suricata/rules: add CINI base64 rule

ANSSI-FR · Jul 11, 2024 · b45c92c · b45c92c
1 parent 92a8fcd
commit b45c92c
Showing 1 changed file with 2 additions and 1 deletion.
diff --git a/suricata/rules/suricata.rules b/suricata/rules/suricata.rules
@@ -14,7 +14,8 @@ alert ip any any -> any any (msg: "A CINI flag (ECSC 2024) was sent to client";
 alert ip any any -> any any (msg: "A CINI flag (ECSC 2024) was sent to client"; flow:to_client; file.data; content: "="; pcre: "/([A-Z0-9]{31}=)/, flow:match"; distance: -32; metadata: tag FLAG SC, color danger; sid: 2;)
 alert ip any any -> any any (msg: "A CINI flag (ECSC 2024) was sent to client (hex)"; flow:to_client; content: "3d"; pcre: "/((?:[345][0-9a-f]){31}3d)/, flow:match"; distance: -64; metadata: tag FLAG SC HEX, color danger; sid: 3;)
 alert ip any any -> any any (msg: "A CINI flag (ECSC 2024) was sent to client (hex)"; flow:to_client; content: "3D"; pcre: "/((?:[345][0-9a-f]){31}3d)/, flow:match"; distance: -64; metadata: tag FLAG SC HEX, color danger; sid: 4;)
-alert ip any any -> any any (msg: "A CINI flag (ECSC 2024) was placed in our services (probably by checkers)"; flow:to_server; content: "="; pcre: "/([A-Z0-9]{31}=)/, flow:match"; distance: -32; metadata: tag FLAG CS, color warning; sid: 5;)
+alert ip any any -> any any (msg: "A CINI flag (ECSC 2024) was sent to client (base64)"; flow:to_client; content: "0="; pcre: "/((?:[MNOQ-W][DEFjkl01TUVz][014589ABEFIJMNQRUVYZcdghklopstwx][0-5B-Zawxyz]){10}[MNOQ-W][jDzT]0=)/, flow:match"; distance: -44; metadata: tag FLAG SC B64, color danger; sid: 5;)
+alert ip any any -> any any (msg: "A CINI flag (ECSC 2024) was placed in our services (probably by checkers)"; flow:to_server; content: "="; pcre: "/([A-Z0-9]{31}=)/, flow:match"; distance: -32; metadata: tag FLAG CS, color warning; sid: 6;)
 alert ip any any -> any any (msg: "A ECSC flag was sent to client"; flow:to_client; content: "ECSC_"; pcre: "/(ECSC_[A-Za-z0-9\/+]{32})/, flow:match"; distance: -5; metadata: tag FLAG SC, color danger; sid: 11;)
 alert ip any any -> any any (msg: "A ECSC flag was sent to client"; flow:to_client; file.data; content: "ECSC_"; pcre: "/(ECSC_[A-Za-z0-9\/+]{32})/, flow:match"; distance: -5; metadata: tag FLAG SC, color danger; sid: 12;)
 alert ip any any -> any any (msg: "A ECSC flag was sent to client (base64)"; flow:to_client; content: "RUNTQ1"; pcre: "/(RUNTQ1[A-Za-z0-9\/+]{44}==)/, flow:match"; distance: -6; metadata: tag FLAG SC B64, color danger; sid: 13;)