Dev2

rules/properties_all/100.USBwithMalware.xml

@@ -0,0 +1,72 @@
+<beginning>
+<!-- Property 100: USB stick with malware inserted   
+-->
+<property value="THEN" delay_units="ms" delay_min="0" delay_max="0" property_id="99" type_property="ATTACK" 
+    description="USB stick with malware inserted "
+    >
+   <event value="COMPUTE" event_id="1" 
+           description="IP destination is a known bot receiving reports from a keylogger"
+           boolean_expression="(#em_check_botnetcc(ip.dst, ip.dst) == true)"/>
+    <event value="COMPUTE" event_id="2" 
+           description="IP packet"
+           boolean_expression="((ip.src != ip.dst)&amp;&amp;(tcp.dest_port==5000))"/>
+</property>
+<embedded_functions><![CDATA[
+#include <arpa/inet.h>
+//hash table
+static mmt_hash_t *table = NULL;
+
+static inline int em_check_botnetcc( const char *ip_src, const char *ip_dst ){
+	//struct in_addr addr;
+	//uint32_t ip = *(uint32_t *) ip_dst;
+	//addr.s_addr = ip;
+	//mmt_debug("Checking IP %"PRIu32" - %s", ip, inet_ntoa( addr ) );
+
+	if( mmt_hash_search( table, ip_dst, 4 ) != NULL )
+	  return true;
+
+	if( mmt_hash_search( table, ip_src, 4 ) != NULL )
+     return true;
+
+   return false;
+}
+
+static const char* list_ips[] = {
+"10.223.1.232"};
+
+//This fuction is called when the rules in this file being loaded into MMT-Security
+void on_load(){
+   int i;
+   //number of uri
+   int length = sizeof( list_ips ) / sizeof( list_ips[0] );
+   const char* ip;
+   uint32_t    key;
+   struct in_addr addr;
+
+   //create a new hash table
+   table = mmt_hash_create( length );
+   mmt_debug("Rule 32.botcc: Created a table for checking bootnet having %d IPs", length );
+
+   //add items to the hash table
+   for( i=0; i<length; i++ ){
+      ip  = list_ips[i];
+      //convert ip string to uint32_t
+      if( inet_aton( ip, &addr ) == 0 ){
+         mmt_error( "Invalid IP address: %s", ip );
+         continue;
+      }
+
+      key = addr.s_addr;
+
+      mmt_hash_add( table, &key, 4, (void*) ip, false ); 
+   }
+}//end on_load()
+
+//This fuction is called when exiting MMT-Security
+void on_unload(){
+   mmt_hash_free( table );
+}//end on_unload()
+]]></embedded_functions>
+</beginning>
+
+

rules/properties_all/103.rdp.xml

@@ -0,0 +1,73 @@
+<beginning>
+<!-- Property 103: RDP honeypot (Draft)   
+-->
+<property value="THEN" delay_units="ms" delay_min="0" delay_max="0" property_id="103" type_property="ATTACK" 
+    description="RDP traffic to honeypot 15.235.141.63"
+    >
+   <event value="COMPUTE" event_id="1" 
+           description="IP add of the honeypot 15.235.141.63"
+           boolean_expression="(#em_check_botnetcc(ip.src, ip.dst) == true)"/>
+    <event value="COMPUTE" event_id="2" 
+           description="RDP packet"
+           boolean_expression="(rdp.packet_count &gt; 0)"/>
+</property>
+
+<embedded_functions><![CDATA[
+#include <arpa/inet.h>
+//hash table
+static mmt_hash_t *table = NULL;
+
+static inline int em_check_botnetcc( const char *ip_src, const char *ip_dst ){
+	//struct in_addr addr;
+	//uint32_t ip = *(uint32_t *) ip_dst;
+	//addr.s_addr = ip;
+	//mmt_debug("Checking IP %"PRIu32" - %s", ip, inet_ntoa( addr ) );
+
+	if( mmt_hash_search( table, ip_dst, 4 ) != NULL )
+	  return true;
+
+	if( mmt_hash_search( table, ip_src, 4 ) != NULL )
+     return true;
+
+   return false;
+}
+
+static const char* list_ips[] = {
+"15.235.141.63"};
+
+//This fuction is called when the rules in this file being loaded into MMT-Security
+void on_load(){
+   int i;
+   //number of uri
+   int length = sizeof( list_ips ) / sizeof( list_ips[0] );
+   const char* ip;
+   uint32_t    key;
+   struct in_addr addr;
+
+   //create a new hash table
+   table = mmt_hash_create( length );
+   mmt_debug("Rule 32.botcc: Created a table for checking bootnet having %d IPs", length );
+
+   //add items to the hash table
+   for( i=0; i<length; i++ ){
+      ip  = list_ips[i];
+      //convert ip string to uint32_t
+      if( inet_aton( ip, &addr ) == 0 ){
+         mmt_error( "Invalid IP address: %s", ip );
+         continue;
+      }
+
+      key = addr.s_addr;
+
+      mmt_hash_add( table, &key, 4, (void*) ip, false ); 
+   }
+}//end on_load()
+
+//This fuction is called when exiting MMT-Security
+void on_unload(){
+   mmt_hash_free( table );
+}//end on_unload()
+]]></embedded_functions>
+</beginning>
+
+

rules/properties_all/97.ssh_brute_force_slow.xml

@@ -0,0 +1,23 @@
+<beginning>
+<!-- Property 97: Probable slow SSH brute force attack.
+-->
+	<property value="THEN" delay_units="ms" delay_min="0+" delay_max="1000" property_id="97" type_property="ATTACK" 
+    description="Probable slow SSH brute force attack">
+    <operator value="THEN" delay_units="ms" delay_min="0+" delay_max="500">
+      <event value="COMPUTE" event_id="1" 
+             description="SSH New Key 1"
+             boolean_expression="((tcp.flags == 24)&amp;&amp;((ip.src != ip.dst)&amp;&amp;(ssh.packet_count != 0)))"/>
+      <event value="COMPUTE" event_id="2" 
+             description="SSH New Key 2"
+             boolean_expression="((tcp.flags == 24)&amp;&amp;((ip.src == ip.src.1)&amp;&amp;((ip.dst == ip.dst.1)&amp;&amp;(ssh.packet_count != 0))))"/>
+    </operator>
+    <operator value="THEN" delay_units="ms" delay_min="0+" delay_max="500">
+      <event value="COMPUTE" event_id="3" 
+             description="SSH New Key 3"
+             boolean_expression="((tcp.flags == 24)&amp;&amp;((ip.src == ip.src.1)&amp;&amp;((ip.dst == ip.dst.1)&amp;&amp;(ssh.packet_count != 0))))"/>
+      <event value="COMPUTE" event_id="4" 
+             description="SSH New Key 4"
+             boolean_expression="((tcp.flags == 24)&amp;&amp;((ip.src == ip.src.1)&amp;&amp;((ip.dst == ip.dst.1)&amp;&amp;(ssh.packet_count != 0))))"/>
+    </operator>
+</property>
+</beginning>

rules/properties_all/98.RDP_brute_force.xml

@@ -0,0 +1,23 @@
+<beginning>
+<!-- Property 98: Probable Remote Desktop Protocol brute force attack.
+-->
+	<property value="THEN" delay_units="ms" delay_min="0+" delay_max="1000" property_id="98" type_property="ATTACK" 
+    description="Probable Remote Desktop Protocol brute force attack">
+    <operator value="THEN" delay_units="ms" delay_min="0+" delay_max="500">
+      <event value="COMPUTE" event_id="1" 
+             description="Login incorrect 1"
+             boolean_expression="((ftp.packet_response_code == 530)&amp;&amp;(ip.src != ip.dst))"/>
+      <event value="COMPUTE" event_id="2" 
+             description="Login incorrect 2"
+             boolean_expression="((ftp.packet_response_code == 530)&amp;&amp;((ip.src == ip.src.1)&amp;&amp;(ip.dst == ip.dst.1)))"/>
+    </operator>
+    <operator value="THEN" delay_units="ms" delay_min="0+" delay_max="500">
+      <event value="COMPUTE" event_id="3" 
+             description="Login incorrect 3"
+             boolean_expression="((ftp.packet_response_code == 530)&amp;&amp;((ip.src == ip.src.1)&amp;&amp;(ip.dst == ip.dst.1)))"/>
+      <event value="COMPUTE" event_id="4" 
+             description="Login incorrect 4"
+             boolean_expression="((ftp.packet_response_code == 530)&amp;&amp;((ip.src == ip.src.1)&amp;&amp;(ip.dst == ip.dst.1)))"/>
+    </operator>
+</property>
+</beginning>

rules/properties_all/99.keylogger_bot.xml

@@ -0,0 +1,72 @@
+<beginning>
+<!-- Property 99: Keylogger connect and send reports to a bot  
+-->
+<property value="THEN" delay_units="ms" delay_min="0" delay_max="0" property_id="99" type_property="ATTACK" 
+    description="Keylogger connect and send reports to a bot"
+    >
+   <event value="COMPUTE" event_id="1" 
+           description="IP destination is a known bot receiving reports from a keylogger"
+           boolean_expression="(#em_check_botnetcc(ip.dst, ip.dst) == true)"/>
+    <event value="COMPUTE" event_id="2" 
+           description="IP packet"
+           boolean_expression="((ip.src != ip.dst)&amp;&amp;(tcp.dest_port==5000))"/>
+</property>
+<embedded_functions><![CDATA[
+#include <arpa/inet.h>
+//hash table
+static mmt_hash_t *table = NULL;
+
+static inline int em_check_botnetcc( const char *ip_src, const char *ip_dst ){
+	//struct in_addr addr;
+	//uint32_t ip = *(uint32_t *) ip_dst;
+	//addr.s_addr = ip;
+	//mmt_debug("Checking IP %"PRIu32" - %s", ip, inet_ntoa( addr ) );
+
+	if( mmt_hash_search( table, ip_dst, 4 ) != NULL )
+	  return true;
+
+	if( mmt_hash_search( table, ip_src, 4 ) != NULL )
+     return true;
+
+   return false;
+}
+
+static const char* list_ips[] = {
+"10.223.1.232"};
+
+//This fuction is called when the rules in this file being loaded into MMT-Security
+void on_load(){
+   int i;
+   //number of uri
+   int length = sizeof( list_ips ) / sizeof( list_ips[0] );
+   const char* ip;
+   uint32_t    key;
+   struct in_addr addr;
+
+   //create a new hash table
+   table = mmt_hash_create( length );
+   mmt_debug("Rule 32.botcc: Created a table for checking bootnet having %d IPs", length );
+
+   //add items to the hash table
+   for( i=0; i<length; i++ ){
+      ip  = list_ips[i];
+      //convert ip string to uint32_t
+      if( inet_aton( ip, &addr ) == 0 ){
+         mmt_error( "Invalid IP address: %s", ip );
+         continue;
+      }
+
+      key = addr.s_addr;
+
+      mmt_hash_add( table, &key, 4, (void*) ip, false ); 
+   }
+}//end on_load()
+
+//This fuction is called when exiting MMT-Security
+void on_unload(){
+   mmt_hash_free( table );
+}//end on_unload()
+]]></embedded_functions>
+</beginning>
+
+