File: test.suricata.html

<!DOCTYPE html>
<html><head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8"/>
<title>test.suricata</title>
<meta name="generator" content="KF5::SyntaxHighlighting - Definition (Snort/Suricata) - Theme (Breeze Light)"/>
</head><body style="background-color:#ffffff;color:#1f1c1b"><pre>
<span style="color:#898887"># Suricata Samples</span>
<span style="color:#898887"># See: https://suricata.readthedocs.io/en/latest/rules/intro.html</span>
<span style="color:#898887"># NOTE(review): these lines are syntax-highlighting fixtures, not a loadable ruleset.</span>
<span style="color:#898887"># Several samples use typographic quotes (” instead of ") and two of them reuse sid:1;</span>
<span style="color:#898887"># a real Suricata/Snort rule loader would most likely reject both. Keep the text as-is</span>
<span style="color:#898887"># so the highlighter reference output stays stable.</span>

<span style="color:#898887"># "drop" only discards traffic when Suricata runs inline (IPS); in passive IDS mode</span>
<span style="color:#898887"># the rule can only alert (see the linked docs). It also depends on the flowbit</span>
<span style="color:#898887"># "is_proto_irc" being set by another rule that is not part of this file; the</span>
<span style="color:#898887"># content:"NICK " match gates the more expensive pcre.</span>
<span style="font-weight:bold">drop</span> <span style="font-weight:bold">tcp</span> <span style="font-weight:bold">$HOME_NET</span> <span style="font-weight:bold">any</span> -> <span style="font-weight:bold">$EXTERNAL_NET</span> <span style="font-weight:bold">any</span> (<span style="font-weight:bold">msg</span>:<span style="color:#bf0303">”ET TROJAN Likely Bot Nick in IRC (USA +..)”</span>; <span style="font-weight:bold">flow</span>:established,to_server; <span style="font-weight:bold">flowbits</span>:isset,is_proto_irc; <span style="font-weight:bold">content</span>:<span style="color:#bf0303">”NICK ”</span>; <span style="font-weight:bold">pcre</span>:<span style="color:#bf0303">”/NICK .*USA.*[0-9]{3,}/i”</span>; <span style="font-weight:bold">reference</span>:url,doc.emergingthreats.net/<span style="color:#b08000">2008124</span>; <span style="font-weight:bold">classtype</span>:trojan-activity; <span style="font-weight:bold">sid</span>:<span style="color:#b08000">2008124</span>; <span style="font-weight:bold">rev</span>:<span style="color:#b08000">2</span>;)

<span style="color:#898887"># Header-only sample (no option block, so no msg or sid): shows the seven header</span>
<span style="color:#898887"># fields "action proto src_ip src_port -> dst_ip dst_port".</span>
<span style="font-weight:bold">alert</span> <span style="font-weight:bold">tcp</span> <span style="color:#b08000">1</span>.<span style="color:#b08000">2</span>.<span style="color:#b08000">3</span>.<span style="color:#b08000">4</span> <span style="color:#b08000">1024</span> -> <span style="color:#b08000">5</span>.<span style="color:#b08000">6</span>.<span style="color:#b08000">7</span>.<span style="color:#b08000">8</span> <span style="color:#b08000">80</span>

<span style="color:#898887"># Modifier form: "http_uri" after the content keyword restricts that match to the</span>
<span style="color:#898887"># HTTP request URI buffer. Scope is any/any in both directions.</span>
<span style="font-weight:bold">alert</span> <span style="font-weight:bold">http</span> <span style="font-weight:bold">any</span> <span style="font-weight:bold">any</span> -> <span style="font-weight:bold">any</span> <span style="font-weight:bold">any</span> (<span style="font-weight:bold">content</span>:<span style="color:#bf0303">"index.php"</span>; <span style="font-weight:bold">http_uri</span>; <span style="font-weight:bold">sid</span>:<span style="color:#b08000">1</span>;)

<span style="color:#898887"># Sticky-buffer form: http_response_line comes before content, so the match runs on</span>
<span style="color:#898887"># the HTTP status line (here a 403 response). sid:1 duplicates the previous sample.</span>
<span style="font-weight:bold">alert</span> <span style="font-weight:bold">http</span> <span style="font-weight:bold">any</span> <span style="font-weight:bold">any</span> -> <span style="font-weight:bold">any</span> <span style="font-weight:bold">any</span> (http_response_line; <span style="font-weight:bold">content</span>:<span style="color:#bf0303">"403 Forbidden"</span>; <span style="font-weight:bold">sid</span>:<span style="color:#b08000">1</span>;)

<span style="color:#898887"># Retired signature ("GPL DELETED" in msg): matches a bare SYN — the ",12" in</span>
<span style="color:#898887"># flags:S,12 masks out the two reserved/ECN flag bits — carrying the fixed window</span>
<span style="color:#898887"># size 55808 the rule associates with the typot trojan. Kept only as a sample of the</span>
<span style="color:#898887"># flow:stateless, flags and window keywords; do not deploy as-is.</span>
<span style="font-weight:bold">alert</span> <span style="font-weight:bold">tcp</span> <span style="font-weight:bold">$EXTERNAL_NET</span> <span style="font-weight:bold">any</span> -> <span style="font-weight:bold">$HOME_NET</span> <span style="font-weight:bold">any</span> (<span style="font-weight:bold">msg</span>:<span style="color:#bf0303">”GPL DELETED typot trojan traffic”</span>; <span style="font-weight:bold">flow</span>:stateless; <span style="font-weight:bold">flags</span>:S,<span style="color:#b08000">12</span>; <span style="font-weight:bold">window</span>:<span style="color:#b08000">55808</span>; <span style="font-weight:bold">reference</span>:mcafee,<span style="color:#b08000">100406</span>; <span style="font-weight:bold">classtype</span>:trojan-activity; <span style="font-weight:bold">sid</span>:<span style="color:#b08000">2182</span>; <span style="font-weight:bold">rev</span>:<span style="color:#b08000">8</span>;)

<span style="color:#898887"># Inspects the raw TCP header (tcp.hdr): offset:20 skips the fixed 20-byte header, so</span>
<span style="color:#898887"># |02 04| matches a TCP option of kind 2 (MSS) with length 4; byte_test then reads the</span>
<span style="color:#898887"># 2-byte big-endian MSS value that follows (relative to that match) and fires when it</span>
<span style="color:#898887"># is below 536. No msg, so an alert would carry only sid:1234.</span>
<span style="font-weight:bold">alert</span> <span style="font-weight:bold">tcp</span> <span style="font-weight:bold">$EXTERNAL_NET</span> <span style="font-weight:bold">any</span> -> <span style="font-weight:bold">$HOME_NET</span> <span style="font-weight:bold">any</span> (<span style="font-weight:bold">flags</span>:S,<span style="color:#b08000">12</span>; <span style="font-weight:bold">tcp</span>.hdr; <span style="font-weight:bold">content</span>:<span style="color:#bf0303">”|02 04|”</span>; <span style="font-weight:bold">offset</span>:<span style="color:#b08000">20</span>; <span style="font-weight:bold">byte_test</span>:<span style="color:#b08000">2</span>,&lt;,<span style="color:#b08000">536</span>,<span style="color:#b08000">0</span>,big,relative; <span style="font-weight:bold">sid</span>:<span style="color:#b08000">1234</span>; <span style="font-weight:bold">rev</span>:<span style="color:#b08000">5</span>;)

<span style="color:#898887"># Snort Samples</span>

<span style="color:#898887"># Classic Snort manual example: port 111 is the portmapper/sunrpc port and</span>
<span style="color:#898887"># |00 01 86 a5| is RPC program number 100005 (mountd) as big-endian hex. Note the</span>
<span style="color:#898887"># option order (content before msg), the space after "msg:", and the absent sid/rev.</span>
<span style="font-weight:bold">alert</span> <span style="font-weight:bold">tcp</span> <span style="font-weight:bold">any</span> <span style="font-weight:bold">any</span> -> <span style="color:#b08000">192</span>.<span style="color:#b08000">168</span>.<span style="color:#b08000">1</span>.<span style="color:#b08000">0</span>/<span style="color:#b08000">24</span> <span style="color:#b08000">111</span> (<span style="font-weight:bold">content</span>:<span style="color:#bf0303">"|00 01 86 a5|"</span>; <span style="font-weight:bold">msg</span>: <span style="color:#bf0303">"mountd access"</span>;)
</pre></body></html>