suricata/rules: do not match AAAAAAA= as flag
aiooss-anssi committed Jul 12, 2024
1 parent ac8cde3 commit 5906702
Showing 1 changed file with 5 additions and 5 deletions.
10 changes: 5 additions & 5 deletions suricata/rules/suricata.rules
Expand Up @@ -10,12 +10,12 @@
# Please test your regex at https://regex101.com/ using "PCRE2" mode.
# Some rules match also in 'file.data' in case of compressed payload.
# ENOWARS rules are disabled by default as they cause false positives
alert ip any any -> any any (msg: "A CINI flag (ECSC 2024) was sent to client"; flow:to_client; content: "="; pcre: "/([A-Z0-9]{31}=)/, flow:match"; distance: -32; metadata: tag FLAG OUT, color danger; sid: 1;)
alert ip any any -> any any (msg: "A CINI flag (ECSC 2024) was sent to client"; flow:to_client; file.data; content: "="; pcre: "/([A-Z0-9]{31}=)/, flow:match"; distance: -32; metadata: tag FLAG OUT, color danger; sid: 2;)
alert ip any any -> any any (msg: "A CINI flag (ECSC 2024) was sent to client"; flow:to_client; content: "="; content:!"AAAAA="; distance: -6; pcre: "/([A-Z0-9]{31}=)/, flow:match"; distance: -32; metadata: tag FLAG OUT, color danger; sid: 1;)
alert ip any any -> any any (msg: "A CINI flag (ECSC 2024) was sent to client"; flow:to_client; file.data; content: "="; content:!"AAAAA="; distance: -6; pcre: "/([A-Z0-9]{31}=)/, flow:match"; distance: -32; metadata: tag FLAG OUT, color danger; sid: 2;)
alert ip any any -> any any (msg: "A CINI flag (ECSC 2024) was sent to client (hex)"; flow:to_client; content: "3d"; pcre: "/((?:[345][0-9a-f]){31}3d)/, flow:match"; distance: -64; metadata: tag FLAG OUT HEX, color danger; sid: 3;)
alert ip any any -> any any (msg: "A CINI flag (ECSC 2024) was sent to client (hex)"; flow:to_client; content: "3D"; pcre: "/((?:[345][0-9a-f]){31}3d)/, flow:match"; distance: -64; metadata: tag FLAG OUT HEX, color danger; sid: 4;)
alert ip any any -> any any (msg: "A CINI flag (ECSC 2024) was sent to client (base64)"; flow:to_client; content: "0="; pcre: "/((?:[MNOQ-W][DEFjkl01TUVz][014589ABEFIJMNQRUVYZcdghklopstwx][0-5B-Zawxyz]){10}[MNOQ-W][jDzT]0=)/, flow:match"; distance: -44; metadata: tag FLAG OUT B64, color danger; sid: 5;)
alert ip any any -> any any (msg: "A CINI flag (ECSC 2024) was placed in our services (probably by checkers)"; flow:to_server; content: "="; pcre: "/([A-Z0-9]{31}=)/, flow:match"; distance: -32; metadata: tag FLAG IN, color success; sid: 6;)
alert ip any any -> any any (msg: "A CINI flag (ECSC 2024) was placed in our services (probably by checkers)"; flow:to_server; content: "="; content:!"AAAAA="; distance: -6; pcre: "/([A-Z0-9]{31}=)/, flow:match"; distance: -32; metadata: tag FLAG IN, color success; sid: 6;)
alert ip any any -> any any (msg: "A ECSC flag was sent to client"; flow:to_client; content: "ECSC_"; pcre: "/(ECSC_[A-Za-z0-9\/+]{32})/, flow:match"; distance: -5; metadata: tag FLAG OUT, color danger; sid: 11;)
alert ip any any -> any any (msg: "A ECSC flag was sent to client"; flow:to_client; file.data; content: "ECSC_"; pcre: "/(ECSC_[A-Za-z0-9\/+]{32})/, flow:match"; distance: -5; metadata: tag FLAG OUT, color danger; sid: 12;)
alert ip any any -> any any (msg: "A ECSC flag was sent to client (base64)"; flow:to_client; content: "RUNTQ1"; pcre: "/(RUNTQ1[A-Za-z0-9\/+]{44}==)/, flow:match"; distance: -6; metadata: tag FLAG OUT B64, color danger; sid: 13;)
Expand All @@ -28,8 +28,8 @@ alert ip any any -> any any (msg: "A ECSC flag was send to server (probably by c
#alert ip any any -> any any (msg: "A ENOWARS flag was placed in our services (probably by checkers)"; flow:to_server; content: "ENO"; pcre: "/ENO[A-Za-z0-9+\/=]{48}/, flow:match"; distance: -3; metadata: tag FLAG IN, color success; sid: 25;)
alert ip any any -> any any (msg: "A FAUSTCTF flag was sent to client"; flow:to_client; content: "FAUST_"; pcre: "/(FAUST_[A-Za-z0-9\/+]{32})/, flow:match"; distance: -6; metadata: tag FLAG OUT, color danger; sid: 31;)
alert ip any any -> any any (msg: "A FAUSTCTF flag was sent to client"; flow:to_client; file.data; content: "FAUST_"; pcre: "/(FAUST_[A-Za-z0-9\/+]{32})/, flow:match"; distance: -6; metadata: tag FLAG OUT, color danger; sid: 32;)
alert ip any any -> any any (msg: "A FAUSTCTF flag was sent to client (base64)"; flow:to_client; content: "RkFVU1Rf"; metadata: tag FLAG OUT B64, color danger; sid: 33;)
alert ip any any -> any any (msg: "A FAUSTCTF flag was sent to client (base64)"; flow:to_client; file.data; content: "RkFVU1Rf"; metadata: tag FLAG OUT B64, color danger; sid: 34;)
alert ip any any -> any any (msg: "A FAUSTCTF flag was sent to client (base64)"; flow:to_client; content: "RkFVU1Rf"; pcre: "/(RkFVU1Rf[A-Za-z0-9\/+]{43}=)/, flow:match"; distance: -8; metadata: tag FLAG OUT B64, color danger; sid: 33;)
alert ip any any -> any any (msg: "A FAUSTCTF flag was sent to client (base64)"; flow:to_client; file.data; content: "RkFVU1Rf"; pcre: "/(RkFVU1Rf[A-Za-z0-9\/+]{43}=)/, flow:match"; distance: -8; metadata: tag FLAG OUT B64, color danger; sid: 34;)
alert ip any any -> any any (msg: "A FAUSTCTF flag was placed in our services (probably by checkers)"; flow:to_server; content: "FAUST_"; pcre: "/(FAUST_[A-Za-z0-9\/+]{32})/, flow:match"; distance: -6; metadata: tag FLAG IN, color success; sid: 35;)
alert ip any any -> any any (msg: "A ICC flag was sent to client"; flow:to_client; content: "ICC_"; pcre: "/(ICC_[A-Za-z0-9\/+]{32})/, flow:match"; distance: -4; metadata: tag FLAG OUT, color danger; sid: 41;)
alert ip any any -> any any (msg: "A ICC flag was sent to client"; flow:to_client; file.data; content: "ICC_"; pcre: "/(ICC_[A-Za-z0-9\/+]{32})/, flow:match"; distance: -4; metadata: tag FLAG OUT, color danger; sid: 42;)
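Review bot: The new negated match `content:!"AAAAA="; distance: -6;` added to sids 1, 2 and 6 in the first hunk carries no `within`, so Suricata searches for `AAAAA=` from six bytes before the matched `=` up to the end of the buffer rather than only in the six bytes that end at that `=`; a payload that carries a real flag followed later by an `AAAAA=` would then be suppressed, and a wrong-position hit does not express the intent the commit title describes. Bounding the window with `content:!"AAAAA="; distance: -6; within: 6;` limits the exclusion to the flag's own tail. The title names `AAAAAAA=` while the rule excludes `AAAAA=`; the shorter string also covers the longer one, but a comment above the rule such as `# do not alert on all-A placeholder values (e.g. AAAAAAA=) that satisfy the flag pattern` would keep that reasoning visible next to the rule. The hex and base64 variants (sids 3, 4, 5) receive no equivalent exclusion, so the same placeholder presumably still alerts when it is hex- or base64-encoded; if that is deliberate, a one-line comment saying so would save the next reader the question.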
