unified2 0.5.4 → 0.6.0
- data/ChangeLog.md +10 -0
- data/README.md +41 -35
- data/Rakefile +3 -2
- data/bin/ru2 +76 -0
- data/example/example.rb +10 -18
- data/example/example2.rb +44 -0
- data/example/seeds/classification.config +1 -1
- data/example/seeds/gen-msg.map +86 -9
- data/example/seeds/sid-msg.map +2849 -316
- data/example/seeds/unified2-current.log +0 -0
- data/example/seeds/{unified2.log → unified2-legacy.log} +0 -0
- data/gemspec.yml +2 -1
- data/lib/unified2/classification.rb +12 -0
- data/lib/unified2/config_file.rb +4 -1
- data/lib/unified2/constructor/construct.rb +52 -6
- data/lib/unified2/constructor/event_ip4.rb +18 -3
- data/lib/unified2/constructor/event_ip6.rb +22 -4
- data/lib/unified2/constructor/extra_construct.rb +46 -0
- data/lib/unified2/constructor/extra_data.rb +37 -0
- data/lib/unified2/constructor/extra_data_header.rb +28 -0
- data/lib/unified2/constructor/legacy_event_ip4.rb +54 -0
- data/lib/unified2/constructor/legacy_event_ip6.rb +52 -0
- data/lib/unified2/constructor/packet.rb +9 -1
- data/lib/unified2/constructor/primitive/ipv4.rb +9 -0
- data/lib/unified2/constructor/record_header.rb +9 -0
- data/lib/unified2/constructor.rb +2 -1
- data/lib/unified2/core_ext/string.rb +2 -1
- data/lib/unified2/event.rb +290 -165
- data/lib/unified2/exceptions/binary_read_error.rb +11 -0
- data/lib/unified2/exceptions/file_not_found.rb +4 -1
- data/lib/unified2/exceptions/file_not_readable.rb +4 -1
- data/lib/unified2/exceptions/unknown_load_type.rb +4 -1
- data/lib/unified2/exceptions.rb +2 -1
- data/lib/unified2/extra.rb +128 -0
- data/lib/unified2/packet.rb +211 -0
- data/lib/unified2/protocol.rb +54 -63
- data/lib/unified2/sensor.rb +14 -2
- data/lib/unified2/signature.rb +12 -0
- data/lib/unified2/version.rb +4 -1
- data/lib/unified2.rb +65 -81
- data/spec/event_spec.rb +40 -27
- data/spec/legacy_event_spec.rb +122 -0
- data/spec/spec_helper.rb +10 -21
- data/spec/unified2_spec.rb +3 -3
- metadata +124 -140
- data/lib/unified2/payload.rb +0 -114
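--- a/data/ChangeLog.md
+++ b/data/ChangeLog.md
@@ -1,3 +1,13 @@
+=== 0.6.0 / 2011-11-13
+
+* update deps
+* added support for unified2 extra data
+* refactor Unified2#read & Unified2#watch
+* Interrupt now returns file position
+* updated spec for legacy u2 and current format changes
+* events can now have multiple packets
+* bug fixes and documentation
+
 === 0.5.4 / 2011-06-27
 
 * update packetfu ~> 1.1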
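--- a/data/README.md
+++ b/data/README.md
@@ -1,4 +1,4 @@
-#
+# Unified2
 
 * [Homepage](http://github.com/mephux/unified2)
 * [Issues](http://github.com/mephux/unified2/issues)
@@ -12,57 +12,63 @@ A ruby interface for unified2 output. rUnified2 allows you to manipulate unified
 ## Features
 
 * Monitor/Read unified2 logs & manipulate the data.
-* Numerous
+* Numerous convenience methods
 * Simple & Intuitive to Use
+* Supports legacy unified2 formats and the most current as of snort 2.9.1.3
+* Packet data, headers, hexdumps and more.
 
 ## Examples
 
-
-require 'unified2'
+require 'unified2'
 
-#
-
-#
+# Unified2 Configuration
+Unified2.configuration do
 
-
-
-
+# Sensor Configurations
+sensor :interface => 'en1',
+:name => 'Unified2 Example', :id => 3
 
-
-load :signatures, 'sid-msg.map'
-load :generators, 'gen-msg.map'
-load :classifications, 'classification.config'
-end
+load :signatures, 'seeds/sid-msg.map'
 
-
-
-
-# Watch a unified2 file for changes and process the results.
-#
+load :generators, 'seeds/gen-msg.map'
+
+load :classifications, 'seeds/classification.config'
 
-
-next if event.signature.name.blank?
-puts event
-end
+end
 
-
-# Parse a unified2 file and process the results.
+Unified2.watch('seeds/unified2-current.log', :first) do |event|
 
-
+puts event.id
 
-
+puts event.severity
 
-
+puts event.classification.name
 
-
-
+puts event.signature.name
+
+event.extras.each do |extra|
+puts extra.name
+puts extra.value
+end
+
+event.packets.each do |packet|
+puts packet.ip_header
+puts packet.protocol.header
+puts packet.hexdump(:header => false, :width => 40)
+end
+
+end
 
 ## Requirements
 
-* bindata ~> 1.
-* hexdump: ~> 0.
-* packetfu: ~> 1.
-
+* bindata ~> 1.4.x
+* hexdump: ~> 0.2.x
+* packetfu: ~> 1.1.x
+
+## TODO
+
+* Make both Event#watch and Event#read evented
+* User eventmachine to monitor the file i.e modify/delete/move/symlink
 
 ## Install
 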
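--- a/data/Rakefile
+++ b/data/Rakefile
@@ -1,3 +1,4 @@
+require 'psych'
 require 'rubygems'
 require 'rake'
 
@@ -26,7 +27,7 @@ task :test => :spec
 task :default => :spec
 
 begin
-gem 'yard', '~> 0.
+gem 'yard', '~> 0.7'
 require 'yard'
 
 YARD::Rake::YardocTask.new
@@ -36,4 +37,4 @@ rescue LoadError => e
 end
 end
 
-task :doc => :yard
+task :doc => :yard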
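--- a/data/bin/ru2
+++ b/data/bin/ru2
@@ -0,0 +1,76 @@
+#!/usr/bin/env ruby
+require 'unified2'
+
+path = ARGV.first
+
+Unified2.configuration do
+sensor :interface => 'en1',
+:name => 'Unified2 Example', :id => 0
+end
+
+
+def render(event)
+data = "EVENT\n"
+data += "\tevent id: #{event.id}\n"
+data += "\tsensor id: #{event.sensor.id}\n"
+data += "\ttimestamp: #{event.timestamp.strftime('%D %H:%M:%S')}\n"
+data += "\tseverity: #{event.severity}\n"
+data += "\tprotocol: #{event.protocol}\n"
+data += "\tsource ip: #{event.source_ip} (#{event.source_port})\n"
+data += "\tdestination ip: #{event.destination_ip} (#{event.destination_port})\n"
+data += "\tsignature: #{event.signature.id}\n"
+data += "\tclassification: #{event.classification.id}\n"
+data += "\tchecksum: #{event.checksum}\n"
+
+packet_count = 1
+length = event.packets.count
+
+event.packets.each do |packet|
+data += "\n\tPACKET (#{packet_count} of #{length})\n\n"
+
+data += "\tsensor id: #{event.sensor.id}"
+data += "\tevent id: #{event.id}"
+data += "\tevent second: #{packet.event_timestamp.to_i}\n"
+data += "\tpacket second: #{packet.timestamp.to_i}"
+data += "\tpacket microsecond: #{packet.microsecond.to_i}\n"
+data += "\tlinktype: #{packet.link_type}"
+data += "\tpacket length: #{packet.length}\n"
+data += "\tchecksum: #{packet.checksum}\n\n"
+
+hexdump = packet.hexdump(:width => 16)
+hexdump.each_line { |line| data += "\t" + line }
+
+packet_count += 1
+end
+
+extra_count = 1
+length = event.extras.count
+
+event.extras.each do |extra|
+data += "\n\tEXTRA (#{extra_count} of #{length})\n\n"
+
+data += "\tname: #{extra.name}"
+data += "\tevent type: #{extra.header[:event_type]}"
+data += "\tevent length: #{extra.header[:event_length]}\n"
+data += "\tsensor id: #{event.sensor.id}"
+data += "\tevent id: #{event.id}"
+data += "\tevent second: #{extra.timestamp}\n"
+data += "\ttype: #{extra.type_id}"
+data += "\tdata type: #{extra.data_type}"
+data += "\tlength: #{extra.length}\n"
+data += "\tvalue: " + extra.value + "\n"
+
+extra_count += 1
+end
+
+data += "\n"
+end
+
+unless path
+STDERR.puts "You must supply a unified2 log file."
+exit 1
+end
+
+Unified2.read(path) do |event|
+puts render(event)
+end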
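--- a/data/example/example.rb
+++ b/data/example/example.rb
@@ -1,33 +1,25 @@
-
+$:<< '../lib' << 'lib'
+
 require 'unified2'
 
 # Unified2 Configuration
 Unified2.configuration do
-
+
 # Sensor Configurations
-sensor :interface => 'en1',
-
+sensor :interface => 'en1',
+:name => 'Unified2 Example', :id => 3
 
-# Load signatures, generators & classifications into memory
 load :signatures, 'seeds/sid-msg.map'
 
 load :generators, 'seeds/gen-msg.map'
 
 load :classifications, 'seeds/classification.config'
-
+
 end
 
-
-
-#
-# The second argument is the last event processed by
-# the sensor. If the last_event_id column is blank in the
-# sensor table it will begin at the first available event.
-#
-Unified2.watch('seeds/unified2.log', :first) do |event|
-next if event.signature.blank?
-
+Unified2.watch('seeds/unified2-current.log', :first) do |event|
+
 puts event
-
-
+
 end
+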
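Review bot: The `:first` argument to `Unified2.watch` on new line 20 is now unexplained, because the only description of what the second argument means was on the comment lines that this hunk removes; a reader of the example cannot tell whether `:first` is a position, an event id, or a mode. I would keep a one-line note above the call, e.g. `# second argument: last event processed, or :first to start at the first available event`, worded from the removed text rather than from anything new. The `$:<< '../lib' << 'lib'` line added at the top, like the `seeds/...` paths, only resolves when the script is run from the example directory; a short comment saying so would save the next person a FileNotFound.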
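--- a/data/example/example2.rb
+++ b/data/example/example2.rb
@@ -0,0 +1,44 @@
+$:<< '../lib' << 'lib'
+
+require 'unified2'
+
+# Unified2 Configuration
+Unified2.configuration do
+
+# Sensor Configurations
+sensor :interface => 'en1',
+:name => 'Unified2 Example', :id => 3
+
+# Load signatures, generate events will be sent over the web socket
+# quickly so we slow down the process of
+# pushing events onto the channel.rs & classifications into memory
+load :signatures, 'seeds/sid-msg.map'
+
+load :generators, 'seeds/gen-msg.map'
+
+load :classifications, 'seeds/classification.config'
+
+end
+
+Unified2.watch('seeds/unified2-current.log', :first) do |event|
+
+puts event.id
+
+puts event.severity
+
+puts event.classification.name
+
+puts event.signature.name
+
+event.extras.each do |extra|
+puts extra.name
+puts extra.value
+end
+
+event.packets.each do |packet|
+puts packet.ip_header
+puts packet.protocol.header
+puts packet.hexdump(:header => false, :width => 40)
+end
+
+end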
@@ -1,4 +1,4 @@
|
|
1
|
-
# $Id: classification.config,v 1.4 2010
|
1
|
+
# $Id: classification.config,v 1.4 2010-04-15 19:53:02 mwatchinski Exp $
|
2
2
|
# The following includes information for prioritizing rules
|
3
3
|
#
|
4
4
|
# Each classification includes a shortname, a description, and a default
|
data/example/seeds/gen-msg.map
CHANGED
@@ -1,4 +1,4 @@
|
|
1
|
-
# $Id: gen-msg.map,v 1.10
|
1
|
+
# $Id: gen-msg.map,v 1.14 2011-10-07 20:21:24 nhoughton Exp $
|
2
2
|
# GENERATORS -> msg map
|
3
3
|
# Format: generatorid || alertid || MSG
|
4
4
|
|
@@ -40,7 +40,7 @@
|
|
40
40
|
111 || 5 || spp_stream4: Data on SYN Packet
|
41
41
|
111 || 6 || spp_stream4: Full XMAS Stealth Scan
|
42
42
|
111 || 7 || spp_stream4: SAPU Stealth Scan
|
43
|
-
111 || 8 || spp_stream4: FIN Stealth Scan
|
43
|
+
111 || 8 || spp_stream4: FIN Stealth Scan
|
44
44
|
111 || 9 || spp_stream4: NULL Stealth Scan
|
45
45
|
111 || 10 || spp_stream4: NMAP XMAS Stealth Scan
|
46
46
|
111 || 11 || spp_stream4: VECNA Stealth Scan
|
@@ -163,6 +163,10 @@
|
|
163
163
|
116 || 292 || snort_decoder: WARNING: IPv6 header has destination options followed by a routing header
|
164
164
|
116 || 293 || snort_decoder: WARNING: Two or more IP (v4 and/or v6) encapsulation layers present
|
165
165
|
116 || 294 || snort_decoder: WARNING: truncated Encapsulated Security Payload (ESP) header
|
166
|
+
116 || 295 || snort_decoder: WARNING: IPv6 header includes an option which is too big for the containing header.
|
167
|
+
116 || 296 || snort_decoder: WARNING: IPv6 packet includes out-of-order extension headers
|
168
|
+
116 || 297 || snort_decoder: WARNING: Two or more GTP encapsulation layers are present
|
169
|
+
116 || 298 || snort_decoder: WARNING: GTP header length is invalid
|
166
170
|
116 || 400 || snort_decoder: WARNING: XMAS Attack Detected!
|
167
171
|
116 || 401 || snort_decoder: WARNING: Nmap XMAS Attack Detected!
|
168
172
|
116 || 402 || snort_decoder: WARNING: DOS NAPTHA Vulnerability Detected!
|
@@ -215,6 +219,11 @@
|
|
215
219
|
116 || 449 || snort_decoder: WARNING: BAD-TRAFFIC Unassigned/Reserved IP protocol
|
216
220
|
116 || 450 || snort_decoder: WARNING: BAD-TRAFFIC Bad IP protocol
|
217
221
|
116 || 451 || snort_decoder: WARNING: ICMP PATH MTU denial of service attempt
|
222
|
+
116 || 452 || snort_decoder: WARNING: BAD-TRAFFIC linux ICMP header dos attempt
|
223
|
+
116 || 453 || snort_decoder: WARNING: IPV6 ISATAP spoof
|
224
|
+
116 || 454 || snort_decoder: WARNING: PGM NAK overflow
|
225
|
+
116 || 455 || snort_decoder: WARNING: IGMP options dos
|
226
|
+
116 || 456 || snort_decoder: WARNING: too many IPV6 extension headers
|
218
227
|
117 || 1 || spp_portscan2: Portscan detected!
|
219
228
|
118 || 1 || spp_conversation: Bad IP protocol!
|
220
229
|
119 || 1 || http_inspect: ASCII ENCODING
|
@@ -240,8 +249,22 @@
|
|
240
249
|
119 || 21 || http_inspect: MULTIPLE CONTENT LENGTH HEADER FIELDS
|
241
250
|
119 || 22 || http_inspect: CHUNK SIZE MISMATCH DETECTED
|
242
251
|
119 || 23 || http_inspect: INVALID IP IN TRUE-CLIENT-IP/XFF HEADER
|
252
|
+
119 || 24 || http_inspect: MULTIPLE HOST HEADERS DETECTED
|
253
|
+
119 || 25 || http_inspect: HOSTNAME EXCEEDS 255 CHARACTERS
|
254
|
+
119 || 26 || http_inspect: HEADER PARSING SPACE SATURATION
|
255
|
+
119 || 27 || http_inspect: CHUNKED ENCODING - EXCESSIVE CONSECUTIVE SMALL CHUNKS
|
256
|
+
119 || 28 || http_inspect: POST W/O CONTENT-LENGTH OR CHUNKS
|
243
257
|
120 || 1 || http_inspect: ANOMALOUS HTTP SERVER ON UNDEFINED HTTP PORT
|
244
258
|
120 || 2 || http_inspect: INVALID STATUS CODE IN HTTP RESPONSE
|
259
|
+
120 || 3 || http_inspect: NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE
|
260
|
+
120 || 4 || http_inspect: HTTP RESPONSE HAS UTF CHARSET WHICH FAILED TO NORMALIZE
|
261
|
+
120 || 5 || http_inspect: HTTP RESPONSE HAS UTF-7 CHARSET
|
262
|
+
120 || 6 || http_inspect: HTTP RESPONSE GZIP DECOMPRESSION FAILED
|
263
|
+
120 || 7 || http_inspect: CHUNKED ENCODING - EXCESSIVE CONSECUTIVE SMALL CHUNKS
|
264
|
+
120 || 8 || http_inspect: MESSAGE WITH INVALID CONTENT-LENGTH OR CHUNK SIZE
|
265
|
+
120 || 9 || http_inspect: JAVASCRIPT OBFUSCATION LEVELS EXCEEDS 2
|
266
|
+
120 || 10 || http_inspect: JAVASCRIPT WHITESPACES EXCEEDS MAX ALLOWED
|
267
|
+
120 || 11 || http_inspect: MULTIPLE ENCODINGS WITHIN JAVASCRIPT OBFUSCATION FUNCS
|
245
268
|
121 || 1 || flow-portscan: Fixed Scale Scanner Limit Exceeded
|
246
269
|
121 || 2 || flow-portscan: Sliding Scale Scanner Limit Exceeded
|
247
270
|
121 || 3 || flow-portscan: Fixed Scale Talker Limit Exceeded
|
@@ -294,6 +317,11 @@
|
|
294
317
|
124 || 6 || smtp: Illegal command
|
295
318
|
124 || 7 || smtp: Attempted header name buffer overflow
|
296
319
|
124 || 8 || smtp: Attempted X-Link2State command buffer overflow
|
320
|
+
124 || 9 || smtp: No memory available for decoding. Max Mime Mem exceeded.
|
321
|
+
124 || 10 || smtp: Base64 Decoding failed
|
322
|
+
124 || 11 || smtp: Quoted-Printable Decoding failed
|
323
|
+
124 || 12 || smtp: 7bit/8bit/binary/text Extraction failed
|
324
|
+
124 || 13 || smtp: Unix-to-Unix Decoding failed
|
297
325
|
125 || 1 || ftp_pp: Telnet command on FTP command channel
|
298
326
|
125 || 2 || ftp_pp: Invalid FTP command
|
299
327
|
125 || 3 || ftp_pp: FTP parameter length overflow
|
@@ -306,8 +334,8 @@
|
|
306
334
|
126 || 1 || telnet_pp: Telnet consecutive AYT overflow
|
307
335
|
126 || 2 || telnet_pp: Telnet data encrypted
|
308
336
|
126 || 3 || telnet_pp: Subnegotiation Begin without matching Subnegotiation End
|
309
|
-
128 || 1 || ssh: Gobbles exploit
|
310
|
-
128 || 2 || ssh: SSH1 CRC32 exploit
|
337
|
+
128 || 1 || ssh: Gobbles exploit
|
338
|
+
128 || 2 || ssh: SSH1 CRC32 exploit
|
311
339
|
128 || 3 || ssh: Server version string overflow
|
312
340
|
128 || 4 || ssh: Protocol mismatch
|
313
341
|
128 || 5 || ssh: Bad message direction
|
@@ -323,10 +351,15 @@
|
|
323
351
|
129 || 8 || stream5: Data sent on stream after TCP Reset
|
324
352
|
129 || 9 || stream5: TCP Client possibly hijacked, different Ethernet Address
|
325
353
|
129 || 10 || stream5: TCP Server possibly hijacked, different Ethernet Address
|
326
|
-
129 || 11 || stream5: TCP Data with no TCP Flags set
|
354
|
+
129 || 11 || stream5: TCP Data with no TCP Flags set
|
327
355
|
129 || 12 || stream5: TCP Small Segment Threshold Exceeded
|
328
356
|
129 || 13 || stream5: TCP 4-way handshake detected
|
329
357
|
129 || 14 || stream5: TCP Timestamp is missing
|
358
|
+
129 || 15 || stream5: Reset outside window
|
359
|
+
129 || 16 || stream5: FIN number is greater than prior FIN
|
360
|
+
129 || 17 || stream5: ACK number is greater than prior FIN
|
361
|
+
129 || 18 || stream5: Data sent on stream after TCP Reset received
|
362
|
+
129 || 19 || stream5: TCP window closed before receiving data
|
330
363
|
130 || 1 || dcerpc: Maximum memory usage reached
|
331
364
|
131 || 1 || dns: Obsolete DNS RData Type
|
332
365
|
131 || 2 || dns: Experimental DNS RData Type
|
@@ -374,18 +407,62 @@
|
|
374
407
|
133 || 41 || dcerpc2: Connectionless DCE/RPC - Invalid pdu type
|
375
408
|
133 || 42 || dcerpc2: Connectionless DCE/RPC - Data length less than header size
|
376
409
|
133 || 43 || dcerpc2: Connectionless DCE/RPC - Bad sequence number
|
377
|
-
133 || 44 || dcerpc2: SMB - Invalid SMB version 1 seen
|
378
|
-
133 || 45 || dcerpc2: SMB - Invalid SMB version 2 seen
|
379
|
-
133 || 46 || dcerpc2: SMB - Invalid user, tree connect, file binding
|
380
|
-
133 || 47 || dcerpc2: SMB - Excessive command compounding
|
410
|
+
#133 || 44 || dcerpc2: SMB - Invalid SMB version 1 seen
|
411
|
+
#133 || 45 || dcerpc2: SMB - Invalid SMB version 2 seen
|
412
|
+
#133 || 46 || dcerpc2: SMB - Invalid user, tree connect, file binding
|
413
|
+
#133 || 47 || dcerpc2: SMB - Excessive command compounding
|
381
414
|
134 || 1 || ppm: rule tree disabled
|
382
415
|
134 || 2 || ppm: rule tree enabled
|
383
416
|
135 || 1 || internal: syn received
|
384
417
|
135 || 2 || internal: session established
|
385
418
|
135 || 3 || internal: session cleared
|
419
|
+
136 || 1 || reputation: Packet is blacklisted
|
420
|
+
136 || 2 || reputation: Packet is whitelisted
|
421
|
+
137 || 1 || ssp_ssl: Invalid Client HELLO after Server HELLO Detected
|
422
|
+
137 || 2 || ssp_ssl: Invalid Server HELLO without Client HELLO Detected
|
386
423
|
138 || 2 || sensitive_data: sensitive data - Credit card numbers
|
387
424
|
138 || 3 || sensitive_data: sensitive data - U.S. social security numbers with dashes
|
388
425
|
138 || 4 || sensitive_data: sensitive data - U.S. social security numbers without dashes
|
389
426
|
138 || 5 || sensitive_data: sensitive data - eMail addresses
|
390
427
|
138 || 6 || sensitive_data: sensitive data - U.S. phone numbers
|
391
428
|
139 || 1 || sensitive_data: sensitive data global threshold exceeded
|
429
|
+
140 || 1 || sip: Maximum sessions reached
|
430
|
+
140 || 2 || sip: Empty request URI
|
431
|
+
140 || 3 || sip: URI is too long
|
432
|
+
140 || 4 || sip: Empty call-Id
|
433
|
+
140 || 5 || sip: Call-Id is too long
|
434
|
+
140 || 6 || sip: CSeq number is too large or negative
|
435
|
+
140 || 7 || sip: Request name in CSeq is too long
|
436
|
+
140 || 8 || sip: Empty From header
|
437
|
+
140 || 9 || sip: From header is too long
|
438
|
+
140 || 10 || sip: Empty To header
|
439
|
+
140 || 11 || sip: To header is too long
|
440
|
+
140 || 12 || sip: Empty Via header
|
441
|
+
140 || 13 || sip: Via header is too long
|
442
|
+
140 || 14 || sip: Empty Contact
|
443
|
+
140 || 15 || sip: Contact is too long
|
444
|
+
140 || 16 || sip: Content length is too large or negative
|
445
|
+
140 || 17 || sip: Multiple SIP messages in a packet
|
446
|
+
140 || 18 || sip: Content length mismatch
|
447
|
+
140 || 19 || sip: Request name is invalid
|
448
|
+
140 || 20 || sip: Invite replay attack
|
449
|
+
140 || 21 || sip: Illegal session information modification
|
450
|
+
140 || 22 || sip: Response status code is not a 3 digit number
|
451
|
+
140 || 23 || sip: Empty Content type
|
452
|
+
140 || 24 || sip: SIP version other than 2.0, 1.0, and 1.1 are invalid
|
453
|
+
140 || 25 || sip: Mismatch in Method of request and the CSEQ header
|
454
|
+
140 || 26 || sip: The method is unknown
|
455
|
+
141 || 1 || imap: Unknown IMAP4 command
|
456
|
+
141 || 2 || imap: Unknown IMAP4 response
|
457
|
+
141 || 3 || imap: No memory available for decoding. Memcap exceeded.
|
458
|
+
141 || 4 || imap: Base64 Decoding failed
|
459
|
+
141 || 5 || imap: Quoted-Printable Decoding failed
|
460
|
+
141 || 6 || imap: 7bit/8bit/binary/text Extraction failed
|
461
|
+
141 || 7 || imap: Unix-to-Unix Decoding failed
|
462
|
+
142 || 1 || pop: Unknown POP3 command
|
463
|
+
142 || 2 || pop: Unknown POP3 response
|
464
|
+
142 || 3 || pop: No memory available for decoding. Memcap exceeded.
|
465
|
+
142 || 4 || pop: Base64 Decoding failed
|
466
|
+
142 || 5 || pop: Quoted-Printable Decoding failed
|
467
|
+
142 || 6 || pop: 7bit/8bit/binary/text Extraction failed
|
468
|
+
142 || 7 || pop: Unix-to-Unix Decoding failed
|