
Commit b77dbc2

authored
Add files via upload
1 parent 194bc99 commit b77dbc2

4 files changed

+67
-0
lines changed
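--- a/ELITEWOLF_SNORT_AllenBradley_RockwellAutomation.txt
+++ b/ELITEWOLF_SNORT_AllenBradley_RockwellAutomation.txt
@@ -0,0 +1,14 @@
+alert tcp any 80 -> any any (msg: "ELITEWOLF Allen-Bradley/Rockwell Automation URL Path Activity-TCP REQUEST"; content:"/rokform/advancedDiags?pageReq=tcp"; sid:1; rev:1;)
+alert tcp any 80 -> any any (msg: "ELITEWOLF Allen-Bradley/Rockwell Automation URL Path Activity-SYSTEM DATA DETAIL"; content:"/rokform/SysDataDetail?name="; sid:1; rev:1;)
+alert tcp any 80 -> any any (msg: "ELITEWOLF Allen-Bradley/Rockwell Automation URL Path Activity-UDP TABLE"; content:"/rokform/advancedDiags?pageReq=udptable"; sid:1; rev:1;)
+alert tcp any 80 -> any any (msg: "ELITEWOLF Allen-Bradley/Rockwell Automation URL Path Activity-TCP CONNECT"; content:"rokform/advancedDiags?pageReq=tcpconn"; sid:1; rev:1;)
+alert tcp any 80 -> any any (msg: "ELITEWOLF Allen-Bradley/Rockwell Automation URL Path Activity-IP ROUTE"; content:"/rokform/advancedDiags?pageReq=iproute"; sid:1; rev:1;)
+alert tcp any 80 -> any any (msg: "ELITEWOLF Allen-Bradley/Rockwell Automation URL Path Activity-GENERAL MEMORY"; content:"/rokform/advancedDiags?pageReq=genmem"; sid:1; rev:1;)
+alert tcp any 80 -> any any (msg: "ELITEWOLF Allen-Bradley/Rockwell Automation URL Path Activity-HEAP REQUEST"; content:"/rokform/advancedDiags?pageReq=heap"; sid:1; rev:1;)
+alert tcp any 80 -> any any (msg: "ELITEWOLF Allen-Bradley/Rockwell Automation URL Path Activity-ICMP REQUEST"; content:"/rokform/advancedDiags?pageReq=icmp"; sid:1; rev:1;)
+alert tcp any 80 -> any any (msg: "ELITEWOLF Allen-Bradley/Rockwell Automation URL Path Activity-ARP REQUEST"; content:"/rokform/advancedDiags?pageReq=arp"; sid:1; rev:1;)
+alert tcp any 80 -> any any (msg: "ELITEWOLF Allen-Bradley/Rockwell Automation URL Path Activity-UDP REQUEST"; content:"/rokform/advancedDiags?pageReq=udp"; sid:1; rev:1;)
+alert tcp any 80 -> any any (msg: "ELITEWOLF Allen-Bradley/Rockwell Automation URL Path Activity-IF REQUEST"; content:"/rokform/advancedDiags?pageReq=if"; sid:1; rev:1;)
+alert tcp any 80 -> any any (msg: "ELITEWOLF Allen-Bradley/Rockwell Automation URL Path Activity-IP REQUEST"; content:"/rokform/advancedDiags?pageReq=ip"; sid:1; rev:1;)
+alert tcp any 80 -> any any (msg: "ELITEWOLF Allen-Bradley/Rockwell Automation URL Path Activity-CSS Path"; content:"/css/radevice.css"; sid:1; rev:1;)
+alert tcp any 80 -> any any (msg: "ELITEWOLF Allen-Bradley/Rockwell Automation URL Path Activity-SYSTEM LIST DATA"; content:"/rokform/SysListDetail?name=";sid:1;rev:1;)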
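Review bot: Every rule in this file is `sid:1; rev:1;`, and the same SID is reused throughout ELITEWOLF_SNORT_SchweitzerEngineeringLaboratories.txt and ELITEWOLF_SNORT_Siemens.txt in this commit, so Snort will reject the set on load (duplicate SIDs are a fatal parse error) and SID 1 sits in the range reserved for vendor-shipped rules; give each rule a unique SID in the local range, e.g. `sid:1000001; rev:1;` for the first rule and counting up across all three files. Several patterns are also prefixes of others — `pageReq=tcp` (line 1) matches every `pageReq=tcpconn` request (line 4), `pageReq=udp` (line 10) matches `pageReq=udptable` (line 3), and `pageReq=ip` (line 12) matches `pageReq=iproute` (line 5) — so one request raises two alerts; anchoring the shorter patterns to what follows them (the delimiter, or `isdataat:!1,relative;`) keeps them distinct. Line 4 drops the leading `/` that every other path carries, which still matches but reads as a typo. All rules are written `any 80 -> any any`, i.e. they inspect the server's response stream; if the intent is to alert on the client's request for these diagnostic pages, the direction appears inverted and is worth confirming against a capture before deployment.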

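--- a/ELITEWOLF_SNORT_README.txt
+++ b/ELITEWOLF_SNORT_README.txt
@@ -0,0 +1,11 @@
+SNORT Rules
+WARNING: These signatures/analytics aren't necessarily malicious activity. They will require follow on analysis to truly determine if this activity is malicious or not. The provided SNORT rules are alerting rules. Investigation for accuracy is required for hits. The rules have been tested, but every system can be configured differently, so ensure that the signature is triggered properly or is adjusted as needed based on the sensors and the environment.
+
+
+This page lists references to files that contain SNORT rules.
+
+ELITEWOLF SNORT Rules
+
+ELITEWOLF_SNORT_AllenBradley_RockwellAutomation.txt
+ELITEWOLF_SNORT_Siemens.txt
+ELITEWOLF_SNORT_SchweitzerEngineeringLaboratories.txt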
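--- a/ELITEWOLF_SNORT_SchweitzerEngineeringLaboratories.txt
+++ b/ELITEWOLF_SNORT_SchweitzerEngineeringLaboratories.txt
@@ -0,0 +1,37 @@
+alert tcp any 443 -> any any (msg: "ELITEWOLF SEL-3530-RTAC URL path activity - homepage"; content:"/home.sel"; sid:1; rev:1;)
+alert tcp any 443 -> any any (msg: "ELITEWOLF SEL-3530-RTAC URL path activity - LoginError"; content:"/errors/err401.sel?username="; sid:1; rev:1;)
+alert tcp any 443 -> any any (msg: "ELITEWOLF SEL-3530-RTAC URL path activity - default.sel page"; content:"/default.sel"; sid:1; rev:1;)
+alert tcp any 1024 -> any any (msg: "ELITEWOLF SEL-3530-RTAC Possible SSH Login Activity"; content:"SSH-2.0-dropbear_2016.74"; sid:1; rev:1;)
+alert tcp any 5432 -> any any (msg: "ELITEWOLF SEL-3530-RTAC Possible AcSELerator Firmware Activity"; content:"SEL-3530 RTAC"; sid:1; rev:1;)
+
+alert tcp any 443 -> any any (msg:"ELITEWOLF_SEL-3620 X509 certificate activity"; content: "http://www.sel-secure.com"; sid:1; rev:1;)
+alert tcp any 443 -> any any (msg:"ELITEWOLF_SEL-3620 X509 certificate activity"; content: "commonname=http://www.sel-secure.com"; sid:1; rev:1;)
+alert tcp any 443 -> any any (msg:"ELITEWOLF_SEL-3620 X509 certificate activity"; content: "issuer_CN: http://www.sel-secure.com"; sid:1; rev:1;)
+
+alert tcp any 443 -> any any (msg:"ELITEWOLF_SEL-2488 URL path activity"; content: "/scripts/dScripts.sel"; sid:1; rev:1;)
+alert tcp any 443 -> any any (msg:"ELITEWOLF_SEL-2488 URL path activity"; content: "/css/sel.css?vid="; sid:1; rev:1;)
+alert tcp any 443 -> any any (msg:"ELITEWOLF_SEL-2488 X509 certificate activity"; content: "commonName=http://www.selinc.com/EthernetCommunications/"; sid:1; rev:1;)
+alert tcp any 443 -> any any (msg:"ELITEWOLF_SEL-2488 X509 certificate activity"; content: "issuer_CN: http://www.selinc.com/EthernetCommunications/"; sid:1; rev:1;)
+
+alert tcp any 23 -> any any (msg:"ELITEWOLF SEL Telnet Activity"; pcre:"/SEL-[0-9]{3,4}/"; sid:1; rev:1;)
+alert tcp any 23 -> any any (msg:"ELITEWOLF SEL Access Level 1 Change"; content: "Level 1"; sid:1; rev:1;)
+alert tcp any 23 -> any any (msg:"ELITEWOLF SEL Access Level 2 Change"; content: "Level 2"; sid:1; rev:1;)
+alert tcp any 23 -> any any (msg:"ELITEWOLF SEL 2032 Processor"; content:"COMMUNICATIONS PROCESSOR-S/N"; sid:1; rev:1;)
+alert tcp any 23 -> any any (msg:"ELITEWOLF SEL Callibration Access Level Login Success"; content:"Calibration Access Established"; sid:1; rev:1;)
+
+alert tcp any any -> any 21 (msg: "ELITEWOLF SEL FTP Activity - Access Change"; content: "USER 2AC"; sid:1; rev:1;)
+alert tcp any any -> any 21 (msg: "ELITEWOLF SEL FTP Activity - Change working directory 2701"; content: "CWD SEL-2701"; sid:1; rev:1;)
+alert tcp any any -> any 21 (msg: "ELITEWOLF SEL FTP Activity - Change working directory 2701"; content: "CWD /SEL-2701"; sid:1; rev:1;)
+alert tcp any 21 -> any any (msg: "ELITEWOLF SEL FTP Activity - Current directory"; content: "/SEL-2701"; sid:1; rev:1;)
+alert tcp any any -> any 21 (msg: "ELITEWOLF SEL FTP Activity - RETR DNPMAP.TXT file"; content: "RETR DNPMAP.TXT"; sid:1; rev:1;)
+alert tcp any any -> any 21 (msg: "ELITEWOLF SEL FTP Activity - STOR SET_DNP1.TXT file"; content: "STOR SET_DNP1.TXT"; sid:1; rev:1;)
+alert tcp any any -> any 21 (msg: "ELITEWOLF SEL FTP Activity - potential file change"; content:"STOR SET_"; pcre:"/STOR SET_[0-9A-Z]{1,4}.TXT/"; sid:1; rev:1;)
+alert tcp any any -> any 21 (msg: "ELITEWOLF SEL FTP Activity - Access Change ACC"; content: "USER ACC"; sid:1; rev:1;)
+alert tcp any any -> any 21 (msg: "ELITEWOLF SEL FTP Activity - Password Login otter"; content: "PASS otter"; sid:1; rev:1;)
+alert tcp any any -> any 21 (msg: "ELITEWOLF SEL FTP Activity - STOR DNPMAP.TXT file"; content: "STOR DNPMAP.TXT"; sid:1; rev:1;)
+alert tcp any any -> any 21 (msg: "ELITEWOLF SEL FTP Activity - RETR ERR.TXT file"; content: "RETR ERR.TXT"; sid:1; rev:1;)
+alert tcp any any -> any 21 (msg: "ELITEWOLF SEL FTP Activity - RETR SET_DNP1.TXT file 2701"; content: "RETR SET_DNP1.TXT"; sid:1; rev:1;)
+alert tcp any any -> any 21 (msg: "ELITEWOLF SEL FTP Activity - File Retrieval"; content:"RETR SET_"; pcre:"/RETR SET_[0-9A-Z]{1,4}/"; sid:1; rev:1;)
+alert tcp any any -> any 21 (msg: "ELITEWOLF SEL FTP Activity - Default Username"; content:"USER FTPUSER"; sid:1; rev:1;)
+alert tcp any any -> any 21 (msg: "ELITEWOLF SEL FTP Activity - Default Password"; content:"PASS TAIL"; sid:1; rev:1;)
+alert tcp any 21 -> any any (msg: "ELITEWOLF SEL-751A FTP SERVER"; content:"SEL-751A"; sid:1; rev:1;)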
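Review bot: The certificate rules on lines 8–9 and 13–14 match `commonname=…` / `commonName=…` and `issuer_CN: …`, which are the way a parser renders certificate fields rather than bytes present in the DER-encoded certificate sent during the TLS handshake (the wire carries the CN value, not a `commonName=` or `issuer_CN: ` prefix), so on raw traffic these four rules are unlikely to fire while the bare-value rule on line 7 (`http://www.sel-secure.com`) can; confirm against a capture and drop or rewrite the prefixed variants. Line 8 also spells the field `commonname=` where line 13 uses `commonName=`, and Snort content matches are case-sensitive unless `nocase;` is given, so at most one spelling can be right. Lines 7–9, 11–12 and 13–14 each share identical `msg` text, so when one fires the analyst cannot tell which pattern matched; a distinct suffix per rule, e.g. `msg:"ELITEWOLF_SEL-3620 X509 certificate activity - issuer CN";`, fixes that. The Telnet rules on lines 17–18 match the bare strings `Level 1` / `Level 2` anywhere in port-23 server output, which will hit unrelated banners and menus; tightening them to the SEL prompt text that surrounds an access-level change would cut that noise.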

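--- a/ELITEWOLF_SNORT_Siemens.txt
+++ b/ELITEWOLF_SNORT_Siemens.txt
@@ -0,0 +1,5 @@
+alert tcp any 80 -> any any (msg: "ELITEWOLF S7-1200 Possible Siemens Web Activity"; content:"/CSS/S7Web.css"; sid:1; rev:1;)
+alert tcp any 80 -> any any (msg: "ELITEWOLF S7-1200 Possible Siemens Web Activity"; content:"/Images/CPU1200/"; sid:1; rev:1;)
+alert tcp any 443 -> any any (msg: "ELITEWOLF S7-1200 Possible Siemens X509 certificate activity"; content:"S7-1200 Controller Family"; sid:1; rev:1;)
+alert tcp any 443 -> any any (msg: "ELITEWOLF S7-1200 Possible Siemens X509 certificate activity"; content:"commonName=S7-1200 Controller Family"; sid:1; rev:1;)
+alert tcp any 443 -> any any (msg: "ELITEWOLF S7-1200 Possible Siemens X509 certificate activity"; content:"issuer_CN: S7-1200 Controller Family"; sid:1; rev:1;)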
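Review bot: The three certificate rules (lines 3–5) carry the same `msg`, and the bare `S7-1200 Controller Family` on line 3 is a substring of the patterns on lines 4 and 5, so any handshake that matches line 4 or 5 also fires line 3 and the analyst receives indistinguishable duplicate alerts; either keep only line 3 or give each rule its own suffix, e.g. `msg: "ELITEWOLF S7-1200 Possible Siemens X509 certificate activity - commonName";`. As in the SEL file, `commonName=` and `issuer_CN: ` are renderings of parsed certificate fields rather than bytes present in the DER certificate on the wire, so lines 4–5 are unlikely to match raw TLS traffic at all — worth confirming against a capture. Lines 1–2 are written `any 80 -> any any` and so inspect the server's response stream; if the goal is to catch the client requesting `/CSS/S7Web.css` or `/Images/CPU1200/`, the direction looks inverted.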
