# Sagan aws-appconfig.rules
# Copyright (c) 2009-2023. Quadrant Information Security <www.quadrantsec.com>
# All rights reserved.
#
# Please submit any custom rules or ideas to [email protected] or the sagan-sigs mailing list
#
#*************************************************************
# Redistribution and use in source and binary forms, with or without modification, are permitted provided that the
# following conditions are met:
#
# * Redistributions of source code must retain the above copyright notice, this list of conditions and the following
# disclaimer.
# * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the
# following disclaimer in the documentation and/or other materials provided with the distribution.
# * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES,
# INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
# USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#
#*************************************************************
# rules by "Bryant Smith" <[email protected]>
# 03/27/2023
# Reviewer notes for this rule set:
# - Every rule in this file is commented out; a rule is enabled by removing its leading '#'.
# - Each rule keys on program "appconfig.amazonaws.com" and on a literal content string of the form
#   eventName": "<ApiName>  (the hex bytes |22 3a 20 22| are quote, colon, space, quote).
# - NOTE(review): the match requires a space after the colon. If the log shipper emits compact JSON
#   ("eventName":"...") these rules would never fire - confirm against a sample event before relying on them.
# - NOTE(review): the content strings have no closing quote, so a name that is a prefix of another also matches
#   the longer event: GetConfiguration/GetConfigurationProfile, GetDeployment/GetDeploymentStrategy, and
#   Create/Delete/Get/UpdateExtension versus the matching ...ExtensionAssociation. Ending the content with |22|
#   would anchor the name.
# - All rules use classtype system-event. When enabling a subset, the mutating calls (Create*, Delete*, Update*,
#   StartDeployment, StopDeployment) are the ones that change deployed configuration; Get*/List* are read-only.
#alert any $HOME_NET any -> $HOME_NET any (msg:"[AWS-APPCONFIG] AppConfig event detected (CreateApplication) "; program:appconfig.amazonaws.com; content:"eventName|22 3a 20 22|CreateApplication"; classtype:system-event; reference:url,docs.aws.amazon.com/appconfig/2019-10-09/APIReference/Welcome.html; sid:5011547; rev:1;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[AWS-APPCONFIG] AppConfig event detected (CreateConfigurationProfile) "; program:appconfig.amazonaws.com; content:"eventName|22 3a 20 22|CreateConfigurationProfile"; classtype:system-event; reference:url,docs.aws.amazon.com/appconfig/2019-10-09/APIReference/Welcome.html; sid:5011548; rev:1;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[AWS-APPCONFIG] AppConfig event detected (CreateDeploymentStrategy) "; program:appconfig.amazonaws.com; content:"eventName|22 3a 20 22|CreateDeploymentStrategy"; classtype:system-event; reference:url,docs.aws.amazon.com/appconfig/2019-10-09/APIReference/Welcome.html; sid:5011549; rev:1;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[AWS-APPCONFIG] AppConfig event detected (CreateEnvironment) "; program:appconfig.amazonaws.com; content:"eventName|22 3a 20 22|CreateEnvironment"; classtype:system-event; reference:url,docs.aws.amazon.com/appconfig/2019-10-09/APIReference/Welcome.html; sid:5011550; rev:1;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[AWS-APPCONFIG] AppConfig event detected (CreateExtension) "; program:appconfig.amazonaws.com; content:"eventName|22 3a 20 22|CreateExtension"; classtype:system-event; reference:url,docs.aws.amazon.com/appconfig/2019-10-09/APIReference/Welcome.html; sid:5011551; rev:1;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[AWS-APPCONFIG] AppConfig event detected (CreateExtensionAssociation) "; program:appconfig.amazonaws.com; content:"eventName|22 3a 20 22|CreateExtensionAssociation"; classtype:system-event; reference:url,docs.aws.amazon.com/appconfig/2019-10-09/APIReference/Welcome.html; sid:5011552; rev:1;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[AWS-APPCONFIG] AppConfig event detected (CreateHostedConfigurationVersion) "; program:appconfig.amazonaws.com; content:"eventName|22 3a 20 22|CreateHostedConfigurationVersion"; classtype:system-event; reference:url,docs.aws.amazon.com/appconfig/2019-10-09/APIReference/Welcome.html; sid:5011553; rev:1;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[AWS-APPCONFIG] AppConfig event detected (DeleteApplication) "; program:appconfig.amazonaws.com; content:"eventName|22 3a 20 22|DeleteApplication"; classtype:system-event; reference:url,docs.aws.amazon.com/appconfig/2019-10-09/APIReference/Welcome.html; sid:5011554; rev:1;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[AWS-APPCONFIG] AppConfig event detected (DeleteConfigurationProfile) "; program:appconfig.amazonaws.com; content:"eventName|22 3a 20 22|DeleteConfigurationProfile"; classtype:system-event; reference:url,docs.aws.amazon.com/appconfig/2019-10-09/APIReference/Welcome.html; sid:5011555; rev:1;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[AWS-APPCONFIG] AppConfig event detected (DeleteDeploymentStrategy) "; program:appconfig.amazonaws.com; content:"eventName|22 3a 20 22|DeleteDeploymentStrategy"; classtype:system-event; reference:url,docs.aws.amazon.com/appconfig/2019-10-09/APIReference/Welcome.html; sid:5011556; rev:1;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[AWS-APPCONFIG] AppConfig event detected (DeleteEnvironment) "; program:appconfig.amazonaws.com; content:"eventName|22 3a 20 22|DeleteEnvironment"; classtype:system-event; reference:url,docs.aws.amazon.com/appconfig/2019-10-09/APIReference/Welcome.html; sid:5011557; rev:1;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[AWS-APPCONFIG] AppConfig event detected (DeleteExtension) "; program:appconfig.amazonaws.com; content:"eventName|22 3a 20 22|DeleteExtension"; classtype:system-event; reference:url,docs.aws.amazon.com/appconfig/2019-10-09/APIReference/Welcome.html; sid:5011558; rev:1;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[AWS-APPCONFIG] AppConfig event detected (DeleteExtensionAssociation) "; program:appconfig.amazonaws.com; content:"eventName|22 3a 20 22|DeleteExtensionAssociation"; classtype:system-event; reference:url,docs.aws.amazon.com/appconfig/2019-10-09/APIReference/Welcome.html; sid:5011559; rev:1;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[AWS-APPCONFIG] AppConfig event detected (DeleteHostedConfigurationVersion) "; program:appconfig.amazonaws.com; content:"eventName|22 3a 20 22|DeleteHostedConfigurationVersion"; classtype:system-event; reference:url,docs.aws.amazon.com/appconfig/2019-10-09/APIReference/Welcome.html; sid:5011560; rev:1;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[AWS-APPCONFIG] AppConfig event detected (GetApplication) "; program:appconfig.amazonaws.com; content:"eventName|22 3a 20 22|GetApplication"; classtype:system-event; reference:url,docs.aws.amazon.com/appconfig/2019-10-09/APIReference/Welcome.html; sid:5011561; rev:1;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[AWS-APPCONFIG] AppConfig event detected (GetConfiguration) "; program:appconfig.amazonaws.com; content:"eventName|22 3a 20 22|GetConfiguration"; classtype:system-event; reference:url,docs.aws.amazon.com/appconfig/2019-10-09/APIReference/Welcome.html; sid:5011562; rev:1;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[AWS-APPCONFIG] AppConfig event detected (GetConfigurationProfile) "; program:appconfig.amazonaws.com; content:"eventName|22 3a 20 22|GetConfigurationProfile"; classtype:system-event; reference:url,docs.aws.amazon.com/appconfig/2019-10-09/APIReference/Welcome.html; sid:5011563; rev:1;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[AWS-APPCONFIG] AppConfig event detected (GetDeployment) "; program:appconfig.amazonaws.com; content:"eventName|22 3a 20 22|GetDeployment"; classtype:system-event; reference:url,docs.aws.amazon.com/appconfig/2019-10-09/APIReference/Welcome.html; sid:5011564; rev:1;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[AWS-APPCONFIG] AppConfig event detected (GetDeploymentStrategy) "; program:appconfig.amazonaws.com; content:"eventName|22 3a 20 22|GetDeploymentStrategy"; classtype:system-event; reference:url,docs.aws.amazon.com/appconfig/2019-10-09/APIReference/Welcome.html; sid:5011565; rev:1;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[AWS-APPCONFIG] AppConfig event detected (GetEnvironment) "; program:appconfig.amazonaws.com; content:"eventName|22 3a 20 22|GetEnvironment"; classtype:system-event; reference:url,docs.aws.amazon.com/appconfig/2019-10-09/APIReference/Welcome.html; sid:5011566; rev:1;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[AWS-APPCONFIG] AppConfig event detected (GetExtension) "; program:appconfig.amazonaws.com; content:"eventName|22 3a 20 22|GetExtension"; classtype:system-event; reference:url,docs.aws.amazon.com/appconfig/2019-10-09/APIReference/Welcome.html; sid:5011567; rev:1;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[AWS-APPCONFIG] AppConfig event detected (GetExtensionAssociation) "; program:appconfig.amazonaws.com; content:"eventName|22 3a 20 22|GetExtensionAssociation"; classtype:system-event; reference:url,docs.aws.amazon.com/appconfig/2019-10-09/APIReference/Welcome.html; sid:5011568; rev:1;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[AWS-APPCONFIG] AppConfig event detected (GetHostedConfigurationVersion) "; program:appconfig.amazonaws.com; content:"eventName|22 3a 20 22|GetHostedConfigurationVersion"; classtype:system-event; reference:url,docs.aws.amazon.com/appconfig/2019-10-09/APIReference/Welcome.html; sid:5011569; rev:1;)
# NOTE(review): this rule carries two leading '#' characters, unlike the other rules in this file; removing a
# single '#' (for example with a bulk uncomment) leaves it disabled. Confirm whether the extra '#' is intentional.
##alert any $HOME_NET any -> $HOME_NET any (msg:"[AWS-APPCONFIG] AppConfig event detected (ListApplications) "; program:appconfig.amazonaws.com; content:"eventName|22 3a 20 22|ListApplications"; classtype:system-event; reference:url,docs.aws.amazon.com/appconfig/2019-10-09/APIReference/Welcome.html; sid:5011570; rev:1;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[AWS-APPCONFIG] AppConfig event detected (ListConfigurationProfiles) "; program:appconfig.amazonaws.com; content:"eventName|22 3a 20 22|ListConfigurationProfiles"; classtype:system-event; reference:url,docs.aws.amazon.com/appconfig/2019-10-09/APIReference/Welcome.html; sid:5011571; rev:1;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[AWS-APPCONFIG] AppConfig event detected (ListDeployments) "; program:appconfig.amazonaws.com; content:"eventName|22 3a 20 22|ListDeployments"; classtype:system-event; reference:url,docs.aws.amazon.com/appconfig/2019-10-09/APIReference/Welcome.html; sid:5011572; rev:1;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[AWS-APPCONFIG] AppConfig event detected (ListDeploymentStrategies) "; program:appconfig.amazonaws.com; content:"eventName|22 3a 20 22|ListDeploymentStrategies"; classtype:system-event; reference:url,docs.aws.amazon.com/appconfig/2019-10-09/APIReference/Welcome.html; sid:5011573; rev:1;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[AWS-APPCONFIG] AppConfig event detected (ListEnvironments) "; program:appconfig.amazonaws.com; content:"eventName|22 3a 20 22|ListEnvironments"; classtype:system-event; reference:url,docs.aws.amazon.com/appconfig/2019-10-09/APIReference/Welcome.html; sid:5011574; rev:1;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[AWS-APPCONFIG] AppConfig event detected (ListExtensionAssociations) "; program:appconfig.amazonaws.com; content:"eventName|22 3a 20 22|ListExtensionAssociations"; classtype:system-event; reference:url,docs.aws.amazon.com/appconfig/2019-10-09/APIReference/Welcome.html; sid:5011575; rev:1;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[AWS-APPCONFIG] AppConfig event detected (ListExtensions) "; program:appconfig.amazonaws.com; content:"eventName|22 3a 20 22|ListExtensions"; classtype:system-event; reference:url,docs.aws.amazon.com/appconfig/2019-10-09/APIReference/Welcome.html; sid:5011576; rev:1;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[AWS-APPCONFIG] AppConfig event detected (ListHostedConfigurationVersions) "; program:appconfig.amazonaws.com; content:"eventName|22 3a 20 22|ListHostedConfigurationVersions"; classtype:system-event; reference:url,docs.aws.amazon.com/appconfig/2019-10-09/APIReference/Welcome.html; sid:5011577; rev:1;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[AWS-APPCONFIG] AppConfig event detected (ListTagsForResource) "; program:appconfig.amazonaws.com; content:"eventName|22 3a 20 22|ListTagsForResource"; classtype:system-event; reference:url,docs.aws.amazon.com/appconfig/2019-10-09/APIReference/Welcome.html; sid:5011578; rev:1;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[AWS-APPCONFIG] AppConfig event detected (StartDeployment) "; program:appconfig.amazonaws.com; content:"eventName|22 3a 20 22|StartDeployment"; classtype:system-event; reference:url,docs.aws.amazon.com/appconfig/2019-10-09/APIReference/Welcome.html; sid:5011579; rev:1;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[AWS-APPCONFIG] AppConfig event detected (StopDeployment) "; program:appconfig.amazonaws.com; content:"eventName|22 3a 20 22|StopDeployment"; classtype:system-event; reference:url,docs.aws.amazon.com/appconfig/2019-10-09/APIReference/Welcome.html; sid:5011580; rev:1;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[AWS-APPCONFIG] AppConfig event detected (TagResource) "; program:appconfig.amazonaws.com; content:"eventName|22 3a 20 22|TagResource"; classtype:system-event; reference:url,docs.aws.amazon.com/appconfig/2019-10-09/APIReference/Welcome.html; sid:5011581; rev:1;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[AWS-APPCONFIG] AppConfig event detected (UntagResource) "; program:appconfig.amazonaws.com; content:"eventName|22 3a 20 22|UntagResource"; classtype:system-event; reference:url,docs.aws.amazon.com/appconfig/2019-10-09/APIReference/Welcome.html; sid:5011582; rev:1;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[AWS-APPCONFIG] AppConfig event detected (UpdateApplication) "; program:appconfig.amazonaws.com; content:"eventName|22 3a 20 22|UpdateApplication"; classtype:system-event; reference:url,docs.aws.amazon.com/appconfig/2019-10-09/APIReference/Welcome.html; sid:5011583; rev:1;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[AWS-APPCONFIG] AppConfig event detected (UpdateConfigurationProfile) "; program:appconfig.amazonaws.com; content:"eventName|22 3a 20 22|UpdateConfigurationProfile"; classtype:system-event; reference:url,docs.aws.amazon.com/appconfig/2019-10-09/APIReference/Welcome.html; sid:5011584; rev:1;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[AWS-APPCONFIG] AppConfig event detected (UpdateDeploymentStrategy) "; program:appconfig.amazonaws.com; content:"eventName|22 3a 20 22|UpdateDeploymentStrategy"; classtype:system-event; reference:url,docs.aws.amazon.com/appconfig/2019-10-09/APIReference/Welcome.html; sid:5011585; rev:1;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[AWS-APPCONFIG] AppConfig event detected (UpdateEnvironment) "; program:appconfig.amazonaws.com; content:"eventName|22 3a 20 22|UpdateEnvironment"; classtype:system-event; reference:url,docs.aws.amazon.com/appconfig/2019-10-09/APIReference/Welcome.html; sid:5011586; rev:1;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[AWS-APPCONFIG] AppConfig event detected (UpdateExtension) "; program:appconfig.amazonaws.com; content:"eventName|22 3a 20 22|UpdateExtension"; classtype:system-event; reference:url,docs.aws.amazon.com/appconfig/2019-10-09/APIReference/Welcome.html; sid:5011587; rev:1;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[AWS-APPCONFIG] AppConfig event detected (UpdateExtensionAssociation) "; program:appconfig.amazonaws.com; content:"eventName|22 3a 20 22|UpdateExtensionAssociation"; classtype:system-event; reference:url,docs.aws.amazon.com/appconfig/2019-10-09/APIReference/Welcome.html; sid:5011588; rev:1;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[AWS-APPCONFIG] AppConfig event detected (ValidateConfiguration) "; program:appconfig.amazonaws.com; content:"eventName|22 3a 20 22|ValidateConfiguration"; classtype:system-event; reference:url,docs.aws.amazon.com/appconfig/2019-10-09/APIReference/Welcome.html; sid:5011589; rev:1;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[AWS-APPCONFIG] AppConfig event detected (GetLatestConfiguration) "; program:appconfig.amazonaws.com; content:"eventName|22 3a 20 22|GetLatestConfiguration"; classtype:system-event; reference:url,docs.aws.amazon.com/appconfig/2019-10-09/APIReference/Welcome.html; sid:5011590; rev:1;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[AWS-APPCONFIG] AppConfig event detected (StartConfigurationSession) "; program:appconfig.amazonaws.com; content:"eventName|22 3a 20 22|StartConfigurationSession"; classtype:system-event; reference:url,docs.aws.amazon.com/appconfig/2019-10-09/APIReference/Welcome.html; sid:5011591; rev:1;)