alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"WINDOWS SYSMON Suspicious WMIC call computersystem get model"; content:" 1: "; content:"wmic"; nocase;...
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"WINDOWS SYSMON Suspicious WMIC call csproduct Get Name"; content:" 1: "; content:"wmic"; nocase; content...
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"WINDOWS SYSMON Suspicious WMIC call bios Get SerialNumber"; content:" 1: "; content:"wmic"; nocase; content...
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"WINDOWS SYSMON Suspicious WMIC call bios Get Version"; content:" 1: "; content:"wmic"; nocase; content...
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"WINDOWS SYSMON Suspicious WMIC call bios Get SerialNumber"; content:" 1: "; content:"wmic"; nocase; content...
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"WINDOWS SYSMON Suspicious WMIC call csproduct GET UUID"; content:" 1: "; content:"wmic"; nocase; content...
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"WINDOWS SYSMON Suspicious WMIC call shadowcopy delete"; content:" 1: "; content:"wmic"; nocase; content...
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"WINDOWS MALWARE Teslacrypt ransomware note type 2 detected."; pcre:"/ 4663: 567: 5145: /"; pcre:"/\ xxx...
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"WINDOWS MALWARE TeslaCrypt ransomware note detected."; pcre:"/ 4663: 567: 5145: /"; pcre:"/HELP TO DECRYPT...
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"WINDOWS MALWARE CryptInfinite/DecryptorMax ransomware note detected."; pcre:"/ 4663: 567: 5145: /"; content...
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"WINDOWS MALWARE Cryptowall ransomware note detected."; pcre:"/ 4663: 567: 5145: /"; content:"HELP DECRYPT...
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"WINDOWS MALWARE Locky ransomware note detected."; pcre:"/ 4663: 567: 5145: /"; content:" Locky recover...
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"WINDOWS SYSMON vssadmin.exe execution. Possible ransomware"; content:" 1: "; content:"vssadmin.exe"; nocase...
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"WINDOWS SYSMON Locky ransomware instructions detected!"; content:" 1: "; content:"notepad.exe"; nocase; content...
alert syslog $HOME_NET any -> $EXTERNAL_NET any (msg:"WINDOWS MALWARE Locky or AutoLocky ransomware extension detected."; pcre:"/ 4663: 567: 5145: /"; content...
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"WINDOWS SYSMON PSExec execution detected"; content:" 1: "; meta_content:"MD5 ,",$PSEXEC_MD5; classtype:suspicious...
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"BRO RFC1918 address scanning the network"; content:"Scan|3a 3a|Port_Scan"; pcre:"/((192)\.(168)\.(\d+)\....
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"Trendmicro Virus Found Unable to Quarantine"; content:"SLF_INCIDENT_EVT_VIRUS_FOUND_PASS_THRU"; content:...
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"Barracuda System Password Changed"; content:"system password"; content:"CHANGE"; program:web; parse_src...
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTPS_PORT (msg:"F5 BIG IP GEOIP Unsuccessful Configuration Utility Login from outside HOME COUNTRY"; content:"failed...
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTPS_PORT (msg:"F5 BIG IP GEOIP Successful Configuration Utility Login from outside HOME COUNTRY"; content:"mod auth...
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTPS_PORT (msg:"F5 BIG IP GEOIP Unsuccessful Command line Login from outside HOME COUNTRY"; content:"Authentication...
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTPS_PORT (msg:"F5 BIG IP GEOIP Unsuccessful Command line Login from outside HOME COUNTRY"; content:"failed to login...
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTPS_PORT (msg:"F5 BIG IP GEOIP Command line Logout from outside HOME COUNTRY"; content:"start "; content:"end "; content...
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTPS_PORT (msg:"F5 BIG IP GEOIP Command line Login from outside HOME COUNTRY"; content:"start "; content:!"end "; content...
alert tcp $HOME_NET any -> $EXTERNAL_NET $SSH_PORT (msg:"ScreenOS GEOIP Juniper ScreenOS Admin Login from Outside of Home Country"; content:"Admin user"; content...
alert tcp $HOME_NET any -> $EXTERNAL_NET $SSH_PORT (msg:"ScreenOS Juniper ScreenOS Login for Suspicious Admin user username"; content:"Admin user"; content:"username...
alert tcp $HOME_NET any -> $EXTERNAL_NET $SSH_PORT (msg:"ScreenOS Juniper ScreenOS Login for Suspicious Admin user system"; content:"Admin user system has logged...
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"FIPAYPIN Replace macro from outside RFC1918"; content:"S 300000"; content:"RTS1 IP"; meta_content:!"value...
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"FIPAYPIN Failed to open pinpad 0/2"; content:"S 300000"; content:"Failed to open pinpad"; classtype:misc...
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"FIPAYPIN Blocked the response to POS"; content:"S 300000"; content:"Blocked the response to POS"; classtype...
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"FIPAYPIN Bad/No Pin Block and KSN returned"; content:"S 300000"; content:"Bad/No Pin Block and KSN returned...
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"FIPAYPIN Invalid credit card detected"; content:"S 300000"; content:"Swpe: Response"; meta_content:!"track...
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"FIPAYPIN Slow send!"; content:"S 302046"; classtype:misc-activity; program:FIPEMV; after:track_by_src...
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"FIPAYPIN Connection failed to Fipay 5/2"; content:"C 400008"; classtype:misc-activity; program:FIPAYPIN...
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"PALO ALTO Suspicious DNS Request"; content:"THREAT,spyware,"; content:",Suspicious DNS Query"; normalize; parse...
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"PALO ALTO Medium Severity Exploit Outbound"; content:"THREAT,vulnerability"; pcre:"/vsys\d{1,2},Trust, vsys\d...
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"PALO ALTO Medium Severity Exploit Inbound"; content:"THREAT,vulnerability"; pcre:"/vsys\d{1,2},Untrust, vsys...
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"PALO ALTO High Severity Exploit Outbound"; content:"THREAT,vulnerability"; pcre:"/vsys\d{1,2},Trust, vsys\d...
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"PALO ALTO High Severity Exploit Inbound"; content:"THREAT,vulnerability"; pcre:"/vsys\d{1,2},Untrust, vsys\d...
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"PALO ALTO Critical Severity Exploit Outbound"; content:"THREAT,vulnerability"; pcre:"/vsys\d{1,2},Trust, vsys...
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"PALO ALTO Critical Severity Exploit Inbound"; content:"THREAT,vulnerability"; pcre:"/vsys\d{1,2},Untrust, vsys...
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"PALO ALTO Foreign URL of unknown category"; content:"THREAT,url"; content:",unknown,"; normalize; parse_port...
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"PALO ALTO Url Blocked by policy or category"; content:",THREAT,url,"; content:",block url,"; content:!",online...
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"PALO ALTO Spyware or Adware URL Blocked"; content:",THREAT,url,"; content:",block url,"; content:!",online personal...
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"PALO ALTO Phishing URL Blocked"; content:",THREAT,url,"; content:",block url,"; content:!",online personal storage...
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"PALO ALTO Malware URL Blocked"; content:",THREAT,url,"; content:",block url,"; content:!",online personal storage...
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORT (msg:"WEB ATTACKS Attempt to Access IISamples Page"; content:"/iisamples"; classtype:web-application-attack...
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORT (msg:"WEB ATTACKS Attempt to Access default DeVL's ClanPortal Page"; content:"/inc/mysql.php"; classtype:web...