-
Notifications
You must be signed in to change notification settings - Fork 28
/
Copy pathcisco-ios.rules
153 lines (128 loc) · 29.1 KB
/
cisco-ios.rules
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
# Sagan cisco-ios.rules
# Copyright (c) 2009-2023. Quadrant Information Security <www.quadrantsec.com>
# All rights reserved.
#
# Please submit any custom rules or ideas to [email protected] or the sagan-sigs mailing list
#
#*************************************************************
# Redistribution and use in source and binary forms, with or without modification, are permitted provided that the
# following conditions are met:
#
# * Redistributions of source code must retain the above copyright notice, this list of conditions and the following
# disclaimer.
# * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the
# following disclaimer in the documentation and/or other materials provided with the distribution.
# * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES,
# INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
# USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#
#*************************************************************
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] SNMP Authentication Failure [0/5]"; content: "SNMP-3-AUTHFAIL"; default_proto: udp; default_dst_port: $SNMP_PORT; classtype: attempted-recon; xbits: set,recon,track ip_src,expire 86400; xbits: set,brute_force,track ip_src,expire 86400; parse_src_ip: 1; threshold: type suppress, track by_src, count 5, seconds 300; sid: 5000051; rev:11;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] Attempted RSHELL connection"; content: "RCMD-4-RSHPORTATTEMPT"; default_proto: tcp; default_dst_port: 514; classtype: unsuccessful-user; sid: 5000052; rev:4;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] Line protocol changed state up/down"; content: "LINK-3-UPDOWN"; classtype: network-event; sid: 5000053; rev:3;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] Line protocol changed state up/down"; content: "LINEPROTO-5-UPDOWN"; classtype: network-event; sid: 5000054; rev:3;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] Configuration from console"; content: "SYS-5-CONFIG_I|3a| Configured from console"; parse_src_ip: 1; classtype: configuration-change; sid: 5000055; rev:6;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] IOS configuration changed"; content: "SYS-5-CONFIG"; classtype: configuration-change; sid:5000111; rev:5;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[CISCO-IOS] Successful login from Public IP Address"; content:"SEC_LOGIN-5-LOGIN_SUCCESS"; pcre:"/Source\:\s(\d+)(?<!10)\.(\d+)(?<!192\.168)(?<!172\.(1[6-9]|2\d|3[0-1]))\.(\d+)\.(\d+)/"; parse_src_ip:1; classtype:successful-admin; sid:5000112; rev:4;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] Failed login"; content: "SEC_LOGIN-4-LOGIN_FAILED"; classtype: unsuccessful-admin; normalize; sid:5001520; rev:2;)
drop any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] Failed login - Brute Force [10/1]"; content: "SEC_LOGIN-4-LOGIN_FAILED"; classtype: brute-force; xbits: set,brute_force,track ip_src,expire 21600; after: track by_src, count 10, seconds 300; threshold: type suppress, track by_src, count 1, seconds 86400; parse_src_ip: 1; normalize; sid:5000113; rev:15;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] Fan failure - Fan not rotating [0/2]"; content: "ENVMON-3-FAN_FAILED"; classtype: hardware-event; threshold: type suppress, track by_src, count 2, seconds 300; sid:5000388; rev:5;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] Fans had a rotation error reported [0/2]"; content: "%FAN-3-FAN_FAILED"; classtype: hardware-event; threshold: type suppress, track by_src, count 5, seconds 300; sid:5001198; rev:4;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] Power Controller reports power Imax error detected"; content: "%ILPOWER-3-CONTROLLER_PORT_ERR"; threshold: type suppress, track by_src, count 1, seconds 3600; classtype: hardware-event; sid:5001199; rev:3;)
# Rules submitted by Sniffty Dugen (July 31, 2012)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] Unsupported Hardware Module"; content: "C6KPWR-SP-4-UNSUPPORTED"; classtype: hardware-event; reference: url,www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a00801b42bf.shtml#prob1ab; sid: 5001476; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] IP Packet recieved to short"; content: "EARL_L3_ASIC-SP-4-INTR_THROTTLE: Throttling"; classtype: network-event; reference: url,www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a00801b42bf.shtml#prob1abb; sid: 5001477; rev:3;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] IP Packet with probable bad checksum Dropped"; content: "EARL_L3_ASIC-SP-3-INTR_WARN"; classtype: network-event; reference: url,www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a00801b42bf.shtml#EARL; sid: 5001478; rev:2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] NetFlow addressable memory almost full"; content: "EARL_NETFLOW-SP-4-TCAM_THRLD"; classtype: hardware-event; reference: url,www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a00801b42bf.shtml#prob1a; sid: 5001479; rev:2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] IOS Keepalive Loop Detected"; content: "ETHCNTR-3-LOOP_BACK_DETECTED"; classtype: hardware-event; reference: url,www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a00801b42bf.shtml#prob1b; sid: 5001480; rev:2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] Possible IOS System Crash"; content: "loadprog: error"; classtype: hardware-event; reference: url,www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a00801b42bf.shtml#prob1bc; sid: 5001481; rev:2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] Error in Layer 3 Forwarding ASIC [0/2]"; content: "L3_ASIC-DFC3-4-ERR_INTRPT"; threshold: type suppress, track by_src, count 2, seconds 300; classtype: hardware-event; reference: url,www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a00801b42bf.shtml#ASIC; sid: 5001482; rev:3;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] MAC/IP length inconsistencies"; content: "MLS_STAT-SP-4-IP_LEN_ERR"; classtype: network-event; reference: url,www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a00801b42bf.shtml#prob1; sid: 5001483; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] Invalid IP Checksum detected"; content: "MLS_STAT-SP-4-IP_CSUM_ERR"; classtype: network-event; reference: url,www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a00801b42bf.shtml#prob2; sid: 5001484; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] Excessive Multicast Traffic to IGMP reserved address"; content: "MCAST-SP-6-ADDRESS_ALIASING_FALLBACK"; classtype: network-event; reference: url,www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a00801b42bf.shtml#prob3; sid: 5001485; rev:2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] PIM Hold Time Out of range"; content: "MROUTE-3-TWHEEL_DELAY_ERR"; classtype: network-event; reference: url,www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a00801b42bf.shtml#prob5; sid: 5001486; rev:2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] Maximum Number of L2 Multicast Group Entries Created"; content: "MCAST-SP-6-GC_LIMIT_EXCEEDED"; classtype: system-event; reference: url,www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a00801b42bf.shtml#prob6; sid: 5001487; rev:2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] Internal Table Manager Parity Error"; content: "MISTRAL-SP-3-ERROR"; classtype: hardware-event; reference: url,www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a00801b42bf.shtml#prob7; sid: 5001488; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] Short IP Packets Detected"; content: "MLS_STAT-4-IP_TOO_SHRT"; classtype: network-event; reference: url,www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a00801b42bf.shtml#prob8; sid: 5001489; rev:2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] Creating Session to module/slot failed"; content: "Processor"; content: "cannot service session requests"; classtype: hardware-event; reference: url,www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a00801b42bf.shtml#Processor; sid: 5001490; rev:2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] Module Firmware error detected"; content: "PM_SCP-1-LCP_FW_ERR"; classtype: hardware-event; reference: url,www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a00801b42bf.shtml#prob9; sid: 5001491; rev:2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] Module Error Condition"; content: "PM_SCP-2-LCP_FW_ERR_INFORM"; classtype: hardware-event; reference: url,www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a00801b42bf.shtml#prob-error; sid: 5001492; rev:2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] Switch Port Error Detected [0/3]"; content: "PM_SCP-SP-2-LCP_FW_ERR_INFORM"; threshold: type suppress, track by_src, count 3, seconds 300; classtype: hardware-event; reference: url,www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a00801b42bf.shtml#mod-issue; sid: 5001493; rev:3;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] Unsupported SFP GBIC Detected"; content: "PM_SCP-SP-3-TRANSCEIVER_BAD_EEPROM"; classtype: hardware-event; reference: url,www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a00801b42bf.shtml#badkey; sid: 5001494; rev:2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] TCAM Resource Exhaustion Detected"; content: "QM-4-TCAM_ENTRY"; classtype: hardware-event; reference: url,www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a00801b42bf.shtml#TCAM; sid: 5001495; rev:2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] Supervisor Engine Parity Errors [0/3]"; content: "SYSTEM_CONTROLLER-SP-3-ERROR"; threshold: type suppress, track by_src, count 3, seconds 300; classtype: hardware-event; reference: url,www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a00801b42bf.shtml#tmparity; sid: 5001496; rev:3;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] Memory Parity Error [0/3]"; content: "SYSTEM_CONTROLLER-SW2_SPSTBY-3-ERROR"; threshold: type suppress, track by_src, count 3, seconds 300; classtype: hardware-event; reference: url,www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a00801b42bf.shtml#prob-controller; sid: 5001497; rev:3;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] Linecard Endpoint Lost Sync"; content: "SP: Linecard endpoint of Channel 14 lost Sync"; classtype: hardware-event; reference: url,www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a00801b42bf.shtml#sp141; sid: 5001498; rev:2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] Misconfigured Boot Variables"; content: "SYSTEM-1-INITFAIL: Network boot is not supported"; classtype: hardware-event; reference: url,www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a00801b42bf.shtml#nwboot; sid: 5001499; rev:2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] CPU Monitor Message Time Outs [0/3]"; content: "CPU_MONITOR-3-TIMED_OUT"; threshold: type suppress, track by_src, count 3, seconds 300; classtype: hardware-event; reference: url,www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a00801b42bf.shtml#monitor; sid: 5001500; rev:3;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] CPU Monitor Message Not Heard [0/3]"; content: "CPU_MONITOR-6-NOT_HEARD"; threshold: type suppress, track by_src, count 3, seconds 300; classtype: hardware-event; reference: url,www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a00801b42bf.shtml#monitor; sid: 5001501; rev:3;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] Invalid IDPROM Image"; content: "Invalid IDPROM image for"; classtype: hardware-event; reference: url,www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a00801b42bf.shtml#idprom; sid: 5001502; rev:2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] Switch Module Powered Off"; content: "C6KPWR-4-DISABLED"; classtype: hardware-event; reference: url,www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a00801b42bf.shtml#pwrdis; sid: 5001503; rev:2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] ASIC Failed to Synchronize"; content: "ONLINE-SP-6-INITFAIL"; classtype: hardware-event; reference: url,www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a00801b42bf.shtml#onlinefail; sid: 5001504; rev:2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] Flow Mask Request Failed"; content: "FM_EARL7-4-FLOW_FEAT_FLOWMASK_REQ_FAIL"; classtype: hardware-event; reference: url,www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a00801b42bf.shtml#flowmask; sid: 5001505; rev:2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] IGMP join packet Flood"; content: "MCAST-2-IGMP_SNOOP_DISABLE"; classtype: network-event; reference: url,www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a00801b42bf.shtml#igmpsnoop; sid: 5001506; rev:2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] ASIC/Pinnacle Unrecoverable resources"; content: "C6KERRDETECT-2-FIFOCRITLEVEL"; classtype: hardware-event; reference: url,www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a00801b42bf.shtml#dr; sid: 5001507; rev:2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] Switching Bus Stalled"; content: "C6KERRDETECT-SP-4-SWBUSSTALL"; classtype: hardware-event; reference: url,www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a00801b42bf.shtml#prob-3sec; sid: 5001508; rev:2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] Switching Bus Recovered"; content: "C6KERRDETECT-SP-4-SWBUSSTALL_RECOVERED"; classtype: hardware-event; reference: url,www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a00801b42bf.shtml#prob-3sec; sid: 5001509; rev:2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] SP-RP ping test failed, High Traffic"; content: "SP-RP Ping Test[7]"; classtype: system-event; reference: url,www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a00801b42bf.shtml#srp; sid: 5001510; rev:2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] Sub-interface Limit Reached"; content: "SW_VLAN-4-MAX_SUB_INT"; classtype: hardware-event; reference: url,www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a00801b42bf.shtml#subint; sid: 5001511; rev:2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] Hash Bucket Collision"; content: "MCAST-6-L2_HASH_BUCKET_COLLISION"; classtype: hardware-event; reference: url,www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a00801b42bf.shtml#l2hash; sid: 5001512; rev:2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] QoS Hardware Resources Exceeded"; content: "QM-4-AGG_POL_EXCEEDED"; classtype: hardware-event; reference: url,www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a00801b42bf.shtml#qm_agg; sid: 5001513; rev:2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] Port Channel MTU Mismatch"; content: "EC-SP-5-CANNOT_BUNDLE2"; content: "MTU"; classtype: hardware-event; reference: url,www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a00801b42bf.shtml#prob-bundle; sid: 5001514; rev:2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] Port Channel Flow Control Mismatch"; content: "EC-SP-5-CANNOT_BUNDLE2"; content: "flow control"; classtype: hardware-event; reference: url,www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a00801b42bf.shtml#port; sid: 5001515; rev:2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] Route entries about to reach FIB capacity"; content: "CFIB-7-CFIB_EXCEPTION"; classtype: hardware-event; reference: url,www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a00801b42bf.shtml#tcamexception; sid: 5001516; rev:2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] Switch Port Data Path Error"; content: "CONST_DIAG-SP-3-HM_PORT_ERR"; classtype: hardware-event; reference: url,www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a00801b42bf.shtml#disablingport; sid: 5001517; rev:2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] Bad CRC on ASIC Line Card"; content: "CONST_DIAG-SP-4-ERROR_COUNTER_WARNING"; classtype: hardware-event; reference: url,www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a00801b42bf.shtml#module; sid: 5001518; rev:3;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] Switch Detected Unknown Protocol"; content: "SYS-3-PORT_RX_BADCODE"; classtype: network-event; reference: url,www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a00801b42bf.shtml#badcode; sid: 5001519; rev:2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] Login Failed"; content: "SEC_LOGIN-4-LOGIN_FAILED"; classtype: unsuccessful-user; parse_src_ip: 1; sid: 5001625; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] Login Failed - Brute Force [10/1]"; content: "SEC_LOGIN-4-LOGIN_FAILED"; xbits: set,brute_force,track ip_src,expire 21600; after: track by_src, count 10, seconds 300; threshold: type suppress, track by_src, count 1, seconds 86400; classtype: brute-force; parse_src_ip: 1; sid: 5001686; rev:11;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] High CPU usage detected"; content: "HIGH CPU DETECTED"; threshold: type suppress, track by_src, count 1, seconds 3600; classtype: system-event; sid: 5001626; rev:3;)
# %AUTHPRIV-3-SYSTEM_MSG: pam_aaa:Authentication failed for user cisco from 10.10.10.10 - sshd[27924]
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] Authentication Failure SSH"; content: "%AUTHPRIV-3-SYSTEM_MSG|3a|"; content: "sshd["; default_proto: tcp; default_dst_port: $SSH_PORT; classtype: unsuccessful-admin; sid: 5001668; rev:4;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] Authentication Failure SSH - Brute force [5/5]"; content: "%DAEMON-3-SYSTEM_MSG|3a|"; content:"Authentication failure for"; content: !"illegal"; content: "sshd["; parse_src_ip:1; xbits: set,brute_force,track ip_src,expire 21600; default_proto: tcp; default_dst_port: $SSH_PORT; classtype: brute-force; after: track by_src, count 5, seconds 300; threshold: type suppress, track by_src, count 5, seconds 300; sid: 5001670; rev:12;)
# %DAEMON-3-SYSTEM_MSG: error: PAM: Authentication failure for illegal user cisco from 10.10.10.10 - sshd[27926]
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] Illegal User SSH"; content: "%DAEMON-3-SYSTEM_MSG|3a|"; content: "Authentication failure for illegal user"; content: "sshd["; parse_src_ip: 1; default_proto: tcp; default_dst_port: $SSH_PORT; classtype: unsuccessful-admin; sid: 5001669; rev:7;)
# %USER-3-SYSTEM_MSG: FATAL: bad tty - login (no program)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] FATAL - bad tty - login (no program)"; content: "%USER-3-SYSTEM_MSG|3a|"; content: "FATAL: bad tty"; content: "no program"; classtype: system-event; sid: 5001671; rev:5;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] Auth to privilege 15 failed"; content: "%SYS-5-PRIV_AUTH_FAIL"; parse_src_ip: 1; classtype: unsuccessful-admin; sid: 5001672; rev:3;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] Multicast storm detected"; content: "%STORM_CONTROL-3-FILTERED"; classtype: network-event; sid: 5001673; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] Invalid ARP"; content: "%SW_DAI-4-INVALID_ARP"; classtype: network-event; sid: 5001674; rev:2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] Low FAN RPM - Service recommended"; content: "%ENVMON-4-FAN_LOW_RPM"; classtype: hardware-event; threshold: type suppress, track by_src, count 1, seconds 3600; sid: 5001688; rev:4;)
# Submitted by Robert Nunley ([email protected]) - 08/14/2013
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] EIGRP Adjacency Change - Neighbor Up"; content: "%DUAL-5-NBRCHANGE"; content: "EIGRP"; content: "is up"; classtype: system-event; parse_src_ip: 1; threshold: type suppress, track by_src, count 5, seconds 300; sid: 5001707; rev:6;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] EIGRP Adjacency Change - Neighbor Down"; content: "%DUAL-5-NBRCHANGE"; content: "EIGRP"; content: "is down"; classtype: system-event; parse_src_ip: 1; threshold: type suppress, track by_src, count 5, seconds 300; sid: 5001708; rev:6;)
# Submittied by Robert Nunley ([email protected]) - 11/18/2013
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] BGP Adjacency Change - Neighbor Up"; content: "%BGP-5-ADJCHANGE"; content: "neighbor"; content: "Up"; classtype: system-event; threshold: type suppress, track by_src, count 5, seconds 300; sid: 5001718; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] BGP Adjacency Change - Neighbor Down"; content: "%BGP-5-ADJCHANGE"; content: "neighbor"; content: "Down"; classtype: system-event; threshold: type suppress, track by_src, count 5, seconds 300; sid: 5001719; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] BGP Neighbor Removed From Topology"; content: "%BGP_SESSION-5-ADJCHANGE"; content: "neighbor"; content: "topology"; classtype: system-event; threshold: type suppress, track by_src, count 5, seconds 300; sid: 5001720; rev:2;)
# Submitted by Adam Hall ([email protected]) - 11/18.2013
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] HSRP Requesting Active State"; content: "Grp"; content: "Coup"; classtype: system-event; threshold: type suppress, track by_src, count 5, seconds 300; sid: 5001721; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] HSRP State Change"; content: "%STANDBY-6-STATECHANGE"; content: "state"; classtype: system-event; threshold: type suppress, track by_src, count 5, seconds 300; sid: 5001722; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] HSRP State Change"; content: "%HSRP-5-STATECHANGE"; content: "state"; classtype: system-event; threshold: type suppress, track by_src, count 5, seconds 300; sid: 5001723; rev:2;)
# %PARSER-5-CFGLOG_LOGGEDCMD: User:bob logged command:!exec: enable
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] Command logged"; content: "%PARSER-5-CFGLOG_LOGGEDCMD"; classtype: misc-activity; sid: 5001871; rev:2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] Enable command executed"; content: "%PARSER-5-CFGLOG_LOGGEDCMD"; content: "exec"; nocase; content: "enable"; nocase; classtype: successful-admin; sid: 5001872; rev:2;)
# Jan 22 16:03:51: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: bob] [Source: 10.10.0.1] [localport: 22] at 16:03:51 UTC Wed Jan 22 2014
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] Login Success"; content: "%PARSER-5-CFGLOG_LOGGEDCMD"; default_proto: tcp; classtype: successful-admin; parse_src_ip: 1; parse_port; sid: 5001952; rev:2;)
#Rules for CVE-2023-20198
#Added 18 October 2023 - BS
alert any $HOME_NET any -> $HOME_NET any (msg:"[CISCO-IOS] WebUI Accessed by cisco_tac_admin or cisco_support"; content:"%SYS-5-CONFIG_P|3a|"; content:"process SEP_webui_wsma_http"; meta_content:"from console as %sagan%",cisco_tac_admin,cisco_support; reference:cve,2023-20198; reference:url,www.cisco.com/c/en/us/support/docs/csa/cisco-sa-iosxe-webui-privesc-j22SaA4z.html; reference:url,blog.talosintelligence.com/active-exploitation-of-cisco-ios-xe-software/; classtype:targeted-activity; sid:5013940; rev:1; metadata:deployment Server,affected_product cisco_ios_xe,affected_version all,mitigation www.cisco.com/c/en/us/support/docs/csa/cisco-sa-iosxe-webui-privesc-j22SaA4z.html,deprecation_reason NONE,tag cve, created_at 2023_10_17, updated_at 2023_10_17, mitre_tactic_id TA0004, mitre_technique_id T1068;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[CISCO-IOS] WebUI Accessed by any user"; content:"%SYS-5-CONFIG_P|3a|"; content:"process SEP_webui_wsma_http"; reference:cve,2023-20198; reference:url,www.cisco.com/c/en/us/support/docs/csa/cisco-sa-iosxe-webui-privesc-j22SaA4z.html; reference:url,blog.talosintelligence.com/active-exploitation-of-cisco-ios-xe-software/; classtype:targeted-activity; sid:5013941; rev:1; metadata:deployment Server,affected_product cisco_ios_xe,affected_version all,mitigation www.cisco.com/c/en/us/support/docs/csa/cisco-sa-iosxe-webui-privesc-j22SaA4z.html,deprecation_reason NONE,tag cve, created_at 2023_10_17, updated_at 2023_10_17, mitre_tactic_id TA0004, mitre_technique_id T1068;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[CISCO-IOS] Web Login Successful - Public IP Address"; content:"%SEC_LOGIN-5-WEBLOGIN_SUCCESS|3a|"; content:"Source|3a|"; pcre:"/Source\:\s(\d+)(?<!10)\.(\d+)(?<!192\.168)(?<!172\.(1[6-9]|2\d|3[0-1]))\.(\d+)\.(\d+)/"; reference:cve,2023-20198; reference:url,www.cisco.com/c/en/us/support/docs/csa/cisco-sa-iosxe-webui-privesc-j22SaA4z.html; reference:url,blog.talosintelligence.com/active-exploitation-of-cisco-ios-xe-software/; classtype:targeted-activity; sid:5013942; rev:1; metadata:deployment Server,affected_product cisco_ios_xe,affected_version all,mitigation www.cisco.com/c/en/us/support/docs/csa/cisco-sa-iosxe-webui-privesc-j22SaA4z.html,deprecation_reason NONE,tag cve, created_at 2023_10_17, updated_at 2023_10_17, mitre_tactic_id TA0004, mitre_technique_id T1068;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[CISCO-IOS] File Added via Web User Interface"; content:"%WEBUI-6-INSTALL_OPERATION_INFO|3a|"; content:"Install Operation|3a| ADD"; reference:cve,2023-20198; reference:url,www.cisco.com/c/en/us/support/docs/csa/cisco-sa-iosxe-webui-privesc-j22SaA4z.html; reference:url,blog.talosintelligence.com/active-exploitation-of-cisco-ios-xe-software/; classtype:targeted-activity; sid:5013943; rev:1; metadata:deployment Server,affected_product cisco_ios_xe,affected_version all,mitigation www.cisco.com/c/en/us/support/docs/csa/cisco-sa-iosxe-webui-privesc-j22SaA4z.html,deprecation_reason NONE,tag cve, created_at 2023_10_17, updated_at 2023_10_17, mitre_tactic_id TA0004, mitre_technique_id T1068;)
#=================================================================
#The below rules are not necessarily Cisco related
#Put in place on 3/5/2025 and initially disabled intentionally - Charles Goggins
#alert any any any -> any any (msg: "[SWITCH-HARDWARE] Faulty System Fan(s) Detected"; content: "faulty system fan|28|s|29|) in the system"; json_map: "src_ip",".xff"; threshold: type suppress, track by_src, count 1, seconds 10800; classtype: hardware-event; sid:5015346; rev:1;)
#alert any any any -> any any (msg: "[SWITCH-HARDWARE] System Shutting Down - Faulty System Fans"; content: "System shutting down in"; content: "seconds because"; content: "faulty system fan|28|s|29| exceeds limit"; json_map: "src_ip", ".xff"; threshold: type suppress, track by_src, count 1, seconds 3600; classtype: hardware-event; sid:5015347; rev:2;)
#alert any any any -> any any (msg: "[SWITCH-HARDWARE] System Shutting Down - CatchAll"; content: "System shutting down in"; content: "seconds because"; content: !"faulty system fan|28|s|29| exceeds limit"; json_map: "src_ip", ".xff"; threshold: type suppress, track by_src, count 1, seconds 3600; classtype: hardware-event; sid:5015348; rev:1;)
#alert any any any -> any any (msg: "[SWITCH-HARDWARE] Chassis Fan Failure Event - Total Failure"; pcre:"/chassis: Fan failure: Fan: \d Failures: (\d)+/"; json_map: "src_ip", ".xff"; threshold: type suppress, track by_src, count 5, seconds 3600; classtype: hardware-event; sid:5015349; rev:1;)
#alert any any any -> any any (msg: "[SWITCH-HARDWARE] Chassis Fan Failure Event - Partial Failure"; pcre: "/chassis: Fan OK: Fan: \d Failures: (\d)+/"; json_map: "src_ip", ".xff"; threshold: type suppress, track by_src, count 5, seconds 3600; classtype: hardware-event; sid:5015350; rev:1;)
#==================================================================