# Sagan windows-zeek-intel.rules
# Copyright (c) 2009-2023. Quadrant Information Security <www.quadrantsec.com>
# All rights reserved.
#
# Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list
#
#*************************************************************
# Redistribution and use in source and binary forms, with or without modification, are permitted provided that the
# following conditions are met:
#
# * Redistributions of source code must retain the above copyright notice, this list of conditions and the following
# disclaimer.
# * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the
# following disclaimer in the documentation and/or other materials provided with the distribution.
# * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES,
# INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
# USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#
#*************************************************************
# Windows zeek-intel rules.
# Eventlog to syslog service. This is what we primarily use.
# http://code.google.com/p/eventlog-to-syslog/
# --- Active rules ---------------------------------------------------------
# Every rule in this group needs two things to fire: the event's program field
# must match the wildcard "*Security*", and the source address extracted from
# the log by "parse_src_ip: 1" must be on the Zeek (formerly Bro) intel list
# ("zeek-intel: by_src"). "json_map" pulls the Windows event id from the Event
# Hub JSON field .EventID and the rendered text from .RenderedDescription;
# "event_id" then selects the Windows Security event ids listed in each rule.
# "threshold: type suppress, track by_src, count 5, seconds 300" caps alerting
# at 5 per source address per 300 s, which is what the "[0/5]" tag in msg
# reflects.
#
# NOTE(review): the ids used here (528/540 next to 4624, and 529-539) are the
# pre-Vista Security log ids; the 4625/4776 equivalents for current Windows
# versions only appear in the disabled rules further down -- confirm the hosts
# feeding this Event Hub still emit the legacy ids, otherwise logon failures
# from intel-listed sources go unalerted.
# NOTE(review): json_map:"username",".Computer" binds the normalized username
# to the Computer (host) field; presumably no account field was available in
# this schema -- confirm, since any username-keyed correlation downstream would
# otherwise key on the hostname.

# Successful RDP logon (logon type 10) from an intel-listed source.
# NOTE(review): "program: *Security*" is given twice in this rule -- a harmless
# duplicate, drop one (and bump rev) on the next edit. This is also the only
# rule written $HOME_NET -> $EXTERNAL_NET while the source ip is still taken
# from the log via parse_src_ip -- confirm the direction is intended.
alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[WINDOWS-ZEEK-INTEL] RDP / Logon type 10 from a Bro Intel listed IP"; program: *Security*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4624,540,528; content: "Logon Type|3a| 10 "; zeek-intel: by_src; program: *Security*; parse_src_ip: 1; normalize; default_proto: tcp; classtype: successful-user; sid:5010226; metadata: created_on 2022_11_22, old_sid 5002224; rev:7;)
# Logon failures (legacy ids 529-533 and 539) from an intel-listed source. The
# rules tagged "[0/5]" carry the suppress threshold described above; the others
# alert on every matching event.
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-ZEEK-INTEL] Login failure from a Bro Intel listed IP [0/5]"; program: *Security*; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id: 529; classtype: unsuccessful-user; zeek-intel: by_src; threshold: type suppress, track by_src, count 5, seconds 300; normalize; parse_src_ip: 1; parse_port; sid:5010227; metadata: created_on 2022_11_22, old_sid 5002225; rev:7;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-ZEEK-INTEL] Login failure from a Bro Intel listed IP [Time restriction] [0/5]"; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id: 530; classtype: unsuccessful-user; program: *Security*; parse_src_ip: 1; zeek-intel: by_src; threshold: type suppress, track by_src, count 5, seconds 300; normalize; sid:5010228; metadata: created_on 2022_11_22, old_sid 5002226; rev:9;)
# The negated content here (and in the 539 rule below) likely filters events
# whose "User Name:" and "Domain:" fields are blank (|3a| is the ':' byte) --
# verify against a sample event before relying on it.
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-ZEEK-INTEL] Login failure from a Bro Intel listed IP - Account currently disabled [0/5]"; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id: 531; content:!"User Name|3a| Domain|3a|"; classtype: unsuccessful-user; program: *Security*; zeek-intel: by_src; normalize; parse_src_ip: 1; threshold: type suppress, track by_src, count 5, seconds 300; sid:5010229; metadata: created_on 2022_11_22, old_sid 5002227; rev:6;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-ZEEK-INTEL] Login failure from a Bro Intel listed IP - Specified account expired"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 532; classtype: unsuccessful-user; program: *Security*; zeek-intel: by_src; normalize; parse_src_ip: 1; sid:5010230; metadata: created_on 2022_11_22, old_sid 5002228; rev:6;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-ZEEK-INTEL] Login failure from a Bro Intel listed IP - User not allowed to login at this computer"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 533; classtype: unsuccessful-user; program: *Security*; zeek-intel: by_src; normalize; parse_src_ip: 1; sid:5010231; metadata: created_on 2022_11_22, old_sid 5002229; rev:6;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-ZEEK-INTEL] Login failure - Account locked from a Bro Intel listed IP [0/5]"; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id: 539; content:!"User Name|3a| Domain|3a| Logon Type|3a|"; classtype: unsuccessful-user; zeek-intel: by_src; threshold: type suppress, track by_src, count 5, seconds 300; parse_src_ip: 1; parse_port; normalize; program: *Security*; sid:5010232; metadata: created_on 2022_11_22, old_sid 5002230; rev:7;)
# Domain-controller side failures: 4771/4768 plus 675/676/681, which look like
# their legacy counterparts. Unthrottled -- every matching event alerts.
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-ZEEK-INTEL] Windows DC Logon Failure from a Bro Intel listed IP"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4771,4768,675,676,681; classtype: unsuccessful-user; program: *Security*; zeek-intel: by_src; normalize; parse_src_ip: 1; sid:5010233; metadata: created_on 2022_11_22, old_sid 5002231; rev:6;)
# Rules added by Brian Echeverry (becheverry@quadrantsec.com) - 10/19/2015
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-ZEEK-INTEL] Login failure from a Bro Intel listed IP - User Name Does Not Exist [Brute Force] [25/1]"; content: "C0000064"; nocase; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id: 4625,4776; content:!"$ Source"; content:!"$ Account Domain|3a| "; classtype: brute-force; program: *Security*; parse_src_ip: 1; zeek-intel: by_src; after: track by_src, count 25, seconds 300; threshold: type suppress, track by_src, count 1, seconds 86400; sid:5010234; metadata: created_on 2022_11_22, old_sid 5002563; rev:8;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-ZEEK-INTEL] Login failure from a Bro Intel listed IP - User Correct but Incorrect Password [Brute Force] [25/1]"; content: "C000006A"; nocase; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id: 4625,4776; content:!"$ Account Domain|3a| "; classtype: brute-force; program: *Security*; after: track by_src, count 25, seconds 300; threshold: type suppress, track by_src, count 1, seconds 86400; parse_src_ip: 1; zeek-intel: by_src; sid:5010235; metadata: created_on 2022_11_22, old_sid 5002562; rev:6;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-ZEEK-INTEL] Login failure from a Bro Intel listed IP - User Is Locked Out [Brute Force] [25/1]"; content: "C0000234"; nocase; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id: 4625,4776; classtype: brute-force; program: *Security*; after: track by_src, count 25, seconds 300; threshold: type suppress, track by_src, count 1, seconds 86400; parse_src_ip: 1; zeek-intel: by_src; sid:5010236; metadata: created_on 2022_11_22, old_sid 5002404; rev:6;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-ZEEK-INTEL] Login failure from a Bro Intel listed IP - User Account Disabled [Brute Force] [25/1]"; content: "C0000072"; nocase; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id: 4625,4776; classtype: brute-force; program: *Security*; after: track by_src, count 25, seconds 300; threshold: type suppress, track by_src, count 1, seconds 86400; parse_src_ip: 1; zeek-intel: by_src; sid:5010237; metadata: created_on 2022_11_22, old_sid 5002405; rev:6;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-ZEEK-INTEL] Login failure from a Bro Intel listed IP - User Login Attempts Outside of Time Restriction [Brute Force] [25/1]"; content: "C000006F"; nocase; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id: 4625,4776; classtype: brute-force; program: *Security*; after: track by_src, count 25, seconds 300; threshold: type suppress, track by_src, count 1, seconds 86400; parse_src_ip: 1; zeek-intel: by_src; sid:5010238; metadata: created_on 2022_11_22, old_sid 5002406; rev:6;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-ZEEK-INTEL] Login failure from a Bro Intel listed IP - Expired Account [Brute Force] [25/1]"; content: "C0000193"; nocase; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id: 4625,4776; classtype: brute-force; program: *Security*; after: track by_src, count 25, seconds 300; threshold: type suppress, track by_src, count 1, seconds 86400; parse_src_ip: 1; zeek-intel: by_src; sid:5010239; metadata: created_on 2022_11_22, old_sid 5002407; rev:6;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-ZEEK-INTEL] Login failure from a Bro Intel listed IP - Expired Password [Brute Force] [25/1]"; content: "C0000071"; nocase; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id: 4625,4776; classtype: brute-force; program: *Security*; after: track by_src, count 25, seconds 300; threshold: type suppress, track by_src, count 1, seconds 86400; parse_src_ip: 1; zeek-intel: by_src; sid:5010240; metadata: created_on 2022_11_22, old_sid 5002408; rev:6;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-ZEEK-INTEL] Windows DC Login failure from a Bro Intel listed IP - Brute force 0x1 - Client's entry in database has expired [25/1]"; content: " 0x1 Client "; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id: 4768,4771,681,676,675; classtype: brute-force; program: *Security*; after: track by_src, count 25, seconds 300; threshold: type suppress, track by_src, count 1, seconds 86400; parse_src_ip: 1; zeek-intel: by_src; sid:5010241; metadata: created_on 2022_11_22, old_sid 5002409; rev:6;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-ZEEK-INTEL] Windows DC Login failure from a Bro Intel listed IP - Brute force 0x2 - Server's entry in database has expired [25/1]"; content: " 0x2 Client "; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id: 4768,4771,681,676,675; classtype: brute-force; program: *Security*; after: track by_src, count 25, seconds 300; threshold: type suppress, track by_src, count 1, seconds 86400; parse_src_ip: 1; zeek-intel: by_src; sid:5010242; metadata: created_on 2022_11_22, old_sid 5002410; rev:6;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-ZEEK-INTEL] Windows DC Login failure from a Bro Intel listed IP - Brute force 0x3 - Requested protocol version # not supported [25/1]"; content: " 0x3 Client "; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id: 4768,4771,681,676,675; classtype: brute-force; program: *Security*; after: track by_src, count 25, seconds 300; threshold: type suppress, track by_src, count 1, seconds 86400; parse_src_ip: 1; zeek-intel: by_src; sid:5010243; metadata: created_on 2022_11_22, old_sid 5002411; rev:6;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-ZEEK-INTEL] Windows DC Login failure from a Bro Intel listed IP - Brute force 0x4 - Client's key encrypted in old master key [25/1]"; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id: 4768,4771,681,676,675; content: " 0x4 Client "; classtype: brute-force; program: *Security*; after: track by_src, count 25, seconds 300; threshold: type suppress, track by_src, count 1, seconds 86400; parse_src_ip: 1; zeek-intel: by_src; sid:5010244; metadata: created_on 2022_11_22, old_sid 5002412; rev:6;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-ZEEK-INTEL] Windows DC Login failure from a Bro Intel listed IP - Brute force 0x5 - Server's key encrypted in old master key [25/1]"; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id: 4768,4771,681,676,675; content: " 0x5 Client "; classtype: brute-force; program: *Security*; after: track by_src, count 25, seconds 300; threshold: type suppress, track by_src, count 1, seconds 86400; parse_src_ip: 1; zeek-intel: by_src; sid:5010245; metadata: created_on 2022_11_22, old_sid 5002413; rev:6;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-ZEEK-INTEL] Windows DC Login failure from a Bro Intel listed IP - Brute force 0x6 - Client not found in Kerberos database [25/1]"; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id: 4768,4771,681,676,675; content: " 0x6 Client "; classtype: brute-force; program: *Security*; after: track by_src, count 25, seconds 300; threshold: type suppress, track by_src, count 1, seconds 86400; parse_src_ip: 1; zeek-intel: by_src; sid:5010246; metadata: created_on 2022_11_22, old_sid 5002414; rev:6;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-ZEEK-INTEL] Windows DC Login failure from a Bro Intel listed IP - Brute force 0x7 - Server not found in Kerberos database [25/1]"; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id: 4768,4771,681,676,675; content: " 0x7 Client "; classtype: brute-force; program: *Security*; after: track by_src, count 25, seconds 300; threshold: type suppress, track by_src, count 1, seconds 86400; parse_src_ip: 1; zeek-intel: by_src; sid:5010247; metadata: created_on 2022_11_22, old_sid 5002415; rev:6;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-ZEEK-INTEL] Windows DC Login failure from a Bro Intel listed IP - Brute force 0x8 - Multiple principal entries in database [25/1]"; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id: 4768,4771,681,676,675; content: " 0x8 Client "; classtype: brute-force; program: *Security*; after: track by_src, count 25, seconds 300; threshold: type suppress, track by_src, count 1, seconds 86400; parse_src_ip: 1; zeek-intel: by_src; sid:5010248; metadata: created_on 2022_11_22, old_sid 5002416; rev:6;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-ZEEK-INTEL] Windows DC Login failure from a Bro Intel listed IP - Brute force 0x9 - The client or server has a null key [25/1]"; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id: 4768,4771,681,676,675; content: " 0x9 Client "; classtype: brute-force; program: *Security*; after: track by_src, count 25, seconds 300; threshold: type suppress, track by_src, count 1, seconds 86400; parse_src_ip: 1; zeek-intel: by_src; sid:5010249; metadata: created_on 2022_11_22, old_sid 5002417; rev:6;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-ZEEK-INTEL] Windows DC Login failure from a Bro Intel listed IP - Brute force 0xA - Ticket not eligible for postdating [25/1]"; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id: 4768,4771,681,676,675; content: " 0xA Client "; classtype: brute-force; program: *Security*; after: track by_src, count 25, seconds 300; threshold: type suppress, track by_src, count 1, seconds 86400; parse_src_ip: 1; zeek-intel: by_src; sid:5010250; metadata: created_on 2022_11_22, old_sid 5002418; rev:6;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-ZEEK-INTEL] Windows DC Login failure from a Bro Intel listed IP - Brute force 0xB - Requested start time is later than end time [25/1]"; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id: 4768,4771,681,676,675; content: " 0xB Client "; classtype: brute-force; program: *Security*; after: track by_src, count 25, seconds 300; threshold: type suppress, track by_src, count 1, seconds 86400; parse_src_ip: 1; zeek-intel: by_src; sid:5010251; metadata: created_on 2022_11_22, old_sid 5002419; rev:6;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-ZEEK-INTEL] Windows DC Login failure from a Bro Intel listed IP - Brute force 0xC - KDC policy rejects request [25/1]"; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id: 4768,4771,681,676,675; content: " 0xC "; classtype: brute-force; program: *Security*; after: track by_src, count 25, seconds 300; threshold: type suppress, track by_src, count 1, seconds 86400; parse_src_ip: 1; zeek-intel: by_src; sid:5010252; metadata: created_on 2022_11_22, old_sid 5002420; rev:6;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-ZEEK-INTEL] Windows DC Login failure from a Bro Intel listed IP - Brute force 0xD - KDC cannot accommodate requested option [25/1]"; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id: 4768,4771,681,676,675; content: " 0xD "; classtype: brute-force; program: *Security*; after: track by_src, count 25, seconds 300; threshold: type suppress, track by_src, count 1, seconds 86400; parse_src_ip: 1; zeek-intel: by_src; sid:5010253; metadata: created_on 2022_11_22, old_sid 5002421; rev:6;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-ZEEK-INTEL] Windows DC Login failure from a Bro Intel listed IP - Brute force 0xE - KDC has no support for encryption type [25/1]"; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id: 4768,4771,681,676,675; content: " 0xE "; classtype: brute-force; program: *Security*; after: track by_src, count 25, seconds 300; threshold: type suppress, track by_src, count 1, seconds 86400; parse_src_ip: 1; zeek-intel: by_src; sid:5010254; metadata: created_on 2022_11_22, old_sid 5002422; rev:6;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-ZEEK-INTEL] Windows DC Login failure from a Bro Intel listed IP - Brute force 0xF - KDC has no support for checksum type [25/1]"; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id: 4768,4771,681,676,675; content: " 0xF "; classtype: brute-force; program: *Security*; after: track by_src, count 25, seconds 300; threshold: type suppress, track by_src, count 1, seconds 86400; parse_src_ip: 1; zeek-intel: by_src; sid:5010255; metadata: created_on 2022_11_22, old_sid 5002423; rev:6;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-ZEEK-INTEL] Windows DC Login failure from a Bro Intel listed IP - Brute force 0x10 - KDC has no support for padata type [25/1]"; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id: 4768,4771,681,676,675; content: " 0x10 "; classtype: brute-force; program: *Security*; after: track by_src, count 25, seconds 300; threshold: type suppress, track by_src, count 1, seconds 86400; parse_src_ip: 1; zeek-intel: by_src; sid:5010256; metadata: created_on 2022_11_22, old_sid 5002424; rev:6;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-ZEEK-INTEL] Windows DC Login failure from a Bro Intel listed IP - Brute force 0x11 - KDC has no support for transited type [25/1]"; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id: 4768,4771,681,676,675; content: " 0x11 "; classtype: brute-force; program: *Security*; after: track by_src, count 25, seconds 300; threshold: type suppress, track by_src, count 1, seconds 86400; parse_src_ip: 1; zeek-intel: by_src; sid:5010257; metadata: created_on 2022_11_22, old_sid 5002425; rev:6;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-ZEEK-INTEL] Windows DC Login failure from a Bro Intel listed IP - Brute force 0x12 - Clients credentials have been revoked [25/1]"; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id: 4768,4771,681,676,675; content: " 0x12 "; classtype: brute-force; program: *Security*; after: track by_src, count 25, seconds 300; threshold: type suppress, track by_src, count 1, seconds 86400; parse_src_ip: 1; zeek-intel: by_src; sid:5010258; metadata: created_on 2022_11_22, old_sid 5002426; rev:6;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-ZEEK-INTEL] Windows DC Login failure from a Bro Intel listed IP - Brute force 0x13 - Credentials for server have been revoked [25/1]"; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id: 4768,4771,681,676,675; content: " 0x13 "; classtype: brute-force; program: *Security*; after: track by_src, count 25, seconds 300; threshold: type suppress, track by_src, count 1, seconds 86400; parse_src_ip: 1; zeek-intel: by_src; sid:5010259; metadata: created_on 2022_11_22, old_sid 5002427; rev:6;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-ZEEK-INTEL] Windows DC Login failure from a Bro Intel listed IP - Brute force 0x14 - TGT has been revoked [25/1]"; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id: 4768,4771,681,676,675; content: " 0x14 "; classtype: brute-force; program: *Security*; after: track by_src, count 25, seconds 300; threshold: type suppress, track by_src, count 1, seconds 86400; parse_src_ip: 1; zeek-intel: by_src; sid:5010260; metadata: created_on 2022_11_22, old_sid 5002428; rev:6;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-ZEEK-INTEL] Windows DC Login failure from a Bro Intel listed IP - Brute force 0x15 - Client not yet valid - try again later [25/1]"; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id: 4768,4771,681,676,675; content: " 0x15 "; classtype: brute-force; program: *Security*; after: track by_src, count 25, seconds 300; threshold: type suppress, track by_src, count 1, seconds 86400; parse_src_ip: 1; zeek-intel: by_src; sid:5010261; metadata: created_on 2022_11_22, old_sid 5002429; rev:6;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-ZEEK-INTEL] Windows DC Login failure from a Bro Intel listed IP - Brute force 0x16 - Server not yet valid - try again later [25/1]"; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id: 4768,4771,681,676,675; content: " 0x16 "; classtype: brute-force; program: *Security*; after: track by_src, count 25, seconds 300; threshold: type suppress, track by_src, count 1, seconds 86400; parse_src_ip: 1; zeek-intel: by_src; sid:5010262; metadata: created_on 2022_11_22, old_sid 5002430; rev:6;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-ZEEK-INTEL] Windows DC Login failure from a Bro Intel listed IP - Brute force 0x17 - Password has expired [25/1]"; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id: 4768,4771,681,676,675; content: " 0x17 "; classtype: brute-force; program: *Security*; after: track by_src, count 25, seconds 300; threshold: type suppress, track by_src, count 1, seconds 86400; parse_src_ip: 1; zeek-intel: by_src; sid:5010263; metadata: created_on 2022_11_22, old_sid 5002431; rev:6;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-ZEEK-INTEL] Windows DC Login failure from a Bro Intel listed IP - Brute force 0x18 - Pre-authentication information was invalid [25/1]"; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id: 4768,4771,681,676,675; content: " 0x18 "; classtype: brute-force; program: *Security*; after: track by_src, count 25, seconds 300; threshold: type suppress, track by_src, count 1, seconds 86400; parse_src_ip: 1; zeek-intel: by_src; sid:5010264; metadata: created_on 2022_11_22, old_sid 5002432; rev:6;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-ZEEK-INTEL] Windows DC Login failure from a Bro Intel listed IP - Brute force 0x19 - Additional pre-authentication required [25/1]"; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id: 4768,4771,681,676,675; content: " 0x19 "; classtype: brute-force; program: *Security*; after: track by_src, count 25, seconds 300; threshold: type suppress, track by_src, count 1, seconds 86400; parse_src_ip: 1; zeek-intel: by_src; sid:5010265; metadata: created_on 2022_11_22, old_sid 5002433; rev:6;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-ZEEK-INTEL] Windows DC Login failure from a Bro Intel listed IP - Brute force 0x1F - Integrity check on decrypted field failed [25/1]"; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id: 4768,4771,681,676,675; content: " 0x1F "; classtype: brute-force; program: *Security*; after: track by_src, count 25, seconds 300; threshold: type suppress, track by_src, count 1, seconds 86400; parse_src_ip: 1; zeek-intel: by_src; sid:5010266; metadata: created_on 2022_11_22, old_sid 5002434; rev:6;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-ZEEK-INTEL] Windows DC Login failure from a Bro Intel listed IP - Brute force 0x20 - Ticket expired [25/1]"; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id: 4768,4771,681,676,675; content: " 0x20 "; classtype: brute-force; program: *Security*; after: track by_src, count 25, seconds 300; threshold: type suppress, track by_src, count 1, seconds 86400; parse_src_ip: 1; zeek-intel: by_src; sid:5010267; metadata: created_on 2022_11_22, old_sid 5002435; rev:6;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-ZEEK-INTEL] Windows DC Login failure from a Bro Intel listed IP - Brute force 0x21 - Ticket not yet valid [25/1]"; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id: 4768,4771,681,676,675; content: " 0x21 "; classtype: brute-force; program: *Security*; after: track by_src, count 25, seconds 300; threshold: type suppress, track by_src, count 1, seconds 86400; parse_src_ip: 1; zeek-intel: by_src; sid:5010268; metadata: created_on 2022_11_22, old_sid 5002436; rev:6;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-ZEEK-INTEL] Windows DC Login failure from a Bro Intel listed IP - Brute force 0x22 - Request is a replay [25/1]"; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id: 4768,4771,681,676,675; content: " 0x22 "; classtype: brute-force; program: *Security*; after: track by_src, count 25, seconds 300; threshold: type suppress, track by_src, count 1, seconds 86400; parse_src_ip: 1; zeek-intel: by_src; sid:5010269; metadata: created_on 2022_11_22, old_sid 5002437; rev:6;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-ZEEK-INTEL] Windows DC Login failure from a Bro Intel listed IP - Brute force 0x23 - The ticket isn't for us [25/1]"; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id: 4768,4771,681,676,675; content: " 0x23 "; classtype: brute-force; program: *Security*; after: track by_src, count 25, seconds 300; threshold: type suppress, track by_src, count 1, seconds 86400; parse_src_ip: 1; zeek-intel: by_src; sid:5010270; metadata: created_on 2022_11_22, old_sid 5002438; rev:6;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-ZEEK-INTEL] Windows DC Login failure from a Bro Intel listed IP - Brute force 0x24 - Ticket and authenticator don't match [25/1]"; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id: 4768,4771,681,676,675; content: " 0x24 "; classtype: brute-force; program: *Security*; after: track by_src, count 25, seconds 300; threshold: type suppress, track by_src, count 1, seconds 86400; parse_src_ip: 1; zeek-intel: by_src; sid:5010271; metadata: created_on 2022_11_22, old_sid 5002439; rev:6;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-ZEEK-INTEL] Windows DC Login failure from a Bro Intel listed IP - Brute force 0x25 - Clock skew too great [25/1]"; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id: 4768,4771,681,676,675; content: " 0x25 "; classtype: brute-force; program: *Security*; after: track by_src, count 25, seconds 300; threshold: type suppress, track by_src, count 1, seconds 86400; parse_src_ip: 1; zeek-intel: by_src; sid:5010272; metadata: created_on 2022_11_22, old_sid 5002440; rev:6;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-ZEEK-INTEL] Windows DC Login failure from a Bro Intel listed IP - Brute force 0x26 - Incorrect net address [25/1]"; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id: 4768,4771,681,676,675; content: " 0x26 "; classtype: brute-force; program: *Security*; after: track by_src, count 25, seconds 300; threshold: type suppress, track by_src, count 1, seconds 86400; parse_src_ip: 1; zeek-intel: by_src; sid:5010273; metadata: created_on 2022_11_22, old_sid 5002441; rev:6;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-ZEEK-INTEL] Windows DC Login failure from a Bro Intel listed IP - Brute force 0x27 - Protocol version mismatch [25/1]"; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id: 4768,4771,681,676,675; content: " 0x27 "; classtype: brute-force; program: *Security*; after: track by_src, count 25, seconds 300; threshold: type suppress, track by_src, count 1, seconds 86400; parse_src_ip: 1; zeek-intel: by_src; sid:5010274; metadata: created_on 2022_11_22, old_sid 5002442; rev:6;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-ZEEK-INTEL] Windows DC Login failure from a Bro Intel listed IP - Brute force 0x28 - Invalid msg type [25/1]"; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id: 4768,4771,681,676,675; content: " 0x28 "; classtype: brute-force; program: *Security*; after: track by_src, count 25, seconds 300; threshold: type suppress, track by_src, count 1, seconds 86400; parse_src_ip: 1; zeek-intel: by_src; sid:5010275; metadata: created_on 2022_11_22, old_sid 5002443; rev:6;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-ZEEK-INTEL] Windows DC Login failure from a Bro Intel listed IP - Brute force 0x29 - Message stream modified [25/1]"; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id: 4768,4771,681,676,675; content: " 0x29 "; classtype: brute-force; program: *Security*; after: track by_src, count 25, seconds 300; threshold: type suppress, track by_src, count 1, seconds 86400; parse_src_ip: 1; zeek-intel: by_src; sid:5010276; metadata: created_on 2022_11_22, old_sid 5002444; rev:6;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-ZEEK-INTEL] Windows DC Login failure from a Bro Intel listed IP - Brute force 0x2A - Message out of order [25/1]"; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id: 4768,4771,681,676,675; content: " 0x2A "; classtype: brute-force; program: *Security*; after: track by_src, count 25, seconds 300; threshold: type suppress, track by_src, count 1, seconds 86400; parse_src_ip: 1; zeek-intel: by_src; sid:5010277; metadata: created_on 2022_11_22, old_sid 5002445; rev:6;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-ZEEK-INTEL] Windows DC Login failure from a Bro Intel listed IP - Brute force 0x2C - Specified version of key is not available [25/1]"; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id: 4768,4771,681,676,675; content: " 0x2C "; classtype: brute-force; program: *Security*; after: track by_src, count 25, seconds 300; threshold: type suppress, track by_src, count 1, seconds 86400; parse_src_ip: 1; zeek-intel: by_src; sid:5010278; metadata: created_on 2022_11_22, old_sid 5002446; rev:6;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-ZEEK-INTEL] Windows DC Login failure from a Bro Intel listed IP - Brute force 0x2D - Service key not available [25/1]"; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id: 4768,4771,681,676,675; content: " 0x2D "; classtype: brute-force; program: *Security*; after: track by_src, count 25, seconds 300; threshold: type suppress, track by_src, count 1, seconds 86400; parse_src_ip: 1; zeek-intel: by_src; sid:5010279; metadata: created_on 2022_11_22, old_sid 5002447; rev:6;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-ZEEK-INTEL] Windows DC Login failure from a Bro Intel listed IP - Brute force 0x2E - Mutual authentication failed [25/1]"; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id: 4768,4771,681,676,675; content: " 0x2E "; classtype: brute-force; program: *Security*; after: track by_src, count 25, seconds 300; threshold: type suppress, track by_src, count 1, seconds 86400; parse_src_ip: 1; zeek-intel: by_src; sid:5010280; metadata: created_on 2022_11_22, old_sid 5002448; rev:6;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-ZEEK-INTEL] Windows DC Login failure from a Bro Intel listed IP - Brute force 0x2F - Incorrect message direction [25/1]"; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id: 4768,4771,681,676,675; content: " 0x2F "; classtype: brute-force; program: *Security*; after: track by_src, count 25, seconds 300; threshold: type suppress, track by_src, count 1, seconds 86400; parse_src_ip: 1; zeek-intel: by_src; sid:5010281; metadata: created_on 2022_11_22, old_sid 5002449; rev:6;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-ZEEK-INTEL] Windows DC Login failure from a Bro Intel listed IP - Brute force 0x30 - Alternative authentication method required [25/1]"; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id: 4768,4771,681,676,675; content: " 0x30 "; classtype: brute-force; program: *Security*; after: track by_src, count 25, seconds 300; threshold: type suppress, track by_src, count 1, seconds 86400; parse_src_ip: 1; zeek-intel: by_src; sid:5010282; metadata: created_on 2022_11_22, old_sid 5002450; rev:6;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-ZEEK-INTEL] Windows DC Login failure from a Bro Intel listed IP - Brute force 0x31 - Incorrect sequence number in message [25/1]"; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id: 4768,4771,681,676,675; content: " 0x31 "; classtype: brute-force; program: *Security*; after: track by_src, count 25, seconds 300; threshold: type suppress, track by_src, count 1, seconds 86400; parse_src_ip: 1; zeek-intel: by_src; sid:5010283; metadata: created_on 2022_11_22, old_sid 5002451; rev:6;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-ZEEK-INTEL] Windows DC Login failure from a Bro Intel listed IP - Brute force 0x32 - Inappropriate type of checksum in message [25/1]"; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id: 4768,4771,681,676,675; content: " 0x32 "; classtype: brute-force; program: *Security*; after: track by_src, count 25, seconds 300; threshold: type suppress, track by_src, count 1, seconds 86400; parse_src_ip: 1; zeek-intel: by_src; sid:5010284; metadata: created_on 2022_11_22, old_sid 5002452; rev:6;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-ZEEK-INTEL] Windows DC Login failure from a Bro Intel listed IP - Brute force 0x3C - Generic error [25/1]"; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id: 4768,4771,681,676,675; content: " 0x3C "; classtype: brute-force; program: *Security*; after: track by_src, count 25, seconds 300; threshold: type suppress, track by_src, count 1, seconds 86400; parse_src_ip: 1; zeek-intel: by_src; sid:5010285; metadata: created_on 2022_11_22, old_sid 5002453; rev:6;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-ZEEK-INTEL] Windows DC Login failure from a Bro Intel listed IP - Brute force 0x3D - Field is too long for this implementation [25/1]"; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id: 4768,4771,681,676,675; content: " 0x3D "; classtype: brute-force; program: *Security*; after: track by_src, count 25, seconds 300; threshold: type suppress, track by_src, count 1, seconds 86400; parse_src_ip: 1; zeek-intel: by_src; sid:5010286; metadata: created_on 2022_11_22, old_sid 5002454; rev:6;)