Which may be found at http://www.grotto-group.com/~gulfie/projects... maybe
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules Fri Dec 2 00:55:08 2005 | |
|---|---|
| Filename : line | Rules |
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 1 | #
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 2 | # $Id: bleeding-policy.rules,v 1.666 2005/11/30 00:14:20 bhartstein Exp $
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 3 | # Bleeding Snort Policy rules.
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 4 | # These are rules that are not stable, mature, or applicable enough to be part of the snort.org official sets.
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 5 | # Someday some may be, at which time they'll be removed from this list and be available via Snort.org
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 6 | # This is for the bleeding edge junkies. Use at your own risk!!!
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 7 | #
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 8 | # SID's are 2000000+ to avoid conflicts
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 9 | #
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 10 | # Only basic testing has been done. At this point all we guarantee is that they won't crash a recent snort release.
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 11 | #
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 12 | # More information available at www.bleedingsnort.com
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 13 | #
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 14 | # Please submit any custom rules or ideas to bleeding@bleedingsnort.com or the snort-sigs mailing list
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 15 | #
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 16 | #*************************************************************
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 17 | #
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 18 | # Copyright (c) 2005, Bleedingsnort.com
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 19 | # All rights reserved.
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 20 | #
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 21 | # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 22 | # following conditions are met:
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 23 | #
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 24 | # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 25 | # disclaimer.
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 26 | # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 27 | # following disclaimer in the documentation and/or other materials provided with the distribution.
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 28 | # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 29 | # from this software without specific prior written permission.
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 30 | #
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 31 | # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES,
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 32 | # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 33 | # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 34 | # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 35 | # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 36 | # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 37 | # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 38 | #
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 39 | #
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 40 | #By merphie. Please test this out, it should work on NT domains and 98. Disabled by default. The content string is the NetBIOS first-level encoding of the name ADMINISTRATOR (each byte split into two nibbles, each nibble added to 'A'), so the rule fires on a NetBIOS name-service packet carrying that name.
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 41 | #alert udp $HOME_NET any -> $HOME_NET 137 (msg: "BLEEDING-EDGE POLICY Administrator Login Detected"; content:"ebeeenejeoejfdfefcebfeepfc"; nocase; classtype: policy-violation; sid: 2001806; rev:2; )
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 42 |
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 43 | #Submitted by Matt Jonkman
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 44 | alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE AOL Webmail Message Send"; flow: to_server,established; uricontent:"/compose_frame.adp"; content:"POST"; classtype: policy-violation; sid: 2000571; rev:4; )
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 45 | alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE AOL Webmail Login"; flow: to_server,established; uricontent:"/login/login.psp?siteId="; content:"triedAimAuth"; classtype: policy-violation; sid: 2000572; rev:4; )
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 46 |
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 47 | #Submitted by Joseph Gama
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 48 | #Good rules, turn them on if you are interested. They are accurate. Note: several of the lines below have the direction operator written as "- >" (with a space), which Snort does not accept as "->", so fix that before uncommenting them; the "< =" in the ZIP rule's byte_test likely needs the same correction.
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 49 | #alert tcp $EXTERNAL_NET any - > $HOME_NET any (msg: "BLEEDING-EDGE Executable and linking format (ELF) file download"; flow: established; content:"|7F|ELF"; content:"|00 00 00 00 00 00 00 00|"; reference: url,www.itee.uq.edu.au/~cristina/students/david/honoursThesis96/bff.htm; classtype: misc-activity; sid: 2000418; rev:5; )
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 50 | #alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "BLEEDING-EDGE PE EXE or DLL Windows file download"; flow: established; content:"MZ"; isdataat: 76,relative; content:"This program cannot be run in DOS mode."; distance: 0; isdataat: 10,relative; content:"PE"; distance: 0; classtype: misc-activity; sid: 2000419; rev:6; )
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 51 | #alert tcp $EXTERNAL_NET any - > $HOME_NET any (msg: "BLEEDING-EDGE REG files version 4 download"; flow: established; content:"REGEDIT4"; content:"|0D 0A|"; content:"["; content:"HKEY_"; nocase; reference: url,www.ss64.com/nt/regedit.html; classtype: misc-activity; sid: 2000420; rev:6; )
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 52 | #alert tcp $EXTERNAL_NET any - > $HOME_NET any (msg: "BLEEDING-EDGE REG files version 5 download"; flow: established; content:"Windows Registry Editor Version 5.00"; content:"|0D 0A|"; content:"["; content:"HKEY_"; nocase; reference: url,www.ss64.com/nt/regedit.html; classtype: misc-activity; sid: 2000421; rev:6; )
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 53 | #alert tcp $EXTERNAL_NET any - > $HOME_NET any (msg: "BLEEDING-EDGE REG files version 5 Unicode download"; flow: established; content:"W|00|i|00|n|00|d|00|o|00|w|00|s|00| |00|R|00|e|00|g|00|i|00|s|00|t|00|r|00|y|00| |00|E|00|d|00|i|00|t|00|o|00|r|00| |00|V|00|e|00|r|00|s|00|i|00|o|00|n|00| |00|5|00|.|00|0|00|0|00|"; content:"|0D 0A|"; content:"[|00|"; content:"H|00|K|00|E|00|Y|00|_|00|"; nocase; reference: url,www.ss64.com/nt/regedit.html; classtype: misc-activity; sid: 2000422; rev:6; )
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 54 | #alert tcp $EXTERNAL_NET any - > $HOME_NET any (msg: "BLEEDING-EDGE NE EXE OS2 file download"; flow: established; content:"MZ"; isdataat: 76,relative; content:"This program cannot be run in a DOS session."; isdataat: 6,relative; content:"NE"; distance: 0; reference: url,www.itee.uq.edu.au/~cristina/students/david/honoursThesis96/bff.htm; classtype: misc-activity; sid: 2000423; rev:5; )
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 55 | #alert tcp $EXTERNAL_NET any - > $HOME_NET any (msg: "BLEEDING-EDGE LX EXE OS2 file download"; flow: established; content:"MZ"; isdataat: 76,relative; content:"This program cannot be run in a DOS session."; isdataat: 6,relative; content:"LX"; distance: 0; reference: url,www.itee.uq.edu.au/~cristina/students/david/honoursThesis96/bff.htm; classtype: misc-activity; sid: 2000424; rev:5; )
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 56 | #alert tcp $EXTERNAL_NET any - > $HOME_NET any (msg: "BLEEDING-EDGE NE EXE Windows 3.x file download"; flow: established; content:"MZ"; isdataat: 76,relative; content:"This program requires Microsoft Windows."; isdataat: 10,relative; content:"NE"; distance: 0; reference: url,www.itee.uq.edu.au/~cristina/students/david/honoursThesis96/bff.htm; classtype: misc-activity; sid: 2000425; rev:5; )
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 57 | #alert tcp $EXTERNAL_NET any - > $HOME_NET any (msg: "BLEEDING-EDGE EXE compressed PKWARE Windows file download"; flow: established; content:"MZ"; isdataat: 28,relative; content:"PKLITE"; distance: 0; reference: url,www.program-transformation.org/Transform/PcExeFormat; classtype: misc-activity; sid: 2000426; rev:5; )
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 58 | #alert tcp $EXTERNAL_NET any - > $HOME_NET any (msg: "BLEEDING-EDGE PE EXE Install Windows file download"; flow: established; content:"MZ"; isdataat: 76,relative; content:"This program must be run under Win32"; distance: 0; isdataat: 140,relative; content:"PE"; distance: 0; reference: url,www.program-transformation.org/Transform/PcExeFormat; classtype: misc-activity; sid: 2000427; rev:5; )
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 59 | #alert tcp $EXTERNAL_NET any - > $HOME_NET any (msg: "BLEEDING-EDGE ZIP file download"; flow: established; content:"PK|0304|"; byte_test:1, < =, 0x14, 0, string, hex;content:"|00 00 00|"; distance: 0; reference: url,zziplib.sourceforge.net/zzip-parse.print.html; classtype: misc-activity; sid: 2000428; rev:6; )
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 60 | #alert tcp $EXTERNAL_NET any - > $HOME_NET any (msg: "BLEEDING-EDGE Download Windows Help File CHM"; flow: established; content:"ITSF|03|"; isdataat: 19,relative; content:"|7C 01 FD 10 7B AA 11 D0 9E 0C 00 A0 C9 22 E6 EC 7C 01 FD 11 7B AA 11 D0 9E 0C 00 A0 C9 22 E6 EC|"; distance: 0; reference: url,www.speakeasy.org/~russotto/chm/chmformat.html; reference: url,www.securiteam.com/windowsntfocus/6V00N000AU.html; classtype: misc-activity; sid: 2000489; rev:5; )
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 60 | #alert tcp $EXTERNAL_NET any - > $HOME_NET any (msg: "BLEEDING-EDGE Download Windows Help File CHM"; flow: established; content:"ITSF|03|"; isdataat: 19,relative; content:"|7C 01 FD 10 7B AA 11 D0 9E 0C 00 A0 C9 22 E6 EC 7C 01 FD 11 7B AA 11 D0 9E 0C 00 A0 C9 22 E6 EC|"; distance: 0; reference: url,www.speakeasy.org/~russotto/chm/chmformat.html; reference: url,www.securiteam.com/windowsntfocus/6V00N000AU.html; classtype: misc-activity; sid: 2000489; rev:5; )
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 61 | #alert tcp $EXTERNAL_NET any - > $HOME_NET any (msg: "BLEEDING-EDGE Download Windows Help File CHM 2"; flow: established; content:"ITSF|03|"; isdataat: 19,relative; content:"|10 FD 01 7C AA 7B D0 11 9E 0C 00 A0 C9 22 E6 EC 11 FD 01 7C AA 7B D0 11 9E 0C 00 A0 C9 22 E6 EC|"; distance: 0; reference: url,www.speakeasy.org/~russotto/chm/chmformat.html; reference: url,www.securiteam.com/windowsntfocus/6V00N000AU.html; classtype: misc-activity; sid: 2000429; rev:5; )
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 61 | #alert tcp $EXTERNAL_NET any - > $HOME_NET any (msg: "BLEEDING-EDGE Download Windows Help File CHM 2"; flow: established; content:"ITSF|03|"; isdataat: 19,relative; content:"|10 FD 01 7C AA 7B D0 11 9E 0C 00 A0 C9 22 E6 EC 11 FD 01 7C AA 7B D0 11 9E 0C 00 A0 C9 22 E6 EC|"; distance: 0; reference: url,www.speakeasy.org/~russotto/chm/chmformat.html; reference: url,www.securiteam.com/windowsntfocus/6V00N000AU.html; classtype: misc-activity; sid: 2000429; rev:5; )
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 62 | #alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "BLEEDING-EDGE MSI (microsoft installer file) download"; flow: established; content:"|D0 CF 11 E0 A1 B1 1A E1|"; classtype: bad-unknown; sid: 2001115; rev:3; )
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 63 |
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 64 | #Submitted by Matt Jonkman
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 65 | alert tcp $HOME_NET 23 -> any any (msg: "BLEEDING-EDGE Cisco Device in Config Mode"; flow: established; content:"Enter configuration commands, one per line"; nocase; classtype: not-suspicious; sid: 2001239; rev:4; )
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 66 | alert tcp $HOME_NET 23 -> any any (msg: "BLEEDING-EDGE Cisco Device New Config Built"; flow: established; content:"Building configuration..."; nocase; classtype: not-suspicious; sid: 2001240; rev:4; )
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 67 |
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 68 | #By Cory Bys, Particle.bored.
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 69 | # These are going to increase load on a snort process, and are NOT FOOLPROOF. But they may help reveal issues
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 70 | # with information flow. NOTE: These will not detect classified UUEncoded docs (email attachments) etc.
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 71 | #
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 72 | # Email
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 73 | #
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 74 | # Non-US Restricted
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 75 | #alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE POLICY SMTP Non-US Restricted Outbound"; flow:to_server,established; content:"Subject|3A|"; pcre:"///([A-Z]{3}\s)+RESTRICTED//X5/ism"; classtype:policy-violation; sid:2002410; rev:1;)
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 76 | #
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 77 | # Non-US Confidential
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 78 | #alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE POLICY SMTP Non-US Confidential Outbound"; flow:to_server,established; content:"Subject|3A|"; pcre:"///([A-Z]{3}\s)+CONFIDENTIAL//X5/ism"; classtype:policy-violation; sid:2002411; rev:1;)
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 79 | #
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 80 | # Non-US Top Secret
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 81 | #alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE POLICY SMTP Non-US Top Secret Outbound"; flow:to_server,established; content:"Subject|3A|"; pcre:"///([A-Z]{3}\s)+TOP\sSECRET//X5/ism"; classtype:policy-violation; sid:2002412; rev:1;)
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 82 | #
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 83 | # Non-US Secret
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 84 | #alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE POLICY SMTP Non-US Secret"; flow:to_server,established; content:"Subject|3A|"; pcre:"///([A-Z]{3}\s)+(? |
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 85 | #
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 86 | # NATO Restricted
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 87 | #alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE POLICY SMTP NATO Restricted"; flow:to_server,established; content:"Subject|3A|"; pcre:"///((NATO\sRESTRICTED)|NR)//MR/ism"; classtype:policy-violation; sid:2002414; rev:1;)
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 88 | #
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 89 | # NATO Confidential Atomal
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 90 | #alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE POLICY SMTP NATO Confidential Atomal"; flow:to_server,established; content:"Subject|3A|"; pcre:"///((NATO\sCONFIDENTIAL\sATOMAL)|NCA)//MR/ism"; classtype:policy-violation; sid:2002415; rev:1;)
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 91 | #
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 92 | # NATO Confidential
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 93 | #alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE POLICY SMTP NATO Confidential"; flow:to_server,established; content:"Subject|3A|"; pcre:"///((NATO\sCONFIDENTIAL)|NC)//MR/ism"; classtype:policy-violation; sid:2002416; rev:1;)
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 94 | #
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 95 | # NATO COSMIC Top Secret Atomal
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 96 | #alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE POLICY SMTP NATO COSMIC Top Secret Atomal"; flow:to_server,established; content:"Subject|3A|"; pcre:"///((COSMIC\sTOP\sSECRET\sATOMAL)|CTSA)//MR/ism"; classtype:policy-violation; sid:2002417; rev:1;)
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 97 | #
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 98 | # NATO Secret Atomal
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 99 | #alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE POLICY SMTP NATO Secret Atomal"; flow:to_server,established; content:"Subject|3A|"; pcre:"///((NATO\sSECRET\sATOMAL)|NSA)//MR/ism"; classtype:policy-violation; sid:2002418; rev:1;)
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 100 | #
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 101 | # NATO Secret
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 102 | #alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE POLICY SMTP NATO Secret"; flow:to_server,established; content:"Subject|3A|"; pcre:"///((NATO\sSECRET)|NS)//MR/ism"; classtype:policy-violation; sid:2002419; rev:1;)
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 103 | #
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 104 | # US Confidential, Electronic Format
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 105 | #alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE POLICY SMTP US Confidential, Electronic"; flow:to_server,established; content:"Subject|3A|"; pcre:"/QQQQ\r\n(?=(O|P|R|Z)\r\n(CC)\r\n)/ism"; classtype:policy-violation; sid:2002420; rev:1;)
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 106 | #
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 107 | # US Top Secret, Electronic Format
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 108 | #alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE POLICY SMTP US Top Secret, Electronic"; flow:to_server,established; content:"Subject|3A|"; pcre:"/QQQQ\r\n(?=(O|P|R|Z)\r\n(TT)\r\n)/ism"; classtype:policy-violation; sid:2002421; rev:1;)
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 109 | #
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 110 | # US Secret, Electronic Format
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 111 | #alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE POLICY SMTP US Secret, Electronic"; flow:to_server,established; content:"Subject|3A|"; pcre:"/QQQQ\r\n(?=(O|P|R|Z)\r\n(SS)\r\n)/ism"; classtype:policy-violation; sid:2002422; rev:1;)
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 112 | #
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 113 | # US Confidential Authorized for Release To
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 114 | #alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE POLICY SMTP US Confidential REL TO"; flow:to_server,established; content:"Subject|3A|"; pcre:"/(CONFIDENTIAL|C)//[\s\w,/-]*REL\sTO\sUSA[\s\w,/-]*(?=//(25)?X[1-9])/ism"; classtype:policy-violation; sid:2002423; rev:1;)
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 115 | #
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 116 | # US Top Secret Authorized for Release To
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 117 | #alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE POLICY SMTP US Top Secret REL TO"; flow:to_server,established; content:"Subject|3A|"; pcre:"/(TOP\sSECRET|TS)//[\s\w,/-]*REL\sTO\sUSA[\s\w,/-]*(?=//(25)?X[1-9])/ism"; classtype:policy-violation; sid:2002424; rev:1;)
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 118 | #
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 119 | # US Secret Authorized for Release To
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 120 | #alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE POLICY SMTP US Secret REL TO"; flow:to_server,established; content:"Subject|3A|"; pcre:"/(? |
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 121 | #
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 122 | # US Confidential Comint
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 123 | #alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE POLICY SMTP US Confidential COMINT"; flow:to_server,established; content:"Subject|3A|"; pcre:"/(CONFIDENTIAL|C)//[\s\w,/-]*(COMINT|SI)[\s\w,/-]*(?=//(25)?X[1-9])/ism"; classtype:policy-violation; sid:2002426; rev:1;)
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 124 | #
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 125 | # US Top Secret Comint
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 126 | #alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE POLICY SMTP US Top Secret COMINT"; flow:to_server,established; content:"Subject|3A|"; pcre:"/(TOP\sSECRET|TS)//[\s\w,/-]*(COMINT|SI)[\s\w,/-]*(?=//(25)?X[1-9])/ism"; classtype:policy-violation; sid:2002427; rev:1;)
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 127 | #
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 128 | # US Secret Comint
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 129 | #alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE POLICY SMTP US Secret COMINT"; flow:to_server,established; content:"Subject|3A|"; pcre:"/(? |
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 130 | #
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 131 | # US Unclassified Communications Security Material
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 132 | #alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE POLICY SMTP US Unclassified COMSEC"; flow:to_server,established; content:"Subject|3A|"; pcre:"/(UNCLASSIFIED|U)//[\s\w,/-]*COMSEC[\s\w,/-]*(?=//(25)?X[1-9])/ism"; classtype:policy-violation; sid:2002429; rev:1;)
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 133 | #
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 134 | # US Confidential Communications Security Material
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 135 | #alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE POLICY SMTP US Confidential COMSEC"; flow:to_server,established; content:"Subject|3A|"; pcre:"/(CONFIDENTIAL|C)//[\s\w,/-]*COMSEC[\s\w,/-]*(?=//(25)?X[1-9])/ism"; classtype:policy-violation; sid:2002430; rev:1;)
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 136 | #
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 137 | # US Top Secret Communications Security Material
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 138 | #alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE POLICY SMTP US Top Secret COMSEC"; flow:to_server,established; content:"Subject|3A|"; pcre:"/(TOP\sSECRET|TS)//[\s\w,/-]*COMSEC[\s\w,/-]*(?=//(25)?X[1-9])/ism"; classtype:policy-violation; sid:2002431; rev:1;)
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 139 | #
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 140 | # US Secret Communications Security Material
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 141 | #alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE POLICY SMTP US Secret COMSEC"; flow:to_server,established; content:"Subject|3A|"; pcre:"/(? |
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 142 | #
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 143 | # US Controlled Imagery
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 144 | #alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE POLICY SMTP US Secret IMCON"; flow:to_server,established; content:"Subject|3A|"; pcre:"/(? |
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 145 | #
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 146 | # US Top Secret Critical Nuclear Weapon Design Information
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 147 | #alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE POLICY SMTP US Top Secret CNWDI"; flow:to_server,established; content:"Subject|3A|"; pcre:"/(TOP\sSECRET|TS)//[\s\w,/-]*(CRITICAL\sNUCLEAR\sWEAPON\sDESIGN\sINFORMATION|CNWDI)[\s\w,/-]*(?=//MR)/ism"; classtype:policy-violation; sid:2002434; rev:1;)
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 148 | #
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 149 | # US Secret Critical Nuclear Weapon Design Information
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 150 | #alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE POLICY SMTP US Secret CNWDI"; flow:to_server,established; content:"Subject|3A|"; pcre:"/(? |
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 151 | #
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 152 | # US Top Secret Talent Keyhole
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 153 | #alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE POLICY SMTP US Top Secret TK"; flow:to_server,established; content:"Subject|3A|"; pcre:"/(TOP\sSECRET|TS)//[\s\w,/-]*(TALENT\sKEYHOLE|TK)[\s\w,/-]*(?=//(25)?X[1-9])/ism"; classtype:policy-violation; sid:2002436; rev:1;)
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 154 | #
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 155 | # US Secret Talent Keyhole
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 156 | #alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE POLICY SMTP US Secret TK"; flow:to_server,established; content:"Subject|3A|"; pcre:"/(? |
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 157 | #
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 158 | # US Foreign Government Information
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 159 | #alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE POLICY SMTP US FGI"; flow:to_server,established; content:"Subject|3A|"; pcre:"///FGI[\s\w,/-]*(?=//X5)/ism"; classtype:policy-violation; sid:2002438; rev:1;)
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 160 | #
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 161 | # US For Official Use Only
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 162 | #alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE POLICY SMTP US FOUO"; flow:to_server,established; content:"Subject|3A|"; pcre:"/(UNCLASSIFIED|U)//(FOR\sOFFICIAL\sUSE\sONLY|FOUO)/ism"; classtype:policy-violation; sid:2002439; rev:1;)
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 163 | #
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 164 | # US Confidential Not Releasable to Foreign Nationals
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 165 | #alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE POLICY SMTP US Confidential NOFORN"; flow:to_server,established; content:"Subject|3A|"; pcre:"/(CONFIDENTIAL|C)//[\s\w,/-]*NOFORN[\s\w,/-]*(?=//(25)?X[1-9])/ism"; classtype:policy-violation; sid:2002440; rev:1;)
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 166 | #
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 167 | # US Top Secret Not Releasable to Foreign Nationals
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 168 | #alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE POLICY SMTP US Top Secret NOFORN"; flow:to_server,established; content:"Subject|3A|"; pcre:"/(TOP\sSECRET|TS)//[\s\w,/-]*NOFORN[\s\w,/-]*(?=//(25)?X[1-9])/ism"; classtype:policy-violation; sid:2002441; rev:1;)
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 169 | #
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 170 | # US Secret Not Releasable to Foreign Nationals
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 171 | #alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE POLICY SMTP US Secret NOFORN"; flow:to_server,established; content:"Subject|3A|"; pcre:"/(? |
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 172 | #
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 173 | # US Confidential Originator Controlled
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 174 | #alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE POLICY SMTP US Confidential ORCON"; flow:to_server,established; content:"Subject|3A|"; pcre:"/(CONFIDENTIAL|C)//[\s\w,/-]*(ORIGINATOR\sCONTROLLED|ORCON)[\s\w,/-]*(?=//(25)?X[1-9])/ism"; classtype:policy-violation; sid:2002443; rev:1;)
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 175 | #
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 176 | # US Top Secret Originator Controlled
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 177 | #alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE POLICY SMTP US Top Secret ORCON"; flow:to_server,established; content:"Subject|3A|"; pcre:"/(TOP\sSECRET|TS)//[\s\w,/-]*(ORIGINATOR\sCONTROLLED|ORCON)[\s\w,/-]*(?=//(25)?X[1-9])/ism"; classtype:policy-violation; sid:2002444; rev:1;)
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 178 | #
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 179 | # US Secret Originator Controlled
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 180 | #alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE POLICY SMTP US Secret ORCON"; flow:to_server,established; content:"Subject|3A|"; pcre:"/(? |
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 181 | #
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 182 | # US Unclassified Proprietary Information
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 183 | #alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE POLICY SMTP US Unclassified PROPIN"; flow:to_server,established; content:"Subject|3A|"; pcre:"/(UNCLASSIFIED|U)//[\s\w,/-]*PROPIN[\s\w,/-]*(?=//(25)?X[1-9])/ism"; classtype:policy-violation; sid:2002446; rev:1;)
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 184 | #
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 185 | # US Confidential Proprietary Information
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 186 | #alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE POLICY SMTP US Confidential PROPIN"; flow:to_server,established; content:"Subject|3A|"; pcre:"/(CONFIDENTIAL|C)//[\s\w,/-]*PROPIN[\s\w,/-]*(?=//(25)?X[1-9])/ism"; classtype:policy-violation; sid:2002447; rev:1;)
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 187 | #
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 188 | # US Top Secret Proprietary Information
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 189 | #alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE POLICY SMTP US Top Secret PROPIN"; flow:to_server,established; content:"Subject|3A|"; pcre:"/(TOP\sSECRET|TS)//[\s\w,/-]*PROPIN[\s\w,/-]*(?=//(25)?X[1-9])/ism"; classtype:policy-violation; sid:2002448; rev:1;)
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 190 | #
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 191 | # US Secret Proprietary Information
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 192 | #alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE POLICY SMTP US Secret PROPIN"; flow:to_server,established; content:"Subject|3A|"; pcre:"/(? |
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 193 | #
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 194 | # US Confidential Restricted Data
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 195 | #alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE POLICY SMTP US Confidential RD"; flow:to_server,established; content:"Subject|3A|"; pcre:"/(CONFIDENTIAL|C)//[\s\w,/-]*(RESTRICTED\sDATA|RD)[\s\w,/-]*(?=//MR)/ism"; classtype:policy-violation; sid:2002450; rev:1;)
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 196 | #
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 197 | # US Top Secret Restricted Data
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 198 | #alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE POLICY SMTP US Top Secret RD"; flow:to_server,established; content:"Subject|3A|"; pcre:"/(TOP\sSECRET|TS)//[\s\w,/-]*(RESTRICTED\sDATA|RD)[\s\w,/-]*(?=//MR)/ism"; classtype:policy-violation; sid:2002451; rev:1;)
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 199 | #
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 200 | # US Secret Restricted Data
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 201 | #alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE POLICY SMTP US Secret RD"; flow:to_server,established; content:"Subject|3A|"; pcre:"/(? |
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 202 | #
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 203 | # US Sources and Methods Information
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 204 | #alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE POLICY SMTP US SAMI"; flow:to_server,established; content:"Subject|3A|"; pcre:"/SAMI[\s\w,/-]*(?=//(25)?X[1-9])/ism"; classtype:policy-violation; sid:2002453; rev:1;)
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 205 | #
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 206 | # US Confidential Special Category
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 207 | #alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE POLICY SMTP US Confidential SPECAT"; flow:to_server,established; content:"Subject|3A|"; pcre:"/(CONFIDENTIAL|C)//[\s\w,/-]*SPECAT[\s\w,/-]*(?=//(25)?X[1-9])/ism"; classtype:policy-violation; sid:2002454; rev:1;)
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 208 | #
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 209 | # US Top Secret Special Category
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 210 | #alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE POLICY SMTP US Top Secret SPECAT"; flow:to_server,established; content:"Subject|3A|"; pcre:"/(TOP\sSECRET|TS)//[\s\w,/-]*SPECAT[\s\w,/-]*(?=//(25)?X[1-9])/ism"; classtype:policy-violation; sid:2002455; rev:1;)
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 211 | #
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 212 | # US Secret Special Category
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 213 | #alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE POLICY SMTP US Secret SPECAT"; flow:to_server,established; content:"Subject|3A|"; pcre:"/(? |
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 214 | #
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 215 | # US Top Secret Single Integrated Operations Plan
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 216 | #alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE POLICY SMTP US Top Secret STOP"; flow:to_server,established; content:"Subject|3A|"; pcre:"/(TOP\sSECRET|TS)//[\s\w,/-]*STOP[\s\w,/-]*(?=//(25)?X[1-9])/ism"; classtype:policy-violation; sid:2002457; rev:1;)
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 217 | #
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 218 | # The word "private"
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 219 | #alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE POLICY SMTP Private"; flow:to_server,established; content:"Subject|3A|"; pcre:"/\Wprivate\W(?!/(25)?X[1-9])/ism"; classtype:policy-violation; sid:2002458; rev:1;)
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 220 | #
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 221 | # The word "restricted"
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 222 | #alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE POLICY SMTP Restricted"; flow:to_server,established; content:"Subject|3A|"; pcre:"/(? |
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 223 | #
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 224 | # The word "confidential"
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 225 | # alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE POLICY SMTP Confidential"; flow:to_server,established; content:"Subject|3A|"; pcre:"/(? |
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 226 | #
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 227 | # The word "secret"
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 228 | #alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE POLICY SMTP Secret"; flow:to_server,established; content:"Subject|3A|"; pcre:"/(? |
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 229 | #
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 230 | # The phrase "top secret"
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 231 | #alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE POLICY SMTP Top Secret"; flow:to_server,established; content:"Subject|3A|"; pcre:"/(? |
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 232 | #
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 233 | # The word "sealed"
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 234 | #alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE POLICY SMTP Sealed"; flow:to_server,established; content:"Subject|3A|"; pcre:"/\Wsealed\W(?!/(25)?X[1-9])/ism"; classtype:policy-violation; sid:2002463; rev:1;)
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 235 | #
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 236 | # The word "sensitive"
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 237 | #alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE POLICY SMTP Sensitive"; flow:to_server,established; content:"Subject|3A|"; pcre:"/(? |
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 238 | #
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 239 | # The word "proprietary"
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 240 | #alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE POLICY SMTP Proprietary"; flow:to_server,established; content:"Subject|3A|"; pcre:"/\Wproprietary\W(?!/(25)?X[1-9])/ism"; classtype:policy-violation; sid:2002465; rev:1;)
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 241 | #
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 242 | # The word "protected"
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 243 | #alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE POLICY SMTP Protected"; flow:to_server,established; content:"Subject|3A|"; pcre:"/\Wprotected\W(?!/(25)?X[1-9])/ism"; classtype:policy-violation; sid:2002466; rev:1;)
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 244 | #
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 245 | # The phrase "law enforcement sensitive"
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 246 | #alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE POLICY SMTP Law Enforcement Sensitive"; flow:to_server,established; content:"Subject|3A|"; pcre:"/\Wlaw\senforcement\ssensitive\W/ism"; classtype:policy-violation; sid:2002467; rev:1;)
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 247 | #
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 248 | # The phrase "internal use only"
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 249 | #alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE POLICY SMTP Internal Use Only"; flow:to_server,established; content:"Subject|3A|"; pcre:"/\Winternal\suse\sonly\W/ism"; classtype:policy-violation; sid:2002468; rev:1;)
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 250 | #
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 251 | # The phrase "date of birth" or its typical abbreviations
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 252 | #alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE POLICY SMTP Date of Birth"; flow:to_server,established; content:"Subject|3A|"; pcre:"/[^\w&]d(ate)?(-)?o(f)?(-)?b(irth)?\W[\s\w,/-]*(?=([0-9]{2}[-/][0-9]{2}[-/][0-9]{2,4})|[0-9]{8})/ism"; classtype:policy-violation; sid:2002469; rev:1;)
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 253 | #
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 254 | # Health Care Common Procedure Coding System (HCPCS) Codes
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 255 | #alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE POLICY SMTP HCPCS Code"; flow:to_server,established; content:"Subject|3A|"; pcre:"/\Whcpcs\W[\s\w,/-]*(?=[a-z][0-9]{10})/ism"; classtype:policy-violation; sid:2002470; rev:1;)
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 256 | #
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 257 | # International Statistical Classification of Diseases and Related Health Problems 10th Revision (ICD-10) Codes
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 258 | #alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE POLICY SMTP ICD-10 Code"; flow:to_server,established; content:"Subject|3A|"; pcre:"/\Wicd\W[\s\w,/-]*(?=[a-z][0-9]{2}\.[0-9]{2})/ism"; classtype:policy-violation; sid:2002471; rev:1;)
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 259 | #
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 260 | # Food and Drug Administration (FDA) National Drug Code (NDC) Codes
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 261 | #alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE POLICY SMTP FDA NDC Code"; flow:to_server,established; content:"Subject|3A|"; pcre:"/\Wndc\W[\s\w,/-]*(?=([0-9]{4}-[0-9]{4}-[0-9]{2}|[0-9]{5}-[0-9]{3}-[0-9]{2}|[0-9]{5}-[0-9]{4}-[0-9]{1,2}))/ism"; classtype:policy-violation; sid:2002472; rev:1;)
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 262 | #
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 263 | # American Dental Association (ADA) Dental Procedure Codes
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 264 | #alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE POLICY SMTP ADA Procedure Code"; flow:to_server,established; content:"Subject|3A|"; pcre:"/\Wada\W[\s\w,/-]*(?=d[0-9]{4})/ism"; classtype:policy-violation; sid:2002473; rev:1;)
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 265 | #
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 266 | # Diagnostic and Statistical Manual of Mental Disorders (DSM-IV) Codes
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 267 | #alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE POLICY SMTP DSM-IV Code"; flow:to_server,established; content:"Subject|3A|"; pcre:"/\Wdsm\W[\s\w,/-]*(?=([2-9][0-9]{2}(\.[0-9]{1,2})?)|(v[167][0-9]\.[0-9]{1,2}))/ism"; classtype:policy-violation; sid:2002474; rev:1;)
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 268 | #
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 269 | # American Medical Association (AMA) Current Procedural Terminology (CPT) Codes
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 270 | #alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE POLICY SMTP AMA CPT Code"; flow:to_server,established; content:"Subject|3A|"; pcre:"/\Wcpt\W[\s\w,/-]*(?=[0-9]{4}[ft]|[0-9]{5})/ism"; classtype:policy-violation; sid:2002475; rev:1;)
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 271 | #
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 272 | # Japan Credit Bureau Credit Card Number
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 273 | #alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE POLICY SMTP Credit Card, JCB"; flow:to_server,established; content:"Subject|3A|"; pcre:"/\Wj(apan\s)?c(redit\s)?b(ureau)?\W[\s\w,/-]*(?=(3[12359][0-9]{14})|(1800|2131)[0-9]{11})/ism"; classtype:policy-violation; sid:2002477; rev:1;)
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 274 | #
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 275 | # The word "password", its typical abbreviations, or either of these written in a few forms of "leet"
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 276 | #alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE POLICY SMTP Password"; flow:to_server,established; content:"Subject|3A|"; pcre:"/\W[p][a4@][sz5]{0,2}[w]([o0][r])?[d]\W/ism"; classtype:policy-violation; sid:2002483; rev:1;)
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 277 | #
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 278 | # The word "appraisal"
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 279 | #alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE POLICY SMTP Appraisal"; flow:to_server,established; content:"Subject|3A|"; pcre:"/\Wappraisal(s)?\W/ism"; classtype:policy-violation; sid:2002484; rev:1;)
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 280 | #
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 281 | # The phrase "account balance"
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 282 | #alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE POLICY SMTP Account Balance"; flow:to_server,established; content:"Subject|3A|"; pcre:"/\Waccount\sbalance(s)?\W/ism"; classtype:policy-violation; sid:2002485; rev:1;)
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 283 | #
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 284 | # The phrase "payment history"
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 285 | #alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE POLICY SMTP Payment History"; flow:to_server,established; content:"Subject|3A|"; pcre:"/\Wpayment\shistory\W/ism"; classtype:policy-violation; sid:2002486; rev:1;)
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 286 | #
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 287 | # The phrase "annual income"
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 288 | #alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE POLICY SMTP Annual Income"; flow:to_server,established; content:"Subject|3A|"; pcre:"/\Wannual\sincome(s)?\W/ism"; classtype:policy-violation; sid:2002487; rev:2;)
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 289 | #
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 290 | # The phrase "credit history"
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 291 | #alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE POLICY SMTP Credit History"; flow:to_server,established; content:"Subject|3A|"; pcre:"/\Wcredit\shistor(y|ies)\W/ism"; classtype:policy-violation; sid:2002488; rev:1;)
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 292 | #
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 293 | # The phrase "transaction history"
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 294 | #alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE POLICY SMTP Transaction History"; flow:to_server,established; content:"Subject|3A|"; pcre:"/\Wtransaction\shistor(y|ies)\W/ism"; classtype:policy-violation; sid:2002489; rev:1;)
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 295 | #
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 296 | # The phrase "customer list"
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 297 | #alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE POLICY SMTP Customer List"; flow:to_server,established; content:"Subject|3A|"; pcre:"/\Wcustomer\slist(s)?\W/ism"; classtype:policy-violation; sid:2002490; rev:1;)
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 298 |
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 299 | ##########################################
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 300 | #
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 301 | # HTTP POST
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 302 | #
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 303 | # Non-US Restricted
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 304 | #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE POLICY HTTP Non-US Restricted"; flow:to_server,established; pcre:"///([A-Z]{3}\s)+RESTRICTED//X5/ism"; classtype:policy-violation; sid:2002495; rev:2;)
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 305 | #
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 306 | # Non-US Confidential
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 307 | #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE POLICY HTTP - Non-US Confidential"; flow:to_server,established; pcre:"///([A-Z]{3}\s)+CONFIDENTIAL//X5/ism"; classtype:policy-violation; sid:2002496; rev:2;)
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 308 | #
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 309 | # Non-US Top Secret
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 310 | #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE POLICY HTTP - Non-US Top Secret"; flow:to_server,established; pcre:"///([A-Z]{3}\s)+TOP\sSECRET//X5/ism"; classtype:policy-violation; sid:2002497; rev:2;)
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 311 | #
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 312 | # Non-US Secret
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 313 | #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE POLICY HTTP - Non-US Secret"; flow:to_server,established; pcre:"///([A-Z]{3}\s)+(? |
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 314 | #
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 315 | # NATO Restricted
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 316 | #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE POLICY HTTP - NATO Restricted"; flow:to_server,established; pcre:"///((NATO\sRESTRICTED)|NR)//MR/ism"; classtype:policy-violation; sid:2002499; rev:2;)
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 317 | #
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 318 | # NATO Confidential Atomal
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 319 | #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE POLICY HTTP - NATO Confidential Atomal"; flow:to_server,established; pcre:"///((NATO\sCONFIDENTIAL\sATOMAL)|NCA)//MR/ism"; classtype:policy-violation; sid:2002500; rev:2;)
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 320 | #
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 321 | # NATO Confidential
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 322 | #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE POLICY HTTP - NATO Confidential"; flow:to_server,established; pcre:"///((NATO\sCONFIDENTIAL)|NC)//MR/ism"; classtype:policy-violation; sid:2002501; rev:2;)
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 323 | #
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 324 | # NATO COSMIC Top Secret Atomal
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 325 | #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE POLICY HTTP - NATO COSMIC Top Secret Atomal"; flow:to_server,established; pcre:"///((COSMIC\sTOP\sSECRET\sATOMAL)|CTSA)//MR/ism"; classtype:policy-violation; sid:2002502; rev:2;)
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 326 | #
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 327 | # NATO Secret Atomal
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 328 | #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE POLICY HTTP - NATO Secret Atomal"; flow:to_server,established; pcre:"///((NATO\sSECRET\sATOMAL)|NSA)//MR/ism"; classtype:policy-violation; sid:2002503; rev:2;)
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 329 | #
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 330 | # NATO Secret
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 331 | #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE POLICY HTTP - NATO Secret"; flow:to_server,established; pcre:"///((NATO\sSECRET)|NS)//MR/ism"; classtype:policy-violation; sid:2002504; rev:2;)
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 332 | #
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 333 | # US Confidential, Electronic Format
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 334 | #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE POLICY HTTP - US Confidential, Electronic"; flow:to_server,established; pcre:"/QQQQ\r\n(?=(O|P|R|Z)\r\n(CC)\r\n)/ism"; classtype:policy-violation; sid:2002505; rev:2;)
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 335 | #
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 336 | # US Top Secret, Electronic Format
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 337 | #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE POLICY HTTP - US Top Secret, Electronic"; flow:to_server,established; pcre:"/QQQQ\r\n(?=(O|P|R|Z)\r\n(TT)\r\n)/ism"; classtype:policy-violation; sid:2002506; rev:2;)
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 338 | #
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 339 | # US Secret, Electronic Format
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 340 | #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE POLICY HTTP - US Secret, Electronic"; flow:to_server,established; pcre:"/QQQQ\r\n(?=(O|P|R|Z)\r\n(SS)\r\n)/ism"; classtype:policy-violation; sid:2002507; rev:2;)
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 341 | #
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 342 | # US Confidential Authorized for Release To
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 343 | #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE POLICY HTTP - US Confidential REL TO"; flow:to_server,established; pcre:"/(CONFIDENTIAL|C)//[\s\w,/-]*REL\sTO\sUSA[\s\w,/-]*(?=//(25)?X[1-9])/ism"; classtype:policy-violation; sid:2002508; rev:2;)
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 344 | #
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 345 | # US Top Secret Authorized for Release To
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 346 | #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE POLICY HTTP - US Top Secret REL TO"; flow:to_server,established; pcre:"/(TOP\sSECRET|TS)//[\s\w,/-]*REL\sTO\sUSA[\s\w,/-]*(?=//(25)?X[1-9])/ism"; classtype:policy-violation; sid:2002509; rev:2;)
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 347 | #
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 348 | # US Secret Authorized for Release To
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 349 | #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE POLICY HTTP - US Secret REL TO"; flow:to_server,established; pcre:"/(? |
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 350 | #
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 351 | # US Confidential Comint
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 352 | #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE POLICY HTTP - US Confidential COMINT"; flow:to_server,established; pcre:"/(CONFIDENTIAL|C)//[\s\w,/-]*(COMINT|SI)[\s\w,/-]*(?=//(25)?X[1-9])/ism"; classtype:policy-violation; sid:2002511; rev:2;)
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 353 | #
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 354 | # US Top Secret Comint
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 355 | #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE POLICY HTTP - US Top Secret COMINT"; flow:to_server,established; pcre:"/(TOP\sSECRET|TS)//[\s\w,/-]*(COMINT|SI)[\s\w,/-]*(?=//(25)?X[1-9])/ism"; classtype:policy-violation; sid:2002512; rev:2;)
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 356 | #
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 357 | # US Secret Comint
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 358 | #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE POLICY HTTP - US Secret COMINT"; flow:to_server,established; pcre:"/(? |
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 359 | #
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 360 | # US Unclassified Communications Security Material
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 361 | #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE POLICY HTTP - US Unclassified COMSEC"; flow:to_server,established; pcre:"/(UNCLASSIFIED|U)//[\s\w,/-]*COMSEC[\s\w,/-]*(?=//(25)?X[1-9])/ism"; classtype:policy-violation; sid:2002514; rev:2;)
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 362 | #
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 363 | # US Confidential Communications Security Material
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 364 | #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE POLICY HTTP - US Confidential COMSEC"; flow:to_server,established; pcre:"/(CONFIDENTIAL|C)//[\s\w,/-]*COMSEC[\s\w,/-]*(?=//(25)?X[1-9])/ism"; classtype:policy-violation; sid:2002515; rev:2;)
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 365 | #
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 366 | # US Top Secret Communications Security Material
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 367 | #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE POLICY HTTP - US Top Secret COMSEC"; flow:to_server,established; pcre:"/(TOP\sSECRET|TS)//[\s\w,/-]*COMSEC[\s\w,/-]*(?=//(25)?X[1-9])/ism"; classtype:policy-violation; sid:2002516; rev:2;)
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 368 | #
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 369 | # US Secret Communications Security Material
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 370 | #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE POLICY HTTP - US Secret COMSEC"; flow:to_server,established; pcre:"/(? |
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 371 | #
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 372 | # US Controlled Imagery
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 373 | #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE POLICY HTTP - US Secret IMCON"; flow:to_server,established; pcre:"/(? |
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 374 | #
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 375 | # US Top Secret Critical Nuclear Weapon Design Information
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 376 | #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE POLICY HTTP - US Top Secret CNWDI"; flow:to_server,established; pcre:"/(TOP\sSECRET|TS)//[\s\w,/-]*(CRITICAL\sNUCLEAR\sWEAPON\sDESIGN\sINFORMATION|CNWDI)[\s\w,/-]*(?=//MR)/ism"; classtype:policy-violation; sid:2002519; rev:2;)
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 377 | #
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 378 | # US Secret Critical Nuclear Weapon Design Information
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 379 | #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE POLICY HTTP - US Secret CNWDI"; flow:to_server,established; pcre:"/(? |
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 380 | #
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 381 | # US Top Secret Talent Keyhole
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 382 | #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE POLICY HTTP - US Top Secret TK"; flow:to_server,established; pcre:"/(TOP\sSECRET|TS)//[\s\w,/-]*(TALENT\sKEYHOLE|TK)[\s\w,/-]*(?=//(25)?X[1-9])/ism"; classtype:policy-violation; sid:2002521; rev:2;)
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 383 | #
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 384 | # US Secret Talent Keyhole
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 385 | #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE POLICY HTTP - US Secret TK"; flow:to_server,established; pcre:"/(? |
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 386 | #
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 387 | # US Foreign Government Information
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 388 | #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE POLICY HTTP - US FGI"; flow:to_server,established; pcre:"///FGI[\s\w,/-]*(?=//X5)/ism"; classtype:policy-violation; sid:2002523; rev:2;)
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 389 | #
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 390 | # US For Official Use Only
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 391 | #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE POLICY HTTP - US FOUO"; flow:to_server,established; pcre:"/(UNCLASSIFIED|U)//(FOR\sOFFICIAL\sUSE\sONLY|FOUO)/ism"; classtype:policy-violation; sid:2002524; rev:2;)
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 392 | #
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 393 | # US Confidential Not Releasable to Foreign Nationals
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 394 | #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE POLICY HTTP - US Confidential NOFORN"; flow:to_server,established; pcre:"/(CONFIDENTIAL|C)//[\s\w,/-]*NOFORN[\s\w,/-]*(?=//(25)?X[1-9])/ism"; classtype:policy-violation; sid:2002525; rev:2;)
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 395 | #
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 396 | # US Top Secret Not Releasable to Foreign Nationals
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 397 | #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE POLICY HTTP - US Top Secret NOFORN"; flow:to_server,established; pcre:"/(TOP\sSECRET|TS)//[\s\w,/-]*NOFORN[\s\w,/-]*(?=//(25)?X[1-9])/ism"; classtype:policy-violation; sid:2002526; rev:2;)
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 398 | #
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 399 | # US Secret Not Releasable to Foreign Nationals
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 400 | #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE POLICY HTTP - US Secret NOFORN"; flow:to_server,established; pcre:"/(? |
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 401 | #
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 402 | # US Confidential Originator Controlled (note: the rule below is missing its sid/rev options, unlike every other rule in this set; assign it a unique sid before enabling it so the alert can be tracked and tuned)
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 403 | #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE POLICY HTTP - US Confidential ORCON"; flow:to_server,established; pcre:"/(CONFIDENTIAL|C)//[\s\w,/-]*(ORIGINATOR\sCONTROLLED|ORCON)[\s\w,/-]*(?=//(25)?X[1-9])/ism"; classtype:policy-violation;)
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 404 | #
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 405 | # US Top Secret Originator Controlled
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 406 | #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE POLICY HTTP - US Top Secret ORCON"; flow:to_server,established; pcre:"/(TOP\sSECRET|TS)//[\s\w,/-]*(ORIGINATOR\sCONTROLLED|ORCON)[\s\w,/-]*(?=//(25)?X[1-9])/ism"; classtype:policy-violation; sid:2002528; rev:2;)
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 407 | #
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 408 | # US Secret Originator Controlled
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 409 | #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE POLICY HTTP - US Secret ORCON"; flow:to_server,established; pcre:"/(? |
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 410 | #
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 411 | # US Unclassified Proprietary Information
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 412 | #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE POLICY HTTP - US Unclassified PROPIN"; flow:to_server,established; pcre:"/(UNCLASSIFIED|U)//[\s\w,/-]*PROPIN[\s\w,/-]*(?=//(25)?X[1-9])/ism"; classtype:policy-violation; sid:2002530; rev:2;)
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 413 | #
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 414 | # US Confidential Proprietary Information
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 415 | #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE POLICY HTTP - US Confidential PROPIN"; flow:to_server,established; pcre:"/(CONFIDENTIAL|C)//[\s\w,/-]*PROPIN[\s\w,/-]*(?=//(25)?X[1-9])/ism"; classtype:policy-violation; sid:2002531; rev:2;)
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 416 | #
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 417 | # US Top Secret Proprietary Information
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 418 | #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE POLICY HTTP - US Top Secret PROPIN"; flow:to_server,established; pcre:"/(TOP\sSECRET|TS)//[\s\w,/-]*PROPIN[\s\w,/-]*(?=//(25)?X[1-9])/ism"; classtype:policy-violation; sid:2002532; rev:2;)
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 419 | #
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 420 | # US Secret Proprietary Information
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 421 | #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE POLICY HTTP - US Secret PROPIN"; flow:to_server,established; pcre:"/(? |
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 422 | #
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 423 | # US Confidential Restricted Data
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 424 | #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE POLICY HTTP - US Confidential RD"; flow:to_server,established; pcre:"/(CONFIDENTIAL|C)//[\s\w,/-]*(RESTRICTED\sDATA|RD)[\s\w,/-]*(?=//MR)/ism"; classtype:policy-violation; sid:2002534; rev:2;)
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 425 | #
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 426 | # US Top Secret Restricted Data
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 427 | #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE POLICY HTTP - US Top Secret RD"; flow:to_server,established; pcre:"/(TOP\sSECRET|TS)//[\s\w,/-]*(RESTRICTED\sDATA|RD)[\s\w,/-]*(?=//MR)/ism"; classtype:policy-violation; sid:2002535; rev:2;)
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 428 | #
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 429 | # US Secret Restricted Data
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 430 | #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE POLICY HTTP - US Secret RD"; flow:to_server,established; pcre:"/(? |
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 431 | #
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 432 | # US Sources and Methods Information
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 433 | #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE POLICY HTTP - US SAMI"; flow:to_server,established; pcre:"/SAMI[\s\w,/-]*(?=//(25)?X[1-9])/ism"; classtype:policy-violation; sid:2002537; rev:2;)
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 434 | #
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 435 | # US Confidential Special Category
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 436 | #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE POLICY HTTP - US Confidential SPECAT"; flow:to_server,established; pcre:"/(CONFIDENTIAL|C)//[\s\w,/-]*SPECAT[\s\w,/-]*(?=//(25)?X[1-9])/ism"; classtype:policy-violation; sid:2002538; rev:2;)
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 437 | #
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 438 | # US Top Secret Special Category
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 439 | #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE POLICY HTTP - US Top Secret SPECAT"; flow:to_server,established; pcre:"/(TOP\sSECRET|TS)//[\s\w,/-]*SPECAT[\s\w,/-]*(?=//(25)?X[1-9])/ism"; classtype:policy-violation; sid:2002539; rev:2;)
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 440 | #
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 441 | # US Secret Special Category
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 442 | #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE POLICY HTTP - US Secret SPECAT"; flow:to_server,established; pcre:"/(? |
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 443 | #
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 444 | # US Top Secret Single Integrated Operations Plan
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 445 | #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE POLICY HTTP - US Top Secret STOP"; flow:to_server,established; pcre:"/(TOP\sSECRET|TS)//[\s\w,/-]*STOP[\s\w,/-]*(?=//(25)?X[1-9])/ism"; classtype:policy-violation; sid:2002541; rev:2;)
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 446 | #
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 447 | # The word "private"
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 448 | #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE POLICY HTTP - Private"; flow:to_server,established; pcre:"/\Wprivate\W(?!/(25)?X[1-9])/ism"; classtype:policy-violation; sid:2002542; rev:2;)
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 449 | #
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 450 | # The word "restricted"
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 451 | #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE POLICY HTTP - Restricted"; flow:to_server,established; pcre:"/(? |
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 452 | #
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 453 | # The word "confidential"
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 454 | #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE POLICY HTTP - Confidential"; flow:to_server,established; pcre:"/(? |
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 455 | #
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 456 | # The word "secret"
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 457 | #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE POLICY HTTP - Secret"; flow:to_server,established; pcre:"/(? |
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 458 | #
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 459 | # The phrase "top secret"
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 460 | #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE POLICY HTTP - Top Secret"; flow:to_server,established; pcre:"/(? |
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 461 | #
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 462 | # The word "sealed"
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 463 | #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE POLICY HTTP - Sealed"; flow:to_server,established; pcre:"/\Wsealed\W(?!/(25)?X[1-9])/ism"; classtype:policy-violation; sid:2002547; rev:2;)
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 464 | #
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 465 | # The word "sensitive"
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 466 | #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE POLICY HTTP - Sensitive"; flow:to_server,established; pcre:"/(? |
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 467 | #
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 468 | # The word "proprietary"
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 469 | #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE POLICY HTTP - Proprietary"; flow:to_server,established; pcre:"/\Wproprietary\W(?!/(25)?X[1-9])/ism"; classtype:policy-violation; sid:2002549; rev:2;)
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 470 | #
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 471 | # The word "protected"
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 472 | #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE POLICY HTTP - Protected"; flow:to_server,established; pcre:"/\Wprotected\W(?!/(25)?X[1-9])/ism"; classtype:policy-violation; sid:2002550; rev:2;)
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 473 | #
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 474 | # The phrase "law enforcement sensitive"
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 475 | #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE POLICY HTTP - Law Enforcement Sensitive"; flow:to_server,established; pcre:"/\Wlaw\senforcement\ssensitive\W/ism"; classtype:policy-violation; sid:2002551; rev:2;)
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 476 | #
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 477 | # The phrase "internal use only"
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 478 | #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE POLICY HTTP - Internal Use Only"; flow:to_server,established; pcre:"/\Winternal\suse\sonly\W/ism"; classtype:policy-violation; sid:2002552; rev:2;)
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 479 | #
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 480 | # The phrase "date of birth" or its typical abbreviations
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 481 | #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE POLICY HTTP - Date of Birth"; flow:to_server,established; pcre:"/[^\w&]d(ate)?(-)?o(f)?(-)?b(irth)?\W[\s\w,/-]*(?=([0-9]{2}[-/][0-9]{2}[-/][0-9]{2,4})|[0-9]{8})/ism"; classtype:policy-violation; sid:2002553; rev:2;)
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 482 | #
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 483 | # Health Care Common Procedure Coding System (HCPCS) Codes (note: HCPCS Level II codes are one letter followed by four digits; the lookahead below expects ten digits after the letter, so review the pattern before enabling this rule)
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 484 | #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE POLICY HTTP - HCPCS Code"; flow:to_server,established; pcre:"/\Whcpcs\W[\s\w,/-]*(?=[a-z][0-9]{10})/ism"; classtype:policy-violation; sid:2002554; rev:2;)
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 485 | #
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 486 | # International Statistical Classification of Diseases and Related Health Problems 10th Revision (ICD-10) Codes
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 487 | #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE POLICY HTTP - ICD-10 Code"; flow:to_server,established; pcre:"/\Wicd\W[\s\w,/-]*(?=[a-z][0-9]{2}\.[0-9]{2})/ism"; classtype:policy-violation; sid:2002555; rev:2;)
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 488 | #
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 489 | # Food and Drug Administration (FDA) National Drug Code (NDC) Codes
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 490 | #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE POLICY HTTP - FDA NDC Code"; flow:to_server,established; pcre:"/\Wndc\W[\s\w,/-]*(?=([0-9]{4}-[0-9]{4}-[0-9]{2}|[0-9]{5}-[0-9]{3}-[0-9]{2}|[0-9]{5}-[0-9]{4}-[0-9]{1,2}))/ism"; classtype:policy-violation; sid:2002556; rev:2;)
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 491 | #
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 492 | # American Dental Association (ADA) Dental Procedure Codes
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 493 | #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE POLICY HTTP - ADA Procedure Code"; flow:to_server,established; pcre:"/\Wada\W[\s\w,/-]*(?=d[0-9]{4})/ism"; classtype:policy-violation; sid:2002557; rev:2;)
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 494 | #
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 495 | # Diagnostic and Statistical Manual of Mental Disorders (DSM-IV) Codes
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 496 | #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE POLICY HTTP - DSM-IV Code"; flow:to_server,established; pcre:"/\Wdsm\W[\s\w,/-]*(?=([2-9][0-9]{2}(\.[0-9]{1,2})?)|(v[167][0-9]\.[0-9]{1,2}))/ism"; classtype:policy-violation; sid:2002558; rev:2;)
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 497 | #
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 498 | # American Medical Association (AMA) Current Procedural Terminology (CPT) Codes
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 499 | #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE POLICY HTTP - AMA CPT Code"; flow:to_server,established; pcre:"/\Wcpt\W[\s\w,/-]*(?=[0-9]{4}[ft]|[0-9]{5})/ism"; classtype:policy-violation; sid:2002559; rev:2;)
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 500 | #
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 501 | # Japan Credit Bureau Credit Card Number
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 502 | #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE POLICY HTTP - Credit Card, JCB"; flow:to_server,established; pcre:"/\Wj(apan\s)?c(redit\s)?b(ureau)?\W[\s\w,/-]*(?=(3[12359][0-9]{14})|(1800|2131)[0-9]{11})/ism"; classtype:policy-violation; sid:2002561; rev:2;)
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 503 | #
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 504 | # The word "password", its typical abbreviations or written/abbreviated in a few forms of "leet"
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 505 | #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE POLICY HTTP - Password"; flow:to_server,established; pcre:"/\W[p][a4@][sz5]{0,2}[w]([o0][r])?[d]\W/ism"; classtype:policy-violation; sid:2002567; rev:2;)
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 506 | #
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 507 | # The word "appraisal"
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 508 | #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE POLICY HTTP - Appraisal"; flow:to_server,established; pcre:"/\Wappraisal(s)?\W/ism"; classtype:policy-violation; sid:2002568; rev:2;)
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 509 | #
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 510 | # The phrase "account balance"
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 511 | #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE POLICY HTTP - Account Balance"; flow:to_server,established; pcre:"/\Waccount\sbalance(s)?\W/ism"; classtype:policy-violation; sid:2002569; rev:2;)
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 512 | #
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 513 | # The phrase "payment history"
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 514 | #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE POLICY HTTP - Payment History"; flow:to_server,established; pcre:"/\Wpayment\shistory\W/ism"; classtype:policy-violation; sid:2002570; rev:2;)
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 515 | #
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 516 | # The phrase "annual income"
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 517 | #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE POLICY HTTP - Annual Income"; flow:to_server,established; pcre:"/\Wannual\sincome(s)?\W/ism"; classtype:policy-violation; sid:2002571; rev:2;)
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 518 | #
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 519 | # The phrase "credit history"
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 520 | #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE POLICY HTTP - Credit History"; flow:to_server,established; pcre:"/\Wcredit\shistor(y|ies)\W/ism"; classtype:policy-violation; sid:2002572; rev:2;)
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 521 | #
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 522 | # The phrase "transaction history"
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 523 | #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE POLICY HTTP - Transaction History"; flow:to_server,established; pcre:"/\Wtransaction\shistor(y|ies)\W/ism"; classtype:policy-violation; sid:2002573; rev:2;)
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 524 | #
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 525 | # The phrase "customer list"
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 526 | #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE POLICY HTTP - Customer List"; flow:to_server,established; pcre:"/\Wcustomer\slist(s)?\W/ism"; classtype:policy-violation; sid:2002574; rev:2;)
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 527 | #
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 528 | #
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 529 | ##########################################
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 530 | #
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 531 | # High Ports, possibly Passive FTP DATA
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 532 | #
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 533 | # Non-US Restricted
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 534 | #alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"BLEEDING-EDGE POLICY High Ports - Non-US Restricted"; flow:to_server,established; pcre:"///([A-Z]{3}\s)+RESTRICTED//X5/ism"; classtype:policy-violation; sid:2002575; rev:2;)
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 535 | #
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 536 | # Non-US Confidential
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 537 | #alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"BLEEDING-EDGE POLICY High Ports - Non-US Confidential"; flow:to_server,established; pcre:"///([A-Z]{3}\s)+CONFIDENTIAL//X5/ism"; classtype:policy-violation; sid:2002576; rev:2;)
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 538 | #
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 539 | # Non-US Top Secret
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 540 | #alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"BLEEDING-EDGE POLICY High Ports - Non-US Top Secret"; flow:to_server,established; pcre:"///([A-Z]{3}\s)+TOP\sSECRET//X5/ism"; classtype:policy-violation; sid:2002577; rev:2;)
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 541 | #
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 542 | # Non-US Secret
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 543 | #alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"BLEEDING-EDGE POLICY High Ports - Non-US Secret"; flow:to_server,established; pcre:"///([A-Z]{3}\s)+(? |
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 544 | #
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 545 | # NATO Restricted
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 546 | #alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"BLEEDING-EDGE POLICY High Ports - NATO Restricted"; flow:to_server,established; pcre:"///((NATO\sRESTRICTED)|NR)//MR/ism"; classtype:policy-violation; sid:2002579; rev:2;)
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 547 | #
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 548 | # NATO Confidential Atomal
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 549 | #alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"BLEEDING-EDGE POLICY High Ports - NATO Confidential Atomal"; flow:to_server,established; pcre:"///((NATO\sCONFIDENTIAL\sATOMAL)|NCA)//MR/ism"; classtype:policy-violation; sid:2002580; rev:2;)
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 550 | #
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 551 | # NATO Confidential
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 552 | #alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"BLEEDING-EDGE POLICY High Ports - NATO Confidential"; flow:to_server,established; pcre:"///((NATO\sCONFIDENTIAL)|NC)//MR/ism"; classtype:policy-violation; sid:2002581; rev:2;)
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 553 | #
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 554 | # NATO COSMIC Top Secret Atomal
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 555 | #alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"BLEEDING-EDGE POLICY High Ports - NATO COSMIC Top Secret Atomal"; flow:to_server,established; pcre:"///((COSMIC\sTOP\sSECRET\sATOMAL)|CTSA)//MR/ism"; classtype:policy-violation; sid:2002582; rev:2;)
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 556 | #
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 557 | # NATO Secret Atomal
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 558 | #alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"BLEEDING-EDGE POLICY High Ports - NATO Secret Atomal"; flow:to_server,established; pcre:"///((NATO\sSECRET\sATOMAL)|NSA)//MR/ism"; classtype:policy-violation; sid:2002583; rev:2;)
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 559 | #
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 560 | # NATO Secret
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 561 | #alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"BLEEDING-EDGE POLICY High Ports - NATO Secret"; flow:to_server,established; pcre:"///((NATO\sSECRET)|NS)//MR/ism"; classtype:policy-violation; sid:2002584; rev:2;)
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 562 | #
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 563 | # US Confidential, Electronic Format
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 564 | #alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"BLEEDING-EDGE POLICY High Ports - US Confidential, Electronic"; flow:to_server,established; pcre:"/QQQQ\r\n(?=(O|P|R|Z)\r\n(CC)\r\n)/ism"; classtype:policy-violation; sid:2002585; rev:2;)
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 565 | #
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 566 | # US Top Secret, Electronic Format
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 567 | #alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"BLEEDING-EDGE POLICY High Ports - US Top Secret, Electronic"; flow:to_server,established; pcre:"/QQQQ\r\n(?=(O|P|R|Z)\r\n(TT)\r\n)/ism"; classtype:policy-violation; sid:2002586; rev:2;)
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 568 | #
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 569 | # US Secret, Electronic Format
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 570 | #alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"BLEEDING-EDGE POLICY High Ports - US Secret, Electronic"; flow:to_server,established; pcre:"/QQQQ\r\n(?=(O|P|R|Z)\r\n(SS)\r\n)/ism"; classtype:policy-violation; sid:2002587; rev:2;)
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 571 | #
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 572 | # US Confidential Authorized for Release To
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 573 | #alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"BLEEDING-EDGE POLICY High Ports - US Confidential REL TO"; flow:to_server,established; pcre:"/(CONFIDENTIAL|C)//[\s\w,/-]*REL\sTO\sUSA[\s\w,/-]*(?=//(25)?X[1-9])/ism"; classtype:policy-violation; sid:2002588; rev:2;)
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 574 | #
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 575 | # US Top Secret Authorized for Release To
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 576 | #alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"BLEEDING-EDGE POLICY High Ports - US Top Secret REL TO"; flow:to_server,established; pcre:"/(TOP\sSECRET|TS)//[\s\w,/-]*REL\sTO\sUSA[\s\w,/-]*(?=//(25)?X[1-9])/ism"; classtype:policy-violation; sid:2002589; rev:2;)
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 577 | #
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 578 | # US Secret Authorized for Release To
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 579 | #alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"BLEEDING-EDGE POLICY High Ports - US Secret REL TO"; flow:to_server,established; pcre:"/(? |
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 580 | #
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 581 | # US Confidential Comint
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 582 | #alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"BLEEDING-EDGE POLICY High Ports - US Confidential COMINT"; flow:to_server,established; pcre:"/(CONFIDENTIAL|C)//[\s\w,/-]*(COMINT|SI)[\s\w,/-]*(?=//(25)?X[1-9])/ism"; classtype:policy-violation; sid:2002591; rev:2;)
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 583 | #
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 584 | # US Top Secret Comint
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 585 | #alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"BLEEDING-EDGE POLICY High Ports - US Top Secret COMINT"; flow:to_server,established; pcre:"/(TOP\sSECRET|TS)//[\s\w,/-]*(COMINT|SI)[\s\w,/-]*(?=//(25)?X[1-9])/ism"; classtype:policy-violation; sid:2002592; rev:2;)
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 586 | #
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 587 | # US Secret Comint
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 588 | #alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"BLEEDING-EDGE POLICY High Ports - US Secret COMINT"; flow:to_server,established; pcre:"/(? |
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 589 | #
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 590 | # US Unclassified Communications Security Material
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 591 | #alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"BLEEDING-EDGE POLICY High Ports - US Unclassified COMSEC"; flow:to_server,established; pcre:"/(UNCLASSIFIED|U)//[\s\w,/-]*COMSEC[\s\w,/-]*(?=//(25)?X[1-9])/ism"; classtype:policy-violation; sid:2002594; rev:2;)
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 592 | #
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 593 | # US Confidential Communications Security Material
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 594 | #alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"BLEEDING-EDGE POLICY High Ports - US Confidential COMSEC"; flow:to_server,established; pcre:"/(CONFIDENTIAL|C)//[\s\w,/-]*COMSEC[\s\w,/-]*(?=//(25)?X[1-9])/ism"; classtype:policy-violation; sid:2002595; rev:2;)
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 595 | #
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 596 | # US Top Secret Communications Security Material
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 597 | #alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"BLEEDING-EDGE POLICY High Ports - US Top Secret COMSEC"; flow:to_server,established; pcre:"/(TOP\sSECRET|TS)//[\s\w,/-]*COMSEC[\s\w,/-]*(?=//(25)?X[1-9])/ism"; classtype:policy-violation; sid:2002596; rev:2;)
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 598 | #
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 599 | # US Secret Communications Security Material
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 600 | #alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"BLEEDING-EDGE POLICY High Ports - US Secret COMSEC"; flow:to_server,established; pcre:"/(? |
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 601 | #
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 602 | # US Controlled Imagery
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 603 | #alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"BLEEDING-EDGE POLICY High Ports - US Secret IMCON"; flow:to_server,established; pcre:"/(? |
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 604 | #
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 605 | # US Top Secret Critical Nuclear Weapon Design Information
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 606 | #alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"BLEEDING-EDGE POLICY High Ports - US Top Secret CNWDI"; flow:to_server,established; pcre:"/(TOP\sSECRET|TS)//[\s\w,/-]*(CRITICAL\sNUCLEAR\sWEAPON\sDESIGN\sINFORMATION|CNWDI)[\s\w,/-]*(?=//MR)/ism"; classtype:policy-violation; sid:2002599; rev:2;)
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 607 | #
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 608 | # US Secret Critical Nuclear Weapon Design Information
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 609 | #alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"BLEEDING-EDGE POLICY High Ports - US Secret CNWDI"; flow:to_server,established; pcre:"/(? |
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 610 | #
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 611 | # US Top Secret Talent Keyhole
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 612 | #alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"BLEEDING-EDGE POLICY High Ports - US Top Secret TK"; flow:to_server,established; pcre:"/(TOP\sSECRET|TS)//[\s\w,/-]*(TALENT\sKEYHOLE|TK)[\s\w,/-]*(?=//(25)?X[1-9])/ism"; classtype:policy-violation; sid:2002601; rev:2;)
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 613 | #
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 614 | # US Secret Talent Keyhole
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 615 | #alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"BLEEDING-EDGE POLICY High Ports - US Secret TK"; flow:to_server,established; pcre:"/(? |
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 616 | #
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 617 | # US Foreign Government Information
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 618 | #alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"BLEEDING-EDGE POLICY High Ports - US FGI"; flow:to_server,established; pcre:"///FGI[\s\w,/-]*(?=//X5)/ism"; classtype:policy-violation; sid:2002603; rev:2;)
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 619 | #
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 620 | # US For Official Use Only
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 621 | #alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"BLEEDING-EDGE POLICY High Ports - US FOUO"; flow:to_server,established; pcre:"/(UNCLASSIFIED|U)//(FOR\sOFFICIAL\sUSE\sONLY|FOUO)/ism"; classtype:policy-violation; sid:2002604; rev:2;)
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 622 | #
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 623 | # US Confidential Not Releasable to Foreign Nationals
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 624 | #alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"BLEEDING-EDGE POLICY High Ports - US Confidential NOFORN"; flow:to_server,established; pcre:"/(CONFIDENTIAL|C)//[\s\w,/-]*NOFORN[\s\w,/-]*(?=//(25)?X[1-9])/ism"; classtype:policy-violation; sid:2002605; rev:2;)
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 625 | #
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 626 | # US Top Secret Not Releasable to Foreign Nationals
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 627 | #alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"BLEEDING-EDGE POLICY High Ports - US Top Secret NOFORN"; flow:to_server,established; pcre:"/(TOP\sSECRET|TS)//[\s\w,/-]*NOFORN[\s\w,/-]*(?=//(25)?X[1-9])/ism"; classtype:policy-violation; sid:2002606; rev:2;)
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 628 | #
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 629 | # US Secret Not Releasable to Foreign Nationals
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 630 | #alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"BLEEDING-EDGE POLICY High Ports - US Secret NOFORN"; flow:to_server,established; pcre:"/(? |
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 631 | #
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 632 | # US Confidential Originator Controlled
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 633 | #alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"BLEEDING-EDGE POLICY High Ports - US Confidential ORCON"; flow:to_server,established; pcre:"/(CONFIDENTIAL|C)//[\s\w,/-]*(ORIGINATOR\sCONTROLLED|ORCON)[\s\w,/-]*(?=//(25)?X[1-9])/ism"; classtype:policy-violation; sid:2002608; rev:2;)
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 634 | #
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 635 | # US Top Secret Originator Controlled
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 636 | #alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"BLEEDING-EDGE POLICY High Ports - US Top Secret ORCON"; flow:to_server,established; pcre:"/(TOP\sSECRET|TS)//[\s\w,/-]*(ORIGINATOR\sCONTROLLED|ORCON)[\s\w,/-]*(?=//(25)?X[1-9])/ism"; classtype:policy-violation; sid:2002609; rev:2;)
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 637 | #
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 638 | # US Secret Originator Controlled
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 639 | #alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"BLEEDING-EDGE POLICY High Ports - US Secret ORCON"; flow:to_server,established; pcre:"/(? |
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 640 | #
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 641 | # US Unclassified Proprietary Information
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 642 | #alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"BLEEDING-EDGE POLICY High Ports - US Unclassified PROPIN"; flow:to_server,established; pcre:"/(UNCLASSIFIED|U)//[\s\w,/-]*PROPIN[\s\w,/-]*(?=//(25)?X[1-9])/ism"; classtype:policy-violation; sid:2002611; rev:2;)
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 643 | #
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 644 | # US Confidential Proprietary Information
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 645 | #alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"BLEEDING-EDGE POLICY High Ports - US Confidential PROPIN"; flow:to_server,established; pcre:"/(CONFIDENTIAL|C)//[\s\w,/-]*PROPIN[\s\w,/-]*(?=//(25)?X[1-9])/ism"; classtype:policy-violation; sid:2002612; rev:2;)
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 646 | #
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 647 | # US Top Secret Proprietary Information
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 648 | #alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"BLEEDING-EDGE POLICY High Ports - US Top Secret PROPIN"; flow:to_server,established; pcre:"/(TOP\sSECRET|TS)//[\s\w,/-]*PROPIN[\s\w,/-]*(?=//(25)?X[1-9])/ism"; classtype:policy-violation; sid:2002613; rev:2;)
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 649 | #
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 650 | # US Secret Proprietary Information
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 651 | #alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"BLEEDING-EDGE POLICY High Ports - US Secret PROPIN"; flow:to_server,established; pcre:"/(? |
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 652 | #
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 653 | # US Confidential Restricted Data
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 654 | #alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"BLEEDING-EDGE POLICY High Ports - US Confidential RD"; flow:to_server,established; pcre:"/(CONFIDENTIAL|C)//[\s\w,/-]*(RESTRICTED\sDATA|RD)[\s\w,/-]*(?=//MR)/ism"; classtype:policy-violation; sid:2002615; rev:2;)
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 655 | #
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 656 | # US Top Secret Restricted Data
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 657 | #alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"BLEEDING-EDGE POLICY High Ports - US Top Secret RD"; flow:to_server,established; pcre:"/(TOP\sSECRET|TS)//[\s\w,/-]*(RESTRICTED\sDATA|RD)[\s\w,/-]*(?=//MR)/ism"; classtype:policy-violation; sid:2002616; rev:2;)
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 658 | #
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 659 | # US Secret Restricted Data
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 660 | #alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"BLEEDING-EDGE POLICY High Ports - US Secret RD"; flow:to_server,established; pcre:"/(? |
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 661 | #
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 662 | # US Sources and Methods Information
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 663 | #alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"BLEEDING-EDGE POLICY High Ports - US SAMI"; flow:to_server,established; pcre:"/SAMI[\s\w,/-]*(?=//(25)?X[1-9])/ism"; classtype:policy-violation; sid:2002618; rev:2;)
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 664 | #
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 665 | # US Confidential Special Category
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 666 | #alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"BLEEDING-EDGE POLICY High Ports - US Confidential SPECAT"; flow:to_server,established; pcre:"/(CONFIDENTIAL|C)//[\s\w,/-]*SPECAT[\s\w,/-]*(?=//(25)?X[1-9])/ism"; classtype:policy-violation; sid:2002619; rev:2;)
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 667 | #
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 668 | # US Top Secret Special Category
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 669 | #alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"BLEEDING-EDGE POLICY High Ports - US Top Secret SPECAT"; flow:to_server,established; pcre:"/(TOP\sSECRET|TS)//[\s\w,/-]*SPECAT[\s\w,/-]*(?=//(25)?X[1-9])/ism"; classtype:policy-violation; sid:2002620; rev:2;)
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 670 | #
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 671 | # US Secret Special Category
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 672 | #alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"BLEEDING-EDGE POLICY High Ports - US Secret SPECAT"; flow:to_server,established; pcre:"/(? |
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 673 | #
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 674 | # US Top Secret Single Integrated Operations Plan
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 675 | #alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"BLEEDING-EDGE POLICY High Ports - US Top Secret STOP"; flow:to_server,established; pcre:"/(TOP\sSECRET|TS)//[\s\w,/-]*STOP[\s\w,/-]*(?=//(25)?X[1-9])/ism"; classtype:policy-violation; sid:2002622; rev:2;)
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 676 | #
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 677 | # The word "private"
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 678 | #alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"BLEEDING-EDGE POLICY High Ports - Private"; flow:to_server,established; pcre:"/\Wprivate\W(?!/(25)?X[1-9])/ism"; classtype:policy-violation; sid:2002623; rev:2;)
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 679 | #
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 680 | # The word "restricted"
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 681 | #alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"BLEEDING-EDGE POLICY High Ports - Restricted"; flow:to_server,established; pcre:"/(? |
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 682 | #
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 683 | # The word "confidential"
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 684 | #alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"BLEEDING-EDGE POLICY High Ports - Confidential"; flow:to_server,established; pcre:"/(? |
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 685 | #
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 686 | # The word "secret"
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 687 | #alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"BLEEDING-EDGE POLICY High Ports - Secret"; flow:to_server,established; pcre:"/(? |
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 688 | #
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 689 | # The phrase "top secret"
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 690 | #alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"BLEEDING-EDGE POLICY High Ports - Top Secret"; flow:to_server,established; pcre:"/(? |
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 691 | #
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 692 | # The word "sealed"
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 693 | #alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"BLEEDING-EDGE POLICY High Ports - Sealed"; flow:to_server,established; pcre:"/\Wsealed\W(?!/(25)?X[1-9])/ism"; classtype:policy-violation; sid:2002628; rev:2;)
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 694 | #
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 695 | # The word "sensitive"
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 696 | #alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"BLEEDING-EDGE POLICY High Ports - Sensitive"; flow:to_server,established; pcre:"/(? |
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 697 | #
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 698 | # The word "proprietary"
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 699 | #alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"BLEEDING-EDGE POLICY High Ports - Proprietary"; flow:to_server,established; pcre:"/\Wproprietary\W(?!/(25)?X[1-9])/ism"; classtype:policy-violation; sid:2002630; rev:2;)
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 700 | #
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 701 | # The word "protected"
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 702 | #alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"BLEEDING-EDGE POLICY High Ports - Protected"; flow:to_server,established; pcre:"/\Wprotected\W(?!/(25)?X[1-9])/ism"; classtype:policy-violation; sid:2002631; rev:2;)
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 703 | #
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 704 | # The phrase "law enforcement sensitive"
|
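| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 705 | #alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"BLEEDING-EDGE POLICY High Ports - Law Enforcement Sensitive"; flow:to_server,established; pcre:"/\Wlaw\senforcement\ssensitive\W/ism"; classtype:policy-violation; sid:2002632; rev:3;)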
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 706 | #
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 707 | # The phrase "internal use only"
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 708 | #alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"BLEEDING-EDGE POLICY High Ports - Internal Use Only"; flow:to_server,established; pcre:"/\Winternal\suse\sonly\W/ism"; classtype:policy-violation; sid:2002633; rev:2;)
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 709 | #
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 710 | # The phrase "date of birth" or its typical abbreviations
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 711 | #alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"BLEEDING-EDGE POLICY High Ports - Date of Birth"; flow:to_server,established; pcre:"/[^\w&]d(ate)?(-)?o(f)?(-)?b(irth)?\W[\s\w,/-]*(?=([0-9]{2}[-/][0-9]{2}[-/][0-9]{2,4})|[0-9]{8})/ism"; classtype:policy-violation; sid:2002634; rev:2;)
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 712 | #
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 713 | # Health Care Common Procedure Coding System (HCPCS) Codes. NOTE(review): the lookahead below requires a letter followed by ten digits; HCPCS Level II codes are one letter plus four digits (e.g. A0428), so confirm the intended code format before enabling this rule.
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 714 | #alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"BLEEDING-EDGE POLICY High Ports - HCPCS Code"; flow:to_server,established; pcre:"/\Whcpcs\W[\s\w,/-]*(?=[a-z][0-9]{10})/ism"; classtype:policy-violation; sid:2002635; rev:2;)
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 715 | #
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 716 | # International Statistical Classification of Diseases and Related Health Problems 10th Revision (ICD-10) Codes
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 717 | #alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"BLEEDING-EDGE POLICY High Ports - ICD-10 Code"; flow:to_server,established; pcre:"/\Wicd\W[\s\w,/-]*(?=[a-z][0-9]{2}\.[0-9]{2})/ism"; classtype:policy-violation; sid:2002636; rev:2;)
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 718 | #
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 719 | # Food and Drug Administration (FDA) National Drug Code (NDC) Codes
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 720 | #alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"BLEEDING-EDGE POLICY High Ports - FDA NDC Code"; flow:to_server,established; pcre:"/\Wndc\W[\s\w,/-]*(?=([0-9]{4}-[0-9]{4}-[0-9]{2}|[0-9]{5}-[0-9]{3}-[0-9]{2}|[0-9]{5}-[0-9]{4}-[0-9]{1,2}))/ism"; classtype:policy-violation; sid:2002637; rev:2;)
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 721 | #
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 722 | # American Dental Association (ADA) Dental Procedure Codes
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 723 | #alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"BLEEDING-EDGE POLICY High Ports - ADA Procedure Code"; flow:to_server,established; pcre:"/\Wada\W[\s\w,/-]*(?=d[0-9]{4})/ism"; classtype:policy-violation; sid:2002638; rev:2;)
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 724 | #
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 725 | # Diagnostic and Statistical Manual of Mental Disorders (DSM-IV) Codes
|
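| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 726 | #alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"BLEEDING-EDGE POLICY High Ports - DSM-IV Code"; flow:to_server,established; pcre:"/\Wdsm\W[\s\w,/-]*(?=([2-9][0-9]{2}(\.[0-9]{1,2})?)|(v[167][0-9]\.[0-9]{1,2}))/ism"; classtype:policy-violation; sid:2002639; rev:3;)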
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 727 | #
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 728 | # American Medical Association (AMA) Current Procedural Terminology (CPT) Codes
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 729 | #alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"BLEEDING-EDGE POLICY High Ports - AMA CPT Code"; flow:to_server,established; pcre:"/\Wcpt\W[\s\w,/-]*(?=[0-9]{4}[ft]|[0-9]{5})/ism"; classtype:policy-violation; sid:2002640; rev:2;)
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 730 | #
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 731 | # Japan Credit Bureau Credit Card Number
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 732 | #alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"BLEEDING-EDGE POLICY High Ports - Credit Card, JCB"; flow:to_server,established; pcre:"/\Wj(apan\s)?c(redit\s)?b(ureau)?\W[\s\w,/-]*(?=(3[12359][0-9]{14})|(1800|2131)[0-9]{11})/ism"; classtype:policy-violation; sid:2002642; rev:2;)
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 733 | #
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 734 | # The word "password", its typical abbreviations or written/abbreviated in a few forms of "leet"
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 735 | #alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"BLEEDING-EDGE POLICY High Ports - Password"; flow:to_server,established; pcre:"/\W[p][a4@][sz5]{0,2}[w]([o0][r])?[d]\W/ism"; classtype:policy-violation; sid:2002648; rev:2;)
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 736 | #
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 737 | # The word "appraisal"
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 738 | #alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"BLEEDING-EDGE POLICY High Ports - Appraisal"; flow:to_server,established; pcre:"/\Wappraisal(s)?\W/ism"; classtype:policy-violation; sid:2002649; rev:2;)
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 739 | #
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 740 | # The phrase "account balance"
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 741 | #alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"BLEEDING-EDGE POLICY High Ports - Account Balance"; flow:to_server,established; pcre:"/\Waccount\sbalance(s)?\W/ism"; classtype:policy-violation; sid:2002650; rev:2;)
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 742 | #
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 743 | # The phrase "payment history"
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 744 | #alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"BLEEDING-EDGE POLICY High Ports - Payment History"; flow:to_server,established; pcre:"/\Wpayment\shistory\W/ism"; classtype:policy-violation; sid:2002651; rev:2;)
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 745 | #
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 746 | # The phrase "annual income"
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 747 | #alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"BLEEDING-EDGE POLICY High Ports - Annual Income"; flow:to_server,established; pcre:"/\Wannual\sincome(s)?\W/ism"; classtype:policy-violation; sid:2002652; rev:2;)
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 748 | #
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 749 | # The phrase "credit history"
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 750 | #alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"BLEEDING-EDGE POLICY High Ports - Credit History"; flow:to_server,established; pcre:"/\Wcredit\shistor(y|ies)\W/ism"; classtype:policy-violation; sid:2002653; rev:2;)
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 751 | #
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 752 | # The phrase "transaction history"
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 753 | #alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"BLEEDING-EDGE POLICY High Ports - Transaction History"; flow:to_server,established; pcre:"/\Wtransaction\shistor(y|ies)\W/ism"; classtype:policy-violation; sid:2002654; rev:2;)
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 754 | #
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 755 | # The phrase "customer list"
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 756 | #alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"BLEEDING-EDGE POLICY High Ports - Customer List"; flow:to_server,established; pcre:"/\Wcustomer\slist(s)?\W/ism"; classtype:policy-violation; sid:2002655; rev:2;)
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 757 | #
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 758 | #Submitted by Matt Jonkman
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 759 | #These rules are disabled by default. They should generally be run on the outside (perimeter) of your network, not internally. Enable them where useful. Caveats: the patterns match on prefix and digit count only (no Luhn checksum) and carry no protocol, port or flow restriction, so expect false positives on any cleartext numeric data; TLS-protected traffic is not inspected at all. Before uncommenting, note that the direction operator is written "- >" and must be "->" for Snort to parse the rule, and that "3[4|7]" in the 15-digit rules should be "3[47]" (a "|" inside a character class is a literal).
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 760 | #alert ip any any - > any any (msg: "BLEEDING-EDGE Credit Card Number Detected in Clear (16 digit spaced)"; pcre:"/ (6011|5[1-5]\d{2}|4\d{3}|3\d{3}) \d{4} \d{4} \d{4}/"; reference: url,www.beachnet.com/~hstiles/cardtype.html; classtype: policy-violation; sid: 2001375; rev:8; )
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 761 | #alert ip any any - > any any (msg: "BLEEDING-EDGE Credit Card Number Detected in Clear (16 digit dashed)"; pcre:"/ (6011|5[1-5]\d{2}|4\d{3}|3\d{3})-\d{4}-\d{4}-\d{4}/"; reference: url,www.beachnet.com/~hstiles/cardtype.html; classtype: policy-violation; sid: 2001376; rev:8; )
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 762 | #alert ip any any - > any any (msg: "BLEEDING-EDGE Credit Card Number Detected in Clear (16 digit)"; pcre:"/ (6011|5[1-5]\d{2}|4\d{3}|3\d{3})\d{12} /"; reference: url,www.beachnet.com/~hstiles/cardtype.html; classtype: policy-violation; sid: 2001377; rev:8; )
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 763 | #alert ip any any - > any any (msg: "BLEEDING-EDGE Credit Card Number Detected in Clear (15 digit)"; pcre:"/ (3[4|7]\d{2}|2014|2149|2131|1800)\d{11} /"; reference: url,www.beachnet.com/~hstiles/cardtype.html; classtype: policy-violation; sid: 2001378; rev:8; )
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 764 | #alert ip any any - > any any (msg: "BLEEDING-EDGE Credit Card Number Detected in Clear (15 digit spaced)"; pcre:"/ (3[4|7]\d{2}|2014|2149|2131|1800) \d{4} \d{4} \d{3} /"; reference: url,www.beachnet.com/~hstiles/cardtype.html; classtype: policy-violation; sid: 2001379; rev:8; )
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 765 | #alert ip any any - > any any (msg: "BLEEDING-EDGE Credit Card Number Detected in Clear (15 digit dashed)"; pcre:"/ (3[4|7]\d{2}|2014|2149|2131|1800)-\d{4}-\d{4}-\d{3} /"; reference: url,www.beachnet.com/~hstiles/cardtype.html; classtype: policy-violation; sid: 2001380; rev:8; )
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 766 | #alert ip any any - > any any (msg: "BLEEDING-EDGE Credit Card Number Detected in Clear (14 digit)"; pcre:"/ (30[0-5]\d|36\d{2}|38\d{2})\d{10} /"; reference: url,www.beachnet.com/~hstiles/cardtype.html; classtype: policy-violation; sid: 2001381; rev:8; )
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 767 | #alert ip any any - > any any (msg: "BLEEDING-EDGE Credit Card Number Detected in Clear (14 digit spaced)"; pcre:"/ (30[0-5]\d|36\d{2}|38\d{2}) \d{4} \d{4} \d{2} /"; reference: url,www.beachnet.com/~hstiles/cardtype.html; classtype: policy-violation; sid: 2001382; rev:8; )
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 768 | #alert ip any any - > any any (msg: "BLEEDING-EDGE Credit Card Number Detected in Clear (14 digit dashed)"; pcre:"/ (30[0-5]\d|36\d{2}|38\d{2})-\d{4}-\d{4}-\d{2} /"; reference: url,www.beachnet.com/~hstiles/cardtype.html; classtype: policy-violation; sid: 2001383; rev:8; )
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 769 |
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 770 | #Submitted by Ole-Martin. NOTE(review): this rule is enabled and is a content-only match on "DWRCK.DLL" from any source to any $HOME_NET port, so any transfer or listing that names that file (an installer download, a file-share copy) will fire with classtype successful-admin; restrict the port or corroborate with other events before treating a hit as a confirmed install.
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 771 | alert tcp any any -> $HOME_NET any (msg: "BLEEDING-EDGE POLICY Dameware Remote Control Service Install"; flow: to_server,established; content:"DWRCK.DLL"; nocase; classtype: successful-admin; sid: 2001294; rev:2; )
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 772 |
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 773 | #Submitted by Joseph Gama. NOTE(review): the pcre patterns below are not anchored with "^", so the flags/rcode byte pair can be matched anywhere in the payload rather than only at bytes 2-3 of the DNS header; anchor them if re-enabling.
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 774 | #alert udp $DNS_SERVERS 53 -> any any (msg: "BLEEDING-EDGE DNS - Standard query response, Format error"; pcre:"/..[\x81\x82\x83\x84\x85\x86\x87]\x81/"; classtype: not-suspicious; sid: 2001116; rev:2; )
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 775 | #alert udp $DNS_SERVERS 53 -> any any (msg: "BLEEDING-EDGE DNS - Standard query response, Name Error"; pcre:"/..[\x81\x82\x83\x84\x85\x86\x87]\x83/"; classtype: not-suspicious; sid: 2001117; rev:2; )
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 776 | #alert udp $DNS_SERVERS 53 -> any any (msg: "BLEEDING-EDGE DNS - Standard query response, Not Implemented"; pcre:"/..[\x81\x82\x83\x84\x85\x86\x87]\x84/"; classtype: not-suspicious; sid: 2001118; rev:2; )
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 777 | #alert udp $DNS_SERVERS 53 -> any any (msg: "BLEEDING-EDGE DNS - Standard query response, Refused"; pcre:"/..[\x81\x82\x83\x84\x85\x86\x87]\x85/"; classtype: not-suspicious; sid: 2001119; rev:2; )
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 778 |
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 779 | #by Myron Davis
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 780 | alert udp $HOME_NET any - > $EXTERNAL_NET 53 (msg:"BLEEDING-EDGE POLICY nstx DNS Tunnel Outbound"; content:"cT"; offset:12; depth:3; content:"|00 10 00 01 00 00 29 08|"; within:255; classtype:bad-unknown; reference:url,savannah.nongnu.org/projects/nstx/; reference:url,nstx.dereference.de/nstx; sid:2002676; rev:1;)
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 780 | alert udp $HOME_NET any - > $EXTERNAL_NET 53 (msg:"BLEEDING-EDGE POLICY nstx DNS Tunnel Outbound"; content:"cT"; offset:12; depth:3; content:"|00 10 00 01 00 00 29 08|"; within:255; classtype:bad-unknown; reference:url,savannah.nongnu.org/projects/nstx/; reference:url,nstx.dereference.de/nstx; sid:2002676; rev:1;)
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 781 |
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 782 | #From Charles Lacroix
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 783 | # All form fields are encoded before they are sent to the server,
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 784 | # which makes them harder to match with Snort's content/pcre options (at least
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 785 | # for me). This rule will trigger when a user starts to place
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 786 | # an item for sale on the eBay site.
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 787 | #
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 788 | #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE POLICY eBay Bid Placed"; flow: to_server,established; uricontent:"/ws/eBayISAPI.dll/"; nocase; content:"maxbid="; nocase; content:"offer.ebay.com"; nocase; classtype: policy-violation; sid: 2001898; rev:2; )
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 789 | #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE POLICY eBay Placing Item for sale"; flow: to_server,established; uricontent:"/ws2/eBayISAPI.dll"; nocase; content:".ebay.com"; nocase; classtype: policy-violation; sid: 2001907; rev:2; )
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 790 | # Look for a single item
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 791 | #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE POLICY eBay View Item"; flow: to_server,established; uricontent:"/ws/eBayISAPI.dll"; nocase; content:"ViewItem"; nocase; content:".ebay.com"; nocase; classtype: policy-violation; sid: 2001908; rev:3; )
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 792 | # Mark an item to watch
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 793 | #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE POLICY eBay Watch This Item"; flow: to_server,established; uricontent:"/ws/eBayISAPI.dll"; nocase; content:"MakeTrack&Item="; nocase; content:".ebay.com"; nocase; classtype: policy-violation; sid: 2001909; rev:3; )
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 794 |
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 795 | #By Matt Jonkman. Reviving this rule as it's been dropped from the snort.org rulesets.
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 796 | alert tcp $HOME_NET any -> 66.151.158.177 any (msg: "BLEEDING-EDGE GotoMyPC Polling Client"; flow: established; threshold: type limit, track by_src, count 1, seconds 360; classtype: policy-violation; sid: 2000309; rev:6; )
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 797 | #This is intended to be a more intelligent version of the old GoToMyPC rule; it will eventually replace the old one if it proves to catch everything
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 798 | alert tcp 66.151.158.177 8200 -> $HOME_NET any (msg: "BLEEDING-EDGE GotoMyPC poll.gotomypc.com Server Response to Polling Client OK"; flow: established,from_server; content:"cnt=0"; nocase; depth: 40; content:"eventid="; nocase; depth: 40; threshold: type limit, track by_src, count 1, seconds 360; classtype: policy-violation; sid: 2002022; rev:2; )
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 799 |
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 800 | #Submitted by Matt Jonkman
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 801 | alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Hotmail Inbox Access"; flow: to_server,established; content:"hotmail.msn.com"; pcre:"/(GET |GET (http|https)\:\/\/[-0-9a-z.]*)\/cgi-bin\/HoTMaiL\?curmbox=/i"; classtype: policy-violation; sid: 2000035; rev:9; )
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 802 | alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Hotmail Message Access"; flow: to_server,established; content:"hotmail.msn.com"; pcre:"/(GET |GET (http|https)\:\/\/[-0-9a-z.]*)\/cgi-bin\/getmsg\?msg=MSG/i"; classtype: policy-violation; sid: 2000036; rev:9; )
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 803 | alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Hotmail Compose Message Access"; flow: to_server,established; content:"curmbox="; nocase; content:"hotmail.msn.com"; nocase; pcre:"/(GET |GET (http|https)\:\/\/[-0-9a-z.]*)\/cgi-bin\/compose\?/i"; classtype: policy-violation; sid: 2000037; rev:9; )
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 804 | alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Hotmail Compose Message Submit"; flow: to_server,established; content:"hotmail.msn.com"; nocase; pcre:"/(POST |POST (http|https)\:\/\/[-0-9a-z.]*)\/cgi-bin\/premail/i"; classtype: policy-violation; sid: 2000038; rev:8; )
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 805 | alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Hotmail Compose Message Submit Data"; flow: to_server,established; content:"curmbox="; nocase; content:"login="; nocase; content:"msghdrid"; nocase; content:"sigflag="; nocase; classtype: policy-violation; sid: 2000039; rev:6; )
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 806 |
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 807 | #Submitted by Thomas Alex
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 808 | alert tcp $EXTERNAL_NET any -> $HOME_NET 8000 (msg: "BLEEDING-EDGE MISC HP Web JetAdmin ExecuteFile admin access"; flow: to_server,established; content:"/plugins/framework/script/content.hts"; nocase; content:"ExecuteFile"; nocase; reference: bugtraq,10224; classtype: attempted-admin; sid: 2001055; rev:3; )
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 809 |
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 810 | #Submitted by Brandon Barnes
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 811 | #pass tcp any any -> any any ( msg:"BLEEDING-EDGE HTTP CONNECT Tunnel"; content:"CONNECT "; nocase; content:"80"; content:" HTTP/1."; nocase; flow:to_server,established; classtype:misc-activity; sid:2000549; rev:3;)
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 812 | #pass tcp any any -> any any ( msg:"BLEEDING-EDGE HTTP CONNECT Tunnel"; content:"CONNECT "; nocase; content:"443"; content:" HTTP/1."; nocase; flow:to_server,established; classtype:misc-activity; sid:2000550; rev:3;)
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 813 | #alert tcp any any -> any any (msg: "BLEEDING-EDGE HTTP CONNECT Tunnel"; flow: to_server,established; content:"CONNECT "; nocase; content:!"80"; content:" HTTP/1."; nocase; classtype: misc-activity; sid: 2000547; rev:5; )
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 814 | #alert tcp any any -> any any (msg: "BLEEDING-EDGE HTTP CONNECT Tunnel"; flow: to_server,established; content:"CONNECT "; nocase; content:!"443"; content:" HTTP/1."; nocase; classtype: misc-activity; sid: 2000548; rev:5; )
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 815 | #Submitted by Jason
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 816 | #alert tcp any any -> any any (msg: "BLEEDING-EDGE HTTP CONNECT Tunnel Attempt"; flow: to_server,established; content:"CONNECT "; nocase; content:"|0d 0a|"; within: 1024; distance: 0; content:"HTTP/1."; nocase; within: 8; distance: -10; content:!"\:80"; within: 4; distance: -11; content:"CONNECT "; nocase; content:"|0d 0a|"; within: 1024; distance: 0; content:"HTTP/1."; nocase; within: 8; distance: -10; content:!"\:443"; within: 5; distance: -12; classtype: misc-activity; sid: 2000560; rev:6; )
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 817 |
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 818 | #By Merphie from the forums
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 819 | alert tcp $HOME_NET any -> $EXTERNAL_NET 5190 (msg: "BLEEDING-EDGE POLICY ICQ Status Invisible"; flow: from_client,established; content:"|2A02|"; depth: 2; content:"|001900130005|"; offset: 4; depth: 6; classtype: policy-violation; sid: 2001801; rev:3; )
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 820 | alert tcp $HOME_NET any -> $EXTERNAL_NET 5190 (msg: "BLEEDING-EDGE POLICY ICQ Status Change (1)"; flow: from_client,established; content:"|2A02|"; depth: 2; content:"|000E00010011|"; offset: 4; depth: 6; classtype: policy-violation; sid: 2001802; rev:4; )
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 821 | alert tcp $HOME_NET any -> $EXTERNAL_NET 5190 (msg: "BLEEDING-EDGE POLICY ICQ Status Change (2)"; flow: from_client,established; content:"|2A02|"; depth: 2; content:"|00120001001E|"; offset: 4; depth: 6; classtype: policy-violation; sid: 2001803; rev:4; )
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 822 | alert tcp $HOME_NET any -> $EXTERNAL_NET 5190 (msg: "BLEEDING-EDGE POLICY ICQ Login"; flow: from_client,established; content:"|2A01|"; depth: 2; content:"|00010001|"; offset: 8; depth: 4; classtype: policy-violation; sid: 2001804; rev:3; )
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 823 | alert tcp $HOME_NET any <> $EXTERNAL_NET any (msg: "BLEEDING-EDGE POLICY ICQ Message"; flow: established; content:"|2A02|"; depth: 2; content:"|000400060000|"; offset: 6; depth: 6; classtype: policy-violation; sid: 2001805; rev:3; )
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 824 |
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 825 | #by Mark Tombaugh
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 826 | alert tcp $HOME_NET any -> $EXTERNAL_NET 5222 (msg:"BLEEDING-EDGE POLICY Google Talk (Jabber) Client Login"; flow:established,to_server; content:"gmail.com"; nocase; content:"jabber"; nocase; distance:9; within:6; classtype:policy-violation; reference:url,talk.google.com; reference:url,www.xmpp.org; sid:2002327; rev:2;)
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 826 | alert tcp $HOME_NET any -> $EXTERNAL_NET 5222 (msg:"BLEEDING-EDGE POLICY Google Talk (Jabber) Client Login"; flow:established,to_server; content:"gmail.com"; nocase; content:"jabber"; nocase; distance:9; within:6; classtype:policy-violation; reference:url,talk.google.com; reference:url,www.xmpp.org; sid:2002327; rev:2;)
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 827 | alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"BLEEDING-EDGE POLICY Google Talk TLS Client Traffic"; flow:established,to_server; content:"gmail.com"; nocase; content:"jabber"; nocase; distance:64; within:78; classtype:policy-violation; reference:url,talk.google.com; reference:url,www.xmpp.org; sid:2002330; rev:2;)
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 827 | alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"BLEEDING-EDGE POLICY Google Talk TLS Client Traffic"; flow:established,to_server; content:"gmail.com"; nocase; content:"jabber"; nocase; distance:64; within:78; classtype:policy-violation; reference:url,talk.google.com; reference:url,www.xmpp.org; sid:2002330; rev:2;)
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 828 |
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 829 | #by Brad Doctor
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 830 | alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"BLEEDING-EDGE POLICY Google IM traffic Windows client user sign-on"; flow:to_server; content:"ms\:xml\:ns\:xmpp-s"; content:"X-GOOGLE-TOKEN\">"; classtype:policy-violation; reference:url,www.google.com/talk; sid:2002332; rev:3;)
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 831 | alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"BLEEDING-EDGE POLICY Google IM traffic friend invited"; flow:to_server; content:"\"><invitati"; content:"on xmlns=\"google"; classtype:policy-violation; reference:url,www.google.com/talk; sid:2002333; rev:3;)
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 832 | alert tcp $HOME_NET any -> $EXTERNAL_NET 5222 (msg:"BLEEDING-EDGE POLICY Google IM traffic Jabber client sign-on"; flow:to_server; pcre:"/gmail.com/i"; pcre:"/jabber.org/i"; pcre:"/version=/"; classtype:policy-violation; reference:url,www.google.com/talk; sid:2002334; rev:2;)
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 833 | alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"BLEEDING-EDGE POLICY Google IM traffic Windows client user sign-off"; flow:to_server; content:"|3C 2F|stream\:s"; content:"tream>"; classtype:policy-violation; reference:url,www.google.com/talk; sid:2002335; rev:4;)
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 834 |
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 835 | #Submitted by Joel Esler
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 836 | alert tcp $HOME_NET any <> $EXTERNAL_NET any (msg: "BLEEDING-EDGE CHAT MSN file transfer request"; flow: established; content:"MSG "; depth: 4; content:"Content-Type|3A|"; nocase; distance: 0; content:"text/x-msmsgsinvite"; nocase; distance: 0; content:"Application-Name|3A|"; content:"File Transfer"; nocase; distance: 0; classtype: policy-violation; sid: 2001241; rev:3; )
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 837 | alert tcp $HOME_NET any <> $EXTERNAL_NET any (msg: "BLEEDING-EDGE CHAT MSN file transfer accept"; flow: established; content:"MSG "; depth: 4; content:"Content-Type|3A|"; nocase; content:"text/x-msmsgsinvite"; distance: 0; content:"Invitation-Command|3A|"; content:"ACCEPT"; distance: 1; classtype: policy-violation; sid: 2001242; rev:3; )
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 838 | alert tcp $HOME_NET any <> $EXTERNAL_NET any (msg: "BLEEDING-EDGE CHAT MSN file transfer reject"; flow: established; content:"MSG "; depth: 4; content:"Content-Type|3A|"; nocase; content:"text/x-msmsgsinvite"; distance: 0; content:"Invitation-Command|3A|"; content:"CANCEL"; distance: 0; content:"Cancel-Code|3A|"; nocase; content:"REJECT"; nocase; distance: 0; classtype: policy-violation; sid: 2001243; rev:3; )
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 839 |
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 840 | #Matt Jonkman, more msn
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 841 | alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Policy MSN IM Poll via HTTP"; flow: established,to_server; uricontent:"/gateway/gateway.dll?Action=poll&SessionID="; nocase; threshold: type limit, track by_src, count 10, seconds 3600; classtype: policy-violation; sid: 2001682; rev:5; )
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 842 |
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 843 | #Submitted by Scott Melnick
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 844 | alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg: "BLEEDING-EDGE POLICY MSN status change"; flow:established,to_server; content:"CHG "; depth:55; classtype:policy-violation; sid:2002192; rev:2;)
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 845 | alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg: "BLEEDING-EDGE POLICY MSN Game Loading"; flow:established,to_server; content:"|6D 73 6E 67 61 6D 65 2E 61 73 70 78|"; within:90; classtype:policy-violation; sid:2002312; rev:1;)
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 846 |
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 847 | #Submitted by Joel Esler
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 848 | alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "BLEEDING-EDGE CHAT Yahoo IM successful logon"; flow: from_server,established; content:"YMSG"; nocase; depth: 4; content:"|00 01|"; offset: 10; depth: 2; classtype: policy-violation; sid: 2001253; rev:3; )
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 849 | alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "BLEEDING-EDGE CHAT Yahoo IM voicechat"; flow: from_server,established; content:"YMSG"; nocase; depth: 4; content:"|00|J"; offset: 10; depth: 2; classtype: policy-violation; sid: 2001254; rev:3; )
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 850 | #Commented out; duplicated in the Snort.org set
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 851 | #alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg: "BLEEDING-EDGE CHAT Yahoo IM ping"; flow: to_server,established; content:"YMSG"; nocase; depth: 4; content:"|00 12|"; offset: 10; depth: 2; classtype: policy-violation; sid: 2001255; rev:4; )
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 852 | alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "BLEEDING-EDGE CHAT Yahoo IM conference invitation"; flow: from_server,established; content:"YMSG"; nocase; depth: 4; content:"|00 18|"; offset: 10; depth: 2; classtype: policy-violation; sid: 2001256; rev:3; )
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 853 | alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "BLEEDING-EDGE CHAT Yahoo IM conference logon success"; flow: from_server,established; content:"YMSG"; nocase; depth: 4; content:"|00 19|"; offset: 10; depth: 2; classtype: policy-violation; sid: 2001257; rev:3; )
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 854 | alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg: "BLEEDING-EDGE CHAT Yahoo IM conference message"; flow: to_server,established; content:"YMSG"; nocase; depth: 4; content:"|00 1D|"; offset: 10; depth: 2; classtype: policy-violation; sid: 2001258; rev:3; )
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 855 | alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg: "BLEEDING-EDGE CHAT Yahoo IM Unavailable Status"; flow: to_server,established; content:"|59 47 00 0b 00 00 00 00 00 12 00 00 00 00|"; depth: 55; classtype: policy-violation; sid: 2001427; rev:3; )
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 856 | alert tcp $HOME_NET any <> $EXTERNAL_NET any (msg: "BLEEDING-EDGE CHAT Yahoo IM file transfer request"; flow: established; content:"YMSG"; nocase; depth: 4; content:"|00|M"; offset: 10; depth: 2; classtype: policy-violation; sid: 2001259; rev:4; )
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 857 | #alert tcp $HOME_NET any <> $EXTERNAL_NET any (msg: "BLEEDING-EDGE CHAT Yahoo IM message"; flow: established; content:"YMSG"; depth: 4; classtype: policy-violation; sid: 2001260; rev:4; )
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 858 | alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "BLEEDING-EDGE CHAT Yahoo IM successful chat join"; flow: from_server,established; content:"YMSG"; nocase; depth: 4; content:"|00 98|"; offset: 10; depth: 2; classtype: policy-violation; sid: 2001261; rev:3; )
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 859 | alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg: "BLEEDING-EDGE CHAT Yahoo IM conference offer invitation"; flow: to_server,established; content:"YMSG"; nocase; depth: 4; content:"|00|P"; offset: 10; depth: 2; classtype: policy-violation; sid: 2001262; rev:3; )
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 860 | alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg: "BLEEDING-EDGE CHAT Yahoo IM conference request"; flow: to_server,established; content:" |
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 861 | #alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "BLEEDING-EDGE CHAT Yahoo IM conference watch"; flow: from_server,established; content:"|0D 00 05 00|"; depth: 4; classtype: policy-violation; sid: 2001264; rev:3; )
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 862 |
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 863 | #Matt Jonkman
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 864 | alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE CHAT Yahoo IM Client Install"; flow: to_server,established; uricontent:"/ycontent/stats.php?version="; nocase; uricontent:"EVENT=InstallBegin"; nocase; classtype: policy-violation; sid: 2002659; rev:1; )
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 865 |
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 866 | #Moved from the Malware set; this is not spyware related
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 867 | #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Infotriever Spyware User Agent"; flow: to_server,established; flowbits:isset,http.UserAgent; content:"User-Agent\: Client"; nocase; classtype: trojan-activity; reference:url,www.infotriever.com/Intro_SysAdmins.asp; sid: 2002082; rev:5;)
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 868 |
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 869 | #Submitted by Vernon Stark
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 870 | alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "BLEEDING-EDGE POLICY IRC authorization message"; flow: established; content:"NOTICE AUTH"; content:"Looking up your hostname..."; nocase; classtype: misc-activity; sid: 2000355; rev:3; )
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 871 | alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "BLEEDING-EDGE POLICY IRC connection"; flow: established; content:"Welcome to the "; content:"IRC Network"; nocase; classtype: misc-activity; sid: 2000356; rev:3; )
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 872 |
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 873 | #by Matt Jonkman
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 874 | #alert ip any any -> any any (msg: "BLEEDING-EDGE POLICY EIN in the clear (US-IRS Employer ID Number)"; pcre:"/ /d/d-/d{7} /"; reference:url,policy.ssa.gov/poms.nsf/lnx/0101001004; reference:url,policy.ssa.gov/poms.nsf/lnx/0101001001?opendocument; classtype:policy-violation; sid:2002658; rev:1;)
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 874 | #alert ip any any -> any any (msg: "BLEEDING-EDGE POLICY EIN in the clear (US-IRS Employer ID Number)"; pcre:"/ /d/d-/d{7} /"; reference:url,policy.ssa.gov/poms.nsf/lnx/0101001004; reference:url,policy.ssa.gov/poms.nsf/lnx/0101001001?opendocument; classtype:policy-violation; sid:2002658; rev:1;)
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 875 |
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 876 | #Submitted by Jonathan Miner
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 877 | alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE POLICY KitCo Kcast Ticker (agtray)"; flow: to_server,established; uricontent:"/pr/agtray.txt"; nocase; classtype: policy-violation; sid: 2000569; rev:4; )
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 878 | alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE POLICY KitCo Kcast Ticker (autray)"; flow: to_server,established; uricontent:"/pr/autray.txt"; nocase; classtype: policy-violation; sid: 2000570; rev:4; )
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 879 |
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 880 | #Submitted by Joseph Gama
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 881 | #alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "BLEEDING-EDGE Policy Mozilla XPI install files download"; flow: from_server,established; content:"content-type\: application/x-xpinstall"; nocase; classtype: bad-unknown; sid: 2001114; rev:3; )
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 882 |
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 883 | #Submitted by Lance Boon
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 884 | alert udp any any -> any any (msg: "BLEEDING-EDGE Policy Netop Remote Control Usage"; content:"|554b30303736305337473130|"; reference: url,www.netop.com; classtype: policy-violation; sid: 2001597; rev:2; )
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 885 |
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 886 | #New approach to SSH detection. The first group detects legitimate SSH sessions on the expected ports. Enable these ONLY if you need to know about
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 887 | # normal ssh sessions
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 888 | #Written by Erik Fichtner, adapted somewhat
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 889 |
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 890 | #alert tcp any $SSH_PORTS -> any any (msg: "BLEEDING-EDGE POLICY SSH Server Banner Detected on Expected Port"; flowbits:noalert; flow: from_server,established; content:"SSH-"; offset: 0; depth: 4; byte_test:1,>,48,0,relative;byte_test:1,<,51,0,relative;byte_test:1,=,46,1,relative;flowbits: set,is_ssh_server_banner; classtype:misc-activity; sid: 2001973; rev:5; )
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 891 | #alert tcp any any -> any $SSH_PORTS (msg: "BLEEDING-EDGE POLICY SSH Client Banner Detected on Expected Port"; flowbits:isset,is_ssh_server_banner; flowbits:noalert; flow: from_client,established; content:"SSH-"; offset: 0; depth: 4; byte_test:1,>,48,0,relative;byte_test:1,<,51,0,relative;byte_test:1,=,46,1,relative;flowbits: set,is_ssh_client_banner; classtype:misc-activity; sid: 2001974; rev:5; )
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 892 | #alert tcp any $SSH_PORTS -> any any (msg: "BLEEDING-EDGE POLICY SSHv2 Server KEX Detected on Expected Port"; flowbits:isset,is_ssh_client_banner; flowbits:noalert; flow: from_server,established; byte_test:1,=,20,5; flowbits: set,is_ssh_server_kex; classtype:misc-activity; sid: 2001975; rev:5; )
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 893 | #alert tcp any any -> any $SSH_PORTS (msg: "BLEEDING-EDGE POLICY SSHv2 Client KEX Detected on Expected Port"; flowbits:isset,is_ssh_server_kex; flowbits:noalert; flow: from_client,established; byte_test:1,=,20,5;flowbits: set,is_ssh_client_kex; classtype:misc-activity; sid: 2001976; rev:6; )
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 894 | #alert tcp any any -> any $SSH_PORTS (msg: "BLEEDING-EDGE POLICY SSHv2 Client New Keys detected on Expected Port"; flowbits:noalert; flowbits:isset,is_ssh_client_kex; flow: from_client,established; byte_test:1,=,21,5;flowbits: set,is_proto_ssh; classtype:misc-activity; sid: 2001977; rev:6; )
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 895 | #alert tcp any any <> any $SSH_PORTS (msg: "BLEEDING-EDGE POLICY SSH session in progress on Expected Port"; flowbits: isset,is_proto_ssh; threshold: type both, track by_src, count 2, seconds 300; classtype:misc-activity; sid: 2001978; rev:4; )
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 896 |
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 897 | #And now to detect SSH on non-standard ports
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 898 | alert tcp any !$SSH_PORTS -> any any (msg: "BLEEDING-EDGE POLICY SSH Server Banner Detected on Unusual Port"; flowbits:noalert; flow: from_server,established; content:"SSH-"; offset: 0; depth: 4; byte_test:1,>,48,0,relative;byte_test:1,<,51,0,relative;byte_test:1,=,46,1,relative;flowbits: set,is_ssh_server_banner; classtype:misc-activity; sid: 2001979; rev:5; )
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 899 | alert tcp any any -> any !$SSH_PORTS (msg: "BLEEDING-EDGE POLICY SSH Client Banner Detected on Unusual Port"; flowbits:noalert; flowbits:isset,is_ssh_server_banner; flow: from_client,established; content:"SSH-"; offset: 0; depth: 4; byte_test:1,>,48,0,relative;byte_test:1,<,51,0,relative;byte_test:1,=,46,1,relative; flowbits: set,is_ssh_client_banner; classtype:misc-activity; sid: 2001980; rev:6; )
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 900 | alert tcp any !$SSH_PORTS -> any any (msg: "BLEEDING-EDGE POLICY SSHv2 Server KEX Detected on Unusual Port"; flowbits:isset,is_ssh_client_banner; flowbits:noalert; flow: from_server,established; byte_test:1,=,20,5;flowbits: set,is_ssh_server_kex; classtype:misc-activity; sid: 2001981; rev:5; )
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 901 | alert tcp any any -> any !$SSH_PORTS (msg: "BLEEDING-EDGE POLICY SSHv2 Client KEX Detected on Unusual Port"; flowbits:noalert; flowbits:isset,is_ssh_server_kex; flow: from_client,established; byte_test:1,=,20,5; flowbits: set,is_ssh_client_kex; classtype:misc-activity; sid: 2001982; rev:6; )
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 902 | alert tcp any any -> any !$SSH_PORTS (msg: "BLEEDING-EDGE POLICY SSHv2 Client New Keys Detected on Unusual Port"; flowbits:isset,is_ssh_client_kex; flowbits:noalert; flow: from_client,established; byte_test:1,=,21,5; flowbits: set,is_proto_ssh; classtype:misc-activity; sid: 2001983; rev:6; )
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 903 | alert tcp any any <> any !$SSH_PORTS (msg: "BLEEDING-EDGE POLICY SSH session in progress on Unusual Port"; flowbits: isset,is_proto_ssh; threshold: type both, track by_src, count 2, seconds 300; classtype:misc-activity; sid: 2001984; rev:4; )
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 904 |
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 905 | # Added by Frank Knobbe
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 906 | alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg: "BLEEDING-EDGE POLICY Prospero Chat Session in Progress"; flow: established,to_server; content:"PCHAT2 "; offset: 0; depth: 7; content:"v='"; nocase; offset: 8; depth: 400; content:"jv='"; nocase; offset: 8; depth: 400; content:"u='"; nocase; offset: 8; depth: 400; reference: url,www.prospero.com/technology.htm; classtype: policy-violation; sid: 2001989; rev:2; )
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 907 |
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 908 | #By Sam Pabon
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 909 | alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg: "BLEEDING-EDGE POLICY RAR File Outbound"; flow: established; content:"|52 61 72 21|"; offset: 0; depth: 4; tag: session; classtype: not-suspicious; sid: 2001950; rev:2; )
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 910 | #alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "BLEEDING-EDGE POLICY RAR File Inbound"; flow: established; content:"|52 61 72 21|"; offset: 0; depth: 4; tag: session; classtype: not-suspicious; sid: 2001951; rev:2; )
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 911 |
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 912 | #Submitted by James Ashton
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 913 | alert tcp $EXTERNAL_NET any -> $HOME_NET 3389 (msg: "BLEEDING-EDGE RDP connection request"; flow: to_server,established; content:"|03|"; offset: 0; depth: 1; content:"|E0|"; offset: 5; depth: 1; classtype: misc-activity; sid: 2001329; rev:5; )
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 914 | alert tcp $HOME_NET 3389 -> $EXTERNAL_NET any (msg: "BLEEDING-EDGE RDP connection confirm"; flow: from_server,established; content:"|03|"; offset: 0; depth: 1; content:"|D0|"; offset: 5; depth: 1; classtype: misc-activity; sid: 2001330; rev:5; )
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 915 | alert tcp $EXTERNAL_NET any -> $HOME_NET 3389 (msg: "BLEEDING-EDGE RDP disconnect request"; flow: to_server,established; content:"|03|"; offset: 0; depth: 1; content:"|80|"; offset: 5; depth: 1; classtype: misc-activity; sid: 2001331; rev:5; )
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 916 |
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 917 | #By Chich Thierry
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 918 | alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Policy Skype VOIP Checking Version (Startup)"; flow: to_server,established; uricontent:"/ui/"; nocase; uricontent:"/getlatestversion?ver="; nocase; reference: url,www1.cs.columbia.edu/~library/TR-repository/reports/reports-2004/cucs-039-04.pdf; classtype: policy-violation; sid: 2001595; rev:5; )
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 919 | alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Policy Skype VOIP Reporting Install"; flow: to_server,established; uricontent:"/ui/"; nocase; uricontent:"/installed"; nocase; reference: url,www1.cs.columbia.edu/~library/TR-repository/reports/reports-2004/cucs-039-04.pdf; classtype: policy-violation; sid: 2001596; rev:5; )
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 920 |
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 921 | #By Robert Grabowsky
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 922 | alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE POLICY Skype User-Agent detected"; flow:to_server,established; pcre:"/User-Agent\:[^(\n|\r)]+Skype/i"; classtype: policy-violation; sid:2002157; rev:1;)
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 923 |
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 924 | #By Chris Norton
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 925 | #alert tcp any any -> $HOME_NET 22 (msg: "BLEEDING-EDGE Policy SSH Successful user connection"; dsize: 52; flags: AP; threshold: type both, track by_src, count 3, seconds 60; classtype: successful-user; sid: 2001637; rev:3; )
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 926 |
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 927 | #Submitted by Patrick Harper. pcre by Matt Jonkman
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 928 | #This rule is disabled by default. It should generally be run on the outside of your network, not internally. Enable it where useful.
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 929 | #alert tcp any any -> any any (msg: "BLEEDING-EDGE SSN Detected in Clear Text"; flow: established; pcre:"/ ([0-6]\d\d|7[0-256]\d|73[0-3]|77[0-2])-\d{2}-\d{4} /"; classtype: policy-violation; sid: 2001328; rev:8; )
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 930 | #alert tcp any any -> any any (msg: "BLEEDING-EDGE SSN Detected in Clear Text"; flow: established; pcre:"/ ([0-6]\d\d|7[0-256]\d|73[0-3]|77[0-2]) \d{2} \d{4} /"; classtype: policy-violation; sid: 2001384; rev:8; )
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 931 |
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 932 | #by Mark Tombaugh, updated by Robert Grabowsky
|
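| | # Tor 1.0 client circuit traffic: matches "TOR" (|54 4f 52|) followed by "client <identity>" (the second hex content) in a 20-byte window starting 10 bytes after the first match (distance:10; within:20). threshold type both limits output to one alert per source per 60 s. Direction operator restored to "->" (was split as "- >").
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 933 | alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"BLEEDING-EDGE POLICY TOR 1.0 Client Circuit Traffic"; flow:established,to_server;content:"|54 4f 52|"; content:"|63 6c 69 65 6e 74 20 3C 69 64 65 6E 74 69 74 79 3E|"; distance:10; within:20; threshold:type both, track by_src, count 1, seconds 60; classtype:policy-violation; reference:url,tor.eff.org; sid:2001728; rev:3;)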
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 934 |
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 935 | #Submitted by Erik Vincent
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 936 | #alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg: "BLEEDING-EDGE Policy Proxy Connection detected"; flow: established; content:"Proxy-Connection"; classtype: attempted-user; sid: 2001449; rev:2; )
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 937 |
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 938 | #
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 939 | #You MUST add the SMTP_SERVERS var to your snort.conf!!!!
|
| | # Alerts when a host that is NOT in $SMTP_SERVERS opens 10 or more outbound tcp/25 connections within 120 s (SYN packets, reserved bits ignored via ",12"; threshold type threshold, track by_src). Direct-to-MX mail from workstations is a common sign of an infected host. The $SMTP_SERVERS variable must be defined in snort.conf or the rule will not load.
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 940 | alert tcp !$SMTP_SERVERS any -> !$HOME_NET 25 (msg: "BLEEDING-EDGE POLICY Outbound Multiple Non-SMTP Server Emails"; flags: S,12; threshold: type threshold, track by_src,count 10, seconds 120; classtype: misc-activity; sid: 2000328; rev:7;)
|
| | # Inbound counterpart: a single external source making 10 or more tcp/25 connection attempts (SYN, reserved bits ignored) to $HOME_NET within 60 s, tracked by source. Legitimate high-volume senders may also trip this; tune the count/seconds for your mail volume.
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 941 | alert tcp !$HOME_NET any -> $HOME_NET 25 (msg: "BLEEDING-EDGE POLICY Inbound Frequent Emails -- Possible Spambot Inbound"; flags: S,12; threshold: type threshold, track by_src,count 10, seconds 60; classtype: misc-activity; sid: 2002087; rev:4;)
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 942 |
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 943 | # Submitted by Jason Alvarado
|
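| | # MyWebEx client keep-alive traffic to the vendor's address ranges on tcp/443: payloads under 50 bytes (dsize: < 50) whose first byte is 0x17 (TLS application_data record type); at most one alert per source per 360 s. NOTE(review): the destination networks are hard-coded and may no longer belong to the vendor — TODO confirm before relying on this rule. Direction operator restored to "->" (was split as "- >").
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 944 | alert tcp $HOME_NET any -> [208.8.81.0/24,64.68.96.0/19] 443 (msg: "BLEEDING-EDGE MyWebEx Server Traffic"; flow: to_server,established; dsize: < 50; content:"|17|"; offset: 0; depth: 1; threshold: type limit,track by_src, count 1, seconds 360; reference: url,www.mywebexpc.com/how.php; classtype: policy-violation; sid: 2001712; rev:2; )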
|
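| | # MyWebEx installer check-in: HTTP request to the vendor ranges containing "/pc/r.php?AT=RS" (case-insensitive); limited to one alert per source per 30 s. Direction operator restored to "->" (was split as "- >").
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 945 | alert tcp $HOME_NET any -> [208.8.81.0/24,64.68.96.0/19] $HTTP_PORTS (msg: "BLEEDING-EDGE MyWebEx Installation"; flow: to_server,established; content:"/pc/r.php?AT=RS"; nocase; threshold: type limit, track by_src, count 1, seconds 30; reference: url,www.mywebexpc.com/how.php; classtype: policy-violation; sid: 2001713; rev:2; )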
|
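| | # Server-to-client side of a MyWebEx session: a TLS record starting |16 03| (handshake, major version 3) from the vendor ranges, with "Comodo" in the first 240 bytes and "accessanywhere.com" inside a 48-byte window at offset 592 — presumably the certificate issuer and subject (TODO confirm). The fixed offsets will break if the server certificate changes. Direction operator restored to "->" (was split as "- >").
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 946 | alert tcp [208.8.81.0/24,64.68.96.0/19] 443 -> $HOME_NET any (msg: "BLEEDING-EDGE MyWebEx Incoming Connection"; flow: to_client,established; content:"|16 03|"; offset: 0; depth: 2; content:"Comodo"; nocase; depth: 240; content:"accessanywhere.com"; nocase; offset: 592; depth: 48; reference: url,www.mywebexpc.com/how.php; classtype: policy-violation; sid: 2001714; rev:2; )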
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 947 |
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 948 | #Originally posted by Matt Jonkman, major tweaks by Matt Watchinski.
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 949 | #The less useful rules are disabled; enable them if you require the information. They are functional and accurate.
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 950 | #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Yahoo Mail Inbox View"; flow: to_server,established; uricontent:"/ym/ShowFolder"; nocase; content:"rb=Inbox"; nocase; classtype: policy-violation; sid: 2000041; rev:9; )
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 951 | #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Yahoo Mail Message View"; flow: to_server,established; uricontent:"/ym/ShowLetter"; nocase; content:"MsgId"; nocase; classtype: policy-violation; sid: 2000042; rev:8; )
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 952 | #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Yahoo Mail Message Compose Open"; flow: to_server,established; uricontent:"/ym/Compose"; nocase; classtype: policy-violation; sid: 2000043; rev:8; )
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 953 | #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Yahoo Mail Message Send"; flow: to_server,established; uricontent:"/ym/Compose"; nocase; classtype: policy-violation; sid: 2000044; rev:7; )
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 954 | #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Yahoo Mail Message Send Info Capture"; flow: to_server,established; content:"crumb="; nocase; content:"Subject="; nocase; classtype: policy-violation; sid: 2000045; rev:8; )
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 955 | #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Yahoo Mail General Page View"; flow: to_server,established; uricontent:"/ym/login"; nocase; content:".rand="; nocase; classtype: policy-violation; sid: 2000341; rev:6; )
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 956 |
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 957 | #Submitted by Jonathan Miner
|
| | # Yahoo Briefcase file upload: an outbound request containing the string "briefcase.yahoo.com" (location not pinned; presumably the Host header — TODO confirm) whose URI contains "/process_bcmultipart_form" (case-insensitive). Useful for spotting data leaving via personal web storage.
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 958 | alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Yahoo Briefcase Upload"; flow: to_server,established; content:"briefcase.yahoo.com"; uricontent:"/process_bcmultipart_form"; nocase; classtype: policy-violation; sid: 2001044; rev:3; )
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 959 |
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 960 | #Submitted by Matt Jonkman
|
| | # Gmail inbox listing: URI "/gmail?view=tl&search=inbox&start=" (case-insensitive). NOTE(review): this and the two Gmail rules that follow inspect payload on $HTTP_PORTS only, so they see cleartext HTTP sessions and cannot match the same requests inside TLS.
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 961 | alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE POLICY Gmail Inbox Access"; flow: to_server,established; uricontent:"/gmail?view=tl&search=inbox&start="; nocase; classtype: policy-violation; sid: 2001424; rev:4; )
|
| | # Gmail attachment upload: a multipart form-data POST carrying both a "msgbody" field and a "file0" part with a filename. Both content matches are case-insensitive; the backslashes escape ':' ';' and '"' for the Snort rule parser.
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 962 | alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE POLICY Gmail File Send"; flow: to_server,established; content:"Content-Disposition\: form-data\; name=\"msgbody\""; nocase; content:"name=\"form-data\; file0\"\; filename=\""; nocase; classtype: policy-violation; sid: 2001425; rev:5; )
|
| | # Gmail message send: a multipart form-data POST containing both a "to" field and a "msgbody" field (case-insensitive). Note this also fires on the attachment case covered by sid 2001425, since that request carries a msgbody field too.
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 963 | alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE POLICY Gmail Message Send"; flow: to_server,established; content:"Content-Disposition\: form-data\; name=\"to\""; nocase; content:"Content-Disposition\: form-data\; name=\"msgbody\""; nocase; classtype: policy-violation; sid: 2001426; rev:4; )
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 964 |
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 965 | #By Robert Grabowsky
|
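| | # WebshotsNetClient user agent over HTTP. The rule only evaluates its pcre once the http.UserAgent flowbit is set; that flowbit is set by a rule not shown in this file section, so if that rule is missing or disabled this one never fires. Direction operator restored to "->" (was split as "- >").
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 966 | alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE POLICY WebshotsNetClient"; flow: to_server,established; flowbits:isset,http.UserAgent; pcre:"/User-Agent\:[^\n]+WebshotsNetClient/i"; reference:url,www.webshots.com; classtype:policy-violation; sid:2002407; rev:1;)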
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 967 |
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 968 | #Submitted by Joel Esler
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 969 | #alert tcp any any -> any any (msg: "BLEEDING-EDGE ZIPPED DOC in transit"; flow: established; content:"|50 4B 03 04|"; content:"|00|"; content:".doc"; nocase; classtype: not-suspicious; sid: 2001402; rev:3; )
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 970 | #alert tcp any any -> any any (msg: "BLEEDING-EDGE ZIPPED XLS in transit"; flow: established; content:"|50 4B 03 04|"; content:"|00|"; content:".xls"; nocase; classtype: not-suspicious; sid: 2001403; rev:3; )
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 971 | #alert tcp any any -> any any (msg: "BLEEDING-EDGE ZIPPED EXE in transit"; flow: established; content:"|50 4B 03 04|"; content:"|00|"; content:".exe"; nocase; classtype: not-suspicious; sid: 2001404; rev:3; )
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 972 | #alert tcp any any -> any any (msg: "BLEEDING-EDGE ZIPPED PPT in transit"; flow: established; content:"|50 4B 03 04|"; content:"|00|"; content:".ppt"; nocase; classtype: not-suspicious; sid: 2001405; rev:3; )
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 973 | #From David Glosser
|
| | # Hidden executable extension inside a zip: the hex content is "  .cplPK", i.e. an entry filename ending in two spaces plus ".cpl" immediately followed by a "PK" zip signature, so the padding hides the real extension from a casual listing. Bidirectional (<>). The "tagged" flowbit guard plus tag: host,1,packets,src logs one additional packet from the source per session instead of re-tagging on every match.
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 974 | alert tcp $EXTERNAL_NET any <> $HOME_NET any (msg: "BLEEDING-EDGE Possible hidden zip extension .cpl"; flowbits: isnotset,tagged; content:"|20 20 2E 63 70 6C 50 4B|"; nocase; tag: host,1,packets,src; flowbits:set,tagged; classtype: suspicious-filename-detect; sid: 2001406; rev:5; )
|
| | # Same detection as sid 2001406 for ".pif": hex content is "  .pifPK" (space-padded filename directly followed by a PK signature).
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 975 | alert tcp $EXTERNAL_NET any <> $HOME_NET any (msg: "BLEEDING-EDGE Possible hidden zip extension .pif"; flowbits:isnotset,tagged; content:"|20 20 2E 70 69 66 50 4B|"; nocase; tag: host,1,packets,src; flowbits:set,tagged; classtype: suspicious-filename-detect; sid: 2001407; rev:5; )
|
| | # Same detection as sid 2001406 for ".scr": hex content is "  .scrPK" (space-padded filename directly followed by a PK signature).
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 976 | alert tcp $EXTERNAL_NET any <> $HOME_NET any (msg: "BLEEDING-EDGE Possible hidden zip extension .scr"; flowbits:isnotset,tagged; content:"|20 20 2E 73 63 72 50 4B|"; nocase; tag: host,1,packets,src; flowbits:set,tagged; classtype: suspicious-filename-detect; sid: 2001408; rev:5; )
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-policy.rules : 977 |
|