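# Sagan "fingerprint" rules.  Each rule keys on the syslog *program* (tag) field of a
# received log line and records that the reporting host runs the named software.
# These are inventory/asset signals, not attack signatures (classtype: fingerprint).
#
# Conventions shared by every rule in this file:
#   - `alert any $EXTERNAL_NET any -> $HOME_NET any`: protocol and ports are irrelevant
#     for log data; the "source" is the host that emitted the log line.  Both variables
#     must be defined in the Sagan configuration for these rules to load.
#   - `program:` is a `|`-separated list of syslog tags; `*` is a wildcard.  Any host
#     that can deliver syslog to the collector controls this field, so a fingerprint is
#     only as trustworthy as the log path it arrived over -- treat it as evidence of
#     what a host claims to run, never as an allow-list or authorization input.
#   - `threshold: type limit, track by_src, seconds 3600, count 1`: at most one alert
#     per reporting host per hour, so a chatty daemon cannot flood the console.
#   - `fingerprint_expire`: seconds the recorded fingerprint stays valid.  Rules tagged
#     `fingerprint_type client` use 7200; most daemon/server rules use 86400.
#   - `reference:` every rule below sid 5100065 points at the wiki page for 5100003
#     instead of a per-sid page; rules from 5100065 onward use Main/<sid>.
#     NOTE(review): the shared 5100003 reference looks like copy-paste -- confirm.
#   - sids 5100027, 5100028, 5100049, 5100058 and 5100061 are absent from the sequence
#     below; treat them as retired and do not reuse them for new rules.
#
# --- macOS (fingerprint_os osx, client-side, 2h expiry) ---
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"airportd service detected"; program: airportd; metadata: fingerprint_source logs, fingerprint_os osx, fingerprint_type client, fingerprint_expire 7200; classtype: fingerprint; threshold: type limit, track by_src, seconds 3600, count 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5100003; sid: 5100000; rev:1;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"com.apple.xpc.launchd service detected"; program: com.apple.xpc.launchd; metadata: fingerprint_source logs, fingerprint_os osx, fingerprint_type client, fingerprint_expire 7200; classtype: fingerprint; threshold: type limit, track by_src, seconds 3600, count 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5100003; sid: 5100001; rev:1;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"powerd service detected"; program: powerd; metadata: fingerprint_source logs, fingerprint_os osx, fingerprint_type client, fingerprint_expire 7200; classtype: fingerprint; threshold: type limit, track by_src, seconds 3600, count 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5100003; sid: 5100002; rev:1;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"syspolicyd service detected"; program: syspolicyd; metadata: fingerprint_source logs, fingerprint_os osx, fingerprint_type client, fingerprint_expire 7200; classtype: fingerprint; threshold: type limit, track by_src, seconds 3600, count 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5100003; sid: 5100003; rev:1;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"usernoted service detected"; program: usernoted; metadata: fingerprint_source logs, fingerprint_os osx, fingerprint_type client, fingerprint_expire 7200; classtype: fingerprint; threshold: type limit, track by_src, seconds 3600, count 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5100003; sid: 5100004; rev:1;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"hidd service detected"; program: hidd; metadata: fingerprint_source logs, fingerprint_os osx, fingerprint_type client, fingerprint_expire 7200; classtype: fingerprint; threshold: type limit, track by_src, seconds 3600, count 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5100003; sid: 5100005; rev:1;)
# --- Linux / Unix daemons and shells ---
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"acpid service running"; program: acpid; metadata: fingerprint_source logs, fingerprint_os linux, fingerprint_expire 7200; classtype: fingerprint; threshold: type limit, track by_src, seconds 3600, count 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5100003; sid: 5100006; rev:1;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"eSMTP or lSMTP detected"; program: amavis|amavis-*; metadata: fingerprint_source logs, fingerprint_os linux, fingerprint_expire 86400; classtype: fingerprint; threshold: type limit, track by_src, seconds 3600, count 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5100003; sid: 5100007; rev:1;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"anacron service detected"; program: anacron; metadata: fingerprint_source logs, fingerprint_os linux, fingerprint_expire 86400; classtype: fingerprint; threshold: type limit, track by_src, seconds 3600, count 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5100003; sid: 5100008; rev:1;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"Apache web server running"; program: apache|apache2|httpd; metadata: fingerprint_source logs, fingerprint_os linux, fingerprint_type server, fingerprint_expire 86400; classtype: fingerprint; threshold: type limit, track by_src, seconds 3600, count 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5100003; sid: 5100009; rev:1;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"auditd service running"; program: auditd; metadata: fingerprint_source logs, fingerprint_os linux, fingerprint_expire 86400; classtype: fingerprint; threshold: type limit, track by_src, seconds 3600, count 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5100003; sid: 5100010; rev:1;)
# Shell rules also match the leading-dash form of the tag (`-bash`, `-sh`) that a
# login shell reports under.  A shell fingerprint only says the tag appeared in a log
# line; it does not on its own indicate an interactive session on the host.
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"bash shell in use"; program: bash|-bash; metadata: fingerprint_source logs, fingerprint_os linux, fingerprint_expire 86400; classtype: fingerprint; threshold: type limit, track by_src, seconds 3600, count 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5100003; sid: 5100011; rev:1;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"certbot execution for TLS/SSL cert updates"; program: certbot; metadata: fingerprint_source logs, fingerprint_os linux, fingerprint_type server, fingerprint_expire 86400; classtype: fingerprint; threshold: type limit, track by_src, seconds 3600, count 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5100003; sid: 5100012; rev:1;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"clamd anti-virus detected"; program: clamd; metadata: fingerprint_source logs, fingerprint_os linux, fingerprint_expire 86400; classtype: fingerprint; threshold: type limit, track by_src, seconds 3600, count 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5100003; sid: 5100013; rev:1;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"ksh shell in use"; program: ksh; metadata: fingerprint_source logs, fingerprint_os linux, fingerprint_expire 86400; classtype: fingerprint; threshold: type limit, track by_src, seconds 3600, count 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5100003; sid: 5100014; rev:1;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"tcsh shell in use"; program: tcsh; metadata: fingerprint_source logs, fingerprint_os linux, fingerprint_expire 86400; classtype: fingerprint; threshold: type limit, track by_src, seconds 3600, count 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5100003; sid: 5100015; rev:1;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"csh shell in use"; program: csh; metadata: fingerprint_source logs, fingerprint_os linux, fingerprint_expire 86400; classtype: fingerprint; threshold: type limit, track by_src, seconds 3600, count 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5100003; sid: 5100016; rev:1;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"Generic /bin/sh shell in use"; program: sh|-sh; metadata: fingerprint_source logs, fingerprint_os linux, fingerprint_expire 86400; classtype: fingerprint; threshold: type limit, track by_src, seconds 3600, count 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5100003; sid: 5100017; rev:1;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"HP Hardware services detected"; program: hpasrd|hpasmlited|cmaeventd|cmaidad|cmanicd; metadata: fingerprint_source logs, fingerprint_os linux, fingerprint_type server, fingerprint_expire 86400; classtype: fingerprint; threshold: type limit, track by_src, seconds 3600, count 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5100003; sid: 5100018; rev:1;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"Generic crond detected"; program: cron|CRON|CROND; metadata: fingerprint_source logs, fingerprint_os linux, fingerprint_expire 86400; classtype: fingerprint; threshold: type limit, track by_src, seconds 3600, count 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5100003; sid: 5100019; rev:1;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"Cuckoo malware analysis detected"; program: cuckoo; metadata: fingerprint_source logs, fingerprint_os linux, fingerprint_type server, fingerprint_expire 86400; classtype: fingerprint; threshold: type limit, track by_src, seconds 3600, count 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5100003; sid: 5100020; rev:1;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"Daemonlogger full packet capture engine"; program: daemonlogger; metadata: fingerprint_source logs, fingerprint_os linux, fingerprint_type server, fingerprint_expire 86400; classtype: fingerprint; threshold: type limit, track by_src, seconds 3600, count 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5100003; sid: 5100021; rev:1;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"dbus service detected"; program: dbus; metadata: fingerprint_source logs, fingerprint_os linux, fingerprint_expire 86400; classtype: fingerprint; threshold: type limit, track by_src, seconds 3600, count 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5100003; sid: 5100022; rev:1;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"dhclient service detected"; program: dhclient; metadata: fingerprint_source logs, fingerprint_os linux, fingerprint_type client, fingerprint_expire 7200; classtype: fingerprint; threshold: type limit, track by_src, seconds 3600, count 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5100003; sid: 5100023; rev:1;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"dhcpd - DHCP server detected"; program: dhcpd; metadata: fingerprint_source logs, fingerprint_os linux, fingerprint_type server, fingerprint_expire 86400; classtype: fingerprint; threshold: type limit, track by_src, seconds 3600, count 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5100003; sid: 5100024; rev:1;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"exim4 SMTP service detected"; program: exim4; metadata: fingerprint_source logs, fingerprint_os linux, fingerprint_type server, fingerprint_expire 86400; classtype: fingerprint; threshold: type limit, track by_src, seconds 3600, count 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5100003; sid: 5100025; rev:1;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"Firefox web browser detected"; program: firefox; metadata: fingerprint_source logs, fingerprint_os linux, fingerprint_type client, fingerprint_expire 7200; classtype: fingerprint; threshold: type limit, track by_src, seconds 3600, count 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5100003; sid: 5100026; rev:1;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"SysV init service detected"; program: init; metadata: fingerprint_source logs, fingerprint_os linux, fingerprint_expire 86400; classtype: fingerprint; threshold: type limit, track by_src, seconds 3600, count 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5100003; sid: 5100029; rev:1;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"Unix 'kernel' messages detected"; program: kernel; metadata: fingerprint_source logs, fingerprint_os linux, fingerprint_expire 86400; classtype: fingerprint; threshold: type limit, track by_src, seconds 3600, count 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5100003; sid: 5100030; rev:1;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"knockd service detected"; program: knockd; metadata: fingerprint_source logs, fingerprint_os linux, fingerprint_type server, fingerprint_expire 86400; classtype: fingerprint; threshold: type limit, track by_src, seconds 3600, count 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5100003; sid: 5100031; rev:1;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"mattermost"; program: mattermost; metadata: fingerprint_source logs, fingerprint_os linux, fingerprint_type client, fingerprint_expire 7200; classtype: fingerprint; threshold: type limit, track by_src, seconds 3600, count 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5100003; sid: 5100032; rev:1;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"MySQL services detected"; program: mysql|mysqld|MySQL; metadata: fingerprint_source logs, fingerprint_os linux, fingerprint_type server, fingerprint_expire 86400; classtype: fingerprint; threshold: type limit, track by_src, seconds 3600, count 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5100003; sid: 5100033; rev:1;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"nginx web server running"; program: nginx; metadata: fingerprint_source logs, fingerprint_os linux, fingerprint_type server, fingerprint_expire 86400; classtype: fingerprint; threshold: type limit, track by_src, seconds 3600, count 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5100003; sid: 5100034; rev:1;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"Linux name service cache daemon detected"; program: nscd; metadata: fingerprint_source logs, fingerprint_os linux, fingerprint_expire 86400; classtype: fingerprint; threshold: type limit, track by_src, seconds 3600, count 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5100003; sid: 5100035; rev:1;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"Network Time Protocol Server detected"; program: ntpd; metadata: fingerprint_source logs, fingerprint_os linux, fingerprint_type server, fingerprint_expire 86400; classtype: fingerprint; threshold: type limit, track by_src, seconds 3600, count 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5100003; sid: 5100036; rev:1;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"opendkim for SMTP services detected"; program: opendkim; metadata: fingerprint_source logs, fingerprint_os linux, fingerprint_type server, fingerprint_expire 86400; classtype: fingerprint; threshold: type limit, track by_src, seconds 3600, count 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5100003; sid: 5100037; rev:1;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"OpenVPN services detected"; program: openvpn|ovpn-*; metadata: fingerprint_source logs, fingerprint_os linux, fingerprint_expire 86400; classtype: fingerprint; threshold: type limit, track by_src, seconds 3600, count 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5100003; sid: 5100038; rev:1;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"Postfix SMTP services detected"; program: postfix|postfix/*; metadata: fingerprint_source logs, fingerprint_os linux, fingerprint_type server, fingerprint_expire 86400; classtype: fingerprint; threshold: type limit, track by_src, seconds 3600, count 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5100003; sid: 5100039; rev:1;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"procmail"; program: procmail; metadata: fingerprint_source logs, fingerprint_os linux, fingerprint_type server, fingerprint_expire 86400; classtype: fingerprint; threshold: type limit, track by_src, seconds 3600, count 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5100003; sid: 5100040; rev:1;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"rsync client execution"; program: rsync; metadata: fingerprint_source logs, fingerprint_os linux, fingerprint_expire 7200; classtype: fingerprint; threshold: type limit, track by_src, seconds 3600, count 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5100003; sid: 5100041; rev:1;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"rsyncd service detected"; program: rsyncd; metadata: fingerprint_source logs, fingerprint_os linux, fingerprint_type server, fingerprint_expire 86400; classtype: fingerprint; threshold: type limit, track by_src, seconds 3600, count 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5100003; sid: 5100042; rev:1;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"RSyslog detected"; program: rsyslogd|rsyslogd-*; metadata: fingerprint_source logs, fingerprint_os linux, fingerprint_expire 86400; classtype: fingerprint; threshold: type limit, track by_src, seconds 3600, count 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5100003; sid: 5100043; rev:1;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"Sagan detected!!"; program: sagan; metadata: fingerprint_source logs, fingerprint_os linux, fingerprint_type server, fingerprint_expire 86400; classtype: fingerprint; threshold: type limit, track by_src, seconds 3600, count 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5100003; sid: 5100044; rev:1;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"SASL authentication daemon detected"; program: saslauthd; metadata: fingerprint_source logs, fingerprint_os linux, fingerprint_type server, fingerprint_expire 86400; classtype: fingerprint; threshold: type limit, track by_src, seconds 3600, count 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5100003; sid: 5100045; rev:1;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"Synology Command Execution Management Daemon"; program: scemd; metadata: fingerprint_source logs, fingerprint_os linux, fingerprint_type server, fingerprint_expire 86400; classtype: fingerprint; threshold: type limit, track by_src, seconds 3600, count 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5100003; sid: 5100046; rev:1;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"Sendmail detected"; program: sendmail|sm-*; metadata: fingerprint_source logs, fingerprint_os linux, fingerprint_type server, fingerprint_expire 86400; classtype: fingerprint; threshold: type limit, track by_src, seconds 3600, count 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5100003; sid: 5100047; rev:1;)
# sid 5100048: the program field was "slapd ldap daemon".  A syslog tag never contains
# spaces, so that value could not match anything; OpenLDAP's slapd logs under the tag
# "slapd".  Rule fixed and rev bumped.
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"slapd ldap daemon"; program: slapd; metadata: fingerprint_source logs, fingerprint_os linux, fingerprint_type server, fingerprint_expire 86400; classtype: fingerprint; threshold: type limit, track by_src, seconds 3600, count 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5100003; sid: 5100048; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"snmpd service running"; program: snmpd; metadata: fingerprint_source logs, fingerprint_os linux, fingerprint_type server, fingerprint_expire 86400; classtype: fingerprint; threshold: type limit, track by_src, seconds 3600, count 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5100003; sid: 5100050; rev:1;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"snmptrapd service running"; program: snmptrapd; metadata: fingerprint_source logs, fingerprint_os linux, fingerprint_type server, fingerprint_expire 86400; classtype: fingerprint; threshold: type limit, track by_src, seconds 3600, count 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5100003; sid: 5100051; rev:1;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"Snort IDS engine"; program: snort; metadata: fingerprint_source logs, fingerprint_os linux, fingerprint_type server, fingerprint_expire 86400; classtype: fingerprint; threshold: type limit, track by_src, seconds 3600, count 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5100003; sid: 5100052; rev:1;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"sshd detected"; program: sshd; metadata: fingerprint_source logs, fingerprint_os linux, fingerprint_type server, fingerprint_expire 86400; classtype: fingerprint; threshold: type limit, track by_src, seconds 3600, count 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5100003; sid: 5100053; rev:1;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"sSMTP service detected"; program: sSMTP; metadata: fingerprint_source logs, fingerprint_os linux, fingerprint_type server, fingerprint_expire 86400; classtype: fingerprint; threshold: type limit, track by_src, seconds 3600, count 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5100003; sid: 5100054; rev:1;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"stunnel service detected"; program: stunnel; metadata: fingerprint_source logs, fingerprint_os linux, fingerprint_expire 86400; classtype: fingerprint; threshold: type limit, track by_src, seconds 3600, count 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5100003; sid: 5100055; rev:1;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"Suricata IDS engine is running"; program: suricata; metadata: fingerprint_source logs, fingerprint_os linux, fingerprint_type server, fingerprint_expire 86400; classtype: fingerprint; threshold: type limit, track by_src, seconds 3600, count 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5100003; sid: 5100056; rev:1;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"Generic syslog service detected"; program: syslog|syslogd; metadata: fingerprint_source logs, fingerprint_os linux, fingerprint_expire 86400; classtype: fingerprint; threshold: type limit, track by_src, seconds 3600, count 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5100003; sid: 5100057; rev:1;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"syslog-ng service detected"; program: syslog-ng; metadata: fingerprint_source logs, fingerprint_os linux, fingerprint_expire 86400; classtype: fingerprint; threshold: type limit, track by_src, seconds 3600, count 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5100003; sid: 5100059; rev:1;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"systemd detected"; program: systemd|systemd-*; metadata: fingerprint_source logs, fingerprint_os linux, fingerprint_expire 7200; classtype: fingerprint; threshold: type limit, track by_src, seconds 3600, count 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5100003; sid: 5100060; rev:1;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"unattended-upgrade (Debian/Ubuntu) detected"; program: unattended-upgrade; metadata: fingerprint_source logs, fingerprint_os linux, fingerprint_expire 86400; classtype: fingerprint; threshold: type limit, track by_src, seconds 3600, count 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5100003; sid: 5100062; rev:1;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"yk_chkpwd - Yubikey usage"; program: yk_chkpwd; metadata: fingerprint_source logs, fingerprint_os linux, fingerprint_type server, fingerprint_expire 86400; classtype: fingerprint; threshold: type limit, track by_src, seconds 3600, count 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5100003; sid: 5100063; rev:1;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"Zimbra services running"; program: zimbra|zimbra*|zmconfigd; metadata: fingerprint_source logs, fingerprint_os linux, fingerprint_type server, fingerprint_expire 86400; classtype: fingerprint; threshold: type limit, track by_src, seconds 3600, count 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5100003; sid: 5100064; rev:1;)
# -----
# From here on each rule carries its own Main/<sid> reference page.
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "Proftp detected"; program: proftpd; metadata: fingerprint_source logs, fingerprint_os linux, fingerprint_type server, fingerprint_expire 86400; threshold: type limit, track by_src, seconds 3600, count 1; classtype: fingerprint; reference: url,wiki.quadrantsec.com/bin/view/Main/5100065; sid:5100065; rev:1;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "APC-EMU logs detected"; program: EMU; metadata: fingerprint_source logs, fingerprint_type server, fingerprint_expire 86400; threshold: type limit, track by_src, seconds 3600, count 1; classtype: fingerprint; reference: url,wiki.quadrantsec.com/bin/view/Main/5100066; sid:5100066; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "Arpalert or Arpwatch logs detected"; program: arpalert|arpwatch; metadata: fingerprint_source logs, fingerprint_os linux, fingerprint_type server, fingerprint_expire 86400; threshold: type limit, track by_src, seconds 3600, count 1; classtype: fingerprint; reference: url,wiki.quadrantsec.com/bin/view/Main/5100067; sid:5100067; rev:1;)
# sid 5100068: msg read "detected detected"; duplicate word removed, rev bumped.
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "Asterisk Phone system detected"; program: asterisk; metadata: fingerprint_source logs, fingerprint_os linux, fingerprint_type server, fingerprint_expire 86400; threshold: type limit, track by_src, seconds 3600, count 1; classtype: fingerprint; reference: url,wiki.quadrantsec.com/bin/view/Main/5100068; sid:5100068; rev:1;)
# sid 5100069: stray leading space in msg removed, rev bumped.
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "Bind/DNS server detected"; program: named; metadata: fingerprint_source logs, fingerprint_os linux, fingerprint_type server, fingerprint_expire 86400; threshold: type limit, track by_src, seconds 3600, count 1; classtype: fingerprint; reference: url,wiki.quadrantsec.com/bin/view/Main/5100069; sid:5100069; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "Bit9 detected"; program: bit9; metadata: fingerprint_source logs, fingerprint_os windows, fingerprint_type server, fingerprint_expire 86400; threshold: type limit, track by_src, seconds 3600, count 1; classtype: fingerprint; reference: url,wiki.quadrantsec.com/bin/view/Main/5100070; sid:5100070; rev:1;)
# sid 5100071: this rule was the only one in the file with no threshold, so every Zeek
# log line would have produced an alert; the standard 1-per-host-per-hour limit is now
# applied and rev bumped.  NOTE(review): fingerprint_os windows is suspect for Bro/Zeek,
# which is normally a Linux/BSD sensor -- confirm against the actual log source.
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "Bro/Zeek detected"; program: bro|zeek; metadata: fingerprint_source logs, fingerprint_os windows, fingerprint_type server, fingerprint_expire 86400; threshold: type limit, track by_src, seconds 3600, count 1; classtype: fingerprint; reference: url,wiki.quadrantsec.com/bin/view/Main/5100071; sid:5100071; rev:2;)
# sid 5100072: stray leading space in msg removed, rev bumped.  Matches the %ASA-/%FWSM-
# message-ID prefix that Cisco firewalls place in the program position.
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "Cisco ASA detected"; program: %ASA*|%FWSM*; metadata: fingerprint_source logs, fingerprint_os ios, fingerprint_type server, fingerprint_expire 86400; threshold: type limit, track by_src, seconds 3600, count 1; classtype: fingerprint; reference: url,wiki.quadrantsec.com/bin/view/Main/5100072; sid:5100072; rev:2;)
# sid 5100073: "imapd-sslcourierlogger" was a missing "|" between two tags; fixed and
# rev bumped.  imapd/imapd-ssl are also matched by sid 5100081 below, so a Courier IMAP
# host will fire both fingerprints.
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "Courier/IMAP detected"; program: imapd|imapd-ssl|courierlogger; metadata: fingerprint_source logs, fingerprint_os linux, fingerprint_type server, fingerprint_expire 86400; threshold: type limit, track by_src, seconds 3600, count 1; classtype: fingerprint; reference: url,wiki.quadrantsec.com/bin/view/Main/5100073; sid:5100073; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "DigitalPersona detected"; program: DigitalPersona*; metadata: fingerprint_source logs, fingerprint_os windows, fingerprint_type server, fingerprint_expire 86400; threshold: type limit, track by_src, seconds 3600, count 1; classtype: fingerprint; reference: url,wiki.quadrantsec.com/bin/view/Main/5100074; sid:5100074; rev:1;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "Dovecot detected"; program: dovecot; metadata: fingerprint_source logs, fingerprint_os linux, fingerprint_type server, fingerprint_expire 86400; threshold: type limit, track by_src, seconds 3600, count 1; classtype: fingerprint; reference: url,wiki.quadrantsec.com/bin/view/Main/5100075; sid:5100075; rev:1;)
# NOTE(review): sid 5100076 says "FIPAYPIN" in msg but matches *PIPAYPIN* in program;
# one of the two is probably a typo.  Left as found -- confirm the real tag first.
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "FIPAYPIN detected"; program: *PIPAYPIN*; metadata: fingerprint_source logs, fingerprint_os windows, fingerprint_type server, fingerprint_expire 86400; threshold: type limit, track by_src, seconds 3600, count 1; classtype: fingerprint; reference: url,wiki.quadrantsec.com/bin/view/Main/5100076; sid:5100076; rev:1;)
# sid 5100077: "Gerneric" typo in msg fixed, rev bumped.
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "Generic FTPD detected"; program: ftpd|ftp|FTP|FTPD; metadata: fingerprint_source logs, fingerprint_os linux, fingerprint_expire 86400; threshold: type limit, track by_src, seconds 3600, count 1; classtype: fingerprint; reference: url,wiki.quadrantsec.com/bin/view/Main/5100077; sid:5100077; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "Grsec detected"; program: grsec; metadata: fingerprint_source logs, fingerprint_os linux, fingerprint_type server, fingerprint_expire 86400; threshold: type limit, track by_src, seconds 3600, count 1; classtype: fingerprint; reference: url,wiki.quadrantsec.com/bin/view/Main/5100078; sid:5100078; rev:1;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "Honeyd detected"; program: honeyd; metadata: fingerprint_source logs, fingerprint_os linux, fingerprint_type server, fingerprint_expire 86400; threshold: type limit, track by_src, seconds 3600, count 1; classtype: fingerprint; reference: url,wiki.quadrantsec.com/bin/view/Main/5100079; sid:5100079; rev:1;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "Hostapd detected"; program: hostapd; metadata: fingerprint_source logs, fingerprint_os linux, fingerprint_type server, fingerprint_expire 86400; threshold: type limit, track by_src, seconds 3600, count 1; classtype: fingerprint; reference: url,wiki.quadrantsec.com/bin/view/Main/5100080; sid:5100080; rev:1;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "IMAPD detected"; program: imapd|imapd-ssl; metadata: fingerprint_source logs, fingerprint_os linux, fingerprint_type server, fingerprint_expire 86400; threshold: type limit, track by_src, seconds 3600, count 1; classtype: fingerprint; reference: url,wiki.quadrantsec.com/bin/view/Main/5100081; sid:5100081; rev:1;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "IPOP3D detected"; program: ipop3d; metadata: fingerprint_source logs, fingerprint_os linux, fingerprint_type server, fingerprint_expire 86400; threshold: type limit, track by_src, seconds 3600, count 1; classtype: fingerprint; reference: url,wiki.quadrantsec.com/bin/view/Main/5100082; sid:5100082; rev:1;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "Juniper detected"; program: Juniper; metadata: fingerprint_source logs, fingerprint_type server, fingerprint_expire 86400; threshold: type limit, track by_src, seconds 3600, count 1; classtype: fingerprint; reference: url,wiki.quadrantsec.com/bin/view/Main/5100083; sid:5100083; rev:1;)
# sid 5100084 (kismet_server) is disabled; the reason is not recorded in this file.
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "Kismet_Server detected"; program: kismet_server; metadata: fingerprint_source logs, fingerprint_os linux, fingerprint_type server, fingerprint_expire 86400; threshold: type limit, track by_src, seconds 3600, count 1; classtype: fingerprint; reference: url,wiki.quadrantsec.com/bin/view/Main/5100084; sid:5100084; rev:1;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "SMTP milter detected"; program: mimedefang|smf-sav; metadata: fingerprint_source logs, fingerprint_os linux, fingerprint_type server, fingerprint_expire 86400; threshold: type limit, track by_src, seconds 3600, count 1; classtype: fingerprint; reference: url,wiki.quadrantsec.com/bin/view/Main/5100085; sid:5100085; rev:1;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "MongoDB server detected"; program: mongodb; metadata: fingerprint_source logs, fingerprint_os linux, fingerprint_type server, fingerprint_expire 86400; threshold: type limit, track by_src, seconds 3600, count 1; classtype: fingerprint; reference: url,wiki.quadrantsec.com/bin/view/Main/5100086; sid:5100086; rev:1;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "NeXpose detected"; program: NeXpose; metadata: fingerprint_source logs, fingerprint_os windows, fingerprint_type server, fingerprint_expire 86400; threshold: type limit, track by_src, seconds 3600, count 1; classtype: fingerprint; reference: url,wiki.quadrantsec.com/bin/view/Main/5100087; sid:5100087; rev:1;)
# sid 5100088: stray leading space in msg removed, rev bumped.
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "Nfcapd detected"; program: nfcapd; metadata: fingerprint_source logs, fingerprint_os linux, fingerprint_type server, fingerprint_expire 86400; threshold: type limit, track by_src, seconds 3600, count 1; classtype: fingerprint; reference: url,wiki.quadrantsec.com/bin/view/Main/5100088; sid:5100088; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "Postgres detected"; program: postgres; metadata: fingerprint_source logs, fingerprint_os linux, fingerprint_type server, fingerprint_expire 86400; threshold: type limit, track by_src, seconds 3600, count 1; classtype: fingerprint; reference: url,wiki.quadrantsec.com/bin/view/Main/5100089; sid:5100089; rev:1;)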
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "pptpd detected"; program: pptpd; metadata: fingerprint_source logs, fingerprint_os linux, fingerprint_type server, fingerprint_expire 86400; threshold: type limit, track by_src, seconds 3600, count 1; classtype: fingerprint; reference: url,wiki.quadrantsec.com/bin/view/Main/5100090; sid:5100090; rev:1;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: " PureFTP server detected"; program: pure-ftpd; metadata: fingerprint_source logs, fingerprint_os linux, fingerprint_type server, fingerprint_expire 86400; threshold: type limit, track by_src, seconds 3600, count 1; classtype: fingerprint; reference: url,wiki.quadrantsec.com/bin/view/Main/5100091; sid:5100091; rev:1;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "Racoon detected"; program: racoon; metadata: fingerprint_source logs, fingerprint_os linux, fingerprint_type server, fingerprint_expire 86400; threshold: type limit, track by_src, seconds 3600, count 1; classtype: fingerprint; reference: url,wiki.quadrantsec.com/bin/view/Main/5100092; sid:5100092; rev:1;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "Riverbed detected"; program: webasd; metadata: fingerprint_source logs, fingerprint_os linux, fingerprint_type server, fingerprint_expire 86400; threshold: type limit, track by_src, seconds 3600, count 1; classtype: fingerprint; reference: url,wiki.quadrantsec.com/bin/view/Main/5100093; sid:5100093; rev:1;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "Samba server detected"; program: smbd; metadata: fingerprint_source logs, fingerprint_os linux, fingerprint_type server, fingerprint_expire 86400; threshold: type limit, track by_src, seconds 3600, count 1; classtype: fingerprint; reference: url,wiki.quadrantsec.com/bin/view/Main/5100094; sid:5100094; rev:1;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "Squid server detected"; program: squid; metadata: fingerprint_source logs, fingerprint_os linux, fingerprint_type server, fingerprint_expire 86400; threshold: type limit, track by_src, seconds 3600, count 1; classtype: fingerprint; reference: url,wiki.quadrantsec.com/bin/view/Main/5100095; sid:5100095; rev:1;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "SSH-Tectia-Server detected"; program: SSH_Tectia_Server; metadata: fingerprint_source logs, fingerprint_os linux, fingerprint_type server, fingerprint_expire 86400; threshold: type limit, track by_src, seconds 3600, count 1; classtype: fingerprint; reference: url,wiki.quadrantsec.com/bin/view/Main/5100096; sid:5100096; rev:1;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "su/sudo detected"; program: -su|su|sudo; metadata: fingerprint_source logs, fingerprint_os linux, fingerprint_expire 7200; threshold: type limit, track by_src, seconds 3600, count 1; classtype: fingerprint; reference: url,wiki.quadrantsec.com/bin/view/Main/5100097; sid:5100097; rev:1;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "Symantec EMS detected"; program: pgp/client; metadata: fingerprint_source logs, fingerprint_os windows, fingerprint_type server, fingerprint_expire 86400; threshold: type limit, track by_src, seconds 3600, count 1; classtype: fingerprint; reference: url,wiki.quadrantsec.com/bin/view/Main/5100098; sid:5100098; rev:1;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "Telnet service detected"; program: telnetd; metadata: fingerprint_source logs, fingerprint_os linux, fingerprint_type server, fingerprint_expire 86400; threshold: type limit, track by_src, seconds 3600, count 1; classtype: fingerprint; reference: url,wiki.quadrantsec.com/bin/view/Main/5100099; sid:5100099; rev:1;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "Trendmicro Antivirus Service detected"; program: TMCM; metadata: fingerprint_source logs, fingerprint_os windows, fingerprint_type server, fingerprint_expire 86400; threshold: type limit, track by_src, seconds 3600, count 1; classtype: fingerprint; reference: url,wiki.quadrantsec.com/bin/view/Main/5100100; sid:5100100; rev:1;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "Tripwire detected"; program: tripwire; metadata: fingerprint_source logs, fingerprint_type server, fingerprint_expire 86400; threshold: type limit, track by_src, seconds 3600, count 1; classtype: fingerprint; reference: url,wiki.quadrantsec.com/bin/view/Main/5100101; sid:5100101; rev:1;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "Vmpop3d service detected"; program: vm-pop3d; metadata: fingerprint_source logs, fingerprint_os linux, fingerprint_type server, fingerprint_expire 86400; threshold: type limit, track by_src, seconds 3600, count 1; classtype: fingerprint; reference: url,wiki.quadrantsec.com/bin/view/Main/5100102; sid:5100102; rev:1;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "VMWare ESXi detected"; program: vmware-hostd|vmware-authd|Hostd|vmkernel; metadata: fingerprint_source logs, fingerprint_os linux, fingerprint_type server, fingerprint_expire 86400; threshold: type limit, track by_src, seconds 3600, count 1; classtype: fingerprint; reference: url,wiki.quadrantsec.com/bin/view/Main/5100103; sid:5100103; rev:1;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "VPopmail detected"; program: vpopmail; metadata: fingerprint_source logs, fingerprint_os linux, fingerprint_type server, fingerprint_expire 86400; threshold: type limit, track by_src, seconds 3600, count 1; classtype: fingerprint; reference: url,wiki.quadrantsec.com/bin/view/Main/5100104; sid:5100104; rev:1;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "VSFTPD server detected"; program: vsftpd; metadata: fingerprint_source logs, fingerprint_os linux, fingerprint_type server, fingerprint_expire 86400; threshold: type limit, track by_src, seconds 3600, count 1; classtype: fingerprint; reference: url,wiki.quadrantsec.com/bin/view/Main/5100105; sid:5100105; rev:1;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "Microsoft MSSQL server detected"; program: MSSQL*; metadata: fingerprint_source logs, fingerprint_os windows, fingerprint_type server, fingerprint_expire 86400; threshold: type limit, track by_src, seconds 3600, count 1; classtype: fingerprint; reference: url,wiki.quadrantsec.com/bin/view/Main/5100106; sid:5100106; rev:1;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "Windows Sysmon detected"; program: Sysmon; metadata: fingerprint_source logs, fingerprint_os windows, fingerprint_type server, fingerprint_expire 86400; threshold: type limit, track by_src, seconds 3600, count 1; classtype: fingerprint; reference: url,wiki.quadrantsec.com/bin/view/Main/5100107; sid:5100107; rev:1;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "Wordpress detected"; program: WPsyslog; metadata: fingerprint_source logs, fingerprint_os linux, fingerprint_type server, fingerprint_expire 86400; threshold: type limit, track by_src, seconds 3600, count 1; classtype: fingerprint; reference: url,wiki.quadrantsec.com/bin/view/Main/5100116; sid:5100116; rev:1;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "xinetd detected"; program: xinetd; metadata: fingerprint_source logs, fingerprint_os linux, fingerprint_type server, fingerprint_expire 86400; threshold: type limit, track by_src, seconds 3600, count 1; classtype: fingerprint; reference: url,wiki.quadrantsec.com/bin/view/Main/5100108; sid:5100108; rev:1;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "Zeus detected"; program: zeus; metadata: fingerprint_source logs, fingerprint_os linux, fingerprint_type server, fingerprint_expire 86400; threshold: type limit, track by_src, seconds 3600, count 1; classtype: fingerprint; reference: url,wiki.quadrantsec.com/bin/view/Main/5100109; sid:5100109; rev:1;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "Cisco ISE detected"; program: CISE_Passed_Authentications|CISE_Failed_Attempts|CSCOacs_Failed_Attempts; metadata: fingerprint_source logs, fingerprint_os ios, fingerprint_type server, fingerprint_expire 86400; threshold: type limit, track by_src, seconds 3600, count 1; classtype: fingerprint; reference: url,wiki.quadrantsec.com/bin/view/Main/5100110; sid:5100119; rev:1;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: " AS400 Server detected"; metadata: fingerprint_source logs, fingerprint_os as400, fingerprint_type server, fingerprint_expire 86400; threshold: type limit, track by_src, seconds 3600, count 1; meta_content: " %sagan% ",MPW1600,MPW1800,MVP1600,MPW2100,MAF1100,MPW1700,MAF0100,MAD2100;classtype: fingerprint; reference: url,wiki.quadrantsec.com/bin/view/Main/5100111; sid:5100111; rev:1;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "AS400 Server detect - 2"; metadata: fingerprint_source logs, fingerprint_os as400, fingerprint_type server, fingerprint_expire 86400; threshold: type limit, track by_src, seconds 3600, count 1; program: CSYS; classtype: fingerprint; reference: url,wiki.quadrantsec.com/bin/view/Main/5100112; sid:5100112; rev:1;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "Office365 detect"; metadata: fingerprint_source logs, fingerprint_type server, fingerprint_expire 86400; threshold: type limit, track by_src, seconds 3600, count 1; meta_content: "%sagan%",ALERT_ANUBIS_DETECTION_VELOCITY,ALERT_CABINET_EVENT_MATCH_AUDIT,ALERT_ANUBIS_DETECTION_NEW_COUNTRY,ALERT_DISCOVERY_ANOMALY_DETECTION,ALERT_CABINET_EVENT_MATCH_FILE,ALERT_CABINET_INLINE_EVENT_MATCH,ALERT_CABINET_EVENT_MATCH_OBJECT,ALERT_CABINET_DISCOVERY_NEW_SERVICE,ALERT_PERSONAL_USER_SAGE,ALERT_GEOLOCATION_NEW_COUNTRY,ALERT_ADMIN_USER,ALERT_ZOMBIE_USER,ALERT_NEW_ADMIN_LOCATION,ALERT_COMPROMISED_ACCOUNT,EVENT_CATEGORY_LOGOUT,EVENT_CATEGORY_LOGIN,EVENT_CATEGORY_CREATE_USER,EVENT_CATEGORY_DELETE_USER,ALERT_ANUBIS_DETECTION_REPEATED_ACTIVIY,ALERT_ANUBIS_DETECTION_REPEATED_ACTIVITY_ADMIN_ACTIVITY,ALERT_MANAGEMENT_DISCOVERY_BREACHED_APP; classtype: fingerprint; reference: url,wiki.quadrantsec.com/bin/view/Main/5100113; sid:5100113; rev:1;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "Watchguard detect"; metadata: fingerprint_source logs, fingerprint_type server, fingerprint_expire 86400; threshold: type limit, track by_src, seconds 3600, count 1; program: WatchGuard*; classtype: fingerprint; reference: url,wiki.quadrantsec.com/bin/view/Main/5100114; sid:5100114; rev:1;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "Oracle server detect"; metadata: fingerprint_source logs, fingerprint_os linux, fingerprint_type server, fingerprint_expire 86400; threshold: type limit, track by_src, seconds 3600, count 1; content: "RETURNCODE|3a|["; classtype: fingerprint; reference: url,wiki.quadrantsec.com/bin/view/Main/5100115; sid:5100115; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "Zscaler detect"; metadata: fingerprint_source logs, fingerprint_os linux, fingerprint_type server, fingerprint_expire 86400; threshold: type limit, track by_src, seconds 3600, count 1; content: "requestClientApplication|3d|"; classtype: fingerprint; reference: url,wiki.quadrantsec.com/bin/view/Main/5100117; sid:5100117; rev:1;)
# ---
# Windows-host fingerprints (sid 5100118-5100132). Most rules match on the
# Windows event-log provider name reported as "program"; three use content
# matches instead. Host-level markers (Windows, NXLog, Bonjour, Google updater,
# Tenable) have no fingerprint_type and expire after 7200 s; service rules
# carry fingerprint_type server and expire after 86400 s.
# NOTE(review): the wildcards *Security*, *Application* and *System* are broad;
# presumably any program name containing those words, Windows or not, would be
# tagged fingerprint_os windows - consider tightening them. Case handling of
# "program:" globs is not visible here.
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "Microsoft Windows detected"; metadata: fingerprint_source logs, fingerprint_os windows, fingerprint_expire 7200; threshold: type limit, track by_src, seconds 3600, count 1; program: *Microsoft*|*Security*|*Application*|Ntfs|USER32|Service*|*System*; classtype: fingerprint; reference: url,wiki.quadrantsec.com/bin/view/Main/5100118; sid:5100118; rev:1;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "NXLog detected"; metadata: fingerprint_source logs, fingerprint_os windows, fingerprint_expire 7200; threshold: type limit, track by_src, seconds 3600, count 1; program: nxlog; classtype: fingerprint; reference: url,wiki.quadrantsec.com/bin/view/Main/5100132; sid:5100132; rev:1;)
# NOTE(review): this rule matches program "nxlog", exactly like sid 5100132 above,
# so it tags every NXLog-forwarding host as a DHCP server rather than only hosts
# emitting DHCP-server events; confirm the intended program/content match.
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "DHCP-Server detected"; metadata: fingerprint_source logs, fingerprint_os windows, fingerprint_type server, fingerprint_expire 86400; threshold: type limit, track by_src, seconds 3600, count 1; program: nxlog; classtype: fingerprint; reference: url,wiki.quadrantsec.com/bin/view/Main/5100120; sid:5100120; rev:1;)
# NOTE(review): duplicate of sid 5100106 (same "MSSQL*" program match and metadata).
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "MS-SQL service detected"; metadata: fingerprint_source logs, fingerprint_os windows, fingerprint_type server, fingerprint_expire 86400; threshold: type limit, track by_src, seconds 3600, count 1; program: MSSQL*; classtype: fingerprint; reference: url,wiki.quadrantsec.com/bin/view/Main/5100121; sid:5100121; rev:1;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "Terminal Services detected"; metadata: fingerprint_source logs, fingerprint_os windows, fingerprint_type server, fingerprint_expire 86400; threshold: type limit, track by_src, seconds 3600, count 1; program: TermService; classtype: fingerprint; reference: url,wiki.quadrantsec.com/bin/view/Main/5100122; sid:5100122; rev:1;)
# NOTE(review): duplicate of sid 5100107 (same "Sysmon" program match and metadata).
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "Sysmon detected"; metadata: fingerprint_source logs, fingerprint_os windows, fingerprint_type server, fingerprint_expire 86400; threshold: type limit, track by_src, seconds 3600, count 1; program: Sysmon; classtype: fingerprint; reference: url,wiki.quadrantsec.com/bin/view/Main/5100123; sid:5100123; rev:1;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "Symantec detected"; metadata: fingerprint_source logs, fingerprint_os windows, fingerprint_type server, fingerprint_expire 86400; threshold: type limit, track by_src, seconds 3600, count 1; program: *Symantec*; classtype: fingerprint; reference: url,wiki.quadrantsec.com/bin/view/Main/5100124; sid:5100124; rev:1;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "Applocker detected"; metadata: fingerprint_source logs, fingerprint_os windows, fingerprint_type server, fingerprint_expire 86400; threshold: type limit, track by_src, seconds 3600, count 1; program: AppLocker; classtype: fingerprint; reference: url,wiki.quadrantsec.com/bin/view/Main/5100125; sid:5100125; rev:1;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "VNC detected"; metadata: fingerprint_source logs, fingerprint_os windows, fingerprint_type server, fingerprint_expire 86400; threshold: type limit, track by_src, seconds 3600, count 1; program: *VNC*; classtype: fingerprint; reference: url,wiki.quadrantsec.com/bin/view/Main/5100126; sid:5100126; rev:1;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "Apple Bonjour service detected"; metadata: fingerprint_source logs, fingerprint_os windows, fingerprint_expire 7200; threshold: type limit, track by_src, seconds 3600, count 1; program: Bonjour; classtype: fingerprint; reference: url,wiki.quadrantsec.com/bin/view/Main/5100127; sid:5100127; rev:1;)
# The event_id option narrows this rule to event 1001 from the SNMP provider.
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "SNMP service detected"; metadata: fingerprint_source logs, fingerprint_os windows, fingerprint_type server, fingerprint_expire 86400; threshold: type limit, track by_src, seconds 3600, count 1; event_id: 1001; program: SNMP; classtype: fingerprint; reference: url,wiki.quadrantsec.com/bin/view/Main/5100128; sid:5100128; rev:1;)
# Content-based match (no "program:" restriction).
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "Google updater detected"; metadata: fingerprint_source logs, fingerprint_os windows, fingerprint_expire 7200; threshold: type limit, track by_src, seconds 3600, count 1; content: "Google update service is active"; classtype: fingerprint; reference: url,wiki.quadrantsec.com/bin/view/Main/5100129; sid:5100129; rev:1;)
# Tenable [1] matches on the program name, [2] on message content; either one fingerprints the host.
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "Tenable security tool detected [1]"; metadata: fingerprint_source logs, fingerprint_os windows, fingerprint_expire 7200; threshold: type limit, track by_src, seconds 3600, count 1; program: Tenable; classtype: fingerprint; reference: url,wiki.quadrantsec.com/bin/view/Main/5100130; sid:5100130; rev:1;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "Tenable security tool detected [2]"; metadata: fingerprint_source logs, fingerprint_os windows, fingerprint_expire 7200; threshold: type limit, track by_src, seconds 3600, count 1; content: "Tenable Nessus"; classtype: fingerprint; reference: url,wiki.quadrantsec.com/bin/view/Main/5100131; sid:5100131; rev:1;)