Vorlage:Suricata-rules
Version vom 30. April 2026, 10:28 Uhr von Thomas.will (Diskussion | Beiträge) (Die Seite wurde neu angelegt: „<pre> # ICMP: einfacher Ping/Traceroute (schneller Funktionstest) # Test: ping -c1 <ZIEL> alert icmp any any -> any any (msg:"ICMP Test"; classtype:misc-activi…“)
# ICMP: einfacher Ping/Traceroute (schneller Funktionstest) # Test: ping -c1 <ZIEL> alert icmp any any -> any any (msg:"ICMP Test"; classtype:misc-activity; sid:41;) # HTTP: mögliches Command-Injection-Merkmal (Semikolon) in POST-Body # Test: curl -X POST http://<ZIEL>/ -d "q=test%3Bls" alert http any any -> any any (msg:"Command Injection - Semicolon in POST DATA"; classtype:web-application-attack; flow:established; content:"%3B"; nocase; http_client_body; sid:2;) # HTTP: mögliches SQLi-Merkmal (einfaches Hochkomma) in POST-Body # Test: curl -X POST http://<ZIEL>/login -d "u=a&p='%20OR%201=1" alert http any any -> any any (msg:"Possible SQL Injection (singlequote in POST)"; classtype:web-application-attack; flow:established,to_server; content:"%27"; nocase; http_client_body; sid:3;) # DNS: Policy – verbietet "google" in DNS-Queries # Test: dig google.com @<FW> drop dns any any -> any any (msg:"Kein Googlen"; dns.query; content:"google"; nocase; classtype:policy-violation; sid:43;) # DoS: viele identische kurze HTTP-GETs (LOIC-ähnlich) # Test: ab -n 1000 -c 500 http://<ZIEL>/ drop tcp any any -> any any (msg:"ET DOS Terse HTTP GET Likely LOIC"; flow:to_server,established; dsize:18; content:"GET / HTTP/1.1|0d 0a 0d 0a|"; depth:18; threshold:type both,track by_dst,count 500,seconds 60; classtype:own-dos; sid:54; rev:2; metadata:created_at 2014_10_03, confidence Medium, signature_severity Major, updated_at 2019_07_26;) # Scan: TCP SYN-Sweep (viele SYN in kurzer Zeit) # Test: nmap -sS -p1-100 <ZIEL> drop tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"OWN SCAN TCP SYN sweep"; flow:stateless,to_server; flags:S; detection_filter:track by_src,count 20,seconds 5; classtype:attempted-recon; sid:60; rev:1;) # Scan: TCP NULL-Scan (keine Flags gesetzt) # Test: nmap -sN -p1-100 <ZIEL> drop tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"OWN SCAN TCP NULL scan"; flow:stateless,to_server; flags:0; detection_filter:track by_src,count 5,seconds 10; classtype:attempted-recon; sid:61; rev:1;) # Scan: TCP FIN-Scan (nur FIN) # Test: nmap -sF -p1-100 <ZIEL> drop tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"OWN SCAN TCP FIN scan"; flow:stateless,to_server; flags:F; detection_filter:track by_src,count 5,seconds 10; classtype:attempted-recon; sid:62; rev:1;) # Scan: TCP XMAS-Scan (FIN+PSH+URG) # Test: nmap -sX -p1-100 <ZIEL> drop tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"OWN SCAN TCP XMAS scan"; flow:stateless,to_server; flags:FPU; detection_filter:track by_src,count 5,seconds 10; classtype:attempted-recon; sid:63; rev:1;) # Scan: UDP-Sweep mit leerer Payload # Test: nmap -sU --min-rate=1000 <ZIEL> drop udp $EXTERNAL_NET any -> $HOME_NET 1:65535 (msg:"OWN SCAN UDP sweep (empty probes)"; flow:to_server; dsize:0; detection_filter:track by_src,count 15,seconds 10; classtype:attempted-recon; sid:64; rev:1;) # Scan: ICMP Ping-Sweep (viele Echo-Requests) # Test: nmap -sn <NETZ>/24 drop icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"OWN SCAN ICMP ping sweep"; itype:8; detection_filter:track by_src,count 10,seconds 5; classtype:attempted-recon; sid:65; rev:1;) # Aktion: ? drop tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"OWN SCAN SSH Brute Force"; flow:to_server,stateless; flags:S; detection_filter:track by_src,count 10,seconds 60; classtype:attempted-recon; sid:66; rev:1;)