signature-list.txt
# Created with
# jq '.[].alert.signature' samples/wrccdc-2018/alerts-only.json > samples/wrccdc-2018/signature-list.txt
"ET SCAN Potential SSH Scan"
"ET SCAN Behavioral Unusual Port 445 traffic Potential Scan or Infection"
"ET SCAN Behavioral Unusual Port 139 traffic Potential Scan or Infection"
"ET SCAN Behavioral Unusual Port 137 traffic Potential Scan or Infection"
"ET SCAN Behavioral Unusual Port 135 traffic Potential Scan or Infection"
"ET SCAN Behavioral Unusual Port 1434 traffic Potential Scan or Infection"
"ET SCAN Behavioral Unusual Port 1433 traffic Potential Scan or Infection"
"ET CHAT IRC USER command"
"ET CHAT IRC NICK command"
"ET CHAT IRC PING command"
"ET MALWARE Spyware Related User-Agent (UtilMind HTTPGet)"
"ET SCAN Potential SSH Scan OUTBOUND"
"ET POLICY AOL Toolbar User-Agent (AOLToolbar)"
"ET POLICY Outgoing Basic Auth Base64 HTTP Password detected unencrypted"
"ET NETBIOS Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (15)"
"ET NETBIOS Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (25)"
"ET TROJAN Suspicious Malformed Double Accept Header"
"ET POLICY IP Check Domain (whatismyip in HTTP Host)"
"ET POLICY TeamViewer Dyngate User-Agent"
"ET SCAN Non-Allowed Host Tried to Connect to MySQL Server"
"ET POLICY User-Agent (Launcher)"
"ET POLICY User-Agent (NSIS_Inetc (Mozilla)) - Sometimes used by hostile installers"
"ET POLICY DNS Query For XXX Adult Site Top Level Domain"
"ET ATTACK_RESPONSE Windows 7 CMD Shell from Local System"
"ET POLICY Microsoft user-agent automated process response to automated request"
"ET POLICY Cleartext WordPress Login"
"ET POLICY Http Client Body contains passwd= in cleartext"
"ET POLICY Http Client Body contains pass= in cleartext"
"ET POLICY Http Client Body contains pwd= in cleartext"
"ET POLICY curl User-Agent Outbound"
"ET POLICY libwww-perl User-Agent"
"ET POLICY Python-urllib/ Suspicious User Agent"
"ET SCAN Nessus FTP Scan detected (ftp_anonymous.nasl)"
"ET POLICY Executable served from Amazon S3"
"ET POLICY GNU/Linux APT User-Agent Outbound likely related to package management"
"ET POLICY GNU/Linux YUM User-Agent Outbound likely related to package management"
"ET DNS Query for .su TLD (Soviet Union) Often Malware Related"
"ET POLICY Outdated Flash Version M1"
"ET POLICY DNS Query for TOR Hidden Domain .onion Accessible Via TOR"
"ET SNMP Attempt to retrieve Cisco Config via TFTP (CISCO-CONFIG-COPY)"
"ET WEB_SERVER ColdFusion adminapi access"
"ET WEB_SERVER ColdFusion administrator access"
"ET DNS Query to a *.pw domain - Likely Hostile"
"ET WEB_SERVER ColdFusion path disclosure to get the absolute path"
"ET POLICY Unsupported/Fake Windows NT Version 5.0"
"ET ATTACK_RESPONSE Net User Command Response"
"ET TROJAN Generic - POST To .php w/Extended ASCII Characters"
"ET SCAN NETWORK Outgoing Masscan detected"
"ET SCAN NETWORK Incoming Masscan detected"
"ET DOS Possible NTP DDoS Inbound Frequent Un-Authed MON_LIST Requests IMPL 0x03"
"ET EXPLOIT Netgear passwordrecovered.cgi attempt"
"ET WEB_CLIENT Possible BeEF Module in use"
"ET WORM TheMoon.linksys.router 1"
"ET CURRENT_EVENTS Malformed HeartBeat Request"
"ET CURRENT_EVENTS Malformed HeartBeat Response"
"ET CURRENT_EVENTS Possible OpenSSL HeartBleed Large HeartBeat Response (Client Init Vuln Server)"
"ET CURRENT_EVENTS Possible TLS HeartBleed Unencrypted Request Method 3 (Inbound to Common SSL Port)"
"ET ATTACK_RESPONSE Possible MS CMD Shell opened on local system 2"
"ET POLICY TLS possible TOR SSL traffic"
"ET POLICY PE EXE or DLL Windows file download HTTP"
"ET DOS Possible NTP DDoS Inbound Frequent Un-Authed GET_RESTRICT Requests IMPL 0x03"
"ET DOS Possible SSDP Amplification Scan in Progress"
"ET WEB_SERVER Possible CVE-2014-6271 Attempt in Headers"
"ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP Cookie"
"ET POLICY Executable and linking format (ELF) file download Over HTTP"
"ET EXPLOIT Possible Pure-FTPd CVE-2014-6271 attempt"
"ET POLICY SSLv3 inbound connection to server vulnerable to POODLE attack"
"ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt URLENCODE 1"
"ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt URLENCODE 2"
"ET POLICY Possible IP Check api.ipify.org"
"ET EXPLOIT Possible GoldenPac Priv Esc in-use"
"ET EXPLOIT FREAK Weak Export Suite From Server (CVE-2015-0204)"
"ET POLICY Possible External IP Lookup ipinfo.io"
"ET EXPLOIT D-Link Devices Home Network Administration Protocol Command Execution"
"ET WEB_SERVER Possible IIS Integer Overflow DoS (CVE-2015-1635)"
"ET WEB_SERVER Possible CVE-2014-6271 Attempt"
"ET EXPLOIT Serialized Java Object Calling Common Collection Function"
"ET EXPLOIT Serialized Java Object Calling Common Collection Function"
"ET CURRENT_EVENTS SUSPICIOUS Firesale gTLD EXE DL with no Referer June 13 2016"
"ET EXPLOIT NETGEAR WNR2000v5 hidden_lang_avi Stack Overflow (CVE-2016-10174)"
"ET EXPLOIT Cisco Catalyst Remote Code Execution (CVE-2017-3881)"
"ET EXPLOIT Possible DOUBLEPULSAR Beacon Response"
"ET EXPLOIT Possible ETERNALBLUE MS17-010 Heap Spray"
"ET EXPLOIT Possible ETERNALBLUE MS17-010 Echo Response"
"ET EXPLOIT ETERNALBLUE Exploit M2 MS17-010"
"ET EXPLOIT Samba Arbitrary Module Loading Vulnerability (.so file write to share) (CVE-2017-7494)"
"ET EXPLOIT Samba Arbitrary Module Loading Vulnerability (NT Create AndX .so) (CVE-2017-7494)"
"ET SCAN Possible Nmap User-Agent Observed"
"ET POLICY Outdated Flash Version M2"
"ET CURRENT_EVENTS SUSPICIOUS Possible CVE-2017-0199 IE7/NoCookie/Referer HTA dl"
"ET EXPLOIT Apache Struts 2 REST Plugin XStream RCE (ProcessBuilder)"
"ET EXPLOIT Apache Struts 2 REST Plugin (ProcessBuilder)"
"ET POLICY Request for Coinhive Browser Monero Miner M2"
"ET POLICY Possible External IP Lookup SSL Cert Observed (ipinfo.io)"
"ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)"
"ET CURRENT_EVENTS Observed Coin-Hive In Browser Mining Domain (coin-hive .com in TLS SNI)"
"ET CURRENT_EVENTS Observed Malicious SSL Cert (Coin-Hive In Browser Mining)"
"ET MALWARE Lavasoft PUA/Adware Client Install"
"ET EXPLOIT Possible ETERNALBLUE Probe MS17-010 (MSF style)"
"ET EXPLOIT ETERNALBLUE Probe Vulnerable System Response MS17-010"
"ET POLICY SMB Executable File Transfer"
"ET POLICY SMB NT Create AndX Request For an Executable File"
"ET POLICY SMB2 NT Create AndX Request For an Executable File"
"ET POLICY SMB2 NT Create AndX Request For a Powershell .ps1 File"
"ET POLICY SMB2 NT Create AndX Request For a .bat File"
"ET POLICY SMB2 NT Create AndX Request For a DLL File - Possible Lateral Movement"
"ET POLICY SMB2 NT Create AndX Request For a .sys File - Possible Lateral Movement"
"ET POLICY SMB Remote AT Scheduled Job Create Request - Possible Lateral Movement"
"ET POLICY SMB2 Remote AT Scheduled Job Create Request"
"ET POLICY SMB Remote AT Scheduled Job Pipe Creation"
"ET POLICY Powershell Activity Over SMB - Likely Lateral Movement"
"ET POLICY Powershell Command With Hidden Window Argument Over SMB - Likely Lateral Movement"
"ET POLICY Powershell Command With Encoded Argument Over SMB - Likely Lateral Movement"
"ET POLICY Powershell Command With No Profile Argument Over SMB - Likely Lateral Movement"
"ET POLICY Powershell Command With Execution Bypass Argument Over SMB - Likely Lateral Movement"
"ET POLICY Powershell Command With NonInteractive Argument Over SMB - Likely Lateral Movement"
"ET POLICY WMIC WMI Request Over SMB - Likely Lateral Movement"
"ET EXPLOIT Possible ETERNALBLUE Probe MS17-010 (Generic Flags)"
"ET EXPLOIT Linksys E-Series Device RCE Attempt"
"GPL ATTACK_RESPONSE id check returned root"
"SURICATA SMTP invalid reply"
"SURICATA SMTP invalid pipelined sequence"
"SURICATA SMTP bdat chunk len exceeded"
"SURICATA SMTP no server welcome message"
"SURICATA SMTP tls rejected"
"SURICATA SMTP data command rejected"
"SURICATA SMTP duplicate fields"
"SURICATA HTTP request field missing colon"
"SURICATA HTTP invalid request chunk len"
"SURICATA HTTP invalid transfer encoding value in request"
"SURICATA HTTP invalid content length field in request"
"SURICATA HTTP unable to match response to request"
"SURICATA HTTP request header invalid"
"SURICATA HTTP missing Host header"
"SURICATA HTTP Host header ambiguous"
"SURICATA HTTP request buffer too long"
"SURICATA HTTP multipart generic error"
"SURICATA HTTP Host part of URI is invalid"
"SURICATA HTTP Host header invalid"
"SURICATA HTTP URI terminated by non-compliant character"
"SURICATA HTTP METHOD terminated by non-compliant character"
"SURICATA HTTP Request abnormal Content-Encoding header"
"SURICATA TLS invalid SSLv2 header"
"SURICATA TLS invalid handshake message"
"SURICATA TLS certificate invalid length"
"SURICATA TLS error message encountered"
"SURICATA TLS invalid record/traffic"
"SURICATA TLS overflow heartbeat encountered, possible exploit attempt (heartbleed)"
"SURICATA TLS invalid record version"
"SURICATA TLS invalid SNI length"
"SURICATA DNS Unsolicited response"
"SURICATA DNS malformed response data"
"SURICATA DNS Not a response"
"SURICATA DNS Z flag set"
"ET CNC Zeus Tracker Reported CnC Server group 11"
"ET TOR Known Tor Exit Node Traffic group 50"
"ET TOR Known Tor Exit Node Traffic group 67"
"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 50"
"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 67"
"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 91"
"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 115"
"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 120"
"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 122"
"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 141"
"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 143"
"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 149"
"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 155"
"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 180"
"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 197"
"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 222"
"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 223"
"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 226"
"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 236"
"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 241"
"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 250"
"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 255"
"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 258"
"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 266"
"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 269"
"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 271"
"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 273"
"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 274"
"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 285"
"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 289"
"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 336"
"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 338"
"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 339"
"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 354"
"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 433"
"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 480"
"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 485"
"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 493"
"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 497"
"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 501"
"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 504"
"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 509"
"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 553"
"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 580"
"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 594"
"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 611"
"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 616"
"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 630"
"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 631"
"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 633"
"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 634"
"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 639"
"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 666"