From 6aa0ba25a56cb9d344f4b13842e9c52ce513f2a2 Mon Sep 17 00:00:00 2001
From: aiooss-anssi
Date: Mon, 12 Aug 2024 14:00:48 +0200
Subject: [PATCH] suricata/rules: rename tags
---
 suricata/rules/suricata.rules | 135 +++++++++++++++++-----------------
 1 file changed, 69 insertions(+), 66 deletions(-)
diff --git a/suricata/rules/suricata.rules b/suricata/rules/suricata.rules
index 93aa595..53f932c 100644
--- a/suricata/rules/suricata.rules
+++ b/suricata/rules/suricata.rules
@@ -96,25 +96,25 @@ alert http any any -> any any (msg: "tag"; http.stat_code; content: "503"; start
 alert http any any -> any any (msg: "tag"; http.stat_code; content: "504"; startswith; metadata: tag 504, color info; sid: 2119;)
 # Identify user agents and some common response messages (sid 3001-4000)
-alert http any any -> any any (msg: "tag"; flow:to_server; content: "python-requests/"; startswith; http_user_agent; metadata: tag UA PYREQ, color info; sid: 3001;)
+alert http any any -> any any (msg: "tag"; flow:to_server; content: "python-requests/"; startswith; http_user_agent; metadata: tag UA PyReq, color info; sid: 3001;)
 alert http any any -> any any (msg: "tag"; flow:to_server; content: "python-httpx/"; startswith; http_user_agent; metadata: tag UA HTTPX, color info; sid: 3002;)
-alert http any any -> any any (msg: "tag"; flow:to_server; content: "HeadlessChrome/"; http_user_agent; metadata: tag UA HLCHROME, color info; sid: 3003;)
-alert http any any -> any any (msg: "tag"; flow:to_server; content: "Gecko/20100101 Firefox/"; http_user_agent; metadata: tag UA FIREFOX, color info; sid: 3004;)
-alert http any any -> any any (msg: "tag"; flow:to_server; content: "AppleWebKit/537.36 (KHTML, like Gecko) Chrome/"; http_user_agent; metadata: tag UA CHROME, color info; sid: 3005;)
-alert http any any -> any any (msg: "tag"; flow:to_server; content: "AppleWebKit/"; content: " (KHTML, like Gecko) Version/"; distance: 0; content: " Safari/"; distance: 0; http_user_agent; metadata: tag UA SAFARI, color info; sid: 3006;)
+alert http any any -> any any (msg: "tag"; flow:to_server; content: "HeadlessChrome/"; http_user_agent; metadata: tag UA HLChrome, color info; sid: 3003;)
+alert http any any -> any any (msg: "tag"; flow:to_server; content: "Gecko/20100101 Firefox/"; http_user_agent; metadata: tag UA Firefox, color info; sid: 3004;)
+alert http any any -> any any (msg: "tag"; flow:to_server; content: "AppleWebKit/537.36 (KHTML, like Gecko) Chrome/"; http_user_agent; 
metadata: tag UA Chrome, color info; sid: 3005;)
+alert http any any -> any any (msg: "tag"; flow:to_server; content: "AppleWebKit/"; content: " (KHTML, like Gecko) Version/"; distance: 0; content: " Safari/"; distance: 0; http_user_agent; metadata: tag UA Safari, color info; sid: 3006;)
 alert http any any -> any any (msg: "tag"; flow:to_server; content: "Mozilla/4.0 (compatible|3B| MSIE 9.0|3B| Windows "; startswith; http_user_agent; metadata: tag UA IE, color info; sid: 3007;)
 alert http any any -> any any (msg: "tag"; flow:to_server; content: "nushell"; startswith; http_user_agent; metadata: tag UA NUSHELL, color info; sid: 3008;)
-alert http any any -> any any (msg: "tag"; flow:to_server; content: "Python/3."; startswith; http_user_agent; metadata: tag UA PY, color info; sid: 3009;)
+alert http any any -> any any (msg: "tag"; flow:to_server; content: "Python/3."; startswith; http_user_agent; metadata: tag UA Py, color info; sid: 3009;)
 alert http any any -> any any (msg: "tag"; flow:to_server; content: "python-urllib3/"; startswith; http_user_agent; metadata: tag UA URLLIB3, color info; sid: 3010;)
 alert http any any -> any any (msg: "tag"; flow:to_server; content: "curl/"; startswith; http_user_agent; metadata: tag UA CURL, color info; sid: 3011;)
-alert http any any -> any any (msg: "tag"; flow:to_server; content: "Go-http-client/"; startswith; http_user_agent; metadata: tag UA GO, color info; sid: 3012;)
+alert http any any -> any any (msg: "tag"; flow:to_server; content: "Go-http-client/"; startswith; http_user_agent; metadata: tag UA Go, color info; sid: 3012;)
 # Common exploit payloads (sid 4001-5000)
 # content can not use doublequote, ;, : and |, see https://docs.suricata.io/en/suricata-7.0.6/rules/payload-keywords.html
-rejectboth ip any any -> any any (msg: "Found Bash space bypass '${IFS}'"; flow:to_server; content: "${IFS}"; metadata: tag BASH IFS, color warning; sid: 4001;)
-rejectboth ip any any -> any any (msg: "Found Bash space bypass '${IFS}' 
(URL encoded)"; flow:to_server; content: "%24%7BIFS%7D"; metadata: tag BASH IFS, color warning; sid: 4002;)
-rejectboth ip any any -> any any (msg: "Found Bash space bypass '$IFS'"; flow:to_server; content: "$IFS"; pcre: "/[\t-~]{5}/"; distance: 0; metadata: tag BASH IFS, color warning; sid: 4003;)
-rejectboth ip any any -> any any (msg: "Found Bash space bypass '$IFS' (URL encoded)"; flow:to_server; content: "%24IFS"; pcre: "/[\t-~]{5}/"; distance: 0; metadata: tag BASH IFS, color warning; sid: 4004;)
+rejectboth ip any any -> any any (msg: "Found Bash space bypass '${IFS}'"; flow:to_server; content: "${IFS}"; metadata: tag BASH ${IFS}, color warning; sid: 4001;)
+rejectboth ip any any -> any any (msg: "Found Bash space bypass '${IFS}' (URL encoded)"; flow:to_server; content: "%24%7BIFS%7D"; metadata: tag BASH ${IFS}, color warning; sid: 4002;)
+rejectboth ip any any -> any any (msg: "Found Bash space bypass '$IFS'"; flow:to_server; content: "$IFS"; pcre: "/[\t-~]{5}/"; distance: 0; metadata: tag BASH $IFS, color warning; sid: 4003;)
+rejectboth ip any any -> any any (msg: "Found Bash space bypass '$IFS' (URL encoded)"; flow:to_server; content: "%24IFS"; pcre: "/[\t-~]{5}/"; distance: 0; metadata: tag BASH $IFS, color warning; sid: 4004;)
 rejectboth ip any any -> any any (msg: "Found LaTeX '\\include{'"; flow:to_server; content: "|5c|include|7b|"; metadata: tag LATEX INC, color warning; sid: 4051;)
 rejectboth ip any any -> any any (msg: "Found LaTeX '\\input{'"; flow:to_server; content: "|5c|input|7b|"; metadata: tag LATEX INPUT, color warning; sid: 4052;)
 rejectboth ip any any -> any any (msg: "Found LaTeX '\\lstinputlisting{'"; flow:to_server; content: "|5c|lstinputlisting|7b|"; metadata: tag LATEX LST, color warning; sid: 4053;) 
@@ -126,43 +126,43 @@ rejectboth ip any any -> any any (msg: "Found LDAP 'givenName='"; flow:to_server
 rejectboth ip any any -> any any (msg: "Found LDAP 'objectClass='"; flow:to_server; content: "objectClass="; metadata: tag LDAP FIELD, color warning; sid: 4103;)
 rejectboth ip any any -> any any (msg: "Found LDAP 'userPassword='"; flow:to_server; content: "userPassword="; metadata: tag LDAP FIELD, color warning; sid: 4104;)
 rejectboth ip any any -> any any (msg: "Found NodeJS serialized function '_$$ND_FUNC$$_'"; flow:to_server; content: "_$$ND_FUNC$$_"; nocase; metadata: tag NODEJS NDFUNC, color warning; sid: 4151;)
-rejectboth ip any any -> any any (msg: "Found path '/dev/tcp/'"; flow:to_server; content: "/dev/tcp/"; metadata: tag DEV TCP, color warning; sid: 4201;)
-rejectboth ip any any -> any any (msg: "Found path '/dev/tcp/' (URL encoded)"; flow:to_server; content: "%2Fdev%2Ftcp"; metadata: tag DEV TCP, color warning; sid: 4202;)
-rejectboth ip any any -> any any (msg: "Found path '/etc/passwd'"; flow:to_server; content: "/etc/passwd"; metadata: tag ETC PASSWD, color warning; sid: 4203;)
-rejectboth ip any any -> any any (msg: "Found path '/etc/passwd' (URL encoded)"; flow:to_server; content: "%2Fetc%2Fpasswd"; metadata: tag ETC PASSWD, color warning; sid: 4204;)
-rejectboth ip any any -> any any (msg: "Found path '/var/lib/'"; flow:to_server; content: "/var/lib/"; metadata: tag VARLIB PATH, color warning; sid: 4205;)
-rejectboth ip any any -> any any (msg: "Found path '/var/lib/' (URL encoded)"; flow:to_server; content: "%2Fvar%2Flib%2F"; metadata: tag VARLIB PATH, color warning; sid: 4206;)
-rejectboth ip any any -> any any (msg: "Found path '/var/log/'"; flow:to_server; content: "/var/log/"; metadata: tag VARLOG PATH, color warning; sid: 4207;)
-rejectboth ip any any -> any any (msg: "Found path '/var/log/ (URL encoded)'"; flow:to_server; content: "%2Fvar%2Flog%2F"; metadata: tag VARLOG PATH, color warning; sid: 4208;)
-rejectboth ip any any -> any any 
(msg: "Found path '/bin/nc'"; flow:to_server; content: "/bin/nc"; metadata: tag BIN NC, color warning; sid: 4209;)
-rejectboth ip any any -> any any (msg: "Found path '/bin/nc' (URL encoded)"; flow:to_server; content: "%2Fbin%2Fnc"; metadata: tag BIN NC, color warning; sid: 4210;)
-rejectboth ip any any -> any any (msg: "Found path '/bin/sh'"; flow:to_server; content: "/bin/sh"; metadata: tag BIN SH, color warning; sid: 4211;)
-rejectboth ip any any -> any any (msg: "Found path '/bin/sh' (URL encoded)"; flow:to_server; content: "%2Fbin%2Fsh"; metadata: tag BIN SH, color warning; sid: 4212;)
-rejectboth ip any any -> any any (msg: "Found path '/bin/bash'"; flow:to_server; content: "/bin/bash"; metadata: tag BIN BASH, color warning; sid: 4213;)
-rejectboth ip any any -> any any (msg: "Found path '/bin/bash' (URL encoded)"; flow:to_server; content: "%2Fbin%2Fbash"; metadata: tag BIN BASH, color warning; sid: 4214;)
-rejectboth ip any any -> any any (msg: "Found path 'file://'"; flow:to_server; content: "file|3A|//"; nocase; metadata: tag FILE PATH, color warning; sid: 4215;)
-rejectboth ip any any -> any any (msg: "Found path 'file://' (URL encoded)"; flow:to_server; content: "file%3A%2F%2F"; nocase; metadata: tag FILE PATH, color warning; sid: 4216;)
-rejectboth ip any any -> any any (msg: "Found path 'gopher://'"; flow:to_server; content: "gopher|3A|//"; nocase; metadata: tag GOPHER PATH, color warning; sid: 4217;)
-rejectboth ip any any -> any any (msg: "Found path 'gopher://' (URL encoded)"; flow:to_server; content: "gopher%3A%2F%2F"; nocase; metadata: tag GOPHER PATH, color warning; sid: 4218;)
-rejectboth ip any any -> any any (msg: "Found path 'ldap://'"; flow:to_server; content: "ldap|3A|//"; nocase; metadata: tag LDAP PATH, color warning; sid: 4219;)
-rejectboth ip any any -> any any (msg: "Found path 'ldap://' (URL encoded)"; flow:to_server; content: "ldap%3A%2F%2F"; nocase; metadata: tag LDAP PATH, color warning; sid: 4220;)
-rejectboth ip any any -> any 
any (msg: "Found path 'phar://'"; flow:to_server; content: "phar|3A|//"; nocase; metadata: tag PHAR PATH, color warning; sid: 4221;)
-rejectboth ip any any -> any any (msg: "Found path 'phar://' (URL encoded)"; flow:to_server; content: "phar%3A%2F%2F"; nocase; metadata: tag PHAR PATH, color warning; sid: 4222;)
-rejectboth ip any any -> any any (msg: "Found path 'php://'"; flow:to_server; content: "php|3A|//"; nocase; metadata: tag PHP PATH, color warning; sid: 4223;)
-rejectboth ip any any -> any any (msg: "Found path 'php://' (URL encoded)"; flow:to_server; content: "php%3A%2F%2F"; nocase; metadata: tag PHP PATH, color warning; sid: 4224;)
-rejectboth ip any any -> any any (msg: "Found path 'tftp://'"; flow:to_server; content: "tftp|3A|//"; nocase; metadata: tag TFTP PATH, color warning; sid: 4225;)
-rejectboth ip any any -> any any (msg: "Found path 'tftp://' (URL encoded)"; flow:to_server; content: "tftp%3A%2F%2F"; nocase; metadata: tag TFTP PATH, color warning; sid: 4226;)
-rejectboth ip any any -> any any (msg: "Found path 'zip://'"; flow:to_server; content: "zip|3A|//"; nocase; metadata: tag ZIP PATH, color warning; sid: 4227;)
-rejectboth ip any any -> any any (msg: "Found path 'zip://' (URL encoded)"; flow:to_server; content: "zip%3A%2F%2F"; nocase; metadata: tag ZIP PATH, color warning; sid: 4228;)
-rejectboth ip any any -> any any (msg: "Found path traversal '../../' (URL encoded)"; flow:to_server; content: "..%2F..%2F"; metadata: tag PATH TRAVERSAL, color warning; sid: 4229;)
+rejectboth ip any any -> any any (msg: "Found path '/dev/tcp/'"; flow:to_server; content: "/dev/tcp/"; metadata: tag /dev/tcp/, color warning; sid: 4201;)
+rejectboth ip any any -> any any (msg: "Found path '/dev/tcp/' (URL encoded)"; flow:to_server; content: "%2Fdev%2Ftcp"; metadata: tag /dev/tcp/, color warning; sid: 4202;)
+rejectboth ip any any -> any any (msg: "Found path '/etc/passwd'"; flow:to_server; content: "/etc/passwd"; metadata: tag /etc/passwd, color warning; sid: 
4203;)
+rejectboth ip any any -> any any (msg: "Found path '/etc/passwd' (URL encoded)"; flow:to_server; content: "%2Fetc%2Fpasswd"; metadata: tag /etc/passwd, color warning; sid: 4204;)
+rejectboth ip any any -> any any (msg: "Found path '/var/lib/'"; flow:to_server; content: "/var/lib/"; metadata: tag /var/lib/, color warning; sid: 4205;)
+rejectboth ip any any -> any any (msg: "Found path '/var/lib/' (URL encoded)"; flow:to_server; content: "%2Fvar%2Flib%2F"; metadata: tag /var/lib/, color warning; sid: 4206;)
+rejectboth ip any any -> any any (msg: "Found path '/var/log/'"; flow:to_server; content: "/var/log/"; metadata: tag /var/log/, color warning; sid: 4207;)
+rejectboth ip any any -> any any (msg: "Found path '/var/log/ (URL encoded)'"; flow:to_server; content: "%2Fvar%2Flog%2F"; metadata: tag /var/log/, color warning; sid: 4208;)
+rejectboth ip any any -> any any (msg: "Found path '/bin/nc'"; flow:to_server; content: "/bin/nc"; metadata: tag /bin/nc, color warning; sid: 4209;)
+rejectboth ip any any -> any any (msg: "Found path '/bin/nc' (URL encoded)"; flow:to_server; content: "%2Fbin%2Fnc"; metadata: tag /bin/nc, color warning; sid: 4210;)
+rejectboth ip any any -> any any (msg: "Found path '/bin/sh'"; flow:to_server; content: "/bin/sh"; metadata: tag /bin/sh, color warning; sid: 4211;)
+rejectboth ip any any -> any any (msg: "Found path '/bin/sh' (URL encoded)"; flow:to_server; content: "%2Fbin%2Fsh"; metadata: tag /bin/sh, color warning; sid: 4212;)
+rejectboth ip any any -> any any (msg: "Found path '/bin/bash'"; flow:to_server; content: "/bin/bash"; metadata: tag /bin/bash, color warning; sid: 4213;)
+rejectboth ip any any -> any any (msg: "Found path '/bin/bash' (URL encoded)"; flow:to_server; content: "%2Fbin%2Fbash"; metadata: tag /bin/bash, color warning; sid: 4214;)
+rejectboth ip any any -> any any (msg: "Found path 'file://'"; flow:to_server; content: "file|3A|//"; nocase; metadata: tag file://, color warning; sid: 4215;)
+rejectboth ip any 
any -> any any (msg: "Found path 'file://' (URL encoded)"; flow:to_server; content: "file%3A%2F%2F"; nocase; metadata: tag file://, color warning; sid: 4216;)
+rejectboth ip any any -> any any (msg: "Found path 'gopher://'"; flow:to_server; content: "gopher|3A|//"; nocase; metadata: tag gopher://, color warning; sid: 4217;)
+rejectboth ip any any -> any any (msg: "Found path 'gopher://' (URL encoded)"; flow:to_server; content: "gopher%3A%2F%2F"; nocase; metadata: tag gopher://, color warning; sid: 4218;)
+rejectboth ip any any -> any any (msg: "Found path 'ldap://'"; flow:to_server; content: "ldap|3A|//"; nocase; metadata: tag ldap://, color warning; sid: 4219;)
+rejectboth ip any any -> any any (msg: "Found path 'ldap://' (URL encoded)"; flow:to_server; content: "ldap%3A%2F%2F"; nocase; metadata: tag ldap://, color warning; sid: 4220;)
+rejectboth ip any any -> any any (msg: "Found path 'phar://'"; flow:to_server; content: "phar|3A|//"; nocase; metadata: tag phar://, color warning; sid: 4221;)
+rejectboth ip any any -> any any (msg: "Found path 'phar://' (URL encoded)"; flow:to_server; content: "phar%3A%2F%2F"; nocase; metadata: tag phar://, color warning; sid: 4222;)
+rejectboth ip any any -> any any (msg: "Found path 'php://'"; flow:to_server; content: "php|3A|//"; nocase; metadata: tag php://, color warning; sid: 4223;)
+rejectboth ip any any -> any any (msg: "Found path 'php://' (URL encoded)"; flow:to_server; content: "php%3A%2F%2F"; nocase; metadata: tag php://, color warning; sid: 4224;)
+rejectboth ip any any -> any any (msg: "Found path 'tftp://'"; flow:to_server; content: "tftp|3A|//"; nocase; metadata: tag tftp://, color warning; sid: 4225;)
+rejectboth ip any any -> any any (msg: "Found path 'tftp://' (URL encoded)"; flow:to_server; content: "tftp%3A%2F%2F"; nocase; metadata: tag tftp://, color warning; sid: 4226;)
+rejectboth ip any any -> any any (msg: "Found path 'zip://'"; flow:to_server; content: "zip|3A|//"; nocase; metadata: tag zip://, color 
warning; sid: 4227;) +rejectboth ip any any -> any any (msg: "Found path 'zip://' (URL encoded)"; flow:to_server; content: "zip%3A%2F%2F"; nocase; metadata: tag zip://, color warning; sid: 4228;) +rejectboth ip any any -> any any (msg: "Found path traversal '../../' (URL encoded)"; flow:to_server; content: "..%2F..%2F"; metadata: tag Path Traversal, color warning; sid: 4229;) rejectboth ip any any -> any any (msg: "Found Java '${jndi:'"; flow:to_server; content: "${jndi:"; metadata: tag JAVA JNDI, color warning; sid: 4251;) -rejectboth ip any any -> any any (msg: "Found PHP ' any any (msg: "Found PHP '$_FILES'"; flow:to_server; content: "$_FILES"; metadata: tag PHP FILES, color warning; sid: 4302;) -rejectboth ip any any -> any any (msg: "Found PHP '$_GET'"; flow:to_server; content: "$_GET"; metadata: tag PHP GET, color warning; sid: 4303;) -rejectboth ip any any -> any any (msg: "Found PHP '$_POST'"; flow:to_server; content: "$_POST"; metadata: tag PHP POST, color warning; sid: 4304;) -rejectboth ip any any -> any any (msg: "Found PHP 'echo system'"; flow:to_server; content: "echo system"; nocase; metadata: tag PHP SYSTEM, color warning; sid: 4305;) -rejectboth ip any any -> any any (msg: "Found PHP 'file_get_contents' call"; flow:to_server; content: "file_get_contents"; nocase; metadata: tag PHP FGC, color warning; sid: 4306;) -rejectboth ip any any -> any any (msg: "Found PHP 'halt_compiler' call"; flow:to_server; content: "halt_compiler"; nocase; metadata: tag PHP HC, color warning; sid: 4307;) +rejectboth ip any any -> any any (msg: "Found PHP ' any any (msg: "Found PHP '$_FILES'"; flow:to_server; content: "$_FILES"; metadata: tag PHP $_FILES, color warning; sid: 4302;) +rejectboth ip any any -> any any (msg: "Found PHP '$_GET'"; flow:to_server; content: "$_GET"; metadata: tag PHP $_GET, color warning; sid: 4303;) +rejectboth ip any any -> any any (msg: "Found PHP '$_POST'"; flow:to_server; content: "$_POST"; metadata: tag PHP $_POST, color warning; sid: 
4304;) +rejectboth ip any any -> any any (msg: "Found PHP 'echo system'"; flow:to_server; content: "echo system"; nocase; metadata: tag PHP system(), color warning; sid: 4305;) +rejectboth ip any any -> any any (msg: "Found PHP 'file_get_contents' call"; flow:to_server; content: "file_get_contents"; nocase; metadata: tag PHP f_g_c(), color warning; sid: 4306;) +rejectboth ip any any -> any any (msg: "Found PHP 'halt_compiler' call"; flow:to_server; content: "halt_compiler"; nocase; metadata: tag PHP h_c(), color warning; sid: 4307;) rejectboth ip any any -> any any (msg: "Found SQL 'SELECT . FROM '"; flow:to_server; content: "SELECT "; nocase; content: " FROM "; nocase; within: 256; metadata: tag SQL SELECT, color warning; sid: 4351;) rejectboth ip any any -> any any (msg: "Found SQL 'SELECT . FROM ' (URL encoded)"; flow:to_server; content: "SELECT+"; nocase; content: "+FROM+"; nocase; within: 256; metadata: tag SQL SELECT, color warning; sid: 4352;) rejectboth ip any any -> any any (msg: "Found SQL 'array_to_string'"; flow:to_server; content: "array_to_string"; nocase; metadata: tag SQL A2S, color warning; sid: 4353;) 
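Review bot: The path-traversal tag is now split across two rules that used to share one: sid 4229 in this hunk becomes `tag Path Traversal`, while sid 5109 in the next hunk (the non-URL-encoded form of the same pattern) becomes `tag ../../`, so alerts for the same technique no longer group under a single tag. Every other encoded/decoded pair in this commit keeps one tag for both rules (sids 4203/4204 both get `/etc/passwd`, 4209/4210 both `/bin/nc`), so presumably one of the two was meant to match the other; `metadata: tag Path Traversal, color warning; sid: 5109;` would keep the pair consistent. Separately, the new `PHP f_g_c()` and `PHP h_c()` tags on sids 4306 and 4307 are not recognisable without reading the msg; `PHP file_get_contents()` and `PHP halt_compiler()` would follow the pattern already used by `PHP system()` on sid 4305.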
@@ -171,25 +171,28 @@ rejectboth ip any any -> any any (msg: "Found SQL ' LIMIT 1'"; flow:to_server; c rejectboth ip any any -> any any (msg: "Found SQL ' LIMIT 1' (URL encoded)"; flow:to_server; content: "+LIMIT+1"; nocase; metadata: tag SQL LIM1, color warning; sid: 4356;) rejectboth ip any any -> any any (msg: "Found SQL '::bytea'"; flow:to_server; content: "|3A 3A|bytea"; nocase; metadata: tag SQL BYTEA, color warning; sid: 4357;) rejectboth ip any any -> any any (msg: "Found SQL 'CAST(. as bytea)'"; flow:to_server; content: "CAST("; content: " as bytea)"; nocase; metadata: tag SQL CAST, color warning; sid: 4358;) -rejectboth ip any any -> any any (msg: "Found SQL 'COALESCE('"; flow:to_server; content: "COALESCE("; nocase; metadata: tag SQL COAL, color warning; sid: 4359;) -rejectboth ip any any -> any any (msg: "Found SQL 'VARCHAR('"; flow:to_server; content: "VARCHAR("; nocase; metadata: tag SQL VARC, color warning; sid: 4360;) -rejectboth ip any any -> any any (msg: "Found XML ' any any (msg: "Found XML ' any any (msg: "Found XML ' any any (msg: "Found XML ' any any (msg: "Found XML ' any any (msg: "Found XML ' any any (msg: "Found SQL 'COALESCE('"; flow:to_server; content: "COALESCE("; nocase; metadata: tag SQL COALESCE, color warning; sid: 4359;) +rejectboth ip any any -> any any (msg: "Found SQL 'VARCHAR('"; flow:to_server; content: "VARCHAR("; nocase; metadata: tag SQL VARCHAR, color warning; sid: 4360;) +rejectboth ip any any -> any any (msg: "Found XML ' any any (msg: "Found XML ' any any (msg: "Found XML ' any any (msg: "Found XML ' any any (msg: "Found XML ' any any (msg: "Found XML ' any any (msg: "tag"; flow.age:>10; flowbits: isnotset, slowflow; flowbits: set, slowflow; metadata: tag SLOW, color warning; sid: 5001;) +alert ip any any -> any any (msg: "tag"; flow:established,to_server; flow.age:>10; flowbits: isnotset, slowflow; flowbits: set, slowflow; metadata: tag Slow, color warning; sid: 5001;) alert ip any any -> any any (msg: "Found TCP 
RST"; flow:to_server; flags: R+; metadata: tag RST, color warning; sid: 5002;)
-alert ip any any -> any any (msg: "Found path '/bin/'"; flow:to_server; content: "/bin/"; metadata: tag BIN PATH, color warning; sid: 5101;)
-alert ip any any -> any any (msg: "Found path '/bin/' (URL encoded)"; flow:to_server; content: "%2Fbin%2F"; metadata: tag BIN PATH, color warning; sid: 5102;)
-alert ip any any -> any any (msg: "Found path '/etc/'"; flow:to_server; content: "/etc/"; metadata: tag ETC PATH, color warning; sid: 5103;)
-alert ip any any -> any any (msg: "Found path '/etc/' (URL encoded)"; flow:to_server; content: "%2Fetc%2F"; metadata: tag ETC PATH, color warning; sid: 5104;)
-alert ip any any -> any any (msg: "Found path '/proc/'"; flow:to_server; content: "/proc/"; metadata: tag PROC PATH, color warning; sid: 5105;)
-alert ip any any -> any any (msg: "Found path '/proc/' (URL encoded)"; flow:to_server; content: "%2Fproc%2F"; metadata: tag PROC PATH, color warning; sid: 5106;)
-alert ip any any -> any any (msg: "Found path '/tmp/'"; flow:to_server; content: "/tmp/"; metadata: tag TMP PATH, color warning; sid: 5107;)
-alert ip any any -> any any (msg: "Found path '/tmp/' (URL encoded)"; flow:to_server; content: "%2Ftmp%2F"; metadata: tag TMP PATH, color warning; sid: 5108;)
-alert ip any any -> any any (msg: "Found path traversal '../../'"; flow:to_server; content: "../../"; metadata: tag PATH TRAVERSAL, color warning; sid: 5109;)
-alert ip any any -> any any (msg: "Found Unicode escape '\\u00..'"; flow:to_server; content: "|5C|u00"; pcre: "/[0-9a-fA-F]{2}/"; distance: 0; metadata: tag UNICODE, color warning; sid: 5201;)
+alert ip any any -> any any (msg: "Found path '/bin/'"; flow:to_server; content: "/bin/"; metadata: tag /bin/, color warning; sid: 5101;)
+alert ip any any -> any any (msg: "Found path '/bin/' (URL encoded)"; flow:to_server; content: "%2Fbin%2F"; metadata: tag /bin/, color warning; sid: 5102;)
+alert ip any any -> any any (msg: "Found path '/etc/'"; 
flow:to_server; content: "/etc/"; metadata: tag /etc/, color warning; sid: 5103;)
+alert ip any any -> any any (msg: "Found path '/etc/' (URL encoded)"; flow:to_server; content: "%2Fetc%2F"; metadata: tag /etc/, color warning; sid: 5104;)
+alert ip any any -> any any (msg: "Found path '/proc/'"; flow:to_server; content: "/proc/"; metadata: tag /proc/, color warning; sid: 5105;)
+alert ip any any -> any any (msg: "Found path '/proc/' (URL encoded)"; flow:to_server; content: "%2Fproc%2F"; metadata: tag /proc/, color warning; sid: 5106;)
+alert ip any any -> any any (msg: "Found path '/tmp/'"; flow:to_server; content: "/tmp/"; metadata: tag /tmp/, color warning; sid: 5107;)
+alert ip any any -> any any (msg: "Found path '/tmp/' (URL encoded)"; flow:to_server; content: "%2Ftmp%2F"; metadata: tag /tmp/, color warning; sid: 5108;)
+alert ip any any -> any any (msg: "Found path traversal '../../'"; flow:to_server; content: "../../"; metadata: tag ../../, color warning; sid: 5109;)
+alert ip any any -> any any (msg: "Found Unicode escape '\\u00..'"; flow:to_server; content: "|5C|u00"; pcre: "/[0-9a-fA-F]{2}/"; distance: 0; metadata: tag Unicode, color warning; sid: 5201;)
+
+# Dissection anomalies
+alert http any any -> any any (msg:"HTTP missing Host header"; flow:established,to_server; app-layer-event:http.missing_host_header; metadata: tag HTTP No Host, color warning; sid:6001;)
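Review bot: The new sid 6001 rule at the end of the hunk drops the spacing convention every other rule in the file follows: it writes `msg:"HTTP missing Host header"` and `sid:6001;` where the rest of the file uses `msg: "..."` and `sid: 6001;`. The new `# Dissection anomalies` section comment also omits the sid range that the other section comments carry (`# Common exploit payloads (sid 4001-5000)`); `# Dissection anomalies (sid 6001-7000)` would make the numbering scheme explicit for the next rule added there. This rule is also the first in the file to rely on `app-layer-event` rather than a content match; if, as I recall, the parser only raises the missing-Host event for HTTP/1.1 requests, a one-line comment stating that expectation (and that HTTP/1.0 requests are legitimately Host-less) would save the next reader from checking why it fires at `color warning`.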