# Sagan cisco-sca-observables.rules
# Copyright (c) 2009-2023. Quadrant Information Security <www.quadrantsec.com>
# All rights reserved.
#
# Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list
#
#*************************************************************
# Redistribution and use in source and binary forms, with or without modification, are permitted provided that the
# following conditions are met:
#
# * Redistributions of source code must retain the above copyright notice, this list of conditions and the following
# disclaimer.
# * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the
# following disclaimer in the documentation and/or other materials provided with the distribution.
# * Neither the name of Quadrant Information Security nor the names of its contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES,
# INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
# USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#
#*************************************************************
# rules by "Bryant Smith" <bsmith@quadrantsec.com>
# 12/20/2022
#-------------------------------------------------------------
# Cisco Secure Cloud Analytics (SCA) "observation" rules.
#
# Every rule in this block is disabled: each line begins with "#alert".
# Remove the leading "#" to enable an individual rule.
#
# Each rule keys on two byte-exact content matches against the JSON event:
#   |22|cisco_sca_data_type|22 3a 20 22|observation|22|  =>  "cisco_sca_data_type": "observation"
#   |22|observation_name|22 3a 20 22|<name>|22|          =>  "observation_name": "<name>"
# (0x22 is a double quote, 0x3a a colon, 0x20 a space). Because the match is
# on raw bytes, it requires exactly one space after the colon; a forwarder that
# serialises JSON compactly (":" with no space) would never match these rules.
# NOTE(review): confirm the spacing against a real cisco-sca_data event before
# enabling any of them.
#
# program:cisco-sca_data limits matching to logs whose program field is
# cisco-sca_data (presumably assigned by the forwarder -- verify against the
# Sagan input configuration).
#
# Every rule uses classtype:trojan-activity, including purely informational
# observations such as "Heartbeat", "AWS Config Compliance" and "Azure Advisor
# Recommendation". NOTE(review): when enabling, consider a less severe
# classtype for those so they do not carry malware-grade priority.
#
# sids run consecutively 5010630-5010703, ordered alphabetically by
# observation_name; all are rev:1. Further rules follow this block.
#-------------------------------------------------------------
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CISCO-SCA] Amazon GuardDuty DNS Request Finding Observation"; program:cisco-sca_data; content:"|22|cisco_sca_data_type|22 3a 20 22|observation|22|"; content:"|22|observation_name|22 3a 20 22|Amazon GuardDuty DNS Request Finding|22|"; classtype:trojan-activity; reference:url,www.cisco.com/c/dam/en/us/td/docs/security/stealthwatch/cloud/reference/Alerts_and_Observations_DV_2_4.pdf; sid:5010630; rev:1;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CISCO-SCA] Amazon GuardDuty Network Connection Finding Observation"; program:cisco-sca_data; content:"|22|cisco_sca_data_type|22 3a 20 22|observation|22|"; content:"|22|observation_name|22 3a 20 22|Amazon GuardDuty Network Connection Finding|22|"; classtype:trojan-activity; reference:url,www.cisco.com/c/dam/en/us/td/docs/security/stealthwatch/cloud/reference/Alerts_and_Observations_DV_2_4.pdf; sid:5010631; rev:1;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CISCO-SCA] Amazon Inspector Finding Observation"; program:cisco-sca_data; content:"|22|cisco_sca_data_type|22 3a 20 22|observation|22|"; content:"|22|observation_name|22 3a 20 22|Amazon Inspector Finding|22|"; classtype:trojan-activity; reference:url,www.cisco.com/c/dam/en/us/td/docs/security/stealthwatch/cloud/reference/Alerts_and_Observations_DV_2_4.pdf; sid:5010632; rev:1;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CISCO-SCA] Anomalous Profile Observation"; program:cisco-sca_data; content:"|22|cisco_sca_data_type|22 3a 20 22|observation|22|"; content:"|22|observation_name|22 3a 20 22|Anomalous Profile|22|"; classtype:trojan-activity; reference:url,www.cisco.com/c/dam/en/us/td/docs/security/stealthwatch/cloud/reference/Alerts_and_Observations_DV_2_4.pdf; sid:5010633; rev:1;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CISCO-SCA] Anomalous User Agent Observation"; program:cisco-sca_data; content:"|22|cisco_sca_data_type|22 3a 20 22|observation|22|"; content:"|22|observation_name|22 3a 20 22|Anomalous User Agent|22|"; classtype:trojan-activity; reference:url,www.cisco.com/c/dam/en/us/td/docs/security/stealthwatch/cloud/reference/Alerts_and_Observations_DV_2_4.pdf; sid:5010634; rev:1;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CISCO-SCA] AWS API Watchlist Access Observation"; program:cisco-sca_data; content:"|22|cisco_sca_data_type|22 3a 20 22|observation|22|"; content:"|22|observation_name|22 3a 20 22|AWS API Watchlist Access|22|"; classtype:trojan-activity; reference:url,www.cisco.com/c/dam/en/us/td/docs/security/stealthwatch/cloud/reference/Alerts_and_Observations_DV_2_4.pdf; sid:5010635; rev:1;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CISCO-SCA] AWS Architecture Compliance Observation"; program:cisco-sca_data; content:"|22|cisco_sca_data_type|22 3a 20 22|observation|22|"; content:"|22|observation_name|22 3a 20 22|AWS Architecture Compliance|22|"; classtype:trojan-activity; reference:url,www.cisco.com/c/dam/en/us/td/docs/security/stealthwatch/cloud/reference/Alerts_and_Observations_DV_2_4.pdf; sid:5010636; rev:1;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CISCO-SCA] AWS CloudTrail Event Observation"; program:cisco-sca_data; content:"|22|cisco_sca_data_type|22 3a 20 22|observation|22|"; content:"|22|observation_name|22 3a 20 22|AWS CloudTrail Event|22|"; classtype:trojan-activity; reference:url,www.cisco.com/c/dam/en/us/td/docs/security/stealthwatch/cloud/reference/Alerts_and_Observations_DV_2_4.pdf; sid:5010637; rev:1;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CISCO-SCA] AWS Config Compliance Observation"; program:cisco-sca_data; content:"|22|cisco_sca_data_type|22 3a 20 22|observation|22|"; content:"|22|observation_name|22 3a 20 22|AWS Config Compliance|22|"; classtype:trojan-activity; reference:url,www.cisco.com/c/dam/en/us/td/docs/security/stealthwatch/cloud/reference/Alerts_and_Observations_DV_2_4.pdf; sid:5010638; rev:1;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CISCO-SCA] AWS Config Update Observation"; program:cisco-sca_data; content:"|22|cisco_sca_data_type|22 3a 20 22|observation|22|"; content:"|22|observation_name|22 3a 20 22|AWS Config Update|22|"; classtype:trojan-activity; reference:url,www.cisco.com/c/dam/en/us/td/docs/security/stealthwatch/cloud/reference/Alerts_and_Observations_DV_2_4.pdf; sid:5010639; rev:1;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CISCO-SCA] AWS Lambda Metric Outlier Observation"; program:cisco-sca_data; content:"|22|cisco_sca_data_type|22 3a 20 22|observation|22|"; content:"|22|observation_name|22 3a 20 22|AWS Lambda Metric Outlier|22|"; classtype:trojan-activity; reference:url,www.cisco.com/c/dam/en/us/td/docs/security/stealthwatch/cloud/reference/Alerts_and_Observations_DV_2_4.pdf; sid:5010640; rev:1;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CISCO-SCA] AWS Multifactor Authentication Change Observation"; program:cisco-sca_data; content:"|22|cisco_sca_data_type|22 3a 20 22|observation|22|"; content:"|22|observation_name|22 3a 20 22|AWS Multifactor Authentication Change|22|"; classtype:trojan-activity; reference:url,www.cisco.com/c/dam/en/us/td/docs/security/stealthwatch/cloud/reference/Alerts_and_Observations_DV_2_4.pdf; sid:5010641; rev:1;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CISCO-SCA] AWS New User Action Observation"; program:cisco-sca_data; content:"|22|cisco_sca_data_type|22 3a 20 22|observation|22|"; content:"|22|observation_name|22 3a 20 22|AWS New User Action|22|"; classtype:trojan-activity; reference:url,www.cisco.com/c/dam/en/us/td/docs/security/stealthwatch/cloud/reference/Alerts_and_Observations_DV_2_4.pdf; sid:5010642; rev:1;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CISCO-SCA] AWS Root Account Used Observation"; program:cisco-sca_data; content:"|22|cisco_sca_data_type|22 3a 20 22|observation|22|"; content:"|22|observation_name|22 3a 20 22|AWS Root Account Used|22|"; classtype:trojan-activity; reference:url,www.cisco.com/c/dam/en/us/td/docs/security/stealthwatch/cloud/reference/Alerts_and_Observations_DV_2_4.pdf; sid:5010643; rev:1;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CISCO-SCA] Azure Advisor Recommendation Observation"; program:cisco-sca_data; content:"|22|cisco_sca_data_type|22 3a 20 22|observation|22|"; content:"|22|observation_name|22 3a 20 22|Azure Advisor Recommendation|22|"; classtype:trojan-activity; reference:url,www.cisco.com/c/dam/en/us/td/docs/security/stealthwatch/cloud/reference/Alerts_and_Observations_DV_2_4.pdf; sid:5010644; rev:1;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CISCO-SCA] Azure Exposed Services Observation"; program:cisco-sca_data; content:"|22|cisco_sca_data_type|22 3a 20 22|observation|22|"; content:"|22|observation_name|22 3a 20 22|Azure Exposed Services|22|"; classtype:trojan-activity; reference:url,www.cisco.com/c/dam/en/us/td/docs/security/stealthwatch/cloud/reference/Alerts_and_Observations_DV_2_4.pdf; sid:5010645; rev:1;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CISCO-SCA] Azure Functions Metric Outlier Observation"; program:cisco-sca_data; content:"|22|cisco_sca_data_type|22 3a 20 22|observation|22|"; content:"|22|observation_name|22 3a 20 22|Azure Functions Metric Outlier|22|"; classtype:trojan-activity; reference:url,www.cisco.com/c/dam/en/us/td/docs/security/stealthwatch/cloud/reference/Alerts_and_Observations_DV_2_4.pdf; sid:5010646; rev:1;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CISCO-SCA] Azure Permissive Security Group Observation"; program:cisco-sca_data; content:"|22|cisco_sca_data_type|22 3a 20 22|observation|22|"; content:"|22|observation_name|22 3a 20 22|Azure Permissive Security Group|22|"; classtype:trojan-activity; reference:url,www.cisco.com/c/dam/en/us/td/docs/security/stealthwatch/cloud/reference/Alerts_and_Observations_DV_2_4.pdf; sid:5010647; rev:1;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CISCO-SCA] Azure Permissive Storage Setting Observation"; program:cisco-sca_data; content:"|22|cisco_sca_data_type|22 3a 20 22|observation|22|"; content:"|22|observation_name|22 3a 20 22|Azure Permissive Storage Setting|22|"; classtype:trojan-activity; reference:url,www.cisco.com/c/dam/en/us/td/docs/security/stealthwatch/cloud/reference/Alerts_and_Observations_DV_2_4.pdf; sid:5010648; rev:1;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CISCO-SCA] Azure Security Event Observation"; program:cisco-sca_data; content:"|22|cisco_sca_data_type|22 3a 20 22|observation|22|"; content:"|22|observation_name|22 3a 20 22|Azure Security Event|22|"; classtype:trojan-activity; reference:url,www.cisco.com/c/dam/en/us/td/docs/security/stealthwatch/cloud/reference/Alerts_and_Observations_DV_2_4.pdf; sid:5010649; rev:1;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CISCO-SCA] Azure Unusual Activity Observation"; program:cisco-sca_data; content:"|22|cisco_sca_data_type|22 3a 20 22|observation|22|"; content:"|22|observation_name|22 3a 20 22|Azure Unusual Activity|22|"; classtype:trojan-activity; reference:url,www.cisco.com/c/dam/en/us/td/docs/security/stealthwatch/cloud/reference/Alerts_and_Observations_DV_2_4.pdf; sid:5010650; rev:1;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CISCO-SCA] Azure VM in Unused Location Observation"; program:cisco-sca_data; content:"|22|cisco_sca_data_type|22 3a 20 22|observation|22|"; content:"|22|observation_name|22 3a 20 22|Azure VM in Unused Location|22|"; classtype:trojan-activity; reference:url,www.cisco.com/c/dam/en/us/td/docs/security/stealthwatch/cloud/reference/Alerts_and_Observations_DV_2_4.pdf; sid:5010651; rev:1;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CISCO-SCA] Bad Protocol Observation"; program:cisco-sca_data; content:"|22|cisco_sca_data_type|22 3a 20 22|observation|22|"; content:"|22|observation_name|22 3a 20 22|Bad Protocol|22|"; classtype:trojan-activity; reference:url,www.cisco.com/c/dam/en/us/td/docs/security/stealthwatch/cloud/reference/Alerts_and_Observations_DV_2_4.pdf; sid:5010652; rev:1;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CISCO-SCA] Cluster Change Observation"; program:cisco-sca_data; content:"|22|cisco_sca_data_type|22 3a 20 22|observation|22|"; content:"|22|observation_name|22 3a 20 22|Cluster Change|22|"; classtype:trojan-activity; reference:url,www.cisco.com/c/dam/en/us/td/docs/security/stealthwatch/cloud/reference/Alerts_and_Observations_DV_2_4.pdf; sid:5010653; rev:1;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CISCO-SCA] Compliance Verdict Summary Observation"; program:cisco-sca_data; content:"|22|cisco_sca_data_type|22 3a 20 22|observation|22|"; content:"|22|observation_name|22 3a 20 22|Compliance Verdict Summary|22|"; classtype:trojan-activity; reference:url,www.cisco.com/c/dam/en/us/td/docs/security/stealthwatch/cloud/reference/Alerts_and_Observations_DV_2_4.pdf; sid:5010654; rev:1;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CISCO-SCA] Confirmed Threat Indicator Match - Domain Observation"; program:cisco-sca_data; content:"|22|cisco_sca_data_type|22 3a 20 22|observation|22|"; content:"|22|observation_name|22 3a 20 22|Confirmed Threat Indicator Match - Domain|22|"; classtype:trojan-activity; reference:url,www.cisco.com/c/dam/en/us/td/docs/security/stealthwatch/cloud/reference/Alerts_and_Observations_DV_2_4.pdf; sid:5010655; rev:1;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CISCO-SCA] Confirmed Threat Indicator Match - Hostname Observation"; program:cisco-sca_data; content:"|22|cisco_sca_data_type|22 3a 20 22|observation|22|"; content:"|22|observation_name|22 3a 20 22|Confirmed Threat Indicator Match - Hostname|22|"; classtype:trojan-activity; reference:url,www.cisco.com/c/dam/en/us/td/docs/security/stealthwatch/cloud/reference/Alerts_and_Observations_DV_2_4.pdf; sid:5010656; rev:1;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CISCO-SCA] Confirmed Threat Indicator Match - IP Observation"; program:cisco-sca_data; content:"|22|cisco_sca_data_type|22 3a 20 22|observation|22|"; content:"|22|observation_name|22 3a 20 22|Confirmed Threat Indicator Match - IP|22|"; classtype:trojan-activity; reference:url,www.cisco.com/c/dam/en/us/td/docs/security/stealthwatch/cloud/reference/Alerts_and_Observations_DV_2_4.pdf; sid:5010657; rev:1;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CISCO-SCA] Confirmed Threat Indicator Match - URL Observation"; program:cisco-sca_data; content:"|22|cisco_sca_data_type|22 3a 20 22|observation|22|"; content:"|22|observation_name|22 3a 20 22|Confirmed Threat Indicator Match - URL|22|"; classtype:trojan-activity; reference:url,www.cisco.com/c/dam/en/us/td/docs/security/stealthwatch/cloud/reference/Alerts_and_Observations_DV_2_4.pdf; sid:5010658; rev:1;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CISCO-SCA] Country Set Deviation Observation"; program:cisco-sca_data; content:"|22|cisco_sca_data_type|22 3a 20 22|observation|22|"; content:"|22|observation_name|22 3a 20 22|Country Set Deviation|22|"; classtype:trojan-activity; reference:url,www.cisco.com/c/dam/en/us/td/docs/security/stealthwatch/cloud/reference/Alerts_and_Observations_DV_2_4.pdf; sid:5010659; rev:1;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CISCO-SCA] Domain Generation Algorithm Observation"; program:cisco-sca_data; content:"|22|cisco_sca_data_type|22 3a 20 22|observation|22|"; content:"|22|observation_name|22 3a 20 22|Domain Generation Algorithm|22|"; classtype:trojan-activity; reference:url,www.cisco.com/c/dam/en/us/td/docs/security/stealthwatch/cloud/reference/Alerts_and_Observations_DV_2_4.pdf; sid:5010660; rev:1;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CISCO-SCA] Domain Generation Algorithm Success Observation"; program:cisco-sca_data; content:"|22|cisco_sca_data_type|22 3a 20 22|observation|22|"; content:"|22|observation_name|22 3a 20 22|Domain Generation Algorithm Success|22|"; classtype:trojan-activity; reference:url,www.cisco.com/c/dam/en/us/td/docs/security/stealthwatch/cloud/reference/Alerts_and_Observations_DV_2_4.pdf; sid:5010661; rev:1;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CISCO-SCA] Exceptional Domain Controller Observation"; program:cisco-sca_data; content:"|22|cisco_sca_data_type|22 3a 20 22|observation|22|"; content:"|22|observation_name|22 3a 20 22|Exceptional Domain Controller|22|"; classtype:trojan-activity; reference:url,www.cisco.com/c/dam/en/us/td/docs/security/stealthwatch/cloud/reference/Alerts_and_Observations_DV_2_4.pdf; sid:5010662; rev:1;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CISCO-SCA] Excessive Connections to Network Printers Observation"; program:cisco-sca_data; content:"|22|cisco_sca_data_type|22 3a 20 22|observation|22|"; content:"|22|observation_name|22 3a 20 22|Excessive Connections to Network Printers|22|"; classtype:trojan-activity; reference:url,www.cisco.com/c/dam/en/us/td/docs/security/stealthwatch/cloud/reference/Alerts_and_Observations_DV_2_4.pdf; sid:5010663; rev:1;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CISCO-SCA] External Mail Client Connections Observation"; program:cisco-sca_data; content:"|22|cisco_sca_data_type|22 3a 20 22|observation|22|"; content:"|22|observation_name|22 3a 20 22|External Mail Client Connections|22|"; classtype:trojan-activity; reference:url,www.cisco.com/c/dam/en/us/td/docs/security/stealthwatch/cloud/reference/Alerts_and_Observations_DV_2_4.pdf; sid:5010664; rev:1;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CISCO-SCA] External Port Scanner Observation"; program:cisco-sca_data; content:"|22|cisco_sca_data_type|22 3a 20 22|observation|22|"; content:"|22|observation_name|22 3a 20 22|External Port Scanner|22|"; classtype:trojan-activity; reference:url,www.cisco.com/c/dam/en/us/td/docs/security/stealthwatch/cloud/reference/Alerts_and_Observations_DV_2_4.pdf; sid:5010665; rev:1;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CISCO-SCA] GCP Cloud Function Metric Outlier Observation"; program:cisco-sca_data; content:"|22|cisco_sca_data_type|22 3a 20 22|observation|22|"; content:"|22|observation_name|22 3a 20 22|GCP Cloud Function Metric Outlier|22|"; classtype:trojan-activity; reference:url,www.cisco.com/c/dam/en/us/td/docs/security/stealthwatch/cloud/reference/Alerts_and_Observations_DV_2_4.pdf; sid:5010666; rev:1;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CISCO-SCA] GCP Watchlist Activity Observation"; program:cisco-sca_data; content:"|22|cisco_sca_data_type|22 3a 20 22|observation|22|"; content:"|22|observation_name|22 3a 20 22|GCP Watchlist Activity|22|"; classtype:trojan-activity; reference:url,www.cisco.com/c/dam/en/us/td/docs/security/stealthwatch/cloud/reference/Alerts_and_Observations_DV_2_4.pdf; sid:5010667; rev:1;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CISCO-SCA] Geographic Watchlist Observation"; program:cisco-sca_data; content:"|22|cisco_sca_data_type|22 3a 20 22|observation|22|"; content:"|22|observation_name|22 3a 20 22|Geographic Watchlist|22|"; classtype:trojan-activity; reference:url,www.cisco.com/c/dam/en/us/td/docs/security/stealthwatch/cloud/reference/Alerts_and_Observations_DV_2_4.pdf; sid:5010668; rev:1;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CISCO-SCA] Heartbeat Observation"; program:cisco-sca_data; content:"|22|cisco_sca_data_type|22 3a 20 22|observation|22|"; content:"|22|observation_name|22 3a 20 22|Heartbeat|22|"; classtype:trojan-activity; reference:url,www.cisco.com/c/dam/en/us/td/docs/security/stealthwatch/cloud/reference/Alerts_and_Observations_DV_2_4.pdf; sid:5010669; rev:1;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CISCO-SCA] Historical Outlier Observation"; program:cisco-sca_data; content:"|22|cisco_sca_data_type|22 3a 20 22|observation|22|"; content:"|22|observation_name|22 3a 20 22|Historical Outlier|22|"; classtype:trojan-activity; reference:url,www.cisco.com/c/dam/en/us/td/docs/security/stealthwatch/cloud/reference/Alerts_and_Observations_DV_2_4.pdf; sid:5010670; rev:1;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CISCO-SCA] Insecure Transport Protocol Observation"; program:cisco-sca_data; content:"|22|cisco_sca_data_type|22 3a 20 22|observation|22|"; content:"|22|observation_name|22 3a 20 22|Insecure Transport Protocol|22|"; classtype:trojan-activity; reference:url,www.cisco.com/c/dam/en/us/td/docs/security/stealthwatch/cloud/reference/Alerts_and_Observations_DV_2_4.pdf; sid:5010671; rev:1;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CISCO-SCA] Internal Connection Watchlist Observation"; program:cisco-sca_data; content:"|22|cisco_sca_data_type|22 3a 20 22|observation|22|"; content:"|22|observation_name|22 3a 20 22|Internal Connection Watchlist|22|"; classtype:trojan-activity; reference:url,www.cisco.com/c/dam/en/us/td/docs/security/stealthwatch/cloud/reference/Alerts_and_Observations_DV_2_4.pdf; sid:5010672; rev:1;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CISCO-SCA] Internal Port Scanner Observation"; program:cisco-sca_data; content:"|22|cisco_sca_data_type|22 3a 20 22|observation|22|"; content:"|22|observation_name|22 3a 20 22|Internal Port Scanner|22|"; classtype:trojan-activity; reference:url,www.cisco.com/c/dam/en/us/td/docs/security/stealthwatch/cloud/reference/Alerts_and_Observations_DV_2_4.pdf; sid:5010673; rev:1;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CISCO-SCA] Intrusion Detection System Notice Observation"; program:cisco-sca_data; content:"|22|cisco_sca_data_type|22 3a 20 22|observation|22|"; content:"|22|observation_name|22 3a 20 22|Intrusion Detection System Notice|22|"; classtype:trojan-activity; reference:url,www.cisco.com/c/dam/en/us/td/docs/security/stealthwatch/cloud/reference/Alerts_and_Observations_DV_2_4.pdf; sid:5010674; rev:1;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CISCO-SCA] IP Scanner Observation"; program:cisco-sca_data; content:"|22|cisco_sca_data_type|22 3a 20 22|observation|22|"; content:"|22|observation_name|22 3a 20 22|IP Scanner|22|"; classtype:trojan-activity; reference:url,www.cisco.com/c/dam/en/us/td/docs/security/stealthwatch/cloud/reference/Alerts_and_Observations_DV_2_4.pdf; sid:5010675; rev:1;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CISCO-SCA] ISE Session Started Observation"; program:cisco-sca_data; content:"|22|cisco_sca_data_type|22 3a 20 22|observation|22|"; content:"|22|observation_name|22 3a 20 22|ISE Session Started|22|"; classtype:trojan-activity; reference:url,www.cisco.com/c/dam/en/us/td/docs/security/stealthwatch/cloud/reference/Alerts_and_Observations_DV_2_4.pdf; sid:5010676; rev:1;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CISCO-SCA] Long Session Observation"; program:cisco-sca_data; content:"|22|cisco_sca_data_type|22 3a 20 22|observation|22|"; content:"|22|observation_name|22 3a 20 22|Long Session|22|"; classtype:trojan-activity; reference:url,www.cisco.com/c/dam/en/us/td/docs/security/stealthwatch/cloud/reference/Alerts_and_Observations_DV_2_4.pdf; sid:5010677; rev:1;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CISCO-SCA] Malware Event Observation"; program:cisco-sca_data; content:"|22|cisco_sca_data_type|22 3a 20 22|observation|22|"; content:"|22|observation_name|22 3a 20 22|Malware Event|22|"; classtype:trojan-activity; reference:url,www.cisco.com/c/dam/en/us/td/docs/security/stealthwatch/cloud/reference/Alerts_and_Observations_DV_2_4.pdf; sid:5010678; rev:1;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CISCO-SCA] Multiple Access Failures Observation"; program:cisco-sca_data; content:"|22|cisco_sca_data_type|22 3a 20 22|observation|22|"; content:"|22|observation_name|22 3a 20 22|Multiple Access Failures|22|"; classtype:trojan-activity; reference:url,www.cisco.com/c/dam/en/us/td/docs/security/stealthwatch/cloud/reference/Alerts_and_Observations_DV_2_4.pdf; sid:5010679; rev:1;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CISCO-SCA] Multiple File Extensions Observation"; program:cisco-sca_data; content:"|22|cisco_sca_data_type|22 3a 20 22|observation|22|"; content:"|22|observation_name|22 3a 20 22|Multiple File Extensions|22|"; classtype:trojan-activity; reference:url,www.cisco.com/c/dam/en/us/td/docs/security/stealthwatch/cloud/reference/Alerts_and_Observations_DV_2_4.pdf; sid:5010680; rev:1;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CISCO-SCA] Network Printer with Excessive Connections Observation"; program:cisco-sca_data; content:"|22|cisco_sca_data_type|22 3a 20 22|observation|22|"; content:"|22|observation_name|22 3a 20 22|Network Printer with Excessive Connections|22|"; classtype:trojan-activity; reference:url,www.cisco.com/c/dam/en/us/td/docs/security/stealthwatch/cloud/reference/Alerts_and_Observations_DV_2_4.pdf; sid:5010681; rev:1;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CISCO-SCA] New Compliance Resource Failure Observation"; program:cisco-sca_data; content:"|22|cisco_sca_data_type|22 3a 20 22|observation|22|"; content:"|22|observation_name|22 3a 20 22|New Compliance Resource Failure|22|"; classtype:trojan-activity; reference:url,www.cisco.com/c/dam/en/us/td/docs/security/stealthwatch/cloud/reference/Alerts_and_Observations_DV_2_4.pdf; sid:5010682; rev:1;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CISCO-SCA] New External Connection Observation"; program:cisco-sca_data; content:"|22|cisco_sca_data_type|22 3a 20 22|observation|22|"; content:"|22|observation_name|22 3a 20 22|New External Connection|22|"; classtype:trojan-activity; reference:url,www.cisco.com/c/dam/en/us/td/docs/security/stealthwatch/cloud/reference/Alerts_and_Observations_DV_2_4.pdf; sid:5010683; rev:1;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CISCO-SCA] New External Server Observation"; program:cisco-sca_data; content:"|22|cisco_sca_data_type|22 3a 20 22|observation|22|"; content:"|22|observation_name|22 3a 20 22|New External Server|22|"; classtype:trojan-activity; reference:url,www.cisco.com/c/dam/en/us/td/docs/security/stealthwatch/cloud/reference/Alerts_and_Observations_DV_2_4.pdf; sid:5010684; rev:1;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CISCO-SCA] New File Extension Observation"; program:cisco-sca_data; content:"|22|cisco_sca_data_type|22 3a 20 22|observation|22|"; content:"|22|observation_name|22 3a 20 22|New File Extension|22|"; classtype:trojan-activity; reference:url,www.cisco.com/c/dam/en/us/td/docs/security/stealthwatch/cloud/reference/Alerts_and_Observations_DV_2_4.pdf; sid:5010685; rev:1;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CISCO-SCA] New High Throughput Connection Observation"; program:cisco-sca_data; content:"|22|cisco_sca_data_type|22 3a 20 22|observation|22|"; content:"|22|observation_name|22 3a 20 22|New High Throughput Connection|22|"; classtype:trojan-activity; reference:url,www.cisco.com/c/dam/en/us/td/docs/security/stealthwatch/cloud/reference/Alerts_and_Observations_DV_2_4.pdf; sid:5010686; rev:1;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CISCO-SCA] New Internal Connection Observation"; program:cisco-sca_data; content:"|22|cisco_sca_data_type|22 3a 20 22|observation|22|"; content:"|22|observation_name|22 3a 20 22|New Internal Connection|22|"; classtype:trojan-activity; reference:url,www.cisco.com/c/dam/en/us/td/docs/security/stealthwatch/cloud/reference/Alerts_and_Observations_DV_2_4.pdf; sid:5010687; rev:1;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CISCO-SCA] New Internal Device Observation"; program:cisco-sca_data; content:"|22|cisco_sca_data_type|22 3a 20 22|observation|22|"; content:"|22|observation_name|22 3a 20 22|New Internal Device|22|"; classtype:trojan-activity; reference:url,www.cisco.com/c/dam/en/us/td/docs/security/stealthwatch/cloud/reference/Alerts_and_Observations_DV_2_4.pdf; sid:5010688; rev:1;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CISCO-SCA] New Large Connection (External) Observation"; program:cisco-sca_data; content:"|22|cisco_sca_data_type|22 3a 20 22|observation|22|"; content:"|22|observation_name|22 3a 20 22|New Large Connection (External)|22|"; classtype:trojan-activity; reference:url,www.cisco.com/c/dam/en/us/td/docs/security/stealthwatch/cloud/reference/Alerts_and_Observations_DV_2_4.pdf; sid:5010689; rev:1;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CISCO-SCA] New Large Connection (Internal) Observation"; program:cisco-sca_data; content:"|22|cisco_sca_data_type|22 3a 20 22|observation|22|"; content:"|22|observation_name|22 3a 20 22|New Large Connection (Internal)|22|"; classtype:trojan-activity; reference:url,www.cisco.com/c/dam/en/us/td/docs/security/stealthwatch/cloud/reference/Alerts_and_Observations_DV_2_4.pdf; sid:5010690; rev:1;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CISCO-SCA] New Profile Observation"; program:cisco-sca_data; content:"|22|cisco_sca_data_type|22 3a 20 22|observation|22|"; content:"|22|observation_name|22 3a 20 22|New Profile|22|"; classtype:trojan-activity; reference:url,www.cisco.com/c/dam/en/us/td/docs/security/stealthwatch/cloud/reference/Alerts_and_Observations_DV_2_4.pdf; sid:5010691; rev:1;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CISCO-SCA] Persistent External Server Observation"; program:cisco-sca_data; content:"|22|cisco_sca_data_type|22 3a 20 22|observation|22|"; content:"|22|observation_name|22 3a 20 22|Persistent External Server|22|"; classtype:trojan-activity; reference:url,www.cisco.com/c/dam/en/us/td/docs/security/stealthwatch/cloud/reference/Alerts_and_Observations_DV_2_4.pdf; sid:5010692; rev:1;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CISCO-SCA] Population Spike Observation"; program:cisco-sca_data; content:"|22|cisco_sca_data_type|22 3a 20 22|observation|22|"; content:"|22|observation_name|22 3a 20 22|Population Spike|22|"; classtype:trojan-activity; reference:url,www.cisco.com/c/dam/en/us/td/docs/security/stealthwatch/cloud/reference/Alerts_and_Observations_DV_2_4.pdf; sid:5010693; rev:1;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CISCO-SCA] Port Scanner Observation"; program:cisco-sca_data; content:"|22|cisco_sca_data_type|22 3a 20 22|observation|22|"; content:"|22|observation_name|22 3a 20 22|Port Scanner|22|"; classtype:trojan-activity; reference:url,www.cisco.com/c/dam/en/us/td/docs/security/stealthwatch/cloud/reference/Alerts_and_Observations_DV_2_4.pdf; sid:5010694; rev:1;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CISCO-SCA] Potential Data Forwarding Observation"; program:cisco-sca_data; content:"|22|cisco_sca_data_type|22 3a 20 22|observation|22|"; content:"|22|observation_name|22 3a 20 22|Potential Data Forwarding|22|"; classtype:trojan-activity; reference:url,www.cisco.com/c/dam/en/us/td/docs/security/stealthwatch/cloud/reference/Alerts_and_Observations_DV_2_4.pdf; sid:5010695; rev:1;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CISCO-SCA] Public Amazon Route Hosted Zone Created Observation"; program:cisco-sca_data; content:"|22|cisco_sca_data_type|22 3a 20 22|observation|22|"; content:"|22|observation_name|22 3a 20 22|Public Amazon Route Hosted Zone Created|22|"; classtype:trojan-activity; reference:url,www.cisco.com/c/dam/en/us/td/docs/security/stealthwatch/cloud/reference/Alerts_and_Observations_DV_2_4.pdf; sid:5010696; rev:1;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CISCO-SCA] Public Facing IP Watchlist Match Observation"; program:cisco-sca_data; content:"|22|cisco_sca_data_type|22 3a 20 22|observation|22|"; content:"|22|observation_name|22 3a 20 22|Public Facing IP Watchlist Match|22|"; classtype:trojan-activity; reference:url,www.cisco.com/c/dam/en/us/td/docs/security/stealthwatch/cloud/reference/Alerts_and_Observations_DV_2_4.pdf; sid:5010697; rev:1;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CISCO-SCA] Public IP Service Observation"; program:cisco-sca_data; content:"|22|cisco_sca_data_type|22 3a 20 22|observation|22|"; content:"|22|observation_name|22 3a 20 22|Public IP Service|22|"; classtype:trojan-activity; reference:url,www.cisco.com/c/dam/en/us/td/docs/security/stealthwatch/cloud/reference/Alerts_and_Observations_DV_2_4.pdf; sid:5010698; rev:1;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CISCO-SCA] Rapid Logins Observation"; program:cisco-sca_data; content:"|22|cisco_sca_data_type|22 3a 20 22|observation|22|"; content:"|22|observation_name|22 3a 20 22|Rapid Logins|22|"; classtype:trojan-activity; reference:url,www.cisco.com/c/dam/en/us/td/docs/security/stealthwatch/cloud/reference/Alerts_and_Observations_DV_2_4.pdf; sid:5010699; rev:1;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CISCO-SCA] Record Metric Outlier Observation"; program:cisco-sca_data; content:"|22|cisco_sca_data_type|22 3a 20 22|observation|22|"; content:"|22|observation_name|22 3a 20 22|Record Metric Outlier|22|"; classtype:trojan-activity; reference:url,www.cisco.com/c/dam/en/us/td/docs/security/stealthwatch/cloud/reference/Alerts_and_Observations_DV_2_4.pdf; sid:5010700; rev:1;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CISCO-SCA] Record Profile Outlier Observation"; program:cisco-sca_data; content:"|22|cisco_sca_data_type|22 3a 20 22|observation|22|"; content:"|22|observation_name|22 3a 20 22|Record Profile Outlier|22|"; classtype:trojan-activity; reference:url,www.cisco.com/c/dam/en/us/td/docs/security/stealthwatch/cloud/reference/Alerts_and_Observations_DV_2_4.pdf; sid:5010701; rev:1;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CISCO-SCA] Remote Access Observation"; program:cisco-sca_data; content:"|22|cisco_sca_data_type|22 3a 20 22|observation|22|"; content:"|22|observation_name|22 3a 20 22|Remote Access|22|"; classtype:trojan-activity; reference:url,www.cisco.com/c/dam/en/us/td/docs/security/stealthwatch/cloud/reference/Alerts_and_Observations_DV_2_4.pdf; sid:5010702; rev:1;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CISCO-SCA] Role Violation Observation"; program:cisco-sca_data; content:"|22|cisco_sca_data_type|22 3a 20 22|observation|22|"; content:"|22|observation_name|22 3a 20 22|Role Violation|22|"; classtype:trojan-activity; reference:url,www.cisco.com/c/dam/en/us/td/docs/security/stealthwatch/cloud/reference/Alerts_and_Observations_DV_2_4.pdf; sid:5010703; rev:1;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CISCO-SCA] Scan Result Observation"; program:cisco-sca_data; content:"|22|cisco_sca_data_type|22 3a 20 22|observation|22|"; content:"|22|observation_name|22 3a 20 22|Scan Result|22|"; classtype:trojan-activity; reference:url,www.cisco.com/c/dam/en/us/td/docs/security/stealthwatch/cloud/reference/Alerts_and_Observations_DV_2_4.pdf; sid:5010704; rev:1;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CISCO-SCA] Session Closed Observation"; program:cisco-sca_data; content:"|22|cisco_sca_data_type|22 3a 20 22|observation|22|"; content:"|22|observation_name|22 3a 20 22|Session Closed|22|"; classtype:trojan-activity; reference:url,www.cisco.com/c/dam/en/us/td/docs/security/stealthwatch/cloud/reference/Alerts_and_Observations_DV_2_4.pdf; sid:5010705; rev:1;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CISCO-SCA] Session Opened Observation"; program:cisco-sca_data; content:"|22|cisco_sca_data_type|22 3a 20 22|observation|22|"; content:"|22|observation_name|22 3a 20 22|Session Opened|22|"; classtype:trojan-activity; reference:url,www.cisco.com/c/dam/en/us/td/docs/security/stealthwatch/cloud/reference/Alerts_and_Observations_DV_2_4.pdf; sid:5010706; rev:1;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CISCO-SCA] Static Connection Set Deviation Observation"; program:cisco-sca_data; content:"|22|cisco_sca_data_type|22 3a 20 22|observation|22|"; content:"|22|observation_name|22 3a 20 22|Static Connection Set Deviation|22|"; classtype:trojan-activity; reference:url,www.cisco.com/c/dam/en/us/td/docs/security/stealthwatch/cloud/reference/Alerts_and_Observations_DV_2_4.pdf; sid:5010707; rev:1;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CISCO-SCA] Static Port Set Deviation Observation"; program:cisco-sca_data; content:"|22|cisco_sca_data_type|22 3a 20 22|observation|22|"; content:"|22|observation_name|22 3a 20 22|Static Port Set Deviation|22|"; classtype:trojan-activity; reference:url,www.cisco.com/c/dam/en/us/td/docs/security/stealthwatch/cloud/reference/Alerts_and_Observations_DV_2_4.pdf; sid:5010708; rev:1;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CISCO-SCA] Sumo Logic Log Observation"; program:cisco-sca_data; content:"|22|cisco_sca_data_type|22 3a 20 22|observation|22|"; content:"|22|observation_name|22 3a 20 22|Sumo Logic Log|22|"; classtype:trojan-activity; reference:url,www.cisco.com/c/dam/en/us/td/docs/security/stealthwatch/cloud/reference/Alerts_and_Observations_DV_2_4.pdf; sid:5010709; rev:1;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CISCO-SCA] Suspected Malicious URL Observation"; program:cisco-sca_data; content:"|22|cisco_sca_data_type|22 3a 20 22|observation|22|"; content:"|22|observation_name|22 3a 20 22|Suspected Malicious URL|22|"; classtype:trojan-activity; reference:url,www.cisco.com/c/dam/en/us/td/docs/security/stealthwatch/cloud/reference/Alerts_and_Observations_DV_2_4.pdf; sid:5010710; rev:1;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CISCO-SCA] Suspected Phishing Domain Observation"; program:cisco-sca_data; content:"|22|cisco_sca_data_type|22 3a 20 22|observation|22|"; content:"|22|observation_name|22 3a 20 22|Suspected Phishing Domain|22|"; classtype:trojan-activity; reference:url,www.cisco.com/c/dam/en/us/td/docs/security/stealthwatch/cloud/reference/Alerts_and_Observations_DV_2_4.pdf; sid:5010711; rev:1;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CISCO-SCA] Suspicious Network Activity Observation"; program:cisco-sca_data; content:"|22|cisco_sca_data_type|22 3a 20 22|observation|22|"; content:"|22|observation_name|22 3a 20 22|Suspicious Network Activity|22|"; classtype:trojan-activity; reference:url,www.cisco.com/c/dam/en/us/td/docs/security/stealthwatch/cloud/reference/Alerts_and_Observations_DV_2_4.pdf; sid:5010712; rev:1;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CISCO-SCA] Suspicious SMB Activity Observation"; program:cisco-sca_data; content:"|22|cisco_sca_data_type|22 3a 20 22|observation|22|"; content:"|22|observation_name|22 3a 20 22|Suspicious SMB Activity|22|"; classtype:trojan-activity; reference:url,www.cisco.com/c/dam/en/us/td/docs/security/stealthwatch/cloud/reference/Alerts_and_Observations_DV_2_4.pdf; sid:5010713; rev:1;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CISCO-SCA] Traffic Amplification Observation"; program:cisco-sca_data; content:"|22|cisco_sca_data_type|22 3a 20 22|observation|22|"; content:"|22|observation_name|22 3a 20 22|Traffic Amplification|22|"; classtype:trojan-activity; reference:url,www.cisco.com/c/dam/en/us/td/docs/security/stealthwatch/cloud/reference/Alerts_and_Observations_DV_2_4.pdf; sid:5010714; rev:1;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CISCO-SCA] TrickBot AnchorDNS Tunneling Activity Observation"; program:cisco-sca_data; content:"|22|cisco_sca_data_type|22 3a 20 22|observation|22|"; content:"|22|observation_name|22 3a 20 22|TrickBot AnchorDNS Tunneling Activity|22|"; classtype:trojan-activity; reference:url,www.cisco.com/c/dam/en/us/td/docs/security/stealthwatch/cloud/reference/Alerts_and_Observations_DV_2_4.pdf; sid:5010715; rev:1;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CISCO-SCA] Umbrella Sinkhole Hit Observation"; program:cisco-sca_data; content:"|22|cisco_sca_data_type|22 3a 20 22|observation|22|"; content:"|22|observation_name|22 3a 20 22|Umbrella Sinkhole Hit|22|"; classtype:trojan-activity; reference:url,www.cisco.com/c/dam/en/us/td/docs/security/stealthwatch/cloud/reference/Alerts_and_Observations_DV_2_4.pdf; sid:5010716; rev:1;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CISCO-SCA] Unused AWS Resource Observation"; program:cisco-sca_data; content:"|22|cisco_sca_data_type|22 3a 20 22|observation|22|"; content:"|22|observation_name|22 3a 20 22|Unused AWS Resource|22|"; classtype:trojan-activity; reference:url,www.cisco.com/c/dam/en/us/td/docs/security/stealthwatch/cloud/reference/Alerts_and_Observations_DV_2_4.pdf; sid:5010717; rev:1;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CISCO-SCA] Unusual DNS Resolver Observation"; program:cisco-sca_data; content:"|22|cisco_sca_data_type|22 3a 20 22|observation|22|"; content:"|22|observation_name|22 3a 20 22|Unusual DNS Resolver|22|"; classtype:trojan-activity; reference:url,www.cisco.com/c/dam/en/us/td/docs/security/stealthwatch/cloud/reference/Alerts_and_Observations_DV_2_4.pdf; sid:5010718; rev:1;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CISCO-SCA] Unusual EC2 Instance Observation"; program:cisco-sca_data; content:"|22|cisco_sca_data_type|22 3a 20 22|observation|22|"; content:"|22|observation_name|22 3a 20 22|Unusual EC2 Instance|22|"; classtype:trojan-activity; reference:url,www.cisco.com/c/dam/en/us/td/docs/security/stealthwatch/cloud/reference/Alerts_and_Observations_DV_2_4.pdf; sid:5010719; rev:1;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CISCO-SCA] Unusual Packet Size Observation"; program:cisco-sca_data; content:"|22|cisco_sca_data_type|22 3a 20 22|observation|22|"; content:"|22|observation_name|22 3a 20 22|Unusual Packet Size|22|"; classtype:trojan-activity; reference:url,www.cisco.com/c/dam/en/us/td/docs/security/stealthwatch/cloud/reference/Alerts_and_Observations_DV_2_4.pdf; sid:5010720; rev:1;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CISCO-SCA] Watchlist Interaction Observation"; program:cisco-sca_data; content:"|22|cisco_sca_data_type|22 3a 20 22|observation|22|"; content:"|22|observation_name|22 3a 20 22|Watchlist Interaction|22|"; classtype:trojan-activity; reference:url,www.cisco.com/c/dam/en/us/td/docs/security/stealthwatch/cloud/reference/Alerts_and_Observations_DV_2_4.pdf; sid:5010721; rev:1;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CISCO-SCA] Watchlist Lookup Observation"; program:cisco-sca_data; content:"|22|cisco_sca_data_type|22 3a 20 22|observation|22|"; content:"|22|observation_name|22 3a 20 22|Watchlist Lookup|22|"; classtype:trojan-activity; reference:url,www.cisco.com/c/dam/en/us/td/docs/security/stealthwatch/cloud/reference/Alerts_and_Observations_DV_2_4.pdf; sid:5010722; rev:1;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CISCO-SCA] Worm Propagation Observation"; program:cisco-sca_data; content:"|22|cisco_sca_data_type|22 3a 20 22|observation|22|"; content:"|22|observation_name|22 3a 20 22|Worm Propagation|22|"; classtype:trojan-activity; reference:url,www.cisco.com/c/dam/en/us/td/docs/security/stealthwatch/cloud/reference/Alerts_and_Observations_DV_2_4.pdf; sid:5010723; rev:1;)