suricata/rules: add more SQL and HTTP rules

ANSSI-FR · Jul 12, 2024 · 9a495e5 · 9a495e5
1 parent 5906702
commit 9a495e5
Showing 1 changed file with 21 additions and 17 deletions.
diff --git a/suricata/rules/suricata.rules b/suricata/rules/suricata.rules
@@ -67,23 +67,25 @@ alert http any any -> any any (msg: "tag"; http.method; content: "TRACE"; starts
 alert http any any -> any any (msg: "tag"; http.method; content: "OPTIONS"; startswith; metadata: tag OPTIONS, color info; sid: 2006;)
 alert http any any -> any any (msg: "tag"; http.method; content: "CONNECT"; startswith; metadata: tag CONNECT, color info; sid: 2007;)
 alert http any any -> any any (msg: "tag"; http.method; content: "PATCH"; startswith; metadata: tag PATCH, color info; sid: 2008;)
-alert http any any -> any any (msg: "tag"; http.stat_code; content: "201"; startswith; metadata: tag 201, color info; sid: 2101;)
-alert http any any -> any any (msg: "tag"; http.stat_code; content: "202"; startswith; metadata: tag 202, color info; sid: 2102;)
-alert http any any -> any any (msg: "tag"; http.stat_code; content: "204"; startswith; metadata: tag 204, color info; sid: 2103;)
-alert http any any -> any any (msg: "tag"; http.stat_code; content: "301"; startswith; metadata: tag 301, color info; sid: 2104;)
-alert http any any -> any any (msg: "tag"; http.stat_code; content: "302"; startswith; metadata: tag 302, color info; sid: 2105;)
-alert http any any -> any any (msg: "tag"; http.stat_code; content: "304"; startswith; metadata: tag 304, color info; sid: 2106;)
-alert http any any -> any any (msg: "tag"; http.stat_code; content: "400"; startswith; metadata: tag 400, color info; sid: 2107;)
-alert http any any -> any any (msg: "tag"; http.stat_code; content: "401"; startswith; metadata: tag 401, color info; sid: 2108;)
-alert http any any -> any any (msg: "tag"; http.stat_code; content: "403"; startswith; metadata: tag 403, color info; sid: 2109;)
-alert http any any -> any any (msg: "tag"; http.stat_code; content: "404"; startswith; metadata: tag 404, color info; sid: 2110;)
-alert http any any -> any any (msg: "tag"; http.stat_code; content: "405"; startswith; metadata: tag 405, color info; sid: 2111;)
-alert http any any -> any any (msg: "tag"; http.stat_code; content: "408"; startswith; metadata: tag 408, color info; sid: 2112;)
-alert http any any -> any any (msg: "tag"; http.stat_code; content: "500"; startswith; metadata: tag 500, color info; sid: 2113;)
-alert http any any -> any any (msg: "tag"; http.stat_code; content: "501"; startswith; metadata: tag 501, color info; sid: 2114;)
-alert http any any -> any any (msg: "tag"; http.stat_code; content: "502"; startswith; metadata: tag 502, color info; sid: 2115;)
-alert http any any -> any any (msg: "tag"; http.stat_code; content: "503"; startswith; metadata: tag 503, color info; sid: 2116;)
-alert http any any -> any any (msg: "tag"; http.stat_code; content: "504"; startswith; metadata: tag 504, color info; sid: 2117;)
+alert http any any -> any any (msg: "tag"; http.stat_code; content: "101"; startswith; metadata: tag 101, color info; sid: 2101;)
+alert http any any -> any any (msg: "tag"; http.stat_code; content: "201"; startswith; metadata: tag 201, color info; sid: 2102;)
+alert http any any -> any any (msg: "tag"; http.stat_code; content: "202"; startswith; metadata: tag 202, color info; sid: 2103;)
+alert http any any -> any any (msg: "tag"; http.stat_code; content: "204"; startswith; metadata: tag 204, color info; sid: 2104;)
+alert http any any -> any any (msg: "tag"; http.stat_code; content: "301"; startswith; metadata: tag 301, color info; sid: 2105;)
+alert http any any -> any any (msg: "tag"; http.stat_code; content: "302"; startswith; metadata: tag 302, color info; sid: 2106;)
+alert http any any -> any any (msg: "tag"; http.stat_code; content: "303"; startswith; metadata: tag 303, color info; sid: 2107;)
+alert http any any -> any any (msg: "tag"; http.stat_code; content: "304"; startswith; metadata: tag 304, color info; sid: 2108;)
+alert http any any -> any any (msg: "tag"; http.stat_code; content: "400"; startswith; metadata: tag 400, color info; sid: 2109;)
+alert http any any -> any any (msg: "tag"; http.stat_code; content: "401"; startswith; metadata: tag 401, color info; sid: 2110;)
+alert http any any -> any any (msg: "tag"; http.stat_code; content: "403"; startswith; metadata: tag 403, color info; sid: 2111;)
+alert http any any -> any any (msg: "tag"; http.stat_code; content: "404"; startswith; metadata: tag 404, color info; sid: 2112;)
+alert http any any -> any any (msg: "tag"; http.stat_code; content: "405"; startswith; metadata: tag 405, color info; sid: 2113;)
+alert http any any -> any any (msg: "tag"; http.stat_code; content: "408"; startswith; metadata: tag 408, color info; sid: 2114;)
+alert http any any -> any any (msg: "tag"; http.stat_code; content: "500"; startswith; metadata: tag 500, color info; sid: 2115;)
+alert http any any -> any any (msg: "tag"; http.stat_code; content: "501"; startswith; metadata: tag 501, color info; sid: 2116;)
+alert http any any -> any any (msg: "tag"; http.stat_code; content: "502"; startswith; metadata: tag 502, color info; sid: 2117;)
+alert http any any -> any any (msg: "tag"; http.stat_code; content: "503"; startswith; metadata: tag 503, color info; sid: 2118;)
+alert http any any -> any any (msg: "tag"; http.stat_code; content: "504"; startswith; metadata: tag 504, color info; sid: 2119;)
 
 # Identify user agents and some common response messages (sid 3001-4000)
 alert http any any -> any any (msg: "tag"; flow:to_server; content: "python-requests/"; startswith; http_user_agent; metadata: tag UA PYREQ, color info; sid: 3001;)
@@ -136,6 +138,8 @@ alert ip any any -> any any (msg: "Found SQL 'regexp_count'"; content: "regexp_c
 alert ip any any -> any any (msg: "Found SQL ' LIMIT 1'"; content: " LIMIT 1"; nocase; metadata: tag SQL LIM1, color warning; sid: 4303;)
 alert ip any any -> any any (msg: "Found SQL '::bytea'"; content: "|3A 3A|bytea"; nocase; metadata: tag SQL BYTEA, color warning; sid: 4304;)
 alert ip any any -> any any (msg: "Found SQL 'CAST(. as bytea)'"; content: "CAST("; content: " as bytea)"; nocase; metadata: tag SQL CAST, color warning; sid: 4305;)
+alert ip any any -> any any (msg: "Found SQL 'COALESCE('"; content: "COALESCE("; nocase; metadata: tag SQL COAL, color warning; sid: 4306;)
+alert ip any any -> any any (msg: "Found SQL 'VARCHAR('"; content: "VARCHAR("; nocase; metadata: tag SQL VARC, color warning; sid: 4307;)
 alert ip any any -> any any (msg: "Found XML '<!ENTITY'"; content: "|3c 21|ENTITY"; nocase; metadata: tag XML ENTITY, color warning; sid: 4401;)
 alert ip any any -> any any (msg: "Found XML '<!ENTITY' (base64)"; content: "PCFFTlRJVF"; nocase; metadata: tag XML ENTITY, color warning; sid: 4402;)