From f81d9793c4e6764992294706908917c2f0cf10cc Mon Sep 17 00:00:00 2001
From: aiooss-anssi
Date: Sat, 7 Sep 2024 22:58:03 +0200
Subject: [PATCH] suricata/rules: don't drop SQL queries between containers

---
 suricata/rules/suricata.rules | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/suricata/rules/suricata.rules b/suricata/rules/suricata.rules
index 4617108..8c21e8b 100644
--- a/suricata/rules/suricata.rules
+++ b/suricata/rules/suricata.rules
@@ -164,11 +164,11 @@ rejectboth ip any any -> any any (msg: "Found PHP '$_POST'"; flow:to_server; con
 rejectboth ip any any -> any any (msg: "Found PHP 'echo system'"; flow:to_server; content: "echo system"; nocase; metadata: tag PHP system(), color warning; sid: 4305;)
 rejectboth ip any any -> any any (msg: "Found PHP 'file_get_contents' call"; flow:to_server; content: "file_get_contents"; nocase; metadata: tag PHP f_g_c(), color warning; sid: 4306;)
 rejectboth ip any any -> any any (msg: "Found PHP 'halt_compiler' call"; flow:to_server; content: "halt_compiler"; nocase; metadata: tag PHP h_c(), color warning; sid: 4307;)
-rejectboth ip any any -> any any (msg: "Found SQL 'SELECT . FROM '"; flow:to_server; content: "SELECT "; nocase; content: " FROM "; nocase; within: 256; metadata: tag SQL SELECT, color warning; sid: 4351;)
+alert ip any any -> any any (msg: "Found SQL 'SELECT . FROM '"; flow:to_server; content: "SELECT "; nocase; content: " FROM "; nocase; within: 256; metadata: tag SQL SELECT, color warning; sid: 4351;)
 rejectboth ip any any -> any any (msg: "Found SQL 'SELECT . FROM ' (URL encoded)"; flow:to_server; content: "SELECT+"; nocase; content: "+FROM+"; nocase; within: 256; metadata: tag SQL SELECT, color warning; sid: 4352;)
 rejectboth ip any any -> any any (msg: "Found SQL 'array_to_string'"; flow:to_server; content: "array_to_string"; nocase; metadata: tag SQL A2S, color warning; sid: 4353;)
 rejectboth ip any any -> any any (msg: "Found SQL 'regexp_count'"; flow:to_server; content: "regexp_count"; nocase; metadata: tag SQL REGC, color warning; sid: 4354;)
-rejectboth ip any any -> any any (msg: "Found SQL ' LIMIT 1'"; flow:to_server; content: " LIMIT 1"; nocase; metadata: tag SQL LIM1, color warning; sid: 4355;)
+alert ip any any -> any any (msg: "Found SQL ' LIMIT 1'"; flow:to_server; content: " LIMIT 1"; nocase; metadata: tag SQL LIM1, color warning; sid: 4355;)
 rejectboth ip any any -> any any (msg: "Found SQL ' LIMIT 1' (URL encoded)"; flow:to_server; content: "+LIMIT+1"; nocase; metadata: tag SQL LIM1, color warning; sid: 4356;)
 rejectboth ip any any -> any any (msg: "Found SQL '::bytea'"; flow:to_server; content: "|3A 3A|bytea"; nocase; metadata: tag SQL BYTEA, color warning; sid: 4357;)
 rejectboth ip any any -> any any (msg: "Found SQL 'CAST(. as bytea)'"; flow:to_server; content: "CAST("; content: " as bytea)"; nocase; metadata: tag SQL CAST, color warning; sid: 4358;)
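Review bot: The downgrade of sid 4351 and sid 4355 from rejectboth to alert applies to every flow the `ip any any -> any any` header matches, not only to traffic between containers, so a SELECT … FROM or ' LIMIT 1' payload arriving from outside the container network is now merely logged where it was rejected before. If the intent stated in the subject is limited to inter-container traffic, scope the relaxation with an address group instead of the action: keep the rejectboth rule with a negated source such as `!$CONTAINER_NET` (placeholder; define the group under vars.address-groups in suricata.yaml) and add the alert variant for flows sourced from that group under a new sid. The URL-encoded siblings sid 4352 and sid 4356 keep rejectboth, which fits that reading but deserves a short comment in the rule file so the asymmetry is not mistaken for an oversight. Changing the action of an existing sid conventionally also bumps its revision; these rules carry no rev keyword, so adding `rev: 2;` to the two modified rules would let rule-update tooling and alert consumers see that the signature changed.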