suricata: improve UA rules
aiooss-anssi committed Nov 27, 2023
1 parent 3892170 commit 50734fa
Showing 1 changed file with 7 additions and 4 deletions.
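--- a/suricata/rules/suricata.rules
+++ b/suricata/rules/suricata.rules
@@ -70,10 +70,13 @@
 alert http any any -> any any (msg: "tag"; http.stat_code; content: "504"; startswith; metadata: tag 504, color warning; sid: 2117;)
 
 # Identify user agents and some common response messages (sid 3001-4000)
-alert http any any -> $HOME_NET any (msg: "Found python-requests User-Agent"; flow:to_server; content: "python-requests/"; startswith; http_user_agent; metadata: tag UA PYREQ, color warning; sid: 3001;)
-alert http any any -> $HOME_NET any (msg: "Found python-httpx User-Agent"; flow:to_server; content: "python-httpx/"; startswith; http_user_agent; metadata: tag UA HTTPX, color warning; sid: 3002;)
-alert http any any -> $HOME_NET any (msg: "Found HeadlessChrome User-Agent"; flow:to_server; content: "HeadlessChrome/"; startswith; http_user_agent; metadata: tag UA HLCHROME, color warning; sid: 3003;)
-alert http any any -> $HOME_NET any (msg: "Found Firefox User-Agent"; flow:to_server; content: "Firefox/"; startswith; http_user_agent; metadata: tag UA FIREFOX, color warning; sid: 3004;)
+alert http any any -> $HOME_NET any (msg: "tag"; flow:to_server; content: "python-requests/"; startswith; http_user_agent; metadata: tag UA PYREQ, color warning; sid: 3001;)
+alert http any any -> $HOME_NET any (msg: "tag"; flow:to_server; content: "python-httpx/"; startswith; http_user_agent; metadata: tag UA HTTPX, color warning; sid: 3002;)
+alert http any any -> $HOME_NET any (msg: "tag"; flow:to_server; content: "HeadlessChrome/"; http_user_agent; metadata: tag UA HLCHROME, color warning; sid: 3003;)
+alert http any any -> $HOME_NET any (msg: "tag"; flow:to_server; content: "Gecko/20100101 Firefox/"; http_user_agent; metadata: tag UA FIREFOX, color warning; sid: 3004;)
+alert http any any -> $HOME_NET any (msg: "tag"; flow:to_server; content: "AppleWebKit/537.36 (KHTML, like Gecko) Chrome/"; http_user_agent; metadata: tag UA CHROME, color warning; sid: 3005;)
+alert http any any -> $HOME_NET any (msg: "tag"; flow:to_server; content: "AppleWebKit/605.1.15 (KHTML, like Gecko) Version/"; http_user_agent; metadata: tag UA SAFARI, color warning; sid: 3006;)
+alert http any any -> $HOME_NET any (msg: "tag"; flow:to_server; content: "nushell"; startswith; http_user_agent; metadata: tag UA NUSHELL, color warning; sid: 3007;)
 
 # Common exploit payloads (sid 4001-5000)
 alert ip any any -> $HOME_NET any (msg: "Found Bash space bypass '${IFS}'"; flow:to_server; content: "|24 7b|IFS|7d|"; nocase; metadata: tag BASH IFS, color warning; sid: 4001;)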
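Review bot: The sid 3005 pattern `AppleWebKit/537.36 (KHTML, like Gecko) Chrome/` also matches Chromium-derived browsers (Edge, Opera, Brave and similar) whose User-Agent keeps the Chrome token, so those clients will be tagged `UA CHROME` rather than left untagged; if the distinction matters for triage, a comment stating that the tag means "Chromium family" would avoid a misleading read of the alert. The tightened sid 3004 pattern `Gecko/20100101 Firefox/` anchors on the desktop Gecko build token, so mobile Firefox user-agents, which as far as I can tell carry a different `Gecko/` value, are presumably no longer matched — worth noting in the section comment if that narrowing is intended. A one-line comment above the block such as `# UA tags reflect only the client's claimed User-Agent; HeadlessChrome is kept separate from CHROME because its token is "HeadlessChrome/"` would record the matching rationale for the next maintainer.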
