unified2 0.1.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
data/.document ADDED
@@ -0,0 +1,3 @@
1
+ -
2
+ ChangeLog.*
3
+ LICENSE.txt
data/.rspec ADDED
@@ -0,0 +1 @@
1
+ --colour --format documentation
data/.yardopts ADDED
@@ -0,0 +1 @@
1
+ --markup rdoc --title "unified2 Documentation" --protected
data/ChangeLog.rdoc ADDED
@@ -0,0 +1,9 @@
1
+ === 0.1.1 / 2011-03-09
2
+
3
+ * minor documentation fixes
4
+ * added proper example files
5
+
6
+ === 0.1.0 / 2011-03-08
7
+
8
+ * Initial release:
9
+
data/LICENSE.txt ADDED
@@ -0,0 +1,20 @@
1
+ Copyright (c) 2011 mephux
2
+
3
+ Permission is hereby granted, free of charge, to any person obtaining
4
+ a copy of this software and associated documentation files (the
5
+ "Software"), to deal in the Software without restriction, including
6
+ without limitation the rights to use, copy, modify, merge, publish,
7
+ distribute, sublicense, and/or sell copies of the Software, and to
8
+ permit persons to whom the Software is furnished to do so, subject to
9
+ the following conditions:
10
+
11
+ The above copyright notice and this permission notice shall be
12
+ included in all copies or substantial portions of the Software.
13
+
14
+ THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
15
+ EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
16
+ MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
17
+ NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
18
+ LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
19
+ OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
20
+ WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
data/README.rdoc ADDED
@@ -0,0 +1,61 @@
1
+ = unified2
2
+
3
+ * {Homepage}[https://github.com/mephux/unified2]
4
+ * {Documentation}[https://github.com/mephux/unified2]
5
+
6
+ == Description
7
+
8
+ A ruby interface for unified2 output. rUnified2 allows you to manipulate unified2 output for custom storage and/or analysis.
9
+
10
+ == Features
11
+
12
+ * Monitor unified2 logs and manipulate the data.
13
+ * Modular adaptor support (monogdb, mysql, postgresql, sguil etc..)
14
+ * Parse unified2 log files
15
+ * Numerous connivence methods for statistical analysis
16
+
17
+ == Examples
18
+
19
+ require 'unified2'
20
+
21
+ # load rules into memory
22
+ Unified2.configuration do
23
+ # Sensor Configurations
24
+ sensor :id => 1, :name => 'Test Sensor', :interface => 'en1'
25
+
26
+ # Load signatures, generators & classifications into memory
27
+ load :signatures, 'sid-msg.map'
28
+ load :generators, 'gen-msg.map'
29
+ load :classifications, 'classification.config'
30
+ end
31
+
32
+ # Unified2#watch
33
+ # Watch a unified2 file for changes and process the results.
34
+ Unified2.watch('/var/log/snort/merged.log', :last) do |event|
35
+ next if event.signature.name.blank?
36
+
37
+ puts "#{event.id} | #{event.ip_destination} | #{event.ip_source} | #{event.signature.name}"
38
+ puts event.payload.dump(:width => 30)
39
+ puts event.classification.name
40
+ end
41
+
42
+ # Unified2#read
43
+ # Parse a unified2 file and process the results.
44
+ Unified2.read('/var/log/snort/merged.log') do |event|
45
+ puts "#{event.id} | #{event.ip_destination} | #{event.ip_source} | #{event.signature.name}"
46
+ end
47
+
48
+ == Requirements
49
+
50
+ * bindata ~> 1.3.1
51
+ * hexdump: ~> 0.1.0
52
+
53
+ == Install
54
+
55
+ $ gem install unified2
56
+
57
+ == Copyright
58
+
59
+ Copyright (c) 2011 Dustin Willis Webber
60
+
61
+ See LICENSE.txt for details.
data/Rakefile ADDED
@@ -0,0 +1,39 @@
1
+ require 'rubygems'
2
+ require 'rake'
3
+
4
+ begin
5
+ gem 'ore-tasks', '~> 0.5.0'
6
+ require 'ore/tasks'
7
+
8
+ Ore::Tasks.new
9
+ rescue LoadError => e
10
+ STDERR.puts e.message
11
+ STDERR.puts "Run `gem install ore-tasks` to install 'ore/tasks'."
12
+ end
13
+
14
+ begin
15
+ gem 'rspec', '~> 2.4'
16
+ require 'rspec/core/rake_task'
17
+
18
+ RSpec::Core::RakeTask.new
19
+ rescue LoadError => e
20
+ task :spec do
21
+ abort "Please run `gem install rspec` to install RSpec."
22
+ end
23
+ end
24
+
25
+ task :test => :spec
26
+ task :default => :spec
27
+
28
+ begin
29
+ gem 'yard', '~> 0.6.0'
30
+ require 'yard'
31
+
32
+ YARD::Rake::YardocTask.new
33
+ rescue LoadError => e
34
+ task :yard do
35
+ abort "Please run `gem install yard` to install YARD."
36
+ end
37
+ end
38
+
39
+ task :doc => :yard
@@ -0,0 +1,67 @@
1
+ # $Id: classification.config,v 1.4 2010/04/15 19:53:02 mwatchinski Exp $
2
+ # The following includes information for prioritizing rules
3
+ #
4
+ # Each classification includes a shortname, a description, and a default
5
+ # priority for that classification.
6
+ #
7
+ # This allows alerts to be classified and prioritized. You can specify
8
+ # what priority each classification has. Any rule can override the default
9
+ # priority for that rule.
10
+ #
11
+ # Here are a few example rules:
12
+ #
13
+ # alert TCP any any -> any 80 (msg: "EXPLOIT ntpdx overflow";
14
+ # dsize: > 128; classtype:attempted-admin; priority:10;
15
+ #
16
+ # alert TCP any any -> any 25 (msg:"SMTP expn root"; flags:A+; \
17
+ # content:"expn root"; nocase; classtype:attempted-recon;)
18
+ #
19
+ # The first rule will set its type to "attempted-admin" and override
20
+ # the default priority for that type to 10.
21
+ #
22
+ # The second rule set its type to "attempted-recon" and set its
23
+ # priority to the default for that type.
24
+ #
25
+
26
+ #
27
+ # config classification:shortname,short description,priority
28
+ #
29
+
30
+ config classification: not-suspicious,Not Suspicious Traffic,3
31
+ config classification: unknown,Unknown Traffic,3
32
+ config classification: bad-unknown,Potentially Bad Traffic, 2
33
+ config classification: attempted-recon,Attempted Information Leak,2
34
+ config classification: successful-recon-limited,Information Leak,2
35
+ config classification: successful-recon-largescale,Large Scale Information Leak,2
36
+ config classification: attempted-dos,Attempted Denial of Service,2
37
+ config classification: successful-dos,Denial of Service,2
38
+ config classification: attempted-user,Attempted User Privilege Gain,1
39
+ config classification: unsuccessful-user,Unsuccessful User Privilege Gain,1
40
+ config classification: successful-user,Successful User Privilege Gain,1
41
+ config classification: attempted-admin,Attempted Administrator Privilege Gain,1
42
+ config classification: successful-admin,Successful Administrator Privilege Gain,1
43
+
44
+
45
+ # NEW CLASSIFICATIONS
46
+ config classification: rpc-portmap-decode,Decode of an RPC Query,2
47
+ config classification: shellcode-detect,Executable Code was Detected,1
48
+ config classification: string-detect,A Suspicious String was Detected,3
49
+ config classification: suspicious-filename-detect,A Suspicious Filename was Detected,2
50
+ config classification: suspicious-login,An Attempted Login Using a Suspicious Username was Detected,2
51
+ config classification: system-call-detect,A System Call was Detected,2
52
+ config classification: tcp-connection,A TCP Connection was Detected,4
53
+ config classification: trojan-activity,A Network Trojan was Detected, 1
54
+ config classification: unusual-client-port-connection,A Client was Using an Unusual Port,2
55
+ config classification: network-scan,Detection of a Network Scan,3
56
+ config classification: denial-of-service,Detection of a Denial of Service Attack,2
57
+ config classification: non-standard-protocol,Detection of a Non-Standard Protocol or Event,2
58
+ config classification: protocol-command-decode,Generic Protocol Command Decode,3
59
+ config classification: web-application-activity,Access to a Potentially Vulnerable Web Application,2
60
+ config classification: web-application-attack,Web Application Attack,1
61
+ config classification: misc-activity,Misc activity,3
62
+ config classification: misc-attack,Misc Attack,2
63
+ config classification: icmp-event,Generic ICMP event,3
64
+ config classification: inappropriate-content,Inappropriate Content was Detected,1
65
+ config classification: policy-violation,Potential Corporate Privacy Violation,1
66
+ config classification: default-login-attempt,Attempt to Login By a Default Username and Password,2
67
+ config classification: sdf,Sensitive Data was Transmitted Across the Network,2
@@ -0,0 +1,43 @@
1
+ $:.unshift File.join(File.dirname(__FILE__), "..", "lib")
2
+ require 'unified2'
3
+ require 'pp'
4
+
5
+ # Unified2 Configuration
6
+ Unified2.configuration do
7
+ # Sensor Configurations
8
+ sensor :id => 200, :name => 'Hello Sensor', :interface => 'en1'
9
+
10
+ # Load signatures, generators & classifications into memory
11
+ load :signatures, 'sid-msg.map'
12
+ load :generators, 'gen-msg.map'
13
+ load :classifications, 'classification.config'
14
+ end
15
+
16
+ # Unified2#watch will continuously monitor
17
+ # the unified output for modifications and
18
+ # process the data accordingly.
19
+
20
+ Unified2.watch('unified2', 1) do |event|
21
+ next if event.signature.blank?
22
+
23
+ puts event.signature.name
24
+
25
+ # puts "#{event.sensor.name} #{event.timestamp} || #{event.source_port} #{event.destination_port} | #{event.protocol}"
26
+
27
+ # #{event.source_port} #{event.destination_port}
28
+ # puts "#{event.id} | #{event.ip_destination} | #{event.ip_source} | #{event.signature.name}"
29
+ # {event.generator_id} || #{event.signature.id}
30
+ end
31
+
32
+ # Unified2#read will parse the supplied
33
+ # unified2 output and return records untill EOF.
34
+
35
+ # @signatures = []
36
+ # Unified2.watch('unified2', 101) do |event|
37
+ # next if event.signature.name.blank?
38
+ # next if @signatures.include?(event.signature.id)
39
+ #
40
+ # @signatures.push event.signature.id
41
+ #
42
+ # puts "#{event.id} | #{event.ip_destination} | #{event.ip_source} | #{event.signature.name}"
43
+ # end
@@ -0,0 +1,391 @@
1
+ # $Id: gen-msg.map,v 1.10 2010/07/07 15:51:00 nhoughton Exp $
2
+ # GENERATORS -> msg map
3
+ # Format: generatorid || alertid || MSG
4
+
5
+ 1 || 1 || snort general alert
6
+ 2 || 1 || tag: Tagged Packet
7
+ 3 || 1 || snort dynamic alert
8
+ 100 || 1 || spp_portscan: Portscan Detected
9
+ 100 || 2 || spp_portscan: Portscan Status
10
+ 100 || 3 || spp_portscan: Portscan Ended
11
+ 101 || 1 || spp_minfrag: minfrag alert
12
+ 102 || 1 || http_decode: Unicode Attack
13
+ 102 || 2 || http_decode: CGI NULL Byte Attack
14
+ 102 || 3 || http_decode: large method attempted
15
+ 102 || 4 || http_decode: missing uri
16
+ 102 || 5 || http_decode: double encoding detected
17
+ 102 || 6 || http_decode: illegal hex values detected
18
+ 102 || 7 || http_decode: overlong character detected
19
+ 103 || 1 || spp_defrag: Fragmentation Overflow Detected
20
+ 103 || 2 || spp_defrag: Stale Fragments Discarded
21
+ 104 || 1 || spp_anomsensor: SPADE Anomaly Threshold Exceeded
22
+ 104 || 2 || spp_anomsensor: SPADE Anomaly Threshold Adjusted
23
+ 105 || 1 || spp_bo: Back Orifice Traffic Detected
24
+ 105 || 2 || spp_bo: Back Orifice Client Traffic Detected
25
+ 105 || 3 || spp_bo: Back Orifice Server Traffic Detected
26
+ 105 || 4 || spp_bo: Back Orifice Snort Buffer Attack
27
+ 106 || 1 || spp_rpc_decode: Fragmented RPC Records
28
+ 106 || 2 || spp_rpc_decode: Multiple Records in one packet
29
+ 106 || 3 || spp_rpc_decode: Large RPC Record Fragment
30
+ 106 || 4 || spp_rpc_decode: Incomplete RPC segment
31
+ 106 || 5 || spp_rpc_decode: Zero-length RPC Fragment
32
+ 110 || 1 || spp_unidecode: CGI NULL Attack
33
+ 110 || 2 || spp_unidecode: Directory Traversal
34
+ 110 || 3 || spp_unidecode: Unknown Mapping
35
+ 110 || 4 || spp_unidecode: Invalid Mapping
36
+ 111 || 1 || spp_stream4: Stealth Activity Detected
37
+ 111 || 2 || spp_stream4: Evasive Reset Packet
38
+ 111 || 3 || spp_stream4: Retransmission
39
+ 111 || 4 || spp_stream4: Window Violation
40
+ 111 || 5 || spp_stream4: Data on SYN Packet
41
+ 111 || 6 || spp_stream4: Full XMAS Stealth Scan
42
+ 111 || 7 || spp_stream4: SAPU Stealth Scan
43
+ 111 || 8 || spp_stream4: FIN Stealth Scan
44
+ 111 || 9 || spp_stream4: NULL Stealth Scan
45
+ 111 || 10 || spp_stream4: NMAP XMAS Stealth Scan
46
+ 111 || 11 || spp_stream4: VECNA Stealth Scan
47
+ 111 || 12 || spp_stream4: NMAP Fingerprint Stateful Detection
48
+ 111 || 13 || spp_stream4: SYN FIN Stealth Scan
49
+ 111 || 14 || spp_stream4: TCP forward overlap detected
50
+ 111 || 15 || spp_stream4: TTL Evasion attempt
51
+ 111 || 16 || spp_stream4: Evasive retransmitted data attempt
52
+ 111 || 17 || spp_stream4: Evasive retransmitted data with the data split attempt
53
+ 111 || 18 || spp_stream4: Multiple acked
54
+ 111 || 19 || spp_stream4: Shifting to Emergency Session Mode
55
+ 111 || 20 || spp_stream4: Shifting to Suspend Mode
56
+ 111 || 21 || spp_stream4: TCP Timestamp option has value of zero
57
+ 111 || 22 || spp_stream4: Too many overlapping TCP packets
58
+ 111 || 23 || spp_stream4: Packet in established TCP stream missing ACK
59
+ 111 || 24 || spp_stream4: Evasive FIN Packet
60
+ 111 || 25 || spp_stream4: SYN on established
61
+ 112 || 1 || spp_arpspoof: Directed ARP Request
62
+ 112 || 2 || spp_arpspoof: Etherframe ARP Mismatch SRC
63
+ 112 || 3 || spp_arpspoof: Etherframe ARP Mismatch DST
64
+ 112 || 4 || spp_arpspoof: ARP Cache Overwrite Attack
65
+ 113 || 1 || spp_frag2: Oversized Frag
66
+ 113 || 2 || spp_frag2: Teardrop/Fragmentation Overlap Attack
67
+ 113 || 3 || spp_frag2: TTL evasion detected
68
+ 113 || 4 || spp_frag2: overlap detected
69
+ 113 || 5 || spp_frag2: Duplicate first fragments
70
+ 113 || 6 || spp_frag2: memcap exceeded
71
+ 113 || 7 || spp_frag2: Out of order fragments
72
+ 113 || 8 || spp_frag2: IP Options on Fragmented Packet
73
+ 113 || 9 || spp_frag2: Shifting to Emegency Session Mode
74
+ 113 || 10 || spp_frag2: Shifting to Suspend Mode
75
+ 114 || 1 || spp_fnord: Possible Mutated GENERIC NOP Sled detected
76
+ 114 || 2 || spp_fnord: Possible Mutated IA32 NOP Sled detected
77
+ 114 || 3 || spp_fnord: Possible Mutated HPPA NOP Sled detected
78
+ 114 || 4 || spp_fnord: Possible Mutated SPARC NOP Sled detected
79
+ 115 || 1 || spp_asn1: Indefinite ASN.1 length encoding
80
+ 115 || 2 || spp_asn1: Invalid ASN.1 length encoding
81
+ 115 || 3 || spp_asn1: ASN.1 oversized item, possible overflow
82
+ 115 || 4 || spp_asn1: ASN.1 spec violation, possible overflow
83
+ 115 || 5 || spp_asn1: ASN.1 Attack: Datum length > packet length
84
+ 116 || 1 || snort_decoder: WARNING: Not IPv4 datagram!
85
+ 116 || 2 || snort_decoder: WARNING: hlen < IP_HEADER_LEN!
86
+ 116 || 3 || snort_decoder: WARNING: IP dgm len < IP Hdr len!
87
+ 116 || 4 || snort_decoder: WARNING: Bad IPv4 Options
88
+ 116 || 5 || snort_decoder: WARNING: Truncated IPv4 Options
89
+ 116 || 6 || snort_decoder: WARNING: IP dgm len > captured len!
90
+ 116 || 45 || snort_decoder: WARNING: TCP packet len is smaller than 20 bytes!
91
+ 116 || 46 || snort_decoder: WARNING: TCP Data Offset is less than 5!
92
+ 116 || 47 || snort_decoder: WARNING: TCP Data Offset is longer than payload!
93
+ 116 || 54 || snort_decoder: WARNING: Tcp Options found with bad lengths
94
+ 116 || 55 || snort_decoder: WARNING: Truncated Tcp Options
95
+ 116 || 56 || snort_decoder: WARNING: T/TCP Detected
96
+ 116 || 57 || snort_decoder: WARNING: Obsolete TCP options
97
+ 116 || 58 || snort_decoder: WARNING: Experimental TCP options
98
+ 116 || 59 || snort_decoder: WARNING: TCP Window Scale Option Scale Invalid (> 14)
99
+ 116 || 95 || snort_decoder: WARNING: Truncated UDP Header!
100
+ 116 || 96 || snort_decoder: WARNING: Invalid UDP header, length field < 8
101
+ 116 || 97 || snort_decoder: WARNING: Short UDP packet, length field > payload length
102
+ 116 || 98 || snort_decoder: WARNING: Long UDP packet, length field < payload length
103
+ 116 || 105 || snort_decoder: WARNING: ICMP Header Truncated!
104
+ 116 || 106 || snort_decoder: WARNING: ICMP Timestamp Header Truncated!
105
+ 116 || 107 || snort_decoder: WARNING: ICMP Address Header Truncated!
106
+ 116 || 108 || snort_decoder: WARNING: Unknown Datagram decoding problem!
107
+ 116 || 109 || snort_decoder: WARNING: Truncated ARP Packet!
108
+ 116 || 110 || snort_decoder: WARNING: Truncated EAP Header!
109
+ 116 || 111 || snort_decoder: WARNING: EAP Key Truncated!
110
+ 116 || 112 || snort_decoder: WARNING: EAP Header Truncated!
111
+ 116 || 120 || snort_decoder: WARNING: Bad PPPOE frame detected!
112
+ 116 || 130 || snort_decoder: WARNING: Bad VLAN Frame!
113
+ 116 || 131 || snort_decoder: WARNING: Bad LLC header!
114
+ 116 || 132 || snort_decoder: WARNING: Bad Extra LLC Info!
115
+ 116 || 133 || snort_decoder: WARNING: Bad 802.11 LLC header!
116
+ 116 || 134 || snort_decoder: WARNING: Bad 802.11 Extra LLC Info!
117
+ 116 || 140 || snort_decoder: WARNING: Bad Token Ring Header!
118
+ 116 || 141 || snort_decoder: WARNING: Bad Token Ring ETHLLC Header!
119
+ 116 || 142 || snort_decoder: WARNING: Bad Token Ring MRLEN Header!
120
+ 116 || 143 || snort_decoder: WARNING: Bad Token Ring MR Header!
121
+ 116 || 150 || snort_decoder: WARNING: Bad Traffic Loopback IP!
122
+ 116 || 151 || snort_decoder: WARNING: Bad Traffic Same Src/Dst IP!
123
+ 116 || 160 || snort_decoder: WARNING: GRE header length > payload length
124
+ 116 || 161 || snort_decoder: WARNING: Multiple encapsulations in packet
125
+ 116 || 162 || snort_decoder: WARNING: Invalid GRE version
126
+ 116 || 163 || snort_decoder: WARNING: Invalid GRE v.0 header
127
+ 116 || 164 || snort_decoder: WARNING: Invalid GRE v.1 PPTP header
128
+ 116 || 165 || snort_decoder: WARNING: GRE Trans header length > payload length
129
+ 116 || 170 || snort_decoder: WARNING: Bad MPLS Frame
130
+ 116 || 171 || snort_decoder: WARNING: MPLS Label 0 Appears in Nonbottom Header
131
+ 116 || 172 || snort_decoder: WARNING: MPLS Label 1 Appears in Bottom Header
132
+ 116 || 173 || snort_decoder: WARNING: MPLS Label 2 Appears in Nonbottom Header
133
+ 116 || 174 || snort_decoder: WARNING: Bad use of label 3
134
+ 116 || 175 || snort_decoder: WARNING: MPLS Label 4, 5,.. or 15 Appears in Header
135
+ 116 || 176 || snort_decoder: WARNING: Too Many MPLS headers
136
+ 116 || 250 || snort_decoder: WARNING: ICMP Original IP Header Truncated!
137
+ 116 || 251 || snort_decoder: WARNING: ICMP Original IP Header Not IPv4!
138
+ 116 || 252 || snort_decoder: WARNING: ICMP Original Datagram Length < Original IP Header Length!
139
+ 116 || 253 || snort_decoder: WARNING: ICMP Original IP Payload < 64 bits!
140
+ 116 || 254 || snort_decoder: WARNING: ICMP Original IP Payload > 576 bytes!
141
+ 116 || 255 || snort_decoder: WARNING: ICMP Original IP Fragmented and Offset Not 0!
142
+ 116 || 270 || snort_decoder: WARNING: IPV6 packet exceeded TTL limit
143
+ 116 || 271 || snort_decoder: WARNING: IPv6 header claims to not be IPv6
144
+ 116 || 272 || snort_decoder: WARNING: IPV6 truncated extension header
145
+ 116 || 273 || snort_decoder: WARNING: IPV6 truncated header
146
+ 116 || 274 || snort_decoder: WARNING: IPV6 dgm len < IPV6 Hdr len!
147
+ 116 || 275 || snort_decoder: WARNING: IPV6 dgm len > captured len!
148
+ 116 || 276 || snort_decoder: WARNING: IPv6 packet with destination address ::0
149
+ 116 || 277 || snort_decoder: WARNING: IPv6 packet with multicast source address
150
+ 116 || 278 || snort_decoder: WARNING: IPv6 packet with reserved multicast destination address
151
+ 116 || 279 || snort_decoder: WARNING: IPv6 header includes an undefined option type
152
+ 116 || 280 || snort_decoder: WARNING: IPv6 address includes an unassigned multicast scope value
153
+ 116 || 281 || snort_decoder: WARNING: IPv6 header includes an invalid value for the "next header" field
154
+ 116 || 282 || snort_decoder: WARNING: IPv6 header includes a routing extension header followed by a hop-by-hop header
155
+ 116 || 283 || snort_decoder: WARNING: IPv6 header includes two routing extension headers
156
+ 116 || 285 || snort_decoder: WARNING: ICMPv6 packet of type 2 (message too big) with MTU field < 1280
157
+ 116 || 286 || snort_decoder: WARNING: ICMPv6 packet of type 1 (destination unreachable) with invalid code field
158
+ 116 || 287 || snort_decoder: WARNING: ICMPv6 router solicitation packet with a code not equal to 0
159
+ 116 || 288 || snort_decoder: WARNING: ICMPv6 router advertisement packet with a code not equal to 0
160
+ 116 || 289 || snort_decoder: WARNING: ICMPv6 router solicitation packet with the reserved field not equal to 0
161
+ 116 || 290 || snort_decoder: WARNING: ICMPv6 router advertisement packet with the reachable time field set > 1 hour
162
+ 116 || 291 || snort_decoder: WARNING: IPV6 tunneled over IPv4, IPv6 header truncated, possible Linux Kernel attack
163
+ 116 || 292 || snort_decoder: WARNING: IPv6 header has destination options followed by a routing header
164
+ 116 || 293 || snort_decoder: WARNING: Two or more IP (v4 and/or v6) encapsulation layers present
165
+ 116 || 294 || snort_decoder: WARNING: truncated Encapsulated Security Payload (ESP) header
166
+ 116 || 400 || snort_decoder: WARNING: XMAS Attack Detected!
167
+ 116 || 401 || snort_decoder: WARNING: Nmap XMAS Attack Detected!
168
+ 116 || 402 || snort_decoder: WARNING: DOS NAPTHA Vulnerability Detected!
169
+ 116 || 403 || snort_decoder: WARNING: Bad Traffic SYN to multicast address
170
+ 116 || 404 || snort_decoder: WARNING: IPV4 packet with zero TTL
171
+ 116 || 405 || snort_decoder: WARNING: IPV4 packet with bad frag bits (Both MF and DF set)
172
+ 116 || 406 || snort_decoder: WARNING: Invalid IPv6 UDP packet, checksum zero
173
+ 116 || 407 || snort_decoder: WARNING: IPV4 packet frag offset + length exceed maximum
174
+ 116 || 408 || snort_decoder: WARNING: IPV4 packet from 'current net' source address
175
+ 116 || 409 || snort_decoder: WARNING: IPV4 packet to 'current net' dest address
176
+ 116 || 410 || snort_decoder: WARNING: IPV4 packet from multicast source address
177
+ 116 || 411 || snort_decoder: WARNING: IPV4 packet from reserved source address
178
+ 116 || 412 || snort_decoder: WARNING: IPV4 packet to reserved dest address
179
+ 116 || 413 || snort_decoder: WARNING: IPV4 packet from broadcast source address
180
+ 116 || 414 || snort_decoder: WARNING: IPV4 packet to broadcast dest address
181
+ 116 || 415 || snort_decoder: WARNING: ICMP4 packet to multicast dest address
182
+ 116 || 416 || snort_decoder: WARNING: ICMP4 packet to broadcast dest address
183
+ 116 || 417 || snort_decoder: WARNING: ICMP4 source quence
184
+ 116 || 418 || snort_decoder: WARNING: ICMP4 type other
185
+ 116 || 419 || snort_decoder: WARNING: TCP urgent pointer exceeds payload length or no payload
186
+ 116 || 420 || snort_decoder: WARNING: TCP SYN with FIN
187
+ 116 || 421 || snort_decoder: WARNING: TCP SYN with RST
188
+ 116 || 422 || snort_decoder: WARNING: TCP PDU missing ack for established session
189
+ 116 || 423 || snort_decoder: WARNING: TCP has no SYN, ACK, or RST
190
+ 116 || 424 || snort_decoder: WARNING: truncated eth header
191
+ 116 || 425 || snort_decoder: WARNING: truncated IP4 header
192
+ 116 || 426 || snort_decoder: WARNING: truncated ICMP4 header
193
+ 116 || 427 || snort_decoder: WARNING: truncated ICMP6 header
194
+ 116 || 428 || snort_decoder: WARNING: IPV4 packet below TTL limit
195
+ 116 || 429 || snort_decoder: WARNING: IPV6 packet has zero hop limit
196
+ 116 || 430 || snort_decoder: WARNING: IPV4 packet both DF and offset set
197
+ 116 || 431 || snort_decoder: WARNING: ICMP6 type not decoded
198
+ 116 || 432 || snort_decoder: WARNING: ICMP6 packet to multicast address
199
+ 116 || 433 || snort_decoder: WARNING: DDOS shaft synflood
200
+ 116 || 434 || snort_decoder: WARNING: ICMP PING NMAP
201
+ 116 || 435 || snort_decoder: WARNING: ICMP icmpenum v1.1.1
202
+ 116 || 436 || snort_decoder: WARNING: ICMP redirect host
203
+ 116 || 437 || snort_decoder: WARNING: ICMP redirect net
204
+ 116 || 438 || snort_decoder: WARNING: ICMP traceroute ipopts
205
+ 116 || 439 || snort_decoder: WARNING: ICMP Source Quench
206
+ 116 || 440 || snort_decoder: WARNING: Broadscan Smurf Scanner
207
+ 116 || 441 || snort_decoder: WARNING: ICMP Destination Unreachable Communication Administratively Prohibited
208
+ 116 || 442 || snort_decoder: WARNING: ICMP Destination Unreachable Communication with Destination Host is Administratively Prohibited
209
+ 116 || 443 || snort_decoder: WARNING: ICMP Destination Unreachable Communication with Destination Network is Administratively Prohibited
210
+ 116 || 444 || snort_decoder: WARNING: MISC IP option set
211
+ 116 || 445 || snort_decoder: WARNING: MISC Large UDP Packet
212
+ 116 || 446 || snort_decoder: WARNING: BAD-TRAFFIC TCP port 0 traffic
213
+ 116 || 447 || snort_decoder: WARNING: BAD-TRAFFIC UDP port 0 traffic
214
+ 116 || 448 || snort_decoder: WARNING: BAD-TRAFFIC IP reserved bit set
215
+ 116 || 449 || snort_decoder: WARNING: BAD-TRAFFIC Unassigned/Reserved IP protocol
216
+ 116 || 450 || snort_decoder: WARNING: BAD-TRAFFIC Bad IP protocol
217
+ 116 || 451 || snort_decoder: WARNING: ICMP PATH MTU denial of service attempt
218
+ 117 || 1 || spp_portscan2: Portscan detected!
219
+ 118 || 1 || spp_conversation: Bad IP protocol!
220
+ 119 || 1 || http_inspect: ASCII ENCODING
221
+ 119 || 2 || http_inspect: DOUBLE DECODING ATTACK
222
+ 119 || 3 || http_inspect: U ENCODING
223
+ 119 || 4 || http_inspect: BARE BYTE UNICODE ENCODING
224
+ 119 || 5 || http_inspect: BASE36 ENCODING
225
+ 119 || 6 || http_inspect: UTF-8 ENCODING
226
+ 119 || 7 || http_inspect: IIS UNICODE CODEPOINT ENCODING
227
+ 119 || 8 || http_inspect: MULTI_SLASH ENCODING
228
+ 119 || 9 || http_inspect: IIS BACKSLASH EVASION
229
+ 119 || 10 || http_inspect: SELF DIRECTORY TRAVERSAL
230
+ 119 || 11 || http_inspect: DIRECTORY TRAVERSAL
231
+ 119 || 12 || http_inspect: APACHE WHITESPACE (TAB)
232
+ 119 || 13 || http_inspect: NON-RFC HTTP DELIMITER
233
+ 119 || 14 || http_inspect: NON-RFC DEFINED CHAR
234
+ 119 || 15 || http_inspect: OVERSIZE REQUEST-URI DIRECTORY
235
+ 119 || 16 || http_inspect: OVERSIZE CHUNK ENCODING
236
+ 119 || 17 || http_inspect: UNAUTHORIZED PROXY USE DETECTED
237
+ 119 || 18 || http_inspect: WEBROOT DIRECTORY TRAVERSAL
238
+ 119 || 19 || http_inspect: LONG HEADER
239
+ 119 || 20 || http_inspect: MAX HEADERS
240
+ 119 || 21 || http_inspect: MULTIPLE CONTENT LENGTH HEADER FIELDS
241
+ 119 || 22 || http_inspect: CHUNK SIZE MISMATCH DETECTED
242
+ 119 || 23 || http_inspect: INVALID IP IN TRUE-CLIENT-IP/XFF HEADER
243
+ 120 || 1 || http_inspect: ANOMALOUS HTTP SERVER ON UNDEFINED HTTP PORT
244
+ 120 || 2 || http_inspect: INVALID STATUS CODE IN HTTP RESPONSE
245
+ 121 || 1 || flow-portscan: Fixed Scale Scanner Limit Exceeded
246
+ 121 || 2 || flow-portscan: Sliding Scale Scanner Limit Exceeded
247
+ 121 || 3 || flow-portscan: Fixed Scale Talker Limit Exceeded
248
+ 121 || 4 || flow-portscan: Sliding Scale Talker Limit Exceeded
249
+ 122 || 1 || portscan: TCP Portscan
250
+ 122 || 2 || portscan: TCP Decoy Portscan
251
+ 122 || 3 || portscan: TCP Portsweep
252
+ 122 || 4 || portscan: TCP Distributed Portscan
253
+ 122 || 5 || portscan: TCP Filtered Portscan
254
+ 122 || 6 || portscan: TCP Filtered Decoy Portscan
255
+ 122 || 7 || portscan: TCP Filtered Portsweep
256
+ 122 || 8 || portscan: TCP Filtered Distributed Portscan
257
+ 122 || 9 || portscan: IP Protocol Scan
258
+ 122 || 10 || portscan: IP Decoy Protocol Scan
259
+ 122 || 11 || portscan: IP Protocol Sweep
260
+ 122 || 12 || portscan: IP Distributed Protocol Scan
261
+ 122 || 13 || portscan: IP Filtered Protocol Scan
262
+ 122 || 14 || portscan: IP Filtered Decoy Protocol Scan
263
+ 122 || 15 || portscan: IP Filtered Protocol Sweep
264
+ 122 || 16 || portscan: IP Filtered Distributed Protocol Scan
265
+ 122 || 17 || portscan: UDP Portscan
266
+ 122 || 18 || portscan: UDP Decoy Portscan
267
+ 122 || 19 || portscan: UDP Portsweep
268
+ 122 || 20 || portscan: UDP Distributed Portscan
269
+ 122 || 21 || portscan: UDP Filtered Portscan
270
+ 122 || 22 || portscan: UDP Filtered Decoy Portscan
271
+ 122 || 23 || portscan: UDP Filtered Portsweep
272
+ 122 || 24 || portscan: UDP Filtered Distributed Portscan
273
+ 122 || 25 || portscan: ICMP Sweep
274
+ 122 || 26 || portscan: ICMP Filtered Sweep
275
+ 122 || 27 || portscan: Open Port
276
+ 123 || 1 || frag3: IP Options on fragmented packet
277
+ 123 || 2 || frag3: Teardrop attack
278
+ 123 || 3 || frag3: Short fragment, possible DoS attempt
279
+ 123 || 4 || frag3: Fragment packet ends after defragmented packet
280
+ 123 || 5 || frag3: Zero-byte fragment
281
+ 123 || 6 || frag3: Bad fragment size, packet size is negative
282
+ 123 || 7 || frag3: Bad fragment size, packet size is greater than 65536
283
+ 123 || 8 || frag3: Fragmentation overlap
284
+ 123 || 9 || frag3: IPv6 BSD mbufs remote kernel buffer overflow
285
+ 123 || 10 || frag3: Bogus fragmentation packet. Possible BSD attack
286
+ 123 || 11 || frag3: TTL value less than configured minimum, not using for reassembly
287
+ 123 || 12 || frag3: Number of overlapping fragments exceed configured limit
288
+ 123 || 13 || frag3: Fragments smaller than configured min_fragment_length
289
+ 124 || 1 || smtp: Attempted command buffer overflow
290
+ 124 || 2 || smtp: Attempted data header buffer overflow
291
+ 124 || 3 || smtp: Attempted response buffer overflow
292
+ 124 || 4 || smtp: Attempted specific command buffer overflow
293
+ 124 || 5 || smtp: Unknown command
294
+ 124 || 6 || smtp: Illegal command
295
+ 124 || 7 || smtp: Attempted header name buffer overflow
296
+ 124 || 8 || smtp: Attempted X-Link2State command buffer overflow
297
+ 125 || 1 || ftp_pp: Telnet command on FTP command channel
298
+ 125 || 2 || ftp_pp: Invalid FTP command
299
+ 125 || 3 || ftp_pp: FTP parameter length overflow
300
+ 125 || 4 || ftp_pp: FTP malformed parameter
301
+ 125 || 5 || ftp_pp: Possible string format attempt in FTP command/parameter
302
+ 125 || 6 || ftp_pp: FTP response length overflow
303
+ 125 || 7 || ftp_pp: FTP command channel encrypted
304
+ 125 || 8 || ftp_pp: FTP bounce attack
305
+ 125 || 9 || ftp_pp: Evasive Telnet command on FTP command channel
306
+ 126 || 1 || telnet_pp: Telnet consecutive AYT overflow
307
+ 126 || 2 || telnet_pp: Telnet data encrypted
308
+ 126 || 3 || telnet_pp: Subnegotiation Begin without matching Subnegotiation End
309
+ 128 || 1 || ssh: Gobbles exploit
310
+ 128 || 2 || ssh: SSH1 CRC32 exploit
311
+ 128 || 3 || ssh: Server version string overflow
312
+ 128 || 4 || ssh: Protocol mismatch
313
+ 128 || 5 || ssh: Bad message direction
314
+ 128 || 6 || ssh: Payload size incorrect for the given payload
315
+ 128 || 7 || ssh: Failed to detect SSH version string
316
+ 129 || 1 || stream5: SYN on established session
317
+ 129 || 2 || stream5: Data on SYN packet
318
+ 129 || 3 || stream5: Data sent on stream not accepting data
319
+ 129 || 4 || stream5: TCP Timestamp is outside of PAWS window
320
+ 129 || 5 || stream5: Bad segment, overlap adjusted size less than/equal 0
321
+ 129 || 6 || stream5: Window size (after scaling) larger than policy allows
322
+ 129 || 7 || stream5: Limit on number of overlapping TCP packets reached
323
+ 129 || 8 || stream5: Data sent on stream after TCP Reset
324
+ 129 || 9 || stream5: TCP Client possibly hijacked, different Ethernet Address
325
+ 129 || 10 || stream5: TCP Server possibly hijacked, different Ethernet Address
326
+ 129 || 11 || stream5: TCP Data with no TCP Flags set
327
+ 129 || 12 || stream5: TCP Small Segment Threshold Exceeded
328
+ 129 || 13 || stream5: TCP 4-way handshake detected
329
+ 129 || 14 || stream5: TCP Timestamp is missing
330
+ 130 || 1 || dcerpc: Maximum memory usage reached
331
+ 131 || 1 || dns: Obsolete DNS RData Type
332
+ 131 || 2 || dns: Experimental DNS RData Type
333
+ 131 || 3 || dns: Client RData TXT Overflow
334
+ 133 || 1 || dcerpc2: Memory cap exceeded
335
+ 133 || 2 || dcerpc2: SMB - Bad NetBIOS Session Service session type
336
+ 133 || 3 || dcerpc2: SMB - Bad SMB message type
337
+ 133 || 4 || dcerpc2: SMB - Bad SMB Id (not "\xffSMB" for SMB1 or not "\xfeSMB" for SMB2)
338
+ 133 || 5 || dcerpc2: SMB - Bad word count or structure size for command
339
+ 133 || 6 || dcerpc2: SMB - Bad byte count for command
340
+ 133 || 7 || dcerpc2: SMB - Bad format type for command
341
+ 133 || 8 || dcerpc2: SMB - Bad AndX or data offset in command
342
+ 133 || 9 || dcerpc2: SMB - Zero total data count in command
343
+ 133 || 10 || dcerpc2: SMB - NetBIOS data length less than SMB header length
344
+ 133 || 11 || dcerpc2: SMB - Remaining NetBIOS data length less than command length
345
+ 133 || 12 || dcerpc2: SMB - Remaining NetBIOS data length less than command byte count
346
+ 133 || 13 || dcerpc2: SMB - Remaining NetBIOS data length less than command data size
347
+ 133 || 14 || dcerpc2: SMB - Remaining total data count less than this command data size
348
+ 133 || 15 || dcerpc2: SMB - Total data sent greater than command total data expected
349
+ 133 || 16 || dcerpc2: SMB - Byte count less than command data size
350
+ 133 || 17 || dcerpc2: SMB - Invalid command data size for byte count
351
+ 133 || 18 || dcerpc2: SMB - Excessive Tree Connect requests with pending Tree Connect responses
352
+ 133 || 19 || dcerpc2: SMB - Excessive Read requests with pending Read responses
353
+ 133 || 20 || dcerpc2: SMB - Excessive command chaining
354
+ 133 || 21 || dcerpc2: SMB - Multiple chained login requests
355
+ 133 || 22 || dcerpc2: SMB - Multiple chained tree connect requests
356
+ 133 || 23 || dcerpc2: SMB - Chained/Compounded login followed by logoff
357
+ 133 || 24 || dcerpc2: SMB - Chained/Compounded tree connect followed by tree disconnect
358
+ 133 || 25 || dcerpc2: SMB - Chained/Compounded open pipe followed by close pipe
359
+ 133 || 26 || dcerpc2: SMB - Invalid share access
360
+ 133 || 27 || dcerpc2: Connection-oriented DCE/RPC - Invalid major version
361
+ 133 || 28 || dcerpc2: Connection-oriented DCE/RPC - Invalid minor version
362
+ 133 || 29 || dcerpc2: Connection-oriented DCE/RPC - Invalid pdu type
363
+ 133 || 30 || dcerpc2: Connection-oriented DCE/RPC - Fragment length less than header size
364
+ 133 || 31 || dcerpc2: Connection-oriented DCE/RPC - Remaining fragment length less than size needed
365
+ 133 || 32 || dcerpc2: Connection-oriented DCE/RPC - No context items specified
366
+ 133 || 33 || dcerpc2: Connection-oriented DCE/RPC - No transfer syntaxes specified
367
+ 133 || 34 || dcerpc2: Connection-oriented DCE/RPC - Fragment length on non-last fragment less than maximum negotiated fragment transmit size for client
368
+ 133 || 35 || dcerpc2: Connection-oriented DCE/RPC - Fragment length greater than maximum negotiated fragment transmit size
369
+ 133 || 36 || dcerpc2: Connection-oriented DCE/RPC - Alter Context byte order different from Bind
370
+ 133 || 37 || dcerpc2: Connection-oriented DCE/RPC - Call id of non first/last fragment different from call id established for fragmented request
371
+ 133 || 38 || dcerpc2: Connection-oriented DCE/RPC - Opnum of non first/last fragment different from opnum established for fragmented request
372
+ 133 || 39 || dcerpc2: Connection-oriented DCE/RPC - Context id of non first/last fragment different from context id established for fragmented request
373
+ 133 || 40 || dcerpc2: Connectionless DCE/RPC - Invalid major version
374
+ 133 || 41 || dcerpc2: Connectionless DCE/RPC - Invalid pdu type
375
+ 133 || 42 || dcerpc2: Connectionless DCE/RPC - Data length less than header size
376
+ 133 || 43 || dcerpc2: Connectionless DCE/RPC - Bad sequence number
377
+ 133 || 44 || dcerpc2: SMB - Invalid SMB version 1 seen
378
+ 133 || 45 || dcerpc2: SMB - Invalid SMB version 2 seen
379
+ 133 || 46 || dcerpc2: SMB - Invalid user, tree connect, file binding
380
+ 133 || 47 || dcerpc2: SMB - Excessive command compounding
381
+ 134 || 1 || ppm: rule tree disabled
382
+ 134 || 2 || ppm: rule tree enabled
383
+ 135 || 1 || internal: syn received
384
+ 135 || 2 || internal: session established
385
+ 135 || 3 || internal: session cleared
386
+ 138 || 2 || sensitive_data: sensitive data - Credit card numbers
387
+ 138 || 3 || sensitive_data: sensitive data - U.S. social security numbers with dashes
388
+ 138 || 4 || sensitive_data: sensitive data - U.S. social security numbers without dashes
389
+ 138 || 5 || sensitive_data: sensitive data - eMail addresses
390
+ 138 || 6 || sensitive_data: sensitive data - U.S. phone numbers
391
+ 139 || 1 || sensitive_data: sensitive data global threshold exceeded