-
Notifications
You must be signed in to change notification settings - Fork 35
/
fortinet.rules
112 lines (108 loc) · 22.3 KB
/
fortinet.rules
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
# Sagan fortinet.rules
# Copyright (c) 2009-2020. Quadrant Information Security <www.quadrantsec.com>
# All rights reserved.
#
# Please submit any custom rules or ideas to [email protected] or the sagan-sigs mailing list
#
#*************************************************************
# Redistribution and use in source and binary forms, with or without modification, are permitted provided that the
# following conditions are met:
#
# * Redistributions of source code must retain the above copyright notice, this list of conditions and the following
# disclaimer.
# * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the
# following disclaimer in the documentation and/or other materials provided with the distribution.
# * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES,
# INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
# USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#
#*************************************************************
# These are mostly taken from Fortigate 4.0 Message reference manual.
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET] Protect profile changed"; content: "32151 type="; content: "changed protection profile"; classtype: configuration-change; reference: url,wiki.quadrantsec.com/bin/view/Main/5000898; sid: 5000898; rev:2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET] ICMP traffic disallowed"; content: "16003 type="; parse_src_ip: 1; classtype: not-suspicious; reference: url,wiki.quadrantsec.com/bin/view/Main/5000899; sid: 5000899; rev:3;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET] Login from LCD"; content: "32001 type="; content: "from LCD"; classtype: successful-admin; reference: url,wiki.quadrantsec.com/bin/view/Main/5000900; sid: 5000900; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET] Administrator Login"; content: "32001 type="; content: "logged in"; parse_src_ip: 1; classtype: successful-admin; reference: url,wiki.quadrantsec.com/bin/view/Main/5000901; sid: 5000901; rev:3;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET] Admin login from LCD failed"; content: "32002 type="; content: "LCD failed"; classtype: attempted-admin; reference: url,wiki.quadrantsec.com/bin/view/Main/5000902; sid: 5000902; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET] Admin login failed"; content: "32002 type="; content: "login failed"; parse_src_ip: 1; classtype: attempted-admin; reference: url,wiki.quadrantsec.com/bin/view/Main/5000903; sid: 5000903; rev:3;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET] To many bad admin login attempts"; content: "32002 type="; content: "bad attempts"; parse_src_ip: 1; classtype: attempted-admin; reference: url,wiki.quadrantsec.com/bin/view/Main/5000904; sid: 5000904; rev:3;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET] Administrator logout"; content: "32003 type="; content: "action=logout"; classtype: not-suspicious; reference: url,wiki.quadrantsec.com/bin/view/Main/5000905; sid: 5000905; rev:2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET] IPS error mode"; content: "32004 type="; content: "error mode"; classtype: hardware-event; reference: url,wiki.quadrantsec.com/bin/view/Main/5000906; sid: 5000906; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET] Login failed [Brute Force] [5/5]"; content: "32005 type="; content: "login failed"; parse_src_ip: 1; classtype: attempted-admin; xbits: set,brute_force, track ip_src, expire 21600; after: track by_src, count 5, seconds 300; threshold: type suppress, track by_src, count 5, seconds 300; reference: url,wiki.quadrantsec.com/bin/view/Main/5000907; sid: 5000907; rev:10;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET] Login accepted"; content: "32006 type="; content: "login"; meta_content: "%sagan%",accepted,successfully; parse_src_ip: 1; classtype: successful-admin; reference: url,wiki.quadrantsec.com/bin/view/Main/5000908; sid: 5000908; rev:4;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET] Disk full or almost full"; content: "32006 type="; content: "disk"; nocase; content: "log "; nocase; meta_content: "%sagan%",exceeds,full; classtype: hardware-event; reference: url,wiki.quadrantsec.com/bin/view/Main/5000909; sid: 5000909; rev:3;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET] Fortigate has started"; content: "32006 type="; content: "Fortigate started"; classtype: hardware-event; reference: url,wiki.quadrantsec.com/bin/view/Main/5000910; sid: 5000910; rev:2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET] Fortigate has entered error mode"; content: "32006 type="; content: "entered error mode"; classtype: configuration-error; reference: url,wiki.quadrantsec.com/bin/view/Main/5000911; sid: 5000911; rev:2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET] Fortigate has left error mode"; content: "32006 type="; content: "out of error mode"; classtype: configuration-error; reference: url,wiki.quadrantsec.com/bin/view/Main/5000912; sid: 5000912; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET] Administrator session timeout"; content: "32007 type="; content: "session timed out"; parse_src_ip: 1; classtype: not-suspicious; reference: url,wiki.quadrantsec.com/bin/view/Main/5000913; sid: 5000913; rev:3;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET] Abnormal Admin session drop"; content: "32007 type="; content: "terminates the sessions"; parse_src_ip: 1; classtype: not-suspicious; reference: url,wiki.quadrantsec.com/bin/view/Main/5000914; sid: 5000914; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET] Normal administrator logout"; content: "32007 type="; pcre: "/logs out from|is diconnected by/"; parse_src_ip: 1; classtype: not-suspicious; reference: url,wiki.quadrantsec.com/bin/view/Main/5000915; sid: 5000915; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET] Administrator is clearing/deleting logs"; content: "32007 type="; pcre: "/has removed|has deleted|has cleared/"; classtype: configuration-change; reference: url,wiki.quadrantsec.com/bin/view/Main/5000916; sid: 5000916; rev:3;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET] Cannot store config. Low flash space"; content: "32007 type="; content: "Cannot store config"; content: "flash space"; classtype: hardware-event; reference: url,wiki.quadrantsec.com/bin/view/Main/5000917; sid: 5000917; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET] Admin has left current VDOM"; content: "32007 type="; content: "has left the virtual domain"; classtype: not-suspicious; reference: url,wiki.quadrantsec.com/bin/view/Main/5000918; sid: 5000918; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET] Admin login failure"; content: "32009 type="; content: "login failed from"; classtype: attempted-admin; reference: url,wiki.quadrantsec.com/bin/view/Main/5000919; sid: 5000919; rev:2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET] Disk logs usage have exceeded"; content: "32010 type="; pcre: "/Disk logs|error mode|Log disk|reason=disk-log-full/"; classtype: hardware-event; reference: url,wiki.quadrantsec.com/bin/view/Main/5000920; sid: 5000920; rev:3;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET] Memory usage has exceeded"; content: "32010 type="; content: "reason=memory-log-full"; classtype: hardware-event; reference: url,wiki.quadrantsec.com/bin/view/Main/5000921; sid: 5000921; rev:2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET] Reason unknown error"; content: "32010 type="; content: "reason=unknown"; classtype: hardware-event; reference: url,wiki.quadrantsec.com/bin/view/Main/5000922; sid: 5000922; rev:2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET] Out of error mode"; content: "32012 type="; content: "out of error mode"; classtype: hardware-event; reference: url,wiki.quadrantsec.com/bin/view/Main/5000923; sid: 5000923; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET] Administrator removed logs"; content: "32013 type="; meta_content: "%sagan%",cleared,deleted,removed; classtype: configuration-change; reference: url,wiki.quadrantsec.com/bin/view/Main/5000924; sid: 5000924; rev:4;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET] License about to expired"; content: "32014 type="; content: "license will expire"; classtype: program-error; reference: url,wiki.quadrantsec.com/bin/view/Main/5000925; sid: 5000925; rev:2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET] Log disk is full"; content: "32015 type="; content: "Log disk is"; content: "full"; classtype: hardware-event; reference: url,wiki.quadrantsec.com/bin/view/Main/5000926; sid: 5000926; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET] Corrupted MAC packet detected"; content: "32020 type="; content: "Corrupted MAC packet detected"; classtype: network-event; reference: url,wiki.quadrantsec.com/bin/view/Main/5000927; sid: 5000927; rev:2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET] Action reboot or shutdown"; content: "32095 type="; meta_content: "%sagan%",action=reboot,action=shutdown"; classtype: hardware-event; reference: url,wiki.quadrantsec.com/bin/view/Main/5000928; sid: 5000928; rev:4;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET] Action reload"; content: "32095 type="; content: "action=reload"; classtype: system-event; reference: url,wiki.quadrantsec.com/bin/view/Main/5000929; sid: 5000929; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET] Action factory_reset"; content: "32095 type="; content: "action=factory_reset"; classtype: configuration-change; reference: url,wiki.quadrantsec.com/bin/view/Main/5000930; sid: 5000930; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET] New access profile added"; content: "32101 type="; content: "added new access profile"; classtype: configuration-change; reference: url,wiki.quadrantsec.com/bin/view/Main/5000931; sid: 5000931; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET] Configuration change"; content: "32102 type="; content: "made a change"; classtype: configuration-change; reference: url,wiki.quadrantsec.com/bin/view/Main/5000932; sid: 5000932; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET] Access profile changed"; content: "32102 type="; content: "setting of access profile"; classtype: configuration-change; reference: url,wiki.quadrantsec.com/bin/view/Main/5000933; sid: 5000933; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET] Access profile deleted"; content: "32103 type="; content: "deleted an access profile"; classtype: configuration-change; reference: url,wiki.quadrantsec.com/bin/view/Main/5000934; sid: 5000934; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET] New admin user added"; content: "32120 type="; content: "added an admin user"; classtype: configuration-change; reference: url,wiki.quadrantsec.com/bin/view/Main/5000935; sid: 5000935; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET] New user group added"; content: "32120 type="; content: "added an user group"; classtype: configuration-change; reference: url,wiki.quadrantsec.com/bin/view/Main/5000936; sid: 5000936; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET] Admin changed another admin's password"; content: "32150 type="; content: "changed password of admin"; classtype: configuration-change; reference: url,wiki.quadrantsec.com/bin/view/Main/5000971; sid: 5000971; rev:2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET] Flash memory is full!"; content: "20031 type="; content: "flash memory is full"; classtype: hardware-event; reference: url,wiki.quadrantsec.com/bin/view/Main/5000937; sid: 5000937; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET] Admin authentication success"; content: "38001 type="; content: "succeeded in authentication"; classtype: successful-admin; reference: url,wiki.quadrantsec.com/bin/view/Main/5000938; sid: 5000938; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET] Admin authentication failure"; content: "38001 type="; content: "failed in authentication"; classtype: attempted-admin; reference: url,wiki.quadrantsec.com/bin/view/Main/5000939; sid: 5000939; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET] Admin authentication failure"; content: "38002 type="; pcre: "/failed to authenticate|failed in authentication/i"; parse_src_ip: 1; classtype: attempted-admin; reference: url,wiki.quadrantsec.com/bin/view/Main/5000940; sid: 5000940; rev:3;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET] Failed authentication to many times"; content: "38003 type="; content: "failed authentication to many times"; classtype: attempted-admin; reference: url,wiki.quadrantsec.com/bin/view/Main/5000941; sid: 5000941; rev:2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET] Chassis fan anomaly"; content: "99503 type="; content: "Chassis fan anomaly"; classtype: hardware-event; reference: url,wiki.quadrantsec.com/bin/view/Main/5000942; sid: 5000942; rev:2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET] Chassis temperature anomaly"; content: "99504 type="; content: "Chassis temperature anomaly"; classtype: hardware-event; reference: url,wiki.quadrantsec.com/bin/view/Main/5000943; sid: 5000943; rev:2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET] Chassis voltage anomaly"; content: "99505 type="; content: "Chassis voltage anomaly"; classtype: hardware-event; reference: url,wiki.quadrantsec.com/bin/view/Main/5000944; sid: 5000944; rev:2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET] Blade fan anomaly"; content: "99506 type="; content: "Blade fan anomaly"; classtype: hardware-event; reference: url,wiki.quadrantsec.com/bin/view/Main/5000945; sid: 5000945; rev:2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET] Blade temperature anomaly"; content: "99507 type="; content: "Blade temperature anomaly"; classtype: hardware-event; reference: url,wiki.quadrantsec.com/bin/view/Main/5000946; sid: 5000946; rev:2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET] Blade voltage anomaly"; content: "99508 type="; content: "Blade voltage anomaly"; classtype: hardware-event; reference: url,wiki.quadrantsec.com/bin/view/Main/5000947; sid: 5000947; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET] L2TP/PPTP/PPPoE Authentication success"; content: "29002 type="; content: "action=auth_success"; classtype: successful-user; reference: url,wiki.quadrantsec.com/bin/view/Main/5000948; sid: 5000948; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET] L2TP/PPTP/PPPoE Authentication failed"; content: "29003 type="; content: "action=auth_failed"; classtype: unsuccessful-user; reference: url,wiki.quadrantsec.com/bin/view/Main/5000949; sid: 5000949; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET] L2TP/PPTP/PPPoE Max connection reached"; content: "29004 type="; content: "No more clients can connect"; classtype: system-event; reference: url,wiki.quadrantsec.com/bin/view/Main/5000950; sid: 5000950; rev:2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET] L2TP/PPTP/PPPoE Not enough memory"; content: "29024 type="; content: "not enough memory"; classtype: hardware-event; reference: url,wiki.quadrantsec.com/bin/view/Main/5000951; sid: 5000951; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET] Data Leak Prevention Rule Matched"; content: "11000 type="; content: "Data Leak Prevention Rule matched"; classtype: policy-violation; reference: url,wiki.quadrantsec.com/bin/view/Main/5000952; sid: 5000952; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET] Application control instant messaging message"; content: "11600 type="; content: "kind="; classtype: policy-violation; reference: url,wiki.quadrantsec.com/bin/view/Main/5000953; sid: 5000953; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET] Application control instant message file tranfer message"; content: "116001 type="; content: "kind="; classtype: policy-violation; reference: url,wiki.quadrantsec.com/bin/view/Main/5000954; sid: 5000954; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET] Application control instant message chat message"; content: "116002 type="; content: "kind="; classtype: policy-violation; reference: url,wiki.quadrantsec.com/bin/view/Main/5000955; sid: 5000955; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET] Control instant message SIP session blocked message"; content: "116003 type="; content: "kind="; classtype: policy-violation; reference: url,wiki.quadrantsec.com/bin/view/Main/5000956; sid: 5000956; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET] Application control instant message message"; content: "116010 type="; content: "kind="; classtype: policy-violation; reference: url,wiki.quadrantsec.com/bin/view/Main/5000957; sid: 5000957; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET] An application control VoIP-SIP session blocked message"; content: "116011 type="; content: "kind="; classtype: policy-violation; reference: url,wiki.quadrantsec.com/bin/view/Main/5000958; sid: 5000958; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET] E-mail of an infected file"; content: "60000 type="; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/5000959; sid: 5000959; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET] File blocked via e-mail"; content: "63000 type="; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/5000960; sid: 5000960; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET] File intercepted via e-mail"; content: "63002 type="; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/5000961; sid: 5000961; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET] Attack signature matched [see content] [1]"; content: "70000 type="; classtype: misc-attack; reference: url,wiki.quadrantsec.com/bin/view/Main/5000962; sid: 5000962; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET] Attack signature matched [see content] [2]"; content: "73001 type="; classtype: misc-attack; reference: url,wiki.quadrantsec.com/bin/view/Main/5000963; sid: 5000963; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET] Banned word was found"; content: "90000 type="; classtype: policy-violation; reference: url,wiki.quadrantsec.com/bin/view/Main/5000964; sid: 5000964; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET] Cookie was removed"; content: "91000 type="; classtype: web-application-activity; reference: url,wiki.quadrantsec.com/bin/view/Main/5000965; sid: 5000965; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET] Java applet was removed"; content: "91005 type="; classtype: web-application-activity; reference: url,wiki.quadrantsec.com/bin/view/Main/5000966; sid: 5000966; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET] ActiveX script was removed"; content: "91010 type="; classtype: web-application-activity; reference: url,wiki.quadrantsec.com/bin/view/Main/5000967; sid: 5000967; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET] URL was in blacklist"; content: "93002 type="; classtype: policy-violation; reference: url,wiki.quadrantsec.com/bin/view/Main/5000968; sid: 5000968; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET] URL belongs to a denied category"; content: "99501 type="; classtype: policy-violation; reference: url,wiki.quadrantsec.com/bin/view/Main/5000969; sid: 5000969; rev:2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET] calloc failed"; content: "93007 type="; content: "calloc"; content: "failed"; classtype: hardware-event; reference: url,wiki.quadrantsec.com/bin/view/Main/5000970; sid: 5000970; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET] FTP attempt"; content: "80000 type="; content: "user="; content: "group="; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/5000972; sid: 5000972; rev:2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET] Entered system conserve mode!"; content: "22802 type="; content: "entered system conserve mode"; classtype: hardware-event; reference: url,wiki.quadrantsec.com/bin/view/Main/5000973; sid: 5000973; rev:2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET] Leaving system conserve mode"; content: "22803 type="; content: "exited system conserve mode"; classtype: hardware-event; reference: url,wiki.quadrantsec.com/bin/view/Main/5000974; sid: 5000974; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET] General CRITICAL event"; content: "devname="; content: "pri=critical"; classtype: hardware-event; reference: url,wiki.quadrantsec.com/bin/view/Main/5000975; sid: 5000975; rev:2;)
# 01/04/2013
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET] Botnet traffic detected"; content: "app_list=|22|BotnetOnly|22| app_type=|22|Botnet|22|"; classtype: trojan-activity; parse_src_ip: 1; parse_dst_ip: 2; reference: url,wiki.quadrantsec.com/bin/view/Main/5001627; sid: 5001627; rev:3;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET] SSH traffic detected"; content: " service=SSH "; classtype: trojan-activity; parse_src_ip: 1; parse_dst_ip: 2; reference: url,wiki.quadrantsec.com/bin/view/Main/5001970; sid: 5001970; rev:2;)