From dacc92a53d6100a0b75a6d6e7a223efdff722d51 Mon Sep 17 00:00:00 2001
From: aiooss-anssi <alexandre.iooss@ssi.gouv.fr>
Date: Mon, 9 Sep 2024 14:13:19 +0200
Subject: [PATCH] suricata/rules: add rule to detect >1kB packets

---
 suricata/rules/suricata.rules | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/suricata/rules/suricata.rules b/suricata/rules/suricata.rules
index 42fea53..f8ab173 100644
--- a/suricata/rules/suricata.rules
+++ b/suricata/rules/suricata.rules
@@ -183,8 +183,9 @@ rejectboth ip any any -> any any (msg: "Found XML '<!ENTITY' (base64)"; flow:to_
 rejectboth ip any any -> any any (msg: "Found XML '<!ENTITY' (base64)"; flow:to_server; content: "8IUVOVElUW"; nocase; metadata: tag <!ENTITY, color warning; sid: 4506;)
 
 # Common indicators, but might cause false positives
-alert ip any any -> any any (msg: "tag"; flow:established,to_server; flow.age:>10; flowbits: isnotset, slowflow; flowbits: set, slowflow; metadata: tag Slow, color warning; sid: 5001;)
-alert ip any any -> any any (msg: "Found TCP RST"; flow:to_server; flags: R+; metadata: tag RST, color warning; sid: 5002;)
+alert ip any any -> any any (msg: "tag"; flow:established; flow.age:>10; flowbits: isnotset, slowflow; flowbits: set, slowflow; metadata: tag Slow, color warning; sid: 5001;)
+alert ip any any -> any any (msg: "tag"; flow:established; dsize:1024; metadata: tag BIG, color warning; sid: 5002;)
+alert ip any any -> any any (msg: "Found TCP RST"; flow:to_server; flags: R+; metadata: tag RST, color warning; sid: 5003;)
 alert ip any any -> any any (msg: "Found path '/bin/'"; flow:to_server; content: "/bin/"; metadata: tag /bin/, color warning; sid: 5101;)
 alert ip any any -> any any (msg: "Found path '/bin/' (URL encoded)"; flow:to_server; content: "%2Fbin%2F"; metadata: tag /bin/, color warning; sid: 5102;)
 alert ip any any -> any any (msg: "Found path '/etc/'"; flow:to_server; content: "/etc/"; metadata: tag /etc/, color warning; sid: 5103;)