From 9a495e5b6666242877603b3d887b14c4904a5311 Mon Sep 17 00:00:00 2001
From: aiooss-anssi
Date: Fri, 12 Jul 2024 21:58:29 +0200
Subject: [PATCH] suricata/rules: add more SQL and HTTP rules
---
 suricata/rules/suricata.rules | 38 +++++++++++++++++++----------------
 1 file changed, 21 insertions(+), 17 deletions(-)
diff --git a/suricata/rules/suricata.rules b/suricata/rules/suricata.rules
index 27e3bbc..8b0f14a 100644
--- a/suricata/rules/suricata.rules
+++ b/suricata/rules/suricata.rules
@@ -67,23 +67,25 @@ alert http any any -> any any (msg: "tag"; http.method; content: "TRACE"; starts
 alert http any any -> any any (msg: "tag"; http.method; content: "OPTIONS"; startswith; metadata: tag OPTIONS, color info; sid: 2006;)
 alert http any any -> any any (msg: "tag"; http.method; content: "CONNECT"; startswith; metadata: tag CONNECT, color info; sid: 2007;)
 alert http any any -> any any (msg: "tag"; http.method; content: "PATCH"; startswith; metadata: tag PATCH, color info; sid: 2008;)
-alert http any any -> any any (msg: "tag"; http.stat_code; content: "201"; startswith; metadata: tag 201, color info; sid: 2101;)
-alert http any any -> any any (msg: "tag"; http.stat_code; content: "202"; startswith; metadata: tag 202, color info; sid: 2102;)
-alert http any any -> any any (msg: "tag"; http.stat_code; content: "204"; startswith; metadata: tag 204, color info; sid: 2103;)
-alert http any any -> any any (msg: "tag"; http.stat_code; content: "301"; startswith; metadata: tag 301, color info; sid: 2104;)
-alert http any any -> any any (msg: "tag"; http.stat_code; content: "302"; startswith; metadata: tag 302, color info; sid: 2105;)
-alert http any any -> any any (msg: "tag"; http.stat_code; content: "304"; startswith; metadata: tag 304, color info; sid: 2106;)
-alert http any any -> any any (msg: "tag"; http.stat_code; content: "400"; startswith; metadata: tag 400, color info; sid: 2107;)
-alert http any any -> any any (msg: "tag"; http.stat_code; content: "401"; startswith; metadata: tag 401, color info; sid: 2108;)
-alert http any any -> any any (msg: "tag"; http.stat_code; content: "403"; startswith; metadata: tag 403, color info; sid: 2109;)
-alert http any any -> any any (msg: "tag"; http.stat_code; content: "404"; startswith; metadata: tag 404, color info; sid: 2110;)
-alert http any any -> any any (msg: "tag"; http.stat_code; content: "405"; startswith; metadata: tag 405, color info; sid: 2111;)
-alert http any any -> any any (msg: "tag"; http.stat_code; content: "408"; startswith; metadata: tag 408, color info; sid: 2112;)
-alert http any any -> any any (msg: "tag"; http.stat_code; content: "500"; startswith; metadata: tag 500, color info; sid: 2113;)
-alert http any any -> any any (msg: "tag"; http.stat_code; content: "501"; startswith; metadata: tag 501, color info; sid: 2114;)
-alert http any any -> any any (msg: "tag"; http.stat_code; content: "502"; startswith; metadata: tag 502, color info; sid: 2115;)
-alert http any any -> any any (msg: "tag"; http.stat_code; content: "503"; startswith; metadata: tag 503, color info; sid: 2116;)
-alert http any any -> any any (msg: "tag"; http.stat_code; content: "504"; startswith; metadata: tag 504, color info; sid: 2117;)
+alert http any any -> any any (msg: "tag"; http.stat_code; content: "101"; startswith; metadata: tag 101, color info; sid: 2101;)
+alert http any any -> any any (msg: "tag"; http.stat_code; content: "201"; startswith; metadata: tag 201, color info; sid: 2102;)
+alert http any any -> any any (msg: "tag"; http.stat_code; content: "202"; startswith; metadata: tag 202, color info; sid: 2103;)
+alert http any any -> any any (msg: "tag"; http.stat_code; content: "204"; startswith; metadata: tag 204, color info; sid: 2104;)
+alert http any any -> any any (msg: "tag"; http.stat_code; content: "301"; startswith; metadata: tag 301, color info; sid: 2105;)
+alert http any any -> any any (msg: "tag"; http.stat_code; content: "302"; startswith; metadata: tag 302, color info; sid: 2106;)
+alert http any any -> any any (msg: "tag"; http.stat_code; content: "303"; startswith; metadata: tag 303, color info; sid: 2107;)
+alert http any any -> any any (msg: "tag"; http.stat_code; content: "304"; startswith; metadata: tag 304, color info; sid: 2108;)
+alert http any any -> any any (msg: "tag"; http.stat_code; content: "400"; startswith; metadata: tag 400, color info; sid: 2109;)
+alert http any any -> any any (msg: "tag"; http.stat_code; content: "401"; startswith; metadata: tag 401, color info; sid: 2110;)
+alert http any any -> any any (msg: "tag"; http.stat_code; content: "403"; startswith; metadata: tag 403, color info; sid: 2111;)
+alert http any any -> any any (msg: "tag"; http.stat_code; content: "404"; startswith; metadata: tag 404, color info; sid: 2112;)
+alert http any any -> any any (msg: "tag"; http.stat_code; content: "405"; startswith; metadata: tag 405, color info; sid: 2113;)
+alert http any any -> any any (msg: "tag"; http.stat_code; content: "408"; startswith; metadata: tag 408, color info; sid: 2114;)
+alert http any any -> any any (msg: "tag"; http.stat_code; content: "500"; startswith; metadata: tag 500, color info; sid: 2115;)
+alert http any any -> any any (msg: "tag"; http.stat_code; content: "501"; startswith; metadata: tag 501, color info; sid: 2116;)
+alert http any any -> any any (msg: "tag"; http.stat_code; content: "502"; startswith; metadata: tag 502, color info; sid: 2117;)
+alert http any any -> any any (msg: "tag"; http.stat_code; content: "503"; startswith; metadata: tag 503, color info; sid: 2118;)
+alert http any any -> any any (msg: "tag"; http.stat_code; content: "504"; startswith; metadata: tag 504, color info; sid: 2119;)
 # Identify user agents and some common response messages (sid 3001-4000)
 alert http any any -> any any (msg: "tag"; flow:to_server; content: "python-requests/"; startswith; http_user_agent; metadata: tag UA PYREQ, color info; sid: 3001;)
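Review bot: Inserting the 101 and 303 rules renumbers every existing status-code rule (201 moves from sid 2101 to 2102, and so on up to 504 moving from 2117 to 2119), so the sid no longer identifies the same rule across versions; any threshold/suppress entry, stored alert, or downstream tooling keyed on sid 2101 silently changes meaning from "201" to "101". Signature ids are meant to be stable: append the new codes at the end of the range instead and leave the existing seventeen rules untouched, e.g. `alert http any any -> any any (msg: "tag"; http.stat_code; content: "101"; startswith; metadata: tag 101, color info; sid: 2118;)` and `alert http any any -> any any (msg: "tag"; http.stat_code; content: "303"; startswith; metadata: tag 303, color info; sid: 2119;)`. If renumbering is really intended, each touched rule should at least carry a `rev:` keyword so the change is visible to rule-management tooling; none of the rules in this hunk has one. Separately, `msg: "tag"` is identical on all of these rules, so the alert message itself carries no information and readers must go to `metadata` to see which status code fired.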
@@ -136,6 +138,8 @@ alert ip any any -> any any (msg: "Found SQL 'regexp_count'"; content: "regexp_c
 alert ip any any -> any any (msg: "Found SQL ' LIMIT 1'"; content: " LIMIT 1"; nocase; metadata: tag SQL LIM1, color warning; sid: 4303;)
 alert ip any any -> any any (msg: "Found SQL '::bytea'"; content: "|3A 3A|bytea"; nocase; metadata: tag SQL BYTEA, color warning; sid: 4304;)
 alert ip any any -> any any (msg: "Found SQL 'CAST(. as bytea)'"; content: "CAST("; content: " as bytea)"; nocase; metadata: tag SQL CAST, color warning; sid: 4305;)
+alert ip any any -> any any (msg: "Found SQL 'COALESCE('"; content: "COALESCE("; nocase; metadata: tag SQL COAL, color warning; sid: 4306;)
+alert ip any any -> any any (msg: "Found SQL 'VARCHAR('"; content: "VARCHAR("; nocase; metadata: tag SQL VARC, color warning; sid: 4307;)
 alert ip any any -> any any (msg: "Found XML ' any any (msg: "Found XML '