suricata.rules: match rules outside of HOME_NET
aiooss-anssi committed Jun 30, 2024
1 parent aad64f8 commit 7127afd
Showing 1 changed file with 45 additions and 45 deletions.
90 changes: 45 additions & 45 deletions suricata/rules/suricata.rules
Expand Up @@ -79,52 +79,52 @@ alert http any any -> any any (msg: "tag"; http.stat_code; content: "503"; start
alert http any any -> any any (msg: "tag"; http.stat_code; content: "504"; startswith; metadata: tag 504, color warning; sid: 2117;)

# Identify user agents and some common response messages (sid 3001-4000)
alert http any any -> $HOME_NET any (msg: "tag"; flow:to_server; content: "python-requests/"; startswith; http_user_agent; metadata: tag UA PYREQ, color warning; sid: 3001;)
alert http any any -> $HOME_NET any (msg: "tag"; flow:to_server; content: "python-httpx/"; startswith; http_user_agent; metadata: tag UA HTTPX, color warning; sid: 3002;)
alert http any any -> $HOME_NET any (msg: "tag"; flow:to_server; content: "HeadlessChrome/"; http_user_agent; metadata: tag UA HLCHROME, color warning; sid: 3003;)
alert http any any -> $HOME_NET any (msg: "tag"; flow:to_server; content: "Gecko/20100101 Firefox/"; http_user_agent; metadata: tag UA FIREFOX, color warning; sid: 3004;)
alert http any any -> $HOME_NET any (msg: "tag"; flow:to_server; content: "AppleWebKit/537.36 (KHTML, like Gecko) Chrome/"; http_user_agent; metadata: tag UA CHROME, color warning; sid: 3005;)
alert http any any -> $HOME_NET any (msg: "tag"; flow:to_server; content: "AppleWebKit/605.1.15 (KHTML, like Gecko) Version/"; http_user_agent; metadata: tag UA SAFARI, color warning; sid: 3006;)
alert http any any -> $HOME_NET any (msg: "tag"; flow:to_server; content: "nushell"; startswith; http_user_agent; metadata: tag UA NUSHELL, color warning; sid: 3007;)
alert http any any -> $HOME_NET any (msg: "tag"; flow:to_server; content: "Python/3."; startswith; http_user_agent; metadata: tag UA PY, color warning; sid: 3008;)
alert http any any -> any any (msg: "tag"; flow:to_server; content: "python-requests/"; startswith; http_user_agent; metadata: tag UA PYREQ, color warning; sid: 3001;)
alert http any any -> any any (msg: "tag"; flow:to_server; content: "python-httpx/"; startswith; http_user_agent; metadata: tag UA HTTPX, color warning; sid: 3002;)
alert http any any -> any any (msg: "tag"; flow:to_server; content: "HeadlessChrome/"; http_user_agent; metadata: tag UA HLCHROME, color warning; sid: 3003;)
alert http any any -> any any (msg: "tag"; flow:to_server; content: "Gecko/20100101 Firefox/"; http_user_agent; metadata: tag UA FIREFOX, color warning; sid: 3004;)
alert http any any -> any any (msg: "tag"; flow:to_server; content: "AppleWebKit/537.36 (KHTML, like Gecko) Chrome/"; http_user_agent; metadata: tag UA CHROME, color warning; sid: 3005;)
alert http any any -> any any (msg: "tag"; flow:to_server; content: "AppleWebKit/605.1.15 (KHTML, like Gecko) Version/"; http_user_agent; metadata: tag UA SAFARI, color warning; sid: 3006;)
alert http any any -> any any (msg: "tag"; flow:to_server; content: "nushell"; startswith; http_user_agent; metadata: tag UA NUSHELL, color warning; sid: 3007;)
alert http any any -> any any (msg: "tag"; flow:to_server; content: "Python/3."; startswith; http_user_agent; metadata: tag UA PY, color warning; sid: 3008;)

# Common exploit payloads (sid 4001-5000)
alert ip any any -> $HOME_NET any (msg: "Found Bash space bypass '${IFS}'"; flow:to_server; content: "|24 7b|IFS|7d|"; nocase; metadata: tag BASH IFS, color warning; sid: 4001;)
alert ip any any -> $HOME_NET any (msg: "Found Bash space bypass '$IFS'"; flow:to_server; content: "|24|IFS"; nocase; metadata: tag BASH IFS, color warning; sid: 4002;)
alert ip any any -> $HOME_NET any (msg: "Found LaTeX '\include{'"; flow:to_server; content: "|5c|include|7b|"; nocase; metadata: tag LATEX INC, color warning; sid: 4051;)
alert ip any any -> $HOME_NET any (msg: "Found LaTeX '\input{'"; flow:to_server; content: "|5c|input|7b|"; nocase; metadata: tag LATEX INPUT, color warning; sid: 4052;)
alert ip any any -> $HOME_NET any (msg: "Found LaTeX '\lstinputlisting{'"; flow:to_server; content: "|5c|lstinputlisting|7b|"; nocase; metadata: tag LATEX LST, color warning; sid: 4053;)
alert ip any any -> $HOME_NET any (msg: "Found LaTeX '\read\file'"; flow:to_server; content: "|5c|read|5c|file"; nocase; metadata: tag LATEX READ, color warning; sid: 4054;)
alert ip any any -> $HOME_NET any (msg: "Found LaTeX '\verbatiminput{'"; flow:to_server; content: "|5c|verbatiminput|7b|"; nocase; metadata: tag LATEX VERB, color warning; sid: 4055;)
alert ip any any -> $HOME_NET any (msg: "Found LaTeX '\write\outfile'"; flow:to_server; content: "|5c|write|5c|outfile"; nocase; metadata: tag LATEX WRITE, color warning; sid: 4056;)
alert ip any any -> $HOME_NET any (msg: "Found LDAP 'commonName='"; flow:to_server; content: "commonName|3d|"; metadata: tag LDAP FIELD, color warning; sid: 4101;)
alert ip any any -> $HOME_NET any (msg: "Found LDAP 'givenName='"; flow:to_server; content: "givenName|3d|"; metadata: tag LDAP FIELD, color warning; sid: 4102;)
alert ip any any -> $HOME_NET any (msg: "Found LDAP 'objectClass='"; flow:to_server; content: "objectClass|3d|"; metadata: tag LDAP FIELD, color warning; sid: 4103;)
alert ip any any -> $HOME_NET any (msg: "Found LDAP 'userPassword='"; flow:to_server; content: "userPassword|3d|"; metadata: tag LDAP FIELD, color warning; sid: 4104;)
alert ip any any -> $HOME_NET any (msg: "Found NodeJS serialized function '_$$ND_FUNC$$_'"; flow:to_server; content: "|5f 24 24|ND_FUNC|24 24 5f|"; nocase; metadata: tag NODEJS NDFUNC, color warning; sid: 4151;)
alert ip any any -> $HOME_NET any (msg: "Found path '/dev/'"; flow:to_server; content: "/dev/"; metadata: tag DEV PATH, color warning; sid: 4201;)
alert ip any any -> $HOME_NET any (msg: "Found path '/etc/'"; flow:to_server; content: "/etc/"; metadata: tag ETC PATH, color warning; sid: 4202;)
alert ip any any -> $HOME_NET any (msg: "Found path '/proc/'"; flow:to_server; content: "/proc/"; metadata: tag PROC PATH, color warning; sid: 4203;)
alert ip any any -> $HOME_NET any (msg: "Found path '/var/lib/'"; flow:to_server; content: "/var/lib/"; metadata: tag VARLIB PATH, color warning; sid: 4204;)
alert ip any any -> $HOME_NET any (msg: "Found path '/var/log/'"; flow:to_server; content: "/var/log/"; metadata: tag VARLOG PATH, color warning; sid: 4205;)
alert ip any any -> $HOME_NET any (msg: "Found path 'file://'"; flow:to_server; content: "file|3A|//"; nocase; metadata: tag FILE PATH, color warning; sid: 4206;)
alert ip any any -> $HOME_NET any (msg: "Found path 'gopher://'"; flow:to_server; content: "gopher|3A|//"; nocase; metadata: tag GOPHER PATH, color warning; sid: 4207;)
alert ip any any -> $HOME_NET any (msg: "Found path 'ldap://'"; flow:to_server; content: "ldap|3A|//"; nocase; metadata: tag LDAP PATH, color warning; sid: 4208;)
alert ip any any -> $HOME_NET any (msg: "Found path 'phar://'"; flow:to_server; content: "phar|3A|//"; nocase; metadata: tag PHAR PATH, color warning; sid: 4209;)
alert ip any any -> $HOME_NET any (msg: "Found path 'php://'"; flow:to_server; content: "php|3A|//"; nocase; metadata: tag PHP PATH, color warning; sid: 4210;)
alert ip any any -> $HOME_NET any (msg: "Found path 'tftp://'"; flow:to_server; content: "tftp|3A|//"; nocase; metadata: tag TFTP PATH, color warning; sid: 4211;)
alert ip any any -> $HOME_NET any (msg: "Found path 'zip://'"; flow:to_server; content: "zip|3A|//"; nocase; metadata: tag ZIP PATH, color warning; sid: 4212;)
alert ip any any -> $HOME_NET any (msg: "Found path traversal '../..'"; flow:to_server; content: "../.."; metadata: tag PATH TRAVERSAL, color warning; sid: 4213;)
alert ip any any -> $HOME_NET any (msg: "Found PHP '<?php' opening tag"; flow:to_server; content: "<?php"; nocase; metadata: tag PHP TAG, color warning; sid: 4251;)
alert ip any any -> $HOME_NET any (msg: "Found PHP '$_FILES'"; flow:to_server; content: "|24 5f|FILES"; nocase; metadata: tag PHP FILES, color warning; sid: 4252;)
alert ip any any -> $HOME_NET any (msg: "Found PHP '$_GET'"; flow:to_server; content: "|24 5f|GET"; nocase; metadata: tag PHP GET, color warning; sid: 4253;)
alert ip any any -> $HOME_NET any (msg: "Found PHP '$_POST'"; flow:to_server; content: "|24 5f|POST"; nocase; metadata: tag PHP POST, color warning; sid: 4254;)
alert ip any any -> $HOME_NET any (msg: "Found PHP 'echo system'"; flow:to_server; content: "echo system"; nocase; metadata: tag PHP SYSTEM, color warning; sid: 4255;)
alert ip any any -> $HOME_NET any (msg: "Found PHP 'file_get_contents' call"; flow:to_server; content: "file_get_contents"; nocase; metadata: tag PHP FGC, color warning; sid: 4256;)
alert ip any any -> $HOME_NET any (msg: "Found PHP 'halt_compiler' call"; flow:to_server; content: "halt_compiler"; nocase; metadata: tag PHP HC, color warning; sid: 4257;)
alert ip any any -> $HOME_NET any (msg: "Found XML '<!ENTITY'"; flow:to_server; content: "|3c 21|ENTITY"; nocase; metadata: tag XML ENTITY, color warning; sid: 4301;)
alert ip any any -> $HOME_NET any (msg: "Found XML '<!ENTITY' (base64)"; flow:to_server; content: "PCFFTlRJVF"; nocase; metadata: tag XML ENTITY, color warning; sid: 4302;)
alert ip any any -> any any (msg: "Found Bash space bypass '${IFS}'"; content: "|24 7b|IFS|7d|"; nocase; metadata: tag BASH IFS, color warning; sid: 4001;)
alert ip any any -> any any (msg: "Found Bash space bypass '$IFS'"; content: "|24|IFS"; nocase; metadata: tag BASH IFS, color warning; sid: 4002;)
alert ip any any -> any any (msg: "Found LaTeX '\include{'"; content: "|5c|include|7b|"; nocase; metadata: tag LATEX INC, color warning; sid: 4051;)
alert ip any any -> any any (msg: "Found LaTeX '\input{'"; content: "|5c|input|7b|"; nocase; metadata: tag LATEX INPUT, color warning; sid: 4052;)
alert ip any any -> any any (msg: "Found LaTeX '\lstinputlisting{'"; content: "|5c|lstinputlisting|7b|"; nocase; metadata: tag LATEX LST, color warning; sid: 4053;)
alert ip any any -> any any (msg: "Found LaTeX '\read\file'"; content: "|5c|read|5c|file"; nocase; metadata: tag LATEX READ, color warning; sid: 4054;)
alert ip any any -> any any (msg: "Found LaTeX '\verbatiminput{'"; content: "|5c|verbatiminput|7b|"; nocase; metadata: tag LATEX VERB, color warning; sid: 4055;)
alert ip any any -> any any (msg: "Found LaTeX '\write\outfile'"; content: "|5c|write|5c|outfile"; nocase; metadata: tag LATEX WRITE, color warning; sid: 4056;)
alert ip any any -> any any (msg: "Found LDAP 'commonName='"; content: "commonName|3d|"; metadata: tag LDAP FIELD, color warning; sid: 4101;)
alert ip any any -> any any (msg: "Found LDAP 'givenName='"; content: "givenName|3d|"; metadata: tag LDAP FIELD, color warning; sid: 4102;)
alert ip any any -> any any (msg: "Found LDAP 'objectClass='"; content: "objectClass|3d|"; metadata: tag LDAP FIELD, color warning; sid: 4103;)
alert ip any any -> any any (msg: "Found LDAP 'userPassword='"; content: "userPassword|3d|"; metadata: tag LDAP FIELD, color warning; sid: 4104;)
alert ip any any -> any any (msg: "Found NodeJS serialized function '_$$ND_FUNC$$_'"; content: "|5f 24 24|ND_FUNC|24 24 5f|"; nocase; metadata: tag NODEJS NDFUNC, color warning; sid: 4151;)
alert ip any any -> any any (msg: "Found path '/dev/'"; content: "/dev/"; metadata: tag DEV PATH, color warning; sid: 4201;)
alert ip any any -> any any (msg: "Found path '/etc/'"; content: "/etc/"; metadata: tag ETC PATH, color warning; sid: 4202;)
alert ip any any -> any any (msg: "Found path '/proc/'"; content: "/proc/"; metadata: tag PROC PATH, color warning; sid: 4203;)
alert ip any any -> any any (msg: "Found path '/var/lib/'"; content: "/var/lib/"; metadata: tag VARLIB PATH, color warning; sid: 4204;)
alert ip any any -> any any (msg: "Found path '/var/log/'"; content: "/var/log/"; metadata: tag VARLOG PATH, color warning; sid: 4205;)
alert ip any any -> any any (msg: "Found path 'file://'"; content: "file|3A|//"; nocase; metadata: tag FILE PATH, color warning; sid: 4206;)
alert ip any any -> any any (msg: "Found path 'gopher://'"; content: "gopher|3A|//"; nocase; metadata: tag GOPHER PATH, color warning; sid: 4207;)
alert ip any any -> any any (msg: "Found path 'ldap://'"; content: "ldap|3A|//"; nocase; metadata: tag LDAP PATH, color warning; sid: 4208;)
alert ip any any -> any any (msg: "Found path 'phar://'"; content: "phar|3A|//"; nocase; metadata: tag PHAR PATH, color warning; sid: 4209;)
alert ip any any -> any any (msg: "Found path 'php://'"; content: "php|3A|//"; nocase; metadata: tag PHP PATH, color warning; sid: 4210;)
alert ip any any -> any any (msg: "Found path 'tftp://'"; content: "tftp|3A|//"; nocase; metadata: tag TFTP PATH, color warning; sid: 4211;)
alert ip any any -> any any (msg: "Found path 'zip://'"; content: "zip|3A|//"; nocase; metadata: tag ZIP PATH, color warning; sid: 4212;)
alert ip any any -> any any (msg: "Found path traversal '../..'"; content: "../.."; metadata: tag PATH TRAVERSAL, color warning; sid: 4213;)
alert ip any any -> any any (msg: "Found PHP '<?php' opening tag"; content: "<?php"; nocase; metadata: tag PHP TAG, color warning; sid: 4251;)
alert ip any any -> any any (msg: "Found PHP '$_FILES'"; content: "|24 5f|FILES"; nocase; metadata: tag PHP FILES, color warning; sid: 4252;)
alert ip any any -> any any (msg: "Found PHP '$_GET'"; content: "|24 5f|GET"; nocase; metadata: tag PHP GET, color warning; sid: 4253;)
alert ip any any -> any any (msg: "Found PHP '$_POST'"; content: "|24 5f|POST"; nocase; metadata: tag PHP POST, color warning; sid: 4254;)
alert ip any any -> any any (msg: "Found PHP 'echo system'"; content: "echo system"; nocase; metadata: tag PHP SYSTEM, color warning; sid: 4255;)
alert ip any any -> any any (msg: "Found PHP 'file_get_contents' call"; content: "file_get_contents"; nocase; metadata: tag PHP FGC, color warning; sid: 4256;)
alert ip any any -> any any (msg: "Found PHP 'halt_compiler' call"; content: "halt_compiler"; nocase; metadata: tag PHP HC, color warning; sid: 4257;)
alert ip any any -> any any (msg: "Found XML '<!ENTITY'"; content: "|3c 21|ENTITY"; nocase; metadata: tag XML ENTITY, color warning; sid: 4301;)
alert ip any any -> any any (msg: "Found XML '<!ENTITY' (base64)"; content: "PCFFTlRJVF"; nocase; metadata: tag XML ENTITY, color warning; sid: 4302;)

# Common side-channel indicators
alert ip any any -> $HOME_NET any (msg: "tag"; flow.age:>10; flowbits: isnotset, slowflow; flowbits: set, slowflow; metadata: tag SLOW, color warning; sid: 5001;)
alert ip any any -> $HOME_NET any (msg: "Found TCP RST"; flow:to_server; flags: R+; metadata: tag RST, color warning; sid: 5002;)
alert ip any any -> any any (msg: "tag"; flow.age:>10; flowbits: isnotset, slowflow; flowbits: set, slowflow; metadata: tag SLOW, color warning; sid: 5001;)
alert ip any any -> any any (msg: "Found TCP RST"; flow:to_server; flags: R+; metadata: tag RST, color warning; sid: 5002;)
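Review bot: Besides widening the destination to `any`, the rewritten `alert ip` payload rules (sid 4001 through 4302) also drop `flow:to_server;`, which the HTTP user-agent rules (sid 3001–3008) and the RST rule (sid 5002) still keep, so those rules now fire on packets in either direction, including server responses that merely echo a string such as `/etc/` or `../..`. The commit title only mentions HOME_NET, so it is unclear whether the direction change is intended. If only the network scope was meant to change, keep `flow:to_server;` right after the `msg` option in each of those rules; if both directions are intended, a comment above the block such as `# Direction-agnostic: these fire on requests and responses, so expect matches on echoed content` would record that choice. Note also that sid 5001 (`flow.age:>10`) now tags any long-lived flow rather than only flows towards HOME_NET, which may be intended but will raise its volume on a busy sensor.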
