after: track by_src, count 5, seconds: 86400;

Sagan will segfault because of the ":" after "seconds".

Create flowbits based on anything found in a log. For instance, pull a username from a log and create a flowbit named the same as the username (user bob would have a flowbit called "bob"). Idea is to be able to track the DC a user normally logs into and alert when they log into a different DC.

Can the rulebase files be bundled into an additional location besides the rules file?

http://sagan.softwink.com/rules/|sagan-rules-current.tar.gz

FYI: Created issue for pulledpork on .rulebase files

http://code.google.com/p/pulledpork/issues/detail?id=111

possible "dead lock" issue when bluedot returns an "empty response".

SID 5003939 in the latest commit has 'sid:' twice.

Current:
alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[RSA-DPM] Physical Memory status RED [Critical]"; content: "RKMA_MONITORING_EVENT"; content: "|5b|Type|3a|Physical"; content: "RED"; distance: 45; within: 25; threshold: type threshold, track by_src, count 2, seconds 300; reference: url,wiki.quadrantsec.com/bin/view/Main/5003939; sid: sid:5003939; rev:2;)

change:
alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[RSA-DPM] Physical Memory status RED [Critical]"; content: "RKMA_MONITORING_EVENT"; content: "|5b|Type|3a|Physical"; content: "RED"; distance: 45; within: 25; threshold: type threshold, track by_src, count 2, seconds 300; reference: url,wiki.quadrantsec.com/bin/view/Main/5003939; sid:5003939; rev:2;)

Could these be disabled by default?

Some normalization rules match only ipv4 addresses: e.g.

rule=: Accepted publickey for %username:word% from %src-ip:ipv4% port %src-port:number% ssh2

However, I see this message for real with IPv6 addresses, and it's not getting normalized.

Some rules are duplicated to match both ipv4 and ipv6. And some try to, but are obviously broken:

rule=: Did not receive identification string from %src-p:ipv4%
rule=: Did not receive identification string from %src-ip:ipv6%

I think a better solution is to define a user-defined type which matches both IPv4 and IPv6, and update the rules to use it.

alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] TrueCrypter Rakhni or .CryptoHasYou. - Trojan:Win32/Dynamer!ac ransomware extension detected."; pcre: "/ 4663: | 567: | 5145: /"; content:!"\encoding"; nocase; meta_content: ".%sagan% ",enc,cryptohasyou; meta_nocase; program: Security; classtype: trojan-activity; reference: url,wiki.quadrantsec.com/bin/view/Main/5002819; reference: url,docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g; reference: url,www.nyxbone.com/malware/RansomwareOverview.html; sid:5002819; rev:7;)

When starting a sagan with the rules, an error is issued:

[E] [rules.c, line 2879] Invalid threshold time 'seconds' at line 31 in /usr/local/etc/sagan-rules/honeyd.rules. Abort.

There are rules like facility: kern which should be syslog_facility: kern

(There don't seem to any which would need changing to syslog_level, syslog_tag or syslog_priority)

This is currently made moot by beave/sagan#140

No warning is generated for the bad rules: beave/sagan#141

Seems to detect
1: Process Create: RuleName: UtcTime: 2019-01-08 03:18:51.728 ProcessGuid: {872FCC10-169B-5C34-0000-001066122B00} ProcessId: 6716 Image: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.1812.3-0\MpCmdRun.exe FileVersion: 4.18.1812.3 (GitEnlistment(winpbld).181121-1313) Description: Microsoft Malware Protection Command Line Utility Product: Microsoft? Windows? Operating System Company: Microsoft Corporation CommandLine: "C:\ProgramData\Microsoft\Windows Defender\platform\4.18.1812.3-0\MpCmdRun.exe" SignatureUpdate -ScheduleJob -RestrictPrivileges -Reinvoke CurrentDirectory: C:\WINDOWS\system32\ User: NT AUTHORITY\NETWORK SERVICE LogonGuid: {872FCC10-1436-5C34-0000-0020E4030000} LogonId: 0x3E4 TerminalSessionId: 0 IntegrityLevel: System Hashes: MD5=FA121970C68FC5E586DEF0B21D5BCDAD,SHA256=AFB9BC4BDE1632B3012FBB26B989943D9E8031EF2CE903E3A5BBE1F8DB01B27D,IMPHASH=D8183AF5CC04BCC9C15AF0AB66CE6DB7 ParentProcessGuid: {872FCC10-169B-5C34-0000-00100A062B00} ParentProcessId: 4080 ParentImage: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.1812.3-0\MpCmdRun.exe ParentCommandLine: "C:\ProgramData\Microsoft\Windows Defender\platform\4.18.1812.3-0\MpCmdRun.exe" SignatureUpdate -ScheduleJob -RestrictPrivileges

What would be the best way to tighten that rule up? Maybe something like this?

alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-SYSMON] SYSMON Possible CMD detected"; content: " 1|3a| "; pcre: "/CommandLine: (.*)cmd.exe/i"; classtype: suspicious-command; program: Sysmon; reference: url,findingbad.blogspot.cz/2017/12/a-few-of-my-favorite-things-continued.html; reference: url,wiki.quadrantsec.com/bin/view/Main/5003388; reference: url,www.quadrantsec.com/about/blog/using_jack_crooks_log_analysis_concepts_with_sagan; sid:5003388; rev:1;)

I'm currently working with CentOS 6.4 and I'm having issues getting the ./configure setup to recognize the mysql libraries that I have verified are installed. I noticed in a few versions back you could specify the mysql library directory and include directory. This is no longer available in the current configure.in file. Any change on getting this added?

The website that hosts the rules:

[ ] sagan-rules-05032012..> 03-May-2012 20:25 98K
[ ] sagan-rules-current...> 03-May-2012 20:25 98K
[TXT] sagan-rules-05032012..> 03-May-2012 20:26 70

Note:

http://sagan.quadrantsec.com/rules/sagan-rules-05032012.tar.gz
http://sagan.quadrantsec.com/rules/sagan-rules-05032012.tar.gz-sha.txt

http://sagan.quadrantsec.com/rules/sagan-rules-current.tar.gz

This is breaking the pulledpork download hash verification step.

For 5003377, would you consider also excluding events with IPv4 and IPv6 link-local addresses for the Source Network Address?

alert syslog $HOME_NET any -> $EXTERNAL_NET any (msg: "[WINDOWS-MISC] System shutdown [FLOWBIT SET]"; content: " 1074|3a| "; program: System|USER32; xbits: set, reboot.windows, 60; xbits: noalert; classtype: system-event; reference: url,wiki.quadrantsec.com/bin/view/Main/5002014; sid: 5002014; rev:7;)

The rule for "1100: The event logging service has shut down" isn't recognizing the reboot.windows flowbit.