IDS Signatures for Auditing


IDSes can be used for more than detecting intrusions. The Snort-compatible rules below show some ways to use an IDS for auditing and policy monitoring. Always test a rule before you trust it: check that it loads (snort -T -c <your snort.conf>), then replay a pcap containing both traffic it should catch and traffic it should ignore (snort -r <file.pcap>) and confirm it fires on exactly what you expect. Two caveats apply throughout: none of these rules can see inside TLS (HTTPS, or SMTP sessions that negotiate STARTTLS), and the SMTP rules that match from the HELO/EHLO through the terminating \r\n.\r\n only fire when stream reassembly hands the whole exchange to the pcre engine in one buffer, so check your stream and SMTP preprocessor depth settings against the message sizes you expect.

Anything inbound on any port from 96.127.0.0/17 (the US Government Amazon cloud, AWS GovCloud, at the time of writing). Cloud address allocations change, so verify the block against Amazon's published ip-ranges.json before relying on it. flow:to_server,established only matches sessions the stream preprocessor tracks; if you want every packet from the block regardless of protocol state, drop the flow option. threshold is a legacy rule option that newer Snort releases replace with detection_filter (or a config-level event_filter).
alert ip 96.127.0.0/17 any -> any any (msg:"Uncle Sam's a-Knockin'"; flow:to_server,established; threshold:type limit, track by_src, count 1, seconds 10; sid:15764001; rev:1;)

Inbound email whose envelope sender (MAIL FROM) claims your own domain. The pcre runs from the HELO/EHLO through the end-of-data marker, so the alert captures the entire message. Clients may write MAIL FROM:<user@yourdomain.com> (the RFC 5321 form) or MAIL FROM: <user@yourdomain.com>, and the rule accepts both. Some legitimate mail also arrives this way (forwarded mail, users sending through an outside relay, mailing lists), so treat a hit as something to audit rather than proof of spoofing, and remember that a session that negotiates STARTTLS is invisible after the handshake.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"INCIDENT - Successfully Spoofed Email"; flow:from_client,established; content:"LO "; pcre:"/(HELO\s|EHLO\s).*(MAIL\sFROM\:\s?[a-zA-Z0-9\.\-\<\;]+\@yourdomain\.com[a-zA-Z0-9\.\-\>\;]+\r\n).*\r\n\.\r\n/ism"; sid:15764002; rev:1;)

Inbound Shellshock (CVE-2014-6271) attempt on any port: the bash function-definition prefix "() {" that the exploit plants in an environment variable such as an HTTP header. Swap $EXTERNAL_NET and $HOME_NET if you suspect one of your own hosts is compromised and attacking outward. The string also appears in legitimate shell scripts and source code in transit, so expect some noise; the threshold keeps it to one alert per source per minute.
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"Possible Shellshock Attempt"; flow:to_server,established; content:"() {"; threshold:type limit, track by_src, count 1, seconds 60; sid:15764003; rev:1;)

Outbound email to a specific domain; narrow the address part of the pattern to catch a specific account instead. Captures the entire message. The RCPT TO match is bounded to a single line so that a mere mention of @specific.com in the message body does not fire the rule.
alert tcp $SMTP_SERVERS any -> any 25 (msg:"AUDITING - Email to a Specific Domain"; flow:to_server,established; content:"LO "; pcre:"/(HELO\s|EHLO\s).*RCPT\sTO\:[^\r\n]*\@specific\.com[^\r\n]*\r\n.*DATA\r\n.*\r\n\.\r\n/ism"; sid:15764004; rev:1;)

Outbound email containing a US Top Secret COMINT marking. Captures the entire message. The pattern expects a banner of the form TS//SI//25X1 (or TOP SECRET//COMINT//X1 and similar), so it requires a declassification exemption marker (X1-X9 or 25X1-25X9) after the second //; a banner such as TOP SECRET//SI//NOFORN will not fire it. Because the pcre is case-insensitive, the short forms TS and SI also match in lower case, which adds some noise. Email me if you need signatures for all of the other US Government data classifications.
alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"NPI - SMTP US Top Secret COMINT"; flow:to_server,established; content:"LO "; nocase; pcre:"/(HELO|EHLO)\s.*(TOP\sSECRET|TS)\/\/.{0,20}(COMINT|SI).{0,20}\/\/(25)?X[1-9].*\r\n\.\r\n/ism"; classtype:policy-violation; sid:15764005; rev:1;)

Outbound email containing Diagnostic and Statistical Manual of Mental Disorders (DSM-IV) codes: a three-digit code (200-999) or a V-code within 20 characters of the string "dsm". Captures the entire message.
alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"NPI - SMTP DSM-IV Code"; flow:to_server,established; content:"LO "; nocase; pcre:"/(HELO|EHLO)\s.*\Wdsm\W.{0,20}([2-9][0-9]{2}|v[167][0-9]\.[0-9]{1,2})\W.*\r\n\.\r\n/ism"; classtype:policy-violation; sid:15764006; rev:1;)

US Top Secret Single Integrated Operational Plan (SIOP) marking sent over HTTP. The content match and the pcre look for the same marking, and both are case-insensitive so the content prefilter does not drop hits the pcre would accept; the Host header check ties the match to an HTTP request.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"NPI - HTTP US Top Secret SIOP"; flow:to_server,established; content:"Host|3A|"; content:"SIOP"; nocase; pcre:"/(TOP\sSECRET|TS)\/\/.{0,20}SIOP.{0,20}\/\/(25)?X[1-9]/ism"; classtype:policy-violation; sid:15764007; rev:1;)

Outbound web browsing to a list of domains. Good for monitoring third-party tracking and the like. Can't see SSL/TLS of course. The pcre requires the Host header to end right after the domain, so a request that carries an explicit port (Host: domain1.com:8080) is not matched even though $HTTP_PORTS may include that port; it is also case-sensitive on the header name, which almost all clients send as "Host". Extend the pattern if either matters to you.
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"Browsing to Evil Domains"; flow:to_server,established; content:"Host|3A|"; pcre:"/(Host\:)(\s[a-zA-Z0-9.-]+\.|\s)(domain1\.com|domain2\.com|domain3\.com|domain4\.com)\r\n/"; sid:15764008; rev:1;)

Variations of the word "password", its common abbreviations (passwd, pswd, pwd) and a few leet spellings (p@ssw0rd, pa55word) sent from a high port to a high port, which also covers passive FTP data connections. A one-byte content match is a poor prefilter, so nearly every high-port packet reaches the pcre engine; keep an eye on performance.
alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"NPI - High Ports Password"; flow:to_server,established; content:"p"; nocase; pcre:"/\W[p][a4@]{0,1}[sz5]{0,2}[w]([o0][r])?[d]\W/ism"; classtype:policy-violation; sid:15764009; rev:1;)
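The harness below is an added example, not part of the original page or its rules: it takes the pcre text of sids 15764003, 15764005, 15764008 and 15764009 (the Shellshock content match, the TS//SI banner, the evil-domain Host header and the high-port password pattern), compiles it with Python's re module and runs it over constructed client-to-server payloads, including a Host header with an explicit port and a TOP SECRET//COMINT//NOFORN banner, to show where each rule fires and where it stays silent. The sample requests and SMTP sessions are made up for the test. Only the pattern is exercised; the rules' ports, direction, flow state and content prefilters are not modelled. Python's re is not PCRE, but the constructs these rules use (character classes, alternation, bounded repeats and the i/s/m flags) behave the same in both.

```python
import re

# Snort writes the pcre option as /pattern/flags.  The rules above use only
# the i, s and m flags, which map directly onto Python's re flags, and the
# escapes Snort's parser needs inside the option (\; \: \@ \/) are accepted
# unchanged by Python's re engine, so the pattern text is copied verbatim.
_SNORT_FLAGS = {"i": re.IGNORECASE, "s": re.DOTALL, "m": re.MULTILINE}


def compile_snort_pcre(spec):
    """Compile a Snort pcre option value, e.g. '/foo\\r\\n/ism', for bytes input."""
    if not spec.startswith("/"):
        raise ValueError("expected /pattern/flags")
    body, flags = spec[1:].rsplit("/", 1)
    f = 0
    for ch in flags:
        f |= _SNORT_FLAGS[ch]
    return re.compile(body.encode("ascii"), f)


# The match logic of four rules above, keyed by sid.  sid 15764003 has only a
# content: match, so it is a substring test; the others use the rule's pcre.
RULES = {
    15764003: lambda p: b"() {" in p,
    15764005: compile_snort_pcre(
        r"/(HELO|EHLO)\s.*(TOP\sSECRET|TS)\/\/.{0,20}(COMINT|SI).{0,20}\/\/(25)?X[1-9].*\r\n\.\r\n/ism"
    ).search,
    15764008: compile_snort_pcre(
        r"/(Host\:)(\s[a-zA-Z0-9.-]+\.|\s)(domain1\.com|domain2\.com|domain3\.com|domain4\.com)\r\n/"
    ).search,
    15764009: compile_snort_pcre(r"/\W[p][a4@]{0,1}[sz5]{0,2}[w]([o0][r])?[d]\W/ism").search,
}


def matches(payload):
    """Return the sids whose pattern fires on one reassembled client->server payload."""
    return sorted(sid for sid, fn in RULES.items() if fn(payload))


# Constructed sample payloads (not real captures); each is the client side of
# one reassembled stream, which is what the pcre engine sees.
SHELLSHOCK_REQ = (b"GET /cgi-bin/status HTTP/1.1\r\nHost: www.example\r\n"
                  b"User-Agent: () { :;}; /bin/bash -c 'id'\r\n\r\n")
SMTP_TS_SI = (b"EHLO mx.example\r\nMAIL FROM:<a@yourdomain.com>\r\n"
              b"RCPT TO:<b@other.example>\r\nDATA\r\nSubject: weekly\r\n\r\n"
              b"TS//SI//25X1\r\ntext\r\n.\r\n")
# Same session with a banner that carries no declassification exemption marker.
SMTP_TS_NOFORN = SMTP_TS_SI.replace(b"TS//SI//25X1", b"TOP SECRET//COMINT//NOFORN")
HOST_SUBDOMAIN = b"GET / HTTP/1.1\r\nHost: cdn.domain2.com\r\nAccept: */*\r\n\r\n"
HOST_WITH_PORT = b"GET / HTTP/1.1\r\nHost: domain2.com:8080\r\nAccept: */*\r\n\r\n"
FORM_POST = (b"POST /login HTTP/1.1\r\nHost: intranet.example\r\n\r\n"
             b"user=bob&p@ssw0rd=hunter2\r\n")

if __name__ == "__main__":
    samples = [("shellshock request", SHELLSHOCK_REQ),
               ("TS//SI//25X1 mail", SMTP_TS_SI),
               ("TS//COMINT//NOFORN mail", SMTP_TS_NOFORN),
               ("Host: cdn.domain2.com", HOST_SUBDOMAIN),
               ("Host: domain2.com:8080", HOST_WITH_PORT),
               ("form post with p@ssw0rd", FORM_POST)]
    for label, payload in samples:
        print(f"{label:28s} -> {matches(payload)}")
```

Run it as a script to see which sids each sample triggers; to try a rule of your own, paste its pcre value into RULES and add a payload that should match and one that should not. The NOFORN session and the Host-with-port request are the two that stay silent, which is the behaviour the caveats above describe.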