##########################################
#
# Non-Public Information Snort Rules
#
# Copyright 2005-2006 Cory Bys
# All Rights Reserved
# Particle.Bored@kgb.to
#
# This rule set is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; either version 2
# of the License, or (at your option) any later version.
#
# This rule set is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# Thanks to Matt Jonkman and James Affeld for the optimization tips
#
# Last update 11 August 2006
#
##########################################
#
# Reviewer notes -- read before loading this file:
#
# * Scope of visibility.  Every rule below matches plaintext on the wire.
#   SMTP sessions that negotiate STARTTLS, HTTPS, base64-encoded MIME parts,
#   and compressed or encrypted attachments are all invisible to these
#   patterns, so treat the set as a tripwire for careless plaintext leaks,
#   not as a DLP control.
# * SMTP rules watch only $SMTP_SERVERS -> port 25; client submission on
#   587/465 is not covered.
# * Each SMTP pcre runs from the HELO/EHLO greeting to the end-of-DATA
#   marker (\r\n.\r\n) with ".*" under the /s modifier.  That requires the
#   whole session to be presented in a single reassembled buffer; messages
#   large enough to be flushed in several segments will not match, and very
#   large buffers can exhaust the PCRE match limits (the match is then
#   silently abandoned).  Expect misses on big mails.
# * The US classification rules insist on a trailing //X1..X9 or //25X1..9
#   declassification exemption after the caveat block.  Marking practice has
#   changed since 2006 (date-based declassification instructions are the
#   norm), so banner lines carrying no such code will not fire -- review
#   against your current marking guide before relying on them.
# * In the HTTP classification rules the fast-pattern content matches
#   (content:"X5", content:"MR", content:"QQQQ", ...) have no "nocase"
#   while the accompanying pcre uses /i: lower-case markings are rejected by
#   the content match before the regex is ever consulted.
# * No rule carries sid:/rev:.  Assign identifiers from the local range
#   before deployment so alerts can be tuned and suppressed.
# * This copy is damaged: several rules end abruptly at "(?" and the next
#   rule resumes at "$EXTERNAL_NET" -- the text in between (the rest of one
#   pattern and the header of the following rule) is missing.  Restore those
#   rules from an intact copy; the file will not parse as is.
#
##########################################
#
# NPI via Email
#
# Non-US Restricted
# Matches a banner of the form //<trigraph> RESTRICTED//X5, where the
# trigraph is any three letters (any case, because of /i), one or more
# times, anywhere between the greeting and end-of-DATA.
alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"NPI - SMTP Non-US Restricted"; flow:to_server,established; content:"LO "; nocase; pcre:"/(HELO|EHLO)\s.*\/\/([A-Z]{3}\s)+RESTRICTED\/\/X5.*\r\n\.\r\n/ism"; classtype:policy-violation;)
#
# Non-US Confidential
# Same shape as above with the CONFIDENTIAL level.
alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"NPI - SMTP Non-US Confidential"; flow:to_server,established; content:"LO "; nocase; pcre:"/(HELO|EHLO)\s.*\/\/([A-Z]{3}\s)+CONFIDENTIAL\/\/X5.*\r\n\.\r\n/ism"; classtype:policy-violation;)
#
# Non-US Top Secret
# Same shape as above with the TOP SECRET level.
alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"NPI - SMTP Non-US Top Secret"; flow:to_server,established; content:"LO "; nocase; pcre:"/(HELO|EHLO)\s.*\/\/([A-Z]{3}\s)+TOP\sSECRET\/\/X5.*\r\n\.\r\n/ism"; classtype:policy-violation;)
#
# Non-US Secret
# NOTE: truncated in this copy -- the pattern stops at "(?" and the rest of
# the rule is missing.  Do not load until restored from an intact copy.
alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"NPI - SMTP Non-US Secret"; flow:to_server,established; content:"LO "; nocase; pcre:"/(HELO|EHLO)\s.*\/\/([A-Z]{3}\s)+(?
$EXTERNAL_NET 25 (msg:"NPI - SMTP NATO Restricted"; flow:to_server,established; content:"LO "; nocase; pcre:"/(HELO|EHLO)\s.*\/\/((NATO\sRESTRICTED)|NR)\/\/MR.*\r\n\.\r\n/ism"; classtype:policy-violation;) # # NATO Confidential Atomal alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"NPI - SMTP NATO Confidential Atomal"; flow:to_server,established; content:"LO "; nocase; pcre:"/(HELO|EHLO)\s.*\/\/((NATO\sCONFIDENTIAL\sATOMAL)|NCA)\/\/MR.*\r\n\.\r\n/ism"; classtype:policy-violation;) # # NATO Confidential alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"NPI - SMTP NATO Confidential"; flow:to_server,established; content:"LO "; nocase; pcre:"/(HELO|EHLO)\s.*\/\/((NATO\sCONFIDENTIAL)|NC)\/\/MR.*\r\n\.\r\n/ism"; classtype:policy-violation;) # # NATO COSMIC Top Secret Atomal alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"NPI - SMTP NATO COSMIC Top Secret Atomal"; flow:to_server,established; content:"LO "; nocase; pcre:"/(HELO|EHLO)\s.*\/\/((COSMIC\sTOP\sSECRET\sATOMAL)|CTSA)\/\/MR.*\r\n\.\r\n/ism"; classtype:policy-violation;) # # NATO Secret Atomal alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"NPI - SMTP NATO Secret Atomal"; flow:to_server,established; content:"LO "; nocase; pcre:"/(HELO|EHLO)\s.*\/\/((NATO\sSECRET\sATOMAL)|NSA)\/\/MR.*\r\n\.\r\n/ism"; classtype:policy-violation;) # # NATO Secret alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"NPI - SMTP NATO Secret"; flow:to_server,established; content:"LO "; nocase; pcre:"/(HELO|EHLO)\s.*\/\/((NATO\sSECRET)|NS)\/\/MR.*\r\n\.\r\n/ism"; classtype:policy-violation;) # # US Confidential, Electronic Format alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"NPI - SMTP US Confidential, Electronic"; flow:to_server,established; content:"LO "; nocase; pcre:"/(HELO|EHLO)\s.*QQQQ\r\n.*(O|P|R|Z)\r\n(CC)\r\n.*\r\n\.\r\n/ism"; classtype:policy-violation;) # # US Top Secret, Electronic Format alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"NPI - SMTP US Top Secret, Electronic"; 
flow:to_server,established; content:"LO "; nocase; pcre:"/(HELO|EHLO)\s.*QQQQ\r\n.*(O|P|R|Z)\r\n(TT)\r\n.*\r\n\.\r\n/ism"; classtype:policy-violation;) # # US Secret, Electronic Format alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"NPI - SMTP US Secret, Electronic"; flow:to_server,established; content:"LO "; nocase; pcre:"/(HELO|EHLO)\s.*QQQQ\r\n.*(O|P|R|Z)\r\n(SS)\r\n.*\r\n\.\r\n/ism"; classtype:policy-violation;) # # US Confidential Authorized for Release To alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"NPI - SMTP US Confidential REL TO"; flow:to_server,established; content:"LO "; nocase; pcre:"/(HELO|EHLO)\s.*(CONFIDENTIAL|C)\/\/.{0,20}REL\sTO\sUSA.{0,20}\/\/(25)?X[1-9].*\r\n\.\r\n/ism"; classtype:policy-violation;) # # US Top Secret Authorized for Release To alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"NPI - SMTP US Top Secret REL TO"; flow:to_server,established; content:"LO "; nocase; pcre:"/(HELO|EHLO)\s.*(TOP\sSECRET|TS)\/\/.{0,20}REL\sTO\sUSA.{0,20}\/\/(25)?X[1-9].*\r\n\.\r\n/ism"; classtype:policy-violation;) # # US Secret Authorized for Release To alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"NPI - SMTP US Secret REL TO"; flow:to_server,established; content:"LO "; nocase; pcre:"/(HELO|EHLO)\s.*(? $EXTERNAL_NET 25 (msg:"NPI - SMTP US Confidential COMINT"; flow:to_server,established; content:"LO "; nocase; pcre:"/(HELO|EHLO)\s.*(CONFIDENTIAL|C)\/\/.{0,20}(COMINT|SI).{0,20}\/\/(25)?X[1-9].*\r\n\.\r\n/ism"; classtype:policy-violation;) # # US Top Secret Comint alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"NPI - SMTP US Top Secret COMINT"; flow:to_server,established; content:"LO "; nocase; pcre:"/(HELO|EHLO)\s.*(TOP\sSECRET|TS)\/\/.{0,20}(COMINT|SI).{0,20}\/\/(25)?X[1-9].*\r\n\.\r\n/ism"; classtype:policy-violation;) # # US Secret Comint alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"NPI - SMTP US Secret COMINT"; flow:to_server,established; content:"LO "; nocase; pcre:"/(HELO|EHLO)\s.*(? 
$EXTERNAL_NET 25 (msg:"NPI - SMTP US Unclassified COMSEC"; flow:to_server,established; content:"LO "; nocase; pcre:"/(HELO|EHLO)\s.*(UNCLASSIFIED|U)\/\/.{0,20}COMSEC.{0,20}\/\/(25)?X[1-9].*\r\n\.\r\n/ism"; classtype:policy-violation;) # # US Confidential Communications Security Material alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"NPI - SMTP US Confidential COMSEC"; flow:to_server,established; content:"LO "; nocase; pcre:"/(HELO|EHLO)\s.*(CONFIDENTIAL|C)\/\/.{0,20}COMSEC.{0,20}\/\/(25)?X[1-9].*\r\n\.\r\n/ism"; classtype:policy-violation;) # # US Top Secret Communications Security Material alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"NPI - SMTP US Top Secret COMSEC"; flow:to_server,established; content:"LO "; nocase; pcre:"/(HELO|EHLO)\s.*(TOP\sSECRET|TS)\/\/.{0,20}COMSEC.{0,20}\/\/(25)?X[1-9].*\r\n\.\r\n/ism"; classtype:policy-violation;) # # US Secret Communications Security Material alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"NPI - SMTP US Secret COMSEC"; flow:to_server,established; content:"LO "; nocase; pcre:"/(HELO|EHLO)\s.*(SECRET|S)\/\/.{0,20}COMSEC.{0,20}\/\/(25)?X[1-9].*\r\n\.\r\n/ism"; classtype:policy-violation;) # # US Controlled Imagery alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"NPI - SMTP US Secret IMCON"; flow:to_server,established; content:"LO "; nocase; pcre:"/(HELO|EHLO)\s.*(SECRET|S)\/\/.{0,20}IMC.{0,20}\/\/(X1|MR).*\r\n\.\r\n/ism"; classtype:policy-violation;) # # US Top Secret Critical Nuclear Weapon Design Information alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"NPI - SMTP US Top Secret CNWDI"; flow:to_server,established; content:"LO "; nocase; pcre:"/(HELO|EHLO)\s.*(TOP\sSECRET|TS)\/\/.{0,20}(CRITICAL\sNUCLEAR\sWEAPON\sDESIGN\sINFORMATION|CNWDI).{0,20}\/\/MR.*\r\n\.\r\n/ism"; classtype:policy-violation;) # # US Secret Critical Nuclear Weapon Design Information alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"NPI - SMTP US Secret CNWDI"; flow:to_server,established; content:"LO "; nocase; 
pcre:"/(HELO|EHLO)\s.*(SECRET|S)\/\/.{0,20}(CRITICAL\sNUCLEAR\sWEAPON\sDESIGN\sINFORMATION|CNWDI).{0,20}\/\/MR/ism"; classtype:policy-violation;) # # US Top Secret Talent Keyhole alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"NPI - SMTP US Top Secret TK"; flow:to_server,established; content:"LO "; nocase; pcre:"/(HELO|EHLO)\s.*(TOP\sSECRET|TS)\/\/.{0,20}(TALENT\sKEYHOLE|TK).{0,20}\/\/(25)?X[1-9].*\r\n\.\r\n/ism"; classtype:policy-violation;) # # US Secret Talent Keyhole alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"NPI - SMTP US Secret TK"; flow:to_server,established; content:"LO "; nocase; pcre:"/(HELO|EHLO)\s.*(? $EXTERNAL_NET 25 (msg:"NPI - SMTP US FGI"; flow:to_server,established; content:"LO "; nocase; pcre:"/(HELO|EHLO)\s.*\/\/FGI.{0,20}\/\/X5.*\r\n\.\r\n/ism"; classtype:policy-violation;) # # US For Official Use Only alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"NPI - SMTP US FOUO"; flow:to_server,established; content:"LO "; nocase; pcre:"/(HELO|EHLO)\s.*(UNCLASSIFIED|U)\/\/(FOR\sOFFICIAL\sUSE\sONLY|FOUO).*\r\n\.\r\n/ism"; classtype:policy-violation;) # # US Confidential Not Releasable to Foreign Nationals alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"NPI - SMTP US Confidential NOFORN"; flow:to_server,established; content:"LO "; nocase; pcre:"/(HELO|EHLO)\s.*(CONFIDENTIAL|C)\/\/.{0,20}NOFORN.{0,20}\/\/(25)?X[1-9].*\r\n\.\r\n/ism"; classtype:policy-violation;) # # US Top Secret Not Releasable to Foreign Nationals alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"NPI - SMTP US Top Secret NOFORN"; flow:to_server,established; content:"LO "; nocase; pcre:"/(HELO|EHLO)\s.*(TOP\sSECRET|TS)\/\/.{0,20}NOFORN.{0,20}\/\/(25)?X[1-9].*\r\n\.\r\n/ism"; classtype:policy-violation;) # # US Secret Not Releasable to Foreign Nationals alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"NPI - SMTP US Secret NOFORN"; flow:to_server,established; content:"LO "; nocase; pcre:"/(HELO|EHLO)\s.*(? 
$EXTERNAL_NET 25 (msg:"NPI - SMTP US Confidential ORCON"; flow:to_server,established; content:"LO "; nocase; pcre:"/(HELO|EHLO)\s.*(CONFIDENTIAL|C)\/\/.{0,20}(ORIGINATOR\sCONTROLLED|ORCON).{0,20}\/\/(25)?X[1-9].*\r\n\.\r\n/ism"; classtype:policy-violation;) # # US Top Secret Originator Controlled alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"NPI - SMTP US Top Secret ORCON"; flow:to_server,established; content:"LO "; nocase; pcre:"/(HELO|EHLO)\s.*(TOP\sSECRET|TS)\/\/.{0,20}(ORIGINATOR\sCONTROLLED|ORCON).{0,20}\/\/(25)?X[1-9].*\r\n\.\r\n/ism"; classtype:policy-violation;) # # US Secret Originator Controlled alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"NPI - SMTP US Secret ORCON"; flow:to_server,established; content:"LO "; nocase; pcre:"/(HELO|EHLO)\s.*(? $EXTERNAL_NET 25 (msg:"NPI - SMTP US Unclassified PROPIN"; flow:to_server,established; content:"LO "; nocase; pcre:"/(HELO|EHLO)\s.*(UNCLASSIFIED|U)\/\/.{0,20}PROPIN.{0,20}\/\/(25)?X[1-9].*\r\n\.\r\n/ism"; classtype:policy-violation;) # # US Confidential Proprietary Information alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"NPI - SMTP US Confidential PROPIN"; flow:to_server,established; content:"LO "; nocase; pcre:"/(HELO|EHLO)\s.*(CONFIDENTIAL|C)\/\/.{0,20}PROPIN.{0,20}\/\/(25)?X[1-9].*\r\n\.\r\n/ism"; classtype:policy-violation;) # # US Top Secret Proprietary Information alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"NPI - SMTP US Top Secret PROPIN"; flow:to_server,established; content:"LO "; nocase; pcre:"/(HELO|EHLO)\s.*(TOP\sSECRET|TS)\/\/.{0,20}PROPIN.{0,20}\/\/(25)?X[1-9].*\r\n\.\r\n/ism"; classtype:policy-violation;) # # US Secret Proprietary Information alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"NPI - SMTP US Secret PROPIN"; flow:to_server,established; content:"LO "; nocase; pcre:"/(HELO|EHLO)\s.*(? 
$EXTERNAL_NET 25 (msg:"NPI - SMTP US Confidential RD"; flow:to_server,established; content:"LO "; nocase; pcre:"/(HELO|EHLO)\s.*(CONFIDENTIAL|C)\/\/.{0,20}(RESTRICTED\sDATA|RD).{0,20}\/\/MR.*\r\n\.\r\n/ism"; classtype:policy-violation;) # # US Top Secret Restricted Data alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"NPI - SMTP US Top Secret RD"; flow:to_server,established; content:"LO "; nocase; pcre:"/(HELO|EHLO)\s.*(TOP\sSECRET|TS)\/\/.{0,20}(RESTRICTED\sDATA|RD).{0,20}\/\/MR.*\r\n\.\r\n/ism"; classtype:policy-violation;) # # US Secret Restricted Data alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"NPI - SMTP US Secret RD"; flow:to_server,established; content:"LO "; nocase; pcre:"/(HELO|EHLO)\s.*(? $EXTERNAL_NET 25 (msg:"NPI - SMTP US SAMI"; flow:to_server,established; content:"LO "; nocase; pcre:"/(HELO|EHLO)\s.*SAMI.{0,20}\/\/(25)?X[1-9].*\r\n\.\r\n/ism"; classtype:policy-violation;) # # US Confidential Special Category alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"NPI - SMTP US Confidential SPECAT"; flow:to_server,established; content:"LO "; nocase; pcre:"/(HELO|EHLO)\s.*(CONFIDENTIAL|C)\/\/.{0,20}SPECAT.{0,20}\/\/(25)?X[1-9].*\r\n\.\r\n/ism"; classtype:policy-violation;) # # US Top Secret Special Category alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"NPI - SMTP US Top Secret SPECAT"; flow:to_server,established; content:"LO "; nocase; pcre:"/(HELO|EHLO)\s.*(TOP\sSECRET|TS)\/\/.{0,20}SPECAT.{0,20}\/\/(25)?X[1-9].*\r\n\.\r\n/ism"; classtype:policy-violation;) # # US Secret Special Category alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"NPI - SMTP US Secret SPECAT"; flow:to_server,established; content:"LO "; nocase; pcre:"/(HELO|EHLO)\s.*(? 
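$EXTERNAL_NET 25 (msg:"NPI - SMTP US Top Secret STOP"; flow:to_server,established; content:"LO "; nocase; pcre:"/(HELO|EHLO)\s.*(TOP\sSECRET|TS)\/\/.{0,20}STOP.{0,20}\/\/(25)?X[1-9].*\r\n\.\r\n/ism"; classtype:policy-violation;)
#
# ---- Personal / financial / health data over SMTP ----
# Notes common to the rules in this section:
# * Each pcre spans HELO/EHLO .. end-of-DATA (\r\n.\r\n) under /s, so the
#   whole session must sit in one reassembled buffer; large mails that are
#   flushed in pieces will not match.
# * Only plaintext is inspected: STARTTLS, base64 MIME parts and attachments
#   defeat every pattern here.
# * Number formats are matched by shape only; pcre cannot run a Luhn check,
#   so the card-number rules will fire on some random digit runs that happen
#   to sit near the brand name.
# * No sid:/rev: is present -- assign local identifiers before deploying.
#
# The phrase "law enforcement sensitive"
# (msg text corrected: it previously read "Law Enorcement Sensitive")
alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"NPI - SMTP Law Enforcement Sensitive"; flow:to_server,established; content:"LO "; nocase; pcre:"/(HELO|EHLO)\s.*\Wlaw\senforcement\ssensitive\W.*\r\n\.\r\n/ism"; classtype:policy-violation;)
#
# The phrase "internal use only"
alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"NPI - SMTP Internal Use Only"; flow:to_server,established; content:"LO "; nocase; pcre:"/(HELO|EHLO)\s.*\Winternal\suse\sonly\W.*\r\n\.\r\n/ism"; classtype:policy-violation;)
#
# Date of Birth
# Keyword forms accepted: "dob", "d-o-b", "d.o.b", "date of birth",
# "date-of-birth" (any case), followed within 20 characters by a 6-8 digit
# date with optional "-", "/" or "\" separators.
# Fix: the keyword is now bounded by \W on both sides.  The previous pattern
# had no left boundary (it matched inside words such as "adobe"), and its
# spelled-out form required a space *and* a further non-word character after
# "birth", so "date of birth: 01/02/1980" never matched.
alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"NPI - SMTP Date of Birth"; flow:to_server,established; content:"LO "; nocase; pcre:"/(HELO|EHLO)\s.*\Wd(ate)?[\s.-]?o(f)?[\s.-]?b(irth)?\W.{0,20}[0-9]{2}[-\\\/]?[0-9]{2}[-\\\/]?[0-9]{2,4}\W.*\r\n\.\r\n/ism"; classtype:policy-violation;)
#
# Health Care Common Procedure Coding System (HCPCS) Codes
# Fix: HCPCS Level II codes are a single letter followed by four digits; the
# previous [0-9]{10} could not match a real code.
alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"NPI - SMTP HCPCS Code"; flow:to_server,established; content:"LO "; nocase; pcre:"/(HELO|EHLO)\s.*\Whcpcs\W.{0,20}[a-z][0-9]{4}\W.*\r\n\.\r\n/ism"; classtype:policy-violation;)
#
# International Statistical Classification of Diseases and Related Health Problems 10th Revision (ICD-10) Codes
# Fix: an ICD-10 code is a letter, two digits, then a point and one to four
# alphanumerics (ICD-10-CM extends to four).  The previous pattern demanded
# exactly two digits after the point and missed the common one-digit form.
alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"NPI - SMTP ICD-10 Code"; flow:to_server,established; content:"LO "; nocase; pcre:"/(HELO|EHLO)\s.*\Wicd\W.{0,20}[a-z][0-9]{2}\.[a-z0-9]{1,4}\W.*\r\n\.\r\n/ism"; classtype:policy-violation;)
#
# Food and Drug Administration (FDA) National Drug Code (NDC) Codes
# 4-4-2, 5-3-2 and 5-4-1/5-4-2 hyphenated layouts.
alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"NPI - SMTP FDA NDC Code"; flow:to_server,established; content:"LO "; nocase; pcre:"/(HELO|EHLO)\s.*\Wndc\W.{0,20}([0-9]{4}-[0-9]{4}-[0-9]{2}|[0-9]{5}-[0-9]{3}-[0-9]{2}|[0-9]{5}-[0-9]{4}-[0-9]{1,2})\W.*\r\n\.\r\n/ism"; classtype:policy-violation;)
#
# American Dental Association (ADA) Dental Procedure Codes
# "D" followed by four digits within 20 characters of the word "ada".
alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"NPI - SMTP ADA Procedure Code"; flow:to_server,established; content:"LO "; nocase; pcre:"/(HELO|EHLO)\s.*\Wada\W.{0,20}d[0-9]{4}\W.*\r\n\.\r\n/ism"; classtype:policy-violation;)
#
# Diagnostic and Statistical Manual of Mental Disorders (DSM-IV) Codes
# Accepts any bare three-digit number 200-999 near "dsm", or a V-code such
# as V61.20; expect noise from the first alternative.
alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"NPI - SMTP DSM-IV Code"; flow:to_server,established; content:"LO "; nocase; pcre:"/(HELO|EHLO)\s.*\Wdsm\W.{0,20}([2-9][0-9]{2}|v[167][0-9]\.[0-9]{1,2})\W.*\r\n\.\r\n/ism"; classtype:policy-violation;)
#
# American Medical Association (AMA) Current Procedural Terminology (CPT) Codes
# Five digits, or four digits plus an F/T category suffix.
alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"NPI - SMTP AMA CPT Code"; flow:to_server,established; content:"LO "; nocase; pcre:"/(HELO|EHLO)\s.*\Wcpt\W.{0,20}([0-9]{4}[ft]|[0-9]{5})\W.*\r\n\.\r\n/ism"; classtype:policy-violation;)
#
# American Express Credit Card Number
# 15 digits starting 34 or 37.
alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"NPI - SMTP Credit Card, AmEx"; flow:to_server,established; content:"LO "; nocase; pcre:"/(HELO|EHLO)\s.*\Wam(erican\s)?ex(press)?\W.{0,20}3[47][0-9]{13}\W.*\r\n\.\r\n/ism"; classtype:policy-violation;)
#
# Japan Credit Bureau Credit Card Number
# 16-digit 3x BINs or the older 15-digit 1800/2131 prefixes (ranges as of 2006).
alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"NPI - SMTP Credit Card, JCB"; flow:to_server,established; content:"LO "; nocase; pcre:"/(HELO|EHLO)\s.*\Wj(apan\s)?c(redit\s)?b(ureau)?\W.{0,20}((3[12359][0-9]{14})|((1800|2131)[0-9]{11}))\W.*\r\n\.\r\n/ism"; classtype:policy-violation;)
#
# BankCard Credit Card Number
# 16 digits starting 560/561 (the Australian Bankcard scheme, which has since
# been wound down -- a candidate for disabling).
alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"NPI - SMTP Credit Card, BankCard"; flow:to_server,established; content:"LO "; nocase; pcre:"/(HELO|EHLO)\s.*\Wb(ank)?c(ard)?\W.{0,20}56[01][0-9]{13}\W.*\r\n\.\r\n/ism"; classtype:policy-violation;)
#
# Diners Club and (Old) Carte Blanche Credit Card Number
# 14 digits starting 300-305, 36 or 38.
alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"NPI - SMTP Credit Card, Diners"; flow:to_server,established; content:"LO "; nocase; pcre:"/(HELO|EHLO)\s.*\W(diners|diner\'s)(\Wclub)?\W.{0,20}((30[0-5][0-9]{11})|(3[68][0-9]{12}))\W.*\r\n\.\r\n/ism"; classtype:policy-violation;)
#
# MasterCard Credit Card Number
# 16 digits starting 51-55, plus the 2-series BIN range 2221-2720 that
# MasterCard began issuing in 2017 (previously not matched).
alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"NPI - SMTP Credit Card, MC"; flow:to_server,established; content:"LO "; nocase; pcre:"/(HELO|EHLO)\s.*\Wm(aster\s)?c(ard)?\W.{0,20}(5[1-5][0-9]{14}|2(22[1-9]|2[3-9][0-9]|[3-6][0-9]{2}|7[01][0-9]|720)[0-9]{12})\W.*\r\n\.\r\n/ism"; classtype:policy-violation;)
#
# Visa Credit Card Number
# 13- or 16-digit numbers starting with 4 (19-digit Visa PANs are not covered).
alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"NPI - SMTP Credit Card, Visa"; flow:to_server,established; content:"LO "; nocase; pcre:"/(HELO|EHLO)\s.*\Wvisa\W.{0,20}(4[0-9]{12}|4[0-9]{15})\W.*\r\n\.\r\n/ism"; classtype:policy-violation;)
#
# Social Security Number
# Fix: the area number was limited to 100-699, which already excluded the
# 7xx areas in use and everything issued under randomization.  The SSA
# rules are now encoded instead: area never 000, 666 or 9xx; group never
# 00; serial never 0000.  Separators remain independently optional.
alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"NPI - SMTP SSN"; flow:to_server,established; content:"LO "; nocase; pcre:"/(HELO|EHLO)\s.*\Ws(ocial\s)?s(ecurity\s)?(n(umber)?|#)\W.{0,20}(?!000|666|9)[0-9]{3}[-]?(?!00)[0-9]{2}[-]?(?!0000)[0-9]{4}\W.*\r\n\.\r\n/ism"; classtype:policy-violation;)
#
# The word "password", its typical abbreviations or written/abbreviated in a few forms of "leet"
# Covers password, passwd, pwd, p@ssw0rd, pa55word and similar.  Fires on
# any mail that merely mentions the word (password-reset notices, policy
# reminders), so tune or pair with another indicator before acting on it.
alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"NPI - SMTP Password"; flow:to_server,established; content:"LO "; nocase; pcre:"/(HELO|EHLO)\s.*\W[p][a4@]{0,1}[sz5]{0,2}[w]([o0][r])?[d]\W.*\r\n\.\r\n/ism"; classtype:policy-violation;)
#
# The phrase "transaction history"
alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"NPI - SMTP Transaction History"; flow:to_server,established; content:"LO "; nocase; pcre:"/(HELO|EHLO)\s.*\Wtransaction\shistor(y|ies)\W.*\r\n\.\r\n/ism"; classtype:policy-violation;)
#
# The phrase "customer list"
alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"NPI - SMTP Customer List"; flow:to_server,established; 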
content:"LO "; nocase; pcre:"/(HELO|EHLO)\s.*\Wcustomer\slist(s)?\W.*\r\n\.\r\n/ism"; classtype:policy-violation;) # ########################################## # # NPI via HTTP GET or POST # # Non-US Restricted alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"NPI - HTTP Non-US Restricted"; flow:to_server,established; content:"Host\:"; content:"X5"; pcre:"/\/\/([A-Z]{3}\s)+RESTRICTED\/\/X5/ism"; classtype:policy-violation;) # # Non-US Confidential alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"NPI - HTTP Non-US Confidential"; flow:to_server,established; content:"Host\:"; content:"X5"; pcre:"/\/\/([A-Z]{3}\s)+CONFIDENTIAL\/\/X5/ism"; classtype:policy-violation;) # # Non-US Top Secret alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"NPI - HTTP Non-US Top Secret"; flow:to_server,established; content:"Host\:"; content:"X5"; pcre:"/\/\/([A-Z]{3}\s)+TOP\sSECRET\/\/X5/ism"; classtype:policy-violation;) # # Non-US Secret alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"NPI - HTTP Non-US Secret"; flow:to_server,established; content:"Host\:"; content:"X5"; pcre:"/\/\/([A-Z]{3}\s)+(? 
$EXTERNAL_NET $HTTP_PORTS (msg:"NPI - HTTP NATO Restricted"; flow:to_server,established; content:"Host\:"; content:"MR"; pcre:"/\/\/((NATO\sRESTRICTED)|NR)\/\/MR/ism"; classtype:policy-violation;) # # NATO Confidential Atomal alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"NPI - HTTP NATO Confidential Atomal"; flow:to_server,established; content:"Host\:"; content:"MR"; pcre:"/\/\/((NATO\sCONFIDENTIAL\sATOMAL)|NCA)\/\/MR/ism"; classtype:policy-violation;) # # NATO Confidential alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"NPI - HTTP NATO Confidential"; flow:to_server,established; content:"Host\:"; content:"MR"; pcre:"/\/\/((NATO\sCONFIDENTIAL)|NC)\/\/MR/ism"; classtype:policy-violation;) # # NATO COSMIC Top Secret Atomal alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"NPI - HTTP NATO COSMIC Top Secret Atomal"; flow:to_server,established; content:"Host\:"; content:"MR"; pcre:"/\/\/((COSMIC\sTOP\sSECRET\sATOMAL)|CTSA)\/\/MR/ism"; classtype:policy-violation;) # # NATO Secret Atomal alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"NPI - HTTP NATO Secret Atomal"; flow:to_server,established; content:"Host\:"; content:"MR"; pcre:"/\/\/((NATO\sSECRET\sATOMAL)|NSA)\/\/MR/ism"; classtype:policy-violation;) # # NATO Secret alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"NPI - HTTP NATO Secret"; flow:to_server,established; content:"Host\:"; content:"MR"; pcre:"/\/\/((NATO\sSECRET)|NS)\/\/MR/ism"; classtype:policy-violation;) # # US Confidential, Electronic Format alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"NPI - HTTP US Confidential, Electronic"; flow:to_server,established; content:"Host\:"; content:"QQQQ"; pcre:"/QQQQ\r\n.*(O|P|R|Z)\r\n(CC)\r\n/ism"; classtype:policy-violation;) # # US Top Secret, Electronic Format alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"NPI - HTTP US Top Secret, Electronic"; flow:to_server,established; content:"Host\:"; content:"QQQQ"; 
pcre:"/QQQQ\r\n.*(O|P|R|Z)\r\n(TT)\r\n/ism"; classtype:policy-violation;) # # US Secret, Electronic Format alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"NPI - HTTP US Secret, Electronic"; flow:to_server,established; content:"Host\:"; content:"QQQQ"; pcre:"/QQQQ\r\n.*(O|P|R|Z)\r\n(SS)\r\n/ism"; classtype:policy-violation;) # # US Confidential Authorized for Release To alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"NPI - HTTP US Confidential REL TO"; flow:to_server,established; content:"Host\:"; content:"REL TO"; pcre:"/(CONFIDENTIAL|C)\/\/.{0,20}REL\sTO\sUSA.{0,20}\/\/(25)?X[1-9]/ism"; classtype:policy-violation;) # # US Top Secret Authorized for Release To alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"NPI - HTTP US Top Secret REL TO"; flow:to_server,established; content:"Host\:"; content:"REL TO"; pcre:"/(TOP\sSECRET|TS)\/\/.{0,20}REL\sTO\sUSA.{0,20}\/\/(25)?X[1-9]/ism"; classtype:policy-violation;) # # US Secret Authorized for Release To alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"NPI - HTTP US Secret REL TO"; flow:to_server,established; content:"Host\:"; content:"REL TO"; pcre:"/(? $EXTERNAL_NET $HTTP_PORTS (msg:"NPI - HTTP US Confidential COMINT"; flow:to_server,established; content:"Host\:"; content:"X"; pcre:"/(CONFIDENTIAL|C)\/\/.{0,20}(COMINT|SI).{0,20}\/\/(25)?X[1-9]/ism"; classtype:policy-violation;) # # US Top Secret Comint alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"NPI - HTTP US Top Secret COMINT"; flow:to_server,established; content:"Host\:"; content:"X"; pcre:"/(TOP\sSECRET|TS)\/\/.{0,20}(COMINT|SI).{0,20}\/\/(25)?X[1-9]/ism"; classtype:policy-violation;) # # US Secret Comint alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"NPI - HTTP US Secret COMINT"; flow:to_server,established; content:"Host\:"; content:"X"; pcre:"/(? 
$EXTERNAL_NET $HTTP_PORTS (msg:"NPI - HTTP US Unclassified COMSEC"; flow:to_server,established; content:"Host\:"; content:"COMSEC"; pcre:"/(UNCLASSIFIED|U)\/\/.{0,20}COMSEC.{0,20}\/\/(25)?X[1-9]/ism"; classtype:policy-violation;) # # US Confidential Communications Security Material alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"NPI - HTTP US Confidential COMSEC"; flow:to_server,established; content:"Host\:"; content:"COMSEC"; pcre:"/(CONFIDENTIAL|C)\/\/.{0,20}COMSEC.{0,20}\/\/(25)?X[1-9]/ism"; classtype:policy-violation;) # # US Top Secret Communications Security Material alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"NPI - HTTP US Top Secret COMSEC"; flow:to_server,established; content:"Host\:"; content:"COMSEC"; pcre:"/(TOP\sSECRET|TS)\/\/.{0,20}COMSEC.{0,20}\/\/(25)?X[1-9]/ism"; classtype:policy-violation;) # # US Secret Communications Security Material alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"NPI - HTTP US Secret COMSEC"; flow:to_server,established; content:"Host\:"; content:"COMSEC"; pcre:"/(? $EXTERNAL_NET $HTTP_PORTS (msg:"NPI - HTTP US Secret IMCON"; flow:to_server,established; content:"Host\:"; content:"IMC"; pcre:"/(SECRET|S)\/\/.{0,20}IMC.{0,20}\/\/(X1|MR)/ism"; classtype:policy-violation;) # # US Top Secret Critical Nuclear Weapon Design Information alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"NPI - HTTP US Top Secret CNWDI"; flow:to_server,established; content:"Host\:"; content:"MR"; pcre:"/(TOP\sSECRET|TS)\/\/.{0,20}(CRITICAL\sNUCLEAR\sWEAPON\sDESIGN\sINFORMATION|CNWDI).{0,20}\/\/MR/ism"; classtype:policy-violation;) # # US Secret Critical Nuclear Weapon Design Information alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"NPI - HTTP US Secret CNWDI"; flow:to_server,established; content:"Host\:"; content:"MR"; pcre:"/(? 
$EXTERNAL_NET $HTTP_PORTS (msg:"NPI - HTTP US Top Secret TK"; flow:to_server,established; content:"Host\:"; content:"X"; pcre:"/(TOP\sSECRET|TS)\/\/.{0,20}(TALENT\sKEYHOLE|TK).{0,20}\/\/(25)?X[1-9]/ism"; classtype:policy-violation;) # # US Secret Talent Keyhole alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"NPI - HTTP US Secret TK"; flow:to_server,established; content:"Host\:"; content:"X"; pcre:"/(? $EXTERNAL_NET $HTTP_PORTS (msg:"NPI - HTTP US FGI"; flow:to_server,established; content:"Host\:"; content:"FGI"; pcre:"/\/\/FGI.{0,20}\/\/X5/ism"; classtype:policy-violation;) # # US For Official Use Only alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"NPI - HTTP US FOUO"; flow:to_server,established; content:"Host\:"; pcre:"/(UNCLASSIFIED|U)\/\/(FOR\sOFFICIAL\sUSE\sONLY|FOUO)/ism"; classtype:policy-violation;) # # US Confidential Not Releasable to Foreign Nationals alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"NPI - HTTP US Confidential NOFORN"; flow:to_server,established; content:"Host\:"; content:"NOFORN"; pcre:"/(CONFIDENTIAL|C)\/\/.{0,20}NOFORN.{0,20}\/\/(25)?X[1-9]/ism"; classtype:policy-violation;) # # US Top Secret Not Releasable to Foreign Nationals alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"NPI - HTTP US Top Secret NOFORN"; flow:to_server,established; content:"Host\:"; content:"NOFORN"; pcre:"/(TOP\sSECRET|TS)\/\/.{0,20}NOFORN.{0,20}\/\/(25)?X[1-9]/ism"; classtype:policy-violation;) # # US Secret Not Releasable to Foreign Nationals alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"NPI - HTTP US Secret NOFORN"; flow:to_server,established; content:"Host\:"; content:"NOFORN"; pcre:"/(? 
$EXTERNAL_NET $HTTP_PORTS (msg:"NPI - HTTP US Confidential ORCON"; flow:to_server,established; content:"Host\:"; content:"OR"; pcre:"/(CONFIDENTIAL|C)\/\/.{0,20}(ORIGINATOR\sCONTROLLED|ORCON).{0,20}\/\/(25)?X[1-9]/ism"; classtype:policy-violation;) # # US Top Secret Originator Controlled alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"NPI - HTTP US Top Secret ORCON"; flow:to_server,established; content:"Host\:"; content:"OR"; pcre:"/(TOP\sSECRET|TS)\/\/.{0,20}(ORIGINATOR\sCONTROLLED|ORCON).{0,20}\/\/(25)?X[1-9]/ism"; classtype:policy-violation;) # # US Secret Originator Controlled alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"NPI - HTTP US Secret ORCON"; flow:to_server,established; content:"Host\:"; content:"OR"; pcre:"/(? $EXTERNAL_NET $HTTP_PORTS (msg:"NPI - HTTP US Unclassified PROPIN"; flow:to_server,established; content:"Host\:"; content:"PROPIN"; pcre:"/(UNCLASSIFIED|U)\/\/.{0,20}PROPIN.{0,20}\/\/(25)?X[1-9]/ism"; classtype:policy-violation;) # # US Confidential Proprietary Information alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"NPI - HTTP US Confidential PROPIN"; flow:to_server,established; content:"Host\:"; content:"PROPIN"; pcre:"/(CONFIDENTIAL|C)\/\/.{0,20}PROPIN.{0,20}\/\/(25)?X[1-9]/ism"; classtype:policy-violation;) # # US Top Secret Proprietary Information alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"NPI - HTTP US Top Secret PROPIN"; flow:to_server,established; content:"Host\:"; content:"PROPIN"; pcre:"/(TOP\sSECRET|TS)\/\/.{0,20}PROPIN.{0,20}\/\/(25)?X[1-9]/ism"; classtype:policy-violation;) # # US Secret Proprietary Information alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"NPI - HTTP US Secret PROPIN"; flow:to_server,established; content:"Host\:"; content:"PROPIN"; pcre:"/(? 
$EXTERNAL_NET $HTTP_PORTS (msg:"NPI - HTTP US Confidential RD"; flow:to_server,established; content:"Host\:"; content:"MR"; pcre:"/(CONFIDENTIAL|C)\/\/.{0,20}(RESTRICTED\sDATA|RD).{0,20}\/\/MR/ism"; classtype:policy-violation;) # # US Top Secret Restricted Data alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"NPI - HTTP US Top Secret RD"; flow:to_server,established; content:"Host\:"; content:"MR"; pcre:"/(TOP\sSECRET|TS)\/\/.{0,20}(RESTRICTED\sDATA|RD).{0,20}\/\/MR/ism"; classtype:policy-violation;) # # US Secret Restricted Data alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"NPI - HTTP US Secret RD"; flow:to_server,established; content:"Host\:"; content:"MR"; pcre:"/(? $EXTERNAL_NET $HTTP_PORTS (msg:"NPI - HTTP US SAMI"; flow:to_server,established; content:"Host\:"; content:"SAMI"; pcre:"/SAMI.{0,20}\/\/(25)?X[1-9]/ism"; classtype:policy-violation;) # # US Confidential Special Category alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"NPI - HTTP US Confidential SPECAT"; flow:to_server,established; content:"Host\:"; content:"SPECAT"; pcre:"/(CONFIDENTIAL|C)\/\/.{0,20}SPECAT.{0,20}\/\/(25)?X[1-9]/ism"; classtype:policy-violation;) # # US Top Secret Special Category alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"NPI - HTTP US Top Secret SPECAT"; flow:to_server,established; content:"Host\:"; content:"SPECAT"; pcre:"/(TOP\sSECRET|TS)\/\/.{0,20}SPECAT.{0,20}\/\/(25)?X[1-9]/ism"; classtype:policy-violation;) # # US Secret Special Category alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"NPI - HTTP US Secret SPECAT"; flow:to_server,established; content:"Host\:"; content:"SPECAT"; pcre:"/(SECRET|S)\/\/.{0,20}SPECAT.{0,20}\/\/(25)?X[1-9]/ism"; classtype:policy-violation;) # # US Top Secret Single Integrated Operations Plan alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"NPI - HTTP US Top Secret STOP"; flow:to_server,established; content:"Host\:"; content:"STOP"; 
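pcre:"/(TOP\sSECRET|TS)\/\/.{0,20}STOP.{0,20}\/\/(25)?X[1-9]/ism"; classtype:policy-violation;)
#
# ---- Personal / financial / health data in HTTP requests ----
# Notes common to the rules in this section:
# * Requests are inspected as plaintext; HTTPS is invisible to every rule.
# * content:"Host\:" is the anchor on all of them.  A colon needs no escape
#   in a content string; if your Snort version rejects the "\:" sequence use
#   content:"Host:" instead.  On releases that offer http_header /
#   http_client_body modifiers, constrain the matches to those buffers to
#   cut both cost and false positives.
# * Number formats are matched by shape only (no Luhn check is possible in
#   pcre); expect some random digit runs near a brand name to fire.
# * Several rules use a very short or very common fast-pattern content
#   ("ex", "ada", "icd") that nearly every request contains, so the pcre is
#   evaluated on almost all traffic.
# * No sid:/rev: is present -- assign local identifiers before deploying.
#
# The phrase "law enforcement sensitive"
# (msg text corrected: it previously read "Law Enorcement Sensitive")
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"NPI - HTTP Law Enforcement Sensitive"; flow:to_server,established; content:"Host\:"; content:"enforcement"; nocase; pcre:"/\Wlaw\senforcement\ssensitive\W/ism"; classtype:policy-violation;)
#
# The phrase "internal use only"
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"NPI - HTTP Internal Use Only"; flow:to_server,established; content:"Host\:"; content:"internal"; nocase; pcre:"/\Winternal\suse\sonly\W/ism"; classtype:policy-violation;)
#
# Date of Birth
# Keyword forms accepted: "dob", "d-o-b", "d.o.b", "date of birth",
# "date-of-birth" (any case), then a 6-8 digit date within 20 characters.
# Fix: the keyword is now bounded by \W on both sides.  The previous pattern
# had no left boundary (it matched inside words such as "adobe"), and its
# spelled-out form required a space *and* a further non-word character after
# "birth", so "date of birth: 01/02/1980" never matched.
# The search.msn.com exclusion is inherited from the original author.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"NPI - HTTP Date of Birth"; flow:to_server,established; content:"Host\:"; content:!"search.msn.com"; pcre:"/\Wd(ate)?[\s.-]?o(f)?[\s.-]?b(irth)?\W.{0,20}[0-9]{2}[-\\\/]?[0-9]{2}[-\\\/]?[0-9]{2,4}\W/ism"; classtype:policy-violation;)
#
# Health Care Common Procedure Coding System (HCPCS) Codes
# Fix: HCPCS Level II codes are a single letter followed by four digits; the
# previous [0-9]{10} could not match a real code.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"NPI - HTTP HCPCS Code"; flow:to_server,established; content:"Host\:"; content:"hcpcs"; nocase; pcre:"/\Whcpcs\W.{0,20}[a-z][0-9]{4}/ism"; classtype:policy-violation;)
#
# International Statistical Classification of Diseases and Related Health Problems 10th Revision (ICD-10) Codes
# Fix: an ICD-10 code is a letter, two digits, then a point and one to four
# alphanumerics; the previous pattern demanded exactly two digits after the
# point and missed the common one-digit form.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"NPI - HTTP ICD-10 Code"; flow:to_server,established; content:"Host\:"; content:"icd"; nocase; pcre:"/\Wicd\W.{0,20}[a-z][0-9]{2}\.[a-z0-9]{1,4}/ism"; classtype:policy-violation;)
#
# Food and Drug Administration (FDA) National Drug Code (NDC) Codes
# 4-4-2, 5-3-2 and 5-4-1/5-4-2 hyphenated layouts.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"NPI - HTTP FDA NDC Code"; flow:to_server,established; content:"Host\:"; content:"ndc"; nocase; pcre:"/\Wndc\W.{0,20}([0-9]{4}-[0-9]{4}-[0-9]{2}|[0-9]{5}-[0-9]{3}-[0-9]{2}|[0-9]{5}-[0-9]{4}-[0-9]{1,2})/ism"; classtype:policy-violation;)
#
# American Dental Association (ADA) Dental Procedure Codes
# "D" followed by four digits within 20 characters of the word "ada".
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"NPI - HTTP ADA Procedure Code"; flow:to_server,established; content:"Host\:"; content:"ada"; nocase; pcre:"/\Wada\W.{0,20}d[0-9]{4}/ism"; classtype:policy-violation;)
#
# Diagnostic and Statistical Manual of Mental Disorders (DSM-IV) Codes
# Accepts any bare three-digit number 200-999 near "dsm", or a V-code such
# as V61.20; expect noise from the first alternative.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"NPI - HTTP DSM-IV Code"; flow:to_server,established; content:"Host\:"; content:"dsm"; nocase; pcre:"/\Wdsm\W.{0,20}([2-9][0-9]{2}\W|v[167][0-9]\.[0-9]{1,2})/ism"; classtype:policy-violation;)
#
# American Medical Association (AMA) Current Procedural Terminology (CPT) Codes
# Five digits, or four digits plus an F/T category suffix.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"NPI - HTTP AMA CPT Code"; flow:to_server,established; content:"Host\:"; content:"cpt"; nocase; pcre:"/\Wcpt\W.{0,20}([0-9]{4}[ft]|[0-9]{5})/ism"; classtype:policy-violation;)
#
# American Express Credit Card Number
# 15 digits starting 34 or 37.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"NPI - HTTP Credit Card, AmEx"; flow:to_server,established; content:"Host\:"; content:"ex"; nocase; pcre:"/\Wam(erican\s)?ex(press)?\W.{0,20}3[47][0-9]{13}/ism"; classtype:policy-violation;)
#
# Japan Credit Bureau Credit Card Number
# 16-digit 3x BINs or the older 15-digit 1800/2131 prefixes (ranges as of 2006).
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"NPI - HTTP Credit Card, JCB"; flow:to_server,established; content:"Host\:"; pcre:"/\Wj(apan\s)?c(redit\s)?b(ureau)?\W.{0,20}((3[12359][0-9]{14})|((1800|2131)[0-9]{11}))/ism"; classtype:policy-violation;)
#
# BankCard Credit Card Number
# 16 digits starting 560/561 (the Australian Bankcard scheme, which has since
# been wound down -- a candidate for disabling).  The boldchat.com exclusion
# is inherited from the original author.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"NPI - HTTP Credit Card, BankCard"; flow:to_server,established; content:"Host\:"; content:!"boldchat.com"; pcre:"/\Wb(ank)?c(ard)?\W.{0,20}56[01][0-9]{13}/ism"; classtype:policy-violation;)
#
# Diners Club and (Old) Carte Blanche Credit Card Number
# 14 digits starting 300-305, 36 or 38.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"NPI - HTTP Credit Card, Diners"; flow:to_server,established; content:"Host\:"; pcre:"/\W(diners|diner\'s)(\Wclub)?\W.{0,20}((30[0-5][0-9]{11})|(3[68][0-9]{12}))/ism"; classtype:policy-violation;)
#
# MasterCard Credit Card Number
# 16 digits starting 51-55, plus the 2-series BIN range 2221-2720 that
# MasterCard began issuing in 2017 (previously not matched).
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"NPI - HTTP Credit Card, MC"; flow:to_server,established; content:"Host\:"; pcre:"/\Wm(aster\s)?c(ard)?\W.{0,20}(5[1-5][0-9]{14}|2(22[1-9]|2[3-9][0-9]|[3-6][0-9]{2}|7[01][0-9]|720)[0-9]{12})/ism"; classtype:policy-violation;)
#
# Visa Credit Card Number
# 13- or 16-digit numbers starting with 4 (19-digit Visa PANs are not covered).
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"NPI - HTTP Credit Card, Visa"; flow:to_server,established; content:"Host\:"; content:"visa"; nocase; pcre:"/\Wvisa\W.{0,20}(4[0-9]{12}|4[0-9]{15})/ism"; classtype:policy-violation;)
#
# Social Security Number
# Fix: the area number was limited to 100-699, which already excluded the
# 7xx areas in use and everything issued under randomization.  The SSA
# rules are now encoded instead: area never 000, 666 or 9xx; group never
# 00; serial never 0000.  Separators remain independently optional.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"NPI - HTTP SSN"; flow:to_server,established; content:"Host\:"; pcre:"/\Ws(ocial\s)?s(ecurity\s)?(n(umber)?|#)\W.{0,20}(?!000|666|9)[0-9]{3}[-]?(?!00)[0-9]{2}[-]?(?!0000)[0-9]{4}\W/ism"; classtype:policy-violation;)
#
# The word "password", its typical abbreviations or written/abbreviated in a few forms of "leet"
# Covers password, passwd, pwd, p@ssw0rd, pa55word and similar.  Every login
# form whose field is named "password" will trip this, so it is a volume
# indicator, not an incident by itself.  The BIGipServer exclusion (an F5
# persistence cookie) is inherited from the original author.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"NPI - HTTP Password"; flow:to_server,established; content:"Host\:"; content:!"BIGipServer"; pcre:"/\W[p][a4@]{0,1}[sz5]{0,2}[w]([o0][r])?[d]\W/ism"; classtype:policy-violation;)
#
# The phrase "transaction history"
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"NPI - HTTP Transaction History"; flow:to_server,established; content:"Host\:"; content:"transaction"; nocase; pcre:"/\Wtransaction\shistor(y|ies)\W/ism"; classtype:policy-violation;)
#
# The phrase "customer list"
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"NPI - HTTP Customer List"; flow:to_server,established; content:"Host\:"; content:"customer"; nocase; pcre:"/\Wcustomer\slist(s)?\W/ism"; classtype:policy-violation;)
#
#
##########################################
#
# NPI via High Ports, possibly Passive FTP DATA
#
# Non-US Restricted
alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"NPI - High Ports Non-US 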
Restricted"; flow:to_server,established; content:"X5"; pcre:"/\/\/([A-Z]{3}\s)+RESTRICTED\/\/X5/ism"; classtype:policy-violation;) # # Non-US Confidential alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"NPI - High Ports Non-US Confidential"; flow:to_server,established; content:"X5"; pcre:"/\/\/([A-Z]{3}\s)+CONFIDENTIAL\/\/X5/ism"; classtype:policy-violation;) # # Non-US Top Secret alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"NPI - High Ports Non-US Top Secret"; flow:to_server,established; content:"X5"; pcre:"/\/\/([A-Z]{3}\s)+TOP\sSECRET\/\/X5/ism"; classtype:policy-violation;) # # Non-US Secret alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"NPI - High Ports Non-US Secret"; flow:to_server,established; content:"X5"; pcre:"/\/\/([A-Z]{3}\s)+(? $EXTERNAL_NET 1024: (msg:"NPI - High Ports NATO Restricted"; flow:to_server,established; content:"MR"; pcre:"/\/\/((NATO\sRESTRICTED)|NR)\/\/MR/ism"; classtype:policy-violation;) # # NATO Confidential Atomal alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"NPI - High Ports NATO Confidential Atomal"; flow:to_server,established; content:"MR"; pcre:"/\/\/((NATO\sCONFIDENTIAL\sATOMAL)|NCA)\/\/MR/ism"; classtype:policy-violation;) # # NATO Confidential alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"NPI - High Ports NATO Confidential"; flow:to_server,established; content:"MR"; pcre:"/\/\/((NATO\sCONFIDENTIAL)|NC)\/\/MR/ism"; classtype:policy-violation;) # # NATO COSMIC Top Secret Atomal alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"NPI - High Ports NATO COSMIC Top Secret Atomal"; flow:to_server,established; content:"MR"; pcre:"/\/\/((COSMIC\sTOP\sSECRET\sATOMAL)|CTSA)\/\/MR/ism"; classtype:policy-violation;) # # NATO Secret Atomal alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"NPI - High Ports NATO Secret Atomal"; flow:to_server,established; content:"MR"; pcre:"/\/\/((NATO\sSECRET\sATOMAL)|NSA)\/\/MR/ism"; classtype:policy-violation;) # # NATO Secret alert tcp $HOME_NET 1024: -> 
$EXTERNAL_NET 1024: (msg:"NPI - High Ports NATO Secret"; flow:to_server,established; content:"MR"; pcre:"/\/\/((NATO\sSECRET)|NS)\/\/MR/ism"; classtype:policy-violation;) # # US Confidential, Electronic Format alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"NPI - High Ports US Confidential, Electronic"; flow:to_server,established; content:"QQQQ"; pcre:"/QQQQ\r\n.*(O|P|R|Z)\r\n(CC)\r\n/ism"; classtype:policy-violation;) # # US Top Secret, Electronic Format alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"NPI - High Ports US Top Secret, Electronic"; flow:to_server,established; content:"QQQQ"; pcre:"/QQQQ\r\n.*(O|P|R|Z)\r\n(TT)\r\n/ism"; classtype:policy-violation;) # # US Secret, Electronic Format alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"NPI - High Ports US Secret, Electronic"; flow:to_server,established; content:"QQQQ"; pcre:"/QQQQ\r\n.*(O|P|R|Z)\r\n(SS)\r\n/ism"; classtype:policy-violation;) # # US Confidential Authorized for Release To alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"NPI - High Ports US Confidential REL TO"; flow:to_server,established; content:"REL TO"; pcre:"/(CONFIDENTIAL|C)\/\/.{0,20}REL\sTO\sUSA.{0,20}\/\/(25)?X[1-9]/ism"; classtype:policy-violation;) # # US Top Secret Authorized for Release To alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"NPI - High Ports US Top Secret REL TO"; flow:to_server,established; content:"REL TO"; pcre:"/(TOP\sSECRET|TS)\/\/.{0,20}REL\sTO\sUSA.{0,20}\/\/(25)?X[1-9]/ism"; classtype:policy-violation;) # # US Secret Authorized for Release To alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"NPI - High Ports US Secret REL TO"; flow:to_server,established; content:"REL TO"; pcre:"/(SECRET|S)\/\/.{0,20}REL\sTO\sUSA.{0,20}\/\/(25)?X[1-9]/ism"; classtype:policy-violation;) # # US Confidential Comint alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"NPI - High Ports US Confidential COMINT"; flow:to_server,established; content:"X"; 
pcre:"/(CONFIDENTIAL|C)\/\/.{0,20}(COMINT|SI).{0,20}\/\/(25)?X[1-9]/ism"; classtype:policy-violation;) # # US Top Secret Comint alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"NPI - High Ports US Top Secret COMINT"; flow:to_server,established; content:"X"; pcre:"/(TOP\sSECRET|TS)\/\/.{0,20}(COMINT|SI).{0,20}\/\/(25)?X[1-9]/ism"; classtype:policy-violation;) # # US Secret Comint alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"NPI - High Ports US Secret COMINT"; flow:to_server,established; content:"X"; pcre:"/(? $EXTERNAL_NET 1024: (msg:"NPI - High Ports US Unclassified COMSEC"; flow:to_server,established; content:"COMSEC"; pcre:"/(UNCLASSIFIED|U)\/\/.{0,20}COMSEC.{0,20}\/\/(25)?X[1-9]/ism"; classtype:policy-violation;) # # US Confidential Communications Security Material alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"NPI - High Ports US Confidential COMSEC"; flow:to_server,established; content:"COMSEC"; pcre:"/(CONFIDENTIAL|C)\/\/.{0,20}COMSEC.{0,20}\/\/(25)?X[1-9]/ism"; classtype:policy-violation;) # # US Top Secret Communications Security Material alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"NPI - High Ports US Top Secret COMSEC"; flow:to_server,established; content:"COMSEC"; pcre:"/(TOP\sSECRET|TS)\/\/.{0,20}COMSEC.{0,20}\/\/(25)?X[1-9]/ism"; classtype:policy-violation;) # # US Secret Communications Security Material alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"NPI - High Ports US Secret COMSEC"; flow:to_server,established; content:"COMSEC"; pcre:"/(? 
$EXTERNAL_NET 1024: (msg:"NPI - High Ports US Secret IMCON"; flow:to_server,established; content:"IMC"; pcre:"/(SECRET|S)\/\/.{0,20}IMC.{0,20}\/\/(X1|MR)/ism"; classtype:policy-violation;) # # US Top Secret Critical Nuclear Weapon Design Information alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"NPI - High Ports US Top Secret CNWDI"; flow:to_server,established; content:"MR"; pcre:"/(TOP\sSECRET|TS)\/\/.{0,20}(CRITICAL\sNUCLEAR\sWEAPON\sDESIGN\sINFORMATION|CNWDI).{0,20}\/\/MR/ism"; classtype:policy-violation;) # # US Secret Critical Nuclear Weapon Design Information alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"NPI - High Ports US Secret CNWDI"; flow:to_server,established; content:"MR"; pcre:"/(? $EXTERNAL_NET 1024: (msg:"NPI - High Ports US Top Secret TK"; flow:to_server,established; content:"X"; pcre:"/(TOP\sSECRET|TS)\/\/.{0,20}(TALENT\sKEYHOLE|TK).{0,20}\/\/(25)?X[1-9]/ism"; classtype:policy-violation;) # # US Secret Talent Keyhole alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"NPI - High Ports US Secret TK"; flow:to_server,established; content:"X"; pcre:"/(? 
$EXTERNAL_NET 1024: (msg:"NPI - High Ports US FGI"; flow:to_server,established; content:"FGI"; pcre:"/\/\/FGI.{0,20}\/\/X5/ism"; classtype:policy-violation;) # # US For Official Use Only alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"NPI - High Ports US FOUO"; flow:to_server,established; content:"U"; pcre:"/(UNCLASSIFIED|U)\/\/(FOR\sOFFICIAL\sUSE\sONLY|FOUO)/ism"; classtype:policy-violation;) # # US Confidential Not Releasable to Foreign Nationals alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"NPI - High Ports US Confidential NOFORN"; flow:to_server,established; content:"NOFORN"; pcre:"/(CONFIDENTIAL|C)\/\/.{0,20}NOFORN.{0,20}\/\/(25)?X[1-9]/ism"; classtype:policy-violation;) # # US Top Secret Not Releasable to Foreign Nationals alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"NPI - High Ports US Top Secret NOFORN"; flow:to_server,established; content:"NOFORN"; pcre:"/(TOP\sSECRET|TS)\/\/.{0,20}NOFORN.{0,20}\/\/(25)?X[1-9]/ism"; classtype:policy-violation;) # # US Secret Not Releasable to Foreign Nationals alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"NPI - High Ports US Secret NOFORN"; flow:to_server,established; content:"NOFORN"; pcre:"/(? $EXTERNAL_NET 1024: (msg:"NPI - High Ports US Confidential ORCON"; flow:to_server,established; content:"X"; pcre:"/(CONFIDENTIAL|C)\/\/.{0,20}(ORIGINATOR\sCONTROLLED|ORCON).{0,20}\/\/(25)?X[1-9]/ism"; classtype:policy-violation;) # # US Top Secret Originator Controlled alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"NPI - High Ports US Top Secret ORCON"; flow:to_server,established; content:"X"; pcre:"/(TOP\sSECRET|TS)\/\/.{0,20}(ORIGINATOR\sCONTROLLED|ORCON).{0,20}\/\/(25)?X[1-9]/ism"; classtype:policy-violation;) # # US Secret Originator Controlled alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"NPI - High Ports US Secret ORCON"; flow:to_server,established; content:"X"; pcre:"/(? 
$EXTERNAL_NET 1024: (msg:"NPI - High Ports US Unclassified PROPIN"; flow:to_server,established; content:"PROPIN"; pcre:"/(UNCLASSIFIED|U)\/\/.{0,20}PROPIN.{0,20}\/\/(25)?X[1-9]/ism"; classtype:policy-violation;) # # US Confidential Proprietary Information alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"NPI - High Ports US Confidential PROPIN"; flow:to_server,established; content:"PROPIN"; pcre:"/(CONFIDENTIAL|C)\/\/.{0,20}PROPIN.{0,20}\/\/(25)?X[1-9]/ism"; classtype:policy-violation;) # # US Top Secret Proprietary Information alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"NPI - High Ports US Top Secret PROPIN"; flow:to_server,established; content:"PROPIN"; pcre:"/(TOP\sSECRET|TS)\/\/.{0,20}PROPIN.{0,20}\/\/(25)?X[1-9]/ism"; classtype:policy-violation;) # # US Secret Proprietary Information alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"NPI - High Ports US Secret PROPIN"; flow:to_server,established; content:"PROPIN"; pcre:"/(? $EXTERNAL_NET 1024: (msg:"NPI - High Ports US Confidential RD"; flow:to_server,established; content:"MR"; pcre:"/(CONFIDENTIAL|C)\/\/.{0,20}(RESTRICTED\sDATA|RD).{0,20}\/\/MR/ism"; classtype:policy-violation;) # # US Top Secret Restricted Data alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"NPI - High Ports US Top Secret RD"; flow:to_server,established; content:"MR"; pcre:"/(TOP\sSECRET|TS)\/\/.{0,20}(RESTRICTED\sDATA|RD).{0,20}\/\/MR/ism"; classtype:policy-violation;) # # US Secret Restricted Data alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"NPI - High Ports US Secret RD"; flow:to_server,established; content:"MR"; pcre:"/(? 
$EXTERNAL_NET 1024: (msg:"NPI - High Ports US SAMI"; flow:to_server,established; content:"SAMI"; pcre:"/SAMI.{0,20}\/\/(25)?X[1-9]/ism"; classtype:policy-violation;) # # US Confidential Special Category alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"NPI - High Ports US Confidential SPECAT"; flow:to_server,established; content:"SPECAT"; pcre:"/(CONFIDENTIAL|C)\/\/.{0,20}SPECAT.{0,20}\/\/(25)?X[1-9]/ism"; classtype:policy-violation;) # # US Top Secret Special Category alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"NPI - High Ports US Top Secret SPECAT"; flow:to_server,established; content:"SPECAT"; pcre:"/(TOP\sSECRET|TS)\/\/.{0,20}SPECAT.{0,20}\/\/(25)?X[1-9]/ism"; classtype:policy-violation;) # # US Secret Special Category alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"NPI - High Ports US Secret SPECAT"; flow:to_server,established; content:"SPECAT"; pcre:"/(? $EXTERNAL_NET 1024: (msg:"NPI - High Ports US Top Secret STOP"; flow:to_server,established; content:"STOP"; pcre:"/(TOP\sSECRET|TS)\/\/.{0,20}STOP.{0,20}\/\/(25)?X[1-9]/ism"; classtype:policy-violation;) # # The phrase "law enforcement sensitive" alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"NPI - High Ports Law Enorcement Sensitive"; flow:to_server,established; content:"enforcement"; nocase; pcre:"/\Wlaw\senforcement\ssensitive\W/ism"; classtype:policy-violation;) # # The phrase "internal use only" alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"NPI - High Ports Internal Use Only"; flow:to_server,established; content:"internal"; nocase; pcre:"/\Winternal\suse\sonly\W/ism"; classtype:policy-violation;) # # Date of Birth alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"NPI - High Ports Date of Birth"; flow:to_server,established; content:"D"; nocase; pcre:"/d(ate\s)?(-)?o(f\s)?(-)?b(irth\s)?\W.{0,20}[0-9]{2}[-\\\/]?[0-9]{2}[-\\\/]?[0-9]{2,4}\W/ism"; classtype:policy-violation;) # # Health Care Common Procedure Coding System (HCPCS) Codes alert tcp $HOME_NET 1024: -> 
$EXTERNAL_NET 1024: (msg:"NPI - High Ports HCPCS Code"; flow:to_server,established; content:"hcpcs"; nocase; pcre:"/\Whcpcs\W.{0,20}[a-z][0-9]{10}/ism"; classtype:policy-violation;) # # International Statistical Classification of Diseases and Related Health Problems 10th Revision (ICD-10) Codes alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"NPI - High Ports ICD-10 Code"; flow:to_server,established; content:"icd"; nocase; pcre:"/\Wicd\W.{0,20}[a-z][0-9]{2}\.[0-9]{2}/ism"; classtype:policy-violation;) # # Food and Drug Administration (FDA) National Drug Code (NDC) Codes alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"NPI - High Ports FDA NDC Code"; flow:to_server,established; content:"ndc"; nocase; pcre:"/\Wndc\W.{0,20}([0-9]{4}-[0-9]{4}-[0-9]{2}|[0-9]{5}-[0-9]{3}-[0-9]{2}|[0-9]{5}-[0-9]{4}-[0-9]{1,2})/ism"; classtype:policy-violation;) # # American Dental Association (ADA) Dental Procedure Codes alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"NPI - High Ports ADA Procedure Code"; flow:to_server,established; content:"ada"; nocase; pcre:"/\Wada\W.{0,20}d[0-9]{4}/ism"; classtype:policy-violation;) # # Diagnostic and Statistical Manual of Mental Disorders (DSM-IV) Codes alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"NPI - High Ports DSM-IV Code"; flow:to_server,established; content:"dsm"; nocase; pcre:"/\Wdsm\W.{0,20}([2-9][0-9]{2}\W|v[167][0-9]\.[0-9]{1,2})/ism"; classtype:policy-violation;) # # American Medical Association (AMA) Current Procedural Terminology (CPT) Codes alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"NPI - High Ports AMA CPT Code"; flow:to_server,established; content:"cpt"; nocase; pcre:"/\Wcpt\W.{0,20}([0-9]{4}[ft]|[0-9]{5})/ism"; classtype:policy-violation;) # # American Express Credit Card Number alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"NPI - High Ports Credit Card, AmEx"; flow:to_server,established; content:"ex"; nocase; pcre:"/\Wam(erican\s)?ex(press)?\W.{0,20}3[47][0-9]{13}/ism"; 
classtype:policy-violation;) # # Japan Credit Bureau Credit Card Number alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"NPI - High Ports Credit Card, JCB"; flow:to_server,established; content:"j"; nocase; pcre:"/\Wj(apan\s)?c(redit\s)?b(ureau)?\W.{0,20}((3[12359][0-9]{14})|((1800|2131)[0-9]{11}))/ism"; classtype:policy-violation;) # # BankCard Credit Card Number alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"NPI - High Ports Credit Card, BankCard"; flow:to_server,established; content:"c"; nocase; pcre:"/\Wb(ank)?c(ard)?\W.{0,20}56[01][0-9]{13}/ism"; classtype:policy-violation;) # # Diners Club and (Old) Carte Blanche Credit Card Number alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"NPI - High Ports Credit Card, Diners"; flow:to_server,established; content:"dine"; nocase; pcre:"/\W(diners|diner\'s)(\Wclub)?\W.{0,20}((30[0-5][0-9]{11})|(3[68][0-9]{12}))/ism"; classtype:policy-violation;) # # MasterCard Credit Card Number alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"NPI - High Ports Credit Card, MC"; flow:to_server,established; content:"m"; nocase; pcre:"/\Wm(aster\s)?c(ard)?\W.{0,20}5[1-5][0-9]{14}/ism"; classtype:policy-violation;) # # Visa Credit Card Number alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"NPI - High Ports Credit Card, Visa"; flow:to_server,established; content:"visa"; nocase; pcre:"/\Wvisa\W.{0,20}(4[0-9]{12}|4[0-9]{15})/ism"; classtype:policy-violation;) # # Social Security Number alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"NPI - High Ports SSN"; flow:to_server,established; content:"s"; nocase; pcre:"/\Ws(ocial\s)?s(ecurity\s)?(n(umber)?|#)\W.{0,20}[1-6][0-9]{2}[-]?[0-9]{2}[-]?[0-9]{4}/ism"; classtype:policy-violation;) # # The word "password", its typical abbreviations or written/abbreviated in a few forms of "leet" alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"NPI - High Ports Password"; flow:to_server,established; content:"p"; nocase; 
pcre:"/\W[p][a4@]{0,1}[sz5]{0,2}[w]([o0][r])?[d]\W/ism"; classtype:policy-violation;) # # The phrase "transaction history" alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"NPI - High Ports Transaction History"; flow:to_server,established; content:"transaction"; nocase; pcre:"/\Wtransaction\shistor(y|ies)\W/ism"; classtype:policy-violation;) # # The phrase "customer list" alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"NPI - High Ports Customer List"; flow:to_server,established; content:"customer"; nocase; pcre:"/\Wcustomer\slist(s)?\W/ism"; classtype:policy-violation;) #