https://wiki.ixheim.de/index.php?action=history&feed=atom&title=Vorlage%3ASuricata-rules
Vorlage:Suricata-rules - Versionsgeschichte
2026-05-14T17:06:32Z
Versionsgeschichte dieser Seite in Xinux Wiki
MediaWiki 1.35.1
https://wiki.ixheim.de/index.php?title=Vorlage:Suricata-rules&diff=69264&oldid=prev
Thomas.will am 30. April 2026 um 10:45 Uhr
2026-04-30T10:45:21Z
<p></p>
<table class="diff diff-contentalign-left diff-editfont-monospace" data-mw="interface">
<col class="diff-marker" />
<col class="diff-content" />
<col class="diff-marker" />
<col class="diff-content" />
<tr class="diff-title" lang="de">
<td colspan="2" style="background-color: #fff; color: #202122; text-align: center;">← Nächstältere Version</td>
<td colspan="2" style="background-color: #fff; color: #202122; text-align: center;">Version vom 30. April 2026, 10:45 Uhr</td>
</tr><tr><td colspan="2" class="diff-lineno" id="mw-diff-left-l23" >Zeile 23:</td>
<td colspan="2" class="diff-lineno">Zeile 23:</td></tr>
<tr><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div># Test: nmap -sS -p1-100 10.88.2XX.21</div></td><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div># Test: nmap -sS -p1-100 10.88.2XX.21</div></td></tr>
<tr><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>drop tcp any any -> any any (msg:"OWN SCAN TCP SYN sweep"; flow:stateless,to_server; flags:S; detection_filter:track by_src,count 20,seconds 5; classtype:attempted-recon; sid:9000060; rev:1;)</div></td><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>drop tcp any any -> any any (msg:"OWN SCAN TCP SYN sweep"; flow:stateless,to_server; flags:S; detection_filter:track by_src,count 20,seconds 5; classtype:attempted-recon; sid:9000060; rev:1;)</div></td></tr>
<tr><td colspan="2"> </td><td class='diff-marker'>+</td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div><ins style="font-weight: bold; text-decoration: none;"></ins></div></td></tr>
<tr><td colspan="2"> </td><td class='diff-marker'>+</td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div><ins style="font-weight: bold; text-decoration: none;"># Scan: TCP NULL-Scan (keine Flags gesetzt)</ins></div></td></tr>
<tr><td colspan="2"> </td><td class='diff-marker'>+</td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div><ins style="font-weight: bold; text-decoration: none;"># Test: nmap -sN -p1-100 10.88.2XX.21</ins></div></td></tr>
<tr><td colspan="2"> </td><td class='diff-marker'>+</td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div><ins style="font-weight: bold; text-decoration: none;">drop tcp any any -> any any (msg:"OWN SCAN TCP NULL scan"; flow:stateless,to_server; flags:0; detection_filter:track by_src,count 5,seconds 10; classtype:attempted-recon; sid:9000061; rev:1;)</ins></div></td></tr>
<tr><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"></td><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"></td></tr>
<tr><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div># Scan: UDP-Sweep mit leerer Payload</div></td><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div># Scan: UDP-Sweep mit leerer Payload</div></td></tr>
<tr><td colspan="2" class="diff-lineno" id="mw-diff-left-l33" >Zeile 33:</td>
<td colspan="2" class="diff-lineno">Zeile 37:</td></tr>
<tr><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"></td><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"></td></tr>
<tr><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div># Brute Force SSH</div></td><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div># Brute Force SSH</div></td></tr>
<tr><td class='diff-marker'>−</td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div># Test: hydra -l <del class="diffchange diffchange-inline">root </del>-P <del class="diffchange diffchange-inline">/usr/share/wordlists/rockyou.txt </del>ssh://10.88.2XX.21</div></td><td class='diff-marker'>+</td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div># Test: hydra -l <ins class="diffchange diffchange-inline">kit </ins>-P <ins class="diffchange diffchange-inline">bad-passwords </ins>ssh://10.88.2XX.21</div></td></tr>
<tr><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>drop tcp any any -> any 22 (msg:"OWN SSH Brute Force"; flow:to_server,stateless; flags:S; detection_filter:track by_src,count 10,seconds 60; classtype:attempted-recon; sid:9000066; rev:1;)</div></td><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>drop tcp any any -> any 22 (msg:"OWN SSH Brute Force"; flow:to_server,stateless; flags:S; detection_filter:track by_src,count 10,seconds 60; classtype:attempted-recon; sid:9000066; rev:1;)</div></td></tr>
<tr><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"></td><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"></td></tr>
<!-- diff cache key my_wiki:diff::1.12:old-69258:rev-69264 -->
</table>
Thomas.will
https://wiki.ixheim.de/index.php?title=Vorlage:Suricata-rules&diff=69258&oldid=prev
Thomas.will am 30. April 2026 um 10:38 Uhr
2026-04-30T10:38:22Z
<p></p>
<table class="diff diff-contentalign-left diff-editfont-monospace" data-mw="interface">
<col class="diff-marker" />
<col class="diff-content" />
<col class="diff-marker" />
<col class="diff-content" />
<tr class="diff-title" lang="de">
<td colspan="2" style="background-color: #fff; color: #202122; text-align: center;">← Nächstältere Version</td>
<td colspan="2" style="background-color: #fff; color: #202122; text-align: center;">Version vom 30. April 2026, 10:38 Uhr</td>
</tr><tr><td colspan="2" class="diff-lineno" id="mw-diff-left-l1" >Zeile 1:</td>
<td colspan="2" class="diff-lineno">Zeile 1:</td></tr>
<tr><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div><pre></div></td><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div><pre></div></td></tr>
<tr><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div># ICMP: einfacher Ping/Traceroute (schneller Funktionstest)</div></td><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div># ICMP: einfacher Ping/Traceroute (schneller Funktionstest)</div></td></tr>
<tr><td class='diff-marker'>−</td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div># Test: ping -<del class="diffchange diffchange-inline">c1 <ZIEL></del></div></td><td class='diff-marker'>+</td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div># Test: ping -<ins class="diffchange diffchange-inline">c 1 1.1.1.1</ins></div></td></tr>
<tr><td class='diff-marker'>−</td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>alert icmp any any -> any any (msg:"ICMP Test"; classtype:misc-activity; sid:<del class="diffchange diffchange-inline">41</del>;)</div></td><td class='diff-marker'>+</td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>alert icmp any any -> any any (msg:"ICMP Test"; classtype:misc-activity; sid:<ins class="diffchange diffchange-inline">9000041</ins>;)</div></td></tr>
<tr><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"></td><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"></td></tr>
<tr><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div># HTTP: mögliches Command-Injection-Merkmal (Semikolon) in POST-Body</div></td><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div># HTTP: mögliches Command-Injection-Merkmal (Semikolon) in POST-Body</div></td></tr>
<tr><td class='diff-marker'>−</td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div># Test: curl -X POST http://<del class="diffchange diffchange-inline"><ZIEL></del>/ -d "<del class="diffchange diffchange-inline">q</del>=<del class="diffchange diffchange-inline">test%3Bls</del>"</div></td><td class='diff-marker'>+</td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div># Test: curl -X POST http://<ins class="diffchange diffchange-inline">www.it2XX.int</ins>/<ins class="diffchange diffchange-inline">host.php --data-urlencode "fqdn=example.com;ls" </ins>-d "<ins class="diffchange diffchange-inline">submit</ins>=<ins class="diffchange diffchange-inline">Auflösen</ins>"</div></td></tr>
<tr><td class='diff-marker'>−</td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>alert http any any -> any any (msg:"Command Injection - Semicolon in POST DATA"; classtype:web-application-attack; flow:established; content:"%3B"; nocase; http_client_body; sid:<del class="diffchange diffchange-inline">2</del>;)</div></td><td class='diff-marker'>+</td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>alert http any any -> any any (msg:"Command Injection - Semicolon in POST DATA"; classtype:web-application-attack; flow:established; content:"%3B"; nocase; http_client_body; sid:<ins class="diffchange diffchange-inline">9000002</ins>;)</div></td></tr>
<tr><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"></td><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"></td></tr>
<tr><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div># HTTP: mögliches SQLi-Merkmal (einfaches Hochkomma) in POST-Body</div></td><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div># HTTP: mögliches SQLi-Merkmal (einfaches Hochkomma) in POST-Body</div></td></tr>
<tr><td class='diff-marker'>−</td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div># Test: curl -X POST http://<del class="diffchange diffchange-inline"><ZIEL></del>/<del class="diffchange diffchange-inline">login </del>-<del class="diffchange diffchange-inline">d </del>"<del class="diffchange diffchange-inline">u</del>=<del class="diffchange diffchange-inline">a&p</del>='<del class="diffchange diffchange-inline">%20OR%201=</del>1"</div></td><td class='diff-marker'>+</td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div># Test: curl -X POST http://<ins class="diffchange diffchange-inline">www.it2XX.int</ins>/<ins class="diffchange diffchange-inline">sql-classic.php -</ins>-<ins class="diffchange diffchange-inline">data-urlencode </ins>"<ins class="diffchange diffchange-inline">username</ins>=<ins class="diffchange diffchange-inline">' OR '1'</ins>='1<ins class="diffchange diffchange-inline">' --</ins>"</div></td></tr>
<tr><td class='diff-marker'>−</td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>alert http any any -> any any (msg:"Possible SQL Injection (singlequote in POST)"; classtype:web-application-attack; flow:established,to_server; content:"%27"; nocase; http_client_body; sid:<del class="diffchange diffchange-inline">3</del>;)</div></td><td class='diff-marker'>+</td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>alert http any any -> any any (msg:"Possible SQL Injection (singlequote in POST)"; classtype:web-application-attack; flow:established,to_server; content:"%27"; nocase; http_client_body; sid:<ins class="diffchange diffchange-inline">9000003</ins>;)</div></td></tr>
<tr><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"></td><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"></td></tr>
<tr><td class='diff-marker'>−</td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div># DNS: Policy <del class="diffchange diffchange-inline">– </del>verbietet "google" in DNS-Queries</div></td><td class='diff-marker'>+</td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div># DNS: Policy <ins class="diffchange diffchange-inline">- </ins>verbietet "google" in DNS-Queries</div></td></tr>
<tr><td class='diff-marker'>−</td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div># Test: <del class="diffchange diffchange-inline">dig </del>google.<del class="diffchange diffchange-inline">com @<FW></del></div></td><td class='diff-marker'>+</td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div># Test: <ins class="diffchange diffchange-inline">host </ins>google.<ins class="diffchange diffchange-inline">de</ins></div></td></tr>
<tr><td class='diff-marker'>−</td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>drop dns any any -> any any (msg:"Kein Googlen"; dns.query; content:"google"; nocase; classtype:policy-violation; sid:<del class="diffchange diffchange-inline">43</del>;)</div></td><td class='diff-marker'>+</td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>drop dns any any -> any any (msg:"Kein Googlen"; dns.query; content:"google"; nocase; classtype:policy-violation; sid:<ins class="diffchange diffchange-inline">9000043</ins>;)</div></td></tr>
<tr><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"></td><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"></td></tr>
<tr><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div># DoS: viele identische kurze HTTP-GETs (LOIC-ähnlich)</div></td><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div># DoS: viele identische kurze HTTP-GETs (LOIC-ähnlich)</div></td></tr>
<tr><td class='diff-marker'>−</td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div># Test: ab -n 1000 -c 500 http://<del class="diffchange diffchange-inline"><ZIEL></del>/</div></td><td class='diff-marker'>+</td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div># Test: ab -n 1000 -c 500 http://<ins class="diffchange diffchange-inline">www.it2XX.int</ins>/</div></td></tr>
<tr><td class='diff-marker'>−</td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>drop tcp any any -> any any (msg:"ET DOS Terse HTTP GET Likely LOIC"; flow:to_server,established; dsize:18; content:"GET / HTTP/1.1|0d 0a 0d 0a|"; depth:18; threshold:type both,track by_dst,count 500,seconds 60; classtype:own-dos; sid:<del class="diffchange diffchange-inline">54</del>; rev:2<del class="diffchange diffchange-inline">; metadata:created_at 2014_10_03, confidence Medium, signature_severity Major, updated_at 2019_07_26</del>;)</div></td><td class='diff-marker'>+</td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>drop tcp any any -> any any (msg:"ET DOS Terse HTTP GET Likely LOIC"; flow:to_server,established; dsize:18; content:"GET / HTTP/1.1|0d 0a 0d 0a|"; depth:18; threshold:type both,track by_dst,count 500,seconds 60; classtype:own-dos; sid:<ins class="diffchange diffchange-inline">9000054</ins>; rev:2;)</div></td></tr>
<tr><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"></td><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"></td></tr>
<tr><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div># Scan: TCP SYN-Sweep (viele SYN in kurzer Zeit)</div></td><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div># Scan: TCP SYN-Sweep (viele SYN in kurzer Zeit)</div></td></tr>
<tr><td class='diff-marker'>−</td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div># Test: nmap -sS -p1-100 <del class="diffchange diffchange-inline"><ZIEL></del></div></td><td class='diff-marker'>+</td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div># Test: nmap -sS -p1-100 <ins class="diffchange diffchange-inline">10.88.2XX.21</ins></div></td></tr>
<tr><td class='diff-marker'>−</td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>drop tcp <del class="diffchange diffchange-inline">$EXTERNAL_NET </del>any -> <del class="diffchange diffchange-inline">$HOME_NET </del>any (msg:"OWN SCAN TCP SYN sweep"; flow:stateless,to_server; flags:S; detection_filter:track by_src,count 20,seconds 5; classtype:attempted-recon; sid:<del class="diffchange diffchange-inline">60</del>; rev:1;)</div></td><td class='diff-marker'>+</td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>drop tcp <ins class="diffchange diffchange-inline">any </ins>any -> <ins class="diffchange diffchange-inline">any </ins>any (msg:"OWN SCAN TCP SYN sweep"; flow:stateless,to_server; flags:S; detection_filter:track by_src,count 20,seconds 5; classtype:attempted-recon; sid:<ins class="diffchange diffchange-inline">9000060</ins>; rev:1;)</div></td></tr>
<tr><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"></td><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"></td></tr>
<tr><td class='diff-marker'>−</td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div># Scan: <del class="diffchange diffchange-inline">TCP NULL</del>-<del class="diffchange diffchange-inline">Scan (keine Flags gesetzt)</del></div></td><td class='diff-marker'>+</td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div># Scan: <ins class="diffchange diffchange-inline">UDP</ins>-<ins class="diffchange diffchange-inline">Sweep mit leerer Payload</ins></div></td></tr>
<tr><td class='diff-marker'>−</td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div># Test: nmap -<del class="diffchange diffchange-inline">sN </del>-<del class="diffchange diffchange-inline">p1</del>-<del class="diffchange diffchange-inline">100 <ZIEL></del></div></td><td class='diff-marker'>+</td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div># Test: nmap -<ins class="diffchange diffchange-inline">sU </ins>--<ins class="diffchange diffchange-inline">min-rate=1000 10.88.2XX.21</ins></div></td></tr>
<tr><td class='diff-marker'>−</td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>drop <del class="diffchange diffchange-inline">tcp $EXTERNAL_NET </del>any -> <del class="diffchange diffchange-inline">$HOME_NET </del>any (msg:"OWN SCAN <del class="diffchange diffchange-inline">TCP NULL scan</del>"; flow:<del class="diffchange diffchange-inline">stateless,</del>to_server; <del class="diffchange diffchange-inline">flags</del>:0; detection_filter:track by_src,count <del class="diffchange diffchange-inline">5</del>,seconds 10; classtype:attempted-recon; sid:<del class="diffchange diffchange-inline">61</del>; rev:1;)</div></td><td class='diff-marker'>+</td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>drop <ins class="diffchange diffchange-inline">udp any </ins>any -> <ins class="diffchange diffchange-inline">any </ins>any (msg:"OWN SCAN <ins class="diffchange diffchange-inline">UDP sweep (empty probes)</ins>"; flow:to_server; <ins class="diffchange diffchange-inline">dsize</ins>:0; detection_filter:track by_src,count <ins class="diffchange diffchange-inline">15</ins>,seconds 10; classtype:attempted-recon; sid:<ins class="diffchange diffchange-inline">9000064</ins>; rev:1;)</div></td></tr>
<tr><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"></td><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"></td></tr>
<tr><td class='diff-marker'>−</td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div># Scan: <del class="diffchange diffchange-inline">TCP FIN</del>-<del class="diffchange diffchange-inline">Scan </del>(<del class="diffchange diffchange-inline">nur FIN</del>)</div></td><td class='diff-marker'>+</td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div># Scan: <ins class="diffchange diffchange-inline">ICMP Ping</ins>-<ins class="diffchange diffchange-inline">Sweep </ins>(<ins class="diffchange diffchange-inline">viele Echo-Requests</ins>)</div></td></tr>
<tr><td class='diff-marker'>−</td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div># Test: nmap -<del class="diffchange diffchange-inline">sF -p1-100 <ZIEL></del></div></td><td class='diff-marker'>+</td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div># Test: nmap -<ins class="diffchange diffchange-inline">sn 10.88.2XX.0/24</ins></div></td></tr>
<tr><td class='diff-marker'>−</td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>drop <del class="diffchange diffchange-inline">tcp $EXTERNAL_NET </del>any -> <del class="diffchange diffchange-inline">$HOME_NET </del>any (msg:"OWN SCAN <del class="diffchange diffchange-inline">TCP FIN scan</del>"; <del class="diffchange diffchange-inline">flow:stateless,to_server; flags</del>:<del class="diffchange diffchange-inline">F</del>; detection_filter:track by_src,count <del class="diffchange diffchange-inline">5</del>,seconds <del class="diffchange diffchange-inline">10</del>; classtype:attempted-recon; sid:<del class="diffchange diffchange-inline">62</del>; rev:1;)</div></td><td class='diff-marker'>+</td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>drop <ins class="diffchange diffchange-inline">icmp any </ins>any -> <ins class="diffchange diffchange-inline">any </ins>any (msg:"OWN SCAN <ins class="diffchange diffchange-inline">ICMP ping sweep</ins>"; <ins class="diffchange diffchange-inline">itype</ins>:<ins class="diffchange diffchange-inline">8</ins>; detection_filter:track by_src,count <ins class="diffchange diffchange-inline">10</ins>,seconds <ins class="diffchange diffchange-inline">5</ins>; classtype:attempted-recon; sid:<ins class="diffchange diffchange-inline">9000065</ins>; rev:1;)</div></td></tr>
<tr><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"></td><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"></td></tr>
<tr><td class='diff-marker'>−</td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div># <del class="diffchange diffchange-inline">Scan: TCP XMAS-Scan (FIN+PSH+URG)</del></div></td><td class='diff-marker'>+</td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div># <ins class="diffchange diffchange-inline">Brute Force SSH</ins></div></td></tr>
<tr><td class='diff-marker'>−</td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div># Test: <del class="diffchange diffchange-inline">nmap </del>-<del class="diffchange diffchange-inline">sX </del>-<del class="diffchange diffchange-inline">p1-100 <ZIEL></del></div></td><td class='diff-marker'>+</td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div># Test: <ins class="diffchange diffchange-inline">hydra </ins>-<ins class="diffchange diffchange-inline">l root </ins>-<ins class="diffchange diffchange-inline">P /usr/share/wordlists/rockyou.txt ssh://10.88.2XX.21</ins></div></td></tr>
<tr><td class='diff-marker'>−</td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>drop tcp <del class="diffchange diffchange-inline">$EXTERNAL_NET </del>any -> <del class="diffchange diffchange-inline">$HOME_NET </del>any (msg:"OWN <del class="diffchange diffchange-inline">SCAN TCP XMAS scan</del>"; flow:stateless<del class="diffchange diffchange-inline">,to_server</del>; flags:<del class="diffchange diffchange-inline">FPU</del>; detection_filter:track by_src,count <del class="diffchange diffchange-inline">5</del>,seconds <del class="diffchange diffchange-inline">10</del>; classtype:attempted-recon; sid:<del class="diffchange diffchange-inline">63</del>; rev:1;)</div></td><td class='diff-marker'>+</td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>drop tcp <ins class="diffchange diffchange-inline">any </ins>any -> any <ins class="diffchange diffchange-inline">22 </ins>(msg:"OWN <ins class="diffchange diffchange-inline">SSH Brute Force</ins>"; flow:<ins class="diffchange diffchange-inline">to_server,</ins>stateless; flags:<ins class="diffchange diffchange-inline">S</ins>; detection_filter:track by_src,count <ins class="diffchange diffchange-inline">10</ins>,seconds <ins class="diffchange diffchange-inline">60</ins>; classtype:attempted-recon; sid:<ins class="diffchange diffchange-inline">9000066</ins>; rev:1;)</div></td></tr>
<tr><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"></td><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"></td></tr>
<tr><td class='diff-marker'>−</td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div># <del class="diffchange diffchange-inline">Scan</del>: <del class="diffchange diffchange-inline">UDP</del>-<del class="diffchange diffchange-inline">Sweep mit leerer Payload</del></div></td><td class='diff-marker'>+</td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div># <ins class="diffchange diffchange-inline">HTTP</ins>: <ins class="diffchange diffchange-inline">sqlmap User</ins>-<ins class="diffchange diffchange-inline">Agent erkennen</ins></div></td></tr>
<tr><td class='diff-marker'>−</td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div># Test: <del class="diffchange diffchange-inline">nmap </del>-<del class="diffchange diffchange-inline">sU </del>--<del class="diffchange diffchange-inline">min</del>-<del class="diffchange diffchange-inline">rate</del>=<del class="diffchange diffchange-inline">1000 <ZIEL></del></div></td><td class='diff-marker'>+</td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div># Test: <ins class="diffchange diffchange-inline">sqlmap </ins>-<ins class="diffchange diffchange-inline">u "http://www.it2XX.int/sql</ins>-<ins class="diffchange diffchange-inline">classic.php" </ins>--<ins class="diffchange diffchange-inline">data "username</ins>=<ins class="diffchange diffchange-inline">test"</ins></div></td></tr>
<tr><td class='diff-marker'>−</td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div><del class="diffchange diffchange-inline">drop udp $EXTERNAL_NET </del>any -> <del class="diffchange diffchange-inline">$HOME_NET 1:65535 </del>(msg:"<del class="diffchange diffchange-inline">OWN SCAN UDP sweep (empty probes)</del>"; <del class="diffchange diffchange-inline">flow:to_server</del>; <del class="diffchange diffchange-inline">dsize</del>:<del class="diffchange diffchange-inline">0</del>; <del class="diffchange diffchange-inline">detection_filter:track by_src,count 15,seconds 10</del>; classtype:<del class="diffchange diffchange-inline">attempted</del>-<del class="diffchange diffchange-inline">recon</del>; sid:<del class="diffchange diffchange-inline">64</del>; rev:1;)</div></td><td class='diff-marker'>+</td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div><ins class="diffchange diffchange-inline">alert http any </ins>any -> <ins class="diffchange diffchange-inline">any any </ins>(msg:"<ins class="diffchange diffchange-inline">SQLmap Scanner detected</ins>"; <ins class="diffchange diffchange-inline">http.user_agent</ins>; <ins class="diffchange diffchange-inline">content</ins>:<ins class="diffchange diffchange-inline">"sqlmap"</ins>; <ins class="diffchange diffchange-inline">nocase</ins>; classtype:<ins class="diffchange diffchange-inline">web-application</ins>-<ins class="diffchange diffchange-inline">attack</ins>; sid:<ins class="diffchange diffchange-inline">9000070</ins>; rev:1;)</div></td></tr>
<tr><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"></td><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"></td></tr>
<tr><td class='diff-marker'>−</td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div># <del class="diffchange diffchange-inline">Scan</del>: <del class="diffchange diffchange-inline">ICMP Ping</del>-<del class="diffchange diffchange-inline">Sweep (viele Echo-Requests)</del></div></td><td class='diff-marker'>+</td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div># <ins class="diffchange diffchange-inline">HTTP</ins>: <ins class="diffchange diffchange-inline">curl User</ins>-<ins class="diffchange diffchange-inline">Agent erkennen</ins></div></td></tr>
<tr><td class='diff-marker'>−</td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div># Test: <del class="diffchange diffchange-inline">nmap -sn <NETZ></del>/<del class="diffchange diffchange-inline">24</del></div></td><td class='diff-marker'>+</td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div># Test: <ins class="diffchange diffchange-inline">curl http://www.it2XX.int</ins>/<ins class="diffchange diffchange-inline">host.php</ins></div></td></tr>
<tr><td class='diff-marker'>−</td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div><del class="diffchange diffchange-inline">drop icmp $EXTERNAL_NET </del>any -> <del class="diffchange diffchange-inline">$HOME_NET </del>any (msg:"<del class="diffchange diffchange-inline">OWN SCAN ICMP ping sweep</del>"; <del class="diffchange diffchange-inline">itype</del>:<del class="diffchange diffchange-inline">8</del>; <del class="diffchange diffchange-inline">detection_filter:track by_src,count 10,seconds 5</del>; classtype:<del class="diffchange diffchange-inline">attempted</del>-<del class="diffchange diffchange-inline">recon</del>; sid:<del class="diffchange diffchange-inline">65</del>; rev:1;)</div></td><td class='diff-marker'>+</td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div><ins class="diffchange diffchange-inline">alert http any </ins>any -> <ins class="diffchange diffchange-inline">any </ins>any (msg:"<ins class="diffchange diffchange-inline">curl User-Agent detected</ins>"; <ins class="diffchange diffchange-inline">http.user_agent; content</ins>:<ins class="diffchange diffchange-inline">"curl"</ins>; <ins class="diffchange diffchange-inline">nocase</ins>; classtype:<ins class="diffchange diffchange-inline">policy</ins>-<ins class="diffchange diffchange-inline">violation</ins>; sid:<ins class="diffchange diffchange-inline">9000071</ins>; rev:1;)</div></td></tr>
<tr><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"></td><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"></td></tr>
<tr><td class='diff-marker'>−</td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div># <del class="diffchange diffchange-inline">Aktion</del>: <del class="diffchange diffchange-inline">?</del></div></td><td class='diff-marker'>+</td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div># <ins class="diffchange diffchange-inline">ICMP Tunnel - großes Payload</ins></div></td></tr>
<tr><td class='diff-marker'>−</td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div><del class="diffchange diffchange-inline">drop tcp $EXTERNAL_NET </del>any -> <del class="diffchange diffchange-inline">$HOME_NET 22 </del>(msg:"OWN <del class="diffchange diffchange-inline">SCAN SSH Brute Force</del>"; <del class="diffchange diffchange-inline">flow</del>:<del class="diffchange diffchange-inline">to_server,stateless</del>; <del class="diffchange diffchange-inline">flags</del>:<del class="diffchange diffchange-inline">S; detection_filter:track by_src,count 10,seconds 60</del>; classtype:<del class="diffchange diffchange-inline">attempted</del>-<del class="diffchange diffchange-inline">recon</del>; sid:<del class="diffchange diffchange-inline">66</del>; rev:1;)</div></td><td class='diff-marker'>+</td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div><ins class="diffchange diffchange-inline"># Test</ins>: <ins class="diffchange diffchange-inline">ping -c 5 -s 500 10.88.2XX.21</ins></div></td></tr>
<tr><td colspan="2"> </td><td class='diff-marker'>+</td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div><ins class="diffchange diffchange-inline">alert icmp any </ins>any -> <ins class="diffchange diffchange-inline">any any </ins>(msg:"OWN <ins class="diffchange diffchange-inline">ICMP Large Payload - possible tunnel</ins>"; <ins class="diffchange diffchange-inline">itype</ins>:<ins class="diffchange diffchange-inline">8</ins>; <ins class="diffchange diffchange-inline">dsize</ins>:<ins class="diffchange diffchange-inline">>200</ins>; classtype:<ins class="diffchange diffchange-inline">misc</ins>-<ins class="diffchange diffchange-inline">attack</ins>; sid:<ins class="diffchange diffchange-inline">9000072</ins>; rev:1;)</div></td></tr>
<tr><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"></td><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"></td></tr>
<tr><td class='diff-marker'>−</td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div># <del class="diffchange diffchange-inline">--- </del>TCP SYN Flood <del class="diffchange diffchange-inline">(Sehr häufiger DDos</del>-<del class="diffchange diffchange-inline">Typ) </del>---</div></td><td class='diff-marker'>+</td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div># TCP SYN Flood</div></td></tr>
<tr><td class='diff-marker'>−</td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>alert tcp any any -> <del class="diffchange diffchange-inline">$HOME_NET </del>any (<del class="diffchange diffchange-inline">flags:S; </del>msg:"TCP SYN Flood Potential Detected"; threshold: type both, track by_dst, count 150, seconds 10; sid:<del class="diffchange diffchange-inline">1000003</del>; rev:1;)</div></td><td class='diff-marker'>+</td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div><ins class="diffchange diffchange-inline"># Test: hping3 -S </ins>--<ins class="diffchange diffchange-inline">flood </ins>-<ins class="diffchange diffchange-inline">V </ins>-<ins class="diffchange diffchange-inline">p 80 10.88.2XX.21</ins></div></td></tr>
<tr><td colspan="2"> </td><td class='diff-marker'>+</td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>alert tcp any any -> <ins class="diffchange diffchange-inline">any </ins>any (msg:"TCP SYN Flood Potential Detected"<ins class="diffchange diffchange-inline">; flags:S</ins>; threshold: type both, track by_dst, count 150, seconds 10<ins class="diffchange diffchange-inline">; classtype:misc-attack</ins>; sid:<ins class="diffchange diffchange-inline">9000073</ins>; rev:1;)</div></td></tr>
<tr><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"></td><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"></td></tr>
<tr><td class='diff-marker'>−</td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div># <del class="diffchange diffchange-inline">--- (Optional) Einfacher "Hello World" Treffer für Tests ---</del></div></td><td class='diff-marker'>+</td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div># <ins class="diffchange diffchange-inline">SSH Connection Attempt</ins></div></td></tr>
<tr><td class='diff-marker'>−</td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>alert tcp any any -> <del class="diffchange diffchange-inline">$HOME_NET </del>any (msg:"<del class="diffchange diffchange-inline">TEST - </del>SSH Connection Attempt"; content:"SSH"; nocase; sid:<del class="diffchange diffchange-inline">1000006</del>; rev:1;)</div></td><td class='diff-marker'>+</td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div><ins class="diffchange diffchange-inline"># Test: ssh root@10.88.2XX.21</ins></div></td></tr>
<tr><td colspan="2"> </td><td class='diff-marker'>+</td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>alert tcp any any -> any <ins class="diffchange diffchange-inline">22 </ins>(msg:"SSH Connection Attempt"; content:"SSH"; nocase<ins class="diffchange diffchange-inline">; classtype:misc-activity</ins>; sid:<ins class="diffchange diffchange-inline">9000074</ins>; rev:1;)</div></td></tr>
<tr><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div></pre></div></td><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div></pre></div></td></tr>
<!-- diff cache key my_wiki:diff::1.12:old-69257:rev-69258 -->
</table>
Thomas.will
https://wiki.ixheim.de/index.php?title=Vorlage:Suricata-rules&diff=69257&oldid=prev
Thomas.will am 30. April 2026 um 10:33 Uhr
2026-04-30T10:33:01Z
<p></p>
<table class="diff diff-contentalign-left diff-editfont-monospace" data-mw="interface">
<col class="diff-marker" />
<col class="diff-content" />
<col class="diff-marker" />
<col class="diff-content" />
<tr class="diff-title" lang="de">
<td colspan="2" style="background-color: #fff; color: #202122; text-align: center;">← Nächstältere Version</td>
<td colspan="2" style="background-color: #fff; color: #202122; text-align: center;">Version vom 30. April 2026, 10:33 Uhr</td>
</tr><tr><td colspan="2" class="diff-lineno" id="mw-diff-left-l46" >Zeile 46:</td>
<td colspan="2" class="diff-lineno">Zeile 46:</td></tr>
<tr><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div># Aktion: ?</div></td><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div># Aktion: ?</div></td></tr>
<tr><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>drop tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"OWN SCAN SSH Brute Force"; flow:to_server,stateless; flags:S; detection_filter:track by_src,count 10,seconds 60; classtype:attempted-recon; sid:66; rev:1;)</div></td><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>drop tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"OWN SCAN SSH Brute Force"; flow:to_server,stateless; flags:S; detection_filter:track by_src,count 10,seconds 60; classtype:attempted-recon; sid:66; rev:1;)</div></td></tr>
<tr><td colspan="2"> </td><td class='diff-marker'>+</td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div><ins style="font-weight: bold; text-decoration: none;"></ins></div></td></tr>
<tr><td colspan="2"> </td><td class='diff-marker'>+</td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div><ins style="font-weight: bold; text-decoration: none;"># --- TCP SYN Flood (Sehr häufiger DDos-Typ) ---</ins></div></td></tr>
<tr><td colspan="2"> </td><td class='diff-marker'>+</td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div><ins style="font-weight: bold; text-decoration: none;">alert tcp any any -> $HOME_NET any (flags:S; msg:"TCP SYN Flood Potential Detected"; threshold: type both, track by_dst, count 150, seconds 10; sid:1000003; rev:1;)</ins></div></td></tr>
<tr><td colspan="2"> </td><td class='diff-marker'>+</td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div><ins style="font-weight: bold; text-decoration: none;"></ins></div></td></tr>
<tr><td colspan="2"> </td><td class='diff-marker'>+</td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div><ins style="font-weight: bold; text-decoration: none;"># --- (Optional) Einfacher "Hello World" Treffer für Tests ---</ins></div></td></tr>
<tr><td colspan="2"> </td><td class='diff-marker'>+</td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div><ins style="font-weight: bold; text-decoration: none;">alert tcp any any -> $HOME_NET any (msg:"TEST - SSH Connection Attempt"; content:"SSH"; nocase; sid:1000006; rev:1;)</ins></div></td></tr>
<tr><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div></pre></div></td><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div></pre></div></td></tr>
</table>
Thomas.will
https://wiki.ixheim.de/index.php?title=Vorlage:Suricata-rules&diff=69254&oldid=prev
Thomas.will: Die Seite wurde neu angelegt: „<pre> # ICMP: einfacher Ping/Traceroute (schneller Funktionstest) # Test: ping -c1 <ZIEL> alert icmp any any -> any any (msg:"ICMP Test"; classtype:misc-activi…“
2026-04-30T10:28:28Z
<p>Die Seite wurde neu angelegt: „<pre> # ICMP: einfacher Ping/Traceroute (schneller Funktionstest) # Test: ping -c1 <ZIEL> alert icmp any any -> any any (msg:"ICMP Test"; classtype:misc-activi…“</p>
<p><b>Neue Seite</b></p><div><pre><br />
# ICMP: einfacher Ping/Traceroute (schneller Funktionstest)<br />
# Test: ping -c1 <ZIEL><br />
alert icmp any any -> any any (msg:"ICMP Test"; classtype:misc-activity; sid:41;)<br />
<br />
# HTTP: mögliches Command-Injection-Merkmal (Semikolon) in POST-Body<br />
# Test: curl -X POST http://<ZIEL>/ -d "q=test%3Bls"<br />
alert http any any -> any any (msg:"Command Injection - Semicolon in POST DATA"; classtype:web-application-attack; flow:established; content:"%3B"; nocase; http_client_body; sid:2;)<br />
<br />
# HTTP: mögliches SQLi-Merkmal (einfaches Hochkomma) in POST-Body<br />
# Test: curl -X POST http://<ZIEL>/login -d "u=a&p='%20OR%201=1"<br />
alert http any any -> any any (msg:"Possible SQL Injection (singlequote in POST)"; classtype:web-application-attack; flow:established,to_server; content:"%27"; nocase; http_client_body; sid:3;)<br />
<br />
# DNS: Policy – verbietet "google" in DNS-Queries<br />
# Test: dig google.com @<FW><br />
drop dns any any -> any any (msg:"Kein Googlen"; dns.query; content:"google"; nocase; classtype:policy-violation; sid:43;)<br />
<br />
# DoS: viele identische kurze HTTP-GETs (LOIC-ähnlich)<br />
# Test: ab -n 1000 -c 500 http://<ZIEL>/<br />
drop tcp any any -> any any (msg:"ET DOS Terse HTTP GET Likely LOIC"; flow:to_server,established; dsize:18; content:"GET / HTTP/1.1|0d 0a 0d 0a|"; depth:18; threshold:type both,track by_dst,count 500,seconds 60; classtype:own-dos; sid:54; rev:2; metadata:created_at 2014_10_03, confidence Medium, signature_severity Major, updated_at 2019_07_26;)<br />
<br />
# Scan: TCP SYN-Sweep (viele SYN in kurzer Zeit)<br />
# Test: nmap -sS -p1-100 <ZIEL><br />
drop tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"OWN SCAN TCP SYN sweep"; flow:stateless,to_server; flags:S; detection_filter:track by_src,count 20,seconds 5; classtype:attempted-recon; sid:60; rev:1;)<br />
<br />
# Scan: TCP NULL-Scan (keine Flags gesetzt)<br />
# Test: nmap -sN -p1-100 <ZIEL><br />
drop tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"OWN SCAN TCP NULL scan"; flow:stateless,to_server; flags:0; detection_filter:track by_src,count 5,seconds 10; classtype:attempted-recon; sid:61; rev:1;)<br />
<br />
# Scan: TCP FIN-Scan (nur FIN)<br />
# Test: nmap -sF -p1-100 <ZIEL><br />
drop tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"OWN SCAN TCP FIN scan"; flow:stateless,to_server; flags:F; detection_filter:track by_src,count 5,seconds 10; classtype:attempted-recon; sid:62; rev:1;)<br />
<br />
# Scan: TCP XMAS-Scan (FIN+PSH+URG)<br />
# Test: nmap -sX -p1-100 <ZIEL><br />
drop tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"OWN SCAN TCP XMAS scan"; flow:stateless,to_server; flags:FPU; detection_filter:track by_src,count 5,seconds 10; classtype:attempted-recon; sid:63; rev:1;)<br />
<br />
# Scan: UDP-Sweep mit leerer Payload<br />
# Test: nmap -sU --min-rate=1000 <ZIEL><br />
drop udp $EXTERNAL_NET any -> $HOME_NET 1:65535 (msg:"OWN SCAN UDP sweep (empty probes)"; flow:to_server; dsize:0; detection_filter:track by_src,count 15,seconds 10; classtype:attempted-recon; sid:64; rev:1;)<br />
<br />
# Scan: ICMP Ping-Sweep (viele Echo-Requests)<br />
# Test: nmap -sn <NETZ>/24<br />
drop icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"OWN SCAN ICMP ping sweep"; itype:8; detection_filter:track by_src,count 10,seconds 5; classtype:attempted-recon; sid:65; rev:1;)<br />
<br />
# Aktion: ?<br />
drop tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"OWN SCAN SSH Brute Force"; flow:to_server,stateless; flags:S; detection_filter:track by_src,count 10,seconds 60; classtype:attempted-recon; sid:66; rev:1;)<br />
</pre></div>
Thomas.will