Vorlage:Suricata-rules

Aus Xinux Wiki
Zur Navigation springen Zur Suche springen 
# ICMP: einfacher Ping/Traceroute (schneller Funktionstest)
# Test: ping -c1 <ZIEL>
alert icmp any any -> any any (msg:"ICMP Test"; classtype:misc-activity; sid:41;)

# HTTP: mögliches Command-Injection-Merkmal (Semikolon) in POST-Body
# Test: curl -X POST http://<ZIEL>/ -d "q=test%3Bls"
alert http any any -> any any (msg:"Command Injection - Semicolon in POST DATA"; classtype:web-application-attack; flow:established; content:"%3B"; nocase; http_client_body; sid:2;)

# HTTP: mögliches SQLi-Merkmal (einfaches Hochkomma) in POST-Body
# Test: curl -X POST http://<ZIEL>/login -d "u=a&p='%20OR%201=1"
alert http any any -> any any (msg:"Possible SQL Injection (singlequote in POST)"; classtype:web-application-attack; flow:established,to_server; content:"%27"; nocase; http_client_body; sid:3;)

# DNS: Policy – verbietet "google" in DNS-Queries
# Test: dig google.com @<FW>
drop dns any any -> any any (msg:"Kein Googlen"; dns.query; content:"google"; nocase; classtype:policy-violation; sid:43;)

# DoS: viele identische kurze HTTP-GETs (LOIC-ähnlich)
# Test: ab -n 1000 -c 500 http://<ZIEL>/
drop tcp any any -> any any (msg:"ET DOS Terse HTTP GET Likely LOIC"; flow:to_server,established; dsize:18; content:"GET / HTTP/1.1|0d 0a 0d 0a|"; depth:18; threshold:type both,track by_dst,count 500,seconds 60; classtype:own-dos; sid:54; rev:2; metadata:created_at 2014_10_03, confidence Medium, signature_severity Major, updated_at 2019_07_26;)

# Scan: TCP SYN-Sweep (viele SYN in kurzer Zeit)
# Test: nmap -sS -p1-100 <ZIEL>
drop tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"OWN SCAN TCP SYN sweep"; flow:stateless,to_server; flags:S; detection_filter:track by_src,count 20,seconds 5; classtype:attempted-recon; sid:60; rev:1;)

# Scan: TCP NULL-Scan (keine Flags gesetzt)
# Test: nmap -sN -p1-100 <ZIEL>
drop tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"OWN SCAN TCP NULL scan"; flow:stateless,to_server; flags:0; detection_filter:track by_src,count 5,seconds 10; classtype:attempted-recon; sid:61; rev:1;)

# Scan: TCP FIN-Scan (nur FIN)
# Test: nmap -sF -p1-100 <ZIEL>
drop tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"OWN SCAN TCP FIN scan"; flow:stateless,to_server; flags:F; detection_filter:track by_src,count 5,seconds 10; classtype:attempted-recon; sid:62; rev:1;)

# Scan: TCP XMAS-Scan (FIN+PSH+URG)
# Test: nmap -sX -p1-100 <ZIEL>
drop tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"OWN SCAN TCP XMAS scan"; flow:stateless,to_server; flags:FPU; detection_filter:track by_src,count 5,seconds 10; classtype:attempted-recon; sid:63; rev:1;)

# Scan: UDP-Sweep mit leerer Payload
# Test: nmap -sU --min-rate=1000 <ZIEL>
drop udp $EXTERNAL_NET any -> $HOME_NET 1:65535 (msg:"OWN SCAN UDP sweep (empty probes)"; flow:to_server; dsize:0; detection_filter:track by_src,count 15,seconds 10; classtype:attempted-recon; sid:64; rev:1;)

# Scan: ICMP Ping-Sweep (viele Echo-Requests)
# Test: nmap -sn <NETZ>/24
drop icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"OWN SCAN ICMP ping sweep"; itype:8; detection_filter:track by_src,count 10,seconds 5; classtype:attempted-recon; sid:65; rev:1;)

# Aktion: ?
drop tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"OWN SCAN SSH Brute Force"; flow:to_server,stateless; flags:S; detection_filter:track by_src,count 10,seconds 60; classtype:attempted-recon; sid:66; rev:1;)

# --- TCP SYN Flood (Sehr häufiger DDos-Typ) ---
alert tcp any any -> $HOME_NET any (flags:S; msg:"TCP SYN Flood Potential Detected"; threshold: type both, track by_dst, count 150, seconds 10; sid:1000003; rev:1;)

# --- (Optional) Einfacher "Hello World" Treffer für Tests ---
alert tcp any any -> $HOME_NET any (msg:"TEST - SSH Connection Attempt"; content:"SSH"; nocase; sid:1000006; rev:1;)
Abgerufen von „http://wiki.ixheim.de/index.php?title=Vorlage:Suricata-rules&oldid=69257