s/2011/2012. Added "after" to some rules.

apache.rules

@@ -1,5 +1,5 @@
 # Sagan apache.rules
-# Copyright (c) 2009-2011, Quadrant Information Security <www.quadrantsec.com>
+# Copyright (c) 2009-2012, Quadrant Information Security <www.quadrantsec.com>
 # All rights reserved.
 #
 # Please submit any custom rules or ideas to [email protected] or the sagan-sigs mailing list

apc-emu.rules

@@ -1,5 +1,5 @@
 # Sagan apc-emu.rules
-# Copyright (c) 2009-2011, Quadrant Information Security <www.quadrantsec.com>
+# Copyright (c) 2009-2012, Quadrant Information Security <www.quadrantsec.com>
 # All rights reserved.
 #
 # Please submit any custom rules or ideas to [email protected] or the sagan-sigs mailing list

arp-normalize.rulebase

@@ -1,5 +1,5 @@
 # Sagan arp-normalize.rulebase
-# Copyright (c) 2009-2011, Quadrant Information Security <www.quadrantsec.com>
+# Copyright (c) 2009-2012, Quadrant Information Security <www.quadrantsec.com>
 # All rights reserved.
 #
 # This file is used in conjunction with liblognorm.

arp.rules

@@ -1,5 +1,5 @@
 # Sagan arp.rules
-# Copyright (c) 2009-2011, Quadrant Information Security <www.quadrantsec.com>
+# Copyright (c) 2009-2012, Quadrant Information Security <www.quadrantsec.com>
 # All rights reserved.
 #
 # Please submit any custom rules or ideas to [email protected] or the sagan-sigs mailing list

asterisk.rules

@@ -1,5 +1,5 @@
 # Sagan asterisk.rules
-# Copyright (c) 2009-2011, Quadrant Information Security <www.quadrantsec.com>
+# Copyright (c) 2009-2012, Quadrant Information Security <www.quadrantsec.com>
 # All rights reserved.
 #
 # Please submit any custom rules or ideas to [email protected] or the sagan-sigs mailing list

attack.rules

@@ -1,5 +1,5 @@
 # Sagan attack.rules
-# Copyright (c) 2009-2011, Quadrant Information Security <www.quadrantsec.com>
+# Copyright (c) 2009-2012, Quadrant Information Security <www.quadrantsec.com>
 # All rights reserved.
 #
 # Please submit any custom rules or ideas to [email protected] or the sagan-sigs mailing list

bash.rules

@@ -1,5 +1,5 @@
 # Sagan bash.rules
-# Copyright (c) 2009-2011, Quadrant Information Security <www.quadrantsec.com>
+# Copyright (c) 2009-2012, Quadrant Information Security <www.quadrantsec.com>
 # All rights reserved.
 #
 # Please submit any custom rules or ideas to [email protected] or the sagan-sigs mailing list

bind.rules

@@ -1,5 +1,5 @@
 # Sagan bind.rules
-# Copyright (c) 2009-2011, Quadrant Information Security <www.quadrantsec.com>
+# Copyright (c) 2009-2012, Quadrant Information Security <www.quadrantsec.com>
 # All rights reserved.
 #
 # Please submit any custom rules or ideas to [email protected] or the sagan-sigs mailing list

bonding.rules

@@ -1,5 +1,5 @@
 # Sagan bonding.rules
-# Copyright (c) 2009-2011, Quadrant Information Security <www.quadrantsec.com>
+# Copyright (c) 2009-2012, Quadrant Information Security <www.quadrantsec.com>
 # All rights reserved.
 #
 # Please submit any custom rules or ideas to [email protected] or the sagan-sigs mailing list

bro-ids.rules

@@ -1,5 +1,5 @@
 # Sagan bro-ids.rules
-# Copyright (c) 2009-2011, Quadrant Information Security <www.quadrantsec.com>
+# Copyright (c) 2009-2012, Quadrant Information Security <www.quadrantsec.com>
 # All rights reserved.
 #
 # Please submit any custom rules or ideas to [email protected] or the sagan-sigs mailing list

cacti-thold.rules

@@ -1,5 +1,5 @@
 # Sagan cacti-thold.rules
-# Copyright (c) 2009-2011, Quadrant Information Security <www.quadrantsec.com>
+# Copyright (c) 2009-2012, Quadrant Information Security <www.quadrantsec.com>
 # All rights reserved.
 #
 # Please submit any custom rules or ideas to [email protected] or the sagan-sigs mailing list

cisco-ios.rules

@@ -1,5 +1,5 @@
 # Sagan cisco-ios.rules
-# Copyright (c) 2009-2011, Quadrant Information Security <www.quadrantsec.com>
+# Copyright (c) 2009-2012, Quadrant Information Security <www.quadrantsec.com>
 # All rights reserved.
 #
 # Please submit any custom rules or ideas to [email protected] or the sagan-sigs mailing list

cisco-normalize.rulebase

@@ -1,5 +1,5 @@
 # Sagan cisco-normalize.rulebase
-# Copyright (c) 2009-2011, Quadrant Information Security <www.quadrantsec.com>
+# Copyright (c) 2009-2012, Quadrant Information Security <www.quadrantsec.com>
 # All rights reserved.
 #
 # This file is used in conjunction with liblognorm.

cisco-pixasa.rules

@@ -1,5 +1,5 @@
 # Sagan cisco-pixasa.rules
-# Copyright (c) 2009-2011, Quadrant Information Security <www.quadrantsec.com>
+# Copyright (c) 2009-2012, Quadrant Information Security <www.quadrantsec.com>
 # All rights reserved.
 #
 # Please submit any custom rules or ideas to [email protected] or the sagan-sigs mailing list

classification.config

@@ -1,5 +1,5 @@
 # Sagan classification.config
-# Copyright (c) 2009-2011, Quadrant Information Security <www.quadrantsec.com>
+# Copyright (c) 2009-2012, Quadrant Information Security <www.quadrantsec.com>
 # All rights reserved.
 #
 # Please submit any custom rules or ideas to [email protected] or the sagan-sigs mailing list

courier.rules

@@ -1,5 +1,5 @@
 # Sagan courier.rules
-# Copyright (c) 2009-2011, Quadrant Information Security <www.quadrantsec.com>
+# Copyright (c) 2009-2012, Quadrant Information Security <www.quadrantsec.com>
 # All rights reserved.
 #
 # Please submit any custom rules or ideas to [email protected] or the sagan-sigs mailing list

dns-normalize.rulebase

@@ -1,5 +1,5 @@
 # Sagan dns-normalize.rulebase
-# Copyright (c) 2009-2011, Quadrant Information Security <www.quadrantsec.com>
+# Copyright (c) 2009-2012, Quadrant Information Security <www.quadrantsec.com>
 # All rights reserved.
 #
 # This file is used in conjunction with liblognorm.

dovecot.rules

@@ -1,5 +1,5 @@
 # Sagan dovecot.rules
-# Copyright (c) 2009-2011, Quadrant Information Security <www.quadrantsec.com>
+# Copyright (c) 2009-2012, Quadrant Information Security <www.quadrantsec.com>
 # All rights reserved.
 #
 # Please submit any custom rules or ideas to [email protected] or the sagan-sigs mailing list

fortinet.rules

@@ -1,5 +1,5 @@
 # Sagan fortinet.rules
-# Copyright (c) 2009-2011, Quadrant Information Security <www.quadrantsec.com>
+# Copyright (c) 2009-2012, Quadrant Information Security <www.quadrantsec.com>
 # All rights reserved.
 #
 # Please submit any custom rules or ideas to [email protected] or the sagan-sigs mailing list

ftpd.rules

@@ -1,5 +1,5 @@
 # Sagan ftpd.rules
-# Copyright (c) 2009-2011, Quadrant Information Security <www.quadrantsec.com>
+# Copyright (c) 2009-2012, Quadrant Information Security <www.quadrantsec.com>
 # All rights reserved.
 #
 # Please submit any custom rules or ideas to [email protected] or the sagan-sigs mailing list

grsec.rules

@@ -1,5 +1,5 @@
 # Sagan grsec.rules
-# Copyright (c) 2009-2011, Quadrant Information Security <www.quadrantsec.com>
+# Copyright (c) 2009-2012, Quadrant Information Security <www.quadrantsec.com>
 # All rights reserved.
 #
 # Please submit any custom rules or ideas to [email protected] or the sagan-sigs mailing list

hordeimp.rules

@@ -1,5 +1,5 @@
 # Sagan hordeimp.rules
-# Copyright (c) 2009-2011, Quadrant Information Security <www.quadrantsec.com>
+# Copyright (c) 2009-2012, Quadrant Information Security <www.quadrantsec.com>
 # All rights reserved.
 #
 # Please submit any custom rules or ideas to [email protected] or the sagan-sigs mailing list

hostapd.rules

@@ -1,5 +1,5 @@
 # Sagan hostapd.rules
-# Copyright (c) 2009-2011, Quadrant Information Security <www.quadrantsec.com>
+# Copyright (c) 2009-2012, Quadrant Information Security <www.quadrantsec.com>
 # All rights reserved.
 #
 # Please submit any custom rules or ideas to [email protected] or the sagan-sigs mailing list

imap-normalize.rulebase

@@ -1,5 +1,5 @@
 # Sagan imap-normalize.rulebase
-# Copyright (c) 2009-2011, Quadrant Information Security <www.quadrantsec.com>
+# Copyright (c) 2009-2012, Quadrant Information Security <www.quadrantsec.com>
 # All rights reserved.
 #
 # This file is used in conjunction with liblognorm.

imapd.rules

@@ -1,5 +1,5 @@
 # Sagan imapd.rules
-# Copyright (c) 2009-2011, Quadrant Information Security <www.quadrantsec.com>
+# Copyright (c) 2009-2012, Quadrant Information Security <www.quadrantsec.com>
 # All rights reserved.
 #
 # Please submit any custom rules or ideas to [email protected] or the sagan-sigs mailing list

ipop3d.rules

@@ -1,5 +1,5 @@
 # Sagan ipop3d.rules
-# Copyright (c) 2009-2011, Quadrant Information Security <www.quadrantsec.com>
+# Copyright (c) 2009-2012, Quadrant Information Security <www.quadrantsec.com>
 # All rights reserved.
 #
 # Please submit any custom rules or ideas to [email protected] or the sagan-sigs mailing list

juniper.rules

@@ -1,5 +1,5 @@
 # Sagan juniper.rules
-# Copyright (c) 2009-2011, Quadrant Information Security <www.quadrantsec.com>
+# Copyright (c) 2009-2012, Quadrant Information Security <www.quadrantsec.com>
 # All rights reserved.
 #
 # Please submit any custom rules or ideas to [email protected] or the sagan-sigs mailing list

kismet.rules

@@ -1,5 +1,5 @@
 # Sagan kismet.rules
-# Copyright (c) 2009-2011, Quadrant Information Security <www.quadrantsec.com>
+# Copyright (c) 2009-2012, Quadrant Information Security <www.quadrantsec.com>
 # All rights reserved.
 #
 # Please submit any custom rules or ideas to [email protected] or the sagan-sigs mailing list

knockd.rules

@@ -1,5 +1,5 @@
 # Sagan knockd.rules
-# Copyright (c) 2009-2011, Quadrant Information Security <www.quadrantsec.com>
+# Copyright (c) 2009-2012, Quadrant Information Security <www.quadrantsec.com>
 # All rights reserved.
 #
 # Please submit any custom rules or ideas to [email protected] or the sagan-sigs mailing list

linux-kernel-normalize.rulebase

@@ -1,5 +1,5 @@
 # Sagan linux-kernel-normalize.rulebase
-# Copyright (c) 2009-2011, Quadrant Information Security <www.quadrantsec.com>
+# Copyright (c) 2009-2012, Quadrant Information Security <www.quadrantsec.com>
 # All rights reserved.
 #
 # This file is used in conjunction with liblognorm.

linux-kernel.rules

@@ -1,5 +1,5 @@
 # linux-kernel.rules
-# Copyright (c) 2009-2011, Quadrant Information Security <www.quadrantsec.com>
+# Copyright (c) 2009-2012, Quadrant Information Security <www.quadrantsec.com>
 # All rights reserved.
 #
 # Please submit any custom rules or ideas to [email protected] or the sagan-sigs mailing list

milter.rules

@@ -1,5 +1,5 @@
 # Sagan milter.rules
-# Copyright (c) 2009-2011, Quadrant Information Security <www.quadrantsec.com>
+# Copyright (c) 2009-2012, Quadrant Information Security <www.quadrantsec.com>
 # All rights reserved.
 #
 # Please submit any custom rules or ideas to [email protected] or the sagan-sigs mailing list

mysql.rules

@@ -1,5 +1,5 @@
 # Sagan mysql.rules
-# Copyright (c) 2009-2011, Quadrant Information Security <www.quadrantsec.com>
+# Copyright (c) 2009-2012, Quadrant Information Security <www.quadrantsec.com>
 # All rights reserved.
 #
 # Please submit any custom rules or ideas to [email protected] or the sagan-sigs mailing list

nginx.rules

@@ -1,5 +1,5 @@
 # Sagan nginx.rules
-# Copyright (c) 2009-2011, Quadrant Information Security <www.quadrantsec.com>
+# Copyright (c) 2009-2012, Quadrant Information Security <www.quadrantsec.com>
 # All rights reserved.
 #
 # Please submit any custom rules or ideas to [email protected] or the sagan-sigs mailing list

ntp.rules

@@ -1,5 +1,5 @@
 # Sagan ntp.rules
-# Copyright (c) 2009-2011, Quadrant Information Security <www.quadrantsec.com>
+# Copyright (c) 2009-2012, Quadrant Information Security <www.quadrantsec.com>
 # All rights reserved.
 #
 # Please submit any custom rules or ideas to [email protected] or the sagan-sigs mailing list

openssh-normalize.rulebase

@@ -1,5 +1,5 @@
 # Sagan openssh-normalize.rulebase
-# Copyright (c) 2009-2011, Quadrant Information Security <www.quadrantsec.com>
+# Copyright (c) 2009-2012, Quadrant Information Security <www.quadrantsec.com>
 # All rights reserved.
 #
 # This file is used in conjunction with liblognorm.

openssh.rules

@@ -1,5 +1,5 @@
 # Sagan openssh.rules
-# Copyright (c) 2009-2011, Quadrant Information Security <www.quadrantsec.com>
+# Copyright (c) 2009-2012, Quadrant Information Security <www.quadrantsec.com>
 # All rights reserved.
 #
 # Please submit any custom rules or ideas to [email protected] or the sagan-sigs mailing list
@@ -30,9 +30,10 @@
 # need to set that to "No" so Sagan can "find" the source IP addresses and
 # port information.
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"[OPENSSH] PAM Authentication failure"; content: "Authentication failure"; classtype: unsuccessful-user; reference: url,wiki.quadrantsec.com/bin/view/Main/5000015; normalize: openssh; program: sshd; threshold:type limit, track by_src, count 5, seconds 300; sid: 5000015; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"[OPENSSH] Authentication failure"; content: "authentication failure"; classtype: unsuccessful-user;program: sshd; threshold:type limit, track by_src, count 5, seconds 300; normalize: openssh; reference: url,wiki.quadrantsec.com/bin/view/Main/5000016; sid: 5000016; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"[OPENSSH] Authentication failure for root"; content: "Authentication failure for root"; classtype: unsuccessful-admin;program: sshd; threshold:type limit, track by_src, count 5, seconds 300; parse_ip; parse_port; reference: url,wiki.quadrantsec.com/bin/view/Main/5000017; sid: 5000017; rev:2;)
+
+alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"[OPENSSH] PAM Authentication failure"; content: "Authentication failure"; classtype: unsuccessful-user; reference: url,wiki.quadrantsec.com/bin/view/Main/5000015; normalize: openssh; program: sshd; after: track by_src, count 3, seconds 300; threshold: type limit, track by_src, count 5, seconds 300; sid: 5000015; rev:3;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"[OPENSSH] Authentication failure"; content: "authentication failure"; classtype: unsuccessful-user;program: sshd; after: track by_src, count 3, seconds 300; threshold: type limit, track by_src, count 5, seconds 300; normalize: openssh; reference: url,wiki.quadrantsec.com/bin/view/Main/5000016; sid: 5000016; rev:3;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"[OPENSSH] Authentication failure for root"; content: "Authentication failure for root"; classtype: unsuccessful-admin;program: sshd; after: track by_src, count 3, seconds 300; threshold: type limit, track by_src, count 5, seconds 300; normalize: openssh; reference: url,wiki.quadrantsec.com/bin/view/Main/5000017; sid: 5000017; rev:3;)
 alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"[OPENSSH] Possible break-in attempt"; content: "POSSIBLE BREAK-IN ATTEMPT"; classtype: unsuccessful-user; program: sshd; threshold: type limit, track by_src, count 5, seconds 300; parse_ip; parse_port; reference: url,wiki.quadrantsec.com/bin/view/Main/5000018; sid: 5000018; rev:2;)
 alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"[OPENSSH] Not executable shell - login attempt"; content: "is not executable"; classtype: unsuccessful-user; program: sshd; parse_ip; reference: url,wiki.quadrantsec.com/bin/view/Main/5000020; sid: 5000020; rev:2;)
 alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"[OPENSSH] Message send write error"; content: "ssh_msg_send";classtype: network-event; program: sshd; reference: url,wiki.quadrantsec.com/bin/view/Main/5000021; sid:5000021; rev:1;)
@@ -86,4 +87,3 @@ alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"[OPENSSH] Session closed"; con
 alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"[OPENSSH] Received disconnect"; content: "Received disconnect from"; classtype: not-suspicious; program: sshd; parse_ip; reference: url,wiki.quadrantsec.com/bin/view/Main/5000408; sid:5000408; rev:2;)
 alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg: "[OPENSSH] User logged into a disabled account"; pcre: "/accepted|authenticated/i"; pcre: "/^apache$|^mysql$|^www$|^nobody$|^nogroup$|^portmap$|^named$|^rpc$|^mail$|^ftp$|^shutdown$|^halt$|^daemon$|^bin$|^postfix$|^shell$|^info$|^guest$|^psql$|^user$|^users$|^console$|^uucp$|^lp$|^sync$|^sshd$|^cdrom$|^ossec$|^sagan$/"; parse_ip; parse_port; classtype: successful-user; reference: url,wiki.quadrantsec.com/bin/view/Main/5000411; program: sshd; sid: 5000411; rev:2;)
 
-

ossec-mi.rules

@@ -2,7 +2,7 @@
 ## OSSEC SAGAN RULES (autogenerated)
 ##
 ## Sagan is:
-## Copyright (c) 2009-2011, Quadrant Information Security
+## Copyright (c) 2009-2012, Quadrant Information Security
 ## All rights reserved.
 ##
 ## Please submit any custom rules or ideas to [email protected] or the sagan-sigs mailing list

ossec.rules

@@ -1,5 +1,5 @@
 # Sagan ossec.rules
-# Copyright (c) 2009-2011, Quadrant Information Security <www.quadrantsec.com>
+# Copyright (c) 2009-2012, Quadrant Information Security <www.quadrantsec.com>
 # All rights reserved.
 #
 # Please submit any custom rules or ideas to [email protected] or the sagan-sigs mailing list

php.rules

@@ -1,5 +1,5 @@
 # Sagan php.rules
-# Copyright (c) 2009-2011, Quadrant Information Security <www.quadrantsec.com>
+# Copyright (c) 2009-2012, Quadrant Information Security <www.quadrantsec.com>
 # All rights reserved.
 #
 # Please submit any custom rules or ideas to [email protected] or the sagan-sigs mailing list

postfix.rules

@@ -1,5 +1,5 @@
 # Sagan postfix.rules
-# Copyright (c) 2009-2011, Quadrant Information Security <www.quadrantsec.com>
+# Copyright (c) 2009-2012, Quadrant Information Security <www.quadrantsec.com>
 # All rights reserved.
 #
 # Please submit any custom rules or ideas to [email protected] or the sagan-sigs mailing list

postgresql.rules

@@ -1,5 +1,5 @@
 # Sagan postgresql.rules
-# Copyright (c) 2009-2011, Quadrant Information Security <www.quadrantsec.com>
+# Copyright (c) 2009-2012, Quadrant Information Security <www.quadrantsec.com>
 # All rights reserved.
 #
 # Please submit any custom rules or ideas to [email protected] or the sagan-sigs mailing list

pptp.rules

@@ -1,5 +1,5 @@
 # Sagan pptp.rules
-# Copyright (c) 2009-2011, Quadrant Information Security <www.quadrantsec.com>
+# Copyright (c) 2009-2012, Quadrant Information Security <www.quadrantsec.com>
 # All rights reserved.
 #
 # Please submit any custom rules or ideas to [email protected] or the sagan-sigs mailing list

proftpd.rules

@@ -1,5 +1,5 @@
 # Sagan proftpd.rules
-# Copyright (c) 2009-2011, Quadrant Information Security <www.quadrantsec.com>
+# Copyright (c) 2009-2012, Quadrant Information Security <www.quadrantsec.com>
 # All rights reserved.
 #
 # Please submit any custom rules or ideas to [email protected] or the sagan-sigs mailing list

pure-ftpd.rules

@@ -1,5 +1,5 @@
 # Sagan pure-ftpd.rules
-# Copyright (c) 2009-2011, Quadrant Information Security <www.quadrantsec.com>
+# Copyright (c) 2009-2012, Quadrant Information Security <www.quadrantsec.com>
 # All rights reserved.
 #
 # Please submit any custom rules or ideas to [email protected] or the sagan-sigs mailing list

racoon.rules

@@ -1,5 +1,5 @@
 # Sagan racoon.rules
-# Copyright (c) 2009-2011, Quadrant Information Security <www.quadrantsec.com>
+# Copyright (c) 2009-2012, Quadrant Information Security <www.quadrantsec.com>
 # All rights reserved.
 #
 # Please submit any custom rules or ideas to [email protected] or the sagan-sigs mailing list

reference.config

@@ -1,5 +1,5 @@
 # Sagan apache.rules
-# Copyright (c) 2009-2011, Quadrant Information Security <www.quadrantsec.com>
+# Copyright (c) 2009-2012, Quadrant Information Security <www.quadrantsec.com>
 # All rights reserved.
 #
 # Please submit any custom rules or ideas to [email protected] or the sagan-sigs mailing list

roundcube.rules

@@ -1,5 +1,5 @@
 # Sagan roundcube.rules
-# Copyright (c) 2009-2011, Quadrant Information Security <www.quadrantsec.com>
+# Copyright (c) 2009-2012, Quadrant Information Security <www.quadrantsec.com>
 # All rights reserved.
 #
 # Please submit any custom rules or ideas to [email protected] or the sagan-sigs mailing list

rsync.rules

@@ -1,5 +1,5 @@
 # Sagan rsync.rules
-# Copyright (c) 2009-2011, Quadrant Information Security <www.quadrantsec.com>
+# Copyright (c) 2009-2012, Quadrant Information Security <www.quadrantsec.com>
 # All rights reserved.
 #
 # Please submit any custom rules or ideas to [email protected] or the sagan-sigs mailing list

samba.rules

@@ -1,5 +1,5 @@
 # Sagan samba.rules
-# Copyright (c) 2009-2011, Quadrant Information Security <www.quadrantsec.com>
+# Copyright (c) 2009-2012, Quadrant Information Security <www.quadrantsec.com>
 # All rights reserved.
 #
 # Please submit any custom rules or ideas to [email protected] or the sagan-sigs mailing list