File: test.suricata.ref

kf6-syntax-highlighting 6.18.0-1
<Comment># Suricata Samples</Comment><br/>
<Comment># See: https://suricata.readthedocs.io/en/latest/rules/intro.html</Comment><br/>
<Normal Text></Normal Text><br/>
<Action>drop</Action><Normal Text> </Normal Text><Header Keyword>tcp</Header Keyword><Normal Text> </Normal Text><Header Keyword>$HOME_NET</Header Keyword><Normal Text> </Normal Text><Header Keyword>any</Header Keyword><Normal Text> -> </Normal Text><Header Keyword>$EXTERNAL_NET</Header Keyword><Normal Text> </Normal Text><Header Keyword>any</Header Keyword><Normal Text> (</Normal Text><Options Keyword>msg</Options Keyword><Normal Text>:</Normal Text><String>”ET TROJAN Likely Bot Nick in IRC (USA +..)”</String><Normal Text>; </Normal Text><Options Keyword>flow</Options Keyword><Normal Text>:established,to_server; </Normal Text><Options Keyword>flowbits</Options Keyword><Normal Text>:isset,is_proto_irc; </Normal Text><Options Keyword>content</Options Keyword><Normal Text>:</Normal Text><String>”NICK ”</String><Normal Text>; </Normal Text><Options Keyword>pcre</Options Keyword><Normal Text>:</Normal Text><String>”/NICK .*USA.*[0-9]{3,}/i”</String><Normal Text>; </Normal Text><Options Keyword>reference</Options Keyword><Normal Text>:url,doc.emergingthreats.net/</Normal Text><Decimal>2008124</Decimal><Normal Text>; </Normal Text><Options Keyword>classtype</Options Keyword><Normal Text>:trojan-activity; </Normal Text><Options Keyword>sid</Options Keyword><Normal Text>:</Normal Text><Decimal>2008124</Decimal><Normal Text>; </Normal Text><Options Keyword>rev</Options Keyword><Normal Text>:</Normal Text><Decimal>2</Decimal><Normal Text>;)</Normal Text><br/>
<Normal Text></Normal Text><br/>
<Action>alert</Action><Normal Text> </Normal Text><Header Keyword>tcp</Header Keyword><Normal Text> </Normal Text><Decimal>1</Decimal><Normal Text>.</Normal Text><Decimal>2</Decimal><Normal Text>.</Normal Text><Decimal>3</Decimal><Normal Text>.</Normal Text><Decimal>4</Decimal><Normal Text> </Normal Text><Decimal>1024</Decimal><Normal Text> -> </Normal Text><Decimal>5</Decimal><Normal Text>.</Normal Text><Decimal>6</Decimal><Normal Text>.</Normal Text><Decimal>7</Decimal><Normal Text>.</Normal Text><Decimal>8</Decimal><Normal Text> </Normal Text><Decimal>80</Decimal><br/>
<Normal Text></Normal Text><br/>
<Action>alert</Action><Normal Text> </Normal Text><Header Keyword>http</Header Keyword><Normal Text> </Normal Text><Header Keyword>any</Header Keyword><Normal Text> </Normal Text><Header Keyword>any</Header Keyword><Normal Text> -> </Normal Text><Header Keyword>any</Header Keyword><Normal Text> </Normal Text><Header Keyword>any</Header Keyword><Normal Text> (</Normal Text><Options Keyword>content</Options Keyword><Normal Text>:</Normal Text><String>"index.php"</String><Normal Text>; </Normal Text><Options Keyword>http_uri</Options Keyword><Normal Text>; </Normal Text><Options Keyword>sid</Options Keyword><Normal Text>:</Normal Text><Decimal>1</Decimal><Normal Text>;)</Normal Text><br/>
<Normal Text></Normal Text><br/>
<Action>alert</Action><Normal Text> </Normal Text><Header Keyword>http</Header Keyword><Normal Text> </Normal Text><Header Keyword>any</Header Keyword><Normal Text> </Normal Text><Header Keyword>any</Header Keyword><Normal Text> -> </Normal Text><Header Keyword>any</Header Keyword><Normal Text> </Normal Text><Header Keyword>any</Header Keyword><Normal Text> (http_response_line; </Normal Text><Options Keyword>content</Options Keyword><Normal Text>:</Normal Text><String>"403 Forbidden"</String><Normal Text>; </Normal Text><Options Keyword>sid</Options Keyword><Normal Text>:</Normal Text><Decimal>1</Decimal><Normal Text>;)</Normal Text><br/>
<Normal Text></Normal Text><br/>
<Action>alert</Action><Normal Text> </Normal Text><Header Keyword>tcp</Header Keyword><Normal Text> </Normal Text><Header Keyword>$EXTERNAL_NET</Header Keyword><Normal Text> </Normal Text><Header Keyword>any</Header Keyword><Normal Text> -> </Normal Text><Header Keyword>$HOME_NET</Header Keyword><Normal Text> </Normal Text><Header Keyword>any</Header Keyword><Normal Text> (</Normal Text><Options Keyword>msg</Options Keyword><Normal Text>:</Normal Text><String>”GPL DELETED typot trojan traffic”</String><Normal Text>; </Normal Text><Options Keyword>flow</Options Keyword><Normal Text>:stateless; </Normal Text><Options Keyword>flags</Options Keyword><Normal Text>:S,</Normal Text><Decimal>12</Decimal><Normal Text>; </Normal Text><Options Keyword>window</Options Keyword><Normal Text>:</Normal Text><Decimal>55808</Decimal><Normal Text>; </Normal Text><Options Keyword>reference</Options Keyword><Normal Text>:mcafee,</Normal Text><Decimal>100406</Decimal><Normal Text>; </Normal Text><Options Keyword>classtype</Options Keyword><Normal Text>:trojan-activity; </Normal Text><Options Keyword>sid</Options Keyword><Normal Text>:</Normal Text><Decimal>2182</Decimal><Normal Text>; </Normal Text><Options Keyword>rev</Options Keyword><Normal Text>:</Normal Text><Decimal>8</Decimal><Normal Text>;)</Normal Text><br/>
<Normal Text></Normal Text><br/>
<Action>alert</Action><Normal Text> </Normal Text><Header Keyword>tcp</Header Keyword><Normal Text> </Normal Text><Header Keyword>$EXTERNAL_NET</Header Keyword><Normal Text> </Normal Text><Header Keyword>any</Header Keyword><Normal Text> -> </Normal Text><Header Keyword>$HOME_NET</Header Keyword><Normal Text> </Normal Text><Header Keyword>any</Header Keyword><Normal Text> (</Normal Text><Options Keyword>flags</Options Keyword><Normal Text>:S,</Normal Text><Decimal>12</Decimal><Normal Text>; </Normal Text><Header Keyword>tcp</Header Keyword><Normal Text>.hdr; </Normal Text><Options Keyword>content</Options Keyword><Normal Text>:</Normal Text><String>”|02 04|”</String><Normal Text>; </Normal Text><Options Keyword>offset</Options Keyword><Normal Text>:</Normal Text><Decimal>20</Decimal><Normal Text>; </Normal Text><Options Keyword>byte_test</Options Keyword><Normal Text>:</Normal Text><Decimal>2</Decimal><Normal Text>,<,</Normal Text><Decimal>536</Decimal><Normal Text>,</Normal Text><Decimal>0</Decimal><Normal Text>,big,relative; </Normal Text><Options Keyword>sid</Options Keyword><Normal Text>:</Normal Text><Decimal>1234</Decimal><Normal Text>; </Normal Text><Options Keyword>rev</Options Keyword><Normal Text>:</Normal Text><Decimal>5</Decimal><Normal Text>;)</Normal Text><br/>
<Normal Text></Normal Text><br/>
<Comment># Snort Samples</Comment><br/>
<Normal Text></Normal Text><br/>
<Action>alert</Action><Normal Text> </Normal Text><Header Keyword>tcp</Header Keyword><Normal Text> </Normal Text><Header Keyword>any</Header Keyword><Normal Text> </Normal Text><Header Keyword>any</Header Keyword><Normal Text> -> </Normal Text><Decimal>192</Decimal><Normal Text>.</Normal Text><Decimal>168</Decimal><Normal Text>.</Normal Text><Decimal>1</Decimal><Normal Text>.</Normal Text><Decimal>0</Decimal><Normal Text>/</Normal Text><Decimal>24</Decimal><Normal Text> </Normal Text><Decimal>111</Decimal><Normal Text> (</Normal Text><Options Keyword>content</Options Keyword><Normal Text>:</Normal Text><String>"|00 01 86 a5|"</String><Normal Text>; </Normal Text><Options Keyword>msg</Options Keyword><Normal Text>: </Normal Text><String>"mountd access"</String><Normal Text>;)</Normal Text><br/>