# # $Id: bleeding-policy.rules $ # Bleeding Edge Threats Policy rules. # # SID's are 2000000+ to avoid conflicts # # Only basic testing has been done. At this point all we guarantee is that they won't crash a recent snort release. # # More information available at www.bleedingthreats.net # # Please submit any custom rules or ideas to bleeding@bleedingthreats.net or the bleeding-sigs mailing list # #************************************************************* # # Copyright (c) 2003-2007, Bleeding Edge Threats # All rights reserved. # # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
# # #by Matt Jonkman, from qru alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE POLICY AOL Toolbar User-Agent (AOLToolbar)"; flow:to_server,established; content:"User-Agent\:"; nocase; pcre:"/User-Agent\:[^\n]+AOLToolbar/i"; classtype:policy-violation; sid:2003469; rev:1;) #Submitted by Matt Jonkman alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE AOL Webmail Message Send"; flow: to_server,established; uricontent:"/compose_frame.adp"; content:"POST"; classtype: policy-violation; sid: 2000571; rev:4; ) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE AOL Webmail Login"; flow: to_server,established; uricontent:"/login/login.psp?siteId="; content:"triedAimAuth"; classtype: policy-violation; sid: 2000572; rev:4; ) #By merphie. Please test this out, it should work on NT domains and 98. Disabled by default #alert udp $HOME_NET any -> $HOME_NET 137 (msg: "BLEEDING-EDGE POLICY Administrator Login Detected"; content:"ebeeenejeoejfdfefcebfeepfc"; nocase; classtype: policy-violation; sid: 2001806; rev:2; ) #this is not for a vuln, but for the use of an easily decrypted password in the clear # by Adam Ellison. 
Use this if you have a policy of not showing passwords in the clear #added negates of Anonymous and :, idea from Jon Schiedell alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"BLEEDING-EDGE POLICY Outgoing Basic Auth Base64 HTTP Password detected unencrypted"; flow:established,to_server; content:"|0d 0a|Authorization|3a 20|Basic"; nocase; content:!"YW5vbnltb3VzOg=="; within:32; classtype:policy-violation; sid:2006380; rev:8;) alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"BLEEDING-EDGE POLICY Incoming Basic Auth Base64 HTTP Password detected unencrypted"; flow:established,to_server; content:"|0d 0a|Authorization|3a 20|Basic"; nocase; content:!"YW5vbnltb3VzOg=="; within:32; classtype:policy-violation; sid:2006402; rev:4;) #Submitted by Joseph Gama #Good rules, turn them on if you are interested. They are accurate. #alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "BLEEDING-EDGE Executable and linking format (ELF) file download"; flow: established; content:"|7F|ELF"; content:"|00 00 00 00 00 00 00 00|"; reference:url,www.itee.uq.edu.au/~cristina/students/david/honoursThesis96/bff.htm; classtype: misc-activity; sid: 2000418; rev:6; ) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "BLEEDING-EDGE PE EXE or DLL Windows file download"; flow: established; content:"MZ"; isdataat: 76,relative; content:"This program cannot be run in DOS mode."; distance: 0; isdataat: 10,relative; content:"PE"; distance: 0; flowbits:set,BE.http.binary; classtype:misc-activity; sid: 2000419; rev:7; ) #alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "BLEEDING-EDGE REG files version 4 download"; flow: established; content:"REGEDIT4"; content:"|0D 0A|"; content:"["; content:"HKEY_"; nocase; reference:url,www.ss64.com/nt/regedit.html; classtype: misc-activity; sid: 2000420; rev:7; ) #alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "BLEEDING-EDGE REG files version 5 download"; flow: established; content:"Windows Registry Editor Version 5.00"; content:"|0D 0A|"; content:"["; 
content:"HKEY_"; nocase; reference:url,www.ss64.com/nt/regedit.html; classtype: misc-activity; sid: 2000421; rev:7; ) #alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "BLEEDING-EDGE REG files version 5 Unicode download"; flow: established; content:"W|00|i|00|n|00|d|00|o|00|w|00|s|00| |00|R|00|e|00|g|00|i|00|s|00|t|00|r|00|y|00| |00|E|00|d|00|i|00|t|00|o|00|r|00| |00|V|00|e|00|r|00|s|00|i|00|o|00|n|00| |00|5|00|.|00|0|00|0|00|"; content:"|0D 0A|"; content:"[|00|"; content:"H|00|K|00|E|00|Y|00|_|00|"; nocase; reference:url,www.ss64.com/nt/regedit.html; classtype: misc-activity; sid: 2000422; rev:7; ) #alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "BLEEDING-EDGE NE EXE OS2 file download"; flow: established; content:"MZ"; isdataat: 76,relative; content:"This program cannot be run in a DOS session."; isdataat: 6,relative; content:"NE"; distance: 0; reference:url,www.itee.uq.edu.au/~cristina/students/david/honoursThesis96/bff.htm; classtype: misc-activity; sid: 2000423; rev:6; ) #alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "BLEEDING-EDGE LX EXE OS2 file download"; flow: established; content:"MZ"; isdataat: 76,relative; content:"This program cannot be run in a DOS session."; isdataat: 6,relative; content:"LX"; distance: 0; reference:url,www.itee.uq.edu.au/~cristina/students/david/honoursThesis96/bff.htm; classtype: misc-activity; sid: 2000424; rev:6; ) #alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "BLEEDING-EDGE NE EXE Windows 3.x file download"; flow: established; content:"MZ"; isdataat: 76,relative; content:"This program requires Microsoft Windows."; isdataat: 10,relative; content:"NE"; distance: 0; reference:url,www.itee.uq.edu.au/~cristina/students/david/honoursThesis96/bff.htm; classtype: misc-activity; sid: 2000425; rev:6; ) #alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "BLEEDING-EDGE EXE compressed PKWARE Windows file download"; flow: established; content:"MZ"; isdataat: 28,relative; content:"PKLITE"; distance: 0; 
reference:url,www.program-transformation.org/Transform/PcExeFormat; classtype: misc-activity; sid: 2000426; rev:6; ) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "BLEEDING-EDGE PE EXE Install Windows file download"; flow: established; content:"MZ"; isdataat: 76,relative; content:"This program must be "; distance: 0; isdataat: 140,relative; content:"PE"; distance: 0; flowbits:set,BE.http.binary; reference:url,www.program-transformation.org/Transform/PcExeFormat; classtype: misc-activity; sid: 2000427; rev:7;) #alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "BLEEDING-EDGE ZIP file download"; flow: established; content:"PK|0304|"; byte_test:1, <=, 0x14, 0, string, hex;content:"|00 00 00|"; distance: 0; reference:url,zziplib.sourceforge.net/zzip-parse.print.html; classtype: misc-activity; sid: 2000428; rev:7; ) #alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "BLEEDING-EDGE Download Windows Help File CHM"; flow: established; content:"ITSF|03|"; isdataat: 19,relative; content:"|7C 01 FD 10 7B AA 11 D0 9E 0C 00 A0 C9 22 E6 EC 7C 01 FD 11 7B AA 11 D0 9E 0C 00 A0 C9 22 E6 EC|"; distance: 0; reference:url,www.speakeasy.org/~russotto/chm/chmformat.html; reference:url,www.securiteam.com/windowsntfocus/6V00N000AU.html; classtype: misc-activity; sid: 2000489; rev:6; ) #alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "BLEEDING-EDGE Download Windows Help File CHM 2"; flow: established; content:"ITSF|03|"; isdataat: 19,relative; content:"|10 FD 01 7C AA 7B D0 11 9E 0C 00 A0 C9 22 E6 EC 11 FD 01 7C AA 7B D0 11 9E 0C 00 A0 C9 22 E6 EC|"; distance: 0; reference:url,www.speakeasy.org/~russotto/chm/chmformat.html; reference:url,www.securiteam.com/windowsntfocus/6V00N000AU.html; classtype: misc-activity; sid: 2000429; rev:6; ) #alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "BLEEDING-EDGE MSI (microsoft installer file) download"; flow: established; content:"|D0 CF 11 E0 A1 B1 1A E1|"; classtype: bad-unknown; sid: 2001115; rev:3; ) #Idea by David Glosser, sig by Matt 
Jonkman alert ip [0.0.0.0/7,2.0.0.0/8,5.0.0.0/8,23.0.0.0/8,27.0.0.0/8,31.0.0.0/8,36.0.0.0/7,39.0.0.0/8,42.0.0.0/8,46.0.0.0/8,49.0.0.0/8] any -> $HOME_NET any (msg:"BLEEDING-EDGE POLICY Reserved IP Space Traffic - Bogon Nets 1"; classtype:bad-unknown; reference:url,www.cymru.com/Documents/bogon-list.html; threshold: type limit, track by_src, count 1, seconds 360; sid:2002749; rev:3;) alert ip [50.0.0.0/8,100.0.0.0/6,104.0.0.0/5,112.0.0.0/6,173.0.0.0/8,174.0.0.0/7,176.0.0.0/5,184.0.0.0/6] any -> $HOME_NET any (msg:"BLEEDING-EDGE POLICY Reserved IP Space Traffic - Bogon Nets 2"; classtype:bad-unknown; reference:url,www.cymru.com/Documents/bogon-list.html; threshold: type limit, track by_src, count 1, seconds 360; sid:2002750; rev:9;) alert ip [192.0.2.0/24,197.0.0.0/8,198.18.0.0/15,223.0.0.0/8] any -> $HOME_NET any (msg:"BLEEDING-EDGE POLICY Reserved IP Space Traffic - Bogon Nets 3"; classtype:bad-unknown; reference:url,www.cymru.com/Documents/bogon-list.html; threshold: type limit, track by_src, count 1, seconds 360; sid:2002751; rev:2;) # #This is for reserved internal space. Do NOT run this sig on your internal net, commented out by default. #alert ip [10.0.0.0/8,169.254.0.0/16,172.16.0.0/12,192.168.0.0/16] any -> $HOME_NET any (msg:"BLEEDING-EDGE POLICY Reserved Internal IP Traffic"; classtype:bad-unknown; reference:url,www.cymru.com/Documents/bogon-list.html; threshold: type limit, track by_src, count 1, seconds 360; sid:2002752; rev:2;) #this is a distributed search engine crawling thing. 
I am not aware of any spyware-like activity, but it is likely not welcome on a corporate net alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE POLICY Boitho.com Distributed Crawler in use - User-Agent (boitho.com-dc)"; flow:to_server,established; content:"User-Agent\: boitho.com"; nocase; classtype:trojan-activity; sid:2003653; rev:1;) #ccproxy is a legitimate program, but has been seen in use by malware to proxy remote http # it's aproduct designed for internal network use. Run this sig externally to detect it in use remotely. # This would likely be hostile activity #by Matt Jonkman from sandnet analysis alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE POLICY CCProxy in use remotely - Possibly Hostile/Malware"; flow:established,from_server; content:"HTTP/1.0 200 Connection established|0d 0a|Proxy-agent\: CCProxy "; offset:0; depth:58; classtype:trojan-activity; reference:url,www.youngzsoft.net; sid:2007576; rev:1;) #online tools alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"BLEEDING-EDGE POLICY Centralops.net Domain Dossier Utility Probe"; flow:established,to_server; content:"USER-Agent\: Domain Dossier utility (http\://CentralOps.net/)"; nocase; classtype:policy-violation; reference:url,centralops.net; sid:2003623; rev:1;) alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"BLEEDING-EDGE POLICY Centralops.net Probe"; flow:established,to_server; content:"USER-Agent\: "; nocase; content:"CentralOps.net/)"; within:100; nocase; classtype:policy-violation; reference:url,centralops.net; sid:2003631; rev:1;) #Submitted by Matt Jonkman alert tcp $HOME_NET 23 -> any any (msg: "BLEEDING-EDGE Cisco Device in Config Mode"; flow: established; content:"Enter configuration commands, one per line"; nocase; classtype: not-suspicious; sid: 2001239; rev:4; ) alert tcp $HOME_NET 23 -> any any (msg: "BLEEDING-EDGE Cisco Device New Config Built"; flow: established; content:"Building configuration..."; nocase; 
classtype: not-suspicious; sid: 2001240; rev:4; ) #By Cory Bys, Particle.bored. # These are going to increase load on a snort process, and are NOT FOOLPROOF. But they may help reveal issues # with informaion flow. NOTE: These will not detect classified UUEncoded docs (email attachments) etc. # # Email # # Non-US Restricted #alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE POLICY SMTP Non-US Restricted Outbound"; flow:to_server,established; content:"Subject|3A|"; pcre:"///([A-Z]{3}\s)+RESTRICTED//X5/ism"; classtype:policy-violation; sid:2002410; rev:1;) # # Non-US Confidential #alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE POLICY SMTP Non-US Confidential Outbound"; flow:to_server,established; content:"Subject|3A|"; pcre:"///([A-Z]{3}\s)+CONFIDENTIAL//X5/ism"; classtype:policy-violation; sid:2002411; rev:1;) # # Non-US Top Secret #alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE POLICY SMTP Non-US Top Secret Outbound"; flow:to_server,established; content:"Subject|3A|"; pcre:"///([A-Z]{3}\s)+TOP\sSECRET//X5/ism"; classtype:policy-violation; sid:2002412; rev:1;) # # Non-US Secret #alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE POLICY SMTP Non-US Secret"; flow:to_server,established; content:"Subject|3A|"; pcre:"///([A-Z]{3}\s)+(? 
$EXTERNAL_NET 25 (msg:"BLEEDING-EDGE POLICY SMTP NATO Restricted"; flow:to_server,established; content:"Subject|3A|"; pcre:"///((NATO\sRESTRICTED)|NR)//MR/ism"; classtype:policy-violation; sid:2002414; rev:1;) # # NATO Confidential Atomal #alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE POLICY SMTP NATO Confidential Atomal"; flow:to_server,established; content:"Subject|3A|"; pcre:"///((NATO\sCONFIDENTIAL\sATOMAL)|NCA)//MR/ism"; classtype:policy-violation; sid:2002415; rev:1;) # # NATO Confidential #alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE POLICY SMTP NATO Confidential"; flow:to_server,established; content:"Subject|3A|"; pcre:"///((NATO\sCONFIDENTIAL)|NC)//MR/ism"; classtype:policy-violation; sid:2002416; rev:1;) # # NATO COSMIC Top Secret Atomal #alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE POLICY SMTP NATO COSMIC Top Secret Atomal"; flow:to_server,established; content:"Subject|3A|"; pcre:"///((COSMIC\sTOP\sSECRET\sATOMAL)|CTSA)//MR/ism"; classtype:policy-violation; sid:2002417; rev:1;) # # NATO Secret Atomal #alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE POLICY SMTP NATO Secret Atomal"; flow:to_server,established; content:"Subject|3A|"; pcre:"///((NATO\sSECRET\sATOMAL)|NSA)//MR/ism"; classtype:policy-violation; sid:2002418; rev:1;) # # NATO Secret #alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE POLICY SMTP NATO Secret"; flow:to_server,established; content:"Subject|3A|"; pcre:"///((NATO\sSECRET)|NS)//MR/ism"; classtype:policy-violation; sid:2002419; rev:1;) # # US Confidential, Electronic Format #alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE POLICY SMTP US Confidential, Electronic"; flow:to_server,established; content:"Subject|3A|"; pcre:"/QQQQ\r\n(?=(O|P|R|Z)\r\n(CC)\r\n)/ism"; classtype:policy-violation; sid:2002420; rev:1;) # # US Top Secret, Electronic Format #alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE 
POLICY SMTP US Top Secret, Electronic"; flow:to_server,established; content:"Subject|3A|"; pcre:"/QQQQ\r\n(?=(O|P|R|Z)\r\n(TT)\r\n)/ism"; classtype:policy-violation; sid:2002421; rev:1;) # # US Secret, Electronic Format #alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE POLICY SMTP US Secret, Electronic"; flow:to_server,established; content:"Subject|3A|"; pcre:"/QQQQ\r\n(?=(O|P|R|Z)\r\n(SS)\r\n)/ism"; classtype:policy-violation; sid:2002422; rev:1;) # # US Confidential Authorized for Release To #alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE POLICY SMTP US Confidential REL TO"; flow:to_server,established; content:"Subject|3A|"; pcre:"/(CONFIDENTIAL|C)//[\s\w,/-]*REL\sTO\sUSA[\s\w,/-]*(?=//(25)?X[1-9])/ism"; classtype:policy-violation; sid:2002423; rev:1;) # # US Top Secret Authorized for Release To #alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE POLICY SMTP US Top Secret REL TO"; flow:to_server,established; content:"Subject|3A|"; pcre:"/(TOP\sSECRET|TS)//[\s\w,/-]*REL\sTO\sUSA[\s\w,/-]*(?=//(25)?X[1-9])/ism"; classtype:policy-violation; sid:2002424; rev:1;) # # US Secret Authorized for Release To #alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE POLICY SMTP US Secret REL TO"; flow:to_server,established; content:"Subject|3A|"; pcre:"/(? 
$EXTERNAL_NET 25 (msg:"BLEEDING-EDGE POLICY SMTP US Confidential COMINT"; flow:to_server,established; content:"Subject|3A|"; pcre:"/(CONFIDENTIAL|C)//[\s\w,/-]*(COMINT|SI)[\s\w,/-]*(?=//(25)?X[1-9])/ism"; classtype:policy-violation; sid:2002426; rev:1;) # # US Top Secret Comint #alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE POLICY SMTP US Top Secret COMINT"; flow:to_server,established; content:"Subject|3A|"; pcre:"/(TOP\sSECRET|TS)//[\s\w,/-]*(COMINT|SI)[\s\w,/-]*(?=//(25)?X[1-9])/ism"; classtype:policy-violation; sid:2002427; rev:1;) # # US Secret Comint #alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE POLICY SMTP US Secret COMINT"; flow:to_server,established; content:"Subject|3A|"; pcre:"/(? $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE POLICY SMTP US Unclassified COMSEC"; flow:to_server,established; content:"Subject|3A|"; pcre:"/(UNCLASSIFIED|U)//[\s\w,/-]*COMSEC[\s\w,/-]*(?=//(25)?X[1-9])/ism"; classtype:policy-violation; sid:2002429; rev:1;) # # US Confidential Communications Security Material #alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE POLICY SMTP US Confidential COMSEC"; flow:to_server,established; content:"Subject|3A|"; pcre:"/(CONFIDENTIAL|C)//[\s\w,/-]*COMSEC[\s\w,/-]*(?=//(25)?X[1-9])/ism"; classtype:policy-violation; sid:2002430; rev:1;) # # US Top Secret Communications Security Material #alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE POLICY SMTP US Top Secret COMSEC"; flow:to_server,established; content:"Subject|3A|"; pcre:"/(TOP\sSECRET|TS)//[\s\w,/-]*COMSEC[\s\w,/-]*(?=//(25)?X[1-9])/ism"; classtype:policy-violation; sid:2002431; rev:1;) # # US Secret Communications Security Material #alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE POLICY SMTP US Secret COMSEC"; flow:to_server,established; content:"Subject|3A|"; pcre:"/(? $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE POLICY SMTP US Secret IMCON"; flow:to_server,established; content:"Subject|3A|"; pcre:"/(? 
$EXTERNAL_NET 25 (msg:"BLEEDING-EDGE POLICY SMTP US Top Secret CNWDI"; flow:to_server,established; content:"Subject|3A|"; pcre:"/(TOP\sSECRET|TS)//[\s\w,/-]*(CRITICAL\sNUCLEAR\sWEAPON\sDESIGN\sINFORMATION|CNWDI)[\s\w,/-]*(?=//MR)/ism"; classtype:policy-violation; sid:2002434; rev:1;) # # US Secret Critical Nuclear Weapon Design Information #alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE POLICY SMTP US Secret CNWDI"; flow:to_server,established; content:"Subject|3A|"; pcre:"/(? $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE POLICY SMTP US Top Secret TK"; flow:to_server,established; content:"Subject|3A|"; pcre:"/(TOP\sSECRET|TS)//[\s\w,/-]*(TALENT\sKEYHOLE|TK)[\s\w,/-]*(?=//(25)?X[1-9])/ism"; classtype:policy-violation; sid:2002436; rev:1;) # # US Secret Talent Keyhole #alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE POLICY SMTP US Secret TK"; flow:to_server,established; content:"Subject|3A|"; pcre:"/(? $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE POLICY SMTP US FGI"; flow:to_server,established; content:"Subject|3A|"; pcre:"///FGI[\s\w,/-]*(?=//X5)/ism"; classtype:policy-violation; sid:2002438; rev:1;) # # US For Official Use Only #alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE POLICY SMTP US FOUO"; flow:to_server,established; content:"Subject|3A|"; pcre:"/(UNCLASSIFIED|U)//(FOR\sOFFICIAL\sUSE\sONLY|FOUO)/ism"; classtype:policy-violation; sid:2002439; rev:1;) # # US Confidential Not Releasable to Foreign Nationals #alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE POLICY SMTP US Confidential NOFORN"; flow:to_server,established; content:"Subject|3A|"; pcre:"/(CONFIDENTIAL|C)//[\s\w,/-]*NOFORN[\s\w,/-]*(?=//(25)?X[1-9])/ism"; classtype:policy-violation; sid:2002440; rev:1;) # # US Top Secret Not Releasable to Foreign Nationals #alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE POLICY SMTP US Top Secret NOFORN"; flow:to_server,established; content:"Subject|3A|"; 
pcre:"/(TOP\sSECRET|TS)//[\s\w,/-]*NOFORN[\s\w,/-]*(?=//(25)?X[1-9])/ism"; classtype:policy-violation; sid:2002441; rev:1;) # # US Secret Not Releasable to Foreign Nationals #alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE POLICY SMTP US Secret NOFORN"; flow:to_server,established; content:"Subject|3A|"; pcre:"/(? $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE POLICY SMTP US Confidential ORCON"; flow:to_server,established; content:"Subject|3A|"; pcre:"/(CONFIDENTIAL|C)//[\s\w,/-]*(ORIGINATOR\sCONTROLLED|ORCON)[\s\w,/-]*(?=//(25)?X[1-9])/ism"; classtype:policy-violation; sid:2002443; rev:1;) # # US Top Secret Originator Controlled #alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE POLICY SMTP US Top Secret ORCON"; flow:to_server,established; content:"Subject|3A|"; pcre:"/(TOP\sSECRET|TS)//[\s\w,/-]*(ORIGINATOR\sCONTROLLED|ORCON)[\s\w,/-]*(?=//(25)?X[1-9])/ism"; classtype:policy-violation; sid:2002444; rev:1;) # # US Secret Originator Controlled #alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE POLICY SMTP US Secret ORCON"; flow:to_server,established; content:"Subject|3A|"; pcre:"/(? 
$EXTERNAL_NET 25 (msg:"BLEEDING-EDGE POLICY SMTP US Unclassified PROPIN"; flow:to_server,established; content:"Subject|3A|"; pcre:"/(UNCLASSIFIED|U)//[\s\w,/-]*PROPIN[\s\w,/-]*(?=//(25)?X[1-9])/ism"; classtype:policy-violation; sid:2002446; rev:1;) # # US Confidential Proprietary Information #alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE POLICY SMTP US Confidential PROPIN"; flow:to_server,established; content:"Subject|3A|"; pcre:"/(CONFIDENTIAL|C)//[\s\w,/-]*PROPIN[\s\w,/-]*(?=//(25)?X[1-9])/ism"; classtype:policy-violation; sid:2002447; rev:1;) # # US Top Secret Proprietary Information #alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE POLICY SMTP US Top Secret PROPIN"; flow:to_server,established; content:"Subject|3A|"; pcre:"/(TOP\sSECRET|TS)//[\s\w,/-]*PROPIN[\s\w,/-]*(?=//(25)?X[1-9])/ism"; classtype:policy-violation; sid:2002448; rev:1;) # # US Secret Proprietary Information #alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE POLICY SMTP US Secret PROPIN"; flow:to_server,established; content:"Subject|3A|"; pcre:"/(? $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE POLICY SMTP US Confidential RD"; flow:to_server,established; content:"Subject|3A|"; pcre:"/(CONFIDENTIAL|C)//[\s\w,/-]*(RESTRICTED\sDATA|RD)[\s\w,/-]*(?=//MR)/ism"; classtype:policy-violation; sid:2002450; rev:1;) # # US Top Secret Restricted Data #alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE POLICY SMTP US Top Secret RD"; flow:to_server,established; content:"Subject|3A|"; pcre:"/(TOP\sSECRET|TS)//[\s\w,/-]*(RESTRICTED\sDATA|RD)[\s\w,/-]*(?=//MR)/ism"; classtype:policy-violation; sid:2002451; rev:1;) # # US Secret Restricted Data #alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE POLICY SMTP US Secret RD"; flow:to_server,established; content:"Subject|3A|"; pcre:"/(? 
$EXTERNAL_NET 25 (msg:"BLEEDING-EDGE POLICY SMTP US SAMI"; flow:to_server,established; content:"Subject|3A|"; pcre:"/SAMI[\s\w,/-]*(?=//(25)?X[1-9])/ism"; classtype:policy-violation; sid:2002453; rev:1;) # # US Confidential Special Category #alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE POLICY SMTP US Confidential SPECAT"; flow:to_server,established; content:"Subject|3A|"; pcre:"/(CONFIDENTIAL|C)//[\s\w,/-]*SPECAT[\s\w,/-]*(?=//(25)?X[1-9])/ism"; classtype:policy-violation; sid:2002454; rev:1;) # # US Top Secret Special Category #alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE POLICY SMTP US Top Secret SPECAT"; flow:to_server,established; content:"Subject|3A|"; pcre:"/(TOP\sSECRET|TS)//[\s\w,/-]*SPECAT[\s\w,/-]*(?=//(25)?X[1-9])/ism"; classtype:policy-violation; sid:2002455; rev:1;) # # US Secret Special Category #alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE POLICY SMTP US Secret SPECAT"; flow:to_server,established; content:"Subject|3A|"; pcre:"/(? $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE POLICY SMTP US Top Secret STOP"; flow:to_server,established; content:"Subject|3A|"; pcre:"/(TOP\sSECRET|TS)//[\s\w,/-]*STOP[\s\w,/-]*(?=//(25)?X[1-9])/ism"; classtype:policy-violation; sid:2002457; rev:1;) # # The word "private" #alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE POLICY SMTP Private"; flow:to_server,established; content:"Subject|3A|"; pcre:"/\Wprivate\W(?!/(25)?X[1-9])/ism"; classtype:policy-violation; sid:2002458; rev:1;) # # The word "restricted" #alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE POLICY SMTP Restricted"; flow:to_server,established; content:"Subject|3A|"; pcre:"/(? $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE POLICY SMTP Confidential"; flow:to_server,established; content:"Subject|3A|"; pcre:"/(? $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE POLICY SMTP Secret"; flow:to_server,established; content:"Subject|3A|"; pcre:"/(? 
$EXTERNAL_NET 25 (msg:"BLEEDING-EDGE POLICY SMTP Top Secret"; flow:to_server,established; content:"Subject|3A|"; pcre:"/(? $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE POLICY SMTP Sealed"; flow:to_server,established; content:"Subject|3A|"; pcre:"/\Wsealed\W(?!/(25)?X[1-9])/ism"; classtype:policy-violation; sid:2002463; rev:1;) # # The word "sensitive" #alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE POLICY SMTP Sensitive"; flow:to_server,established; content:"Subject|3A|"; pcre:"/(? $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE POLICY SMTP Proprietary"; flow:to_server,established; content:"Subject|3A|"; pcre:"/\Wproprietary\W(?!/(25)?X[1-9])/ism"; classtype:policy-violation; sid:2002465; rev:1;) # # The word "protected" #alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE POLICY SMTP Protected"; flow:to_server,established; content:"Subject|3A|"; pcre:"/\Wprotected\W(?!/(25)?X[1-9])/ism"; classtype:policy-violation; sid:2002466; rev:1;) # # The phrase "law enforcement sensitive" #alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE POLICY SMTP Law Enorcement Sensitive"; flow:to_server,established; content:"Subject|3A|"; pcre:"/\Wlaw\senforcement\ssensitive\W/ism"; classtype:policy-violation; sid:2002467; rev:1;) # # The phrase "internal use only" #alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE POLICY SMTP Internal Use Only"; flow:to_server,established; content:"Subject|3A|"; pcre:"/\Winternal\suse\sonly\W/ism"; classtype:policy-violation; sid:2002468; rev:1;) # # The phrase "date of birth" or its typical abbreviations #alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE POLICY SMTP Date of Birth"; flow:to_server,established; content:"Subject|3A|"; pcre:"/[^\w&]d(ate)?(-)?o(f)?(-)?b(irth)?\W[\s\w,/-]*(?=([0-9]{2}[-/][0-9]{2}[-/][0-9]{2,4})|[0-9]{8})/ism"; classtype:policy-violation; sid:2002469; rev:1;) # # Health Care Common Procedure Coding System (HCPCS) Codes #alert tcp $SMTP_SERVERS any -> 
$EXTERNAL_NET 25 (msg:"BLEEDING-EDGE POLICY SMTP HCPCS Code"; flow:to_server,established; content:"Subject|3A|"; pcre:"/\Whcpcs\W[\s\w,/-]*(?=[a-z][0-9]{10})/ism"; classtype:policy-violation; sid:2002470; rev:1;) # # International Statistical Classification of Diseases and Related Health Problems 10th Revision (ICD-10) Codes #alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE POLICY SMTP ICD-10 Code"; flow:to_server,established; content:"Subject|3A|"; pcre:"/\Wicd\W[\s\w,/-]*(?=[a-z][0-9]{2}\.[0-9]{2})/ism"; classtype:policy-violation; sid:2002471; rev:1;) # # Food and Drug Administration (FDA) National Drug Code (NDC) Codes #alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE POLICY SMTP FDA NDC Code"; flow:to_server,established; content:"Subject|3A|"; pcre:"/\Wndc\W[\s\w,/-]*(?=([0-9]{4}-[0-9]{4}-[0-9]{2}|[0-9]{5}-[0-9]{3}-[0-9]{2}|[0-9]{5}-[0-9]{4}-[0-9]{1,2}))/ism"; classtype:policy-violation; sid:2002472; rev:1;) # # American Dental Association (ADA) Dental Procedure Codes #alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE POLICY SMTP ADA Procedure Code"; flow:to_server,established; content:"Subject|3A|"; pcre:"/\Wada\W[\s\w,/-]*(?=d[0-9]{4})/ism"; classtype:policy-violation; sid:2002473; rev:1;) # # Diagnostic and Statistical Manual of Mental Disorders (DSM-IV) Codes #alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE POLICY SMTP DSM-IV Code"; flow:to_server,established; content:"Subject|3A|"; pcre:"/\Wdsm\W[\s\w,/-]*(?=([2-9][0-9]{2}(\.[0-9]{1,2}?)|(v[167][0-9]\.[0-9]{1,2})))/ism"; classtype:policy-violation; sid:2002474; rev:3;) # # American Medical Association (AMA) Current Procedural Terminology (CPT) Codes #alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE POLICY SMTP AMA CPT Code"; flow:to_server,established; content:"Subject|3A|"; pcre:"/\Wcpt\W[\s\w,/-]*(?=[0-9]{4}[ft]|[0-9]{5})/ism"; classtype:policy-violation; sid:2002475; rev:1;) # # Japan Credit Bureau Credit 
Card Number #alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE POLICY SMTP Credit Card, JCB"; flow:to_server,established; content:"Subject|3A|"; pcre:"/\Wj(apan\s)?c(redit\s)?b(ureau)?\W[\s\w,/-]*(?=(3[12359][0-9]{14})|(1800|2131)[0-9]{11})/ism"; classtype:policy-violation; sid:2002477; rev:1;) # # The word "password", its typical abbreviations or written/abbreviated in a few forms of "leet" #alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE POLICY SMTP Password"; flow:to_server,established; content:"Subject|3A|"; pcre:"/\W[p][a4@][sz5]{0,2}[w]([o0][r])?[d]\W/ism"; classtype:policy-violation; sid:2002483; rev:1;) # # The word "appraisal" #alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE POLICY SMTP Appraisal"; flow:to_server,established; content:"Subject|3A|"; pcre:"/\Wappraisal(s)?\W/ism"; classtype:policy-violation; sid:2002484; rev:1;) # # The phrase "account balance" #alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE POLICY SMTP Account Balance"; flow:to_server,established; content:"Subject|3A|"; pcre:"/\Waccount\sbalance(s)?\W/ism"; classtype:policy-violation; sid:2002485; rev:1;) # # The phrase "payment history" #alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE POLICY SMTP Payment History"; flow:to_server,established; content:"Subject|3A|"; pcre:"/\Wpayment\shistory\W/ism"; classtype:policy-violation; sid:2002486; rev:1;) # # The phrase "annual income" #alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE POLICY SMTP Annual Income"; flow:to_server,established; content:"Subject|3A|"; pcre:"/\Wannual\sincome(s)?\W/ism"; classtype:policy-violation; sid:2002487; rev:2;) # # The phrase "credit history" #alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE POLICY SMTP Credit History"; flow:to_server,established; content:"Subject|3A|"; pcre:"/\Wcredit\shistor(y|ies)\W/ism"; classtype:policy-violation; sid:2002488; rev:1;) # # The phrase 
# NOTE(review): from the "HTTP POST" section onward the rules carry only flow:to_server,established plus a pcre and
# no content: match, unlike the SMTP rules above that anchor on content:"Subject|3A|". Without a content anchor
# there is no fast-pattern pre-filter, so every established client->server payload on $HTTP_PORTS is run through
# the regex; if these are ever uncommented, add a content anchor (e.g. content:"POST") or scope the ports/hosts first.
# NOTE(review): every rule here is disabled (leading "#"); these are DLP-style policy matches, not exploit signatures.
# NOTE(review): the Non-US Secret rule's pcre is cut off at "(?" on this page and the rest of that rule (and the
# start of the NATO Restricted rule) is missing; restore it from the upstream ruleset rather than from this copy.
"transaction history" #alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE POLICY SMTP Transaction History"; flow:to_server,established; content:"Subject|3A|"; pcre:"/\Wtransaction\shistor(y|ies)\W/ism"; classtype:policy-violation; sid:2002489; rev:1;) # # The phrase "customer list" #alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE POLICY SMTP Customer List"; flow:to_server,established; content:"Subject|3A|"; pcre:"/\Wcustomer\slist(s)?\W/ism"; classtype:policy-violation; sid:2002490; rev:1;) ########################################## # # HTTP POST # # Non-US Restricted #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE POLICY HTTP Non-US Restricted"; flow:to_server,established; pcre:"///([A-Z]{3}\s)+RESTRICTED//X5/ism"; classtype:policy-violation; sid:2002495; rev:2;) # # Non-US Confidential #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE POLICY HTTP - Non-US Confidential"; flow:to_server,established; pcre:"///([A-Z]{3}\s)+CONFIDENTIAL//X5/ism"; classtype:policy-violation; sid:2002496; rev:2;) # # Non-US Top Secret #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE POLICY HTTP - Non-US Top Secret"; flow:to_server,established; pcre:"///([A-Z]{3}\s)+TOP\sSECRET//X5/ism"; classtype:policy-violation; sid:2002497; rev:2;) # # Non-US Secret #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE POLICY HTTP - Non-US Secret"; flow:to_server,established; pcre:"///([A-Z]{3}\s)+(? 
$EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE POLICY HTTP - NATO Restricted"; flow:to_server,established; pcre:"///((NATO\sRESTRICTED)|NR)//MR/ism"; classtype:policy-violation; sid:2002499; rev:2;) # # NATO Confidential Atomal #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE POLICY HTTP - NATO Confidential Atomal"; flow:to_server,established; pcre:"///((NATO\sCONFIDENTIAL\sATOMAL)|NCA)//MR/ism"; classtype:policy-violation; sid:2002500; rev:2;) # # NATO Confidential #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE POLICY HTTP - NATO Confidential"; flow:to_server,established; pcre:"///((NATO\sCONFIDENTIAL)|NC)//MR/ism"; classtype:policy-violation; sid:2002501; rev:2;) # # NATO COSMIC Top Secret Atomal #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE POLICY HTTP - NATO COSMIC Top Secret Atomal"; flow:to_server,established; pcre:"///((COSMIC\sTOP\sSECRET\sATOMAL)|CTSA)//MR/ism"; classtype:policy-violation; sid:2002502; rev:2;) # # NATO Secret Atomal #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE POLICY HTTP - NATO Secret Atomal"; flow:to_server,established; pcre:"///((NATO\sSECRET\sATOMAL)|NSA)//MR/ism"; classtype:policy-violation; sid:2002503; rev:2;) # # NATO Secret #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE POLICY HTTP - NATO Secret"; flow:to_server,established; pcre:"///((NATO\sSECRET)|NS)//MR/ism"; classtype:policy-violation; sid:2002504; rev:2;) # # US Confidential, Electronic Format #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE POLICY HTTP - US Confidential, Electronic"; flow:to_server,established; pcre:"/QQQQ\r\n(?=(O|P|R|Z)\r\n(CC)\r\n)/ism"; classtype:policy-violation; sid:2002505; rev:2;) # # US Top Secret, Electronic Format #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE POLICY HTTP - US Top Secret, Electronic"; flow:to_server,established; 
pcre:"/QQQQ\r\n(?=(O|P|R|Z)\r\n(TT)\r\n)/ism"; classtype:policy-violation; sid:2002506; rev:2;) # # US Secret, Electronic Format #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE POLICY HTTP - US Secret, Electronic"; flow:to_server,established; pcre:"/QQQQ\r\n(?=(O|P|R|Z)\r\n(SS)\r\n)/ism"; classtype:policy-violation; sid:2002507; rev:2;) # # US Confidential Authorized for Release To #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE POLICY HTTP - US Confidential REL TO"; flow:to_server,established; pcre:"/(CONFIDENTIAL|C)//[\s\w,/-]*REL\sTO\sUSA[\s\w,/-]*(?=//(25)?X[1-9])/ism"; classtype:policy-violation; sid:2002508; rev:2;) # # US Top Secret Authorized for Release To #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE POLICY HTTP - US Top Secret REL TO"; flow:to_server,established; pcre:"/(TOP\sSECRET|TS)//[\s\w,/-]*REL\sTO\sUSA[\s\w,/-]*(?=//(25)?X[1-9])/ism"; classtype:policy-violation; sid:2002509; rev:2;) # # US Secret Authorized for Release To #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE POLICY HTTP - US Secret REL TO"; flow:to_server,established; pcre:"/(? $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE POLICY HTTP - US Confidential COMINT"; flow:to_server,established; pcre:"/(CONFIDENTIAL|C)//[\s\w,/-]*(COMINT|SI)[\s\w,/-]*(?=//(25)?X[1-9])/ism"; classtype:policy-violation; sid:2002511; rev:2;) # # US Top Secret Comint #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE POLICY HTTP - US Top Secret COMINT"; flow:to_server,established; pcre:"/(TOP\sSECRET|TS)//[\s\w,/-]*(COMINT|SI)[\s\w,/-]*(?=//(25)?X[1-9])/ism"; classtype:policy-violation; sid:2002512; rev:2;) # # US Secret Comint #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE POLICY HTTP - US Secret COMINT"; flow:to_server,established; pcre:"/(? 
$EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE POLICY HTTP - US Unclassified COMSEC"; flow:to_server,established; pcre:"/(UNCLASSIFIED|U)//[\s\w,/-]*COMSEC[\s\w,/-]*(?=//(25)?X[1-9])/ism"; classtype:policy-violation; sid:2002514; rev:2;) # # US Confidential Communications Security Material #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE POLICY HTTP - US Confidential COMSEC"; flow:to_server,established; pcre:"/(CONFIDENTIAL|C)//[\s\w,/-]*COMSEC[\s\w,/-]*(?=//(25)?X[1-9])/ism"; classtype:policy-violation; sid:2002515; rev:2;) # # US Top Secret Communications Security Material #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE POLICY HTTP - US Top Secret COMSEC"; flow:to_server,established; pcre:"/(TOP\sSECRET|TS)//[\s\w,/-]*COMSEC[\s\w,/-]*(?=//(25)?X[1-9])/ism"; classtype:policy-violation; sid:2002516; rev:2;) # # US Secret Communications Security Material #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE POLICY HTTP - US Secret COMSEC"; flow:to_server,established; pcre:"/(? $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE POLICY HTTP - US Secret IMCON"; flow:to_server,established; pcre:"/(? $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE POLICY HTTP - US Top Secret CNWDI"; flow:to_server,established; pcre:"/(TOP\sSECRET|TS)//[\s\w,/-]*(CRITICAL\sNUCLEAR\sWEAPON\sDESIGN\sINFORMATION|CNWDI)[\s\w,/-]*(?=//MR)/ism"; classtype:policy-violation; sid:2002519; rev:2;) # # US Secret Critical Nuclear Weapon Design Information #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE POLICY HTTP - US Secret CNWDI"; flow:to_server,established; pcre:"/(? 
$EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE POLICY HTTP - US Top Secret TK"; flow:to_server,established; pcre:"/(TOP\sSECRET|TS)//[\s\w,/-]*(TALENT\sKEYHOLE|TK)[\s\w,/-]*(?=//(25)?X[1-9])/ism"; classtype:policy-violation; sid:2002521; rev:2;) # # US Secret Talent Keyhole #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE POLICY HTTP - US Secret TK"; flow:to_server,established; pcre:"/(? $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE POLICY HTTP - US FGI"; flow:to_server,established; pcre:"///FGI[\s\w,/-]*(?=//X5)/ism"; classtype:policy-violation; sid:2002523; rev:2;) # # US For Official Use Only #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE POLICY HTTP - US FOUO"; flow:to_server,established; pcre:"/(UNCLASSIFIED|U)//(FOR\sOFFICIAL\sUSE\sONLY|FOUO)/ism"; classtype:policy-violation; sid:2002524; rev:2;) # # US Confidential Not Releasable to Foreign Nationals #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE POLICY HTTP - US Confidential NOFORN"; flow:to_server,established; pcre:"/(CONFIDENTIAL|C)//[\s\w,/-]*NOFORN[\s\w,/-]*(?=//(25)?X[1-9])/ism"; classtype:policy-violation; sid:2002525; rev:2;) # # US Top Secret Not Releasable to Foreign Nationals #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE POLICY HTTP - US Top Secret NOFORN"; flow:to_server,established; pcre:"/(TOP\sSECRET|TS)//[\s\w,/-]*NOFORN[\s\w,/-]*(?=//(25)?X[1-9])/ism"; classtype:policy-violation; sid:2002526; rev:2;) # # US Secret Not Releasable to Foreign Nationals #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE POLICY HTTP - US Secret NOFORN"; flow:to_server,established; pcre:"/(? 
$EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE POLICY HTTP - US Confidential ORCON"; flow:to_server,established; pcre:"/(CONFIDENTIAL|C)//[\s\w,/-]*(ORIGINATOR\sCONTROLLED|ORCON)[\s\w,/-]*(?=//(25)?X[1-9])/ism"; classtype:policy-violation; sid:2002704; rev:1;) # # US Top Secret Originator Controlled #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE POLICY HTTP - US Top Secret ORCON"; flow:to_server,established; pcre:"/(TOP\sSECRET|TS)//[\s\w,/-]*(ORIGINATOR\sCONTROLLED|ORCON)[\s\w,/-]*(?=//(25)?X[1-9])/ism"; classtype:policy-violation; sid:2002528; rev:2;) # # US Secret Originator Controlled #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE POLICY HTTP - US Secret ORCON"; flow:to_server,established; pcre:"/(? $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE POLICY HTTP - US Unclassified PROPIN"; flow:to_server,established; pcre:"/(UNCLASSIFIED|U)//[\s\w,/-]*PROPIN[\s\w,/-]*(?=//(25)?X[1-9])/ism"; classtype:policy-violation; sid:2002530; rev:2;) # # US Confidential Proprietary Information #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE POLICY HTTP - US Confidential PROPIN"; flow:to_server,established; pcre:"/(CONFIDENTIAL|C)//[\s\w,/-]*PROPIN[\s\w,/-]*(?=//(25)?X[1-9])/ism"; classtype:policy-violation; sid:2002531; rev:2;) # # US Top Secret Proprietary Information #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE POLICY HTTP - US Top Secret PROPIN"; flow:to_server,established; pcre:"/(TOP\sSECRET|TS)//[\s\w,/-]*PROPIN[\s\w,/-]*(?=//(25)?X[1-9])/ism"; classtype:policy-violation; sid:2002532; rev:2;) # # US Secret Proprietary Information #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE POLICY HTTP - US Secret PROPIN"; flow:to_server,established; pcre:"/(? 
$EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE POLICY HTTP - US Confidential RD"; flow:to_server,established; pcre:"/(CONFIDENTIAL|C)//[\s\w,/-]*(RESTRICTED\sDATA|RD)[\s\w,/-]*(?=//MR)/ism"; classtype:policy-violation; sid:2002534; rev:2;) # # US Top Secret Restricted Data #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE POLICY HTTP - US Top Secret RD"; flow:to_server,established; pcre:"/(TOP\sSECRET|TS)//[\s\w,/-]*(RESTRICTED\sDATA|RD)[\s\w,/-]*(?=//MR)/ism"; classtype:policy-violation; sid:2002535; rev:2;) # # US Secret Restricted Data #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE POLICY HTTP - US Secret RD"; flow:to_server,established; pcre:"/(? $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE POLICY HTTP - US SAMI"; flow:to_server,established; pcre:"/SAMI[\s\w,/-]*(?=//(25)?X[1-9])/ism"; classtype:policy-violation; sid:2002537; rev:2;) # # US Confidential Special Category #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE POLICY HTTP - US Confidential SPECAT"; flow:to_server,established; pcre:"/(CONFIDENTIAL|C)//[\s\w,/-]*SPECAT[\s\w,/-]*(?=//(25)?X[1-9])/ism"; classtype:policy-violation; sid:2002538; rev:2;) # # US Top Secret Special Category #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE POLICY HTTP - US Top Secret SPECAT"; flow:to_server,established; pcre:"/(TOP\sSECRET|TS)//[\s\w,/-]*SPECAT[\s\w,/-]*(?=//(25)?X[1-9])/ism"; classtype:policy-violation; sid:2002539; rev:2;) # # US Secret Special Category #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE POLICY HTTP - US Secret SPECAT"; flow:to_server,established; pcre:"/(? 
# NOTE(review): the single-word rules below (sid:2002542 "private", sid:2002547 "sealed") match the bare word anywhere
# in a client->server HTTP payload, case-insensitively (/ism). The negative lookahead (?!/(25)?X[1-9]) only skips the
# formally marked form (word followed by //X5 or //25X<n>), which the marking rules above already cover; the bare word
# is common in ordinary text and form data, so expect a high false-positive rate. Tune with a threshold/suppression
# or restrict to specific hosts before enabling.
# NOTE(review): the Restricted, Confidential, Secret, Top Secret and Sensitive rules are truncated at "(?" on this
# page; their pcre remainder and sid are missing here, so they must be taken from the upstream ruleset, not this copy.
$EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE POLICY HTTP - US Top Secret STOP"; flow:to_server,established; pcre:"/(TOP\sSECRET|TS)//[\s\w,/-]*STOP[\s\w,/-]*(?=//(25)?X[1-9])/ism"; classtype:policy-violation; sid:2002541; rev:2;) # # The word "private" #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE POLICY HTTP - Private"; flow:to_server,established; pcre:"/\Wprivate\W(?!/(25)?X[1-9])/ism"; classtype:policy-violation; sid:2002542; rev:2;) # # The word "restricted" #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE POLICY HTTP - Restricted"; flow:to_server,established; pcre:"/(? $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE POLICY HTTP - Confidential"; flow:to_server,established; pcre:"/(? $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE POLICY HTTP - Secret"; flow:to_server,established; pcre:"/(? $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE POLICY HTTP - Top Secret"; flow:to_server,established; pcre:"/(? $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE POLICY HTTP - Sealed"; flow:to_server,established; pcre:"/\Wsealed\W(?!/(25)?X[1-9])/ism"; classtype:policy-violation; sid:2002547; rev:2;) # # The word "sensitive" #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE POLICY HTTP - Sensitive"; flow:to_server,established; pcre:"/(? 
$EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE POLICY HTTP - Proprietary"; flow:to_server,established; pcre:"/\Wproprietary\W(?!/(25)?X[1-9])/ism"; classtype:policy-violation; sid:2002549; rev:2;) # # The word "protected" #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE POLICY HTTP - Protected"; flow:to_server,established; pcre:"/\Wprotected\W(?!/(25)?X[1-9])/ism"; classtype:policy-violation; sid:2002550; rev:2;) # # The phrase "law enforcement sensitive" #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE POLICY HTTP - Law Enorcement Sensitive"; flow:to_server,established; pcre:"/\Wlaw\senforcement\ssensitive\W/ism"; classtype:policy-violation; sid:2002551; rev:2;) # # The phrase "internal use only" #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE POLICY HTTP - Internal Use Only"; flow:to_server,established; pcre:"/\Winternal\suse\sonly\W/ism"; classtype:policy-violation; sid:2002552; rev:2;) # # The phrase "date of birth" or its typical abbreviations #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE POLICY HTTP - Date of Birth"; flow:to_server,established; pcre:"/[^\w&]d(ate)?(-)?o(f)?(-)?b(irth)?\W[\s\w,/-]*(?=([0-9]{2}[-/][0-9]{2}[-/][0-9]{2,4})|[0-9]{8})/ism"; classtype:policy-violation; sid:2002553; rev:2;) # # Health Care Common Procedure Coding System (HCPCS) Codes #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE POLICY HTTP - HCPCS Code"; flow:to_server,established; pcre:"/\Whcpcs\W[\s\w,/-]*(?=[a-z][0-9]{10})/ism"; classtype:policy-violation; sid:2002554; rev:2;) # # International Statistical Classification of Diseases and Related Health Problems 10th Revision (ICD-10) Codes #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE POLICY HTTP - ICD-10 Code"; flow:to_server,established; pcre:"/\Wicd\W[\s\w,/-]*(?=[a-z][0-9]{2}\.[0-9]{2})/ism"; classtype:policy-violation; sid:2002555; rev:2;) # # Food and Drug 
Administration (FDA) National Drug Code (NDC) Codes #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE POLICY HTTP - FDA NDC Code"; flow:to_server,established; pcre:"/\Wndc\W[\s\w,/-]*(?=([0-9]{4}-[0-9]{4}-[0-9]{2}|[0-9]{5}-[0-9]{3}-[0-9]{2}|[0-9]{5}-[0-9]{4}-[0-9]{1,2}))/ism"; classtype:policy-violation; sid:2002556; rev:2;) # # American Dental Association (ADA) Dental Procedure Codes #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE POLICY HTTP - ADA Procedure Code"; flow:to_server,established; pcre:"/\Wada\W[\s\w,/-]*(?=d[0-9]{4})/ism"; classtype:policy-violation; sid:2002557; rev:2;) # # Diagnostic and Statistical Manual of Mental Disorders (DSM-IV) Codes #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE POLICY HTTP - DSM-IV Code"; flow:to_server,established; pcre:"/\Wdsm\W[\s\w,/-]*(?=([2-9][0-9]{2}(\.[0-9]{1,2}?)|(v[167][0-9]\.[0-9]{1,2})))/ism"; classtype:policy-violation; sid:2002558; rev:4;) # # American Medical Association (AMA) Current Procedural Terminology (CPT) Codes #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE POLICY HTTP - AMA CPT Code"; flow:to_server,established; pcre:"/\Wcpt\W[\s\w,/-]*(?=[0-9]{4}[ft]|[0-9]{5})/ism"; classtype:policy-violation; sid:2002559; rev:2;) # # Japan Credit Bureau Credit Card Number #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE POLICY HTTP - Credit Card, JCB"; flow:to_server,established; pcre:"/\Wj(apan\s)?c(redit\s)?b(ureau)?\W[\s\w,/-]*(?=(3[12359][0-9]{14})|(1800|2131)[0-9]{11})/ism"; classtype:policy-violation; sid:2002561; rev:2;) # # The word "password", its typical abbreviations or written/abbreviated in a few forms of "leet" #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE POLICY HTTP - Password"; flow:to_server,established; pcre:"/\W[p][a4@][sz5]{0,2}[w]([o0][r])?[d]\W/ism"; classtype:policy-violation; sid:2002567; rev:2;) # # The word "appraisal" #alert tcp 
$HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE POLICY HTTP - Appraisal"; flow:to_server,established; pcre:"/\Wappraisal(s)?\W/ism"; classtype:policy-violation; sid:2002568; rev:2;) # # The phrase "account balance" #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE POLICY HTTP - Account Balance"; flow:to_server,established; pcre:"/\Waccount\sbalance(s)?\W/ism"; classtype:policy-violation; sid:2002569; rev:2;) # # The phrase "payment history" #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE POLICY HTTP - Payment History"; flow:to_server,established; pcre:"/\Wpayment\shistory\W/ism"; classtype:policy-violation; sid:2002570; rev:2;) # # The phrase "annual income" #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE POLICY HTTP - Annual Income"; flow:to_server,established; pcre:"/\Wannual\sincome(s)?\W/ism"; classtype:policy-violation; sid:2002571; rev:2;) # # The phrase "credit history" #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE POLICY HTTP - Credit History"; flow:to_server,established; pcre:"/\Wcredit\shistor(y|ies)\W/ism"; classtype:policy-violation; sid:2002572; rev:2;) # # The phrase "transaction history" #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE POLICY HTTP - Transaction History"; flow:to_server,established; pcre:"/\Wtransaction\shistor(y|ies)\W/ism"; classtype:policy-violation; sid:2002573; rev:2;) # # The phrase "customer list" #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE POLICY HTTP - Customer List"; flow:to_server,established; pcre:"/\Wcustomer\slist(s)?\W/ism"; classtype:policy-violation; sid:2002574; rev:2;) # # ########################################## # # High Ports, possibly Passive FTP DATA # # Non-US Restricted #alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"BLEEDING-EDGE POLICY High Ports - Non-US Restricted"; flow:to_server,established; 
# NOTE(review): the "High Ports" rules use $HOME_NET 1024: -> $EXTERNAL_NET 1024: with flow:to_server,established,
# which covers every established TCP session between two ephemeral ports, not only passive-FTP data (the section
# header itself says "possibly"). Combined with a bare pcre and no content: anchor, every such payload gets a regex
# pass. Before enabling, narrow the scope to the FTP data channel or to the hosts that actually matter.
# NOTE(review): the NATO short forms (NR, NCA, NC, CTSA, NSA, NS) are only accepted inside the "//<code>//MR" framing,
# which keeps them from firing on the bare abbreviations; keep that framing if these regexes are ever edited.
pcre:"///([A-Z]{3}\s)+RESTRICTED//X5/ism"; classtype:policy-violation; sid:2002575; rev:2;) # # Non-US Confidential #alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"BLEEDING-EDGE POLICY High Ports - Non-US Confidential"; flow:to_server,established; pcre:"///([A-Z]{3}\s)+CONFIDENTIAL//X5/ism"; classtype:policy-violation; sid:2002576; rev:2;) # # Non-US Top Secret #alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"BLEEDING-EDGE POLICY High Ports - Non-US Top Secret"; flow:to_server,established; pcre:"///([A-Z]{3}\s)+TOP\sSECRET//X5/ism"; classtype:policy-violation; sid:2002577; rev:2;) # # Non-US Secret #alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"BLEEDING-EDGE POLICY High Ports - Non-US Secret"; flow:to_server,established; pcre:"///([A-Z]{3}\s)+(? $EXTERNAL_NET 1024: (msg:"BLEEDING-EDGE POLICY High Ports - NATO Restricted"; flow:to_server,established; pcre:"///((NATO\sRESTRICTED)|NR)//MR/ism"; classtype:policy-violation; sid:2002579; rev:2;) # # NATO Confidential Atomal #alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"BLEEDING-EDGE POLICY High Ports - NATO Confidential Atomal"; flow:to_server,established; pcre:"///((NATO\sCONFIDENTIAL\sATOMAL)|NCA)//MR/ism"; classtype:policy-violation; sid:2002580; rev:2;) # # NATO Confidential #alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"BLEEDING-EDGE POLICY High Ports - NATO Confidential"; flow:to_server,established; pcre:"///((NATO\sCONFIDENTIAL)|NC)//MR/ism"; classtype:policy-violation; sid:2002581; rev:2;) # # NATO COSMIC Top Secret Atomal #alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"BLEEDING-EDGE POLICY High Ports - NATO COSMIC Top Secret Atomal"; flow:to_server,established; pcre:"///((COSMIC\sTOP\sSECRET\sATOMAL)|CTSA)//MR/ism"; classtype:policy-violation; sid:2002582; rev:2;) # # NATO Secret Atomal #alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"BLEEDING-EDGE POLICY High Ports - NATO Secret Atomal"; flow:to_server,established; 
pcre:"///((NATO\sSECRET\sATOMAL)|NSA)//MR/ism"; classtype:policy-violation; sid:2002583; rev:2;) # # NATO Secret #alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"BLEEDING-EDGE POLICY High Ports - NATO Secret"; flow:to_server,established; pcre:"///((NATO\sSECRET)|NS)//MR/ism"; classtype:policy-violation; sid:2002584; rev:2;) # # US Confidential, Electronic Format #alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"BLEEDING-EDGE POLICY High Ports - US Confidential, Electronic"; flow:to_server,established; pcre:"/QQQQ\r\n(?=(O|P|R|Z)\r\n(CC)\r\n)/ism"; classtype:policy-violation; sid:2002585; rev:2;) # # US Top Secret, Electronic Format #alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"BLEEDING-EDGE POLICY High Ports - US Top Secret, Electronic"; flow:to_server,established; pcre:"/QQQQ\r\n(?=(O|P|R|Z)\r\n(TT)\r\n)/ism"; classtype:policy-violation; sid:2002586; rev:2;) # # US Secret, Electronic Format #alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"BLEEDING-EDGE POLICY High Ports - US Secret, Electronic"; flow:to_server,established; pcre:"/QQQQ\r\n(?=(O|P|R|Z)\r\n(SS)\r\n)/ism"; classtype:policy-violation; sid:2002587; rev:2;) # # US Confidential Authorized for Release To #alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"BLEEDING-EDGE POLICY High Ports - US Confidential REL TO"; flow:to_server,established; pcre:"/(CONFIDENTIAL|C)//[\s\w,/-]*REL\sTO\sUSA[\s\w,/-]*(?=//(25)?X[1-9])/ism"; classtype:policy-violation; sid:2002588; rev:2;) # # US Top Secret Authorized for Release To #alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"BLEEDING-EDGE POLICY High Ports - US Top Secret REL TO"; flow:to_server,established; pcre:"/(TOP\sSECRET|TS)//[\s\w,/-]*REL\sTO\sUSA[\s\w,/-]*(?=//(25)?X[1-9])/ism"; classtype:policy-violation; sid:2002589; rev:2;) # # US Secret Authorized for Release To #alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"BLEEDING-EDGE POLICY High Ports - US Secret REL TO"; flow:to_server,established; pcre:"/(? 
$EXTERNAL_NET 1024: (msg:"BLEEDING-EDGE POLICY High Ports - US Confidential COMINT"; flow:to_server,established; pcre:"/(CONFIDENTIAL|C)//[\s\w,/-]*(COMINT|SI)[\s\w,/-]*(?=//(25)?X[1-9])/ism"; classtype:policy-violation; sid:2002591; rev:2;) # # US Top Secret Comint #alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"BLEEDING-EDGE POLICY High Ports - US Top Secret COMINT"; flow:to_server,established; pcre:"/(TOP\sSECRET|TS)//[\s\w,/-]*(COMINT|SI)[\s\w,/-]*(?=//(25)?X[1-9])/ism"; classtype:policy-violation; sid:2002592; rev:2;) # # US Secret Comint #alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"BLEEDING-EDGE POLICY High Ports - US Secret COMINT"; flow:to_server,established; pcre:"/(? $EXTERNAL_NET 1024: (msg:"BLEEDING-EDGE POLICY High Ports - US Unclassified COMSEC"; flow:to_server,established; pcre:"/(UNCLASSIFIED|U)//[\s\w,/-]*COMSEC[\s\w,/-]*(?=//(25)?X[1-9])/ism"; classtype:policy-violation; sid:2002594; rev:2;) # # US Confidential Communications Security Material #alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"BLEEDING-EDGE POLICY High Ports - US Confidential COMSEC"; flow:to_server,established; pcre:"/(CONFIDENTIAL|C)//[\s\w,/-]*COMSEC[\s\w,/-]*(?=//(25)?X[1-9])/ism"; classtype:policy-violation; sid:2002595; rev:2;) # # US Top Secret Communications Security Material #alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"BLEEDING-EDGE POLICY High Ports - US Top Secret COMSEC"; flow:to_server,established; pcre:"/(TOP\sSECRET|TS)//[\s\w,/-]*COMSEC[\s\w,/-]*(?=//(25)?X[1-9])/ism"; classtype:policy-violation; sid:2002596; rev:2;) # # US Secret Communications Security Material #alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"BLEEDING-EDGE POLICY High Ports - US Secret COMSEC"; flow:to_server,established; pcre:"/(? $EXTERNAL_NET 1024: (msg:"BLEEDING-EDGE POLICY High Ports - US Secret IMCON"; flow:to_server,established; pcre:"/(? 
$EXTERNAL_NET 1024: (msg:"BLEEDING-EDGE POLICY High Ports - US Top Secret CNWDI"; flow:to_server,established; pcre:"/(TOP\sSECRET|TS)//[\s\w,/-]*(CRITICAL\sNUCLEAR\sWEAPON\sDESIGN\sINFORMATION|CNWDI)[\s\w,/-]*(?=//MR)/ism"; classtype:policy-violation; sid:2002599; rev:2;) # # US Secret Critical Nuclear Weapon Design Information #alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"BLEEDING-EDGE POLICY High Ports - US Secret CNWDI"; flow:to_server,established; pcre:"/(? $EXTERNAL_NET 1024: (msg:"BLEEDING-EDGE POLICY High Ports - US Top Secret TK"; flow:to_server,established; pcre:"/(TOP\sSECRET|TS)//[\s\w,/-]*(TALENT\sKEYHOLE|TK)[\s\w,/-]*(?=//(25)?X[1-9])/ism"; classtype:policy-violation; sid:2002601; rev:2;) # # US Secret Talent Keyhole #alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"BLEEDING-EDGE POLICY High Ports - US Secret TK"; flow:to_server,established; pcre:"/(? $EXTERNAL_NET 1024: (msg:"BLEEDING-EDGE POLICY High Ports - US FGI"; flow:to_server,established; pcre:"///FGI[\s\w,/-]*(?=//X5)/ism"; classtype:policy-violation; sid:2002603; rev:2;) # # US For Official Use Only #alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"BLEEDING-EDGE POLICY High Ports - US FOUO"; flow:to_server,established; pcre:"/(UNCLASSIFIED|U)//(FOR\sOFFICIAL\sUSE\sONLY|FOUO)/ism"; classtype:policy-violation; sid:2002604; rev:2;) # # US Confidential Not Releasable to Foreign Nationals #alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"BLEEDING-EDGE POLICY High Ports - US Confidential NOFORN"; flow:to_server,established; pcre:"/(CONFIDENTIAL|C)//[\s\w,/-]*NOFORN[\s\w,/-]*(?=//(25)?X[1-9])/ism"; classtype:policy-violation; sid:2002605; rev:2;) # # US Top Secret Not Releasable to Foreign Nationals #alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"BLEEDING-EDGE POLICY High Ports - US Top Secret NOFORN"; flow:to_server,established; pcre:"/(TOP\sSECRET|TS)//[\s\w,/-]*NOFORN[\s\w,/-]*(?=//(25)?X[1-9])/ism"; classtype:policy-violation; sid:2002606; rev:2;) # # US 
Secret Not Releasable to Foreign Nationals #alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"BLEEDING-EDGE POLICY High Ports - US Secret NOFORN"; flow:to_server,established; pcre:"/(? $EXTERNAL_NET 1024: (msg:"BLEEDING-EDGE POLICY High Ports - US Confidential ORCON"; flow:to_server,established; pcre:"/(CONFIDENTIAL|C)//[\s\w,/-]*(ORIGINATOR\sCONTROLLED|ORCON)[\s\w,/-]*(?=//(25)?X[1-9])/ism"; classtype:policy-violation; sid:2002608; rev:2;) # # US Top Secret Originator Controlled #alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"BLEEDING-EDGE POLICY High Ports - US Top Secret ORCON"; flow:to_server,established; pcre:"/(TOP\sSECRET|TS)//[\s\w,/-]*(ORIGINATOR\sCONTROLLED|ORCON)[\s\w,/-]*(?=//(25)?X[1-9])/ism"; classtype:policy-violation; sid:2002609; rev:2;) # # US Secret Originator Controlled #alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"BLEEDING-EDGE POLICY High Ports - US Secret ORCON"; flow:to_server,established; pcre:"/(? $EXTERNAL_NET 1024: (msg:"BLEEDING-EDGE POLICY High Ports - US Unclassified PROPIN"; flow:to_server,established; pcre:"/(UNCLASSIFIED|U)//[\s\w,/-]*PROPIN[\s\w,/-]*(?=//(25)?X[1-9])/ism"; classtype:policy-violation; sid:2002611; rev:2;) # # US Confidential Proprietary Information #alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"BLEEDING-EDGE POLICY High Ports - US Confidential PROPIN"; flow:to_server,established; pcre:"/(CONFIDENTIAL|C)//[\s\w,/-]*PROPIN[\s\w,/-]*(?=//(25)?X[1-9])/ism"; classtype:policy-violation; sid:2002612; rev:2;) # # US Top Secret Proprietary Information #alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"BLEEDING-EDGE POLICY High Ports - US Top Secret PROPIN"; flow:to_server,established; pcre:"/(TOP\sSECRET|TS)//[\s\w,/-]*PROPIN[\s\w,/-]*(?=//(25)?X[1-9])/ism"; classtype:policy-violation; sid:2002613; rev:2;) # # US Secret Proprietary Information #alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"BLEEDING-EDGE POLICY High Ports - US Secret PROPIN"; flow:to_server,established; pcre:"/(? 
# Disabled content-inspection rules for classification markings and regulated-data
# keywords. Both sides are restricted to ports 1024 and above ("High Ports"), so
# traffic on the standard HTTP/SMTP ports is not inspected by any rule in this block.
# Every pcre carries /ism: case-insensitive, "." also matches newlines, ^/$ per line.
# NOTE(review): in this copy several rules are truncated where a "(?<" look-behind
# once started - everything up to the next "->" is missing, so the rules for
# "US Secret RD", "US Secret SPECAT", "Restricted", "Confidential", "Secret",
# "Top Secret" and "Sensitive" run straight into the rule that follows them.
# They cannot be loaded as written; take them from an intact upstream copy.
$EXTERNAL_NET 1024: (msg:"BLEEDING-EDGE POLICY High Ports - US Confidential RD"; flow:to_server,established; pcre:"/(CONFIDENTIAL|C)//[\s\w,/-]*(RESTRICTED\sDATA|RD)[\s\w,/-]*(?=//MR)/ism"; classtype:policy-violation; sid:2002615; rev:2;)
#
# US Top Secret Restricted Data
#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"BLEEDING-EDGE POLICY High Ports - US Top Secret RD"; flow:to_server,established; pcre:"/(TOP\sSECRET|TS)//[\s\w,/-]*(RESTRICTED\sDATA|RD)[\s\w,/-]*(?=//MR)/ism"; classtype:policy-violation; sid:2002616; rev:2;)
#
# US Secret Restricted Data
# (truncated in this copy - see the note at the top of this block)
#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"BLEEDING-EDGE POLICY High Ports - US Secret RD"; flow:to_server,established; pcre:"/(? $EXTERNAL_NET 1024: (msg:"BLEEDING-EDGE POLICY High Ports - US SAMI"; flow:to_server,established; pcre:"/SAMI[\s\w,/-]*(?=//(25)?X[1-9])/ism"; classtype:policy-violation; sid:2002618; rev:2;)
#
# US Confidential Special Category
#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"BLEEDING-EDGE POLICY High Ports - US Confidential SPECAT"; flow:to_server,established; pcre:"/(CONFIDENTIAL|C)//[\s\w,/-]*SPECAT[\s\w,/-]*(?=//(25)?X[1-9])/ism"; classtype:policy-violation; sid:2002619; rev:2;)
#
# US Top Secret Special Category
#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"BLEEDING-EDGE POLICY High Ports - US Top Secret SPECAT"; flow:to_server,established; pcre:"/(TOP\sSECRET|TS)//[\s\w,/-]*SPECAT[\s\w,/-]*(?=//(25)?X[1-9])/ism"; classtype:policy-violation; sid:2002620; rev:2;)
#
# US Secret Special Category
# (truncated in this copy - see the note at the top of this block)
#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"BLEEDING-EDGE POLICY High Ports - US Secret SPECAT"; flow:to_server,established; pcre:"/(? $EXTERNAL_NET 1024: (msg:"BLEEDING-EDGE POLICY High Ports - US Top Secret STOP"; flow:to_server,established; pcre:"/(TOP\sSECRET|TS)//[\s\w,/-]*STOP[\s\w,/-]*(?=//(25)?X[1-9])/ism"; classtype:policy-violation; sid:2002622; rev:2;)
#
# The word "private"
# The negative look-ahead (?!/(25)?X[1-9]) skips the word when it is part of a
# marking line that already carries a declassification exemption code.
#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"BLEEDING-EDGE POLICY High Ports - Private"; flow:to_server,established; pcre:"/\Wprivate\W(?!/(25)?X[1-9])/ism"; classtype:policy-violation; sid:2002623; rev:2;)
#
# The word "restricted"
# (the "Restricted", "Confidential", "Secret" and "Top Secret" rules below are
# all truncated in this copy - see the note at the top of this block)
#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"BLEEDING-EDGE POLICY High Ports - Restricted"; flow:to_server,established; pcre:"/(? $EXTERNAL_NET 1024: (msg:"BLEEDING-EDGE POLICY High Ports - Confidential"; flow:to_server,established; pcre:"/(? $EXTERNAL_NET 1024: (msg:"BLEEDING-EDGE POLICY High Ports - Secret"; flow:to_server,established; pcre:"/(? $EXTERNAL_NET 1024: (msg:"BLEEDING-EDGE POLICY High Ports - Top Secret"; flow:to_server,established; pcre:"/(? $EXTERNAL_NET 1024: (msg:"BLEEDING-EDGE POLICY High Ports - Sealed"; flow:to_server,established; pcre:"/\Wsealed\W(?!/(25)?X[1-9])/ism"; classtype:policy-violation; sid:2002628; rev:2;)
#
# The word "sensitive"
# (truncated in this copy - see the note at the top of this block)
#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"BLEEDING-EDGE POLICY High Ports - Sensitive"; flow:to_server,established; pcre:"/(? $EXTERNAL_NET 1024: (msg:"BLEEDING-EDGE POLICY High Ports - Proprietary"; flow:to_server,established; pcre:"/\Wproprietary\W(?!/(25)?X[1-9])/ism"; classtype:policy-violation; sid:2002630; rev:2;)
#
# The word "protected"
#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"BLEEDING-EDGE POLICY High Ports - Protected"; flow:to_server,established; pcre:"/\Wprotected\W(?!/(25)?X[1-9])/ism"; classtype:policy-violation; sid:2002631; rev:2;)
#
# The phrase "law enforcement sensitive"
# NOTE(review): the msg reads "Law Enorcement" (typo). Left untouched here because
# msg is the alert's identity string; fix it upstream together with a rev bump.
#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"BLEEDING-EDGE POLICY High Ports - Law Enorcement Sensitive"; flow:to_server,established; pcre:"/\Wlaw\senforcement\ssensitive\W/ism"; classtype:policy-violation; sid:2002632; rev:2;)
#
# The phrase "internal use only"
#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"BLEEDING-EDGE POLICY High Ports - Internal Use Only"; flow:to_server,established; pcre:"/\Winternal\suse\sonly\W/ism"; classtype:policy-violation; sid:2002633; rev:2;)
#
# The phrase "date of birth" or its typical abbreviations
# Only fires when a date-like token (dd/dd/dd[dd], dd-dd-dd[dd] or eight digits)
# follows the DOB marker within the look-ahead window.
#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"BLEEDING-EDGE POLICY High Ports - Date of Birth"; flow:to_server,established; pcre:"/[^\w&]d(ate)?(-)?o(f)?(-)?b(irth)?\W[\s\w,/-]*(?=([0-9]{2}[-/][0-9]{2}[-/][0-9]{2,4})|[0-9]{8})/ism"; classtype:policy-violation; sid:2002634; rev:2;)
#
# Health Care Common Procedure Coding System (HCPCS) Codes
# NOTE(review): the look-ahead wants one letter followed by ten digits; HCPCS
# Level II codes are one letter plus four digits - confirm the intended pattern
# before enabling this rule.
#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"BLEEDING-EDGE POLICY High Ports - HCPCS Code"; flow:to_server,established; pcre:"/\Whcpcs\W[\s\w,/-]*(?=[a-z][0-9]{10})/ism"; classtype:policy-violation; sid:2002635; rev:2;)
#
# International Statistical Classification of Diseases and Related Health Problems 10th Revision (ICD-10) Codes
#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"BLEEDING-EDGE POLICY High Ports - ICD-10 Code"; flow:to_server,established; pcre:"/\Wicd\W[\s\w,/-]*(?=[a-z][0-9]{2}\.[0-9]{2})/ism"; classtype:policy-violation; sid:2002636; rev:2;)
#
# Food and Drug Administration (FDA) National Drug Code (NDC) Codes
#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"BLEEDING-EDGE POLICY High Ports - FDA NDC Code"; flow:to_server,established; pcre:"/\Wndc\W[\s\w,/-]*(?=([0-9]{4}-[0-9]{4}-[0-9]{2}|[0-9]{5}-[0-9]{3}-[0-9]{2}|[0-9]{5}-[0-9]{4}-[0-9]{1,2}))/ism"; classtype:policy-violation; sid:2002637; rev:2;)
#
# American Dental Association (ADA) Dental Procedure Codes
#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"BLEEDING-EDGE POLICY High Ports - ADA Procedure Code"; flow:to_server,established; pcre:"/\Wada\W[\s\w,/-]*(?=d[0-9]{4})/ism"; classtype:policy-violation; sid:2002638; rev:2;)
#
# Diagnostic and Statistical Manual of Mental Disorders (DSM-IV) Codes
#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"BLEEDING-EDGE POLICY High Ports - DSM-IV Code"; flow:to_server,established; pcre:"/\Wdsm\W[\s\w,/-]*(?=([2-9][0-9]{2}(\.[0-9]{1,2}?)|(v[167][0-9]\.[0-9]{1,2})))/ism"; classtype:policy-violation; sid:2002639; rev:4;)
#
# American Medical Association (AMA) Current Procedural Terminology (CPT) Codes
#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"BLEEDING-EDGE POLICY High Ports - AMA CPT Code"; flow:to_server,established; pcre:"/\Wcpt\W[\s\w,/-]*(?=[0-9]{4}[ft]|[0-9]{5})/ism"; classtype:policy-violation; sid:2002640; rev:2;)
#
# Japan Credit Bureau Credit Card Number
# The look-ahead only checks issuer prefix and digit count; pcre cannot run a
# Luhn check, so any digit run with these prefixes near the keyword will match.
#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"BLEEDING-EDGE POLICY High Ports - Credit Card, JCB"; flow:to_server,established; pcre:"/\Wj(apan\s)?c(redit\s)?b(ureau)?\W[\s\w,/-]*(?=(3[12359][0-9]{14})|(1800|2131)[0-9]{11})/ism"; classtype:policy-violation; sid:2002642; rev:2;)
#
# The word "password", its typical abbreviations or written/abbreviated in a few forms of "leet"
# Covers a->4/@, s->z/5 (zero to two of them) and o->0 substitutions.
#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"BLEEDING-EDGE POLICY High Ports - Password"; flow:to_server,established; pcre:"/\W[p][a4@][sz5]{0,2}[w]([o0][r])?[d]\W/ism"; classtype:policy-violation; sid:2002648; rev:2;)
#
# The word "appraisal"
# Disabled financial-phrase keyword rules (same High Ports scope and /ism pcre
# conventions as the block above). Plain phrase matches with no surrounding
# context, so these are noisy on any business correspondence.
#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"BLEEDING-EDGE POLICY High Ports - Appraisal"; flow:to_server,established; pcre:"/\Wappraisal(s)?\W/ism"; classtype:policy-violation; sid:2002649; rev:2;)
#
# The phrase "account balance"
#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"BLEEDING-EDGE POLICY High Ports - Account Balance"; flow:to_server,established; pcre:"/\Waccount\sbalance(s)?\W/ism"; classtype:policy-violation; sid:2002650; rev:2;)
#
# The phrase "payment history"
#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"BLEEDING-EDGE POLICY High Ports - Payment History"; flow:to_server,established; pcre:"/\Wpayment\shistory\W/ism"; classtype:policy-violation; sid:2002651; rev:2;)
#
# The phrase "annual income"
#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"BLEEDING-EDGE POLICY High Ports - Annual Income"; flow:to_server,established; pcre:"/\Wannual\sincome(s)?\W/ism"; classtype:policy-violation; sid:2002652; rev:2;)
#
# The phrase "credit history"
#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"BLEEDING-EDGE POLICY High Ports - Credit History"; flow:to_server,established; pcre:"/\Wcredit\shistor(y|ies)\W/ism"; classtype:policy-violation; sid:2002653; rev:2;)
#
# The phrase "transaction history"
#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"BLEEDING-EDGE POLICY High Ports - Transaction History"; flow:to_server,established; pcre:"/\Wtransaction\shistor(y|ies)\W/ism"; classtype:policy-violation; sid:2002654; rev:2;)
#
# The phrase "customer list"
#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"BLEEDING-EDGE POLICY High Ports - Customer List"; flow:to_server,established; pcre:"/\Wcustomer\slist(s)?\W/ism"; classtype:policy-violation; sid:2002655; rev:2;)
#
#Submitted by Matt Jonkman
#These rules are disabled by default. They should generally be run on the outside of your network, not internally. Enable it where useful.
# Disabled credit-card-in-the-clear rules. "ip any any -> any any" inspects every
# protocol in both directions; each regex checks only the issuer prefix, the digit
# count and the spaces/dashes around the number. There is no Luhn validation, so
# expect false positives on any digit run with a matching prefix.
# NOTE(review): in the 15-digit rules "3[4|7]" is a character class, so the "|"
# is a literal member (and "3|" is accepted) rather than alternation; "3[47]"
# looks like what was intended.
#alert ip any any -> any any (msg: "BLEEDING-EDGE Credit Card Number Detected in Clear (16 digit spaced)"; pcre:"/ (6011|5[1-5]\d{2}|4\d{3}|3\d{3}) \d{4} \d{4} \d{4}/"; reference:url,www.beachnet.com/~hstiles/cardtype.html; classtype: policy-violation; sid: 2001375; rev:9; )
#alert ip any any -> any any (msg: "BLEEDING-EDGE Credit Card Number Detected in Clear (16 digit dashed)"; pcre:"/ (6011|5[1-5]\d{2}|4\d{3}|3\d{3})-\d{4}-\d{4}-\d{4}/"; reference:url,www.beachnet.com/~hstiles/cardtype.html; classtype: policy-violation; sid: 2001376; rev:9; )
#alert ip any any -> any any (msg: "BLEEDING-EDGE Credit Card Number Detected in Clear (16 digit)"; pcre:"/ (6011|5[1-5]\d{2}|4\d{3}|3\d{3})\d{12} /"; reference:url,www.beachnet.com/~hstiles/cardtype.html; classtype: policy-violation; sid: 2001377; rev:9; )
#alert ip any any -> any any (msg: "BLEEDING-EDGE Credit Card Number Detected in Clear (15 digit)"; pcre:"/ (3[4|7]\d{2}|2014|2149|2131|1800)\d{11} /"; reference:url,www.beachnet.com/~hstiles/cardtype.html; classtype: policy-violation; sid: 2001378; rev:9; )
#alert ip any any -> any any (msg: "BLEEDING-EDGE Credit Card Number Detected in Clear (15 digit spaced)"; pcre:"/ (3[4|7]\d{2}|2014|2149|2131|1800) \d{4} \d{4} \d{3} /"; reference:url,www.beachnet.com/~hstiles/cardtype.html; classtype: policy-violation; sid: 2001379; rev:9; )
#alert ip any any -> any any (msg: "BLEEDING-EDGE Credit Card Number Detected in Clear (15 digit dashed)"; pcre:"/ (3[4|7]\d{2}|2014|2149|2131|1800)-\d{4}-\d{4}-\d{3} /"; reference:url,www.beachnet.com/~hstiles/cardtype.html; classtype: policy-violation; sid: 2001380; rev:9; )
#alert ip any any -> any any (msg: "BLEEDING-EDGE Credit Card Number Detected in Clear (14 digit)"; pcre:"/ (30[0-5]\d|36\d{2}|38\d{2})\d{10} /"; reference:url,www.beachnet.com/~hstiles/cardtype.html; classtype: policy-violation; sid: 2001381; rev:9; )
#alert ip any any -> any any (msg: "BLEEDING-EDGE Credit Card Number Detected in Clear (14 digit spaced)"; pcre:"/ (30[0-5]\d|36\d{2}|38\d{2}) \d{4} \d{4} \d{2} /"; reference:url,www.beachnet.com/~hstiles/cardtype.html; classtype: policy-violation; sid: 2001382; rev:9; )
#alert ip any any -> any any (msg: "BLEEDING-EDGE Credit Card Number Detected in Clear (14 digit dashed)"; pcre:"/ (30[0-5]\d|36\d{2}|38\d{2})-\d{4}-\d{4}-\d{2} /"; reference:url,www.beachnet.com/~hstiles/cardtype.html; classtype: policy-violation; sid: 2001383; rev:9; )
#Submitted by Joseph Gama
# Disabled DNS response-code rules (classtype not-suspicious). The pcre skips the
# two ID bytes, requires a response flag byte in 0x81-0x87 and then tests the
# RCODE byte: 0x81 format error, 0x83 name error, 0x84 not implemented, 0x85 refused.
#alert udp $DNS_SERVERS 53 -> any any (msg: "BLEEDING-EDGE DNS - Standard query response, Format error"; pcre:"/..[\x81\x82\x83\x84\x85\x86\x87]\x81/"; classtype: not-suspicious; sid: 2001116; rev:2; )
#alert udp $DNS_SERVERS 53 -> any any (msg: "BLEEDING-EDGE DNS - Standard query response, Name Error"; pcre:"/..[\x81\x82\x83\x84\x85\x86\x87]\x83/"; classtype: not-suspicious; sid: 2001117; rev:2; )
#alert udp $DNS_SERVERS 53 -> any any (msg: "BLEEDING-EDGE DNS - Standard query response, Not Implemented"; pcre:"/..[\x81\x82\x83\x84\x85\x86\x87]\x84/"; classtype: not-suspicious; sid: 2001118; rev:2; )
#alert udp $DNS_SERVERS 53 -> any any (msg: "BLEEDING-EDGE DNS - Standard query response, Refused"; pcre:"/..[\x81\x82\x83\x84\x85\x86\x87]\x85/"; classtype: not-suspicious; sid: 2001119; rev:2; )
#Adapted from nextsoft.cz
# Byte 3 of the DNS header (RA flag + RCODE) equal to 0x83 = RA set, RCODE 3 (name
# error). Alerts once a single destination has received 50 such answers within
# 300 s, then at most once per window. $SMTP_SERVERS are excluded - presumably
# because mail servers legitimately generate many lookups for nonexistent names.
alert udp any 53 -> !$SMTP_SERVERS any (msg:"BLEEDING-EDGE POLICY Unusual number of DNS No Such Name Responses"; content:"|83|"; offset:3; depth:1; threshold: type both , track by_dst, count 50, seconds 300; classtype:bad-unknown; sid:2003195; rev:2;)
#by Myron Davis
# "cT" at offset 12 sits where the query name begins; the second match looks like
# a TXT (0x0010) / IN (0x0001) question followed by the start of an OPT record
# (type 0x29) - NOTE(review): fixed offsets tied to one nstx build, confirm before
# tuning. See the references for the protocol description.
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"BLEEDING-EDGE POLICY nstx DNS Tunnel Outbound"; content:"cT"; offset:12; depth:3; content:"|00 10 00 01 00 00 29 08|"; within:255; classtype:bad-unknown; reference:url,savannah.nongnu.org/projects/nstx/; reference:url,nstx.dereference.de/nstx; sid:2002676; rev:1;)
#Submitted by Ole-Martin
# Inbound only (any -> $HOME_NET, any port): the DLL name is matched anywhere in
# the payload. successful-admin is a priority-1 classtype in Snort's default
# classification.config, so this alert will rank high in most consoles.
alert tcp any any -> $HOME_NET any (msg: "BLEEDING-EDGE POLICY Dameware Remote Control Service Install"; flow: to_server,established; content:"DWRCK.DLL"; nocase; classtype: successful-admin; sid: 2001294; rev:2; )
#Blake Hartstein of Demarc
#Potentially noisy, Not recommended unless you disallow exe files. written for executable virii that spread through email
# Disabled. Only the ".exe" extension is checked; the pcre re-anchors on the
# filename= parameter so the extension must be on the same header line.
#alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BLEEDING-EDGE POLICY SMTP Executable attachment"; flow:established,to_server; content:"filename="; nocase; content:".exe"; nocase; distance:0; pcre:"/filename=\s*[^\n]+\.exe/i"; classtype:policy-violation; sid:2003325; rev:1;)
#Matt Jonkman
# To catch generic exe downloads via http. This does not mean it's a problem, just of interest.
#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE POLICY exe download via HTTP - Informational"; flow:established,to_server; uricontent:".exe"; nocase; content:"GET "; nocase; offset:0; depth:4; classtype:policy-violation; sid:2003595; rev:2;)
#to catch the common urls for storm worm downloads, etc
#by Jack Pepper and Reg Quinton
# Enabled. /U applies the pcre to the normalized URI buffer; classtype is
# trojan-activity rather than policy-violation.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE POLICY Possible Ecard Trojan download"; flow:established,to_server; uricontent:".exe"; nocase; pcre:"/(card|gif|jpg|jpeg|cartao)\.exe/Ui"; classtype:trojan-activity; sid:2006434; rev:3;)
#Matt Jonkman
# Enabled. Alerts on a GET for an .exe with no User-Agent header, excluding
# Windows Update and mms:// URLs. NOTE(review): "nocase" binds only to the
# content it follows, so just the mms negation is case-insensitive; a client
# that sends a lower-case "user-agent:" header name still satisfies the
# case-sensitive !"User-Agent\:" and triggers the rule - consider adding nocase
# to that negation.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE POLICY exe download without User Agent"; flow:established,to_server; uricontent:".exe"; nocase; content:".exe"; depth:150; nocase; content:"GET "; nocase; depth:4; offset:0; content:!"User-Agent\:"; content:!"download.windowsupdate.com"; content:!"mms\://"; nocase; classtype:policy-violation; sid:2003179; rev:3;)
#From Charles Lacroix
# All form elements are encoded before they are sent to the server
# This makes things a bit more complicated to decode via snort at least
# for me. This rule will trigger when a user is starting to place
# an item for sale on the ebay site.
#
# Disabled eBay activity rules, keyed on the eBayISAPI.dll request paths.
#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE POLICY eBay Bid Placed"; flow: to_server,established; uricontent:"/ws/eBayISAPI.dll/"; nocase; content:"maxbid="; nocase; content:"offer.ebay.com"; nocase; classtype: policy-violation; sid: 2001898; rev:2; )
#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE POLICY eBay Placing Item for sale"; flow: to_server,established; uricontent:"/ws2/eBayISAPI.dll"; nocase; content:".ebay.com"; nocase; classtype: policy-violation; sid: 2001907; rev:2; )
# Look for a single item
#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE POLICY eBay View Item"; flow: to_server,established; uricontent:"/ws/eBayISAPI.dll"; nocase; content:"ViewItem"; nocase; content:".ebay.com"; nocase; classtype: policy-violation; sid: 2001908; rev:3; )
# Mark an item to watch
#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE POLICY eBay Watch This Item"; flow: to_server,established; uricontent:"/ws/eBayISAPI.dll"; nocase; content:"MakeTrack&Item="; nocase; content:".ebay.com"; nocase; classtype: policy-violation; sid: 2001909; rev:3; )
#by Steven Adair at securityzone.org
#Rule to catch all FTP logins that do not start with "anonymous" or "ftp"
# and do not contain "pass " (pass followed by a space). -steven@securityzone
# Fires on the USER command from outside unless the name is anonymous/ftp.
# "nocase" binds to the !"PASS " negation that precedes it; the "USER" content
# match is case-sensitive, the pcre is /i.
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"BLEEDING-EDGE POLICY FTP Login Attempt (non-anonymous)"; flow:to_server,established; content:"USER"; content:!"PASS "; nocase; pcre:!"/^USER\s+(anonymous|ftp)/smi"; classtype:misc-activity; sid:2003303; rev:1;)
#By CunningPike
# Server-side 230 reply to a non-anonymous login. Requires the flowbit
# ftp.user.login to have been set by a rule that is not in this section; if that
# rule is not loaded the isset check never passes and this rule is silent.
alert tcp $HOME_NET 21 -> $EXTERNAL_NET any (msg:"BLEEDING-EDGE POLICY FTP Login Successful (non-anonymous)"; flow:from_server,established; flowbits:isset,ftp.user.login; flowbits:isnotset,ftp.user.logged_in; flowbits:set,ftp.user.logged_in; content:"230 "; pcre:!"/^230(\s+USER)?\s+(anonymous|ftp)/smi"; classtype:misc-activity; sid:2003410; rev:4;)
#by Will Metcalf
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Policy FOX,ABC On-demand UA"; flow:to_server,established; content:"User-Agent\: QSP"; nocase; pcre:"/User-Agent\:[^\n]+QSP\s*\d+\:\d+\s*/i"; classtype:policy-violation; sid:2007639; rev:1;)
#by Jamian Mason of Deepnines.com
# Host-header match, rate limited: 5 hits from one source within 300 s produce
# a single alert per window (threshold type both).
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE POLICY Gazzag.com Social Site Access"; flow:established,to_server; content:"Host\: www.gazzag.com"; threshold: type both, track by_src, count 5, seconds 300; classtype:policy-violation; sid:2003456; rev:1;)
# Submitted 2006-10-17 by Adam Nunn
# Port 80 only (not $HTTP_PORTS). The second rule keys on the WRITELY_SID token
# (presumably the session cookie) anywhere in the request.
alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"BLEEDING-EDGE POLICY docs.google.com Activity"; flow:established,to_server; content:"Host|3a| docs.google.com"; nocase; classtype:policy-violation; reference:url,docs.google.com; sid:2003121; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"BLEEDING-EDGE POLICY Possible docs.google.com Activity"; flow:established,to_server; content:"WRITELY_SID"; nocase; classtype:policy-violation; reference:url,docs.google.com; sid:2003122; rev:2;)
# Matt Jonkman
# Google calendar in the news as most entries are public
# I'm sure it's a good calendar, but folks have to realize what's public and what's not
#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE POLICY Google Calendar in Use"; flow:established,to_server; uricontent:"/calendar/"; content:"GET /calendar/"; rawbytes; offset:0; content:"Host\: www.google.com|0d 0a|"; nocase; threshold:type both, count 1, seconds 60, track by_src; classtype:policy-violation; reference:url,www.computerworld.com.au/index.php?id=1687889918&eid=-255; sid:2003597; rev:1;)
#By Matt Jonkman. Reviving this rule as it's been dropped from the snort.org rulesets.
# NOTE(review): matches any established TCP connection to the hard-coded address
# 66.151.158.177 - there is no content check, so the rule is only as good as that
# address still belonging to the service. Verify before relying on it.
alert tcp $HOME_NET any -> 66.151.158.177 any (msg: "BLEEDING-EDGE GotoMyPC Polling Client"; flow: established; threshold: type limit, track by_src, count 1, seconds 360; classtype: policy-violation; sid: 2000309; rev:6; )
#This intends to be a more intelligent version of the old gotomypc rule, eventually to replace the old if it catches everything
# Same hard-coded address, server side (port 8200), with two content checks in
# the first 40 bytes of the reply.
alert tcp 66.151.158.177 8200 -> $HOME_NET any (msg: "BLEEDING-EDGE GotoMyPC poll.gotomypc.com Server Response to Polling Client OK"; flow: established,from_server; content:"cnt=0"; nocase; depth: 40; content:"eventid="; nocase; depth: 40; threshold: type limit, track by_src, count 1, seconds 360; classtype: policy-violation; sid: 2002022; rev:2; )
#by Mikael Keri
# Groove is a legitimate application, but may not be approved in all environments. Use these rules only if appropriate
# Two User-Agent rules for the installer, one for peer traffic on tcp/2492 (both
# ends on 2492) and one for the UDP local-discovery broadcast to port 1211.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE POLICY Groove.net Virtual Office Suite Install/Startup Report"; flow:established,to_server; content:"User-Agent\: GrooveInstallValidator|0d 0a|"; depth:200; offset:0; classtype:policy-violation; reference:url,www.groove.net; reference:url,doc.bleedingthreats.net/bin/view/Main/GrooveNet; sid:2003599; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE POLICY Groove.net Virtual Office Suite Install Report"; flow:established,to_server; content:"User-Agent\: Groove Install|0d 0a|"; depth:200; offset:0; classtype:policy-violation; reference:url,www.groove.net; reference:url,doc.bleedingthreats.net/bin/view/Main/GrooveNet; sid:2003600; rev:1;)
alert tcp any 2492 -> any 2492 (msg:"BLEEDING-EDGE POLICY Groove.net Virtual Office In Use"; flow:established,to_server; content:"dpp\://"; nocase; content:"groove.net"; nocase; distance:0; classtype:policy-violation; reference:url,www.groove.net; reference:url,doc.bleedingthreats.net/bin/view/Main/GrooveNet; sid:2003601; rev:1;)
alert udp $HOME_NET any -> 255.255.255.255 1211 (msg:"BLEEDING-EDGE POLICY Groove.net Virtual Office Local Service Discovery Broadcast"; content:"dpp\://"; nocase; content:"groove.net"; nocase; distance:0; classtype:policy-violation; reference:url,www.groove.net; reference:url,doc.bleedingthreats.net/bin/view/Main/GrooveNet; sid:2003602; rev:1;)
# Submitted 2006-08-30 by Robert Sharp
# Disabled, bidirectional (<>): a pcre over the JSON-like chat payload.
#alert tcp $HOME_NET any <> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE POLICY Gmail gtalk"; flow:established; pcre:"/\[\[\d{1,3}\,\[\\\"\w\\\"\,\\\".+@gmail.com.+\\\"\,\\\"/i"; classtype:policy-violation; sid:2003092; rev:1;)
#Submitted by Matt Jonkman
# Hotmail rules: each pcre accepts either a relative request line or the
# absolute-URI form used through a proxy ("GET http://host/...").
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Hotmail Inbox Access"; flow: to_server,established; content:"hotmail.msn.com"; pcre:"/(GET |GET (http|https)\:\/\/[-0-9a-z.]*)\/cgi-bin\/HoTMaiL\?curmbox=/i"; classtype: policy-violation; sid: 2000035; rev:9; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Hotmail Message Access"; flow: to_server,established; content:"hotmail.msn.com"; pcre:"/(GET |GET (http|https)\:\/\/[-0-9a-z.]*)\/cgi-bin\/getmsg\?msg=MSG/i"; classtype: policy-violation; sid: 2000036; rev:9; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Hotmail Compose Message Access"; flow: to_server,established; content:"curmbox="; nocase; content:"hotmail.msn.com"; nocase; pcre:"/(GET |GET (http|https)\:\/\/[-0-9a-z.]*)\/cgi-bin\/compose\?/i"; classtype: policy-violation; sid: 2000037; rev:9; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Hotmail Compose Message Submit"; flow: to_server,established; content:"hotmail.msn.com"; nocase; pcre:"/(POST |POST (http|https)\:\/\/[-0-9a-z.]*)\/cgi-bin\/premail/i"; classtype: policy-violation; sid: 2000038; rev:8; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Hotmail Compose Message Submit Data"; flow: to_server,established; content:"curmbox="; nocase; content:"login="; nocase; content:"msghdrid"; nocase; content:"sigflag="; nocase; classtype: policy-violation; sid: 2000039; rev:6; )
#Submitted by Thomas Alex
# Not a policy rule: inbound to port 8000, reference bugtraq 10224, classtype
# attempted-admin. Consider moving it to the web-server rule set.
alert tcp $EXTERNAL_NET any -> $HOME_NET 8000 (msg: "BLEEDING-EDGE MISC HP Web JetAdmin ExecuteFile admin access"; flow: to_server,established; content:"/plugins/framework/script/content.hts"; nocase; content:"ExecuteFile"; nocase; reference:bugtraq,10224; classtype: attempted-admin; sid: 2001055; rev:5; )
#Submitted by Brandon Barnes
# Disabled HTTP CONNECT rules. NOTE(review): the port test in 2000547-2000550 is a
# bare substring ("80" / "443" anywhere in the payload), not anchored to the
# CONNECT target, so the pass rules also swallow "CONNECT host:8080" and the alert
# rules miss it. 2000560 below anchors the port with within/distance relative to
# the "HTTP/1." token and is the better starting point.
#pass tcp any any -> any any ( msg:"BLEEDING-EDGE HTTP CONNECT Tunnel"; content:"CONNECT "; nocase; content:"80"; content:" HTTP/1."; nocase; flow:to_server,established; classtype:misc-activity; sid:2000549; rev:3;)
#pass tcp any any -> any any ( msg:"BLEEDING-EDGE HTTP CONNECT Tunnel"; content:"CONNECT "; nocase; content:"443"; content:" HTTP/1."; nocase; flow:to_server,established; classtype:misc-activity; sid:2000550; rev:3;)
#alert tcp any any -> any any (msg: "BLEEDING-EDGE HTTP CONNECT Tunnel"; flow: to_server,established; content:"CONNECT "; nocase; content:!"80"; content:" HTTP/1."; nocase; classtype: misc-activity; sid: 2000547; rev:5; )
#alert tcp any any -> any any (msg: "BLEEDING-EDGE HTTP CONNECT Tunnel"; flow: to_server,established; content:"CONNECT "; nocase; content:!"443"; content:" HTTP/1."; nocase; classtype: misc-activity; sid: 2000548; rev:5; )
#Submitted by Jason
#alert tcp any any -> any any (msg: "BLEEDING-EDGE HTTP CONNECT Tunnel Attempt"; flow: to_server,established; content:"CONNECT "; nocase; content:"|0d 0a|"; within: 1024; distance: 0; content:"HTTP/1."; nocase; within: 8; distance: -10; content:!"\:80"; within: 4; distance: -11; content:"CONNECT "; nocase; content:"|0d 0a|"; within: 1024; distance: 0; content:"HTTP/1."; nocase; within: 8; distance: -10; content:!"\:443"; within: 5; distance: -12; classtype: misc-activity; sid: 2000560; rev:6; )
#idea from Blake Hartstein, use these only if you like. Not a definite indication of hostile activity
#add a pass rule like below for any expected ports you use that are not listed
# Disabled until tested
# The pass rule sets BS.HTTP.ok (flowbits:noalert) and the two alert rules require
# it unset, so all three have to be loaded together for the pair to be useful.
# 81:65535 excludes only port 80; 443 is still in range.
#pass tcp $HOME_NET any -> $EXTERNAL_NET 8080 (msg:"BLEEDING-EDGE POLICY HTTP GET on Normal Port 8080 - Passing"; flow:established,to_server; content:"GET "; nocase; depth:4; offset:0; flowbits:set,BS.HTTP.ok; flowbits:noalert; classtype:policy-violation; sid:2006407; rev:1;)
#alert tcp $HOME_NET any -> $EXTERNAL_NET 81:65535 (msg:"BLEEDING-EDGE POLICY HTTP GET on unusual Port -- Possibly Hostile"; flowbits:isnotset,BS.HTTP.ok; flow:established,to_server; content:"GET "; nocase; depth:4; offset:0; classtype:policy-violation; sid:2006408; rev:1;)
#alert tcp $HOME_NET any -> $EXTERNAL_NET 81:65535 (msg:"BLEEDING-EDGE POLICY HTTP POST on unusual Port -- Possibly Hostile"; flowbits:isnotset,BS.HTTP.ok; flow:established,to_server; content:"POST "; nocase; depth:5; offset:0; classtype:policy-violation; sid:2006409; rev:1;)
#by Dajackman
# flags:S,12 = SYN set, ignoring the two reserved (ECN) bits. Hard-coded server
# address - same caveat as the GotoMyPC rule above.
alert tcp $HOME_NET any -> 64.34.106.33 12975 (msg:"BLEEDING-EDGE POLICY Outbound Hamachi VPN Connection Attempt"; flags:S,12; threshold:type limit, track by_src, count 1, seconds 120; classtype:policy-violation; reference:url,www.hamachi.cc; sid:2002729; rev:1;)
#by Jamian Mason of Deepnines.com
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE POLICY Hi5.com Social Site Access"; flow:established,to_server; content:"Host\: www.hi5.com"; threshold: type both, track by_src, count 5, seconds 300; classtype:policy-violation; sid:2003455; rev:1;)
#Dutch myspace style social networking site. Not a security threat, just a generally not permissible thing for the workplace
# by Cees Elzinga
# Both hyves.nl and hyves.net are used, so check for "hyves."
# Hyves rules: every one requires the literal "Host\: www.hyves." (no nocase, so
# the header-name case must match exactly) plus one request-specific token.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE POLICY Hyves Login Attempt"; flow:established,to_server; content:"Host\: www.hyves."; content:"login_username"; classtype:policy-violation; sid:2007627; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE POLICY Hyves Inbox Access"; flow:established,to_server; content:"Host\: www.hyves."; uricontent:"/messages/inbox/"; classtype:policy-violation; sid:2007628; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE POLICY Hyves Message Access"; flow:established,to_server; content:"Host\: www.hyves."; uricontent:"/messages/inbox/messages/"; classtype:policy-violation; sid:2007629; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE POLICY Hyves Compose Message"; flow:established,to_server; content:"Host\: www.hyves."; uricontent:"index.php?l1=mg"; classtype:policy-violation; sid:2007630; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE POLICY Hyves Message Submit"; flow:established,to_server; content:"Host\: www.hyves."; uricontent:"/messages/"; content:"POST /messages/"; content:"postman_secret"; classtype:policy-violation; sid:2007631; rev:2;)
#By Merphie from the forums
# ICQ (OSCAR) rules on tcp/5190. Assumption from the FLAP layout - 0x2A frame
# marker, then the channel byte (2 = data, 1 = new connection), with the second
# content sitting where the SNAC family/subtype starts; confirm before retuning.
alert tcp $HOME_NET any -> $EXTERNAL_NET 5190 (msg: "BLEEDING-EDGE POLICY ICQ Status Invisible"; flow: from_client,established; content:"|2A02|"; depth: 2; content:"|001900130005|"; offset: 4; depth: 6; classtype: policy-violation; sid: 2001801; rev:3; )
alert tcp $HOME_NET any -> $EXTERNAL_NET 5190 (msg: "BLEEDING-EDGE POLICY ICQ Status Change (1)"; flow: from_client,established; content:"|2A02|"; depth: 2; content:"|000E00010011|"; offset: 4; depth: 6; classtype: policy-violation; sid: 2001802; rev:4; )
alert tcp $HOME_NET any -> $EXTERNAL_NET 5190 (msg: "BLEEDING-EDGE POLICY ICQ Status Change (2)"; flow: from_client,established; content:"|2A02|"; depth: 2; content:"|00120001001E|"; offset: 4; depth: 6; classtype: policy-violation; sid: 2001803; rev:4; )
alert tcp $HOME_NET any -> $EXTERNAL_NET 5190 (msg: "BLEEDING-EDGE POLICY ICQ Login"; flow: from_client,established; content:"|2A01|"; depth: 2; content:"|00010001|"; offset: 8; depth: 4; classtype: policy-violation; sid: 2001804; rev:3; )
# Bidirectional and on any port, so this one is the noisiest of the set.
alert tcp $HOME_NET any <> $EXTERNAL_NET any (msg: "BLEEDING-EDGE POLICY ICQ Message"; flow: established; content:"|2A02|"; depth: 2; content:"|000400060000|"; offset: 6; depth: 6; classtype: policy-violation; sid: 2001805; rev:3; )
#Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE POLICY ICQ Install Direct download - Not normal mode of install"; flow:established,to_server; uricontent:"/pub/ICQ_Win95_98_NT4/"; nocase; classtype: policy-violation; sid:2002986; rev:1;)
#by Mark Tombaugh
# "gmail.com" followed by "jabber" at a fixed distance/within window - brittle
# against client changes, but cheap.
alert tcp $HOME_NET any -> $EXTERNAL_NET 5222 (msg:"BLEEDING-EDGE POLICY Google Talk (Jabber) Client Login"; flow:established,to_server; content:"gmail.com"; nocase; content:"jabber"; nocase; distance:9; within:6; classtype:policy-violation; reference:url,talk.google.com; reference:url,www.xmpp.org; sid:2002327; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"BLEEDING-EDGE POLICY Google Talk TLS Client Traffic"; flow:established,to_server; content:"gmail.com"; nocase; content:"jabber"; nocase; distance:64; within:78; classtype:policy-violation; reference:url,talk.google.com; reference:url,www.xmpp.org; sid:2002330; rev:2;)
#by Brad Doctor
# NOTE(review): the "Google IM traffic friend invited" rule is truncated in this
# copy (its content and the start of the "Jabber client sign-on" rule are lost
# where a "<" once appeared); restore both from an intact upstream copy.
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"BLEEDING-EDGE POLICY Google IM traffic Windows client user sign-on"; flow:to_server; content:"ms\:xml\:ns\:xmpp-s"; content:"X-GOOGLE-TOKEN\">"; classtype:policy-violation; reference:url,www.google.com/talk; sid:2002332; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"BLEEDING-EDGE POLICY Google IM traffic friend invited"; flow:to_server; content:"\"> $EXTERNAL_NET 5222 (msg:"BLEEDING-EDGE POLICY Google IM traffic Jabber client sign-on"; flow:to_server; pcre:"/gmail.com/i"; pcre:"/jabber.org/i"; pcre:"/version=/"; classtype:policy-violation; reference:url,www.google.com/talk; sid:2002334; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"BLEEDING-EDGE POLICY Google IM traffic Windows client user sign-off"; flow:to_server; content:"|3C 2F|stream\:s"; content:"tream>"; classtype:policy-violation; reference:url,www.google.com/talk; sid:2002335; rev:4;)
#Submitted by Joel Esler
# MSN Messenger file-transfer negotiation: "MSG " in the first four bytes, then
# the MIME-style invite headers in order (distance:0 keeps them sequential).
alert tcp $HOME_NET any <> $EXTERNAL_NET any (msg: "BLEEDING-EDGE CHAT MSN file transfer request"; flow: established; content:"MSG "; depth: 4; content:"Content-Type|3A|"; nocase; distance: 0; content:"text/x-msmsgsinvite"; nocase; distance: 0; content:"Application-Name|3A|"; content:"File Transfer"; nocase; distance: 0; classtype: policy-violation; sid: 2001241; rev:3; )
alert tcp $HOME_NET any <> $EXTERNAL_NET any (msg: "BLEEDING-EDGE CHAT MSN file transfer accept"; flow: established; content:"MSG "; depth: 4; content:"Content-Type|3A|"; nocase; content:"text/x-msmsgsinvite"; distance: 0; content:"Invitation-Command|3A|"; content:"ACCEPT"; distance: 1; classtype: policy-violation; sid: 2001242; rev:3; )
alert tcp $HOME_NET any <> $EXTERNAL_NET any (msg: "BLEEDING-EDGE CHAT MSN file transfer reject"; flow: established; content:"MSG "; depth: 4; content:"Content-Type|3A|"; nocase; content:"text/x-msmsgsinvite"; distance: 0; content:"Invitation-Command|3A|"; content:"CANCEL"; distance: 0; content:"Cancel-Code|3A|"; nocase; content:"REJECT"; nocase; distance: 0; classtype: policy-violation; sid: 2001243; rev:3; )
#Matt Jonkman, more msn
# Rate limited to one alert per source per hour (type limit, count 10 is the
# number of matches before the limit window starts counting).
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Policy MSN IM Poll via HTTP"; flow: established,to_server; uricontent:"/gateway/gateway.dll?Action=poll&SessionID="; nocase; threshold: type limit, track by_src, count 10, seconds 3600; classtype: policy-violation; sid: 2001682; rev:5; )
#Submitted by Scott Melnick
# "CHG " within the first 55 bytes on any outbound port - short pattern, expect
# incidental hits on other protocols.
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg: "BLEEDING-EDGE POLICY MSN status change"; flow:established,to_server; content:"CHG "; depth:55; classtype:policy-violation; sid:2002192; rev:2;)
# Hex content is the ASCII string "msngame.aspx".
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg: "BLEEDING-EDGE POLICY MSN Game Loading"; flow:established,to_server; content:"|6D 73 6E 67 61 6D 65 2E 61 73 70 78|"; within:90; classtype:policy-violation; sid:2002312; rev:1;)
#Submitted by Joel Esler
# Yahoo Messenger (YMSG) rules: "YMSG" magic in the first four bytes, then a
# two-byte field at offset 10 - presumably the service id; confirm before retuning.
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "BLEEDING-EDGE CHAT Yahoo IM successful logon"; flow: from_server,established; content:"YMSG"; nocase; depth: 4; content:"|00 01|"; offset: 10; depth: 2; classtype: policy-violation; sid: 2001253; rev:3; )
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "BLEEDING-EDGE CHAT Yahoo IM voicechat"; flow: from_server,established; content:"YMSG"; nocase; depth: 4; content:"|00|J"; offset: 10; depth: 2; classtype: policy-violation; sid: 2001254; rev:3; )
#Commenting out, duplicated in Snort.org set
#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg: "BLEEDING-EDGE CHAT Yahoo IM ping"; flow: to_server,established; content:"YMSG"; nocase; depth: 4; content:"|00 12|"; offset: 10; depth: 2; classtype: policy-violation; sid: 2001255; rev:4; )
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "BLEEDING-EDGE CHAT Yahoo IM conference invitation"; flow: from_server,established; content:"YMSG"; nocase; depth: 4; content:"|00 18|"; offset: 10; depth: 2; classtype: policy-violation; sid: 2001256; rev:3; )
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "BLEEDING-EDGE CHAT Yahoo IM conference logon success"; flow: from_server,established; content:"YMSG"; nocase; depth: 4; content:"|00 19|"; offset: 10; depth: 2; classtype: policy-violation; sid: 2001257; rev:3; )
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg: "BLEEDING-EDGE CHAT Yahoo IM conference message"; flow: to_server,established; content:"YMSG"; nocase; depth: 4; content:"|00 1D|"; offset: 10; depth: 2; classtype: policy-violation; sid: 2001258; rev:3; )
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg: "BLEEDING-EDGE CHAT Yahoo IM Unavailable Status"; flow: to_server,established; content:"|59 47 00 0b 00 00 00 00 00 12 00 00 00 00|"; depth: 55; classtype: policy-violation; sid: 2001427; rev:3; )
alert tcp $HOME_NET any <> $EXTERNAL_NET any (msg: "BLEEDING-EDGE CHAT Yahoo IM file transfer request"; flow: established; content:"YMSG"; nocase; depth: 4; content:"|00|M"; offset: 10; depth: 2; classtype: policy-violation; sid: 2001259; rev:4; )
#alert tcp $HOME_NET any <> $EXTERNAL_NET any (msg: "BLEEDING-EDGE CHAT Yahoo IM message"; flow: established; content:"YMSG"; depth: 4; classtype: policy-violation; sid: 2001260; rev:4; )
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "BLEEDING-EDGE CHAT Yahoo IM successful chat join"; flow: from_server,established; content:"YMSG"; nocase; depth: 4; content:"|00 98|"; offset: 10; depth: 2; classtype: policy-violation; sid: 2001261; rev:3; )
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg: "BLEEDING-EDGE CHAT Yahoo IM conference offer invitation"; flow: to_server,established; content:"YMSG"; nocase; depth: 4; content:"|00|P"; offset: 10; depth: 2; classtype: policy-violation; sid: 2001262; rev:3; )
# NOTE(review): the "Yahoo IM conference request" rule is truncated in this copy
# (its content and sid are lost) and runs into "conference watch".
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg: "BLEEDING-EDGE CHAT Yahoo IM conference request"; flow: to_server,established; content:" $HOME_NET any (msg: "BLEEDING-EDGE CHAT Yahoo IM conference watch"; flow: from_server,established; content:"|0D 00 05 00|"; depth: 4; classtype: policy-violation; sid: 2001264; rev:3; )
#Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE CHAT Yahoo IM Client Install"; flow: to_server,established; uricontent:"/ycontent/stats.php?version="; nocase; uricontent:"EVENT=InstallBegin"; nocase; classtype: policy-violation; sid: 2002659; rev:1; )
#by Chris Newton
# NOTE(review): all four "Yahoo Chat ... Inside Webmail" rules are truncated in
# this copy (contents and sids lost) and the last one runs into the IRC rule that
# follows. Restore them from an intact upstream copy before loading this file.
alert tcp $HOME_NET any -> $EXTERNAL_NET 5050 (msg:"BLEEDING-EDGE POLICY Yahoo Chat Signin Inside Webmail"; flow:established,to_server; content:"content-length\:"; nocase; depth:15; content:" $HOME_NET any (msg:"BLEEDING-EDGE POLICY Yahoo Chat Signin Success Inside Webmail"; flow:established,to_server; content:"content-length\:"; nocase; depth:15; content:" $HOME_NET any (msg:"BLEEDING-EDGE POLICY Yahoo Chat Activity Inside Webmail"; flow:established,to_server; content:"content-length\:"; nocase; depth:15; content:" $HOME_NET any (msg:"BLEEDING-EDGE POLICY Yahoo Chat Activity Inside Webmail (2)"; flow:established,to_server; content:" $HOME_NET any (msg: "BLEEDING-EDGE POLICY IRC authorization message"; flow: established; content:"NOTICE AUTH"; content:"Looking up your hostname..."; nocase; classtype: misc-activity; sid: 2000355; rev:3; )
# Inbound IRC server banner on any port; misc-activity, useful mainly as a
# breadcrumb for hosts talking to IRC servers that are not on 6667.
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "BLEEDING-EDGE POLICY IRC connection"; flow: established; content:"Welcome to the "; content:"IRC Network"; nocase; classtype: misc-activity; sid: 2000356; rev:3; )
#by Matt Jonkman
# Disabled: " dd-ddddddd " matches any two-plus-seven digit dashed number in any
# payload, so the false-positive rate is very high.
#alert ip any any -> any any (msg: "BLEEDING-EDGE POLICY EIN in the clear (US-IRS Employer ID Number)"; pcre:"/ \d\d-\d{7} /"; reference:url,policy.ssa.gov/poms.nsf/lnx/0101001004; reference:url,policy.ssa.gov/poms.nsf/lnx/0101001001?opendocument; classtype:policy-violation; sid:2002658; rev:2;)
#by Cam Beasley. Experimental, please report your experiences
# Inbound SMTP from high source ports; keys on a fixed run of base64 fragments
# after the Content-Transfer-Encoding header (first fragment within 575 bytes).
# The "complex" variant requires a much longer run of the same encoded data.
alert tcp $EXTERNAL_NET 1024: -> $HOME_NET 25 (msg:"BLEEDING-EDGE POLICY Possible Image Spam Inbound (simple rule)"; flow:established,to_server; content:"Content-Transfer-Encoding|3A|"; content:"AMAgAOAgAABAACBAAEBAAGBAAIBAAKBAAMBAAOBAAABgACBgAEBgAGBgAIBgAKBgAMBgAOBg"; depth:575; content:"AACAACCAAECAAGCAAICAAKCAAMCAAOCAAACgACCgAECgAGCgAICgAKCgAMCgAOCgAADAACDA"; content:"AEDAAGDAAIDAAKDAAMDAAODAAADgACDgAEDgAGDgAIDgAKDgAMDgAODgAAAAQCAAQEAAQGAA"; classtype:misc-activity; sid:2003096; rev:1;)
alert tcp $EXTERNAL_NET 1024: -> $HOME_NET 25 (msg:"BLEEDING-EDGE POLICY Possible Image Spam Inbound (complex rule)"; flow:established,to_server; content:"Content-Transfer-Encoding|3A|"; content:"AMAgAOAgAABAACBAAEBAAGBAAIBAAKBAAMBAAOBAAABgACBgAEBgAGBgAIBgAKBgAMBgAOBg"; depth:575; content:"AACAACCAAECAAGCAAICAAKCAAMCAAOCAAACgACCgAECgAGCgAICgAKCgAMCgAOCgAADAACDA"; content:"AEDAAGDAAIDAAKDAAMDAAODAAADgACDgAEDgAGDgAIDgAKDgAMDgAODgAAAAQCAAQEAAQGAA"; content:"QIAAQKAAQMAAQOAAQAAgQCAgQEAgQGAgQIAgQKAgQMAgQOAgQABAQCBAQEBAQGBAQIBAQKBA"; content:"QMBAQOBAQABgQCBgQEBgQGBgQIBgQKBgQMBgQOBgQACAQCCAQECAQGCAQICAQKCAQMCAQOCA"; content:"QACgQCCgQECgQGCgQICgQKCgQMCgQOCgQADAQCDAQEDAQGDAQIDAQKDAQMDAQODAQADgQCDg"; content:"QEDgQGDgQIDgQKDgQMDgQODgQAAAgCAAgEAAgGAAgIAAgKAAgMAAgOAAgAAggCAggEAggGAg"; content:"gIAggKAggMAggOAggABAgCBAgEBAgGBAgIBAgKBAgMBAgOBAgABggCBggEBggGBggIBggKBg"; content:"gMBggOBggACAgCCAgECAgGCAgICAgKCAgMCAgOCAgACggCCggECggGCggICggKCggMCggOCg"; content:"gADAgCDAgEDAgGDAgIDAgKDAgMDAgODAgADggCDggEDggGDggIDggKDggMDggODggAAAwCAA"; content:"wEAAwGAAwIAAwKAAwMAAwOAAwAAgwCAgwEAgwGAgwIAgwKAgwMAgwOAgwABAwCBAwEBAwGBA"; content:"wIBAwKBAwMBAwOBAwABgwCBgwEBgwGBgwIBgwKBgwMBgwOBgwACAwCCAwECAwGCAwICAwKCA"; content:"wMCAwOCAwACgwCCgwECgwGCgwICgwKCgwMCgwOCgwADAwCDAwEDAwGDAwIDAwKDAwP/78KCg"; classtype:misc-activity; sid:2003097; rev:1;)
#Another from Cam Beasley
# (this rule continues past the end of this section)
alert tcp $EXTERNAL_NET 1024: -> $HOME_NET 25 (msg:"BLEEDING-EDGE POLICY Possible Image Spam 
Inbound (3)"; flow:established,to_server; content:"Content-Transfer-Encoding|3A|"; content:"R0lGODlh"; depth:575; content:"AOAgAABAACBAAEBAAGBAAIBAAKBAAMBAAOBAAABgACBgAEBgAGBgAIBgAKBgAMBgAOBgAACAACCA";content:"AECAAGCAAICAAKCAAMCAAOCAAACgACCgAECgAGCgAICgAKCgAMCgAOCgAADAACDAAEDAAGDAAIDA"; classtype:misc-activity; sid:2003120; rev:1;) #Moved from Malware, this is likely not spyware related alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE POLICY Unusual User Agent (Client)"; flow: to_server,established; content:"User-Agent\: Client|0d 0a|"; nocase; content:!".microsoft.com|0d 0a|"; nocase; classtype: trojan-activity; reference:url,doc.bleedingthreats.net/2002082; sid:2002082; rev:7;) #from Russ Mcree alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE POLICY iTunes User Agent"; flow: established,to_server; content:"User-Agent\: "; nocase; pcre:"/User-Agent\:[^\n]+iTunes/i"; reference:url,hcsoftware.sourceforge.net/jason-rohrer/itms4all/; classtype:policy-violation; threshold: type limit, count 1, seconds 360, track by_src; sid:2002878; rev:2;) #Submitted by Jonathan Miner alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE POLICY KitCo Kcast Ticker (agtray)"; flow: to_server,established; uricontent:"/pr/agtray.txt"; nocase; classtype: policy-violation; sid: 2000569; rev:4; ) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE POLICY KitCo Kcast Ticker (autray)"; flow: to_server,established; uricontent:"/pr/autray.txt"; nocase; classtype: policy-violation; sid: 2000570; rev:4; ) #by William Bell alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg: "BLEEDING-EDGE POLICY MP3 File Transfer Outbound"; flow:established; content:"ID3|03|"; distance: 0; content:"TIT2"; distance:6; within:10; reference:url,filext.com/detaillist.php?extdetail=mp3&Search=Search; classtype:policy-violation; sid: 2002722; rev:1; ) #alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "BLEEDING-EDGE POLICY MP3 
File Transfer Inbound"; flow: established; content:"ID3|03|"; distance: 0; content:"TIT2"; distance:6; within:10; reference:url,filext.com/detaillist.php?extdetail=mp3&Search=Search; classtype:policy-violation; sid: 2002723; rev:1; ) #by Jeff Kell # Microsoft teredo tunnel alert udp $HOME_NET any -> $EXTERNAL_NET 3544 (msg:"BLEEDING-EDGE POLICY Microsoft TEREDO IPv6 tunneling"; content:"|FE 80 00 00 00 00 00 00 80 00|TEREDO"; offset:21; depth:16; classtype:misc-activity; sid:2003155; rev:2;) #by Stephen Nesman at Monster.com alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE POLICY Majestic-12 Spider Bot User-Agent (MJ12bot)"; flow:to_server,established; content:"User-Agent\:"; nocase; pcre:"/User-Agent\:[^\n]+MJ12bot/i"; reference:url,www.majestic12.co.uk/; classtype:trojan-activity; sid:2003409; rev:1;) #Matt Jonkman #This will let you know when McAfee is updating sigs. Not a security threat, but could be of interest to folks using McAfee to track updates #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE POLICY McAfee Update User Agent -NOT HOSTILE- (McAfee AutoUpdate)"; flow:to_server,established; content:"User-Agent\:"; nocase; pcre:"/User-Agent\:[^\n]+McAfee AutoUpdate/i"; classtype:not-suspicious; sid:2003381; rev:2;) #by Will Metcalf #Rapidshare is a video sharing service, uses VERY poor auth, and can be used for non-work-appropriate material. 
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE POLICY Metacafe.com family filter off"; flow:established,to_server; content:"POST"; depth:4; content:"Host\: www.metacafe.com"; content:"submit=Continue+-+I%27m+over+18"; classtype:policy-violation; sid:2006367; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE POLICY Rapidshare download unauthd image post"; flow:to_server,established; content:"POST"; depth: 4; uricontent:"/files/"; nocase; content:"Host\:"; nocase; content:"rapidshare.com"; nocase; within: 40; content:"&accesscode="; nocase; content:"&actionstring=Download"; nocase; within:50; reference:url,en.wikipedia.org/wiki/RapidShare; classtype:policy-violation; sid:2006368; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE POLICY Rapidshare auth cookie download"; flow:to_server,established; content:"GET"; depth: 3; uricontent:"/files/"; content:"Host\:"; nocase; content:"rapidshare.com"; nocase; within:40; content:"Cookie\: user="; nocase; reference:url,en.wikipedia.org/wiki/RapidShare; classtype:policy-violation; sid:2006369; rev:1;) #by Jamian Mason of Deepnines.com alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE POLICY Metacafe.com Social Site Access"; flow:established,to_server; content:"Host\: www.metacafe.com"; threshold: type both, track by_src, count 5, seconds 300; classtype:policy-violation; sid:2003457; rev:1;) #Submitted by Joseph Gama #alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "BLEEDING-EDGE Policy Mozilla XPI install files download"; flow: from_server,established; content:"content-type\: application/x-xpinstall"; nocase; classtype: bad-unknown; sid: 2001114; rev:3; ) #by dajackman alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE POLICY Myspace Login Attempt"; flow:established,to_server; content:"login.myspace.com"; uricontent:"/index.cfm?fuseaction=login"; classtype:policy-violation; sid:2002872; rev:2;) 
#by Matt Jonkman #These sigs aren't signs of hostile activity, just something of interest in some places alert tcp any any -> $HOME_NET $HTTP_PORTS (msg:"BLEEDING-EDGE POLICY Nagios HTTP Monitoring Connection"; flow:established,to_server; content:"User-Agent\: check_http/"; nocase; content:"(nagios-plugins "; nocase; within:30; classtype:not-suspicious; sid:2006779; rev:1;) #by Will Metcalf, Netflix on demand UA alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE POLICY Netflix On-demand User-Agent"; flow:to_server,established; content:"User-Agent\: WmpHostInternetConnection"; nocase; classtype:policy-violation; sid:2007638; rev:1;) #Submitted by Lance Boon alert udp any any -> any any (msg: "BLEEDING-EDGE Policy Netop Remote Control Usage"; content:"|554b30303736305337473130|"; reference:url,www.netop.com; classtype: policy-violation; sid: 2001597; rev:3; ) #by Jamian Mason of Deepnines.com alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE POLICY Netvacy.com Anonymizing Proxy Access"; flow:established,to_server; content:"Host\: www.netvacy.com"; classtype:policy-violation; sid:2003453; rev:1;) #New way to do ssh. First to detect legit ssh sessions on normal ports. 
Enable these ONLY if you need to know about # normal ssh sessions #Written by Erik Fichtner, adapted some #alert tcp any $SSH_PORTS -> any any (msg: "BLEEDING-EDGE POLICY SSH Server Banner Detected on Expected Port"; flowbits:noalert; flow: from_server,established; content:"SSH-"; offset: 0; depth: 4; byte_test:1,>,48,0,relative;byte_test:1,<,51,0,relative;byte_test:1,=,46,1,relative;flowbits: set,is_ssh_server_banner; classtype:misc-activity; sid: 2001973; rev:5; ) #alert tcp any any -> any $SSH_PORTS (msg: "BLEEDING-EDGE POLICY SSH Client Banner Detected on Expected Port"; flowbits:isset,is_ssh_server_banner; flowbits:noalert; flow: from_client,established; content:"SSH-"; offset: 0; depth: 4; byte_test:1,>,48,0,relative;byte_test:1,<,51,0,relative;byte_test:1,=,46,1,relative;flowbits: set,is_ssh_client_banner; classtype:misc-activity; sid: 2001974; rev:5; ) #alert tcp any $SSH_PORTS -> any any (msg: "BLEEDING-EDGE POLICY SSHv2 Server KEX Detected on Expected Port"; flowbits:isset,is_ssh_client_banner; flowbits:noalert; flow: from_server,established; byte_test:1,=,20,5; flowbits: set,is_ssh_server_kex; classtype:misc-activity; sid: 2001975; rev:5; ) #alert tcp any any -> any $SSH_PORTS (msg: "BLEEDING-EDGE POLICY SSHv2 Client KEX Detected on Expected Port"; flowbits:isset,is_ssh_server_kex; flowbits:noalert; flow: from_client,established; byte_test:1,=,20,5;flowbits: set,is_ssh_client_kex; classtype:misc-activity; sid: 2001976; rev:6; ) #alert tcp any any -> any $SSH_PORTS (msg: "BLEEDING-EDGE POLICY SSHv2 Client New Keys detected on Expected Port"; flowbits:noalert; flowbits:isset,is_ssh_client_kex; flow: from_client,established; byte_test:1,=,21,5;flowbits: set,is_proto_ssh; classtype:misc-activity; sid: 2001977; rev:6; ) #alert tcp any any <> any $SSH_PORTS (msg: "BLEEDING-EDGE POLICY SSH session in progress on Expected Port"; flowbits: isset,is_proto_ssh; threshold: type both, track by_src, count 2, seconds 300; classtype:misc-activity; sid: 2001978; rev:4; ) 
#And now to detect Non-standard port usage
# Same five-step flowbit chain as the expected-port rules above, keyed on !$SSH_PORTS instead
# ($SSH_PORTS must be defined in the Snort config for the negation to mean anything).
# Only the last rule (sid 2001984) ever raises an alert: every other rule in the chain carries
# flowbits:noalert and exists solely to set the bit the next rule tests.
# Banner check: "SSH-" at packet offset 0, then (relative to the end of that match) the next byte
# must be > 48 ('0') and < 51 ('3'), i.e. '1' or '2', and the byte after it must be 46 ('.'),
# so the server line has to start "SSH-1." or "SSH-2.".
alert tcp any !$SSH_PORTS -> any any (msg: "BLEEDING-EDGE POLICY SSH Server Banner Detected on Unusual Port"; flowbits:noalert; flow: from_server,established; content:"SSH-"; offset: 0; depth: 4; byte_test:1,>,48,0,relative;byte_test:1,<,51,0,relative;byte_test:1,=,46,1,relative;flowbits: set,is_ssh_server_banner; classtype:misc-activity; sid: 2001979; rev:5; )
# Client banner, same byte checks; only evaluated once is_ssh_server_banner is set on this flow.
alert tcp any any -> any !$SSH_PORTS (msg: "BLEEDING-EDGE POLICY SSH Client Banner Detected on Unusual Port"; flowbits:noalert; flowbits:isset,is_ssh_server_banner; flow: from_client,established; content:"SSH-"; offset: 0; depth: 4; byte_test:1,>,48,0,relative;byte_test:1,<,51,0,relative;byte_test:1,=,46,1,relative; flowbits: set,is_ssh_client_banner; classtype:misc-activity; sid: 2001980; rev:6; )
# byte_test:1,=,20,5 -- the byte at offset 5 must be 20 (SSH_MSG_KEXINIT in RFC 4253; offset 5 skips
# the 4-byte packet length and 1-byte padding length of the SSHv2 binary packet). Gated on the
# client banner bit, so a bare KEXINIT-looking byte on a flow with no banner does not advance the chain.
alert tcp any !$SSH_PORTS -> any any (msg: "BLEEDING-EDGE POLICY SSHv2 Server KEX Detected on Unusual Port"; flowbits:isset,is_ssh_client_banner; flowbits:noalert; flow: from_server,established; byte_test:1,=,20,5;flowbits: set,is_ssh_server_kex; classtype:misc-activity; sid: 2001981; rev:5; )
# Client-side KEXINIT (same byte check), gated on the server KEX bit.
alert tcp any any -> any !$SSH_PORTS (msg: "BLEEDING-EDGE POLICY SSHv2 Client KEX Detected on Unusual Port"; flowbits:noalert; flowbits:isset,is_ssh_server_kex; flow: from_client,established; byte_test:1,=,20,5; flowbits: set,is_ssh_client_kex; classtype:misc-activity; sid: 2001982; rev:6; )
# 21 = SSH_MSG_NEWKEYS (RFC 4253). This is the last gate: seeing it after the KEX exchange sets
# is_proto_ssh, the bit the alerting rule below keys on.
alert tcp any any -> any !$SSH_PORTS (msg: "BLEEDING-EDGE POLICY SSHv2 Client New Keys Detected on Unusual Port"; flowbits:isset,is_ssh_client_kex; flowbits:noalert; flow: from_client,established; byte_test:1,=,21,5; flowbits: set,is_proto_ssh; classtype:misc-activity; sid: 2001983; rev:6; )
# The only rule in the chain that alerts. threshold type both / count 2 / seconds 300, tracked by
# source: the alert fires on the second matching packet from a source within a 5-minute window and
# is then suppressed for the rest of that window, so expect at most one alert per source per 5 min.
alert tcp any any <> any !$SSH_PORTS (msg: "BLEEDING-EDGE POLICY SSH session in progress on Unusual Port"; flowbits: isset,is_proto_ssh; threshold: type both, track by_src, count 2, seconds 300; classtype:misc-activity; sid: 2001984; rev:4; )
#by Jamian Mason of Deepnines.com
alert tcp $HOME_NET any -> 
$EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE POLICY Orkut.com Social Site Access"; flow:established,to_server; content:"Host\: www.orkut.com"; threshold: type both, track by_src, count 5, seconds 300; classtype:policy-violation; sid:2003458; rev:1;) #Submitted by Scott Melnick alert tcp $HOME_NET any -> any !$HTTP_PORTS (msg: "BLEEDING-EDGE POLICY PCMesh Anonymous Proxy client connect"; flow: from_client,established; content:"http|3a|//www.pcmesh.com|3a|80/ip-check.cgi"; depth:37; offset:4; classtype: policy-violation; sid:2003040; rev:2; ) #Only enable if you do not use an internal Proxy server with your #clients, or change your HTTP_PORTS to match your Proxy server port #alert tcp $HOME_NET any -> any !$HTTP_PORTS (msg: "BLEEDING-EDGE POLICY Anonymous Proxy Traffic from Inside"; flow: from_client,established; flags: *AP,12; content:"GET http|3a|//"; depth:11; offset:0; content:"HTTP/1.0"; within:50; offset:11; classtype: policy-violation; sid:2003069; rev:1;) #by Will Metcalf. These will detect a php proxy/anonymizer/content control evasion site in use alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE POLICY PHP Anonymizing/Evasion Proxy In Use"; flow: to_server,established; content:"GET "; depth: 4; uricontent:"/index.php?q="; nocase; pcre:"/index\.php\?q=(uggc|jjj|http|www|aHR0c|d3d3)/Ui"; reference:url,sourceforge.net/projects/php-proxy/; classtype:policy-violation; sid:2006410; rev:2;) #by Jonathan Scheidell #Pingdom.com is an otherwise legitimate org that does free distributed ping monitoring # This sig will let you know if you're being monitored. 
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg: "BLEEDING-EDGE POLICY Pingdom.com Monitoring detected"; flow: to_server,established; content: "User-Agent\: Pingdom GIGRIB"; nocase; classtype:attempted-recon; reference:url,royal.pingdom.com/?p=46; sid:2003214; rev:2;) #This will tell you if a local host is signed up as a pingdom monitoring node alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE POLICY Pingdom.com Monitoring Node Active"; flow: to_server,established; content: "User-Agent\: Pingdom GIGRIB"; nocase; classtype:attempted-recon; reference:url,royal.pingdom.com/?p=46; sid:2003215; rev:2;) #by Matt Jonkman # A large number of trojans report an infection by sending a blank email to a gmail or other free provider # They're pretty bland, other than they almost always use the Indy Mail lib. So the mail is slightly unique # This sig should catch them outbound alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE POLICY Possible Infection Report Mail - Indy Mail lib and No Message Body - Priority 1"; flow:established,to_server; content:"|0d 0a|X-Priority\: 1|0d 0a|X-Library\: Indy "; content:"|0d 0a 0d 0a 2e 0d 0a|"; within:30; classtype:trojan-activity; sid:2007611; rev:3;) alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE POLICY Possible Infection Report Mail - Indy Mail lib and No Message Body - Priority 3"; flow:established,to_server; content:"|0d 0a|X-Priority\: 3|0d 0a|X-Library\: Indy "; content:"|0d 0a 0d 0a 2e 0d 0a|"; within:30; classtype:trojan-activity; sid:2007612; rev:3;) alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE POLICY Possible Infection Report Mail - Indy Mail lib and MAC Message Body - Priority 1"; flow:established,to_server; content:"|0d 0a|X-Priority\: 1|0d 0a|X-Library\: Indy "; content:"|0d 0a|MAC......."; nocase; within:20; classtype:trojan-activity; sid:2007613; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE POLICY Possible Infection 
Report Mail - Indy Mail lib and MAC Message Body - Priority 3"; flow:established,to_server; content:"|0d 0a|X-Priority\: 3|0d 0a|X-Library\: Indy "; content:"|0d 0a|MAC......."; nocase; within:20; classtype:trojan-activity; sid:2007614; rev:2;) # Added by Frank Knobbe alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg: "BLEEDING-EDGE POLICY Prospero Chat Session in Progress"; flow: established,to_server; content:"PCHAT2 "; offset: 0; depth: 7; content:"v='"; nocase; offset: 8; depth: 400; content:"jv='"; nocase; offset: 8; depth: 400; content:"u='"; nocase; offset: 8; depth: 400; reference:url,www.prospero.com/technology.htm; classtype: policy-violation; sid: 2001989; rev:3; ) #Seeing some bots and proxy evasion apps use these proxy judges to find their way out #by Scotty Melnick alert tcp any any -> any $HTTP_PORTS (msg: "BLEEDING-EDGE POLICY Proxy Judge Discovery/Evasion (prxjdg.cgi)"; flow: established,to_server; uricontent:"/prxjdg.cgi"; nocase; classtype:policy-violation; sid:2003047; rev:1;) alert tcp any any -> any $HTTP_PORTS (msg: "BLEEDING-EDGE POLICY Proxy Judge Discovery/Evasion (proxyjudge.cgi)"; flow: established,to_server; uricontent:"/proxyjudge.cgi"; nocase; classtype:policy-violation; sid:2003048; rev:1;) #By Sam Pabon alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg: "BLEEDING-EDGE POLICY RAR File Outbound"; flow: established; content:"|52 61 72 21|"; offset: 0; depth: 4; tag: session; classtype: not-suspicious; sid: 2001950; rev:2; ) #alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "BLEEDING-EDGE POLICY RAR File Inbound"; flow: established; content:"|52 61 72 21|"; offset: 0; depth: 4; tag: session; classtype: not-suspicious; sid: 2001951; rev:2; ) #Submitted by James Ashton alert tcp $EXTERNAL_NET any -> $HOME_NET 3389 (msg: "BLEEDING-EDGE POLICY RDP connection request"; flow: to_server,established; content:"|03|"; offset: 0; depth: 1; content:"|E0|"; offset: 5; depth: 1; classtype: misc-activity; sid: 2001329; rev:6;) alert tcp $HOME_NET 
3389 -> $EXTERNAL_NET any (msg: "BLEEDING-EDGE POLICY RDP connection confirm"; flow: from_server,established; content:"|03|"; offset: 0; depth: 1; content:"|D0|"; offset: 5; depth: 1; classtype: misc-activity; sid: 2001330; rev:6;)
# The RDP rules (2001329-2001331) test only two bytes: the TPKT version byte (0x03 at offset 0) and
# the X.224 TPDU code at offset 5 -- 0xE0 connection request, 0xD0 connection confirm, 0x80 disconnect
# request. Cheap, but any TPKT/X.224 traffic on port 3389 will satisfy them; they are misc-activity,
# not an indicator of compromise on their own.
alert tcp $EXTERNAL_NET any -> $HOME_NET 3389 (msg: "BLEEDING-EDGE POLICY RDP disconnect request"; flow: to_server,established; content:"|03|"; offset: 0; depth: 1; content:"|80|"; offset: 5; depth: 1; classtype: misc-activity; sid: 2001331; rev:6;)
#By Scott Melnick
#Users can connect to remote machines by port forwarding 3389 through personal routers.
# Same TPKT + X.224 CR (0xE0) check as sid 2001329, but outbound from $HOME_NET to any port except
# 3389, plus "Cookie:" at offset 11 -- presumably the routing-cookie field the Windows client sends in
# its connection request; confirm against a capture before relying on it to cut false positives.
alert tcp $HOME_NET any -> $EXTERNAL_NET !3389 (msg: "BLEEDING-EDGE POLICY Remote Desktop Connection via non RDP Port"; flow:established,to_server; content:"|03|"; offset: 0; depth: 1; content:"|E0|"; offset: 5; depth: 1; content:"Cookie\:"; offset: 11; depth: 7; classtype: policy-violation; sid:2007571; rev:2;)
#Matt Jonkman
# Radmin session setup: sid 2003479 alerts on the inbound setup packet and sets BE.Radmin.Challenge.
# sid 2003480 tests that bit but is flowbits:noalert and sets no bit of its own, so as written it
# never produces output. The Auth pair below (2003481 / 2003482) has the same shape.
# Both inbound rules are classtype:not-suspicious, so a remote-control session into a $HOME_NET host
# on a high port surfaces only at that low priority -- tune the classtype if Radmin is not sanctioned.
alert tcp any any -> $HOME_NET 1024:65535 (msg:"BLEEDING-EDGE POLICY Radmin Remote Control Session Setup Initiate"; flow:established,to_server; content:"|01 00 00 00 01 00 00 00 08 08|"; flowbits:set,BE.Radmin.Challenge; classtype:not-suspicious; reference:url,www.radmin.com; sid:2003479; rev:1;)
alert tcp $HOME_NET 1024:65535 -> any any (msg:"BLEEDING-EDGE POLICY Radmin Remote Control Session Setup Response"; flowbits:isset,BE.Radmin.Challenge; flow:established,from_server; dsize:<50; content:"|01 00 00 00 25 00 00 02 12 08 02 00 00 0a 00 00 00 00 00 00|"; flowbits:noalert; classtype:not-suspicious; reference:url,www.radmin.com; sid:2003480; rev:1;)
# Authentication challenge; dsize:<20 bounds the match to the short auth packet.
alert tcp any any -> $HOME_NET 1024:65535 (msg:"BLEEDING-EDGE POLICY Radmin Remote Control Session Authentication Initiate"; flow:established,to_server; dsize:<20; content:"|01 00 00 00 05 00 00 02 27 27 02 00 00 00|"; flowbits:set,BE.Radmin.Auth.Challenge; classtype:not-suspicious; reference:url,www.radmin.com; sid:2003481; rev:1;)
alert tcp $HOME_NET 1024:65535 -> any any (msg:"BLEEDING-EDGE POLICY Radmin Remote 
Control Session Authentication Response"; flowbits:isset,BE.Radmin.Auth.Challenge; flow:established,from_server; dsize:<20; content:"|01 00 00 00 05 00 00 00 27 27 00 00 00 00|"; flowbits:noalert; classtype:not-suspicious; reference:url,www.radmin.com; sid:2003482; rev:1;) #Matt jonkman alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE POLICY Real.com Game Arcade Install (User agent)"; flow: established,to_server; content:"User-Agent\:"; nocase; pcre:"/User-Agent\:[^\n]+ARCADE_BUNDLE_DOWNLOADER/i"; classtype: policy-violation; sid: 2003045; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE POLICY Real.com Game Arcade Install"; flow: established,to_server; content:"/gameconsole/bundlescripts/"; classtype: policy-violation; sid:2003046; rev:1;) #Matt Jonkman # This is a commercial product, but we see it very often used in malware. Send this email on install alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE POLICY SC-KeyLog Keylogger Installed - Sending Initial Email Report"; flow:established,to_server; content:"Installation of SC-KeyLog on host "; nocase; content:"

You will receive a log report every "; nocase; content:"Document sent by SC-KeyLog"; nocase; classtype:trojan-activity; reference:url,www.soft-central.net/keylog.php; sid:2002979; rev:1;) #By Chris Norton #alert tcp any any -> $HOME_NET 22 (msg: "BLEEDING-EDGE Policy SSH Successful user connection"; dsize: 52; flags: AP; threshol