suricata/rules: reduce saar flag false positives
aiooss-anssi committed Aug 9, 2024
1 parent 8bc1ab8 commit 47f4044
Showing 1 changed file with 3 additions and 3 deletions.
6 changes: 3 additions & 3 deletions suricata/rules/suricata.rules
Expand Up @@ -38,9 +38,9 @@ alert ip any any -> any any (msg: "A ICC flag was placed in our services (probab
alert ip any any -> any any (msg: "A saarCTF flag was sent to client"; flow:to_client; content: "SAAR"; pcre: "/(SAAR\{[A-Za-z0-9-_]{32}\})/, flow:match"; distance: -4; metadata: tag FLAG OUT, color danger; sid: 51;)
alert ip any any -> any any (msg: "A saarCTF flag was sent to client"; flow:to_client; file.data; content: "SAAR{"; pcre: "/(SAAR\{[A-Za-z0-9-_]{32}\})/, flow:match"; distance: -5; metadata: tag FLAG OUT, color danger; sid: 52;)
alert ip any any -> any any (msg: "A saarCTF flag was sent to client (URL encoded)"; flow:to_client; content: "SAAR%7B"; pcre: "/(SAAR%7B[A-Za-z0-9-_]{32}%7D)/, flow:match"; distance: -7; metadata: tag FLAG OUT, color danger; sid: 53;)
alert ip any any -> any any (msg: "A saarCTF flag was sent to client (base64)"; flow:to_client; content: "U0FBUn"; metadata: tag FLAG OUT B64, color danger; sid: 54;)
alert ip any any -> any any (msg: "A saarCTF flag was sent to client (base64)"; flow:to_client; content: "NBQVJ7"; metadata: tag FLAG OUT B64, color danger; sid: 55;)
alert ip any any -> any any (msg: "A saarCTF flag was sent to client (base64)"; flow:to_client; content: "TQUFSe"; metadata: tag FLAG OUT B64, color danger; sid: 56;)
alert ip any any -> any any (msg: "A saarCTF flag was sent to client (base64)"; flow:to_client; content: "U0FBUnt"; metadata: tag FLAG OUT B64, color danger; sid: 54;)
alert ip any any -> any any (msg: "A saarCTF flag was sent to client (base64)"; flow:to_client; content: "NBQVJ7"; pcre: "/(NBQVJ7[A-Za-z\d]{43}9)/, flow:match"; distance: -6; metadata: tag FLAG OUT B64, color danger; sid: 55;)
alert ip any any -> any any (msg: "A saarCTF flag was sent to client (base64)"; flow:to_client; content: "TQUFSe"; pcre: "/(TQUFSe[A-Za-z\d]{43}f)/, flow:match"; distance: -6; metadata: tag FLAG OUT B64, color danger; sid: 56;)
alert ip any any -> any any (msg: "A saarCTF flag was placed in our services (probably by checkers)"; flow:to_server; content: "SAAR"; pcre: "/(SAAR\{[A-Za-z0-9-_]{32}\})/, flow:match"; distance: -4; metadata: tag FLAG IN, color success; sid: 57;)
alert ip any any -> any any (msg: "A saarCTF flag was placed in our services (probably by checkers, URL encoded)"; flow:to_server; content: "SAAR%7B"; pcre: "/(SAAR%7B[A-Za-z0-9-_]{32}%7D)/, flow:match"; distance: -7; metadata: tag FLAG IN, color success; sid: 58;)
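Review bot: The tightened content in the sid 54 rule, `U0FBUnt`, introduces a detection gap: the seventh base64 character encodes the low nibble of `{` together with the top two bits of the first flag body byte, which are `00` for `0`-`9` and `-` (yielding `s`) and `01` for letters and `_` (yielding `t`), so if the body alphabet is `[A-Za-z0-9-_]` as the plain-text rules' pcre states, every flag whose body starts with a digit or `-` is now missed in this alignment. The sibling rules for sids 55 and 56 show the intended shape — keep the broad prefix and constrain the tail with a pcre — so sid 54 could read `content: "U0FBUn"; pcre: "/U0FBUn[st][A-Za-z\d]{43}[0-3]/, flow:match"; distance: -6;`, where the 43 characters cover the rest of the body and `[0-3]` is what the closing `}` encodes in that position (including the padded `0=` case). The `[A-Za-z\d]` class in the new pcres is sufficient only because a 7-bit ASCII body can never produce `+` or `/` in the encoded stream; a one-line comment above these three rules stating that assumption, e.g. `# base64 alignments of SAAR{…}: body must stay 7-bit ASCII or the [A-Za-z\d] classes below need + and /`, would keep a future flag-format change from silently breaking them.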

