /etc/suricata/rules/pt-rules.rules at line 35eset; sid: 10000062; rev: 2; )
18/9/2018 -- 16:13:50 - <Error> - [ERRCODE: SC_ERR_UNKNOWN_VALUE(129)] - Unknown Classtype: "malicious-redirect". Invalidating the Signature
18/9/2018 -- 16:13:50 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert http $EXTERNAL_NET any -> $HOME_NET any (msg: "ATTACK [PTsecurity] GNU Wget < 1.18 Arbitrary File Upload / Potential Remote Code Execution"; flowbits: isset, 10000062; content: "30"; http_stat_code; depth: 2; content: "Location: ftp://"; nocase; http_header; reference: cve, 2016-4971; classtype:malicious-redirect; reference: url, legalhackers.com/advisories/Wget-Arbitrar" from file /etc/suricata/rules/pt-rules.rules at line 37github.com/ptresearch/AttackDetection; metadata: Open Ptsecurity.com ruleset; sid: 10000063; rev: 2; )
18/9/2018 -- 16:13:50 - <Error> - [ERRCODE: SC_ERR_PCRE_MATCH(2)] - pcre_exec failed: ret -1, optstr ";sid: 10001759; rev: 2;"
18/9/2018 -- 16:13:50 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tls $EXTERNAL_NET any -> $HOME_NET any (msg: "MALWARE [PTsecurity] Trickbot/Dyre/Dridex #2";flow: established, to_client;content: "|17 03 01 00 F0|";depth:5;content: "|17 03 01 00 20|";distance:240;within:5;content: "|17 03 01|";distance:32;within:3;stream_size: server, <,30000;stream_size: client, <,30000;flowbits: isset, FB320221_0; flowbits: unset, FB320221_0; flowbits: set, FB320221_1; flowbits: noalert ; classtype: trojan-activity;metadata: autosign, id_320221, created_at 2017_8_11 reference: url, github.com/ptresearch/At" from file /etc/suricata/rules/pt-rules.rules at line 143 10001759; rev: 2;)
18/9/2018 -- 16:13:50 - <Error> - [ERRCODE: SC_ERR_PCRE_MATCH(2)] - pcre_exec failed: ret -1, optstr ";sid: 10001760; rev: 1;"
18/9/2018 -- 16:13:50 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tls $EXTERNAL_NET any -> $HOME_NET any (msg: "MALWARE [PTsecurity] Trickbot/Dyre/Dridex #3";flow: established, to_client;content: "|17 03 01 01 00|"; depth:5; content: "|17 03 01 00 20|"; distance:256; within:5; content: "|17 03 01|";distance:32;within:3;stream_size: server, <,30000;stream_size: client, <,30000;flowbits: isset, FB320221_0; flowbits: unset, FB320221_0; flowbits: set, FB320221_1; classtype: trojan-activity;metadata: autosign, id_320221, created_at 2017_8_11 reference: url, github.com/ptresearch/AttackDetection; " from file /etc/suricata/rules/pt-rules.rules at line 145 1;)
Good afternoon. How and where should these rules be inserted: apt31.rules?
I downloaded a pcap file?
How do I launch the pcap file?
Can you tell me what is the default password?
It is probably a simple enhancement to add a data size check to match the DNS registry edit that was suggested. BTW, I know the packet overhead is not accounted for in this DNS check.
dsize:>65280
This update will avoid SIG rules that are normal responses and are not attempting the heap overflow.
Vijay
The License section says "under under".
Hi team,
Found this when attempting to enable/update through suricata-update:
1/12/2020 -- 18:49:42 - <Error> -- [ERRCODE: SC_ERR_RULE_KEYWORD_UNKNOWN(102)] - unknown rule keyword 'created_at 2017_7_19'.
11/12/2020 -- 18:49:42 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg: "POLICY [PTsecurity] Telegram Messenger v1 pkt checker #1"; flow: established, to_server; dsize: 89; stream_size: client, <,1500; flowbits: noalert; flowbits: isset, FB_Telegram_0; flowbits: unset, FB_Telegram_0; flowbits: set, FB_Telegram_1; classtype: trojan-activity; created_at 2017_7_19; reference: url, github.com/ptresearch/AttackDetection; sid: 11001579; rev: 1;)" from file /var/lib/suricata/rules/suricata.rules at line 27988
I'm learning CVE-2016-6304.
http://cmpload.cmcm.com/download/taptapdash/large/1502424501260_92/anttd0815kpbg_en.png triggers rule 10000082.
Ran into an issue when using these in conjunction with EmergingThreats and Scirius.
pt-rules.rules:
./git-sources/3/rules/pt-rules.rules:alert tls $EXTERNAL_NET any -> $HOME_NET any ( msg: "MALWARE [PTsecurity] Backdoor.Java.Adwind.cu Certificate flowbit set 1"; flow: established, to_client;content: "|3082|";depth:300; content: "|3082|";distance:2;within:2; content: "|a00302010202|";distance:2;within:6; flowbits: set, FB332502_; flowbits: noalert; threshold: type limit, track by_src, count 1, seconds 30; metadata: former_category TROJAN; reference:md5,56e42156a1676b34f5350c01e34875d1; classtype:trojan-activity; reference: url, github.com/ptresearch/AttackDetection; metadata: Open Ptsecurity.com ruleset; sid: 2024751; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_09_21, malware_family Adwind, performance_impact Moderate, updated_at 2018_01_30;)
trojan.rules:
./git-sources/31/rules/trojan.rules:#alert tcp $EXTERNAL_NET [:32768] -> $HOME_NET any (msg:"ET TROJAN [PTsecurity] Backdoor.Java.Adwind.cu Certificate flowbit set 1"; flow:established, to_client; content:"|308204|"; depth:300; content:"|308203|"; distance:1; within:3; content:"|a0030201020204|"; distance:1; within:7; content:"|300d06092a864886f70d01010b05003081|"; distance:4; within:17; flowbits:set,FB332502_; flowbits:noalert; threshold:type limit, track by_src, count 1, seconds 30; metadata: former_category TROJAN; reference:md5,d93dd17a9adf84ca2839708d603d3bd6; classtype:trojan-activity; sid:2024751; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_09_21, malware_family Adwind, performance_impact Moderate, updated_at 2017_09_21;)
The conflict is preventing the rules from compiling correctly for Scirius.
If you go to the following site, phoronix.com, and browse the site, you get this in my Suricata logs:
ET TROJAN [PTsecurity] Malicious SSL connection (Upatre Downloader CnC) cert
The only thing I can tell is it's due to the Cloudflare SSL cert with loads of domains in the alt SAN field of the cert.
Hi, today I found this rule was matched by the wrong packet (in a response):
So I think it is better to add the "to_server" term to the "flow" part.
Hi,
You can find an attempt to match exploitation of the VMware vmdir CVE-2020-3952 by checking for an LDAP modify operation on the Administrators built-in group here: https://github.com/gelim/CVE-2020-3952/blob/master/vmware.rules
That may require some more tuning, so I am writing this here as an FYI without a specific PR.
Cheers,
-- Mathieu
Hi.
Some rules have strange metadata,
e.g.
"metadata: id_140409,created_at 2017_6_2, url, https://blog.fortinet.com/2016/07/27/bayrob-an-ancient-evil-awakens-ii"
(the metadata "url" is comma-separated from its value ("..blog.fortinet.."); the metadata (id_140409) has no value)
Is it an error in the metadata format?
I guess the metadata should look like
"metadata: param value, param2 value2 "
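As an added example (not code from the repository or from any of the posters above), a small Python checker that flags the four rule-option mistakes reported in the Suricata error logs and the metadata question above: a reference without a type prefix, an unknown classtype, a bare keyword such as created_at, and metadata items that are not key/value pairs. The keyword, classtype and reference-type sets are constructed subsets rather than Suricata's full tables, and the sample rules are constructed.

```python
# Constructed subsets of what a stock Suricata knows (classification.config, reference.config, keyword table).
KNOWN_CLASSTYPES = {"attempted-admin", "trojan-activity", "policy-violation", "misc-activity"}
KNOWN_REFERENCE_TYPES = {"cve", "url", "md5", "bugtraq"}
KNOWN_KEYWORDS = {"msg", "flow", "content", "nocase", "depth", "distance", "within", "pcre",
                  "http_raw_uri", "http_user_agent", "http_stat_code", "http_header", "dsize",
                  "stream_size", "flowbits", "threshold", "reference", "metadata", "classtype", "sid", "rev"}

def split_options(rule):  # options between the outer parentheses, split on ';' outside quotes
    body = rule[rule.index("(") + 1:rule.rindex(")")]
    opts, cur, quoted = [], [], False
    for ch in body:
        if ch == '"':
            quoted = not quoted
        if ch == ";" and not quoted:
            opts.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    if "".join(cur).strip():
        opts.append("".join(cur).strip())
    return opts

def lint_rule(rule):  # the option-level mistakes Suricata invalidates a signature for
    problems = []
    for opt in split_options(rule):
        key, _, val = opt.partition(":")
        key, val = key.strip(), val.strip()
        if key not in KNOWN_KEYWORDS:          # e.g. a bare 'created_at 2017_7_19' outside metadata
            problems.append(f"unknown keyword {key!r}")
        elif key == "classtype" and val not in KNOWN_CLASSTYPES:
            problems.append(f"unknown classtype {val!r}")
        elif key == "reference" and val.partition(",")[0].strip() not in KNOWN_REFERENCE_TYPES:
            problems.append(f"reference lacks a valid type prefix: {val!r}")
        elif key == "metadata":                # every comma-separated item must be 'key value'
            for item in val.split(","):
                if len(item.split(None, 1)) != 2:
                    problems.append(f"metadata item is not a key/value pair: {item.strip()!r}")
    return problems

# Constructed rules reproducing the four error shapes; not rules from the repository.
SAMPLE_RULES = {
    "bad_reference": 'alert http any any -> any any (msg: "constructed"; content: "?&"; http_raw_uri; reference: example.invalid/advisory; reference: cve, 2019-0232; classtype: attempted-admin; sid: 1; rev: 1;)',
    "bad_classtype": 'alert http any any -> any any (msg: "constructed"; content: "wget"; http_user_agent; nocase; depth: 4; classtype: malicious-redirect; sid: 2; rev: 1;)',
    "bare_keyword": 'alert tcp any any -> any 443 (msg: "constructed"; dsize: 89; classtype: trojan-activity; created_at 2017_7_19; sid: 3; rev: 1;)',
    "bad_metadata": 'alert tcp any any -> any any (msg: "constructed"; metadata: id_140409, created_at 2017_6_2, url, https://example.invalid/post; classtype: trojan-activity; sid: 4; rev: 1;)',
    "clean": 'alert tcp any any -> any any (msg: "constructed"; metadata: created_at 2017_6_2, url https://example.invalid/post; reference: url, example.invalid/post; classtype: trojan-activity; sid: 5; rev: 1;)',
}

def lint_all():
    return {name: lint_rule(rule) for name, rule in SAMPLE_RULES.items()}
```

Escaped quotes inside content strings are not handled by the splitter, so treat it as a pre-commit sanity check rather than a full parser.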
I noticed the SID range mentioned in your README.md file doesn't match the rules in the repository.
SID range
We use SID 10000000-10999999 for our rules.
There are some rules in the repository going beyond that range. Would it be possible to put your true SID range in the README.md file, or to fix the rules having an SID in the 11 millions, 20 millions and 21 millions range?
Thank you!
Lovely work!
# Note1: Please, set $DC_SERVERS address group in suricata.yaml config, so Active Directory rules could work properly.
How can I install this on Suricata 6.0.3? I don't know how to configure it.
Hi, what is the default password of the zip archives? I can't find it.
From http://doc.emergingthreats.net/bin/view/Main/SidAllocation, it seems the SID range used is reserved for local use, so it may be better to use another one. I don't know how allocation works for this, but it would be nice if you had your own range.