+requires:
+ min-version: 8
+
pcap: ../../tls/tls-random/input.pcap
args:
+requires:
+ min-version: 8
+
pcap: ../../tls/tls-random/input.pcap
args:
+requires:
+ min-version: 8
+
pcap: ../../tls/tls-random/input.pcap
args:
+requires:
+ min-version: 8
+
pcap: ../../bug-2646-01/input.pcap
args:
+requires:
+ min-version: 8
+
pcap: ../../bug-2646-01/input.pcap
args:
--- /dev/null
+accept:flow tcp:flow_start any any -> any 443 (flow:to_server; sid:1;)
+drop:flow tcp:flow_start any any -> any any (sid:2;)
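Review bot: Neither rule carries a comment, so a reader has to work out from the accompanying test.yaml that sid 1 is the only accept path and sid 2 the catch-all, and that neither is expected to produce an alert event. Above sid 1 add `# accept client-to-server TCP flows to 443 at flow start; no alert keyword, the test expects no alert events` and above sid 2 add `# every other TCP flow is dropped at flow start`. With that, the 0 alert / 0 drop / 1 tls expectations in the test are self-explaining.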
--- /dev/null
+%YAML 1.1
+---
+
+vars:
+ # more specific is better for alert accuracy and performance
+ address-groups:
+ HOME_NET: "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]"
+ #HOME_NET: "[192.168.0.0/16]"
+ #HOME_NET: "[10.0.0.0/8]"
+ #HOME_NET: "[172.16.0.0/12]"
+ #HOME_NET: "any"
+
+ EXTERNAL_NET: "!$HOME_NET"
+ #EXTERNAL_NET: "any"
+
+ HTTP_SERVERS: "$HOME_NET"
+ SMTP_SERVERS: "$HOME_NET"
+ SQL_SERVERS: "$HOME_NET"
+ DNS_SERVERS: "$HOME_NET"
+ TELNET_SERVERS: "$HOME_NET"
+ AIM_SERVERS: "$EXTERNAL_NET"
+ DC_SERVERS: "$HOME_NET"
+ DNP3_SERVER: "$HOME_NET"
+ DNP3_CLIENT: "$HOME_NET"
+ MODBUS_CLIENT: "$HOME_NET"
+ MODBUS_SERVER: "$HOME_NET"
+ ENIP_CLIENT: "$HOME_NET"
+ ENIP_SERVER: "$HOME_NET"
+
+ port-groups:
+ HTTP_PORTS: "80"
+ SHELLCODE_PORTS: "!80"
+ ORACLE_PORTS: 1521
+ SSH_PORTS: 22
+ DNP3_PORTS: 20000
+ MODBUS_PORTS: 502
+ FILE_DATA_PORTS: "[$HTTP_PORTS,110,143]"
+ FTP_PORTS: 21
+ GENEVE_PORTS: 6081
+ VXLAN_PORTS: 4789
+ TEREDO_PORTS: 3544
+ SIP_PORTS: "[5060, 5061]"
+
+# Global stats configuration
+stats:
+ enabled: yes
+ interval: 8
+
+# Configure the type of alert (and other) logging you would like.
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
+ filename: eve.json
+ types:
+ - stats
+ - flow
+ - alert
+ - tls:
+ extended: yes # enable this for extended logging information
+ - drop:
+ alerts: yes # log alerts that caused drops
+ flows: all # start or all: 'start' logs only a single drop
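Review bot: The inline comments in this config (`filetype: regular #regular|…`, `extended: yes # enable …`, `alerts: yes # log …`, `flows: all # start …`) and the commented-out alternatives (`#HOME_NET: …`, `#EXTERNAL_NET: …`) do not follow the usual `# ` form with two spaces before an inline comment, which is what yamllint's `comments` rule checks, e.g. `filetype: regular  # regular|syslog|unix_dgram|unix_stream|redis`. This is purely a style point, but the same copy of the file is added once per test in this series, so whichever form is chosen should be applied to every copy.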
--- /dev/null
+requires:
+ min-version: 8
+
+pcap: ../../tls/tls-random/input.pcap
+
+args:
+ - --simulate-ips
+
+checks:
+- filter:
+ count: 0
+ match:
+ event_type: alert
+- filter:
+ count: 0
+ match:
+ event_type: drop
+- filter:
+ count: 1
+ match:
+ event_type: tls
+ tls.subject: C=FR, ST=IDF, L=Paris, O=Stamus, CN=SELKS
--- /dev/null
+accept:flow tcp:flow_start any any -> any 80 (flow:to_server; alert; sid:1;)
+drop:flow tcp:flow_start any any -> any any (sid:2;)
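Review bot: Port 80 in sid 1 appears to be chosen so that the 443 traffic of the test pcap never matches the accept rule and falls through to sid 2, but nothing in the file says so, and a later reader may well "correct" it to 443 and silently invert the test. Add `# deliberately does not match the 443 test traffic, so sid 2 drops the flow and alerts` above sid 1.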
--- /dev/null
+%YAML 1.1
+---
+
+vars:
+ # more specific is better for alert accuracy and performance
+ address-groups:
+ HOME_NET: "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]"
+ #HOME_NET: "[192.168.0.0/16]"
+ #HOME_NET: "[10.0.0.0/8]"
+ #HOME_NET: "[172.16.0.0/12]"
+ #HOME_NET: "any"
+
+ EXTERNAL_NET: "!$HOME_NET"
+ #EXTERNAL_NET: "any"
+
+ HTTP_SERVERS: "$HOME_NET"
+ SMTP_SERVERS: "$HOME_NET"
+ SQL_SERVERS: "$HOME_NET"
+ DNS_SERVERS: "$HOME_NET"
+ TELNET_SERVERS: "$HOME_NET"
+ AIM_SERVERS: "$EXTERNAL_NET"
+ DC_SERVERS: "$HOME_NET"
+ DNP3_SERVER: "$HOME_NET"
+ DNP3_CLIENT: "$HOME_NET"
+ MODBUS_CLIENT: "$HOME_NET"
+ MODBUS_SERVER: "$HOME_NET"
+ ENIP_CLIENT: "$HOME_NET"
+ ENIP_SERVER: "$HOME_NET"
+
+ port-groups:
+ HTTP_PORTS: "80"
+ SHELLCODE_PORTS: "!80"
+ ORACLE_PORTS: 1521
+ SSH_PORTS: 22
+ DNP3_PORTS: 20000
+ MODBUS_PORTS: 502
+ FILE_DATA_PORTS: "[$HTTP_PORTS,110,143]"
+ FTP_PORTS: 21
+ GENEVE_PORTS: 6081
+ VXLAN_PORTS: 4789
+ TEREDO_PORTS: 3544
+ SIP_PORTS: "[5060, 5061]"
+
+# Global stats configuration
+stats:
+ enabled: yes
+ interval: 8
+
+# Configure the type of alert (and other) logging you would like.
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
+ filename: eve.json
+ types:
+ - stats
+ - flow
+ - alert
+ - tls:
+ extended: yes # enable this for extended logging information
+ - drop:
+ alerts: yes # log alerts that caused drops
+ flows: all # start or all: 'start' logs only a single drop
--- /dev/null
+requires:
+ min-version: 8
+
+pcap: ../../tls/tls-random/input.pcap
+
+args:
+ - --simulate-ips
+
+checks:
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.action: blocked
+- filter:
+ count: 13
+ match:
+ event_type: drop
+- filter:
+ count: 0
+ match:
+ event_type: tls
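Review bot: The first filter asserts exactly one alert with `alert.action: blocked` but does not pin which signature raised it, so a future rule that both alerts and drops could satisfy the check for the wrong reason. Add `alert.signature_id: 2` beneath `event_type: alert` in that filter; if the two-rule file added just before this test's suricata.yaml is the one loaded here, sid 2 is the only drop rule and the expectation becomes unambiguous.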
--- /dev/null
+accept:flow icmp:flow_start $HOME_NET any -> $HOME_NET any (itype:8; msg:"Ping!"; alert; sid:101;)
+
+drop:flow tls:client_hello_done $HOME_NET any -> 172.16.0.0/12 any (ja3.hash; content:"e7eca2baf4458d095b7f45da28c16c34"; msg:"Drop naughty JA3"; sid:102;)
+
+drop:flow tls:server_hello_done $HOME_NET any -> $EXTERNAL_NET any (tls.version:1.0; msg:"TLS 1.0 not allowed"; sid:103;)
+
+accept:flow tls:client_hello_done $HOME_NET any -> $EXTERNAL_NET any (tls.sni; content:"www.google.com"; sid:104; alert;)
+
+# Implicit drop all else
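Review bot: Sid 102 drops to `172.16.0.0/12`, which lies inside the `HOME_NET` group (`[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]`) of the accompanying suricata.yaml, so unlike the otherwise identical rule in the later fw rules files, which target `$EXTERNAL_NET`, it only covers internal-to-internal TLS. The pcap for this test is an ICMP ping, so the difference is not exercised, but it should either be aligned with the other copies or explained with a comment such as `# internal destinations only; intentionally narrower than the other tests`. The closing `# Implicit drop all else` is also the only place this series does not use the `# default drop` wording, which makes grepping for the default-policy marker harder.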
--- /dev/null
+%YAML 1.1
+---
+
+vars:
+ # more specific is better for alert accuracy and performance
+ address-groups:
+ HOME_NET: "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]"
+ #HOME_NET: "[192.168.0.0/16]"
+ #HOME_NET: "[10.0.0.0/8]"
+ #HOME_NET: "[172.16.0.0/12]"
+ #HOME_NET: "any"
+
+ EXTERNAL_NET: "!$HOME_NET"
+ #EXTERNAL_NET: "any"
+
+ HTTP_SERVERS: "$HOME_NET"
+ SMTP_SERVERS: "$HOME_NET"
+ SQL_SERVERS: "$HOME_NET"
+ DNS_SERVERS: "$HOME_NET"
+ TELNET_SERVERS: "$HOME_NET"
+ AIM_SERVERS: "$EXTERNAL_NET"
+ DC_SERVERS: "$HOME_NET"
+ DNP3_SERVER: "$HOME_NET"
+ DNP3_CLIENT: "$HOME_NET"
+ MODBUS_CLIENT: "$HOME_NET"
+ MODBUS_SERVER: "$HOME_NET"
+ ENIP_CLIENT: "$HOME_NET"
+ ENIP_SERVER: "$HOME_NET"
+
+ port-groups:
+ HTTP_PORTS: "80"
+ SHELLCODE_PORTS: "!80"
+ ORACLE_PORTS: 1521
+ SSH_PORTS: 22
+ DNP3_PORTS: 20000
+ MODBUS_PORTS: 502
+ FILE_DATA_PORTS: "[$HTTP_PORTS,110,143]"
+ FTP_PORTS: 21
+ GENEVE_PORTS: 6081
+ VXLAN_PORTS: 4789
+ TEREDO_PORTS: 3544
+ SIP_PORTS: "[5060, 5061]"
+
+# Global stats configuration
+stats:
+ enabled: yes
+ interval: 8
+
+# Configure the type of alert (and other) logging you would like.
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
+ filename: eve.json
+ types:
+ - stats
+ - flow
+ - alert
+ - tls:
+ extended: yes # enable this for extended logging information
+ - drop:
+ alerts: yes # log alerts that caused drops
+ flows: all # start or all: 'start' logs only a single drop
--- /dev/null
+requires:
+ min-version: 8
+ features:
+ - HAVE_JA3
+
+pcap: ../../detect-itype-prefilter/icmpv4-ping.pcap
+
+args:
+ - --simulate-ips
+
+checks:
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 101
+- filter:
+ count: 0
+ match:
+ event_type: drop
+- filter:
+ count: 1
+ match:
+ event_type: flow
+ flow.pkts_toserver: 75
+ flow.pkts_toclient: 75
+ flow.state: "established"
+ flow.alerted: true
+ flow.action: "accept"
+- filter:
+ count: 1
+ match:
+ event_type: stats
+ stats.ips.accepted: 150
+ stats.ips.blocked: 0
--- /dev/null
+# Packet rules
+
+# accept outgoing ping and the returning pongs
+accept:flow icmp:flow_start $HOME_NET any -> $HOME_NET any (itype:8; msg:"Ping!"; alert; sid:1011;)
+# allow session setup
+accept:packet tcp:all $HOME_NET any <> $EXTERNAL_NET 443 (flow:not_established; alert; sid:1021;)
+# some exception test
+accept:flow tcp:all $HOME_NET any <> 1.2.3.4 443 (flow:established; alert; sid:1022;)
+
+# pass rest of the flow to
+accept:hook tcp:all $HOME_NET any <> $EXTERNAL_NET 443 (flow:established; alert; sid:1023;)
+
+# default drop
+
+
+
+
+# App-layer rules
+
+# deny list some hash
+drop:flow tls:client_hello_done $HOME_NET any -> $EXTERNAL_NET any (ja3.hash; content:"e7eca2baf4458d095b7f45da28c16c34"; msg:"Drop naughty JA3"; sid:102;)
+# Disallow TLS v1.0 to some destinations.
+drop:flow tls:server_hello_done $HOME_NET any -> $EXTERNAL_NET any (tls.version:1.0; msg:"TLS 1.0 not allowed"; sid:103;)
+
+accept:flow tls:client_hello_done $HOME_NET any -> $EXTERNAL_NET any (tls.sni; content:"www.google.com"; sid:104; alert;)
+# allow tls before client hello is done.
+accept:hook tls:client_in_progress $HOME_NET any -> $EXTERNAL_NET any (alert; sid:105;)
+
+# default drop
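Review bot: The comment `# pass rest of the flow to` above sid 1023 is cut off, and the same truncated wording (`allow rest of the flow to`) recurs above the `accept:hook` sid 1023 rule in the later fw rules hunks. Presumably it means hand the remainder of the flow to the app-layer rules further down the file, in which case `# pass the rest of the flow on to the app-layer rules below` says it; confirm that this is the intended reading of `accept:hook` before changing every copy.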
--- /dev/null
+%YAML 1.1
+---
+
+vars:
+ # more specific is better for alert accuracy and performance
+ address-groups:
+ HOME_NET: "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]"
+ #HOME_NET: "[192.168.0.0/16]"
+ #HOME_NET: "[10.0.0.0/8]"
+ #HOME_NET: "[172.16.0.0/12]"
+ #HOME_NET: "any"
+
+ EXTERNAL_NET: "!$HOME_NET"
+ #EXTERNAL_NET: "any"
+
+ HTTP_SERVERS: "$HOME_NET"
+ SMTP_SERVERS: "$HOME_NET"
+ SQL_SERVERS: "$HOME_NET"
+ DNS_SERVERS: "$HOME_NET"
+ TELNET_SERVERS: "$HOME_NET"
+ AIM_SERVERS: "$EXTERNAL_NET"
+ DC_SERVERS: "$HOME_NET"
+ DNP3_SERVER: "$HOME_NET"
+ DNP3_CLIENT: "$HOME_NET"
+ MODBUS_CLIENT: "$HOME_NET"
+ MODBUS_SERVER: "$HOME_NET"
+ ENIP_CLIENT: "$HOME_NET"
+ ENIP_SERVER: "$HOME_NET"
+
+ port-groups:
+ HTTP_PORTS: "80"
+ SHELLCODE_PORTS: "!80"
+ ORACLE_PORTS: 1521
+ SSH_PORTS: 22
+ DNP3_PORTS: 20000
+ MODBUS_PORTS: 502
+ FILE_DATA_PORTS: "[$HTTP_PORTS,110,143]"
+ FTP_PORTS: 21
+ GENEVE_PORTS: 6081
+ VXLAN_PORTS: 4789
+ TEREDO_PORTS: 3544
+ SIP_PORTS: "[5060, 5061]"
+
+# Global stats configuration
+stats:
+ enabled: yes
+ interval: 8
+
+# Configure the type of alert (and other) logging you would like.
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
+ filename: eve.json
+ types:
+ - stats
+ - flow
+ - alert
+ - tls:
+ extended: yes # enable this for extended logging information
+ - drop:
+ alerts: yes # log alerts that caused drops
+ flows: all # start or all: 'start' logs only a single drop
--- /dev/null
+requires:
+ min-version: 8
+ features:
+ - HAVE_JA3
+
+pcap: ../../tls/tls-client-hello-frag-01/dump_mtu300.pcap
+
+args:
+ - --simulate-ips
+ - -k none
+
+checks:
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 1011
+- filter:
+ count: 3
+ match:
+ event_type: alert
+ alert.signature_id: 1021
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 1022
+- filter:
+ count: 3
+ match:
+ event_type: alert
+ alert.signature_id: 1023
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 102
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 103
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 104
+- filter:
+ count: 2
+ match:
+ event_type: alert
+ alert.signature_id: 105
+- filter:
+ count: 0
+ match:
+ event_type: drop
+- filter:
+ count: 1
+ match:
+ event_type: flow
+ flow.pkts_toserver: 32
+ flow.pkts_toclient: 30
+ flow.state: "closed"
+ flow.alerted: true
+ flow.action: "accept"
+- filter:
+ count: 1
+ match:
+ event_type: stats
+ stats.ips.accepted: 62
+ stats.ips.blocked: 0
--- /dev/null
+# Packet rules
+
+# allow session setup
+accept:packet tcp:all $HOME_NET any <> $EXTERNAL_NET 443 (flow:not_established; alert; sid:1021;)
+
+# allow rest of the flow, packet by packet
+accept:packet tcp:all $HOME_NET any <> $EXTERNAL_NET 443 (flow:established; alert; sid:1023;)
+
+# default drop
--- /dev/null
+%YAML 1.1
+---
+
+vars:
+ # more specific is better for alert accuracy and performance
+ address-groups:
+ HOME_NET: "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]"
+ #HOME_NET: "[192.168.0.0/16]"
+ #HOME_NET: "[10.0.0.0/8]"
+ #HOME_NET: "[172.16.0.0/12]"
+ #HOME_NET: "any"
+
+ EXTERNAL_NET: "!$HOME_NET"
+ #EXTERNAL_NET: "any"
+
+ HTTP_SERVERS: "$HOME_NET"
+ SMTP_SERVERS: "$HOME_NET"
+ SQL_SERVERS: "$HOME_NET"
+ DNS_SERVERS: "$HOME_NET"
+ TELNET_SERVERS: "$HOME_NET"
+ AIM_SERVERS: "$EXTERNAL_NET"
+ DC_SERVERS: "$HOME_NET"
+ DNP3_SERVER: "$HOME_NET"
+ DNP3_CLIENT: "$HOME_NET"
+ MODBUS_CLIENT: "$HOME_NET"
+ MODBUS_SERVER: "$HOME_NET"
+ ENIP_CLIENT: "$HOME_NET"
+ ENIP_SERVER: "$HOME_NET"
+
+ port-groups:
+ HTTP_PORTS: "80"
+ SHELLCODE_PORTS: "!80"
+ ORACLE_PORTS: 1521
+ SSH_PORTS: 22
+ DNP3_PORTS: 20000
+ MODBUS_PORTS: 502
+ FILE_DATA_PORTS: "[$HTTP_PORTS,110,143]"
+ FTP_PORTS: 21
+ GENEVE_PORTS: 6081
+ VXLAN_PORTS: 4789
+ TEREDO_PORTS: 3544
+ SIP_PORTS: "[5060, 5061]"
+
+# Global stats configuration
+stats:
+ enabled: yes
+ interval: 8
+
+# Configure the type of alert (and other) logging you would like.
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
+ filename: eve.json
+ types:
+ - stats
+ - flow
+ - alert
+ - tls:
+ extended: yes # enable this for extended logging information
+ - drop:
+ alerts: yes # log alerts that caused drops
+ flows: all # start or all: 'start' logs only a single drop
--- /dev/null
+requires:
+ min-version: 8
+
+pcap: ../../tls/tls-client-hello-frag-01/dump_mtu300.pcap
+
+args:
+ - --simulate-ips
+ - -k none
+
+checks:
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 1011
+- filter:
+ count: 3
+ match:
+ event_type: alert
+ alert.signature_id: 1021
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 1022
+- filter:
+ count: 59
+ match:
+ event_type: alert
+ alert.signature_id: 1023
+- filter:
+ count: 0
+ match:
+ event_type: drop
+- filter:
+ count: 1
+ match:
+ event_type: flow
+ flow.pkts_toserver: 32
+ flow.pkts_toclient: 30
+ flow.state: "closed"
+ flow.alerted: true
+ not-has-key: flow.action
+- filter:
+ count: 1
+ match:
+ event_type: stats
+ stats.ips.accepted: 62
+ stats.ips.blocked: 0
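Review bot: The `count: 0` filters for `alert.signature_id: 1011` and `alert.signature_id: 1022` can never fail if, as the diff order suggests, the two-rule `accept:packet` file added before this test's suricata.yaml is the one loaded here, since it defines only sids 1021 and 1023. Either drop the two filters or mark them as deliberate guards, e.g. `count: 0  # sid 1011 is not loaded in this test`. The same copied-over zero filters appear in the next test.yaml (sids 1011 and 1022 against a rules file with only 1021 and 1023) and in the pass/alert test (sids 1022, 102 and 103 against a rules file that defines none of them).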
--- /dev/null
+# Packet rules
+
+# allow session setup
+accept:packet tcp:all $HOME_NET any <> $EXTERNAL_NET 443 (flow:not_established; alert; sid:1021;)
+
+# allow rest of the flow. Bidir as we don't know which side will talk first.
+accept:flow tcp:all $HOME_NET any <> $EXTERNAL_NET 443 (flow:established; alert; sid:1023;)
+
+# default drop
--- /dev/null
+%YAML 1.1
+---
+
+vars:
+ # more specific is better for alert accuracy and performance
+ address-groups:
+ HOME_NET: "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]"
+ #HOME_NET: "[192.168.0.0/16]"
+ #HOME_NET: "[10.0.0.0/8]"
+ #HOME_NET: "[172.16.0.0/12]"
+ #HOME_NET: "any"
+
+ EXTERNAL_NET: "!$HOME_NET"
+ #EXTERNAL_NET: "any"
+
+ HTTP_SERVERS: "$HOME_NET"
+ SMTP_SERVERS: "$HOME_NET"
+ SQL_SERVERS: "$HOME_NET"
+ DNS_SERVERS: "$HOME_NET"
+ TELNET_SERVERS: "$HOME_NET"
+ AIM_SERVERS: "$EXTERNAL_NET"
+ DC_SERVERS: "$HOME_NET"
+ DNP3_SERVER: "$HOME_NET"
+ DNP3_CLIENT: "$HOME_NET"
+ MODBUS_CLIENT: "$HOME_NET"
+ MODBUS_SERVER: "$HOME_NET"
+ ENIP_CLIENT: "$HOME_NET"
+ ENIP_SERVER: "$HOME_NET"
+
+ port-groups:
+ HTTP_PORTS: "80"
+ SHELLCODE_PORTS: "!80"
+ ORACLE_PORTS: 1521
+ SSH_PORTS: 22
+ DNP3_PORTS: 20000
+ MODBUS_PORTS: 502
+ FILE_DATA_PORTS: "[$HTTP_PORTS,110,143]"
+ FTP_PORTS: 21
+ GENEVE_PORTS: 6081
+ VXLAN_PORTS: 4789
+ TEREDO_PORTS: 3544
+ SIP_PORTS: "[5060, 5061]"
+
+# Global stats configuration
+stats:
+ enabled: yes
+ interval: 8
+
+# Configure the type of alert (and other) logging you would like.
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
+ filename: eve.json
+ types:
+ - stats
+ - flow
+ - alert
+ - tls:
+ extended: yes # enable this for extended logging information
+ - drop:
+ alerts: yes # log alerts that caused drops
+ flows: all # start or all: 'start' logs only a single drop
--- /dev/null
+requires:
+ min-version: 8
+
+pcap: ../../tls/tls-client-hello-frag-01/dump_mtu300.pcap
+
+args:
+ - --simulate-ips
+ - -k none
+
+checks:
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 1011
+- filter:
+ count: 3
+ match:
+ event_type: alert
+ alert.signature_id: 1021
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 1022
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 1023
+- filter:
+ count: 0
+ match:
+ event_type: drop
+- filter:
+ count: 1
+ match:
+ event_type: flow
+ flow.pkts_toserver: 32
+ flow.pkts_toclient: 30
+ flow.state: "closed"
+ flow.alerted: true
+ flow.action: accept
+- filter:
+ count: 1
+ match:
+ event_type: stats
+ stats.ips.accepted: 62
+ stats.ips.blocked: 0
--- /dev/null
+# Packet rules
+
+# accept outgoing ping and the returning pongs
+accept:flow icmp:flow_start $HOME_NET any -> $HOME_NET any (itype:8; msg:"Ping!"; alert; sid:1011;)
+# allow session setup
+accept:packet tcp:all $HOME_NET any <> $EXTERNAL_NET 443 (flow:not_established; alert; sid:1021;)
+# some exception test
+accept:flow tcp:all $HOME_NET any <> 1.2.3.4 443 (flow:established; alert; sid:1022;)
+
+# default drop
--- /dev/null
+%YAML 1.1
+---
+
+vars:
+ # more specific is better for alert accuracy and performance
+ address-groups:
+ HOME_NET: "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]"
+ #HOME_NET: "[192.168.0.0/16]"
+ #HOME_NET: "[10.0.0.0/8]"
+ #HOME_NET: "[172.16.0.0/12]"
+ #HOME_NET: "any"
+
+ EXTERNAL_NET: "!$HOME_NET"
+ #EXTERNAL_NET: "any"
+
+ HTTP_SERVERS: "$HOME_NET"
+ SMTP_SERVERS: "$HOME_NET"
+ SQL_SERVERS: "$HOME_NET"
+ DNS_SERVERS: "$HOME_NET"
+ TELNET_SERVERS: "$HOME_NET"
+ AIM_SERVERS: "$EXTERNAL_NET"
+ DC_SERVERS: "$HOME_NET"
+ DNP3_SERVER: "$HOME_NET"
+ DNP3_CLIENT: "$HOME_NET"
+ MODBUS_CLIENT: "$HOME_NET"
+ MODBUS_SERVER: "$HOME_NET"
+ ENIP_CLIENT: "$HOME_NET"
+ ENIP_SERVER: "$HOME_NET"
+
+ port-groups:
+ HTTP_PORTS: "80"
+ SHELLCODE_PORTS: "!80"
+ ORACLE_PORTS: 1521
+ SSH_PORTS: 22
+ DNP3_PORTS: 20000
+ MODBUS_PORTS: 502
+ FILE_DATA_PORTS: "[$HTTP_PORTS,110,143]"
+ FTP_PORTS: 21
+ GENEVE_PORTS: 6081
+ VXLAN_PORTS: 4789
+ TEREDO_PORTS: 3544
+ SIP_PORTS: "[5060, 5061]"
+
+# Global stats configuration
+stats:
+ enabled: yes
+ interval: 8
+
+# Configure the type of alert (and other) logging you would like.
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
+ filename: eve.json
+ types:
+ - stats
+ - flow
+ - alert
+ - tls:
+ extended: yes # enable this for extended logging information
+ - drop:
+ alerts: yes # log alerts that caused drops
+ flows: all # start or all: 'start' logs only a single drop
--- /dev/null
+requires:
+ min-version: 8
+
+pcap: ../../tls/tls-client-hello-frag-01/dump_mtu300.pcap
+
+args:
+ - --simulate-ips
+ - -k none
+
+checks:
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 1011
+- filter:
+ count: 3
+ match:
+ event_type: alert
+ alert.signature_id: 1021
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 1022
+- filter:
+ count: 59
+ match:
+ event_type: drop
+- filter:
+ count: 1
+ match:
+ event_type: flow
+ flow.pkts_toserver: 32
+ flow.pkts_toclient: 30
+ flow.state: "closed" # TODO due to no drop being applied to the flow, we only drop after stream/app-layer
+ flow.alerted: true
+ not-has-key: flow.action
+- filter:
+ count: 1
+ match:
+ event_type: stats
+ stats.ips.accepted: 3
+ stats.ips.blocked: 59
+ stats.ips.drop_reason.default_packet_policy: 59
--- /dev/null
+# Packet rules
+
+# accept outgoing ping and the returning pongs
+accept:flow icmp:flow_start $HOME_NET any -> $HOME_NET any (itype:8; msg:"Ping!"; alert; sid:1011;)
+# allow session setup
+accept:hook tcp:all $HOME_NET any <> $EXTERNAL_NET 443 (flow:not_established; alert; sid:1021;)
+# some exception test
+accept:flow tcp:all $HOME_NET any <> 1.2.3.4 443 (flow:established; alert; sid:1022;)
+
+# allow rest of the flow to
+accept:hook tcp:all $HOME_NET any <> $EXTERNAL_NET 443 (flow:established; alert; sid:1023;)
+
+# default drop
+
+
+
+
+# App-layer rules
+
+# deny list some hash
+drop:flow tls:client_hello_done $HOME_NET any -> $EXTERNAL_NET any (ja3.hash; content:"e7eca2baf4458d095b7f45da28c16c34"; msg:"Drop naughty JA3"; sid:102;)
+# Disallow TLS v1.0 to some destinations.
+drop:flow tls:server_hello_done $HOME_NET any -> $EXTERNAL_NET any (tls.version:1.0; msg:"TLS 1.0 not allowed"; sid:103;)
+# should not match, pcap is to google
+accept:flow tls:client_hello_done $HOME_NET any -> $EXTERNAL_NET any (tls.sni; content:"www.bing.com"; sid:104; alert;)
+# allow tls before client hello is done.
+accept:packet tls:client_in_progress $HOME_NET any -> $EXTERNAL_NET any (alert; sid:105;)
+
+# default drop
--- /dev/null
+%YAML 1.1
+---
+
+vars:
+ # more specific is better for alert accuracy and performance
+ address-groups:
+ HOME_NET: "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]"
+ #HOME_NET: "[192.168.0.0/16]"
+ #HOME_NET: "[10.0.0.0/8]"
+ #HOME_NET: "[172.16.0.0/12]"
+ #HOME_NET: "any"
+
+ EXTERNAL_NET: "!$HOME_NET"
+ #EXTERNAL_NET: "any"
+
+ HTTP_SERVERS: "$HOME_NET"
+ SMTP_SERVERS: "$HOME_NET"
+ SQL_SERVERS: "$HOME_NET"
+ DNS_SERVERS: "$HOME_NET"
+ TELNET_SERVERS: "$HOME_NET"
+ AIM_SERVERS: "$EXTERNAL_NET"
+ DC_SERVERS: "$HOME_NET"
+ DNP3_SERVER: "$HOME_NET"
+ DNP3_CLIENT: "$HOME_NET"
+ MODBUS_CLIENT: "$HOME_NET"
+ MODBUS_SERVER: "$HOME_NET"
+ ENIP_CLIENT: "$HOME_NET"
+ ENIP_SERVER: "$HOME_NET"
+
+ port-groups:
+ HTTP_PORTS: "80"
+ SHELLCODE_PORTS: "!80"
+ ORACLE_PORTS: 1521
+ SSH_PORTS: 22
+ DNP3_PORTS: 20000
+ MODBUS_PORTS: 502
+ FILE_DATA_PORTS: "[$HTTP_PORTS,110,143]"
+ FTP_PORTS: 21
+ GENEVE_PORTS: 6081
+ VXLAN_PORTS: 4789
+ TEREDO_PORTS: 3544
+ SIP_PORTS: "[5060, 5061]"
+
+# Global stats configuration
+stats:
+ enabled: yes
+ interval: 8
+
+# Configure the type of alert (and other) logging you would like.
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
+ filename: eve.json
+ types:
+ - stats
+ - flow
+ - alert
+ - tls:
+ extended: yes # enable this for extended logging information
+ - drop:
+ alerts: yes # log alerts that caused drops
+ flows: all # start or all: 'start' logs only a single drop
--- /dev/null
+requires:
+ min-version: 8
+ features:
+ - HAVE_JA3
+
+pcap: ../../tls/tls-client-hello-frag-01/dump_mtu300.pcap
+
+args:
+ - --simulate-ips
+ - -k none
+
+checks:
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 1011
+- filter:
+ count: 3
+ match:
+ event_type: alert
+ alert.signature_id: 1021
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 1022
+- filter:
+ count: 7
+ match:
+ event_type: alert
+ alert.signature_id: 1023
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 102
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 103
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 104
+- filter:
+ count: 2
+ match:
+ event_type: alert
+ alert.signature_id: 105
+- filter:
+ count: 53
+ match:
+ event_type: drop
+- filter:
+ count: 1
+ match:
+ event_type: flow
+ flow.pkts_toserver: 32
+ flow.pkts_toclient: 30
+ flow.state: "established"
+ flow.alerted: true
+ flow.action: drop
+- filter:
+ count: 1
+ match:
+ event_type: stats
+ stats.ips.accepted: 9
+ stats.ips.blocked: 53
+ stats.ips.drop_reason.default_app_policy: 1
+ stats.ips.drop_reason.flow_drop: 52
--- /dev/null
+# Packet rules
+
+# accept outgoing ping and the returning pongs
+accept:flow icmp:flow_start $HOME_NET any -> $HOME_NET any (itype:8; msg:"Ping!"; alert; sid:1011;)
+# allow session setup
+accept:hook tcp:all $HOME_NET any <> $EXTERNAL_NET 443 (flow:not_established; alert; sid:1021;)
+# some exception test
+accept:flow tcp:all $HOME_NET any <> 1.2.3.4 443 (flow:established; alert; sid:1022;)
+
+# allow rest of the flow to
+accept:hook tcp:all $HOME_NET any <> $EXTERNAL_NET 443 (flow:established; alert; sid:1023;)
+
+# default drop
+
+
+
+
+# App-layer rules
+
+# deny list some hash
+drop:flow tls:client_hello_done $HOME_NET any -> $EXTERNAL_NET any (ja3.hash; content:"e7eca2baf4458d095b7f45da28c16c34"; msg:"Drop naughty JA3"; sid:102;)
+# Disallow TLS v1.0 to some destinations.
+drop:flow tls:server_hello_done $HOME_NET any -> $EXTERNAL_NET any (tls.version:1.0; msg:"TLS 1.0 not allowed"; sid:103;)
+# should not match, pcap is to google
+accept:flow tls:client_hello_done $HOME_NET any -> $EXTERNAL_NET any (tls.sni; content:"www.bing.com"; sid:104; alert;)
+# allow tls before client hello is done.
+accept:packet tls:client_in_progress $HOME_NET any -> $EXTERNAL_NET any (alert; sid:105;)
+
+# default drop
--- /dev/null
+%YAML 1.1
+---
+
+vars:
+ # more specific is better for alert accuracy and performance
+ address-groups:
+ HOME_NET: "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]"
+ #HOME_NET: "[192.168.0.0/16]"
+ #HOME_NET: "[10.0.0.0/8]"
+ #HOME_NET: "[172.16.0.0/12]"
+ #HOME_NET: "any"
+
+ EXTERNAL_NET: "!$HOME_NET"
+ #EXTERNAL_NET: "any"
+
+ HTTP_SERVERS: "$HOME_NET"
+ SMTP_SERVERS: "$HOME_NET"
+ SQL_SERVERS: "$HOME_NET"
+ DNS_SERVERS: "$HOME_NET"
+ TELNET_SERVERS: "$HOME_NET"
+ AIM_SERVERS: "$EXTERNAL_NET"
+ DC_SERVERS: "$HOME_NET"
+ DNP3_SERVER: "$HOME_NET"
+ DNP3_CLIENT: "$HOME_NET"
+ MODBUS_CLIENT: "$HOME_NET"
+ MODBUS_SERVER: "$HOME_NET"
+ ENIP_CLIENT: "$HOME_NET"
+ ENIP_SERVER: "$HOME_NET"
+
+ port-groups:
+ HTTP_PORTS: "80"
+ SHELLCODE_PORTS: "!80"
+ ORACLE_PORTS: 1521
+ SSH_PORTS: 22
+ DNP3_PORTS: 20000
+ MODBUS_PORTS: 502
+ FILE_DATA_PORTS: "[$HTTP_PORTS,110,143]"
+ FTP_PORTS: 21
+ GENEVE_PORTS: 6081
+ VXLAN_PORTS: 4789
+ TEREDO_PORTS: 3544
+ SIP_PORTS: "[5060, 5061]"
+
+# Global stats configuration
+stats:
+ enabled: yes
+ interval: 8
+
+# Configure the type of alert (and other) logging you would like.
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
+ filename: eve.json
+ types:
+ - stats
+ - flow
+ - alert
+ - tls:
+ extended: yes # enable this for extended logging information
+ - drop:
+ alerts: yes # log alerts that caused drops
+ flows: all # start or all: 'start' logs only a single drop
--- /dev/null
+drop tcp any any -> any any (dsize:21; seq:538452275; sid:999;)
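Review bot: This one-line file gives no hint that `seq:538452275; dsize:21` pins a single packet of the test pcap; the test.yaml that follows expects the resulting blocked alert, and an allowed sid 1023 alert for the same packet, at `pcap_cnt: 6`. Add `# pins packet 6 of dump_mtu300.pcap by seq/dsize: a threat rule that drops a packet the fw rules accept` above the rule so the magic numbers are recognised as pcap-specific when the capture is ever replaced.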
--- /dev/null
+requires:
+ min-version: 8
+ features:
+ - HAVE_JA3
+
+pcap: ../../tls/tls-client-hello-frag-01/dump_mtu300.pcap
+
+args:
+ - --simulate-ips
+ - -k none
+
+checks:
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 999
+ alert.action: blocked
+ pcap_cnt: 6
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 1023
+ alert.action: allowed
+ pcap_cnt: 6
+- filter:
+ count: 3 # 105 also matches here
+ match:
+ event_type: alert
+ pcap_cnt: 6
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 1011
+- filter:
+ count: 3
+ match:
+ event_type: alert
+ alert.signature_id: 1021
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 1022
+- filter:
+ count: 7
+ match:
+ event_type: alert
+ alert.signature_id: 1023
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 102
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 103
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 104
+- filter:
+ count: 2
+ match:
+ event_type: alert
+ alert.signature_id: 105
+- filter:
+ count: 54 # 53 + 1 (drop sid 999)
+ match:
+ event_type: drop
+- filter:
+ count: 1
+ match:
+ event_type: flow
+ flow.pkts_toserver: 32
+ flow.pkts_toclient: 30
+ flow.state: "established"
+ flow.alerted: true
+ flow.action: drop
+- filter:
+ count: 1
+ match:
+ event_type: stats
+ stats.ips.accepted: 8
+ stats.ips.blocked: 54
+ stats.ips.drop_reason.default_app_policy: 1
+ stats.ips.drop_reason.rules: 1
+ stats.ips.drop_reason.flow_drop: 52
--- /dev/null
+# Packet rules
+
+# accept outgoing ping and the returning pongs
+accept:flow icmp:flow_start $HOME_NET any -> $HOME_NET any (itype:8; msg:"Ping!"; alert; sid:1011;)
+# allow session setup
+accept:hook tcp:all $HOME_NET any <> $EXTERNAL_NET 443 (flow:not_established; alert; sid:1021;)
+# allow rest of the flow to
+accept:hook tcp:all $HOME_NET any <> $EXTERNAL_NET 443 (flow:established; alert; sid:1023;)
+
+# default drop
+
+
+
+
+# App-layer rules
+
+# should match, pcap is to google
+accept:flow tls:client_hello_done $HOME_NET any -> $EXTERNAL_NET any (tls.sni; content:"www.google.com"; sid:104; alert;)
+# allow tls before client hello is done.
+accept:hook tls:client_in_progress $HOME_NET any -> $EXTERNAL_NET any (alert; sid:105;)
+
+# default drop
--- /dev/null
+%YAML 1.1
+---
+
+vars:
+ # more specific is better for alert accuracy and performance
+ address-groups:
+ HOME_NET: "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]"
+ #HOME_NET: "[192.168.0.0/16]"
+ #HOME_NET: "[10.0.0.0/8]"
+ #HOME_NET: "[172.16.0.0/12]"
+ #HOME_NET: "any"
+
+ EXTERNAL_NET: "!$HOME_NET"
+ #EXTERNAL_NET: "any"
+
+ HTTP_SERVERS: "$HOME_NET"
+ SMTP_SERVERS: "$HOME_NET"
+ SQL_SERVERS: "$HOME_NET"
+ DNS_SERVERS: "$HOME_NET"
+ TELNET_SERVERS: "$HOME_NET"
+ AIM_SERVERS: "$EXTERNAL_NET"
+ DC_SERVERS: "$HOME_NET"
+ DNP3_SERVER: "$HOME_NET"
+ DNP3_CLIENT: "$HOME_NET"
+ MODBUS_CLIENT: "$HOME_NET"
+ MODBUS_SERVER: "$HOME_NET"
+ ENIP_CLIENT: "$HOME_NET"
+ ENIP_SERVER: "$HOME_NET"
+
+ port-groups:
+ HTTP_PORTS: "80"
+ SHELLCODE_PORTS: "!80"
+ ORACLE_PORTS: 1521
+ SSH_PORTS: 22
+ DNP3_PORTS: 20000
+ MODBUS_PORTS: 502
+ FILE_DATA_PORTS: "[$HTTP_PORTS,110,143]"
+ FTP_PORTS: 21
+ GENEVE_PORTS: 6081
+ VXLAN_PORTS: 4789
+ TEREDO_PORTS: 3544
+ SIP_PORTS: "[5060, 5061]"
+
+# Global stats configuration
+stats:
+ enabled: yes
+ interval: 8
+
+# Configure the type of alert (and other) logging you would like.
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
+ filename: eve.json
+ types:
+ - stats
+ - flow
+ - alert
+ - tls:
+ extended: yes # enable this for extended logging information
+ - drop:
+ alerts: yes # log alerts that caused drops
+ flows: all # start or all: 'start' logs only a single drop
--- /dev/null
+# this pass should prevent match of 998, but it should not affect the fw rules
+pass:flow tcp any any -> any any (flags:S; sid:999; alert;)
+# would match if 999 didn't set a flow pass
+alert tls any any -> any any (tls.sni; content:"google"; sid:998;)
--- /dev/null
+requires:
+ min-version: 8
+
+pcap: ../../tls/tls-client-hello-frag-01/dump_mtu300.pcap
+
+args:
+ - --simulate-ips
+ - -k none
+
+checks:
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 999
+ pcap_cnt: 1
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 998
+ pcap_cnt: 1
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 1023
+ alert.action: allowed
+ pcap_cnt: 6
+- filter:
+ count: 3
+ match:
+ event_type: alert
+ pcap_cnt: 6
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 1011
+- filter:
+ count: 3
+ match:
+ event_type: alert
+ alert.signature_id: 1021
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 1022
+- filter:
+ count: 3
+ match:
+ event_type: alert
+ alert.signature_id: 1023
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 102
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 103
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 104
+- filter:
+ count: 2
+ match:
+ event_type: alert
+ alert.signature_id: 105
+- filter:
+ count: 0
+ match:
+ event_type: drop
+- filter:
+ count: 1
+ match:
+ event_type: flow
+ flow.pkts_toserver: 32
+ flow.pkts_toclient: 30
+ flow.state: "closed"
+ flow.alerted: true
+ flow.action: "accept"
+- filter:
+ count: 1
+ match:
+ event_type: stats
+ stats.ips.accepted: 62
+ stats.ips.blocked: 0
+ stats.ips.drop_reason.default_app_policy: 0
+ stats.ips.drop_reason.rules: 0
--- /dev/null
+# Packet rules
+
+accept:packet ip:all any any -> any any (flowbits:isset,fw_flow_accept; alert; sid:1010;)
+
+# allow session setup
+accept:packet tcp:all $HOME_NET any <> $EXTERNAL_NET 443 (flow:not_established; alert; sid:1021;)
+
+# allow rest of the flow to
+accept:packet tcp:all $HOME_NET any <> $EXTERNAL_NET 443 (flow:established; flowbits:set,fw_flow_accept; alert; sid:1023;)
+
+# default drop
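Review bot: Sid 1010 (`accept:packet ip:all any any -> any any`) accepts any packet, of any protocol and direction, whose flow carries the `fw_flow_accept` bit, and the only rule setting that bit is sid 1023 at the bottom of the file; this coupling is not stated anywhere. Add `# accept every further packet of a flow that sid 1023 has tagged with fw_flow_accept` above sid 1010 and `# tag the flow so that sid 1010 accepts the rest of it` above sid 1023. The same flowbit pattern is reused in the last hunk of this diff, which looks truncated here, so the comments should go there too.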
--- /dev/null
+%YAML 1.1
+---
+
+vars:
+ # more specific is better for alert accuracy and performance
+ address-groups:
+ HOME_NET: "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]"
+ #HOME_NET: "[192.168.0.0/16]"
+ #HOME_NET: "[10.0.0.0/8]"
+ #HOME_NET: "[172.16.0.0/12]"
+ #HOME_NET: "any"
+
+ EXTERNAL_NET: "!$HOME_NET"
+ #EXTERNAL_NET: "any"
+
+ HTTP_SERVERS: "$HOME_NET"
+ SMTP_SERVERS: "$HOME_NET"
+ SQL_SERVERS: "$HOME_NET"
+ DNS_SERVERS: "$HOME_NET"
+ TELNET_SERVERS: "$HOME_NET"
+ AIM_SERVERS: "$EXTERNAL_NET"
+ DC_SERVERS: "$HOME_NET"
+ DNP3_SERVER: "$HOME_NET"
+ DNP3_CLIENT: "$HOME_NET"
+ MODBUS_CLIENT: "$HOME_NET"
+ MODBUS_SERVER: "$HOME_NET"
+ ENIP_CLIENT: "$HOME_NET"
+ ENIP_SERVER: "$HOME_NET"
+
+ port-groups:
+ HTTP_PORTS: "80"
+ SHELLCODE_PORTS: "!80"
+ ORACLE_PORTS: 1521
+ SSH_PORTS: 22
+ DNP3_PORTS: 20000
+ MODBUS_PORTS: 502
+ FILE_DATA_PORTS: "[$HTTP_PORTS,110,143]"
+ FTP_PORTS: 21
+ GENEVE_PORTS: 6081
+ VXLAN_PORTS: 4789
+ TEREDO_PORTS: 3544
+ SIP_PORTS: "[5060, 5061]"
+
+# Global stats configuration
+stats:
+ enabled: yes
+ interval: 8
+
+# Configure the type of alert (and other) logging you would like.
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
+ filename: eve.json
+ types:
+ - stats
+ - flow
+ - alert
+ - tls:
+ extended: yes # enable this for extended logging information
+ - drop:
+ alerts: yes # log alerts that caused drops
+ flows: all # start or all: 'start' logs only a single drop
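Review bot: This config is copied byte-for-byte into every test directory of the commit (the hunks ending at 1602, 1744, 1938, 2117, 2431, 2616, 2799 and the one cut off at the end), so a future change to the logging or `HOME_NET` setup has to be repeated nine times; if suricata-verify's stock suricata.yaml already covers these tests, as the test directory ending at 2347 seems to assume, the per-test copies could go. Within the file, `enabled: yes` and `extended: yes` depend on the `%YAML 1.1` directive to parse as booleans, and the inline comments on `filetype`, `extended`, `alerts` and `flows` have a single space before `#`; yamllint's `truthy` and `comments` rules flag both, and `enabled: true` with two spaces before `#` is the portable spelling.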
--- /dev/null
+requires:
+ min-version: 8
+
+pcap: ../../tls/tls-client-hello-frag-01/dump_mtu300.pcap
+
+args:
+ - --simulate-ips
+ - -k none
+
+checks:
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 1023
+ alert.action: allowed
+ pcap_cnt: 4
+- filter:
+ count: 58
+ match:
+ event_type: alert
+ alert.signature_id: 1010
+- filter:
+ count: 3
+ match:
+ event_type: alert
+ alert.signature_id: 1021
+- filter:
+ count: 0
+ match:
+ event_type: drop
+- filter:
+ count: 1
+ match:
+ event_type: flow
+ flow.pkts_toserver: 32
+ flow.pkts_toclient: 30
+ flow.state: "closed"
+ flow.alerted: true
+ not-has-key: flow.action
+- filter:
+ count: 1
+ match:
+ event_type: stats
+ stats.ips.accepted: 62
+ stats.ips.blocked: 0
--- /dev/null
+# Packet rules
+
+accept:packet ip:all any any -> any any (flowbits:isset,fw_flow_accept; alert; sid:1010;)
+
+# allow session setup
+accept:packet tcp:all $HOME_NET any <> $EXTERNAL_NET 443 (flow:not_established; alert; sid:1021;)
+
+# allow rest of the flow
+accept:hook tcp:all $HOME_NET any <> $EXTERNAL_NET 443 (flow:established; alert; sid:1023;)
+
+# default drop
+
+
+
+
+accept:hook tls:client_hello_done $HOME_NET any -> $EXTERNAL_NET any (tls.sni; content:"www.google.com"; flowbits:set,fw_flow_accept; sid:104; alert;)
+accept:hook tls:client_in_progress $HOME_NET any -> $EXTERNAL_NET any (alert; sid:105;)
+# default drop
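Review bot: The layout of this rule file differs from its siblings: `# default drop` after the packet rules is followed by four blank lines and then the TLS hook rules without the `# App-layer rules` header that the rule files ending at 1680 and 1874 carry, and the file mixes `accept:packet` (sids 1010, 1021) with `accept:hook` (sid 1023) on the same flow without saying why. Presumably sid 1023 is `accept:hook` so established packets still reach the TLS hooks below, where sid 104 sets `fw_flow_accept` for sid 1010 to consume — if so, a one-liner such as `# accept:hook so the TLS hooks below still run on established packets` above sid 1023 would make that intent explicit. Collapse the blank run to one line and add the section header for consistency.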
--- /dev/null
+%YAML 1.1
+---
+
+vars:
+ # more specific is better for alert accuracy and performance
+ address-groups:
+ HOME_NET: "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]"
+ #HOME_NET: "[192.168.0.0/16]"
+ #HOME_NET: "[10.0.0.0/8]"
+ #HOME_NET: "[172.16.0.0/12]"
+ #HOME_NET: "any"
+
+ EXTERNAL_NET: "!$HOME_NET"
+ #EXTERNAL_NET: "any"
+
+ HTTP_SERVERS: "$HOME_NET"
+ SMTP_SERVERS: "$HOME_NET"
+ SQL_SERVERS: "$HOME_NET"
+ DNS_SERVERS: "$HOME_NET"
+ TELNET_SERVERS: "$HOME_NET"
+ AIM_SERVERS: "$EXTERNAL_NET"
+ DC_SERVERS: "$HOME_NET"
+ DNP3_SERVER: "$HOME_NET"
+ DNP3_CLIENT: "$HOME_NET"
+ MODBUS_CLIENT: "$HOME_NET"
+ MODBUS_SERVER: "$HOME_NET"
+ ENIP_CLIENT: "$HOME_NET"
+ ENIP_SERVER: "$HOME_NET"
+
+ port-groups:
+ HTTP_PORTS: "80"
+ SHELLCODE_PORTS: "!80"
+ ORACLE_PORTS: 1521
+ SSH_PORTS: 22
+ DNP3_PORTS: 20000
+ MODBUS_PORTS: 502
+ FILE_DATA_PORTS: "[$HTTP_PORTS,110,143]"
+ FTP_PORTS: 21
+ GENEVE_PORTS: 6081
+ VXLAN_PORTS: 4789
+ TEREDO_PORTS: 3544
+ SIP_PORTS: "[5060, 5061]"
+
+# Global stats configuration
+stats:
+ enabled: yes
+ interval: 8
+
+# Configure the type of alert (and other) logging you would like.
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
+ filename: eve.json
+ types:
+ - stats
+ - flow
+ - alert
+ - tls:
+ extended: yes # enable this for extended logging information
+ - drop:
+ alerts: yes # log alerts that caused drops
+ flows: all # start or all: 'start' logs only a single drop
--- /dev/null
+requires:
+ min-version: 8
+
+pcap: ../../tls/tls-client-hello-frag-01/dump_mtu300.pcap
+
+args:
+ - --simulate-ips
+ - -k none
+
+checks:
+- filter:
+ count: 3
+ match:
+ event_type: alert
+ alert.signature_id: 1023
+- filter:
+ count: 56
+ match:
+ event_type: alert
+ alert.signature_id: 1010
+- filter:
+ count: 3
+ match:
+ event_type: alert
+ alert.signature_id: 1021
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 104
+- filter:
+ count: 2
+ match:
+ event_type: alert
+ alert.signature_id: 105
+- filter:
+ count: 0
+ match:
+ event_type: drop
+- filter:
+ count: 1
+ match:
+ event_type: flow
+ flow.pkts_toserver: 32
+ flow.pkts_toclient: 30
+ flow.state: "closed"
+ flow.alerted: true
+ not-has-key: flow.action
+- filter:
+ count: 1
+ match:
+ event_type: stats
+ stats.ips.accepted: 62
+ stats.ips.blocked: 0
--- /dev/null
+# Packet rules
+
+# accept outgoing ping and the returning pongs
+accept:flow icmp:flow_start $HOME_NET any -> $HOME_NET any (itype:8; msg:"Ping!"; alert; sid:1011;)
+# allow session setup
+accept:hook tcp:all $HOME_NET any <> $EXTERNAL_NET 443 (flow:not_established; alert; sid:1021;)
+# allow rest of the flow to
+accept:hook tcp:all $HOME_NET any <> $EXTERNAL_NET 443 (flow:established; alert; sid:1023;)
+
+# default drop
+
+
+
+
+# App-layer rules
+
+# should match, pcap is to google
+accept:flow tls:client_hello_done $HOME_NET any -> $EXTERNAL_NET any (tls.sni; content:"www.google.com"; sid:104; alert;)
+# allow tls before client hello is done.
+accept:hook tls:client_in_progress $HOME_NET any -> $EXTERNAL_NET any (alert; sid:105;)
+
+# default drop
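Review bot: The sid 1011 rule is commented `# accept outgoing ping and the returning pongs`, but its address tuple is `$HOME_NET any -> $HOME_NET any`, which is internal-to-internal; with `EXTERNAL_NET` defined as `!$HOME_NET` in the adjacent suricata.yaml, an outgoing ping would need `$EXTERNAL_NET` as the destination. The test.yaml for this directory expects zero sid 1011 alerts on a TLS client-hello capture, so the rule is never exercised and the mismatch would not surface. Either fix the tuple or comment that it is a deliberate non-matching control, e.g. `# control rule: no ICMP in this pcap, must not fire`.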
--- /dev/null
+%YAML 1.1
+---
+
+vars:
+ # more specific is better for alert accuracy and performance
+ address-groups:
+ HOME_NET: "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]"
+ #HOME_NET: "[192.168.0.0/16]"
+ #HOME_NET: "[10.0.0.0/8]"
+ #HOME_NET: "[172.16.0.0/12]"
+ #HOME_NET: "any"
+
+ EXTERNAL_NET: "!$HOME_NET"
+ #EXTERNAL_NET: "any"
+
+ HTTP_SERVERS: "$HOME_NET"
+ SMTP_SERVERS: "$HOME_NET"
+ SQL_SERVERS: "$HOME_NET"
+ DNS_SERVERS: "$HOME_NET"
+ TELNET_SERVERS: "$HOME_NET"
+ AIM_SERVERS: "$EXTERNAL_NET"
+ DC_SERVERS: "$HOME_NET"
+ DNP3_SERVER: "$HOME_NET"
+ DNP3_CLIENT: "$HOME_NET"
+ MODBUS_CLIENT: "$HOME_NET"
+ MODBUS_SERVER: "$HOME_NET"
+ ENIP_CLIENT: "$HOME_NET"
+ ENIP_SERVER: "$HOME_NET"
+
+ port-groups:
+ HTTP_PORTS: "80"
+ SHELLCODE_PORTS: "!80"
+ ORACLE_PORTS: 1521
+ SSH_PORTS: 22
+ DNP3_PORTS: 20000
+ MODBUS_PORTS: 502
+ FILE_DATA_PORTS: "[$HTTP_PORTS,110,143]"
+ FTP_PORTS: 21
+ GENEVE_PORTS: 6081
+ VXLAN_PORTS: 4789
+ TEREDO_PORTS: 3544
+ SIP_PORTS: "[5060, 5061]"
+
+# Global stats configuration
+stats:
+ enabled: yes
+ interval: 8
+
+# Configure the type of alert (and other) logging you would like.
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
+ filename: eve.json
+ types:
+ - stats
+ - flow
+ - alert
+ - tls:
+ extended: yes # enable this for extended logging information
+ - drop:
+ alerts: yes # log alerts that caused drops
+ flows: all # start or all: 'start' logs only a single drop
--- /dev/null
+# this pass should prevent match of 998, but it should not affect the fw rules
+pass:flow tls any any -> any any (flow:to_server; tls.version:1.0; sid:999; alert;)
+# would match if 999 didn't set a flow pass
+alert tls any any -> any any (tls.sni; content:"google"; sid:998;)
--- /dev/null
+requires:
+ min-version: 8
+
+pcap: ../../tls/tls-client-hello-frag-01/dump_mtu300.pcap
+
+args:
+ - --simulate-ips
+ - -k none
+
+checks:
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 999
+ pcap_cnt: 4
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 998
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 1023
+ alert.action: allowed
+ pcap_cnt: 6
+- filter:
+ count: 3
+ match:
+ event_type: alert
+ pcap_cnt: 6
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 1011
+- filter:
+ count: 3
+ match:
+ event_type: alert
+ alert.signature_id: 1021
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 1022
+- filter:
+ count: 3
+ match:
+ event_type: alert
+ alert.signature_id: 1023
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 102
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 103
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 104
+- filter:
+ count: 2
+ match:
+ event_type: alert
+ alert.signature_id: 105
+- filter:
+ count: 0
+ match:
+ event_type: drop
+- filter:
+ count: 1
+ match:
+ event_type: flow
+ flow.pkts_toserver: 32
+ flow.pkts_toclient: 30
+ flow.state: "closed"
+ flow.alerted: true
+ flow.action: "accept"
+- filter:
+ count: 1
+ match:
+ event_type: stats
+ stats.ips.accepted: 62
+ stats.ips.blocked: 0
+ stats.ips.drop_reason.default_app_policy: 0
+ stats.ips.drop_reason.rules: 0
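Review bot: The checks for `alert.signature_id` 1022, 102 and 103 each expect a count of 0, but neither rule file in this test directory (the fw rules ending at 1680 and the test.rules ending at 1749) defines those sids, so the checks pass vacuously and look like leftovers from the sibling test that does use 102/103. Either remove them or say what they guard, e.g. `# sids 102/103 are not loaded here; guards against a stray rule file being picked up`. The two checks on sid 1023 (one with `alert.action: allowed` and `pcap_cnt: 6`, one with only a count) are fine but would read better next to each other.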
--- /dev/null
+# Packet rules
+
+# allow session setup
+accept:hook tcp:all $HOME_NET any <> $EXTERNAL_NET 443 (flow:not_established; alert; sid:1021;)
+
+# pass rest of the flow to
+accept:hook tcp:all $HOME_NET any <> $EXTERNAL_NET 443 (flow:established; alert; sid:1023;)
+
+# default drop
+
+
+
+
+# App-layer rules
+
+accept:hook tls:client_in_progress $HOME_NET any -> $EXTERNAL_NET any (alert; sid:100;)
+accept:hook tls:client_hello_done $HOME_NET any -> $EXTERNAL_NET any (tls.sni; content:"www.google.com"; sid:101; alert;)
+accept:hook tls:client_cert_done $HOME_NET any -> $EXTERNAL_NET any (alert; sid:102;)
+accept:hook tls:client_handshake_done $HOME_NET any -> $EXTERNAL_NET any (alert; sid:103;)
+accept:hook tls:client_finished $HOME_NET any -> $EXTERNAL_NET any (alert; sid:104;)
+
+accept:hook tls:server_in_progress $EXTERNAL_NET any -> $HOME_NET any (alert; sid:200;)
+accept:hook tls:server_hello $EXTERNAL_NET any -> $HOME_NET any (alert; sid:201;)
+accept:hook tls:server_cert_done $EXTERNAL_NET any -> $HOME_NET any (alert; sid:202;)
+accept:hook tls:server_hello_done $EXTERNAL_NET any -> $HOME_NET any (alert; sid:203;)
+accept:hook tls:server_handshake_done $EXTERNAL_NET any -> $HOME_NET any (alert; sid:204;)
+accept:hook tls:server_finished $EXTERNAL_NET any -> $HOME_NET any (alert; sid:205;)
+
+# default drop
--- /dev/null
+%YAML 1.1
+---
+
+vars:
+ # more specific is better for alert accuracy and performance
+ address-groups:
+ HOME_NET: "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]"
+ #HOME_NET: "[192.168.0.0/16]"
+ #HOME_NET: "[10.0.0.0/8]"
+ #HOME_NET: "[172.16.0.0/12]"
+ #HOME_NET: "any"
+
+ EXTERNAL_NET: "!$HOME_NET"
+ #EXTERNAL_NET: "any"
+
+ HTTP_SERVERS: "$HOME_NET"
+ SMTP_SERVERS: "$HOME_NET"
+ SQL_SERVERS: "$HOME_NET"
+ DNS_SERVERS: "$HOME_NET"
+ TELNET_SERVERS: "$HOME_NET"
+ AIM_SERVERS: "$EXTERNAL_NET"
+ DC_SERVERS: "$HOME_NET"
+ DNP3_SERVER: "$HOME_NET"
+ DNP3_CLIENT: "$HOME_NET"
+ MODBUS_CLIENT: "$HOME_NET"
+ MODBUS_SERVER: "$HOME_NET"
+ ENIP_CLIENT: "$HOME_NET"
+ ENIP_SERVER: "$HOME_NET"
+
+ port-groups:
+ HTTP_PORTS: "80"
+ SHELLCODE_PORTS: "!80"
+ ORACLE_PORTS: 1521
+ SSH_PORTS: 22
+ DNP3_PORTS: 20000
+ MODBUS_PORTS: 502
+ FILE_DATA_PORTS: "[$HTTP_PORTS,110,143]"
+ FTP_PORTS: 21
+ GENEVE_PORTS: 6081
+ VXLAN_PORTS: 4789
+ TEREDO_PORTS: 3544
+ SIP_PORTS: "[5060, 5061]"
+
+# Global stats configuration
+stats:
+ enabled: yes
+ interval: 8
+
+# Configure the type of alert (and other) logging you would like.
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
+ filename: eve.json
+ types:
+ - stats
+ - flow
+ - alert
+ - tls:
+ extended: yes # enable this for extended logging information
+ - drop:
+ alerts: yes # log alerts that caused drops
+ flows: all # start or all: 'start' logs only a single drop
--- /dev/null
+requires:
+ min-version: 8
+
+pcap: ../../tls/tls-client-hello-frag-01/dump_mtu300.pcap
+
+args:
+ - --simulate-ips
+ - -k none
+
+checks:
+- filter:
+ count: 3
+ match:
+ event_type: alert
+ alert.signature_id: 1021
+- filter:
+ count: 59
+ match:
+ event_type: alert
+ alert.signature_id: 1023
+- filter:
+ count: 2
+ match:
+ event_type: alert
+ alert.signature_id: 100
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 101
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 102
+- filter:
+ count: 8
+ match:
+ event_type: alert
+ alert.signature_id: 103
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 104
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 200
+- filter:
+ count: 2
+ match:
+ event_type: alert
+ alert.signature_id: 201
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 202
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 203
+- filter:
+ count: 18
+ match:
+ event_type: alert
+ alert.signature_id: 204
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 205
+- filter:
+ count: 0
+ match:
+ event_type: drop
+- filter:
+ count: 1
+ match:
+ event_type: flow
+ flow.pkts_toserver: 32
+ flow.pkts_toclient: 30
+ flow.state: "closed"
+ flow.alerted: true
+ not-has-key: flow.action
+- filter:
+ count: 1
+ match:
+ event_type: stats
+ stats.ips.accepted: 62
+ stats.ips.blocked: 0
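Review bot: The check expecting 0 alerts for sid 205 (`tls:server_finished`) sits beside sid 204 (`tls:server_handshake_done`) at 18 and sid 104 (`tls:client_finished`) at 1, with nothing explaining why the server-side finished hook never fires on this pcap; a zero count is indistinguishable from a hook that is never invoked, so this is the check a future reader will question first. A comment above it such as `# server_finished is not reached in this capture — TODO: state whether this is expected engine behaviour` records whether it is intended. The repeat counts for sids 103 (8) and 204 (18) on single handshake states also deserve a word on why they repeat — presumably once per packet while the state persists, but that is inferred and should be confirmed.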
--- /dev/null
+# Packet rules
+
+accept:hook tcp:all any any -> any any (sid:100;)
+# default drop
+
+
+accept:hook http1:request_started any any -> any any (alert; sid:101;)
+accept:hook http1:request_line any any -> any any (http.method; bsize:4; alert; sid:102;)
+accept:hook http1:request_headers any any -> any any (alert; sid:103;)
+accept:hook http1:request_body any any -> any any (alert; sid:104;)
+accept:hook http1:request_trailer any any -> any any (alert; sid:105;)
+accept:hook http1:request_complete any any -> any any (alert; sid:106;)
+
+accept:hook http1:response_started any any -> any any (alert; sid:201;)
+accept:hook http1:response_line any any -> any any (alert; sid:202;)
+accept:hook http1:response_headers any any -> any any (alert; sid:203;)
+accept:hook http1:response_body any any -> any any (alert; sid:204;)
+accept:hook http1:response_trailer any any -> any any (alert; sid:205;)
+accept:hook http1:response_complete any any -> any any (alert; sid:206;)
--- /dev/null
+%YAML 1.1
+---
+
+vars:
+ # more specific is better for alert accuracy and performance
+ address-groups:
+ HOME_NET: "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]"
+ #HOME_NET: "[192.168.0.0/16]"
+ #HOME_NET: "[10.0.0.0/8]"
+ #HOME_NET: "[172.16.0.0/12]"
+ #HOME_NET: "any"
+
+ EXTERNAL_NET: "!$HOME_NET"
+ #EXTERNAL_NET: "any"
+
+ HTTP_SERVERS: "$HOME_NET"
+ SMTP_SERVERS: "$HOME_NET"
+ SQL_SERVERS: "$HOME_NET"
+ DNS_SERVERS: "$HOME_NET"
+ TELNET_SERVERS: "$HOME_NET"
+ AIM_SERVERS: "$EXTERNAL_NET"
+ DC_SERVERS: "$HOME_NET"
+ DNP3_SERVER: "$HOME_NET"
+ DNP3_CLIENT: "$HOME_NET"
+ MODBUS_CLIENT: "$HOME_NET"
+ MODBUS_SERVER: "$HOME_NET"
+ ENIP_CLIENT: "$HOME_NET"
+ ENIP_SERVER: "$HOME_NET"
+
+ port-groups:
+ HTTP_PORTS: "80"
+ SHELLCODE_PORTS: "!80"
+ ORACLE_PORTS: 1521
+ SSH_PORTS: 22
+ DNP3_PORTS: 20000
+ MODBUS_PORTS: 502
+ FILE_DATA_PORTS: "[$HTTP_PORTS,110,143]"
+ FTP_PORTS: 21
+ GENEVE_PORTS: 6081
+ VXLAN_PORTS: 4789
+ TEREDO_PORTS: 3544
+ SIP_PORTS: "[5060, 5061]"
+
+# Global stats configuration
+stats:
+ enabled: yes
+ interval: 8
+
+# Configure the type of alert (and other) logging you would like.
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
+ filename: eve.json
+ types:
+ - stats
+ - flow
+ - alert
+ - tls:
+ extended: yes # enable this for extended logging information
+ - drop:
+ alerts: yes # log alerts that caused drops
+ flows: all # start or all: 'start' logs only a single drop
--- /dev/null
+requires:
+ min-version: 8
+
+pcap: ../../flowbit-oring/input.pcap
+
+args:
+ - --simulate-ips
+ - -k none
+
+checks:
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 100
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 101
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 102
+# No match due to 102 dropping the prior hook
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 103
+# No match due to 102 dropping the prior hook
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 104
+# No match due to 102 dropping the prior hook
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 105
+# No match due to 102 dropping the prior hook
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 106
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 201
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 202
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 203
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 204
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 205
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 206
+- filter:
+ count: 7
+ match:
+ event_type: drop
+- filter:
+ count: 1
+ match:
+ event_type: flow
+ flow.pkts_toserver: 6
+ flow.pkts_toclient: 4
+ flow.state: "established"
+ flow.alerted: true
+ flow.action: drop
+- filter:
+ count: 1
+ match:
+ event_type: stats
+ stats.ips.accepted: 3
+ stats.ips.blocked: 7
+ stats.ips.drop_reason.default_app_policy: 1
+ stats.ips.drop_reason.flow_drop: 6
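Review bot: The comment `# No match due to 102 dropping the prior hook`, repeated before the sid 103–106 checks, describes the mechanism backwards: sid 102 (`http.method; bsize:4`) does not match this pcap, so nothing accepts the `request_line` hook and the default-drop policy takes over from that point — sid 102 itself drops nothing. The same wording is copied into the test.yaml hunks ending at 2532, 2717 and 2900, including the one at 2532 whose rule file deliberately has no sid 102 at all. Suggest `# request_line hook not accepted (sid 102 does not match), so default drop applies from here on` once above the first affected check, and remove the per-check repeats.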
--- /dev/null
+# Packet rules
+
+# allow session setup
+accept:hook tcp:all $HOME_NET any <> $EXTERNAL_NET 80 (flow:not_established; alert; sid:1021;)
+
+# pass rest of the flow to
+accept:hook tcp:all $HOME_NET any <> $EXTERNAL_NET 80 (flow:established; alert; sid:1023;)
+
+# default drop
+
+accept:hook http1:request_started any any -> any any (alert; sid:100;)
+accept:hook http1:request_line any any -> any any (http.method; content:"GET"; http.uri; content:"/c.gif"; xbits:set,xxx,track tx; alert; sid:101;)
+accept:hook http1:request_headers any any -> any any (http.user_agent; content:"Windows NT"; xbits:isset,xxx,track tx; alert; sid:102;)
+accept:hook http1:request_headers any any -> any any (http.host; content:"msn"; xbits:isset,xxx,track tx; alert; sid:103;)
+
+accept:hook http1:request_body any any -> any any (xbits:isset,xxx,track tx; alert; sid:104;)
+accept:hook http1:request_trailer any any -> any any (xbits:isset,xxx,track tx; alert; sid:105;)
+accept:hook http1:request_complete any any -> any any (xbits:isset,xxx,track tx; alert; sid:106;)
+
+accept:hook http1:response_started any any -> any any (xbits:isset,xxx,track tx; alert; sid:200;)
+accept:hook http1:response_line any any -> any any (http.stat_code; content:"200"; xbits:isset,xxx,track tx; alert; sid:201;)
+accept:hook http1:response_headers any any -> any any (xbits:isset,xxx,track tx; alert; sid:202;)
+accept:hook http1:response_body any any -> any any (xbits:isset,xxx,track tx; alert; sid:203;)
+accept:hook http1:response_trailer any any -> any any (xbits:isset,xxx,track tx; alert; sid:204;)
+accept:hook http1:response_complete any any -> any any (xbits:isset,xxx,track tx; alert; sid:205;)
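Review bot: The xbit is named `xxx` in `xbits:set,xxx,track tx` and in every `xbits:isset,xxx,track tx` that follows, which reads as a placeholder that was never replaced; a descriptive name such as `xbits:set,http_get_cgif,track tx` would make the later `isset` checks self-explanatory. Sids 102 and 103 both hang off `http1:request_headers` with only the matched header differing, and the test.yaml expects 103 to stay at 0; a comment on 103, e.g. `# negative control: host does not contain "msn" in this pcap`, would record that this is intended rather than a broken rule.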
--- /dev/null
+requires:
+ min-version: 8
+
+args:
+ - --simulate-ips
+ - -k none
+
+checks:
+- filter:
+ count: 3
+ match:
+ event_type: alert
+ alert.signature_id: 1021
+- filter:
+ count: 24
+ match:
+ event_type: alert
+ alert.signature_id: 1023
+- filter:
+ count: 8
+ match:
+ event_type: alert
+ alert.signature_id: 100
+- filter:
+ count: 8
+ match:
+ event_type: alert
+ alert.signature_id: 101
+- filter:
+ count: 8
+ match:
+ event_type: alert
+ alert.signature_id: 102
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 103
+- filter:
+ count: 8
+ match:
+ event_type: alert
+ alert.signature_id: 104
+- filter:
+ count: 8
+ match:
+ event_type: alert
+ alert.signature_id: 105
+- filter:
+ count: 8
+ match:
+ event_type: alert
+ alert.signature_id: 106
+- filter:
+ count: 8
+ match:
+ event_type: alert
+ alert.signature_id: 200
+- filter:
+ count: 8
+ match:
+ event_type: alert
+ alert.signature_id: 201
+- filter:
+ count: 8
+ match:
+ event_type: alert
+ alert.signature_id: 202
+- filter:
+ count: 8
+ match:
+ event_type: alert
+ alert.signature_id: 203
+- filter:
+ count: 8
+ match:
+ event_type: alert
+ alert.signature_id: 204
+- filter:
+ count: 8
+ match:
+ event_type: alert
+ alert.signature_id: 205
+- filter:
+ count: 0
+ match:
+ event_type: drop
+- filter:
+ count: 1
+ match:
+ event_type: flow
+ flow.pkts_toserver: 18
+ flow.pkts_toclient: 9
+ flow.state: "established"
+ flow.alerted: true
+ not-has-key: flow.action
+- filter:
+ count: 1
+ match:
+ event_type: stats
+ stats.ips.accepted: 27
+ stats.ips.blocked: 0
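Review bot: This test.yaml has no `pcap:` key and the diff shows no suricata.yaml for this directory (the rule file ending at 2244 is followed directly by this test.yaml), unlike every other test in the commit. If suricata-verify's defaults are being relied on — an `input.pcap` in the test directory and the stock suricata.yaml — that should be stated, because the rules for sids 1021/1023 depend on `$HOME_NET`/`$EXTERNAL_NET` and the stock definitions may differ from the pinned ones in the sibling tests. A line near the top such as `# uses input.pcap from this directory and the default suricata.yaml` makes the dependency explicit.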
--- /dev/null
+# Packet rules
+
+accept:hook tcp:all any any -> any any (sid:100;)
+# default drop
+
+
+accept:hook http1:request_started any any -> any any (alert; sid:101;)
+# No rule to accept the request_line
+accept:hook http1:request_headers any any -> any any (alert; sid:103;)
+accept:hook http1:request_body any any -> any any (alert; sid:104;)
+accept:hook http1:request_trailer any any -> any any (alert; sid:105;)
+accept:hook http1:request_complete any any -> any any (alert; sid:106;)
+
+accept:hook http1:response_started any any -> any any (alert; sid:201;)
+accept:hook http1:response_line any any -> any any (alert; sid:202;)
+accept:hook http1:response_headers any any -> any any (alert; sid:203;)
+accept:hook http1:response_body any any -> any any (alert; sid:204;)
+accept:hook http1:response_trailer any any -> any any (alert; sid:205;)
+accept:hook http1:response_complete any any -> any any (alert; sid:206;)
--- /dev/null
+%YAML 1.1
+---
+
+vars:
+ # more specific is better for alert accuracy and performance
+ address-groups:
+ HOME_NET: "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]"
+ #HOME_NET: "[192.168.0.0/16]"
+ #HOME_NET: "[10.0.0.0/8]"
+ #HOME_NET: "[172.16.0.0/12]"
+ #HOME_NET: "any"
+
+ EXTERNAL_NET: "!$HOME_NET"
+ #EXTERNAL_NET: "any"
+
+ HTTP_SERVERS: "$HOME_NET"
+ SMTP_SERVERS: "$HOME_NET"
+ SQL_SERVERS: "$HOME_NET"
+ DNS_SERVERS: "$HOME_NET"
+ TELNET_SERVERS: "$HOME_NET"
+ AIM_SERVERS: "$EXTERNAL_NET"
+ DC_SERVERS: "$HOME_NET"
+ DNP3_SERVER: "$HOME_NET"
+ DNP3_CLIENT: "$HOME_NET"
+ MODBUS_CLIENT: "$HOME_NET"
+ MODBUS_SERVER: "$HOME_NET"
+ ENIP_CLIENT: "$HOME_NET"
+ ENIP_SERVER: "$HOME_NET"
+
+ port-groups:
+ HTTP_PORTS: "80"
+ SHELLCODE_PORTS: "!80"
+ ORACLE_PORTS: 1521
+ SSH_PORTS: 22
+ DNP3_PORTS: 20000
+ MODBUS_PORTS: 502
+ FILE_DATA_PORTS: "[$HTTP_PORTS,110,143]"
+ FTP_PORTS: 21
+ GENEVE_PORTS: 6081
+ VXLAN_PORTS: 4789
+ TEREDO_PORTS: 3544
+ SIP_PORTS: "[5060, 5061]"
+
+# Global stats configuration
+stats:
+ enabled: yes
+ interval: 8
+
+# Configure the type of alert (and other) logging you would like.
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
+ filename: eve.json
+ types:
+ - stats
+ - flow
+ - alert
+ - tls:
+ extended: yes # enable this for extended logging information
+ - drop:
+ alerts: yes # log alerts that caused drops
+ flows: all # start or all: 'start' logs only a single drop
--- /dev/null
+requires:
+ min-version: 8
+
+pcap: ../../flowbit-oring/input.pcap
+
+args:
+ - --simulate-ips
+ - -k none
+
+checks:
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 100
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 101
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 102
+# No match due to 102 dropping the prior hook
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 103
+# No match due to 102 dropping the prior hook
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 104
+# No match due to 102 dropping the prior hook
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 105
+# No match due to 102 dropping the prior hook
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 106
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 201
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 202
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 203
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 204
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 205
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 206
+- filter:
+ count: 7
+ match:
+ event_type: drop
+- filter:
+ count: 1
+ match:
+ event_type: flow
+ flow.pkts_toserver: 6
+ flow.pkts_toclient: 4
+ flow.state: "established"
+ flow.alerted: true
+ flow.action: drop
+- filter:
+ count: 1
+ match:
+ event_type: stats
+ stats.ips.accepted: 3
+ stats.ips.blocked: 7
+ stats.ips.drop_reason.default_app_policy: 1
+ stats.ips.drop_reason.flow_drop: 6
--- /dev/null
+# Packet rules
+
+accept:hook tcp:all any any -> any any (sid:100;)
+# default drop
+
+
+accept:hook http1:request_started any any -> any any (alert; sid:101;)
+accept:hook http1:request_line any any -> any any (http.method; content:"POST"; alert; sid:102;)
+accept:hook http1:request_headers any any -> any any (alert; sid:103;)
+accept:hook http1:request_body any any -> any any (alert; sid:104;)
+accept:hook http1:request_trailer any any -> any any (alert; sid:105;)
+accept:hook http1:request_complete any any -> any any (alert; sid:106;)
+
+accept:hook http1:response_started any any -> any any (alert; sid:201;)
+accept:hook http1:response_line any any -> any any (alert; sid:202;)
+accept:hook http1:response_headers any any -> any any (alert; sid:203;)
+accept:hook http1:response_body any any -> any any (alert; sid:204;)
+accept:hook http1:response_trailer any any -> any any (alert; sid:205;)
+accept:hook http1:response_complete any any -> any any (alert; sid:206;)
--- /dev/null
+%YAML 1.1
+---
+
+vars:
+ # more specific is better for alert accuracy and performance
+ address-groups:
+ HOME_NET: "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]"
+ #HOME_NET: "[192.168.0.0/16]"
+ #HOME_NET: "[10.0.0.0/8]"
+ #HOME_NET: "[172.16.0.0/12]"
+ #HOME_NET: "any"
+
+ EXTERNAL_NET: "!$HOME_NET"
+ #EXTERNAL_NET: "any"
+
+ HTTP_SERVERS: "$HOME_NET"
+ SMTP_SERVERS: "$HOME_NET"
+ SQL_SERVERS: "$HOME_NET"
+ DNS_SERVERS: "$HOME_NET"
+ TELNET_SERVERS: "$HOME_NET"
+ AIM_SERVERS: "$EXTERNAL_NET"
+ DC_SERVERS: "$HOME_NET"
+ DNP3_SERVER: "$HOME_NET"
+ DNP3_CLIENT: "$HOME_NET"
+ MODBUS_CLIENT: "$HOME_NET"
+ MODBUS_SERVER: "$HOME_NET"
+ ENIP_CLIENT: "$HOME_NET"
+ ENIP_SERVER: "$HOME_NET"
+
+ port-groups:
+ HTTP_PORTS: "80"
+ SHELLCODE_PORTS: "!80"
+ ORACLE_PORTS: 1521
+ SSH_PORTS: 22
+ DNP3_PORTS: 20000
+ MODBUS_PORTS: 502
+ FILE_DATA_PORTS: "[$HTTP_PORTS,110,143]"
+ FTP_PORTS: 21
+ GENEVE_PORTS: 6081
+ VXLAN_PORTS: 4789
+ TEREDO_PORTS: 3544
+ SIP_PORTS: "[5060, 5061]"
+
+# Global stats configuration
+stats:
+ enabled: yes
+ interval: 8
+
+# Configure the type of alert (and other) logging you would like.
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
+ filename: eve.json
+ types:
+ - stats
+ - flow
+ - alert
+ - tls:
+ extended: yes # enable this for extended logging information
+ - drop:
+ alerts: yes # log alerts that caused drops
+ flows: all # start or all: 'start' logs only a single drop
--- /dev/null
+requires:
+ min-version: 8
+
+pcap: ../../flowbit-oring/input.pcap
+
+args:
+ - --simulate-ips
+ - -k none
+
+checks:
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 100
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 101
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 102
+# No match due to 102 dropping the prior hook
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 103
+# No match due to 102 dropping the prior hook
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 104
+# No match due to 102 dropping the prior hook
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 105
+# No match due to 102 dropping the prior hook
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 106
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 201
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 202
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 203
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 204
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 205
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 206
+- filter:
+ count: 7
+ match:
+ event_type: drop
+- filter:
+ count: 1
+ match:
+ event_type: flow
+ flow.pkts_toserver: 6
+ flow.pkts_toclient: 4
+ flow.state: "established"
+ flow.alerted: true
+ flow.action: drop
+- filter:
+ count: 1
+ match:
+ event_type: stats
+ stats.ips.accepted: 3
+ stats.ips.blocked: 7
+ stats.ips.drop_reason.default_app_policy: 1
+ stats.ips.drop_reason.flow_drop: 6
--- /dev/null
+# Packet rules
+
+accept:hook tcp:all any any -> any any (sid:100;)
+# default drop
+
+
+accept:hook http1:request_started any any -> any any (alert; sid:101;)
+accept:hook http1:request_line any any -> any any (http.method; content:"POST"; alert; sid:102;)
+# test that packet and flow is still dropped if last rule was accept but several states
+# have no rules
+
+accept:hook http1:response_started any any -> any any (alert; sid:201;)
+accept:hook http1:response_line any any -> any any (alert; sid:202;)
+accept:hook http1:response_headers any any -> any any (alert; sid:203;)
+accept:hook http1:response_body any any -> any any (alert; sid:204;)
+accept:hook http1:response_trailer any any -> any any (alert; sid:205;)
+accept:hook http1:response_complete any any -> any any (alert; sid:206;)
--- /dev/null
+%YAML 1.1
+---
+
+vars:
+ # more specific is better for alert accuracy and performance
+ address-groups:
+ HOME_NET: "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]"
+ #HOME_NET: "[192.168.0.0/16]"
+ #HOME_NET: "[10.0.0.0/8]"
+ #HOME_NET: "[172.16.0.0/12]"
+ #HOME_NET: "any"
+
+ EXTERNAL_NET: "!$HOME_NET"
+ #EXTERNAL_NET: "any"
+
+ HTTP_SERVERS: "$HOME_NET"
+ SMTP_SERVERS: "$HOME_NET"
+ SQL_SERVERS: "$HOME_NET"
+ DNS_SERVERS: "$HOME_NET"
+ TELNET_SERVERS: "$HOME_NET"
+ AIM_SERVERS: "$EXTERNAL_NET"
+ DC_SERVERS: "$HOME_NET"
+ DNP3_SERVER: "$HOME_NET"
+ DNP3_CLIENT: "$HOME_NET"
+ MODBUS_CLIENT: "$HOME_NET"
+ MODBUS_SERVER: "$HOME_NET"
+ ENIP_CLIENT: "$HOME_NET"
+ ENIP_SERVER: "$HOME_NET"
+
+ port-groups:
+ HTTP_PORTS: "80"
+ SHELLCODE_PORTS: "!80"
+ ORACLE_PORTS: 1521
+ SSH_PORTS: 22
+ DNP3_PORTS: 20000
+ MODBUS_PORTS: 502
+ FILE_DATA_PORTS: "[$HTTP_PORTS,110,143]"
+ FTP_PORTS: 21
+ GENEVE_PORTS: 6081
+ VXLAN_PORTS: 4789
+ TEREDO_PORTS: 3544
+ SIP_PORTS: "[5060, 5061]"
+
+# Global stats configuration
+stats:
+ enabled: yes
+ interval: 8
+
+# Configure the type of alert (and other) logging you would like.
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
+ filename: eve.json
+ types:
+ - stats
+ - flow
+ - alert
+ - tls:
+ extended: yes # enable this for extended logging information
+ - drop:
+ alerts: yes # log alerts that caused drops
+ flows: all # start or all: 'start' logs only a single drop
--- /dev/null
+requires:
+ min-version: 8
+
+pcap: ../../flowbit-oring/input.pcap
+
+args:
+ - --simulate-ips
+ - -k none
+
+checks:
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 100
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 101
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 102
+# No match due to 102 dropping the prior hook
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 103
+# No match due to 102 dropping the prior hook
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 104
+# No match due to 102 dropping the prior hook
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 105
+# No match due to 102 dropping the prior hook
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 106
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 201
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 202
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 203
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 204
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 205
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 206
+- filter:
+ count: 7
+ match:
+ event_type: drop
+- filter:
+ count: 1
+ match:
+ event_type: flow
+ flow.pkts_toserver: 6
+ flow.pkts_toclient: 4
+ flow.state: "established"
+ flow.alerted: true
+ flow.action: drop
+- filter:
+ count: 1
+ match:
+ event_type: stats
+ stats.ips.accepted: 3
+ stats.ips.blocked: 7
+ stats.ips.drop_reason.default_app_policy: 1
+ stats.ips.drop_reason.flow_drop: 6
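Review bot: The comment `# No match due to 102 dropping the prior hook` (first at L2826, repeated before sids 104–106) reads as if sid 102 were a drop rule, yet the filter right above asserts 0 alerts for 102 itself, which suggests it is an accept rule that simply did not match; the rules file paired with this test is not in this hunk, so this is inferred. If that is the case, the mechanism is the default drop at the request_line hook, and a wording such as `# No alert: sid 102 did not accept at request_line, so the flow hit the default drop and later hooks never ran` states it directly. The same comment recurs in the test beginning at L4376.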
--- /dev/null
+# Packet rules
+
+# allow session setup
+accept:hook tcp:all $HOME_NET any <> $EXTERNAL_NET 80 (flow:not_established; alert; sid:1021;)
+
+# pass rest of the flow to
+accept:hook tcp:all $HOME_NET any <> $EXTERNAL_NET 80 (flow:established; alert; sid:1023;)
+
+# default drop
+
+accept:hook http1:request_started any any -> any any (alert; sid:100;)
+accept:tx http1:request_line any any -> any any (http.method; content:"GET"; http.uri; content:"/c.gif"; alert; sid:101;)
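Review bot: The comment `# pass rest of the flow to` above the second rule is cut off mid-sentence, and the same truncated line appears in the copies at L3032 and, as `# allow rest of the flow to`, at L4135. If the intent is that established packets are accepted and handed on to the http1 hooks below, spell it out, e.g. `# accept the rest of the established flow so the app-layer hooks below get to see it`. The `# default drop` line introduces no rule; saying that the drop is the implicit policy for anything not accepted above (e.g. `# default drop: anything not accepted above is dropped by the engine`) would save the next reader a lookup — I infer that behaviour from the default_*_policy drop reasons asserted in the sibling tests, so confirm it against the engine.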
--- /dev/null
+%YAML 1.1
+---
+
+vars:
+ # more specific is better for alert accuracy and performance
+ address-groups:
+ HOME_NET: "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]"
+ #HOME_NET: "[192.168.0.0/16]"
+ #HOME_NET: "[10.0.0.0/8]"
+ #HOME_NET: "[172.16.0.0/12]"
+ #HOME_NET: "any"
+
+ EXTERNAL_NET: "!$HOME_NET"
+ #EXTERNAL_NET: "any"
+
+ HTTP_SERVERS: "$HOME_NET"
+ SMTP_SERVERS: "$HOME_NET"
+ SQL_SERVERS: "$HOME_NET"
+ DNS_SERVERS: "$HOME_NET"
+ TELNET_SERVERS: "$HOME_NET"
+ AIM_SERVERS: "$EXTERNAL_NET"
+ DC_SERVERS: "$HOME_NET"
+ DNP3_SERVER: "$HOME_NET"
+ DNP3_CLIENT: "$HOME_NET"
+ MODBUS_CLIENT: "$HOME_NET"
+ MODBUS_SERVER: "$HOME_NET"
+ ENIP_CLIENT: "$HOME_NET"
+ ENIP_SERVER: "$HOME_NET"
+
+ port-groups:
+ HTTP_PORTS: "80"
+ SHELLCODE_PORTS: "!80"
+ ORACLE_PORTS: 1521
+ SSH_PORTS: 22
+ DNP3_PORTS: 20000
+ MODBUS_PORTS: 502
+ FILE_DATA_PORTS: "[$HTTP_PORTS,110,143]"
+ FTP_PORTS: 21
+ GENEVE_PORTS: 6081
+ VXLAN_PORTS: 4789
+ TEREDO_PORTS: 3544
+ SIP_PORTS: "[5060, 5061]"
+
+# Global stats configuration
+stats:
+ enabled: yes
+ interval: 8
+
+# Configure the type of alert (and other) logging you would like.
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
+ filename: eve.json
+ types:
+ - stats
+ - flow
+ - alert
+ - tls:
+ extended: yes # enable this for extended logging information
+ - drop:
+ alerts: yes # log alerts that caused drops
+ flows: all # start or all: 'start' logs only a single drop
--- /dev/null
+requires:
+ min-version: 8
+
+args:
+ - --simulate-ips
+ - -k none
+
+checks:
+- filter:
+ count: 3
+ match:
+ event_type: alert
+ alert.signature_id: 1021
+- filter:
+ count: 24
+ match:
+ event_type: alert
+ alert.signature_id: 1023
+- filter:
+ count: 8
+ match:
+ event_type: alert
+ alert.signature_id: 100
+- filter:
+ count: 8
+ match:
+ event_type: alert
+ alert.signature_id: 101
+- filter:
+ count: 0
+ match:
+ event_type: drop
+- filter:
+ count: 1
+ match:
+ event_type: flow
+ flow.pkts_toserver: 18
+ flow.pkts_toclient: 9
+ flow.state: "established"
+ flow.alerted: true
+ not-has-key: flow.action
+- filter:
+ count: 1
+ match:
+ event_type: stats
+ stats.ips.accepted: 27
+ stats.ips.blocked: 0
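Review bot: This test has no `pcap:` key, unlike the sibling tests in this commit (e.g. L2804, L3244), so the runner presumably falls back to a capture inside the test directory; if that is the intent, `pcap: input.pcap` would make the expected counts (3/24/8/8 alerts, 18/9 packets) traceable to a specific file. The same applies to the test ending at L3163.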
--- /dev/null
+# Packet rules
+
+# allow session setup
+accept:hook tcp:all $HOME_NET any <> $EXTERNAL_NET 80 (flow:not_established; alert; sid:1021;)
+
+# pass rest of the flow to
+accept:hook tcp:all $HOME_NET any <> $EXTERNAL_NET 80 (flow:established; alert; sid:1023;)
+
+# default drop
+
+accept:hook http1:request_started any any -> any any (alert; sid:100;)
+accept:tx http1:request_line any any -> any any (http.method; content:"GET"; http.uri; content:"/c.gif"; alert; sid:101;)
--- /dev/null
+%YAML 1.1
+---
+
+vars:
+ # more specific is better for alert accuracy and performance
+ address-groups:
+ HOME_NET: "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]"
+ #HOME_NET: "[192.168.0.0/16]"
+ #HOME_NET: "[10.0.0.0/8]"
+ #HOME_NET: "[172.16.0.0/12]"
+ #HOME_NET: "any"
+
+ EXTERNAL_NET: "!$HOME_NET"
+ #EXTERNAL_NET: "any"
+
+ HTTP_SERVERS: "$HOME_NET"
+ SMTP_SERVERS: "$HOME_NET"
+ SQL_SERVERS: "$HOME_NET"
+ DNS_SERVERS: "$HOME_NET"
+ TELNET_SERVERS: "$HOME_NET"
+ AIM_SERVERS: "$EXTERNAL_NET"
+ DC_SERVERS: "$HOME_NET"
+ DNP3_SERVER: "$HOME_NET"
+ DNP3_CLIENT: "$HOME_NET"
+ MODBUS_CLIENT: "$HOME_NET"
+ MODBUS_SERVER: "$HOME_NET"
+ ENIP_CLIENT: "$HOME_NET"
+ ENIP_SERVER: "$HOME_NET"
+
+ port-groups:
+ HTTP_PORTS: "80"
+ SHELLCODE_PORTS: "!80"
+ ORACLE_PORTS: 1521
+ SSH_PORTS: 22
+ DNP3_PORTS: 20000
+ MODBUS_PORTS: 502
+ FILE_DATA_PORTS: "[$HTTP_PORTS,110,143]"
+ FTP_PORTS: 21
+ GENEVE_PORTS: 6081
+ VXLAN_PORTS: 4789
+ TEREDO_PORTS: 3544
+ SIP_PORTS: "[5060, 5061]"
+
+# Global stats configuration
+stats:
+ enabled: yes
+ interval: 8
+
+# Configure the type of alert (and other) logging you would like.
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
+ filename: eve.json
+ types:
+ - stats
+ - flow
+ - alert
+ - tls:
+ extended: yes # enable this for extended logging information
+ - drop:
+ alerts: yes # log alerts that caused drops
+ flows: all # start or all: 'start' logs only a single drop
--- /dev/null
+alert http any any -> any any (http.user_agent; content:"Mozilla"; sid:9998;)
+alert http any any -> any any (http.stat_code; content:"200"; sid:9999;)
--- /dev/null
+requires:
+ min-version: 8
+
+args:
+ - --simulate-ips
+ - -k none
+
+checks:
+- filter:
+ count: 3
+ match:
+ event_type: alert
+ alert.signature_id: 1021
+- filter:
+ count: 24
+ match:
+ event_type: alert
+ alert.signature_id: 1023
+- filter:
+ count: 8
+ match:
+ event_type: alert
+ alert.signature_id: 100
+- filter:
+ count: 8
+ match:
+ event_type: alert
+ alert.signature_id: 101
+- filter:
+ count: 8
+ match:
+ event_type: alert
+ alert.signature_id: 9998
+- filter:
+ count: 8
+ match:
+ event_type: alert
+ alert.signature_id: 9999
+- filter:
+ count: 0
+ match:
+ event_type: drop
+- filter:
+ count: 1
+ match:
+ event_type: flow
+ flow.pkts_toserver: 18
+ flow.pkts_toclient: 9
+ flow.state: "established"
+ flow.alerted: true
+ not-has-key: flow.action
+- filter:
+ count: 1
+ match:
+ event_type: stats
+ stats.ips.accepted: 27
+ stats.ips.blocked: 0
--- /dev/null
+# Packet rules
+
+accept:hook udp:all any any -> any any (sid:100;)
+# default drop
+
+
+accept:hook dns:request_started any any -> any any (alert; sid:101;)
+accept:hook dns:request_complete any any -> any any (dns.query; content:"dropbox"; alert; sid:102;)
+
+accept:hook dns:response_started any any -> any any (alert; sid:201;)
+accept:hook dns:response_complete any any -> any any (dns.response.rrname; content:"dropbox"; alert; sid:202;)
--- /dev/null
+%YAML 1.1
+---
+
+vars:
+ # more specific is better for alert accuracy and performance
+ address-groups:
+ HOME_NET: "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]"
+ #HOME_NET: "[192.168.0.0/16]"
+ #HOME_NET: "[10.0.0.0/8]"
+ #HOME_NET: "[172.16.0.0/12]"
+ #HOME_NET: "any"
+
+ EXTERNAL_NET: "!$HOME_NET"
+ #EXTERNAL_NET: "any"
+
+ HTTP_SERVERS: "$HOME_NET"
+ SMTP_SERVERS: "$HOME_NET"
+ SQL_SERVERS: "$HOME_NET"
+ DNS_SERVERS: "$HOME_NET"
+ TELNET_SERVERS: "$HOME_NET"
+ AIM_SERVERS: "$EXTERNAL_NET"
+ DC_SERVERS: "$HOME_NET"
+ DNP3_SERVER: "$HOME_NET"
+ DNP3_CLIENT: "$HOME_NET"
+ MODBUS_CLIENT: "$HOME_NET"
+ MODBUS_SERVER: "$HOME_NET"
+ ENIP_CLIENT: "$HOME_NET"
+ ENIP_SERVER: "$HOME_NET"
+
+ port-groups:
+ HTTP_PORTS: "80"
+ SHELLCODE_PORTS: "!80"
+ ORACLE_PORTS: 1521
+ SSH_PORTS: 22
+ DNP3_PORTS: 20000
+ MODBUS_PORTS: 502
+ FILE_DATA_PORTS: "[$HTTP_PORTS,110,143]"
+ FTP_PORTS: 21
+ GENEVE_PORTS: 6081
+ VXLAN_PORTS: 4789
+ TEREDO_PORTS: 3544
+ SIP_PORTS: "[5060, 5061]"
+
+# Global stats configuration
+stats:
+ enabled: yes
+ interval: 8
+
+# Configure the type of alert (and other) logging you would like.
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
+ filename: eve.json
+ types:
+ - stats
+ - flow
+ - alert
+ - tls:
+ extended: yes # enable this for extended logging information
+ - drop:
+ alerts: yes # log alerts that caused drops
+ flows: all # start or all: 'start' logs only a single drop
--- /dev/null
+requires:
+ min-version: 8
+
+pcap: ../../dns/dns-eve/input.pcap
+
+args:
+ - --simulate-ips
+ - -k none
+
+checks:
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 100
+- filter:
+ count: 4
+ match:
+ event_type: alert
+ alert.signature_id: 101
+- filter:
+ count: 3
+ match:
+ event_type: alert
+ alert.signature_id: 102
+- filter:
+ count: 3
+ match:
+ event_type: alert
+ alert.signature_id: 201
+- filter:
+ count: 3
+ match:
+ event_type: alert
+ alert.signature_id: 202
+- filter:
+ count: 2
+ match:
+ event_type: drop
+- filter:
+ count: 3
+ match:
+ event_type: flow
+ flow.pkts_toserver: 1
+ flow.pkts_toclient: 1
+ flow.alerted: true
+ not-has-key: flow.action
+- filter:
+ count: 1
+ match:
+ event_type: flow
+ flow.pkts_toserver: 1
+ flow.pkts_toclient: 1
+ flow.alerted: true
+ flow.action: drop
+- filter:
+ count: 1
+ match:
+ event_type: stats
+ stats.ips.accepted: 6
+ stats.ips.blocked: 2
+ stats.ips.drop_reason.default_app_policy: 1
+ stats.ips.drop_reason.flow_drop: 1
--- /dev/null
+# Packet rules
+
+accept:hook tcp:all any any -> any any (sid:100;)
+# default drop
+
+
+accept:hook dns:request_started any any -> any any (alert; sid:101;)
+accept:hook dns:request_complete any any -> any any (dns.query; content:"suricata.io"; alert; sid:102;)
+
+accept:hook dns:response_started any any -> any any (alert; sid:201;)
+accept:hook dns:response_complete any any -> any any (dns.response.rrname; content:"suricata.io"; alert; sid:202;)
--- /dev/null
+%YAML 1.1
+---
+
+vars:
+ # more specific is better for alert accuracy and performance
+ address-groups:
+ HOME_NET: "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]"
+ #HOME_NET: "[192.168.0.0/16]"
+ #HOME_NET: "[10.0.0.0/8]"
+ #HOME_NET: "[172.16.0.0/12]"
+ #HOME_NET: "any"
+
+ EXTERNAL_NET: "!$HOME_NET"
+ #EXTERNAL_NET: "any"
+
+ HTTP_SERVERS: "$HOME_NET"
+ SMTP_SERVERS: "$HOME_NET"
+ SQL_SERVERS: "$HOME_NET"
+ DNS_SERVERS: "$HOME_NET"
+ TELNET_SERVERS: "$HOME_NET"
+ AIM_SERVERS: "$EXTERNAL_NET"
+ DC_SERVERS: "$HOME_NET"
+ DNP3_SERVER: "$HOME_NET"
+ DNP3_CLIENT: "$HOME_NET"
+ MODBUS_CLIENT: "$HOME_NET"
+ MODBUS_SERVER: "$HOME_NET"
+ ENIP_CLIENT: "$HOME_NET"
+ ENIP_SERVER: "$HOME_NET"
+
+ port-groups:
+ HTTP_PORTS: "80"
+ SHELLCODE_PORTS: "!80"
+ ORACLE_PORTS: 1521
+ SSH_PORTS: 22
+ DNP3_PORTS: 20000
+ MODBUS_PORTS: 502
+ FILE_DATA_PORTS: "[$HTTP_PORTS,110,143]"
+ FTP_PORTS: 21
+ GENEVE_PORTS: 6081
+ VXLAN_PORTS: 4789
+ TEREDO_PORTS: 3544
+ SIP_PORTS: "[5060, 5061]"
+
+# Global stats configuration
+stats:
+ enabled: yes
+ interval: 8
+
+# Configure the type of alert (and other) logging you would like.
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
+ filename: eve.json
+ types:
+ - stats
+ - flow
+ - alert
+ - tls:
+ extended: yes # enable this for extended logging information
+ - drop:
+ alerts: yes # log alerts that caused drops
+ flows: all # start or all: 'start' logs only a single drop
--- /dev/null
+requires:
+ min-version: 8
+
+pcap: ../../dns/dns-frames/input.pcap
+
+args:
+ - --simulate-ips
+ - -k none
+
+checks:
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 100
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 101
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 102
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 201
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 202
+- filter:
+ count: 2
+ match:
+ event_type: drop
+- filter:
+ count: 1
+ match:
+ event_type: flow
+ flow.pkts_toserver: 6
+ flow.pkts_toclient: 4
+ flow.alerted: true
+ not-has-key: flow.action
+- filter:
+ count: 1
+ match:
+ event_type: stats
+ stats.ips.accepted: 10
+ stats.ips.blocked: 2
+ stats.ips.drop_reason.default_packet_policy: 2
+ stats.ips.drop_reason.default_app_policy: 0
--- /dev/null
+accept:packet udp:all any any -> any any (sid:100;)
+# default drop
--- /dev/null
+%YAML 1.1
+---
+
+vars:
+ # more specific is better for alert accuracy and performance
+ address-groups:
+ HOME_NET: "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]"
+ #HOME_NET: "[192.168.0.0/16]"
+ #HOME_NET: "[10.0.0.0/8]"
+ #HOME_NET: "[172.16.0.0/12]"
+ #HOME_NET: "any"
+
+ EXTERNAL_NET: "!$HOME_NET"
+ #EXTERNAL_NET: "any"
+
+ HTTP_SERVERS: "$HOME_NET"
+ SMTP_SERVERS: "$HOME_NET"
+ SQL_SERVERS: "$HOME_NET"
+ DNS_SERVERS: "$HOME_NET"
+ TELNET_SERVERS: "$HOME_NET"
+ AIM_SERVERS: "$EXTERNAL_NET"
+ DC_SERVERS: "$HOME_NET"
+ DNP3_SERVER: "$HOME_NET"
+ DNP3_CLIENT: "$HOME_NET"
+ MODBUS_CLIENT: "$HOME_NET"
+ MODBUS_SERVER: "$HOME_NET"
+ ENIP_CLIENT: "$HOME_NET"
+ ENIP_SERVER: "$HOME_NET"
+
+ port-groups:
+ HTTP_PORTS: "80"
+ SHELLCODE_PORTS: "!80"
+ ORACLE_PORTS: 1521
+ SSH_PORTS: 22
+ DNP3_PORTS: 20000
+ MODBUS_PORTS: 502
+ FILE_DATA_PORTS: "[$HTTP_PORTS,110,143]"
+ FTP_PORTS: 21
+ GENEVE_PORTS: 6081
+ VXLAN_PORTS: 4789
+ TEREDO_PORTS: 3544
+ SIP_PORTS: "[5060, 5061]"
+
+# Global stats configuration
+stats:
+ enabled: yes
+ interval: 8
+
+# Configure the type of alert (and other) logging you would like.
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
+ filename: eve.json
+ types:
+ - stats
+ - flow
+ - alert
+ - tls:
+ extended: yes # enable this for extended logging information
+ - drop:
+ alerts: yes # log alerts that caused drops
+ flows: all # start or all: 'start' logs only a single drop
--- /dev/null
+requires:
+ min-version: 8
+
+pcap: ../../dns/dns-frames/input.pcap
+
+args:
+ - --simulate-ips
+ - -k none
+
+checks:
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 100
+- filter:
+ count: 10
+ match:
+ event_type: drop
+- filter:
+ count: 1
+ match:
+ event_type: flow
+ proto: TCP
+ flow.pkts_toserver: 6
+ flow.pkts_toclient: 4
+ not-has-key: flow.action
+- filter:
+ count: 1
+ match:
+ event_type: flow
+ proto: UDP
+ flow.pkts_toserver: 1
+ flow.pkts_toclient: 1
+ not-has-key: flow.action
+- filter:
+ count: 1
+ match:
+ event_type: stats
+ stats.ips.accepted: 2
+ stats.ips.blocked: 10
+ stats.ips.drop_reason.default_packet_policy: 10
+ stats.ips.drop_reason.default_app_policy: 0
--- /dev/null
+drop:packet tcp:all any any -> any any (sid:99;)
+accept:flow tcp:flow_start any any -> any 443 (alert; flow:to_server; sid:1;)
+drop:flow tcp:flow_start any any -> any any (sid:2;)
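Review bot: Rules sid 1 and sid 2 appear unreachable: the `drop:packet tcp:all` rule above them should drop every TCP packet before the flow_start hook runs, and the paired test (L3625–L3634) asserts 0 alerts for both, so this looks deliberate as a precedence check. A one-line comment would make that intent explicit, e.g. `# sid 1/2 are expected never to match: the packet-level drop (sid 99) wins first`. The hook ordering is inferred from the expected counts, not from anything visible here.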
--- /dev/null
+%YAML 1.1
+---
+
+vars:
+ # more specific is better for alert accuracy and performance
+ address-groups:
+ HOME_NET: "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]"
+ #HOME_NET: "[192.168.0.0/16]"
+ #HOME_NET: "[10.0.0.0/8]"
+ #HOME_NET: "[172.16.0.0/12]"
+ #HOME_NET: "any"
+
+ EXTERNAL_NET: "!$HOME_NET"
+ #EXTERNAL_NET: "any"
+
+ HTTP_SERVERS: "$HOME_NET"
+ SMTP_SERVERS: "$HOME_NET"
+ SQL_SERVERS: "$HOME_NET"
+ DNS_SERVERS: "$HOME_NET"
+ TELNET_SERVERS: "$HOME_NET"
+ AIM_SERVERS: "$EXTERNAL_NET"
+ DC_SERVERS: "$HOME_NET"
+ DNP3_SERVER: "$HOME_NET"
+ DNP3_CLIENT: "$HOME_NET"
+ MODBUS_CLIENT: "$HOME_NET"
+ MODBUS_SERVER: "$HOME_NET"
+ ENIP_CLIENT: "$HOME_NET"
+ ENIP_SERVER: "$HOME_NET"
+
+ port-groups:
+ HTTP_PORTS: "80"
+ SHELLCODE_PORTS: "!80"
+ ORACLE_PORTS: 1521
+ SSH_PORTS: 22
+ DNP3_PORTS: 20000
+ MODBUS_PORTS: 502
+ FILE_DATA_PORTS: "[$HTTP_PORTS,110,143]"
+ FTP_PORTS: 21
+ GENEVE_PORTS: 6081
+ VXLAN_PORTS: 4789
+ TEREDO_PORTS: 3544
+ SIP_PORTS: "[5060, 5061]"
+
+# Global stats configuration
+stats:
+ enabled: yes
+ interval: 8
+
+# Configure the type of alert (and other) logging you would like.
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
+ filename: eve.json
+ types:
+ - stats
+ - flow
+ - alert
+ - tls:
+ extended: yes # enable this for extended logging information
+ - drop:
+ alerts: yes # log alerts that caused drops
+ flows: all # start or all: 'start' logs only a single drop
--- /dev/null
+requires:
+ min-version: 8
+
+pcap: ../../tls/tls-random/input.pcap
+
+args:
+ - --simulate-ips
+
+checks:
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 1
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 2
+- filter:
+ count: 13
+ match:
+ event_type: alert
+ alert.signature_id: 99
+- filter:
+ count: 13
+ match:
+ event_type: drop
+- filter:
+ count: 1
+ match:
+ event_type: tls
+ tls.subject: C=FR, ST=IDF, L=Paris, O=Stamus, CN=SELKS
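Review bot: This test passes only `--simulate-ips` while every other test in this commit also passes `-k none` (compare L3621–L3622 with L3741–L3742); if the tls-random capture carries bad checksums the counts of 13 alerts and 13 drops could change without an obvious cause, so either add `- -k none` or leave a comment on why it is omitted. Separately, the `tls.subject` value on the last line is a plain scalar containing commas and `=`; it parses as one string in block context, but `tls.subject: "C=FR, ST=IDF, L=Paris, O=Stamus, CN=SELKS"` matches how `flow.state` is quoted elsewhere and survives reformatting.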
--- /dev/null
+# Packet rules
+
+accept:hook tcp:all any any -> any any (sid:100;)
+# default drop
+
+
+accept:hook http1:request_started any any -> any any (alert; sid:101;)
+drop:packet http1:request_line any any -> any any (sid:999; alert;)
+accept:hook http1:request_line any any -> any any (http.method; content:"GET"; alert; sid:102;)
+accept:hook http1:request_headers any any -> any any (alert; sid:103;)
+accept:hook http1:request_body any any -> any any (alert; sid:104;)
+accept:hook http1:request_trailer any any -> any any (alert; sid:105;)
+accept:hook http1:request_complete any any -> any any (alert; sid:106;)
+
+accept:hook http1:response_started any any -> any any (alert; sid:201;)
+accept:hook http1:response_line any any -> any any (alert; sid:202;)
+accept:hook http1:response_headers any any -> any any (alert; sid:203;)
+accept:hook http1:response_body any any -> any any (alert; sid:204;)
+accept:hook http1:response_trailer any any -> any any (alert; sid:205;)
+accept:hook http1:response_complete any any -> any any (alert; sid:206;)
--- /dev/null
+%YAML 1.1
+---
+
+vars:
+ # more specific is better for alert accuracy and performance
+ address-groups:
+ HOME_NET: "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]"
+ #HOME_NET: "[192.168.0.0/16]"
+ #HOME_NET: "[10.0.0.0/8]"
+ #HOME_NET: "[172.16.0.0/12]"
+ #HOME_NET: "any"
+
+ EXTERNAL_NET: "!$HOME_NET"
+ #EXTERNAL_NET: "any"
+
+ HTTP_SERVERS: "$HOME_NET"
+ SMTP_SERVERS: "$HOME_NET"
+ SQL_SERVERS: "$HOME_NET"
+ DNS_SERVERS: "$HOME_NET"
+ TELNET_SERVERS: "$HOME_NET"
+ AIM_SERVERS: "$EXTERNAL_NET"
+ DC_SERVERS: "$HOME_NET"
+ DNP3_SERVER: "$HOME_NET"
+ DNP3_CLIENT: "$HOME_NET"
+ MODBUS_CLIENT: "$HOME_NET"
+ MODBUS_SERVER: "$HOME_NET"
+ ENIP_CLIENT: "$HOME_NET"
+ ENIP_SERVER: "$HOME_NET"
+
+ port-groups:
+ HTTP_PORTS: "80"
+ SHELLCODE_PORTS: "!80"
+ ORACLE_PORTS: 1521
+ SSH_PORTS: 22
+ DNP3_PORTS: 20000
+ MODBUS_PORTS: 502
+ FILE_DATA_PORTS: "[$HTTP_PORTS,110,143]"
+ FTP_PORTS: 21
+ GENEVE_PORTS: 6081
+ VXLAN_PORTS: 4789
+ TEREDO_PORTS: 3544
+ SIP_PORTS: "[5060, 5061]"
+
+# Global stats configuration
+stats:
+ enabled: yes
+ interval: 8
+
+# Configure the type of alert (and other) logging you would like.
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
+ filename: eve.json
+ types:
+ - stats
+ - flow
+ - alert
+ - tls:
+ extended: yes # enable this for extended logging information
+ - drop:
+ alerts: yes # log alerts that caused drops
+ flows: all # start or all: 'start' logs only a single drop
--- /dev/null
+requires:
+ min-version: 8
+
+pcap: ../../flowbit-oring/input.pcap
+
+args:
+ - --simulate-ips
+ - -k none
+
+checks:
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 100
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 101
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 999
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 102
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 104
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 105
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 106
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 201
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 202
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 203
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 204
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 205
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 206
+- filter:
+ count: 1
+ match:
+ event_type: drop
+ alert.signature_id: 999
+- filter:
+ count: 1
+ match:
+ event_type: flow
+ flow.pkts_toserver: 6
+ flow.pkts_toclient: 4
+ flow.state: "closed"
+ flow.alerted: true
+ not-has-key: flow.action
+- filter:
+ count: 1
+ match:
+ event_type: stats
+ stats.ips.accepted: 9
+ stats.ips.blocked: 1
+ stats.ips.drop_reason.rules: 1
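Review bot: The checks skip sid 103 (`http1:request_headers`, defined at L3659 in this test's rules) while asserting a count for every other hook sid 101–106 and 201–206; the earlier test at L2800–L2900 and the one beginning at L4376 do check 103. Either add a `filter` entry for `alert.signature_id: 103` with its expected count (0 if the drop at request_line is expected to suppress it), or leave a comment stating why it is omitted, otherwise a regression at that hook goes unnoticed. The test ending at L4019 has the same gap.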
--- /dev/null
+# Packet rules
+
+accept:hook tcp:all any any -> any any (sid:100;)
+# default drop
+
+
+accept:hook http1:request_started any any -> any any (alert; sid:101;)
+drop:flow http1:request_line any any -> any any (sid:999; alert;)
+accept:hook http1:request_line any any -> any any (http.method; content:"GET"; alert; sid:102;)
+accept:hook http1:request_headers any any -> any any (alert; sid:103;)
+accept:hook http1:request_body any any -> any any (alert; sid:104;)
+accept:hook http1:request_trailer any any -> any any (alert; sid:105;)
+accept:hook http1:request_complete any any -> any any (alert; sid:106;)
+
+accept:hook http1:response_started any any -> any any (alert; sid:201;)
+accept:hook http1:response_line any any -> any any (alert; sid:202;)
+accept:hook http1:response_headers any any -> any any (alert; sid:203;)
+accept:hook http1:response_body any any -> any any (alert; sid:204;)
+accept:hook http1:response_trailer any any -> any any (alert; sid:205;)
+accept:hook http1:response_complete any any -> any any (alert; sid:206;)
--- /dev/null
+%YAML 1.1
+---
+
+vars:
+ # more specific is better for alert accuracy and performance
+ address-groups:
+ HOME_NET: "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]"
+ #HOME_NET: "[192.168.0.0/16]"
+ #HOME_NET: "[10.0.0.0/8]"
+ #HOME_NET: "[172.16.0.0/12]"
+ #HOME_NET: "any"
+
+ EXTERNAL_NET: "!$HOME_NET"
+ #EXTERNAL_NET: "any"
+
+ HTTP_SERVERS: "$HOME_NET"
+ SMTP_SERVERS: "$HOME_NET"
+ SQL_SERVERS: "$HOME_NET"
+ DNS_SERVERS: "$HOME_NET"
+ TELNET_SERVERS: "$HOME_NET"
+ AIM_SERVERS: "$EXTERNAL_NET"
+ DC_SERVERS: "$HOME_NET"
+ DNP3_SERVER: "$HOME_NET"
+ DNP3_CLIENT: "$HOME_NET"
+ MODBUS_CLIENT: "$HOME_NET"
+ MODBUS_SERVER: "$HOME_NET"
+ ENIP_CLIENT: "$HOME_NET"
+ ENIP_SERVER: "$HOME_NET"
+
+ port-groups:
+ HTTP_PORTS: "80"
+ SHELLCODE_PORTS: "!80"
+ ORACLE_PORTS: 1521
+ SSH_PORTS: 22
+ DNP3_PORTS: 20000
+ MODBUS_PORTS: 502
+ FILE_DATA_PORTS: "[$HTTP_PORTS,110,143]"
+ FTP_PORTS: 21
+ GENEVE_PORTS: 6081
+ VXLAN_PORTS: 4789
+ TEREDO_PORTS: 3544
+ SIP_PORTS: "[5060, 5061]"
+
+# Global stats configuration
+stats:
+ enabled: yes
+ interval: 8
+
+# Configure the type of alert (and other) logging you would like.
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
+ filename: eve.json
+ types:
+ - stats
+ - flow
+ - alert
+ - tls:
+ extended: yes # enable this for extended logging information
+ - drop:
+ alerts: yes # log alerts that caused drops
+ flows: all # start or all: 'start' logs only a single drop
--- /dev/null
+requires:
+ min-version: 8
+
+pcap: ../../flowbit-oring/input.pcap
+
+args:
+ - --simulate-ips
+ - -k none
+
+checks:
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 100
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 101
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 999
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 102
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 104
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 105
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 106
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 201
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 202
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 203
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 204
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 205
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 206
+- filter:
+ count: 1
+ match:
+ event_type: drop
+ alert.signature_id: 999
+ drop.reason: "rules"
+- filter:
+ count: 6
+ match:
+ event_type: drop
+ drop.reason: "flow drop"
+- filter:
+ count: 1
+ match:
+ event_type: flow
+ flow.pkts_toserver: 6
+ flow.pkts_toclient: 4
+ flow.state: "established"
+ flow.alerted: true
+ flow.action: drop
+- filter:
+ count: 1
+ match:
+ event_type: stats
+ stats.ips.accepted: 3
+ stats.ips.blocked: 7
+ stats.ips.drop_reason.rules: 1
+ stats.ips.drop_reason.flow_drop: 6
--- /dev/null
+drop:flow tcp:flow_start any any -> any any (flags:S; sid:100;)
--- /dev/null
+%YAML 1.1
+---
+
+vars:
+ # more specific is better for alert accuracy and performance
+ address-groups:
+ HOME_NET: "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]"
+ #HOME_NET: "[192.168.0.0/16]"
+ #HOME_NET: "[10.0.0.0/8]"
+ #HOME_NET: "[172.16.0.0/12]"
+ #HOME_NET: "any"
+
+ EXTERNAL_NET: "!$HOME_NET"
+ #EXTERNAL_NET: "any"
+
+ HTTP_SERVERS: "$HOME_NET"
+ SMTP_SERVERS: "$HOME_NET"
+ SQL_SERVERS: "$HOME_NET"
+ DNS_SERVERS: "$HOME_NET"
+ TELNET_SERVERS: "$HOME_NET"
+ AIM_SERVERS: "$EXTERNAL_NET"
+ DC_SERVERS: "$HOME_NET"
+ DNP3_SERVER: "$HOME_NET"
+ DNP3_CLIENT: "$HOME_NET"
+ MODBUS_CLIENT: "$HOME_NET"
+ MODBUS_SERVER: "$HOME_NET"
+ ENIP_CLIENT: "$HOME_NET"
+ ENIP_SERVER: "$HOME_NET"
+
+ port-groups:
+ HTTP_PORTS: "80"
+ SHELLCODE_PORTS: "!80"
+ ORACLE_PORTS: 1521
+ SSH_PORTS: 22
+ DNP3_PORTS: 20000
+ MODBUS_PORTS: 502
+ FILE_DATA_PORTS: "[$HTTP_PORTS,110,143]"
+ FTP_PORTS: 21
+ GENEVE_PORTS: 6081
+ VXLAN_PORTS: 4789
+ TEREDO_PORTS: 3544
+ SIP_PORTS: "[5060, 5061]"
+
+# Global stats configuration
+stats:
+ enabled: yes
+ interval: 8
+
+# Configure the type of alert (and other) logging you would like.
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
+ filename: eve.json
+ types:
+ - stats
+ - flow
+ - alert
+ - tls:
+ extended: yes # enable this for extended logging information
+ - drop:
+ alerts: yes # log alerts that caused drops
+ flows: all # start or all: 'start' logs only a single drop
--- /dev/null
+requires:
+ min-version: 8
+
+pcap: ../../flowbit-oring/input.pcap
+
+args:
+ - --simulate-ips
+ - -k none
+
+checks:
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 100
+- filter:
+ count: 1
+ match:
+ event_type: drop
+ alert.signature_id: 100
+ drop.reason: "rules"
+- filter:
+ count: 9
+ match:
+ event_type: drop
+ drop.reason: "flow drop"
+- filter:
+ count: 1
+ match:
+ event_type: flow
+ flow.pkts_toserver: 6
+ flow.pkts_toclient: 4
+ flow.state: "new"
+ flow.alerted: true
+ flow.action: drop
+- filter:
+ count: 1
+ match:
+ event_type: stats
+ stats.ips.accepted: 0
+ stats.ips.blocked: 10
+ stats.ips.drop_reason.rules: 1
+ stats.ips.drop_reason.flow_drop: 9
--- /dev/null
+# Packet rules
+
+# allow session setup
+accept:hook tcp:all $HOME_NET any <> $EXTERNAL_NET 443 (flow:not_established; alert; sid:1021;)
+# allow rest of the flow to
+accept:hook tcp:all $HOME_NET any <> $EXTERNAL_NET 443 (flow:established; alert; sid:1023;)
+
+# default drop
+
+
+
+
+# App-layer rules
+
+# should match, pcap is to google
+accept:flow tls:client_hello_done $HOME_NET any -> $EXTERNAL_NET any (tls.sni; content:"www.google.com"; sid:104; alert;)
+# allow tls before client hello is done.
+accept:hook tls:client_in_progress $HOME_NET any -> $EXTERNAL_NET any (alert; sid:105;)
+
+# default drop
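Review bot: Option order is inconsistent within this file: sid 104 writes `sid:104; alert;` while sid 105 and the packet rules write `alert; sid:...;`; the engine does not care, but one order (action keyword first, sid last) reads better when scanning for sids. The file also ends with a second `# default drop` and has four blank lines between the packet and app-layer sections; one blank line is enough, and the `# default drop` comment is clearer if it says what it refers to, e.g. `# default drop: flows not accepted by the tls rules above are dropped`.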
--- /dev/null
+%YAML 1.1
+---
+
+vars:
+ # more specific is better for alert accuracy and performance
+ address-groups:
+ HOME_NET: "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]"
+ #HOME_NET: "[192.168.0.0/16]"
+ #HOME_NET: "[10.0.0.0/8]"
+ #HOME_NET: "[172.16.0.0/12]"
+ #HOME_NET: "any"
+
+ EXTERNAL_NET: "!$HOME_NET"
+ #EXTERNAL_NET: "any"
+
+ HTTP_SERVERS: "$HOME_NET"
+ SMTP_SERVERS: "$HOME_NET"
+ SQL_SERVERS: "$HOME_NET"
+ DNS_SERVERS: "$HOME_NET"
+ TELNET_SERVERS: "$HOME_NET"
+ AIM_SERVERS: "$EXTERNAL_NET"
+ DC_SERVERS: "$HOME_NET"
+ DNP3_SERVER: "$HOME_NET"
+ DNP3_CLIENT: "$HOME_NET"
+ MODBUS_CLIENT: "$HOME_NET"
+ MODBUS_SERVER: "$HOME_NET"
+ ENIP_CLIENT: "$HOME_NET"
+ ENIP_SERVER: "$HOME_NET"
+
+ port-groups:
+ HTTP_PORTS: "80"
+ SHELLCODE_PORTS: "!80"
+ ORACLE_PORTS: 1521
+ SSH_PORTS: 22
+ DNP3_PORTS: 20000
+ MODBUS_PORTS: 502
+ FILE_DATA_PORTS: "[$HTTP_PORTS,110,143]"
+ FTP_PORTS: 21
+ GENEVE_PORTS: 6081
+ VXLAN_PORTS: 4789
+ TEREDO_PORTS: 3544
+ SIP_PORTS: "[5060, 5061]"
+
+# Global stats configuration
+stats:
+ enabled: yes
+ interval: 8
+
+# Configure the type of alert (and other) logging you would like.
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
+ filename: eve.json
+ types:
+ - stats
+ - flow
+ - alert
+ - tls:
+ extended: yes # enable this for extended logging information
+ - drop:
+ alerts: yes # log alerts that caused drops
+ flows: all # start or all: 'start' logs only a single drop
--- /dev/null
+drop:packet tcp-pkt any any -> any any (flow:to_server; content:"|16 03 01 02 00|"; startswith; sid:666;)
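Review bot: The match `|16 03 01 02 00|` with `startswith` is a magic byte sequence with no comment; it is the start of a TLS record header (content type 0x16 handshake, record version 0x0301, length 0x0200), which the paired test (L4221, L4232–L4233) expects to hit exactly once, on packet 4. Suggest a comment above the rule such as `# drop the client packet that begins with a TLS handshake record of length 0x200 (first fragment of the client hello in dump_mtu300.pcap)`. That packet 4 is the first fragment is inferred from the test's pcap_cnt, not visible here.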
--- /dev/null
+requires:
+ min-version: 8
+
+pcap: ../../tls/tls-client-hello-frag-01/dump_mtu300.pcap
+
+args:
+ - --simulate-ips
+ - -k none
+
+checks:
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 666
+ pcap_cnt: 4
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 1023
+ alert.action: allowed
+ pcap_cnt: 6
+- filter:
+ count: 3
+ match:
+ event_type: alert
+ alert.signature_id: 1021
+- filter:
+ count: 3
+ match:
+ event_type: alert
+ alert.signature_id: 1023
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 104
+ pcap_cnt: 6
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 105
+ pcap_cnt: 4
+- filter:
+ count: 1
+ match:
+ event_type: drop
+- filter:
+ count: 1
+ match:
+ event_type: drop
+ pcap_cnt: 4
+- filter:
+ count: 1
+ match:
+ event_type: flow
+ flow.pkts_toserver: 32
+ flow.pkts_toclient: 30
+ flow.state: "closed"
+ flow.alerted: true
+ flow.action: "accept"
+- filter:
+ count: 1
+ match:
+ event_type: stats
+ stats.ips.accepted: 61
+ stats.ips.blocked: 1
+ stats.ips.drop_reason.default_app_policy: 0
+ stats.ips.drop_reason.rules: 1
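Review bot: `flow.action: "accept"` on L4280 is quoted while every other test in this commit writes the value unquoted (`flow.action: drop`, e.g. L2892, L4011); both parse to the same string, but one style per file is easier to grep. The two `event_type: drop` filters at L4263–L4271 overlap (the first asserts exactly one drop in total, the second that it is packet 4); that is a useful pair, but a comment such as `# exactly one drop overall, and it is packet 4` would make the redundancy look intentional rather than accidental.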
--- /dev/null
+# Packet rules
+
+accept:hook tcp:all any any -> any any (sid:100;)
+# default drop
+
+
+accept:hook http1:request_started any any -> any any (alert; sid:101;)
+accept:hook http1:request_line any any -> any any (http.method; content:"POST"; alert; sid:102;)
+accept:hook http1:request_headers any any -> any any (alert; sid:103;)
+accept:hook http1:request_body any any -> any any (alert; sid:104;)
+accept:hook http1:request_trailer any any -> any any (alert; sid:105;)
+accept:hook http1:request_complete any any -> any any (alert; sid:106;)
+
+accept:hook http1:response_started any any -> any any (alert; sid:201;)
+accept:hook http1:response_line any any -> any any (alert; sid:202;)
+accept:hook http1:response_headers any any -> any any (alert; sid:203;)
+accept:hook http1:response_body any any -> any any (alert; sid:204;)
+accept:hook http1:response_trailer any any -> any any (alert; sid:205;)
+accept:hook http1:response_complete any any -> any any (alert; sid:206;)
--- /dev/null
+%YAML 1.1
+---
+
+vars:
+ # more specific is better for alert accuracy and performance
+ address-groups:
+ HOME_NET: "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]"
+ #HOME_NET: "[192.168.0.0/16]"
+ #HOME_NET: "[10.0.0.0/8]"
+ #HOME_NET: "[172.16.0.0/12]"
+ #HOME_NET: "any"
+
+ EXTERNAL_NET: "!$HOME_NET"
+ #EXTERNAL_NET: "any"
+
+ HTTP_SERVERS: "$HOME_NET"
+ SMTP_SERVERS: "$HOME_NET"
+ SQL_SERVERS: "$HOME_NET"
+ DNS_SERVERS: "$HOME_NET"
+ TELNET_SERVERS: "$HOME_NET"
+ AIM_SERVERS: "$EXTERNAL_NET"
+ DC_SERVERS: "$HOME_NET"
+ DNP3_SERVER: "$HOME_NET"
+ DNP3_CLIENT: "$HOME_NET"
+ MODBUS_CLIENT: "$HOME_NET"
+ MODBUS_SERVER: "$HOME_NET"
+ ENIP_CLIENT: "$HOME_NET"
+ ENIP_SERVER: "$HOME_NET"
+
+ port-groups:
+ HTTP_PORTS: "80"
+ SHELLCODE_PORTS: "!80"
+ ORACLE_PORTS: 1521
+ SSH_PORTS: 22
+ DNP3_PORTS: 20000
+ MODBUS_PORTS: 502
+ FILE_DATA_PORTS: "[$HTTP_PORTS,110,143]"
+ FTP_PORTS: 21
+ GENEVE_PORTS: 6081
+ VXLAN_PORTS: 4789
+ TEREDO_PORTS: 3544
+ SIP_PORTS: "[5060, 5061]"
+
+# Global stats configuration
+stats:
+ enabled: yes
+ interval: 8
+
+# Configure the type of alert (and other) logging you would like.
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
+ filename: eve.json
+ types:
+ - stats
+ - flow
+ - alert
+ - tls:
+ extended: yes # enable this for extended logging information
+ - drop:
+ alerts: yes # log alerts that caused drops
+ flows: all # start or all: 'start' logs only a single drop
+ - stream:
+ all: true # log all TCP packets
--- /dev/null
+requires:
+ min-version: 8
+
+args:
+ - --simulate-ips
+ - -k none
+
+checks:
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 100
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 101
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 102
+# No match due to 102 dropping the prior hook
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 103
+# No match due to 102 dropping the prior hook
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 104
+# No match due to 102 dropping the prior hook
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 105
+# No match due to 102 dropping the prior hook
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 106
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 201
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 202
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 203
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 204
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 205
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 206
+- filter:
+ count: 4
+ match:
+ event_type: drop
+- filter:
+ count: 1
+ match:
+ event_type: flow
+ flow.pkts_toserver: 7
+ flow.pkts_toclient: 2
+ flow.state: "established"
+ flow.alerted: true
+ flow.action: drop
+- filter:
+ count: 1
+ match:
+ event_type: stats
+ stats.ips.accepted: 5
+ stats.ips.blocked: 4
+ stats.ips.drop_reason.default_app_policy: 1
+ stats.ips.drop_reason.flow_drop: 3
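Review bot: The repeated comment `# No match due to 102 dropping the prior hook` misattributes the drop: sid 102 is an accept rule that simply does not match (it requires `POST`, and the generator script in this commit sends `GET`), and the drop comes from the default app-layer policy for the request_line hook, which is exactly what `stats.ips.drop_reason.default_app_policy: 1` asserts. Suggest a single comment above the sid 103 check, `# sid 102 only accepts POST; the GET request_line falls to the default app-layer drop, so hooks 103-106 and the response hooks never run`, and remove the three copies. Also `flow.action: drop` is unquoted while the sibling test earlier in this commit writes `flow.action: "accept"`; quoting it keeps the two consistent.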
--- /dev/null
+#!/usr/bin/env python
+from scapy.all import *
+
+pkts = []
+
+pkts += Ether(dst='05:04:03:02:01:00', src='00:01:02:03:04:05')/Dot1Q(vlan=6)/IP(src='1.1.1.1', dst='2.2.2.2')/TCP(dport=8080,sport=12345,flags='S',seq=1,options=[('WScale', 14)])
+pkts += Ether(src='05:04:03:02:01:00', dst='00:01:02:03:04:05')/Dot1Q(vlan=6)/IP(dst='1.1.1.1', src='2.2.2.2')/TCP(sport=8080,dport=12345,flags='SA',seq=1000,ack=2,options=[('WScale', 14)],window=65535)
+pkts += Ether(dst='05:04:03:02:01:00', src='00:01:02:03:04:05')/Dot1Q(vlan=6)/IP(src='1.1.1.1', dst='2.2.2.2')/TCP(dport=8080,sport=12345,flags='A',seq=2,ack=1001,window=65535)
+
+pkts += Ether(dst='05:04:03:02:01:00', src='00:01:02:03:04:05')/Dot1Q(vlan=6)/IP(src='1.1.1.1', dst='2.2.2.2')/TCP(dport=8080,sport=12345,flags='A',seq=2,ack=1001,window=65535)/"GET / HTTP/1.0\r\n"
+#pkts += Ether(dst='05:04:03:02:01:00', src='00:01:02:03:04:05')/Dot1Q(vlan=6)/IP(src='1.1.1.1', dst='2.2.2.2')/TCP(dport=8080,sport=12345,flags='A',seq=18,ack=1001,window=65535)/"Cookie: abcdef\r\n"
+pkts += Ether(dst='05:04:03:02:01:00', src='00:01:02:03:04:05')/Dot1Q(vlan=6)/IP(src='1.1.1.1', dst='2.2.2.2')/TCP(dport=8080,sport=12345,flags='A',seq=34,ack=1001,window=65535)/"User-Agent: "
+pkts += Ether(dst='05:04:03:02:01:00', src='00:01:02:03:04:05')/Dot1Q(vlan=6)/IP(src='1.1.1.1', dst='2.2.2.2')/TCP(dport=8080,sport=12345,flags='A',seq=46,ack=1001,window=65535)/"Mozilla\r\n\r\n"
+
+pkts += Ether(src='05:04:03:02:01:00', dst='00:01:02:03:04:05')/Dot1Q(vlan=6)/IP(dst='1.1.1.1', src='2.2.2.2')/TCP(sport=8080,dport=12345,flags='RA',seq=1001,ack=18,window=65535)
+
+wrpcap('input.pcap', pkts)
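Review bot: The client stream has a 16-byte hole: the `GET / HTTP/1.0\r\n` segment ends at seq 18, the `Cookie: abcdef\r\n` segment that would have covered 18-33 is commented out, yet `User-Agent: ` is still sent at `seq=34` and `Mozilla\r\n\r\n` at `seq=46`, so the request headers can never be reassembled in order and the closing RST/ACK acknowledges only 18. If the cookie is meant to stay out, renumber the two segments to `seq=18` and `seq=30`; otherwise restore the commented packet. As written the script emits 7 packets, while the accompanying test.yaml expects 9 (`flow.pkts_toserver: 7`, `flow.pkts_toclient: 2`, `stats.ips.accepted: 5` plus `blocked: 4`), so either this is not the script that produced input.pcap or the pcap should be regenerated from it; the hunk appears to end at `wrpcap`, but any lines after it are outside my view.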