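<!doctype html>
<html lang="en">
<head>
  <meta charset="utf-8">
  <meta name="viewport" content="width=device-width, initial-scale=1">
  <title>test.suricata</title>
  <meta name="generator" content="KF5::SyntaxHighlighting - Definition (Snort/Suricata) - Theme (Breeze Dark)">
  <!-- Breeze Dark theme colours. Moved from per-span style="" attributes into
       classes so the page no longer needs style-src 'unsafe-inline' for
       attributes under a CSP; the single <style> element can be allowed by
       hash or nonce. Rendering is unchanged. -->
  <style>
    body { background-color: #232629; color: #cfcfc2; }
    .cmt { color: #7a7c7d; }                    /* # comment lines */
    .act { color: #fdbc4b; font-weight: bold; } /* rule action: alert / drop */
    .kw  { font-weight: bold; }                 /* protocol, address variables, option keywords */
    .str { color: #f44f4f; }                    /* quoted values */
    .num { color: #f67400; }                    /* numeric literals */
  </style>
</head>
<body>
<!-- Sample rules for the Snort/Suricata syntax-highlighting definition; the
     rule text is reproduced verbatim from the sample file. Anyone copying these
     into a live ruleset should note: several msg/content/pcre values are wrapped
     in U+201D curly quotes (”) rather than ASCII ", which the Suricata rule
     parser is not expected to accept; the two "alert http" rules both carry
     sid:1, which a ruleset loader would treat as a duplicate signature; and the
     bare "alert tcp 1.2.3.4 1024 -> 5.6.7.8 80" line has no option section.
     The literal "<" in byte_test and the ">" in "->" are entity-escaped below
     so the document is valid HTML; the rendered text is unchanged. -->
<pre>
<span class="cmt"># Suricata Samples</span>
<span class="cmt"># See: https://suricata.readthedocs.io/en/latest/rules/intro.html</span>

<span class="act">drop</span> <span class="kw">tcp</span> <span class="kw">$HOME_NET</span> <span class="kw">any</span> -&gt; <span class="kw">$EXTERNAL_NET</span> <span class="kw">any</span> (<span class="kw">msg</span>:<span class="str">”ET TROJAN Likely Bot Nick in IRC (USA +..)”</span>; <span class="kw">flow</span>:established,to_server; <span class="kw">flowbits</span>:isset,is_proto_irc; <span class="kw">content</span>:<span class="str">”NICK ”</span>; <span class="kw">pcre</span>:<span class="str">”/NICK .*USA.*[0-9]{3,}/i”</span>; <span class="kw">reference</span>:url,doc.emergingthreats.net/<span class="num">2008124</span>; <span class="kw">classtype</span>:trojan-activity; <span class="kw">sid</span>:<span class="num">2008124</span>; <span class="kw">rev</span>:<span class="num">2</span>;)

<span class="act">alert</span> <span class="kw">tcp</span> <span class="num">1</span>.<span class="num">2</span>.<span class="num">3</span>.<span class="num">4</span> <span class="num">1024</span> -&gt; <span class="num">5</span>.<span class="num">6</span>.<span class="num">7</span>.<span class="num">8</span> <span class="num">80</span>

<span class="act">alert</span> <span class="kw">http</span> <span class="kw">any</span> <span class="kw">any</span> -&gt; <span class="kw">any</span> <span class="kw">any</span> (<span class="kw">content</span>:<span class="str">"index.php"</span>; <span class="kw">http_uri</span>; <span class="kw">sid</span>:<span class="num">1</span>;)

<span class="act">alert</span> <span class="kw">http</span> <span class="kw">any</span> <span class="kw">any</span> -&gt; <span class="kw">any</span> <span class="kw">any</span> (http_response_line; <span class="kw">content</span>:<span class="str">"403 Forbidden"</span>; <span class="kw">sid</span>:<span class="num">1</span>;)

<span class="act">alert</span> <span class="kw">tcp</span> <span class="kw">$EXTERNAL_NET</span> <span class="kw">any</span> -&gt; <span class="kw">$HOME_NET</span> <span class="kw">any</span> (<span class="kw">msg</span>:<span class="str">”GPL DELETED typot trojan traffic”</span>; <span class="kw">flow</span>:stateless; <span class="kw">flags</span>:S,<span class="num">12</span>; <span class="kw">window</span>:<span class="num">55808</span>; <span class="kw">reference</span>:mcafee,<span class="num">100406</span>; <span class="kw">classtype</span>:trojan-activity; <span class="kw">sid</span>:<span class="num">2182</span>; <span class="kw">rev</span>:<span class="num">8</span>;)

<span class="act">alert</span> <span class="kw">tcp</span> <span class="kw">$EXTERNAL_NET</span> <span class="kw">any</span> -&gt; <span class="kw">$HOME_NET</span> <span class="kw">any</span> (<span class="kw">flags</span>:S,<span class="num">12</span>; <span class="kw">tcp</span>.hdr; <span class="kw">content</span>:<span class="str">”|02 04|”</span>; <span class="kw">offset</span>:<span class="num">20</span>; <span class="kw">byte_test</span>:<span class="num">2</span>,&lt;,<span class="num">536</span>,<span class="num">0</span>,big,relative; <span class="kw">sid</span>:<span class="num">1234</span>; <span class="kw">rev</span>:<span class="num">5</span>;)

<span class="cmt"># Snort Samples</span>

<span class="act">alert</span> <span class="kw">tcp</span> <span class="kw">any</span> <span class="kw">any</span> -&gt; <span class="num">192</span>.<span class="num">168</span>.<span class="num">1</span>.<span class="num">0</span>/<span class="num">24</span> <span class="num">111</span> (<span class="kw">content</span>:<span class="str">"|00 01 86 a5|"</span>; <span class="kw">msg</span>: <span class="str">"mountd access"</span>;)
</pre>
</body>
</html>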