fix: update classification for nmap

nextindex · Apr 24, 2024 · c7a84ed · c7a84ed
1 parent ae09c2b
commit c7a84ed
Showing 1 changed file with 3 additions and 3 deletions.
diff --git a/PAW-PATRULES_VULN.rules b/PAW-PATRULES_VULN.rules
@@ -184,9 +184,9 @@ alert ssh any any -> any any (msg:"🐾 - 🚨 Putty 👨‍💻 unstable 🚧 a
 alert ssh any any -> $EXTERNAL_NET any (msg:"🐾 - 🚨 Suspicious Putty / Plink SSH connection to Internet 🌐 - 👀 used including by Play & Lockbit ransomware group 👿"; flow:to_server, stateless; threshold: type limit, track by_src,count 1, seconds 3600; ssh.software; content:"putty_"; fast_pattern; nocase; reference:url,https://www.chiark.greenend.org.uk/~sgtatham/putty/; reference:url,https://www.crowdstrike.com/blog/owassrf-exploit-analysis-and-recommendations/; reference:url,https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-165a; metadata:created_at 2022_12_21, updated_at 2023_07_09; sid:3300124; rev:2; classtype:policy-violation;)
 alert ssh any any -> any any (msg:"🐾 - 🚨 WinSCP 📂 potentially vulnerable if stable version < 6.3.3"; flow:to_server, stateless; threshold: type limit, track by_src,count 1, seconds 86400; ssh.software; content:"WinSCP_release_"; fast_pattern; nocase; content:!"6.3.3"; reference:url,https://winscp.net/eng/docs/history; metadata:created_at 2021_04_29, updated_at 2024_04_19; sid:3300125; rev:23; classtype:policy-violation;)
 alert ssh any any -> $EXTERNAL_NET any (msg:"🐾 - 🚨 Suspicious WinSCP 📂 SSH/SFTP connection to Internet 🌐 - 👀 used including by Lockbit ransomware group 👿"; flow:to_server, stateless; threshold: type limit, track by_src,count 1, seconds 3600; ssh.software; content:"WinSCP_"; fast_pattern; nocase; reference:url,https://winscp.net/; reference:url,https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-165a; metadata:created_at 2023_07_09, updated_at 2023_07_09; sid:3300126; rev:1; classtype:policy-violation;)
-alert ssh any any -> any any (msg:"🐾 - 🚨 SSH Service Scan 🕵‍♂️"; flow:to_server, stateless; threshold: type limit, track by_src,count 1, seconds 86400; ssh.software; content:"check_ssh"; nocase; metadata:created_at 2021_08_05, updated_at 2022_06_10; sid:3300127; rev:4; classtype:policy-violation;)
-alert ssh any any -> $EXTERNAL_NET any (msg:"🐾 - 🚨 Suspicious Rclone SSH connection to Internet 🌐 - Possible file exfiltration 🗃"; flow:to_server, stateless; ssh.software; content:"rclone/"; nocase; reference:url,https://rclone.org/; metadata:created_at 2021_08_05, updated_at 2022_06_10; sid:3300128; rev:5; classtype:policy-violation;)
-alert ssh any any -> any any (msg:"🐾 - 🚨 NMAP 🎩 SSH Scan 🕵‍♂️"; flow:to_server, stateless; ssh.software; content:"Nmap"; nocase; reference:url,https://nmap.org/; metadata:created_at 2021_11_22, updated_at 2022_06_10; sid:3300129; rev:4; classtype:policy-violation;)
+alert ssh any any -> any any (msg:"🐾 - 🚨 SSH Service Scan 🕵‍♂️"; flow:to_server, stateless; threshold: type limit, track by_src,count 1, seconds 86400; ssh.software; content:"check_ssh"; nocase; metadata:created_at 2021_08_05, updated_at 2022_06_10; sid:3300127; rev:4; classtype:network-scan;)
+alert ssh any any -> $EXTERNAL_NET any (msg:"🐾 - 🚨 Suspicious Rclone SSH connection to Internet 🌐 - Possible file exfiltration 🗃"; flow:to_server, stateless; ssh.software; content:"rclone/"; nocase; reference:url,https://rclone.org/; metadata:created_at 2021_08_05, updated_at 2022_06_10; sid:3300128; rev:5; classtype:network-scan;)
+alert ssh any any -> any any (msg:"🐾 - 🚨 NMAP 🎩 SSH Scan 🕵‍♂️"; flow:to_server, stateless; ssh.software; content:"Nmap"; nocase; reference:url,https://nmap.org/; metadata:created_at 2021_11_22, updated_at 2022_06_10; sid:3300129; rev:4; classtype:network-scan;)
 alert ssh any any -> any any (msg:"🐾 - 🚨 SSH connection to possible VMware ESXi Server 🖥️ version 6.7 or 7.0"; flow:to_client, stateless; threshold: type limit, track by_src,count 1, seconds 3600; ssh.hassh.server; content:"8b5f8d3ec0ecb097f9e954493f95a1ff"; reference:url,https://www.vmware.com/content/vmware/vmware-published-sites/us/products/esxi-and-esx.html.html; metadata:created_at 2022_09_15, updated_at 2022_09_15; sid:3300130; rev:1; classtype:policy-violation;)
 alert ssh any any -> any any (msg:"🐾 - 🚨 SSH connection to possible VMware ESXi Server 🖥️ version 6.0 or 6.5"; flow:to_client, stateless; threshold: type limit, track by_src,count 1, seconds 3600; ssh.hassh.server; content:"6f7b0a0f2e83fd47b6e916beb9cd6fa0"; reference:url,https://www.vmware.com/content/vmware/vmware-published-sites/us/products/esxi-and-esx.html.html; metadata:created_at 2022_09_15, updated_at 2022_09_15; sid:3300131; rev:1; classtype:policy-violation;)
 alert ssh any any -> any any (msg:"🐾 - 🚨 SSH connection to possible VMware ESXi Server 🖥️ version 5.0 or 5.5"; flow:to_client, stateless; threshold: type limit, track by_src,count 1, seconds 3600; ssh.hassh.server; content:"cdf1719c7d2bf7eb69b5b87d98640d41"; reference:url,https://www.vmware.com/content/vmware/vmware-published-sites/us/products/esxi-and-esx.html.html; metadata:created_at 2022_09_15, updated_at 2022_09_15; sid:3300132; rev:1; classtype:policy-violation;)