# Sagan windows-blacklist.rules
# Copyright (c) 2009-2023. Quadrant Information Security <www.quadrantsec.com>
# All rights reserved.
#
# Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list
#
#*************************************************************
# Redistribution and use in source and binary forms, with or without modification, are permitted provided that the
# following conditions are met:
#
# * Redistributions of source code must retain the above copyright notice, this list of conditions and the following
# disclaimer.
# * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the
# following disclaimer in the documentation and/or other materials provided with the distribution.
# * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES,
# INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
# USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#
#*************************************************************
# Windows blacklist rules.
# Eventlog to syslog service. This is what we primarily use.
# http://code.google.com/p/eventlog-to-syslog/
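# Active rules. Every rule below reads the Windows event ID from the ".EventID"
# JSON field and the rendered event text from ".RenderedDescription", parses the
# source address out of that text (parse_src_ip: 1) and then applies the
# blacklist lookup (by_src or by_username).
# NOTE(review): the 529/530/531/539 rules map "username" to ".Computer", so
# by_username tracking, thresholds and the blacklist key on the computer field
# rather than an account name - confirm this is intended for this Event Hub feed.
#
# Successful logon (4624/528/540) whose rendered text carries "Logon Type: 10",
# from a blacklisted source. The duplicated "program: *Security*" option was
# dropped (rev bumped). Rule header direction is $HOME_NET -> $EXTERNAL_NET,
# unlike the rest of the file; left unchanged here.
alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[WINDOWS-BLACKLIST] RDP / Logon type 10 from a blacklisted IP"; program: *Security*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4624,528,540; content: "Logon Type|3a| 10 "; blacklist: by_src; parse_src_ip: 1; normalize; default_proto: tcp; classtype: successful-user; sid:5008572; metadata: created_on 2022_11_22, old_sid 5002215; rev:8;)
# Logon failure (529) keyed by username; suppressed after 5 hits per 300 s.
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLACKLIST] Login failure from a blacklisted IP [0/5]"; program: *Security*; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id: 529; classtype: unsuccessful-user; blacklist: by_username; threshold: type suppress, track by_username, count 5, seconds 300; normalize; parse_src_ip: 1; parse_port; sid:5008573; metadata: created_on 2022_11_22, old_sid 5002216; rev:6;)
# Logon failure due to time restriction (530); same keying and suppression as above.
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLACKLIST] Login failure from a blacklisted IP [Time restriction] [0/5]"; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id: 530; classtype: unsuccessful-user; program: *Security*; parse_src_ip: 1; blacklist: by_username; threshold: type suppress, track by_username, count 5, seconds 300; normalize; sid:5008574; metadata: created_on 2022_11_22, old_sid 5002217; rev:8;)
# Logon failure, account disabled (531). The negated content skips events whose
# text contains an empty "User Name: Domain:" pair.
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLACKLIST] Login failure from blacklisted IP - Account currently disabled [0/5]"; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id: 531; content:!"User Name|3a| Domain|3a|"; classtype: unsuccessful-user; program: *Security*; blacklist: by_username; normalize; parse_src_ip: 1; threshold: type suppress, track by_username, count 5, seconds 300; sid:5008575; metadata: created_on 2022_11_22, old_sid 5002218; rev:5;)
# Logon failure, account expired (532); blacklist keyed on the parsed source IP.
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLACKLIST] Login failure from blacklisted IP - Specified account expired"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 532; classtype: unsuccessful-user; program: *Security*; blacklist: by_src; normalize; parse_src_ip: 1; sid:5008576; metadata: created_on 2022_11_22, old_sid 5002219; rev:5;)
# Logon failure, user not allowed at this computer (533). classtype corrected
# from successful-user to unsuccessful-user to match the message and the sibling
# failure rules (rev bumped).
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLACKLIST] Login failure from blacklisted IP - User not allowed to login at this computer"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 533; classtype: unsuccessful-user; program: *Security*; blacklist: by_src; normalize; parse_src_ip: 1; sid:5008577; metadata: created_on 2022_11_22, old_sid 5002220; rev:6;)
# Logon failure, account locked (539); negated content skips events with an
# empty "User Name: Domain: Logon Type:" triple.
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLACKLIST] Login failure from blacklisted IP - Account locked [0/1]"; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id: 539; content:!"User Name|3a| Domain|3a| Logon Type|3a|"; classtype: unsuccessful-user; blacklist: by_username; threshold: type suppress, track by_username, count 5, seconds 300; parse_src_ip: 1; parse_port; normalize; program: *Security*; sid:5008578; metadata: created_on 2022_11_22, old_sid 5002222; rev:6;)
# Domain-controller logon failures (675/676/681) from a blacklisted source IP.
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLACKLIST] Windows DC Logon Failure from blacklisted IP"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:675,676,681; classtype: unsuccessful-user; program: *Security*; blacklist: by_src; normalize; parse_src_ip: 1; sid:5008579; metadata: created_on 2022_11_22, old_sid 5002223; rev:6;)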
# Rules added by Brian Echeverry (becheverry@quadrantsec.com) - 10/19/2015
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLACKLIST] Login failure from a blacklisted IP - User Name Does Not Exist [Brute Force] [25/1]"; content: "C0000064"; nocase; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id: 4625,4776; content:!"$ Source"; content:!"$ Account Domain|3a| "; classtype: brute-force; program: *Security*; parse_src_ip: 1; blacklist: by_username; after: track by_username, count 25, seconds 300; threshold: type suppress, track by_username, count 1, seconds 86400; sid:5008580; metadata: created_on 2022_11_22, old_sid 5002509; rev:8;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLACKLIST] Login failure from a blacklisted IP - User Correct but Incorrect Password [Brute Force] [25/1]"; content: "C000006A"; nocase; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id: 4625,4776; content:!"$ Account Domain|3a| "; classtype: brute-force; program: *Security*; after: track by_username, count 25, seconds 300; threshold: type suppress, track by_username, count 1, seconds 86400; parse_src_ip: 1; blacklist: by_username; sid:5008581; metadata: created_on 2022_11_22, old_sid 5002510; rev:7;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLACKLIST] Login failure from a blacklisted IP - User Is Locked Out [Brute Force] [25/1]"; content: "C0000234"; nocase; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id: 4625,4776; classtype: brute-force; program: *Security*; after: track by_username, count 25, seconds 300; threshold: type suppress, track by_username, count 1, seconds 86400; parse_src_ip: 1; blacklist: by_username; sid:5008582; metadata: created_on 2022_11_22, old_sid 5002511; rev:7;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLACKLIST] Login failure from a blacklisted IP - User Account Disabled [Brute Force] [25/1]"; content: "C0000072"; nocase; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id: 4625,4776; classtype: brute-force; program: *Security*; after: track by_username, count 25, seconds 300; threshold: type suppress, track by_username, count 1, seconds 86400; parse_src_ip: 1; blacklist: by_username; sid:5008583; metadata: created_on 2022_11_22, old_sid 5002512; rev:7;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLACKLIST] Login failure from a blacklisted IP - User Login Attempts Outside of Time Restriction [Brute Force] [25/1]"; content: "C000006F"; nocase; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id: 4625,4776; classtype: brute-force; program: *Security*; after: track by_username, count 25, seconds 300; threshold: type suppress, track by_username, count 1, seconds 86400; parse_src_ip: 1; blacklist: by_username; sid:5008584; metadata: created_on 2022_11_22, old_sid 5002513; rev:7;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLACKLIST] Login failure from a blacklisted IP - Expired Account [Brute Force] [25/1]"; content: "C0000193"; nocase; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id: 4625,4776; classtype: brute-force; program: *Security*; after: track by_username, count 25, seconds 300; threshold: type suppress, track by_username, count 1, seconds 86400; parse_src_ip: 1; blacklist: by_username; sid:5008585; metadata: created_on 2022_11_22, old_sid 5002514; rev:7;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLACKLIST] Login failure from a blacklisted IP - Expired Password [Brute Force] [25/1]"; content: "C0000071"; nocase; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id: 4625,4776; classtype: brute-force; program: *Security*; after: track by_username, count 25, seconds 300; threshold: type suppress, track by_username, count 1, seconds 86400; parse_src_ip: 1; blacklist: by_username; sid:5008586; metadata: created_on 2022_11_22, old_sid 5002515; rev:7;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLACKLIST] Windows DC Login failure from a blacklisted IP - Brute force 0x1 - Client's entry in database has expired [25/1]"; content: " 0x1 Client "; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id: 4771,4768,675,676,681; classtype: brute-force; program: *Security*; after: track by_username, count 25, seconds 300; threshold: type suppress, track by_username, count 1, seconds 86400; parse_src_ip: 1; blacklist: by_username; sid:5008587; metadata: created_on 2022_11_22, old_sid 5002516; rev:7;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLACKLIST] Windows DC Login failure from a blacklisted IP - Brute force 0x2 - Server's entry in database has expired [25/1]"; content: " 0x2 Client "; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id: 4771,4768,675,676,681; classtype: brute-force; program: *Security*; after: track by_username, count 25, seconds 300; threshold: type suppress, track by_username, count 1, seconds 86400; parse_src_ip: 1; blacklist: by_username; sid:5008588; metadata: created_on 2022_11_22, old_sid 5002517; rev:7;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLACKLIST] Windows DC Login failure from a blacklisted IP - Brute force 0x3 - Requested protocol version # not supported [25/1]"; content: " 0x3 Client "; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id: 4771,4768,675,676,681; classtype: brute-force; program: *Security*; after: track by_username, count 25, seconds 300; threshold: type suppress, track by_username, count 1, seconds 86400; parse_src_ip: 1; blacklist: by_username; sid:5008589; metadata: created_on 2022_11_22, old_sid 5002518; rev:7;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLACKLIST] Windows DC Login failure from a blacklisted IP - Brute force 0x4 - Client's key encrypted in old master key [25/1]"; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id: 4771,4768,675,676,681; content: " 0x4 Client "; classtype: brute-force; program: *Security*; after: track by_username, count 25, seconds 300; threshold: type suppress, track by_username, count 1, seconds 86400; parse_src_ip: 1; blacklist: by_username; sid:5008590; metadata: created_on 2022_11_22, old_sid 5002519; rev:7;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLACKLIST] Windows DC Login failure from a blacklisted IP - Brute force 0x5 - Server's key encrypted in old master key [25/1]"; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id: 4771,4768,675,676,681; content: " 0x5 Client "; classtype: brute-force; program: *Security*; after: track by_username, count 25, seconds 300; threshold: type suppress, track by_username, count 1, seconds 86400; parse_src_ip: 1; blacklist: by_username; sid:5008591; metadata: created_on 2022_11_22, old_sid 5002520; rev:7;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLACKLIST] Windows DC Login failure from a blacklisted IP - Brute force 0x6 - Client not found in Kerberos database [25/1]"; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id: 4771,4768,675,676,681; content: " 0x6 Client "; classtype: brute-force; program: *Security*; after: track by_username, count 25, seconds 300; threshold: type suppress, track by_username, count 1, seconds 86400; parse_src_ip: 1; blacklist: by_username; sid:5008592; metadata: created_on 2022_11_22, old_sid 5002521; rev:7;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLACKLIST] Windows DC Login failure from a blacklisted IP - Brute force 0x7 - Server not found in Kerberos database [25/1]"; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id: 4771,4768,675,676,681; content: " 0x7 Client "; classtype: brute-force; program: *Security*; after: track by_username, count 25, seconds 300; threshold: type suppress, track by_username, count 1, seconds 86400; parse_src_ip: 1; blacklist: by_username; sid:5008593; metadata: created_on 2022_11_22, old_sid 5002522; rev:7;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLACKLIST] Windows DC Login failure from a blacklisted IP - Brute force 0x8 - Multiple principal entries in database [25/1]"; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id: 4771,4768,675,676,681; content: " 0x8 Client "; classtype: brute-force; program: *Security*; after: track by_username, count 25, seconds 300; threshold: type suppress, track by_username, count 1, seconds 86400; parse_src_ip: 1; blacklist: by_username; sid:5008594; metadata: created_on 2022_11_22, old_sid 5002523; rev:7;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLACKLIST] Windows DC Login failure from a blacklisted IP - Brute force 0x9 - The client or server has a null key [25/1]"; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id: 4771,4768,675,676,681; content: " 0x9 Client "; classtype: brute-force; program: *Security*; after: track by_username, count 25, seconds 300; threshold: type suppress, track by_username, count 1, seconds 86400; parse_src_ip: 1; blacklist: by_username; sid:5008595; metadata: created_on 2022_11_22, old_sid 5002524; rev:7;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLACKLIST] Windows DC Login failure from a blacklisted IP - Brute force 0xA - Ticket not eligible for postdating [25/1]"; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id: 4771,4768,675,676,681; content: " 0xA Client "; classtype: brute-force; program: *Security*; after: track by_username, count 25, seconds 300; threshold: type suppress, track by_username, count 1, seconds 86400; parse_src_ip: 1; blacklist: by_username; sid:5008596; metadata: created_on 2022_11_22, old_sid 5002525; rev:7;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLACKLIST] Windows DC Login failure from a blacklisted IP - Brute force 0xB - Requested start time is later than end time [25/1]"; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id: 4771,4768,675,676,681; content: " 0xB Client "; classtype: brute-force; program: *Security*; after: track by_username, count 25, seconds 300; threshold: type suppress, track by_username, count 1, seconds 86400; parse_src_ip: 1; blacklist: by_username; sid:5008597; metadata: created_on 2022_11_22, old_sid 5002526; rev:7;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLACKLIST] Windows DC Login failure from a blacklisted IP - Brute force 0xC - KDC policy rejects request [25/1]"; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id: 4771,4768,675,676,681; content: " 0xC "; classtype: brute-force; program: *Security*; after: track by_username, count 25, seconds 300; threshold: type suppress, track by_username, count 1, seconds 86400; parse_src_ip: 1; blacklist: by_username; sid:5008598; metadata: created_on 2022_11_22, old_sid 5002527; rev:7;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLACKLIST] Windows DC Login failure from a blacklisted IP - Brute force 0xD - KDC cannot accommodate requested option [25/1]"; event_id: 4771,4768,675,676,681; content: " 0xD "; classtype: brute-force; program: *Security*; after: track by_username, count 25, seconds 300; threshold: type suppress, track by_username, count 1, seconds 86400; parse_src_ip: 1; blacklist: by_username; sid:5008599; metadata: created_on 2022_11_22, old_sid 5002528; rev:7;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLACKLIST] Windows DC Login failure from a blacklisted IP - Brute force 0xE - KDC has no support for encryption type [25/1]"; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id: 4771,4768,675,676,681; content: " 0xE "; classtype: brute-force; program: *Security*; after: track by_username, count 25, seconds 300; threshold: type suppress, track by_username, count 1, seconds 86400; parse_src_ip: 1; blacklist: by_username; sid:5008600; metadata: created_on 2022_11_22, old_sid 5002529; rev:7;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLACKLIST] Windows DC Login failure from a blacklisted IP - Brute force 0xF - KDC has no support for checksum type [25/1]"; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id: 4771,4768,675,676,681; content: " 0xF "; classtype: brute-force; program: *Security*; after: track by_username, count 25, seconds 300; threshold: type suppress, track by_username, count 1, seconds 86400; parse_src_ip: 1; blacklist: by_username; sid:5008601; metadata: created_on 2022_11_22, old_sid 5002530; rev:4;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLACKLIST] Windows DC Login failure from a blacklisted IP - Brute force 0x10 - KDC has no support for padata type [25/1]"; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id: 4771,4768,675,676,681; content: " 0x10 "; classtype: brute-force; program: *Security*; after: track by_username, count 25, seconds 300; threshold: type suppress, track by_username, count 1, seconds 86400; parse_src_ip: 1; blacklist: by_username; sid:5008602; metadata: created_on 2022_11_22, old_sid 5002531; rev:7;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLACKLIST] Windows DC Login failure from a blacklisted IP - Brute force 0x11 - KDC has no support for transited type [25/1]"; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id:4771,4768,675,676,681; content: " 0x11 "; classtype: brute-force; program: *Security*; after: track by_username, count 25, seconds 300; threshold: type suppress, track by_username, count 1, seconds 86400; parse_src_ip: 1; blacklist: by_username; sid:5008603; metadata: created_on 2022_11_22, old_sid 5002532; rev:7;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLACKLIST] Windows DC Login failure from a blacklisted IP - Brute force 0x12 - Clients credentials have been revoked [25/1]"; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id: 4771,4768,675,676,681; content: " 0x12 "; classtype: brute-force; program: *Security*; after: track by_username, count 25, seconds 300; threshold: type suppress, track by_username, count 1, seconds 86400; parse_src_ip: 1; blacklist: by_username; sid:5008604; metadata: created_on 2022_11_22, old_sid 5002533; rev:7;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLACKLIST] Windows DC Login failure from a blacklisted IP - Brute force 0x13 - Credentials for server have been revoked [25/1]"; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id: 4771,4768,675,676,681; content: " 0x13 "; classtype: brute-force; program: *Security*; after: track by_username, count 25, seconds 300; threshold: type suppress, track by_username, count 1, seconds 86400; parse_src_ip: 1; blacklist: by_username; sid:5008605; metadata: created_on 2022_11_22, old_sid 5002534; rev:7;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLACKLIST] Windows DC Login failure from a blacklisted IP - Brute force 0x14 - TGT has been revoked [25/1]"; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id: 4771,4768,675,676,681; content: " 0x14 "; classtype: brute-force; program: *Security*; after: track by_username, count 25, seconds 300; threshold: type suppress, track by_username, count 1, seconds 86400; parse_src_ip: 1; blacklist: by_username; sid:5008606; metadata: created_on 2022_11_22, old_sid 5002535; rev:7;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLACKLIST] Windows DC Login failure from a blacklisted IP - Brute force 0x15 - Client not yet valid - try again later [25/1]"; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id: 4771,4768,675,676,681; content: " 0x15 "; classtype: brute-force; program: *Security*; after: track by_username, count 25, seconds 300; threshold: type suppress, track by_username, count 1, seconds 86400; parse_src_ip: 1; blacklist: by_username; sid:5008607; metadata: created_on 2022_11_22, old_sid 5002536; rev:7;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLACKLIST] Windows DC Login failure from a blacklisted IP - Brute force 0x16 - Server not yet valid - try again later [25/1]"; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id: 4771,4768,675,676,681; content: " 0x16 "; classtype: brute-force; program: *Security*; after: track by_username, count 25, seconds 300; threshold: type suppress, track by_username, count 1, seconds 86400; parse_src_ip: 1; blacklist: by_username; sid:5008608; metadata: created_on 2022_11_22, old_sid 5002537; rev:7;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLACKLIST] Windows DC Login failure from a blacklisted IP - Brute force 0x17 - Password has expired [25/1]"; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id: 4771,4768,675,676,681; content: " 0x17 "; classtype: brute-force; program: *Security*; after: track by_username, count 25, seconds 300; threshold: type suppress, track by_username, count 1, seconds 86400; parse_src_ip: 1; blacklist: by_username; sid:5008609; metadata: created_on 2022_11_22, old_sid 5002538; rev:7;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLACKLIST] Windows DC Login failure from a blacklisted IP - Brute force 0x18 - Pre-authentication information was invalid [25/1]"; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id: 4771,4768,675,676,681; content: " 0x18 "; classtype: brute-force; program: *Security*; after: track by_username, count 25, seconds 300; threshold: type suppress, track by_username, count 1, seconds 86400; parse_src_ip: 1; blacklist: by_username; sid:5008610; metadata: created_on 2022_11_22, old_sid 5002539; rev:7;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLACKLIST] Windows DC Login failure from a blacklisted IP - Brute force 0x19 - Additional pre-authentication required [25/1]"; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id: 4771,4768,675,676,681; content: " 0x19 "; classtype: brute-force; program: *Security*; after: track by_username, count 25, seconds 300; threshold: type suppress, track by_username, count 1, seconds 86400; parse_src_ip: 1; blacklist: by_username; sid:5008611; metadata: created_on 2022_11_22, old_sid 5002540; rev:7;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLACKLIST] Windows DC Login failure from a blacklisted IP - Brute force 0x1F - Integrity check on decrypted field failed [25/1]"; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id: 4771,4768,675,676,681; content: " 0x1F "; classtype: brute-force; program: *Security*; after: track by_username, count 25, seconds 300; threshold: type suppress, track by_username, count 1, seconds 86400; parse_src_ip: 1; blacklist: by_username; sid:5008612; metadata: created_on 2022_11_22, old_sid 5002541; rev:7;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLACKLIST] Windows DC Login failure from a blacklisted IP - Brute force 0x20 - Ticket expired [25/1]"; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id: 4771,4768,675,676,681; content: " 0x20 "; classtype: brute-force; program: *Security*; after: track by_username, count 25, seconds 300; threshold: type suppress, track by_username, count 1, seconds 86400; parse_src_ip: 1; blacklist: by_username; sid:5008613; metadata: created_on 2022_11_22, old_sid 5002542; rev:7;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLACKLIST] Windows DC Login failure from a blacklisted IP - Brute force 0x21 - Ticket not yet valid [25/1]"; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id: 4771,4768,675,676,681; content: " 0x21 "; classtype: brute-force; program: *Security*; after: track by_username, count 25, seconds 300; threshold: type suppress, track by_username, count 1, seconds 86400; parse_src_ip: 1; blacklist: by_username; sid:5008614; metadata: created_on 2022_11_22, old_sid 5002543; rev:7;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLACKLIST] Windows DC Login failure from a blacklisted IP - Brute force 0x22 - Request is a replay [25/1]"; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id: 4771,4768,675,676,681; content: " 0x22 "; classtype: brute-force; program: *Security*; after: track by_username, count 25, seconds 300; threshold: type suppress, track by_username, count 1, seconds 86400; parse_src_ip: 1; blacklist: by_username; sid:5008615; metadata: created_on 2022_11_22, old_sid 5002544; rev:7;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLACKLIST] Windows DC Login failure from a blacklisted IP - Brute force 0x23 - The ticket isn't for us [25/1]"; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id: 4771,4768,675,676,681; content: " 0x23 "; classtype: brute-force; program: *Security*; after: track by_username, count 25, seconds 300; threshold: type suppress, track by_username, count 1, seconds 86400; parse_src_ip: 1; blacklist: by_username; sid:5008616; metadata: created_on 2022_11_22, old_sid 5002545; rev:7;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLACKLIST] Windows DC Login failure from a blacklisted IP - Brute force 0x24 - Ticket and authenticator don't match [25/1]"; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id: 4771,4768,675,676,681; content: " 0x24 "; classtype: brute-force; program: *Security*; after: track by_username, count 25, seconds 300; threshold: type suppress, track by_username, count 1, seconds 86400; parse_src_ip: 1; blacklist: by_username; sid:5008617; metadata: created_on 2022_11_22, old_sid 5002546; rev:7;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLACKLIST] Windows DC Login failure from a blacklisted IP - Brute force 0x25 - Clock skew too great [25/1]"; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id: 4771,4768,675,676,681; content: " 0x25 "; classtype: brute-force; program: *Security*; after: track by_username, count 25, seconds 300; threshold: type suppress, track by_username, count 1, seconds 86400; parse_src_ip: 1; blacklist: by_username; sid:5008618; metadata: created_on 2022_11_22, old_sid 5002547; rev:7;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLACKLIST] Windows DC Login failure from a blacklisted IP - Brute force 0x26 - Incorrect net address [25/1]"; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id: 4771,4768,675,676,681; content: " 0x26 "; classtype: brute-force; program: *Security*; after: track by_username, count 25, seconds 300; threshold: type suppress, track by_username, count 1, seconds 86400; parse_src_ip: 1; blacklist: by_username; sid:5008619; metadata: created_on 2022_11_22, old_sid 5002548; rev:7;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLACKLIST] Windows DC Login failure from a blacklisted IP - Brute force 0x27 - Protocol version mismatch [25/1]"; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id: 4771,4768,675,676,681; content: " 0x27 "; classtype: brute-force; program: *Security*; after: track by_username, count 25, seconds 300; threshold: type suppress, track by_username, count 1, seconds 86400; parse_src_ip: 1; blacklist: by_username; sid:5008620; metadata: created_on 2022_11_22, old_sid 5002549; rev:7;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLACKLIST] Windows DC Login failure from a blacklisted IP - Brute force 0x28 - Invalid msg type [25/1]"; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id: 4771,4768,675,676,681; content: " 0x28 "; classtype: brute-force; program: *Security*; after: track by_username, count 25, seconds 300; threshold: type suppress, track by_username, count 1, seconds 86400; parse_src_ip: 1; blacklist: by_username; sid:5008621; metadata: created_on 2022_11_22, old_sid 5002550; rev:7;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLACKLIST] Windows DC Login failure from a blacklisted IP - Brute force 0x29 - Message stream modified [25/1]"; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id: 4771,4768,675,676,681; content: " 0x29 "; classtype: brute-force; program: *Security*; after: track by_username, count 25, seconds 300; threshold: type suppress, track by_username, count 1, seconds 86400; parse_src_ip: 1; blacklist: by_username; sid:5008622; metadata: created_on 2022_11_22, old_sid 5002551; rev:7;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLACKLIST] Windows DC Login failure from a blacklisted IP - Brute force 0x2A - Message out of order [25/1]"; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id: 4771,4768,675,676,681; content: " 0x2A "; classtype: brute-force; program: *Security*; after: track by_username, count 25, seconds 300; threshold: type suppress, track by_username, count 1, seconds 86400; parse_src_ip: 1; blacklist: by_username; sid:5008623; metadata: created_on 2022_11_22, old_sid 5002552; rev:7;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLACKLIST] Windows DC Login failure from a blacklisted IP - Brute force 0x2C - Specified version of key is not available [25/1]"; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id: 4771,4768,675,676,681; content: " 0x2C "; classtype: brute-force; program: *Security*; after: track by_username, count 25, seconds 300; threshold: type suppress, track by_username, count 1, seconds 86400; parse_src_ip: 1; blacklist: by_username; sid:5008624; metadata: created_on 2022_11_22, old_sid 5002553; rev:7;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLACKLIST] Windows DC Login failure from a blacklisted IP - Brute force 0x2D - Service key not available [25/1]"; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id: 4771,4768,675,676,681; content: " 0x2D "; classtype: brute-force; program: *Security*; after: track by_username, count 25, seconds 300; threshold: type suppress, track by_username, count 1, seconds 86400; parse_src_ip: 1; blacklist: by_username; sid:5008625; metadata: created_on 2022_11_22, old_sid 5002554; rev:7;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLACKLIST] Windows DC Login failure from a blacklisted IP - Brute force 0x2E - Mutual authentication failed [25/1]"; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id: 4771,4768,675,676,681; content: " 0x2E "; classtype: brute-force; program: *Security*; after: track by_username, count 25, seconds 300; threshold: type suppress, track by_username, count 1, seconds 86400; parse_src_ip: 1; blacklist: by_username; sid:5008626; metadata: created_on 2022_11_22, old_sid 5002555; rev:7;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLACKLIST] Windows DC Login failure from a blacklisted IP - Brute force 0x2F - Incorrect message direction [25/1]"; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id: 4771,4768,675,676,681; content: " 0x2F "; classtype: brute-force; program: *Security*; after: track by_username, count 25, seconds 300; threshold: type suppress, track by_username, count 1, seconds 86400; parse_src_ip: 1; blacklist: by_username; sid:5008627; metadata: created_on 2022_11_22, old_sid 5002556; rev:7;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLACKLIST] Windows DC Login failure from a blacklisted IP - Brute force 0x30 - Alternative authentication method required [25/1]"; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id:,4771,4768,675,676,681; content: " 0x30 "; classtype: brute-force; program: *Security*; after: track by_username, count 25, seconds 300; threshold: type suppress, track by_username, count 1, seconds 86400; parse_src_ip: 1; blacklist: by_username; sid:5008628; metadata: created_on 2022_11_22, old_sid 5002557; rev:7;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLACKLIST] Windows DC Login failure from a blacklisted IP - Brute force 0x31 - Incorrect sequence number in message [25/1]"; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id: 4771,4768,675,676,681; content: " 0x31 "; classtype: brute-force; program: *Security*; after: track by_username, count 25, seconds 300; threshold: type suppress, track by_username, count 1, seconds 86400; parse_src_ip: 1; blacklist: by_username; sid:5008629; metadata: created_on 2022_11_22, old_sid 5002558; rev:7;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLACKLIST] Windows DC Login failure from a blacklisted IP - Brute force 0x32 - Inappropriate type of checksum in message [25/1]"; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id: 4771,4768,675,676,681; content: " 0x32 "; classtype: brute-force; program: *Security*; after: track by_username, count 25, seconds 300; threshold: type suppress, track by_username, count 1, seconds 86400; parse_src_ip: 1; blacklist: by_username; sid:5008630; metadata: created_on 2022_11_22, old_sid 5002559; rev:7;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLACKLIST] Windows DC Login failure from a blacklisted IP - Brute force 0x3C - Generic error [25/1]"; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id: 4771,4768,675,676,681; content: " 0x3C "; classtype: brute-force; program: *Security*; after: track by_username, count 25, seconds 300; threshold: type suppress, track by_username, count 1, seconds 86400; parse_src_ip: 1; blacklist: by_username; sid:5008631; metadata: created_on 2022_11_22, old_sid 5002560; rev:7;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLACKLIST] Windows DC Login failure from a blacklisted IP - Brute force 0x3D - Field is too long for this implementation [25/1]"; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id: 4771,4768,675,676,681; content: " 0x3D "; classtype: brute-force; program: *Security*; after: track by_username, count 25, seconds 300; threshold: type suppress, track by_username, count 1, seconds 86400; parse_src_ip: 1; blacklist: by_username; sid:5008632; metadata: created_on 2022_11_22, old_sid 5002561; rev:7;)