-
Notifications
You must be signed in to change notification settings - Fork 35
/
cisco-amp.rules
129 lines (122 loc) · 29.2 KB
/
cisco-amp.rules
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
# Sagan cisco-amp.rules
# Copyright (c) 2009-2017, Quadrant Information Security <www.quadrantsec.com>
# All rights reserved.
#
# Please submit any custom rules or ideas to [email protected] or the sagan-sigs mailing list
#
#*************************************************************
# Redistribution and use in source and binary forms, with or without modification, are permitted provided that the
# following conditions are met:
#
# * Redistributions of source code must retain the above copyright notice, this list of conditions and the following
# disclaimer.
# * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the
# following disclaimer in the documentation and/or other materials provided with the distribution.
# * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES,
# INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
# USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#
#*************************************************************
# rules by "Brian Echeverry" <[email protected]>
# 2018/05/25
# These rules apply to Cisco AMP for endpoint events acquired via API
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[CISCO-AMP] Policy Update"; program: CISCO-AMP; content: "|22|event_type_id|22 3A|553648130"; parse_src_ip: 1; parse_dst_ip: 1; classtype: system-event; reference: url,wiki.quadrantsec.com/bin/view/Main/5003874; sid:5003874; rev:1;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[CISCO-AMP] Scan Started"; program: CISCO-AMP; content: "|22|event_type_id|22 3A|554696714"; parse_src_ip: 1; parse_dst_ip: 1; classtype: system-event; reference: url,wiki.quadrantsec.com/bin/view/Main/5003875; sid:5003875; rev:1;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[CISCO-AMP] Scan Completed, No Detections"; program: CISCO-AMP; content: "|22|event_type_id|22 3A|554696715"; parse_src_ip: 1; parse_dst_ip: 1; classtype: system-event; reference: url,wiki.quadrantsec.com/bin/view/Main/5003876; sid:5003876; rev:1;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[CISCO-AMP] Scan Completed With Detections"; program: CISCO-AMP; content: "|22|event_type_id|22 3A|1091567628"; parse_src_ip: 1; parse_dst_ip: 1; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/5003877; sid:5003877; rev:1;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[CISCO-AMP] Scan Failed"; program: CISCO-AMP; content: "|22|event_type_id|22 3A|2165309453"; parse_src_ip: 1; parse_dst_ip: 1; classtype: system-error; reference: url,wiki.quadrantsec.com/bin/view/Main/5003878; sid:5003878; rev:1;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[CISCO-AMP] Threat Detected"; program: CISCO-AMP; content: "|22|event_type_id|22 3A|1090519054"; parse_src_ip: 1; parse_dst_ip: 1; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/5003879; sid:5003879; rev:1;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[CISCO-AMP] Threat Quarantined"; program: CISCO-AMP; content: "|22|event_type_id|22 3A|553648143"; parse_src_ip: 1; parse_dst_ip: 1; classtype: system-event; reference: url,wiki.quadrantsec.com/bin/view/Main/5003880; sid:5003880; rev:1;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[CISCO-AMP] Quarantine Failure"; program: CISCO-AMP; content: "|22|event_type_id|22 3A|2164260880"; parse_src_ip: 1; parse_dst_ip: 1; classtype: system-error; reference: url,wiki.quadrantsec.com/bin/view/Main/5003881; sid:5003881; rev:1;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[CISCO-AMP] Threat Detected in Exclusion"; program: CISCO-AMP; content: "|22|event_type_id|22 3A|553648145"; parse_src_ip: 1; parse_dst_ip: 1; classtype: system-event; reference: url,wiki.quadrantsec.com/bin/view/Main/5003882; sid:5003882; rev:1;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[CISCO-AMP] Quarantine Restore Requested"; program: CISCO-AMP; content: "|22|event_type_id|22 3A|570425394"; parse_src_ip: 1; parse_dst_ip: 1; classtype: system-event; reference: url,wiki.quadrantsec.com/bin/view/Main/5003883; sid:5003883; rev:1;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[CISCO-AMP] Quarantined Item Restored"; program: CISCO-AMP; content: "|22|event_type_id|22 3A|553648149"; parse_src_ip: 1; parse_dst_ip: 1; classtype: system-event; reference: url,wiki.quadrantsec.com/bin/view/Main/5003884; sid:5003884; rev:1;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[CISCO-AMP] Quarantine Restore Failed"; program: CISCO-AMP; content: "|22|event_type_id|22 3A|2164260884"; parse_src_ip: 1; parse_dst_ip: 1; classtype: system-error; reference: url,wiki.quadrantsec.com/bin/view/Main/5003885; sid:5003885; rev:1;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[CISCO-AMP] Quarantine Request Failed to be Delivered"; program: CISCO-AMP; content: "|22|event_type_id|22 3A|2181038130"; parse_src_ip: 1; parse_dst_ip: 1; classtype: system-error; reference: url,wiki.quadrantsec.com/bin/view/Main/5003886; sid:5003886; rev:1;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[CISCO-AMP] Quarantined Item Deleted"; program: CISCO-AMP; content: "|22|event_type_id|22 3A|553648152"; parse_src_ip: 1; parse_dst_ip: 1; classtype: system-event; reference: url,wiki.quadrantsec.com/bin/view/Main/5003887; sid:5003887; rev:1;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[CISCO-AMP] Failed to Delete From Quarantine"; program: CISCO-AMP; content: "|22|event_type_id|22 3A|2164260889"; parse_src_ip: 1; parse_dst_ip: 1; classtype: system-error; reference: url,wiki.quadrantsec.com/bin/view/Main/5003888; sid:5003888; rev:1;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[CISCO-AMP] Attempting Quarantine Delete"; program: CISCO-AMP; content: "|22|event_type_id|22 3A|553648151"; parse_src_ip: 1; parse_dst_ip: 1; classtype: system-event; reference: url,wiki.quadrantsec.com/bin/view/Main/5003889; sid:5003889; rev:1;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[CISCO-AMP] Cloud Recall Restore from Quarantine"; program: CISCO-AMP; content: "|22|event_type_id|22 3A|553648154"; parse_src_ip: 1; parse_dst_ip: 1; classtype: system-event; reference: url,wiki.quadrantsec.com/bin/view/Main/5003890; sid:5003890; rev:1;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[CISCO-AMP] Cloud Recall Quarantine Successful"; program: CISCO-AMP; content: "|22|event_type_id|22 3A|553648155"; parse_src_ip: 1; parse_dst_ip: 1; classtype: system-event; reference: url,wiki.quadrantsec.com/bin/view/Main/5003891; sid:5003891; rev:1;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[CISCO-AMP] Cloud Recall Restore from Quarantine Failed"; program: CISCO-AMP; content: "|22|event_type_id|22 3A|2164260892"; parse_src_ip: 1; parse_dst_ip: 1; classtype: system-event; reference: url,wiki.quadrantsec.com/bin/view/Main/5003892; sid:5003892; rev:1;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[CISCO-AMP] Cloud Recall Quarantine Attempt Failed"; program: CISCO-AMP; content: "|22|event_type_id|22 3A|2164260893"; parse_src_ip: 1; parse_dst_ip: 1; classtype: system-error; reference: url,wiki.quadrantsec.com/bin/view/Main/5003893; sid:5003893; rev:1;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[CISCO-AMP] Install Started"; program: CISCO-AMP; content: "|22|event_type_id|22 3A|553648158"; parse_src_ip: 1; parse_dst_ip: 1; classtype: system-event; reference: url,wiki.quadrantsec.com/bin/view/Main/5003894; sid:5003894; rev:1;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[CISCO-AMP] Install Failure"; program: CISCO-AMP; content: "|22|event_type_id|22 3A|2164260895"; parse_src_ip: 1; parse_dst_ip: 1; classtype: system-error; reference: url,wiki.quadrantsec.com/bin/view/Main/5003895; sid:5003895; rev:1;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[CISCO-AMP] Uninstall"; program: CISCO-AMP; content: "|22|event_type_id|22 3A|553648166"; parse_src_ip: 1; parse_dst_ip: 1; classtype: system-event; reference: url,wiki.quadrantsec.com/bin/view/Main/5003896; sid:5003896; rev:1;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[CISCO-AMP] Uninstall Failure"; program: CISCO-AMP; content: "|22|event_type_id|22 3A|2164260903"; parse_src_ip: 1; parse_dst_ip: 1; classtype: system-error; reference: url,wiki.quadrantsec.com/bin/view/Main/50038907; sid:5003897; rev:1;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[CISCO-AMP] Email Confirmation"; program: CISCO-AMP; content: "|22|event_type_id|22 3A|1003"; parse_src_ip: 1; parse_dst_ip: 1; classtype: system-event; reference: url,wiki.quadrantsec.com/bin/view/Main/5003898; sid:5003898; rev:1;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[CISCO-AMP] Forgotten Password Reset"; program: CISCO-AMP; content: "|22|event_type_id|22 3A|1004"; parse_src_ip: 1; parse_dst_ip: 1; classtype: system-event; reference: url,wiki.quadrantsec.com/bin/view/Main/5003899; sid:5003899; rev:1;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[CISCO-AMP] Password Has Been Reset"; program: CISCO-AMP; content: "|22|event_type_id|22 3A|1005"; parse_src_ip: 1; parse_dst_ip: 1; classtype: system-event; reference: url,wiki.quadrantsec.com/bin/view/Main/5003900; sid:5003900; rev:1;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[CISCO-AMP] Policy Update Failure"; program: CISCO-AMP; content: "|22|event_type_id|22 3A|2164260866"; parse_src_ip: 1; parse_dst_ip: 1; classtype: system-error; reference: url,wiki.quadrantsec.com/bin/view/Main/5003901; sid:5003901; rev:1;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[CISCO-AMP] Cloud Recall Restore of False Positive"; program: CISCO-AMP; content: "|22|event_type_id|22 3A|553648146"; parse_src_ip: 1; parse_dst_ip: 1; classtype: system-event; reference: url,wiki.quadrantsec.com/bin/view/Main/5003902; sid:5003902; rev:1;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[CISCO-AMP] Cloud Recall Quarantine of False Negative"; program: CISCO-AMP; content: "|22|event_type_id|22 3A|553648147"; parse_src_ip: 1; parse_dst_ip: 1; classtype: system-event; reference: url,wiki.quadrantsec.com/bin/view/Main/5003903; sid:5003903; rev:1;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[CISCO-AMP] Execution Blocked"; program: CISCO-AMP; content: "|22|event_type_id|22 3A|553648168"; parse_src_ip: 1; parse_dst_ip: 1; classtype: system-event; reference: url,wiki.quadrantsec.com/bin/view/Main/5003904; sid:5003904; rev:1;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[CISCO-AMP] Quarantine Restore Started"; program: CISCO-AMP; content: "|22|event_type_id|22 3A|553648150"; parse_src_ip: 1; parse_dst_ip: 1; classtype: system-event; reference: url,wiki.quadrantsec.com/bin/view/Main/5003905; sid:5003905; rev:1;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[CISCO-AMP] Application Registered"; program: CISCO-AMP; content: "|22|event_type_id|22 3A|570425396"; parse_src_ip: 1; parse_dst_ip: 1; classtype: system-event; reference: url,wiki.quadrantsec.com/bin/view/Main/5003906; sid:5003906; rev:1;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[CISCO-AMP] Application Deregistered"; program: CISCO-AMP; content: "|22|event_type_id|22 3A|570425397"; parse_src_ip: 1; parse_dst_ip: 1; classtype: system-event; reference: url,wiki.quadrantsec.com/bin/view/Main/5003907; sid:5003907; rev:1;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[CISCO-AMP] Application Authorized"; program: CISCO-AMP; content: "|22|event_type_id|22 3A|570425398"; parse_src_ip: 1; parse_dst_ip: 1; classtype: system-event; reference: url,wiki.quadrantsec.com/bin/view/Main/5003908; sid:5003908; rev:1;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[CISCO-AMP] Application Deauthorized"; program: CISCO-AMP; content: "|22|event_type_id|22 3A|570425399"; parse_src_ip: 1; parse_dst_ip: 1; classtype: system-event; reference: url,wiki.quadrantsec.com/bin/view/Main/5003914; sid:5003914; rev:1;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[CISCO-AMP] APK Threat Detected"; program: CISCO-AMP; content: "|22|event_type_id|22 3A|1090524040"; parse_src_ip: 1; parse_dst_ip: 1; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/5003909; sid:5003909; rev:1;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[CISCO-AMP] APK Custom Threat Detected"; program: CISCO-AMP; content: "|22|event_type_id|22 3A|1090524041"; parse_src_ip: 1; parse_dst_ip: 1; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/5003910; sid:5003910; rev:1;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[CISCO-AMP] DFC Threat Detected"; program: CISCO-AMP; content: "|22|event_type_id|22 3A|1090519084"; parse_src_ip: 1; parse_dst_ip: 1; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/5003911; sid:5003911; rev:1;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[CISCO-AMP] Multiple Infected Files"; program: CISCO-AMP; content: "|22|event_type_id|22 3A|1107296257"; parse_src_ip: 1; parse_dst_ip: 1; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/5003912; sid:5003912; rev:1;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[CISCO-AMP] Potential Dropper Infection"; program: CISCO-AMP; content: "|22|event_type_id|22 3A|1107296258"; parse_src_ip: 1; parse_dst_ip: 1; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/5003913; sid:5003913; rev:1;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[CISCO-AMP] Java compromise"; program: CISCO-AMP; content: "|22|event_type_id|22 3A|1107296260"; parse_src_ip: 1; parse_dst_ip: 1; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/5003821; sid: 5003821; rev:1;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[CISCO-AMP] Adobe Reader compromise"; program: CISCO-AMP; content: "|22|event_type_id|22 3A|1107296261"; parse_src_ip: 1; parse_dst_ip: 1; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/5003822; sid: 5003822; rev:1;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[CISCO-AMP] Microsoft Word compromise"; program: CISCO-AMP; content: "|22|event_type_id|22 3A|1107296262"; parse_src_ip: 1; parse_dst_ip: 1; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/5003823; sid: 5003823; rev:1;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[CISCO-AMP] Microsoft Excel compromise"; program: CISCO-AMP; content: "|22|event_type_id|22 3A|1107296263"; parse_src_ip: 1; parse_dst_ip: 1; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/5003824; sid: 5003824; rev:1;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[CISCO-AMP] Microsoft PowerPoint compromise"; program: CISCO-AMP; content: "|22|event_type_id|22 3A|1107296264"; parse_src_ip: 1; parse_dst_ip: 1; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/5003825; sid: 5003825; rev:1;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[CISCO-AMP] Java launched a shell"; program: CISCO-AMP; content: "|22|event_type_id|22 3A|1107296265"; parse_src_ip: 1; parse_dst_ip: 1; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/5003826; sid: 5003826; rev:1;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[CISCO-AMP] Adobe Reader launched a shell"; program: CISCO-AMP; content: "|22|event_type_id|22 3A|1107296266"; parse_src_ip: 1; parse_dst_ip: 1; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/5003827; sid: 5003827; rev:1;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[CISCO-AMP] Microsoft Word launched a shell"; program: CISCO-AMP; content: "|22|event_type_id|22 3A|1107296267"; parse_src_ip: 1; parse_dst_ip: 1; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/5003828; sid: 5003828; rev:1;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[CISCO-AMP] Microsoft Excel launched a shell"; program: CISCO-AMP; content: "|22|event_type_id|22 3A|1107296268"; parse_src_ip: 1; parse_dst_ip: 1; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/5003829; sid: 5003829; rev:1;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[CISCO-AMP] Microsoft PowerPoint launched a shell"; program: CISCO-AMP; content: "|22|event_type_id|22 3A|1107296269"; parse_src_ip: 1; parse_dst_ip: 1; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/5003830; sid: 5003830; rev:1;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[CISCO-AMP] Apple QuickTime compromise"; program: CISCO-AMP; content: "|22|event_type_id|22 3A|1107296270"; parse_src_ip: 1; parse_dst_ip: 1; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/5003831; sid: 5003831; rev:1;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[CISCO-AMP] Apple QuickTime launched a shell"; program: CISCO-AMP; content: "|22|event_type_id|22 3A|1107296271"; parse_src_ip: 1; parse_dst_ip: 1; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/5003832; sid: 5003832; rev:1;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[CISCO-AMP] Executed malware"; program: CISCO-AMP; content: "|22|event_type_id|22 3A|1107296272"; parse_src_ip: 1; parse_dst_ip: 1; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/5003833; sid: 5003833; rev:1;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[CISCO-AMP] Suspected botnet connection"; program: CISCO-AMP; content: "|22|event_type_id|22 3A|1107296273"; parse_src_ip: 1; parse_dst_ip: 1; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/5003834; sid: 5003834; rev:1;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[CISCO-AMP] Reboot Pending"; program: CISCO-AMP; content: "|22|event_type_id|22 3A|553648170"; parse_src_ip: 1; parse_dst_ip: 1; classtype: system-event; reference: url,wiki.quadrantsec.com/bin/view/Main/5003834; sid: 5003835; rev:1;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[CISCO-AMP] Reboot Completed"; program: CISCO-AMP; content: "|22|event_type_id|22 3A|553648171"; parse_src_ip: 1; parse_dst_ip: 1; classtype: system-event; reference: url,wiki.quadrantsec.com/bin/view/Main/5003836; sid: 5003836; rev:1;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[CISCO-AMP] Generic IOC"; program: CISCO-AMP; content: "|22|event_type_id|22 3A|1107296274"; parse_src_ip: 1; parse_dst_ip: 1; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/5003837; sid: 5003837; rev:1;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[CISCO-AMP] Microsoft Calculator compromise"; program: CISCO-AMP; content: "|22|event_type_id|22 3A|1107296275"; parse_src_ip: 1; parse_dst_ip: 1; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/5003838; sid: 5003838; rev:1;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[CISCO-AMP] Microsoft Notepad compromise"; program: CISCO-AMP; content: "|22|event_type_id|22 3A|1107296276"; parse_src_ip: 1; parse_dst_ip: 1; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/5003839; sid: 5003839; rev:1;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[CISCO-AMP] File Fetch Completed"; program: CISCO-AMP; content: "|22|event_type_id|22 3A|553648173"; parse_src_ip: 1; parse_dst_ip: 1; classtype: system-event; reference: url,wiki.quadrantsec.com/bin/view/Main/5003840; sid: 5003840; rev:1;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[CISCO-AMP] File Fetch Failed"; program: CISCO-AMP; content: "|22|event_type_id|22 3A|2164260910"; parse_src_ip: 1; parse_dst_ip: 1; classtype: system-error; reference: url,wiki.quadrantsec.com/bin/view/Main/5003841; sid: 5003841; rev:1;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[CISCO-AMP] Endpoint IOC Scan Started"; program: CISCO-AMP; content: "|22|event_type_id|22 3A|554696756"; parse_src_ip: 1; parse_dst_ip: 1; classtype: system-event; reference: url,wiki.quadrantsec.com/bin/view/Main/5003842; sid: 5003842; rev:1;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[CISCO-AMP] Endpoint IOC Scan Completed, No Detections"; program: CISCO-AMP; content: "|22|event_type_id|22 3A|554696757"; parse_src_ip: 1; parse_dst_ip: 1; classtype: system-event; reference: url,wiki.quadrantsec.com/bin/view/Main/5003843; sid: 5003843; rev:1;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[CISCO-AMP] Endpoint IOC Scan Completed With Detections"; program: CISCO-AMP; content: "|22|event_type_id|22 3A|1091567670"; parse_src_ip: 1; parse_dst_ip: 1; classtype: system-event; reference: url,wiki.quadrantsec.com/bin/view/Main/5003844; sid: 5003844; rev:1;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[CISCO-AMP] Endpoint IOC Scan Failed"; program: CISCO-AMP; content: "|22|event_type_id|22 3A|2165309495"; parse_src_ip: 1; parse_dst_ip: 1; classtype: system-error; reference: url,wiki.quadrantsec.com/bin/view/Main/5003845; sid: 5003845; rev:1;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[CISCO-AMP] Endpoint IOC Definition Update Failure"; program: CISCO-AMP; content: "|22|event_type_id|22 3A|2164260914"; parse_src_ip: 1; parse_dst_ip: 1; classtype: system-error; reference: url,wiki.quadrantsec.com/bin/view/Main/5003846; sid: 5003846; rev:1;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[CISCO-AMP] Endpoint IOC Definition Update Success"; program: CISCO-AMP; content: "|22|event_type_id|22 3A|553648179"; parse_src_ip: 1; parse_dst_ip: 1; classtype: system-event; reference: url,wiki.quadrantsec.com/bin/view/Main/5003847; sid: 5003847; rev:1;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[CISCO-AMP] Endpoint IOC Configuration Update Failure"; program: CISCO-AMP; content: "|22|event_type_id|22 3A|2164260911"; parse_src_ip: 1; parse_dst_ip: 1; classtype: system-error; reference: url,wiki.quadrantsec.com/bin/view/Main/5003848; sid: 5003848; rev:1;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[CISCO-AMP] Endpoint IOC Configuration Update Success"; program: CISCO-AMP; content: "|22|event_type_id|22 3A|553648176"; parse_src_ip: 1; parse_dst_ip: 1; classtype: system-event; reference: url,wiki.quadrantsec.com/bin/view/Main/5003849; sid: 5003849; rev:1;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[CISCO-AMP] Endpoint IOC Scan Detection Summary"; program: CISCO-AMP; content: "|22|event_type_id|22 3A|1090519089"; parse_src_ip: 1; parse_dst_ip: 1; classtype: system-event; reference: url,wiki.quadrantsec.com/bin/view/Main/5003850; sid: 5003850; rev:1;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[CISCO-AMP] Connection to suspicious domain"; program: CISCO-AMP; content: "|22|event_type_id|22 3A|1107296277"; parse_src_ip: 1; parse_dst_ip: 1; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/5003851; sid: 5003851; rev:1;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[CISCO-AMP] Threat Detected in Low Prevalence Executable"; program: CISCO-AMP; content: "|22|event_type_id|22 3A|1107296278"; parse_src_ip: 1; parse_dst_ip: 1; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/5003852; sid: 5003852; rev:1;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[CISCO-AMP] Vulnerable Application Detected"; program: CISCO-AMP; content: "|22|event_type_id|22 3A|1107296279"; parse_src_ip: 1; parse_dst_ip: 1; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/5003853; sid: 5003853; rev:1;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[CISCO-AMP] Suspicious Download"; program: CISCO-AMP; content: "|22|event_type_id|22 3A|1107296280"; parse_src_ip: 1; parse_dst_ip: 1; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/5003854; sid: 5003854; rev:1;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[CISCO-AMP] Microsoft CHM Compromise"; program: CISCO-AMP; content: "|22|event_type_id|22 3A|1107296281"; parse_src_ip: 1; parse_dst_ip: 1; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/5003855; sid: 5003855; rev:1;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[CISCO-AMP] Suspicious Cscript Launch"; program: CISCO-AMP; content: "|22|event_type_id|22 3A|1107296282"; parse_src_ip: 1; parse_dst_ip: 1; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/5003856; sid: 5003856; rev:1;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[CISCO-AMP] Update: Reboot Required"; program: CISCO-AMP; content: "|22|event_type_id|22 3A|1090519096"; parse_src_ip: 1; parse_dst_ip: 1; classtype: system-event; reference: url,wiki.quadrantsec.com/bin/view/Main/5003857; sid: 5003857; rev:1;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[CISCO-AMP] Update: Reboot Advised"; program: CISCO-AMP; content: "|22|event_type_id|22 3A|1090519097"; parse_src_ip: 1; parse_dst_ip: 1; classtype: system-event; reference: url,wiki.quadrantsec.com/bin/view/Main/5003858; sid: 5003858; rev:1;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[CISCO-AMP] Update: Unexpected Reboot Required"; program: CISCO-AMP; content: "|22|event_type_id|22 3A|2164260922"; parse_src_ip: 1; parse_dst_ip: 1; classtype: system-event; reference: url,wiki.quadrantsec.com/bin/view/Main/5003859; sid: 5003859; rev:1;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[CISCO-AMP] Product Update Failed"; program: CISCO-AMP; content: "|22|event_type_id|22 3A|553648137"; parse_src_ip: 1; parse_dst_ip: 1; classtype: system-error; reference: url,wiki.quadrantsec.com/bin/view/Main/5003860; sid: 5003860; rev:1;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[CISCO-AMP] Product Update Started"; program: CISCO-AMP; content: "|22|event_type_id|22 3A|553648135"; parse_src_ip: 1; parse_dst_ip: 1; classtype: system-event; reference: url,wiki.quadrantsec.com/bin/view/Main/5003861; sid: 5003861; rev:1;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[CISCO-AMP] Product Update Completed"; program: CISCO-AMP; content: "|22|event_type_id|22 3A|553648136"; parse_src_ip: 1; parse_dst_ip: 1; classtype: system-event; reference: url,wiki.quadrantsec.com/bin/view/Main/5003862; sid: 5003862; rev:1;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[CISCO-AMP] Potential Ransomware"; program: CISCO-AMP; content: "|22|event_type_id|22 3A|1107296284"; parse_src_ip: 1; parse_dst_ip: 1; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/5003863; sid: 5003863; rev:1;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[CISCO-AMP] Possible Webshell"; program: CISCO-AMP; content: "|22|event_type_id|22 3A|1107296283"; parse_src_ip: 1; parse_dst_ip: 1; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/5003864; sid: 5003864; rev:1;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[CISCO-AMP] Exploit Prevention"; program: CISCO-AMP; content: "|22|event_type_id|22 3A|1090519103"; parse_src_ip: 1; parse_dst_ip: 1; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/5003865; sid: 5003865; rev:1;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[CISCO-AMP] Critical Fault Raised"; program: CISCO-AMP; content: "|22|event_type_id|22 3A|2164260931"; parse_src_ip: 1; parse_dst_ip: 1; classtype: system-error; reference: url,wiki.quadrantsec.com/bin/view/Main/5003866; sid: 5003866; rev:1;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[CISCO-AMP] Major Fault Raised"; program: CISCO-AMP; content: "|22|event_type_id|22 3A|1090519107"; parse_src_ip: 1; parse_dst_ip: 1; classtype: system-error; reference: url,wiki.quadrantsec.com/bin/view/Main/5003867; sid: 5003867; rev:1;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[CISCO-AMP] Minor Fault Raised"; program: CISCO-AMP; content: "|22|event_type_id|22 3A|553648195"; parse_src_ip: 1; parse_dst_ip: 1; classtype: system-error; reference: url,wiki.quadrantsec.com/bin/view/Main/5003868; sid: 5003868; rev:1;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[CISCO-AMP] Fault Cleared"; program: CISCO-AMP; content: "|22|event_type_id|22 3A|553648196"; parse_src_ip: 1; parse_dst_ip: 1; classtype: system-event; reference: url,wiki.quadrantsec.com/bin/view/Main/5003869; sid: 5003869; rev:1;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[CISCO-AMP] All Faults Cleared"; program: CISCO-AMP; content: "|22|event_type_id|22 3A|553648197"; parse_src_ip: 1; parse_dst_ip: 1; classtype: system-event; reference: url,wiki.quadrantsec.com/bin/view/Main/5003870; sid: 5003870; rev:1;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[CISCO-AMP] Rootkit Detection"; program: CISCO-AMP; content: "|22|event_type_id|22 3A|1090519081"; parse_src_ip: 1; parse_dst_ip: 1; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/5003871; sid: 5003871; rev:1;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[CISCO-AMP] iOS Network Detection"; program: CISCO-AMP; content: "|22|event_type_id|22 3A|1090519102"; parse_src_ip: 1; parse_dst_ip: 1; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/5003872; sid: 5003872; rev:1;)